Cache Certificates in Metrics Service (#1440)

MODULE.bazel

@@ -122,7 +122,7 @@ bazel_dep(
 )
 bazel_dep(
     name = "common-jvm",
-    version = "0.74.1",
+    version = "0.75.0",
     repo_name = "wfa_common_jvm",
 )
 bazel_dep(
@@ -199,6 +199,7 @@ maven.artifact(
 )
 maven.install(
     artifacts = [
+        "com.github.ben-manes.caffeine:caffeine:3.1.8",
         "com.google.cloud:google-cloud-security-private-ca:2.3.1",
         "com.google.crypto.tink:tink-awskms:1.9.1",
         "com.google.crypto.tink:tink-gcpkms:1.9.0",

maven_install.json

@@ -1,7 +1,7 @@
 {
   "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL",
-  "__INPUT_ARTIFACTS_HASH": -854047605,
-  "__RESOLVED_ARTIFACTS_HASH": 236716798,
+  "__INPUT_ARTIFACTS_HASH": -551144757,
+  "__RESOLVED_ARTIFACTS_HASH": 185108218,
   "conflict_resolution": {
     "com.google.code.gson:gson:2.8.9": "com.google.code.gson:gson:2.10.1",
     "com.google.errorprone:error_prone_annotations:2.3.2": "com.google.errorprone:error_prone_annotations:2.23.0",
@@ -174,10 +174,10 @@
     },
     "com.github.ben-manes.caffeine:caffeine": {
       "shasums": {
-        "jar": "1e0a7bbef1dd791653143f3f05d0e489934bf5481e58a87c9e619cd46b68729b",
-        "sources": "9c70fa3874ad26bca1e071b7eb69a96d37f6d544eda743b4b00ea050f377b0d0"
+        "jar": "7dd15f9df1be238ffaa367ce6f556737a88031de4294dad18eef57c474ddf1d3",
+        "sources": "7c8237f5d8f23654e7091056316a3730636b7a0f2e6fce450e2bd522090d6b7f"
       },
-      "version": "2.9.3"
+      "version": "3.1.8"
     },
     "com.github.docker-java:docker-java-api": {
       "shasums": {
@@ -6026,8 +6026,6 @@
       "com.flipkart.zjsonpatch"
     ],
     "com.github.ben-manes.caffeine:caffeine": [
-      "com.github.benmanes.caffeine",
-      "com.github.benmanes.caffeine.base",
       "com.github.benmanes.caffeine.cache",
       "com.github.benmanes.caffeine.cache.stats"
     ],

src/main/k8s/reporting_v2.cue

@@ -20,6 +20,8 @@ package k8s
 
 	_reportSchedulingCronSchedule: string | *"30 6 * * *" // Daily at 6:30 AM
 
+	_certificateCacheExpirationDuration: string | *"60m"
+
 	_postgresConfig: #PostgresConfig
 
 	_internalApiTarget: #GrpcTarget & {
@@ -122,6 +124,7 @@ package k8s
 						"--port=8443",
 						"--health-port=8080",
 						"--event-group-metadata-descriptor-cache-duration=1h",
+						"--certificate-cache-expiration-duration=\(_certificateCacheExpirationDuration)",
 			] + _tlsArgs + _internalApiTarget.args + _kingdomApiTarget.args
 
 			spec: template: spec: {

src/main/kotlin/org/wfanet/measurement/integration/common/reporting/v2/InProcessReportingServer.kt

@@ -219,7 +219,9 @@ class InProcessReportingServer(
                 SecureRandom(),
                 signingPrivateKeyDir,
                 trustedCertificates,
+                Duration.ofMinutes(60),
                 Dispatchers.IO,
+                Dispatchers.Default,
               )
               .withMetadataPrincipalIdentities(measurementConsumerConfigs),
             ReportingSetsService(internalReportingSetsClient)

src/main/kotlin/org/wfanet/measurement/reporting/deploy/v2/common/job/ReportSchedulingJobExecutor.kt

@@ -122,7 +122,9 @@ private fun run(
       SecureRandom(),
       v2AlphaFlags.signingPrivateKeyStoreDir,
       commonServerFlags.tlsFlags.signingCerts.trustedCertificates,
+      Duration.ofMinutes(60),
       Dispatchers.IO,
+      Dispatchers.Default,
     )
 
   val inProcessMetricsServerName = InProcessServerBuilder.generateName()

src/main/kotlin/org/wfanet/measurement/reporting/deploy/v2/common/server/V2AlphaPublicApiServer.kt

@@ -186,7 +186,9 @@ private fun run(
       SecureRandom(),
       v2AlphaFlags.signingPrivateKeyStoreDir,
       commonServerFlags.tlsFlags.signingCerts.trustedCertificates,
+      v2AlphaPublicServerFlags.certificateCacheExpirationDuration,
       Dispatchers.IO,
+      Dispatchers.Default,
     )
 
   val inProcessExecutorService: ExecutorService =
@@ -269,4 +271,12 @@ private class V2AlphaPublicServerFlags {
   )
   lateinit var authorityKeyIdentifierToPrincipalMapFile: File
     private set
+
+  @CommandLine.Option(
+    names = ["--certificate-cache-expiration-duration"],
+    description = ["Duration to mark cache entries as expired in format 1d1h1m1s1ms1ns"],
+    required = true,
+  )
+  lateinit var certificateCacheExpirationDuration: Duration
+    private set
 }

src/main/kotlin/org/wfanet/measurement/reporting/service/api/v2alpha/BUILD.bazel

@@ -205,7 +205,9 @@ kt_jvm_library(
         "//src/main/proto/wfa/measurement/reporting/v2alpha:metrics_service_kt_jvm_grpc_proto",
         "//src/main/proto/wfa/measurement/reporting/v2alpha:page_token_kt_jvm_proto",
         "//src/main/proto/wfa/measurement/reporting/v2alpha:reporting_sets_service_kt_jvm_grpc_proto",
+        "@wfa_common_jvm//imports/java/com/github/benmanes/caffeine",
         "@wfa_common_jvm//imports/java/com/google/protobuf/util",
+        "@wfa_common_jvm//imports/kotlin/kotlinx/coroutines:core",
         "@wfa_common_jvm//src/main/kotlin/org/wfanet/measurement/common",
         "@wfa_common_jvm//src/main/kotlin/org/wfanet/measurement/common/crypto:security_provider",
         "@wfa_common_jvm//src/main/kotlin/org/wfanet/measurement/common/grpc",