b939cfa2fa
Multi-replica deployments need every Pod/container to share one RSA private key, otherwise public keys handed to the browser may not match the key that decrypts the resulting ciphertext. Introduce a `*.local.yaml` override layer that ops-config and tenant-config both load on top of the base config, ship example overrides plus compose/k3s wiring, and tolerate PEM bodies that arrive folded or escaped from Secrets.
55 lines
1.7 KiB
Markdown
55 lines
1.7 KiB
Markdown
# geo-rankly offline package
|
|
|
|
This directory is self-contained. It deploys containers, not host binaries.
|
|
|
|
On a Docker host with Docker Compose v2:
|
|
|
|
```bash
|
|
bash deploy.sh compose
|
|
```
|
|
|
|
`compose` is the default, so this is equivalent:
|
|
|
|
```bash
|
|
bash deploy.sh
|
|
```
|
|
|
|
`deploy.sh compose` loads `images.tar`, creates `.env` from `.env.example` when missing, and starts the stack with:
|
|
|
|
```bash
|
|
docker compose -f docker-compose.yaml -f docker-compose.offline.yaml --env-file .env up -d
|
|
```
|
|
|
|
Runtime services connect to Postgres through PgBouncer in `session` pooling mode. The one-shot `migrate` job still connects directly to `postgres` and `monitoring-postgres` so DDL and seed work do not go through the pooler.
|
|
|
|
On a k3s host:
|
|
|
|
```bash
|
|
bash deploy.sh k3s
|
|
```
|
|
|
|
This imports `images.tar` into k3s containerd and applies `k3s/` with Kustomize.
|
|
|
|
Default ports are NAS-friendly:
|
|
|
|
- tenant web: `18080`
|
|
- tenant API: `18081`
|
|
- ops web: `18082`
|
|
- ops API: `18090`
|
|
- RabbitMQ management: `15673`
|
|
- MinIO console: `19001`
|
|
|
|
Edit `.env` before rerunning `bash deploy.sh` if you need real API keys, stronger secrets, or different ports.
|
|
|
|
For multi-container / multi-Pod login password encryption, put the same RSA private key in every replica's config override:
|
|
|
|
- tenant API: copy `config.local.yaml.example` to `config.local.yaml`, then fill `auth.password_cipher.private_key_pem`
|
|
- ops API: copy `ops-config.local.yaml.example` to `ops-config.local.yaml`, then fill `auth.password_cipher.private_key_pem`
|
|
|
|
Generate keys with:
|
|
|
|
```bash
|
|
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out login-password-rsa.pem
|
|
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ops-login-password-rsa.pem
|
|
```
|