GoogleCloudPlatform
diff --git a/‎google/cloud/alloydb/connector/async_connector.py
Lines changed: 10 additions & 11 deletions b/‎google/cloud/alloydb/connector/async_connector.py
Lines changed: 10 additions & 11 deletions
diff --git a/‎google/cloud/alloydb/connector/client.py
Lines changed: 69 additions & 0 deletions b/‎google/cloud/alloydb/connector/client.py
Lines changed: 69 additions & 0 deletions
diff --git a/‎google/cloud/alloydb/connector/connection_info.py
Lines changed: 46 additions & 31 deletions b/‎google/cloud/alloydb/connector/connection_info.py
Lines changed: 46 additions & 31 deletions
diff --git a/‎google/cloud/alloydb/connector/connector.py
Lines changed: 7 additions & 2 deletions b/‎google/cloud/alloydb/connector/connector.py
Lines changed: 7 additions & 2 deletions
diff --git a/‎google/cloud/alloydb/connector/instance.py
Lines changed: 11 additions & 50 deletions b/‎google/cloud/alloydb/connector/instance.py
Lines changed: 11 additions & 50 deletions
@@ -60,7 +60,7 @@ def __init__(
         ip_type: str | IPTypes = IPTypes.PRIVATE,
         user_agent: Optional[str] = None,
     ) -> None:
-        self._instances: Dict[str, RefreshAheadCache] = {}
+        self._cache: Dict[str, RefreshAheadCache] = {}
         # initialize default params
         self._quota_project = quota_project
         self._alloydb_api_endpoint = alloydb_api_endpoint
@@ -125,11 +125,11 @@ async def connect(
         enable_iam_auth = kwargs.pop("enable_iam_auth", self._enable_iam_auth)
 
         # use existing connection info if possible
-        if instance_uri in self._instances:
-            instance = self._instances[instance_uri]
+        if instance_uri in self._cache:
+            cache = self._cache[instance_uri]
         else:
-            instance = RefreshAheadCache(instance_uri, self._client, self._keys)
-            self._instances[instance_uri] = instance
+            cache = RefreshAheadCache(instance_uri, self._client, self._keys)
+            self._cache[instance_uri] = cache
 
         connect_func = {
             "asyncpg": asyncpg.connect,
@@ -151,7 +151,8 @@ async def connect(
         # if ip_type is str, convert to IPTypes enum
         if isinstance(ip_type, str):
             ip_type = IPTypes(ip_type.upper())
-        ip_address, context = await instance.connection_info(ip_type)
+        conn_info = await cache.connect_info()
+        ip_address = conn_info.get_preferred_ip(ip_type)
 
         # callable to be used for auto IAM authn
         def get_authentication_token() -> str:
@@ -166,10 +167,10 @@ def get_authentication_token() -> str:
         if enable_iam_auth:
             kwargs["password"] = get_authentication_token
         try:
-            return await connector(ip_address, context, **kwargs)
+            return await connector(ip_address, conn_info.create_ssl_context(), **kwargs)
         except Exception:
             # we attempt a force refresh, then throw the error
-            await instance.force_refresh()
+            await cache.force_refresh()
             raise
 
     async def __aenter__(self) -> Any:
@@ -188,8 +189,6 @@ async def __aexit__(
     async def close(self) -> None:
         """Helper function to cancel RefreshAheadCaches' tasks
         and close client."""
-        await asyncio.gather(
-            *[instance.close() for instance in self._instances.values()]
-        )
+        await asyncio.gather(*[cache.close() for cache in self._cache.values()])
         if self._client:
             await self._client.close()
@@ -14,11 +14,16 @@
 
 from __future__ import annotations
 
+import asyncio
 import logging
 from typing import Dict, List, Optional, Tuple, TYPE_CHECKING
 
 import aiohttp
+from cryptography import x509
+from google.auth.credentials import TokenState
+from google.auth.transport import requests
 
+from google.cloud.alloydb.connector.connection_info import ConnectionInfo
 from google.cloud.alloydb.connector.version import __version__ as version
 
 if TYPE_CHECKING:
@@ -181,6 +186,70 @@ async def _get_client_certificate(
 
         return (resp_dict["caCert"], resp_dict["pemCertificateChain"])
 
