Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

In-memory cache per pod for Vault clients and tokens #202

Merged
merged 10 commits into from
Apr 20, 2023
Merged

In-memory cache per pod for Vault clients and tokens #202

merged 10 commits into from
Apr 20, 2023

Conversation

tomhjp
Copy link
Contributor

@tomhjp tomhjp commented Apr 18, 2023
edited
Loading

This PR adds a Vault client cache, keyed on SecretProviderClass parameters + pod info, which ensures we re-use Vault client tokens until they expire. When combined with the Vault Agent sidecar deployed by default in the helm chart since 0.24.0, this reduces lease creation to the minimum needed per pod.

Fixes #150 and #90, and relates to #149 and #151.

I initially tried caching the k8s tokens in the first commit which would have been simpler, however, I switched away from this because the Vault token TTL is uncapped by the k8s token TTL, so if the k8s token TTL is shorter than the Vault token TTL, it would have caused unnecessarily early reauthentication. It's then a poor UX to communicate that k8s token TTLs need to be set to the same length as Vault token TTLs to avoid thrashing.

It's quite a large PR but a lot of the changes are just moving code from provider.go into auth/kubernetes.go and client.go. The majority of new code is in the client and clientcache packages.

@tomhjp tomhjp requested review from swenson, tvoran, a team, shore and alvin-huang and removed request for a team April 18, 2023 21:07
@tomhjp tomhjp mentioned this pull request Apr 18, 2023
Closed
@tomhjp tomhjp linked an issue Apr 18, 2023 that may be closed by this pull request
Vault token (and credentials) active renew of lease during lifetime of Pod to avoid TTL expiration? #90
Closed
@tomhjp tomhjp mentioned this pull request Apr 18, 2023
Closed
tvoran
tvoran approved these changes Apr 20, 2023
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
internal/clientcache/client_cache.go Outdated Show resolved Hide resolved
@tomhjp @tvoran
Fix unchecked err in test
718c64f 
Co-authored-by: Theron Voran <[email protected]>
@tomhjp tomhjp merged commit fd47192 into main Apr 20, 2023
@tomhjp tomhjp deleted the vault-5491/vault-client-cache branch April 20, 2023 21:27
@tomhjp tomhjp mentioned this pull request Apr 28, 2023
Merged
@dnlopes dnlopes mentioned this pull request Jan 25, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvoran tvoran tvoran approved these changes

@swenson swenson Awaiting requested review from swenson

@shore shore Awaiting requested review from shore

@alvin-huang alvin-huang Awaiting requested review from alvin-huang

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@tomhjp @tvoran