Merge branch '1.3.x' into 1.4.x
diff --git a/ReleaseNotes.md b/ReleaseNotes.md
index 9090c0c..c91daf1 100644
--- a/ReleaseNotes.md
+++ b/ReleaseNotes.md
@@ -1,5 +1,7 @@
# 认证授权产品发布说明 ReleaseNotes
+[TOC]
+
## 版本说明
@@ -18,8 +20,24 @@
#### develop
-##### 1.3.0 (SNAPSHOT)
+##### 1.4.0 (SNAPSHOT)
+chore: 升级版本,1.4.0-SNAPSHOT
+
+
+#### 1.3.x
+
+##### 1.3.1 (SNAPSHOT)
+
+chore: 升级版本,1.3.1-SNAPSHOT
+
+
+##### 1.3.0
+
+chore: 发布版本 1.3.0-RELEASE
+chore: 新分支1.3.x,预发布,版本号 1.3.0-SNAPSHOT
+feat: 人脸识别接口,支持新开普人脸、百度人脸
+feat: 默认关闭db连接
chore: 升级版本,1.3.0-SNAPSHOT
@@ -56,8 +74,28 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 日志管理bug修复;用户授权模板中文乱码
+fix: 日志管理bug修复
+fix: authx-log日志代码调整,操作数据类型修改为枚举
+feat: 对接authx-log记录日志
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -157,8 +195,29 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+fix: 日志管理组织机构查询结果不正确修改
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 修改日志管理bug
+feat: 双因子认证;二次认证
+fix: 人员详情问题修改
+feat: 日志管理
+fix: 人员管理删除人员bug
chore: 升级版本,1.4.0-SNAPSHOT
@@ -216,8 +275,38 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 日志管理bug修复
+fix: authx-log日志代码调整,操作数据类型修改为枚举
+refactor: 重新整理 authx-log的代码,确保poa rabbitmq 连接正常
+fix: authx-log相关配置修改;chore: 整理k8s脚本
+fix: 修正部署问题
+style: 恢复管理后台修改密码的代码逻辑
+fix: 日志代码修改
+fix: 修正 redis 依赖 导致启动失败的问题
+fix: poa-api pom引用删除spring-cloud-starter-openfeign
+fix: 管理操作日志代码调整
+feat: poa应用调用日志
+fix: 管理操作日志代码调整
+feat: 用户操作日志、管理操作日志
+feat: 新增密码状态字段,及相关检测接口
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -658,8 +747,29 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+fix: 日志管理bug修复
+fix: authx-log日志代码调整,操作数据类型修改为枚举
+fix: 整理authx-log代码
+fix: authx-log相关配置修改;chore: 整理k8s脚本
+feat: poa应用调用日志
+feat: 授权操作日志
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -881,8 +991,50 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 修正登录方式的读取
+fix: 修正双因子认证UI
+feat: 读取attest接口返回的 attestServerUrl
+fix: 日志管理bug修复
+refactor: 优化双因子、日志收集的代码逻辑
+fix: 修正rabbitmq template connectionFactory 连接错误的问题
+chore: log 输出线程名,方便调试
+fix: 支持event listener 的异步执行
+fix: 优化rabbitmq 处理,防止线程阻塞、超时
+fix: 发送时,检测token是否过期,若过期,则重新初始化
+fix: 修正无须双因子时,页面请求异常的问题
+fix: 修正时间长度比较的异常
+fix: authx-log日志代码调整,操作数据类型修改为枚举
+fix: 调整attest-server 地址,将 后端请求用的地址 和 前端请求用的地址 的相关配置分开
+feat: 调整redis key 前缀
+feat: 动态检测,用户登录时,是否跨城市
+feat: 根据策略配置,进行检测(动态检测待处理)
+feat: 认证登录,多因子
+feat: 对接authx-log,将登录日志推送至消息队列
+fix: authx-log相关配置修改;chore: 整理k8s脚本
+fix: 修正编译错误
+feat: 整理sql
+fix: 操作日志代码调整
+feat: 操作日志
+feat: 增加跳转标记,处理用户完善、密码修改等跳转,出现冲突
+feat: 登录时,支持密码安全性的检测,若存在异常,则可跳转到修改页面
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -1363,8 +1515,50 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 整理k8s脚本
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 修正接口错误
+feat: 新增接口,获取用户在当前设备的公钥
+fix: 修正重试时,无法获取新 token 的问题
+feat: 增加loginName
+refactor: 优化双因子、日志收集的代码逻辑
+fix: 修正登录异常 null,增加判断
+feat: 完善帐号密码登录时,日志记录
+chore: 整理k8s部署脚本
+fix: 修正rabbitmq 相关bean 冲突,导致的启动错误
+feat: 读取attest接口返回的 attestServerUrl
+fix: 修正时间长度比较的异常
+feat: 对登录接口进行mfa 的拦截处理,验证mfa 是否成功
+fix: 调整attest-server 地址,将 后端请求用的地址 和 前端请求用的地址 的相关配置分开
+fix: 获取request 的IP、userAgent
+feat: App端,认证双因子
+feat: 整理登录日志,推送至 authx-log
+chore: 调整poa地址
+refactor: 优化接口
+feat: 修改apppush 接口
+feat: 将 apppush 修改为公共服务,通过poa调用
+fix: 修正 AttestRabbitMQConfiguration 配置错误
+feat: 发送APP推送至用户当前登录的设备
+feat: 登录成功后,返回passwordStatus 密码状态
+feat: 帐号密码登录时,检测密码安全性
+feat: 对接远程接口,detectPassword
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -1592,8 +1786,40 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 整理k8s脚本
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 日志管理bug修复
+fix: authx-log 去掉查询日志记录
+fix: authx-log日志代码调整,操作数据类型修改为枚举
+fix: authx-log相关配置修改;chore: 整理k8s脚本
+fix: 用户操作日志修改
+fix: 安全手机、安全邮箱为空时,可跳过验证身份
+fix: 启动类注入EnableAuthxLogTransmitZuul过滤器不生效bug
+feat: 返回安全手机、安全邮箱
+docs: 整理k8s部署yaml
+fix: 关闭RabbitAutoConfiguration 自动配置
+refactor: 将authx-log 的rabbitmq 的相关代码都移入 authx.log 包下;同时,采用独立的rabbitmq 配置,并支持 enable/disable
+feat: 操作日志代码整理
+feat: 调整强制修改密码的接口逻辑
+feat: 用户操作日志
+feat: 密码状态异常时,强制修改密码的接口
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -1949,8 +2175,59 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 修正jenkins构建错误
+fix: 修改强制修改密码失败后返回的问题
+fix: 重新修改密码
+fix: 强制密码问题修改
+fix: 强制修改密码没有身份认证
+fix: 强制密码修改-路由修改
+fix: 修改密码提示语
+fix: 重置密码接口联调
+fix: 安全中心修改密码增加密码强度提示
+fix:安全分数提示修改
+fix: 修正移动浏览器,安全中心绑定QQ等,绑定失败的问题处理
+fix: qq绑定问题
+QQ绑定问题修改
+fix: 安全分数计算修改
+fix: 钉钉绑定
+fix: 修改安全登录设置
+fix: 联合登录绑定设置
+fix: 修改安全分数
+fix: 修改H5路径
+fix: 安全等级文字设置
+fix: 修改bug
+fix: 修改绑定第三方
+fix: bug修改
+fix:账号激活证件号码必填
+fix: 字体大小修改
+退出登录
+fix: 修改登录密码问题
+fix: 修改提示消息样式
+fix: 安全登录设置接口联调
+feat:绑定账号
+fix: 社交账号绑定
+feat: 安全中心移动端接口联调
+feat: 安全中心移动端适配
+fix: 激活账号;重置密码移动端适配
+Merge branch 'release-1.3.0' into develop
+fix: 绑定QQ
chore: 升级版本,1.4.0-SNAPSHOT
@@ -2122,6 +2399,112 @@
+### attest-server
+
+身份验证服务
+
+#### develop
+
+##### 1.5.0 (SNAPSHOT)
+
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+chore: 整理k8s脚本
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+chore: jenkins 自动化构建
+chore: 升级版本,1.4.0-SNAPSHOT
+
+
+##### 1.0.0 (SNAPSHOT)
+
+fix: 修正回调页面的问题
+docs: 文档
+feat: APP推送时,回调页面中显示 确认码,确保推送消息与PC端一致性
+fix: url 增加时间戳,防止缓存
+style: 调整命名
+docs: 人脸识别验证的接口文档,调整接口说明
+feat: 支持url scheme 可配置
+docs: 人脸识别验证的接口文档,调整接口说明
+docs: 人脸识别验证的接口文档
+feat: 人脸识别 验证
+feat: 远程获取用户登录APP后提交的公钥
+chore: 修改 application name
+fix: 修正重试时,无法获取新 token 的问题
+feat: 人脸识别
+refactor: 调整GuardService 接口,移除无用的代码
+docs: 完善接口文档
+feat: 发送前,检测token 是否过期
+docs: 整理文档
+feat: GuardToken 增加 state 业务端状态,便于对业务端的提交的验证请求进行合法性校验
+fix: 修正邮件验证码发送失败的问题
+feat: 对接 poa,apppush 接口
+fix: 修正 AttestRabbitMQConfiguration 配置错误
+feat: apppush,向 rabbitmq 发送推送消息,由 token-server 监听后,进行处理
+fix: 修正view 找不到的问题
+feat: APP推送,回调页面
+feat: 修正jwt token 验证
+fix: 解决请求跨域问题
+fix: 修正 token 创建时,空指针异常
+fix: 修正GuardService 注入错误
+chore: 初始导入
+
+
+
+### authx-log
+
+日志服务
+
+#### develop
+
+##### 1.5.0 (SNAPSHOT)
+
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+chore: 整理k8s脚本
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+chore: jenkins 自动化构建
+chore: 升级版本,1.4.0-SNAPSHOT
+
+
+##### 1.0.0 (SNAPSHOT)
+
+fix: 日志管理bug修复
+fix: ip地址截取
+fix: 应用访问日志接口查询条件修改
+fix: 导出bug修复
+feat: 日志管理增加导出接口
+fix: 日志服务修改
+feat: 日志管理查询接口
+fix: 日志服务代码调整
+feat: 日志服务
+docs: 日志服务设计文档
+feat: 日志管理操作接口、消息处理
+feat: 日志服务
+
+
+
### jobs-server
数据同步服务
diff --git "a/deploy-manifests/charts/1.2.0000.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214\357\274\210\345\237\272\344\272\216\345\272\224\347\224\250\345\225\206\345\272\227\357\274\211.md" "b/deploy-manifests/charts/1.2.0000.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214\357\274\210\345\237\272\344\272\216\345\272\224\347\224\250\345\225\206\345\272\227\357\274\211.md"
index cd9be48..a5b121c 100644
--- "a/deploy-manifests/charts/1.2.0000.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214\357\274\210\345\237\272\344\272\216\345\272\224\347\224\250\345\225\206\345\272\227\357\274\211.md"
+++ "b/deploy-manifests/charts/1.2.0000.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214\357\274\210\345\237\272\344\272\216\345\272\224\347\224\250\345\225\206\345\272\227\357\274\211.md"
@@ -9,11 +9,71 @@
版本 | 作者 | 日期 | 备注
- | - | - | -
v1 | 刘洪青 | 2021-05-15 | 初稿
+v1.4 | 刘洪青 | 2021-09-18 | V1.4 版本的部署更新
[TOC]
+## 部署变更说明
+
+**仅列举了一些重要的、对外部存在影响的变更**
+
+
+### V1.3
+
+1. 域名变更
+
+新增,域名 authx-management,认证、用户、授权管理功能的前端UI的外网域名访问
+
+
+### V1.4
+
+1. 数据库用户变更
+
+新增,authx_log
+(可选)移除,agent_service
+
+2. 镜像变更
+
+新增,authx-log
+新增,attest-server
+
+3. 域名变更
+
+新增,域名 authx-service,将 personal-security-center、security-center、以及 authx-management 合并
+废弃,域名 personal-security-center,合并至 域名 authx-service
+废弃,域名 security-center,合并至 域名 authx-service
+废弃,域名 authx-management,现合并至 authx-service
+废弃,域名 token,合并至 域名 cas
+
+4. Context Path 变更
+
+变更,personal-security-center-zuul,context path 更新为 /personal
+变更,token-server,context path 更新为 /token
+
+5. 访问地址变更
+
+变更,用户认证授权管理前端UI,`https://admin-platform.paas.xxx.edu.cn/authx-management` 变更为 `https://authx-service.paas.xxx.edu.cn/authx-management`
+变更,安全中心后端API,`https://personal-security-center.paas.xxx.edu.cn` 变更为 `https://authx-service.paas.xxx.edu.cn/personal`
+变更,Token 认证,`https://token.paas.xxx.edu.cn` 变更为 `https://cas.pass.xxx.edu.cn/token`
+
+
+## 产品依赖
+
+* minio
+
+请使用 应用商店 部署
+
+* ipaddr
+
+请使用 应用商店 部署
+
+* platform openapi
+
+请使用 应用商店 部署
+
+
## 安装准备
### MySQL 初始配置及相关基础命令
@@ -92,7 +152,7 @@
mysqldump -u root -p token_server > token_server.sql
mysqldump -u root -p user > user.sql
mysqldump -u root -p user_authz > user_authz.sql
- mysqldump -u root -p agent_service > agent_service.sql
+ mysqldump -u root -p authx_log > authx_log.sql
```
还原:
@@ -101,7 +161,7 @@
mysql -u root -p token_server < token_server.sql
mysql -u root -p user < user.sql
mysql -u root -p user_authz < user_authz.sql
- mysql -u root -p agent_service < agent_service.sql
+ mysql -u root -p authx_log < authx_log.sql
```
@@ -131,6 +191,8 @@
authx-service authx-service/*
+ authx-log authx-log/*
+
user-data-service goa/*
user-authorization-service user-authorization-service/*
personal-security-center personal-security-center/*
@@ -139,6 +201,7 @@
cas-server cas-server/*
token-server token-server/*
+ attest-server attest-server/*
```
同步规则,创建完成后,进行镜像同步
@@ -192,7 +255,7 @@
jobs-server 同步服务
- cas-server 认证(CAS 认证 + Token Server)
+ cas-server 认证(CAS 认证 + Token Server + 身份认证服务)
```
* 确定命名空间
@@ -208,7 +271,7 @@
jobs-server 同步服务
- cas-server 认证(CAS 认证 + Token Server)
+ cas-server 认证(CAS 认证 + Token Server + 身份认证服务)
```
@@ -222,10 +285,9 @@
```
authx-minio.paas.xxx.edu.cn 文件服务
- security-center.paas.xxx.edu.cn 安全中心
+ authx-service.paas.xxx.edu.cn 用户授权服务(包含 后台管理UI + 安全中心UI + 安全中心后端)
- cas.paas.xxx.edu.cn CAS 认证(视具体情况,可调整)
- token.paas.xxx.edu.cn Token 认证(APP适用)
+ cas.paas.xxx.edu.cn 认证(视具体情况,可调整;包含 CAS 认证 + Token Server + 身份认证服务)
```
如果使用 学校域名,则去除 .paas 即可,同时申请开通相关域名
@@ -249,8 +311,7 @@
服务 | 数据库帐号
- | -
- 第三方代理服务 thridparty-agent-service | agent_service
- - | -
+ 日志服务 authx-log | authx_log
用户服务 user-data-service | user
授权服务 user-authorization-service | user_authz
- | -
@@ -262,10 +323,10 @@
命令:
**请修改命令中的 `your_password` 为实际的数据库用户的密码**
```
- create user 'agent_service'@'%' identified with mysql_native_password by 'your_password';
-
+ create user 'authx_log'@'%' identified with mysql_native_password by 'your_password';
create user 'user'@'%' identified with mysql_native_password by 'your_password';
create user 'user_authz'@'%' identified with mysql_native_password by 'your_password';
+
create user 'cas_server'@'%' identified with mysql_native_password by 'your_password';
create user 'token_server'@'%' identified with mysql_native_password by 'your_password';
@@ -279,8 +340,7 @@
服务 | 数据库
- | -
- 第三方代理服务 thridparty-agent-service | agent_service
