From 41066fb17ee1743ba79db3ab297aea8faa64be4d Mon Sep 17 00:00:00 2001 From: Docs Deploy Date: Tue, 12 Nov 2024 11:47:12 +0000 Subject: [PATCH] Deployed 5756cdc to dev with MkDocs 1.5.3 and mike 2.1.0 --- .../docs/api-conventions/index.html | 3499 +++++++++++++++++ ...olicy.yaml => kuadrant_v1_authpolicy.yaml} | 10 +- ...policy.yaml => kuadrant_v1_dnspolicy.yaml} | 5 +- ....yaml => kuadrant_v1_ratelimitpolicy.yaml} | 7 +- ...policy.yaml => kuadrant_v1_tlspolicy.yaml} | 2 +- .../config/samples/kustomization.yaml | 8 +- dev/kuadrant-operator/doc/auth/index.html | 6 +- .../doc/development/index.html | 5 +- dev/kuadrant-operator/doc/dns/index.html | 70 +- .../doc/dnshealthchecks/index.html | 2 +- .../doc/install/install-openshift/index.html | 8 +- .../rlp-target-gateway-resource/index.html | 2 +- .../doc/rate-limiting/index.html | 301 +- .../doc/reference/authpolicy/index.html | 4 +- .../doc/reference/dnspolicy/index.html | 2 +- .../doc/reference/ratelimitpolicy/index.html | 151 +- dev/kuadrant-operator/doc/tls/index.html | 2 +- .../index.html | 6 +- .../index.html | 32 +- .../index.html | 15 +- .../index.html | 2 +- .../doc/user-guides/gateway-dns/index.html | 2 +- .../index.html | 7 +- .../doc/user-guides/gateway-tls/index.html | 2 +- .../index.html | 13 +- .../secure-protect-connect/index.html | 55 +- .../simple-rl-for-app-developers/index.html | 13 +- .../dnspolicy/dnspolicy-bad-strategy.yaml | 2 +- .../dnspolicy/dnspolicy-exclude-address.yaml | 2 +- .../dnspolicy/dnspolicy-healthchecks.yaml | 2 +- .../examples/dnspolicy/dnspolicy.yaml | 2 +- .../examples/toystore/authpolicy.yaml | 6 +- .../toystore/authpolicy_jwt-k8s-authnz.yaml | 2 +- .../toystore/ratelimitpolicy_gateway.yaml | 16 +- .../toystore/ratelimitpolicy_httproute.yaml | 50 +- dev/kuadrant-operator/index.html | 4 +- dev/search/search_index.json | 2 +- dev/sitemap.xml | 253 +- dev/sitemap.xml.gz | Bin 1554 -> 1565 bytes 39 files changed, 3961 insertions(+), 611 deletions(-) create mode 100644 dev/architecture/docs/api-conventions/index.html rename dev/kuadrant-operator/config/samples/{kuadrant_v1beta3_authpolicy.yaml => kuadrant_v1_authpolicy.yaml} (61%) rename dev/kuadrant-operator/config/samples/{kuadrant_v1alpha1_dnspolicy.yaml => kuadrant_v1_dnspolicy.yaml} (73%) rename dev/kuadrant-operator/config/samples/{kuadrant_v1beta3_ratelimitpolicy.yaml => kuadrant_v1_ratelimitpolicy.yaml} (66%) rename dev/kuadrant-operator/config/samples/{kuadrant_v1alpha1_tlspolicy.yaml => kuadrant_v1_tlspolicy.yaml} (88%) diff --git a/dev/architecture/docs/api-conventions/index.html b/dev/architecture/docs/api-conventions/index.html new file mode 100644 index 000000000..a44ceeb46 --- /dev/null +++ b/dev/architecture/docs/api-conventions/index.html @@ -0,0 +1,3499 @@ + + + + + + + + + + + + + + + + + + + + + Kuadrant API Conventions - Kuadrant Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + + + + + + +

Kuadrant API Conventions

+

This document outlines a none exhaustive set of conventions that should be used when defining Kuadrant APIs. It is initially focused around the concept of a policy API as these make up the bulk of our public facing APIs. It is expected that this set of conventions will grow as needed overtime.

