feat: implement shared cache for bundle, git, and cluster resolvers

Implements a shared, thread-safe LRU cache with TTL expiration for Tekton
resolvers (bundle, git, cluster). All resolvers share a single cache instance
configured via ConfigMap with hot-reload support.

Features:
- Shared singleton cache across all resolver types
- ConfigMap-based configuration (max-size, ttl)
- Three cache modes: always, never, auto (immutability detection)
- Thread-safe concurrent access with proper locking
- Content-addressable keys using SHA-256 hashing
- Observability via annotations (cache hit/miss, timestamps)
- Clock interface for testable timestamp generation

Testing:
- Unit tests for cache operations, TTL, LRU eviction
- Race detector tests for concurrent access
- E2E tests for end-to-end cache behavior
- High-load concurrency tests (1000 goroutines)

Implementation uses k8s.io/apimachinery LRUExpireCache with ConfigMap
watching for dynamic reconfiguration without restart.

Co-authored-by: Brian Cook <[email protected]>
Co-authored-by: Stanislav Jakuschevskij <[email protected]>
Co-authored-by: Vibhav Bobade <[email protected]>
Co-authored-by: AI Assistant <[email protected]>

Author: 4 people

.gitignore

@@ -66,3 +66,6 @@ docs/pipeline-api.md.backup
 
 # Ignore generated kind.yaml
 kind.yaml
+
+# Profiling
+cpu.prof

config/resolvers/bundleresolver-config.yaml

@@ -26,3 +26,8 @@ data:
   default-service-account: "default"
   # The default layer kind in the bundle image.
   default-kind: "task"
+  # Optional: Default cache mode for this resolver. Valid values: "always", "never", "auto" (default: "auto")
+  # "always" - Always cache resolved resources
+  # "never"  - Never cache resolved resources
+  # "auto"   - Only cache bundles with digest references (@sha256:...)
+  # default-cache-mode: "auto"

config/resolvers/cluster-resolver-config.yaml

@@ -30,3 +30,8 @@ data:
   allowed-namespaces: ""
   # An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed.
   blocked-namespaces: ""
+  # Optional: Default cache mode for this resolver. Valid values: "always", "never", "auto" (default: "auto")
+  # "always" - Always cache resolved resources
+  # "never"  - Never cache resolved resources (recommended for cluster resolver since resources are mutable)
+  # "auto"   - Never cache for cluster resolver (same as "never")
+  # default-cache-mode: "auto"

config/resolvers/git-resolver-config.yaml

@@ -41,3 +41,8 @@ data:
   # The default organization to look for repositories under when using the authenticated API,
   # if not specified in the resolver parameters. Optional.
   default-org: ""
+  # Optional: Default cache mode for this resolver. Valid values: "always", "never", "auto" (default: "auto")
+  # "always" - Always cache resolved resources
+  # "never"  - Never cache resolved resources
+  # "auto"   - Only cache when revision is a commit hash
+  # default-cache-mode: "auto"

config/resolvers/resolver-cache-config.yaml

@@ -0,0 +1,28 @@
+# Copyright 2025 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: resolver-cache-config
+  namespace: tekton-pipelines-resolvers
+  labels:
+    app.kubernetes.io/component: resolvers
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+data:
+  # Maximum number of entries in the resolver cache
+  max-size: "1000"
+  # Time-to-live for cache entries (examples: 5m, 10m, 1h)
+  ttl: "5m"

docs/bundle-resolver.md

@@ -19,6 +19,7 @@ This Resolver responds to type `bundles`.
 | `bundle`         | The bundle url pointing at the image to fetch                                 | `gcr.io/tekton-releases/catalog/upstream/golang-build:0.1` |
 | `name`           | The name of the resource to pull out of the bundle                            | `golang-build`                                             |
 | `kind`           | The resource kind to pull out of the bundle                                   | `task`                                                     |
+| `cache`          | Controls caching behavior for the resolved resource                           | `always`, `never`, `auto`                                  |
 
 ## Requirements
 
@@ -45,6 +46,44 @@ for the name, namespace and defaults that the resolver ships with.
 | `backoff-cap`        | The maxumum backoff duration. If reached, remaining steps are zeroed.| `10s`, `20s`       |
 | `default-kind`       | The default layer kind in the bundle image.                       | `task`, `pipeline`    |
 
