Files
geo/deploy/OFFLINE_PACKAGE.md
T
root b939cfa2fa
Deployment Config CI / Deployment Config (push) Successful in 27s
Backend CI / Backend (push) Successful in 15m4s
feat(auth): support per-deploy login password key override
Multi-replica deployments need every Pod/container to share one RSA private key, otherwise public keys handed to the browser may not match the key that decrypts the resulting ciphertext. Introduce a `*.local.yaml` override layer that ops-config and tenant-config both load on top of the base config, ship example overrides plus compose/k3s wiring, and tolerate PEM bodies that arrive folded or escaped from Secrets.
2026-05-14 11:54:40 +08:00

1.7 KiB

geo-rankly offline package

This directory is self-contained. It deploys containers, not host binaries.

On a Docker host with Docker Compose v2:

bash deploy.sh compose

compose is the default, so this is equivalent:

bash deploy.sh

deploy.sh compose loads images.tar, creates .env from .env.example when missing, and starts the stack with:

docker compose -f docker-compose.yaml -f docker-compose.offline.yaml --env-file .env up -d

Runtime services connect to Postgres through PgBouncer in session pooling mode. The one-shot migrate job still connects directly to postgres and monitoring-postgres so DDL and seed work do not go through the pooler.

On a k3s host:

bash deploy.sh k3s

This imports images.tar into k3s containerd and applies k3s/ with Kustomize.

Default ports are NAS-friendly:

  • tenant web: 18080
  • tenant API: 18081
  • ops web: 18082
  • ops API: 18090
  • RabbitMQ management: 15673
  • MinIO console: 19001

Edit .env before rerunning bash deploy.sh if you need real API keys, stronger secrets, or different ports.

For multi-container / multi-Pod login password encryption, put the same RSA private key in every replica's config override:

  • tenant API: copy config.local.yaml.example to config.local.yaml, then fill auth.password_cipher.private_key_pem
  • ops API: copy ops-config.local.yaml.example to ops-config.local.yaml, then fill auth.password_cipher.private_key_pem

Generate keys with:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out login-password-rsa.pem
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ops-login-password-rsa.pem