+

General rule of thumb

+

If in doubt, first check if a similar API or field exists in the Gateway API spec and re-use that definition to specify what you need in your API. If you need to differ, ensure you explain why in any RFC or PR.

+

Below are some common examples of these fields and specifications:

+

Policy Attachment APIs

+

Policy APIs must follow the specification laid out by the Gateway API policy attachment designs. First step is to understand if you are going to design or are working on a direct or inherited policy. The linked docs will help with this but if unsure reach out on github or slack.

+

Within the linked docs are set of requirements for each type of policy:

+

Direct Policy Requirements

+

Inherited Policy Requirements

+

Existing direct policy API

+

Existing inherited policy API

+

Beyond the set of requirement outlined in these specifications, Kuadrant has an additional set of conventions that are used in order to try and ensure our APIs remain consistent and familiar for users of the Gateway API. Most if not all of these come directly from looking at Gateway API.

+

API Fields and Types

+

Durations

+

A duration is a field expressing something that configures behaviour that should happen according to a specified duration of time. Examples of this include but are not limited to:

+
    +
  • RateLimit counter expiry
    • +
  • HealthCheck interval (how often to do the check)
    • +
+

Any API field that expresses this type of time bound behaviour should use a type of time.Duration allowing the duration to be specified in a single field and must match ^([0-9]{1,5}(h|m|s|ms)){1,4}$:

+

Examples:

+

20ms,20s,20m,20h

+

more detail and information

+

field names for this type of configuration are left up to the designer of the API as they are often specific to the task at hand: IE with a health check it is called an interval within a limit it is called a duration for the timeout filter in HTTPRoute it is called request and backendRequest

+

hostname | hostnames

+

When asking for a hostname the field in the API should be named hostname rather than other options such as host, domain etc. The type used for this should be a string or an alias to a string. The plural of this for an array should be hostnames. This also aligns with how the Gateway API specifies these fields. where possible re-use the Gateway API types:

+

HostnameType:

+

Gateway Listener host

+

HTTPRoute hostnames

+

protocol

+

If there is a need to specify a protocol in the API the field for asking for this should be named: protocol and should accept a string or an alias to a string where possible use ProtocolType provided by Gateway API

+

port

+

If there is a need to specify a port in the API, the field should be named port and should accept an int32 with a min of 1 and a max of 65535. Where possible use PortNumberType provided by Gateway API

+

status

+

For more information on status please refer to

+

Policy Status

+ + + + + + + + + + + + + +
+
+ + + +
+ +
+ +
+
+

Copyright The Kuadrant Contributors.

+

The Linux Foundation® (TLF) has registered trademarks and uses trademarks.

