-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Config revamp #110
Config revamp #110
Conversation
Signed-off-by: Guilherme Cassolato <[email protected]>
Signed-off-by: Guilherme Cassolato <[email protected]>
Signed-off-by: Guilherme Cassolato <[email protected]>
Signed-off-by: Guilherme Cassolato <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good
Verification steps working |
Latest commit removes |
I'm still writing tests for conditional actions, and realise that we need a coordinated merge of this so potentially this should be reviewed/merged to a feature branch |
From What if there are many, which one has preference? |
I'm not tied to this change, and I can drop the commit. But I was working toward what we agreed in #108 where the data required to build the message was defined in the - routeRuleConditions:
hostnames:
- "*.foo.com"
- "users.bar.com"
matches:
- request.method == "GET"
- request.path.startsWith('/bar')
actions:
- conditions:
- "!['127.0.0.1', '192.168.1.1'].contains(source.ip)"
action:
service: limitador
data:
ip: source.ip
magic_RL_name: "'1'"
- conditions: []
action:
service: authorino
data:
authCfg: "'someIdentifier'" |
e093991
to
841520d
Compare
I've dropped that commit fwiw. I tend to agree that right now the purpose of the data and |
I agree with @eguzki. I don't like this change. Whether as The way it was before, we could technically have an action without any data, which makes sense to me since we have default data that comes from the type of action ( Anyway, I honestly liked more how it was before. Thanks for ditching the commit! |
Thanks both for the constructive feedback, will continue on tests for conditional actions |
Signed-off-by: Guilherme Cassolato <[email protected]>
Signed-off-by: Guilherme Cassolato <[email protected]>
Signed-off-by: Guilherme Cassolato <[email protected]>
Signed-off-by: Adam Cattermole <[email protected]>
Rename conditions to matches - hoist all_of Signed-off-by: Adam Cattermole <[email protected]>
Signed-off-by: Adam Cattermole <[email protected]>
Signed-off-by: Adam Cattermole <[email protected]>
Signed-off-by: Adam Cattermole <[email protected]>
Signed-off-by: Adam Cattermole <[email protected]>
Signed-off-by: Adam Cattermole <[email protected]>
Signed-off-by: Adam Cattermole <[email protected]>
2e97e38
to
a392f7d
Compare
Signed-off-by: Guilherme Cassolato <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
💪🏼
Signed-off-by: Guilherme Cassolato <[email protected]>
Signed-off-by: Guilherme Cassolato <[email protected]>
Signed-off-by: Guilherme Cassolato <[email protected]>
* sotw: effective ratelimitpolicy - ratelimit workflow - ratelimitopolicies validator - effective ratelimitpolicies reconciler - limitador limits reconciler - ratelimitpolicy status updater (accepted condition) Signed-off-by: Guilherme Cassolato <[email protected]> * removed unused function to apply rlp overrides Signed-off-by: Guilherme Cassolato <[email protected]> * istio extension (WasmPlugin) reconciler Signed-off-by: Guilherme Cassolato <[email protected]> * fixup: unique limit definitions per scope Signed-off-by: Guilherme Cassolato <[email protected]> * fixup: log error only when indeed there's an error to be logged Signed-off-by: Guilherme Cassolato <[email protected]> * do not fail when missing kuadrant object Signed-off-by: Guilherme Cassolato <[email protected]> * fixup: equality between wasmplugins and avoid rebuilding wasm config from struct when nil Signed-off-by: Guilherme Cassolato <[email protected]> * fixup: error comparison Signed-off-by: Guilherme Cassolato <[email protected]> * cleanup istio extension objects when it cannot calculate effective policies Signed-off-by: Guilherme Cassolato <[email protected]> * refactor: removal of SortablePolicy for sorting policies objects by creation timestamp Signed-off-by: Guilherme Cassolato <[email protected]> * remove no longer relevant integration test case Signed-off-by: Guilherme Cassolato <[email protected]> * fixup: avoid updating invalid rate limit policies to 'accepted' on events that do not (re)validate policies Signed-off-by: Guilherme Cassolato <[email protected]> * fixup: continue istio extension workflow when it fails for a given gateway Signed-off-by: Guilherme Cassolato <[email protected]> * Remove unnused event recorder from base reconciler Signed-off-by: Guilherme Cassolato <[email protected]> * Istio rate limit cluster reconciler Signed-off-by: Guilherme Cassolato <[email protected]> * enable Istio-related rate limit tasks only when Istio is installed Signed-off-by: Guilherme Cassolato <[email protected]> * ensure at least one hostname per wasm config policy Signed-off-by: Guilherme Cassolato <[email protected]> * bump istio to 1.22 Signed-off-by: Guilherme Cassolato <[email protected]> * Use targetRefs to attach to gateways in the Istio EnvoyFilter and WasmPlugin resources Signed-off-by: Guilherme Cassolato <[email protected]> * refactor: debug log messages for when Limitador, EnvoyFilter and WasmPlugins are up to date already and therefore nothing to be done Signed-off-by: Guilherme Cassolato <[email protected]> * sort wasm 'policies' within the wasm plugin config by hostname from most specific to least specific Signed-off-by: Guilherme Cassolato <[email protected]> * go fmt: refactor: debug log messages for when Limitador, EnvoyFilter and WasmPlugin Signed-off-by: Guilherme Cassolato <[email protected]> * sort wasm 'policies' within the wasm plugin config by hostname and http route match from most specific to least specific Signed-off-by: Guilherme Cassolato <[email protected]> * code style: remove unused parameter ctx Signed-off-by: Guilherme Cassolato <[email protected]> * fix: unit test: sort wasm 'policies' within the