+### Caching Options
+
+The bundle resolver supports caching of resolved resources to improve performance. The caching behavior can be configured using the `cache` option:
+
+| Cache Value | Description |
+|-------------|-------------|
+| `always` | Always cache resolved resources. This is the most aggressive caching strategy and will cache all resolved resources regardless of their source. |
+| `never` | Never cache resolved resources. This disables caching completely. |
+| `auto` | Caching will only occur for bundles pulled by digest. (default) |
+
+### Cache Configuration
+
+The resolver cache can be configured globally using the `resolver-cache-config` ConfigMap. This ConfigMap controls the cache size and TTL (time-to-live) for all resolvers.
+
+| Option Name | Description | Default Value | Example Values |
+|-------------|-------------|---------------|----------------|
+| `max-size` | Maximum number of entries in the cache | `1000` | `500`, `2000` |
+| `ttl` | Time-to-live for cache entries | `5m` | `10m`, `1h` |
+
+The ConfigMap name can be customized using the `RESOLVER_CACHE_CONFIG_MAP_NAME` environment variable. If not set, it defaults to `resolver-cache-config`.
+
+Additionally, you can set a default cache mode for the bundle resolver by adding the `default-cache-mode` option to the `bundleresolver-config` ConfigMap. This overrides the system default (`auto`) for this resolver:
+
+| Option Name | Description | Valid Values | Default |
+|-------------|-------------|--------------|---------|
+| `default-cache-mode` | Default caching behavior when `cache` parameter is not specified | `always`, `never`, `auto` | `auto` |
+
+Example:
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bundleresolver-config
+  namespace: tekton-pipelines-resolvers
+data:
+  default-cache-mode: "always"  # Always cache unless task/pipeline specifies otherwise
+```
+
 ## Usage
 
 ### Task Resolution

docs/cluster-resolver.md

@@ -18,6 +18,48 @@ This Resolver responds to type `cluster`.
 | `kind`      | The kind of resource to fetch.                        | `task`, `pipeline`, `stepaction` |
 | `name`      | The name of the resource to fetch.                    | `some-pipeline`, `some-task`     |
 | `namespace` | The namespace in the cluster containing the resource. | `default`, `other-namespace`     |
+| `cache`     | Optional cache mode for the resolver.                 | `always`, `never`, `auto`        |
+
+### Cache Parameter
+
+The `cache` parameter controls whether the cluster resolver caches resolved resources:
+
+| Cache Mode | Description |
+|------------|-------------|
+| `always`   | Always cache the resolved resource, regardless of whether it has an immutable reference. |
+| `never`    | Never cache the resolved resource. |
+| `auto`     | **Cluster resolver behavior**: Never cache (cluster resources lack immutable references). |
+| (not specified) | **Default behavior**: Never cache (same as `auto` for cluster resolver). |
+
+**Note**: The cluster resolver only caches when `cache: always` is explicitly specified. This is because cluster resources (Tasks, Pipelines, etc.) do not have immutable references like Git commit hashes or bundle digests, making automatic caching unreliable.
+
+### Cache Configuration
+
+The resolver cache can be configured globally using the `resolver-cache-config` ConfigMap. This ConfigMap controls the cache size and TTL (time-to-live) for all resolvers.
+
+| Option Name | Description | Default Value | Example Values |
+|-------------|-------------|---------------|----------------|
+| `max-size` | Maximum number of entries in the cache | `1000` | `500`, `2000` |
+| `ttl` | Time-to-live for cache entries | `5m` | `10m`, `1h` |
+
+The ConfigMap name can be customized using the `RESOLVER_CACHE_CONFIG_MAP_NAME` environment variable. If not set, it defaults to `resolver-cache-config`.
+
+Additionally, you can set a default cache mode for the cluster resolver by adding the `default-cache-mode` option to the `cluster-resolver-config` ConfigMap. This overrides the system default (`auto`) for this resolver:
+
+| Option Name | Description | Valid Values | Default |
+|-------------|-------------|--------------|---------|
+| `default-cache-mode` | Default caching behavior when `cache` parameter is not specified | `always`, `never`, `auto` | `auto` |
+
+Example:
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-resolver-config
+  namespace: tekton-pipelines-resolvers
+data:
+  default-cache-mode: "never"  # Never cache by default (since cluster resources are mutable)
+```
 
 ## Requirements
 
@@ -63,6 +105,48 @@ spec:
       value: namespace-containing-task
 ```
 
+### Task Resolution with Caching
+
+```yaml
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+  name: remote-task-reference-cached
+spec:
+  taskRef:
+    resolver: cluster
+    params:
+    - name: kind
+      value: task
+    - name: name
+      value: some-task
+    - name: namespace
+      value: namespace-containing-task
+    - name: cache
+      value: always
+```
+
+### Task Resolution without Caching
+
+```yaml
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+  name: remote-task-reference-no-cache
+spec:
+  taskRef:
+    resolver: cluster
+    params:
+    - name: kind
+      value: task
+    - name: name
+      value: some-task
+    - name: namespace
+      value: namespace-containing-task
+    - name: cache
+      value: never
+```
+
 ### StepAction Resolution
 
