docs: 认证授权服务部署文档
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/0.personal-security-center-base.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/0.personal-security-center-base.yaml
new file mode 100644
index 0000000..11139b2
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/0.personal-security-center-base.yaml
@@ -0,0 +1,144 @@
+# personal-security-center-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: personal-security-center
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
+
+####################################################
+# redis-server
+####################################################
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: personal-security-center
+type: Opaque
+data:
+ REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: personal-security-center
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ protocol: TCP
+ targetPort: redis
+ selector:
+ app: redis
+ release: redis-server
+ role: master
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: personal-security-center
+spec:
+ podManagementPolicy: OrderedReady
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: redis
+ release: redis-server
+ role: master
+ serviceName: redis-master
+ template:
+ metadata:
+ labels:
+ app: redis
+ release: redis-server
+ role: master
+ spec:
+ containers:
+ - name: redis-server
+ env:
+ - name: REDIS_DISABLE_COMMANDS
+ value: FLUSHDB,FLUSHALL
+ - name: REDIS_REPLICATION_MODE
+ value: master
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: redis-server
+ key: REDIS_PASSWORD
+ # 若使用了学校搭设的私有仓库,请修改
+ image: bitnami/redis:4.0
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ livenessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 6379
+ name: redis
+ protocol: TCP
+ readinessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - mountPath: /bitnami/redis/data
+ name: redis-data
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 1001
+ # runAsUser: 1001
+ # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372
+ runAsUser: 0
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - emptyDir: {}
+ name: redis-data
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可)
+ # imagePullSecrets:
+ # - name: harbor-registry
+ updateStrategy:
+ rollingUpdate:
+ partition: 0
+ type: RollingUpdate
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/1.personal-security-center-env.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/1.personal-security-center-env.yaml
new file mode 100644
index 0000000..4611488
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/1.personal-security-center-env.yaml
@@ -0,0 +1,22 @@
+# personal-security-center-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: personal-security-center
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: personal-security-center
+ name: redis-env-secret
+type: Opaque
+data:
+ SPRING_REDIS_HOST: cmVkaXMtc2VydmVy
+ SPRING_REDIS_PORT: NjM3OQ==
+ SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml
new file mode 100644
index 0000000..c0eeb64
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml
@@ -0,0 +1,41 @@
+# personal-security-center-ingresses.yaml
+
+
+# 个人中心后端接口
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: personal-security-center.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: personal-security-center-zuul-svc
+ servicePort: http
+
+
+# 安全中心前端
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: personal-security-center
+ name: security-center-ui-ingress
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: security-center.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: security-center-ui-svc
