feat: support both rate limit in xds translator

Signed-off-by: kkk777-7 <[email protected]>

Author: kkk777-7

api/v1alpha1/ratelimit_types.go

@@ -10,7 +10,7 @@ type RateLimitSpec struct {
 	// Type decides the scope for the RateLimits.
 	// Valid RateLimitType values are "Global" or "Local".
 	//
-	// Deprecated: Use Type. allow both "Global" and "Local" fields now.
+	// Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting.
 	//
 	// +optional
 	Type *RateLimitType `json:"type"`

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml

@@ -1388,7 +1388,7 @@ spec:
                       Type decides the scope for the RateLimits.
                       Valid RateLimitType values are "Global" or "Local".
 
-                      Deprecated: Use Type. allow both "Global" and "Local" fields now.
+                      Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting.
                     enum:
                     - Global
                     - Local

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml

@@ -1387,7 +1387,7 @@ spec:
                       Type decides the scope for the RateLimits.
                       Valid RateLimitType values are "Global" or "Local".
 
-                      Deprecated: Use Type. allow both "Global" and "Local" fields now.
+                      Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting.
                     enum:
                     - Global
                     - Local

internal/xds/translator/local_ratelimit.go

@@ -213,7 +213,7 @@ func buildRouteLocalRateLimits(local *ir.LocalRateLimit) (
 
 			if match.Distinct {
 				// For distinct matches, we only check if the header exists using the RequestHeaders action.
-				descriptorKey := getRouteRuleDescriptor(rIdx, mIdx)
+				descriptorKey := fmt.Sprintf("local_%s", getRouteRuleDescriptor(rIdx, mIdx))
 				action = &routev3.RateLimit_Action{
 					ActionSpecifier: &routev3.RateLimit_Action_RequestHeaders_{
 						RequestHeaders: &routev3.RateLimit_Action_RequestHeaders{
@@ -230,8 +230,8 @@ func buildRouteLocalRateLimits(local *ir.LocalRateLimit) (
 			} else {
 				// For exact matches, we check if there is an existing header with the matching value using the
 				// HeaderValueMatch action.
-				descriptorKey := getRouteRuleDescriptor(rIdx, mIdx)
-				descriptorVal := getRouteRuleDescriptor(rIdx, mIdx)
+				descriptorKey := fmt.Sprintf("local_%s", getRouteRuleDescriptor(rIdx, mIdx))
+				descriptorVal := fmt.Sprintf("local_%s", getRouteRuleDescriptor(rIdx, mIdx))
 				headerMatcher := &routev3.HeaderMatcher{
 					Name: match.Name,
 					HeaderMatchSpecifier: &routev3.HeaderMatcher_StringMatch{
@@ -281,7 +281,7 @@ func buildRouteLocalRateLimits(local *ir.LocalRateLimit) (
 				},
 			}
 			entry := &rlv3.RateLimitDescriptor_Entry{
-				Key:   descriptorMaskedRemoteAddress,
+				Key:   fmt.Sprintf("local_%s", descriptorMaskedRemoteAddress),
 				Value: rule.CIDRMatch.CIDR,
 			}
 			descriptorEntries = append(descriptorEntries, entry)
@@ -298,7 +298,7 @@ func buildRouteLocalRateLimits(local *ir.LocalRateLimit) (
 				// If the CIDRMatch is distinct, we use the built-in remote address descriptor key without a value.
 				// This means that each distinct client IP will be counted separately.
 				entry = &rlv3.RateLimitDescriptor_Entry{
-					Key: descriptorRemoteAddress,
+					Key: fmt.Sprintf("local_%s", descriptorRemoteAddress),
 				}
 				descriptorEntries = append(descriptorEntries, entry)
 				rlActions = append(rlActions, action)

internal/xds/translator/ratelimit.go

@@ -171,7 +171,7 @@ func patchRouteWithRateLimit(route *routev3.Route, irRoute *ir.HTTPRoute) error
 	if costSpecified {
 		return patchRouteWithRateLimitOnTypedFilterConfig(route, rateLimits, irRoute)
 	}
-	xdsRouteAction.RateLimits = rateLimits
+	xdsRouteAction.RateLimits = append(xdsRouteAction.RateLimits, rateLimits...)
 	return nil
 }
 

