Implement SecretsClient.GetSecrets for (more efficient) batch retrieval of secrets

[nazarewk]

Describe the solution you'd like
I would like AWS Parameter Store provider to retrieve entries in a batch using GetParameters instead of 1 by 1 using GetParameter

What is the added value?
Usually a lot less calls to Parameter Store (1 per ExternalSecret instead of 1 per .spec.data entry) helping with scaling for large parameters sets.

Give us examples of the outcome

I would see moving this loop to a new provider.GetSecrets function

external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go

Lines 557 to 568 in 6abfbf0

	for i, secretRef := range externalSecret.Spec.Data {
	secretData, err := providerClient.GetSecret(ctx, secretRef.RemoteRef)
	if errors.Is(err, esv1beta1.NoSecretErr) && externalSecret.Spec.Target.DeletionPolicy != esv1beta1.DeletionPolicyRetain {
	r.recorder.Event(externalSecret, v1.EventTypeNormal, esv1beta1.ReasonDeleted, fmt.Sprintf("secret does not exist at provider using .data[%d] key=%s", i, secretRef.RemoteRef.Key))
	continue
	}
	if err != nil {
	return nil, err
	}
	providerData[secretRef.SecretKey] = secretData
	}

Default implementation would just call provider.GetSecret for each entry, but would allow implementing more efficient batch retrieval functions for providers supporting them.

Observations (Constraints, Context, etc):
As a context I was looking into configuring and improving performance of External Secrets for large (10k+ parameters) Parameter Stores. I stumbled upon each PS request having different userIdentity.principalid in reported CloudTrail Lake results and dig further into it. While i did not find the reason for session per each request I found a possible improvement that i described here.

[gusfcarvalho]

Hi @nazarewk ! Thank you for your interest in the project!

Do you believe this kind of change could be accomodated into the GetSecretMap or GetAllSecrets calls? The reason behind this is that I don't think having a GetSecrets logic in the providers would work, because we need to record if that exact key was not found when DeletionPolicy is not the default (this would be lines 559 to 561).

Accomodating changes to pass this logic to the provider would just couple our code, besides being a huge refactor.

[nazarewk]

@gusfcarvalho from quick look before and again now looks like neither function would be possible to accomodate the functionality:

• GetSecretMap parses a JSON from a single secret
• GetAllSecrets discovers multiple secrets and then retrieves them one by one using GetParameter this is either candidate for GetSecrets call or changing the mode of operation as per modify AWS ParameterStore provider to use GetParametersByPath API instead of DescribeParameters #1066

[nazarewk]

Actually provider could gather up all of the required secrets in all of the steps and then issue a single call to retrieve them all at once, then distribute back to proper handlers for further processing.

[knelasevero]

This is a valid discussion. But before getting deep into it, and noticing your concerns about performance in a large setup, have you checked the controller class functionality? https://external-secrets.io/v0.5.3/guides-controller-class/

With it you can have multiple deployments of ESO, and have different instances of ESO handle different sets of Secret Stores, letting them handle the load that they should.

I think this discussion would lead to a valid optimization design/proposal, but at the same time, I think it wouldn't be very prioritized right now.

[moolen]

I think the proposed approach is reasonable. We should use GetParameters in the findBy(Tags|Name) funcs as well:

external-secrets/pkg/provider/aws/parameterstore/parameterstore.go

Lines 97 to 109 in 6cf51a0

	for _, param := range it.Parameters {
	if !matcher.MatchName(*param.Name) {
	continue
	}
	err = pm.fetchAndSet(data, *param.Name)
	if err != nil {
	return nil, err
	}
	}
	nextToken = it.NextToken
	if nextToken == nil {
	break
	}

But we gotta discuss how we address this breaking change. Users will have to change the IAM policies used for ESO. I think it is worth to make the change and to announce it in the release notes as "Action required". This is - at least right now - NOT covered by the deprecation policy API surface.

[gusfcarvalho]

But we gotta discuss how we address this breaking change. Users will have to change the IAM policies used for ESO. I think it is worth to make the change and to announce it in the release notes as "Action required". This is - at least right now - NOT covered by the deprecation policy API surface.

this breaking change would indeed be bad to have… maybe implement the new logic and if we get a permission error we default to the old one?

I would rather actually go for the whole “versioning providers discussion” before implementing a breaking change here.

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[github-actions]

This issue was closed because it has been stalled for 30 days with no activity.