HPCC-27830 Azure LogAccess use Secrets

[rpastrana]

• Adds esp jsecret category
• Eliminates use of Env vars
• Stablishes azure_logaccess secret
• Updates documentation
• Provides secrets template

Signed-off-by: Rodrigo Pastrana rodrigo.pastrana@lexisnexisrisk.com

Type of change:

• This change is a bug fix (non-breaking change which fixes an issue).
• This change is a new feature (non-breaking change which adds functionality).
• This change improves the code (refactor or other change that does not change the functionality)
• This change fixes warnings (the fix does not alter the functionality or the generated code)
• This change is a breaking change (fix or feature that will cause existing behavior to change).
• This change alters the query API (existing queries will have to be recompiled)

Checklist:

• My code follows the code style of this project.
  • My code does not create any new warnings from compiler, build system, or lint.
• The commit message is properly formatted and free of typos.
  • The commit message title makes sense in a changelog, by itself.
  • The commit is signed.
• My change requires a change to the documentation.
  • I have updated the documentation accordingly, or...
  • I have created a JIRA ticket to update the documentation.
  • Any new interfaces or exported functions are appropriately commented.
• I have read the CONTRIBUTORS document.
• The change has been fully tested:
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • I have checked that this change does not introduce memory leaks.
  • I have used Valgrind or similar tools to check for potential issues.
• I have given due consideration to all of the following potential concerns:
  • Scalability
  • Performance
  • Security
  • Thread-safety
  • Cloud-compatibility
  • Premature optimization
  • Existing deployed queries will not be broken
  • This change fixes the problem, not just the symptom
  • The target branch of this pull request is appropriate for such a change.
• There are no similar instances of the same problem that should be addressed
  • I have addressed them here
  • I have raised JIRA issues to address them separately
• This is a user interface / front-end modification
  • I have tested my changes in multiple modern browsers
  • The component(s) render as expected

Smoketest:

• Send notifications about my Pull Request position in Smoketest queue.
• Test my draft Pull Request.

Testing:

[github-actions]

https://track.hpccsystems.com/browse/HPCC-27830
Jira updated

[afishbeck]

Since you are calling this several times to get values from the same secret (azureLogAccessSecretName) it would be more efficient to get the secret first (as a ptree from the secret cache) and use that to get each value.

Owned<IPropertyTree> secretTree = getSecret(azureLogAccessSecretCategory, azureLogAccessSecretName);

getSecretkeyValue(m_aadTenantID.clear(), secretTree, azureLogAccessSecretAADTenantID);
getSecretKeyValue(m_aadClientID.clear(), secretTree, azureLogAccessSecretAADClientID);

etc.

[rpastrana]

@afishbeck can you confirm this is the intended approach for declaring jsecret secrets?
I'm concerned the secrets/vaults structure might be lead to inadvertent overwrites of a given secret/vault category (in this case 'esp')

[rpastrana]

@afishbeck please review changes from your review.
Note, I added a helper script to create the required secret.

[afishbeck]

Some of the indentations in this file look a bit off.

[afishbeck]

Git complains about these files without newlines at the end. For bash and yaml I would add newlines. For the secret content files you can't.

[afishbeck]

Very trivial, but this makes it look like this vault is just for the logaccess secrets. A name like "myvault" would show how it could be a common vault, or whatever they want/need.

[afishbeck]

@rpastrana a few trivial comment, but looks good.

[rpastrana]

@afishbeck integrated the minor changes you suggested

[rpastrana]

@ghalliday @richardkchapman ready for merge