feat: SecretProvider for storing/retrieving secrets

[lenny-goodell]

PR Checklist

Please check if your PR fulfills the following requirements:

• Tests for the changes have been added (for bug fixes / features)
• Docs have been added / updated (for bug fixes / features)

If your build fails due to your commit message not passing the build checks, please review the guidelines here: https://github.com/edgexfoundry/device-sdk-c/blob/master/.github/CONTRIBUTING.md

What is the current behavior?

Issue Number: #653

What is the new behavior?

Added creation and initialization SecretProvider during bootstrap for both secure and non-secure modes
Added InsecureSecrets and SecretStore config to device-simple as samples and used to test initializing SecretProvider in secure mode.
APIs to take advantage of the SecretProvider are TBD in future PRs

Does this PR introduce a breaking change?

• Yes
• No

New Imports

• Yes
• No

Specific Instructions

This PR is about just about creating and initializing the Secret Provider. Using it come in following PR.
Do the following to test this PR:

• clone latest developer scripts repo
• Modify developer-scripts/releases/nightly-build/compose-files/docker-compose-nexus.yml as follows:
  • Add ADD_SECRETSTORE_TOKENS: "device-simple" to environment section for vault-worker

    environment:
      SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done
      ADD_SECRETSTORE_TOKENS: "device-simple"
    hostname: edgex-vault-worker

• Run compose from developer-scripts/releases/nightly-build/compose-files
  • make run
• build Device SDK from branch for this PR (i.e. clone the branch)

Run Device Simple in secure mode

• cd to example/cmd/device-simple/
• sudo EDGEX_SECURITY_SECRET_STORE=true ./device-simple
  • Need to run as root to access vault token file
• Verify service starts successfully with the following in the log messages:

level=INFO ts=2021-01-08T21:44:12.7857283Z app=device-simple source=secret.go:51 msg="Creating SecretClient"
level=INFO ts=2021-01-08T21:44:12.7872455Z app=device-simple source=secret.go:58 msg="Reading secret store configuration and authentication token"
level=INFO ts=2021-01-08T21:44:12.7873587Z app=device-simple source=secret.go:70 msg="Attempting to create secret client"
level=INFO ts=2021-01-08T21:44:12.805743Z app=device-simple source=secret.go:75 msg="Created SecretClient"

Run Device Simple in non-secure mode

• EDGEX_SECURITY_SECRET_STORE=false ./device-simple
• Verify service starts successfully without any log message about SecretClient

Other information

[chr1shung]

LGTM

[chr1shung]

LGTM

[tonyespy]

In general this looks pretty good, although I had some questions about what appear to be some unrelated changes.

Also I wasn't sure how to test this PR. Could you provide some basic instructions on how to do so?

[tonyespy]

sp: contain --> contains

[codecov-io]

Codecov Report

Merging #707 (c4cbbed) into master (3720988) will decrease coverage by 0.05%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master     #707      +/-   ##
==========================================
- Coverage   45.37%   45.31%   -0.06%     
==========================================
  Files          32       32              
  Lines        3121     3125       +4     
==========================================
  Hits         1416     1416              
- Misses       1592     1596       +4     
  Partials      113      113              

Impacted Files	Coverage Δ
internal/common/config.go	0.00% <0.00%> (ø)
internal/common/types.go	0.00% <ø> (ø)
pkg/service/main.go	0.00% <0.00%> (ø)
pkg/service/service.go	0.00% <0.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3720988...c4cbbed. Read the comment docs.

[cloudxxx8]

LGTM

[tonyespy]

@cloudxxx8 why did you merge this? Per my last review I still had some testing to do and hadn't yet approved this.

[tonyespy]

@lenny-intel I re-tested today using the edgexfoundry snap. I added the following override to security-secretstore-setup (which in turn execs security-file-token-provider):

ADD_SECRETSTORE_TOKENS: device-simple

...and the token is generated for device-simple once I bring everything up. I then manually copied the file from the $SNAP_DATA/secrets/device-simple to the /res directory of device-simple, updated the configuration.toml path for the token and everything worked. I also verified that device-simple works with EDGEX_SECURITY_SECRET_STORE=false as well.

Note, when I tried testing by adding ADD_SECRETSTORE_TOKENS to vault-worked in docker-compose-nexus.yml per your instructions, the device-simple token wasn't generated for me when I brought everything up.

[cloudxxx8]

sorry, @tonyespy , I should have read through your comments thoroughly. I merged this PR because I saw you put comments not "change request" and Lenny had resolved all the comments. Also, I would like to unblock other two PRs early.