feat: Add caching of ACM certificate lookups (#180)

fivestars-os · Oct 27, 2024 · d400410 · d400410
1 parent 996687a
commit d400410
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 124 deletions.
diff --git a/aladdin/commands/get_certificate.py b/aladdin/commands/get_certificate.py
@@ -28,7 +28,7 @@ def parse_args(parser):
     subparser.add_argument(
         "--poll-interval",
         type=int,
-        default=10,
+        default=30,
         dest="poll_interval",
         help="Seconds to wait between polls to AWS ACM",
     )
@@ -40,9 +40,9 @@ def get_certificate(
     namespace: str,
     for_cluster: bool = False,
     wait: int = 0,
-    poll_interval: int = 10
+    poll_interval: int = 30
 ):
-    cr = ClusterRules(namespace=namespace)
+    ClusterRules(namespace=namespace)
     cert = None
     timeout_start = time.time()
     while not cert:

diff --git a/aladdin/lib/aws/certificate.py b/aladdin/lib/aws/certificate.py
@@ -5,6 +5,7 @@
 import re
 from hashlib import md5
 
+from aladdin.lib.cache import certificate_cache
 from aladdin.lib.aws.dns_mapping import fill_hostedzone
 from aladdin.lib.cluster_rules import ClusterRules
 
@@ -113,12 +114,14 @@ def get_service_certificate_arn(certificate_scope: str = None) -> str:
     certificate_scope = certificate_scope or ClusterRules().service_certificate_scope
     return _get_certificate_arn(certificate_scope)
 
+
 def get_cluster_certificate_arn(certificate_scope: str = None) -> str:
     certificate_scope = certificate_scope or ClusterRules().cluster_certificate_scope
     return _get_certificate_arn(certificate_scope)
 
-def _get_certificate_arn(certificate_scope) -> str:
 
+@certificate_cache
+def _get_certificate_arn(certificate_scope: str) -> str:
     cert = search_certificate_arn(ClusterRules().boto, certificate_scope)
 
     # Check against None to allow empty string

diff --git a/aladdin/lib/cache.py b/aladdin/lib/cache.py
@@ -0,0 +1,64 @@
+import datetime
+import logging
+import pathlib
+import time
+import functools
+import shelve
+import shutil
+from contextlib import contextmanager
+from collections import defaultdict
+
+from aladdin.lib.cluster_rules import ClusterRules
+
+cache_root = pathlib.Path.home() / ".aladdin" / "cache"
+
+
+@contextmanager
+def clear_on_error():
+    try:
+        yield
+    except Exception:
+        logging.info("Clearing cache due to error")
+        shutil.rmtree(cache_root, ignore_errors=True)
+
+
+def certificate_cache(func):
+    cache_root.mkdir(parents=True, exist_ok=True)
+    cache_path = cache_root / "certificates"
+    ttls = defaultdict(
+        # the default ttl for existing certificates
+        lambda: datetime.timedelta(hours=1),
+        # allow checking the status more frequently for new certificates
+        {
+            "": datetime.timedelta(minutes=1),
+            None: datetime.timedelta(minutes=1),
+        },
+    )
+
+    @functools.wraps(func)
+    @clear_on_error()
+    def wrapper(certificate_scope):
+        cache = shelve.open(cache_path)
+        data: dict = cache.get(certificate_scope) or {}
+
+        age = time.time() - data.get("time", 0)
+        value = data.get("value")
+        ttl = ttls[value]
+        if (
+            not data
+            or age > ttl.total_seconds()
+            or not ClusterRules().certificate_lookup_cache
+        ):
+            value = func(certificate_scope)
+            cache[certificate_scope] = {
+                "value": value,
+                "time": time.time(),
+            }
+            cache.close()
+        elif value:
+            logging.info(
+                "Found CACHED certificate %s for %s", value, certificate_scope
+            )
+        return value
+
+    return wrapper
diff --git a/aladdin/lib/cluster_rules.py b/aladdin/lib/cluster_rules.py
@@ -113,6 +113,14 @@ def certificate_lookup(self):
             return False
         return self.rules.get("certificate_lookup", True)
 
+    @property
+    def certificate_lookup_cache(self):
+        if strtobool(os.getenv("IS_LOCAL", "false")):
+            return False
+        if strtobool(os.getenv("ALADDIN_DISABLE_CERTIFICATE_LOOKUP_CACHE", "false")):
+            return False
+        return self.rules.get("certificate_lookup_cache", True)
+
     @property
     def dns_sync(self):
         if strtobool(os.getenv("IS_LOCAL", "false")) or self.is_local:

diff --git a/aladdin/lib/k8s/kubernetes_utils.py b/aladdin/lib/k8s/kubernetes_utils.py
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "aladdin"
-version = "1.29.8.5"
+version = "1.29.8.6"
 description = ""
 authors = ["Fivestars <dev@fivestars.com>"]
 include = [