store optimization (#202)

aa1ex · web-flow · commit 88b0b6c6264e · 2025-10-03T12:07:38.000+03:00
diff --git a/internal/grpcapi/utils.go b/internal/grpcapi/utils.go
@@ -36,19 +36,19 @@ func (s *UtilsService) VerifyDomains(_ context.Context, req *connect.Request[v1.
 	return connect.NewResponse(&v1.VerifyDomainsResponse{Results: results}), nil
 }
 
-func verifyDomainFromSecrets(domain string, secrets map[string]corev1.Secret) *v1.DomainVerificationResult {
+func verifyDomainFromSecrets(domain string, secrets map[string]*corev1.Secret) *v1.DomainVerificationResult {
 	result := &v1.DomainVerificationResult{Domain: domain}
 	var matchedSecret *corev1.Secret
 	var matchedByWildcard bool
 
 	if secret, ok := secrets[domain]; ok {
-		matchedSecret = &secret
+		matchedSecret = secret
 	} else {
 		parts := strings.Split(domain, ".")
 		for i := 1; i < len(parts)-1; i++ {
 			wildcard := "*." + strings.Join(parts[i:], ".")
 			if secret, ok := secrets[wildcard]; ok {
-				matchedSecret = &secret
+				matchedSecret = secret
 				matchedByWildcard = true
 				break
 			}
diff --git a/internal/store/interfaces.go b/internal/store/interfaces.go
@@ -82,7 +82,7 @@ type Store interface {
 	DeleteSecret(name helpers.NamespacedName)
 	IsExistingSecret(name helpers.NamespacedName) bool
 	MapSecrets() map[helpers.NamespacedName]*corev1.Secret
-	MapDomainSecrets() map[string]corev1.Secret
+	MapDomainSecrets() map[string]*corev1.Secret
 
 	// Tracing
 	GetTracing(name helpers.NamespacedName) *v1alpha1.Tracing
diff --git a/internal/store/optimized.go b/internal/store/optimized.go
@@ -1287,13 +1287,14 @@ func (s *OptimizedStore) MapSpecClusters() map[string]*v1alpha1.Cluster {
 	return result
 }
 
-func (s *OptimizedStore) MapDomainSecrets() map[string]corev1.Secret {
+func (s *OptimizedStore) MapDomainSecrets() map[string]*corev1.Secret {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 
-	result := make(map[string]corev1.Secret, len(s.domainSecrets))
+	result := make(map[string]*corev1.Secret, len(s.domainSecrets))
 	for k, v := range s.domainSecrets {
-		result[k] = v
+		secret := v // Create explicit copy for pointer safety
+		result[k] = &secret
 	}
 	return result
 }
diff --git a/internal/store/secret.go b/internal/store/secret.go
@@ -43,10 +43,15 @@ func (s *LegacyStore) MapSecrets() map[helpers.NamespacedName]*corev1.Secret {
 	return maps.Clone(s.secrets)
 }
 
-func (s *LegacyStore) MapDomainSecrets() map[string]corev1.Secret {
+func (s *LegacyStore) MapDomainSecrets() map[string]*corev1.Secret {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
-	return maps.Clone(s.domainToSecretMap)
+	result := make(map[string]*corev1.Secret, len(s.domainToSecretMap))
+	for k, v := range s.domainToSecretMap {
+		secret := v
+		result[k] = &secret
+	}
+	return result
 }
 