+ servicePort: http
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml
new file mode 100644
index 0000000..4da5aa2
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml
@@ -0,0 +1,232 @@
+# personal-security-center-bff.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-bff-template-env
+data:
+ # 根据情况,修改邮件模板
+ EMAIL_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_EMAIL_ADDRESS: "{name}:您正在激活帐号,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。"
+ EMAIL_TEMPLATE_FORGOT_PASSWORD_SEND_CODE: "{name}:您正在找回密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+
+ EMAIL_TEMPLATE_USER_SECURITY_PASSWORD_SEND_CODE: "{name}:您正在修改密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ EMAIL_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE: "{name}:您正在修改安全邮箱,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ EMAIL_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE_BY_EMAIL_ADDRESS: "{name}:您正在修改安全邮箱,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。"
+ EMAIL_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE: "{name}:您正在修改安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+
+ EMAIL_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE: "{name}:您正在绑定QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ EMAIL_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE_UNBIND_QQ: "{name}:您正在解绑QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ EMAIL_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE: "{name}:您正在绑定微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ EMAIL_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE_UNBIND_OPENWEIXIN: "{name}:您正在解绑微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ EMAIL_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE: "{name}:您正在绑定企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ EMAIL_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE_UNBIND_WORKWEIXIN: "{name}:您正在解绑企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ EMAIL_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE: "{name}:您正在绑定支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ EMAIL_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE_UNBIND_ALIPAY: "{name}:您正在解绑支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+
+ # 根据情况,修改短信模板
+ SMS_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_MOBILE: "{prefix}{name}:您正在激活帐号,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。"
+ SMS_TEMPLATE_FORGOT_PASSWORD_SEND_CODE: "{prefix}{name}:您正在找回密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+
+ SMS_TEMPLATE_USER_SECURITY_PASSWORD_SEND_CODE: "{prefix}{name}:您正在修改密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ SMS_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE: "{prefix}{name}:您正在修改安全邮箱,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ SMS_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE: "{prefix}{name}:您正在修改安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ SMS_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE_BY_MOBILE: "{prefix}{name}:您正在修改安全手机,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。"
+
+ SMS_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE: "{prefix}{name}:您正在绑定QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ SMS_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE_UNBIND_QQ: "{prefix}{name}:您正在解绑QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ SMS_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE: "{prefix}{name}:您正在绑定微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ SMS_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE_UNBIND_OPENWEIXIN: "{prefix}{name}:您正在解绑微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ SMS_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE: "{prefix}{name}:您正在绑定企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ SMS_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE_UNBIND_WORKWEIXIN: "{prefix}{name}:您正在解绑企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ SMS_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE: "{prefix}{name}:您正在绑定支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+ SMS_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE_UNBIND_ALIPAY: "{prefix}{name}:您正在解绑支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。"
+
+ SMS_TEMPLATE_PREFIX: ""
+
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-bff-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+ SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
+ SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
+ SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_PERSONAL_SECURITY_CENTER_BFF: INFO
+
+
+ # 修改为学校的 personal-security-center 的访问域名
+ PERSONAL_SECURITY_CENTER_SERVER_PREFIX: http://personal-security-center.paas.xxx.edu.cn
+ # 修改为学校的 cas 的访问域名
+ CAS_SERVER_PREFIX: http://cas.paas.xxx.edu.cn/cas
+
+ PERSONAL_SECURITY_BFF_NONCE_STORE_IMPL: redis
+
+
+ # 新开普人脸对接配置
+ # 修改为实际项目配置
+ PERSONAL_SECURITY_BFF_FACE_AIFACE_URL: "http://117.158.17.228:3003/aiface"
+ PERSONAL_SECURITY_BFF_FACE_AIFACE_APPKEY: "GcacXnw46DxMAApNoSTX"
+ PERSONAL_SECURITY_BFF_FACE_AIFACE_APPSECRET: "eXl15kcYGBdCYTOCFD21"
+ PERSONAL_SECURITY_BFF_FACE_AIFACE_SECRETKEY: "12345678abcdefgh87654321"
+ PERSONAL_SECURITY_BFF_FACE_AIFACE_TERM_CODE: "12"
+
+
+ CASSERVER_SITE_SERVER_URL: http://cas-server-site-webapp-svc.cas-server.svc.cluster.local:8080/cas
+ CASSERVER_SITE_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SITE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SITE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SITE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SITE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SITE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ # PERSONAL_SECURITY_CENTER_SA_API_SERVER_URL: http://personal-security-center-sa-api-svc.personal-security-center.svc.cluster.local:8080
+ # PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/db
+ TPAS_MAIL_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/mail/smtp
+ TPAS_SMS_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/sms/console
+ TPAS_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ # COMMUNICATOR_EMAIL_MAIL_SERVER_HOST: "smtp.supwisdom.com"
+ # COMMUNICATOR_EMAIL_MAIL_SERVER_PORT: "25"
+ # COMMUNICATOR_EMAIL_USER_NAME: "security.institute@supwisdom.com"
+ # COMMUNICATOR_EMAIL_PASSWORD: "Security2019"
+ # COMMUNICATOR_EMAIL_VALIDATE: "true"
+
+ # COMMUNICATOR_SMS_SENDER_URL: https://agent-service-api.supwisdom.com/api/v1/tpas/sms/console/send
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-bff-env-secret
+type: Opaque
+data:
+
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-bff-svc
+ labels:
+ app: personal-security-center-bff
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: personal-security-center-bff
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-bff
+spec:
+ selector:
+ matchLabels:
+ app: personal-security-center-bff
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: personal-security-center-bff
+ spec:
+ containers:
+ - name: personal-security-center-bff
+ # 若使用了学校搭设的私有仓库,请修改
+ image: harbor.supwisdom.com/personal-security-center/personal-security-bff:1.0.2-SNAPSHOT
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: redis-env-secret
+ - secretRef:
+ name: personal-security-center-bff-env-secret
