-
Notifications
You must be signed in to change notification settings - Fork 540
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth/mount: fetch single vault resource on read #2145
Conversation
Once hashicorp/vault#25499 is merged and the API is tagged we can pull that in |
23ccd2b
to
b478ba2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for including the details in the memory profiles! The improvements are visually very clear to understand via the flame graphs, appreciate it
Had some questions around how some of the changes might affect different token policy cases, and wondering if we should document any changes in token policies for LIST
vs GET
on sys paths. Excited about adding these improvements 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
b478ba2
to
ae8e2b4
Compare
* add mountutil and GetMount * fix nomad backend existence check * fix context arg * use GET instead of LIST for auth mount fetching * normalize error response * changelog * fix github auth path * fix auth existence checking * use contexts and add log * fix build and rebase * make golangci-lint happy
Just encountered an issue after upgrading the vault provider that my data resource for I had to extend the policy my policy with path "sys/auth*" {
capabilities = ["read", "list", "sudo"]
} This seems like overkill, especially as it's not documented in the vault API docs. |
@pree Hello, I am sorry you are having trouble! Thanks for pointing this out. We did mention policy changes in the Changelog and we have published a v4.0.0 Upgrade Guide but it looks like we missed this nuance. I think we may be able get a patch in to remove the sudo requirement, however you will still need to update your policy path to use |
Thanks for the reply @fairclothjm. I would love a |
I have started to play around with this version and so far, it is a night and day difference in our environment. Significantly less CPU (100%->40%) and roughly 3x faster to run though all of our resources. Thank you so much and kudos @fairclothjm |
Thanks and glad to hear that @kkronenb ! |
Description
This changes the READ operations in
vault_auth_backend
andvault_mount
to use theGET /sys/auth/:path
andGET /sys/mounts/:path
APIs respectively. Previously, these resources were calling LIST which could result in a substantially higher CPU and memory footprint for the provider in cases where a given Vault server has a large number of secret/auth mounts.At this time, there are no helpers for these API paths in the Vault
api
package. See hashicorp/vault#25499 which proposes to add them.TF Config used in the performance tests
Details on the CPU performance improvements
As expected, the CPU profile shows the biggest improvements in the Provider's READ operations which were spending most of the CPU time listing and decoding mount data.
pprof CPU profile flame graph
Before:
After:
Additionally, from the CPU profile we can see a big difference in the time spent in the call to
mallocgc
:Before:
After:
So let's take a look at the pprof memory profile...
Details on the Memory performance improvements
Interestingly, the pprof memory profile does not shed any light on the performance improvements that we would predict based on the previous CPU profile analysis. However, both before and after point to the AWS SDK init functions as being very memory hungry.
pprof Memory profile
Before:
After:
Relates OR Closes #0000
Checklist