Description
Current Behavior
GET /api/v4/credentials is a very expensive operation, since it entails listing all Credentials, then for each listing all discovered Targets, and then evaluating the Credential's linked MatchExpression (which is another lazily fetched entity) against each Target as a filter, then collecting the result. Even with MatchExpression evaluations against individual Targets cached, this is a heavy operation.
This endpoint is used for the UI's Security view, which renders a pretty direct representation of this data, which makes sense.

However, this endpoint is also used by the Cryostat Agent as a hacky check for whether the stored credentials that the Agent wants to persist for itself already exist in the server's keyring. The Agent asks Cryostat for this list, just to check if any credential has an identical MatchExpression to what the Agent would submit for itself.
Alternative designs:
- Add an endpoint that allows Agents to ask Cryostat if there are any existing stored credentials that would match themselves (or more generally, allow any client to ask Cryostat if there are credentials for a given target description). This would still require Cryostat to pull all Credentials and test all their MatchExpressions against the given target description. This may have broader application for future use cases beyond Agent registration - it might be useful for Custom Targets, for example.
- Add an endpoint that allows clients to check if there are any Credentials that already use an identical MatchExpression. This can be done much more cheaply on the server/database side, but is a much more specific endpoint with a very narrow use case.
Expected Behavior
No response
Steps To Reproduce
No response
Environment
- OS:
- Environment:
- Version:
Anything else?
No response
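
The cost difference between the current listing and the two alternative designs above, as an added toy model that is not part of the original issue and is not Cryostat code. The `Keyring` class, its method names, the sample expression text and the Python predicates standing in for MatchExpression evaluation are all assumptions, and the caching and lazy fetching mentioned in the issue are not modelled.

```python
# Toy model added for illustration; not Cryostat code. All names are hypothetical.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Credential:
    id: int
    match_expression: str              # expression text as stored
    predicate: Callable[[dict], bool]  # stand-in for evaluating that expression

class Keyring:
    def __init__(self, credentials, targets):
        self.credentials = list(credentials)
        self.targets = list(targets)
        self.evaluations = 0           # counts expression evaluations performed
        self.by_expression = {}        # index used only by the exact-text lookup
        for c in self.credentials:
            self.by_expression.setdefault(c.match_expression, []).append(c.id)

    def _matches(self, cred, target):
        self.evaluations += 1
        return cred.predicate(target)

    def list_all(self):
        """Listing as described: every credential tested against every target."""
        return {c.id: [t["alias"] for t in self.targets if self._matches(c, t)]
                for c in self.credentials}

    def matching_target(self, target):
        """First alternative: every credential tested against one description."""
        return [c.id for c in self.credentials if self._matches(c, target)]

    def has_expression(self, expression):
        """Second alternative: identical-text lookup, nothing is evaluated."""
        return expression in self.by_expression

def build_sample(n_credentials=4, n_targets=5):
    """Constructed data: one credential per alias 'agent-0' .. 'agent-(n-1)'."""
    targets = [{"alias": f"agent-{i}"} for i in range(n_targets)]
    creds = [Credential(i, f"target.alias == 'agent-{i}'",
                        lambda t, a=f"agent-{i}": t["alias"] == a)
             for i in range(n_credentials)]
    return Keyring(creds, targets)

if __name__ == "__main__":
    k = build_sample()
    k.list_all(); print("list_all evaluations:", k.evaluations)
    k.evaluations = 0
    print(k.matching_target({"alias": "agent-2"}), k.evaluations)
    print(k.has_expression("target.alias == 'agent-2'"),
          k.has_expression("target.alias=='agent-2'"))  # same meaning, different text
```

The last line shows why the second design is narrow: an expression with the same meaning but different text is reported as absent.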