Skip to content

Intentions: Add cache for Consul authorization and certificate parsing#61

Merged
aiharos merged 2 commits intomasterfrom
spoe-cache
Jul 30, 2020
Merged

Intentions: Add cache for Consul authorization and certificate parsing#61
aiharos merged 2 commits intomasterfrom
spoe-cache

Conversation

@ShimmerGlass
Copy link
Copy Markdown
Collaborator

@ShimmerGlass ShimmerGlass commented Jun 25, 2020

With intentions enabled, a lot of time is spent parsing the client
certificate and calling consul.
This adds a cache for both, taking care of in flight requests resulting
in much better performance.

@pierresouchay pierresouchay added criteo enhancement New feature or request labels Jul 7, 2020
pierresouchay
pierresouchay reviewed Jul 7, 2020
View reviewed changes
Copy link
Copy Markdown
Collaborator

@pierresouchay pierresouchay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but wonder if we should allow to tune the 2018/1min cache configuration

haproxy/spoe.go
cfg: cfg,
c: c,
cfg: cfg,
certCache: ttlru.New(2048, ttlru.WithTTL(time.Minute)),
Copy link
Copy Markdown
Collaborator

@pierresouchay pierresouchay Jul 7, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is limited to 2048 entries then?

@ShimmerGlass
Copy link
Copy Markdown
Collaborator Author

ShimmerGlass commented Jul 8, 2020

The size of the cache is based on how many service instances will call this one instance in one minute. Additionally, this cache contains pointers that the GC will track and since there is already quite a bit of time spent in the GC I was reluctant having a cache too big.
I don't think this value should be configurable because it's pretty low level and it will be hard to explain / users to configure correctly, but if you think its tool low I can set a higher value.
Note that the goal here is to cache the bulk of certificate parsing (hence lru), it's not a big issue if a small number of requests cache miss.

@pierresouchay
Copy link
Copy Markdown
Collaborator

pierresouchay commented Jul 20, 2020

@dcorbett-haproxy anyone on HAProxy side to review this or can we merge it?

@aiharos
Copy link
Copy Markdown
Collaborator

aiharos commented Jul 27, 2020

Overall this looks ok to merge, but I'm thinking whether it would be useful to have some feedback about the cache hit rate or eviction rate, perhaps at shutdown? If you guys think it's not necessary, I'll merge it as is.

@ShimmerGlass
Intentions: Add cache for Consul authorization and certificate parsing
ed81527 
With intentions enabled, a lot of time is spent parsing the client
certificate and calling consul.
This adds a cache for both, taking care of in flight requests resulting
in much better performance.
@ShimmerGlass
Add cert / auth cache metrics
33bbc5d
@ShimmerGlass
Copy link
Copy Markdown
Collaborator Author

ShimmerGlass commented Jul 28, 2020

@aiharos that's a good point, I've added prometheus metrics to track cache hit ratios

@pierresouchay pierresouchay requested a review from aiharos July 29, 2020 10:37
@aiharos aiharos merged commit fc48722 into master Jul 30, 2020
@ShimmerGlass ShimmerGlass deleted the spoe-cache branch July 30, 2020 12:34
@ShimmerGlass
Copy link
Copy Markdown
Collaborator Author

ShimmerGlass commented Jul 30, 2020

Thank you !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pierresouchay pierresouchay pierresouchay left review comments

@aiharos aiharos Awaiting requested review from aiharos

Assignees

No one assigned

Labels

criteo enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ShimmerGlass @pierresouchay @aiharos