From 5a2c799da7896fffe3d72e7544dd05c129744c91 Mon Sep 17 00:00:00 2001
From: Tonis Tiigi
Date: Tue, 30 Jun 2020 22:17:11 -0700
Subject: [PATCH] resolver: add credential cache

As authenticator is short-lived seems harmless to cache credential values. This would help for remote builders where session roundtrips are not needed. It looks like containerd also asks credentials too aggressively.

Signed-off-by: Tonis Tiigi
---
 util/resolver/resolver.go | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/util/resolver/resolver.go b/util/resolver/resolver.go
index 44dbbedd8c67a..69856589d93ca 100644
--- a/util/resolver/resolver.go
+++ b/util/resolver/resolver.go
@@ -150,20 +150,41 @@ func NewRegistryConfig(m map[string]config.RegistryConfig) docker.RegistryHosts
 }

 type SessionAuthenticator struct {
- sm *session.Manager
- g session.Group
- mu sync.Mutex
+ sm *session.Manager
+ g session.Group
+ mu sync.Mutex
+ cache map[string]credentials
+}
+
+type credentials struct {
+ user string
+ secret string
 }

 func NewSessionAuthenticator(sm *session.Manager, g session.Group) *SessionAuthenticator {
- return &SessionAuthenticator{sm: sm, g: g}
+ return &SessionAuthenticator{sm: sm, g: g, cache: map[string]credentials{}}
 }

 func (a *SessionAuthenticator) credentials(h string) (string, string, error) {
 a.mu.Lock()
+ c, ok := a.cache[h]
+ if ok {
+ a.mu.Unlock()
+ return c.user, c.secret, nil
+ }
 g := a.g
 a.mu.Unlock()
- return auth.CredentialsFunc(a.sm, g)(h)
+ u, s, err := auth.CredentialsFunc(a.sm, g)(h)
+ if err != nil {
+ return "", "", err
+ }
+ a.mu.Lock()
+ a.cache[h] = credentials{
+ user: u,
+ secret: s,
+ }
+ a.mu.Unlock()
+ return u, s, nil
 }

 func (a *SessionAuthenticator) SetSession(g session.Group) {
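Review bot: The new `cache` map filled in `credentials` is never invalidated when the session group changes: `SetSession` appears only as a context line and the diffstat's 26 insertions and 5 deletions are all accounted for in this one hunk, so a secret fetched through the old `g` keeps being returned for host `h` after the authenticator is pointed at another session. Whether an authenticator is ever reused across sessions that hold different registry credentials is not visible here (the commit message assumes it is short-lived), but if it is, one session's secret would be used for another session's registry requests, and an expired or revoked token stays pinned for the authenticator's lifetime. I would reset the map under the existing lock in `SetSession` with `a.cache = map[string]credentials{}`, and document the field with `// cache holds per-host registry secrets in memory; it must be dropped whenever g changes`. A lookup already in flight when `SetSession` runs can still store a result obtained with the old group, so the store in `credentials` should probably be skipped when `a.g` no longer equals the `g` that was captured. `SetSession`'s body lies outside the hunk.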