Skip to content

fix: fetch federated trust bundles concurrently #6491

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
markgoddard wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: fetch federated trust bundles concurrently #6491

markgoddard wants to merge 1 commit into from

Conversation

@markgoddard
Copy link

@markgoddard markgoddard commented Dec 12, 2025

SPIRE agent periodically syncs entries, federated bundles and SVIDs from
the SPIRE server. This happens every 5 seconds with a backoff. There is
a 30 second timeout for this process. If there are many federations for
the entries allowed for the agent, this timeout can be exceeded.

This change adds a concurrent fetch for federated bundles to reduce the
chance of hitting the timeout.

Fixes: #6490

@markgoddard
fix: fetch federated trust bundles concurrently
a11fc24 
SPIRE agent periodically syncs entries, federated bundles and SVIDs from
the SPIRE server. This happens every 5 seconds with a backoff. There is
a 30 second timeout for this process. If there are many federations for
the entries allowed for the agent, this timeout can be exceeded.

This change adds a concurrent fetch for federated bundles to reduce the
chance of hitting the timeout.

Fixes: spiffe#6490
sorindumitru
sorindumitru reviewed Dec 18, 2025
View reviewed changes
Copy link
Collaborator

@sorindumitru sorindumitru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @markgoddard for providing a fix to this issue. This is looking good. I think we have some tests for fetching the federated bundles, but could you add one with more bundles than the number of workers to make sure that keeps working?

pkg/agent/client/client.go
}

// fetchBundle fetches a single federated bundle from SPIRE server.
func (c *client) fetchBundle(ctx context.Context, bundleClient bundlev1.BundleClient, trustDomain string) (*types.Bundle, error) {
Copy link
Collaborator

@sorindumitru sorindumitru Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we include federated in the names of these functions since they can only deal with federated bundles.

Suggested change
func (c *client) fetchBundle(ctx context.Context, bundleClient bundlev1.BundleClient, trustDomain string) (*types.Bundle, error) {
func (c *client) fetchFederatedBundle(ctx context.Context, bundleClient bundlev1.BundleClient, trustDomain string) (*types.Bundle, error) {

pkg/agent/client/client.go
// fetchBundlesConcurrently fetches federated bundles concurrently.
// This is done to improve sync times when there are many federations. This should ensure that the
// sync does not exceed rpcTimeout.
func (c *client) fetchBundlesConcurrently(ctx context.Context, bundleClient bundlev1.BundleClient, trustDomains []string, bundles []*types.Bundle) ([]*types.Bundle, error) {
Copy link
Collaborator

@sorindumitru sorindumitru Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
func (c *client) fetchBundlesConcurrently(ctx context.Context, bundleClient bundlev1.BundleClient, trustDomains []string, bundles []*types.Bundle) ([]*types.Bundle, error) {
func (c *client) fetchFederatedBundlesConcurrently(ctx context.Context, bundleClient bundlev1.BundleClient, trustDomains []string, bundles []*types.Bundle) ([]*types.Bundle, error) {

pkg/agent/client/client.go
Comment on lines +642 to +644
wg.Add(1)
go func() {
defer wg.Done()
Copy link
Collaborator

@sorindumitru sorindumitru Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can now do something like this to avoid the Add() and defer:

Suggested change
wg.Add(1)
go func() {
defer wg.Done()
wg.Go(func() {

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sorindumitru sorindumitru sorindumitru left review comments

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo amartinezfayo is a code owner

@MarcosDY MarcosDY Awaiting requested review from MarcosDY MarcosDY is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@sorindumitru sorindumitru

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SPIRE agent can exceed the RPC timeout when synchronising bundles with many federations

2 participants

@markgoddard @sorindumitru