tektoncd · lawrencejones · May 26, 2020
diff --git a/pkg/interceptors/interceptors.go b/pkg/interceptors/interceptors.go
@@ -17,7 +17,9 @@ limitations under the License.
 package interceptors
 
 import (
+ "context"
  "net/http"
+ "path"
 
  triggersv1 "github.com/tektoncd/triggers/pkg/apis/triggers/v1alpha1"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -29,7 +31,40 @@ type Interceptor interface {
  ExecuteTrigger(req *http.Request) (*http.Response, error)
 }
 
-func GetSecretToken(cs kubernetes.Interface, sr *triggersv1.SecretRef, eventListenerNamespace string) ([]byte, error) {
+const requestCacheKey = "interceptors.RequestCache"
+
+// WithCache clones the given request and sets the request context to include a cache.
+// This allows us to cache results from expensive operations and perform them just once
+// per each trigger.
+//
+// Each request should have its own cache, and those caches should expire once the request
+// is processed. For this reason, it's appropriate to store the cache on the request
+// context.
+func WithCache(req *http.Request) *http.Request {
+ return req.WithContext(context.WithValue(req.Context(), requestCacheKey, make(map[string]interface{})))
+}
+
+func getCache(req *http.Request) map[string]interface{} {
+ if cache, ok := req.Context().Value(requestCacheKey).(map[string]interface{}); ok {
+ return cache
+ }
+
+ return make(map[string]interface{})
+}
+
+// GetSecretToken queries Kubernetes for the given secret reference. We use this function
+// to resolve secret material like Github webhook secrets, and call it once for every
+// trigger that references it.
+//
+// As we may have many triggers that all use the same secret, we cache the secret values
+// in the request cache.
+func GetSecretToken(req *http.Request, cs kubernetes.Interface, sr *triggersv1.SecretRef, eventListenerNamespace string) ([]byte, error) {
+ cacheKey := path.Join("secret", sr.Namespace, sr.SecretName, sr.SecretKey)
+ cache := getCache(req)
+ if secretValue, ok := cache[cacheKey]; ok {
+ return secretValue.([]byte), nil
+ }
+
  ns := sr.Namespace
  if ns == "" {
  ns = eventListenerNamespace
@@ -39,5 +74,8 @@ func GetSecretToken(cs kubernetes.Interface, sr *triggersv1.SecretRef, eventList
  return nil, err
  }
 
- return secret.Data[sr.SecretKey], nil
+ secretValue := secret.Data[sr.SecretKey]
+ cache[cacheKey] = secret.Data[sr.SecretKey]
+
+ return secretValue, nil
 }
diff --git a/pkg/sink/sink.go b/pkg/sink/sink.go
@@ -186,6 +186,11 @@ func (r Sink) executeInterceptors(t *triggersv1.EventListenerTrigger, in *http.R
  Header: in.Header,
  Body: ioutil.NopCloser(bytes.NewBuffer(event)),
  }
+
+ // We create a cache against each request, so whenever we make network calls like
+ // fetching kubernetes secrets, we can do so only once per request.
+ request = interceptors.WithCache(request)
+
  var resp *http.Response
  for _, i := range t.Interceptors {
  var interceptor interceptors.Interceptor