Recreate session when making new client (#1041)

* Recreate session when making new client requests has a memory leak from our observation of containers experiencing OOMs for this sidecar. It appears that the underlying session is keeping sockets alive. Calling close on the session should clean things up. We don't want to do this all the time because the point is to reuse connections in the pool. However, when we expire a client we can take that opportunity to recreate the session. Over time this should let us clean up the memory help by the session while having a minimal impact on connection reuse. * dropped a paren --------- Co-authored-by: Andy Weiss <[email protected]>
reddit · Dec 6, 2024 · 57883eb · 57883eb
1 parent 1f7c1de
commit 57883eb
Showing 1 changed file with 17 additions and 5 deletions.
diff --git a/baseplate/sidecars/secrets_fetcher.py b/baseplate/sidecars/secrets_fetcher.py
@@ -147,17 +147,21 @@ def __init__(self, base_url: str, role: str, auth_type: Authenticator, mount_poi
         self.role = role
         self.auth_type = auth_type
         self.mount_point = mount_point
-        self.session = requests.Session()
-        self.session.headers["User-Agent"] = (
+        self.client: Optional[VaultClient] = None
+
+    def _make_session(self) -> requests.Session:
+        session = requests.Session()
+        session.headers["User-Agent"] = (
             f"baseplate.py-{self.__class__.__name__}/{baseplate_version}"
         )
-        self.client: Optional[VaultClient] = None
+        return session
 
     def _make_client(self) -> "VaultClient":
         """Obtain a client token from an auth backend and return a Vault client with it."""
         client_token, lease_duration = self.auth_type(self)
+        session = self._make_session()
 
-        return VaultClient(self.session, self.base_url, client_token, lease_duration)
+        return VaultClient(session, self.base_url, client_token, lease_duration)
 
     def _vault_kubernetes_auth(self) -> tuple[str, datetime.datetime]:
         r"""Get a client token from Vault through the Kubernetes auth backend.
@@ -258,8 +262,13 @@ def auth_types() -> dict[str, Authenticator]:
 
     def get_client(self) -> "VaultClient":
         """Get an authenticated client, reauthenticating if not cached."""
-        if not self.client or self.client.is_about_to_expire:
+        if self.client and self.client.is_about_to_expire:
+            self.client.close()
+            self.client = None
+
+        if not self.client:
             self.client = self._make_client()
+
         return self.client
 
 
@@ -283,6 +292,9 @@ def __init__(
         self.token = token
         self.token_expiration = token_expiration
 
+    def close(self):
+        self.session.close()
+
     @property
     def is_about_to_expire(self) -> bool:
         """Return if the token is near expiration and in need of regeneration."""