kubernetes-sigs / secrets-store-sync-controller

This is a Kubernetes controller that watches for changes to a custom resource and syncs the secrets from external secrets-store as Kubernetes secret.
Apache License 2.0

Fetch only the secret specified in the `SecretSync` from the provider per reconcile #46

Status: Closed. AlexanderStocks closed this issue 2 days ago.

AlexanderStocks commented 1 month ago

Currently in the controller we fetch all secrets in a SecretProviderClass from the provider each time we reconcile a SecretSync. This can have a large impact on costs from providers and is an inefficiency.

Describe the solution you'd like

I would like to only fetch the secret referenced in the SecretSync that we are reconciling.

Environment:

nilekhc commented 1 month ago

Thanks for raising the issue @AlexanderStocks.

The SecretProviderClass (SPC) serves as the common interface between the Secrets Store CSI Driver and the Secrets Store Sync Controller. Although we expect a 1:1 mapping for secrets between SecretSync and SPC, there is no such requirement when the SPC is used in the Secrets Store CSI driver. Users can define multiple secrets they want to fetch from an external key vault and mount on the volume.

In SecretSync, you can define only one secret that needs to be created as a Kubernetes Secret. Given this 1:1 mapping, is there a specific reason you are defining multiple secrets in the SPC?

nilekhc commented 2 weeks ago

/assign

nilekhc commented 2 days ago

@AlexanderStocks, we discussed this in the community call on 09/05. Another thing to consider is that SecretSync does not have an understanding of how secrets are defined in the SPC. It's just a map that can be defined however individual providers want to implement or consume it from the SPC.

The recommendation here is:

  1. Do not include additional secrets in the SPC that are not used for sync.
  2. If you are using a common SPC between both the driver and the sync controller, separate those secrets in different SPCs to ensure the controller does not generate additional calls to Key Vaults.

/close
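The recommendation above, expressed as manifests. This is an added illustration, not configuration from the secrets-store-sync-controller project or from the thread: one SecretProviderClass that carries every object the CSI driver mounts, and a second, narrower SecretProviderClass that carries only the single object a SecretSync needs, so a reconcile of that SecretSync asks the provider for one object rather than the whole list. The vault name, object names, namespace and service account are constructed placeholders; the `objects` parameter layout follows the Azure Key Vault provider's convention and the `secret-sync.x-k8s.io/v1alpha1` SecretSync fields (`secretProviderClassName`, `serviceAccountName`, `secretObject.data[].sourcePath`/`targetKey`) are assumed from the controller's API and should be checked against the release in use.

```yaml
# Added example, not from the project. Names and vault values are placeholders.
# SPC 1: used only by the CSI driver for volume mounts; may list many objects.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-mount-spc
  namespace: example-ns
spec:
  provider: azure            # provider-specific; the parameters map is opaque to the sync controller
  parameters:
    keyvaultName: example-kv
    tenantId: "00000000-0000-0000-0000-000000000000"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
        - |
          objectName: api-token
          objectType: secret
        - |
          objectName: tls-cert
          objectType: secret
---
# SPC 2: dedicated to the sync controller; lists exactly the one object the SecretSync needs,
# so each reconcile fetches one object instead of the three above.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: db-password-sync-spc
  namespace: example-ns
spec:
  provider: azure
  parameters:
    keyvaultName: example-kv
    tenantId: "00000000-0000-0000-0000-000000000000"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
---
# The SecretSync references the narrow SPC, not the mount SPC.
apiVersion: secret-sync.x-k8s.io/v1alpha1
kind: SecretSync
metadata:
  name: db-password-sync
  namespace: example-ns
spec:
  secretProviderClassName: db-password-sync-spc   # never app-mount-spc
  serviceAccountName: secret-sync-sa               # identity the controller uses toward the vault
  secretObject:
    type: Opaque
    data:
      - sourcePath: db-password                    # must match the object name the provider returns
        targetKey: password                        # key inside the resulting Kubernetes Secret
```

Keeping the driver's SPC and the sync SPC separate also limits blast radius: the service account bound to the sync controller only needs vault read access to the objects listed in the sync SPC, and an audit of vault access logs can attribute each read to the workload that actually needed it.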

k8s-ci-robot commented 2 days ago

@nilekhc: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/secrets-store-sync-controller/issues/46#issuecomment-2332283286):

> @AlexanderStocks, We discussed this in the community call on 09/05. Another thing to consider is that SecretsSync does not have an understanding of how secrets are defined in the SPC. It's just a map that can be defined however individual providers want to implement or consume it from the SPC.
>
> The recommendation here is:
> 1. Do not include additional secrets in the SPC that are not used for sync.
> 2. If you are using a common SPC between both the driver and the sync controller, separate those secrets in different SPCs to ensure the controller does not generate additional calls to Key Vaults.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.