Make JWT-SVID cache size configurable

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

cmd/spire-agent/cli/run/run.go

@@ -92,6 +92,7 @@ type agentConfig struct {
 	AllowedForeignJWTClaims       []string  `hcl:"allowed_foreign_jwt_claims"`
 	AvailabilityTarget            string    `hcl:"availability_target"`
 	X509SVIDCacheMaxSize          int       `hcl:"x509_svid_cache_max_size"`
+	JWTSVIDCacheMaxSize           int       `hcl:"jwt_svid_cache_max_size"`
 
 	AuthorizedDelegates []string `hcl:"authorized_delegates"`
 
@@ -501,6 +502,11 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 	}
 	ac.X509SVIDCacheMaxSize = c.Agent.X509SVIDCacheMaxSize
 
+	if c.Agent.JWTSVIDCacheMaxSize < 0 {
+		return nil, errors.New("jwt_svid_cache_max_size should not be negative")
+	}
+	ac.JWTSVIDCacheMaxSize = c.Agent.JWTSVIDCacheMaxSize
+
 	td, err := common_cli.ParseTrustDomain(c.Agent.TrustDomain, logger)
 	if err != nil {
 		return nil, err

doc/spire_agent.md

@@ -70,7 +70,8 @@ This may be useful for templating configuration files, for example across differ
 | `trust_domain`                    | The trust domain that this agent belongs to (should be no more than 255 characters)                                                                                                                                                               |                                  |
 | `workload_x509_svid_key_type`     | The workload X509 SVID key type <rsa-2048|ec-p256>                                                                                                                                                                                     | ec-p256                          |
 | `availability_target`             | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. See [Availability Target](#availability-target) |                                  |
-| `x509_svid_cache_max_size`        | Soft limit of max number of SVIDs that would be stored in LRU cache                                                                                                                                                                               | 1000                             |
+| `x509_svid_cache_max_size`        | Soft limit of max number of X509-SVIDs that would be stored in LRU cache                                                                                                                                                                          | 1000                             |
+| `jwt_svid_cache_max_size`         | Hard limit of max number of JWT-SVIDs that would be stored in LRU cache                                                                                                                                                                           | 1000                             |
 
 | experimental                  | Description                                                                          | Default                 |
 |:------------------------------|--------------------------------------------------------------------------------------|-------------------------|

pkg/agent/agent.go

@@ -275,7 +275,8 @@ func (a *Agent) newManager(ctx context.Context, sto storage.Storage, cat catalog
 		Storage:                  sto,
 		SyncInterval:             a.c.SyncInterval,
 		UseSyncAuthorizedEntries: a.c.UseSyncAuthorizedEntries,
-		SVIDCacheMaxSize:         a.c.X509SVIDCacheMaxSize,
+		X509SVIDCacheMaxSize:     a.c.X509SVIDCacheMaxSize,
+		JWTSVIDCacheMaxSize:      a.c.JWTSVIDCacheMaxSize,
 		SVIDStoreCache:           cache,
 		NodeAttestor:             na,
 		RotationStrategy:         rotationutil.NewRotationStrategy(a.c.AvailabilityTarget),

pkg/agent/config.go

@@ -66,9 +66,12 @@ type Config struct {
 	// is used to sync entries from the server.
 	UseSyncAuthorizedEntries bool
 
-	// X509SVIDCacheMaxSize is a soft limit of max number of SVIDs that would be stored in cache
+	// X509SVIDCacheMaxSize is a soft limit of max number of X509-SVIDs that would be stored in cache
 	X509SVIDCacheMaxSize int
 
+	// JWTSVIDCacheMaxSize is a soft limit of max number of JWT-SVIDs that would be stored in cache
+	JWTSVIDCacheMaxSize int
+
 	// Trust domain and associated CA bundle
 	TrustDomain spiffeid.TrustDomain
 	TrustBundle []*x509.Certificate

pkg/agent/manager/config.go

@@ -38,7 +38,8 @@ type Config struct {
 	UseSyncAuthorizedEntries bool
 	RotationInterval         time.Duration
 	SVIDStoreCache           *storecache.Cache
-	SVIDCacheMaxSize         int
+	X509SVIDCacheMaxSize     int
+	JWTSVIDCacheMaxSize      int
 	DisableLRUCache          bool
 	NodeAttestor             nodeattestor.NodeAttestor
 	RotationStrategy         *rotationutil.RotationStrategy
@@ -66,7 +67,7 @@ func newManager(c *Config) *manager {
 	}
 
