rate limit policy: header match support in wasm configuration #698

Merged
merged 2 commits into from
Jun 14, 2024


@eguzki eguzki commented Jun 11, 2024

What

Header match support in route selectors (applies to rate limit policy wasm configuration).

As an example: rate limit policy to rate limit traffic of the toystore service when the request has "X-kuadrant" header with the value yes.

---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: toystore
spec:
  parentRefs:
  - name: istio-ingressgateway
    namespace: istio-system
  hostnames:
  - api.toystore.com
  rules:
  - matches:
    - headers:
      - name: "X-kuadrant"
        value: "yes"
    backendRefs:
    - name: toystore
      port: 80
---
apiVersion: kuadrant.io/v1beta2
kind: RateLimitPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  limits:
    "get-resource":
      rates:
      - limit: 5
        duration: 10
        unit: second
      routeSelectors:
      - matches:
        - headers:
          - name: "X-kuadrant"
            value: "yes"

Verification Steps

  • Checkout this branch
  • Deploy
make local-setup
  • Deploy kuadrant
kubectl apply -f - <<EOF
---
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant-sample
spec: {}
EOF
  • Deploy toystore
kubectl apply -f examples/toystore/toystore.yaml
kubectl wait --timeout=300s --for=condition=Available deployment toystore
  • Create HTTP Route with two rules with header matching.
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: toystore
spec:
  parentRefs:
  - name: istio-ingressgateway
    namespace: istio-system
  hostnames:
  - api.toystore.com
  rules:
  - matches:
    - headers:
      - name: "X-kuadrant-class"
        value: "a"
    backendRefs:
    - name: toystore
      port: 80
  - matches:
    - headers:
      - name: "X-kuadrant-class"
        value: "b"
    backendRefs:
    - name: toystore
      port: 80
EOF
  • Create Rate limit policy
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
kind: RateLimitPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  limits:
    "kuadrant-class-a":
      rates:
      - limit: 5
        duration: 10
        unit: second
      routeSelectors:
      - matches:
        - headers:
          - name: "X-kuadrant-class"
            value: "a"
EOF
  • Ensure HTTP Route is rate limited at 5 requests every 10 seconds only when the header is present to qualify traffic as "class a"

Export the gateway hostname and port:

export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}')
export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "X-kuadrant-class: a" -H 'Host: api.toystore.com' http://$GATEWAY_URL/ | grep -E --color "\b(429)\b|$"; sleep 1; done
  • Ensure HTTP Route is not rate limited when the header is present to qualify traffic as "class b"
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "X-kuadrant-class: b" -H 'Host: api.toystore.com' http://$GATEWAY_URL/ | grep -E --color "\b(429)\b|$"; sleep 1; done
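
A simplified model of the behaviour the verification steps above check, as an added example (not code from this PR or from kuadrant-operator): a limit of 5 requests per 10 seconds that counts only requests satisfying the `X-kuadrant-class: a` header selector, driven at one request per second like the curl loops. The `HeaderMatch` and `Limit` types, the `Simulate` helper and the fixed-window counting are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// HeaderMatch models an exact header match (name case-insensitive, value exact).
type HeaderMatch struct{ Name, Value string }

// Limit is a hypothetical, reduced model of one limit; not the operator's types.
type Limit struct {
	Max, WindowSecs    int
	Selector           []HeaderMatch // every match must hold
	windowStart, count int
}

// Status returns the status for a request arriving at second now, using a
// fixed-window counter (an assumption of this model).
func (l *Limit) Status(h http.Header, now int) int {
	for _, m := range l.Selector {
		if h.Get(m.Name) != m.Value {
			return http.StatusOK // outside the selector: not counted, not limited
		}
	}
	if now-l.windowStart >= l.WindowSecs {
		l.windowStart, l.count = now, 0
	}
	if l.count++; l.count > l.Max {
		return http.StatusTooManyRequests
	}
	return http.StatusOK
}

// Simulate sends one request per second for n seconds with the given class header.
func Simulate(class string, n int) []int {
	l := &Limit{Max: 5, WindowSecs: 10, Selector: []HeaderMatch{{"X-kuadrant-class", "a"}}}
	h := http.Header{}
	h.Set("X-kuadrant-class", class)
	codes := make([]int, 0, n)
	for t := 0; t < n; t++ {
		codes = append(codes, l.Status(h, t))
	}
	return codes
}

func main() {
	fmt.Println("class a:", Simulate("a", 12), "class b:", Simulate("b", 12))
}
```

Requests whose header value falls outside the selector are never counted, so any traffic class that must be bounded needs its own limit entry.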


codecov bot commented Jun 11, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.87%. Comparing base (ece13e8) to head (81b12b5).
Report is 120 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #698      +/-   ##
==========================================
+ Coverage   80.20%   82.87%   +2.66%     
==========================================
  Files          64       76      +12     
  Lines        4492     5762    +1270     
==========================================
+ Hits         3603     4775    +1172     
- Misses        600      654      +54     
- Partials      289      333      +44     
Flag Coverage Δ
bare-k8s-integration 4.58% <0.00%> (?)
controllers-integration 72.30% <0.00%> (?)
gatewayapi-integration 10.91% <0.00%> (?)
integration ?
istio-integration 56.02% <0.00%> (?)
unit 32.64% <100.00%> (+2.61%) ⬆️

Components Coverage Δ
api/v1beta1 (u) 71.42% <ø> (ø)
api/v1beta2 (u) 93.58% <100.00%> (+2.16%) ⬆️
pkg/common (u) 88.13% <ø> (-0.70%) ⬇️
pkg/istio (u) 73.88% <ø> (-0.03%) ⬇️
pkg/log (u) 94.73% <ø> (ø)
pkg/reconcilers (u) ∅ <ø> (∅)
pkg/rlptools (u) 82.37% <ø> (+2.91%) ⬆️
controllers (i) 81.93% <80.66%> (+5.13%) ⬆️
Files Coverage Δ
pkg/rlptools/wasm/utils.go 87.32% <100.00%> (ø)

... and 33 files with indirect coverage changes

@eguzki eguzki marked this pull request as ready for review June 11, 2024 11:45
@eguzki eguzki requested a review from a team as a code owner June 11, 2024 11:45

@KevFan KevFan left a comment

Verified, LGTM ! 💯

@eguzki eguzki merged commit 321bdf5 into main Jun 14, 2024
26 checks passed
@eguzki eguzki deleted the header-match branch June 14, 2024 14:31
dlaw4608 pushed a commit to dlaw4608/kuadrant-operator that referenced this pull request Jun 17, 2024
…nt#698)

* rate limit policy: header match support in wasm configuration

* fix rebase issues