feat: disables provider response cache when TTL is set to 0 (#3028) (#…
…3033)

Signed-off-by: Nilekh Chaudhari <[email protected]>
nilekhc authored Oct 5, 2023
1 parent b363b40 commit c73cd2c
Showing 3 changed files with 588 additions and 4 deletions.
12 changes: 8 additions & 4 deletions main.go
Expand Up @@ -110,7 +110,7 @@ var (
enableTLSHealthcheck = flag.Bool("enable-tls-healthcheck", false, "enable probing webhook API with certificate stored in certDir")
disabledBuiltins = util.NewFlagSet()
enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", false, "PROTOTYPE (not stable): enable the validating admission policy driver")
externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified.")
externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.")
)

func init() {
Expand Down Expand Up @@ -363,13 +363,17 @@ func setupControllers(ctx context.Context, mgr ctrl.Manager, sw *watch.Controlle
args = append(args, rego.AddExternalDataProviderCache(providerCache))
mutationOpts.ProviderCache = providerCache

if *externaldataProviderResponseCacheTTL <= 0 {
switch {
case *externaldataProviderResponseCacheTTL > 0:
providerResponseCache := frameworksexternaldata.NewProviderResponseCache(ctx, *externaldataProviderResponseCacheTTL)
args = append(args, rego.AddExternalDataProviderResponseCache(providerResponseCache))
case *externaldataProviderResponseCacheTTL == 0:
setupLog.Info("external data provider response cache is disabled")
default:
err := fmt.Errorf("invalid value for external-data-provider-response-cache-ttl: %d", *externaldataProviderResponseCacheTTL)
setupLog.Error(err, "unable to create external data provider response cache")
return err
}
providerResponseCache := frameworksexternaldata.NewProviderResponseCache(ctx, *externaldataProviderResponseCacheTTL)
args = append(args, rego.AddExternalDataProviderResponseCache(providerResponseCache))

certFile := filepath.Join(*certDir, certName)
keyFile := filepath.Join(*certDir, keyName)
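Review bot: The new `case *externaldataProviderResponseCacheTTL == 0` branch only logs that the cache is disabled, and neither that log nor the updated help string on the `externaldataProviderResponseCacheTTL` flag says what the operator is opting into: with no response cache, every audit and webhook evaluation that calls `external_data` issues a fresh request to the provider, so provider latency, rate limits and availability sit directly on the admission path and a burst of admission requests becomes a burst of provider calls. I would extend the help text to `Setting the TTL to 0 disables the cache; every evaluation then queries the provider directly.` and state the same consequence in the `== 0` branch's Info message. Whether the rego driver tolerates the response cache never being registered is not visible here; presumably it does, since the option is simply not appended to `args`. A smaller point in the same switch: the unchanged `default` branch formats the `time.Duration` with `%d`, so a value of `-1m` is reported as `-60000000000`, whereas `%v` would print `-1m0s`. `setupControllers` starts before and continues past this hunk.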
3 changes: 3 additions & 0 deletions website/docs/externaldata.md
Expand Up @@ -146,6 +146,9 @@ If there is a system error, the provider should return the system error message
Example provider implementation: https://github.com/open-policy-agent/gatekeeper/blob/master/test/externaldata/dummy-provider/provider.go

#### Provider Response Caching
Starting with v3.13+, Gatekeeper supports caching of responses from external data providers for both audit and validating webhook. It caches the response based on the `Key` and `Value` received as part of the [`ProviderResponse`](#providerresponse). By default, the cache is invalidated after 3 minutes, which is the default Time-to-Live (TTL). You can configure the TTL using the `--external-data-provider-response-cache-ttl` flag. Setting the flag to 0 disables this cache.

## External data for Gatekeeper validating webhook

External data adds a [custom OPA built-in function](https://www.openpolicyagent.org/docs/latest/extensions/#custom-built-in-functions-in-go) called `external_data` to Rego. This function is used to query external data providers.
