WIP: Proof of concept for using Kube CSR API in TokenCredentialRequest #1070
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a proof of concept of using the Kube CSR API in the TokenCredentialRequest endpoint to create client certs. It is related to #715.
Today, the Pinniped Concierge uses either the Kube API server's CA's private key to create a cert, or it uses its own CA for the impersonation proxy. Using the Kube CSR API would be an alternative approach which is only possible in Kube 1.22+ thanks to kubernetes/kubernetes#99494.
This proof of concept was written to explore the potential impact on the Pinniped code of using the CSR API for this purpose, including getting a sense of the performance penalty compared to how Pinniped works today.
This PR does not attempt to include unit tests or pass linter checks. It is not expected to pass CI. It does pass all integration tests when run on a development laptop using Kind 0.12.0 with Kubernetes 1.23.
Before this change, the part of the TCR handler which creates the client cert usually takes 2-3ms on Kind on my laptop. Sometimes a call takes more like ~100ms (and rarely up to ~250ms). I'm assuming that this has something to do with the mutex locking inside the issuer code which ensures that the controller can update the issuer cache atomically, but I did not try to confirm this suspicion. For the purpose of this exploration it seems good enough to say that it is usually 2-3ms on my laptop.
With this proof of concept, the runtime of the endpoint has become highly variable compared to before. In 116 runs, the endpoint's cert creation runtime varied from 17ms to 691ms. The average was 75.4ms, and the median was 36ms. The standard deviation was 96.6ms, indicating that the runtimes were highly variable.
Release note:
This PR is not intended to be merged.