Investigate improving resource consumption and performance in clusters with large amount of resources

[irbekrm]

cert-manager currently watches all Secrets (and Pods?) in a cluster.
There are a number of issues associated with that, mostly due to memory consumption.

A couple alternative ways how this could be solved have been discussed:

• filter core resources (Secrets) to be watched by a label. This would require getting to a state where all core resources that cert-manager needs to watch are labelled, this includes resources that already exist in a cluster as well as resources that users have created (i.e Secrets with issuer credentials)

• cache metadata only. This would require a separate call to retrieve the cached resources when they are to be used if the resource spec is needed. Question: would this help in cases where listing a large number of secrets if causing an issue?
  This would probably also require rewriting cert-manager controllers as controller runtime controllers.

• allow users to apply a filter via a flag to filter out some secrets that should not be watched, see Add support for restricting the secrets watch list in cainjector #5174. All cases mentioned the large secrets are those of helm releases, but perhaps there are cases out there where users other large secrets in cluster and it's not feasible to specifiy a selector via a flag?

Additionally:

• ensure that for namespace-scoped deployments only secrets in the specific namespaces are watched (needs more investigation)
• is there a similar issue with watching pods (needs more investigation)?

Related issues/PRs:

• High memory usage on cluster with many secrets #4722
• Cert-manager causes API server panic on clusters with more than 20000 secrets.  #3748
• Newly elected cert-manager leader replica fails to issue pending CertificateRequest for a CA Issuer when the Kubernetes clusters has a lot of Secrets objects #5216
• cert-manager crash looping in AKS #5195

/kind feature

[irbekrm]

/assign

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[TomasKohout]

Hi,

not sure whether this is the right issue where to write this comment, if it's not, please pardon me. 🙂

We have issues running cert-manager because of issues with secret lister. We have 7849 secrets in the cluster, most of them are of type helm.sh/release.v1. The issue is that cert-manager will close connection to the api server after 60s and informer's cache is never synced. I've created hack for this that we currently use which is that I filter out helm releases, but I had to build our own customized cert-manager.

It would be nice if we could filter out those secrets with some command line argument like it's possible to do so in eg. prometheus-operator.

Cheeers! 🙂

[irbekrm]

/remove-lifecycle stale

[odinuge]

We have issues running cert-manager because of issues with secret lister. We have 7849 secrets in the cluster, most of them are of type helm.sh/release.v1. The issue is that cert-manager will close connection to the api server after 60s and informer's cache is never synced

Hi 👋

This seems a bit strange. Having 8k secrets should be fine for the most part, and I find it a bit suspicious unless the apiserver or etcd is very under-provisioned. Is there a chance you have enabled KMS encryption in the API-server? We have seen issues with very slow lists of resources encrypted with KMS. This is very evident if you are trying to list all secrets directly from etcd, but your KMS DEK cache size is smaller than the number of resources. It results in a lot of thrashing and very slow lists. By bumping the KMS DEK cache size to a value larger than the total number of encrypted values, we saw a huge improvement in both cpu and memory usage in the API-server, as well as a lot faster requests

[TomasKohout]

Hi @odinuge ,

we don't use KMS encryption. We run k8s on baremetal servers and our cp servers have only 6 CPUs. We are thouching the edge right now, so we have to optimalize the applications that use API server.

Cheers. 🙂

[xavierbaude]

We get issue the issue described here but starting at 18k secrets and we have KMS enabled on GKE. Below this limit cert manager is ok. Of course on GKE it depend of the performance of the control-plane and at GCP we have the biggest possible. It also depend of the size of the ETCD database.

EDIT (06/29/2023): We don't have the issue anymore since our Cloud Provider increase the dataplane resources (cpu,memory). We also reduce the size of secret by removing some labels and annotations. In fact the major issue we had was related to API timeout when listing all secrets within the cluster.

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale