Add per worker cache for certificate and private key

[ArchangelSDY]

What this PR does / why we need it:

Originally certificate and private key are converted to DER format and then passed to set_der_cert and set_der_priv_key. The major drawback of this is the input of set_der_cert cannot be cached. The input is DER bytes. Inside set_der_cert, a new X509 * is always created from it. This means redundant work and causes a memory waste.

By switching to set_cert and set_priv_key APIs, we can pass in an opaque X509 * pointer. Since X509 * is reference counted, we can easily add a cache for it, thus it can be reused by multiple connections.

In benchmark, it saves ~20KB memory per connection.

Types of changes

• [ ] Bug fix (non-breaking change which fixes an issue)
• [x] New feature (non-breaking change which adds functionality)
• [ ] Breaking change (fix or feature that would cause existing functionality to change)
• [ ] Documentation only

Which issue/s this PR fixes

fixes #8250

How Has This Been Tested?

1. Set up a websocket upstream
2. Connect 10000 websocket connections
3. Measure the Nginx memory increase

Checklist:

• [ ] My change requires a change to the documentation.
• [ ] I have updated the documentation accordingly.
• [x] I've read the CONTRIBUTION guide
• [x] I have added tests to cover my changes.
• [x] All new and existing tests passed.

[k8s-ci-robot]

Hi @ArchangelSDY. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ArchangelSDY]

/assign @elvinefendi /kind feature

[iamNoah1]

/triage accepted

[theunrealgeek]

I'm familiar with this approach from other projects, will take a look at it /assign

[k8s-ci-robot]

@theunrealgeek: changing LGTM is restricted to collaborators

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tao12345666333]

/assign

[ArchangelSDY]

/retest

[k8s-ci-robot]

@ArchangelSDY: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rikatz]

@tao12345666333 ping :D

[ArchangelSDY]

/retest

[ArchangelSDY]

Ping @tao12345666333

[tao12345666333]

/retest

[ArchangelSDY]

@tao12345666333 Looks the CI isn't responding...

[ArchangelSDY]

@tao12345666333 @rikatz @strongjz The bot isn't responding. Any idea how to get the tests rerun?

[tao12345666333]

maybe you can rebase code, then push it

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ArchangelSDY, theunrealgeek Once this PR has been reviewed and has the lgtm label, please ask for approval from elvinefendi by writing /assign @elvinefendi in a comment. For more information see:The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

[ArchangelSDY]

@tao12345666333 Rebased and tests passed.

[ArchangelSDY]

@tao12345666333 Ping

[tao12345666333]

ack

[ArchangelSDY]

@tao12345666333 Any new comment?

[ArchangelSDY]

@tao12345666333 Any interest to get this merged?

[tao12345666333]

Sorry for delay, too busy.

I can finish this before Wednesday.

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[netlify[bot]]

✅ Deploy Preview for kubernetes-ingress-nginx ready!

Name	Link
🔨 Latest commit	a2be8cd691379f00e70fc1d2e7d9e995484ee0bd
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-ingress-nginx/deploys/65b917d1dd89420007686071
😎 Deploy Preview	https://deploy-preview-8266--kubernetes-ingress-nginx.netlify.app/user-guide/nginx-configuration/configmap
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ArchangelSDY, theunrealgeek Once this PR has been reviewed and has the lgtm label, please ask for approval from tao12345666333. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

[ArchangelSDY]

Rebased.