performance: share a single secret store

Loading a Java Keystore can take anywhere from ~0.3s to upwards of 3s, so the
pattern of loading one per variable we need to replace adds a significant
amount of overhead on pipelines that use these variables, whether or not they
are provided by the keystore.

By providing a private, constant, lazy singleton, we ensure that we don't
incur the cost of repeatedly building the keystore.

Fixes #10794

Author: yaauie

logstash-core/lib/logstash/util/lazy_singleton.rb

@@ -0,0 +1,33 @@
+require 'thread' # Mutex
+
+# A [LazySingleton] wraps the result of the provided block,
+# which is guaranteed to be called at-most-once, even if the
+# block's return value is nil.
+class ::LogStash::Util::LazySingleton
+
+  def initialize(&block)
+    @mutex = Mutex.new
+    @block = block
+    @instantiated = false
+  end
+
+  def instance
+    unless @instantiated
+      @mutex.synchronize do
+        unless @instantiated
+          @instance = @block.call
+          @instantiated = true
+        end
+      end
+    end
+
+    return @instance
+  end
+
+  def reset!
+    @mutex.synchronize do
+      @instantiated = false
+      @instance = nil
+    end
+  end
+end

logstash-core/lib/logstash/util/substitution_variables.rb

@@ -2,12 +2,17 @@
 
 java_import "org.logstash.secret.store.SecretStoreExt"
 
+require_relative 'lazy_singleton'
+
 module ::LogStash::Util::SubstitutionVariables
 
   include LogStash::Util::Loggable
 
   SUBSTITUTION_PLACEHOLDER_REGEX = /\${(?<name>[a-zA-Z_.][a-zA-Z0-9_.]*)(:(?<default>[^}]*))?}/
 
+  SECRET_STORE = ::LogStash::Util::LazySingleton.new { load_secret_store }
+  private_constant :SECRET_STORE
+
   # Recursive method to replace substitution variable references in parameters
   def deep_replace(value)
     if value.is_a?(Hash)
@@ -42,7 +47,7 @@ def replace_placeholders(value)
       logger.debug("Replacing `#{placeholder}` with actual value")
 
       #check the secret store if it exists
-      secret_store = SecretStoreExt.getIfExists(LogStash::SETTINGS.get_setting("keystore.file").value, LogStash::SETTINGS.get_setting("keystore.classname").value)
+      secret_store = SECRET_STORE.instance
       replacement = secret_store.nil? ? nil : secret_store.retrieveSecret(SecretStoreExt.getStoreId(name))
       #check the environment
       replacement = ENV.fetch(name, default) if replacement.nil?
@@ -54,4 +59,20 @@ def replace_placeholders(value)
     end
   end # def replace_placeholders
 
+  class << self
+    private
+
+    # loads a secret_store from disk if available, or returns nil
+    #
+    # @api private
+    # @return [SecretStoreExt,nil]
+    def load_secret_store
+      SecretStoreExt.getIfExists(LogStash::SETTINGS.get_setting("keystore.file").value, LogStash::SETTINGS.get_setting("keystore.classname").value)
+    end
+
+    # @api test
+    def reset_secret_store
+      SECRET_STORE.reset!
+    end
+  end
 end

logstash-core/spec/logstash/settings_spec.rb

@@ -158,6 +158,11 @@
 
     before :each do
       LogStash::SETTINGS.set("keystore.file", File.join(File.dirname(__FILE__), "../../src/test/resources/logstash.keystore.with.default.pass"))
+      LogStash::Util::SubstitutionVariables.send(:reset_secret_store)
+    end
+
+    after(:each) do
+      LogStash::Util::SubstitutionVariables.send(:reset_secret_store)
     end
 
     context "placeholders in flat logstash.yml" do
@@ -211,6 +216,7 @@
 
     before :each do
       LogStash::SETTINGS.set("keystore.file", File.join(File.dirname(__FILE__), "../../src/test/resources/logstash.keystore.with.default.pass"))
+      LogStash::Util::SubstitutionVariables.send(:reset_secret_store)
     end
 
     before do
@@ -225,6 +231,10 @@
       ENV.delete('a')
     end
 
+    after(:each) do
+      LogStash::Util::SubstitutionVariables.send(:reset_secret_store)
+    end
+
     subject do
       settings = described_class.new
       settings.register(LogStash::Setting::ArrayCoercible.new("host", String, []))