Improve performance for fetching authorized entries

[sorindumitru]

This does a bunch of speedups to authorized entries lookup (used for syncing agent entries but also for signing SVIDs):

• Make the caches return a new type, ReadOnlyEntry. This delays the clone of the entry from the cache until we actually need to clone it. Useful for SyncAuthorizedEntries where we retrieve all entries that the agent is authorized for but would only need to clone a few of them that we actually send to the agent. Also useful for signing SVIDs which can clone just the fields of the entry that are used.
• Switch from proto.Clone to our own Clone method. This allows us to combine cloning with output mask application, which avoid cloning some fields. This is also 1.5-2x faster than proto.Clone
• The entry cache can use just the path component of the entry when storing entries in the cache. This avoid some unnecessary work, which was seen in spire-server cpu profile data.

Some of the benchmarks we have in the tests show good improvements. Seen improvements also while running this, although somewhat smaller than the benchmark since some of the work still needs to be done in other places. Before:

BenchmarkBuildInMemory-16                             55          21637647 ns/op        14817260 B/op     100311 allocs/op
BenchmarkGetAuthorizedEntriesInMemory-16            5833            205069 ns/op          291966 B/op       3005 allocs/op
BenchmarkEntryLookup-16                               46          25513459 ns/op         5123503 B/op     136200 allocs/op

and after:

BenchmarkBuildInMemory-16                             54          19256267 ns/op         9915763 B/op     100310 allocs/op
BenchmarkGetAuthorizedEntriesInMemory-16           64569             17356 ns/op            9338 B/op         10 allocs/op
BenchmarkEntryLookup-16                              100          11445476 ns/op          156498 B/op       1536 allocs/op

For the events based cache. Before:

BenchmarkGetAuthorizedEntriesInMemory-16            9115            131016 ns/op          205207 B/op       1513 allocs/op
BenchmarkEntryLookup-16                               57          18919070 ns/op          209983 B/op       2461 allocs/op

and after:

BenchmarkGetAuthorizedEntriesInMemory-16           23606             50479 ns/op           68260 B/op         13 allocs/op
BenchmarkEntryLookup-16                               62          17778846 ns/op           91850 B/op       1180 allocs/op

[amartinezfayo]

Thank you @sorindumitru for this, it looks great!

[amartinezfayo]

It doesn't seem like we there is test coverage for this, could you add that?

[sorindumitru]

I've added a test to verify that the getters return the expected value

[sorindumitru]

One thing I realized was that it's somewhat possible to switch the trust domain of a deployment. I've added some changes to filter the entries with the wrong trust domain from the cache and a test for that too.

[amartinezfayo]

I'm a bit concerned about the potential for field skew here. If the types.Entry struct is updated in the future (e.g., new fields are added), the manual Clone implementation will also need to be updated. Otherwise, newly added fields won't be cloned, which could lead to subtle, hard-to-detect bugs.

It might be helpful to add a comment warning about this, or ideally, include a test (perhaps using reflection) that ensures all fields are properly cloned.

[sorindumitru]

There's a test for this, which indeed uses reflection to make sure all fields are cloned:

spire/pkg/server/api/entry_test.go

Line 727 in d73d8a7

func TestReadOnlyEntryClone(t *testing.T) {

[amartinezfayo]

I missed that, thanks!