update RateLimitPolicy and API design #75
Conversation
|
Please ignore tests in CI for now as we are iterating on design at the moment. |
| AuthConfigSelector map[string]string `json:"authConfigSelector,omitempty"` | ||
| RateLimitSelector *map[string]string `json:"rateLimitSelector,omitempty"` | ||
| Info API_Metadata `json:"info"` | ||
| VirtualServiceSelector map[string]string `json:"virtualServiceSelector,omitempty"` |
There was a problem hiding this comment.
I think having this here for now is fine. But want to discuss alternatives such as annotations on the resource and or a object reference
name: myroute
group: "kuadrant.io/v1alpha1"
Kind: "VirtualService|HTTPRoute"
| RateLimitStage_BOTH RateLimit_Stage = "BOTH" | ||
| ) | ||
|
|
||
| var RateLimit_Stage_name = map[int32]string{ |
There was a problem hiding this comment.
go has a useful type called iota
const (
C0 = iota
C1
C2
)
There was a problem hiding this comment.
I had an integer there but then the string was required to match with the stage names.
| type: object | ||
| type: array | ||
| required: | ||
| - limits | ||
| - phases | ||
| - rules | ||
| - routes |
There was a problem hiding this comment.
should routes be required?
There was a problem hiding this comment.
I guess nothing is really required, so will add omit tag to limits and routes.
| matchingLabels := client.MatchingLabels{} | ||
| matchingLabels = api.Spec.VirtualServiceSelector // interface requirements | ||
|
|
||
| if err := r.Client().List(ctx, vslist, matchingLabels); err != nil { |
There was a problem hiding this comment.
does this list accross the whole cluster? I wonder should we limit it to the namespace the RateLimitPolicy is created in. Otherwise I could reference a virtualservice I don't own and affect its behaviour
| } | ||
| logger.Info("number of virtualservices matched", "count", len(vslist.Items)) |
There was a problem hiding this comment.
I am not sure what the V-level should be but looks like 1 is for Info and 10 is for trace so 4 maybe?
| logger.Error(err, "failed to add owner ref to RateLimit filters patch") | ||
| return ctrl.Result{}, err | ||
| } | ||
| if err := r.Client().Create(ctx, rateLimitPatch); err != nil { |
There was a problem hiding this comment.
should do a CreateUpdate here as it is in a reconcile loop. base.ReconcileResource
| logger.Error(err, "failed to add owner ref to route-level ratelimits patch") | ||
| return ctrl.Result{}, err | ||
| } | ||
| if err := r.Client().Create(ctx, routePatch); err != nil { |
There was a problem hiding this comment.
can do create update here also. If they change the name on the VS the next time we reconcile we will want to reflect that in our setup and remove the rate limiting from the named route
| Context: networkingv1alpha3.EnvoyFilter_GATEWAY, | ||
| ObjectTypes: &networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectMatch_Cluster{ | ||
| Cluster: &networkingv1alpha3.EnvoyFilter_ClusterMatch{ | ||
| Name: "outbound|8081||limitador.kuadrant-system.svc.cluster.local", |
There was a problem hiding this comment.
lets pull that out to a constant. Likely at some point it would come from configuration
| @@ -279,7 +338,7 @@ func routeRateLimitsPatch(vHostName, routeName string, actions []*apimv1alpha1.A | |||
| return nil | |||
| } | |||
|
|
|||
| // A nice trick to make things easy. | |||
| // A nice trick to make it easier add-in actions | |||
| stringPatch := string(patchRaw) | |||
| stringPatch = strings.Replace(stringPatch, "\"ACTIONS\"", string(jsonActions), 1) | |||
| fmt.Printf("STRING PATCH: %v", stringPatch) | |||
There was a problem hiding this comment.
But it's such a nice trick! JK, will do...
There was a problem hiding this comment.
Oh wait, I see, you mean the printf.
| AuthConfigSelector map[string]string `json:"authConfigSelector,omitempty"` | ||
| RateLimitSelector *map[string]string `json:"rateLimitSelector,omitempty"` | ||
| Info API_Metadata `json:"info"` | ||
| VirtualServiceSelector map[string]string `json:"virtualServiceSelector,omitempty"` |
There was a problem hiding this comment.
The customer will be the owner of the virtualservice objects? In that case, kuadrant API object does no longer make any sense. Annotations and labels can be used to link VirtualServices, AuthConfigs, AuthortizationPolicies and RateLimitPolicies.
IMO the current kuadrant API CRD is a good compromise for an API owner between capabilities and complexity. It is made for API owners, in their own language and terms.
|
Tried this out locally and was able to see the rate limiting working |
|
going to merge to allow building on top of these chnges |
* example: add virtualservice resource to toystore example * update ratelimitpolicy and API design * update samples for RLP and API resource
* add API and RateLimitPolicy resource * add new apis' controller * Add finalizer (#74) * add API and RateLimitPolicy resource * add new apis' controller * add owner and finalizer for ratelimit policy Co-authored-by: Rahul Anand <[email protected]> * update RateLimitPolicy and API design (#75) * example: add virtualservice resource to toystore example * update ratelimitpolicy and API design * update samples for RLP and API resource * tie networking and ratelimit using annotations (#76) * tie networking and ratelimit using annotations * move network selection into spec from annotations * reuse ClusterEnvoyPatch from istioprovider * create AuthorizationPolicy using VirtualService (#79) * create AuthorizationPolicy using VirtualService * just log if reconciling w/o provider annotation * move orphan check into the reconcile logic * pass logger from main reconciler and small fix * use predicate funcs to filter events for virtualservice * make preauth as the first and postauth as the last filter (#80) * cleanup API APIProduct CRDs (#81) * cleanup API APIProduct CRDs * fix tests * remove duplicated constants * Harden RateLimitPolicy implementation (#82) * harden RateLimitPolicy implementation * change finalizer's name * fix typo and use correct gateway labels * fix lint before merging into main Co-authored-by: Craig Brookes <[email protected]> Co-authored-by: Eguzki Astiz Lezaun <[email protected]>
This PR updates RateLimitPolicy and API resource designs.
Few notes:
|(pipe) character in authority header is auto-rejected by Limitador limitador#53,rate-limit-clustername is patched at the same time when filters are added.virtualserviceresource has been added to make it easy to test.RateLimitPolicyto account for virtualhost-level actions in the next PRs.