Add support for restricting the secrets watch list in cainjector

[aubm]

The --secrets-field-selector flag is introduced and accepts a field selector expression

The following example makes cainjector ignore all secrets whose type is "helm.sh/release.v1".

--secrets-field-selector type!=helm.sh/release.v1

Pull Request Motivation

Some clusters have lots of creations/updates of secrets that can contain a significant amount of data, namely when heavily relying on helm 3 to deploy lots of releases.
In these clusters, the cainjector can see its memory consumption occasionaly peaks and eventually OOM crash when the allocated limit is exceeded.

To avoid that behavior, one could levarage the --secrets-label-selector flags introduced in the PR in order to have cainjector ignore secrets that are known to never be referenced.

Kind

feature

Release Note

Add support for restricting the secrets watch list in cainjector

[jetstack-bot]

Hi @aubm. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jetstack-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: aubm
To complete the pull request process, please assign jakexks after the PR has been reviewed.
You can assign the PR to them by writing /assign @jakexks in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[irbekrm]

Hi @aubm thank you for the PR!

Agree that cainjector (and also cert-manager controller) watching and caching all Secrets is problematic.

We've been thinking about fixing this by making them cache metadata only if possible.

I'm not opposed to also having a flag for cainjector for this if it seems like the metadata approach alone is not enough of an improvement or if it is not feasible for some reason.

The main issue with this PR is that setting this flag will by default break cert-manager's webhook because cainjector is used to sync CA cert from the webhook's self-signed CA cert stored in an (unlabelled) Secret in cert-manager namespace to the validating and mutating webhook configurations. That would probably need to be solved somehow if we do want this flag.

[aubm]

Hello @irbekrm, thank you for your feedback!

We've been thinking about fixing this by making them cache metadata only if possible.

Let me know if there is something I can do to help with that :)

In the meantime, what would you think if I reversed the logic in this PR? We could have the flag ignore secrets with a given set of labels instead.

[irbekrm]

I'll take a look this week at whether the metadata caching is something that can be implemented in relatively straightforward way and then we can have a discussion about what approach can be realistically taken to solve this soon-ish. If possible I would rather not have the reverse flag as it would require folks to have to set specific labels on cert-manager unrelated resources for cert-manager to not process them - that doesn't seem like a good pattern. But similarly also am aware that this issue needs to be solved.

[aubm]

Hello @irbekrm 👋

Did you have time to look into this?
I could look to make myself available if you need a hand, don't hesitate to poke!

Cheers,

[gmauleon]

Hey there,

Just wanted to see if this is still in the pipeline. It's quite a problem on our side as well.

Thanks!

[aubm]

Hey @irbekrm, just to let you know that I just updated the PR and changed the new option to restrict the secrets watch list based on a field selector instead of a label selector.

I think that should address the issue your raised here:

The main issue with this PR is that setting this flag will by default break cert-manager's webhook because cainjector is used to sync CA cert from the webhook's self-signed CA cert stored in an (unlabelled) Secret in cert-manager namespace to the validating and mutating webhook configurations. That would probably need to be solved somehow if we do want this flag.

Let me know what you think!

[SgtCoDFish]

/kind feature
/ok-to-test

[jetstack-bot]

@aubm: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[jetstack-bot]

@aubm: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cert-manager-master-e2e-v1-27-upgrade	d9c01a9	link	true	/test pull-cert-manager-master-e2e-v1-27-upgrade
pull-cert-manager-master-e2e-v1-27	d9c01a9	link	true	/test pull-cert-manager-master-e2e-v1-27

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[jetstack-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

[jetstack-bot]

@jetstack-bot: Closed this PR.

Details

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.