feat(auth): support per-deploy login password key override
Deployment Config CI / Deployment Config (push) Successful in 27s
Backend CI / Backend (push) Successful in 15m4s

Multi-replica deployments need every Pod/container to share one RSA private key, otherwise public keys handed to the browser may not match the key that decrypts the resulting ciphertext. Introduce a `*.local.yaml` override layer that ops-config and tenant-config both load on top of the base config, ship example overrides plus compose/k3s wiring, and tolerate PEM bodies that arrive folded or escaped from Secrets.
This commit is contained in:
2026-05-14 11:54:40 +08:00
parent 2bc192b3c7
commit b939cfa2fa
16 changed files with 310 additions and 10 deletions
+11
View File
@@ -0,0 +1,11 @@
auth:
password_cipher:
enabled: true
key_id: login-password-rsa-oaep-v1
# 多 Pod / 多容器部署必须使用同一把私钥。复制本文件为 config.local.yaml
# 再粘贴完整 PEM;不要提交生产私钥。留空时应用会生成单进程临时私钥,
# 只适合本机单副本试跑,不适合多副本生产。
#
# 生成示例:
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out login-password-rsa.pem
private_key_pem: ""