Merge pull request #239 from Kuadrant/metadata-caching

Metadata caching
Kuadrant · Apr 8, 2022 · 59b8588 · 59b8588
2 parents 8371356 + 8013370
commit 59b8588
Show file tree

Hide file tree

Showing 12 changed files with 552 additions and 18 deletions.
diff --git a/api/v1beta1/auth_config_types.go b/api/v1beta1/auth_config_types.go
@@ -32,6 +32,7 @@ const (
 	MetadataUma                      = "METADATA_UMA"
 	MetadataGenericHTTP              = "METADATA_GENERIC_HTTP"
 	MetadataUserinfo                 = "METADATA_USERINFO"
+	MetadataDefaultCacheTTL          = 60
 	AuthorizationOPA                 = "AUTHORIZATION_OPA"
 	AuthorizationJSONPatternMatching = "AUTHORIZATION_JSON"
 	AuthorizationKubernetesAuthz     = "AUTHORIZATION_KUBERNETESAUTHZ"
@@ -247,7 +248,7 @@ type Identity_KubernetesAuth struct {
 type Identity_Anonymous struct{}
 
 // The metadata config.
-// Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "userInfo" or "uma".
+// Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma".
 type Metadata struct {
 	// The name of the metadata source.
 	// It can be used to refer to the resolved metadata object in other configs.
@@ -262,14 +263,18 @@ type Metadata struct {
 	// +kubebuilder:default:=false
 	Metrics bool `json:"metrics,omitempty"`
 
-	// Conditions for Authorino to enforce this metadata config.
-	// If omitted, the config will be enforced for all requests.
-	// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped.
+	// Conditions for Authorino to apply this metadata config.
+	// If omitted, the config will be applied for all requests.
+	// If present, all conditions must match for the config to be applied; otherwise, the config will be skipped.
 	Conditions []JSONPattern `json:"when,omitempty"`
 
 	UserInfo    *Metadata_UserInfo    `json:"userInfo,omitempty"`
 	UMA         *Metadata_UMA         `json:"uma,omitempty"`
 	GenericHTTP *Metadata_GenericHTTP `json:"http,omitempty"`
+
+	// Caching options for the external metadata fetched when applying this config.
+	// Omit it to avoid caching metadata from this source.
+	Cache *MetadataCaching `json:"cache,omitempty"`
 }
 
 func (m *Metadata) GetType() string {
@@ -337,6 +342,15 @@ type Metadata_GenericHTTP struct {
 	Credentials Credentials `json:"credentials,omitempty"`
 }
 
+type MetadataCaching struct {
+	// Key used to store the entry in the cache.
+	// Cache entries from different metadata configs are stored and managed separately regardless of the key.
+	Key StaticOrDynamicValue `json:"key"`
+	// Duration (in seconds) of the external data in the cache before pulled again from the source.
+	// +kubebuilder:default:=60
+	TTL int `json:"ttl,omitempty"`
+}
+
 // Authorization policy to be enforced.
 // Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes".
 type Authorization struct {

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go
@@ -212,6 +212,17 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 			Metrics:    metadata.Metrics,
 		}
 
+		if metadata.Cache != nil {
+			ttl := metadata.Cache.TTL
+			if ttl == 0 {
+				ttl = api.MetadataDefaultCacheTTL
+			}
+			translatedMetadata.Cache = evaluators.NewMetadataCache(
+				*getJsonFromStaticDynamic(&metadata.Cache.Key),
+				ttl,
+			)
+		}
+
 		switch metadata.GetType() {
 		// uma
 		case api.MetadataUma:

