feat: add support for httpcaching of github requests

Signed-off-by: Jean-Damien HATZENBUHLER <jean-damien.hatzenbuhler@contentsquare.com>

Author: jd-hatzenbuhler

applicationset/controllers/requeue_after_test.go

@@ -56,7 +56,7 @@ func TestRequeueAfter(t *testing.T) {
 		},
 	}
 	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
-	scmConfig := generators.NewSCMConfig("", []string{""}, true, true, nil, true)
+	scmConfig := generators.NewSCMConfig("", []string{""}, true, true, false, 100, nil, true)
 	terminalGenerators := map[string]generators.Generator{
 		"List":                    generators.NewListGenerator(),
 		"Clusters":                generators.NewClusterGenerator(ctx, k8sClient, appClientset, "argocd"),

applicationset/generators/pull_request_test.go

@@ -398,7 +398,7 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 				"gitea.myorg.com",
 				"bitbucket.myorg.com",
 				"azuredevops.myorg.com",
-			}, true, true, nil, true))
+			}, true, true, false, 100, nil, true))
 
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -421,7 +421,7 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 }
 
 func TestSCMProviderDisabled_PRGenerator(t *testing.T) {
-	generator := NewPullRequestGenerator(nil, NewSCMConfig("", []string{}, false, true, nil, true))
+	generator := NewPullRequestGenerator(nil, NewSCMConfig("", []string{}, false, true, false, 100, nil, true))
 
 	applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 		ObjectMeta: metav1.ObjectMeta{

applicationset/generators/scm_provider.go

@@ -37,16 +37,20 @@ type SCMConfig struct {
 	allowedSCMProviders    []string
 	enableSCMProviders     bool
 	enableGitHubAPIMetrics bool
+	enableGitHubCache      bool
+	githubCacheSize        int
 	GitHubApps             github_app_auth.Credentials
 	tokenRefStrictMode     bool
 }
 
-func NewSCMConfig(scmRootCAPath string, allowedSCMProviders []string, enableSCMProviders bool, enableGitHubAPIMetrics bool, gitHubApps github_app_auth.Credentials, tokenRefStrictMode bool) SCMConfig {
+func NewSCMConfig(scmRootCAPath string, allowedSCMProviders []string, enableSCMProviders bool, enableGitHubAPIMetrics bool, enableGitHubCache bool, githubCacheSize int, gitHubApps github_app_auth.Credentials, tokenRefStrictMode bool) SCMConfig {
 	return SCMConfig{
 		scmRootCAPath:          scmRootCAPath,
 		allowedSCMProviders:    allowedSCMProviders,
 		enableSCMProviders:     enableSCMProviders,
 		enableGitHubAPIMetrics: enableGitHubAPIMetrics,
+		enableGitHubCache:      enableGitHubCache,
+		githubCacheSize:        githubCacheSize,
 		GitHubApps:             gitHubApps,
 		tokenRefStrictMode:     tokenRefStrictMode,
 	}
@@ -289,13 +293,22 @@ func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argop
 		httpClient = services.NewGitHubMetricsClient(metricsCtx)
 	}
 
+	if g.enableGitHubCache {
+		storage := services.NewLRUSStorage(g.githubCacheSize)
+		if g.enableGitHubAPIMetrics {
+			httpClient = services.NewGitHubCache(storage, httpClient.Transport)
+		} else {
+			httpClient = services.NewGitHubCache(storage, nil)
+		}
+	}
+
 	if github.AppSecretName != "" {
 		auth, err := g.GitHubApps.GetAuthSecret(ctx, github.AppSecretName)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Github app secret: %w", err)
 		}
 
-		if g.enableGitHubAPIMetrics {
+		if g.enableGitHubAPIMetrics || g.enableGitHubCache {
 			return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches, httpClient)
 		}
 		return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches)
@@ -306,7 +319,7 @@ func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argop
 		return nil, fmt.Errorf("error fetching Github token: %w", err)
 	}
 
