ExternalSecret controller constantly updating and generating Vault tokens

[atsai1220]

After tinkering about with this issue (#162), we realize we were still experiencing this issue when creating a stand-alone ExternalSecret CRD that is not touched/managed by any other controller.

The secret is retrieved successfully but the controller seems to be generating an excessive amount of Vault tokens. I can query for an external secret and the status.refreshTime field would change within seconds. Doing a get -w on the external-secret will output new rows too.

Checking the metrics externalsecret_sync_calls_total shows a curious amount of calls. Not sure how ours compare to everyone else's but 200 increase in sync_calls over 15 minutes seems excessive at around 13 calls per minute (1 call every 5 seconds-ish).

Seems like vault.go:NewClient.setAuth() is called for each new client along with a new token on Vault's side.

external-secrets/pkg/provider/vault/vault.go

Lines 128 to 130 in 7741e65

	if err := vStore.setAuth(ctx, client); err != nil {
	return nil, err
	}

The above is called for each externalsecret_controller.go:Reconcile() here

external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go

Line 98 in 7741e65

secretClient, err := storeProvider.NewClient(ctx, store, r.Client, req.Namespace)

Later in the same function, we retrieve the refreshInterval here but I'm unsure about the syntax of .Duration. I thought it would just be dur = externalSecret.Spec.RefreshInterval instead (without .Duration).

external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go

Lines 148 to 150 in 7741e65

	if externalSecret.Spec.RefreshInterval != nil {
	dur = externalSecret.Spec.RefreshInterval.Duration
	}

Then I believe this is where I see my status.refreshTime gets updated even though my refreshInterval is configured for 24h. it is surprising to see a new token to be created first even though the refreshInterval has not been reached yet.

external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go

Lines 152 to 154 in 7741e65

	conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, corev1.ConditionTrue, esv1alpha1.ConditionReasonSecretSynced, "Secret was synced")
	SetExternalSecretCondition(&externalSecret, *conditionSynced)
	externalSecret.Status.RefreshTime = metav1.NewTime(time.Now())

I'm not too familiar with Go yet so I'm probably missing something obvious and it may be a configuration issue on my end... Could someone provide some insight on my interpretation of the controller and the amount of tokens generated by the controller? The amount generated is causing issues with our Vault since we have multiple clusters each generating around 2k~4k tokens despite having TTL of 5m and spec.refreshInterval of 24h. Thank you!!

Below are manifests for this example.

❯ kubectl get externalsecrets.external-secrets.io -n falco test -o json | jq '.status'
{
  "conditions": [
    {
      "lastTransitionTime": "2021-05-26T23:50:41Z",
      "message": "Secret was synced",
      "reason": "SecretSynced",
      "status": "True",
      "type": "Ready"
    }
  ],
  "refreshTime": "2021-05-27T00:01:08Z"
}
❯ kubectl get externalsecrets.external-secrets.io -n falco test -o json | jq '.status'
{
  "conditions": [
    {
      "lastTransitionTime": "2021-05-26T23:50:41Z",
      "message": "Secret was synced",
      "reason": "SecretSynced",
      "status": "True",
      "type": "Ready"
    }
  ],
  "refreshTime": "2021-05-27T00:01:17Z"
}

# Each row is generated a few seconds after the other.
❯ kubectl get externalsecrets.external-secrets.io -n falco test -w
NAME   STORE               REFRESH INTERVAL
test   containerservices   24h
test   containerservices   24h
test   containerservices   24h
...
...

Screenshot from metrics

ExternalSecret manifest

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: test
  namespace: falco
spec:
  data:
  - remoteRef:
      key: rancher/shared_cluster_data/aws-falco
      property: AWS_ACCESSKEYID
    secretKey: AWS_ACCESSKEYID
  - remoteRef:
      key: rancher/shared_cluster_data/aws-falco
      property: AWS_SECRETACCESSKEY
    secretKey: AWS_SECRETACCESSKEY
  - remoteRef:
      key: rancher/shared_cluster_data/aws-falco
      property: AWS_REGION
    secretKey: AWS_REGION
  - remoteRef:
      key: rancher/shared_cluster_data/aws-falco
      property: AWS_SQS_URL
    secretKey: AWS_SQS_URL
  refreshInterval: 24h
  secretStoreRef:
    kind: ClusterSecretStore
    name: containerservices
  target:
    name: test
status:
  conditions:
  - lastTransitionTime: "2021-05-27T00:07:49Z"
    message: Secret was synced
    reason: SecretSynced
    status: "True"
    type: Ready
  refreshTime: "2021-05-27T00:26:51Z"

