Reduce resource consumption when generating Kubernetes certificates by rosstimothy · Pull Request #52109 · gravitational/teleport

rosstimothy · 2025-02-13T00:07:41Z

Closes #52073.

The requested Kubernetes cluster is now cross referenced with the KubeServers in the unified resource cache. This results in a reduction in CPU, memory, and cert generation latency. This also cleans up some of the helper functions in lib/kube/utils that were no longer needed, and suboptimal.

The client side changes here shouldn't have any impact, as the server is performing the same check, and returning the equivalent error the client side code used to. This will also cut the time of tctl auth sign in half as both the client and server were performing the same expensive CheckKubeCluster operation.

Changelog: Improve latency and reduce resource consumption of generating Kubernetes certificates via tctl auth sign and tsh kube login.

Closes #52073. The requested Kubernetes cluster is now cross referenced with the KubeServers in the unified resource cache. This results in a reduction in CPU, memory, and cert generation latency. This also cleans up some of the helper functions in lib/kube/utils that were no longer needed, and suboptimal. The client side changes here shouldn't have any impact, as the server is performing the same check, and returning the equivalent error the client side code used to. This will also cut the time of `tctl auth sign` in half as both the client and server were performing the same expensive CheckKubeCluster operation.

public-teleport-github-review-bot · 2025-02-13T19:49:06Z

@rosstimothy See the table below for backport results.

Branch	Result
branch/v15	Failed
branch/v16	Failed
branch/v17	Failed

…52109) Closes #52073. The requested Kubernetes cluster is now cross referenced with the KubeServers in the unified resource cache. This results in a reduction in CPU, memory, and cert generation latency. This also cleans up some of the helper functions in lib/kube/utils that were no longer needed, and suboptimal. The client side changes here shouldn't have any impact, as the server is performing the same check, and returning the equivalent error the client side code used to. This will also cut the time of `tctl auth sign` in half as both the client and server were performing the same expensive CheckKubeCluster operation.

…ravitational#52109) Closes gravitational#52073. The requested Kubernetes cluster is now cross referenced with the KubeServers in the unified resource cache. This results in a reduction in CPU, memory, and cert generation latency. This also cleans up some of the helper functions in lib/kube/utils that were no longer needed, and suboptimal. The client side changes here shouldn't have any impact, as the server is performing the same check, and returning the equivalent error the client side code used to. This will also cut the time of `tctl auth sign` in half as both the client and server were performing the same expensive CheckKubeCluster operation.

…52109) Closes #52073. The requested Kubernetes cluster is now cross referenced with the KubeServers in the unified resource cache. This results in a reduction in CPU, memory, and cert generation latency. This also cleans up some of the helper functions in lib/kube/utils that were no longer needed, and suboptimal. The client side changes here shouldn't have any impact, as the server is performing the same check, and returning the equivalent error the client side code used to. This will also cut the time of `tctl auth sign` in half as both the client and server were performing the same expensive CheckKubeCluster operation.

…52109) (#52146) Closes #52073. The requested Kubernetes cluster is now cross referenced with the KubeServers in the unified resource cache. This results in a reduction in CPU, memory, and cert generation latency. This also cleans up some of the helper functions in lib/kube/utils that were no longer needed, and suboptimal. The client side changes here shouldn't have any impact, as the server is performing the same check, and returning the equivalent error the client side code used to. This will also cut the time of `tctl auth sign` in half as both the client and server were performing the same expensive CheckKubeCluster operation.

codingllama · 2025-02-24T19:58:43Z

FYI, It looks like this broke local runs of lib/auth.TestAuthenticateSSHUser:

$ go test ./lib/auth -run=TestAuthenticateSSHUser -failfast -count=1

--- FAIL: TestAuthenticateSSHUser (0.24s)
    auth_test.go:750:
                Error Trace:    /Users/alan/code/teleport/lib/auth/auth_test.go:750
                Error:          Received unexpected error:
                                Kubernetes cluster "root-kube-cluster" is not registered in this Teleport cluster; you can list registered Kubernetes clusters using 'tsh kube ls'
                Test:           TestAuthenticateSSHUser
FAIL
FAIL    github.com/gravitational/teleport/lib/auth      3.094s
FAIL

Chatting with Tim about it.

#52109 added a dependency on the unified resource cache to user cert generation to reduce resource consumption. A number of tests that exercise generating Kubernetes user certs were either not waiting for the Kubernetes resources to exist prior to authentication and getting lucky, or checking that the resources were in the auth cache, but not the unified resource cache. This attempts to cover any tests which generate Kubernetes user certificates to verify that the unified resource cache contains the expected cluster before proceeding. Fixes #52157. Fixes #52441.

…52109) Closes #52073. The requested Kubernetes cluster is now cross referenced with the KubeServers in the unified resource cache. This results in a reduction in CPU, memory, and cert generation latency. This also cleans up some of the helper functions in lib/kube/utils that were no longer needed, and suboptimal. The client side changes here shouldn't have any impact, as the server is performing the same check, and returning the equivalent error the client side code used to. This will also cut the time of `tctl auth sign` in half as both the client and server were performing the same expensive CheckKubeCluster operation.

#52109 added a dependency on the unified resource cache to user cert generation to reduce resource consumption. A number of tests that exercise generating Kubernetes user certs were either not waiting for the Kubernetes resources to exist prior to authentication and getting lucky, or checking that the resources were in the auth cache, but not the unified resource cache. This attempts to cover any tests which generate Kubernetes user certificates to verify that the unified resource cache contains the expected cluster before proceeding. Fixes #52157. Fixes #52441.

