TTL-based in-memory cache wrapping any SecretStore.
CachingStore wraps any backend that implements SecretStore and adds
a simple TTL-based memory cache. Cache entries are stored as
Zeroizing buffers so secret bytes are zeroed on
eviction. Setting ttl to Duration::ZERO disables caching entirely,
which is appropriate for file and env backends.
§Lock discipline
The internal tokio::sync::Mutex is never held across an .await
point. All cache reads and writes acquire the lock, copy the data they
need, then drop the lock before any network call.
§Known limitation: thundering herd on TTL expiry
When multiple async tasks share a CachingStore and a cached entry
expires, every task that calls get concurrently will independently
detect the miss, call the inner backend, and write the result back. This is a
direct consequence of the lock discipline above: the lock is released between
the miss check and the write-back, so nothing makes the backend fetch
exclusive. The size of the burst is bounded by the number of tasks calling
get at the moment of expiry; for backends with API rate limits (AWS
Secrets Manager, AWS SSM Parameter Store) this can cause a brief burst of calls.
Mitigation: choose a TTL long enough that simultaneous expiry is unlikely in your workload (the default for network backends is 5 minutes). In single-task applications the herd size is always 1 and this does not arise.
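The following is an added, self-contained model of the behaviour described in the two sections above; it is not the crate's own code. It keeps the documented lock discipline (lock, copy, unlock, call the backend, lock again to write back) but, so that it runs with the standard library alone, it assumes a blocking `Backend` trait in place of the async `SecretStore`, `std::sync::Mutex` and threads in place of `tokio::sync::Mutex` and tasks, and a `ZeroOnDrop` wrapper standing in for `Zeroizing`. The `CountingBackend` is constructed for the example: it counts calls and uses a `Barrier` to force every caller into the miss path at the same instant, which is the worst case on TTL expiry, so the herd size is deterministic rather than timing-dependent.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::{Arc, Barrier, Mutex};
use std::thread;
use std::time::{Duration, Instant};

/// Stand-in for the crate's `SecretStore` (assumption: a blocking `get`
/// is enough to show the cache's behaviour; the real trait is async).
pub trait Backend: Send + Sync {
    fn get(&self, name: &str) -> Vec<u8>;
}

/// Stand-in for `zeroize::Zeroizing<Vec<u8>>`: wipes its bytes on drop.
pub struct ZeroOnDrop(Vec<u8>);

impl ZeroOnDrop {
    /// Volatile writes so the optimiser cannot remove the wipe.
    pub fn wipe(&mut self) {
        for b in self.0.iter_mut() {
            unsafe { std::ptr::write_volatile(b, 0) };
        }
    }
    pub fn bytes(&self) -> &[u8] { &self.0 }
}

impl Drop for ZeroOnDrop {
    fn drop(&mut self) { self.wipe(); }
}

struct Entry { value: ZeroOnDrop, expires_at: Instant }

pub struct CachingStore<B: Backend> {
    inner: B,
    ttl: Duration,
    cache: Mutex<HashMap<String, Entry>>,
}

impl<B: Backend> CachingStore<B> {
    pub fn new(inner: B, ttl: Duration) -> Self {
        Self { inner, ttl, cache: Mutex::new(HashMap::new()) }
    }

    /// Same discipline as the module docs: lock, copy, unlock, call the
    /// backend with no lock held, then lock again to write back.
    pub fn get(&self, name: &str) -> Vec<u8> {
        if self.ttl > Duration::ZERO {
            let guard = self.cache.lock().unwrap();
            if let Some(e) = guard.get(name) {
                if Instant::now() < e.expires_at {
                    return e.value.bytes().to_vec(); // guard dropped on return
                }
            }
        } // guard dropped here: the miss check and the write-back below are
          // not one critical section, which is what lets a herd form

        let value = self.inner.get(name);

        if self.ttl > Duration::ZERO {
            let entry = Entry { value: ZeroOnDrop(value.clone()), expires_at: Instant::now() + self.ttl };
            // Replacing a stale Entry drops it, which wipes its bytes.
            self.cache.lock().unwrap().insert(name.to_string(), entry);
        }
        value
    }
}

/// Constructed backend: counts calls and uses a barrier so that `herd`
/// callers are all inside the miss path at once (worst-case expiry timing).
pub struct CountingBackend { calls: AtomicUsize, rendezvous: Barrier }

impl Backend for CountingBackend {
    fn get(&self, _name: &str) -> Vec<u8> {
        self.calls.fetch_add(1, Ordering::SeqCst);
        self.rendezvous.wait();
        b"s3cr3t".to_vec()
    }
}

/// Runs `herd` tasks, each reading the same name `reads` times, and returns
/// how many calls reached the backend.
pub fn backend_calls(ttl: Duration, herd: usize, reads: usize) -> usize {
    let backend = CountingBackend { calls: AtomicUsize::new(0), rendezvous: Barrier::new(herd) };
    let store = Arc::new(CachingStore::new(backend, ttl));
    let tasks: Vec<_> = (0..herd).map(|_| {
        let s = Arc::clone(&store);
        thread::spawn(move || {
            for _ in 0..reads { assert_eq!(s.get("db/password"), b"s3cr3t".to_vec()); }
        })
    }).collect();
    for t in tasks { t.join().unwrap(); }
    store.inner.calls.load(Ordering::SeqCst)
}

fn main() {
    let ttl = Duration::from_secs(300);
    println!("1 task, 5 reads: {} backend call(s)", backend_calls(ttl, 1, 5));
    println!("8 tasks, 3 reads: {} backend call(s)", backend_calls(ttl, 8, 3));
    println!("TTL zero, 4 tasks, 3 reads: {} backend call(s)", backend_calls(Duration::ZERO, 4, 3));
}
```

With a 5-minute TTL a single task hits the backend once no matter how many reads it makes, eight tasks arriving on an empty or expired entry hit it eight times (once each, the herd), and with `Duration::ZERO` every read goes to the backend, which is the "caching disabled" mode the module describes for file and env backends.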
Structs§
- CachingStore - A SecretStore wrapper that caches the secret value in memory with a TTL.