+

For a list of TLF trademarks, see Trademark Usage

+
+ + +
+ +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/dev/kuadrant-operator/config/samples/kuadrant_v1beta3_authpolicy.yaml b/dev/kuadrant-operator/config/samples/kuadrant_v1_authpolicy.yaml similarity index 61% rename from dev/kuadrant-operator/config/samples/kuadrant_v1beta3_authpolicy.yaml rename to dev/kuadrant-operator/config/samples/kuadrant_v1_authpolicy.yaml index ad9706f54..483113058 100644 --- a/dev/kuadrant-operator/config/samples/kuadrant_v1beta3_authpolicy.yaml +++ b/dev/kuadrant-operator/config/samples/kuadrant_v1_authpolicy.yaml @@ -1,8 +1,8 @@ --- -apiVersion: kuadrant.io/v1beta3 +apiVersion: kuadrant.io/v1 kind: AuthPolicy metadata: - name: toystore + name: authpolicy-sample spec: targetRef: group: gateway.networking.k8s.io @@ -13,6 +13,6 @@ spec: "apikey": apiKey: selector: {} - credentials: - authorizationHeader: - prefix: APIKEY + credentials: + authorizationHeader: + prefix: APIKEY diff --git a/dev/kuadrant-operator/config/samples/kuadrant_v1alpha1_dnspolicy.yaml b/dev/kuadrant-operator/config/samples/kuadrant_v1_dnspolicy.yaml similarity index 73% rename from dev/kuadrant-operator/config/samples/kuadrant_v1alpha1_dnspolicy.yaml rename to dev/kuadrant-operator/config/samples/kuadrant_v1_dnspolicy.yaml index 10dc274ce..0f669a71d 100644 --- a/dev/kuadrant-operator/config/samples/kuadrant_v1alpha1_dnspolicy.yaml +++ b/dev/kuadrant-operator/config/samples/kuadrant_v1_dnspolicy.yaml @@ -1,5 +1,5 @@ --- -apiVersion: kuadrant.io/v1alpha1 +apiVersion: kuadrant.io/v1 kind: DNSPolicy metadata: name: dnspolicy-sample @@ -9,5 +9,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway healthCheck: - endpoint: / protocol: HTTP + providerRefs: + - name: "provider-ref" diff --git a/dev/kuadrant-operator/config/samples/kuadrant_v1beta3_ratelimitpolicy.yaml b/dev/kuadrant-operator/config/samples/kuadrant_v1_ratelimitpolicy.yaml similarity index 66% rename from dev/kuadrant-operator/config/samples/kuadrant_v1beta3_ratelimitpolicy.yaml rename to dev/kuadrant-operator/config/samples/kuadrant_v1_ratelimitpolicy.yaml index a6ec4819f..f5f6e3825 100644 --- a/dev/kuadrant-operator/config/samples/kuadrant_v1beta3_ratelimitpolicy.yaml +++ b/dev/kuadrant-operator/config/samples/kuadrant_v1_ratelimitpolicy.yaml @@ -1,8 +1,8 @@ --- -apiVersion: kuadrant.io/v1beta3 +apiVersion: kuadrant.io/v1 kind: RateLimitPolicy metadata: - name: toystore + name: ratelimitpolicy-sample spec: targetRef: group: gateway.networking.k8s.io @@ -12,5 +12,4 @@ spec: toys: rates: - limit: 50 - duration: 1 - unit: minute + window: 1m diff --git a/dev/kuadrant-operator/config/samples/kuadrant_v1alpha1_tlspolicy.yaml b/dev/kuadrant-operator/config/samples/kuadrant_v1_tlspolicy.yaml similarity index 88% rename from dev/kuadrant-operator/config/samples/kuadrant_v1alpha1_tlspolicy.yaml rename to dev/kuadrant-operator/config/samples/kuadrant_v1_tlspolicy.yaml index 89dc838d0..038327f0a 100644 --- a/dev/kuadrant-operator/config/samples/kuadrant_v1alpha1_tlspolicy.yaml +++ b/dev/kuadrant-operator/config/samples/kuadrant_v1_tlspolicy.yaml @@ -1,5 +1,5 @@ --- -apiVersion: kuadrant.io/v1alpha1 +apiVersion: kuadrant.io/v1 kind: TLSPolicy metadata: name: tlspolicy-sample diff --git a/dev/kuadrant-operator/config/samples/kustomization.yaml b/dev/kuadrant-operator/config/samples/kustomization.yaml index 55db30b81..2670b77de 100644 --- a/dev/kuadrant-operator/config/samples/kustomization.yaml +++ b/dev/kuadrant-operator/config/samples/kustomization.yaml @@ -1,8 +1,8 @@ ## Append samples you want in your CSV to this file as resources ## resources: - kuadrant_v1beta1_kuadrant.yaml -- kuadrant_v1beta3_authpolicy.yaml -- kuadrant_v1beta3_ratelimitpolicy.yaml -- kuadrant_v1alpha1_dnspolicy.yaml -- kuadrant_v1alpha1_tlspolicy.yaml +- kuadrant_v1_authpolicy.yaml +- kuadrant_v1_ratelimitpolicy.yaml +- kuadrant_v1_dnspolicy.yaml +- kuadrant_v1_tlspolicy.yaml #+kubebuilder:scaffold:manifestskustomizesamples diff --git a/dev/kuadrant-operator/doc/auth/index.html b/dev/kuadrant-operator/doc/auth/index.html index 4d4e709af..65dbbe556 100644 --- a/dev/kuadrant-operator/doc/auth/index.html +++ b/dev/kuadrant-operator/doc/auth/index.html @@ -3831,7 +3831,7 @@

OverviewHigh-level example and field definition

-
apiVersion: kuadrant.io/v1beta3
+
apiVersion: kuadrant.io/v1
 kind: AuthPolicy
 metadata:
   name: my-auth-policy
@@ -3957,7 +3957,7 @@ 
Targeting a HTTPRoute network
 
When an AuthPolicy targets a HTTPRoute, the policy is enforced to all traffic routed according to the rules and hostnames specified in the HTTPRoute, across all Gateways referenced in the spec.parentRefs field of the HTTPRoute.

