edgexfoundry / go-mod-bootstrap

go-mod-bootstrap
Apache License 2.0

Ability to register a callback for when SecretStore has been modified #349

Closed ajcasagrande closed 2 years ago

ajcasagrande commented 2 years ago

🚀 Feature Request

Relevant Package [REQUIRED]

go-mod-bootstrap SecretProvider and SecretStore

Description [REQUIRED]

Similar to how you can register a callback to be notified when a service's configuration is modified from the configuration provider: https://github.com/edgexfoundry/go-mod-bootstrap/blob/010839c6db32356d141c0ae689095f3ceef96608/bootstrap/config/config.go#L290-L293

it would be nice to have the same functionality when the SecretStore is updated. It would need to be able to be registered from an app-service or device-service similar to the config ability.

The advantage of this is that it can also cut down on or remove the need for writing code that utilizes logic like this: #343

Using the device-onvif-camera as an example, when a secret is added or updated, the callback can check which Cameras are associated with that secret and modify the client object to use that new value in real time. This allows you to cache the client object without fear that the credentials are outdated. To replicate the same functionality you would need to look up the secret value every time you want to use the client.

Describe the solution you'd like

Ability to register a callback with the SecretProvider that gets called anytime a secret is added, updated, or removed. Ideally it would provide you with some details, such as the name/path of what changed, but this is optional.

Describe alternatives you've considered

Custom polling solution.

lenny-goodell commented 2 years ago

Since this is on the running service, we should be able to do this in the Secret Provider, i.e. when SetSecret() is called successfully, call any callbacks that are registered.

bnevis-i commented 2 years ago

I don't know Anthony's take, but personally, I don't think doing this all in-process would be very useful. It seems that this functionality would be needed when an external process modifies the secret, and you want your process to be notified.

Sadly, Vault does not have such functionality and we could only get it by polling a specific secret. For the same reason that secret enumeration isn't available, we also wouldn't be able to get an "anything changed" notification either.

As an alternative implementation, I suggest the following:

Such a change would also allow full enumeration of the secrets as well.

This solution is somewhat kubernetes unfriendly, as it would require availability of RWX (shared filesystem) volume types in contrast to the easier RWO (exclusive use) volume types. At least if you wanted a third party to be able to update the config.

bnevis-i commented 2 years ago

Also, EdgeX has a database. Why not use that? (Encrypt first.) That would solve the access by multiple parties problem since the database should be better transactionally protected.

lenny-goodell commented 2 years ago

@bnevis-i, this is in place of the current retry loops waiting for the service /secret endpoint to be used to store the secret.

bnevis-i commented 2 years ago

@lenny-intel Apologies. I assumed this was also ONVIF related.

lenny-goodell commented 2 years ago

> @lenny-intel Apologies. I assumed this was also ONVIF related.

@bnevis-i, Yes, ONVIF as well as Device MQTT and the old Device Camera service.

Our current model is for all updates to a service's secrets to be done by the service itself via the /secret endpoint or the seed file. So in-process should be sufficient.

lenny-goodell commented 2 years ago

@ajcasagrande, would it be helpful to register the callback only for a specific path?
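
The following is an added, self-contained Go example of the in-process design Lenny describes (callbacks fired only after a successful store) together with the per-path registration asked about in the last comment, plus a camera-client cache of the kind the issue text describes for device-onvif-camera that rebuilds only the clients tied to the changed path. It is not go-mod-bootstrap's code: the types and method names (`CallbackSecretStore`, `RegisterSecretUpdatedCallback`, `StoreSecret`, `CameraClientCache`), the `username`/`password` keys and the sample camera data are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// SecretUpdatedCallback is invoked after a secret at secretPath was stored
// successfully. It runs synchronously on the writer's goroutine, so keep it short.
type SecretUpdatedCallback func(secretPath string)

// CallbackSecretStore is an in-memory stand-in for an in-process SecretProvider.
// Illustrative code only; it is not go-mod-bootstrap's implementation.
type CallbackSecretStore struct {
	mu        sync.RWMutex
	secrets   map[string]map[string]string
	callbacks map[string][]SecretUpdatedCallback // keyed by path; "" subscribes to every path
}

func NewCallbackSecretStore() *CallbackSecretStore {
	return &CallbackSecretStore{secrets: map[string]map[string]string{}, callbacks: map[string][]SecretUpdatedCallback{}}
}

// RegisterSecretUpdatedCallback subscribes cb to writes at secretPath.
// An empty secretPath means "any path" (the "anything changed" case).
func (s *CallbackSecretStore) RegisterSecretUpdatedCallback(secretPath string, cb SecretUpdatedCallback) error {
	if cb == nil {
		return errors.New("callback must not be nil")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.callbacks[secretPath] = append(s.callbacks[secretPath], cb)
	return nil
}

// StoreSecret validates and writes the secret, then fires callbacks only after the
// write succeeded. Callbacks are snapshotted under the lock and invoked outside it,
// so a callback may safely call GetSecret on the same store without deadlocking.
func (s *CallbackSecretStore) StoreSecret(secretPath string, secret map[string]string) error {
	if secretPath == "" {
		return errors.New("secret path must not be empty")
	}
	if len(secret) == 0 {
		return errors.New("secret must contain at least one key")
	}
	s.mu.Lock()
	stored := make(map[string]string, len(secret))
	for k, v := range secret {
		stored[k] = v // copy so the caller cannot mutate the stored value afterwards
	}
	s.secrets[secretPath] = stored
	cbs := append([]SecretUpdatedCallback{}, s.callbacks[secretPath]...)
	cbs = append(cbs, s.callbacks[""]...)
	s.mu.Unlock()
	for _, cb := range cbs {
		cb(secretPath)
	}
	return nil
}

// GetSecret returns a copy of the secret at secretPath, or an error if none is stored.
func (s *CallbackSecretStore) GetSecret(secretPath string) (map[string]string, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	secret, ok := s.secrets[secretPath]
	if !ok {
		return nil, fmt.Errorf("no secret at %q", secretPath)
	}
	out := make(map[string]string, len(secret))
	for k, v := range secret {
		out[k] = v
	}
	return out, nil
}

// cameraClient stands in for the cached ONVIF client object mentioned in the issue.
type cameraClient struct{ Address, Username, Password string }

// CameraClientCache keeps one client per camera and rebuilds exactly the clients
// that use a secret path whenever that path is written. Lock order is always
// cache.mu before store.mu, so callbacks (which run outside store.mu) cannot deadlock.
type CameraClientCache struct {
	mu      sync.Mutex
	store   *CallbackSecretStore
	clients map[string]*cameraClient // camera name -> client (nil until credentials exist)
	byPath  map[string][]string      // secret path -> camera names using it
	address map[string]string        // camera name -> address
}

func NewCameraClientCache(store *CallbackSecretStore) *CameraClientCache {
	return &CameraClientCache{store: store, clients: map[string]*cameraClient{}, byPath: map[string][]string{}, address: map[string]string{}}
}

// AddCamera records the camera, builds its client if credentials already exist, and
// subscribes to the camera's secret path once. If the secret is not stored yet, the
// client stays nil and the callback fills it in later, so no retry loop is needed.
func (c *CameraClientCache) AddCamera(name, address, secretPath string) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, seen := c.byPath[secretPath]; !seen {
		if err := c.store.RegisterSecretUpdatedCallback(secretPath, c.onSecretUpdated); err != nil {
			return err
		}
	}
	c.byPath[secretPath] = append(c.byPath[secretPath], name)
	c.address[name] = address
	c.clients[name] = c.buildClient(name, secretPath)
	return nil
}

func (c *CameraClientCache) buildClient(name, secretPath string) *cameraClient {
	secret, err := c.store.GetSecret(secretPath)
	if err != nil {
		return nil // credentials not stored yet
	}
	return &cameraClient{Address: c.address[name], Username: secret["username"], Password: secret["password"]}
}

// onSecretUpdated rebuilds only the clients tied to the changed path.
func (c *CameraClientCache) onSecretUpdated(secretPath string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	for _, name := range c.byPath[secretPath] {
		c.clients[name] = c.buildClient(name, secretPath)
	}
}

// Client returns the cached client, or an error if credentials were never stored.
func (c *CameraClientCache) Client(name string) (cameraClient, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if cl := c.clients[name]; cl != nil {
		return *cl, nil
	}
	return cameraClient{}, fmt.Errorf("camera %q has no credentials yet", name)
}

func main() {
	// Constructed demo data: a camera registered before its secret exists, then a rotation.
	store := NewCallbackSecretStore()
	cache := NewCameraClientCache(store)
	_ = cache.AddCamera("lobby", "192.0.2.10", "camera/lobby")
	_ = store.StoreSecret("camera/lobby", map[string]string{"username": "admin", "password": "first"})
	cl, _ := cache.Client("lobby")
	fmt.Println("after first store:", cl.Username, cl.Password)
	_ = store.StoreSecret("camera/lobby", map[string]string{"username": "admin", "password": "rotated"})
	cl, _ = cache.Client("lobby")
	fmt.Println("after rotation:", cl.Username, cl.Password)
}
```

Two design points worth keeping if this were built into a real provider: callbacks are fired only after the write has succeeded and outside the store's lock, so a callback can read the new value back without deadlocking or observing a half-written secret; and the store hands out copies of secrets, so neither the writer nor a callback can mutate the stored map behind the provider's back.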