security: cleanup clientcert expiration cache functionality

The work done for #142686 in #143081 was truncated to make the changeset
more backportable. Some of the modifications held are ported instead to
this PR, so that extra functions are removed, and the
`clientcert/cache.go` is simpler in terms of its responsibility.

Fixes: #144163
Epic: none

Release note (ops change): cluster setting
`server.client_cert_expiration_cache.capacity` has been deprecated.
The client certificate cache now evicts client certificates based on
time.

Author: angles-n-daemons

docs/generated/settings/settings-for-tenants.txt

@@ -115,7 +115,6 @@ server.auth_log.sql_sessions.enabled	boolean	false	if set, log verbose SQL sessi
 server.authentication_cache.enabled	boolean	true	enables a cache used during authentication to avoid lookups to system tables when retrieving per-user authentication-related information	application
 server.child_metrics.enabled	boolean	false	enables the exporting of child metrics, additional prometheus time series with extra labels	application
 server.child_metrics.include_aggregate.enabled	boolean	true	include the reporting of the aggregate time series when child metrics are enabled. This cluster setting has no effect if child metrics are disabled.	application
-server.client_cert_expiration_cache.capacity	integer	1000	the maximum number of client cert expirations stored	application
 server.clock.forward_jump_check.enabled (alias: server.clock.forward_jump_check_enabled)	boolean	false	if enabled, forward clock jumps > max_offset/2 will cause a panic	application
 server.clock.persist_upper_bound_interval	duration	0s	the interval between persisting the wall time upper bound of the clock. The clock does not generate a wall time greater than the persisted timestamp and will panic if it sees a wall time greater than this value. When cockroach starts, it waits for the wall time to catch-up till this persisted timestamp. This guarantees monotonic wall time across server restarts. Not setting this or setting a value of 0 disables this feature.	application
 server.eventlog.enabled	boolean	true	if set, logged notable events are also stored in the table system.eventlog	application

docs/generated/settings/settings.html

@@ -146,7 +146,6 @@
 <tr><td><div id="setting-server-authentication-cache-enabled" class="anchored"><code>server.authentication_cache.enabled</code></div></td><td>boolean</td><td><code>true</code></td><td>enables a cache used during authentication to avoid lookups to system tables when retrieving per-user authentication-related information</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-child-metrics-enabled" class="anchored"><code>server.child_metrics.enabled</code></div></td><td>boolean</td><td><code>false</code></td><td>enables the exporting of child metrics, additional prometheus time series with extra labels</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-child-metrics-include-aggregate-enabled" class="anchored"><code>server.child_metrics.include_aggregate.enabled</code></div></td><td>boolean</td><td><code>true</code></td><td>include the reporting of the aggregate time series when child metrics are enabled. This cluster setting has no effect if child metrics are disabled.</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
-<tr><td><div id="setting-server-client-cert-expiration-cache-capacity" class="anchored"><code>server.client_cert_expiration_cache.capacity</code></div></td><td>integer</td><td><code>1000</code></td><td>the maximum number of client cert expirations stored</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-clock-forward-jump-check-enabled" class="anchored"><code>server.clock.forward_jump_check.enabled<br />(alias: server.clock.forward_jump_check_enabled)</code></div></td><td>boolean</td><td><code>false</code></td><td>if enabled, forward clock jumps &gt; max_offset/2 will cause a panic</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-clock-persist-upper-bound-interval" class="anchored"><code>server.clock.persist_upper_bound_interval</code></div></td><td>duration</td><td><code>0s</code></td><td>the interval between persisting the wall time upper bound of the clock. The clock does not generate a wall time greater than the persisted timestamp and will panic if it sees a wall time greater than this value. When cockroach starts, it waits for the wall time to catch-up till this persisted timestamp. This guarantees monotonic wall time across server restarts. Not setting this or setting a value of 0 disables this feature.</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-consistency-check-max-rate" class="anchored"><code>server.consistency_check.max_rate</code></div></td><td>byte size</td><td><code>8.0 MiB</code></td><td>the rate limit (bytes/sec) to use for consistency checks; used in conjunction with server.consistency_check.interval to control the frequency of consistency checks. Note that setting this too high can negatively impact performance.</td><td>Dedicated/Self-Hosted</td></tr>

pkg/security/certificate_manager.go

@@ -13,7 +13,6 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/security/certnames"
 	"github.com/cockroachdb/cockroach/pkg/security/clientcert"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
-	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/cockroach/pkg/util/log/eventpb"
 	"github.com/cockroachdb/cockroach/pkg/util/log/severity"
@@ -57,7 +56,7 @@ type CertificateManager struct {
 	certMetrics *Metrics
 
 	// Client cert expiration cache.
-	clientCertExpirationCache *clientcert.ClientCertExpirationCache
+	clientCertExpirationCache *clientcert.Cache
 
 	// mu protects all remaining fields.
 	mu syncutil.RWMutex
@@ -201,12 +200,16 @@ func (cm *CertificateManager) RegisterSignalHandler(
 // It is called during server startup.
 func (cm *CertificateManager) RegisterExpirationCache(
 	ctx context.Context,
-	st *cluster.Settings,
 	stopper *stop.Stopper,
 	timeSrc timeutil.TimeSource,
 	parentMon *mon.BytesMonitor,
-) {
-	cm.clientCertExpirationCache = clientcert.NewClientCertExpirationCache(ctx, st, stopper, timeSrc, parentMon, cm.certMetrics.ClientExpiration, cm.certMetrics.ClientTTL)
+) error {
+	m := mon.NewMonitorInheritWithLimit(mon.MakeName("client-expiration-caches"), 0 /* limit */, parentMon, true /* longLiving */)
+	acc := m.MakeConcurrentBoundAccount()
+	m.StartNoReserved(ctx, parentMon)
+
+	cm.clientCertExpirationCache = clientcert.NewCache(timeSrc, acc, cm.certMetrics.ClientExpiration, cm.certMetrics.ClientTTL)
+	return cm.clientCertExpirationCache.StartPurgeJob(ctx, stopper)
 }
 
 // MaybeUpsertClientExpiration updates or inserts the expiration time for the
@@ -216,7 +219,7 @@ func (cm *CertificateManager) MaybeUpsertClientExpiration(
 	ctx context.Context, identity string, serial string, expiration int64,
 ) {
 	if cache := cm.clientCertExpirationCache; cache != nil {
-		cache.MaybeUpsert(ctx,
+		cache.Upsert(ctx,
 			identity,
 			serial,
 			expiration,

pkg/security/clientcert/BUILD.bazel

@@ -6,11 +6,8 @@ go_library(
     importpath = "github.com/cockroachdb/cockroach/pkg/security/clientcert",
     visibility = ["//visibility:public"],
     deps = [
-        "//pkg/settings",
-        "//pkg/settings/cluster",
         "//pkg/util/log",
         "//pkg/util/metric/aggmetric",
-        "//pkg/util/mon",
         "//pkg/util/stop",
         "//pkg/util/syncutil",
         "//pkg/util/timeutil",
@@ -22,7 +19,6 @@ go_test(
     srcs = ["cert_expiry_cache_test.go"],
     deps = [
         ":clientcert",
-        "//pkg/settings/cluster",
         "//pkg/util/leaktest",
         "//pkg/util/metric",
         "//pkg/util/metric/aggmetric",