 
The targeted HTTPRoute's rules and/or hostnames to which the policy must be enforced can be filtered to specific subsets.

 
Target a HTTPRoute by setting the spec.targetRef field of the AuthPolicy as follows:

-
apiVersion: kuadrant.io/v1beta3
+
apiVersion: kuadrant.io/v1
 kind: AuthPolicy
 metadata:
   name: my-route-auth
@@ -4006,7 +4006,7 @@ 
Targeting a Gateway networking
 
Defaults provide cluster operators with the ability to protect the infrastructure against unplanned and malicious network traffic attempt, such as by setting preemptive "deny-all" policies on hostnames and hostname wildcards.

 
Inversely, a gateway policy that specify overrides declares a set of rules to be enforced on all routes attached to the gateway, thus atomically replacing any more specific policy occasionally attached to any of those routes.

 
Target a Gateway HTTPRoute by setting the spec.targetRef field of the AuthPolicy as follows:

-
apiVersion: kuadrant.io/v1beta3
+
apiVersion: kuadrant.io/v1
 kind: AuthPolicy
 metadata:
   name: my-gw-auth
diff --git a/dev/kuadrant-operator/doc/development/index.html b/dev/kuadrant-operator/doc/development/index.html
index 9ad84904e..c558cc4bd 100644
--- a/dev/kuadrant-operator/doc/development/index.html
+++ b/dev/kuadrant-operator/doc/development/index.html
@@ -3903,8 +3903,9 @@ 
Build kuadrant operator bundle ima
             [AUTHORINO_OPERATOR_BUNDLE_IMG=quay.io/kuadrant/authorino-operator-bundle:latest] \
             [DNS_OPERATOR_BUNDLE_IMG=quay.io/kuadrant/dns-operator-bundle:latest] \
             [RELATED_IMAGE_WASMSHIM=oci://quay.io/kuadrant/wasm-shim:latest] \
-            [CHANNELS=alpha] \
-            [DEFAULT_CHANNEL=alpha]
+            [RELATED_IMAGE_CONSOLEPLUGIN=quay.io/kuadrant/console-plugin:latest] \
+            [CHANNELS=alpha] \
+            [DEFAULT_CHANNEL=alpha]
 

 
    
 
  • Build the bundle image from the manifests
    • 
diff --git a/dev/kuadrant-operator/doc/dns/index.html b/dev/kuadrant-operator/doc/dns/index.html
index ca1c97f08..903df45ce 100644
--- a/dev/kuadrant-operator/doc/dns/index.html
+++ b/dev/kuadrant-operator/doc/dns/index.html
@@ -3685,7 +3685,7 @@ 
    OverviewHigh-level example and field definition
    
-
    apiVersion: kuadrant.io/v1alpha1
+
    apiVersion: kuadrant.io/v1
 kind: DNSPolicy
 metadata:
   name: my-dns-policy
@@ -3693,40 +3693,42 @@ 
    High-level example and field de
   # reference to an existing networking resource to attach the policy to
   # it can only be a Gateway API Gateway resource
   # it can only refer to objects in the same namespace as the DNSPolicy
-  targetRef:
-    group: gateway.networking.k8s.io
-    kind: Gateway
-    name: mygateway
-
- # reference to an existing secret resource containing provider credentials and configuration
- # it can only refer to Secrets in the same namespace as the DNSPolicy that have the type kuadrant.io/(provider) e.g kuadrant.io/aws
-  providerRefs:
-
-   - name: my-aws-credentials
+  # it can target a specific listener using sectionName 
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: mygateway
+    sectionName: api # (optional) if not set policy applies to all listeners that do not have a policy attached directly
+
+ # reference to an existing secret resource containing provider credentials and configuration
+ # it can only refer to Secrets in the same namespace as the DNSPolicy that have the type kuadrant.io/(provider) e.g kuadrant.io/aws
+  providerRefs:
 
