Kuadrant / kuadrant-controller

Apache License 2.0

default rules from httproute on RateLimitPolicy rules #206

Closed eguzki closed 2 years ago

eguzki commented 2 years ago

what

When the rules are empty (null or empty list), take the default values from the target resource (HTTPRoute). This implementation goes to the RateLimitPolicy

Partially implements https://github.com/Kuadrant/kuadrant-controller/issues/190

Verification steps

Run dev env

make local-setup

Create HTTPRoute

kubectl apply -f - <<EOF
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: toystore
  labels:
    app: toystore
spec:
  parentRefs:
    - name: istio-ingressgateway
      namespace: istio-system
  hostnames: ["*.toystore.com"]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/toy"
          method: GET
        - path:
            type: Exact
            value: "/car"
          method: POST
      backendRefs:
        - name: toystore
          port: 80
EOF

Create RateLimitPolicy, with two configurations, one including some rules, another with empty rules

kubectl apply -f - <<EOF
---
apiVersion: apim.kuadrant.io/v1alpha1
kind: RateLimitPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  rateLimits:
    - rules:
        - hosts: ["rate-limited.toystore.com"]
      configurations:
        - actions:
            - generic_key:
                descriptor_key: "limited"
                descriptor_value: "1"
      limits:
        - conditions:
            - "limited == 1"
          maxValue: 5
          seconds: 10
          variables: []
    - configurations:
        - actions:
            - generic_key:
                descriptor_key: "limited2"
                descriptor_value: "2"
      limits:
        - conditions:
            - "limited2 == 1"
          maxValue: 2
          seconds: 10
          variables: []
EOF

Check the wasm plugin object to see the default rules read from the network resource. One of the rule lists is copied directly from the policy, and the other is generated from the network resource matching rules.

k get wasmplugin kuadrant-istio-ingressgateway -n istio-system -o yaml | yq_pretty 
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  creationTimestamp: "2022-09-12T12:07:41Z"
  generation: 1
  name: kuadrant-istio-ingressgateway
  namespace: istio-system
  resourceVersion: "2416"
  uid: cca72a57-29e2-4464-861a-a0136ea879f2
spec:
  phase: STATS
  pluginConfig:
    failure_mode_deny: true
    rate_limit_policies:
      - gateway_actions:
          - configurations:
              - actions:
                  - generic_key:
                      descriptor_key: limited
                      descriptor_value: "1"
            rules:
              - hosts:
                  - rate-limited.toystore.com
          - configurations:
              - actions:
                  - generic_key:
                      descriptor_key: limited2
                      descriptor_value: "2"
            rules:
              - hosts:
                  - '*.toystore.com'
                methods:
                  - GET
                paths:
                  - /toy*
              - hosts:
                  - '*.toystore.com'
                methods:
                  - POST
                paths:
                  - /car
        hostnames:
          - '*.toystore.com'
        name: '*.toystore.com'
        rate_limit_domain: istio-system/istio-ingressgateway#*.toystore.com
        upstream_cluster: kuadrant-rate-limiting-service
  selector:
    matchLabels:
      istio: ingressgateway
  url: oci://quay.io/kuadrant/wasm-shim:latest
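
The fallback shown in the verification output above, as an added Go sketch (not code from this PR or from kuadrant-controller). The `RouteMatch` and `Rule` types and both function names are hypothetical simplifications; the `*` suffix for `PathPrefix` matches is taken from the WasmPlugin output.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for the HTTPRoute match and policy rule types.
type RouteMatch struct {
	PathType, PathValue, Method string // PathType: "PathPrefix" or "Exact"
}

type Rule struct {
	Hosts, Methods, Paths []string
}

// rulesFromRoute builds one rule per HTTPRoute match, as in the WasmPlugin
// output above: a PathPrefix value gets a trailing "*", an Exact value is verbatim.
func rulesFromRoute(hostnames []string, matches []RouteMatch) []Rule {
	rules := make([]Rule, 0, len(matches))
	for _, m := range matches {
		r := Rule{Hosts: hostnames}
		if m.Method != "" {
			r.Methods = []string{m.Method}
		}
		if m.PathValue != "" {
			p := m.PathValue
			if m.PathType == "PathPrefix" {
				p += "*"
			}
			r.Paths = []string{p}
		}
		rules = append(rules, r)
	}
	return rules
}

// effectiveRules keeps the policy's own rules and falls back to the route
// only when they are nil or an empty list.
func effectiveRules(policy []Rule, hostnames []string, matches []RouteMatch) []Rule {
	if len(policy) > 0 {
		return policy
	}
	return rulesFromRoute(hostnames, matches)
}

func main() {
	// Constructed input matching the toystore HTTPRoute above.
	matches := []RouteMatch{{"PathPrefix", "/toy", "GET"}, {"Exact", "/car", "POST"}}
	for _, r := range effectiveRules(nil, []string{"*.toystore.com"}, matches) {
		fmt.Printf("hosts=%v methods=%v paths=%v\n", r.Hosts, r.Methods, r.Paths)
	}
}
```

A rate limit whose rules are left empty therefore covers every host, method and path the route matches, which is worth checking against the generated WasmPlugin before relying on it.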