+    async def get_connection_info(
+        self,
+        project: str,
+        region: str,
+        cluster: str,
+        name: str,
+        keys: asyncio.Future,
+    ) -> ConnectionInfo:
+        """Immediately performs a full refresh operation using the AlloyDB API.
+
+        Args:
+            project (str): The name of the project the AlloyDB instance is
+                located in.
+            region (str): The region the AlloyDB instance is located in.
+            cluster (str): The cluster the AlloyDB instance is located in.
+            name (str): Name of the AlloyDB instance.
+            keys (asyncio.Future): A future to the client's public-private key
+                pair.
+
+        Returns:
+            ConnectionInfo: All the information required to connect securely to
+                the AlloyDB instance.
+        """
+        priv_key, pub_key = await keys
+
+        # before making AlloyDB API calls, refresh creds if required
+        if not self._credentials.token_state == TokenState.FRESH:
+            self._credentials.refresh(requests.Request())
+
+        # fetch metadata
+        metadata_task = asyncio.create_task(
+            self._get_metadata(
+                project,
+                region,
+                cluster,
+                name,
+            )
+        )
+        # generate client and CA certs
+        certs_task = asyncio.create_task(
+            self._get_client_certificate(
+                project,
+                region,
+                cluster,
+                pub_key,
+            )
+        )
+
+        ip_addrs, certs = await asyncio.gather(metadata_task, certs_task)
+
+        # unpack certs
+        ca_cert, cert_chain = certs
+        # get expiration from client certificate
+        cert_obj = x509.load_pem_x509_certificate(cert_chain[0].encode("UTF-8"))
+        expiration = cert_obj.not_valid_after_utc
+
+        return ConnectionInfo(
+            cert_chain,
+            ca_cert,
+            priv_key,
+            ip_addrs,
+            expiration,
+        )
+
     async def close(self) -> None:
         """Close AlloyDBClient gracefully."""
         await self._client.close()
@@ -14,61 +14,76 @@
 
 from __future__ import annotations
 
+from dataclasses import dataclass
 import logging
 import ssl
 from tempfile import TemporaryDirectory
-from typing import Dict, List, Optional, Tuple, TYPE_CHECKING
-
-from cryptography import x509
+from typing import Dict, List, Optional, TYPE_CHECKING
 
+from google.cloud.alloydb.connector.exceptions import IPTypeNotFoundError
 from google.cloud.alloydb.connector.utils import _write_to_file
 
 if TYPE_CHECKING:
+    import datetime
+
     from cryptography.hazmat.primitives.asymmetric import rsa
 
+    from google.cloud.alloydb.connector.instance import IPTypes
+
 logger = logging.getLogger(name=__name__)
 
 
+@dataclass
 class ConnectionInfo:
-    """
-    Manages the result of a refresh operation.
+    """Contains all necessary information to connect securely to the
+    server-side Proxy running on an AlloyDB instance."""
 
-    Holds the certificates and IP address of an AlloyDB instance.
-    Builds the TLS context required to connect to AlloyDB database.
+    cert_chain: List[str]
+    ca_cert: str
+    key: rsa.RSAPrivateKey
+    ip_addrs: Dict[str, Optional[str]]
+    expiration: datetime.datetime
+    context: Optional[ssl.SSLContext] = None
 
-    Args:
-        ip_addrs (Dict[str, str]): The IP addresses of the AlloyDB instance.
-        key (rsa.RSAPrivateKey): Private key for the client connection.
-        certs (Tuple[str, List(str)]): Client cert and CA certs for establishing
-            the chain of trust used in building the TLS context.
-    """
+    def create_ssl_context(self) -> ssl.SSLContext:
+        """Constructs a SSL/TLS context for the given connection info.
+
+        Cache the SSL context to ensure we don't read from disk repeatedly when
+        configuring a secure connection.
+        """
+        # if SSL context is cached, use it
+        if self.context is not None:
+            return self.context
 
-    def __init__(
-        self,
-        ip_addrs: Dict[str, Optional[str]],
-        key: rsa.RSAPrivateKey,
-        certs: Tuple[str, List[str]],
-    ) -> None:
-        self.ip_addrs = ip_addrs
         # create TLS context
-        self.context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
         # TODO: Set check_hostname to True to verify the identity in the
         # certificate once PSC DNS is populated in all existing clusters.
-        self.context.check_hostname = False
+        context.check_hostname = False
         # force TLSv1.3
-        self.context.minimum_version = ssl.TLSVersion.TLSv1_3
-        # unpack certs
-        ca_cert, cert_chain = certs
-        # get expiration from client certificate
-        cert_obj = x509.load_pem_x509_certificate(cert_chain[0].encode("UTF-8"))
-        self.expiration = cert_obj.not_valid_after_utc
+        context.minimum_version = ssl.TLSVersion.TLSv1_3
 