internal/xds/translator/testdata/out/xds-ir/local-ratelimit-distinct.routes.yaml

@@ -13,7 +13,7 @@
         rateLimits:
         - actions:
           - requestHeaders:
-              descriptorKey: rule-0-match-0
+              descriptorKey: local_rule-0-match-0
               headerName: x-user-id
         upgradeConfigs:
         - upgradeType: websocket
@@ -23,7 +23,7 @@
           alwaysConsumeDefaultTokenBucket: false
           descriptors:
           - entries:
-            - key: rule-0-match-0
+            - key: local_rule-0-match-0
             tokenBucket:
               fillInterval: 0s
               maxTokens: 5
@@ -48,33 +48,33 @@
         rateLimits:
         - actions:
           - headerValueMatch:
-              descriptorKey: rule-0-match-0
-              descriptorValue: rule-0-match-0
+              descriptorKey: local_rule-0-match-0
+              descriptorValue: local_rule-0-match-0
               expectMatch: true
               headers:
               - name: x-user-id
                 stringMatch:
                   exact: one
           - headerValueMatch:
-              descriptorKey: rule-0-match-1
-              descriptorValue: rule-0-match-1
+              descriptorKey: local_rule-0-match-1
+              descriptorValue: local_rule-0-match-1
               expectMatch: true
               headers:
               - name: x-org-id
                 stringMatch:
                   exact: foo
         - actions:
           - headerValueMatch:
-              descriptorKey: rule-1-match-0
-              descriptorValue: rule-1-match-0
+              descriptorKey: local_rule-1-match-0
+              descriptorValue: local_rule-1-match-0
               expectMatch: true
               headers:
               - name: x-user-id
                 stringMatch:
                   exact: two
           - headerValueMatch:
-              descriptorKey: rule-1-match-1
-              descriptorValue: rule-1-match-1
+              descriptorKey: local_rule-1-match-1
+              descriptorValue: local_rule-1-match-1
               expectMatch: true
               headers:
               - name: x-org-id
@@ -91,22 +91,22 @@
           alwaysConsumeDefaultTokenBucket: false
           descriptors:
           - entries:
-            - key: rule-0-match-0
-              value: rule-0-match-0
-            - key: rule-0-match-1
-              value: rule-0-match-1
+            - key: local_rule-0-match-0
+              value: local_rule-0-match-0
+            - key: local_rule-0-match-1
+              value: local_rule-0-match-1
             tokenBucket:
               fillInterval: 3600s
               maxTokens: 10
               tokensPerFill: 10
           - entries:
-            - key: rule-1-match-0
-              value: rule-1-match-0
-            - key: rule-1-match-1
-              value: rule-1-match-1
-            - key: masked_remote_address
+            - key: local_rule-1-match-0
+              value: local_rule-1-match-0
+            - key: local_rule-1-match-1
+              value: local_rule-1-match-1
+            - key: local_masked_remote_address
               value: 192.168.0.0/16
-            - key: remote_address
+            - key: local_remote_address
             tokenBucket:
               fillInterval: 60s
               maxTokens: 10

