feat(auth): support per-deploy login password key override
Multi-replica deployments need every Pod/container to share one RSA private key, otherwise public keys handed to the browser may not match the key that decrypts the resulting ciphertext. Introduce a `*.local.yaml` override layer that ops-config and tenant-config both load on top of the base config, ship example overrides plus compose/k3s wiring, and tolerate PEM bodies that arrive folded or escaped from Secrets.
This commit is contained in:
@@ -35,3 +35,25 @@ stringData:
|
||||
|
||||
browser_fetch:
|
||||
token: ${BROWSER_FETCH_TOKEN:geo-browser-fetch-change-me}
|
||||
|
||||
auth:
|
||||
password_cipher:
|
||||
enabled: true
|
||||
key_id: login-password-rsa-oaep-v1
|
||||
# 多 Pod 必须使用同一把私钥;上线前用 `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048`
|
||||
# 生成后粘贴完整 PEM。不要把生产私钥提交到代码仓库。
|
||||
private_key_pem: |
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
REPLACE_WITH_TENANT_LOGIN_PASSWORD_RSA_PRIVATE_KEY
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
ops-config.local.yaml: |
|
||||
auth:
|
||||
password_cipher:
|
||||
enabled: true
|
||||
key_id: ops-password-rsa-oaep-v1
|
||||
# 建议与租户端使用不同私钥;所有 ops-api Pod 必须挂载同一份 Secret。
|
||||
private_key_pem: |
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
REPLACE_WITH_OPS_LOGIN_PASSWORD_RSA_PRIVATE_KEY
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
Reference in New Issue
Block a user