deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml

# 4.1.token-server.yaml

---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: token-server
  name: token-server-env
data:
  SERVER_PORT: "8080"
  SSL_ENABLED: "false"
  #SSL_KEY_PASSWORD: ""
  #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
  #SSL_KEYSTORE_PASSWORD: ""

  SERVER_SERVLET_CONTEXT_PATH: "/token"

  SERVER_MAXHTTPHEADERSIZE: "20480"

  SERVER_TOMCAT_ACCEPT_COUNT: "5000"
  SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
  SERVER_TOMCAT_MAX_THREADS: "800"
  SERVER_TOMCAT_MIN_SPARE_THREADS: "100"

  LOGGING_LEVEL_COM_SUPWISDOM_INSITITUTE_TOKEN_SERVER: INFO


  SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
  SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "50"
  SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"

  SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
  SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
  SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"


  # **修改** 学校的根域名
  TOKEN_SERVER_PREFIX: https://token.paas.xxx.edu.cn/token
  # **修改** 学校的根域名
  TOKEN_SERVER_SECURITY_JWT_ISS: token.paas.xxx.edu.cn
  #TOKEN_SERVER_SECURITY_JWT_EXPIRATION: 2592000
  #TOKEN_SERVER_SECURITY_JWT_KICKOUT_ENABLED: "false"
  # **修改**
  # 请使用与 cas-server 一致的公私钥
  TOKEN_SERVER_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8: "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDKivcJfoDpTgShIdrC0AuImgHQKQmdv/CZWRxVPkSY26kZWtVJ4mjzRkDGyB31LUJlVfFNe0nteOyqfNHrhC+uf612+P0KTmT/pOenoegpT8BDEDe1DlmrDoPqKE87JVXjPhx0rnCPMQE0+Em5OOPM/hVDiHhWx5Y1t+FcYre9J6zyg2flbCiv2vVRsQk/9kwesMnEBzB7QY+95sCoSng7llxO1aer7+qShQHrP/nYScIyW2g+a4wL6jd9Z0gIF/irvShIMKV+6EtWLiZFPYrlRQfx+zER7qg+2S+T29UII5lGajQxeldmIip1k62BwHOf/SbOg13nwrF4jLSCKeN/AgMBAAECggEAVtWHHcHngJ6bK325LSZGm5TzTAwb/E6q1wO2OvGMNUCPWbhwktGHjyzCXray6UczHQDgiAhgZHggduM2mFM+ogBJHSWYTo/XiyZmzp6CSxvO4LGWQIBbfxOlCIGpnkDedqNNTdTvmuQ2kUAVU1yJhXw1H5Pli8bbpkIkUxhbj7MsmcSZS4Xaqj1jhOWoBzt1SZEpHgDZ4m8MEMBfjLu+/SQAIWGdJmyANdsU3V/f/DmcgSqu7oTFYZiEFyJqTRyCVHJmyIqAOAtqHkKnJcGfeurwUIuX5NVqdYhj/JM+3k8lXDRyoyC0QADhnfR85uXV/OnXCVBC8GABuMP4DaiHyQKBgQDjwjtbVb/jQur2JYsSDS0sZI3S4X929gWU66AyClnUNbRIVcN4Lyhnp8+d/m9+oVV6kDfjTDnuEz7TWHr94RFcecdivehzxRHdRlRp+IhmtCtzstPhS5f0U6/e59CryxgxV+h5jDUssokzdz1bLsnC8+VgKNL2jVXqkuLkF3RqhQKBgQDjqE186VX3oej5YlmLmqi4LVFFVzpX75dOjAFc+ke/SPXm11o7lj1ONr+t9ZKcwvPx9j5OPXJajbaE2Qx1KXzTPKQT44GdpOvistOJQSNpx2e00K4Sn/7bsJq++UJ7FtmR+iJvfYq1uW1z5taVIjh5hhwFtIBW38voNcghCXVvMwKBgAUwRpPlFzMBMkMbRdjKbg4F2GlGc9Xs8uGaoJKjQ7qe4pWHRqW1RVFfNE6gHkAfQshBAtTtxqAS1iqQaHTiLLgTmiQ4uVPx2F9XG9MyM0FLt3WyTDtksniBc487briLLujo3MXwGMIE6zU98SrjnPsQ/Ve8dlnhjGSEpiCWHDPVAoGAZwNmJMqUytvpxsbZDBGsnMJszvqcfOP+TF2P1FmwE39ZPd5ehy4BiZ2+eGHxuJuCtQ8evFqTnyQW3eA1AeMHB7Kd8B33LbVNw6P1klr2QkwnwirXSbg6I4CzVQ0HJxl809Aiut5M4NQKEfL3UD5O3bZwgahelnDoHKgRadmU2P8CgYANBbxpDT1SdyJUFuKzJ5/cUPBFzOn3eNGRo/RejXSCi5Spd9OoTwDh6dbffk7pUWLYH/BFILW9+RL8uhMt8mdTWVgDKrNrdZLdWUBNsb89St9x/JwlucqgbTvzf0G0h/ZiGNzyPhgGABRrlWVYIdS8KLdTYUkvPHsEAtxR+kwTAg=="
  TOKEN_SERVER_SECURITY_JWT_PUBLIC_KEY_PEM: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyor3CX6A6U4EoSHawtALiJoB0CkJnb/wmVkcVT5EmNupGVrVSeJo80ZAxsgd9S1CZVXxTXtJ7XjsqnzR64Qvrn+tdvj9Ck5k/6Tnp6HoKU/AQxA3tQ5Zqw6D6ihPOyVV4z4cdK5wjzEBNPhJuTjjzP4VQ4h4VseWNbfhXGK3vSes8oNn5Wwor9r1UbEJP/ZMHrDJxAcwe0GPvebAqEp4O5ZcTtWnq+/qkoUB6z/52EnCMltoPmuMC+o3fWdICBf4q70oSDClfuhLVi4mRT2K5UUH8fsxEe6oPtkvk9vVCCOZRmo0MXpXZiIqdZOtgcBzn/0mzoNd58KxeIy0ginjfwIDAQAB"


