feat(auth): support per-deploy login password key override
Multi-replica deployments need every Pod/container to share one RSA private key, otherwise public keys handed to the browser may not match the key that decrypts the resulting ciphertext. Introduce a `*.local.yaml` override layer that ops-config and tenant-config both load on top of the base config, ship example overrides plus compose/k3s wiring, and tolerate PEM bodies that arrive folded or escaped from Secrets.
This commit is contained in:
@@ -40,3 +40,15 @@ Default ports are NAS-friendly:
|
||||
- MinIO console: `19001`
|
||||
|
||||
Edit `.env` before rerunning `bash deploy.sh` if you need real API keys, stronger secrets, or different ports.
|
||||
|
||||
For multi-container / multi-Pod login password encryption, put the same RSA private key in every replica's config override:
|
||||
|
||||
- tenant API: copy `config.local.yaml.example` to `config.local.yaml`, then fill `auth.password_cipher.private_key_pem`
|
||||
- ops API: copy `ops-config.local.yaml.example` to `ops-config.local.yaml`, then fill `auth.password_cipher.private_key_pem`
|
||||
|
||||
Generate keys with:
|
||||
|
||||
```bash
|
||||
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out login-password-rsa.pem
|
||||
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ops-login-password-rsa.pem
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user