From a050170414eb7fdc4f6f5331ac662ab60dd28c81 Mon Sep 17 00:00:00 2001
From: Joseph Doherty
Date: Wed, 3 Jun 2026 05:30:38 -0400
Subject: [PATCH] chore(docker): supply DEV-ONLY ApiKeyPepper to local Central nodes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Auth/Config normalization made ScadaBridge:InboundApi:ApiKeyPepper a hard Central-only startup requirement (>=16 chars), but the local dev composes never supplied it, so deploy.sh's freshly-built image crash-looped both Central nodes on ConfigPreflight validation. Add a clearly-marked DEV-ONLY, insecure pepper inline to each cluster's Central environment (distinct per environment). These are NOT real secrets — production injects a true per-env secret out-of-band per docs/operations/inbound-api-key-reissue.md; the inline values exist only so the local docker / docker-env2 clusters start.
---
 docker-env2/docker-compose.yml | 12 ++++++++++++
 docker/docker-compose.yml | 12 ++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/docker-env2/docker-compose.yml b/docker-env2/docker-compose.yml
index 0a248233..a7c47637 100644
--- a/docker-env2/docker-compose.yml
+++ b/docker-env2/docker-compose.yml
@@ -6,6 +6,12 @@ services:
 SCADABRIDGE_CONFIG: Central
 ASPNETCORE_ENVIRONMENT: Development
 ASPNETCORE_URLS: "http://+:5000"
+ # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+ # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+ # requirement (>=16 chars, per-environment). Distinct from the docker/ cluster's
+ # pepper per the "different per environment" guidance; real deployments inject a
+ # true secret out-of-band, never from source control. Both Central nodes share it.
+ ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-env2-cluster-0001"
 ports:
 - "9101:5000" # Web UI + Inbound API
 - "9111:8081" # Akka remoting
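Review bot: The added `ScadaBridge__InboundApi__ApiKeyPepper` line puts a fixed literal in a tracked compose file, so any key material this cluster derives with it (presumably peppered API-key hashes) is protected by a public value, and nothing visible here keeps the file or the value from being copied beyond a local machine. Compose interpolation keeps the zero-setup default while allowing an override without editing the file: `ScadaBridge__InboundApi__ApiKeyPepper: "${SCADABRIDGE_DEV_API_KEY_PEPPER:-dev-only-insecure-pepper-env2-cluster-0001}"` (variable name illustrative). It would also help if the startup validation rejected values beginning with `dev-only-insecure-` unless `ASPNETCORE_ENVIRONMENT` is `Development`; that check lives outside this diff, so confirm whether it already exists. The same applies to the second hunk of this file and to both hunks of docker/docker-compose.yml.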
@@ -23,6 +29,12 @@ services:
 SCADABRIDGE_CONFIG: Central
 ASPNETCORE_ENVIRONMENT: Development
 ASPNETCORE_URLS: "http://+:5000"
+ # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+ # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+ # requirement (>=16 chars, per-environment). Distinct from the docker/ cluster's
+ # pepper per the "different per environment" guidance; real deployments inject a
+ # true secret out-of-band, never from source control. Both Central nodes share it.
+ ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-env2-cluster-0001"
 ports:
 - "9102:5000" # Web UI + Inbound API
 - "9112:8081" # Akka remoting
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index eed0fce9..7e99afbe 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -6,6 +6,12 @@ services:
 SCADABRIDGE_CONFIG: Central
 ASPNETCORE_ENVIRONMENT: Development
 ASPNETCORE_URLS: "http://+:5000"
+ # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+ # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+ # requirement (>=16 chars, per-environment). Real deployments inject a true secret
+ # out-of-band (env/secret store), never from source control — see
+ # docs/operations/inbound-api-key-reissue.md. Both Central nodes share one pepper.
+ ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-docker-cluster-0001"
 ports:
 - "9001:5000" # Web UI + Inbound API
 - "9011:8081" # Akka remoting (host access for CLI/debugging)
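Review bot: The second Central service in docker-env2/docker-compose.yml repeats the pepper literal and its five-line comment verbatim, although the comment says both nodes share the value. An edit to one copy would leave the two nodes with different peppers, and each value would presumably still pass the length check on its own. Defining it once removes that drift risk: a top-level `x-central-pepper: &central_pepper "dev-only-insecure-pepper-env2-cluster-0001"` and `ScadaBridge__InboundApi__ApiKeyPepper: *central_pepper` in both services. The comment in this file also omits the pointer to docs/operations/inbound-api-key-reissue.md that the docker/ copy carries, and it is worth keeping in both. The two hunks of docker/docker-compose.yml have the same duplication.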
@@ -23,6 +29,12 @@ services:
 SCADABRIDGE_CONFIG: Central
 ASPNETCORE_ENVIRONMENT: Development
 ASPNETCORE_URLS: "http://+:5000"
+ # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+ # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+ # requirement (>=16 chars, per-environment). Real deployments inject a true secret
+ # out-of-band (env/secret store), never from source control — see
+ # docs/operations/inbound-api-key-reissue.md. Both Central nodes share one pepper.
+ ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-docker-cluster-0001"
 ports:
 - "9002:5000" # Web UI + Inbound API
 - "9012:8081" # Akka remoting