backend: caching: implemented caching for single-cluster

[upsaurav12]

Implementation

I have implemented caching for the single-cluster. For multi-cluster i am trying to check by creating user by changing use-context.

Here how i have implemented:

1. I am capturing response during ProxyRequest and storing it in cache in string.
2. Then I am changing the response from gzip to byte and then to string.
3. If the user is making request for the first time it will first first selfsubjectrulesreviews and if it returns Failure then it is not authenticated. If doesn't then process to acquire from cache.
4. A new key will be generated for new kind and namespace and clusters and it will be same if the user is making the same requests.
5. If key is not present in cache then it will go for actual request to k8's and then store in cache.

However more things i have to add like cache should be synced with the latest k8's value but i am finding solution whether i should go for countinuously make requests to k8's after 5s or fixed time oruse watch events from k8's.

Test Results

=== RUN   TestInitialize
=== RUN   TestInitialize/initializes_responseCapture_with_defaults
--- PASS: TestInitialize/initializes_responseCapture_with_defaults (0.00s)
--- PASS: TestInitialize (0.00s)
=== RUN   TestExtractNamespace
=== RUN   TestExtractNamespace/valid_url_with_namespace
--- PASS: TestExtractNamespace/valid_url_with_namespace (0.00s)
=== RUN   TestExtractNamespace/empty_url
--- PASS: TestExtractNamespace/empty_url (0.00s)
=== RUN   TestExtractNamespace/invalid_url_format
--- PASS: TestExtractNamespace/invalid_url_format (0.00s)
--- PASS: TestExtractNamespace (0.00s)
=== RUN   TestGetResponseBody
=== RUN   TestGetResponseBody/valid_response
--- PASS: TestGetResponseBody/valid_response (0.00s)
=== RUN   TestGetResponseBody/empty_Response
--- PASS: TestGetResponseBody/empty_Response (0.00s)
=== RUN   TestGetResponseBody/empty_contentType
--- PASS: TestGetResponseBody/empty_contentType (0.00s)
--- PASS: TestGetResponseBody (0.00s)
=== RUN   TestGenerateKey
=== RUN   TestGenerateKey/url_was_valid_
--- PASS: TestGenerateKey/url_was_valid_ (0.00s)
=== RUN   TestGenerateKey/empty_cluster
--- PASS: TestGenerateKey/empty_cluster (0.00s)
--- PASS: TestGenerateKey (0.00s)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: upsaurav12
Once this PR has been reviewed and has the lgtm label, please assign joaquimrocha for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[illume]

Nice one.

ps. See commit guidelines, and run make backend-lint to see lint issues localy.

[illume]

Nice start. Thanks.

Would you mind separating the code out from headlamp.go? Code can be put into a separate module/package, and then headlamp.go can import it and use it. We are in the process of moving as much code out of headlamp.go as possible into package modules. It's all a bit too much code tangled up in there.

Could you please add tests? As well, please add documentation to your functions.

I left a comment about commit message guidelines and running backend-lint.

[upsaurav12]

@illume I have added extracted the cache implementation from headlamp.go. I am sorry i wasn't able to write tests because my system is running slow will write the code and push them

I am not sure that this implementation might work for multiple users however i am finding way to test it with services accounts but in development mode it is directly fetching from kubeconfig file and it loads clusters directly without asking for bearer token

[illume]

How about making an own package for pkg/k8cache? I think maybe it should not go inside pkg/cache, since it's topic is slightly different than what pkg/cache already does.

[upsaurav12]

How about making an own package for pkg/k8cache? I think maybe it should not go inside pkg/cache, since it's topic is slightly different than what pkg/cache already does.

I was thinking the same but eventually had to impelment in the same package because of cache initialization and ease of importing functions.

I will. modify it.

[upsaurav12]

I have moved the code to pkg/k8cache as package.

[upsaurav12]

Hi I have just tested this cache implementation with different serviceaccounts as a users. for example service accounts have no-access to cluster resources, user having limited access and user having full access. From my end it is working fine like showing the data that the user is authorized.

