From 61295ef1d9cd3dcef743a0c33650a528f002d4de Mon Sep 17 00:00:00 2001 From: "Lingling Ye (from Dev Box)" Date: Wed, 20 May 2026 15:46:36 +0800 Subject: [PATCH 1/5] resolve key vault references concurrently --- .../AzureAppConfigurationKeyVaultOptions.cs | 7 + .../AzureAppConfigurationOptions.cs | 6 + .../AzureAppConfigurationProvider.cs | 63 ++++-- .../AzureKeyVaultSecretProvider.cs | 68 ++++--- .../Unit/KeyVaultReferenceTests.cs | 183 ++++++++++++++++++ 5 files changed, 288 insertions(+), 39 deletions(-) diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationKeyVaultOptions.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationKeyVaultOptions.cs index cca16df80..70a4d75e5 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationKeyVaultOptions.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationKeyVaultOptions.cs @@ -31,6 +31,13 @@ public class AzureAppConfigurationKeyVaultOptions internal TimeSpan? DefaultSecretRefreshInterval = null; internal bool IsKeyVaultRefreshConfigured = false; + /// + /// Specifies whether Key Vault references should be resolved in parallel. + /// Default value is false. Enabling this can reduce the time required to resolve Key Vault references + /// when many references are loaded from Azure App Configuration. + /// + public bool ParallelSecretResolutionEnabled { get; set; } + /// /// Sets the credentials used to authenticate to key vaults that have no registered . /// diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationOptions.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationOptions.cs index e5b6e2585..8fd34d477 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationOptions.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationOptions.cs @@ -144,6 +144,11 @@ internal IEnumerable Adapters /// internal bool IsKeyVaultRefreshConfigured { get; private set; } = false; + /// + /// Flag to indicate whether Key Vault references should be resolved in parallel. + /// + internal bool IsParallelSecretResolutionEnabled { get; private set; } = false; + /// /// Indicates all feature flag features used by the application. /// @@ -520,6 +525,7 @@ public AzureAppConfigurationOptions ConfigureKeyVault(Action> PrepareData(Dictionary kvp in data) + bool parallelSecretResolution = _options.IsParallelSecretResolutionEnabled; + + if (parallelSecretResolution) { - IEnumerable> keyValuePairs = null; + // Dispatch adapter processing for all settings concurrently. Only Key Vault references + // perform network I/O during adapter processing; other adapters complete synchronously. + // Insertion order in 'data' is preserved when merging results so prefix-stripping and + // last-write-wins behavior remain unchanged. + var pendingTasks = new List>>>(data.Count); - if (_requestTracingEnabled && _requestTracingOptions != null) + foreach (KeyValuePair kvp in data) { - _requestTracingOptions.UpdateAiConfigurationTracing(kvp.Value.ContentType); + if (_requestTracingEnabled && _requestTracingOptions != null) + { + _requestTracingOptions.UpdateAiConfigurationTracing(kvp.Value.ContentType); + } + + pendingTasks.Add(ProcessAdapters(kvp.Value, cancellationToken)); } - keyValuePairs = await ProcessAdapters(kvp.Value, cancellationToken).ConfigureAwait(false); + IEnumerable>[] results = await Task.WhenAll(pendingTasks).ConfigureAwait(false); - foreach (KeyValuePair kv in keyValuePairs) + for (int i = 0; i < results.Length; i++) { - string key = kv.Key; + MergeIntoApplicationData(applicationData, results[i]); + } + } + else + { + foreach (KeyValuePair kvp in data) + { + IEnumerable> keyValuePairs = null; - foreach (string prefix in _options.KeyPrefixes) + if (_requestTracingEnabled && _requestTracingOptions != null) { - if (key.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) - { - key = key.Substring(prefix.Length); - break; - } + _requestTracingOptions.UpdateAiConfigurationTracing(kvp.Value.ContentType); } - applicationData[key] = kv.Value; + keyValuePairs = await ProcessAdapters(kvp.Value, cancellationToken).ConfigureAwait(false); + + MergeIntoApplicationData(applicationData, keyValuePairs); } } return applicationData; } + private void MergeIntoApplicationData(Dictionary applicationData, IEnumerable> keyValuePairs) + { + foreach (KeyValuePair kv in keyValuePairs) + { + string key = kv.Key; + + foreach (string prefix in _options.KeyPrefixes) + { + if (key.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) + { + key = key.Substring(prefix.Length); + break; + } + } + + applicationData[key] = kv.Value; + } + } + private async Task LoadAsync(bool ignoreFailures, CancellationToken cancellationToken) { var startupStopwatch = Stopwatch.StartNew(); diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultSecretProvider.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultSecretProvider.cs index 57505ff95..af03bcef9 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultSecretProvider.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultSecretProvider.cs @@ -16,6 +16,7 @@ internal class AzureKeyVaultSecretProvider private readonly AzureAppConfigurationKeyVaultOptions _keyVaultOptions; private readonly IDictionary _secretClients; private readonly Dictionary _cachedKeyVaultSecrets; + private readonly object _cacheLock = new object(); private Uri _nextRefreshSourceId; private DateTimeOffset? _nextRefreshTime; @@ -38,20 +39,25 @@ public AzureKeyVaultSecretProvider(AzureAppConfigurationKeyVaultOptions keyVault public async Task GetSecretValue(KeyVaultSecretIdentifier secretIdentifier, string key, string label, Logger logger, CancellationToken cancellationToken) { string secretValue = null; + SecretClient client; - if (_cachedKeyVaultSecrets.TryGetValue(secretIdentifier.SourceId, out CachedKeyVaultSecret cachedSecret) && - (!cachedSecret.RefreshAt.HasValue || DateTimeOffset.UtcNow < cachedSecret.RefreshAt.Value)) + lock (_cacheLock) { - return cachedSecret.SecretValue; - } + if (_cachedKeyVaultSecrets.TryGetValue(secretIdentifier.SourceId, out CachedKeyVaultSecret cachedHit) && + (!cachedHit.RefreshAt.HasValue || DateTimeOffset.UtcNow < cachedHit.RefreshAt.Value)) + { + return cachedHit.SecretValue; + } - SecretClient client = GetSecretClient(secretIdentifier.SourceId); + client = GetSecretClient(secretIdentifier.SourceId); + } if (client == null && _keyVaultOptions.SecretResolver == null) { throw new UnauthorizedAccessException("No key vault credential or secret resolver callback configured, and no matching secret client could be found."); } + CachedKeyVaultSecret cachedSecret = null; bool success = false; try @@ -73,7 +79,10 @@ public async Task GetSecretValue(KeyVaultSecretIdentifier secretIdentifi } finally { - SetSecretInCache(secretIdentifier.SourceId, key, cachedSecret, success); + lock (_cacheLock) + { + SetSecretInCache(secretIdentifier.SourceId, key, cachedSecret, success); + } } return secretValue; @@ -81,41 +90,50 @@ public async Task GetSecretValue(KeyVaultSecretIdentifier secretIdentifi public bool ShouldRefreshKeyVaultSecrets() { - return _nextRefreshTime.HasValue && _nextRefreshTime.Value < DateTimeOffset.UtcNow; + lock (_cacheLock) + { + return _nextRefreshTime.HasValue && _nextRefreshTime.Value < DateTimeOffset.UtcNow; + } } public void ClearCache() { - var sourceIdsToRemove = new List(); + lock (_cacheLock) + { + var sourceIdsToRemove = new List(); - var utcNow = DateTimeOffset.UtcNow; + var utcNow = DateTimeOffset.UtcNow; - foreach (KeyValuePair secret in _cachedKeyVaultSecrets) - { - if (secret.Value.LastRefreshTime + RefreshConstants.MinimumSecretRefreshInterval < utcNow) + foreach (KeyValuePair secret in _cachedKeyVaultSecrets) { - sourceIdsToRemove.Add(secret.Key); + if (secret.Value.LastRefreshTime + RefreshConstants.MinimumSecretRefreshInterval < utcNow) + { + sourceIdsToRemove.Add(secret.Key); + } } - } - foreach (Uri sourceId in sourceIdsToRemove) - { - _cachedKeyVaultSecrets.Remove(sourceId); - } + foreach (Uri sourceId in sourceIdsToRemove) + { + _cachedKeyVaultSecrets.Remove(sourceId); + } - if (_cachedKeyVaultSecrets.Any()) - { - UpdateNextRefreshableSecretFromCache(); + if (_cachedKeyVaultSecrets.Any()) + { + UpdateNextRefreshableSecretFromCache(); + } } } public void RemoveSecretFromCache(Uri sourceId) { - _cachedKeyVaultSecrets.Remove(sourceId); - - if (sourceId == _nextRefreshSourceId) + lock (_cacheLock) { - UpdateNextRefreshableSecretFromCache(); + _cachedKeyVaultSecrets.Remove(sourceId); + + if (sourceId == _nextRefreshSourceId) + { + UpdateNextRefreshableSecretFromCache(); + } } } diff --git a/tests/Tests.AzureAppConfiguration/Unit/KeyVaultReferenceTests.cs b/tests/Tests.AzureAppConfiguration/Unit/KeyVaultReferenceTests.cs index 3e856a1b0..f1214f456 100644 --- a/tests/Tests.AzureAppConfiguration/Unit/KeyVaultReferenceTests.cs +++ b/tests/Tests.AzureAppConfiguration/Unit/KeyVaultReferenceTests.cs @@ -1050,5 +1050,188 @@ MockAsyncPageable GetTestKeys(SettingSelector selector, CancellationToken ct) Assert.Equal(_secretValue, config[setting.Key]); } } + + [Fact] + public void ParallelSecretResolution_ResolvesAllReferences() + { + // Build a collection of distinct Key Vault references. + const int referenceCount = 20; + var settings = new List(); + + for (int i = 0; i < referenceCount; i++) + { + settings.Add(ConfigurationModelFactory.ConfigurationSetting( + key: $"Key{i}", + value: $@"{{""uri"":""https://keyvault-theclassics.vault.azure.net/secrets/Secret{i}""}}", + eTag: new ETag($"etag-{i}"), + contentType: KeyVaultConstants.ContentType + "; charset=utf-8")); + } + + var mockClient = new Mock(MockBehavior.Strict); + mockClient.Setup(c => c.GetConfigurationSettingsAsync(It.IsAny(), It.IsAny())) + .Returns(new MockAsyncPageable(settings)); + + var mockSecretClient = new Mock(MockBehavior.Strict); + mockSecretClient.SetupGet(client => client.VaultUri).Returns(new Uri("https://keyvault-theclassics.vault.azure.net")); + mockSecretClient.Setup(client => client.GetSecretAsync(It.IsAny(), It.IsAny(), It.IsAny())) + .Returns((string name, string version, CancellationToken cancellationToken) => + Task.FromResult((Response)new MockResponse(new