  # face
  # aiface 新开普人脸，aipface 百度人脸
  TOKEN_SERVER_FACE_SOURCE_TYPE: aiface

  # 若须对接新开普人脸，须由新开普人脸系统提供相关配置
  TOKEN_SERVER_FACE_AIFACE_URL: ""
  TOKEN_SERVER_FACE_AIFACE_APPKEY: ""
  TOKEN_SERVER_FACE_AIFACE_APPSECRET: ""
  TOKEN_SERVER_FACE_AIFACE_SECRETKEY: ""
  TOKEN_SERVER_FACE_AIFACE_TERM_CODE: ""

  # 若须对接百度人脸，须在百度开放平台注册应用
  TOKEN_SERVER_FACE_AIPFACE_APPID: ""
  TOKEN_SERVER_FACE_AIPFACE_APIKEY: ""
  TOKEN_SERVER_FACE_AIPFACE_SECRETKEY: ""


  # passwordless
  TOKEN_SERVER_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS: "300"
  # **修改** 根据实际情况，修改短信模板
  TOKEN_SERVER_PASSWORDLESS_SMS_TEXT_TEMPLATE: 【认证中心】您正在进行登录，本次登录的动态密码为{token}，有效期5分钟，请尽快完成登录。
  TOKEN_SERVER_PASSWORDLESS_SMS_FROM: 认证中心


  # 手机号登录时，是否自动注册 guest 帐号
  TOKEN_SERVER_AUTO_REGISTER_GUEST_ACCOUNT_BY_MOBILE_ENABLED: "false"


  ## 密码验证接口（外部接口）
  TOKEN_SERVER_SECURITY_PASSWORD_VERIFY_URL: ""
  # http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080/api/v1/security/accounts/verifyAccountPassword


  # **修改** 从个推申请
  GETUI_SERVER_URL: https://openapi-gy.getui.com
  GETUI_GEYAN_APP_ID: ""
  GETUI_GEYAN_APP_KEY: ""
  GETUI_GEYAN_APP_SECRET: ""
  GETUI_GEYAN_MASTER_SECRET: ""