- - | -
+ 日志服务 authx-log | authx_log
用户服务 user-data-service | user
授权服务 user-authorization-service | user_authz
- | -
@@ -291,10 +351,10 @@
命令:
```
- create database `agent_service` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
-
+ create database `authx_log` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
create database `user` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
create database `user_authz` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+
create database `cas_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
create database `token_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
@@ -308,10 +368,10 @@
命令:
```
- grant all privileges on `agent_service`.* to 'agent_service'@'%' with grant option;
-
+ grant all privileges on `authx_log`.* to 'authx_log'@'%' with grant option;
grant all privileges on `user`.* to 'user'@'%' with grant option;
grant all privileges on `user_authz`.* to 'user_authz'@'%' with grant option;
+
grant all privileges on `cas_server`.* to 'cas_server'@'%' with grant option;
grant all privileges on `token_server`.* to 'token_server'@'%' with grant option;
@@ -328,6 +388,7 @@
```
grant SUPER on *.* to 'user'@'%';
grant SUPER on *.* to 'user_authz'@'%';
+
grant SUPER on *.* to 'cas_server'@'%';
grant SUPER on *.* to 'tmp_data'@'%';
@@ -388,15 +449,6 @@
命名空间: agent-service
-* 外部MYSQL-连接配置
- 外部MySQL host: <请填写数据库服务的IP地址>
- 外部MySQL port: <请填写数据库服务的端口>
-
-* AGENT SERVICE - MYSQL数据库配置
- 用户名: `agent_service` ,固定值、或按实际情况修改
- 密码: <请填写创建的数据库用户的密码>
- 数据库名: `agent_service` ,固定值、或按实际情况修改
-
* 文件服务设置
Minio Url: `http://minio.authx-minio.svc.cluster.local:9000` ,若 minio 的命名空间有调整,请修改
Minio Access Key: `1y8N@8R@a_2u`
@@ -417,6 +469,24 @@
阿里云短信接口Access Key:
阿里云短信接口Access Secret:
+* 人脸服务配置
+ 可与 新开普人脸平台 或 百度人脸服务 进行对接
+
+ 人脸登录类型: aiface: 新开普人脸, aipface: 百度人脸
+
+ **以下配置从 新开普人脸平台 申请**
+ 新开普人脸服务 Url:
+ 新开普人脸服务 App Key:
+ 新开普人脸服务 App Secret:
+ 新开普人脸服务 Secret Key:
+ 新开普人脸服务 Term Code:
+
+ **以下配置从 百度开放平台 申请**
+ 百度人脸服务 App Id:
+ 百度人脸服务 Api Key:
+ 百度人脸服务 Secret Key:
+ 百度人脸服务 组ID:
+
#### authx-service
@@ -448,14 +518,20 @@
密码: <请填写创建的数据库用户的密码>
数据库名: `user_authz` ,固定值、或按实际情况修改
+* MYSQL数据库配置 - 日志服务
+
+ 用户名: `authx_log` ,固定值、或按实际情况修改
+ 密码: <请填写创建的数据库用户的密码>
+ 数据库名: `authx_log` ,固定值、或按实际情况修改
+
* 域名全局设置
根域名: `paas.<school>.edu.cn` ,请修改为实际的学校域名
-* 域名配置 - 安全中心
+* 域名配置 - 用户授权服务
- 子域名: `security-center` ,若须修改,根据实际情况修改即可
+ 子域名: `authx-service` ,若须修改,根据实际情况修改即可
* POA 设置
@@ -480,6 +556,7 @@
Agent Service 文件上传路径: `/api/v1/tpas/file/minio` ,一般不用修改
Agent Service 邮件发送路径: `/api/v1/tpas/mail/smtp` ,一般不用修改
Agent Service 短信发送路径: `/api/v1/tpas/sms/aliyun` , 若不使用阿里云短信服务,须修改
+ Agent Service 人脸服务接口: `/api/v1/tpas/face/aiface` ,新开普人脸 aiface,百度人脸 aipface
* 依赖 API - CAS SERVER
@@ -544,22 +621,29 @@
数据库名: `token_server` ,固定值、或按实际情况修改
+* 外部RABBITMQ - 连接配置
+
+ 外部RabbitMQ host: `authx-service-rabbitmq.authx-service.svc.cluster.local` ,连接 authx-service 的rabbitmq, 若 authx-service 的命名空间有调整,请修改
+ 外部RabbitMQ port: 5672
+
+* RABBITMQ配置 - 安全配置
+
+ 用户名: guest
+ 密码: guest
+
+
* 域名全局设置
根域名: `paas.<school>.edu.cn` ,请修改为实际的学校域名
-* 域名配置 - CAS 认证
+* 域名配置 - 认证服务
子域名: `cas` ,若须修改,根据实际情况修改即可
-* 域名配置 - Token Server
-
- 子域名: `token` ,若须修改,根据实际情况修改即可
-
* POA 设置
- POA网关地址: `http://poa.paas.<school>.edu.cn` ,请设置为 poa 网关的外网地址
+ POA网关地址: `https://poa.paas.<school>.edu.cn` ,请设置为 poa 网关的外网地址
POA SA地址: 请设置为 poa-sa 管理接口的 k8s 内部地址(根据实际部署的 POA 进行调整)
@@ -570,6 +654,7 @@
Agent Service 文件上传路径: `/api/v1/tpas/file/minio` ,一般不用修改
Agent Service 邮件发送路径: `/api/v1/tpas/mail/smtp` ,一般不用修改
Agent Service 短信发送路径: `/api/v1/tpas/sms/aliyun` , 若不使用阿里云短信服务,须修改
+ Agent Service 人脸服务接口: `/api/v1/tpas/face/aiface` ,新开普人脸 aiface,百度人脸 aipface
* 依赖 API - 用户服务
@@ -580,6 +665,12 @@
用户授权API内部地址: `http://authx-service-user-authz-service-sa.authx-service.svc.cluster.local:8080` ,固定值,若 authx-service 的命名空间有调整,请修改
+* POA CLIENT
+
+ Client Id: 从 POA 进行申请
+ Client Secret: 从 POA 进行申请
+
+
* 动态密码
@@ -618,12 +709,6 @@
消息服务应用ID: 由消息服务提供
-* TOKEN SERVER - POA CLIENT
-
- Client Id: 从 POA 进行申请
- Client Secret: 从 POA 进行申请
-
-
* TOKEN SERVER - 人脸服务配置
可与 新开普人脸平台 或 百度人脸服务 进行对接
diff --git "a/deploy-manifests/charts/1.2.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\350\256\244\350\257\201\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210\345\256\211\345\205\250\344\270\255\345\277\203\357\274\211.md" "b/deploy-manifests/charts/1.2.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\350\256\244\350\257\201\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210\345\256\211\345\205\250\344\270\255\345\277\203\357\274\211.md"
index e30d9d0..02ae0d9 100644
--- "a/deploy-manifests/charts/1.2.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\350\256\244\350\257\201\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210\345\256\211\345\205\250\344\270\255\345\277\203\357\274\211.md"
+++ "b/deploy-manifests/charts/1.2.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\350\256\244\350\257\201\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210\345\256\211\345\205\250\344\270\255\345\277\203\357\274\211.md"
@@ -34,9 +34,9 @@
update TB_SERVICE
set
DELETED=1,
- INFORMATION_URL='http://personal-security-center.paas.example.com',
- LOGOUT_URL='http://personal-security-center.paas.example.com/slo?redirect_uri=http://security-center.paas.example.com/?clearCertification=clearCertification',
- SERVICE_ID='http://personal-security-center.paas.example.com/cas/(.*)'
+ INFORMATION_URL='http://authx-service.paas.example.com/personal',
+ LOGOUT_URL='http://authx-service.paas.example.com/personal/slo?redirect_uri=http://authx-service.paas.example.com/?clearCertification=clearCertification',
+ SERVICE_ID='http://authx-service.paas.example.com/personal/cas/(.*)'
where ID='2'; -- todo, modify
@@ -48,9 +48,9 @@
`ENABLED`, `SSO_ENABLED`, `REQUIRE_ALL_ATTRIBUTES`,
`APPLICATION_ID`, `EXTERNAL_ID`)
VALUES ('22', '1', 0, 'admin', '2020-07-01 00:00:00',
- '安全中心', '安全中心', 'https://security-center.paas.example.com', 'https://security-center.paas.example.com/?clearCertification=clearCertification',
+ '安全中心', '安全中心', 'https://authx-service.paas.example.com', 'https://authx-service.paas.example.com/?clearCertification=clearCertification',
'REDIRECT', 'FRONT_CHANNEL',
- 22, '安全中心', 22, 'https://security-center.paas.example.com/(.*)',
+ 22, '安全中心', 22, 'https://authx-service.paas.example.com/(.*)',
1, 1, 1,
'22', '22');
@@ -59,12 +59,12 @@
-- 修改根域名
update TB_SERVICE
set
- INFORMATION_URL='http://security-center.paas.example.com',
- LOGOUT_URL='http://security-center.paas.example.com/?clearCertification=clearCertification',
- SERVICE_ID='http://security-center.paas.example.com/(.*)',
+ INFORMATION_URL='http://authx-service.paas.example.com',
+ LOGOUT_URL='http://authx-service.paas.example.com/?clearCertification=clearCertification',
+ SERVICE_ID='http://authx-service.paas.example.com/(.*)',
ID_TOKEN_ENABLED=1,
JWT_AS_SERVICE_TICKET=1,
- APPLICATION_DOMAIN='security-center.paas.example.com'
+ APPLICATION_DOMAIN='authx-service.paas.example.com'
where ID='22'; -- todo, modify
commit;
diff --git "a/deploy-manifests/charts/1.3.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260SPA\345\234\260\345\235\200\351\205\215\347\275\256.md" "b/deploy-manifests/charts/1.3.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260SPA\345\234\260\345\235\200\351\205\215\347\275\256.md"
index 8106c31..3aaa885 100644
--- "a/deploy-manifests/charts/1.3.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260SPA\345\234\260\345\235\200\351\205\215\347\275\256.md"
+++ "b/deploy-manifests/charts/1.3.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260SPA\345\234\260\345\235\200\351\205\215\347\275\256.md"
@@ -21,9 +21,9 @@
* 管理功能 - 认证授权
- 认证管理SPA的地址: `https://authx-management.paas.<school>.edu.cn/authx-management`
- 用户管理SPA的地址: `https://authx-management.paas.<school>.edu.cn/authx-management`
- 授权管理SPA的地址: `https://authx-management.paas.<school>.edu.cn/authx-management`
+ 认证管理SPA的地址: `https://authx-service.paas.<school>.edu.cn/authx-management`
+ 用户管理SPA的地址: `https://authx-service.paas.<school>.edu.cn/authx-management`
+ 授权管理SPA的地址: `https://authx-service.paas.<school>.edu.cn/authx-management`
修改完成后,需要手动重启 admin-platform 的 Deployment
diff --git "a/deploy-manifests/charts/1.4.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210API\350\267\257\347\224\261\343\200\201\350\217\234\345\215\225\343\200\201\350\247\222\350\211\262\346\235\203\351\231\220\357\274\211.md" "b/deploy-manifests/charts/1.4.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210API\350\267\257\347\224\261\343\200\201\350\217\234\345\215\225\343\200\201\350\247\222\350\211\262\346\235\203\351\231\220\357\274\211.md"
new file mode 100644
index 0000000..822ead9
--- /dev/null
+++ "b/deploy-manifests/charts/1.4.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210API\350\267\257\347\224\261\343\200\201\350\217\234\345\215\225\343\200\201\350\247\222\350\211\262\346\235\203\351\231\220\357\274\211.md"
@@ -0,0 +1,253 @@
+
+# 认证授权-云平台数据初始化
+
+
+[TOC]
+
+
+## 文档说明
+
+
+
+## 操作指南
+
+**请仔细阅读文档后,再进行操作**
+
+本文档中的各部分操作,只须 选择其中一种方式处理即可
+
+
+## 初始化数据
+
+
+### 创建路由
+
+在 云平台 管理中心 中,添加 接口路由;
+
+管理功能的接口请求,由管理中心的后端网关,统一路由至 相关服务。
+
+**若 路由记录已经存在,请确认 其 路由服务地址 是否正确**
+
+
+#### 方式一,手动添加
+
+进入 云平台 - 基础管理 - 路由管理,添加路由记录
+
+注:
+* 路由前缀 如:`/api/v1/sample/**`,确保与其他路由信息 **不存在冲突**
+* 后端服务地址 如:`http://xxx.sample.edu.cn`
+* 是否丢弃前缀,若是,转发到后端服务时的请求为 `http://xxx.sample.edu.cn/**`,否则为 `http://xxx.sample.edu.cn/api/v1/sample/**`
+
+
+代码 | 名称 | 描述 | 是否启用 | 路由前缀 | 路由服务地址 | 是否丢弃前缀
+- | - | - | - | - | - | - | -
+authx-service-user-api | 认证授权 - 用户接口 | | 是 | /api/v1/base | http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080 | 否
+authx-service-personal-api | 认证授权 - 个人信息接口 | | 是 | /api/v1/personal | http://authx-service-personal-security-center-bff.authx-service.svc.cluster.local:8080/api/v1 | 是
+authx-service-admin-api | 认证授权 - 聚合接口(认证、授权) | | 是 | /api/v2/admin | http://authx-service-bff.authx-service.svc.cluster.local:8080 | 否
+authx-service-open-api | 认证授权 - 聚合接口(公开) | | 是 | /api/v2/open | http://authx-service-bff.authx-service.svc.cluster.local:8080 | 否
+authx-service-log-api | 认证授权 - 日志接口 | | 是 | /api/v2/log | http://authx-service-authx-log-sa.authx-service.svc.cluster.local:8080 | 否
+
+
+#### 方式二,bash脚本
+
+```json
+{"id": "20", "code": "authx-service-user-api", "name":"认证授权 - 用户接口", "memo":"", "status":"1", "pathPrefix":"/api/v1/base", "url":"http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+
+{"id": "40", "code": "authx-service-personal-api", "name":"认证授权 - 个人信息接口", "memo":"", "status":"1", "pathPrefix":"/api/v1/personal", "url":"http://authx-service-personal-security-center-bff.authx-service.svc.cluster.local:8080/api/v1", "stripPrefix":true}