 ```yaml

docs/git-resolver.md

@@ -26,6 +26,7 @@ This Resolver responds to type `git`.
 | `pathInRepo`  | Where to find the file in the repo.                                                                                                                                        | `task/golang-build/0.3/golang-build.yaml`                   |
 | `serverURL`   | An optional server URL (that includes the https:// prefix) to connect for API operations                                                                                   | `https:/github.mycompany.com`                               |
 | `scmType`     | An optional SCM type to use for API operations                                                                                                                             | `github`, `gitlab`, `gitea`                                 |
+| `cache`       | Controls caching behavior for the resolved resource                                                                                                                         | `always`, `never`, `auto`                                   |
 
 ## Requirements
 
@@ -55,6 +56,44 @@ for the name, namespace and defaults that the resolver ships with.
 | `api-token-secret-namespace` | The namespace containing the token secret, if not `default`.                                                                                                  | `other-namespace`                                                |
 | `default-org`                | The default organization to look for repositories under when using the authenticated API, if not specified in the resolver parameters. Optional.              | `tektoncd`, `kubernetes`                                         |
 
+### Caching Options
+
+The git resolver supports caching of resolved resources to improve performance. The caching behavior can be configured using the `cache` option:
+
+| Cache Value | Description |
+|-------------|-------------|
+| `always` | Always cache resolved resources. This is the most aggressive caching strategy and will cache all resolved resources regardless of their source. |
+| `never` | Never cache resolved resources. This disables caching completely. |
+| `auto` | Caching will only occur when revision is a commit hash. (default) |
+
+### Cache Configuration
+
+The resolver cache can be configured globally using the `resolver-cache-config` ConfigMap. This ConfigMap controls the cache size and TTL (time-to-live) for all resolvers.
+
+| Option Name | Description | Default Value | Example Values |
+|-------------|-------------|---------------|----------------|
+| `max-size` | Maximum number of entries in the cache | `1000` | `500`, `2000` |
+| `ttl` | Time-to-live for cache entries | `5m` | `10m`, `1h` |
+
+The ConfigMap name can be customized using the `RESOLVER_CACHE_CONFIG_MAP_NAME` environment variable. If not set, it defaults to `resolver-cache-config`.
+
+Additionally, you can set a default cache mode for the git resolver by adding the `default-cache-mode` option to the `git-resolver-config` ConfigMap. This overrides the system default (`auto`) for this resolver:
+
+| Option Name | Description | Valid Values | Default |
+|-------------|-------------|--------------|---------|
+| `default-cache-mode` | Default caching behavior when `cache` parameter is not specified | `always`, `never`, `auto` | `auto` |
+
+Example:
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: git-resolver-config
+  namespace: tekton-pipelines-resolvers
+data:
+  default-cache-mode: "always"  # Always cache unless task/pipeline specifies otherwise
+```
+
 ## Usage
 
 The `git` resolver has two modes: cloning a repository with `git clone` (with

docs/hub-resolver.md

@@ -45,7 +45,6 @@ for the name, namespace and defaults that the resolver ships with.
 | `default-kind`              | The default object kind for references.              | `task`, `pipeline`     |
 | `default-type`              | The default hub from where to pull the resource.     | `artifact`, `tekton`   |
 
-
 ### Configuring the Hub API endpoint
 
 The Hub Resolver supports to resolve resources from the [Artifact Hub](https://artifacthub.io/) and the [Tekton Hub](https://hub.tekton.dev/),

docs/resolution.md

@@ -34,6 +34,18 @@ accompanying [resolver-template](./resolver-template).
 For a table of the interfaces and methods a resolver must implement
 along with those that are optional, see [resolver-reference.md](./resolver-reference.md).
 
+## Resolver Cache Configuration
+
+The resolver cache is used to improve performance by caching resolved resources for bundle and git resolver. By default, the cache uses:
+- 5 minutes ("5m") as the time-to-live (TTL) for cache entries
+- 1000 entries as the maximum cache size
+
+You can override these defaults by editing the `resolver-cache-config.yaml` ConfigMap in the `tekton-pipelines-resolvers` namespace. Set the following keys:
+- `max-size`: Set the maximum number of cache entries (e.g., "500")
+- `default-ttl`: Set the default TTL for cache entries (e.g., "10m", "30s")
+
+If these values are missing or invalid, the defaults will be used.
+
 ---
 
 Except as otherwise noted, the content of this page is licensed under the