docs(secrets): G-4 ${secret:} config delivery convention + fail-closed proof (Task 4)
OtOpcUa commits no plaintext secrets — the only secret-shaped committed value is
ServerHistorian:ApiKey='' (empty, disabled by default). Because the pre-host expander
is fail-closed AND section-agnostic, hard-committing a ${secret:} token would break
every dev/CI/integration boot for zero at-rest benefit. Instead document the token
delivery convention for all five config secrets (jwt/ldap/deploy/configdb/historian)
in docs/security.md and note the token option in the ServerHistorian comments.
Mechanism proven live: unseeded token boot fails with SecretNotFoundException at
pre-host expansion; seeded token resolves and boot proceeds. Behavior-neutral
(comment + doc only).
This commit is contained in:
@@ -25,7 +25,7 @@
|
||||
"Enabled": false,
|
||||
"Endpoint": "",
|
||||
"ApiKey": "",
|
||||
"_ApiKeyComment": "NEVER commit a real key. Supply via the environment variable ServerHistorian__ApiKey.",
|
||||
"_ApiKeyComment": "NEVER commit a real key. Supply via env var ServerHistorian__ApiKey, either as a literal or as a ${secret:otopcua/historian/api-key} token resolved fail-closed by the pre-host secrets expander.",
|
||||
"UseTls": true,
|
||||
"AllowUntrustedServerCertificate": false,
|
||||
"CaCertificatePath": null,
|
||||
|
||||
@@ -40,8 +40,10 @@ public sealed class ServerHistorianOptions
|
||||
/// <summary>
|
||||
/// The peppered-HMAC API key (<c>histgw_<id>_<secret></c>) the gateway validates
|
||||
/// in the <c>Authorization: Bearer</c> header. Supply via the environment variable
|
||||
/// <c>ServerHistorian__ApiKey</c> — never commit it to config. Required when
|
||||
/// <see cref="Enabled"/> is <c>true</c>.
|
||||
/// <c>ServerHistorian__ApiKey</c> — never commit it to config. The value may be a literal
|
||||
/// key or a <c>${secret:otopcua/historian/api-key}</c> token, which the pre-host secrets
|
||||
/// expander resolves fail-closed (throwing if the secret is absent) before this options
|
||||
/// class binds. Required when <see cref="Enabled"/> is <c>true</c>.
|
||||
/// </summary>
|
||||
public string ApiKey { get; init; } = "";
|
||||
|
||||
|
||||
Reference in New Issue
Block a user