diff --git a/docs/user-guides/logging.md b/docs/user-guides/logging.md
@@ -56,7 +56,7 @@ Some typical log messages output by the Authorino service are listed in the tabl
 | logger | level | message | extra values |
 | -------|-------|---------|--------|
 | `authorino` | `info` | "setting instance base logger" | `min level=info\|debug`, `mode=production\|development` |
-| `authorino` | `debug` | "setting up with options" | `WATCH_NAMESPACE`, `AUTH_CONFIG_LABEL_SELECTOR`, `SECRET_LABEL_SELECTOR`, `LOG_LEVEL`, `LOG_MODE`, `EXT_AUTH_GRPC_PORT`, `TLS_CERT`, `TLS_CERT_KEY`, `OIDC_HTTP_PORT`, `OIDC_TLS_CERT`, `OIDC_TLS_CERT_KEY`, `DEEP_METRICS_ENABLED`, `metrics-addr`, `enable-leader-election` |
+| `authorino` | `debug` | "setting up with options" | `WATCH_NAMESPACE`, `AUTH_CONFIG_LABEL_SELECTOR`, `SECRET_LABEL_SELECTOR`, `LOG_LEVEL`, `LOG_MODE`, `EXT_AUTH_GRPC_PORT`, `TLS_CERT`, `TLS_CERT_KEY`, `OIDC_HTTP_PORT`, `OIDC_TLS_CERT`, `OIDC_TLS_CERT_KEY`, `METADATA_CACHE_SIZE`, `DEEP_METRICS_ENABLED`, `metrics-addr`, `enable-leader-election` |
 | `authorino` | `info` | "attempting to acquire leader lease authorino/cb88a58a.authorino.kuadrant.io...\n" | |
 | `authorino` | `info` | "successfully acquired lease authorino/cb88a58a.authorino.kuadrant.io\n" | |
 | `authorino` | `info` | "starting grpc service" | `port`, `tls` |
@@ -129,7 +129,7 @@ The examples below are all with `LOG_LEVEL=debug` and `LOG_MODE=production`.
 
 ```jsonc
 {"level":"info","ts":1634674939.7563884,"logger":"authorino","msg":"setting instance base logger","min level":"debug","mode":"production"}
-{"level":"debug","ts":1634674939.7567484,"logger":"authorino","msg":"setting up with options","WATCH_NAMESPACE":"","AUTH_CONFIG_LABEL_SELECTOR":"","SECRET_LABEL_SELECTOR":"authorino.kuadrant.io/managed-by=authorino","LOG_LEVEL":"debug","LOG_MODE":"production","EXT_AUTH_GRPC_PORT":"50051","TLS_CERT":"/etc/ssl/certs/tls.crt","TLS_CERT_KEY":"/etc/ssl/private/tls.key","OIDC_HTTP_PORT":"8083","OIDC_TLS_CERT":"/etc/ssl/certs/oidc.crt","OIDC_TLS_CERT_KEY":"/etc/ssl/private/oidc.key","metrics-addr":"127.0.0.1:8080","enable-leader-election":true}
+{"level":"debug","ts":1634674939.7567484,"logger":"authorino","msg":"setting up with options","WATCH_NAMESPACE":"","AUTH_CONFIG_LABEL_SELECTOR":"","SECRET_LABEL_SELECTOR":"authorino.kuadrant.io/managed-by=authorino","LOG_LEVEL":"debug","LOG_MODE":"production","EXT_AUTH_GRPC_PORT":"50051","TLS_CERT":"/etc/ssl/certs/tls.crt","TLS_CERT_KEY":"/etc/ssl/private/tls.key","OIDC_HTTP_PORT":"8083","OIDC_TLS_CERT":"/etc/ssl/certs/oidc.crt","OIDC_TLS_CERT_KEY":"/etc/ssl/private/oidc.key","METADATA_CACHE_SIZE":"1","DEEP_METRICS_ENABLED": "false","metrics-addr":"127.0.0.1:8080","enable-leader-election":true}
 {"level":"info","ts":1634674941.0670755,"logger":"authorino.controller-runtime.metrics","msg":"metrics server is starting to listen","addr":"127.0.0.1:8080"}
 {"level":"info","ts":1634674941.0946925,"logger":"authorino","msg":"starting grpc service","port":"50051","tls":true}
 {"level":"info","ts":1634674941.103486,"logger":"authorino","msg":"starting oidc service","port":"8083","tls":true}

diff --git a/go.mod b/go.mod
@@ -3,8 +3,10 @@ module github.com/kuadrant/authorino
 go 1.16
 
 require (
+	github.com/coocood/freecache v1.1.1
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/eko/gocache v1.2.0
 	github.com/envoyproxy/go-control-plane v0.10.1
 	github.com/go-logr/logr v1.2.2
 	github.com/gogo/googleapis v1.3.0