+
+{"id": "21", "code": "authx-service-admin-api", "name":"认证授权 - 聚合接口(认证、授权)", "memo":"", "status":"1", "pathPrefix":"/api/v2/admin", "url":"http://authx-service-bff.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+{"id": "22", "code": "authx-service-open-api", "name":"认证授权 - 聚合接口(公开)", "memo":"", "status":"1", "pathPrefix":"/api/v2/open", "url":"http://authx-service-bff.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+
+{"id": "25", "code": "authx-service-log-api", "name":"认证授权 - 日志接口", "memo":"", "status":"1", "pathPrefix":"/api/v2/log", "url":"http://authx-service-authx-log-sa.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+```
+
+```bash
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/routes" -H 'Content-Type: application/json' \
+-d \
+'
+{"id": "20", "code": "authx-service-user-api", "name":"认证授权 - 用户接口", "memo":"", "status":"1", "pathPrefix":"/api/v1/base", "url":"http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+'
+
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/routes" -H 'Content-Type: application/json' \
+-d \
+'
+{"id": "40", "code": "authx-service-personal-api", "name":"认证授权 - 个人信息接口", "memo":"", "status":"1", "pathPrefix":"/api/v1/personal", "url":"http://authx-service-personal-security-center-bff.authx-service.svc.cluster.local:8080/api/v1", "stripPrefix":true}
+'
+
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/routes" -H 'Content-Type: application/json' \
+-d \
+'
+{"id": "21", "code": "authx-service-admin-api", "name":"认证授权 - 聚合接口(认证、授权)", "memo":"", "status":"1", "pathPrefix":"/api/v2/admin", "url":"http://authx-service-bff.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+'
+
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/routes" -H 'Content-Type: application/json' \
+-d \
+'
+{"id": "22", "code": "authx-service-open-api", "name":"认证授权 - 聚合接口(公开)", "memo":"", "status":"1", "pathPrefix":"/api/v2/open", "url":"http://authx-service-bff.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+'
+
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/routes" -H 'Content-Type: application/json' \
+-d \
+'
+{"id": "25", "code": "authx-service-log-api", "name":"认证授权 - 日志接口", "memo":"", "status":"1", "pathPrefix":"/api/v2/log", "url":"http://authx-service-authx-log-sa.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+'
+```
+
+
+#### 方式三,SQL脚本(不推荐)
+
+连接至 admin_center 数据库,执行以下 SQL脚本
+
+```sql
+use admin_center;
+
+delete from TB_MGT_ROUTE where ID in ('20','40','21','22','25');
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('20', 0, 'authx-service-user-api', '认证授权 - 用户接口', '1', '/api/v1/base', 'https://localhost:8022', 0);
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('40', 0, 'authx-service-personal-api', '认证授权 - 个人信息接口', '1', '/api/v1/personal', 'http://localhost:8041/api/v1', 1);
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('21', 0, 'authx-service-admin-api', '认证授权 - 聚合接口(认证、授权)', '1', '/api/v2/admin', 'http://localhost:8009', 0);
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('22', 0, 'authx-service-open-api', '认证授权 - 聚合接口(公开)', '1', '/api/v2/open', 'http://localhost:8009', 0);
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('25', 0, 'authx-service-log-api', '认证授权 - 日志接口', '1', '/api/v2/log', 'http://localhost:8009', 0);
+
+commit;
+
+update TB_MGT_ROUTE set URL='http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080' where ID='20';
+
+update TB_MGT_ROUTE set URL='http://authx-service-personal-security-center-bff.authx-service.svc.cluster.local:8080/api/v1' where ID='40';
+
+update TB_MGT_ROUTE set URL='http://authx-service-bff.authx-service.svc.cluster.local:8080' where ID='21';
+update TB_MGT_ROUTE set URL='http://authx-service-bff.authx-service.svc.cluster.local:8080' where ID='22';
+
+update TB_MGT_ROUTE set URL='http://authx-service-authx-log-sa.authx-service.svc.cluster.local:8080' where ID='25';
+
+commit;
+```
+
+
+### 创建菜单
+
+#### 方式一,手动导入
+
+进入 云平台 - 基础管理 - 菜单管理,导入
+
+所属应用 选择 用户授权
+
+菜单列表(JSON)如下,(复制后粘贴)
+
+**将 origin 修改为正确的 学校域名**
+
+* 认证管理
+
+```json
+[
+ {
+ "id": "20920", "parentIdOrCode":"20000", "code": "twoFactorAuth", "name": "双因子认证", "memo": "", "status": "1",
+ "icon": "su-icon-test", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/twoFactorAuth", "target": "",
+ "order": 20920, "resourceIdOrCodes": []
+ },
+ {
+ "id": "22000", "parentIdOrCode":"20000", "code": "logManagement", "name": "日志管理", "memo": "", "status": "1",
+ "icon": "su-icon-taocanguanli", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/logManagement", "target": "",
+ "order": 22000, "resourceIdOrCodes": []
+ }
+]
+```
+
+
+#### 方式二,bash脚本
+
+* 认证管理
+
+```bash
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/menus/importMenu" -H 'Content-Type: application/json' \
+-d \
+'
+{
+ "applicationId": "10",
+ "menuList":
+ [
+ {
+ "id": "20920", "parentIdOrCode":"20000", "code": "twoFactorAuth", "name": "双因子认证", "memo": "", "status": "1",
+ "icon": "su-icon-test", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/twoFactorAuth", "target": "",
+ "order": 20920, "resourceIdOrCodes": []
+ },
+ {
+ "id": "22000", "parentIdOrCode":"20000", "code": "logManagement", "name": "日志管理", "memo": "", "status": "1",
+ "icon": "su-icon-taocanguanli", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/logManagement", "target": "",
+ "order": 22000, "resourceIdOrCodes": []
+ }
+ ]
+}
+'
+```
+
+
+### 关联角色权限
+
+角色由授权服务进行初始化
+
+
+#### 方式一,手动导入(暂不支持)
+
+进入 云平台 - 基础管理 - 角色权限,导入
+
+角色权限(JSON)如下,(复制后粘贴)
+
+```json
+[
+ {
+ "roleId": "20", "roleCode":"cas-admin",
+ "permissionIdOrCodes": ["20920", "22000"]
+ }
+]
+```
+
+
+#### 方式二,bash脚本
+
+```bash
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/rolePermissions/importRolePermission" -H 'Content-Type: application/json' \
+-d \
+'
+{
+ "roleCodeIdMap": {
+ "cas-admin": "20",
+ "user-admin": "30",
+ "user-authz-admin": "40",
+ "user-authz-grant-admin": "41",
+ "user-authz-man-grant-admin": "42"
+ },
+ "rolePermissionList":
+ [
+ {
+ "roleId": "20", "roleCode":"cas-admin",
+ "permissionIdOrCodes": ["1", "20000", "20100", "20200", "20300", "20400", "20500", "20600", "20700", "20800", "20900", "20920", "21000", "21100", "22000"]
+ },
+ {
+ "roleId": "30", "roleCode": "user-admin",
+ "permissionIdOrCodes": ["1", "30000", "30100", "30200", "30300", "30400", "30500", "30600", "30700", "30800", "31000"]
+ },
+ {
+ "roleId": "40", "roleCode": "user-authz-admin",
+ "permissionIdOrCodes": ["1", "40000", "40050", "40100", "40200", "40300", "40500", "40900", "41100", "41200", "41300", "41350", "41400", "41500"]
+ },
+ {
+ "roleId": "41", "roleCode": "user-authz-grant-admin",
+ "permissionIdOrCodes": ["1", "40000", "40100", "40300", "40500"]
+ },
+ {
+ "roleId": "42", "roleCode": "user-authz-man-grant-admin",
+ "permissionIdOrCodes": ["1", "40000", "40900"]
+ }
+ ]
+}
+'
+```
+
diff --git "a/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md" "b/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md"
index a92e6a0..91cb8de 100644
--- "a/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md"
+++ "b/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md"
@@ -9,11 +9,27 @@
版本 | 作者 | 日期 | 备注
- | - | - | -
v1 | 刘洪青 | 2020-06-10 | 初稿
+v1.4 | 刘洪青 | 2021-09-21 | V1.4部署更新
[TOC]
+## 产品依赖
+
+* minio
+
+请使用 应用商店 部署
+
+* ipaddr
+
+请使用 应用商店 部署
+
+* platform openapi
+
+请使用 应用商店 部署
+
+
## 安装准备
### MySQL 初始配置及相关基础命令
@@ -92,6 +108,8 @@
mysqldump -u root -p token_server > token_server.sql
mysqldump -u root -p user > user.sql
mysqldump -u root -p user_authz > user_authz.sql
+ mysqldump -u root -p authx_log > authx_log.sql
+
mysqldump -u root -p agent_service > agent_service.sql
```
@@ -101,6 +119,8 @@
mysql -u root -p token_server < token_server.sql
mysql -u root -p user < user.sql
mysql -u root -p user_authz < user_authz.sql
+ mysql -u root -p authx_log < authx_log.sql
+
mysql -u root -p agent_service < agent_service.sql
```
@@ -117,7 +137,7 @@
* 镜像同步
- 从 https://harbor.supwisdom.com 中同步镜像
+ 从 https://harbor.supwisdom.com 中同步镜像(须申请 harbor 帐号)
仓库管理 下 新建目标
```
@@ -129,6 +149,7 @@
```
admin-portal admin-portal/*
authx-service authx-service/*
+ authx-log authx-log/*
thirdparty-agent-service thirdparty-agent-service/*
@@ -136,6 +157,7 @@
user-authorization-service user-authorization-service/*
cas-server cas-server/*
token-server token-server/*
+ attest-server attest-server/*
jobs-server jobs-server/*
@@ -185,12 +207,14 @@
本产品安装需要的域名如下:
```
- cas.paas.xxx.edu.cn 认证(视具体情况,可调整)
- token.paas.xxx.edu.cn 认证(APP适用)
+ cas.paas.xxx.edu.cn 认证(视具体情况,可调整;包括,CAS 认证、Token 认证、身份验证服务)
+ token.paas.xxx.edu.cn (废弃,合并至 cas)认证(APP适用)
- personal-security-center.paas.xxx.edu.cn 个人安全中心后端API
+ personal-security-center.paas.xxx.edu.cn (废弃,合并至 authx-service)个人安全中心后端API
- security-center.paas.xxx.edu.cn 安全中心前端UI(帐号激活、忘记密码)
+ security-center.paas.xxx.edu.cn (废弃,合并至 authx-service)安全中心前端UI(帐号激活、忘记密码)
+
+ authx-service.paas.xxx.edu.cn 用户授权服务(包括,用户认证授权管理前端UI、安全中心前端UI、安全中心后端API)
authx-minio.paas.xxx.edu.cn 文件服务
```
@@ -262,18 +286,27 @@
MINIO_SECRET_KEY | minio密钥(base64加密),默认为 8pxlIe9#lN7Q | OHB4bEllOSNsTjdR
-* auth-service 下的 poa-api-docs-installer
+* auth-service 下的 authx-service-bff
- ConfigMap,poa-api-docs-installer-env
+ ConfigMap,authx-service-bff-env
key | 说明 | 配置示例
- | - | -
- POA_SERVER_URL | POA网关地址(外部访问地址) | http://poa.paas.xxx.edu.cn
- POA_SA_SERVER_URL | POA管理接口地址(k8s集群内部地址) | http://poa-sa-svc.poa.svc.cluster.local:8443
+ UNIAUTH_BASIC_AUTH_USERNAME | uniauth sa basic 认证 的 用户名 | saadmin
+ UNIAUTH_BASIC_AUTH_PASSWORD | uniauth sa basic 认证 的 密码 | saadminfoobar
- | - | -
- USER_API_SERVER_URL | 用户服务开放接口地址(k8s集群内部地址) | http://user-data-service-poa-svc.user-data-service.svc.cluster.local:8080
- USER_AUTHZ_API_SERVER_URL | 授权服务开放接口地址(k8s集群内部地址) | http://user-authorization-poa-svc.user-authorization-service.svc.cluster.local:8080
- COMMUNICATE_API_SERVER_URL | 通信服务开放接口地址(k8s集群内部地址) | http://communicate-center-poa-svc.communicate-center.svc.cluster.local:8080
+ CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ USER_DATA_SERVICE_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_AUTHZ_SERVICE_SERVER_URL | 授权服务管理接口地址(k8s集群内部地址) | http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ UNIAUTH_SERVER_SA_API_SERVER_URL | Uniauth 管理接口地址(k8s集群内部地址) | http://uniauth-prod-backend.uniauth.svc.cluster.local:9090
+ TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)<br/>默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
+
* thirdparty-agent-service 下的 thirdparty-agent-service
@@ -298,6 +331,20 @@
SMS_ALIYUN_REGION_ID | 区域 | cn-hangzhou
SMS_ALIYUN_ACCESS_KEY_ID | 阿里云短信服务的帐号 |
SMS_ALIYUN_ACCESS_SECRET | 阿里云短信服务的密钥 |
