Развертывание Passport
Обновлено: 05.03.2024
Passport — публичный веб-сервис. Обязательно использование TLS.
Приложению также требуется сертификат для подписи JWT-токенов.
Допускается использование self-signed сертификата.
Пример сценария для генерации сертификата:
# Generate a new RSA-2048 key and a self-signed certificate (-x509) valid for 730 days;
# subject and extensions come from cert.cnf (see below). -nodes writes key.pem WITHOUT
# a passphrase, so restrict access to the output folder: this key signs the JWT tokens.
./openssl.exe req -x509 -nodes -days 730 -newkey rsa:2048 -keyout path\key.pem -out path\cert.crt -config path\cert.cnf
# Bundle key + certificate into a PKCS#12 container for the application. Without -passout
# openssl prompts for an export password interactively. NOTE(review): cert.pfx presumably
# becomes the passport-cert secret referenced in the Deployment below — confirm, and remove
# the local copies of key.pem/cert.pfx once the secret has been created.
./openssl.exe pkcs12 -inkey path\key.pem -in path\cert.crt -export -out path\cert.pfx
Где path — локальная папка, а cert.cnf — конфигурационный текстовый файл. Пример cert.cnf для конфигурирования сертификата в запросе выше:
# OpenSSL request configuration consumed by the `openssl req -x509 ... -config cert.cnf`
# command above. [req] selects which extension sections are applied.
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
# Extensions for a CSR (not used by the -x509 command above).
req_extensions = req_ext
# Extensions for the self-signed certificate produced with -x509.
x509_extensions = v3_req
# Take the subject from [req_distinguished_name] without interactive prompts.
prompt = no
[req_distinguished_name]
countryName = XX
stateOrProvinceName = N/A
localityName = N/A
organizationName = Timetta
commonName = Timetta: Self-signed certificate
[req_ext]
subjectAltName = @alt_names
# Only subjectAltName is declared here; any further extensions in the resulting
# certificate come from OpenSSL's own defaults, which differ between versions —
# inspect the generated cert.crt (openssl x509 -text) before using it.
[v3_req]
subjectAltName = @alt_names
# Sample values — replace with the address(es) and name(s) the service is actually reached at.
[alt_names]
IP.1 = 192.168.0.15
DNS.1 = localhost
# NOTE(review): [v3_ca] is not referenced by [req] above (x509_extensions = v3_req),
# so basicConstraints and keyUsage below are NOT applied to the certificate produced
# by the command above as this file stands. Also, keyCertSign/cRLSign together with
# CA:false is contradictory — verify which set of extensions is actually intended.
[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment
Деплоймент:
# Deployment for the Passport service (indentation restored; the original listing lost it).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: passport-deployment
  namespace: timetta
  labels:
    appName: passport-deployment
spec:
  # No replicas field: Kubernetes defaults to a single pod.
  selector:
    matchLabels:
      appName: passport-app
  template:
    metadata:
      labels:
        appName: passport-app
    spec:
      # NOTE(review): no securityContext (runAsNonRoot, readOnlyRootFilesystem,
      # allowPrivilegeEscalation: false), no resource requests/limits and no
      # liveness/readiness probes are set — consider adding them; confirm the image
      # supports running as a non-root user first.
      containers:
        - name: passport
          # NOTE(review): `latest` is a mutable tag; pin to a versioned tag or an image
          # digest so rollouts are reproducible and auditable.
          image: cr.yandex/crpr8bvek949tq2fuqkf/passport:latest
          ports:
            - protocol: TCP
              containerPort: 5401
          env:
            # The app listens on plain HTTP inside the pod; TLS is terminated at the
            # Ingress (see its tls: block below).
            - name: "ASPNETCORE_URLS"
              value: "http://*:5401"
          volumeMounts:
            # All secrets are exposed to the app read-only under /app/secrets.
            - mountPath: /app/secrets
              name: app-settings-secret
              readOnly: true
      volumes:
        # One projected volume merges three secrets: app settings, the JWT signing
        # certificate (presumably the cert.pfx generated above — confirm) and the Kafka
        # client certificate.
        - name: app-settings-secret
          projected:
            sources:
              - secret:
                  name: app-settings
              - secret:
                  name: passport-cert
              - secret:
                  name: kafka-cert
      # Registry credentials for cr.yandex; presumably a kubernetes.io/dockerconfigjson
      # secret — verify it exists in the timetta namespace.
      imagePullSecrets:
        - name: service-settings
---
Сервис и Ingress-ресурс для ingress-контроллера:
# Cluster-internal Service in front of the passport pods (indentation restored).
apiVersion: v1
kind: Service
metadata:
  name: passport-service
  namespace: timetta
spec:
  # Matches the pod template label of passport-deployment.
  selector:
    appName: passport-app
  # No `type` given, so this is a ClusterIP service: reachable only inside the cluster,
  # external traffic must come through the Ingress below.
  ports:
    - protocol: TCP
      port: 80
      targetPort: 5401
---
# Ingress exposing Passport over HTTPS (indentation restored).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: passport-ingress
  namespace: timetta
  annotations:
    # cert-manager issues the TLS certificate; a ClusterIssuer named "letsencrypt"
    # must already exist in the cluster.
    cert-manager.io/cluster-issuer: "letsencrypt"
    # Larger proxy buffers; presumably needed because auth responses carry large
    # headers/cookies — confirm against the observed header sizes.
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "8"
spec:
  ingressClassName: "nginx"
  # Replace auth.your-domain (here and under rules) with the real public host name.
  tls:
    - hosts:
        - auth.your-domain
      # cert-manager stores the issued certificate and key in this secret.
      secretName: auth-timetta-on-prem-tls
  rules:
    - host: auth.your-domain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: passport-service
                port:
                  number: 80