-  # (optional) loadbalancing specification
-  # use it for providing the specification of how dns will be configured in order to provide balancing of load across multiple clusters
-  loadBalancing:
-    # default geo to be applied to records
-    defaultGeo: true
-    # weighted specification
-    weight: 100
-    # 
-    geo: IE
-
-  # (optional) health check specification
-  # health check probes with the following specification will be created for each DNS target
-  healthCheck:
-    allowInsecureCertificates: true
-    endpoint: /
-    expectedResponses:
-
-      - 200
-      - 201
-      - 301
-    failureThreshold: 5
-    port: 443
-    protocol: https
+   - name: my-aws-credentials
+
+  # (optional) loadbalancing specification
+  # use it for providing the specification of how dns will be configured in order to provide balancing of load across multiple clusters
+  loadBalancing:
+    # default geo to be applied to records
+    defaultGeo: true
+    # weighted specification
+    weight: 100
+    # 
+    geo: IE
+
+  # (optional) health check specification
+  # health check probes with the following specification will be created for each DNS target
+  healthCheck:
+    allowInsecureCertificates: true
+    endpoint: /
+    expectedResponses:
+
+      - 200
+      - 201
+      - 301
+    failureThreshold: 5
+    port: 443
+    protocol: https
 
    
 
    Check out the API reference for a full specification of the DNSPolicy CRD.
    
 
    Using the DNSPolicy
    
diff --git a/dev/kuadrant-operator/doc/dnshealthchecks/index.html b/dev/kuadrant-operator/doc/dnshealthchecks/index.html
index 2f734d586..1575fe06b 100644
--- a/dev/kuadrant-operator/doc/dnshealthchecks/index.html
+++ b/dev/kuadrant-operator/doc/dnshealthchecks/index.html
@@ -3449,7 +3449,7 @@ 
    Configuration of Health Checks
    apiVersion: kuadrant.io/v1alpha1
+
    apiVersion: kuadrant.io/v1
 kind: DNSPolicy
 metadata:
   name: prod-web
diff --git a/dev/kuadrant-operator/doc/install/install-openshift/index.html b/dev/kuadrant-operator/doc/install/install-openshift/index.html
index b3272dea4..caee66743 100644
--- a/dev/kuadrant-operator/doc/install/install-openshift/index.html
+++ b/dev/kuadrant-operator/doc/install/install-openshift/index.html
@@ -4019,7 +4019,7 @@ 
    Step 6 -
 The example dashboards and alerts for observing Kuadrant functionality use low-level CPU metrics and network metrics available from the user monitoring stack in OpenShift. They also use resource state metrics from Gateway API and Kuadrant resources.
    
 
    To scrape these additional metrics, you can install a kube-state-metrics instance, with a custom resource configuration as follows:
    
 
    kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/main/config/observability/openshift/kube-state-metrics.yaml
-kubectl apply -k https://github.com/Kuadrant/gateway-api-state-metrics?ref=main
+kubectl apply -k https://github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.5.0
 
    
 
    To enable request metrics in Istio and scrape them, create the following resource:
    
 
    kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/refs/heads/main/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml
@@ -4032,7 +4032,8 @@ 
    Step 6 -
 
    kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/main/config/observability/openshift/telemetry.yaml
 
    
 
    You can configure scraping of metrics from the various Kuadrant operators with the below resources.
    
-
    kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/refs/heads/main/config/observability/prometheus/monitors/operators.yaml
+
    kubectl create ns kuadrant-system
+kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/refs/heads/main/config/observability/prometheus/monitors/operators.yaml
 
    
 
    
 
    Note
    
@@ -4048,7 +4049,8 @@ 
    Step 6 -
 This allows low level Istio & envoy metrics to be joined with Gateway API state metrics.
    
