Performance issues with Foreman Proxy Puppet CA plugin and large CA inventories
Proxy::PuppetCa.list (https://github.com/theforeman/smart-proxy/blob/develop/modules/puppetca/puppetca_main.rb#L69) takes an extremely long period of time to complete when the CA inventory list is relatively large and there have been a relatively large number of revoked certificates.
The source of this issue is in Proxy::PuppetCa#ca_inventory, which performs a very slow O(n^2) operation to build up a hash of certificate data and whether each certificate has been revoked. In particular, Proxy::PuppetCa#ca_inventory iterates through every certificate in the inventory and then looks up that certificate's serial in the array returned by Proxy::PuppetCa#revoked_serials. When both the inventory and the list of revoked clients are large, this operation is extremely slow.
The downstream effect of this issue is that trying to interact with the Puppet CA via Foreman simply times out (the read_timeout on the RestClient request is only 60 seconds, while the Proxy::PuppetCa.list operation in our environment takes approximately 80s).
Perhaps a way to make this faster would be to just return a valueless Proxy::PuppetCa#revoked_serials so that the serial lookup is ~
Just to give you some numbers to work with, we have approximately 10900 certificates in our inventory and about 8900 of them are revoked.
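
The difference between the array scan described above and a hashed lookup, as an added example that is not smart-proxy's own code: the method names and the inventory shape are assumptions, and the data is constructed to match the sizes reported here.

```ruby
require 'set'
require 'benchmark'

# Constructed sample data; defaults mirror the report (10900 certs, 8900 revoked).
def sample_inventory(total = 10_900)
  (1..total).to_h { |i| ["host#{i}.example.com", { serial: i }] }
end

def sample_revoked(count = 8_900)
  (1..count).to_a.shuffle(random: Random.new(1))
end

# Shape of the slow path: Array#include? scans the revoked list once per
# certificate, so the work grows with inventory size * revoked count.
def mark_revoked_array(inventory, revoked_serials)
  inventory.each_with_object({}) do |(name, cert), out|
    out[name] = cert.merge(revoked: revoked_serials.include?(cert[:serial]))
  end
end

# Same output, but the revoked serials are hashed once up front, so each
# membership test no longer depends on the length of the revoked list.
def mark_revoked_set(inventory, revoked_serials)
  revoked = revoked_serials.to_set
  inventory.each_with_object({}) do |(name, cert), out|
    out[name] = cert.merge(revoked: revoked.include?(cert[:serial]))
  end
end

# Runs both variants on the same data and reports agreement and wall time.
def compare(total = 10_900, revoked_count = 8_900)
  inv = sample_inventory(total)
  rev = sample_revoked(revoked_count)
  slow = fast = nil
  t_slow = Benchmark.realtime { slow = mark_revoked_array(inv, rev) }
  t_fast = Benchmark.realtime { fast = mark_revoked_set(inv, rev) }
  { same: slow == fast,
    revoked: fast.count { |_, cert| cert[:revoked] },
    array_seconds: t_slow,
    set_seconds: t_fast }
end

p compare if __FILE__ == $PROGRAM_NAME
```
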