HPCC-27830 Azure LogAccess use Secrets #16245
https://track.hpccsystems.com/browse/HPCC-27830
if (m_tenantID.isEmpty()) | ||
throw makeStringException(-1, "Could not determine Azure Tenant ID, set 'AZURE_TENANT_ID' env var, or connection/@tenantID in AzureClient LogAccess configuration!"); | ||
getSecretValue(m_aadTenantID.clear(), azureLogAccessSecretCategory, azureLogAccessSecretName, azureLogAccessSecretAADTenantID, true); |
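Review bot: dropping the explicit `m_tenantID.isEmpty()` check also drops the actionable message that told the operator where to set the tenant ID. Unless the trailing `true` argument of `getSecretValue` is guaranteed to raise an exception naming the secret and key, keep an `isEmpty()` check after the call with a message that references `azureLogAccessSecretName` and `azureLogAccessSecretAADTenantID`, so a missing secret entry fails here with a clear cause rather than as an opaque authentication error later.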
Since you are calling this several times to get values from the same secret (azureLogAccessSecretName) it would be more efficient to get the secret first (as a ptree from the secret cache) and use that to get each value.
```cpp
Owned<IPropertyTree> secretTree = getSecret(azureLogAccessSecretCategory, azureLogAccessSecretName);
getSecretKeyValue(m_aadTenantID.clear(), secretTree, azureLogAccessSecretAADTenantID);
getSecretKeyValue(m_aadClientID.clear(), secretTree, azureLogAccessSecretAADClientID);
```
etc.
Example use: | ||
```console | ||
helm install myhpcc hpcc/hpcc -f HPCC-Platform/helm/examples/azure/log-analytics/loganalytics-hpcc-logaccess.yaml | ||
helm install myhpcc hpcc/hpcc -f HPCC-Platform/helm/examples/azure/log-analytics/loganalytics-hpcc-logaccess.yaml -f HPCC-Platform/helm/examples/azure/log-analytics/loganalytics-logccess-secrets.yaml |
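Review bot: the second values file in the example, `loganalytics-logccess-secrets.yaml`, looks like a misspelling of `logaccess`; confirm it matches the file name actually added under `helm/examples/azure/log-analytics`, otherwise the documented command fails with a file-not-found error and the secrets overlay is never applied.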
@afishbeck can you confirm this is the intended approach for declaring jsecret secrets?
I'm concerned the secrets/vaults structure might lead to inadvertent overwrites of a given secret/vault category (in this case 'esp')
@afishbeck please review changes from your review.
if (m_clientID.isEmpty()) | ||
throw makeStringException(-1, "Could not find Azure AD client ID, set 'AZURE_CLIENT_ID' env var, or connection/@clientID in AzureClient LogAccess configuration - format is '00000000-0000-0000-0000-000000000000'!"); | ||
if (m_aadClientID.isEmpty()) | ||
throw makeStringExceptionV(-1, "%s: Could not find AAD Client ID, provide it as part of %s.%s secret, or connection/@clientID in AzureClient LogAccess configuration!", COMPONENT_NAME, azureLogAccessSecretName, azureLogAccessSecretAADClientID); |
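Review bot: the new message drops the `'00000000-0000-0000-0000-000000000000'` format hint that the old message carried; consider keeping it, since a value read from a secret file can be present but malformed (for example with a trailing newline), and the hint tells the operator what a valid client ID looks like.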
Some of the indentations in this file look a bit off.
else | ||
echo "Target secret '${secretname}' successfully created!" | ||
${k8scommand} get secret ${secretname} | ||
fi |
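Review bot: `${secretname}` is unquoted in the `get secret` call; quote it as `"${secretname}"` so a name containing whitespace or glob characters is passed as a single argument rather than split or expanded by the shell (`${k8scommand}` may be left unquoted if it intentionally carries options such as a namespace). Also consider whether the `get secret` listing after the success message is needed at all, since it adds no information beyond confirming the object exists.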
Git complains about these files without newlines at the end. For bash and yaml I would add newlines. For the secret content files you can't.
azure-logaccess: "azure-logaccess" | ||
vaults: | ||
esp: | ||
- name: azure-logaccess |
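Review bot: `vaults.esp` is a list, and Helm replaces rather than merges list values when a later values file also defines `vaults.esp`; document that operators who already declare an `esp` vault must append the `azure-logaccess` entry to their existing list, otherwise whichever file is applied last silently discards the other's vault definitions.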
Very trivial, but this makes it look like this vault is just for the logaccess secrets. A name like "myvault" would show how it could be a common vault, or whatever they want/need.
@rpastrana a few trivial comments, but looks good.
- Adds esp jsecret category
- Eliminates use of Env vars
- Establishes azure_logaccess secret
- Updates documentation
- Provides secrets template
- Provides logAccess secret creator

Signed-off-by: Rodrigo Pastrana <rodrigo.pastrana@lexisnexisrisk.com>
@afishbeck integrated the minor changes you suggested
@ghalliday @richardkchapman ready for merge
Signed-off-by: Rodrigo Pastrana rodrigo.pastrana@lexisnexisrisk.com