feat(auth): support per-deploy login password key override
Multi-replica deployments need every Pod/container to share one RSA private key, otherwise public keys handed to the browser may not match the key that decrypts the resulting ciphertext. Introduce a `*.local.yaml` override layer that ops-config and tenant-config both load on top of the base config, ship example overrides plus compose/k3s wiring, and tolerate PEM bodies that arrive folded or escaped from Secrets.
This commit is contained in:
@@ -1,6 +1,11 @@
|
||||
server:
|
||||
port: 8090
|
||||
mode: release
|
||||
# 生产环境请配置为真实运维后台域名,例如 https://ops.example.com。
|
||||
# 留空时沿用开发环境 CORS 放开策略。
|
||||
allowed_origins: []
|
||||
security_headers:
|
||||
enabled: true
|
||||
trusted_proxies:
|
||||
- 127.0.0.1
|
||||
- ::1
|
||||
@@ -43,6 +48,14 @@ jwt:
|
||||
secret: "geo-ops-15645415841"
|
||||
access_ttl: 8h
|
||||
|
||||
auth:
|
||||
password_cipher:
|
||||
# 留空 private_key_pem 时会在单进程内生成临时密钥;生产多 Pod 请在
|
||||
# geo-rankly-app-secret/ops-config.local.yaml 中配置同一把私钥。
|
||||
enabled: true
|
||||
key_id: ops-password-rsa-oaep-v1
|
||||
private_key_pem: ""
|
||||
|
||||
default_admin:
|
||||
username: admin
|
||||
display_name: system-admin
|
||||
|
||||
Reference in New Issue
Block a user