 func (s *LegacyStore) updateDomainSecretsMap() {
diff --git a/internal/store/secret_bench_test.go b/internal/store/secret_bench_test.go
@@ -0,0 +1,75 @@
+package store
+
+import (
+	"fmt"
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// BenchmarkMapDomainSecrets_OptimizedStore benchmarks the optimized implementation
+func BenchmarkMapDomainSecrets_OptimizedStore(b *testing.B) {
+	store := NewOptimizedStore()
+
+	// Populate store with test secrets
+	for i := 0; i < 100; i++ {
+		domain := fmt.Sprintf("domain-%d.example.com", i)
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      fmt.Sprintf("secret-%d", i),
+				Namespace: "default",
+				Annotations: map[string]string{
+					"envoy.kaasops.io/domains": domain,
+				},
+			},
+			Data: map[string][]byte{
+				"tls.crt": make([]byte, 1024),
+				"tls.key": make([]byte, 1024),
+			},
+		}
+		store.SetSecret(secret)
+	}
+
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	var result map[string]*corev1.Secret
+	for i := 0; i < b.N; i++ {
+		result = store.MapDomainSecrets()
+	}
+	_ = result
+}
+
+// BenchmarkMapDomainSecrets_LegacyStore benchmarks the legacy implementation
+func BenchmarkMapDomainSecrets_LegacyStore(b *testing.B) {
+	store := New()
+
+	// Populate store with test secrets
+	for i := 0; i < 100; i++ {
+		domain := fmt.Sprintf("domain-%d.example.com", i)
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      fmt.Sprintf("secret-%d", i),
+				Namespace: "default",
+				Annotations: map[string]string{
+					"envoy.kaasops.io/domains": domain,
+				},
+			},
+			Data: map[string][]byte{
+				"tls.crt": make([]byte, 1024),
+				"tls.key": make([]byte, 1024),
+			},
+		}
+		store.SetSecret(secret)
+	}
+
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	var result map[string]*corev1.Secret
+	for i := 0; i < b.N; i++ {
+		result = store.MapDomainSecrets()
+	}
+	_ = result
+}
diff --git a/internal/store/secret_test.go b/internal/store/secret_test.go
@@ -0,0 +1,121 @@
+package store
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// TestMapDomainSecrets_ReturnsPointers verifies that MapDomainSecrets returns pointers
+func TestMapDomainSecrets_ReturnsPointers(t *testing.T) {
+	tests := []struct {
+		name  string
+		store Store
+	}{
+		{"OptimizedStore", NewOptimizedStore()},
+		{"LegacyStore", &StoreAdapter{LegacyStore: New()}},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create test secrets
+			secret1 := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "secret1",
+					Namespace: "default",
+					Annotations: map[string]string{
+						"envoy.kaasops.io/domains": "domain1.com",
+					},
+				},
+				Data: map[string][]byte{
+					"tls.crt": []byte("cert1"),
+					"tls.key": []byte("key1"),
+				},
+			}
+
+			secret2 := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "secret2",
+					Namespace: "default",
+					Annotations: map[string]string{
+						"envoy.kaasops.io/domains": "domain2.com",
+					},
+				},
+				Data: map[string][]byte{
+					"tls.crt": []byte("cert2"),
+					"tls.key": []byte("key2"),
+				},
+			}
+
+			tt.store.SetSecret(secret1)
+			tt.store.SetSecret(secret2)
+
+			// Get domain secrets map
+			domainSecrets := tt.store.MapDomainSecrets()
+
+			// Verify we got pointers
+			assert.NotNil(t, domainSecrets)
+			assert.Len(t, domainSecrets, 2)
+
+			// Verify correct data
+			s1, ok := domainSecrets["domain1.com"]
+			assert.True(t, ok, "domain1.com should exist")
+			assert.NotNil(t, s1, "domain1.com secret should not be nil")
+			assert.Equal(t, "secret1", s1.Name)
+			assert.Equal(t, []byte("cert1"), s1.Data["tls.crt"])
+
+			s2, ok := domainSecrets["domain2.com"]
+			assert.True(t, ok, "domain2.com should exist")
+			assert.NotNil(t, s2, "domain2.com secret should not be nil")
+			assert.Equal(t, "secret2", s2.Name)
+			assert.Equal(t, []byte("cert2"), s2.Data["tls.crt"])
+
+			// Verify that each domain has a unique pointer
+			assert.NotSame(t, s1, s2, "pointers should be different")
+		})
+	}
+}
+
+// TestMapDomainSecrets_ImmutableCopy verifies that returned map is a copy
+func TestMapDomainSecrets_ImmutableCopy(t *testing.T) {
+	tests := []struct {
+		name  string
+		store Store
+	}{
+		{"OptimizedStore", NewOptimizedStore()},
+		{"LegacyStore", &StoreAdapter{LegacyStore: New()}},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			secret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "secret",
+					Namespace: "default",
+					Annotations: map[string]string{
+						"envoy.kaasops.io/domains": "test.com",
+					},
+				},
+				Data: map[string][]byte{"key": []byte("value")},
+			}
+
+			tt.store.SetSecret(secret)
+
+			// Get first copy
+			map1 := tt.store.MapDomainSecrets()
+
+			// Get second copy
+			map2 := tt.store.MapDomainSecrets()
+
+			// Verify both have the data
+			assert.Len(t, map1, 1)
+			assert.Len(t, map2, 1)
+
+			// Pointers should be different (new allocation each time)
+			assert.NotSame(t, map1["test.com"], map2["test.com"],
+				"each call should return new pointers to prevent accidental mutation")
+		})
+	}
+}
diff --git a/internal/xds/resbuilder/builder.go b/internal/xds/resbuilder/builder.go
@@ -1007,11 +1007,11 @@ func getSecretNameToDomainsViaSecretRef(secretRef *v1alpha1.ResourceRef, vsNames
 	return m
 }
 
