Evaluator: enable per-tenant HTTP caching for GitHub API client (#953)

* Larker: enable HTTP caching for GitHub API client

* Bring back #689 tuning

* Initialize HTTPClient once

* Only use init() for tuning the HTTPClient after it's initialized

* Per-instance HTTPClient and GitHub client

* Share caching *http.Client for multiple github.New() invocations

* Per-tenant shared HTTP cache

* Use Get() methods to prevent NPE

* Introduce TestGitHubHTTPCache

* TestGitHubHTTPCache: test with two separate tenants

* $ go mod tidy

Author: edigaryev

api/cirrus_ci_service.proto

@@ -58,10 +58,16 @@ message FileSystem {
   }
 
   message Github {
+    message HTTPCache {
+      string tenant = 1;
+      int32 size = 2;
+    }
+
     string owner = 1;
     string repo = 2;
     string reference = 3;
     string token = 4;
+    HTTPCache http_cache = 5;
   }
 
   oneof impl {

go.mod

@@ -65,6 +65,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.2
 	github.com/IGLOU-EU/go-wildcard v1.0.3
 	github.com/aws/aws-sdk-go v1.55.8
+	github.com/bartventer/httpcache v0.10.2
 	github.com/bmatcuk/doublestar v1.3.4
 	github.com/cirruslabs/chacha v0.16.3
 	github.com/cirruslabs/cirrus-ci-annotations v0.10.0
@@ -74,7 +75,10 @@ require (
 	github.com/go-chi/render v1.0.3
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/go-github/v59 v59.0.0
-	github.com/hashicorp/vault/api v1.22.0
+	github.com/hashicorp/golang-lru/v2 v2.0.7
+	github.com/hashicorp/vault/api v1.21.0
+	github.com/jarcoal/httpmock v1.4.1
+	github.com/jellydator/ttlcache/v3 v3.4.0
 	github.com/klauspost/pgzip v1.2.6
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/procfs v0.17.0

go.sum

@@ -47,6 +47,8 @@ github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIc
 github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA=
 github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ=
 github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk=
+github.com/bartventer/httpcache v0.10.2 h1:z/PRtWPf8I7zC9gWPil6wBhnbkGqc6MOzEsIbzou0W4=
+github.com/bartventer/httpcache v0.10.2/go.mod h1:nY3vexlqOtDlEDHfdGM3vMM6oeoKPLV8vPmzVdYOZBI=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20150223135152-b965b613227f/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -279,18 +281,24 @@ github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKe
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c=
 github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
 github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=
-github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
+github.com/hashicorp/vault/api v1.21.0 h1:Xej4LJETV/spWRdjreb2vzQhEZt4+B5yxHAObfQVDOs=
+github.com/hashicorp/vault/api v1.21.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
 github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jarcoal/httpmock v1.4.1 h1:0Ju+VCFuARfFlhVXFc2HxlcQkfB+Xq12/EotHko+x2A=
+github.com/jarcoal/httpmock v1.4.1/go.mod h1:ftW1xULwo+j0R0JJkJIIi7UKigZUXCLLanykgjwBXL0=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
+github.com/jellydator/ttlcache/v3 v3.4.0 h1:YS4P125qQS0tNhtL6aeYkheEaB/m8HCqdMMP4mnWdTY=
+github.com/jellydator/ttlcache/v3 v3.4.0/go.mod h1:Hw9EgjymziQD3yGsQdf1FqFdpp7YjFMd4Srg5EJlgD4=
 github.com/jinzhu/gorm v0.0.0-20170222002820-5409931a1bb8/go.mod h1:Vla75njaFJ8clLU1W44h34PjIkijhjHIYnZxMqCdxqo=
 github.com/jinzhu/inflection v0.0.0-20170102125226-1c35d901db3d/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
@@ -352,6 +360,8 @@ github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6T
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.6.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/maxatome/go-testdeep v1.14.0 h1:rRlLv1+kI8eOI3OaBXZwb3O7xY3exRzdW5QyX48g9wI=
+github.com/maxatome/go-testdeep v1.14.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
 github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU=
 github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=

