Enable SPIRE Agent LRU cache by default #4773

merged 5 commits into from
Jan 20, 2024
6 changes: 6 additions & 0 deletions cmd/spire-agent/cli/run/run.go
Expand Up @@ -122,6 +122,7 @@ type experimentalConfig struct {

UnusedKeyPositions map[string][]token.Pos `hcl:",unusedKeyPositions"`
X509SVIDCacheMaxSize int `hcl:"x509_svid_cache_max_size"`
DisableLRUCache bool `hcl:"disable_lru_cache"`
}

type Command struct {
Expand Down Expand Up @@ -468,6 +469,11 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
ac.UseSyncAuthorizedEntries = c.Agent.Experimental.UseSyncAuthorizedEntries
ac.X509SVIDCacheMaxSize = c.Agent.Experimental.X509SVIDCacheMaxSize

if c.Agent.Experimental.DisableLRUCache && ac.X509SVIDCacheMaxSize != 0 {
Collaborator


is it really experimental disabling LRU cache?

Collaborator


may we add documentation about this configurable?

Contributor Author


Updated the README.

return nil, errors.New("x509_svid_cache_max_size should not be set when disable_lru_cache is set")
}
ac.DisableLRUCache = c.Agent.Experimental.DisableLRUCache

serverHostPort := net.JoinHostPort(c.Agent.ServerAddress, strconv.Itoa(c.Agent.ServerPort))
ac.ServerAddress = fmt.Sprintf("dns:///%s", serverHostPort)

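Review bot: The added guard at `if c.Agent.Experimental.DisableLRUCache && ac.X509SVIDCacheMaxSize != 0` only rejects the combination with `disable_lru_cache`; a negative `x509_svid_cache_max_size` still passes, and because the LRU cache is now selected whenever `disable_lru_cache` is false, that value reaches the LRU constructor instead of falling back to the non-LRU cache as it did under the old `c.SVIDCacheMaxSize > 0` gate in pkg/agent/manager/config.go. Whether the constructor copes with a negative size is not visible here, so a range check next to the new one would make the failure explicit: `if ac.X509SVIDCacheMaxSize < 0 { return nil, errors.New("x509_svid_cache_max_size must not be negative") }`. NewAgentConfig starts and ends outside the hunk.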
28 changes: 28 additions & 0 deletions cmd/spire-agent/cli/run/run_test.go
Expand Up @@ -915,6 +915,34 @@ func TestNewAgentConfig(t *testing.T) {
require.Nil(t, c)
},
},
{
msg: "disable_lru_cache is set",
input: func(c *Config) {
c.Agent.Experimental.DisableLRUCache = true
},
test: func(t *testing.T, c *agent.Config) {
require.True(t, c.DisableLRUCache)
},
},
{
msg: "both disable_lru_cache and x509_svid_cache_max_size are set",
expectError: true,
input: func(c *Config) {
c.Agent.Experimental.DisableLRUCache = true
c.Agent.Experimental.X509SVIDCacheMaxSize = 100
},
test: func(t *testing.T, c *agent.Config) {
require.Nil(t, c)
},
},
{
msg: "disable_lru_cache is not set",
input: func(c *Config) {
},
test: func(t *testing.T, c *agent.Config) {
require.False(t, c.DisableLRUCache)
},
},
{
msg: "allowed_foreign_jwt_claims provided",
input: func(c *Config) {
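Review bot: The new error case at `msg: "both disable_lru_cache and x509_svid_cache_max_size are set"` pins only `expectError: true` and `require.Nil(t, c)`, so any validation failure would satisfy it, not specifically the new check. If the table harness, which sits outside the hunk, exposes the returned error, asserting on it, e.g. `require.ErrorContains(t, err, "disable_lru_cache")`, would tie the case to the new condition. TestNewAgentConfig starts and ends outside the hunk.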
10 changes: 6 additions & 4 deletions doc/spire_agent.md
Expand Up @@ -70,10 +70,12 @@ This may be useful for templating configuration files, for example across differ
| `workload_x509_svid_key_type` | The workload X509 SVID key type <rsa-2048|ec-p256> | ec-p256 |
| `availability_target` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. See [Availability Target](#availability-target) | |

| experimental | Description | Default |
|:------------------|-----------------------------------------------------------------|-------------------------|
| `named_pipe_name` | Pipe name to bind the SPIRE Agent API named pipe (Windows only) | \spire-agent\public\api |
| `sync_interval` | Sync interval with SPIRE server with exponential backoff | 5 sec |
| experimental | Description | Default |
|:---------------------------|-----------------------------------------------------------------------|-------------------------|
| `named_pipe_name` | Pipe name to bind the SPIRE Agent API named pipe (Windows only) | \spire-agent\public\api |
| `sync_interval` | Sync interval with SPIRE server with exponential backoff | 5 sec |
| `x509_svid_cache_max_size` | Soft limit of max number of SVIDs that would be stored in LRU cache | 1000 |
| `disable_lru_cache` | Reverts back to use the SPIRE Agent non-LRU cache for storing SVIDs | false |

### Initial trust bundle configuration

1 change: 1 addition & 0 deletions pkg/agent/agent.go
Expand Up @@ -227,6 +227,7 @@ func (a *Agent) newManager(ctx context.Context, sto storage.Storage, cat catalog
SyncInterval: a.c.SyncInterval,
UseSyncAuthorizedEntries: a.c.UseSyncAuthorizedEntries,
SVIDCacheMaxSize: a.c.X509SVIDCacheMaxSize,
DisableLRUCache: a.c.DisableLRUCache,
SVIDStoreCache: cache,
NodeAttestor: na,
RotationStrategy: rotationutil.NewRotationStrategy(a.c.AvailabilityTarget),
3 changes: 3 additions & 0 deletions pkg/agent/config.go
Expand Up @@ -66,6 +66,9 @@ type Config struct {
// X509SVIDCacheMaxSize is a soft limit of max number of SVIDs that would be stored in cache
X509SVIDCacheMaxSize int

// DisableLRUCache disables the SPIRE Agent LRU cache used for storing SVIDs and fallback to original cache
DisableLRUCache bool

// Trust domain and associated CA bundle
TrustDomain spiffeid.TrustDomain
TrustBundle []*x509.Certificate
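Review bot: The doc comment on the new `DisableLRUCache` field reads awkwardly ("and fallback to original cache") and does not say that the LRU cache is now the default, which is the point of this change. Suggest `// DisableLRUCache disables the LRU cache the agent uses by default for storing SVIDs and falls back to the original cache implementation.` The enclosing Config struct starts and ends outside the hunk.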
4 changes: 3 additions & 1 deletion pkg/agent/manager/cache/lru_cache.go
Expand Up @@ -17,8 +17,10 @@ import (
)

const (
// DefaultSVIDCacheMaxSize is set when svidCacheMaxSize is not provided
DefaultSVIDCacheMaxSize = 1000
SVIDSyncInterval = 500 * time.Millisecond
// SVIDSyncInterval is the interval at which SVIDs are synced with subscribers
SVIDSyncInterval = 500 * time.Millisecond
)

// Cache caches each registration entry, bundles, and JWT SVIDs for the agent.
9 changes: 5 additions & 4 deletions pkg/agent/manager/config.go
Expand Up @@ -39,6 +39,7 @@ type Config struct {
RotationInterval time.Duration
SVIDStoreCache *storecache.Cache
SVIDCacheMaxSize int
DisableLRUCache bool
NodeAttestor nodeattestor.NodeAttestor
RotationStrategy *rotationutil.RotationStrategy

Expand All @@ -65,13 +66,13 @@ func newManager(c *Config) *manager {
}

var cache Cache
if c.SVIDCacheMaxSize > 0 {
if c.DisableLRUCache {
cache = managerCache.New(c.Log.WithField(telemetry.SubsystemName, telemetry.CacheManager), c.TrustDomain, c.Bundle,
c.Metrics)
} else {
// use LRU cache implementation
cache = managerCache.NewLRUCache(c.Log.WithField(telemetry.SubsystemName, telemetry.CacheManager), c.TrustDomain, c.Bundle,
c.Metrics, c.SVIDCacheMaxSize, c.Clk)
} else {
cache = managerCache.New(c.Log.WithField(telemetry.SubsystemName, telemetry.CacheManager), c.TrustDomain, c.Bundle,
c.Metrics)
}

rotCfg := &svid.RotatorConfig{
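Review bot: With the branch inverted to `if c.DisableLRUCache`, `managerCache.NewLRUCache` is now called with `c.SVIDCacheMaxSize` even when it is zero or negative, which the old `c.SVIDCacheMaxSize > 0` condition never allowed. If NewLRUCache substitutes `DefaultSVIDCacheMaxSize` for zero, as the constant's comment in lru_cache.go suggests, zero is fine, but a negative size is not obviously handled and should either be clamped here or rejected where the agent config is validated. The comment `// use LRU cache implementation` could also state that this is the default path, e.g. `// LRU cache is the default; the original cache is used only when DisableLRUCache is set`. newManager's body continues outside the hunk.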