refactor rate limit policy config struct
pdabelf5 committed Jan 28, 2025
1 parent 7015f55 commit ac68131
Showing 2 changed files with 106 additions and 92 deletions.
45 changes: 25 additions & 20 deletions internal/configs/virtualserver.go
Expand Up @@ -454,7 +454,7 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(
var healthChecks []version2.HealthCheck
var limitReqZones []version2.LimitReqZone

limitReqZones = append(limitReqZones, policiesCfg.LimitReqZones...)
limitReqZones = append(limitReqZones, policiesCfg.RateLimit.Zones...)

// generate upstreams for VirtualServer
for _, u := range vsEx.VirtualServer.Spec.Upstreams {
Expand Down Expand Up @@ -604,7 +604,7 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(
policiesCfg.APIKeyClientMap[apiMapName] = routePoliciesCfg.APIKeyClients
}
}
limitReqZones = append(limitReqZones, routePoliciesCfg.LimitReqZones...)
limitReqZones = append(limitReqZones, routePoliciesCfg.RateLimit.Zones...)

dosRouteCfg := generateDosCfg(dosResources[r.Path])

Expand Down Expand Up @@ -745,7 +745,7 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(
}
}

limitReqZones = append(limitReqZones, routePoliciesCfg.LimitReqZones...)
limitReqZones = append(limitReqZones, routePoliciesCfg.RateLimit.Zones...)

dosRouteCfg := generateDosCfg(dosResources[r.Path])

Expand Down Expand Up @@ -861,8 +861,8 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(
TLSPassthrough: vsc.isTLSPassthrough,
Allow: policiesCfg.Allow,
Deny: policiesCfg.Deny,
LimitReqOptions: policiesCfg.LimitReqOptions,
LimitReqs: policiesCfg.LimitReqs,
LimitReqOptions: policiesCfg.RateLimit.Options,
LimitReqs: policiesCfg.RateLimit.Reqs,
JWTAuth: policiesCfg.JWTAuth,
BasicAuth: policiesCfg.BasicAuth,
JWTAuthList: policiesCfg.JWTAuthList,
Expand Down Expand Up @@ -891,12 +891,17 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(
return vsCfg, vsc.warnings
}

// RateLimit hold the configuration for the ratelimiting Policy
type RateLimit struct {
Reqs []version2.LimitReq
Zones []version2.LimitReqZone
Options version2.LimitReqOptions
}

type policiesCfg struct {
Allow []string
Deny []string
LimitReqOptions version2.LimitReqOptions
LimitReqZones []version2.LimitReqZone
LimitReqs []version2.LimitReq
RateLimit RateLimit
JWTAuth *version2.JWTAuth
JWTAuthList map[string]*version2.JWTAuth
JWKSAuthEnabled bool
Expand Down Expand Up @@ -994,20 +999,20 @@ func (p *policiesCfg) addRateLimitConfig(
) *validationResults {
res := newValidationResults()
rlZoneName := fmt.Sprintf("pol_rl_%v_%v_%v_%v", polNamespace, polName, vsNamespace, vsName)
p.LimitReqs = append(p.LimitReqs, generateLimitReq(rlZoneName, rateLimit))
p.LimitReqZones = append(p.LimitReqZones, generateLimitReqZone(rlZoneName, rateLimit, podReplicas))
if len(p.LimitReqs) == 1 {
p.LimitReqOptions = generateLimitReqOptions(rateLimit)
p.RateLimit.Reqs = append(p.RateLimit.Reqs, generateLimitReq(rlZoneName, rateLimit))
p.RateLimit.Zones = append(p.RateLimit.Zones, generateLimitReqZone(rlZoneName, rateLimit, podReplicas))
if len(p.RateLimit.Reqs) == 1 {
p.RateLimit.Options = generateLimitReqOptions(rateLimit)
} else {
curOptions := generateLimitReqOptions(rateLimit)
if curOptions.DryRun != p.LimitReqOptions.DryRun {
res.addWarningf("RateLimit policy %s with limit request option dryRun='%v' is overridden to dryRun='%v' by the first policy reference in this context", polKey, curOptions.DryRun, p.LimitReqOptions.DryRun)
if curOptions.DryRun != p.RateLimit.Options.DryRun {
res.addWarningf("RateLimit policy %s with limit request option dryRun='%v' is overridden to dryRun='%v' by the first policy reference in this context", polKey, curOptions.DryRun, p.RateLimit.Options.DryRun)
}
if curOptions.LogLevel != p.LimitReqOptions.LogLevel {
res.addWarningf("RateLimit policy %s with limit request option logLevel='%v' is overridden to logLevel='%v' by the first policy reference in this context", polKey, curOptions.LogLevel, p.LimitReqOptions.LogLevel)
if curOptions.LogLevel != p.RateLimit.Options.LogLevel {
res.addWarningf("RateLimit policy %s with limit request option logLevel='%v' is overridden to logLevel='%v' by the first policy reference in this context", polKey, curOptions.LogLevel, p.RateLimit.Options.LogLevel)
}
if curOptions.RejectCode != p.LimitReqOptions.RejectCode {
res.addWarningf("RateLimit policy %s with limit request option rejectCode='%v' is overridden to rejectCode='%v' by the first policy reference in this context", polKey, curOptions.RejectCode, p.LimitReqOptions.RejectCode)
if curOptions.RejectCode != p.RateLimit.Options.RejectCode {
res.addWarningf("RateLimit policy %s with limit request option rejectCode='%v' is overridden to rejectCode='%v' by the first policy reference in this context", polKey, curOptions.RejectCode, p.RateLimit.Options.RejectCode)
}
}
return res
Expand Down Expand Up @@ -1655,8 +1660,8 @@ func removeDuplicateLimitReqZones(rlz []version2.LimitReqZone) []version2.LimitR
func addPoliciesCfgToLocation(cfg policiesCfg, location *version2.Location) {
location.Allow = cfg.Allow
location.Deny = cfg.Deny
location.LimitReqOptions = cfg.LimitReqOptions
location.LimitReqs = cfg.LimitReqs
location.LimitReqOptions = cfg.RateLimit.Options
location.LimitReqs = cfg.RateLimit.Reqs
location.JWTAuth = cfg.JWTAuth
location.BasicAuth = cfg.BasicAuth
location.EgressMTLS = cfg.EgressMTLS
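Review bot: The doc comment on the new `RateLimit` type leaves out the one rule a reader needs, which `addRateLimitConfig` enforces further down: `Reqs` and `Zones` grow with every policy, but `Options` is set only when `len(p.RateLimit.Reqs) == 1`, so the first policy reference decides dryRun, logLevel and rejectCode for the whole context. That matters for enforcement, since a first policy with dryRun set appears to leave later policies in the same context in dry-run as well, with only a warning to show for it. I would write the comment as `// RateLimit holds the rate limiting configuration of one context. Reqs and Zones accumulate per policy; Options is taken from the first policy reference only.` The type is also exported while `policiesCfg`, its only visible user, is not; if nothing outside the package needs it, an unexported name would keep the package API unchanged.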
153 changes: 81 additions & 72 deletions internal/configs/virtualserver_test.go
Expand Up @@ -6587,21 +6587,23 @@ func TestGeneratePolicies(t *testing.T) {
},
},
expected: policiesCfg{
LimitReqZones: []version2.LimitReqZone{
{
Key: "test",
ZoneSize: "10M",
Rate: "10r/s",
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
RateLimit: RateLimit{
Reqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
},
},
},
LimitReqOptions: version2.LimitReqOptions{
LogLevel: "notice",
RejectCode: 503,
},
LimitReqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
Zones: []version2.LimitReqZone{
{
Key: "test",
ZoneSize: "10M",
Rate: "10r/s",
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
},
},
Options: version2.LimitReqOptions{
LogLevel: "notice",
RejectCode: 503,
},
},
},
Expand Down Expand Up @@ -6639,30 +6641,32 @@ func TestGeneratePolicies(t *testing.T) {
},
},
expected: policiesCfg{
LimitReqZones: []version2.LimitReqZone{
{
Key: "test",
ZoneSize: "10M",
Rate: "10r/s",
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
},
{
Key: "test2",
ZoneSize: "20M",
Rate: "20r/s",
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
RateLimit: RateLimit{
Zones: []version2.LimitReqZone{
{
Key: "test",
ZoneSize: "10M",
Rate: "10r/s",
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
},
{
Key: "test2",
ZoneSize: "20M",
Rate: "20r/s",
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
},
},
},
LimitReqOptions: version2.LimitReqOptions{
LogLevel: "error",
RejectCode: 503,
},
LimitReqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
Options: version2.LimitReqOptions{
LogLevel: "error",
RejectCode: 503,
},
{
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
Reqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
},
{
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
},
},
},
},
Expand All @@ -6689,26 +6693,29 @@ func TestGeneratePolicies(t *testing.T) {
},
},
expected: policiesCfg{
LimitReqZones: []version2.LimitReqZone{
{
Key: "test",
ZoneSize: "10M",
Rate: "5r/s",
ZoneName: "pol_rl_default_rateLimitScale-policy_default_test",
RateLimit: RateLimit{
Zones: []version2.LimitReqZone{
{
Key: "test",
ZoneSize: "10M",
Rate: "5r/s",
ZoneName: "pol_rl_default_rateLimitScale-policy_default_test",
},
},
},
LimitReqOptions: version2.LimitReqOptions{
LogLevel: "notice",
RejectCode: 503,
},
LimitReqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimitScale-policy_default_test",
Options: version2.LimitReqOptions{
LogLevel: "notice",
RejectCode: 503,
},
Reqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimitScale-policy_default_test",
},
},
},
},
msg: "rate limit reference with scale",
},

{
policyRefs: []conf_v1.PolicyReference{
{
Expand Down Expand Up @@ -7397,30 +7404,32 @@ func TestGeneratePoliciesFails(t *testing.T) {
},
policyOpts: policyOptions{},
expected: policiesCfg{
LimitReqZones: []version2.LimitReqZone{
{
Key: "test",
ZoneSize: "10M",
Rate: "10r/s",
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
},
{
Key: "test2",
ZoneSize: "20M",
Rate: "20r/s",
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
RateLimit: RateLimit{
Zones: []version2.LimitReqZone{
{
Key: "test",
ZoneSize: "10M",
Rate: "10r/s",
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
},
{
Key: "test2",
ZoneSize: "20M",
Rate: "20r/s",
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
},
},
},
LimitReqOptions: version2.LimitReqOptions{
LogLevel: "error",
RejectCode: 503,
},
LimitReqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
Options: version2.LimitReqOptions{
LogLevel: "error",
RejectCode: 503,
},
{
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
Reqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
},
{
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
},
},
},
},
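Review bot: The rewritten `expected` literals do not list the `RateLimit` fields in a consistent order: the first case in `TestGeneratePolicies` gives `Reqs`, `Zones`, `Options`, matching the struct declaration, while the later cases and the one in `TestGeneratePoliciesFails` give `Zones`, `Options`, `Reqs`. Using the declaration order in every case would make the fixtures easier to compare side by side. The page prints old and new lines without markers, so this reading of the new side is inferred from the `RateLimit: RateLimit{` openers; both test functions start and end outside the hunks shown.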
