-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix override RLPs on multiple gateway parents #659
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #659 +/- ##
==========================================
+ Coverage 80.20% 82.81% +2.60%
==========================================
Files 64 73 +9
Lines 4492 5737 +1245
==========================================
+ Hits 3603 4751 +1148
- Misses 600 652 +52
- Partials 289 334 +45
Flags with carried forward coverage won't be shown. Click here to find out more.
|
ad90f28
to
7b1f99c
Compare
@@ -61,7 +62,7 @@ type RateLimitingWASMPluginReconciler struct { | |||
// For more details, check Reconcile and its Result here: | |||
// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.10.0/pkg/reconcile | |||
func (r *RateLimitingWASMPluginReconciler) Reconcile(eventCtx context.Context, req ctrl.Request) (ctrl.Result, error) { | |||
logger := r.Logger().WithValues("Gateway", req.NamespacedName) | |||
logger := r.Logger().WithValues("Gateway", req.NamespacedName, "request id", uuid.NewString()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I found that debugging reconciliation calls can be a PITA, so I'm slowly adding these to the functions.
a8af148
to
23b1dcb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Verified, working as expected 🏅 Changes looks good to me 👍
…dden for one gateway but not for all gateways
…vour of duplicate limit definitions for each independent domain/namespace
23b1dcb
to
34a2e47
Compare
* Fix override RLPs on multiple gateway parents * fix: all rlps should go to the limits config - maybe there are overridden for one gateway but not for all gateways * rollback simplified wasm config based on fallback to overrides, in favour of duplicate limit definitions for each independent domain/namespace * fix: RLP Enforced condition with multiple gateway parents * go mod tidy
Before:
We are currently wrongly generating the wasm configs for cases of multiple gateway parents linked to routes, having override RateLimitPolicies targeting the gateways and an overridden route policy.
The overridden policy config ends up in the WasmPlugin and in the Limitador CR with mismatching
domain/namespace
, causing the override policy to never be enforced – in spite of the status reporting otherwise.After:
This PR simplifies the configuration of overridden RateLimitPolicies.
A route RateLimitPolicy overridden at a particular gateway will no longer be added to the gateway's WasmPlugin config; rather, the override gateway policy will, with its
domain
value kept unchanged, as if all routes under the gateway were not targeted by policies.In the Limitador CR, all RateLimitPolicies (override and overridden) will be added, even when some never get triggered (due to been overridden.)
Verification
Setup
Send requests
Repeat the following requests as many times as needed after each state transition between creating and updating policies:
curl --resolve api.external:80:172.18.0.10 "http://api.external/cars"
curl --resolve api.internal:80:172.18.0.11 "http://api.internal/cars"
curl --resolve www.external:80:172.18.0.10 "http://www.external/cars"
curl --resolve www.internal:80:172.18.0.11 "http://www.internal/cars"
What to look at in the responses:
authpolicy
is injected containing the name of the policy that was enforced*.external
and*.internal
traffic*.internal
traffic; toystore api specific policy (1rp10s) must be enforced atapi.external
traffic, while external gateway override (3rp10s) continues to be enforced at the rest of*.external
(i.e.www.external
)Create policies
Change a gateway policy from
overrides
→defaults