bcgov / entity

ServiceBC Registry Team working on Legal Entities
Apache License 2.0

Update Colin Filings CronJob requesting redundant keycloak service account tokens #20601

Open bolyachevets opened 7 months ago

bolyachevets commented 7 months ago

The SSO team contacted us about a large number of logins via the entity-service-account service account:

Screenshot 2024-04-03 at 1.01.38 PM.png

We ran a script to get login counts for entity-service-account within one-minute intervals (timestamp is for the last login event within the minute):

-------------06:00:21-------------
entity-service-account : 100
-------------05:52:50-------------
entity-service-account : 300
-------------05:51:27-------------
entity-service-account : 200
-------------05:43:04-------------
entity-service-account : 300
-------------05:41:41-------------
entity-service-account : 200
-------------05:40:35-------------
entity-service-account : 100
-------------05:32:48-------------
entity-service-account : 300
-------------05:31:31-------------
entity-service-account : 200
-------------05:30:18-------------
entity-service-account : 100
-------------05:22:46-------------
entity-service-account : 300
-------------05:21:24-------------
entity-service-account : 200
-------------05:12:56-------------
entity-service-account : 300
-------------05:11:35-------------
entity-service-account : 200
-------------05:10:29-------------
entity-service-account : 100
-------------05:03:05-------------
entity-service-account : 200
-------------05:02:03-------------
entity-service-account : 200
-------------05:00:51-------------

This implied that the culprit job runs with a 10 minute cron schedule. The only such job in OpenShift is: https://console.apps.silver.devops.gov.bc.ca/k8s/ns/cc892f-dev/cronjobs/update-colin-filings-dev

Disabling this job confirmed the initial guess - the login counts were much lower.

On cursory inspection of the code, it appears that the following line:

https://github.com/bcgov/lear/blob/main/jobs/update-colin-filings/update_colin_filings.py#L76

is called for every single filing.

We need to reduce the number of calls to generate a Keycloak token in the cronjob.

It might be possible to reuse the token defined here https://github.com/bcgov/lear/blob/c8644e4813e23904f6ccbcd90ee3cdc871640484/jobs/update-colin-filings/update_colin_filings.py#L133C13-L133C18 instead of generating a new one.

argush3 commented 7 months ago

Yes, probably possible to just reuse the token.
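One way to reuse a single service-account token for every filing in a run, as an added example that is not code from the lear repository. `ServiceAccountToken`, `run_job`, the fake clock and the fake fetch function are hypothetical names, and the token response is assumed to carry the standard OAuth2 `access_token` and `expires_in` fields.

```python
import time
from typing import Callable, Dict, Iterable, Optional


class ServiceAccountToken:
    """Caches a client-credentials token and requests a new one only near expiry."""

    def __init__(self, fetch: Callable[[], Dict], clock: Callable[[], float] = time.monotonic,
                 skew_seconds: float = 30.0):
        self._fetch = fetch        # performs the real token request (one login event)
        self._clock = clock
        self._skew = skew_seconds  # refresh early so a token never expires mid-request
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.logins = 0            # token requests actually sent

    def get(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            payload = self._fetch()
            self.logins += 1
            self._token = payload["access_token"]
            self._expires_at = self._clock() + float(payload["expires_in"])
        return self._token


def run_job(filing_ids: Iterable[int], source: ServiceAccountToken,
            send: Callable[[int, str], None]) -> int:
    """Send every filing with the shared token; return the logins this run caused."""
    before = source.logins
    for filing_id in filing_ids:
        send(filing_id, source.get())
    return source.logins - before


# Constructed stand-ins so the example runs offline (no Keycloak, no downstream API).
class FakeClock:
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now

def fake_fetch() -> Dict:
    return {"access_token": "constructed-token", "expires_in": 300}

def demo():
    clock, sent = FakeClock(), []
    source = ServiceAccountToken(fake_fetch, clock)
    first = run_job(range(300), source, lambda fid, tok: sent.append((fid, tok)))
    clock.now += 600  # next 10-minute cron tick: the cached token has expired
    second = run_job(range(200), source, lambda fid, tok: sent.append((fid, tok)))
    return first, second, len(sent)
```

In a real job the `fetch` callable would wrap the existing token request, so each cron run produces one login event instead of one per filing.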