envoyproxy · zirain · May 21, 2025 · May 14, 2025
@@ -89,7 +89,7 @@ func (*apiKeyAuth) patchResources(*types.ResourceVersionTable, []*ir.HTTPRoute)
 
 // patchRoute patches the provided route with the apiKeyAuth config if applicable.
 // Note: this method overwrites the HCM level filter config with the per route filter config.
-func (*apiKeyAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*apiKeyAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -107,7 +107,7 @@ func listenerContainsRBAC(irListener *ir.HTTPListener) bool {
 }
 
 // patchRoute patches the provided route with the RBAC config if applicable.
-func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -115,7 +115,7 @@ func (*basicAuth) patchResources(*types.ResourceVersionTable, []*ir.HTTPRoute) e
 
 // patchRoute patches the provided route with the basicAuth config if applicable.
 // Note: this method overwrites the HCM level filter config with the per route filter config.
-func (*basicAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*basicAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -143,7 +143,7 @@ func (*compressor) patchResources(*types.ResourceVersionTable, []*ir.HTTPRoute)
 
 // patchRoute patches the provided route with the compressor config if applicable.
 // Note: this method overwrites the HCM level filter config with the per route filter config.
-func (*compressor) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*compressor) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -105,7 +105,7 @@ func listenerContainsCORS(irListener *ir.HTTPListener) bool {
 }
 
 // patchRoute patches the provided route with the CORS config if applicable.
-func (*cors) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*cors) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -141,7 +141,7 @@ func buildCredentialSecret(credentialInjection *ir.CredentialInjection) *tlsv3.S
 
 // patchRoute patches the provided route with the credential injector filter if applicable.
 // Note: this method enables the corresponding credential injector filter for the provided route.
-func (*credentialInjector) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*credentialInjector) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -426,7 +426,7 @@ func (c *customResponse) patchResources(tCtx *types.ResourceVersionTable,
 
 // patchRoute patches the provided route with the customResponse config if applicable.
 // Note: this method enables the corresponding customResponse filter for the provided route.
-func (c *customResponse) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (c *customResponse) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -244,7 +244,7 @@ func (*extAuth) patchResources(tCtx *types.ResourceVersionTable,
 
 // patchRoute patches the provided route with the extAuth config if applicable.
 // Note: this method enables the corresponding extAuth filter for the provided route.
-func (*extAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*extAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -212,7 +212,7 @@ func (*extProc) patchResources(tCtx *types.ResourceVersionTable,
 
 // patchRoute patches the provided route with the extProc config if applicable.
 // Note: this method enables the corresponding extProc filter for the provided route.
-func (*extProc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*extProc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -106,7 +106,7 @@ func (*fault) patchResources(*types.ResourceVersionTable, []*ir.HTTPRoute) error
 
 // patchRoute patches the provided route with the fault config if applicable.
 // Note: this method enables the corresponding fault filter for the provided route.
-func (*fault) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*fault) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -98,6 +98,6 @@ func (*healthCheck) patchResources(*types.ResourceVersionTable, []*ir.HTTPRoute)
 	return nil
 }
 
-func (*healthCheck) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*healthCheck) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	return nil
 }
@@ -56,7 +56,7 @@ type httpFilter interface {
 	patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListener) error
 
 	// patchRoute patches the provide Route with a filter's Route level configuration.
-	patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error
+	patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, httpListener *ir.HTTPListener) error
 
 	// patchResources adds all the other needed resources referenced by this
 	// filter to the resource version table.
@@ -296,12 +296,9 @@ func (t *Translator) patchHCMWithFilters(
 
 // patchRouteWithPerRouteConfig appends per-route filter configuration to the
 // provided route.
-func patchRouteWithPerRouteConfig(
-	route *routev3.Route,
-	irRoute *ir.HTTPRoute,
-) error {
+func patchRouteWithPerRouteConfig(route *routev3.Route, irRoute *ir.HTTPRoute, httpListener *ir.HTTPListener) error {
 	for _, filter := range httpFilters {
-		if err := filter.patchRoute(route, irRoute); err != nil {
+		if err := filter.patchRoute(route, irRoute, httpListener); err != nil {
 			return err
 		}
 	}

@@ -255,7 +255,7 @@ func buildXdsUpstreamTLSSocket(sni string) (*corev3.TransportSocket, error) {
 
 // patchRoute patches the provided route with a JWT PerRouteConfig, if the route
 // doesn't contain it.
-func (*jwt) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*jwt) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -117,7 +117,7 @@
 	return nil
 }
 
-func (*localRateLimit) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*localRateLimit) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, httpListener *ir.HTTPListener) error {
 	routeAction := route.GetRoute()
 
 	// Return early if no rate limit config exists.
@@ -168,7 +168,8 @@
 				Denominator: typev3.FractionalPercent_HUNDRED,
 			},
 		},
-		Descriptors: descriptors,
+		EnableXRatelimitHeaders: rlv3.XRateLimitHeadersRFCVersion_DRAFT_VERSION_03,
+		Descriptors:             descriptors,
 		// By setting AlwaysConsumeDefaultTokenBucket to false, the descriptors
 		// won't consume the default token bucket. This means that a request only
 		// counts towards the default token bucket if it does not match any of the
@@ -177,6 +178,9 @@
 			Value: false,
 		},
 	}
+	if httpListener.Headers != nil && httpListener.Headers.DisableRateLimitHeaders {
+		localRl.EnableXRatelimitHeaders = rlv3.XRateLimitHeadersRFCVersion_OFF
+	}
 
 	localRlAny, err := anypb.New(localRl)
 	if err != nil {

@@ -107,7 +107,7 @@ func (*lua) patchResources(_ *types.ResourceVersionTable, _ []*ir.HTTPRoute) err
 }
 