+ - | - | -
+ FACE_AIFACE_AUTOCONFIGURE_ENABLED | 新开普人脸开启开关 | true、false
+ FACE_AIFACE_URL | 新开普人脸地址 |
+ FACE_AIFACE_APPKEY | app key |
+ FACE_AIFACE_APPSECRET | app secret |
+ FACE_AIFACE_SECRETKEY | secret key |
+ FACE_AIFACE_TERM_CODE | term code |
+ - | - | -
+ FACE_AIPFACE_AUTOCONFIGURE_ENABLED | 百度人脸开启开关 | true、false
+ FACE_AIPFACE_APPID | app id |
+ FACE_AIPFACE_APIKEY | app key |
+ FACE_AIPFACE_SECRETKEY | secret key |
+ FACE_AIPFACE_GROUPIDLIST | 组ID,多个用逗号分隔,最多20个 |
+
Secret,agent-service-env-secret
@@ -316,6 +363,15 @@
CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
- | - | -
TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)<br/>默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ - | - | -
+ FILE_SERVER_TYPE | 文件服务类型 | minio
+ FILE_SERVER_URL | 文件服务地址(外网地址) | https://authx-minio.paas.xxx.edu.cn
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* user-data-service 下的 user-data-service-goa
@@ -335,6 +391,12 @@
JOBS_RABBITMQ_ACCOUNTUSERSVC2JOBSSYNCPASSWORDRABBITSENDER_ENABLED | 是否同步密码(明文密码)到 jobs 的 MQ | true、false
JOBS_RABBITMQ_ORGANIZATIONUSERSVC2JOBSRABBITSENDER_ENABLED | 是否同步组织机构数据至 jobs 的 MQ | true、false
JOBS_RABBITMQ_GROUPUSERSVC2JOBSRABBITSENDER_ENABLED | 是否同步用户组数据至 jobs 的 MQ | true、false
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* user-data-service 下的 user-data-service-biz
@@ -345,7 +407,15 @@
- | - | -
CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
- | - | -
+ USER_AUTHZ_SERVICE_SERVER_URL | 授权服务管理接口地址(k8s集群内部地址) | http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ - | - | -
TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)<br/>默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* user-authorization-service 下的 user-authorization-service-poa
@@ -355,6 +425,12 @@
key | 说明 | 配置示例
- | - | -
USER_DATA_SERVICE_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* user-authorization-service 下的 user-authorization-service-sa
@@ -363,7 +439,17 @@
key | 说明 | 配置示例
- | - | -
- 暂无 | |
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_CONSUMER_ENABLED | 是否开启用户数据订阅 | true
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* cas-server 下的 cas-server-sa-api
@@ -377,6 +463,12 @@
FEDERATION_REFRESH_REDIS_TIMER_ENABLED | 是否定时刷新联合登录帐号绑定数据<br/>默认:true | true、false
- | - | -
USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* cas-server 下的 cas-server-security-engine
@@ -403,24 +495,6 @@
CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY | jwt格式的ticket的签名密钥 | `(@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2`
SPRING_THYMELEAF_PREFIX | 登录页面UI的代码目录 | classpath:/templates/themes/classic/
- | - | -
- CASSERVER_FEDERATION_QQ_ENABLED | 联合登录 QQ,是否启用 | true、false
- CASSERVER_FEDERATION_QQ_APPID | 联合登录 QQ,appid |
- CASSERVER_FEDERATION_QQ_APPKEY | 联合登录 QQ,appkey |
- - | - | -
- CASSERVER_FEDERATION_OPENWEIXIN_ENABLED | 联合登录 微信,是否启用 | true、false
- CASSERVER_FEDERATION_OPENWEIXIN_APPID | 联合登录 微信,appid |
- CASSERVER_FEDERATION_OPENWEIXIN_APPSECRET | 联合登录 微信,appsecret |
- - | - | -
- CASSERVER_FEDERATION_WORKWEIXIN_ENABLED | 联合登录 企业微信,是否启用 | true、false
- CASSERVER_FEDERATION_WORKWEIXIN_CORPID | 联合登录 企业微信,企业ID |
- CASSERVER_FEDERATION_WORKWEIXIN_AGENTID | 联合登录 企业微信,应用AgentId |
- CASSERVER_FEDERATION_WORKWEIXIN_SECRET | 联合登录 企业微信,Secret |
- - | - | -
- CASSERVER_FEDERATION_ALIPAY_ENABLED | 联合登录 支付宝,是否启用 | true、false
- CASSERVER_FEDERATION_ALIPAY_APPID | 联合登录 支付宝,appid |
- CASSERVER_FEDERATION_ALIPAY_APPPRIVATEKEY | 联合登录 支付宝,应用私钥 |
- CASSERVER_FEDERATION_ALIPAY_ALIPAYPUBLICKEY | 联合登录 支付宝,支付宝公钥 |
- - | - | -
CASSERVER_JWT_ISS | idToken 签发者标识 | cas.paas.xxx.edu.cn
CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8 | idToken 签名私钥(pkcs8),参考 certs/jwt/readme.md 生成公私钥pem |
CASSERVER_JWT_PUBLIC_KEY_PEM | idToken 签名公钥,参考 certs/jwt/readme.md 生成公私钥pem |
@@ -433,6 +507,8 @@
CASSERVERSITE_PASSWORDLESS_SMS_FROM | 动态密码的短信发送者 | 认证中心
CASSERVERSITE_PASSWORDLESS_SMS_TEXT_TEMPLATE | 动态密码的短信模板 | 【认证中心】您正在登录统一身份认证,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。
- | - | -
+ SUPERAPP_TOKEN_SIGNING_KEY_URL | TOKEN认证验签公钥地址(k8s集群内部地址) | http://token-server-svc.token-server.svc.cluster.local:8080/token/jwt/publicKey
+ - | - | -
TPAS_AGENT_SERVICE_SERVER_URL | 代理服务接口地址(k8s集群内部地址) | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
TPAS_AGENT_SERVICE_SMS_SENDER_PATH | 短信发送服务地址<br/>console:控制台输出,默认<br/>aliyun:阿里云短信服务<br/>其他,支持学校定制接口 | /api/v1/tpas/sms/console/send
TPAS_AGENT_SERVICE_FILE_PATH | 文件服务地址<br/>默认:minio文件服务 | /api/v1/tpas/file/minio
@@ -443,7 +519,15 @@
- | - | -
USER_AUTHZ_SERVICE_SA_API_SERVER_URL | 授权服务管理接口地址(k8s集群内部地址) | http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
- | - | -
- SUPERAPP_TOKEN_SIGNING_KEY_URL | TOKEN认证验签公钥地址(外部访问地址) | https://token.paas.xxx.edu.cn/jwt/publicKey
+ ATTEST_SERVER_URL | 身份验证服务地址(k8s集群内部地址) | http://attest-server-svc.attest-server.svc.cluster.local:8080/attest
+ - | - | -
+ IPADDR_SERVER_URL | IP地址服务 | http://ipaddr.ipaddr.svc.cluster.local:9090
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* cas-server 下的 cas-server-site-scheme
@@ -465,7 +549,7 @@
key | 说明 | 配置示例
- | - | -
- TOKEN_SERVER_PREFIX | TOKEN认证地址(外部访问地址) | https://token.paas.xxx.edu.cn
+ TOKEN_SERVER_PREFIX | TOKEN认证地址(外部访问地址) | https://token.paas.xxx.edu.cn/token
- | - | -
TOKEN_SERVER_SECURITY_JWT_ISS | idToken签发者标识 | token.paas.xxx.edu.cn
TOKEN_SERVER_SECURITY_JWT_EXPIRATION | idToken 失效时长<br/>默认:30天 | 2592000
@@ -488,9 +572,17 @@
TOKEN_SERVER_PASSWORDLESS_SMS_TEXT_TEMPLATE | 动态密码的短信模板 | 【认证中心】您正在登录统一身份认证,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。
TOKEN_SERVER_PASSWORDLESS_SMS_FROM | 动态密码的短信发送者 | 认证中心
- | - | -
+ GETUI_SERVER_URL | 个推服务地址 | https://openapi-gy.getui.com
+ GETUI_GEYAN_APP_ID | 个推,个验 app id |
+ GETUI_GEYAN_APP_KEY | 个推,个验 app key |
+ GETUI_GEYAN_APP_SECRET | 个推,个验 app secret |
+ GETUI_GEYAN_MASTER_SECRET | 个推,个验 master secret |
+ - | - | -
MESSAGECENTER_ENABLED | 是否对接消息平台<br/>默认:false| true、false
MESSAGECENTER_APP_ID | 应用ID(由消息平台生成)|
- MESSAGECENTER_MESSAGE_TYPE_CODE_APP_LOGIN | 消息类型代码(APP 登录) | APP_LOGIN
+ MESSAGECENTER_MESSAGE_TYPE_CODE_APP_LOGIN | 消息类型代码,APP 登录 | APP_LOGIN
+ MESSAGECENTER_MESSAGE_TYPE_CODE_PASSWORD | 消息类型代码,密码修改登出 | PASSWORD
+ MESSAGECENTER_MESSAGE_TYPE_CODE_APPPUSH | 消息类型代码,消息推送 | APPPUSH
- | - | -
POA_SERVER_URL | POA网关地址(外部访问地址) | https://poa.paas.xxx.edu.cn
POA_CLIENT_ID | client id |
@@ -503,6 +595,23 @@
CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
- | - | -
USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ ATTEST_SERVER_URL | 身份验证服务地址(k8s集群内部地址) | http://attest-server-svc.attest-server.svc.cluster.local:8080/attest
+ - | - | -
+ IPADDR_SERVER_URL | IP地址服务 | http://ipaddr.ipaddr.svc.cluster.local:9090
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
+ - | - | -
+ USER_RABBITMQ_ENABLED | 是否开启用户数据的消息接收 | true
+ USER_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ USER_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ USER_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ USER_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
+ USER_RABBITMQ_CONSUMER_ENABLED | 是否开启用户数据订阅 | true
* personal-security-center 下的 personal-security-center-bff
@@ -511,10 +620,10 @@
key | 说明 | 配置示例
- | - | -
- PERSONAL_SECURITY_CENTER_SERVER_PREFIX | 个人安全中心访问地址(外部访问地址) | https://personal-security-center.paas.xxx.edu.cn
- CAS_SERVER_PREFIX | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn
+ PERSONAL_SECURITY_CENTER_SERVER_PREFIX | 个人安全中心访问地址(外部访问地址) | https://authx-service.paas.xxx.edu.cn/personal
+ CAS_SERVER_PREFIX | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn/cas
- | - | -
- CASSERVER_SITE_SERVER_URL | CAS认证接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SITE_SERVER_URL | CAS认证接口地址(k8s集群内部地址) | http://cas-server-site-webapp-svc.cas-server.svc.cluster.local:8080/cas
- | - | -
CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
- | - | -
@@ -523,6 +632,13 @@
TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)<br/>默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
TPAS_MAIL_API_URL | 邮件发送服务地址(k8s集群内部地址)<br/>console:控制台输出,默认<br/>smtp:SMTP服务<br/>其他,支持学校定制接口 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/mail/smtp
TPAS_SMS_API_URL | 短信发送服务地址(k8s集群内部地址)<br/>console:控制台输出,默认<br/>aliyun:阿里云短信服务<br/>其他,支持学校定制接口 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/sms/console
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
+
ConfigMap,personal-security-center-bff-template-env
邮件内容模板、短信内容模板
@@ -576,10 +692,14 @@
key | 说明 | 配置示例
- | - | -
- APP_SERVER_HOST_URL | 个人安全中心访问地址(外部访问地址) | http://personal-security-center.paas.xxx.edu.cn
- CAS_SERVER_HOST_URL | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn
+ APP_SERVER_HOST_URL | 个人安全中心访问地址(外部访问地址) | https://authx-service.paas.xxx.edu.cn/personal
+ CAS_SERVER_HOST_URL | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn/cas
- | - | -
- APPLICATION_INDEX_REDIRECT_URI | 网关服务的默认首页,安全中心访问地址(外部访问地址) | http://security-center.paas.xxx.edu.cn
+ APPLICATION_INDEX_REDIRECT_URI | 网关服务的默认首页,安全中心访问地址(外部访问地址) | https://authx-service.paas.xxx.edu.cn
+ - | - | -
+ USER_DATA_SERVICE_SERVER_URL | 用户服务开放接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ USER_AUTHZ_SERVICE_SERVER_URL | 授权服务管理接口地址(k8s集群内部地址) | http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
* personal-security-center 下的 security-center-ui
@@ -588,14 +708,73 @@
key | 说明 | 配置示例
- | - | -
- RESOURCE_PREFIX | LOGO、FAVICON 等资源地址 | http://authx-minio.paas.xxx.edu.cn/security-center-ui
- MAIN_SERVER | 安全中心访问地址(外部访问地址) | http://security-center.paas.xxx.edu.cn
+ RESOURCE_PREFIX | LOGO、FAVICON 等资源地址 | https://authx-minio.paas.xxx.edu.cn/security-center-ui
+ MAIN_SERVER | 安全中心访问地址(外部访问地址) | https://authx-service.paas.xxx.edu.cn
- | - | -
- PERSONAL_CENTER_API | 后端API,个人安全中心访问地址(外部访问地址) | http://personal-security-center.paas.xxx.edu.cn
+ PERSONAL_CENTER_API | 后端API,个人安全中心访问地址(外部访问地址) | https://authx-service.paas.xxx.edu.cn/personal
+ - | - | -
+ AUTH_TYPE | 认证对接方式,可选 cas,uniauth | cas
- | - | -
AUTH_CAS | CAS认证地址(外部访问地址) | http://cas.paas.xxx.edu.cn/cas
JWT_ISS | JWT Token 签名方标识 | http://cas.paas.xxx.edu.cn/cas
JWT_SECRET | JWT Token 签名密钥 | 固定值,`(@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2`
+ - | - | -
+ UNIAUTH_IDTOKEN | uniauth认证地址(外部访问地址) | https://uniauth.paas.xxx.edu.cn/idtoken
+ UNIAUTH_IDTOKEN_ISS | Id Token 签名方标识 | uniauth
+ UNIAUTH_CLIENT_ID | client id | 22
+
+ 注:
+ AUTH_TYPE 为 cas 时,配置 AUTH_CAS、JWT_ISS、JWT_SECRET
+ AUTH_TYPE 为 uniauth 时,配置 UNIAUTH_IDTOKEN、UNIAUTH_IDTOKEN_ISS、UNIAUTH_CLIENT_ID
+
+
+* attest-server 下的 attest-server
+
+ ConfigMap,attest-server-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ POA_SERVER_URL | POA网关地址(外部访问地址) | https://poa.paas.xxx.edu.cn
