DevOps Secrets Safe Sizing and Performance

DevOps Secrets Safe architecture was designed from inception to provide flexibility and scalability. The system is made up of a series of distributed services deployed as containers using Kubernetes. By its nature, the performance of the system varies greatly depending on the environment it is running in. To provide an idea of the performance that can be expected from the system, a reference deployment was used to gather performance statistics.

Secrets Safe Test Scenario

A test scenario was created using JMeter. JMeter used 200 threads to simultaneously iterate a list of users. For each user in the list, an authentication was performed and a secret was retrieved. The test continued iterating the list of users for a period of ten minutes.

The following data was loaded into DevOps Secrets Safe prior to the execution of the test. After the data was loaded, the resulting database was approximately 100MB in size.

  • 20,000 secrets, each 1024 bytes in size
  • 1000 local user accounts
  • Access to the secrets was granted to each user

All audit, logs, and performance telemetry generated by Secrets Safe during the test are forwarded to an external Elasticsearch instance.

Deployment Environments

DevOps Secrets Safe was tested in both a cloud hosted as well as an on premises virtualized environment.

Azure Environment

The Azure environment consisted of the following resources:

Service Version VM Host Specs
Azure Kubernetes 1.14.8
  • 3 x D4s_v3
  • 4 vCPU
  • 16GB RAM
  • 6400 Max IOPS
Azure Database for PostgreSQL 11
  • General Purpose
  • 4 vCores
  • Local Redundant

Using this configuration, DevOps Secrets Safe can handle approximately 270 incoming secret requests per second, or approximately 170,000 requests over a 10 minute period.

On-Premises ESXi Environment

The on-premises environment consisted of the following resources:

Service Version VM Host Specs
Kubernetes cluster 1.15.5
  • 3 x CentOS 7.7
  • 4 Cores
  • 16GB RAM
PostgreSQL 10.10
  • 1 x CentOS 7.7
  • 4 Cores
  • 16GB RAM

Using this configuration, DevOps Secrets Safe can handle approximately 270 incoming secret request per second, or approximately 170,000 request over a 10 minute period.

Audit Volume

Action Number of Audit Events
User Authentication 3
Secret Reterival 3
Full Performance test ~500,000 (325MB in Elasticsearch)

Conclusions

The performance of DevOps Secrets Safe’s reference deployment should be enough for most small to medium-sized customers. For larger customers, some further horizontal scaling might be required. Due to DevOps Secrets Safe's underlying architecture, this is easily achievable by adding additional Kubernetes nodes and increasing the number of replicas for the appropriate services.