Merge pull request #247 from Kuadrant/caching-for-all

Caching option for all evaluators of all phases

api/v1beta1/auth_config_types.go

@@ -32,12 +32,12 @@ const (
 	MetadataUma                      = "METADATA_UMA"
 	MetadataGenericHTTP              = "METADATA_GENERIC_HTTP"
 	MetadataUserinfo                 = "METADATA_USERINFO"
-	MetadataDefaultCacheTTL          = 60
 	AuthorizationOPA                 = "AUTHORIZATION_OPA"
 	AuthorizationJSONPatternMatching = "AUTHORIZATION_JSON"
 	AuthorizationKubernetesAuthz     = "AUTHORIZATION_KUBERNETESAUTHZ"
 	ResponseWristband                = "RESPONSE_WRISTBAND"
 	ResponseDynamicJSON              = "RESPONSE_DYNAMIC_JSON"
+	EvaluatorDefaultCacheTTL         = 60
 )
 
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
@@ -80,6 +80,15 @@ type JsonProperty struct {
 	ValueFrom ValueFrom `json:"valueFrom,omitempty"`
 }
 
+type EvaluatorCaching struct {
+	// Key used to store the entry in the cache.
+	// Cache entries from different metadata configs are stored and managed separately regardless of the key.
+	Key StaticOrDynamicValue `json:"key"`
+	// Duration (in seconds) of the external data in the cache before pulled again from the source.
+	// +kubebuilder:default:=60
+	TTL int `json:"ttl,omitempty"`
+}
+
 // Specifies the desired state of the AuthConfig resource, i.e. the authencation/authorization scheme to be applied to protect the matching service hosts.
 type AuthConfigSpec struct {
 	// Important: Run "make" to regenerate code after modifying this file
@@ -178,6 +187,10 @@ type Identity struct {
 	// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped.
 	Conditions []JSONPattern `json:"when,omitempty"`
 
+	// Caching options for the identity resolved when applying this config.
+	// Omit it to avoid caching identity objects for this config.
+	Cache *EvaluatorCaching `json:"cache,omitempty"`
+
 	// Defines where client credentials are required to be passed in the request for this identity source/authentication mode.
 	// If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc).
 	Credentials Credentials `json:"credentials,omitempty"`
@@ -268,13 +281,13 @@ type Metadata struct {
 	// If present, all conditions must match for the config to be applied; otherwise, the config will be skipped.
 	Conditions []JSONPattern `json:"when,omitempty"`
 
+	// Caching options for the external metadata fetched when applying this config.
+	// Omit it to avoid caching metadata from this source.
+	Cache *EvaluatorCaching `json:"cache,omitempty"`
+
 	UserInfo    *Metadata_UserInfo    `json:"userInfo,omitempty"`
 	UMA         *Metadata_UMA         `json:"uma,omitempty"`
 	GenericHTTP *Metadata_GenericHTTP `json:"http,omitempty"`
-
-	// Caching options for the external metadata fetched when applying this config.
-	// Omit it to avoid caching metadata from this source.
-	Cache *MetadataCaching `json:"cache,omitempty"`
 }
 
 func (m *Metadata) GetType() string {
@@ -342,15 +355,6 @@ type Metadata_GenericHTTP struct {
 	Credentials Credentials `json:"credentials,omitempty"`
 }
 
-type MetadataCaching struct {
-	// Key used to store the entry in the cache.
-	// Cache entries from different metadata configs are stored and managed separately regardless of the key.
-	Key StaticOrDynamicValue `json:"key"`
-	// Duration (in seconds) of the external data in the cache before pulled again from the source.
-	// +kubebuilder:default:=60
-	TTL int `json:"ttl,omitempty"`
-}
-
 // Authorization policy to be enforced.
 // Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes".
 type Authorization struct {
@@ -372,6 +376,10 @@ type Authorization struct {
 	// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped.
 	Conditions []JSONPattern `json:"when,omitempty"`
 
