Integrate OCORE/OCORE_web-based secret management using Azure Key Vault and DPAPI cache. Update appsettings.json to remove plaintext secrets and list managed keys. Register secret management in Program.cs. Update .gitignore for secret files. Add documentation for naming conventions and migration, plus a PowerShell script for initial secret upload. Centralizes and secures secret handling across the app.
@@ -31,3 +31,15 @@
|
||||
- Whenever possible, prefer OCORE_web_pdf / OCORE PDF functions for PDF-related tasks over rewriting.
|
||||
- Do not use OCMS or OCMS_sharp; use only OCORE or OCORE_web.
|
||||
|
||||
## Azure Key Vault — Secret Naming
|
||||
- Secret names must satisfy the pattern `^[0-9a-zA-Z-]+$` (alphanumerics and hyphens only; no underscores, dots, or spaces).
|
||||
- Hierarchy levels are separated by `--` (double hyphen), which maps to `:` in `IConfiguration`.
|
||||
- Underscores within a name segment are encoded as a single `-` in Key Vault and decoded back to `_` when the key is reconstructed.
|
||||
- The app prefix `fuchs` is prepended to every secret name.
|
||||
- Format: `{appname}--{Section}--{key-with-hyphens-for-underscores}`
|
||||
- Examples:
|
||||
- `fuchs--ConnectionStrings--ocms-ConnectionString` → `ConnectionStrings:ocms_ConnectionString`
|
||||
- `fuchs--Fuchs--SMS-APIKey` → `Fuchs:SMS_APIKey`
|
||||
- `fuchs--Fuchs--Email--Main--password` → `Fuchs:Email:Main:password`
|
||||
- When adding new secrets: replace every `_` in the original config key with `-` for the Key Vault name, and add the entry to `ManagedSecretKeys` in `appsettings.json` (using the same hyphenated form without the `fuchs--` prefix).
|
||||
|
||||
|
||||
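Review bot: the `_` ↔ `-` encoding in the "Underscores within a name segment" rule is not reversible, so any configuration key that legitimately contains a single hyphen (e.g. `Fuchs:SMS-APIKey`) would be reconstructed as `Fuchs:SMS_APIKey` and silently collide with the underscore variant; the doc should either state that managed config keys must never contain a literal `-`, or pick an escape that round-trips (for instance a distinct token for a real hyphen). It would also help to note that the `--` → `:` mapping matches the default behaviour of the Azure Key Vault configuration provider's `KeyVaultSecretManager`, while the `-` → `_` step is app-specific and must be implemented consistently in both the upload script and the provider that reads the secrets back. Finally, the `ManagedSecretKeys` rule says to store the hyphenated form without the `fuchs--` prefix, but nothing states what happens when a key listed there has no matching Key Vault secret; documenting whether startup fails or falls back to the DPAPI cache would avoid surprises during migration.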