-	if g.enableGitHubAPIMetrics {
+	if g.enableGitHubAPIMetrics || g.enableGitHubCache {
 		return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches, httpClient)
 	}
 	return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches)

applicationset/services/github_cache.go

@@ -0,0 +1,83 @@
+package services
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+
+	ghtransport "github.com/bored-engineer/github-conditional-http-transport"
+	log "github.com/sirupsen/logrus"
+	"k8s.io/utils/lru"
+)
+
+type cachedResponse struct {
+	Response *http.Response
+	Body     []byte
+}
+
+type Storage struct {
+	lruMap *lru.Cache
+}
+
+func (s Storage) Get(_ context.Context, u *url.URL) (*http.Response, error) {
+	body, ok := s.lruMap.Get(u.String())
+	if !ok {
+		return nil, nil
+	}
+	bodyCached, valid := body.(cachedResponse)
+	if !valid {
+		return nil, nil
+	}
+	resp := *bodyCached.Response
+	resp.Body = io.NopCloser(bytes.NewReader(bodyCached.Body))
+	return &resp, nil
+}
+
+func (s Storage) Put(_ context.Context, u *url.URL, resp *http.Response) error {
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("(*http.Response).Body.Read failed: %w", err)
+	}
+	if err := resp.Body.Close(); err != nil {
+		return fmt.Errorf("(*http.Response).Body.Close failed: %w", err)
+	}
+	resp.Body = nil
+	s.lruMap.Add(u.String(), cachedResponse{
+		Response: resp,
+		Body:     body,
+	})
+	return nil
+}
+
+func NewLRUSStorage(size int) Storage {
+	return Storage{
+		lruMap: lru.New(size),
+	}
+}
+
+type GitHubCacheTransport struct {
+	transport http.RoundTripper
+}
+
+func (t *GitHubCacheTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	return t.transport.RoundTrip(req)
+}
+
+func NewGitHubCacheTransport(storage Storage, parent http.RoundTripper) *GitHubCacheTransport {
+	return &GitHubCacheTransport{
+		transport: ghtransport.NewTransport(
+			storage,
+			parent,
+		),
+	}
+}
+
+func NewGitHubCache(storage Storage, parent http.RoundTripper) *http.Client {
+	log.Debug("Creating new GitHub in memory cache")
+	return &http.Client{
+		Transport: NewGitHubCacheTransport(storage, parent),
+	}
+}

applicationset/services/github_cache_test.go

@@ -0,0 +1,139 @@
+package services
+
+import (
+	"encoding/hex"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	hash "github.com/bored-engineer/github-conditional-http-transport"
+	"github.com/stretchr/testify/assert"
+)
+
+func setupFakeGithubServer(cacheHitCounter *int) *httptest.Server {
+	payload := []byte(`{"name": "main"}`)
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Respond on 200/304 only if Authorization header start with `Bearer ok`
+		authorization := r.Header.Get("Authorization")
+		if !strings.HasPrefix(authorization, "Bearer ok") {
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+		// If the request contains If-None-Match header, respond with 304
+		ifNoneMatch := r.Header.Get("If-None-Match")
+		if ifNoneMatch != "" {
+			*cacheHitCounter++
+			w.WriteHeader(http.StatusNotModified)
+			return
+		}
+		// Otherwise respond with 200 with Etag and payload
+		h := hash.Hash(r.Header)
+		h.Write(payload)
+		w.Header().Set("Etag", hex.EncodeToString(h.Sum(nil)))
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write(payload)
+	}))
+}
+
+func TestGitHubCache_Success(t *testing.T) {
+	// Setup a fake HTTP server
+	cacheHitCounter := 0
+	ts := setupFakeGithubServer(&cacheHitCounter)
+	defer ts.Close()
+
+	storage := NewLRUSStorage(100)
+	client := &http.Client{
+		Transport: NewGitHubCacheTransport(
+			storage,
+			nil,
+		),
+	}
+	ctx := t.Context()
+
+	// First request, should hit the server
+	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, ts.URL+"/owner/repo/branches/main", http.NoBody)
+	req.Header.Set("Accept", "application/vnd.github.v3+json")
+	req.Header.Set("Authorization", "Bearer ok1")
+	res, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	assert.Equal(t, http.StatusOK, res.StatusCode, "Expected ok status")
+
+	// Second request, should be served from cache with 304 even if Authorization header changed
+	req.Header.Set("Authorization", "Bearer ok2")
+	res, err = client.Do(req)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	assert.Equal(t, http.StatusOK, res.StatusCode, "Expected ok status")
+	assert.Equal(t, cacheHitCounter, 1, "Expected one cache hit")
+}
+
+func TestGitHubCache_NotAuthorized(t *testing.T) {
+	// Setup a fake HTTP server
+	cacheHitCounter := 0
+	ts := setupFakeGithubServer(&cacheHitCounter)
+	defer ts.Close()
+
+	storage := NewLRUSStorage(100)
+	client := &http.Client{
+		Transport: NewGitHubCacheTransport(
+			storage,
+			nil,
+		),
+	}
+	ctx := t.Context()
+
+	// First request, should hit the server
+	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, ts.URL+"/owner/repo/branches/main", http.NoBody)
+	req.Header.Set("Accept", "application/vnd.github.v3+json")
+	req.Header.Set("Authorization", "Bearer ok1")
+	res, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	assert.Equal(t, http.StatusOK, res.StatusCode, "Expected ok status")
+
+	// Second request, should not be served from cache if Authorization is an invalid token
+	req.Header.Set("Authorization", "Bearer ko")
+	res, err = client.Do(req)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	assert.Equal(t, http.StatusUnauthorized, res.StatusCode, "Expected unauthorized status")
+	assert.Equal(t, cacheHitCounter, 0, "Expected no cache hit")
+}
+
+func TestNewGitHubCache(t *testing.T) {
+	// Test cases
+	testCases := []struct {
+		name   string
+		parent http.RoundTripper
+	}{
+		{
+			name:   "with parent transport",
+			parent: http.DefaultTransport,
+		},
+		{
+			name:   "with nil parent transport",
+			parent: nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Create client
+			storage := NewLRUSStorage(100)
+			client := NewGitHubCache(storage, tc.parent)
+
+			// Assert client is not nil
+			assert.NotNil(t, client)
+
+			// Assert transport is properly configured
+			_, ok := client.Transport.(*GitHubCacheTransport)
+			assert.True(t, ok, "Transport should be GitHubCacheTransport")
+		})
+	}
+}

cmd/argocd-applicationset-controller/commands/applicationset_controller.go

@@ -76,6 +76,8 @@ func NewCommand() *cobra.Command {
 		globalPreservedAnnotations   []string
 		globalPreservedLabels        []string
 		enableGitHubAPIMetrics       bool
+		enableGitHubCache            bool
+		githubCacheSize              int
 		metricsAplicationsetLabels   []string
 		enableScmProviders           bool
 		webhookParallelism           int
@@ -193,7 +195,7 @@ func NewCommand() *cobra.Command {
 			argoSettingsMgr := argosettings.NewSettingsManager(ctx, k8sClient, namespace)
 			argoCDDB := db.NewDB(namespace, argoSettingsMgr, k8sClient)
 
