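# Docker Swarm stack: ShinyProxy (3 replicas), MariaDB and Keycloak on one overlay network.
# NOTE(review): the listing was published with its indentation stripped; the nesting
# below is restored according to the Compose v3 schema.
version: '3.7'
services:
  shinyproxy:
    # `build` is only honoured by docker-compose; a stack deploy runs `image` as-is.
    build: /home/administrator/shinyproxy
    deploy:
      replicas: 3
      # placement:
      #   constraints:
      #     - node.hostname==node1
    # SECURITY: root inside the container plus the Docker socket below means this
    # service can control the Docker daemon of the node it runs on, which is
    # root-equivalent on that node. ShinyProxy needs daemon access to start app
    # containers, so treat this service as privileged and limit who can reach it.
    user: root:root
    hostname: shinyproxy
    image: localhost:5000/shinyproxy-example
    networks:
      - sp-example-net
    volumes:
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
      # application.yml carries the Keycloak client secret; keep the host file
      # readable only by the deploying account.
      - type: bind
        source: /home/administrator/shinyproxy/application.yml
        target: /opt/shinyproxy/application.yml
    ports:
      # Quoted so the mapping is always read as a string.
      - "4000:4000"
  mariadb:
    # NOTE(review): no tag, so every deploy may pull a different `latest`;
    # pin a version (or digest) for reproducible, reviewable upgrades.
    image: mariadb
    networks:
      - sp-example-net
    volumes:
      - type: bind
        source: /home/administrator/mariadbdata
        target: /var/lib/mysql
    environment:
      # SECURITY: plaintext credentials in the stack file are visible to anyone who
      # can read this file or inspect the service. The official image also accepts
      # MYSQL_ROOT_PASSWORD_FILE / MYSQL_PASSWORD_FILE, which can point at Docker
      # secrets. Replace these sample values before any real deployment.
      MYSQL_ROOT_PASSWORD: root_password
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: password
    deploy:
      placement:
        constraints:
          # Bind-mounted data only exists on this node, so the service is pinned to it.
          - node.hostname==spm1anadev1
  keycloak:
    # NOTE(review): unpinned tag, same concern as for mariadb above.
    image: jboss/keycloak
    networks:
      - sp-example-net
    volumes:
      - type: bind
        source: /home/administrator/certs/fullchain.pem
        target: /etc/x509/https/tls.crt
      # TLS private key: restrict permissions on the host path.
      - type: bind
        source: /home/administrator/certs//privkey.pem
        target: /etc/x509/https/tls.key
      # - /theme/govuk-social-providers/:/opt/jboss/keycloak/themes/govuk-social-providers/
    environment:
      # SECURITY: with PROXY_ADDRESS_FORWARDING=true Keycloak trusts X-Forwarded-*
      # headers. Port 8443 is also published directly below, so confirm that only
      # the reverse proxy can reach it; otherwise clients can supply those headers.
      - PROXY_ADDRESS_FORWARDING=true
      # SECURITY: initial admin credentials in plaintext; sample values, replace
      # them and prefer a secret-backed mechanism.
      - KEYCLOAK_USER=myadmin
      - KEYCLOAK_PASSWORD=mypassword
    ports:
      - "8443:8443"
    deploy:
      placement:
        constraints:
          - node.hostname==node1
networks:
  sp-example-net:
    driver: overlay
    # `attachable` lets standalone containers join this network as well as services.
    # NOTE(review): overlay data traffic between nodes is not encrypted by default;
    # `driver_opts: {encrypted: "true"}` enables it if the nodes share an untrusted link.
    attachable: true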
我在docker-swarm集群上使用以下配置。部署本身正常,但是当我为Shinyproxy服务创建3个副本时,登录会陷入重定向循环。问题可能在于Keycloak不知道重定向来自哪个服务副本,因此我在Shinyproxy实例和Keycloak身份验证之间被来回重定向。
我想我不是这个问题的第一人,但是我没有找到任何解决方案。谁能帮我?
谢谢!
编辑:我使用以下Dockerfile创建我的Shinyproxy服务。
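# Image for the ShinyProxy service: JRE 8, the ShinyProxy 2.3.0 jar, local config and templates.
# NOTE(review): there is no USER instruction, so the process runs as root inside the container.
FROM openjdk:8-jre

# Copy the PKCS#12 bundle next to the JVM's default keystore (cacerts).
# NOTE(review): a .pfx usually carries a private key, and both the bundle and the store
# passwords below stay readable in the image layers and build history. If the only goal
# is to trust the Keycloak certificate, importing the public certificate alone avoids
# shipping key material. Confirm what certificate.pfx contains.
COPY certificate.pfx $JAVA_HOME/jre/lib/security/certificate.pfx

# `&&` chains the two commands; without it everything after `cd` is handed to cd as
# extra arguments and keytool is never executed.
# NOTE(review): `-srcstorepass -changeit` is kept as published; the leading dash looks
# like a typo for `changeit`. Verify against the real bundle password.
RUN cd $JAVA_HOME/jre/lib/security \
 && keytool -importkeystore \
      -srckeystore certificate.pfx -srcstorepass -changeit -srcstoretype pkcs12 \
      -destkeystore cacerts -deststorepass changeit -deststoretype JKS

RUN mkdir -p /opt/shinyproxy/

# NOTE(review): the jar is downloaded at build time without an integrity check. Record the
# release's SHA-256 and verify it (for example with `sha256sum -c`) before using the file.
RUN wget https://www.shinyproxy.io/downloads/shinyproxy-2.3.0.jar -O /opt/shinyproxy/shinyproxy.jar

# application.yml contains the Keycloak client secret, so this COPY bakes the secret into
# every image pushed to the registry. Prefer supplying the file only at run time.
COPY application.yml /opt/shinyproxy/application.yml
COPY templates /opt/shinyproxy/templates
WORKDIR /opt/shinyproxy/
CMD ["java", "-jar", "/opt/shinyproxy/shinyproxy.jar"]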
此服务还使用application.yml,其中包含用于向Keycloak进行身份验证的客户端凭据密钥(credentials-secret):
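# ShinyProxy configuration: Keycloak (OpenID Connect) login, apps started as swarm services.
# NOTE(review): the listing was published with its indentation stripped; the nesting below
# is restored so that `proxy.docker.container-network` resolves as the placeholders expect.
proxy:
  port: 4000
  template-path: /opt/shinyproxy/templates/2col
  authentication: keycloak
  admin-groups: admins
  container-backend: docker-swarm
  docker:
    internal-networking: true
    # Stack name prefix + network name from the stack file.
    container-network: test_sp-example-net
  specs:
    - id: 01_hello
      display-name: Hello Application
      description: Application which demonstrates the basics of a Shiny app
      container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
      container-image: openanalytics/shinyproxy-demo
      container-network: "${proxy.docker.container-network}"
      access-groups: test
    - id: euler
      display-name: Euler's number
      container-cmd: ["R", "-e", "shiny::runApp('/root/euler')"]
      container-image: euler-docker
      container-network: "${proxy.docker.container-network}"
      access-groups: test
  keycloak:
    # SECURITY: `master` is Keycloak's administrative realm. A dedicated realm for
    # application users keeps ShinyProxy logins separate from Keycloak administration.
    realm: master
    auth-server-url: https://analytics.data-mastery.com/auth/
    resource: shinyoid
    # SECURITY: client secret (redacted here). Keep the real value out of version
    # control and out of the image; supply it at deploy time.
    credentials-secret: xxx
logging:
  file: shinyproxy.log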
最佳答案
https://support.openanalytics.eu/t/setting-kubernetes-pod-fields-and-using-multiple-replica-sets/783/2
有状态的应用程序=每个Shinyproxy容器管理自己的状态。因此,当您登录第一个副本时,第二个/第三个副本对此一无所知,它们会把浏览器重定向到Keycloak。由于IDP会话已经打开,Keycloak会立即带着授权码(authorization code)响应重定向回来。但是,该授权码可能由另一个容器处理,而那个容器并没有发起这次登录的会话状态,因此会一次又一次地重定向。原因只是各个ShinyProxy副本不共享同一份状态,而是每个副本都有自己的状态。
如果需要水平扩展,请使用粘性会话(sticky session,例如在Shinyproxy服务前面放置traefik),使每个请求都由同一个Shinyproxy副本处理。否则,请垂直扩展Shinyproxy(分配更多的CPU/内存资源)。