Client side throttling with many secrets and low refresh interval

[bobbywatson3]

Describe the solution you'd like
On our cluster with ~1,800 external-secrets set at approximately 15s refreshInterval, we frequently see secrets taking minutes to sync, and the following errors (in between successul syncs) in the logs:

I0707 17:40:58.294661       1 request.go:665] Waited for 49.945948656s due to client-side throttling, not priority and fairness, request: GET:https://172.20.0.1:443/api/v1/namespaces/foo/secrets/bar-secrets

Even with concurrency set to a high value like 1,000, we can't get around this throttling. Is it possible to configure the client side rate limiter? The kube go-client has the config here. I think the external-secrets operator would need to be configured here. (Thanks @gusfcarvalho for help finding this)

This is with release v0.5.5.

What is the added value?
This would allow clusters with more sync traffic to maintain performant secret syncs.

Observations (Constraints, Context, etc):

Even with this traffic, resource utilization on the pods was very low at around 100mCPU and 220MiB of memory.

[gusfcarvalho]

Another option here would be to set a flag to allow caching Secrets and Configmaps, as this would effectively probably eliminate the ClientSided throttling.

[gusfcarvalho]

@moolen @knelasevero WDYT? maybe both options? (allow to configure RequestLimiter in the client Config and allow to configure enabling Secrets Caching)

[calebwoofenden]

Wouldn't caching sort of defeat the purpose of secret sync? The idea is to check the remote source to see if the secret has been updated, then update the secret in kube if so.

[gusfcarvalho]

Hi @calebwoofenden ! The cache that I was mentioning was regarding the kubernetes secrets! Controller-runtime by default would cache anything to it as a way to not overload the APIserver (or the client apperently). For most cases this is not useful so we on purpose disabled the cache for secrets. Having this cache enabled would allow the client to be more efficient because it is eso the one creating the secrets in the first place.

[moolen]

I agree, both options would be beneficial, but having the ability to enable the cache will probably be enough. I guess the initial list/watch call is counted as a single request in regards to rate limiting.

Tho enabling cache will change the memory footprint significantly.

[florianmutter]

We are facing the same issue but I'm not sure if I can enable caching or not. Could someone tell me what the implications are of enabling caching? Is there something that could go wrong with caching enabled?

[moolen]

not sure if I can enable caching or not

try it out 🤞

Could someone tell me what the implications are of enabling caching?
Is there something that could go wrong with caching enabled?

If you enable caching all Kubernetes Kind=Secret metadata is stored in-memory in the controller (memory usage will go up depending on the number+size of the secrets in your cluster). It will also change the access pattern of the operator towards the kube-apiserver - very likely less requests.

WCGW?
It depends, due to the change in memory allocation it may need some tweaking of memory requests/limits. If it's not properly tweaked or the cluster state changes it may cause the controller to get OOMKilled.

related: #1725