-			scmConfig := generators.NewSCMConfig(scmRootCAPath, allowedScmProviders, enableScmProviders, enableGitHubAPIMetrics, github_app.NewAuthCredentials(argoCDDB.(db.RepoCredsDB)), tokenRefStrictMode)
+			scmConfig := generators.NewSCMConfig(scmRootCAPath, allowedScmProviders, enableScmProviders, enableGitHubAPIMetrics, enableGitHubCache, githubCacheSize, github_app.NewAuthCredentials(argoCDDB.(db.RepoCredsDB)), tokenRefStrictMode)
 
 			tlsConfig := apiclient.TLSConfiguration{
 				DisableTLS:       repoServerPlaintext,
@@ -292,6 +294,8 @@ func NewCommand() *cobra.Command {
 	command.Flags().IntVar(&webhookParallelism, "webhook-parallelism-limit", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT", 50, 1, 1000), "Number of webhook requests processed concurrently")
 	command.Flags().StringSliceVar(&metricsAplicationsetLabels, "metrics-applicationset-labels", []string{}, "List of Application labels that will be added to the argocd_applicationset_labels metric")
 	command.Flags().BoolVar(&enableGitHubAPIMetrics, "enable-github-api-metrics", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS", false), "Enable GitHub API metrics for generators that use the GitHub API")
+	command.Flags().BoolVar(&enableGitHubCache, "enable-github-cache", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_CACHE", false), "Enable GitHub cache for generators that use the GitHub API")
+	command.Flags().IntVar(&githubCacheSize, "github-cache-size", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_GITHUB_CACHE_SIZE", 2000, 0, math.MaxInt), "Size of the GitHub cache")
 	command.Flags().IntVar(&maxResourcesStatusCount, "max-resources-status-count", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT", 0, 0, math.MaxInt), "Max number of resources stored in appset status.")
 
 	return &command

cmd/argocd-server/commands/argocd_server.go

@@ -96,6 +96,8 @@ func NewCommand() *cobra.Command {
 		allowedScmProviders      []string
 		enableScmProviders       bool
 		enableGitHubAPIMetrics   bool
+		enableGitHubCache        bool
+		githubCacheSize          int
 
 		// argocd k8s event logging flag
 		enableK8sEvent []string
@@ -257,6 +259,8 @@ func NewCommand() *cobra.Command {
 				AllowedScmProviders:      allowedScmProviders,
 				EnableScmProviders:       enableScmProviders,
 				EnableGitHubAPIMetrics:   enableGitHubAPIMetrics,
+				EnableGitHubCache:        enableGitHubCache,
+				GitHubCacheSize:          githubCacheSize,
 			}
 
 			stats.RegisterStackDumper()
@@ -336,6 +340,8 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringSliceVar(&allowedScmProviders, "appset-allowed-scm-providers", env.StringsFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS", []string{}, ","), "The list of allowed custom SCM provider API URLs. This restriction does not apply to SCM or PR generators which do not accept a custom API URL. (Default: Empty = all)")
 	command.Flags().BoolVar(&enableNewGitFileGlobbing, "appset-enable-new-git-file-globbing", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING", false), "Enable new globbing in Git files generator.")
 	command.Flags().BoolVar(&enableGitHubAPIMetrics, "appset-enable-github-api-metrics", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS", false), "Enable GitHub API metrics for generators that use the GitHub API")
+	command.Flags().BoolVar(&enableGitHubCache, "appset-enable-github-cache", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_CACHE", false), "Enable GitHub cache for generators that use the GitHub API")
+	command.Flags().IntVar(&githubCacheSize, "appset-github-cache-size", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_GITHUB_CACHE_SIZE", 2000, 0, math.MaxInt), "Size of the GitHub cache")
 
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(command)
 	cacheSrc = servercache.AddCacheFlagsToCmd(command, cacheutil.Options{

docs/operator-manual/server-commands/argocd-applicationset-controller.md

@@ -19,6 +19,7 @@ require (
 	github.com/aws/aws-sdk-go v1.55.7
 	github.com/bmatcuk/doublestar/v4 v4.9.1
 	github.com/bombsimon/logrusr/v4 v4.1.0
+	github.com/bored-engineer/github-conditional-http-transport v0.0.0-20260105072410-0d0a872debdf
 	github.com/bradleyfalzon/ghinstallation/v2 v2.17.0
 	github.com/casbin/casbin/v2 v2.135.0
 	github.com/casbin/govaluate v1.10.0