Disable caching of secrets and configmaps #513
Conversation
|
Overall, I do see the benefits of offering as an option the capability of decreasing the RBAC requirements in which the controller runs under. As discussed here, by default, even when impersonation is in place, the controller service account still requires There are some considerations worth taking around the impact of this. But giving Flux users the option to decide based on their priorities and security vs performance trade-offs, does not seem like a terrible idea. I am just not sure about the API. Potentially, users may want to disable cache for other objects in the future, so |
|
@pjbgf I was thinking the same thing originally about If you know of a helper function that does the job, I'd be happy to include it! |
mac-chaffee
force-pushed
the
no-cache-secrets
branch
from
1c67cf1
to
f106cf8
Compare
mac-chaffee
force-pushed
the
no-cache-secrets
branch
from
f106cf8
to
3d2b938
Compare
|
Hello again! Just following up on this. Given the complexity of parsing API types from strings and the lack of a defined use-case for disabling caches for things other than secrets, I think we ought to stick with just |
|
@mac-chaffee after some thought on this and discussions with @darkowlzz, we think that This has been done in CAPI a while ago and should work well for us too. Therefore, can you please:
|
|
Sounds good. To clarify, should CacheSecretsAndConfigMaps be set to true by default? or false? |
mac-chaffee
force-pushed
the
no-cache-secrets
branch
from
3d2b938
to
fceffe0
Compare
There was a problem hiding this comment.
@mac-chaffee please align the documentation to the other controllers (as per comments below).
|
mac-chaffee
force-pushed
the
no-cache-secrets
branch
from
5de3bfc
to
c1f7386
Compare
Yes I ran it locally and was unpleasantly surprised to see it connect to my production cluster, but at least I was able to confirm the RBAC was working with the flag enabled/disabled! |
mac-chaffee
changed the title
|
Tested this against my setup, all works as expected. In terms of memory footprint, I don't have many secrets and configmaps in the cluster (~105 objects), but it already makes a dent. At a larger cluster this should be even more substantial:
|
There was a problem hiding this comment.
Left a few minor comments. Overall, it looks good to me.
I think we should add this to all the other controllers as well.
Also, we need to update the docs about this, similar to how we document such feature gates in source-controller, refer GitRepository docs.
We can add it in the helm-controller v2beta1 docs.
|
I really like this addition thanks @mac-chaffee. I agree that this should be added to the other controllers behind feature gate. |
|
To sort the issue in the e2e tests, please run |
mac-chaffee
force-pushed
the
no-cache-secrets
branch
from
c1f7386
to
2e323dd
Compare
|
Oh wait I forgot the docs. Seems we don't have docs for the existing CLI flags, so I can add that too. Thinking the most logical place to put that would be https://github.com/fluxcd/helm-controller/blob/main/docs/spec/README.md instead of the page on helmreleases since spec/README is linked from the top-level README as "controller". |
mac-chaffee
force-pushed
the
no-cache-secrets
branch
2 times, most recently
from
36a100c
to
613b06e
Compare
|
@mac-chaffee we do have flag documentation, but they're maintained in the |
|
Is it really fine to have it |
mac-chaffee
force-pushed
the
no-cache-secrets
branch
from
613b06e
to
2e323dd
Compare
Ah thanks. I removed the docs from this PR (we don't want two sources of truth for the cli flags) and will update fluxcd/website later |
You can re-enabled caching of secrets by starting the controller with the argument '--feature-gates=CacheSecretsAndConfigMaps=true' Signed-off-by: Mac Chaffee <machaffe@renci.org>
mac-chaffee
force-pushed
the
no-cache-secrets
branch
from
2e323dd
to
9bcf125
Compare
Think based on the (realistic) assumption that we only need a tiny subset of Secrets in any cluster makes this a fair choice. Helm itself maintains its own (extremely expensive) cache anyway, so in terms of API request overhead this should be negligible. |
There was a problem hiding this comment.
We discussed this among maintainers and agreed this would be beneficial to all controllers. We would like the feature flag (CacheSecretsAndConfigMaps) to be the same across controllers (even if they do not necessarily make use of a ConfigMap at present). For which I will create an umbrella issue.
Thanks a lot @mac-chaffee 🥇
Fixes #512 .
By default,
controller-runtimegives you a cache-backed client, which will perform a LIST operation on any API type that you fetch, even if you use a GET request like we do:helm-controller/controllers/helmrelease_controller.go
Line 556 in 5a7d0f8
So unless you restrict helm-controller to a specific namespace with
--watch-all-namespaces=false, then it will attempt to populate its cache by listing all secrets in the cluster, even if it only needs to access a few in specific namespaces. That requires giving helm-controller the ability to read every secret in the cluster.This PR allows users to avoid that restriction by disabling caching of secrets. Now users can deploy HelmReleases that use
valuesFromwithout having to grant Flux access to more secrets than necessary.