feat: exposes --external-data-provider-response-cache-ttl via helm chart

[nilekhc]

What this PR does / why we need it:

This PR exposes --external-data-provider-response-cache-ttl via helm chart.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #2977

Special notes for your reviewer:

[codecov-commenter]

Codecov Report

Patch coverage has no change and project coverage change: +0.06% 🎉

Comparison is base (e50ee2f) 53.07% compared to head (deabfd9) 53.14%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2978      +/-   ##
==========================================
+ Coverage   53.07%   53.14%   +0.06%     
==========================================
  Files         135      135              
  Lines       11813    11813              
==========================================
+ Hits         6270     6278       +8     
+ Misses       5055     5049       -6     
+ Partials      488      486       -2     

Flag	Coverage Δ
unittests	53.14% <ø> (+0.06%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 2 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[akashsinghal]

Does the audit deployment also have ED cache response ttl option? From my perspective, it makes sense for audit to have a longer ttl so that results from a single audit interval are consistent. However, admission scenarios should have a shorter ttl? If the ED responds with an error for one of the keys due to some transient error, we should not have such a long ttl before the next request to the ED.

[maxsmythe]

it makes sense for audit to have a longer ttl so that results from a single audit interval are consistent.

To nit:

I don't think a TTL helps with that one way or another, since they are only loosely correlated. If the TTL is too long, it will refresh during the next audit, making that audit's response inconsistent. If an audit cycle runs long, the TTL will still refresh.

Audit, in general, is subject to time aliasing. Since we are reading from the API server (or a watch of resources from the API server), the state of resources can change underneath us as audit progresses.

If point-in-time consistency is important, shift-left via something like a precommit hook is your best bet. At that point, I'd also choose a different caching mechanism, like caching per-run.

If we had the ability to cache "per-session-id", then we could scope the cache duration to a given audit run. This is something we considered, but decided to start with this because of the advantages TTL has for the webhook (which can run multiple validations in parallel).

That being said, I have no objection to being able to express a different TTL value for audit vs. webhook, just important to be clear about the benefit.

[maxsmythe]

If the ED responds with an error for one of the keys due to some transient error, we should not have such a long ttl before the next request to the ED.

IIRC errors are not cached, so any erroneous request would be re-ran as a cache miss.

[akashsinghal]

thanks @maxsmythe for the explanation

[ritazh]

do we not need to set external-data-provider-response-cache-ttl in the audit deployment? since it's a separate controller/deployment from the controller-manager deployment yaml?

[maxsmythe]

We should def. define a TTL both places. I thought the issue was whether they needed to be set to the same value, or if we had knobs for setting different values.

[nilekhc]

I have set it to the same value for now

[ritazh]

LGTM

[nilekhc]

@maxsmythe Could you PTAL when you get a chance? Thanks.

[maxsmythe]

LGTM