wasm plugin config by hostname and http route match Signed-off-by: Guilherme Cassolato <[email protected]> * Refactor WasmPlugin reconciliation to reduce repetition with EnvoyExtensionPolicy and ease the merge of auth * Separate the code for building Wasm Configs from any logic specific to the Istio WasmPlugin resource * Move all generic Wasm-related code either upwards to a common file of the workflow tasks (in the `controllers` package) into new package `pkg/wasm` (replacing `pkg/rlptools/wasm`) * Logic related to RL reconciliation → controllers/ratelimit_workflow.go * Logic related to Wasm Config types → pkg/wasm * Rename `rlptools` package as `ratelimit` – only Limitador RateLimit index types remaining there Signed-off-by: Guilherme Cassolato <[email protected]> * envoy gateway rate limit cluster reconciler Signed-off-by: Guilherme Cassolato <[email protected]> * fix: wrong default GroupKind assumed on Istio policies TargetRefs Signed-off-by: Guilherme Cassolato <[email protected]> * minor fixes to code comments and log messages Signed-off-by: Guilherme Cassolato <[email protected]> * envoy gateway extension reconciler Signed-off-by: Guilherme Cassolato <[email protected]> * code style: ratelimit.RateLimitIndex -> Index Signed-off-by: Guilherme Cassolato <[email protected]> * code style: wasm.WasmExtensionName -> ExtensionName Signed-off-by: Guilherme Cassolato <[email protected]> * code style: wasm.WasmRuleBuilderFunc -> RuleBuilderFunc Signed-off-by: Guilherme Cassolato <[email protected]> * code style: fix grouping of go imports Signed-off-by: Guilherme Cassolato <[email protected]> * new structure of the wasm config based on Kuadrant/wasm-shim#110 Signed-off-by: Guilherme Cassolato <[email protected]> * fix: envoy_gateway_extension_reconciler.go file name Signed-off-by: Guilherme Cassolato <[email protected]> * fix: log messages of envoy patch policy reconciliation Signed-off-by: Guilherme Cassolato <[email protected]> * rlp enforced condition and consistency in the message when target not found Signed-off-by: Guilherme Cassolato <[email protected]> * tests: gateway extension reconciler tests resource comparison Signed-off-by: Guilherme Cassolato <[email protected]> * more descriptive wasm actionset names Signed-off-by: Guilherme Cassolato <[email protected]> * tests: fix integration tests - order of wasm action sets Signed-off-by: Guilherme Cassolato <[email protected]> * fixup: should not increment twice on the index of http route match when building the wasm action set name Signed-off-by: Guilherme Cassolato <[email protected]> * tests: fix integration tests - order of wasm action sets (again!) Signed-off-by: Guilherme Cassolato <[email protected]> * back to opaque wasm action set names Signed-off-by: Guilherme Cassolato <[email protected]> * remove duplicate GetKuadrantFromTopology func Signed-off-by: Guilherme Cassolato <[email protected]> * do not isolate policy-machinery imports in a separate group Signed-off-by: Guilherme Cassolato <[email protected]> * helper function to extract network objects in a request path Signed-off-by: Guilherme Cassolato <[email protected]> * set owner reference directly when building the desired objects Signed-off-by: Guilherme Cassolato <[email protected]> * only validate policies on create and update events Signed-off-by: Guilherme Cassolato <[email protected]> * update policy status on all kinds of policy-releated event (deleting a policy may also affect the state of the resources status depends on) Signed-off-by: Guilherme Cassolato <[email protected]> * use labels on the internal resources created to watch and select them from topology Signed-off-by: Guilherme Cassolato <[email protected]> * policy not enforced due to 'not in the path to any existing routes' (formerly reported as 'no free routes to enforce policy') Signed-off-by: Guilherme Cassolato <[email protected]> * tests: fix integration tests - Istio EnvoyFilter only created if RLP is in the path to a route Signed-off-by: Guilherme Cassolato <[email protected]> * lint: removed unnused func arg in the tests Signed-off-by: Guilherme Cassolato <[email protected]> * tests: fix integration tests - Istio WasmPlugin config with correct limit IDs and scopes Signed-off-by: Guilherme Cassolato <[email protected]> * check state of the targeted resources to define the policy's enforced status condition Signed-off-by: Guilherme Cassolato <[email protected]> * re-enable RateLimitPolicy discoverability (PolicyAffected status condition) Signed-off-by: Guilherme Cassolato <[email protected]> * tests: fix integration tests - common ratelimit workflow tests Signed-off-by: Guilherme Cassolato <[email protected]> * refactor: common.NamespacedNameFromLocator func Signed-off-by: Guilherme Cassolato <[email protected]> * hack to isolate test namespaces sharing the same limitador cr Signed-off-by: Guilherme Cassolato <[email protected]> --------- Signed-off-by: Guilherme Cassolato <[email protected]>
Changes
This is moving towards a configuration based on the suggestion in #108.
Currently this is looking as follows:
I've separated all of the changes by commit to try make it easier to read the changes.
The primary change to non-config types is that we now have
actions.conditions
so we can conditionally perform an action - example provided in the envoy configuration that only calls the rate limiting service whenuser_id == 'alice'
:Port-forward envoy and watch the logs for all services:
Test unauthenticated does not get rate limited:
Bob is not rate limited (note no calls to limitador in logs):
Alice has 5 requests per 10 seconds:
Outstanding
scope
fromaction.data
(won't do)For a future PR:
routeRuleConditions.matches
andaction.conditions
fromPatternExpression
to CEL