chore: add secrets cache (cloudnative-pg#47)

Signed-off-by: Armando Ruocco <[email protected]>
Signed-off-by: Francesco Canovai <[email protected]>
Co-authored-by: Francesco Canovai <[email protected]>

Author: armru

Makefile

@@ -45,11 +45,11 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=plugin-barman-cloud crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=plugin-barman-cloud crd webhook paths="./api/..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
-	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
+	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
 
 .PHONY: fmt
 fmt: ## Run go fmt against code.

api/v1/doc.go

@@ -0,0 +1,20 @@
+/*
+Copyright The CloudNativePG Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1 contains API Schema definitions for the barmancloud v1 API group
+// +kubebuilder:object:generate=true
+// +groupName=barmancloud.cnpg.io
+package v1

api/v1/objectstore_types.go

@@ -21,14 +21,30 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+// InstanceSidecarConfiguration defines the configuration for the sidecar that runs in the instance pods.
+type InstanceSidecarConfiguration struct {
+	// The expiration time of the cache entries not managed by the informers. Expressed in seconds.
+	// +optional
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=3600
+	// +kubebuilder:default=180
+	CacheTTL *int `json:"cacheTTL,omitempty"`
+}
+
+// GetCacheTTL returns the cache TTL value, defaulting to 180 seconds if not set.
+func (i InstanceSidecarConfiguration) GetCacheTTL() int {
+	if i.CacheTTL == nil {
+		return 180
+	}
+	return *i.CacheTTL
+}
 
 // ObjectStoreSpec defines the desired state of ObjectStore.
 type ObjectStoreSpec struct {
 	Configuration barmanapi.BarmanObjectStoreConfiguration `json:"configuration"`
 
-	// TODO: we add here any exclusive fields for our plugin CRD
+	// +optional
+	InstanceSidecarConfiguration InstanceSidecarConfiguration `json:"instanceSidecarConfiguration,omitempty"`
 }
 
 // ObjectStoreStatus defines the observed state of ObjectStore.
@@ -39,13 +55,16 @@ type ObjectStoreStatus struct {
 
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
+// +genclient
+// +kubebuilder:storageversion
 
 // ObjectStore is the Schema for the objectstores API.
 type ObjectStore struct {
 	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.ObjectMeta `json:"metadata"`
 
-	Spec   ObjectStoreSpec   `json:"spec,omitempty"`
+	Spec ObjectStoreSpec `json:"spec"`
+	// +optional
 	Status ObjectStoreStatus `json:"status,omitempty"`
 }
 

api/v1/zz_generated.deepcopy.go

@@ -378,6 +378,18 @@ spec:
                 required:
                 - destinationPath
                 type: object
+              instanceSidecarConfiguration:
+                description: InstanceSidecarConfiguration defines the configuration
+                  for the sidecar that runs in the instance pods.
+                properties:
+                  cacheTTL:
+                    default: 180
+                    description: The expiration time of the cache entries not managed
+                      by the informers. Expressed in seconds.
+                    maximum: 3600
+                    minimum: 0
+                    type: integer
+                type: object
             required:
             - configuration
             type: object

config/crd/bases/barmancloud.cnpg.io_objectstores.yaml

@@ -9,8 +9,8 @@ require (
 	github.com/cloudnative-pg/barman-cloud v0.0.0-20241105055149-ae6c2408bd14
 	github.com/cloudnative-pg/cloudnative-pg v1.24.1-0.20241113134512-8608232c2813
 	github.com/cloudnative-pg/cnpg-i v0.0.0-20241109002750-8abd359df734
-	github.com/cloudnative-pg/cnpg-i-machinery v0.0.0-20241014090747-e9c2b3738d19
-	github.com/cloudnative-pg/machinery v0.0.0-20241030141148-670a0f16f836
+	github.com/cloudnative-pg/cnpg-i-machinery v0.0.0-20241030141108-7e59fc9f4797
+	github.com/cloudnative-pg/machinery v0.0.0-20241105070525-042a028b767c
 	github.com/onsi/ginkgo/v2 v2.21.0
 	github.com/onsi/gomega v1.35.1
 	github.com/spf13/cobra v1.8.1

