Description
The current SPIRE authorized entry cache is an immutable data structure that is rebuilt from the database very frequently. Each rebuild places a very large load on the database and delays visibility of entry and agent registration changes (e.g. a change is not noticed until the cache is next rebuilt). #2182 has been open for some time to come up with a better plan.
Work has been underway to replace the authorized entry cache with one that is adjusted dynamically from datastore events. The work is currently behind a feature flag.
This issue documents the work done and the work remaining, and supersedes #2182 as a concrete plan of action.
Here are the pieces of work needed to complete the feature:
- Database schema adjusted and migrations shipped (@faisal-memon, Add entry and node event tables #4379)
- Datastore functionality to populate and prune registration entry related events (@faisal-memon, Populate and prune entry event table #4411)
- Datastore functionality to populate and prune agent related events (@faisal-memon, Populate and prune attested node events #4527)
- Dynamically updatable authorized entry cache data structure (@azdagron, New Mutable Authorized Entry Cache #4451)
- Cache "hydrator" that primes the cache, watches for datastore events, and pushes changes into the cache (@faisal-memon, Populate cache from events #4562)
- Toggle which cache to use in endpoints code based on feature flag (@faisal-memon, Populate cache from events #4562)
- Convert feature flag into experimental flag (@faisal-memon, Make events based cache flag experimental #4723)
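The mechanism the event tables, mutable cache and hydrator items above describe, as an added example that is not SPIRE's code: a hypothetical entry event table, a cache indexed by parent ID that is updated in place rather than rebuilt, and a hydrator that primes the cache once and then folds new events into it. It assumes simplified `Entry`/`EntryEvent` shapes, an in-memory datastore whose event IDs are dense, and polling for new events; event pruning is left out.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
)

// Entry and EntryEvent are simplified shapes constructed for this example, not SPIRE's types.
type Entry struct{ ID, ParentID, SPIFFEID string }
type EntryEvent struct{ EventID int; EntryID string } // one event table row; EventID increases monotonically

// MemDatastore stands in for the database (driven from one goroutine, so unlocked).
type MemDatastore struct{ entries map[string]Entry; events []EntryEvent }

// CreateEntry and DeleteEntry append an event row with each change (in the real design, in the same transaction).
func (d *MemDatastore) CreateEntry(e Entry) { d.entries[e.ID] = e; d.record(e.ID) }
func (d *MemDatastore) DeleteEntry(id string) { delete(d.entries, id); d.record(id) }
func (d *MemDatastore) record(id string) {
	d.events = append(d.events, EntryEvent{EventID: len(d.events) + 1, EntryID: id})
}

// EventsSince returns, in order, every event with an ID greater than eventID (IDs are dense, so ID == offset).
func (d *MemDatastore) EventsSince(eventID int) []EntryEvent { return d.events[eventID:] }

// MutableCache is indexed by parent ID and updated in place; the RWMutex lets handlers read while the hydrator writes.
type MutableCache struct {
	mu       sync.RWMutex
	byID     map[string]Entry
	byParent map[string]map[string]bool
}

func NewMutableCache() *MutableCache { return &MutableCache{byID: map[string]Entry{}, byParent: map[string]map[string]bool{}} }

// Update inserts or replaces an entry, re-indexing it if its parent changed.
func (c *MutableCache) Update(e Entry) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.removeLocked(e.ID)
	c.byID[e.ID] = e
	if c.byParent[e.ParentID] == nil {
		c.byParent[e.ParentID] = map[string]bool{}
	}
	c.byParent[e.ParentID][e.ID] = true
}

func (c *MutableCache) Remove(id string) { c.mu.Lock(); defer c.mu.Unlock(); c.removeLocked(id) }
func (c *MutableCache) removeLocked(id string) {
	if old, ok := c.byID[id]; ok {
		delete(c.byParent[old.ParentID], id)
		delete(c.byID, id)
	}
}

// EntriesForParent returns the sorted IDs of entries whose parent is parentID.
func (c *MutableCache) EntriesForParent(parentID string) []string {
	c.mu.RLock()
	defer c.mu.RUnlock()
	var ids []string
	for id := range c.byParent[parentID] {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// Hydrator primes the cache once, then folds datastore events into it.
type Hydrator struct{ ds *MemDatastore; cache *MutableCache; lastEventID int }

// Prime notes the newest event ID before the full load, so a change racing with the load
// is replayed by the next Poll; replaying is safe because Update and Remove are idempotent.
func (h *Hydrator) Prime() {
	h.lastEventID = len(h.ds.events)
	for _, e := range h.ds.entries {
		h.cache.Update(e)
	}
}

// Poll applies every event newer than the last one seen; a missing entry means it was deleted.
func (h *Hydrator) Poll() int {
	evs := h.ds.EventsSince(h.lastEventID)
	for _, ev := range evs {
		if e, ok := h.ds.entries[ev.EntryID]; ok {
			h.cache.Update(e)
		} else {
			h.cache.Remove(ev.EntryID)
		}
		h.lastEventID = ev.EventID
	}
	return len(evs)
}

func main() {
	ds, cache := &MemDatastore{entries: map[string]Entry{}}, NewMutableCache()
	ds.CreateEntry(Entry{ID: "e1", ParentID: "spiffe://example.org/agent/a", SPIFFEID: "spiffe://example.org/wl/1"})
	h := &Hydrator{ds: ds, cache: cache}
	h.Prime()
	ds.DeleteEntry("e1")
	fmt.Println("applied", h.Poll(), "event(s); cached entries:", len(cache.byID))
}
```

Two details carry the correctness argument: the hydrator records its event watermark before the full load, so anything committed during the load is replayed rather than lost, and an event is resolved by fetching the entry's current state (or its absence) from the datastore, which makes re-applying an event harmless. Compared with the periodic full rebuild, each poll touches only the rows that changed since the last watermark.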