KeyVaultSecret(name, $"value-of-{name}")))); + + var configuration = new ConfigurationBuilder() + .AddAzureAppConfiguration(options => + { + options.ClientManager = TestHelpers.CreateMockedConfigurationClientManager(mockClient.Object); + options.ConfigureKeyVault(kv => + { + kv.Register(mockSecretClient.Object); + kv.ParallelSecretResolutionEnabled = true; + }); + }) + .Build(); + + for (int i = 0; i < referenceCount; i++) + { + Assert.Equal($"value-of-Secret{i}", configuration[$"Key{i}"]); + } + } + + [Fact] + public void ParallelSecretResolution_RunsConcurrently() + { + // Use a gated mock secret client to detect concurrent in-flight calls. + const int referenceCount = 10; + var settings = new List(); + + for (int i = 0; i < referenceCount; i++) + { + settings.Add(ConfigurationModelFactory.ConfigurationSetting( + key: $"Key{i}", + value: $@"{{""uri"":""https://keyvault-theclassics.vault.azure.net/secrets/Secret{i}""}}", + eTag: new ETag($"etag-{i}"), + contentType: KeyVaultConstants.ContentType + "; charset=utf-8")); + } + + int inFlight = 0; + int maxInFlight = 0; + var inFlightLock = new object(); + + var mockClient = new Mock(MockBehavior.Strict); + mockClient.Setup(c => c.GetConfigurationSettingsAsync(It.IsAny(), It.IsAny())) + .Returns(new MockAsyncPageable(settings)); + + var mockSecretClient = new Mock(MockBehavior.Strict); + mockSecretClient.SetupGet(client => client.VaultUri).Returns(new Uri("https://keyvault-theclassics.vault.azure.net")); + mockSecretClient.Setup(client => client.GetSecretAsync(It.IsAny(), It.IsAny(), It.IsAny())) + .Returns(async (string name, string version, CancellationToken cancellationToken) => + { + lock (inFlightLock) + { + inFlight++; + if (inFlight > maxInFlight) + { + maxInFlight = inFlight; + } + } + + try + { + await Task.Delay(50, cancellationToken).ConfigureAwait(false); + } + finally + { + lock (inFlightLock) + { + inFlight--; + } + } + + return (Response)new MockResponse(new KeyVaultSecret(name, $"value-of-{name}")); + }); + + var configuration = new ConfigurationBuilder() + .AddAzureAppConfiguration(options => + { + options.ClientManager = TestHelpers.CreateMockedConfigurationClientManager(mockClient.Object); + options.ConfigureKeyVault(kv => + { + kv.Register(mockSecretClient.Object); + kv.ParallelSecretResolutionEnabled = true; + }); + }) + .Build(); + + // Verify all references resolved. + for (int i = 0; i < referenceCount; i++) + { + Assert.Equal($"value-of-Secret{i}", configuration[$"Key{i}"]); + } + + // When run in parallel, more than one secret request must have been in flight at the same time. + Assert.True(maxInFlight > 1, $"Expected concurrent Key Vault requests, but observed max in-flight = {maxInFlight}."); + } + + [Fact] + public void ParallelSecretResolution_DisabledByDefault_RunsSequentially() + { + const int referenceCount = 5; + var settings = new List(); + + for (int i = 0; i < referenceCount; i++) + { + settings.Add(ConfigurationModelFactory.ConfigurationSetting( + key: $"Key{i}", + value: $@"{{""uri"":""https://keyvault-theclassics.vault.azure.net/secrets/Secret{i}""}}", + eTag: new ETag($"etag-{i}"), + contentType: KeyVaultConstants.ContentType + "; charset=utf-8")); + } + + int inFlight = 0; + int maxInFlight = 0; + var inFlightLock = new object(); + + var mockClient = new Mock(MockBehavior.Strict); + mockClient.Setup(c => c.GetConfigurationSettingsAsync(It.IsAny(), It.IsAny())) + .Returns(new MockAsyncPageable(settings)); + + var mockSecretClient = new Mock(MockBehavior.Strict); + mockSecretClient.SetupGet(client => client.VaultUri).Returns(new Uri("https://keyvault-theclassics.vault.azure.net")); + mockSecretClient.Setup(client => client.GetSecretAsync(It.IsAny(), It.IsAny(), It.IsAny())) + .Returns(async (string name, string version, CancellationToken cancellationToken) => + { + lock (inFlightLock) + { + inFlight++; + if (inFlight > maxInFlight) + { + maxInFlight = inFlight; + } + } + + try + { + await Task.Delay(20, cancellationToken).ConfigureAwait(false); + } + finally + { + lock (inFlightLock) + { + inFlight--; + } + } + + return (Response)new MockResponse(new KeyVaultSecret(name, $"value-of-{name}")); + }); + + new ConfigurationBuilder() + .AddAzureAppConfiguration(options => + { + options.ClientManager = TestHelpers.CreateMockedConfigurationClientManager(mockClient.Object); + options.ConfigureKeyVault(kv => kv.Register(mockSecretClient.Object)); + }) + .Build(); + + // Default (sequential) path should never have more than one in-flight Key Vault request. + Assert.Equal(1, maxInFlight); + } } } From 3567b4911fd024c7c103301c9cafeac26220859b Mon Sep 17 00:00:00 2001 From: "Lingling Ye (from Dev Box)" Date: Wed, 20 May 2026 17:00:16 +0800 Subject: [PATCH 2/5] only parallelize kvr --- .../AzureAppConfigurationProvider.cs | 47 +++++++++++++++---- 1 file changed, 38 insertions(+), 9 deletions(-) diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs index f865c8d16..3d2ccd36c 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs @@ -15,6 +15,7 @@ using System.Linq; using System.Net; using System.Net.Http; +using