Kubernetes. How to use externally exposed URL of a Service internal of the cluster

2/17/2021

I want to connect from a Service A to a Service B (Keycloak) in Kubernetes, but using the externally exposed URL of Service B, e.g. "auth-dev.localhost".

Because of generic reasons.

Connecting via browser to "auth-dev.localhost" is working, but I can't reach Service B from Service A with this URL declared: "kubernetes.oauth.server.url=http://auth-dev.localhost/auth/realms/test"

Thankful for any ideas...

Feb 17, 2021 4:16:00 PM io.quarkus.hibernate.orm.runtime.proxies.ProxyDefinitions
WARN: Unable to find a build time generated proxy for entity %s
Feb 17, 2021 4:16:01 PM org.jboss.threads
INFO: JBoss Threads version %s
Feb 17, 2021 4:16:01 PM io.quarkus.runtime.ApplicationLifecycleManager run
ERROR: Failed to start application (with profile prod)
java.net.ConnectException: Connection refused
    at java.base/sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
    at java.base/sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:779)
    at io.netty.channel.socket.nio.NioSocketChannel.doFinishConnect(NioSocketChannel.java:330)
    at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:334)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:702)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:834)

Additional Info

Configurations

Service B (Keycloak)

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: keycloak
  name: keycloak
  namespace: ${namespace}
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: keycloak
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - image: ${image}
          imagePullPolicy: Always
          name: keycloak
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
            - containerPort: 5005   # 5005 is the JVM debug (JDWP) port, not HTTPS
              name: https
              protocol: TCP
          envFrom:
            - configMapRef:
                name: keycloak-config
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /auth/realms/master
              port: 8080
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      imagePullSecrets:
        - name: some-name
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      # hostAliases only edit /etc/hosts inside the Keycloak pod; other pods do not see this mapping
      hostAliases:
        - ip: "127.0.0.1"
          hostnames:
            - "auth-dev.localhost"
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: keycloak
  name: keycloak-config
data:
  KEYCLOAK_USER: ${user}
  KEYCLOAK_PASSWORD: ${password}
  PROXY_ADDRESS_FORWARDING: "true"
  DB_VENDOR: "postgres"
  DB_ADDR: ${db.host}
  DB_PORT: ${db.port}
  DB_DATABASE: "the-keycloak-DB"
  DB_USER: ${db.user}
  DB_PASSWORD: ${db.user.password}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: keycloak
  name: ${host}
  namespace: ${namespace}
spec:
  externalTrafficPolicy: Cluster
  ports:
    - name: http
      port: ${port}
      protocol: TCP
      targetPort: 8080
  selector:
    app: keycloak
  sessionAffinity: None
  type: LoadBalancer

Service A

apiVersion: v1
kind: Service
metadata:
  labels:
    app: a-service
  name: a-service
  namespace: ${kubernetes.namespace}
spec:
  externalTrafficPolicy: Cluster
  ports:
    - name: http
      port: ${kubernetes.port}
      protocol: TCP
      targetPort: 8080
    - name: debug
      port: ${kubernetes.debug.port}
      protocol: TCP
      targetPort: 5005
  selector:
    app: a-service
  sessionAffinity: None
  type: LoadBalancer
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: a-service-default
  namespace: ${namespace}
data:
  quarkus.oidc.auth-server-url: ${kubernetes.oauth.server.url}
  quarkus.datasource.jdbc.url: jdbc:postgresql://db-service:5234/a-service
  quarkus.datasource.username: my_user
  quarkus.datasource.password: my_password

Further, an Ingress is configured that redirects auth-dev.localhost to Keycloak, which works from the browser.

-- Dave M
keycloak
kubernetes
load-balancing
service

1 Answer

2/24/2021

What seems to have worked for my problem was:

Declaring a load balancer which redirected auth-dev.localhost to my Service B (Keycloak) and adding to the "hosts" file of the running machine

{IP of service POD} auth-dev.localhost

The IP depends on how you configured Docker. The default range is 192.168.65.0/28.

And I had to declare the port in use, 8080, in Service A as well.

-- Dave M
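The question's manifests and the answer's remark about the missing port declaration both come down to Service/Deployment wiring that can be checked statically before it surfaces as "Connection refused". The script below is an added example, not code from the question, the answer or Keycloak/Quarkus: it cross-checks a set of manifests (held as Python dicts, a trimmed and constructed copy of the ones above; Service A's Deployment is not shown in the question and is assumed here, deliberately without port 5005 so the port check fires) for selectors that match no pod template, targetPorts no selected container exposes, metadata labels that disagree with pod labels (the `keyclaok` typo), and hostAliases that only affect one pod's `/etc/hosts`. It also reports whether a configured URL such as `kubernetes.oauth.server.url` names a cluster Service at all, since only those names are resolvable by every pod through cluster DNS.

```python
"""Static cross-check of Kubernetes Service/Deployment manifests for the
mismatches that show up as 'Connection refused' between two services.
Constructed example: manifests are a trimmed dict-form copy of the question's;
the a-service Deployment is assumed (the question does not show it)."""
from urllib.parse import urlsplit

MANIFESTS = [
    {   # Service B (Keycloak) Deployment, with the label typo from the question
        "kind": "Deployment",
        "metadata": {"name": "keycloak", "labels": {"app": "keyclaok"}},
        "spec": {
            "selector": {"matchLabels": {"app": "keycloak"}},
            "template": {
                "metadata": {"labels": {"app": "keycloak"}},
                "spec": {
                    "containers": [{"name": "keycloak", "ports": [
                        {"containerPort": 8080, "name": "http"},
                        {"containerPort": 5005, "name": "https"}]}],
                    "hostAliases": [{"ip": "127.0.0.1",
                                     "hostnames": ["auth-dev.localhost"]}]}}}},
    {   # Service B (Keycloak) Service
        "kind": "Service", "metadata": {"name": "keycloak"},
        "spec": {"selector": {"app": "keycloak"},
                 "ports": [{"name": "http", "port": 80, "targetPort": 8080}]}},
    {   # Service A Deployment (assumed; constructed to expose only 8080)
        "kind": "Deployment",
        "metadata": {"name": "a-service", "labels": {"app": "a-service"}},
        "spec": {
            "selector": {"matchLabels": {"app": "a-service"}},
            "template": {
                "metadata": {"labels": {"app": "a-service"}},
                "spec": {"containers": [{"name": "a-service", "ports": [
                    {"containerPort": 8080, "name": "http"}]}]}}}},
    {   # Service A Service: 'debug' targets 5005, which the assumed pod lacks
        "kind": "Service", "metadata": {"name": "a-service"},
        "spec": {"selector": {"app": "a-service"},
                 "ports": [{"name": "http", "port": 80, "targetPort": 8080},
                           {"name": "debug", "port": 5005, "targetPort": 5005}]}},
]


def _template(dep):
    return dep["spec"]["template"]


def _container_ports(dep):
    """Every containerPort number and port name exposed by the pod template."""
    ports = set()
    for c in _template(dep)["spec"].get("containers", []):
        for p in c.get("ports", []):
            ports.add(p["containerPort"])
            if p.get("name"):
                ports.add(p["name"])
    return ports


def _selects(selector, labels):
    """A Service selector matches when every selector key/value is on the pod."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def check_manifests(manifests):
    """Return human-readable findings; an empty list means nothing was found."""
    findings = []
    deployments = [m for m in manifests if m["kind"] == "Deployment"]
    services = [m for m in manifests if m["kind"] == "Service"]

    for dep in deployments:
        name = dep["metadata"]["name"]
        pod_labels = _template(dep)["metadata"].get("labels", {})
        for k, v in dep["metadata"].get("labels", {}).items():
            if k in pod_labels and pod_labels[k] != v:
                findings.append(f"Deployment {name}: metadata label {k}={v} differs "
                                f"from pod label {k}={pod_labels[k]} (typo?)")
        # hostAliases rewrite /etc/hosts of this pod only; no other pod sees them
        for alias in _template(dep)["spec"].get("hostAliases", []):
            for host in alias.get("hostnames", []):
                findings.append(f"Deployment {name}: hostAliases maps {host} -> "
                                f"{alias['ip']} inside this pod only")

    for svc in services:
        name = svc["metadata"]["name"]
        selector = svc["spec"].get("selector", {})
        backends = [d for d in deployments
                    if _selects(selector, _template(d)["metadata"].get("labels", {}))]
        if not backends:   # a Service without endpoints rejects connections
            findings.append(f"Service {name}: selector {selector} matches no "
                            "Deployment (no endpoints -> connection refused)")
            continue
        exposed = set().union(*(_container_ports(d) for d in backends))
        for p in svc["spec"].get("ports", []):
            if p["targetPort"] not in exposed:
                findings.append(f"Service {name}: port {p['name']} targets "
                                f"{p['targetPort']}, which no selected container exposes")
    return findings


def url_targets_cluster_service(url, manifests):
    """True if the URL host is a Service name (bare or fully qualified) from the
    manifests, i.e. a name cluster DNS resolves for every pod in the namespace."""
    host = urlsplit(url).hostname or ""
    names = {m["metadata"]["name"] for m in manifests if m["kind"] == "Service"}
    return host in names or host.split(".")[0] in names


if __name__ == "__main__":
    for line in check_manifests(MANIFESTS):
        print("FINDING:", line)
    for u in ("http://auth-dev.localhost/auth/realms/test", "http://keycloak/auth/realms/test"):
        ok = url_targets_cluster_service(u, MANIFESTS)
        print(u, "->", "cluster Service name" if ok else "not a Service name (external DNS/hosts only)")
```

Run as-is it reports the `keyclaok` label mismatch, the loopback hostAlias on the Keycloak pod and the unexposed debug port, and flags `auth-dev.localhost` as a name that cluster DNS does not own, which is why its reachability from a pod depends on the host's resolver rather than on the cluster.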
Source: StackOverflow