…52109) Closes #52073. The requested Kubernetes cluster is now cross referenced with the KubeServers in the unified resource cache. This results in a reduction in CPU, memory, and cert generation latency. This also cleans up some of the helper functions in lib/kube/utils that were no longer needed, and suboptimal. The client side changes here shouldn't have any impact, as the server is performing the same check, and returning the equivalent error the client side code used to. This will also cut the time of `tctl auth sign` in half as both the client and server were performing the same expensive CheckKubeCluster operation.

#52109 added a dependency on the unified resource cache to user cert generation to reduce resource consumption. A number of tests that exercise generating Kubernetes user certs were either not waiting for the Kubernetes resources to exist prior to authentication and getting lucky, or checking that the resources were in the auth cache, but not the unified resource cache. This attempts to cover any tests which generate Kubernetes user certificates to verify that the unified resource cache contains the expected cluster before proceeding. Fixes #52157. Fixes #52441.

…ates (#52148) * Reduce resource consumption when generating Kubernetes certificates (#52109) Closes #52073. The requested Kubernetes cluster is now cross referenced with the KubeServers in the unified resource cache. This results in a reduction in CPU, memory, and cert generation latency. This also cleans up some of the helper functions in lib/kube/utils that were no longer needed, and suboptimal. The client side changes here shouldn't have any impact, as the server is performing the same check, and returning the equivalent error the client side code used to. This will also cut the time of `tctl auth sign` in half as both the client and server were performing the same expensive CheckKubeCluster operation. * Fix test flakes related to Kubernetes user cert generation (#52442) #52109 added a dependency on the unified resource cache to user cert generation to reduce resource consumption. A number of tests that exercise generating Kubernetes user certs were either not waiting for the Kubernetes resources to exist prior to authentication and getting lucky, or checking that the resources were in the auth cache, but not the unified resource cache. This attempts to cover any tests which generate Kubernetes user certificates to verify that the unified resource cache contains the expected cluster before proceeding. Fixes #52157. Fixes #52441.

…ates (#52147) * Reduce resource consumption when generating Kubernetes certificates (#52109) Closes #52073. The requested Kubernetes cluster is now cross referenced with the KubeServers in the unified resource cache. This results in a reduction in CPU, memory, and cert generation latency. This also cleans up some of the helper functions in lib/kube/utils that were no longer needed, and suboptimal. The client side changes here shouldn't have any impact, as the server is performing the same check, and returning the equivalent error the client side code used to. This will also cut the time of `tctl auth sign` in half as both the client and server were performing the same expensive CheckKubeCluster operation. * Fix test flakes related to Kubernetes user cert generation (#52442) #52109 added a dependency on the unified resource cache to user cert generation to reduce resource consumption. A number of tests that exercise generating Kubernetes user certs were either not waiting for the Kubernetes resources to exist prior to authentication and getting lucky, or checking that the resources were in the auth cache, but not the unified resource cache. This attempts to cover any tests which generate Kubernetes user certificates to verify that the unified resource cache contains the expected cluster before proceeding. Fixes #52157. Fixes #52441.

rosstimothy added the no-changelog Indicates that a PR does not require a changelog entry label Feb 13, 2025

rosstimothy force-pushed the tross/kube_cert_perf branch 4 times, most recently from 2f4c6f3 to 3af4b9b Compare February 13, 2025 01:20

rosstimothy removed the no-changelog Indicates that a PR does not require a changelog entry label Feb 13, 2025

rosstimothy force-pushed the tross/kube_cert_perf branch from 3af4b9b to a91e888 Compare February 13, 2025 01:55

rosstimothy marked this pull request as ready for review February 13, 2025 02:12

rosstimothy requested a review from tigrato February 13, 2025 02:12

github-actions Bot added kubernetes-access size/sm tctl tctl - Teleport admin tool tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Feb 13, 2025

github-actions Bot requested review from avatus and creack February 13, 2025 02:12

tigrato approved these changes Feb 13, 2025

View reviewed changes

avatus approved these changes Feb 13, 2025

View reviewed changes

public-teleport-github-review-bot Bot removed the request for review from creack February 13, 2025 17:57

rosstimothy added this pull request to the merge queue Feb 13, 2025

rosstimothy added backport/branch/v15 backport/branch/v17 labels Feb 13, 2025

Merged via the queue into master with commit 8a5107c Feb 13, 2025

rosstimothy deleted the tross/kube_cert_perf branch February 13, 2025 19:46

rosstimothy mentioned this pull request Feb 13, 2025

[v17] Reduce resource consumption when generating Kubernetes certificates #52146

Merged

rosstimothy mentioned this pull request Feb 13, 2025

[v16] Reduce resource consumption when generating Kubernetes certificates #52147

Merged

rosstimothy mentioned this pull request Feb 13, 2025

[v15] Reduce resource consumption when generating Kubernetes certificates #52148

Merged

rosstimothy mentioned this pull request Feb 13, 2025

TestKubeSelection flakiness #52157

Closed

rosstimothy mentioned this pull request Feb 24, 2025

Fix test flakes related to Kubernetes user cert generation #52442

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Reduce resource consumption when generating Kubernetes certificates#52109

Reduce resource consumption when generating Kubernetes certificates#52109
rosstimothy merged 1 commit intomasterfrom
tross/kube_cert_perf

rosstimothy commented Feb 13, 2025 •

edited

Loading

Uh oh!

public-teleport-github-review-bot Bot commented Feb 13, 2025

Uh oh!

codingllama commented Feb 24, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

rosstimothy commented Feb 13, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

public-teleport-github-review-bot Bot commented Feb 13, 2025

Uh oh!

codingllama commented Feb 24, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

rosstimothy commented Feb 13, 2025 •

edited

Loading