resolver: add credential cache

As authenticator is short-lived seems harmless to cache credential values. This would help for remote builders where session roundtrips are not needed. It looks like containerd also asks credentials too aggressively. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
moby · Jul 1, 2020 · 5a2c799 · 5a2c799
1 parent c81d558
commit 5a2c799
Showing 1 changed file with 26 additions and 5 deletions.
diff --git a/util/resolver/resolver.go b/util/resolver/resolver.go
@@ -150,20 +150,41 @@ func NewRegistryConfig(m map[string]config.RegistryConfig) docker.RegistryHosts
 }
 
 type SessionAuthenticator struct {
-	sm *session.Manager
-	g  session.Group
-	mu sync.Mutex
+	sm    *session.Manager
+	g     session.Group
+	mu    sync.Mutex
+	cache map[string]credentials
+}
+
+type credentials struct {
+	user   string
+	secret string
 }
 
 func NewSessionAuthenticator(sm *session.Manager, g session.Group) *SessionAuthenticator {
-	return &SessionAuthenticator{sm: sm, g: g}
+	return &SessionAuthenticator{sm: sm, g: g, cache: map[string]credentials{}}
 }
 
 func (a *SessionAuthenticator) credentials(h string) (string, string, error) {
 	a.mu.Lock()
+	c, ok := a.cache[h]
+	if ok {
+		a.mu.Unlock()
+		return c.user, c.secret, nil
+	}
 	g := a.g
 	a.mu.Unlock()
-	return auth.CredentialsFunc(a.sm, g)(h)
+	u, s, err := auth.CredentialsFunc(a.sm, g)(h)
+	if err != nil {
+		return "", "", err
+	}
+	a.mu.Lock()
+	a.cache[h] = credentials{
+		user:   u,
+		secret: s,
+	}
+	a.mu.Unlock()
+	return u, s, nil
 }
 
 func (a *SessionAuthenticator) SetSession(g session.Group) {