Screen.Recording.-.Jun.28.2025-VEED.mp4

However still there are still some points that is need to be fixed/address.

1. Initialization of Cache:- Currently i am initializing the cache as a global variable which i am not sure that it would be ideal approach for this project specifically. it is fine to initialize as it?
2. Synchronization of Cache data :- We can have two options Watch API and Polling to K8;s at a fixed time interval. which approach should be the ideal for the project ?
3. Use of token :- Would it be good approach to use token in the key generation because here i am already using SSAR request to authorize the user but in K8's dashboard PR they had used it.

[illume]

I left a few notes.

[upsaurav12]

I left a few notes.

I am sorry i could get these replies. i don't know why but they weren't visible to me?
thanks for suggestion i have made some changes for your requested changes.

[illume]

I am sorry i could get these replies. i don't know why but they weren't visible to me?

No worries. I think I wrote them, and then few days came back and noticed they were still pending and submitted the review. I'm not sure why they kept the old date on them, I think it's a github bug. That's why they weren't visible to you - I didn't submit the review yet.

[yolossn]

I don't think we need this span to be instrumented. @illume wdyt? this function just gets the context key and context.

[upsaurav12]

i have added because i was getting linting error of length of CacheMiddleware function

[yolossn]

AFAIU telemetry doesn't have anything to do with linting issue. Can you share the exact error that you faced?

[upsaurav12]

no, i am talking about funlen linting issue, it was saying that the function length is >60 lines of code, that's why i made a saparate function that will return contextKey , KContext, span and ctx

[yolossn]

separate function is okay, not every new function needs to have a telemetry span.

[upsaurav12]

okay understood, should i need to remove telemetry and span for some new functions such as ReturnAuthErrRespone , ReturnAfterAuthError etc

[yolossn]

for now, lets remove this.

[yolossn]

This function doesn't make a request to K8ClusterAPI, please improve the function name here.

[upsaurav12]

@illume said that previous one was good, so can we change the name to previous one

[upsaurav12]

would RequestToK8AndStore be good for you @yolossn

[yolossn]

Please add a comment here, It is not clear why the Check is done here.

[yolossn]

Can you please explain the context behind purging post request alone?

[upsaurav12]

I was adding for more methods but from the last meet you asked for only POST

[yolossn]

Looks like there is a misunderstanding here, all kind of update request that can make the cache stale should be handled here. ie put, post, delete

[upsaurav12]

Now i am pushing the changes

[yolossn]

Also synchronously looping through every request in cache and deleting the request at the end of each update request will make it slower. Also the method type check in the cacheMiddleware is removed. Almost all of the update request (put,post,delete) will be unique and we need not have to check them in the cache.

[upsaurav12]

@yolossn @illume
would this work ?

// PurgeDataForPostRequest remove the stale data which is related to POST request.
// It uses UnmarshalCacheData to filter the response for purging the resource data.
// It also uses GetAll method from cache.Cache to retrieve all the data that was stored.
func PurgeDataForPostRequest(w http.ResponseWriter, r *http.Request, k8scache cache.Cache[string],
	next http.Handler, rcw *responseCapture, isAllowed bool,
) error {
	lasts, _ := GetKindAndVerb(r)

	last := Singular(lasts)

	go func() error {

		// start := time.Now()
		val, err := k8scache.GetAll(context.Background(), nil)
		if err != nil {
			return err
		}

		for key, v := range val {
			var cachedData CachedResponseData

			_, err := UnmarshalCacheData(v, cachedData)
			if err != nil {
				return err
			}

			err = ProcessCachedItem(key, v, last, k8scache, next, w, r, rcw, isAllowed)
			if err != nil {
				return err
			}
		}

		// elapsed := time.Since(start)
		// fmt.Println("elasped : ", elapsed)

		return nil
	}()

	return nil
}

[upsaurav12]

i have made some changes in the code

[k8s-ci-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[skoeva]

there's an updated PR for this, will close it for now