go.mod

@@ -24,10 +24,10 @@ github.com/cloudnative-pg/cloudnative-pg v1.24.1-0.20241113134512-8608232c2813 h
 github.com/cloudnative-pg/cloudnative-pg v1.24.1-0.20241113134512-8608232c2813/go.mod h1:f4hObdRVoQtMmVtWqZ6VDZBrI6ok9Td/UMhojQ+EPmk=
 github.com/cloudnative-pg/cnpg-i v0.0.0-20241109002750-8abd359df734 h1:4jq/FUrlAKxu0Kw9PL5lj5Njq8pAnmUpP/kXKOrJAaE=
 github.com/cloudnative-pg/cnpg-i v0.0.0-20241109002750-8abd359df734/go.mod h1:3U7miYasKr2rYCQzrn/IvbSQc0OpYF8ieZt2FKG4nv0=
-github.com/cloudnative-pg/cnpg-i-machinery v0.0.0-20241014090747-e9c2b3738d19 h1:qy+LrScvQpIwt4qeg9FfCJuoC9CbX/kpFGLF8vSobXg=
-github.com/cloudnative-pg/cnpg-i-machinery v0.0.0-20241014090747-e9c2b3738d19/go.mod h1:X6r1fRuUEIAv4+5SSBY2RmQ201K6GcptOXgnmaX/8tY=
-github.com/cloudnative-pg/machinery v0.0.0-20241030141148-670a0f16f836 h1:Hhg+I2QcaPNN5XaSsYb7Xw3PbQlvCA9eDY+SvVf902Q=
-github.com/cloudnative-pg/machinery v0.0.0-20241030141148-670a0f16f836/go.mod h1:+mUFdys1IX+qwQUrV+/i56Tey/mYh8ZzWZYttwivRns=
+github.com/cloudnative-pg/cnpg-i-machinery v0.0.0-20241030141108-7e59fc9f4797 h1:8iaPgTx16yzx8rrhOi99u+GWGp47kqveF9NShElsYKM=
+github.com/cloudnative-pg/cnpg-i-machinery v0.0.0-20241030141108-7e59fc9f4797/go.mod h1:X6r1fRuUEIAv4+5SSBY2RmQ201K6GcptOXgnmaX/8tY=
+github.com/cloudnative-pg/machinery v0.0.0-20241105070525-042a028b767c h1:t0RBU2gBiwJQ9XGeXlHPBYpsTscSKHgB5TfcWaiwanc=
+github.com/cloudnative-pg/machinery v0.0.0-20241105070525-042a028b767c/go.mod h1:uBHGRIk5rt07mO4zjIC1uvGBWTH6PqIiD1PfpvPGZKU=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