internal/evaluator/evaluator.go

@@ -5,6 +5,13 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/bartventer/httpcache"
+	_ "github.com/cirruslabs/cirrus-cli/internal/evaluator/lrucache"
 	"github.com/cirruslabs/cirrus-cli/internal/version"
 	"github.com/cirruslabs/cirrus-cli/pkg/api"
 	"github.com/cirruslabs/cirrus-cli/pkg/larker"
@@ -14,6 +21,7 @@ import (
 	"github.com/cirruslabs/cirrus-cli/pkg/larker/fs/memory"
 	"github.com/cirruslabs/cirrus-cli/pkg/parser"
 	"github.com/cirruslabs/cirrus-cli/pkg/parser/parsererror"
+	"github.com/jellydator/ttlcache/v3"
 	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 	"go.opentelemetry.io/otel/metric/noop"
 	"google.golang.org/grpc"
@@ -23,8 +31,6 @@ import (
 	"google.golang.org/protobuf/reflect/protodesc"
 	"google.golang.org/protobuf/reflect/protoreflect"
 	"google.golang.org/protobuf/types/known/structpb"
-	"net"
-	"strings"
 )
 
 const pathYAML = ".cirrus.yml"
@@ -33,6 +39,9 @@ const pathStarlark = ".cirrus.star"
 var ErrNoFS = errors.New("no filesystem available")
 
 type ConfigurationEvaluatorServiceServer struct {
+	perTenantCachingHTTPClients *ttlcache.Cache[string, *http.Client]
+	roundTripperForTests        http.RoundTripper
+
 	// must be embedded to have forward compatible implementations
 	api.UnimplementedCirrusConfigurationEvaluatorServiceServer
 }
@@ -54,15 +63,26 @@ func addVersion(
 	return handler(ctx, req)
 }
 
-func Serve(ctx context.Context, lis net.Listener) error {
+func Serve(ctx context.Context, lis net.Listener, opts ...Option) error {
 	server := grpc.NewServer(
 		grpc.UnaryInterceptor(addVersion),
 		grpc.StatsHandler(otelgrpc.NewServerHandler(
 			otelgrpc.WithMeterProvider(noop.NewMeterProvider()),
 		)),
 	)
 
-	api.RegisterCirrusConfigurationEvaluatorServiceServer(server, &ConfigurationEvaluatorServiceServer{})
+	r := &ConfigurationEvaluatorServiceServer{
+		perTenantCachingHTTPClients: ttlcache.New[string, *http.Client](
+			ttlcache.WithTTL[string, *http.Client](24 * time.Hour),
+		),
+	}
+
+	// Apply opts
+	for _, opt := range opts {
+		opt(r)
+	}
+
+	api.RegisterCirrusConfigurationEvaluatorServiceServer(server, r)
 
 	errChan := make(chan error)
 
@@ -97,7 +117,15 @@ func (r *ConfigurationEvaluatorServiceServer) EvaluateConfig(
 		yamlConfigs = append(yamlConfigs, request.YamlConfig)
 	}
 
-	fs, err := convertFS(request.Fs)
+	var httpClient *http.Client
+
+	if githubFS := request.GetFs().GetGithub(); githubFS != nil {
+		if httpCache := githubFS.GetHttpCache(); httpCache != nil {
+			httpClient = r.cachingHTTPClient(httpCache.GetTenant(), httpCache.GetSize())
+		}
+	}
+
+	fs, err := convertFS(request.Fs, httpClient)
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to initialize file system: %v", err)
 	}
@@ -109,6 +137,7 @@ func (r *ConfigurationEvaluatorServiceServer) EvaluateConfig(
 			larker.WithFileSystem(fs),
 			larker.WithEnvironment(request.Environment),
 			larker.WithAffectedFiles(request.AffectedFiles),
+			larker.WithHTTPClient(httpClient),
 		)
 
