edgex-go: Add capability to seed unknown and known secrets for any service during bootstrap

🚀 Feature Request

Relevant Package

This feature request is for Secret Store Setup

Description

Currently unknown secrets, those known only at deployment time for things like camera credentials, external broker credentials, HTTP API keys, etc., have to be pushed into the service's Secret Store via the /secret REST endpoint once the service is up and running. This can be problematic if the service needs the credentials immediately after bootstrapping, i.e. Device MQTT connecting to the broker or Device Camera connecting to the camera(s) as the devices are added. For add-on services the known secrets are specified to be added via the ADD_KNOWN_SECRETS environment variable (See here for more details).

Describe the solution you’d like

We need an alternative to the REST endpoint and environment variables where the deployment can specify the unknown and known secrets to be populated during bootstrapping so that the secrets are available when the service needs them.

This can be accomplished with a file supplied to Secret Store Setup that contains the secrets to be added to the specified services’ secret store(s). The file will be root access only. For docker, it will be volume mounted into the Secret Store Setup container. For snaps, the file(s) can be provided via a combination of configure hook and/or content interface.

Secret Store Setup will have a new environment variable telling it where to find the file. If the environment variable is not set, the seeding is skipped. If the file doesn't exist, an error is logged and seeding is skipped.

This file will contain JSON that is an array of objects that contain the following data:

  • Service Key
  • Secrets - Array of secrets to add to the service’s Secret Store
    • Path
    • SecretData - list of key value pairs
  • KnownSecrets - List of known secrets to be added to the service's Secret Store (redisdb is currently the only known secret)

Example:

[
    {
        "serviceKey": "device-mqtt",
        "secrets": [
            {
                "path": "credentials",
                "secretData": [
                    {
                        "key": "username",
                        "value": "mqtt-user"
                    },
                    {
                        "key": "password",
                        "value": "mqtt-password"
                    }
                ]
            },
            ...
        ],
      "knownSecrets": "redisdb"
    },
   ...
]

The Token Provider will use this list as an additional source for creating Vault Tokens. Secret Store Setup will use it as an additional source for adding known secrets.

Describe alternatives you’ve considered

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 16 (11 by maintainers)

Most upvoted comments

That’s reasonable. Create a class and tests in separate .go files so it’s easy to rip it out later.

Funny. I have no problem with it:

Because you defined it as a map. I like it! Multiple services would look like this.

{
        "device-mqtt": {
            "knownSecrets": [
                "redisdb"
            ],
            "secrets": [
                {
                    "path": "credentials",
                    "imported": true,
                    "data": {
                        "username": "mqtt-user",
                        "password": "mqtt-password"
                    }
                }
            ]
        },
        "device-rest": {
            "knownSecrets": [
                "redisdb"
            ],
            "secrets": [
                {
                    "path": "credentials",
                    "imported": true,
                    "data": {
                        "username": "mqtt-user",
                        "password": "mqtt-password"
                    }
                }
            ]
        }
}
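A loader for the seed file described in the issue body (an environment variable naming a root-only file; an unset variable or a missing file means seeding is skipped), using the map layout from the comment above, as an added example in Go that is not part of edgex-go or of this thread. The type and field names, the fixed allow-list of known secrets (redisdb only, as the thread states), the refusal of files with any group/other permission bits, and the rejection of duplicate service keys are assumptions of this example, not the project's implementation:

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"os"
)

// Secret, ServiceSeed and SeedFile model the map layout proposed in the thread.
type Secret struct {
	Path     string            `json:"path"`
	Imported bool              `json:"imported"`
	Data     map[string]string `json:"data"`
}
type ServiceSeed struct {
	KnownSecrets []string `json:"knownSecrets"`
	Secrets      []Secret `json:"secrets"`
}
type SeedFile map[string]ServiceSeed

// Assumption: a fixed allow-list; the thread says redisdb is the only known secret today.
var allowedKnownSecrets = map[string]bool{"redisdb": true}

// duplicateServiceKey walks the top-level keys with the token API, because
// encoding/json silently keeps the last value when an object key is repeated.
func duplicateServiceKey(raw []byte) (string, bool) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	if tok, err := dec.Token(); err != nil || tok != json.Delim('{') {
		return "", false // not an object: the full decode reports that
	}
	seen := map[string]bool{}
	for dec.More() {
		tok, err := dec.Token()
		key, _ := tok.(string)
		if err == nil && seen[key] {
			return key, true
		}
		seen[key] = true
		var skip json.RawMessage // consume the value without interpreting it
		if err != nil || dec.Decode(&skip) != nil {
			return "", false
		}
	}
	return "", false
}

// ParseSeedFile decodes and validates seed JSON: repeated or empty service keys,
// unknown fields, entries with nothing to seed, empty paths, paths without data
// and unsupported known-secret names are all rejected.
func ParseSeedFile(raw []byte) (SeedFile, error) {
	if key, dup := duplicateServiceKey(raw); dup {
		return nil, fmt.Errorf("service key %q appears more than once", key)
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // a misspelled field must fail, not be ignored
	var sf SeedFile
	if err := dec.Decode(&sf); err != nil {
		return nil, fmt.Errorf("seed file: %w", err)
	}
	for svc, seed := range sf {
		if svc == "" || (len(seed.Secrets) == 0 && len(seed.KnownSecrets) == 0) {
			return nil, fmt.Errorf("service %q: empty key or nothing to seed", svc)
		}
		for _, ks := range seed.KnownSecrets {
			if !allowedKnownSecrets[ks] {
				return nil, fmt.Errorf("%s: unsupported known secret %q", svc, ks)
			}
		}
		for _, s := range seed.Secrets {
			if s.Path == "" || len(s.Data) == 0 {
				return nil, fmt.Errorf("%s: path %q is empty or has no data", svc, s.Path)
			}
		}
	}
	return sf, nil
}

// LoadSeedFile applies the skip rules from the issue: an empty path (env var
// unset) skips silently, a missing file skips with an error for the caller to
// log, and a file with any group/other permission bits is refused (assumption
// derived from "root access only"). The bool reports whether data was loaded.
func LoadSeedFile(path string) (SeedFile, bool, error) {
	if path == "" {
		return nil, false, nil
	}
	info, err := os.Stat(path)
	if err != nil { // covers the missing-file case
		return nil, false, fmt.Errorf("seed file %q unreadable, seeding skipped: %w", path, err)
	}
	if info.Mode().Perm()&0o077 != 0 {
		return nil, false, fmt.Errorf("seed file %q is group/other accessible (mode %v), refusing to read it", path, info.Mode().Perm())
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, false, err
	}
	sf, err := ParseSeedFile(raw)
	return sf, err == nil, err
}
```

Two points worth noting. First, decoding straight into a map would silently let a second "device-mqtt" entry overwrite the first, so the token walk in duplicateServiceKey is what turns a repeated service key into an error rather than a quietly dropped set of credentials. Second, the mode check only looks at permission bits; confirming that the owner is actually root (the issue's requirement) needs the platform-specific fields of the Stat result and is left to the deployment here. With a Docker volume mount the mode and owner come from the host file, so the check is on what the host operator did.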