+ POA_CLIENT_ID | client id |
+ POA_CLIENT_SECRET | client secret |
+ POA_SCOPES | api 接口的 scope | appPush:v1:apppushByMessageType
+ - | - | -
+ ATTEST_SERVER_PREFIX | 身份验证服务地址(外部访问地址) | https://attest.paas.xxx.edu.cn/attest
+ - | - | -
+ ATTEST_SERVER_SECUREPHONE_SMS_TEXT_TEMPLATE | 短信内容模板 | 【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。
+ ATTEST_SERVER_SECUREPHONE_SMS_FROM | 短信内容标题 | 认证服务
+ - | - | -
+ ATTEST_SERVER_SECUREEMAIL_MAIL_TEXT_TEMPLATE | 邮件内容模板 | 【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。
+ ATTEST_SERVER_SECUREEMAIL_MAIL_FROM | 邮件内容标题 | 认证服务
+ - | - | -
+ ATTEST_SERVER_FACEVERIFY_SUPERAPP_URL_SCHEME | 在超级APP 中唤起人脸识别的 URL Scheme | superapp
+ - | - | -
+ TOKEN_SERVER_TOKEN_SIGNING_KEY_URL | TOKEN认证验签公钥地址(k8s集群内部地址) | http://token-server-svc.token-server.svc.cluster.local:8080/token/jwt/publicKey
+ - | - | -
+ TPAS_AGENT_SERVICE_SERVER_URL | 代理服务接口地址(k8s集群内部地址) | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH | 短信发送服务地址<br/>console:控制台输出,默认<br/>aliyun:阿里云短信服务<br/>其他,支持学校定制接口 | /api/v1/tpas/sms/console/send
+ TPAS_AGENT_SERVICE_MAIL_SENDER_PATH | 邮件发送服务地址<br/>console:控制台输出,默认<br/>smtp:SMTP服务<br/>其他,支持学校定制接口 | /api/v1/tpas/mail/console/send
+ - | - | -
+ USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ TOKEN_SERVER_SERVER_URL | Token认证服务接口地址(k8s集群内部地址)| http://token-server-svc.token-server.svc.cluster.local:8080/token
+
+
+* authx-log 下的 authx-log-sa
+
+ ConfigMap,authx-log-sa-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ USER_DATA_SERVICE_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ IPADDR_SERVER_URL | IP地址服务 | http://ipaddr.ipaddr.svc.cluster.local:9090
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
## 开始安装
@@ -611,10 +790,13 @@
- | -
用户服务 user-data-service | user
授权服务 user-authorization-service | user_authz
+ - | -
+ 日志服务 authx-log | authx_log
+ - | -
认证服务 cas-server | cas_server
认证服务(APP适用) token-server | token_server
- | -
- 第三方代理服务 thridparty-agent-service | agent_service
+ (可选)第三方代理服务 thridparty-agent-service | agent_service
- | -
v4认证迁移数据 | tmp_data
@@ -623,6 +805,9 @@
```
create user 'user'@'%' identified with mysql_native_password by 'your_password';
create user 'user_authz'@'%' identified with mysql_native_password by 'your_password';
+
+ create user 'authx_log'@'%' identified with mysql_native_password by 'your_password';
+
create user 'cas_server'@'%' identified with mysql_native_password by 'your_password';
create user 'token_server'@'%' identified with mysql_native_password by 'your_password';
@@ -640,10 +825,13 @@
- | -
用户服务 user-data-service | user
授权服务 user-authorization-service | user_authz
+ - | -
+ 日志服务 authx-log | authx_log
+ - | -
认证服务 cas-server | cas_server
认证服务(APP适用) token-server | token_server
- | -
- 第三方代理服务 thridparty-agent-service | agent_service
+ (可选)第三方代理服务 thridparty-agent-service | agent_service
- | -
v4认证迁移数据 | tmp_data
@@ -651,6 +839,9 @@
```
create database `user` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
create database `user_authz` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+
+ create database `authx_log` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+
create database `cas_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
create database `token_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
@@ -668,6 +859,9 @@
```
grant all privileges on `user`.* to 'user'@'%' with grant option;
grant all privileges on `user_authz`.* to 'user_authz'@'%' with grant option;
+
+ grant all privileges on `authx_log`.* to 'authx_log'@'%' with grant option;
+
grant all privileges on `cas_server`.* to 'cas_server'@'%' with grant option;
grant all privileges on `token_server`.* to 'token_server'@'%' with grant option;
@@ -874,6 +1068,18 @@
TODO: 修改 bff、zuul 配置
TODO: 修改 security-center-ui 配置
+ 7.attest-server
+
+ 此为 身份验证服务
+
+ 提供双因子、二次认证时,进行用户的身份验证,包括 APP推送验证、安全手机验证、安全邮箱验证、人脸识别验证 等能力
+
+ 8.authx-log
+
+ 此为 日志服务
+
+ 收集 用户、认证、授权 的管理、使用过程中产生的 操作日志、登录日志;同时,提供日志查询、基于日志的统计功能
+
9.jobs-server
此为 任务调度服务
@@ -924,9 +1130,13 @@
cas-server
token-server
-
+
personal-security-center
+ attest-server
+
+ authx-log
+
jobs-server
```
@@ -956,15 +1166,14 @@
先修改 脚本中的域名(如果存在)
+* 必须,1.authx0service/10.0.init.sql
+
+ 包括,
+ 安全中心的认证对接配置
+ 云平台,管理接口的路由配置
+ 云平台,管理功能的菜单配置
* 可选,1.authx-service/10.0.tmp.sql
若通过交换同步组织机构、帐号数据的,须执行该数据库脚本
-
-* 可选,1.authx-service/10.1.init-flow.sql
-
- 若部署了 流程平台 的产品
-
- 可默认创建几个管理员帐号,以及初始授权
-
diff --git "a/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf" "b/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf"
index 35bc552..ceaccec 100644
--- "a/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf"
+++ "b/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf"
Binary files differ
diff --git "a/deploy-manifests/k8s-rancher/0.1.4.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.3-V1.4\357\274\211.md" "b/deploy-manifests/k8s-rancher/0.1.4.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.3-V1.4\357\274\211.md"
new file mode 100644
index 0000000..9ee12dc
--- /dev/null
+++ "b/deploy-manifests/k8s-rancher/0.1.4.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.3-V1.4\357\274\211.md"
@@ -0,0 +1,165 @@
+
+# 认证授权服务升级文档(V1.3 ~ V1.4)
+
+
+## 部署变更说明
+
+对本次升级进行的简要说明,具体的升级步骤,详见 **升级说明**
+
+1. 数据库用户变更
+
+新增,authx_log
+(可选)移除,agent_service
+
+2. 镜像变更
+
+新增,authx-log
+新增,attest-server
+
+3. 域名变更
+
+(可选)新增,域名 authx-service,将 personal-security-center、security-center、以及 authx-management 合并
+(可选)废弃,域名 personal-security-center,合并至 域名 authx-service
+(可选)废弃,域名 security-center,合并至 域名 authx-service
+(可选)迁移,原域名 authx-management 挂在 域名 admin-platform 域名下,现合并至 authx-service
+(可选)废弃,域名 token,合并至 域名 cas
+
+4. Context Path 变更
+
+(可选)变更,personal-security-center-zuul,context path 更新为 /personal
+(可选)变更,token-server,context path 更新为 /token
+
+5. 访问地址变更
+
+(可选)变更,用户认证授权管理前端UI,`https://admin-platform.paas.xxx.edu.cn/authx-management` 变更为 `https://authx-service.paas.xxx.edu.cn/authx-management`
+(可选)变更,安全中心后端API,`https://personal-security-center.paas.xxx.edu.cn` 变更为 `https://authx-service.paas.xxx.edu.cn/personal`
+(可选)变更,Token 认证,`https://token.paas.xxx.edu.cn` 变更为 `https://cas.pass.xxx.edu.cn/token`
+
+6. 部署yaml 变更
+
+新增,7.attest-server
+新增,8.authx-log
+
+新增,0.authx-service,4.4.authx-service-bff.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+
+新增,1.thirdparty-agent-service,4.2.thirdparty-agent-service.yaml,ConfigMap 增加 人脸服务对接配置 `FACE_*`
+
+新增,2.user-data-service,4.1.user-data-service-poa.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+新增,2.user-data-service,4.2.user-data-service-goa.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+新增,2.user-data-service,4.3.user-data-service-biz.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+
+新增,3.user-authorization-service,4.1.user-authorization-poa.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+新增,3.user-authorization-service,4.2.user-authorization-sa.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+
+新增,4.cas-server,4.2.cas-server-sa-api.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+新增,4.cas-server,4.5.cas-server-site-webapp.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+
+新增,5.token-server,4.1.token-server.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+变更,5.token-server,4.1.token-server.yaml,ConfigMap 修改 将 `SPRING_RABBITMQ_*` 调整为 `USER_RABBITMQ_*`
+(可选)新增,5.token-server,4.1.token-server.yaml,ConfigMap 增加 context path 配置 `SERVER_SERVLET_CONTEXT_PATH: /token`
+(可选)变更,5.token-server,4.1.token-server.yaml,ConfigMap 修改 `TOKEN_SERVER_PREFIX: https://cas.paas.xxx.edu.cn/token`
+
+新增,6.personal-security-center,4.4.personal-security-center-bff.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+(可选)新增,6.personal-security-center,4.5.personal-security-center-zuul.yaml,ConfigMap 增加 context path 配置 `SERVER_SERVLET_CONTEXT_PATH: /personal`
+(可选)变更,6.personal-security-center,4.4.personal-security-center-bff.yaml,ConfigMap 修改 `PERSONAL_SECURITY_CENTER_SERVER_PREFIX: https://authx-service.paas.xxx.edu.cn/personal`
+(可选)变更,6.personal-security-center,4.5.personal-security-center-zuul.yaml,ConfigMap 修改 `APP_SERVER_HOST_URL: https://authx-service.paas.xxx.edu.cn/personal`
+(可选)变更,6.personal-security-center,4.5.personal-security-center-zuul.yaml,ConfigMap 修改 `APPLICATION_INDEX_REDIRECT_URI: https://authx-service.paas.xxx.edu.cn`
+(可选)变更,6.personal-security-center,4.9.security-center-ui.yaml,ConfigMap 修改 `MAIN_SERVER: https://authx-service.paas.xxx.edu.cn`
+(可选)变更,6.personal-security-center,4.9.security-center-ui.yaml,ConfigMap 修改 `PERSONAL_CENTER_API: https://authx-service.paas.xxx.edu.cn/personal`
+
+
+## 升级说明
+
+1. 将 工作负载 下的服务 升级到 1.4.x 版本(注意,先执行 `*-installer`)
+
+2. 部署 7.attest-server
+
+3. 部署 8.authx-log
+
+4. ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+ 包括:
+ authx-service-bff
+ user-data-service-poa
+ user-data-service-goa
+ user-data-service-biz
+ user-authorization-poa
+ user-authorization-sa
+ cas-server-sa-api
+ cas-server-site-webapp
+ token-server
+ personal-security-center-bff
+
+5. token-server,ConfigMap 增加 `USER_RABBITMQ_*`
+
+6. (可选)调整 authx-management-ingress 的 host 为 authx-service.paas.xxx.edu.cn
+
+7. (可选,和 6 一起修改)修改 ConfigMap admin-platform/admin-platform-spa-env 下的配置项 `CAS_SERVER_SPA_URL`, `USER_SERVER_SPA_URL`, `AUTH_SERVER_SPA_URL`
+
+ ```
+ CAS_SERVER_SPA_URL: https://authx-service.paas.xxx.edu.cn/authx-management/cas-server-ui
+ USER_SERVER_SPA_URL: https://authx-service.paas.xxx.edu.cn/authx-management/user-server-ui
+ AUTH_SERVER_SPA_URL: https://authx-service.paas.xxx.edu.cn/authx-management/auth-server-ui
+ ```
+
+8. (可选)token-server,ConfigMap 增加 context path 配置 `SERVER_SERVLET_CONTEXT_PATH: /token`
+9. (可选,和 8 一起修改)调整 token-server-ingress 下 token-server-svc 对应的 path 为 /token
+
+10. (可选)调整 token-server-ingress 的 host 为 cas.paas.xxx.edu.cn;调整 host 后,必须增加 context path 配置(即 8、9)
+
+ 注:
+ 若 修改了 token-server 的 context path、或 调整了host,则须调整 超级APP 的配置
+
+11. (可选)修改 token-server 的 ConfigMap
+
+ `TOKEN_SERVER_PREFIX: https://cas.paas.xxx.edu.cn/token`
+ 注:
+ 若 context path 未配置,则不修改;
+ 若 host 未调整,则修改为 `https://token.paas.xxx.edu.cn/token`
+
+12. (可选)personal-security-center-zuul,ConfigMap 增加 context path 配置 `SERVER_SERVLET_CONTEXT_PATH: /personal`
+13. (可选,和 12 一起修改)调整 personal-security-center-ingress 下 personal-security-center-zuul-svc 对应的 path 为 /personal
+
+14. (可选)调整 personal-security-center-ingress 的 host 为 authx-service.paas.xxx.edu.cn;调整 host 后,必须增加 context path 配置(即 12、13)
+
+ 注:
+ 若 修改了 personal-security-center-zuul 的 context path、或 调整了host,则须调整 超级APP 的配置、门户个人中心 的配置
+
+15. (可选)调整 security-center-ingress 的 host 为 authx-service.paas.xxx.edu.cn
+
+14. (可选)修改 personal-security-center-zuul 的 ConfigMap
+