         # tmpdir and its contents are automatically deleted after the CA cert
         # and cert chain are loaded into the SSLcontext. The values
         # need to be written to files in order to be loaded by the SSLContext
         with TemporaryDirectory() as tmpdir:
             ca_filename, cert_chain_filename, key_filename = _write_to_file(
-                tmpdir, ca_cert, cert_chain, key
+                tmpdir, self.ca_cert, self.cert_chain, self.key
+            )
+            context.load_cert_chain(cert_chain_filename, keyfile=key_filename)
+            context.load_verify_locations(cafile=ca_filename)
+        # set class attribute to cache context for subsequent calls
+        self.context = context
+        return context
+
+    def get_preferred_ip(self, ip_type: IPTypes) -> str:
+        """Returns the first IP address for the instance, according to the preference
+        supplied by ip_type. If no IP addressess with the given preference are found,
+        an error is raised."""
+        ip_address = self.ip_addrs.get(ip_type.value)
+        if ip_address is None:
+            raise IPTypeNotFoundError(
+                "AlloyDB instance does not have an IP addresses matching "
+                f"type: '{ip_type.value}'"
             )
-            self.context.load_cert_chain(cert_chain_filename, keyfile=key_filename)
-            self.context.load_verify_locations(cafile=ca_filename)
+        return ip_address
@@ -178,12 +178,17 @@ async def connect_async(self, instance_uri: str, driver: str, **kwargs: Any) ->
         # if ip_type is str, convert to IPTypes enum
         if isinstance(ip_type, str):
             ip_type = IPTypes(ip_type.upper())
-        ip_address, context = await cache.connection_info(ip_type)
+        conn_info = await cache.connect_info()
+        ip_address = conn_info.get_preferred_ip(ip_type)
 
         # synchronous drivers are blocking and run using executor
         try:
             metadata_partial = partial(
-                self.metadata_exchange, ip_address, context, enable_iam_auth, driver
+                self.metadata_exchange,
+                ip_address,
+                conn_info.create_ssl_context(),
+                enable_iam_auth,
+                driver,
             )
             sock = await self._loop.run_in_executor(None, metadata_partial)
             connect_partial = partial(connector, sock, **kwargs)
 
@@ -20,19 +20,13 @@
 import re
 from typing import Tuple, TYPE_CHECKING
 
-from google.auth.credentials import TokenState
-from google.auth.transport import requests
-
 from google.cloud.alloydb.connector.connection_info import ConnectionInfo
-from google.cloud.alloydb.connector.exceptions import IPTypeNotFoundError
 from google.cloud.alloydb.connector.exceptions import RefreshError
 from google.cloud.alloydb.connector.rate_limiter import AsyncRateLimiter
 from google.cloud.alloydb.connector.refresh_utils import _is_valid
 from google.cloud.alloydb.connector.refresh_utils import _seconds_until_refresh
 
 if TYPE_CHECKING:
-    import ssl
-
     from cryptography.hazmat.primitives.asymmetric import rsa
 
     from google.cloud.alloydb.connector.client import AlloyDBClient
@@ -132,32 +126,13 @@ async def _perform_refresh(self) -> ConnectionInfo:
 
         try:
             await self._refresh_rate_limiter.acquire()
-            priv_key, pub_key = await self._keys
-
-            # before making AlloyDB API calls, refresh creds if required
-            if not self._client._credentials.token_state == TokenState.FRESH:
-                self._client._credentials.refresh(requests.Request())
-
-            # fetch metadata
-            metadata_task = asyncio.create_task(
-                self._client._get_metadata(
-                    self._project,
-                    self._region,
-                    self._cluster,
-                    self._name,
-                )
+            connection_info = await self._client.get_connection_info(
+                self._project,
+                self._region,
+                self._cluster,
+                self._name,
+                self._keys,
             )
-            # generate client and CA certs
-            certs_task = asyncio.create_task(
-                self._client._get_client_certificate(
-                    self._project,
-                    self._region,
-                    self._cluster,
-                    pub_key,
-                )
-            )
-
-            ip_addr, certs = await asyncio.gather(metadata_task, certs_task)
 
         except Exception:
             logger.debug(
@@ -167,8 +142,7 @@ async def _perform_refresh(self) -> ConnectionInfo:
 
         finally:
             self._refresh_in_progress.clear()
-
-        return ConnectionInfo(ip_addr, priv_key, certs)
+        return connection_info
 
     def _schedule_refresh(self, delay: int) -> asyncio.Task:
         """
@@ -241,24 +215,11 @@ async def force_refresh(self) -> None:
         if not await _is_valid(self._current):
             self._current = self._next
 
-    async def connection_info(self, ip_type: IPTypes) -> Tuple[str, ssl.SSLContext]:
-        """
-        Return connection info for current refresh result.
-
-        Args:
-            ip_type (IpTypes): Type of AlloyDB instance IP to connect over.
-        Returns:
-            Tuple[str, ssl.SSLContext]: AlloyDB instance IP address
-                and configured TLS connection.
+    async def connect_info(self) -> ConnectionInfo:
+        """Retrieves ConnectionInfo instance for establishing a secure
+        connection to the AlloyDB instance.
         """
-        refresh: ConnectionInfo = await self._current
-        ip_address = refresh.ip_addrs.get(ip_type.value)
-        if ip_address is None:
-            raise IPTypeNotFoundError(
-                "AlloyDB instance does not have an IP addresses matching "
-                f"type: '{ip_type.value}'"
-            )
-        return ip_address, refresh.context
+        return await self._current
 
     async def close(self) -> None:
         """