System.Net.Mime; using System.Net.Sockets; using System.Text; using System.Threading; @@ -629,11 +630,16 @@ private async Task> PrepareData(Dictionary>>>(data.Count); + // Only Key Vault references perform network I/O during adapter processing; other + // adapters complete synchronously. To avoid the overhead of wrapping non-I/O work + // in tasks, only Key Vault references are dispatched concurrently. Non-Key Vault + // settings are processed inline in their original order; their results, along with + // those of the in-flight Key Vault tasks, are merged in insertion order to preserve + // prefix-stripping and last-write-wins behavior. + var results = new IEnumerable>[data.Count]; + var pendingKeyVaultTasks = new List<(int Index, Task>> Task)>(); + + int index = 0; foreach (KeyValuePair kvp in data) { @@ -642,14 +648,31 @@ private async Task> PrepareData(Dictionary>[] results = await Task.WhenAll(pendingTasks).ConfigureAwait(false); + if (pendingKeyVaultTasks.Count > 0) + { + await Task.WhenAll(pendingKeyVaultTasks.Select(p => p.Task)).ConfigureAwait(false); + + foreach ((int Index, Task>> Task) entry in pendingKeyVaultTasks) + { + results[entry.Index] = entry.Task.Result; + } + } - for (int i = 0; i < results.Length; i++) + foreach (IEnumerable> keyValuePairs in results) { - MergeIntoApplicationData(applicationData, results[i]); + MergeIntoApplicationData(applicationData, keyValuePairs); } } else @@ -672,6 +695,12 @@ private async Task> PrepareData(Dictionary applicationData, IEnumerable> keyValuePairs) { foreach (KeyValuePair kv in keyValuePairs) From 8843c4479d582aee0288daf9b707981088e687e6 Mon Sep 17 00:00:00 2001 From: "Lingling Ye (from Dev Box)" Date: Tue, 26 May 2026 10:18:31 +0800 Subject: [PATCH 3/5] resolve comments --- .../AzureAppConfigurationProvider.cs | 100 +++++--------- .../AzureKeyVaultSecretProvider.cs | 123 +++++------------- 2 files changed, 67 insertions(+), 156 deletions(-) diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs index 3d2ccd36c..50017a736 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs @@ -628,67 +628,56 @@ private async Task> PrepareData(Dictionary>[data.Count]; - var pendingKeyVaultTasks = new List<(int Index, Task>> Task)>(); - - int index = 0; + // Only Key Vault references perform network I/O during adapter processing; other + // adapters complete synchronously. When parallel resolution is enabled, Key Vault + // references are dispatched concurrently while non-Key Vault settings are processed + // inline. Results are merged once at the end. + var results = new List>>(data.Count); + List>>> pendingKeyVaultTasks = parallelSecretResolution + ? new List>>>() + : null; - foreach (KeyValuePair kvp in data) + foreach (KeyValuePair kvp in data) + { + if (_requestTracingEnabled && _requestTracingOptions != null) { - if (_requestTracingEnabled && _requestTracingOptions != null) - { - _requestTracingOptions.UpdateAiConfigurationTracing(kvp.Value.ContentType); - } - - if (IsKeyVaultReference(kvp.Value)) - { - pendingKeyVaultTasks.Add((index, ProcessAdapters(kvp.Value, cancellationToken))); - } - else - { - results[index] = await ProcessAdapters(kvp.Value, cancellationToken).ConfigureAwait(false); - } - - index++; + _requestTracingOptions.UpdateAiConfigurationTracing(kvp.Value.ContentType); } - if (pendingKeyVaultTasks.Count > 0) + if (parallelSecretResolution && IsKeyVaultReference(kvp.Value)) { - await Task.WhenAll(pendingKeyVaultTasks.Select(p => p.Task)).ConfigureAwait(false); - - foreach ((int Index, Task>> Task) entry in pendingKeyVaultTasks) - { - results[entry.Index] = entry.Task.Result; - } + pendingKeyVaultTasks.Add(ProcessAdapters(kvp.Value, cancellationToken)); } - - foreach (IEnumerable> keyValuePairs in results) + else { - MergeIntoApplicationData(applicationData, keyValuePairs); + results.Add(await ProcessAdapters(kvp.Value, cancellationToken).ConfigureAwait(false)); } } - else + + if (pendingKeyVaultTasks?.Count > 0) + { + IEnumerable>[] keyVaultResults = + await Task.WhenAll(pendingKeyVaultTasks).ConfigureAwait(false); + + results.AddRange(keyVaultResults); + } + + foreach (IEnumerable> keyValuePairs in results) { - foreach (KeyValuePair kvp in data) + foreach (KeyValuePair kv in keyValuePairs) { - IEnumerable> keyValuePairs = null; + string key = kv.Key; - if (_requestTracingEnabled && _requestTracingOptions != null) + foreach (string prefix in _options.KeyPrefixes) { - _requestTracingOptions.UpdateAiConfigurationTracing(kvp.Value.ContentType); + if (key.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) + { + key = key.Substring(prefix.Length); + break; + } } - keyValuePairs = await ProcessAdapters(kvp.Value, cancellationToken).ConfigureAwait(false); - - MergeIntoApplicationData(applicationData, keyValuePairs); + applicationData[key] = kv.Value; } } @@ -701,25 +690,6 @@ private static bool IsKeyVaultReference(ConfigurationSetting setting) && contentType.IsKeyVaultReference(); } - private void MergeIntoApplicationData(Dictionary applicationData, IEnumerable> keyValuePairs) - { - foreach (KeyValuePair kv in keyValuePairs) - { - string key = kv.Key; - - foreach (string prefix in _options.KeyPrefixes) - { - if (key.