Biggest change to mention is the WatchSecrets function which can be enabled by config.
Added a labelSelector so that we can filter early the secrets we want to be reading (standard k8s labels on secrets)
Updated the libraries to newer k8s API (1.22) - needed to pass a context to a few of the functions, update tests etc.
Update golang version
why we added the watch feature
We noticed when the number of secrets started to grow in our k8s cluster, the controller was a bit slow when making updates (loops through all secrets and calls SSM parameter store to fetch the value).
For a cluster with around 800 secrets, it was taking a few minutes to cycle through all of them, exceeding the default ticker interval as well (30 seconds).
When doing a new deployment (we use helm but it doesn't matter), we deploy our secrets first before deploying but as the secrets take so long to be properly populated with values from SSM, we generally see a CreateContainerConfigError on the pods.
edify42
commented
2 years ago
Hey @cmattoon
changes
WatchSecretsfunction which can be enabled by config.why we added the
watchfeatureWe noticed when the number of secrets started to grow in our k8s cluster, the controller was a bit slow when making updates (loops through all secrets and calls SSM parameter store to fetch the value).
For a cluster with around 800 secrets, it was taking a few minutes to cycle through all of them, exceeding the default ticker interval as well (30 seconds).
When doing a new deployment (we use helm but it doesn't matter), we deploy our secrets first before deploying but as the secrets take so long to be properly populated with values from SSM, we generally see a
CreateContainerConfigErroron the pods.