Propagating Limitador's env vars #22

Merged
merged 2 commits into from
Aug 8, 2022

Member

@didierofrivia didierofrivia commented May 31, 2022

This PR makes it possible to inject the Name and Namespace to the Kuadrant Controller Deployment object.

It also patches the RoleBinding and ClusterRoleBinding matching the Kuadrant namespace.

Closes Kuadrant/kuadrant-controller#157
Part of #75

PR, verification steps

Deploy kuadrant operator (and operator dependencies) manually

make kind-create-kuadrant-cluster

Deploy empty Kuadrant CR

kubectl apply -f - <<EOF
---
apiVersion: kuadrant.kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant-sample
spec: {}
EOF

Wait until Kuadrant CR status reports it is ready

kubectl wait --for=condition=ready kuadrant/kuadrant-sample --timeout=-1s
kuadrant.kuadrant.kuadrant.io/kuadrant-sample condition met

Deploy Service

kubectl apply -f - <<EOF
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: toystore
  labels:
    app: toystore
spec:
  selector:
    matchLabels:
      app: toystore
  template:
    metadata:
      labels:
        app: toystore
    spec:
      containers:
        - name: toystore
          image: quay.io/3scale/authorino:echo-api
          env:
            - name: PORT
              value: "3000"
          ports:
            - containerPort: 3000
              name: http
  replicas: 1
---
apiVersion: v1
kind: Service
metadata:
  name: toystore
spec:
  selector:
    app: toystore
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 3000
EOF
deployment.apps/toystore created
service/toystore created

Create HTTPRoute to configure routing to the toystore service

kubectl apply -f - <<EOF
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: toystore
  labels:
    app: toystore
spec:
  parentRefs:
    - name: istio-ingressgateway
      namespace: istio-system
  hostnames: ["*.toystore.com"]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/toy"
          method: GET
      backendRefs:
        - name: toystore
          port: 80

EOF
httproute.gateway.networking.k8s.io/toystore created

Port forward the istio gateway service in order to reach it

kubectl port-forward -n istio-system service/istio-ingressgateway 8080:80 &

Check if you can reach the toystore service

curl -H 'Host: api.toystore.com' http://127.0.0.1:8080/toy

Handling connection for 8080
{
  "method": "GET",
  "path": "/toy",
  "query_string": null,
  "body": "",
  "headers": {
    "HTTP_HOST": "api.toystore.com",
    "HTTP_USER_AGENT": "curl/7.79.1",
    "HTTP_ACCEPT": "*/*",
    "HTTP_X_FORWARDED_FOR": "10.244.0.10",
    "HTTP_X_FORWARDED_PROTO": "http",
    "HTTP_X_ENVOY_INTERNAL": "true",
    "HTTP_X_REQUEST_ID": "8e7bbf90-3edd-4cbf-8bb7-7594a9d7933b",
    "HTTP_X_ENVOY_DECORATOR_OPERATION": "toystore.default.svc.cluster.local:80/toy((\\/).*)?",
    "HTTP_X_ENVOY_PEER_METADATA_ID": "router~10.244.0.10~istio-ingressgateway-7fd568fc99-hhm2t.istio-system~istio-system.svc.cluster.local",
    "HTTP_X_ENVOY_ATTEMPT_COUNT": "1",
    "HTTP_X_B3_TRACEID": "db0b968ee02ef57fcaf0ad1bc7448d00",
    "HTTP_X_B3_SPANID": "caf0ad1bc7448d00",
    "HTTP_X_B3_SAMPLED": "0",
    "HTTP_VERSION": "HTTP/1.1"
  },
  "uuid": "7de70ba8-3447-4750-a7e9-6ffabf861b0f"
}%

Apply a RLP

kubectl apply -f - <<EOF
---
apiVersion: apim.kuadrant.io/v1alpha1
kind: RateLimitPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  rateLimits:
    - rules:
        - paths: ["/toy"]
          methods: ["GET"]
      configurations:
        - actions:
            - generic_key:
                descriptor_key: get-operation
                descriptor_value: "1"
      limits:
        - conditions:
            - "get-operation == 1"
          maxValue: 2
          seconds: 5
          variables: []
EOF

Rollout Limitador. // This is needed for now until a fix is merged in Limitador repo

kubectl rollout restart deployment/limitador

Try again curling the service, you should be rate limited to 2 requests per 5 seconds

while :; do curl --write-out '%{http_code}' --silent --output /dev/null -H "Host: api.toystore.com" http://localhost:8080/toy | egrep --color "\b(429)\b|$"; done

Voilà! Profit!

200
200
429
429
429
200
200
429
429
429

@didierofrivia didierofrivia force-pushed the kuadrant-controller-limitador-envvars branch from 64e633b to 9bcba88 Compare June 1, 2022 09:11
Contributor

@eguzki eguzki left a comment

Looking super nice

@didierofrivia didierofrivia force-pushed the kuadrant-controller-limitador-envvars branch from 9bcba88 to 1b59e21 Compare June 2, 2022 07:40
@didierofrivia didierofrivia changed the title [controller] Propagating Limitador's env vars Propagating Limitador's env vars Jun 2, 2022
@didierofrivia didierofrivia force-pushed the kuadrant-controller-limitador-envvars branch 2 times, most recently from 8631e8f to 7fd7fd4 Compare June 10, 2022 10:30
@didierofrivia didierofrivia force-pushed the kuadrant-controller-limitador-envvars branch 2 times, most recently from d8917f5 to eea4cb1 Compare July 26, 2022 14:14
@didierofrivia didierofrivia marked this pull request as ready for review July 26, 2022 14:16
@didierofrivia didierofrivia changed the base branch from main to update-external-metadata July 26, 2022 14:47
@didierofrivia didierofrivia changed the base branch from update-external-metadata to main July 26, 2022 14:56
Contributor

@eguzki eguzki left a comment

Have you tested manually e2e?

  • Deploy kuadrant with the operator.
  • Deploy RLP
  • Rate limit is happening

@didierofrivia didierofrivia force-pushed the kuadrant-controller-limitador-envvars branch 2 times, most recently from 16007f6 to caa9b4d Compare July 28, 2022 11:23
@didierofrivia didierofrivia force-pushed the kuadrant-controller-limitador-envvars branch 5 times, most recently from 3822d12 to 9c3599b Compare July 29, 2022 13:20
* limitador namespace
* limitador service name
* limitador service grpc port

* Using keyed values
* It needs some DRY up
* There's no easy way, since obj is type interface when multiple case
  types
@didierofrivia didierofrivia force-pushed the kuadrant-controller-limitador-envvars branch from 9c3599b to 52402f4 Compare July 29, 2022 14:05
@didierofrivia didierofrivia requested review from eguzki and a team July 29, 2022 15:28
}
}
newObj = obj
default:
Member

This some code style we're following?

@@ -389,14 +396,47 @@ func (r *KuadrantReconciler) createOnlyInKuadrantNSCb(ctx context.Context, kObj
return err
}

k8sObjKind := k8sObj.DeepCopyObject().GetObjectKind()
var newObj client.Object
newObj = k8sObj
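
Review bot: `k8sObj.DeepCopyObject().GetObjectKind()` builds a full deep copy of the object only to read its kind; `k8sObj.GetObjectKind()` returns the same value without the allocation. The pair `var newObj client.Object` / `newObj = k8sObj` can also be written as a single `var newObj client.Object = k8sObj`, and a one-line comment stating that this is the fallback value for kinds the switch does not handle would make the intent clear.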
Member

I must be missing something here, but there is a lot of copying going on here.
Is the switch obj := k8sObj.(type) a copy itself? Trying to understand… but I wonder why not use the default: if a "default" copy has to happen? That's if they are all different… I guess I need to refresh my golang

Member Author

I know, it's a bit misleading the default case, its block will be executed if none of the other cases match.

Member Author

switch obj := k8sObj.(type) will only live within the switch block, so we need to copy it to a different var.

I'd love the switch case to include a finally clause, that will be executed at the very end, thus we could avoid a lot of repetition
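
An added example, not code from this PR, of the Go type-switch behaviour discussed in this thread, applied to patching the subject namespace of a RoleBinding and a ClusterRoleBinding. The types are simplified stand-ins for the rbac/v1 types and client.Object, and every name and namespace value is constructed for illustration.

```go
package main

import "fmt"

// Simplified stand-ins for the rbac/v1 types and client.Object (assumptions).
type Subject struct{ Kind, Name, Namespace string }
type RoleBinding struct {
	Name     string
	Subjects []Subject
}
type ClusterRoleBinding struct {
	Name     string
	Subjects []Subject
}
type Object interface{ GetName() string }

func (r *RoleBinding) GetName() string        { return r.Name }
func (c *ClusterRoleBinding) GetName() string { return c.Name }

// patchSubjects sets the namespace of ServiceAccount subjects in place.
// User and Group subjects are not namespaced and are left alone.
func patchSubjects(subjects []Subject, ns string) {
	for i := range subjects {
		if subjects[i].Kind == "ServiceAccount" {
			subjects[i].Namespace = ns
		}
	}
}

// In a single-type case obj is the concrete pointer and aliases k8sObj, so
// writes through obj reach the caller's object without a copy-back. A combined
// case listing both types would leave obj typed as Object, without Subjects.
func patchNamespace(k8sObj Object, ns string) Object {
	switch obj := k8sObj.(type) {
	case *RoleBinding:
		patchSubjects(obj.Subjects, ns)
	case *ClusterRoleBinding:
		patchSubjects(obj.Subjects, ns)
	default:
		// Any other kind is returned unchanged.
	}
	return k8sObj
}

func main() {
	rb := &RoleBinding{Name: "rb", Subjects: []Subject{{Kind: "ServiceAccount", Name: "sa", Namespace: "system"}}}
	out := patchNamespace(rb, "kuadrant-system")
	fmt.Println(out == Object(rb), rb.Subjects[0].Namespace)
}
```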

@didierofrivia didierofrivia merged commit 27791c5 into main Aug 8, 2022
@didierofrivia didierofrivia deleted the kuadrant-controller-limitador-envvars branch August 8, 2022 16:37
Successfully merging this pull request may close these issues.

Kuadrant Operator should inform the Kuadrant controller where limitador is deployed
3 participants