Disable caching of secrets and configmaps #989

Merged
merged 1 commit into from
Jan 27, 2023

@mac-chaffee mac-chaffee commented Dec 17, 2022

For background, see fluxcd/helm-controller#512 and fluxcd/helm-controller#513

This PR adds a new opt-in feature gate (CacheSecrets) which causes the default source controller to stop caching secrets. Users can set that feature gate to "true" to go back to the old behavior of caching secrets.

The source controller fetches secrets to perform authenticated git clones, but the controller-runtime client greedily fetches all secrets in the cluster to cache them (LIST and WATCH operations instead of GET operations). Since it's common to have very large secrets for helm charts, this behavior can use up a lot of RAM.

I'm also interested in this feature so that users can run source-controller without giving it cluster-wide access to secrets which can be quite a dangerous permission.
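
The permission difference described above, shown as RBAC manifests. This is an added example, not part of the original PR or the project's own manifests. All object names and namespaces are hypothetical, and it assumes the controller only needs to read one named secret in one namespace.

```yaml
# Constructed example; every name and namespace below is hypothetical.
# Before: a cached client LISTs and WATCHes Secrets cluster-wide, so the
# controller needs this grant (bound through a ClusterRoleBinding).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-source-reader-cached
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch"]
---
# After: with caching off, each read is an individual GET, so a namespaced
# Role restricted to the named Secret is sufficient.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-source-reader-uncached
  namespace: example-tenant
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["example-git-credentials"]
    verbs: ["get"]
---
# Bind the narrow Role to the controller's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-source-reader-uncached
  namespace: example-tenant
subjects:
  - kind: ServiceAccount
    name: example-source-controller
    namespace: example-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: example-source-reader-uncached
```

With only the narrow binding in place, `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:example-system:example-source-controller` should answer `no`.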

@souleb added the enhancement and experimental labels Dec 19, 2022
@mac-chaffee mac-chaffee force-pushed the no-cache-secrets branch 2 times, most recently from 9094965 to a20c11b Compare January 18, 2023 15:39
@mac-chaffee mac-chaffee requested review from hiddeco and darkowlzz and removed request for hiddeco and darkowlzz January 18, 2023 15:40
You can re-enable caching by starting the controller
with the argument '--feature-gates=CacheSecretsAndConfigMaps=true'

Signed-off-by: Mac Chaffee <machaffe@renci.org>
@stefanprodan removed the experimental label Jan 27, 2023

@hiddeco hiddeco left a comment

Thank you @mac-chaffee 🙇