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) - { - key = key.Substring(prefix.Length); - break; - } - } - - applicationData[key] = kv.Value; - } - } - private async Task LoadAsync(bool ignoreFailures, CancellationToken cancellationToken) { var startupStopwatch = Stopwatch.StartNew(); diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultSecretProvider.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultSecretProvider.cs index af03bcef9..696e02a7c 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultSecretProvider.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultSecretProvider.cs @@ -4,8 +4,8 @@ using Azure.Security.KeyVault.Secrets; using Microsoft.Extensions.Configuration.AzureAppConfiguration.Extensions; using System; +using System.Collections.Concurrent; using System.Collections.Generic; -using System.Linq; using System.Threading; using System.Threading.Tasks; @@ -14,17 +14,14 @@ namespace Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureKeyVault internal class AzureKeyVaultSecretProvider { private readonly AzureAppConfigurationKeyVaultOptions _keyVaultOptions; - private readonly IDictionary _secretClients; - private readonly Dictionary _cachedKeyVaultSecrets; - private readonly object _cacheLock = new object(); - private Uri _nextRefreshSourceId; - private DateTimeOffset? _nextRefreshTime; + private readonly ConcurrentDictionary _secretClients; + private readonly ConcurrentDictionary _cachedKeyVaultSecrets; public AzureKeyVaultSecretProvider(AzureAppConfigurationKeyVaultOptions keyVaultOptions = null) { _keyVaultOptions = keyVaultOptions ?? new AzureAppConfigurationKeyVaultOptions(); - _cachedKeyVaultSecrets = new Dictionary(); - _secretClients = new Dictionary(StringComparer.OrdinalIgnoreCase); + _cachedKeyVaultSecrets = new ConcurrentDictionary(); + _secretClients = new ConcurrentDictionary(StringComparer.OrdinalIgnoreCase); if (_keyVaultOptions.SecretClients != null) { @@ -39,19 +36,15 @@ public AzureKeyVaultSecretProvider(AzureAppConfigurationKeyVaultOptions keyVault public async Task GetSecretValue(KeyVaultSecretIdentifier secretIdentifier, string key, string label, Logger logger, CancellationToken cancellationToken) { string secretValue = null; - SecretClient client; - lock (_cacheLock) + if (_cachedKeyVaultSecrets.TryGetValue(secretIdentifier.SourceId, out CachedKeyVaultSecret cachedHit) && + (!cachedHit.RefreshAt.HasValue || DateTimeOffset.UtcNow < cachedHit.RefreshAt.Value)) { - if (_cachedKeyVaultSecrets.TryGetValue(secretIdentifier.SourceId, out CachedKeyVaultSecret cachedHit) && - (!cachedHit.RefreshAt.HasValue || DateTimeOffset.UtcNow < cachedHit.RefreshAt.Value)) - { - return cachedHit.SecretValue; - } - - client = GetSecretClient(secretIdentifier.SourceId); + return cachedHit.SecretValue; } + SecretClient client = GetSecretClient(secretIdentifier.SourceId); + if (client == null && _keyVaultOptions.SecretResolver == null) { throw new UnauthorizedAccessException("No key vault credential or secret resolver callback configured, and no matching secret client could be found."); @@ -79,10 +72,7 @@ public async Task GetSecretValue(KeyVaultSecretIdentifier secretIdentifi } finally { - lock (_cacheLock) - { - SetSecretInCache(secretIdentifier.SourceId, key, cachedSecret, success); - } + SetSecretInCache(secretIdentifier.SourceId, key, cachedSecret, success); } return secretValue; @@ -90,51 +80,35 @@ public async Task GetSecretValue(KeyVaultSecretIdentifier secretIdentifi public bool ShouldRefreshKeyVaultSecrets() { - lock (_cacheLock) + DateTimeOffset utcNow = DateTimeOffset.UtcNow; + + foreach (KeyValuePair secret in _cachedKeyVaultSecrets) { - return _nextRefreshTime.HasValue && _nextRefreshTime.Value < DateTimeOffset.UtcNow; + if (secret.Value.RefreshAt.HasValue && secret.Value.RefreshAt.Value < utcNow) + { + return true; + } } + + return false; } public void ClearCache() { - lock (_cacheLock) - { - var sourceIdsToRemove = new List(); + DateTimeOffset utcNow = DateTimeOffset.UtcNow; - var utcNow = DateTimeOffset.UtcNow; - - foreach (KeyValuePair secret in _cachedKeyVaultSecrets) - { - if (secret.Value.LastRefreshTime + RefreshConstants.MinimumSecretRefreshInterval < utcNow) - { - sourceIdsToRemove.Add(secret.Key); - } - } - - foreach (Uri sourceId in sourceIdsToRemove) - { - _cachedKeyVaultSecrets.Remove(sourceId); - } - - if (_cachedKeyVaultSecrets.Any()) + foreach (KeyValuePair secret in _cachedKeyVaultSecrets) + { + if (secret.Value.LastRefreshTime + RefreshConstants.MinimumSecretRefreshInterval < utcNow) { - UpdateNextRefreshableSecretFromCache(); + _cachedKeyVaultSecrets.TryRemove(secret.Key, out _); } } } public void RemoveSecretFromCache(Uri sourceId) { - lock (_cacheLock) - { - _cachedKeyVaultSecrets.Remove(sourceId); - - if (sourceId == _nextRefreshSourceId) - { - UpdateNextRefreshableSecretFromCache(); - } - } + _cachedKeyVaultSecrets.TryRemove(sourceId, out _); } private