SecretTemplate should rely on Watch when a Service Account is not specified
Closed this issue · 0 comments
Describe the problem/challenge you have
#66 introduced the SecretTemplate API. This allows you to define arbitrary input resources that are used to generate a new Kubernetes Secret based on templating.
For a first pass, to handle updates to these input resources we decided to simply re-sync all input resources periodically. However, this is neither performant nor scalable.
Describe the solution you'd like
Instead of a periodic resync we should rely on watches. However, SecretTemplate allows the user to provide a Service Account, which means we cannot simply open a single watch and share informers across clients: each watch call is made under a particular identity, so any sharing mechanism would need some serious thought.
However, when a Service Account is not present, SecretTemplate can only read Secrets as input resources. Therefore we can use a watch for the non-Service-Account, Secrets-only case.
Therefore we should do the following:
- When a Service Account is not specified (Secrets only), we rely on Watches to be informed on updates.
- When a Service Account is specified, we continue to periodically resync.
Addressing the general problem can be a future enhancement.
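The split above can be sketched as an added example (my own code, not secretgen-controller's): a strategy selector that puts a SecretTemplate on the shared watch only when no Service Account is set and every input is a core/v1 Secret, and an index from watched Secret to dependent SecretTemplates so that a Secret event enqueues exactly the affected templates. The types, the `ChooseStrategy`/`DependencyIndex` names and the assumption that input resources live in the template's own namespace are mine, not the project's; a real controller would wire `OnSecretEvent` into a client-go informer handler.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
)

// InputResource and SecretTemplate are a simplified model written for this
// example; they are not secretgen-controller's real API types.
type InputResource struct {
	Name       string
	APIVersion string // "v1" for core Secrets
	Kind       string // "Secret", "ConfigMap", ...
}

type SecretTemplate struct {
	Namespace          string
	Name               string
	ServiceAccountName string // empty: the controller reads with its own identity
	InputResources     []InputResource
}

type SyncStrategy int

const (
	SyncWatch    SyncStrategy = iota // informer-driven, one shared watch on Secrets
	SyncPeriodic                     // timer-driven re-read under the Service Account
)

// ChooseStrategy picks the update mechanism for one SecretTemplate.
// Reads made under a user-supplied Service Account carry that identity, so
// they cannot share the controller's informer; those templates stay on the
// periodic resync. Without a Service Account only core/v1 Secrets may be
// read, and those can be served by the shared watch.
func ChooseStrategy(st SecretTemplate) (SyncStrategy, error) {
	if st.ServiceAccountName != "" {
		return SyncPeriodic, nil
	}
	for _, in := range st.InputResources {
		if in.Kind != "Secret" || (in.APIVersion != "" && in.APIVersion != "v1") {
			return SyncPeriodic, fmt.Errorf(
				"input %q is %s/%s: without serviceAccountName only core/v1 Secrets may be read",
				in.Name, in.APIVersion, in.Kind)
		}
	}
	return SyncWatch, nil
}

// DependencyIndex maps each watched Secret (namespace/name) to the
// SecretTemplates that consume it, so a Secret event can be turned into
// reconcile requests for exactly the affected templates.
type DependencyIndex struct {
	mu   sync.Mutex
	deps map[string]map[string]struct{} // secret key -> set of template keys
}

func NewDependencyIndex() *DependencyIndex {
	return &DependencyIndex{deps: map[string]map[string]struct{}{}}
}

func key(ns, name string) string { return ns + "/" + name }

// Register records the Secrets a template reads. It returns true when the
// template is now watch-driven, false when it stays on periodic resync.
// Assumption for this example: input resources live in the template's namespace.
func (d *DependencyIndex) Register(st SecretTemplate) (bool, error) {
	strat, err := ChooseStrategy(st)
	if err != nil {
		return false, err
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	tk := key(st.Namespace, st.Name)
	// Drop stale edges: the template's spec may have changed since last time.
	for sk, set := range d.deps {
		delete(set, tk)
		if len(set) == 0 {
			delete(d.deps, sk)
		}
	}
	if strat != SyncWatch {
		return false, nil
	}
	for _, in := range st.InputResources {
		sk := key(st.Namespace, in.Name)
		if d.deps[sk] == nil {
			d.deps[sk] = map[string]struct{}{}
		}
		d.deps[sk][tk] = struct{}{}
	}
	return true, nil
}

// OnSecretEvent is what a Secret informer's add/update/delete handler would
// call. It returns the template keys to enqueue, sorted for determinism.
func (d *DependencyIndex) OnSecretEvent(ns, name string) []string {
	d.mu.Lock()
	defer d.mu.Unlock()
	var out []string
	for tk := range d.deps[key(ns, name)] {
		out = append(out, tk)
	}
	sort.Strings(out)
	return out
}

func main() {
	idx := NewDependencyIndex()
	// Constructed sample templates: one Secrets-only without a Service Account,
	// one reading a ConfigMap under a Service Account.
	plain := SecretTemplate{Namespace: "apps", Name: "combined",
		InputResources: []InputResource{{Name: "db-creds", Kind: "Secret"}, {Name: "tls", Kind: "Secret"}}}
	withSA := SecretTemplate{Namespace: "apps", Name: "from-cm", ServiceAccountName: "reader",
		InputResources: []InputResource{{Name: "settings", APIVersion: "v1", Kind: "ConfigMap"}}}
	for _, st := range []SecretTemplate{plain, withSA} {
		watched, err := idx.Register(st)
		fmt.Printf("%s/%s: watched=%v err=%v\n", st.Namespace, st.Name, watched, err)
	}
	fmt.Println("db-creds changed, enqueue:", idx.OnSecretEvent("apps", "db-creds"))
}
```

The index is what makes the watch cheap: a single informer on Secrets, and each event fans out only to the templates that declared that Secret as an input. Templates with a Service Account never enter the index, so nothing read under the controller's own identity is ever served to a template that should only see what its Service Account can see.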
Anything else you would like to add:
Additional context in this PR thread
Vote on this request
This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.
👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"
We are also happy to receive and review Pull Requests if you would like to work on this issue.