feat(cache): redis cache (#8822)

# Which Problems Are Solved

Add a cache implementation using Redis single mode. This does not add
support for Redis Cluster or sentinel.

# How the Problems Are Solved

Added the `internal/cache/redis` package. All operations occur
atomically, including setting of secondary indexes, using LUA scripts
where needed.

The [`miniredis`](https://github.com/alicebob/miniredis) package is used
to run unit tests.

# Additional Changes

- Move connector code to `internal/cache/connector/...` and remove
duplicate code from `query` and `command` packages.
- Fix a missed invalidation on the restrictions projection

# Additional Context

Closes #8130

internal/query/cache.go

@@ -2,90 +2,28 @@ package query
 
 import (
 	"context"
-	"fmt"
-	"strings"
 
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/cache"
-	"github.com/zitadel/zitadel/internal/cache/gomap"
-	"github.com/zitadel/zitadel/internal/cache/noop"
-	"github.com/zitadel/zitadel/internal/cache/pg"
-	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/cache/connector"
 	"github.com/zitadel/zitadel/internal/eventstore"
 )
 
 type Caches struct {
-	connectors *cacheConnectors
-	instance   cache.Cache[instanceIndex, string, *authzInstance]
+	instance cache.Cache[instanceIndex, string, *authzInstance]
 }
 
-func startCaches(background context.Context, conf *cache.CachesConfig, client *database.DB) (_ *Caches, err error) {
-	caches := &Caches{
-		instance: noop.NewCache[instanceIndex, string, *authzInstance](),
-	}
-	if conf == nil {
-		return caches, nil
-	}
-	caches.connectors, err = startCacheConnectors(background, conf, client)
-	if err != nil {
-		return nil, err
-	}
-	caches.instance, err = startCache[instanceIndex, string, *authzInstance](background, instanceIndexValues(), "authz_instance", conf.Instance, caches.connectors)
+func startCaches(background context.Context, connectors connector.Connectors) (_ *Caches, err error) {
+	caches := new(Caches)
+	caches.instance, err = connector.StartCache[instanceIndex, string, *authzInstance](background, instanceIndexValues(), cache.PurposeAuthzInstance, connectors.Config.Instance, connectors)
 	if err != nil {
 		return nil, err
 	}
 	caches.registerInstanceInvalidation()
-
 	return caches, nil
 }
 
-type cacheConnectors struct {
-	memory   *cache.AutoPruneConfig
-	postgres *pgxPoolCacheConnector
-}
-
-type pgxPoolCacheConnector struct {
-	*cache.AutoPruneConfig
-	client *database.DB
-}
-
-func startCacheConnectors(_ context.Context, conf *cache.CachesConfig, client *database.DB) (_ *cacheConnectors, err error) {
-	connectors := new(cacheConnectors)
-	if conf.Connectors.Memory.Enabled {
-		connectors.memory = &conf.Connectors.Memory.AutoPrune
-	}
-	if conf.Connectors.Postgres.Enabled {
-		connectors.postgres = &pgxPoolCacheConnector{
-			AutoPruneConfig: &conf.Connectors.Postgres.AutoPrune,
-			client:          client,
-		}
-	}
-	return connectors, nil
-}
-
-func startCache[I ~int, K ~string, V cache.Entry[I, K]](background context.Context, indices []I, name string, conf *cache.CacheConfig, connectors *cacheConnectors) (cache.Cache[I, K, V], error) {
-	if conf == nil || conf.Connector == "" {
-		return noop.NewCache[I, K, V](), nil
-	}
-	if strings.EqualFold(conf.Connector, "memory") && connectors.memory != nil {
-		c := gomap.NewCache[I, K, V](background, indices, *conf)
-		connectors.memory.StartAutoPrune(background, c, name)
-		return c, nil
-	}
-	if strings.EqualFold(conf.Connector, "postgres") && connectors.postgres != nil {
-		client := connectors.postgres.client
-		c, err := pg.NewCache[I, K, V](background, name, *conf, indices, client.Pool, client.Type())
-		if err != nil {
-			return nil, fmt.Errorf("query start cache: %w", err)
-		}
-		connectors.postgres.StartAutoPrune(background, c, name)
-		return c, nil
-	}
-
-	return nil, fmt.Errorf("cache connector %q not enabled", conf.Connector)
-}
-
 type invalidator[I comparable] interface {
 	Invalidate(ctx context.Context, index I, key ...string) error
 }

internal/query/instance.go

@@ -587,9 +587,10 @@ func (c *Caches) registerInstanceInvalidation() {
 	projection.InstanceTrustedDomainProjection.RegisterCacheInvalidation(invalidate)
 	projection.SecurityPolicyProjection.RegisterCacheInvalidation(invalidate)
 
-	// limits uses own aggregate ID, invalidate using resource owner.
+	// These projections have their own aggregate ID, invalidate using resource owner.
 	invalidate = cacheInvalidationFunc(c.instance, instanceIndexByID, getResourceOwner)
 	projection.LimitsProjection.RegisterCacheInvalidation(invalidate)
+	projection.RestrictionsProjection.RegisterCacheInvalidation(invalidate)
 
 	// System feature update should invalidate all instances, so Truncate the cache.
 	projection.SystemFeatureProjection.RegisterCacheInvalidation(func(ctx context.Context, _ []*eventstore.Aggregate) {

internal/query/query.go

@@ -11,7 +11,7 @@ import (
 	"golang.org/x/text/language"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/cache"
+	"github.com/zitadel/zitadel/internal/cache/connector"
 	sd "github.com/zitadel/zitadel/internal/config/systemdefaults"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/database"
@@ -49,7 +49,7 @@ func StartQueries(
 	es *eventstore.Eventstore,
 	esV4 es_v4.Querier,
 	querySqlClient, projectionSqlClient *database.DB,
-	caches *cache.CachesConfig,
+	cacheConnectors connector.Connectors,
 	projections projection.Config,
 	defaults sd.SystemDefaults,
 	idpConfigEncryption, otpEncryption, keyEncryptionAlgorithm, certEncryptionAlgorithm crypto.EncryptionAlgorithm,
@@ -89,7 +89,7 @@ func StartQueries(
 	if startProjections {
 		projection.Start(ctx)
 	}
-	repo.caches, err = startCaches(ctx, caches, querySqlClient)
+	repo.caches, err = startCaches(ctx, cacheConnectors)
 	if err != nil {
 		return nil, err
 	}