Cache secrets in interceptors with Reflector

[tragiclifestories]

Changes

This is an alternative implementation of #585 using client-go's cache package. We create a reflector for secrets across all namespaces and use it as a caching layer for secrets in both the Github/lab webhook parsers and CEL compareSecret calls.

I'm putting this up as a draft to get immediate feedback. Still need to test. Also, now that it's also backing CEL functions, WebhookSecretStore is probably the wrong name ...

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

Describe any user facing changes here, or delete this block.

Examples of user facing changes:
- API changes
- Bug fixes
- Any changes in behavior

[linux-foundation-easycla]

The committers are authorized under a signed CLA.

• ✅ Lawrence Jones (61ddc25)
• ✅ James Turley (8dfdd85, e20bb92, 88e7977)

[tekton-robot]

Hi @tragiclifestories. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jace-ys]

To address your question, maybe just secretStore would work?

[tragiclifestories]

Yes, which of course was what it was when I first wrote this struct def out 😅

[jace-ys]

Not very familiar with the cache store, so curious why we're ignoring the error here?

[tragiclifestories]

It turns out that if you spelunk into the code, error is always nil from this particular store implementation. However, I will probably handle it anyway, since it may turn out that a different store makes more sense in future.

[bigkevmcd]

This looks like a copy/paste mistake?

[tragiclifestories]

it does indeed ...

[bigkevmcd]

Definitely would help with scaling both volume of requests, and triggers that use secrets.

This caching layer is something we do need to consider if we go for a process-based plugin mechanism.

[tragiclifestories]

@bigkevmcd I'll be picking this up again. There are actually a whole host of uncached requests going on in processTrigger and it seems like a lot of caching will be necessary to keep this performant with a lot of triggers.

[tragiclifestories]

So, on further investigation, the fix for this problem implemented in #595 did not work. The reason for this seems to be that the the triggers are executed asynchronously, and thus all immediately stampede to get the secret at the very top of the ExecuteTrigger methods, so in practice you get 100% cache misses, 100% of the time. Which was not what was intended, to put it mildly.

This version speeds things up very significantly compared to master in my tests - more thorough than last time around ;-). It takes about 3s to process the hideous 500-github-trigger YAML I put in the examples in this PR, as opposed to something like 3 minutes on master - and most of that is now due to another, far less severe performance problem with compiling CEL expressions (will raise an issue when I get a second).

[tragiclifestories]

Using NamespaceAll here is probably not a long term solution, since it requires cluster-wide list secrets in RBAC. I guess we could wrap a map of stores here - one per namespace referenced in calls to Get ...

[tragiclifestories]

The interval should probably be configurable here ...

[tekton-robot]

@tragiclifestories: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tekton-robot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Send feedback to tektoncd/plumbing.

[tekton-robot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

[tekton-robot]

@tekton-robot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tragiclifestories]

/reopen

[tekton-robot]

@tragiclifestories: Reopened this PR.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign wlynch
You can assign the PR to them by writing /assign @wlynch in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tragiclifestories]

I hope I'll get some time to update this in the next week or so. Any ideas on how to write tests for this - and why they don't currently pass - very much welcome. FWIW, we've a version of this PR running in production for over a month with no incident.

[tekton-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[tragiclifestories]

/remove-lifecycle stale Promise I'll get to this soon ...

[tragiclifestories]

/remove-lifecycle stale

[tekton-robot]

@tragiclifestories: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bobcatfish]

hey @tragiclifestories ! do you have any strong feelings about us closing this PR for now? You can absolutely re-open it (or open a new one) when you're ready to get back to it

[tragiclifestories]

At this point the rebase would probably take longer than redoing it from scratch 😅 . I think this PR can be closed.

I will try to find a moment to see if the bug still exists - it may well not for all I know ...