+ `PERSONAL_SECURITY_CENTER_SERVER_PREFIX: https://authx-service.paas.xxx.edu.cn/personal`
+ 注:
+ 若 context path 未配置,则不修改;
+ 若 host 未调整,则修改为 `https://personal-security-center.paas.xxx.edu.cn/personal`
+
+ `APP_SERVER_HOST_URL: https://authx-service.paas.xxx.edu.cn/personal`
+ 注:
+ 若 context path 未配置,则不修改;
+ 若 host 未调整,则修改为 `https://personal-security-center.paas.xxx.edu.cn/personal`
+
+ `APPLICATION_INDEX_REDIRECT_URI: https://authx-service.paas.xxx.edu.cn` (若 host 未调整,则不修改)
+
+
+15. (可选)修改 security-center-ui 的 ConfigMap
+
+ `MAIN_SERVER: https://authx-service.paas.xxx.edu.cn` (若 host 未调整,则不修改)
+
+ `PERSONAL_CENTER_API: https://authx-service.paas.xxx.edu.cn/personal`
+ 注:
+ 若 context path 未配置,则不修改;
+ 若 host 未调整,则修改为 `https://personal-security-center.paas.xxx.edu.cn/personal`
+
+
+
+16. 菜单调整
+
+ 进入 云平台 - 基础管理 - 菜单管理,
+
+ 新增菜单 认证管理 - 双因子认证, 代码:`twoFactorAuth`, 地址:`/cas-server/twoFactorAuth`
+
+ 修改菜单 认证管理 - 日志管理, 代码:`logManagement`, 地址:`/cas-server/logManagement`
+
+
+
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-ingresses.yaml
index abf1755..c8f87da 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-ingresses.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-ingresses.yaml
@@ -6,14 +6,14 @@
kind: Ingress
metadata:
namespace: authx-service
- name: authx-management-ingress
+ name: authx-service-authx-management-ingress
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
rules:
# 修改为学校的根域名
- - host: admin-platform.paas.xxx.edu.cn
+ - host: authx-service.paas.xxx.edu.cn
http:
paths:
- path: /authx-management/(.*)
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml
index 36b4b70..c535c46 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml
@@ -74,6 +74,14 @@
#TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
#TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Service
@@ -114,7 +122,7 @@
spec:
containers:
- name: authx-service-bff
- image: harbor.supwisdom.com/authx-service/authx-service-bff:1.3.1-RELEASE
+ image: harbor.supwisdom.com/authx-service/authx-service-bff:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.9.authx-management.yaml b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.9.authx-management.yaml
index 8fedc83..06c3911 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.9.authx-management.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.9.authx-management.yaml
@@ -44,7 +44,7 @@
spec:
containers:
- name: authx-management
- image: harbor.supwisdom.com/authx-service/authx-management:1.3.1-RELEASE
+ image: harbor.supwisdom.com/authx-service/authx-management:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 80
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml b/deploy-manifests/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml
index a129c1c..eef5afa 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml
@@ -62,6 +62,23 @@
# 若须对接sms 接口,须进行二开定制
+ # face
+ # aiface 新开普人脸
+ FACE_AIFACE_AUTOCONFIGURE_ENABLED: "false"
+ FACE_AIFACE_URL: ""
+ FACE_AIFACE_APPKEY: ""
+ FACE_AIFACE_APPSECRET: ""
+ FACE_AIFACE_SECRETKEY: ""
+ FACE_AIFACE_TERM_CODE: ""
+
+ # aipface 百度人脸
+ FACE_AIPFACE_AUTOCONFIGURE_ENABLED: "true"
+ FACE_AIPFACE_APPID: "24825582"
+ FACE_AIPFACE_APIKEY: "1KK9A5hIB9HNbHWQGVrw26Ww"
+ FACE_AIPFACE_SECRETKEY: "AsANn1AoxhHDGsscQ7QUIKmWnCW0vggH"
+ FACE_AIPFACE_GROUPIDLIST: "TEST_1"
+
+
---
apiVersion: v1
kind: Secret
@@ -121,7 +138,7 @@
containers:
- name: agent-service
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/thirdparty-agent-service/agent-service:1.2.0-RELEASE
+ image: harbor.supwisdom.com/thirdparty-agent-service/agent-service:1.3.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql b/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql
index 3298454..371d490 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql
+++ b/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql
@@ -313,3 +313,30 @@
commit;
+
+-- V1.4,初始数据脚本
+
+update TB_MGT_PERMISSION
+set CODE='logManagement', URL='/cas-server/logManagement'
+where ID='22000'
+;
+
+commit;
+
+
+-- 注意
+update TB_MGT_PERMISSION
+ set LFT = LFT+2
+where LFT>=45
+;
+
+update TB_MGT_PERMISSION
+ set RGT = RGT+2
+where RGT>=45
+;
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('21100', 0, 'twoFactorAuth', '双因子认证', '1', '2', 'su-icon-test', '/cas-server/twoFactorAuth', '10', '20000', 21100, 2, 45, 46);
+
+commit;
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml
index fdecf82..745c460 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml
@@ -28,7 +28,7 @@
containers:
- name: user-data-service-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml
index 0e86267..63d972c 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml
@@ -51,6 +51,13 @@
LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Service
@@ -92,7 +99,7 @@
containers:
- name: user-data-service-poa
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/poa-api:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/poa-api:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml
index 6120064..5012b42 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml
@@ -65,10 +65,29 @@
JOBS_RABBITMQ_ACCOUNTGROUPUSERSVC2JOBSRABBITSENDER_ENABLED: "false"
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ #ipaddr
+ IPADDR_API_URL: http://ipaddr.ipaddr.svc.cluster.local:9090/v1/find
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
LOGGING_LEVEL_COM_SUPWISDOM_GOA: INFO
LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO
-
---
apiVersion: v1
kind: Service
@@ -110,7 +129,7 @@
containers:
- name: user-data-service-goa
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/goa-api:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/goa-api:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml
index 6494b6e..74d6c2a 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml
@@ -55,6 +55,13 @@
LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Service
@@ -96,7 +103,7 @@
containers:
- name: user-data-service-biz
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/biz-api:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/biz-api:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml
index 5e8d4a4..1bba19f 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml
@@ -41,7 +41,7 @@
containers:
- name: user-data-service-datax-job
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/datax-job:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/datax-job:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml
index fc658da..bfc4af5 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml
@@ -38,7 +38,7 @@
containers:
- name: api-docs-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/api-docs-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/api-docs-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml
index c47a567..4afd7d8 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml
@@ -28,7 +28,7 @@
containers:
- name: user-authorization-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/user-authorization-service/user-authorization-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/user-authorization-service/user-authorization-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml
index 487e850..740ee97 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml
@@ -37,6 +37,14 @@
LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_USER_AUTHORIZATION_SERVICE_COMMON_LOG: INFO
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Service
@@ -78,7 +86,7 @@
containers:
- name: user-authorization-poa
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/user-authorization-service/user-authorization-poa:1.3.1-RELEASE
+ image: harbor.supwisdom.com/user-authorization-service/user-authorization-poa:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml
index a9e66f0..bb55321 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml
@@ -36,6 +36,14 @@
LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_USER_AUTHORIZATION_SERVICE_COMMON_LOG: INFO
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
# SBA_URL: http://spring-boot-admin-svc.base.svc.cluster.local:8080
@@ -80,7 +88,7 @@
containers:
- name: user-authorization-sa
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/user-authorization-service/user-authorization-sa:1.3.1-RELEASE
+ image: harbor.supwisdom.com/user-authorization-service/user-authorization-sa:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml
index 888963d..e4789b1 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml
@@ -41,7 +41,7 @@
containers:
- name: user-authorization-datax-job
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/user-authorization-service/user-authorization-datax-job:1.3.1-RELEASE
+ image: harbor.supwisdom.com/user-authorization-service/user-authorization-datax-job:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml
index 1df04c9..90d8627 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml
@@ -38,7 +38,7 @@
containers:
- name: api-docs-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/user-authorization-service/api-docs-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/user-authorization-service/api-docs-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml
index 8238b1e..42eca24 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml
@@ -17,16 +17,7 @@
name: cas-ingress
annotations:
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
- # cert-manager.io/cluster-issuer: "letsencrypt-staging"
- # nginx.ingress.kubernetes.io/ssl-redirect: "true"
- # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
- # nginx.ingress.kubernetes.io/auth-tls-secret: "cas-server/ca-secret"
- # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
spec:
- # tls:
- # - hosts:
- # - cas.paas.xxx.edu.cn
- # secretName: cas-ingress-tls
rules:
# 修改为学校的根域名
- host: cas.paas.xxx.edu.cn
@@ -40,6 +31,3 @@
backend:
serviceName: cas-server-site-scheme-svc
servicePort: http
-
-
-# TODO: https 配置说明
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml
index feac2b9..8fe13ae 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml
@@ -28,7 +28,7 @@
containers:
- name: cas-server-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/cas-server/cas-server-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
index 74a1079..4ba150a 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
@@ -42,6 +42,13 @@
#USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Secret
@@ -95,7 +102,7 @@
containers:
- name: cas-server-sa-api
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/cas-server/cas-server-sa-api:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-sa-api:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml
index b5f6433..db4e6a0 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml
@@ -62,7 +62,7 @@