+	// Caching options for the policy evaluation results when enforcing this config.
+	// Omit it to avoid caching policy evaluation results for this config.
+	Cache *EvaluatorCaching `json:"cache,omitempty"`
+
 	OPA             *Authorization_OPA                 `json:"opa,omitempty"`
 	JSON            *Authorization_JSONPatternMatching `json:"json,omitempty"`
 	KubernetesAuthz *Authorization_KubernetesAuthz     `json:"kubernetes,omitempty"`
@@ -478,6 +486,10 @@ type Response struct {
 	// If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped.
 	Conditions []JSONPattern `json:"when,omitempty"`
 
+	// Caching options for dynamic responses built when applying this config.
+	// Omit it to avoid caching dynamic responses for this config.
+	Cache *EvaluatorCaching `json:"cache,omitempty"`
+
 	// How Authorino wraps the response.
 	// Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata
 	// +kubebuilder:default:=httpHeader

controllers/auth_config_controller.go

@@ -148,6 +148,17 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 			Metrics:            identity.Metrics,
 		}
 
+		if identity.Cache != nil {
+			ttl := identity.Cache.TTL
+			if ttl == 0 {
+				ttl = api.EvaluatorDefaultCacheTTL
+			}
+			translatedIdentity.Cache = evaluators.NewEvaluatorCache(
+				*getJsonFromStaticDynamic(&identity.Cache.Key),
+				ttl,
+			)
+		}
+
 		authCred := auth.NewAuthCredential(identity.Credentials.KeySelector, string(identity.Credentials.In))
 
 		switch identity.GetType() {
@@ -215,9 +226,9 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 		if metadata.Cache != nil {
 			ttl := metadata.Cache.TTL
 			if ttl == 0 {
-				ttl = api.MetadataDefaultCacheTTL
+				ttl = api.EvaluatorDefaultCacheTTL
 			}
-			translatedMetadata.Cache = evaluators.NewMetadataCache(
+			translatedMetadata.Cache = evaluators.NewEvaluatorCache(
 				*getJsonFromStaticDynamic(&metadata.Cache.Key),
 				ttl,
 			)
@@ -322,6 +333,17 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 			Metrics:    authorization.Metrics,
 		}
 
+		if authorization.Cache != nil {
+			ttl := authorization.Cache.TTL
+			if ttl == 0 {
+				ttl = api.EvaluatorDefaultCacheTTL
+			}
+			translatedAuthorization.Cache = evaluators.NewEvaluatorCache(
+				*getJsonFromStaticDynamic(&authorization.Cache.Key),
+				ttl,
+			)
+		}
+
 		switch authorization.GetType() {
 		// opa
 		case api.AuthorizationOPA:
@@ -402,6 +424,17 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 			response.Metrics,
 		)
 
+		if response.Cache != nil {
+			ttl := response.Cache.TTL
+			if ttl == 0 {
+				ttl = api.EvaluatorDefaultCacheTTL
+			}
+			translatedResponse.Cache = evaluators.NewEvaluatorCache(
+				*getJsonFromStaticDynamic(&response.Cache.Key),
+				ttl,
+			)
+		}
+
 		switch response.GetType() {
 		// wristband
 		case api.ResponseWristband:

docs/user-guides.md

@@ -69,6 +69,9 @@ Induce the lookup of an AuthConfig by supplying extended host context, for use c
 - **[Reducing the operational space: sharding, noise and multi-tenancy](./user-guides/sharding.md)**<br/>
 Have multiple instances of Authorino running in the same space (Kubernetes namespace or cluster-scoped), yet watching particular sets of resources.
 
+- **[Caching](./user-guides/caching.md)**<br/>
+Cache auth objects resolved at runtime for any configuration bit of an AuthConfig, for easy access in subsequent requests whenever an arbitrary cache key repeats, until the cache entry expires.
+
 - **[Observability](./user-guides/metrics.md)**<br/>
 Prometheus metrics exported by Authorino.