internal/xds/translator/testdata/out/xds-ir/local-ratelimit.routes.yaml

@@ -13,16 +13,16 @@
         rateLimits:
         - actions:
           - headerValueMatch:
-              descriptorKey: rule-0-match-0
-              descriptorValue: rule-0-match-0
+              descriptorKey: local_rule-0-match-0
+              descriptorValue: local_rule-0-match-0
               expectMatch: true
               headers:
               - name: x-user-id
                 stringMatch:
                   exact: one
           - headerValueMatch:
-              descriptorKey: rule-0-match-1
-              descriptorValue: rule-0-match-1
+              descriptorKey: local_rule-0-match-1
+              descriptorValue: local_rule-0-match-1
               expectMatch: true
               headers:
               - name: x-org-id
@@ -36,10 +36,10 @@
           alwaysConsumeDefaultTokenBucket: false
           descriptors:
           - entries:
-            - key: rule-0-match-0
-              value: rule-0-match-0
-            - key: rule-0-match-1
-              value: rule-0-match-1
+            - key: local_rule-0-match-0
+              value: local_rule-0-match-0
+            - key: local_rule-0-match-1
+              value: local_rule-0-match-1
             tokenBucket:
               fillInterval: 3600s
               maxTokens: 10
@@ -64,33 +64,33 @@
         rateLimits:
         - actions:
           - headerValueMatch:
-              descriptorKey: rule-0-match-0
-              descriptorValue: rule-0-match-0
+              descriptorKey: local_rule-0-match-0
+              descriptorValue: local_rule-0-match-0
               expectMatch: true
               headers:
               - name: x-user-id
                 stringMatch:
                   exact: one
           - headerValueMatch:
-              descriptorKey: rule-0-match-1
-              descriptorValue: rule-0-match-1
+              descriptorKey: local_rule-0-match-1
+              descriptorValue: local_rule-0-match-1
               expectMatch: true
               headers:
               - name: x-org-id
                 stringMatch:
                   exact: foo
         - actions:
           - headerValueMatch:
-              descriptorKey: rule-1-match-0
-              descriptorValue: rule-1-match-0
+              descriptorKey: local_rule-1-match-0
+              descriptorValue: local_rule-1-match-0
               expectMatch: true
               headers:
               - name: x-user-id
                 stringMatch:
                   exact: two
           - headerValueMatch:
-              descriptorKey: rule-1-match-1
-              descriptorValue: rule-1-match-1
+              descriptorKey: local_rule-1-match-1
+              descriptorValue: local_rule-1-match-1
               expectMatch: true
               headers:
               - name: x-org-id
@@ -106,20 +106,20 @@
           alwaysConsumeDefaultTokenBucket: false
           descriptors:
           - entries:
-            - key: rule-0-match-0
-              value: rule-0-match-0
-            - key: rule-0-match-1
-              value: rule-0-match-1
+            - key: local_rule-0-match-0
+              value: local_rule-0-match-0
+            - key: local_rule-0-match-1
+              value: local_rule-0-match-1
             tokenBucket:
               fillInterval: 3600s
               maxTokens: 10
               tokensPerFill: 10
           - entries:
-            - key: rule-1-match-0
-              value: rule-1-match-0
-            - key: rule-1-match-1
-              value: rule-1-match-1
-            - key: masked_remote_address
+            - key: local_rule-1-match-0
+              value: local_rule-1-match-0
+            - key: local_rule-1-match-1
+              value: local_rule-1-match-1
+            - key: local_masked_remote_address
               value: 192.168.0.0/16
             tokenBucket:
               fillInterval: 60s

internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.routes.yaml

@@ -31,6 +31,15 @@
       route:
         cluster: second-route-dest
         rateLimits:
+        - actions:
+          - headerValueMatch:
+              descriptorKey: local_rule-0-match-0
+              descriptorValue: local_rule-0-match-0
+              expectMatch: true
+              headers:
+              - name: x-user-id
+                stringMatch:
+                  exact: one
         - actions:
           - genericKey:
               descriptorKey: second-route
@@ -46,8 +55,8 @@
           alwaysConsumeDefaultTokenBucket: false
           descriptors:
           - entries:
-            - key: rule-0-match-0
-              value: rule-0-match-0
+            - key: local_rule-0-match-0
+              value: local_rule-0-match-0
             tokenBucket:
               fillInterval: 3600s
               maxTokens: 10

release-notes/current.yaml

@@ -26,6 +26,7 @@ new features: |
   Added support for returning 503 responses when no valid backend endpoints exist.
   Added support for CSRFTokenTTL in OIDC authn to configure the lifetime of the CSRF token used during the OAuth2 authorization code flow.
   Added support for binaryData in ConfigMap referenced by HTTPRouteFilter for direct response.
+  Added support for both Global and Local rate limiting in BackendTrafficPolicy simultaneously.
 
 
 bug fixes: |

site/content/en/latest/api/extension_types.md

@@ -4262,7 +4262,7 @@ _Appears in:_
 
 | Field | Type | Required | Default | Description |
 | ---   | ---  | ---      | ---     | ---         |
-| `type` | _[RateLimitType](#ratelimittype)_ |  false  |  | Type decides the scope for the RateLimits.<br />Valid RateLimitType values are "Global" or "Local".<br />Deprecated: Use Type. allow both "Global" and "Local" fields now. |
+| `type` | _[RateLimitType](#ratelimittype)_ |  false  |  | Type decides the scope for the RateLimits.<br />Valid RateLimitType values are "Global" or "Local".<br />Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting. |
 | `global` | _[GlobalRateLimit](#globalratelimit)_ |  false  |  | Global defines global rate limit configuration. |
 | `local` | _[LocalRateLimit](#localratelimit)_ |  false  |  | Local defines local rate limit configuration. |