 // patchRoute patches the provided route so Lua filters are enabled if applicable.
-func (*lua) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*lua) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -476,7 +476,7 @@ func oauth2HMACSecretName(oidc *ir.OIDC) string {
 
 // patchRoute patches the provided route with the oauth2 config if applicable.
 // Note: this method enables the corresponding oauth2 filter for the provided route.
-func (*oidc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*oidc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -101,7 +101,7 @@ func (r *requestBuffer) patchResources(tCtx *types.ResourceVersionTable, routes
 }
 
 // patchRoute will add a BufferPerRoute filter for a particular route
-func (r *requestBuffer) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (r *requestBuffer) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if !routeContainsRequestBuffer(irRoute) {
 		return nil
 	}

@@ -40,7 +40,7 @@ var defaultUpgradeConfig = []*routev3.RouteAction_UpgradeConfig{
 	},
 }
 
-func buildXdsRoute(httpRoute *ir.HTTPRoute) (*routev3.Route, error) {
+func buildXdsRoute(httpRoute *ir.HTTPRoute, httpListener *ir.HTTPListener) (*routev3.Route, error) {
 	router := &routev3.Route{
 		Name:     httpRoute.Name,
 		Match:    buildXdsRouteMatch(httpRoute.PathMatch, httpRoute.HeaderMatches, httpRoute.QueryParamMatches),
@@ -124,7 +124,7 @@ func buildXdsRoute(httpRoute *ir.HTTPRoute) (*routev3.Route, error) {
 	}
 
 	// Add per route filter configs to the route, if needed.
-	if err := patchRouteWithPerRouteConfig(router, httpRoute); err != nil {
+	if err := patchRouteWithPerRouteConfig(router, httpRoute, httpListener); err != nil {
 		return nil, err
 	}
 

@@ -149,7 +149,7 @@ func getLongestNonRegexPrefix(path string) string {
 }
 
 // patchRoute patches the provide Route with a filter's Route level configuration.
-func (s *sessionPersistence) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (s *sessionPersistence) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -28,6 +28,7 @@
               fillInterval: 0s
               maxTokens: 5
               tokensPerFill: 5
+          enableXRatelimitHeaders: DRAFT_VERSION_03
           filterEnabled:
             defaultValue:
               numerator: 100
@@ -110,6 +111,7 @@
               fillInterval: 60s
               maxTokens: 10
               tokensPerFill: 10
+          enableXRatelimitHeaders: DRAFT_VERSION_03
           filterEnabled:
             defaultValue:
               numerator: 100

@@ -44,6 +44,7 @@
               fillInterval: 3600s
               maxTokens: 10
               tokensPerFill: 10
+          enableXRatelimitHeaders: DRAFT_VERSION_03
           filterEnabled:
             defaultValue:
               numerator: 100
@@ -124,6 +125,7 @@
               fillInterval: 60s
               maxTokens: 10
               tokensPerFill: 10
+          enableXRatelimitHeaders: DRAFT_VERSION_03
           filterEnabled:
             defaultValue:
               numerator: 100
@@ -146,6 +148,7 @@
         envoy.filters.http.local_ratelimit:
           '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
           alwaysConsumeDefaultTokenBucket: false
+          enableXRatelimitHeaders: DRAFT_VERSION_03
           filterEnabled:
             defaultValue:
               numerator: 100

@@ -480,7 +480,7 @@ func (t *Translator) addRouteToRouteConfig(
 
 		var xdsRoute *routev3.Route
 		// 1:1 between IR HTTPRoute and xDS config.route.v3.Route
-		xdsRoute, err = buildXdsRoute(httpRoute)
+		xdsRoute, err = buildXdsRoute(httpRoute, httpListener)
 		if err != nil {
 			// skip this route if failed to build xds route
 			errs = errors.Join(errs, err)

@@ -179,7 +179,7 @@ func (*wasm) patchResources(_ *types.ResourceVersionTable, _ []*ir.HTTPRoute) er
 
 // patchRoute patches the provided route with the wasm config if applicable.
 // Note: this method enables the corresponding wasm filter for the provided route.
-func (*wasm) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
+func (*wasm) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}

@@ -11,6 +11,7 @@ new features: |
   Added support for percentage-based request mirroring
   Add an option to OIDC authentication to bypass it and defer to JWT when the request contains an "Authorization: Bearer ..." header.
   Added support for configuring Subject Alternative Names (SANs) for upstream TLS validation via `BackendTLSPolicy.validation.subjectAltNames`.
+  Added support for local rate limit header.
 
 bug fixes: |
 

@@ -1,4 +1,17 @@
 apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: ClientTrafficPolicy
+metadata:
+  name: disable-ratelimit-header
+  namespace: gateway-conformance-infra
+spec:
+  headers:
+    disableRateLimitHeaders: true
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: all-namespaces  # use different gatway
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: BackendTrafficPolicy
 metadata:
   name: ratelimit-specific-user
@@ -49,6 +62,7 @@ metadata:
 spec:
   parentRefs:
     - name: same-namespace
+    - name: all-namespaces
   rules:
     - backendRefs:
         - name: infra-backend-v1
@@ -66,6 +80,7 @@ metadata:
 spec:
   parentRefs:
     - name: same-namespace
+    - name: all-namespaces
   rules:
     - backendRefs:
         - name: infra-backend-v1
@@ -83,6 +98,7 @@ metadata:
 spec:
   parentRefs:
     - name: same-namespace
+    - name: all-namespaces
   rules:
     - backendRefs:
         - name: infra-backend-v1
@@ -125,6 +141,7 @@ metadata:
 spec:
   parentRefs:
     - name: same-namespace
+    - name: all-namespaces
   rules:
     - backendRefs:
         - name: infra-backend-v1