SecretClient GetSecretClient(Uri secretUri) @@ -151,14 +125,12 @@ private SecretClient GetSecretClient(Uri secretUri) return null; } - client = new SecretClient( - new Uri(secretUri.GetLeftPart(UriPartial.Authority)), - _keyVaultOptions.Credential, - _keyVaultOptions.ClientOptions); - - _secretClients.Add(keyVaultId, client); - - return client; + return _secretClients.GetOrAdd( + keyVaultId, + _ => new SecretClient( + new Uri(secretUri.GetLeftPart(UriPartial.Authority)), + _keyVaultOptions.Credential, + _keyVaultOptions.ClientOptions)); } private void SetSecretInCache(Uri sourceId, string key, CachedKeyVaultSecret cachedSecret, bool success = true) @@ -170,37 +142,6 @@ private void SetSecretInCache(Uri sourceId, string key, CachedKeyVaultSecret cac UpdateCacheExpirationTimeForSecret(key, cachedSecret, success); _cachedKeyVaultSecrets[sourceId] = cachedSecret; - - if (sourceId == _nextRefreshSourceId) - { - UpdateNextRefreshableSecretFromCache(); - } - else if ((cachedSecret.RefreshAt.HasValue && _nextRefreshTime.HasValue && cachedSecret.RefreshAt.Value < _nextRefreshTime.Value) - || (cachedSecret.RefreshAt.HasValue && !_nextRefreshTime.HasValue)) - { - _nextRefreshSourceId = sourceId; - _nextRefreshTime = cachedSecret.RefreshAt.Value; - } - } - - private void UpdateNextRefreshableSecretFromCache() - { - _nextRefreshSourceId = null; - _nextRefreshTime = DateTimeOffset.MaxValue; - - foreach (KeyValuePair secret in _cachedKeyVaultSecrets) - { - if (secret.Value.RefreshAt.HasValue && secret.Value.RefreshAt.Value < _nextRefreshTime) - { - _nextRefreshTime = secret.Value.RefreshAt; - _nextRefreshSourceId = secret.Key; - } - } - - if (_nextRefreshTime == DateTimeOffset.MaxValue) - { - _nextRefreshTime = null; - } } private void UpdateCacheExpirationTimeForSecret(string key, CachedKeyVaultSecret cachedSecret, bool success) From af2dd46ec415632a6d97ad5588c95f2c4e54b280 Mon Sep 17 00:00:00 2001 From: "Lingling Ye (from Dev Box)" Date: Thu, 28 May 2026 14:44:02 +0800 Subject: [PATCH 4/5] resolve comments --- .../AzureAppConfigurationOptions.cs | 6 ++-- .../AzureAppConfigurationProvider.cs | 34 +++++++++---------- .../AzureKeyVaultKeyValueAdapter.cs | 8 ++--- .../AzureKeyVaultSecretProvider.cs | 20 +++++------ .../ConfigurationSettingExtensions.cs | 19 +++++++++++ 5 files changed, 49 insertions(+), 38 deletions(-) create mode 100644 src/Microsoft.Extensions.Configuration.AzureAppConfiguration/Extensions/ConfigurationSettingExtensions.cs diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationOptions.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationOptions.cs index 8fd34d477..68862f518 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationOptions.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationOptions.cs @@ -137,17 +137,17 @@ internal IEnumerable Adapters /// /// Flag to indicate whether Key Vault options have been configured. /// - internal bool IsKeyVaultConfigured { get; private set; } = false; + internal bool IsKeyVaultConfigured { get; private set; } /// /// Flag to indicate whether Key Vault secret values will be refreshed automatically. /// - internal bool IsKeyVaultRefreshConfigured { get; private set; } = false; + internal bool IsKeyVaultRefreshConfigured { get; private set; } /// /// Flag to indicate whether Key Vault references should be resolved in parallel. /// - internal bool IsParallelSecretResolutionEnabled { get; private set; } = false; + internal bool IsParallelSecretResolutionEnabled { get; private set; } /// /// Indicates all feature flag features used by the application. diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs index 50017a736..419421aa3 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs @@ -15,7 +15,6 @@ using System.Linq; using System.Net; using System.Net.Http; -using System.Net.Mime; using System.Net.Sockets; using System.Text; using System.Threading; @@ -631,12 +630,15 @@ private async Task> PrepareData(Dictionary>>(data.Count); - List>>> pendingKeyVaultTasks = parallelSecretResolution - ? new List>>>() + // inline. Results are slotted by index so that the original ordering of settings + // (and the selector precedence it encodes) is preserved. + var results = new IEnumerable>[data.Count]; + List<(int Index, Task>> Task)> pendingKeyVaultTasks = parallelSecretResolution + ? new List<(int, Task>>)>() : null; + int index = 0; + foreach (KeyValuePair kvp in data) { if (_requestTracingEnabled && _requestTracingOptions != null) @@ -644,22 +646,26 @@ private async Task> PrepareData(Dictionary 0) { - IEnumerable>[] keyVaultResults = - await Task.WhenAll(pendingKeyVaultTasks).ConfigureAwait(false); + await Task.WhenAll(pendingKeyVaultTasks.Select(p => p.Task)).ConfigureAwait(false); - results.AddRange(keyVaultResults); + foreach ((int Index, Task>> Task) entry in pendingKeyVaultTasks) + { + results[entry.Index] = entry.Task.Result; + } } foreach (IEnumerable> keyValuePairs in results) @@ -684,12 +690,6 @@ private async Task> PrepareData(Dictionary GetSecretValue(KeyVaultSecretIdentifier secretIdentifi { string