+ - configMapRef:
+ name: personal-security-center-bff-env
+ - configMapRef:
+ name: personal-security-center-bff-template-env
+ resources:
+ requests:
+ memory: "400Mi"
+ limits:
+ memory: "400Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml
new file mode 100644
index 0000000..19aa3a3
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml
@@ -0,0 +1,169 @@
+# personal-security-center-zuul.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-zuul-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+ ZUUL_HOST_MAX_PER_ROUTE_CONNECTIONS: "1000"
+ ZUUL_HOST_MAX_TOTAL_CONNECTIONS: "1000"
+
+ ZUUL_SEMAPHORE_MAX_SEMAPHORES: "10000"
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_PERSONAL_SECURITY_CENTER: INFO
+
+
+ ZUUL_ROUTES_PERSONAL_ME_URL: http://personal-security-center-bff-svc.personal-security-center.svc.cluster.local:8080/api/v1/me
+ ZUUL_ROUTES_PERSONAL_BFF_URL: http://personal-security-center-bff-svc.personal-security-center.svc.cluster.local:8080/api/v1
+
+ ZUUL_ROUTES_USER_BIZ_URL: http://user-data-service-biz-svc.user-data-service.svc.cluster.local:8080/api/v1/user/biz
+
+ # 修改为学校的 portal 的访问域名
+ ZUUL_ROUTES_PORTAL_URL: http://portal.paas.xxx.edu.cn/portal-web/api
+
+
+ INFRAS_SECURITY_BASIC_ENABLED: "false"
+
+ INFRAS_SECURITY_JWT_ENABLED: "true"
+ #INFRAS_SECURITY_JWT_KEY_ALIAS: "supwisdom-jwt-key"
+ #INFRAS_SECURITY_JWT_KEY_PASSWORD: "changeit"
+ #INFRAS_SECURITY_JWT_KEY_STORE: "file:/certs/jwt/jwt.keystore"
+ #INFRAS_SECURITY_JWT_KEY_STORE_PASSWORD: "changeit"
+
+ INFRAS_SECURITY_JWT_TOKEN_GENERATE_TYPE: cas
+ INFRAS_SECURITY_JWT_TOKEN_DECRYPT_KEY_PRIVATE_KEY_PEM_PKCS8: ""
+ INFRAS_SECURITY_JWT_TOKEN_SIGNING_KEY_URL: "http://cas-server-site-webapp-svc.cas-server.svc.cluster.local:8080/cas/jwt/publicKey"
+
+
+ INFRAS_SECURITY_CAS_ENABLED: "true"
+ # 修改为学校的 personal-security-center 的访问域名
+ APP_SERVER_HOST_URL: "http://personal-security-center.paas.xxx.edu.cn"
+ #APP_LOGIN_URL: "/cas/login"
+ #APP_LOGOUT_URL: "/cas/logout"
+ # 修改为学校的 cas 的访问域名
+ CAS_SERVER_HOST_URL: "http://cas.paas.xxx.edu.cn/cas"
+
+
+ ZUUL_HTTPCLIENT_CLIENT_AUTH_ENABLED: "false"
+ #ZUUL_HTTPCLIENT_CLIENT_AUTH_KEY_PASSWORD: ""
+ #ZUUL_HTTPCLIENT_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #ZUUL_HTTPCLIENT_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+
+
+ USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ USER_AUTHZ_SERVICE_SERVER_URL: http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ USER_AUTHZ_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-zuul-env-secret
+type: Opaque
+data:
+ # 参考 certs/jwt/readme.md 生成公私钥pem,替换相关配置
+ INFRAS_SECURITY_JWT_PUBLIC_KEY_PEM: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDeW9BNzhMbTlHT3NlS1pPL1lZenlWWUJ6cQpaREVzdWlXNVFleXJDL2JFWFZrT2lKc0RnNFRjc2o5Vnp5dGp2MEFZVmxEcmkxdlExaWZhSG9HN0Z1dE40cTVICllxbGZDSzdvOXpNRWo2cU40NFIydUtjR3BCQnd0WlNCZGxWc2tLZ2NOWGlvU3RTRjZZTFp1Q25jWU5HUXZaOSsKeGY5bll5L09scXczWUFQRUx3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
+ INFRAS_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUNlQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQW1Jd2dnSmVBZ0VBQW9HQkFMS2dEdnd1YjBZNng0cGsKNzloalBKVmdIT3BrTVN5NkpibEI3S3NMOXNSZFdRNkltd09EaE55eVAxWFBLMk8vUUJoV1VPdUxXOURXSjlvZQpnYnNXNjAzaXJrZGlxVjhJcnVqM013U1BxbzNqaEhhNHB3YWtFSEMxbElGMlZXeVFxQncxZUtoSzFJWHBndG00CktkeGcwWkM5bjM3Ri8yZGpMODZXckRkZ0E4UXZBZ01CQUFFQ2dZRUFuakhFczdDSUdlR0t3TlZkMlAwaU5ZU1cKZHp0ZWxhY1NLN3puMWlCVlhsanh1ejVlVXNGU2xJWkVNMEd6d3JZcEZLUzFLN1lURGFQc1RXOUJJNmxMb0FaawpnaU1vOUE5YnMzdW5XOEg3N2M5T3NTUXZpdHM1eGp3MEJ0dFo0dVhwYmdlUlJmS1dFOFp6MngyYWFIeVdyU1ZIClJINGVya3JYSTFrZzZwQTlyaWtDUVFEaVd0VW5kWktpWHFNTkhJb1RrOUpLNXFyaVJqdS9FTzdtVncvRGo4RmEKSVhFOTMvTkhSVllMZ3E2cFY4SUJiNmlhZnpXbittdkplR3AvbEJsaU81dHpBa0VBeWdUMTE4V25jaFl5elNlTAp3NlVDUkhIOHlJRGx6aGwzWFhxTnhDV2M5V1dGbVpZSERIVy92L2x5dnpwUEtmb3VucmhoUTVXY2g4eGVDSDVqCml1WjlWUUpCQUtsRkJkdUJSOHVXZTlaRlBsaFBsZFlmVXpEdEZxYldVZUQ4d0RRZFg1azRJd2dEWGxrdzE1eTUKK0VWNDlBTEE3bFBDeDJ3N2o3bFZERWNsaUNuMnExTUNRQnltSTI4Y0dxajFPUE1iSHBqNk41NFpSQzN6Q2FQMgp2SlRISW4ra2plUEhKL0VsODQzeXpPU2VyWVVzOGJrVVA3UkdsWlNPRFFxOUVzREZtN3hBLzVrQ1FRQ3A1ZldQCnNWbjFsek15ckYxNHJSK0ZSSWZMazBFMnBMdm5aYzV0NjB3OFpzSVFPRGlOTXZvSDRZUEdSemFpcG9LQnlSeE0KazR1WElVVTMxaVN6VGR4ZgotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0t
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-zuul-svc
+ labels:
+ app: personal-security-center-zuul
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: personal-security-center-zuul
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-zuul
+spec:
+ selector:
+ matchLabels:
+ app: personal-security-center-zuul
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: personal-security-center-zuul
+ spec:
+ containers:
+ - name: personal-security-center-zuul
+ # 若使用了学校搭设的私有仓库,请修改
+ image: harbor.supwisdom.com/personal-security-center/personal-security-zuul:1.0.2-SNAPSHOT
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: personal-security-center-zuul-env-secret
+ - configMapRef:
+ name: personal-security-center-zuul-env
+ resources:
+ requests:
+ memory: "400Mi"
+ limits:
+ memory: "400Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml
new file mode 100644
index 0000000..1bba8ac
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml
@@ -0,0 +1,70 @@
+# 4.9.security-center-ui.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: personal-security-center
+ name: security-center-ui-env
+data:
+ SCHOOL_NAME: sw
+ MAIN_SERVER: http://security-center.paas.xxx.edu.cn
+
+ PERSONAL_CENTER_API: http://personal-security-center.paas.xxx.edu.cn
+
+ AUTH_CAS: http://cas.paas.xxx.edu.cn/cas
+ JWT_ISS: http://cas.paas.xxx.edu.cn/cas
+ JWT_SECRET: (@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: personal-security-center
+ name: security-center-ui-svc
+ labels:
+ app: security-center-ui-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: security-center-ui
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: personal-security-center
+ name: security-center-ui
+spec:
+ selector:
+ matchLabels:
+ app: security-center-ui
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: security-center-ui
+ spec:
+ containers:
+ - name: security-center-ui
+ # 若使用了学校搭设的私有仓库,请修改
+ image: harbor.supwisdom.com/personal-security-center/security-center-ui:0.0.1
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 80
+ name: http
+ envFrom:
+ - configMapRef:
+ name: security-center-ui-env
+ resources:
+ requests:
+ memory: "128Mi"
+ limits:
+ memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/certs/jwt/readme.md b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/certs/jwt/readme.md
new file mode 100644
index 0000000..3c94b3e
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/certs/jwt/readme.md
@@ -0,0 +1,83 @@
+# readme.md
+
+
+## 使用 openssl 生成 公私钥
+
+
+1. 生成私钥 App Private Key
+
+必须为 RSA2(SHA256)
+
+```bash
+openssl genrsa -out jwt_private_key.pem 1024
+```
+
+2. 将私钥转换为 PKCS8 格式
+
+```bash
+openssl pkcs8 -topk8 -inform PEM -in jwt_private_key.pem -outform PEM -nocrypt -out jwt_private_key_pkcs8.pem
+```
+
+3. 导出公钥 App Public Key
+
+```bash
+openssl rsa -in jwt_private_key.pem -pubout -out jwt_public_key.pem
+```
+
+4. 将 jwt_public_key.pem 中的内容,去除换行和空格,转成字符串。
+
+处理前:
+```language
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBr5wUHXSlLSFU17T4wDX8ehAI
