GenericSecret using local filesystem data source cannot be watched

[minuyim]

If you are reporting any crash or any potential security issue, do not
open an issue in this repo. Please report the issue via emailing
[email protected] where the issue will be triaged appropriately.

Title: GenericSecret using local filesystem data source cannot be watched

Description:
As described here, sds config file can be watched.

But when I set the filename in sds_config, the secret file cannot be watched from Envoy.

Config:

  credentials:
    token_secret:
      name: token
      sds_config:
        path_config_source: 
          path: "config.yaml"

resources:
  - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
    name: token
    generic_secret:
      secret:
        filename: jwt_svid.token

In this example, even if jwt_svid.token is updated by move event, the secret is not updated.

[RyanTheOptimist]

cc: @adisuissa

[adisuissa]

Can you try to configure the watched_directory field, and see if it works?

[minuyim]

Yes, I tried. But it would not work. The envoy version is 57e967669
The secret value can only be updated if the listener configuration has been changed.

[jewertow]

Watching generic secret is not implemented:

• envoy/source/common/secret/sds_api.h

  Line 332 in ad40097

  Config::WatchedDirectory* getWatchedDirectory() override { return nullptr; }

• envoy/source/common/secret/sds_api.cc

  Line 425 in ad40097

  std::vector<std::string> GenericSecretSdsApi::getDataSourceFilenames() { return {}; }

I am working on it.

[zuercher]

TlsSessionTicketKeysSdsApi has the same bug -- it doesn't implement getWatchedDirectory or getDataSourceFilenames() either.

[jewertow]

Yes, I noticed that. I can fix TlsSessionTicketKeysSdsApi as well in follow-up PRs.