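#!/bin/bash
# Complete JWT / authentication configuration setup script.
#
# Generates a random HS256 signing key, stores it in the Kubernetes Secret
# `jwt-secret` (data key `key`) and publishes a JWKS document describing it
# in the ConfigMap `jwks-config` (data key `jwks.json`), both in namespace
# `juwan`.
#
# Notes for maintainers:
#   * HS256 is symmetric, so the JWKS "k" member IS the signing secret. The
#     ConfigMap therefore carries the same sensitive material as the Secret:
#     anyone who can read ConfigMaps in the namespace can sign tokens. Restrict
#     RBAC on `jwks-config` like a Secret, or move to an asymmetric algorithm
#     (RS256/ES256) so the JWKS only has to hold a public key.
#   * The secret value is never written to stdout (CI logs, scrollback, shell
#     history); read it back with `kubectl get secret` when needed.
#   * Every run generates a fresh key and overwrites both objects, which
#     invalidates all previously issued tokens. Treat a re-run as key rotation.
#   * The HMAC key octets are the bytes of the 64-character hex string itself
#     (the same string services receive from the Secret), not its hex-decoded
#     value. All consumers must agree on that.
#
# Requirements: bash, openssl, kubectl (context pointing at the target cluster).

set -euo pipefail

readonly NAMESPACE="juwan"
readonly SECRET_NAME="jwt-secret"
readonly CONFIGMAP_NAME="jwks-config"
readonly JWKS_KEY_ID="juwan-key-2026"

#######################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Encode stdin as base64url without padding (RFC 7515 §2), the encoding JWK
# requires for the "k" member of an "oct" key (RFC 7518 §6.4.1). Plain base64
# with '=' padding, as kubectl/coreutils emit by default, is not valid there.
# Outputs: the encoded string on stdout, no trailing newline.
#######################################
b64url() {
  # `openssl base64 -A` is single-line and portable (no GNU `base64 -w 0`).
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

#######################################
# Build the JWKS document for the HS256 key.
# Arguments: $1 - key id (kid), $2 - raw secret (64-char hex string)
# Outputs:   JSON document on stdout
#######################################
build_jwks() {
  local kid=$1 secret=$2 k
  # The hex string's own bytes are the key; do not hex-decode here unless every
  # consumer of the Secret does the same.
  k=$(printf '%s' "$secret" | b64url)
  cat <<EOF
{
  "keys": [
    {
      "kty": "oct",
      "kid": "$kid",
      "k": "$k",
      "alg": "HS256",
      "use": "sig"
    }
  ]
}
EOF
}

#######################################
# Render a namespaced object with `kubectl create ... --dry-run=client` and
# apply it, so re-runs update the object instead of failing on "already
# exists". stdin is passed through to `kubectl create` (for --from-file=/dev/stdin).
# Globals:   NAMESPACE (read)
# Arguments: $@ - arguments for `kubectl create` (kind, name, --from-* flags)
# Returns:   non-zero if either kubectl stage fails (pipefail)
#######################################
apply_object() {
  kubectl create "$@" -n "$NAMESPACE" --dry-run=client -o yaml \
    | kubectl apply -f -
}

main() {
  local jwt_secret

  command -v openssl >/dev/null || die "openssl not found in PATH"
  command -v kubectl >/dev/null || die "kubectl not found in PATH"

  echo "🔐 Juwan JWT 认证配置脚本"
  echo "===================================="

  # 32 random bytes -> 64 hex characters; set -e aborts if openssl fails.
  jwt_secret=$(openssl rand -hex 32)

  echo "✅ 生成 JWT 密钥..."
  # Deliberately not printing the value; it lives only in the Secret.
  echo " Secret: (已生成, 未打印; 见 K8s Secret $SECRET_NAME, namespace $NAMESPACE)"

  # Step 1: create the JWT Secret.
  # The value is fed via stdin rather than --from-literal so it does not
  # appear in the process argument list.
  echo ""
  echo "📝 创建 K8s Secret..."
  printf '%s' "$jwt_secret" \
    | apply_object secret generic "$SECRET_NAME" --from-file=key=/dev/stdin

  # Step 2: generate the JWKS JSON (for HMAC this contains the key itself, so
  # the ConfigMap is as sensitive as the Secret above).
  echo "📝 创建 JWKS ConfigMap..."
  build_jwks "$JWKS_KEY_ID" "$jwt_secret" \
    | apply_object configmap "$CONFIGMAP_NAME" --from-file=jwks.json=/dev/stdin

  echo ""
  echo "✅ JWT 认证配置完成!"
  echo ""
  echo "后续步骤:"
  echo "1. 更新 Envoy ConfigMap,挂载 JWKS 文件"
  echo "2. 在各 API 服务中配置 JWT_SECRET 环境变量"
  echo "3. 登录端点使用此密钥签名 Token"
  echo ""
  echo "JWT 密钥已保存到 K8s Secret: jwt-secret"
  echo "JWKS 已保存到 K8s ConfigMap: jwks-config"
}

main "$@"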