Refactor #10324

Performance issues with Foreman Proxy Puppet CA plugin and large CA inventories

Added by Jon McKenzie almost 9 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Category: Puppet

Description

Proxy::PuppetCa.list (https://github.com/theforeman/smart-proxy/blob/develop/modules/puppetca/puppetca_main.rb#L69) takes an extremely long period of time to complete when the CA inventory list is relatively large and there have been a relatively large number of revoked certificates.

The source of this issue is in Proxy::PuppetCa#ca_inventory, which performs a very slow O(n^2) operation to build up a hash of certificate data and whether each certificate has been revoked. In particular, Proxy::PuppetCa#ca_inventory iterates through every certificate in the inventory and then looks up that certificate's serial in the array returned by Proxy::PuppetCa#revoked_serials. When both the inventory and the list of revoked clients are large, this operation is extremely slow.

The downstream effect of this issue is that trying to interact with the Puppet CA via Foreman simply times out (the read_timeout on the RestClient request is only 60 seconds; the Proxy::PuppetCa.list operation in our environment takes approximately 80s).

Perhaps a way to make this faster would be to just return a valueless Hash from Proxy::PuppetCa#revoked_serials so that the serial lookup is ~O(1).

Just to give you some numbers to work with, we have approximately 10900 certificates in our inventory and about 8900 of them are revoked.
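The lookup pattern described in this report, as an added example that is not the smart-proxy code: it compares an array scan per certificate against a one-time conversion to a Set (Ruby's hash-backed equivalent of the valueless Hash suggested above). The method names, the record layout and the sample data are assumptions constructed for illustration, sized like the numbers in the report.

```ruby
require 'set'
require 'benchmark'

# Constructed sample data: ~10900 certificates, ~8900 of them revoked.
# The record layout (serial, not_before, not_after, name) is an assumption.
def sample_inventory(total = 10_900)
  (1..total).map do |serial|
    { serial: serial, not_before: '2015-01-01T00:00:00UTC',
      not_after: '2020-01-01T00:00:00UTC', name: "host#{serial}.example.com" }
  end
end

# Serials 1..count are revoked; shuffled with a fixed seed so runs are repeatable.
def sample_revoked_serials(count = 8_900)
  (1..count).to_a.shuffle(random: Random.new(1))
end

# Quadratic variant: Array#include? scans the revoked list for every certificate.
def inventory_with_array(inventory, revoked_serials)
  inventory.each_with_object({}) do |cert, result|
    state = revoked_serials.include?(cert[:serial]) ? 'revoked' : 'valid'
    result[cert[:name]] = cert.merge(state: state)
  end
end

# Linear variant: build the set once, then each membership test is a hash lookup.
def inventory_with_set(inventory, revoked_serials)
  revoked = revoked_serials.to_set
  inventory.each_with_object({}) do |cert, result|
    state = revoked.include?(cert[:serial]) ? 'revoked' : 'valid'
    result[cert[:name]] = cert.merge(state: state)
  end
end

if __FILE__ == $PROGRAM_NAME
  inv = sample_inventory
  rev = sample_revoked_serials
  slow = Benchmark.realtime { inventory_with_array(inv, rev) }
  fast = Benchmark.realtime { inventory_with_set(inv, rev) }
  printf("array lookup: %.3fs, set lookup: %.3fs\n", slow, fast)
end
```

Both variants must report the same revocation state for every certificate; only the cost of the membership test changes.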
