[feature] cache environment secret decryption #444

Closed
sstarcher opened this issue Jan 22, 2019 · 2 comments · Fixed by #804

Comments

@sstarcher
Contributor

After the recent addition of templates I went through a refactor and broke apart some of my massive helmfiles. This has been a great advantage with usability and readability, but now if targeting a specific item we have a ton of verbose and time-intensive spam of secret decryption.

Can we do what we did with the repos and cache the secrets in memory as they are accessed, so if you have 20 helmfiles we don't re-decrypt the environment for each of them?

```
NOTES:
The Prometheus Operator has been installed. Check its status by running:
  kubectl --namespace ops get pods -l "release=prometheus"

Visit https://github.com/coreos/prometheus-operator for instructions on how
to create & configure Alertmanager and Prometheus instances using the Operator.

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml

Decrypting secret /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
Decrypting /Users/sstarcher/kubernetes/helm/account/dev/_environment/secrets.yaml
```
@mumoshu
Collaborator

mumoshu commented Jan 24, 2019

Thanks for writing this! Yes, an in-memory cache of decrypted secrets makes sense to me. Once implemented, can we enable it by default, assuming it won't break anything and there would be no downside to enabling it?

@sstarcher
Contributor Author

Agreed, I think it's reasonable to assume that the secrets should not change during a helmfile run.

mumoshu pushed a commit that referenced this issue Aug 7, 2019
Related to #782 and #444 

- Allows concurrent decryption of different secrets files
- Caches decrypted secrets by original file path and returns decrypted results from memory
- Secrets being run through an instance of helmexec will be cached and run as fast as possible concurrently

NB: This particular PR doesn't make _all_ calls to secrets cached and concurrent. Environment Secrets in particular seem to not be evaluated with a ScatterGather(), and don't use the same helmexec instance as other parts of the code, so they don't take advantage of these changes. Some reworking of the plumbing there would be needed.
mumoshu pushed a commit that referenced this issue Aug 15, 2019
Closes #444 and #782 

This is the final PR to fully cache and parallelize helm secret decryption.  It threads the shared helmexec.Interface into the StateCreator and HelmState structs to be used during environment secret decryption.  This should effectively cache secrets for the duration of a helmfile run, regardless of where they are first decrypted.
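
The behaviour the two commit messages describe (decrypt each secrets file once per run, keyed by its path, while different files decrypt concurrently) is shown here as an added example; it is not helmfile's own code. `SecretCache`, `entry` and `CountDecrypts` are hypothetical names, and the `decrypt` function is a stand-in for the real decryption call.

```go
package main

import "sync"
import "sync/atomic"

type entry struct {
	once  sync.Once
	plain []byte
	err   error
}

// SecretCache (hypothetical name) keeps plaintext in process memory for one run only.
type SecretCache struct {
	mu      sync.Mutex
	entries map[string]*entry
	decrypt func(path string) ([]byte, error) // stand-in for the real decryptor
}

// Get decrypts path at most once (a failure is cached too). The map lock covers
// only the lookup, so different files decrypt in parallel.
func (c *SecretCache) Get(path string) ([]byte, error) {
	c.mu.Lock()
	e, ok := c.entries[path]
	if !ok {
		e = &entry{}
		c.entries[path] = e
	}
	c.mu.Unlock()
	e.once.Do(func() { e.plain, e.err = c.decrypt(path) })
	return e.plain, e.err
}

// CountDecrypts requests every path `callers` times concurrently and returns runs of decrypt.
func CountDecrypts(paths []string, callers int) int64 {
	var calls int64
	c := &SecretCache{entries: map[string]*entry{}, decrypt: func(p string) ([]byte, error) {
		atomic.AddInt64(&calls, 1)
		return []byte("plaintext-of:" + p), nil // constructed sample value
	}}
	var wg sync.WaitGroup
	for i := 0; i < callers*len(paths); i++ {
		wg.Add(1)
		go func(p string) { defer wg.Done(); c.Get(p) }(paths[i%len(paths)])
	}
	wg.Wait()
	return atomic.LoadInt64(&calls)
}

func main() { println(CountDecrypts([]string{"env/secrets.yaml", "app/secrets.yaml"}, 20)) }
```

Because the cache is scoped to one process, a secrets file edited on disk mid-run is not re-read, which matches the assumption stated in the thread that secrets do not change during a run.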