-
Notifications
You must be signed in to change notification settings - Fork 370
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[JENKINS-73172] Reuse credentials object reference through scans to avoid frequent duplicated lookups #787
Conversation
…nt duplicated lookups
src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does not smell like the right fix. Rather, scan credentials should be looked up once at the beginning of branch indexing (or some similar identifiable task associated with a single credentialsId
) and the StandardCredentials
object should be passed directly to all the methods that would need it.
Right, it's not the right fix. And need to rework a bit the For the failing tests, makes sense that they fail here but the fact that the constructor Those tests assume that getting a
So actually you cannot select a SSH Username and Passkey credentials to an SCMSource and if you did set an ID (through CasC maybe) it would not be found through the connector and that would just not work. All the The scenario - and probably the reason this code is here - is SSHCheckoutTrait in which case we need to decorate the builder. The GitHubSCMBuilder should have simpler methods, i.e. a |
Discussing with @daniel-beck We'd need to take care of some expiration for GitHub App Creds. Based on the stale time window the cache token: https://github.com/jenkinsci/github-branch-source-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java#L384-L435. |
In the context of the OrganizationScan, this could be more efficient. The SCMNavigator creates SCMSources for each repo and we change context every time. So we are still doing a lot of lookups for the same credentials. As @jglick we need to pass along the credentials or an instance of some expiring credentials object. |
I do not think |
I see. It actually refreshes automatically through the refresh token. |
… via system property
Added a system property to disable it. Just in case. |
So far as I know that would be fine. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still -0 as per #787 (review): no cache system should be necessary, the credentials object should just be computed before the scan begins and passed along to whatever methods need it.
The context of the scan is not really passed between
Now for the scanning after a SCM Events, it actually depends. Sometimes it does not go through
I assume that we do want to do a scan at the beginning of a scan whether it is a branch indexing, an organization scan or a received event. If we make a change to a credentials, the next "ignition" of a scan should pick it up whatever the source. (Which was one of the reason for the We need to at least be able from an |
src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java
Outdated
Show resolved
Hide resolved
Sounds like a fix would be more straightforward if I do not really have time to review this in detail, so I am hoping someone (else) in @jenkinsci/github-branch-source-plugin-developers is able to review and merge. |
src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMNavigator.java
Outdated
Show resolved
Hide resolved
@@ -598,8 +623,8 @@ public static void setCacheSize(int cacheSize) { | |||
/** {@inheritDoc} */ | |||
@Override | |||
public String getRemote() { | |||
return GitHubSCMBuilder.uriResolver(getOwner(), apiUri, credentialsId) | |||
.getRepositoryUri(apiUri, repoOwner, repository); | |||
// Only HTTPS is applicable to the source remote with Username / Password credentials |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think you can be sure it is only username / password credentials?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rsandell Per my understanding, we can only have a HTTPS resolver from GitHubSCMSource
. Only StandardUsernamePasswordCredentials
can be selected and used to connect to the GitHub API:
- https://github.com/jenkinsci/github-branch-source-plugin/blob/1789.v5b_0c0cea_18c3/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java#L509-L512
- https://github.com/jenkinsci/github-branch-source-plugin/blob/1789.v5b_0c0cea_18c3/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java#L308
- https://github.com/jenkinsci/github-branch-source-plugin/blob/1789.v5b_0c0cea_18c3/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java#L139
- https://github.com/jenkinsci/github-branch-source-plugin/blob/1789.v5b_0c0cea_18c3/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java#L368-L394
I am not sure why it is not made more explicit with the typing.. But I don't see a scenario where it could be different and that makes sense since this SCM Source is using the GitHub Rest API..
The only specific scenario where we would see SSH if with the SSHCheckoutTrait
and that is handled by the trait implementation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It could be an app credential couldn't it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It could be an app credential couldn't it?
Yes it is, but GitHubAppCredentials
implements StandardUsernamePasswordCredentials
and is used for REST calls over HTTPS as well as mentioned Alan. So "HTTPS resolver only" here looks good to me.
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilderTest.java
Outdated
Show resolved
Hide resolved
/** {@inheritDoc} */ | ||
@NonNull | ||
@Override | ||
public GitHubSCMSource build() { | ||
GitHubSCMSource result = new GitHubSCMSource(repoOwner, projectName()); | ||
GitHubSCMSource result = new GitHubSCMSource(repoOwner, projectName(), credentials); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks to me that credentials
and credentialsId
could diverge. I think that credentialsId()
should return credentials.getId()
in case credentials
is set. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. Would be more consistent to do this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jeromepochat I applied your suggestion.
src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSource.java
Outdated
Show resolved
Hide resolved
I manually tested with org scan and multibranch pipeline. I confirm that it works fine and the caches in both (some comments left but no blocker) |
Recommend #787 (comment) to avoid technical debt, but a low priority compared to the bug itself. Other than that, I defer to @jeromepochat’s review; @rsandell or anyone else still reviewing this? I can physically merge, I am just not actively maintaining this. |
Co-authored-by: Jérôme Pochat <[email protected]>
Co-authored-by: Jérôme Pochat <[email protected]>
1d34ff2
to
5c29094
Compare
Description
Keep a threadlocal cache of scan credentials to avoid credentials lookup storm during branch indexing / org scan. See
JENKINS-73172 for further information.
Submitter checklist
Reviewer checklist
Documentation changes
Users/aliases to notify