Token Expiration Handling in EdgeX 3.1

[jonathanchoo519]

In EdgeX version 2.1, I encountered an issue with the Vault authentication tokens that are seeded by security-secretstore-setup. These tokens have an initial TTL of one hour and become invalid if not used or renewed within that period. Due to this, it’s not possible to delay the start of EdgeX services for more than one hour without the tokens expiring, preventing access to the secret store.

In version 2.1, the only solution I found was to restart the security-secretstore-setup component to regenerate the tokens. While this works, it can be a bit cumbersome in certain scenarios.

In version 3.1, I manually restarted the security-secretstore-setup container, but after doing so, my device service failed to start. The error message was as follows:

level=ERROR ts=2024-10-17T06:05:37.966497731Z app=my-devices source=init.go:62 msg="Failed to init cache: request failed, status code: 500, err: {\"message\":\"Internal Server Error\"}\n"

Interestingly, after encountering this error, I didn’t perform any additional actions, but after waiting for about ten or more minutes, the device service started running normally without the error reappearing.

What could be causing this error, and is there a better method to handle the token expiration issue in EdgeX 3.1 without restarting the security-secretstore-setup component?

Any insights or suggestions would be greatly appreciated!

[cloudxxx8]

Please check this
https://docs.edgexfoundry.org/3.1/security/Ch-DelayedStartServices/
https://docs.edgexfoundry.org/3.1/design/adr/security/0020-spiffe/

[jonathanchoo519]

Please check this https://docs.edgexfoundry.org/3.1/security/Ch-DelayedStartServices/ https://docs.edgexfoundry.org/3.1/design/adr/security/0020-spiffe/

Hi @cloudxxx8,

I followed the suggestion to deploy my device service using the delayed start service feature. However, I noticed some issues compared to the normal deployment. The Auto Event doesn’t seem to trigger periodic data readings, and in the EdgeX UI, the device service, devices, and device profiles are missing. Is there a known issue with Auto Event or registration in delayed start services, or am I missing some configuration? Any advice on resolving this would be appreciated!

Thanks in advance!

[cloudxxx8]

you need to rebuild the image without the non_delayedstart build flag as the document mentioned.
for the error, you should check the error log from your device service