-func getSecretNameToDomainsViaAutoDiscovery(domains []string, domainToSecretMap map[string]v1.Secret) (map[helpers.NamespacedName][]string, error) {
+func getSecretNameToDomainsViaAutoDiscovery(domains []string, domainToSecretMap map[string]*v1.Secret) (map[helpers.NamespacedName][]string, error) {
 	m := make(map[helpers.NamespacedName][]string)
 
 	for _, domain := range domains {
-		var secret v1.Secret
+		var secret *v1.Secret
 		secret, ok := domainToSecretMap[domain]
 		if !ok {
 			secret, ok = domainToSecretMap[getWildcardDomain(domain)]
diff --git a/internal/xds/resbuilder_v2/adapters/tls_adapter.go b/internal/xds/resbuilder_v2/adapters/tls_adapter.go
@@ -73,12 +73,12 @@ func (a *TLSAdapter) getSecretNameToDomainsViaSecretRef(
 // getSecretNameToDomainsViaAutoDiscovery maps domains to secrets based on auto-discovery
 func (a *TLSAdapter) getSecretNameToDomainsViaAutoDiscovery(
 	domains []string,
-	domainToSecretMap map[string]v1.Secret,
+	domainToSecretMap map[string]*v1.Secret,
 ) (map[helpers.NamespacedName][]string, error) {
 	m := make(map[helpers.NamespacedName][]string)
 
 	for _, domain := range domains {
-		var secret v1.Secret
+		var secret *v1.Secret
 		secret, ok := domainToSecretMap[domain]
 		if !ok {
 			secret, ok = domainToSecretMap[utils.GetWildcardDomain(domain)]
diff --git a/internal/xds/resbuilder_v2/builder.go b/internal/xds/resbuilder_v2/builder.go
@@ -837,11 +837,11 @@ func getSecretNameToDomainsViaSecretRef(secretRef *v1alpha1.ResourceRef, vsNames
 	return m
 }
 
-func getSecretNameToDomainsViaAutoDiscovery(domains []string, domainToSecretMap map[string]v1.Secret) (map[helpers.NamespacedName][]string, error) {
+func getSecretNameToDomainsViaAutoDiscovery(domains []string, domainToSecretMap map[string]*v1.Secret) (map[helpers.NamespacedName][]string, error) {
 	m := make(map[helpers.NamespacedName][]string)
 
 	for _, domain := range domains {
-		var secret v1.Secret
+		var secret *v1.Secret
 		secret, ok := domainToSecretMap[domain]
 		if !ok {
 			secret, ok = domainToSecretMap[utils.GetWildcardDomain(domain)]
diff --git a/internal/xds/resbuilder_v2/tls/builder.go b/internal/xds/resbuilder_v2/tls/builder.go
@@ -80,11 +80,11 @@ func (b *Builder) getSecretNameToDomainsViaSecretRef(secretRef *v1alpha1.Resourc
 }
 
 // getSecretNameToDomainsViaAutoDiscovery maps domains to secrets based on auto-discovery
-func (b *Builder) getSecretNameToDomainsViaAutoDiscovery(domains []string, domainToSecretMap map[string]v1.Secret) (map[helpers.NamespacedName][]string, error) {
+func (b *Builder) getSecretNameToDomainsViaAutoDiscovery(domains []string, domainToSecretMap map[string]*v1.Secret) (map[helpers.NamespacedName][]string, error) {
 	m := make(map[helpers.NamespacedName][]string)
 
 	for _, domain := range domains {
-		var secret v1.Secret
+		var secret *v1.Secret
 		secret, ok := domainToSecretMap[domain]
 		if !ok {
 			secret, ok = domainToSecretMap[utils.GetWildcardDomain(domain)]

Original file line number	Diff line number	Diff line change
`@@ -1287,13 +1287,14 @@ func (s OptimizedStore) MapSpecClusters() map[string]v1alpha1.Cluster {`
`1287`	`1287`	`return result`
`1288`	`1288`	`}`
`1289`	`1289`
`1290`		`-func (s *OptimizedStore) MapDomainSecrets() map[string]corev1.Secret {`
	`1290`	`+func (s OptimizedStore) MapDomainSecrets() map[string]corev1.Secret {`
`1291`	`1291`	`s.mu.RLock()`
`1292`	`1292`	`defer s.mu.RUnlock()`
`1293`	`1293`
`1294`		`- result := make(map[string]corev1.Secret, len(s.domainSecrets))`
	`1294`	`+ result := make(map[string]*corev1.Secret, len(s.domainSecrets))`
`1295`	`1295`	`for k, v := range s.domainSecrets {`
`1296`		`- result[k] = v`
	`1296`	`+ secret := v // Create explicit copy for pointer safety`
	`1297`	`+ result[k] = &secret`
`1297`	`1298`	`}`
`1298`	`1299`	`return result`
`1299`	`1300`	`}`