ClusterSecretstore manifest

apiVersion: external-secrets.io/v1alpha1
kind: ClusterSecretStore
metadata:
  name: containerservices
spec:
  controller: default
  provider:
    vault:
      auth:
        kubernetes:
          mountPath: containerservices_usw1-testingcluster
          role: kube-webhook-role
          serviceAccountRef:
            name: external-secrets-kubernetes-external-secrets
            namespace: vault-infra
      caBundle: 123123
      path: secret
      server: https://vault...io
      version: v2

Version: ghcr.io/external-secrets/external-secrets:v0.1.3

[atsai1220]

I ran make run locally and externalSecret.Spec.RefreshInterval.Duration looks correct.

	dur := time.Hour
	if externalSecret.Spec.RefreshInterval != nil {
		log.Info(externalSecret.Spec.RefreshInterval.Duration.String())
		dur = externalSecret.Spec.RefreshInterval.Duration
	}

2021-05-26T18:19:26.296-0700	INFO	controllers.ExternalSecret	6h0m0s	{"ExternalSecret": "velero/cloud-credentials", "SecretStore": "/containerservices"}

[atsai1220]

If I add some logging to the externalsecret_controller.go file then I can see a new Vault client is created almost every second. it is as if RequeueAfter is not respected or that the controller sees a change because the controller made a status update to the object.

2021-05-26T18:40:58.807-0700	INFO	controllers.ExternalSecret	New Client created	{"ExternalSecret": "falco/falco-aws-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:40:59.658-0700	INFO	controllers.ExternalSecret	6h0m0s	{"ExternalSecret": "falco/falco-aws-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:41:00.890-0700	INFO	controllers.ExternalSecret	New Client created	{"ExternalSecret": "velero/cloud-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:41:01.472-0700	INFO	controllers.ExternalSecret	6h0m0s	{"ExternalSecret": "velero/cloud-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:41:02.939-0700	INFO	controllers.ExternalSecret	New Client created	{"ExternalSecret": "falco/test", "SecretStore": "/containerservices"}
2021-05-26T18:41:03.885-0700	INFO	controllers.ExternalSecret	0s	{"ExternalSecret": "falco/test", "SecretStore": "/containerservices"}
2021-05-26T18:41:05.443-0700	INFO	controllers.ExternalSecret	New Client created	{"ExternalSecret": "falco/falco-aws-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:41:06.493-0700	INFO	controllers.ExternalSecret	6h0m0s	{"ExternalSecret": "falco/falco-aws-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:41:07.534-0700	INFO	controllers.ExternalSecret	New Client created	{"ExternalSecret": "velero/cloud-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:41:08.157-0700	INFO	controllers.ExternalSecret	6h0m0s	{"ExternalSecret": "velero/cloud-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:41:09.684-0700	INFO	controllers.ExternalSecret	New Client created	{"ExternalSecret": "falco/test", "SecretStore": "/containerservices"}
2021-05-26T18:41:10.406-0700	INFO	controllers.ExternalSecret	0s	{"ExternalSecret": "falco/test", "SecretStore": "/containerservices"}
2021-05-26T18:41:11.730-0700	INFO	controllers.ExternalSecret	New Client created	{"ExternalSecret": "falco/falco-aws-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:41:12.361-0700	INFO	controllers.ExternalSecret	6h0m0s	{"ExternalSecret": "falco/falco-aws-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:41:13.480-0700	INFO	controllers.ExternalSecret	New Client created	{"ExternalSecret": "velero/cloud-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:41:14.220-0700	INFO	controllers.ExternalSecret	6h0m0s	{"ExternalSecret": "velero/cloud-credentials", "SecretStore": "/containerservices"}
2021-05-26T18:41:15.329-0700	INFO	controllers.ExternalSecret	New Client created	{"ExternalSecret": "falco/test", "SecretStore": "/containerservices"}
2021-05-26T18:41:16.223-0700	INFO	controllers.ExternalSecret	0s	{"ExternalSecret": "falco/test", "SecretStore": "/containerservices"}

...
...
	secretClient, err := storeProvider.NewClient(ctx, store, r.Client, req.Namespace)
	log.Info("New Client created")
..
...
	log.Info(dur.String())
	return ctrl.Result{
		RequeueAfter: dur,
	}, nil
}
...
...

