feat: add LRU validation cache with OpenTelemetry metrics #1936
Draft
nissessenap wants to merge 13 commits into sigstore:main from
Conversation
Add tests for the upcoming LRU+TTL cache implementation (sigstore#647). Unit tests cover set/get, TTL expiry, eviction, key isolation, error skipping, and resource version invalidation. Integration tests verify ValidatePolicy cache hit/miss behavior. All tests currently fail to compile (NewLRUCache undefined), confirming the TDD Red phase.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Edvin Norling <edvin.norling@kognic.com>

Add LRUCache implementing ResultCache using hashicorp/golang-lru/v2 expirable. Only successful validations (PolicyResult non-nil) are cached; failed validations are skipped to allow immediate retries. Fix cache key mismatch bug: ref.Name() in Set vs ref.String() in Get caused cache to never hit. Both now use ref.String(). Move cache Set into ValidatePolicy so caching is self-contained regardless of call path.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Edvin Norling <edvin.norling@kognic.com>

Wire the LRU+TTL cache into the validating webhook via --enable-cache, --cache-size, and --cache-ttl flags. Cache is off by default and only injected into the validating admission controller context.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Edvin Norling <edvin.norling@kognic.com>

- Copy CacheResult.Errors slice in LRUCache.Set to prevent callers from mutating cached entries through the shared backing array
- Update copyright year to 2026 on new files (lrucache.go, lrucache_test.go)
- Extract cacheTestFixtures helper to reduce boilerplate in cache integration tests
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Edvin Norling <edvin.norling@kognic.com>
Move cache observability into LRUCache.Get() so the implementation owns its own logging
Bump knative.dev/pkg from v0.0.0-20230612155445 to v0.0.0-20260213150858 to enable OTEL metrics support. Remove stale replace directives for k8s.io/code-generator and k8s.io/kube-openapi that were pinning old incompatible versions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add four OTEL metrics to track cache behavior: cache.operations (hit/miss counter), cache.writes (stored/skipped counter), cache.entries (observable gauge via cache.Len()), and cache.evictions (counter). Uses the global OTEL MeterProvider set up by knative's sharedmain, with race-free entries tracking via callback gauge.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…lback accumulation
Each NewLRUCache call was registering a new observable gauge callback on the global meter with no way to unregister, causing callbacks to accumulate across test runs. Move gauge ownership into the LRUCache struct with a Registration field and Close() method, eliminating the global cacheEntriesLenFunc state entirely.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

All metric instrument definitions now live together in metrics.go. registerEntriesGauge is a plain function that returns metric.Registration, and LRUCache still owns the lifecycle via its gaugeRegistration field and Close() method.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

- `--enable-cache`, `--cache-size`, `--cache-ttl` CLI flags) that caches successful policy validation results per image/CIP/resourceVersion, avoiding redundant signature verification on repeated admission requests
- `cache.operations` (hit/miss counter), `cache.writes` (stored/skipped counter), `cache.entries` (observable gauge via `cache.Len()`), and `cache.evictions` (counter)
- `knative.dev/pkg` to pick up OTEL v1.39.0 transitive dependencies

Depends on #1933 and #1935
When the other PRs are merged I will give this one a second thought. The metric names should probably differ a bit so we can add other metrics.
Details

The cache is disabled by default (`NoCache` no-op implementation). When enabled via `--enable-cache=true`, an `LRUCache` is created and injected into the context. Only successful validations (non-nil `PolicyResult`) are cached; failed validations are never cached to allow retries.

Cache metrics use the global OTEL MeterProvider set up by knative's `sharedmain`. The `cache.entries` gauge uses an observable callback reading `cache.Len()` at collection time, avoiding race conditions from manual increment/decrement bookkeeping. Each `LRUCache` instance owns its gauge registration lifecycle via a `Close()` method.

Test plan

- `ManualReader` with exact value assertions
- `ValidatePolicy` flow
- `go test ./pkg/webhook/` passes
- `go vet ./pkg/webhook/` clean
- `--enable-cache=true` and `metrics-protocol: prometheus`, verify `/metrics` on `:9090` includes `cache_operations_total`, `cache_writes_total`, `cache_entries`, `cache_evictions_total`

🤖 Generated with Claude Code
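The behaviours the commit messages and the Details section describe, shown together in one added example (this is not code from the PR or from the policy-controller repository): only successful validations are stored, the `Errors` slice is copied on `Set`, `Get` and `Set` share one key builder that includes the policy's `resourceVersion`, entries expire by TTL and are evicted LRU-style with hit/miss/eviction counters, and each cache instance owns a gauge registration that `Close()` releases so callbacks do not accumulate. The hashicorp expirable cache and the OTEL meter are replaced by stdlib `container/list` and a map of callbacks so the block runs offline; `PolicyResult`, `CacheResult`, `cacheKey`, the field names and the counter names are assumptions, not the project's API.

```go
package main

import (
	"container/list"
	"fmt"
	"time"
)

// Assumed stand-ins for the webhook's own types; a nil PolicyResult marks a failed validation.
type PolicyResult struct{ Policy string }

type CacheResult struct {
	PolicyResult *PolicyResult
	Errors       []error
}

type entry struct {
	key     string
	val     CacheResult
	expires time.Time
}

// LRUCache is a bounded LRU with a per-entry TTL (stdlib stand-in for the
// hashicorp/golang-lru/v2 expirable cache); the counters mirror cache.operations and cache.evictions.
type LRUCache struct {
	size                    int
	ttl                     time.Duration
	now                     func() time.Time // injectable clock for tests
	ll                      *list.List
	items                   map[string]*list.Element
	unregister              func()
	Hits, Misses, Evictions int
}

// gaugeCallbacks stands in for the global meter's observable-gauge callbacks;
// one registration per NewLRUCache with nothing releasing it is the leak the PR fixed.
var gaugeCallbacks = map[*LRUCache]func() int{}

func NewLRUCache(size int, ttl time.Duration) *LRUCache {
	c := &LRUCache{size: size, ttl: ttl, now: time.Now, ll: list.New(), items: map[string]*list.Element{}}
	gaugeCallbacks[c] = c.Len                           // gauge reads Len() at collection time: no manual +/- bookkeeping
	c.unregister = func() { delete(gaugeCallbacks, c) } // stand-in for the metric.Registration the cache owns
	return c
}

// cacheKey is the one key builder shared by Get and Set, so a ref.Name() vs ref.String()
// mismatch cannot recur; keying on the policy's resourceVersion makes a policy update miss old entries.
func cacheKey(imageRef, cipName, resourceVersion string) string {
	return imageRef + "|" + cipName + "|" + resourceVersion
}

func (c *LRUCache) Get(key string) (CacheResult, bool) {
	el, ok := c.items[key]
	if ok && c.now().After(el.Value.(*entry).expires) { // expired: dropped lazily on access
		c.remove(el)
		ok = false
	}
	if !ok {
		c.Misses++
		return CacheResult{}, false
	}
	c.ll.MoveToFront(el)
	c.Hits++
	return el.Value.(*entry).val, true
}

// Set stores only successful validations; a failed one is skipped so the next admission request re-verifies.
func (c *LRUCache) Set(key string, r CacheResult) bool {
	if r.PolicyResult == nil {
		return false
	}
	if r.Errors != nil { // copy so the caller cannot mutate the cached slice
		r.Errors = append([]error(nil), r.Errors...)
	}
	if el, ok := c.items[key]; ok { // overwrite: drop the stale element first
		c.remove(el)
	}
	c.items[key] = c.ll.PushFront(&entry{key: key, val: r, expires: c.now().Add(c.ttl)})
	if c.ll.Len() > c.size { // over capacity: evict the least recently used
		c.remove(c.ll.Back())
		c.Evictions++
	}
	return true
}

func (c *LRUCache) remove(el *list.Element) {
	c.ll.Remove(el)
	delete(c.items, el.Value.(*entry).key)
}

func (c *LRUCache) Len() int { return c.ll.Len() }
// Close releases the gauge registration so callbacks do not accumulate across instances.
func (c *LRUCache) Close() { c.unregister() }
func main() {
	c := NewLRUCache(100, 5*time.Minute)
	defer c.Close()
	fmt.Println("entries:", c.Len(), "registered gauges:", len(gaugeCallbacks))
}
```

The injectable `now` clock is what lets TTL expiry be tested without sleeping; in the real webhook the expirable cache's own timer does this work. Note that `Set` takes `CacheResult` by value, so re-slicing `r.Errors` never touches the caller's struct, and that expired entries are only dropped when touched, so `Len()` can briefly over-report until the next access.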