Resolve key vault references concurrently#736
Open
linglingye001 wants to merge 2 commits into
Open
Conversation
linglingye001
force-pushed
the
linglingye/resolve-secret-parallel
branch
from
5c8223e to
61295ef
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces an opt-in capability to resolve Azure Key Vault references concurrently during Azure App Configuration load, aiming to reduce startup time when many Key Vault references are present.
Changes:
- Add
ParallelSecretResolutionEnabledoption under Key Vault configuration and plumb it into provider options. - Update configuration loading to optionally process adapter resolution concurrently and merge results deterministically.
- Add unit tests covering parallel resolution behavior and default sequential behavior; add locking in the Key Vault secret provider to support concurrent access.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| tests/Tests.AzureAppConfiguration/Unit/KeyVaultReferenceTests.cs | Adds tests validating parallel Key Vault resolution and default sequential behavior. |
| src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultSecretProvider.cs | Adds synchronization around secret caching and refresh bookkeeping for thread safety under concurrency. |
| src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs | Adds parallel adapter processing path and factors merge logic into a helper. |
| src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationOptions.cs | Stores whether parallel secret resolution is enabled after Key Vault configuration. |
| src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationKeyVaultOptions.cs | Introduces the public ParallelSecretResolutionEnabled toggle with documentation. |
Comments suppressed due to low confidence (1)
src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs:654
- In parallel mode, all adapter tasks are dispatched before any failures are observed (via
Task.WhenAll). If a single Key Vault reference is invalid/unavailable, the load will still issue requests for the remaining references, increasing latency and side effects (extra Key Vault traffic) even though the overall load fails. Consider failing fast by cancelling remaining work when the first task faults (e.g., linked CancellationTokenSource + cancel on first exception, or processing in bounded batches).
// Dispatch adapter processing for all settings concurrently. Only Key Vault references
// perform network I/O during adapter processing; other adapters complete synchronously.
// Insertion order in 'data' is preserved when merging results so prefix-stripping and
// last-write-wins behavior remain unchanged.
var pendingTasks = new List<Task<IEnumerable<KeyValuePair<string, string>>>>(data.Count);
foreach (KeyValuePair<string, ConfigurationSetting> kvp in data)
{
if (_requestTracingEnabled && _requestTracingOptions != null)
{
_requestTracingOptions.UpdateAiConfigurationTracing(kvp.Value.ContentType);
}
pendingTasks.Add(ProcessAdapters(kvp.Value, cancellationToken));
}
IEnumerable<KeyValuePair<string, string>>[] results = await Task.WhenAll(pendingTasks).ConfigureAwait(false);
for (int i = 0; i < results.Length; i++)
{
MergeIntoApplicationData(applicationData, results[i]);
}
}
| private readonly AzureAppConfigurationKeyVaultOptions _keyVaultOptions; | ||
| private readonly IDictionary<string, SecretClient> _secretClients; | ||
| private readonly Dictionary<Uri, CachedKeyVaultSecret> _cachedKeyVaultSecrets; | ||
| private readonly object _cacheLock = new object(); |
Member
There was a problem hiding this comment.
Instead of using lock, we should use ConcurrentDictionary for atomic operation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.