-
Notifications
You must be signed in to change notification settings - Fork 485
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement LRU cache for storing SVIDs in SPIRE Agent #3181
Conversation
49f442a
to
e782b7a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks much!
Sorry, I accidentally accepted this PR by mistake. |
Signed-off-by: Prasad Borole <prasadb@uber.com>
Signed-off-by: Prasad Borole <prasadb@uber.com>
f335665
to
e2b865b
Compare
Signed-off-by: Prasad Borole <prasadb@uber.com>
e2b865b
to
993f1bc
Compare
Signed-off-by: Prasad Borole <prasadb@uber.com>
Signed-off-by: Prasad Borole <prasadb@uber.com>
Signed-off-by: Prasad Borole <prasadb@uber.com>
Signed-off-by: Prasad Borole <prasadb@uber.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few minor comments, otherwise LGTM
Signed-off-by: Prasad Borole <prasadb@uber.com>
bar := makeRegistrationEntry("BAR", "B") | ||
|
||
// check empty result | ||
assert.Equal(t, []*common.RegistrationEntry{}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
assert.Empty()
is also nice for this sort of thing. No need to change here though. We've iterated a lot on this PR already 😀
pkg/agent/manager/sync.go
Outdated
m.cache.SyncSVIDsWithSubscribers() | ||
staleEntries := m.cache.GetStaleEntries() | ||
if len(staleEntries) > 0 { | ||
return m.updateSVIDs(ctx, staleEntries, m.cache) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this contend with the normal sync goroutine? could this cause two goroutines to pick up the same set of stale entries and effectively request the server sign the same SVID twice?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. There's a chance that this may happen. Updated code to put fetching of SVIDs under lock.
Signed-off-by: Prasad Borole <prasadb@uber.com>
data_dir = "/opt/spire/data/server" | ||
log_level = "DEBUG" | ||
ca_ttl = "1h" | ||
default_svid_ttl = "10m" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doesn't this configuration now need to change to use the experimental flag?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The experimental flag is added to agent config and not server config.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Whoops. Wires crossed :) Thanks.
Thanks, @prasadborole1 ! I think we're ready to get this in so we can get some operational experience with it to iron out any remaining issues. |
Signed-off-by: Prasad Borole <prasadb@uber.com> Co-authored-by: Ryan Turner <turner@uber.com>
Updating SPIRE agent SVID cache to be LRU cache. This cache has experimental config fields like
MaxSvidCacheSize
andSVIDCacheExpiryPeriod
.More context: #2940
Testing:
In addition to new integration test, also tested locally with 9k registrations per agent and validated:
DeadlineExceeded
orResourceExhausted
due to huge response size. But validated that SVIDs cache is properly getting constructed.