+2nnZxCc2SnpgfNwuR3jvViSVyr+Pd6JJEeMcl397qKjWqFD/CRlUSB/UEPQRxxbB
+XVlXRB289KE9xteDk04bU17ILgX8Vz/7LFRLn2CpaCSICfWENhoMRJm7xIAodrI3
+FugvRF/6jdTQis2LcQIDAQAB
+-----END PUBLIC KEY-----
+```
+处理后:
+```language
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBr5wUHXSlLSFU17T4wDX8ehAI2nnZxCc2SnpgfNwuR3jvViSVyr+Pd6JJEeMcl397qKjWqFD/CRlUSB/UEPQRxxbBXVlXRB289KE9xteDk04bU17ILgX8Vz/7LFRLn2CpaCSICfWENhoMRJm7xIAodrI3FugvRF/6jdTQis2LcQIDAQAB
+-----END PUBLIC KEY-----
+```
+
+4. 将 jwt_private_key_pkcs8.pem 中的内容,去除换行和空格,转成字符串。
+
+处理前:
+```language
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMGvnBQddKUtIVTX
+tPjANfx6EAjaednEJzZKemB83C5HeO9WJJXKv493okkR4xyXf3uoqNaoUP8JGVRI
+H9QQ9BHHFsFdWVdEHbz0oT3G14OTThtTXsguBfxXP/ssVEufYKloJIgJ9YQ2GgxE
+mbvEgCh2sjcW6C9EX/qN1NCKzYtxAgMBAAECgYBKBSjq7w7jCUpRuFYrMpnvMV7r
+Y0NqG/K4ZuI5+b3T2fC31v4IWQG4fIoCztky1hscUSqlTpIVxY5ujVnMm+YKMXs+
+qW2zyUdvoqUbFNAZstYatg6FQ7QlwXMDnIzlq6w5lEofsO46+0kH/d9IX+cPN0nH
+04J1UKwg0ugyjYVUAQJBAP8di+ECIJkVTbi96JWMCfK1eYdxwe+8DEd7kcW2P6qU
+/0fxP6qExkbFqPWQbJVNvOKmH5tVW5oi4Q7vaT4MzJECQQDCW4kMG7a6yBKRWZ1/
+hAixqumBv5FFCnL/yzqH6a5n8tb91vcQCwBGfu+YeQt8zVI56BTP4AJDF5KQu1vq
+kcDhAkEA+YaHu2QeSDzrEShG5obbcBaKMK1WmEqg5AX8FZrleM5VRqOztvA5Ex3f
+3ZgObJZlinYb8g2yE/fLk5UdpgBU0QJAFw+FU0p2g/L5QQXBCkBAR9RfoGV6dxam
+TnNunnG7n9nQaI35Ao5LmhG1nAHAuy4hc311+rQ5kHxbh5Czd0GUAQJBALxZpqPZ
+y7LrKmTbVLAdd0K1dQ3jWUsqk5HXwlxzrmmypn5ut41zwZQl0znyrv7XcfDZ6dqR
+hh20uoiJ/Hfky6A=
+-----END PRIVATE KEY-----
+```
+处理后:
+```language
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMGvnBQddKUtIVTXtPjANfx6EAjaednEJzZKemB83C5HeO9WJJXKv493okkR4xyXf3uoqNaoUP8JGVRIH9QQ9BHHFsFdWVdEHbz0oT3G14OTThtTXsguBfxXP/ssVEufYKloJIgJ9YQ2GgxEmbvEgCh2sjcW6C9EX/qN1NCKzYtxAgMBAAECgYBKBSjq7w7jCUpRuFYrMpnvMV7rY0NqG/K4ZuI5+b3T2fC31v4IWQG4fIoCztky1hscUSqlTpIVxY5ujVnMm+YKMXs+qW2zyUdvoqUbFNAZstYatg6FQ7QlwXMDnIzlq6w5lEofsO46+0kH/d9IX+cPN0nH04J1UKwg0ugyjYVUAQJBAP8di+ECIJkVTbi96JWMCfK1eYdxwe+8DEd7kcW2P6qU/0fxP6qExkbFqPWQbJVNvOKmH5tVW5oi4Q7vaT4MzJECQQDCW4kMG7a6yBKRWZ1/hAixqumBv5FFCnL/yzqH6a5n8tb91vcQCwBGfu+YeQt8zVI56BTP4AJDF5KQu1vqkcDhAkEA+YaHu2QeSDzrEShG5obbcBaKMK1WmEqg5AX8FZrleM5VRqOztvA5Ex3f3ZgObJZlinYb8g2yE/fLk5UdpgBU0QJAFw+FU0p2g/L5QQXBCkBAR9RfoGV6dxamTnNunnG7n9nQaI35Ao5LmhG1nAHAuy4hc311+rQ5kHxbh5Czd0GUAQJBALxZpqPZy7LrKmTbVLAdd0K1dQ3jWUsqk5HXwlxzrmmypn5ut41zwZQl0znyrv7XcfDZ6dqRhh20uoiJ/Hfky6A=
+-----END PRIVATE KEY-----
+```
+
+
+5. (可选)将pem内容进行 base64 编码后,配置到k8s
+
+echo -n '-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzgNo1jsexpIahW50bbEFcJV6qzOnjjMBum4jMB/CgkJqZHxEh9u1yhdzfdHI+TJREy9RuoqumdRGpVA+YXOwHZnPUU/cHQQkITViPVPSvIHLKA7eqHbmb9FZdQZfFmadBm+AcVpQG+h4SuJgD5yAtye7oRLzxEGXZM+trt8HoFwIDAQAB
+-----END PUBLIC KEY-----' |base64
+
+
+echo -n '-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAPOA2jWOx7GkhqFbnRtsQVwlXqrM6eOMwG6biMwH8KCQmpkfESH27XKF3N90cj5MlETL1G6iq6Z1EalUD5hc7Admc9RT9wdBCQhNWI9U9K8gcsoDt6oduZv0Vl1Bl8WZp0Gb4BxWlAb6HhK4mAPnIC3J7uhEvPEQZdkz62u3wegXAgMBAAECgYEA7mA8veOJsGjs9zd1ZKwki+11cGVrrjxTAbS3RW2cbcNB5RZZslNF/i/3mrUnRb+4AmU8EBalTS4b3RUSs0h8MZV9ObLazZg/c8GlLJeISuRWSuCG7ysvn4NS5ncCj5LW/0w6qKTtzIZqKdMbKfPl1xs+fPCaqlv7mpzIGUYGOKECQQD9125TlH6ftXoR5qaN6CLUuRpdpizjE59pmQMxgL/MQS45G9pUtTHfCZVDKgftqHFZEhL2ysrCbl7TFwHJ2wjHAkEA9ZLqvVPP4RLl78lt/OjLRliGDCeWkw5samzeveIsiaeWItsHzcGqipVw1zCaRRlY/hPs4uHSY0hWWV1+SGr2MQJAcgNdLnU4GovsdDXhAUQOwPUS/pUw/B1IMKnlYUqu2xM7q7Ly8bEg4UjwneY3AWvy3Urc8bRMNeBU/wMKbpvO6QJAVUuZQvdYbdmtidLR5BVLfXyD2rbpYtyQpYp490UWqR1PVX30QPAydv4e+m9ENhnuwhlTnx5Gf/uBGnsRwL9+EQJAcB6ptBg0drWmnpDC3HhFUSWaBVp6BAZic/YeC95pwynlcKScCTI+IY+wXKWRQwcqb2K+STaX4vhsTDLxDZaJAw==
+-----END PRIVATE KEY-----' |base64