containers:
- name: cas-server-security-engine
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/cas-server/cas-server-security-engine:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-security-engine:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 6060
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml
index 6a080d9..6826c26 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml
@@ -13,11 +13,11 @@
#SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
#SSL_KEYSTORE_PASSWORD: ""
- SERVER_MAXHTTPHEADERSIZE: "10240"
+ SERVER_MAXHTTPHEADERSIZE: "2097152"
SERVER_TOMCAT_ACCEPT_COUNT: "5000"
SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
- SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MAX_THREADS: "350"
SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
@@ -116,8 +116,8 @@
CASSERVERSITE_SMS_SENDER_IMPL: agent-service
# **修改** 学校的根域名
- CASSERVERSITE_FORGOT_PASSWORD_URL: https://security-center.paas.xxx.edu.cn/find-pwd
- CASSERVERSITE_ACTIVE_ACCOUNT_URL: https://security-center.paas.xxx.edu.cn/active-account
+ CASSERVERSITE_FORGOT_PASSWORD_URL: https://authx-service.paas.xxx.edu.cn/find-pwd
+ CASSERVERSITE_ACTIVE_ACCOUNT_URL: https://authx-service.paas.xxx.edu.cn/active-account
## 动态码登录相关配置
CASSERVERSITE_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS: "300"
@@ -131,6 +131,11 @@
# http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080/api/v1/security/accounts/verifyAccountPassword
+ ##
+ # 超级APP Token 的验签公钥
+ SUPERAPP_TOKEN_SIGNING_KEY_URL: http://token-server-svc.token-server.svc.cluster.local:8080/token/jwt/publicKey
+
+
TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
#TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
@@ -172,11 +177,30 @@
#USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
#USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
- ##
- # 超级APP Token 的验签公钥
- # 如须和 超级APP 进行对接,修改此配置
- # **修改** 学校的根域名
- SUPERAPP_TOKEN_SIGNING_KEY_URL: https://token.paas.xxx.edu.cn/jwt/publicKey
+
+ ATTEST_SERVER_URL: http://attest-server-svc.attest-server.svc.cluster.local:8080/attest
+ ATTEST_CLIENT_AUTH_ENABLED: "false"
+ #ATTEST_CLIENT_AUTH_KEY_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #ATTEST_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ IPADDR_SERVER_URL: http://ipaddr.ipaddr.svc.cluster.local:9090
+ IPADDR_CLIENT_AUTH_ENABLED: "false"
+ #IPADDR_CLIENT_AUTH_KEY_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #IPADDR_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
##
@@ -228,7 +252,7 @@
containers:
- name: cas-server-site-webapp
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/cas-server/cas-server-site-webapp:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-site-webapp:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
@@ -246,9 +270,9 @@
name: cas-server-site-webapp-env
resources:
requests:
- memory: "6000Mi"
+ memory: "4096Mi"
limits:
- memory: "6000Mi"
+ memory: "4096Mi"
readinessProbe:
tcpSocket:
port: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml
index 5aada1b..4ca985f 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml
@@ -95,7 +95,7 @@
memory: "256Mi"
- name: cas-server-site-scheme-generator
# 根据情况修改镜像地址
- image: harbor.supwisdom.com/cas-server/cas-server-site-scheme:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-site-scheme:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml
index e1e880d..b390d9b 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml
@@ -42,7 +42,7 @@
containers:
- name: cas-server-datax-job
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/cas-server/cas-server-datax-job:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-datax-job:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml
index 808eb18..3634ed7 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml
@@ -13,10 +13,10 @@
spec:
rules:
# 修改为学校的根域名
- - host: token.paas.xxx.edu.cn
+ - host: cas.paas.xxx.edu.cn
http:
paths:
- - path: /
+ - path: /token
backend:
serviceName: token-server-svc
servicePort: http
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml
index 9b43336..ad0118a 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml
@@ -28,7 +28,7 @@
containers:
- name: token-server-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/token-server/token-server-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/token-server/token-server-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml
index b7cc3bf..89706ed 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml
@@ -13,7 +13,9 @@
#SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
#SSL_KEYSTORE_PASSWORD: ""
- SERVER_MAXHTTPHEADERSIZE: "10240"
+ SERVER_SERVLET_CONTEXT_PATH: "/token"
+
+ SERVER_MAXHTTPHEADERSIZE: "20480"
SERVER_TOMCAT_ACCEPT_COUNT: "5000"
SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
@@ -33,7 +35,7 @@
# **修改** 学校的根域名
- TOKEN_SERVER_PREFIX: https://token.paas.xxx.edu.cn
+ TOKEN_SERVER_PREFIX: https://token.paas.xxx.edu.cn/token
# **修改** 学校的根域名
TOKEN_SERVER_SECURITY_JWT_ISS: token.paas.xxx.edu.cn
#TOKEN_SERVER_SECURITY_JWT_EXPIRATION: 2592000
@@ -89,6 +91,8 @@
MESSAGECENTER_MESSAGE_TYPE_CODE_APP_LOGIN: APP_LOGIN
MESSAGECENTER_MESSAGE_TYPE_CODE_PASSWORD: PASSWORD
+ MESSAGECENTER_MESSAGE_TYPE_CODE_APPPUSH: APPPUSH
+
# **修改** 从POA申请
POA_SERVER_URL: https://poa.paas.xxx.edu.cn
POA_CLIENT_ID: ""
@@ -96,6 +100,18 @@
POA_SCOPES: messagecenter:v1:sendMessage
+ TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send
+ TPAS_AGENT_SERVICE_FACE_FACEVERIFY_PATH: /api/v1/tpas/face/aiface/faceverify
+
+
CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
#CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
@@ -113,15 +129,45 @@
#USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
- TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
- TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
- #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
- #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
- #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
- #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
- #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+ ATTEST_SERVER_URL: http://attest-server-svc.attest-server.svc.cluster.local:8080/attest
+ ATTEST_CLIENT_AUTH_ENABLED: "false"
+ #ATTEST_CLIENT_AUTH_KEY_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #ATTEST_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
- TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send
+
+ IPADDR_SERVER_URL: http://ipaddr.ipaddr.svc.cluster.local:9090
+ IPADDR_CLIENT_AUTH_ENABLED: "false"
+ #IPADDR_CLIENT_AUTH_KEY_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #IPADDR_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ ##
+ # authx-log rabbitmq
+ #
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+ ##
+ # 接收 user 推送的 rabbitmq 数据
+ #
+ USER_RABBITMQ_ENABLED: "true"
+ USER_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ USER_RABBITMQ_PORT: "5672"
+ USER_RABBITMQ_USERNAME: guest
+ USER_RABBITMQ_PASSWORD: guest
+
+ USER_RABBITMQ_CONSUMER_ENABLED: "true"
+
---
apiVersion: v1
@@ -179,7 +225,7 @@
containers:
- name: token-server
# 若使用了学校搭设的私有仓库,请 **修改**
- image: harbor.supwisdom.com/token-server/token-server:1.3.1-RELEASE
+ image: harbor.supwisdom.com/token-server/token-server:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
@@ -204,7 +250,7 @@
memory: "1024Mi"
readinessProbe:
httpGet:
- path: /actuator/health
+ path: /token/actuator/health
port: 8080
initialDelaySeconds: 20
periodSeconds: 5
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml
index fe7387c..836af30 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml
@@ -38,7 +38,7 @@
containers:
- name: api-docs-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/token-server/api-docs-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/token-server/api-docs-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml
index 3bdc109..e2f3c30 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml
@@ -13,26 +13,25 @@
spec:
rules:
# 修改为学校的根域名
- - host: personal-security-center.paas.xxx.edu.cn
+ - host: authx-service.paas.xxx.edu.cn
http:
paths:
- - path: /
+ - path: /personal
backend:
serviceName: personal-security-center-zuul-svc
servicePort: http
-
-# 安全中心前端
+# 安全中心
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: personal-security-center
- name: security-center-ui-ingress
+ name: security-center-ingress
spec:
rules:
# 修改为学校的根域名
- - host: security-center.paas.xxx.edu.cn
+ - host: authx-service.paas.xxx.edu.cn
http:
paths:
- path: /
@@ -40,3 +39,30 @@
serviceName: security-center-ui-svc
servicePort: http
+
+# 也可以合并为一个 ingress,参考如下:
+
+# # 安全中心 前端UI、后端API
+# ---
+# apiVersion: extensions/v1beta1
+# kind: Ingress
+# metadata:
+# namespace: personal-security-center
+# name: authx-service-security-center-ingress
+# annotations:
+# nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+# spec:
+# rules:
+# # 修改为学校的根域名
+# - host: authx-service.paas.xxx.edu.cn
+# http:
+# paths:
+# - path: /
+# backend:
+# serviceName: security-center-ui-svc
+# servicePort: http
+# - path: /personal
+# backend:
+# serviceName: personal-security-center-zuul-svc
+# servicePort: http
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml
index ae9611c..9f93bb9 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml
@@ -93,9 +93,9 @@
# 修改为学校的 personal-security-center 的访问域名
- PERSONAL_SECURITY_CENTER_SERVER_PREFIX: http://personal-security-center.paas.xxx.edu.cn
+ PERSONAL_SECURITY_CENTER_SERVER_PREFIX: https://authx-service.paas.xxx.edu.cn/personal
# 修改为学校的 cas 的访问域名
- CAS_SERVER_PREFIX: http://cas.paas.xxx.edu.cn/cas
+ CAS_SERVER_PREFIX: https://cas.paas.xxx.edu.cn/cas
PERSONAL_SECURITY_BFF_NONCE_STORE_IMPL: redis
@@ -150,6 +150,7 @@
TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
TPAS_MAIL_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/mail/smtp
TPAS_SMS_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/sms/console
+ TPAS_FACE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/face/aiface
TPAS_CLIENT_AUTH_ENABLED: "false"
#TPAS_CLIENT_AUTH_KEY_PASSWORD: ""
#TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
@@ -166,6 +167,14 @@
# COMMUNICATOR_SMS_SENDER_URL: https://agent-service-api.supwisdom.com/api/v1/tpas/sms/console/send
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Secret
@@ -218,7 +227,7 @@
containers:
- name: personal-security-center-bff
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/personal-security-center/personal-security-bff:1.3.1-RELEASE
+ image: harbor.supwisdom.com/personal-security-center/personal-security-bff:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml
index 9bcd61f..32c52ba 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml
@@ -14,6 +14,8 @@
#SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
#SSL_TRUSTSTORE_PASSWORD: ""
+ SERVER_SERVLET_CONTEXT_PATH: "/personal"
+
SERVER_MAXHTTPHEADERSIZE: "10240"
SERVER_TOMCAT_ACCEPT_COUNT: "5000"
@@ -62,18 +64,18 @@
#INFRAS_SECURITY_JWT_TOKEN_SIGNING_KEY_URL: "http://uniauth-prod-backend.uniauth.svc.cluster.local:9090/idtoken/publicKey"
- INFRAS_SECURITY_CAS_ENABLED: "true"
- # 修改为学校的 personal-security-center 的访问域名
- APP_SERVER_HOST_URL: "http://personal-security-center.paas.xxx.edu.cn"
+ INFRAS_SECURITY_CAS_ENABLED: "false"
+ # 修改为学校的 security-center 的访问域名
+ APP_SERVER_HOST_URL: "https://authx-service.paas.xxx.edu.cn/personal"
#APP_LOGIN_URL: "/cas/login"
#APP_LOGOUT_URL: "/cas/logout"
# 修改为学校的 cas 的访问域名
- CAS_SERVER_HOST_URL: "http://cas.paas.xxx.edu.cn/cas"
+ CAS_SERVER_HOST_URL: "https://cas.paas.xxx.edu.cn/cas"
# 后端API服务,域名访问时,默认跳转地址
# 修改为学校的 security-center 安全中心的访问域名
- APPLICATION_INDEX_REDIRECT_URI: "http://security-center.paas.xxx.edu.cn"
+ APPLICATION_INDEX_REDIRECT_URI: "https://authx-service.paas.xxx.edu.cn"
ZUUL_HTTPCLIENT_CLIENT_AUTH_ENABLED: "false"
@@ -152,7 +154,7 @@
containers:
- name: personal-security-center-zuul
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/personal-security-center/personal-security-zuul:1.3.1-RELEASE
+ image: harbor.supwisdom.com/personal-security-center/personal-security-zuul:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
@@ -175,7 +177,7 @@
memory: "512Mi"
readinessProbe:
httpGet:
- path: /actuator/health
+ path: /personal/actuator/health
port: 8080
initialDelaySeconds: 20
periodSeconds: 5
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml
index 7072e3d..671389a 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml
@@ -8,23 +8,23 @@
name: security-center-ui-env
data:
# **修改** 学校的根域名
- RESOURCE_PREFIX: http://authx-minio.paas.xxx.edu.cn/security-center-ui
+ RESOURCE_PREFIX: https://authx-minio.paas.xxx.edu.cn/security-center-ui
SCHOOL_NAME: ""
- MAIN_SERVER: http://security-center.paas.xxx.edu.cn
+ MAIN_SERVER: https://authx-service.paas.xxx.edu.cn
- PERSONAL_CENTER_API: http://personal-security-center.paas.xxx.edu.cn
+ PERSONAL_CENTER_API: https://authx-service.paas.xxx.edu.cn/personal
# 可选 cas,uniauth
AUTH_TYPE: cas
# AUTH_TYPE 为 uniauth 时,配置
- UNIAUTH_IDTOKEN: http://uniauth.paas.xxx.edu.cn/idtoken
+ UNIAUTH_IDTOKEN: https://uniauth.paas.xxx.edu.cn/idtoken
UNIAUTH_IDTOKEN_ISS: "uniauth"
UNIAUTH_CLIENT_ID: "22"
# AUTH_TYPE 为 cas 时,配置 AUTH_CAS、JWT_ISS、JWT_SECRET
- AUTH_CAS: http://cas.paas.xxx.edu.cn/cas
- JWT_ISS: http://cas.paas.xxx.edu.cn/cas
+ AUTH_CAS: https://cas.paas.xxx.edu.cn/cas
+ JWT_ISS: https://cas.paas.xxx.edu.cn/cas
JWT_SECRET: (@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2
@@ -64,7 +64,7 @@
containers:
- name: security-center-ui
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/personal-security-center/security-center-ui:1.3.1-RELEASE
+ image: harbor.supwisdom.com/personal-security-center/security-center-ui:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 80
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml
new file mode 100644
index 0000000..c3968d2
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml
@@ -0,0 +1,16 @@
+# 0.attest-server-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: attest-server
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml
new file mode 100644
index 0000000..c6be3bc
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml
@@ -0,0 +1,10 @@
+# 1.attest-server-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: attest-server
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml
new file mode 100644
index 0000000..71f4d2a
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml
@@ -0,0 +1,21 @@
+# 2.attest-server-ingresses.yaml
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: attest-server-ingress
+ namespace: attest-server
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: cas.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /attest
+ backend:
+ serviceName: attest-server-svc
+ servicePort: http
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml
new file mode 100644
index 0000000..fb8aa8b
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml
@@ -0,0 +1,172 @@
+# 4.1.attest-server.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: attest-server
+ name: attest-server-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEY_PASSWORD: ""
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+
+ SERVER_SERVLET_CONTEXT_PATH: "/attest"
+
+ SERVER_MAXHTTPHEADERSIZE: "20480"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "500"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "500"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ # **修改** 从POA申请
+ POA_SERVER_URL: https://poa.paas.xxx.edu.cn
+ POA_CLIENT_ID: ""
+ POA_CLIENT_SECRET: ""
+ POA_SCOPES: appPush:v1:apppushByMessageType
+
+
+ # 修改为学校的根域名
+ ATTEST_SERVER_PREFIX: https://cas.paas.xxx.edu.cn/attest
+
+
+ # guard
+ ATTEST_SERVER_SECUREPHONE_SMS_TEXT_TEMPLATE: 【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。
+ ATTEST_SERVER_SECUREPHONE_SMS_FROM: 认证服务
+
+ ATTEST_SERVER_SECUREEMAIL_MAIL_TEXT_TEMPLATE: 【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。
+ ATTEST_SERVER_SECUREEMAIL_MAIL_FROM: 认证服务
+
+ # 在超级APP 中唤起人脸识别的 URL Scheme
+ ATTEST_SERVER_FACEVERIFY_SUPERAPP_URL_SCHEME: superapp
+
+
+ # 超级APP Token 的验签公钥
+ TOKEN_SERVER_TOKEN_SIGNING_KEY_URL: http://token-server-svc.token-server.svc.cluster.local:8080/token/jwt/publicKey
+
+
+ USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send
+ TPAS_AGENT_SERVICE_MAIL_SENDER_PATH: /api/v1/tpas/mail/console/send
+ TPAS_AGENT_SERVICE_FACE_FACEVERIFY_PATH: /api/v1/tpas/face/aiface/faceverify
+
+
+ ##
+ # token-server
+ #
+ TOKEN_SERVER_SERVER_URL: http://token-server-svc.token-server.svc.cluster.local:8080/token
+
+
+ ##
+ # 将 attest 数据 推送到 rabbitmq
+ #
+ # ATTEST_RABBITMQ_ENABLED: "false"
+ # ATTEST_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ # ATTEST_RABBITMQ_PORT: "5672"
+ # ATTEST_RABBITMQ_USERNAME: guest
+ # ATTEST_RABBITMQ_PASSWORD: guest
+ #
+ # ATTEST_RABBITMQ_APPPUSHATTEST2TOKENRABBITSENDER_ENABLED: "false"
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: attest-server
+ name: attest-server-env-secret
+type: Opaque
+data:
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: attest-server
+ name: attest-server-svc
+ labels:
+ app: attest-server
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: attest-server
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: attest-server
+ name: attest-server
+spec:
+ selector:
+ matchLabels:
+ app: attest-server
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: attest-server
+ spec:
+ containers:
+ - name: attest-server
+ image: harbor.supwisdom.com/attest-server/attest-server:1.4.0-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - configMapRef:
+ name: attest-server-env
+ - secretRef:
+ name: attest-server-env-secret
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /attest/actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/0.authx-log-base.yaml b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/0.authx-log-base.yaml
new file mode 100644
index 0000000..84e9a09
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/0.authx-log-base.yaml
@@ -0,0 +1,16 @@
+# 0.authx-log-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: authx-log
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/1.authx-log-env.yaml b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/1.authx-log-env.yaml
new file mode 100644
index 0000000..8b20aad
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/1.authx-log-env.yaml
@@ -0,0 +1,26 @@
+# 1.authx-log-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-log
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: authx-log
+ name: datasource-env-secret
+type: Opaque
+data:
+ # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/authx_log?serverTimezone=Asia/Shanghai
+ JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvYXV0aHhfbG9nP3NlcnZlclRpbWV6b25lPUFzaWEvU2hhbmdoYWk=
+ # authx_log
+ JDBC_USERNAME: YXV0aHhfbG9n
+ # 修改为实际的数据库密码,并使用 base64 工具进行编码
+ # kingstar
+ JDBC_PASSWORD: a2luZ3N0YXI=
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.0.authx-log-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.0.authx-log-installer.yaml
new file mode 100644
index 0000000..bfc032f
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.0.authx-log-installer.yaml
@@ -0,0 +1,40 @@
+# 4.0.authx-log-installer.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-log
+ name: authx-log-installer-env
+data:
+ DB_TYPE: mysql8
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: authx-log
+ name: authx-log-installer
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: authx-log-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: authx-log-installer
+ image: harbor.supwisdom.com/authx-log/authx-log-installer:1.4.0-RELEASE
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - configMapRef:
+ name: authx-log-installer-env
+ imagePullSecrets:
+ - name: harbor-registry
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml
new file mode 100644
index 0000000..36bd04c
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml
@@ -0,0 +1,116 @@
+# 4.2.authx-log-sa.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-log
+ name: authx-log-sa-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ #同环境中用户的地址
+ USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ # USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ # USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ # USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ # USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ # USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ #ipaddr
+ IPADDR_SERVER_URL: http://ipaddr.ipaddr.svc.cluster.local:9090
+ IPADDR_CLIENT_AUTH_ENABLED: "false"
+ #IPADDR_CLIENT_AUTH_KEY_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #IPADDR_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-log
+ name: authx-log-sa-svc
+ labels:
+ app: authx-log-sa
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: authx-log-sa
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: authx-log
+ name: authx-log-sa
+spec:
+ selector:
+ matchLabels:
+ app: authx-log-sa
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: authx-log-sa
+ annotations:
+ co.elastic.logs/enabled: "true"
+ spec:
+ containers:
+ - name: authx-log-sa
+ image: harbor.supwisdom.com/authx-log/authx-log-sa:1.4.0-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - configMapRef:
+ name: authx-log-sa-env
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry