Multi-replica deployments need every Pod/container to share one RSA private key, otherwise public keys handed to the browser may not match the key that decrypts the resulting ciphertext. Introduce a `*.local.yaml` override layer that ops-config and tenant-config both load on top of the base config, ship example overrides plus compose/k3s wiring, and tolerate PEM bodies that arrive folded or escaped from Secrets.
1.7 KiB
geo-rankly offline package
This directory is self-contained. It deploys containers, not host binaries.
On a Docker host with Docker Compose v2:
bash deploy.sh compose
compose is the default, so this is equivalent:
bash deploy.sh
deploy.sh compose loads images.tar, creates .env from .env.example when missing, and starts the stack with:
docker compose -f docker-compose.yaml -f docker-compose.offline.yaml --env-file .env up -d
Runtime services connect to Postgres through PgBouncer in session pooling mode. The one-shot migrate job still connects directly to postgres and monitoring-postgres so DDL and seed work do not go through the pooler.
On a k3s host:
bash deploy.sh k3s
This imports images.tar into k3s containerd and applies k3s/ with Kustomize.
Default ports are NAS-friendly:
- tenant web:
18080 - tenant API:
18081 - ops web:
18082 - ops API:
18090 - RabbitMQ management:
15673 - MinIO console:
19001
Edit .env before rerunning bash deploy.sh if you need real API keys, stronger secrets, or different ports.
For multi-container / multi-Pod login password encryption, put the same RSA private key in every replica's config override:
- tenant API: copy
config.local.yaml.exampletoconfig.local.yaml, then fillauth.password_cipher.private_key_pem - ops API: copy
ops-config.local.yaml.exampletoops-config.local.yaml, then fillauth.password_cipher.private_key_pem
Generate keys with:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out login-password-rsa.pem
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ops-login-password-rsa.pem