external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go

Lines 97 to 99 in 7741e65

	secretClient, err := storeProvider.NewClient(ctx, store, r.Client, req.Namespace)
	if err != nil {

external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go

Lines 162 to 165 in 7741e65

	return ctrl.Result{
	RequeueAfter: dur,
	}, nil
	}

[atsai1220]

Here is a GIF that shows status.refreshTime changing even though the ExternalSecret has 0 for spec.refreshinterval. This is the same for other ExternalSecrets that have higher spec.refreshinterval. It seems to me a new Vault token is created each time too and that's the issue I'm running into.

[moolen]

I was able to reproduce the issue. The root cause is:
when we update the status field which contains the refreshTime field this triggers another reconciliation. If that reconciliation is not finished within the same second it will trigger another reconciliation (and so on and so on).

to reproduce:
add this somewhere in the .Reconcile() func

<-time.After(time.Second * 2)

not sure how to tackle this issue. Either we ignore status updates entirely in the controller or we use refreshTime and refreshInterval to ensure it won't be reconciled within a specific timeframe. But then: how do we actually trigger a sync? If the spec changes refreshTime must be reset somehow. Manual syncs won't be doable with just changing labels or annotations.

For reference: that was discussed here already: #110 (comment)

[atsai1220]

I was able to reproduce the issue. The root cause is:
when we update the status field which contains the refreshTime field this triggers another reconciliation. If that reconciliation is not finished within the same second it will trigger another reconciliation (and so on and so on).

to reproduce:
add this somewhere in the .Reconcile() func

<-time.After(time.Second * 2)

not sure how to tackle this issue. Either we ignore status updates entirely in the controller or we use refreshTime and refreshInterval to ensure it won't be reconciled within a specific timeframe. But then: how do we actually trigger a sync? If the spec changes refreshTime must be reset somehow. Manual syncs won't be doable with just changing labels or annotations.

For reference: that was discussed here already: #110 (comment)

Thank you for the insight. Just bouncing ideas here and I hope it makes sense to those with more experience but if not I enjoy a good learning experience too. Would guiding users to use .Spec.Target.Template.Metadata as described here (#68 (comment)) be the way to go for managing target Secret's label and annotations if we opt to ignore .Status updates? This way the part changed is still under .Spec. It was a surprising behavior for labels/annotations to be inherited by generated Secrets and caused issues for us too with GitOps workflows. I may not want the labels/annotations of my ExternalSecret object to be the same as my generated Secret object.

In the case of ignoring status updates, all ExternalSecrete objects would eventually be reconciled even if their .Status is removed or .MetaData is updated, right? They would all eventually be at the top of the queue to be reconciled due to the default .spec.refreshInterval or customized .spec.refreshInterval at the beginning of the controller startup.

It seems GenerationChangedPredicate would cause a reconcilation from a spec change and we can update status.refreshTime when reconciliation eventually happens. https://github.com/kubernetes-sigs/controller-runtime/blob/9cbdc4a7abe409da5e656576dd5178774baccf9a/pkg/predicate/predicate.go#L139-L154

[atsai1220]

I was able to reproduce the issue. The root cause is:
when we update the status field which contains the refreshTime field this triggers another reconciliation. If that reconciliation is not finished within the same second it will trigger another reconciliation (and so on and so on).

to reproduce:
add this somewhere in the .Reconcile() func

<-time.After(time.Second * 2)

not sure how to tackle this issue. Either we ignore status updates entirely in the controller or we use refreshTime and refreshInterval to ensure it won't be reconciled within a specific timeframe. But then: how do we actually trigger a sync? If the spec changes refreshTime must be reset somehow. Manual syncs won't be doable with just changing labels or annotations.

For reference: that was discussed here already: #110 (comment)

It should be possible if we also use predicate.AnnotationChangedPredicate and predicate.LabelChangedPredicate in relation to annotation and label updates along with predicate.GenerationChangedPredicate.

Annotation
https://github.com/kubernetes-sigs/controller-runtime/blob/fca94d5ab22dfccc576140375042c45298ebbc4b/pkg/predicate/predicate.go#L189-L201

Label
https://github.com/kubernetes-sigs/controller-runtime/blob/fca94d5ab22dfccc576140375042c45298ebbc4b/pkg/predicate/predicate.go#L219-L231