 	cache := managerCache.NewLRUCache(c.Log.WithField(telemetry.SubsystemName, telemetry.CacheManager), c.TrustDomain, c.Bundle,
-		c.Metrics, c.SVIDCacheMaxSize, c.SVIDCacheMaxSize, c.Clk)
+		c.Metrics, c.X509SVIDCacheMaxSize, c.JWTSVIDCacheMaxSize, c.Clk)
 
 	rotCfg := &svid.RotatorConfig{
 		SVIDKeyManager:   keymanager.ForSVID(c.Catalog.GetKeyManager()),

pkg/agent/manager/manager_test.go

@@ -1027,22 +1027,23 @@ func TestSynchronizationWithLRUCache(t *testing.T) {
 	cat.SetKeyManager(km)
 
 	c := &Config{
-		ServerAddr:       api.addr,
-		SVID:             baseSVID,
-		SVIDKey:          baseSVIDKey,
-		Log:              testLogger,
-		TrustDomain:      trustDomain,
-		Storage:          openStorage(t, dir),
-		Bundle:           api.bundle,
-		Metrics:          &telemetry.Blackhole{},
-		RotationInterval: time.Hour,
-		SyncInterval:     time.Hour,
-		Clk:              clk,
-		Catalog:          cat,
-		WorkloadKeyType:  workloadkey.ECP256,
-		SVIDCacheMaxSize: 10,
-		SVIDStoreCache:   storecache.New(&storecache.Config{TrustDomain: trustDomain, Log: testLogger}),
-		RotationStrategy: rotationutil.NewRotationStrategy(0),
+		ServerAddr:           api.addr,
+		SVID:                 baseSVID,
+		SVIDKey:              baseSVIDKey,
+		Log:                  testLogger,
+		TrustDomain:          trustDomain,
+		Storage:              openStorage(t, dir),
+		Bundle:               api.bundle,
+		Metrics:              &telemetry.Blackhole{},
+		RotationInterval:     time.Hour,
+		SyncInterval:         time.Hour,
+		Clk:                  clk,
+		Catalog:              cat,
+		WorkloadKeyType:      workloadkey.ECP256,
+		X509SVIDCacheMaxSize: 10,
+		JWTSVIDCacheMaxSize:  10,
+		SVIDStoreCache:       storecache.New(&storecache.Config{TrustDomain: trustDomain, Log: testLogger}),
+		RotationStrategy:     rotationutil.NewRotationStrategy(0),
 	}
 
 	m := newManager(c)
@@ -1347,20 +1348,21 @@ func TestSyncSVIDsWithLRUCache(t *testing.T) {
 	cat.SetKeyManager(km)
 
 	c := &Config{
-		ServerAddr:       api.addr,
-		SVID:             baseSVID,
-		SVIDKey:          baseSVIDKey,
-		Log:              testLogger,
-		TrustDomain:      trustDomain,
-		Storage:          openStorage(t, dir),
-		Bundle:           api.bundle,
-		Metrics:          &telemetry.Blackhole{},
-		Clk:              clk,
-		Catalog:          cat,
-		WorkloadKeyType:  workloadkey.ECP256,
-		SVIDCacheMaxSize: 1,
-		SVIDStoreCache:   storecache.New(&storecache.Config{TrustDomain: trustDomain, Log: testLogger}),
-		RotationStrategy: rotationutil.NewRotationStrategy(0),
+		ServerAddr:           api.addr,
+		SVID:                 baseSVID,
+		SVIDKey:              baseSVIDKey,
+		Log:                  testLogger,
+		TrustDomain:          trustDomain,
+		Storage:              openStorage(t, dir),
+		Bundle:               api.bundle,
+		Metrics:              &telemetry.Blackhole{},
+		Clk:                  clk,
+		Catalog:              cat,
+		WorkloadKeyType:      workloadkey.ECP256,
+		X509SVIDCacheMaxSize: 1,
+		JWTSVIDCacheMaxSize:  1,
+		SVIDStoreCache:       storecache.New(&storecache.Config{TrustDomain: trustDomain, Log: testLogger}),
+		RotationStrategy:     rotationutil.NewRotationStrategy(0),
 	}
 
 	m := newManager(c)