docs: add security documentation for plain text secrets

josecelano · josecelano · commit 83d62f0979bd · 2025-07-09T10:32:09.000+01:00
- Add security warning to prometheus.yml.tpl about plain text token storage
- Document Prometheus limitation with runtime environment variable substitution
- Include TODO items for researching safer secret injection methods:
  * Prometheus file_sd_configs with dynamic token refresh
  * External authentication proxy (oauth2-proxy, etc.)
  * Vault integration or secret management solutions
  * Init containers to generate configs with short-lived tokens

- Add security documentation to .env.production about plain text secrets
- Explain runtime secret injection alternatives for Docker Compose
- Provide practical examples for secure deployment workflows
- Mention Docker secrets and external secret management options

These changes improve security awareness and provide clear paths
for implementing enhanced secret management in production deployments.
diff --git a/application/.env.production b/application/.env.production
@@ -1,7 +1,19 @@
 # Torrust Tracker Demo - Production Environment Configuration
-# 
+#
 # This configuration uses MySQL as the default database backend.
 # Make sure to change the default passwords before deployment!
+#
+# SECURITY NOTE: Secrets are stored in plain text in this Docker Compose .env file.
+# For enhanced security, administrators can inject secrets at runtime when launching
+# Docker Compose instead of storing them in this file:
+#
+# Examples:
+#   export MYSQL_PASSWORD="secure_password"
+#   export TRACKER_ADMIN_TOKEN="secure_token"
+#   docker compose up -d
+#
+# Or use Docker secrets, external secret management systems (Vault, etc.),
+# or environment-specific CI/CD secret injection.
 
 USER_ID=1000
 
diff --git a/infrastructure/config/templates/prometheus.yml.tpl b/infrastructure/config/templates/prometheus.yml.tpl
@@ -1,4 +1,17 @@
 ---
+# Prometheus Configuration Template
+# Generated from environment variables for ${ENVIRONMENT}
+#
+# NOTE: Admin token is stored in plain text in this config file after template processing.
+# This is a limitation of Prometheus configuration - it does not support runtime environment
+# variable substitution like other services.
+#
+# TODO: Research safer secret injection methods for Prometheus:
+#   - Prometheus file_sd_configs with dynamic token refresh
+#   - External authentication proxy (oauth2-proxy, etc.)
+#   - Vault integration or secret management solutions
+#   - Init containers to generate configs with short-lived tokens
+
 global:
   scrape_interval: 15s
 
