Vault GCS backend - Class A Operations usage

sgrzemski · February 22, 2023, 9:30am

Hello,

I am running a successful Vault deployment in HA configuration, based on Google Cloud Storage backend. The config is as follows:

ui = true
log_level = "info"
listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}
service_registration "kubernetes" {}
storage "gcs" {
  bucket     = "REDACTED"
  ha_enabled = "true"
}
seal "gcpckms" {
   project     = "REDACTED"
   region      = "REDACTED"
   key_ring    = "REDACTED"
   crypto_key  = "REDACTED"
}

This configuration utilizes TONS of GCS API Class A Operations and Class B Operations:

Google charges for that API calls additionally. The number are pretty high and cost me hundreds of dollars per month. Is there anything we can do to decrease the usage of GCS?

Any help appreciated!
Thanks,
Szymon

sgrzemski · February 22, 2023, 11:30am

Found the reason of the problem. FYI:

github.com

external-secrets/external-secrets/blob/main/pkg/provider/vault/vault.go#L1402


      
          	if err != nil {
          		return fmt.Errorf(errVaultToken, err)
          	}
          	v.client.SetToken(token)
          	return nil
          }
          
          
func init() {
          	var vaultTokenCacheSize int
          	fs := pflag.NewFlagSet("vault", pflag.ExitOnError)
          	fs.BoolVar(&enableCache, "experimental-enable-vault-token-cache", false, "Enable experimental Vault token cache. External secrets will reuse the Vault token without creating a new one on each request.")
          	// max. 265k vault leases with 30bytes each ~= 7MB
          	fs.IntVar(&vaultTokenCacheSize, "experimental-vault-token-cache-size", 2<<17, "Maximum size of Vault token cache. When more tokens than Only used if --experimental-enable-vault-token-cache is set.")
          	lateInit := func() {
          		logger.Info("initializing vault cache with size=%d", vaultTokenCacheSize)
          		clientCache = cache.Must(vaultTokenCacheSize, func(client Client) {
          			err := revokeTokenIfValid(context.Background(), client)
          			if err != nil {
          				logger.Error(err, "unable to revoke cached token on eviction")
          			}
          		})

External Secrets Operator creates a lease for every secret sync. With multiple K8s clusters and over 500 secrets it was creating the leases constantly. Setting experimental-enable-vault-token-cache and setting longer TTLs to auth methods helped me to reduce the GCS API calls.

maxb · February 22, 2023, 12:15pm

You might find it useful to also switch to batch type tokens whereever you can, as well.

They are not as flexible as service tokens, but they require no storage operations to create or validate, which may be particularly relevant in your scenario.

However, be aware that Vault does have various background processes that need to invoke ListObjects periodically - which seems unfortunate given the GCS storage pricing system :-/

Topic		Replies	Views
Vault gcs backend Vault	3	1058	October 8, 2020
Vault on GKE Backup Vault	4	198	February 3, 2024
Failed to acquire lock: error="lock: attempt lock: write lock: failed to decode lock: unexpected end of JSON input" Vault	0	164	March 19, 2024
Vault GCS storage and GCP auth batch token causing GCS rate limits Vault	2	239	May 2, 2023
Stored unseal keys are supported, but none were found Vault	7	4916	January 7, 2021

Vault GCS backend - Class A Operations usage

Related topics