Evaluator: enable per-tenant HTTP caching for GitHub API client

[edigaryev]

To reduce GitHub API rate limit usage for Starlark scripts.

[fkorotkov]

Is it a TTL for caching or just request timeout?

[edigaryev]

Request timeout, this is copied from the previous code.

[fkorotkov]

I think this should be a singleton shared between these instances. Otherwise we'll only cache things within a single starlark evaluation.

Maybe pass fs_cachable in the proto request.

[edigaryev]

I think this should be a singleton shared between these instances. Otherwise we'll only cache things within a single starlark evaluation.

Fixed in 267599f.

Maybe pass fs_cachable in the proto request.

Can you elaborate?

[fkorotkov]

Was thinking if it's safe to share the cache between repositories for a GH FS or should be have a cache of FSes per repo.

[edigaryev]

I think the safest (and good enough) way to start with is to have a separate cache, HTTP client and GitHub client instance per EvaluateConfig() and EvaluateFunction().

The current implementation is almost like that, except that it instantiates a new cache, HTTP client and GitHub client instance on module loading (e.g. load("github.com/cirrus-modules/golang", "task", "container")).

It feels like we should avoid doing this if currentFS is already *github.GitHub here:

cirrus-cli/pkg/larker/resolver/module_fs.go

Lines 107 to 120 in fdfa078

	func findLocatorFS(
	ctx context.Context,
	currentFS fs.FileSystem,
	env map[string]string,
	location interface{},
	) (fs.FileSystem, string, error) {
	switch typedLocation := location.(type) {
	case gitHubLocation:
	token := env["CIRRUS_REPO_CLONE_TOKEN"]
	ghFS, err := github.New(typedLocation.Owner, typedLocation.Name, typedLocation.Revision, token)
	if err != nil {
	return nil, "", err
	}

[edigaryev]

Actually, perhaps a separate *github.Github is totally fine, we just need to have a shared *http.Client per EvaluateConfig() and EvaluateFunction() invocation.

[edigaryev]

Actually, perhaps a separate *github.Github is totally fine, we just need to have a shared *http.Client per EvaluateConfig() and EvaluateFunction() invocation.

Implemented in 792cb3a.

[fkorotkov]

Does it evict things ever?

[edigaryev]

Good catch. I think we need re-initialize the caching HTTP client per-evaluation 🤔

[edigaryev]

Fixed in af92585.

[fkorotkov]

Does it ever invalidate entries?

[edigaryev]

It does:

• NewClient(dsn, ...) calls NewTransport(dsn, ...)
• NewTransport(dsn, ...) calls store.Open(dsn)
• store.Open(dsn) calls registry.Default().OpenConn(dsn)
• registry.Default().OpenConn(dsn) calls memcache.Open(), which creates a new in-memory map

[fkorotkov]

I just don't see how it caches between invocations of EvaluateConfig. To me it seems it only caches within a single invocation of EvaluateConfig which is still good but probably not effective at all.

[edigaryev]

I just don't see how it caches between invocations of EvaluateConfig.

It does not for security reasons. Otherwise that would be considered a shared cache, which github.com/bartventer/httpcache is not:

Note: This package is intended for use as a private (client-side) cache. It is not a shared or proxy cache. It is designed to be used with an HTTP client to cache responses from origin servers, improving performance and reducing load on those servers.

Also for shared caches, storing responses to authenticated requests is not allowed as per RFC 9111, §3:

A cache MUST NOT store a response to a request unless:

[...]

• if the cache is shared: the Authorization header field is not present in the request (see Section 11.6.2 of [HTTP]) or a response directive is present that explicitly allows shared caching (see Section 3.5); and

We do some exceptions to this in Chacha, but in case of Chacha we control much more variables (e.g. we specifically list HTTP targets for exclusion), compared to all of the GitHub API.

[fkorotkov]

OK. Then I'm not going crazy. Exactly why I initially proposed to have a cache per GitHub Repo.