onepassword rate limits on error/not found

[ashtonian]

Describe the bug

onepassword seems to count some weird things as rate limits. I've opened a support ticket with them but I think there may be a better way to handle it here. If the service account token is not in the correct format or not valid, external secrets manager will exhaust the account wide daily rate limits quite rapidly. Also noticed that if external secrets manager is trying to reconcile a password that is not present in the store it will quickly exhaust rate limits. I noticed this when I reinitialized a cluster with the old 1password connect server token instead of the new one.
Exhausted the daily limits within about 20 minutes.

Their rate limits are pretty low ;(

To Reproduce

apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: onepassword
spec:
  provider:
    onepasswordSDK:
      vault: myvault
      auth:
        serviceAccountSecretRef:
            name: onepassword-connect-token
            key: token
            namespace: utilities

Expected behavior
If possible, some sort of prevention to stop giving the user more rope.

Screenshots

Additional context

[Skarlso]

Hello.

Just to confirm, you didn't see this happening with the connect server?

Hm, the fallback is globally done, by the controller. Not sure what I could do in the SDK, but I'll take a look.

[gusfcarvalho]

Actually, this is the reason why connect-server exists in the first place (because it caches the secrets locally). It is very easy to hit rate limits on 1password using the sdk.

[gusfcarvalho]

This also aligns with the new design for generators/secretstores where I added a rateLimit block for each provider @Skarlso :P

[Skarlso]

Ah, neat. :P Also, I guess the SDK could cache as well...? But I feel like, if I understand correctly, this is during failures..?

[ashtonian]

I didn't notice the not found rate limit exhaustion with the connect provider.

The two scenarios I've run into this:

• missing secrets in 1password vault that are referenced as a external secret.
• Invalid 1password vault token -> was using a connect token on accident with the new sdk provider. It exhausted account read_write rate daily limits quickly.

After I ran into this the first time, I added a 48h sync policy on all my secrets to try and spam it less, as they really don't change often.

[gusfcarvalho]

Ah, neat. :P Also, I guess the SDK could cache as well...? But I feel like, if I understand correctly, this is during failures..?

I don't think external-secrets should cache any values for any providers as of right now. We have no good way to control client-sided caching behavior as our current state - we would need to add experimental flags for that.

IMO, that's a v2 feature

[Skarlso]

Ok, and ok.

[ashtonian]

I wonder if it can be changed the way its accessing resources. After enabling the store, it reconciled about ~70 or so secrets, no errors, all secrets found. Does it need to use up the account limit, is that just any operation?

op service-account ratelimit k8s-integration

TYPE       ACTION        LIMIT    USED    REMAINING    RESET
token      write         100      0       100          N/A
token      read          1000     619     381          54 minutes from now
account    read_write    1000     619     381          23 hours from now

[gusfcarvalho]

I wonder if it can be changed the way its accessing resources. After enabling the store, it reconciled about ~70 or so secrets, no errors, all secrets found. Does it need to use up the account limit, is that just any operation?

op service-account ratelimit k8s-integration

TYPE ACTION LIMIT USED REMAINING RESET
token write 100 0 100 N/A
token read 1000 619 381 54 minutes from now
account read_write 1000 619 381 23 hours from now

1Password has two types of rate limit: one hourly limit per service account token (the token one) and one daily limit bound to the 1password account (the account one). Any operation done with any Service account token will add to the account rate limit (https://developer.1password.com/docs/service-accounts/rate-limits/).

When an operation fails, the controller will reconcile following the default Exponential Backoff, meaning, it will try quite a lot for the first few seconds, then gradually back off until we reach the 10 minutes deadline. I am strongly against changing that 😄 as obviously this change affects not only your use case but every single user of external-secrets.

The way it could be supported for your use case is to implement a stateful rate limiting mechanism within the provider itself.

However, due to our controller logic + provider interface, this is easier said than done. They are not ready to support such rate limiting checks, and thus this will be very hacky to implement on v1 of external-secrets (or IMO even on secretstores.external-secrets.io/v1 API spec).

which is why I pointed out:

IMO, that's a v2 feature

[gusfcarvalho]

out of curiosity, given the concerns with rate limits within onepassword (which I guess you already tried and failed to increase) - why can't you use connect-server?

[gusfcarvalho]

Also, given the limits you provide 😄 I take this is for a personal project. If that's the case, I'd suggest you to take a look at bitwarden instead 😄. It'll be way cheaper for oyu to just sync 'whenever needed' your 1password with bitwarden than trying to make your quota fit your needs.

[ashtonian]

Yea, I can use the connect server, I saw the new hotness via the go sdk and decided to switch, as I assumed the connect provider was going away eventually. I like all of it in onepassword as a lot of the secrets are just admin creds for apps. Its for my rke2 home lab.

I'll just baby this a bit more, its fine. I ran the cluster bootstraping tf on a different machine to create a testing cluster and the 1p service token is the one secret thats just hardcoded locally for bootstrapping and it was the old connect token which caused the initial problem before I realized what was going on.

I wanted to report it cause I know the provider is new and thought there may be some way to potentially lower the usage. The real problem is the daily ~1k ops. I guess its outside of 'personal' usage to integrate 1p with kube :D.

Thanks for looking into it and providing additional context. Overall, great project, use it personally and at work, I know its near volunteer work. I appreciate it.

[Skarlso]

Yah, I wanted the SDK to replace the connect server for sure. The SDK is what... 2 years old or something like that?

In any case, I want it to get on-par with the connect service. It will get there. :) But it takes a bit of time unfortunately.