fix: Avoid AssumeRoleWithWebIdentity for each reconcile #1148
Conversation
|
did we need to adjust also something for |
|
@haarchri yeah, I think we can refactor it to share a bit more code, but first I wonder if there's a place to store this struct in a "less global" variable. |
|
@muvaf do you have any idea where we could store this state? Is a global variable like this OK if there are no other options? TAs you can see this should give a performance boost and cost reduction if all AWS security products are enabled (Detective/GuardDuty/CloudTrail). |
|
tested your PR today in our environment looks really great - if we adopt this after we clearify to save the state for |
|
I think this is a very good idea if we have the tools to get the caching right. A few questions:
I think that's OK. |
|
@chlunde any chance to finalize this PR ? i am happy to test this in our environment =) |
chlunde
force-pushed
the
sdk-cache-creds
branch
2 times, most recently
from
b1ee6d1 to
dae0db7
Compare
|
Crossplane does not currently have enough maintainers to address every issue and pull request. This pull request has been automatically marked as |
|
/fresh |
|
I rebased changes in this pr and we're running this version now as an experiment. So far no issues and we're seing roughly a 65% drop in AssumeRole requests: |
|
Version was running in one of our cluster for almost 10 days, looking great. Token is refreshed properly, everything works, no restarts. @chlunde @haarchri @MisterMX What would be options to proceed here? The change would save a lot some bucks for everyone operating provider-aws on a bigger scale like we do. I could make a fresh PR with rebased changes and even work on finalizing the PR but i don't want to steal @chlunde the show 😋 |
MisterMX
force-pushed
the
sdk-cache-creds
branch
from
dae0db7 to
81c16dc
Compare
|
We've been running with this code for 1.5 years without issues, but we only use one provider config per provider. If someone with more complex setups, assuming roles in different accounts, also could verify it would be nice. |
MisterMX
force-pushed
the
sdk-cache-creds
branch
from
81c16dc to
7b9ad8b
Compare
MisterMX
changed the title
Use a shared client/credentials to avoid calling AssumeRoleWithWebIdentity. aws.Config (v1/v2) is thread safe and checks token expiry/handles renewal. Signed-off-by: Carl Henrik Lunde <[email protected]> Signed-off-by: Maximilian Blatt (external expert on behalf of DB Netz) <[email protected]>
MisterMX
force-pushed
the
sdk-cache-creds
branch
from
7b9ad8b to
3d78629
Compare
|
I made a little improvement by using two separate I believe there is room for some more improvements by using |
…ntity-auth-tokenfile add web identity token configuration to ProviderConfig spec
Description of your changes
Use a shared client/credentials to avoid calling AssumeRoleWithWebIdentity for each reconcile.
aws.Config (v1/v2) is thread safe and checks token expiry/handles renewal. To handle
Fixes #828
I have:
make reviewable testto ensure this PR is ready for review.How has this code been tested
Ran for one week. Creating PR for discussion, how can we avoid a global variable?
As you can see below we get a significant reduction in the number of API calls to AWS: