support changing default SHub credentials without restarting the web app #327

bossie opened this issue Jan 30, 2023 · 0 comments
bossie commented Jan 30, 2023

Open-EO/openeo-geotrellis-extensions#77 implemented a way to get the (default) credentials from Vault instead of hard-coding them in probav-mep.py. In particular, it will fetch those credentials once @ startup time and propagate them to the components (objects) that need them: see e.g. probav-mep.py and async_task.py:

default_sentinel_hub_credentials = vault.get_sentinel_hub_credentials(
    sentinel_hub_client_alias='default',
    vault_token=vault.login_kerberos(args.principal, args.keytab))
batch_jobs.set_default_sentinel_hub_credentials(
    client_id=default_sentinel_hub_credentials.client_id,
    client_secret=default_sentinel_hub_credentials.client_secret)

The fact that the credentials are only fetched once @ startup time means that they are considered fixed during the lifetime of the application. In the case of the web app, this means that a restart is necessary if we need to change them for some reason, for example when they get compromised.

At the moment this is maybe a theoretical problem and just something that we have to keep in mind, should the problem arise.

I made an attempt to fix this but ultimately reverted it because it didn't play nice with batch job impersonation (IIRC it's because a batch job with impersonation doesn't have the openeo.keytab at its disposal to access Vault).

Another, maybe cleaner, way might be to pass on the Vault token like we do in the non-default SHub credentials case but we have to consider that a synchronous load_collection will also require a Vault token (it won't be in the EvalEnv like it is for a batch job).

I suspect that implementing this will also clean up our APIs a bit because things like set_default_sentinel_hub_credentials will no longer be necessary.
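One way to decouple the default credentials from the application's lifetime, as an added illustration that is not code from this project or the issue author: components hold a credential provider that re-reads the pair from the secret store after a TTL or on explicit invalidation, instead of receiving a client_id/client_secret copy at startup. The RefreshingCredentials class, the FakeVault stand-in and the fake clock are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class SentinelHubCredentials:
    client_id: str
    client_secret: str

class RefreshingCredentials:
    """Hands out the *current* default SHub credentials rather than a copy taken once at
    startup: re-reads them after ttl_seconds or after invalidate() (e.g. on a known rotation)."""

    def __init__(self, fetch: Callable[[], SentinelHubCredentials],
                 ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._cached = None
        self._fetched_at = float("-inf")

    def current(self) -> SentinelHubCredentials:
        if self._cached is None or self._clock() - self._fetched_at >= self._ttl:
            self._cached = self._fetch()          # one Vault round-trip per TTL window
            self._fetched_at = self._clock()
        return self._cached

    def invalidate(self) -> None:
        self._cached = None                       # force a re-read on next use

class FakeVault:
    """Constructed stand-in for the Vault client: counts reads, allows rotation."""
    def __init__(self) -> None:
        self.secret, self.reads = SentinelHubCredentials("id-v1", "secret-v1"), 0

    def get_sentinel_hub_credentials(self, alias: str) -> SentinelHubCredentials:
        self.reads += 1
        return self.secret

def demo() -> dict:
    vault, now = FakeVault(), [0.0]               # fake clock so the TTL is deterministic
    creds = RefreshingCredentials(lambda: vault.get_sentinel_hub_credentials("default"),
                                  ttl_seconds=300, clock=lambda: now[0])
    creds.current(); creds.current()              # second call is served from the cache
    vault.secret = SentinelHubCredentials("id-v2", "secret-v2")   # rotation in Vault
    stale = creds.current().client_id             # still id-v1: inside the TTL window
    now[0] = 301.0
    after_ttl = creds.current().client_id         # id-v2 picked up without a restart
    creds.invalidate()
    forced = creds.current().client_id            # explicit refresh, third Vault read
    return {"stale": stale, "after_ttl": after_ttl, "forced": forced, "reads": vault.reads}
```

The TTL bounds how long a rotated (or compromised) pair keeps being used; invalidate() is the hook a rotation procedure can call to cut that window to zero.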
