Skip to content

fix: handle azure keyvault throttling with retry logic#237

Open
thomas-rabiller wants to merge 1 commit intovcsjones:mainfrom
thomas-rabiller:main
Open

fix: handle azure keyvault throttling with retry logic#237
thomas-rabiller wants to merge 1 commit intovcsjones:mainfrom
thomas-rabiller:main

Conversation

@thomas-rabiller
Copy link

@thomas-rabiller thomas-rabiller commented Mar 15, 2024

Include retry logic to deal with Azure KeyVault throttling errors that may occur during large sign batches, as described in Microsoft docs:
https://learn.microsoft.com/en-us/azure/key-vault/general/overview-throttling

@thomas-rabiller
Copy link
Author

thomas-rabiller commented Mar 15, 2024

#135

@thomas-rabiller thomas-rabiller mentioned this pull request Mar 15, 2024
Closed
@thomas-rabiller thomas-rabiller mentioned this pull request Apr 12, 2024
Open
@PhonicUK
Copy link

PhonicUK commented May 15, 2024

This also looks like a solution for #249

@fabricioferreira
Copy link

fabricioferreira commented Aug 21, 2024

I am looking forward to this PR getting approved.

fabricioferreira
fabricioferreira approved these changes Aug 21, 2024
View reviewed changes
Copy link

@fabricioferreira fabricioferreira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes looks good.

@marcofranzen99 marcofranzen99 mentioned this pull request Sep 30, 2024
Closed
@fabricioferreira
Copy link

fabricioferreira commented Oct 8, 2024
edited
Loading

Hi @vcsjones , any reason not to proceed with this merge? Azure's key vault throttling is insane and keeps failing our pipelines. Thanks!

@casuffitsharp
Copy link

casuffitsharp commented Oct 9, 2024

I believe this issue was addressed in #251. It’s included in v6.0.0-beta1 (check the release announcement here: https://github.com/vcsjones/AzureSignTool/releases/tag/v6.0.0-beta1).

@larde
Copy link

larde commented Mar 5, 2025

We still have this issue on 6.0.1

@ldaniels-dennemeyer
Copy link

ldaniels-dennemeyer commented Mar 14, 2025

Me too, retry mechanism does not seem to work.

@fedorbirjukov
Copy link

fedorbirjukov commented Apr 1, 2025

The retry mechanism is indeed part of 6.0.0. See release notes or the notes of the beta mentioned above (link: #271):

Concurrency

By far one issue that gets reported that most are failures from excessive concurrency. There are two parts that can result failures from throttling. The first is Azure. Azure limits the number of operations a KeyVault can perform in a given period. The second is timestamping from a Certificate Authority.

There are two changes in this release to help with this.

  1. The --max-degree-of-parallelism (-mdop) now defaults to 4, meaning no more than 4 sign operations will happen concurrently. To revert back to the previous behavior, set --max-degree-of-parallelism to 0, or a higher number if you still want some limit on concurrent operations.
  2. The signing operation will now retry failed signing operations if the failure was the result of Azure performing throttling.

So, it must be the CA throttling that limits the signing throughput.

This PR should be abandoned.

@bdagnin
Copy link

bdagnin commented Apr 3, 2025

For us it does seem to be the timestamp service that's causing throttling failures. The Azure retry mechanism in v6.0.1 doesn't kick in at all for these.

I've pulled v6.x into this change and created a build here: https://github.com/bdagnin/AzureSignTool/releases/download/v6.0.2-alpha.1.retry/AzureSignTool.exe
This and -mdop 1 has solved our signing failures.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@fabricioferreira fabricioferreira fabricioferreira approved these changes

@lv1il0s lv1il0s lv1il0s approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@thomas-rabiller @PhonicUK @fabricioferreira @casuffitsharp @larde @ldaniels-dennemeyer @fedorbirjukov @bdagnin @lv1il0s