 		lrkResult, err := lrk.MainOptional(ctx, request.StarlarkConfig)
@@ -207,14 +236,23 @@ func (r *ConfigurationEvaluatorServiceServer) EvaluateFunction(
 	ctx context.Context,
 	request *api.EvaluateFunctionRequest,
 ) (*api.EvaluateFunctionResponse, error) {
-	fs, err := convertFS(request.Fs)
+	var httpClient *http.Client
+
+	if githubFS := request.GetFs().GetGithub(); githubFS != nil {
+		if httpCache := githubFS.GetHttpCache(); httpCache != nil {
+			httpClient = r.cachingHTTPClient(httpCache.GetTenant(), httpCache.GetSize())
+		}
+	}
+
+	fs, err := convertFS(request.Fs, httpClient)
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to initialize file system: %v", err)
 	}
 
 	lrk := larker.New(
 		larker.WithFileSystem(fs),
 		larker.WithEnvironment(request.Environment),
+		larker.WithHTTPClient(httpClient),
 	)
 
 	// Run Starlark hook
@@ -281,7 +319,7 @@ func TransformAdditionalInstances(
 	return additionalInstances, nil
 }
 
-func convertFS(apiFS *api.FileSystem) (fs fs.FileSystem, err error) {
+func convertFS(apiFS *api.FileSystem, httpClient *http.Client) (fs fs.FileSystem, err error) {
 	fs = failing.New(ErrNoFS)
 
 	if apiFS == nil {
@@ -292,8 +330,40 @@ func convertFS(apiFS *api.FileSystem) (fs fs.FileSystem, err error) {
 	case *api.FileSystem_Memory_:
 		fs, err = memory.New(impl.Memory.FilesContents)
 	case *api.FileSystem_Github_:
-		fs, err = github.New(impl.Github.Owner, impl.Github.Repo, impl.Github.Reference, impl.Github.Token)
+		fs, err = github.New(impl.Github.Owner, impl.Github.Repo, impl.Github.Reference, impl.Github.Token,
+			httpClient)
 	}
 
 	return fs, err
 }
+
+func (r *ConfigurationEvaluatorServiceServer) cachingHTTPClient(tenant string, size int32) *http.Client {
+	if tenant == "" || size == 0 {
+		return nil
+	}
+
+	httpClient, _ := r.perTenantCachingHTTPClients.GetOrSetFunc(tenant, func() *http.Client {
+		dsn := fmt.Sprintf("lrucache://?size=%d", size)
+
+		httpClient := httpcache.NewClient(dsn, httpcache.WithUpstream(r.roundTripper()))
+
+		// GitHub has a 10-second timeout for API requests
+		httpClient.Timeout = 11 * time.Second
+
+		return httpClient
+	})
+
+	return httpClient.Value()
+}
+
+func (r *ConfigurationEvaluatorServiceServer) roundTripper() http.RoundTripper {
+	if r.roundTripperForTests != nil {
+		return r.roundTripperForTests
+	}
+
+	return &http.Transport{
+		MaxIdleConns:        1024,
+		MaxIdleConnsPerHost: 1024,        // default is 2 which is too small and we mostly access the same host
+		IdleConnTimeout:     time.Minute, // let's put something big but not infinite like the default
+	}
+}

internal/evaluator/evaluator_test.go

@@ -4,12 +4,22 @@
 package evaluator_test
 
 import (
+	"bytes"
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
+	"io"
+	"net"
+	"net/http"
+	"testing"
+	"time"
+
 	"github.com/cirruslabs/cirrus-cli/internal/evaluator"
 	"github.com/cirruslabs/cirrus-cli/pkg/api"
 	"github.com/golang/protobuf/protoc-gen-go/descriptor"
+	"github.com/google/go-github/v59/github"
+	"github.com/jarcoal/httpmock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/xeipuuv/gojsonschema"
@@ -21,12 +31,9 @@ import (
 	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"google.golang.org/protobuf/types/known/structpb"
-	"net"
-	"testing"
-	"time"
 )
 
-func getClient(t *testing.T) api.CirrusConfigurationEvaluatorServiceClient {
+func getClient(t *testing.T, opts ...evaluator.Option) api.CirrusConfigurationEvaluatorServiceClient {
 	ctx, cancel := context.WithCancel(context.Background())
 
 	lis, err := net.Listen("tcp", "localhost:0")
@@ -37,7 +44,7 @@ func getClient(t *testing.T) api.CirrusConfigurationEvaluatorServiceClient {
 	errChan := make(chan error)
 
 	go func() {
-		errChan <- evaluator.Serve(ctx, lis)
+		errChan <- evaluator.Serve(ctx, lis, opts...)
 	}()
 
 	t.Cleanup(func() {
@@ -56,8 +63,8 @@ func getClient(t *testing.T) api.CirrusConfigurationEvaluatorServiceClient {
 	return api.NewCirrusConfigurationEvaluatorServiceClient(conn)
 }
 
-func evaluateConfigHelper(t *testing.T, request *api.EvaluateConfigRequest) (*api.EvaluateConfigResponse, error) {
-	return getClient(t).EvaluateConfig(context.Background(), request)
+func evaluateConfigHelper(t *testing.T, request *api.EvaluateConfigRequest, opts ...evaluator.Option) (*api.EvaluateConfigResponse, error) {
+	return getClient(t, opts...).EvaluateConfig(context.Background(), request)
 }
 
 func schemaHelper(t *testing.T, request *api.JSONSchemaRequest) (*api.JSONSchemaResponse, error) {
@@ -448,3 +455,72 @@ func TestBacktraceHook(t *testing.T) {
 	require.Contains(t, string(response.OutputLogs), "hook\nsentinel\n")
 	require.Contains(t, string(response.OutputLogs), "Traceback (most recent call last):\n  .cirrus.star:6:10")
 }
+
+func TestGitHubHTTPCache(t *testing.T) {
+	mockTransport := httpmock.NewMockTransport()
+
+	mockTransport.RegisterResponder("GET", "https://api.github.com/repos/cirruslabs/cirrus-cli/contents/README.md?ref=main", func(req *http.Request) (*http.Response, error) {
+		githubRepositoryContent := github.RepositoryContent{
+			Content: github.String(base64.StdEncoding.EncodeToString([]byte("Hello, World!"))),
+		}
+
+		githubRepositoryContentJSON, err := json.Marshal(&githubRepositoryContent)
+		require.NoError(t, err)
+
+		return &http.Response{
+			StatusCode: http.StatusOK,
+			Header:     http.Header{},
+			Body:       io.NopCloser(bytes.NewReader(githubRepositoryContentJSON)),
+		}, nil
+	})
+
+	starlarkConfig := `load("cirrus", "fs")
+def main(ctx):
+    print(fs.read("README.md"))
+
+    print(fs.read("README.md"))
+
+    return []
+`
+
+	response, err := evaluateConfigHelper(t, &api.EvaluateConfigRequest{
+		StarlarkConfig: starlarkConfig,
+		Fs: &api.FileSystem{
+			Impl: &api.FileSystem_Github_{
+				Github: &api.FileSystem_Github{
+					Owner:     "cirruslabs",
+					Repo:      "cirrus-cli",
+					Reference: "main",
+					HttpCache: &api.FileSystem_Github_HTTPCache{
+						Tenant: "tenant1",
+						Size:   64 * 1024,
+					},
+				},
+			},
+		},
+	}, evaluator.WithRoundTripperForTests(mockTransport))
+	require.NoError(t, err)
+	require.Equal(t, 1, mockTransport.GetTotalCallCount())
+	require.Equal(t, "Hello, World!\nHello, World!\n", string(response.OutputLogs))
+
+	// Ensure that the other tenant does not reuse our cache
+	response, err = evaluateConfigHelper(t, &api.EvaluateConfigRequest{
+		StarlarkConfig: starlarkConfig,
+		Fs: &api.FileSystem{
+			Impl: &api.FileSystem_Github_{
+				Github: &api.FileSystem_Github{
+					Owner:     "cirruslabs",
+					Repo:      "cirrus-cli",
+					Reference: "main",
+					HttpCache: &api.FileSystem_Github_HTTPCache{
+						Tenant: "tenant2",
+						Size:   64 * 1024,
+					},
+				},
+			},
+		},
+	}, evaluator.WithRoundTripperForTests(mockTransport))
+	require.NoError(t, err)
+	require.Equal(t, 2, mockTransport.GetTotalCallCount())
+	require.Equal(t, "Hello, World!\nHello, World!\n", string(response.OutputLogs))
+}