secretValue = null; - if (_cachedKeyVaultSecrets.TryGetValue(secretIdentifier.SourceId, out CachedKeyVaultSecret cachedHit) && - (!cachedHit.RefreshAt.HasValue || DateTimeOffset.UtcNow < cachedHit.RefreshAt.Value)) + if (_cachedKeyVaultSecrets.TryGetValue(secretIdentifier.SourceId, out CachedKeyVaultSecret cachedSecret) && + (!cachedSecret.RefreshAt.HasValue || DateTimeOffset.UtcNow < cachedSecret.RefreshAt.Value)) { - return cachedHit.SecretValue; + return cachedSecret.SecretValue; } SecretClient client = GetSecretClient(secretIdentifier.SourceId); @@ -50,7 +50,7 @@ public async Task GetSecretValue(KeyVaultSecretIdentifier secretIdentifi throw new UnauthorizedAccessException("No key vault credential or secret resolver callback configured, and no matching secret client could be found."); } - CachedKeyVaultSecret cachedSecret = null; + CachedKeyVaultSecret updatedCachedSecret = null; bool success = false; try @@ -67,12 +67,12 @@ public async Task GetSecretValue(KeyVaultSecretIdentifier secretIdentifi secretValue = await _keyVaultOptions.SecretResolver(secretIdentifier.SourceId).ConfigureAwait(false); } - cachedSecret = new CachedKeyVaultSecret(secretValue, secretIdentifier.SourceId); + updatedCachedSecret = new CachedKeyVaultSecret(secretValue, secretIdentifier.SourceId); success = true; } finally { - SetSecretInCache(secretIdentifier.SourceId, key, cachedSecret, success); + SetSecretInCache(secretIdentifier.SourceId, key, updatedCachedSecret, success); } return secretValue; @@ -80,11 +80,9 @@ public async Task GetSecretValue(KeyVaultSecretIdentifier secretIdentifi public bool ShouldRefreshKeyVaultSecrets() { - DateTimeOffset utcNow = DateTimeOffset.UtcNow; - foreach (KeyValuePair secret in _cachedKeyVaultSecrets) { - if (secret.Value.RefreshAt.HasValue && secret.Value.RefreshAt.Value < utcNow) + if (secret.Value.RefreshAt.HasValue && secret.Value.RefreshAt.Value < DateTimeOffset.UtcNow) { return true; } @@ -95,11 +93,9 @@ public bool ShouldRefreshKeyVaultSecrets() public void ClearCache() { - DateTimeOffset utcNow = DateTimeOffset.UtcNow; - foreach (KeyValuePair secret in _cachedKeyVaultSecrets) { - if (secret.Value.LastRefreshTime + RefreshConstants.MinimumSecretRefreshInterval < utcNow) + if (secret.Value.LastRefreshTime + RefreshConstants.MinimumSecretRefreshInterval < DateTimeOffset.UtcNow) { _cachedKeyVaultSecrets.TryRemove(secret.Key, out _); } diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/Extensions/ConfigurationSettingExtensions.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/Extensions/ConfigurationSettingExtensions.cs new file mode 100644 index 000000000..28639337c --- /dev/null +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/Extensions/ConfigurationSettingExtensions.cs @@ -0,0 +1,19 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. +// +using Azure.Data.AppConfiguration; +using Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureKeyVault; +using System.Net.Mime; + +namespace Microsoft.Extensions.Configuration.AzureAppConfiguration.Extensions +{ + internal static class ConfigurationSettingExtensions + { + public static bool IsKeyVaultReference(this ConfigurationSetting setting) + { + return setting != null + && setting.ContentType.TryParseContentType(out ContentType contentType) + && contentType.IsKeyVaultReference(); + } + } +} From a2783823373318f2314b67a7a290d99c41bca2d4 Mon Sep 17 00:00:00 2001 From: "Lingling Ye (from Dev Box)" Date: Thu, 28 May 2026 20:16:45 +0800 Subject: [PATCH 5/5] add PreloadAsync --- .../AzureAppConfigurationProvider.cs | 47 +++--------- .../AzureKeyVaultKeyValueAdapter.cs | 73 +++++++++++++++++++ .../FeatureManagementKeyValueAdapter.cs | 5 ++ .../IKeyValueAdapter.cs | 4 + .../JsonKeyValueAdapter.cs | 5 ++ 5 files changed, 98 insertions(+), 36 deletions(-) diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs index 419421aa3..98247d430 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureAppConfigurationProvider.cs @@ -625,19 +625,16 @@ private async Task> PrepareData(Dictionary>[data.Count]; - List<(int Index, Task>> Task)> pendingKeyVaultTasks = parallelSecretResolution - ? new List<(int, Task>>)>() - : null; - - int index = 0; + // When parallel secret resolution is enabled, let each adapter pre-warm its caches + // (Key Vault references are dispatched concurrently here) so the sequential loop below + // can process settings in the original order without losing precedence on key collisions. + if (_options.IsParallelSecretResolutionEnabled) + { + await Task.WhenAll( + _options.Adapters.Select(adapter => + adapter.PreloadAsync(data.Values, _logger, cancellationToken))) + .ConfigureAwait(false); + } foreach (KeyValuePair kvp in data) { @@ -646,30 +643,8 @@ private async Task> PrepareData(Dictionary> keyValuePairs = await ProcessAdapters(kvp.Value, cancellationToken).ConfigureAwait(false); - if (pendingKeyVaultTasks?.Count > 0) - { - await Task.WhenAll(pendingKeyVaultTasks.Select(p => p.Task)).ConfigureAwait(false); - - foreach ((int Index, Task>> Task) entry in pendingKeyVaultTasks) - { - results[entry.Index] = entry.Task.Result; - } - } - - foreach (IEnumerable> keyValuePairs in results) - { foreach (KeyValuePair kv in keyValuePairs) { string key = kv.Key; diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultKeyValueAdapter.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultKeyValueAdapter.cs index ef0fda913..5e7118ab5 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultKeyValueAdapter.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/AzureKeyVaultReference/AzureKeyVaultKeyValueAdapter.cs @@ -112,6 +112,79 @@ public bool NeedsRefresh() return _secretProvider.ShouldRefreshKeyVaultSecrets(); } + public async Task PreloadAsync(IEnumerable settings, Logger logger, CancellationToken cancellationToken) + { + if (settings == null) + { + return; + } + + HashSet seen = null; + List<(KeyVaultSecretIdentifier Identifier, string Key, string Label)> toFetch = null; + + foreach (ConfigurationSetting setting in settings) + { + if (!CanProcess(setting)) + { + continue; + } + + string secretRefUri = ParseSecretReferenceUri(setting); + + if (string.IsNullOrEmpty(secretRefUri) || + !Uri.TryCreate(secretRefUri, UriKind.Absolute, out Uri secretUri) || + !KeyVaultSecretIdentifier.TryCreate(secretUri, out KeyVaultSecretIdentifier secretIdentifier)) + { + // Invalid references are surfaced from ProcessKeyValue with full exception context. + continue; + } + + seen = seen ?? new HashSet(); + + if (!seen.Add(secretIdentifier.SourceId)) + { + continue; + } + + toFetch = toFetch ?? new List<(KeyVaultSecretIdentifier, string, string)>(); + toFetch.Add((secretIdentifier, setting.Key, setting.Label)); + } + + if (toFetch == null) + { + return; + } + + var tasks = new Task[toFetch.Count]; + + for (int i = 0; i < toFetch.Count; i++) + { + (KeyVaultSecretIdentifier identifier, string key, string label) = toFetch[i]; + tasks[i] = PreloadSecretAsync(identifier, key, label, logger, cancellationToken); + } + + await Task.WhenAll(tasks).ConfigureAwait(false); + } + + private async Task PreloadSecretAsync(KeyVaultSecretIdentifier identifier, string key, string label, Logger logger, CancellationToken cancellationToken) + { + try + { + await _secretProvider.GetSecretValue(identifier, key, label, logger, cancellationToken).ConfigureAwait(false); + } + catch (OperationCanceledException) + { + throw; + } + catch + { + // Per-secret failures are deferred so ProcessKeyValue can throw a properly populated + // KeyVaultReferenceException. Evict the negative cache entry written by GetSecretValue + // so the retry actually re-fetches instead of returning a cached null within the backoff. + _secretProvider.RemoveSecretFromCache(identifier.SourceId); + } + } + private string ParseSecretReferenceUri(ConfigurationSetting setting) { string secretRefUri = null; diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/FeatureManagement/FeatureManagementKeyValueAdapter.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/FeatureManagement/FeatureManagementKeyValueAdapter.cs index fdd7f2fdf..a3431cd7b 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/FeatureManagement/FeatureManagementKeyValueAdapter.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/FeatureManagement/FeatureManagementKeyValueAdapter.cs @@ -87,6 +87,11 @@ public void OnConfigUpdated() return; } + public Task PreloadAsync(IEnumerable settings, Logger logger, CancellationToken cancellationToken) + { + return Task.CompletedTask; + } + private List> ProcessDotnetSchemaFeatureFlag(FeatureFlag featureFlag, ConfigurationSetting setting, Uri endpoint) { var keyValues = new List>(); diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/IKeyValueAdapter.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/IKeyValueAdapter.cs index de13314e1..9dddc0e02 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/IKeyValueAdapter.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/IKeyValueAdapter.cs @@ -13,6 +13,10 @@ internal interface IKeyValueAdapter { Task>> ProcessKeyValue(ConfigurationSetting setting, Uri endpoint, Logger logger, CancellationToken cancellationToken); + // Pre-warm any per-setting state (e.g. Key Vault secret cache) before ProcessKeyValue is invoked + // on each setting. Adapters with no pre-fetchable state can return a completed task. + Task PreloadAsync(IEnumerable settings, Logger logger, CancellationToken cancellationToken); + bool CanProcess(ConfigurationSetting setting); void OnChangeDetected(ConfigurationSetting setting = null); diff --git a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/JsonKeyValueAdapter.cs b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/JsonKeyValueAdapter.cs index d353439fd..9d8826e78 100644 --- a/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/JsonKeyValueAdapter.cs +++ b/src/Microsoft.Extensions.Configuration.AzureAppConfiguration/JsonKeyValueAdapter.cs @@ -80,5 +80,10 @@ public bool NeedsRefresh() { return false; } + + public Task PreloadAsync(IEnumerable settings, Logger logger, CancellationToken cancellationToken) + { + return Task.CompletedTask; + } } }