  # **修改** 从消息中心申请
  MESSAGECENTER_ENABLED: "false"
  MESSAGECENTER_APP_ID: ""
  MESSAGECENTER_MESSAGE_TYPE_CODE_APP_LOGIN: APP_LOGIN
  MESSAGECENTER_MESSAGE_TYPE_CODE_PASSWORD: PASSWORD

  MESSAGECENTER_MESSAGE_TYPE_CODE_APPPUSH: APPPUSH

  # **修改** 从POA申请
  POA_SERVER_URL: https://poa.paas.xxx.edu.cn
  POA_CLIENT_ID: ""
  POA_CLIENT_SECRET: ""
  POA_SCOPES: messagecenter:v1:sendMessage


  TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
  TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
  #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
  #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
  #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
  #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
  #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""

  # **修改**
  # 若须对接sms 接口，须进行二开定制
  TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send
  TPAS_AGENT_SERVICE_FACE_FACEVERIFY_PATH: /api/v1/tpas/face/aiface/faceverify


  CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
  CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
  #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
  #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
  #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
  #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
  #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""

  USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
  USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
  #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
  #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
  #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
  #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
  #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""


  ATTEST_SERVER_URL: http://attest-server-svc.attest-server.svc.cluster.local:8080/attest
  ATTEST_CLIENT_AUTH_ENABLED: "false"
  #ATTEST_CLIENT_AUTH_KEY_PASSWORD: ""
  #ATTEST_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
  #ATTEST_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
  #ATTEST_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
  #ATTEST_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""


  IPADDR_SERVER_URL: http://ipaddr.ipaddr.svc.cluster.local:9090
  IPADDR_CLIENT_AUTH_ENABLED: "false"
  #IPADDR_CLIENT_AUTH_KEY_PASSWORD: ""
  #IPADDR_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
  #IPADDR_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
  #IPADDR_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
  #IPADDR_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""


  ##
  # authx-log rabbitmq
  #
  AUTHX_LOG_ENABLED: "true"
  AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
  AUTHX_LOG_RABBITMQ_PORT: "5672"
  AUTHX_LOG_RABBITMQ_USERNAME: guest
  AUTHX_LOG_RABBITMQ_PASSWORD: guest


  ## 
  # 接收 user 推送的 rabbitmq 数据
  #
  USER_RABBITMQ_ENABLED: "true"
  USER_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
  USER_RABBITMQ_PORT: "5672"
  USER_RABBITMQ_USERNAME: guest
  USER_RABBITMQ_PASSWORD: guest

  USER_RABBITMQ_CONSUMER_ENABLED: "true"


---
apiVersion: v1
kind: Secret
metadata:
  namespace: token-server
  name: token-server-env-secret
type: Opaque
data:
  SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw=
  # rabbitmq-server.authx-service.svc.cluster.local
  SPRING_RABBITMQ_PORT: NTY3Mg==
  SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
  SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=


---
apiVersion: v1
kind: Service
metadata:
  namespace: token-server
  name: token-server-svc
  labels:
    app: token-server
    needMonitor: 'true'
spec:
  ports:
    - port: 8080
      targetPort: http
      protocol: TCP
      name: http
    - port: 6060
      targetPort: http-metrics
      protocol: TCP
      name: http-metrics
  selector:
    app: token-server

---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: token-server
  name: token-server
spec:
  selector:
    matchLabels:
      app: token-server
  replicas: 1
  template:
    metadata:
      labels:
        app: token-server
    spec:
      containers:
      - name: token-server
        # 若使用了学校搭设的私有仓库，请 **修改**
        image: harbor.supwisdom.com/token-server/token-server:1.5.0-RELEASE
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
          name: http
        - containerPort: 6060
          name: http-metrics
        envFrom:
        - configMapRef:
            name: jvm-env
        - secretRef:
            name: datasource-env-secret
        - secretRef:
            name: redis-env-secret
        - secretRef:
            name: rabbitmq-env-secret
        - configMapRef:
            name: token-server-env
        resources:
          requests:
            memory: "1024Mi"
          limits:
            memory: "1024Mi"
        readinessProbe:
          httpGet:
            path: /token/actuator/health
            port: 8080
          initialDelaySeconds: 20
          periodSeconds: 5
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 10
      imagePullSecrets:
        - name: harbor-registry