go.sum

@@ -0,0 +1,199 @@
+package client
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/cloudnative-pg/machinery/pkg/log"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	v1 "github.com/cloudnative-pg/plugin-barman-cloud/api/v1"
+)
+
+type cachedSecret struct {
+	secret        *corev1.Secret
+	fetchUnixTime int64
+}
+
+// ExtendedClient is an extended client that is capable of caching multiple secrets without relying on informers
+type ExtendedClient struct {
+	client.Client
+	barmanObjectKey client.ObjectKey
+	cachedSecrets   []*cachedSecret
+	mux             *sync.Mutex
+	ttl             int
+}
+
+// NewExtendedClient returns an extended client capable of caching secrets on the 'Get' operation
+func NewExtendedClient(
+	baseClient client.Client,
+	objectStoreKey client.ObjectKey,
+) client.Client {
+	return &ExtendedClient{
+		Client:          baseClient,
+		barmanObjectKey: objectStoreKey,
+		mux:             &sync.Mutex{},
+	}
+}
+
+func (e *ExtendedClient) refreshTTL(ctx context.Context) error {
+	var object v1.ObjectStore
+	if err := e.Get(ctx, e.barmanObjectKey, &object); err != nil {
+		return fmt.Errorf("failed to get the object store while refreshing the TTL parameter: %w", err)
+	}
+
+	e.ttl = object.Spec.InstanceSidecarConfiguration.GetCacheTTL()
+
+	return nil
+}
+
+// Get behaves like the original Get method, but uses a cache for secrets
+func (e *ExtendedClient) Get(
+	ctx context.Context,
+	key client.ObjectKey,
+	obj client.Object,
+	opts ...client.GetOption,
+) error {
+	contextLogger := log.FromContext(ctx).
+		WithName("extended_client").
+		WithValues("name", key.Name, "namespace", key.Namespace)
+
+	if _, ok := obj.(*corev1.Secret); !ok {
+		contextLogger.Trace("not a secret, skipping")
+		return e.Client.Get(ctx, key, obj, opts...)
+	}
+
+	if err := e.refreshTTL(ctx); err != nil {
+		return err
+	}
+
+	if e.isCacheDisabled() {
+		contextLogger.Trace("cache is disabled")
+		return e.Client.Get(ctx, key, obj, opts...)
+	}
+
+	contextLogger.Trace("locking the cache")
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	expiredSecretIndex := -1
+	// check if in cache
+	for idx, cache := range e.cachedSecrets {
+		if cache.secret.Namespace != key.Namespace || cache.secret.Name != key.Name {
+			continue
+		}
+		if e.isExpired(cache.fetchUnixTime) {
+			contextLogger.Trace("secret found, but it is expired")
+			expiredSecretIndex = idx
+			break
+		}
+		contextLogger.Debug("secret found, loading it from cache")
+		cache.secret.DeepCopyInto(obj.(*corev1.Secret))
+		return nil
+	}
+
+	if err := e.Client.Get(ctx, key, obj); err != nil {
+		return err
+	}
+
+	cs := &cachedSecret{
+		secret:        obj.(*corev1.Secret).DeepCopy(),
+		fetchUnixTime: time.Now().Unix(),
+	}
+
+	contextLogger.Debug("setting secret in the cache")
+	if expiredSecretIndex != -1 {
+		e.cachedSecrets[expiredSecretIndex] = cs
+	} else {
+		e.cachedSecrets = append(e.cachedSecrets, cs)
+	}
+
+	return nil
+}
+
+func (e *ExtendedClient) isExpired(unixTime int64) bool {
+	return time.Now().Unix()-unixTime > int64(e.ttl)
+}
+
+func (e *ExtendedClient) isCacheDisabled() bool {
+	const noCache = 0
+	return e.ttl == noCache
+}
+
+// RemoveSecret ensures that a secret is not present in the cache
+func (e *ExtendedClient) RemoveSecret(key client.ObjectKey) {
+	if e.isCacheDisabled() {
+		return
+	}
+
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	for i, cache := range e.cachedSecrets {
+		if cache.secret.Namespace == key.Namespace && cache.secret.Name == key.Name {
+			e.cachedSecrets = append(e.cachedSecrets[:i], e.cachedSecrets[i+1:]...)
+			return
+		}
+	}
+}
+
+// Update behaves like the original Update method, but on secrets it removes the secret from the cache
+func (e *ExtendedClient) Update(
+	ctx context.Context,
+	obj client.Object,
+	opts ...client.UpdateOption,
+) error {
+	if e.isCacheDisabled() {
+		return e.Client.Update(ctx, obj, opts...)
+	}
+
+	if _, ok := obj.(*corev1.Secret); !ok {
+		return e.Client.Update(ctx, obj, opts...)
+	}
+
+	e.RemoveSecret(client.ObjectKeyFromObject(obj))
+
+	return e.Client.Update(ctx, obj, opts...)
+}
+
+// Delete behaves like the original Delete method, but on secrets it removes the secret from the cache
+func (e *ExtendedClient) Delete(
+	ctx context.Context,
+	obj client.Object,
+	opts ...client.DeleteOption,
+) error {
+	if e.isCacheDisabled() {
+		return e.Client.Delete(ctx, obj, opts...)
+	}
+
+	if _, ok := obj.(*corev1.Secret); !ok {
+		return e.Client.Delete(ctx, obj, opts...)
+	}
+
+	e.RemoveSecret(client.ObjectKeyFromObject(obj))
+
+	return e.Client.Delete(ctx, obj, opts...)
+}
+
+// Patch behaves like the original Patch method, but on secrets it removes the secret from the cache
+func (e *ExtendedClient) Patch(
+	ctx context.Context,
+	obj client.Object,
+	patch client.Patch,
+	opts ...client.PatchOption,
+) error {
+	if e.isCacheDisabled() {
+		return e.Client.Patch(ctx, obj, patch, opts...)
+	}
+
+	if _, ok := obj.(*corev1.Secret); !ok {
+		return e.Client.Patch(ctx, obj, patch, opts...)
+	}
+
+	e.RemoveSecret(client.ObjectKeyFromObject(obj))
+
+	return e.Client.Patch(ctx, obj, patch, opts...)
+}