 
    
 
    Step 7 - Setup the catalogsource
    
-
    Before installing the Kuadrant Operator, you must enter the following commands to set up secrets that you will use later:
    
+
    Before installing the Kuadrant Operator, you must enter the following commands to set up secrets that you will use later.
+If you haven't aleady created the kuadrant-system namespace during the optional observability setup, do that first:
    
 
    kubectl create ns kuadrant-system
 
    
 
    Set up a CatalogSource as follows:
    
diff --git a/dev/kuadrant-operator/doc/proposals/rlp-target-gateway-resource/index.html b/dev/kuadrant-operator/doc/proposals/rlp-target-gateway-resource/index.html
index e30216e65..66cfd1c4e 100644
--- a/dev/kuadrant-operator/doc/proposals/rlp-target-gateway-resource/index.html
+++ b/dev/kuadrant-operator/doc/proposals/rlp-target-gateway-resource/index.html
@@ -3554,7 +3554,7 @@ 
    Envoy's Rate Limit Service Protocol<
 return an OVER_LIMIT response if any of them are over limit.
    
 
    Schema (CRD) of the RateLimitPolicy
    
 
    ---
-apiVersion: kuadrant.io/v1beta3
+apiVersion: kuadrant.io/v1
 kind: RateLimitPolicy
 metadata:
   name: my-rate-limit-policy
diff --git a/dev/kuadrant-operator/doc/rate-limiting/index.html b/dev/kuadrant-operator/doc/rate-limiting/index.html
index 0511cac98..2dc9bba1d 100644
--- a/dev/kuadrant-operator/doc/rate-limiting/index.html
+++ b/dev/kuadrant-operator/doc/rate-limiting/index.html
@@ -1012,21 +1012,6 @@
     
   
   
-    
-  
 
         
       

@@ -3740,21 +3725,6 @@
     
   
   
-    
-  
 
         
       
@@ -3834,7 +3804,7 @@ 
OverviewHigh-level example and field definition

-
apiVersion: kuadrant.io/v1beta3
+
apiVersion: kuadrant.io/v1
 kind: RateLimitPolicy
 metadata:
   name: my-rate-limit-policy
@@ -3882,7 +3852,7 @@ 
Using the RateLimitPolicyTargeting a HTTPRoute networking resource

 
When a RateLimitPolicy targets a HTTPRoute, the policy is enforced to all traffic routed according to the rules and hostnames specified in the HTTPRoute, across all Gateways referenced in the spec.parentRefs field of the HTTPRoute.

 
Target a HTTPRoute by setting the spec.targetRef field of the RateLimitPolicy as follows:

-
apiVersion: kuadrant.io/v1beta3
+
apiVersion: kuadrant.io/v1
 kind: RateLimitPolicy
 metadata:
   name: <RateLimitPolicy name>
@@ -3904,7 +3874,7 @@ 
Targeting a Gateway networking
 
Defaults provide cluster operators with the ability to protect the infrastructure against unplanned and malicious network traffic attempt, such as by setting safe default limits on hostnames and hostname wildcards.

 
Inversely, a gateway policy that specify overrides declares a set of rules to be enforced on all routes attached to the gateway, thus atomically replacing any more specific policy occasionally attached to any of those routes.

 
Target a Gateway HTTPRoute by setting the spec.targetRef field of the RateLimitPolicy as follows:

-
apiVersion: kuadrant.io/v1beta3
+
apiVersion: kuadrant.io/v1
 kind: RateLimitPolicy
 metadata:
   name: <RateLimitPolicy name>
@@ -3969,38 +3939,28 @@ 
Limit definition      rates:
 
       - limit: 5000
-        duration: 1
-        unit: second
-
-    "toystore-api-per-username":
-      rates:
-
-      - limit: 100
-        duration: 1
-        unit: second
-      - limit: 1000
-        duration: 1
-        unit: minute
-      counters:
-      - auth.identity.username
-      when:
-      - selector: request.host
-        operator: eq
-        value: "api.toystore.com"
-
-    "toystore-admin-unverified-users":
-      rates:
-
-      - limit: 250
-        duration: 1
-        unit: second
-      when:
-      - selector: request.host
-        operator: eq
-        value: "admin.toystore.com"
-      - selector: auth.identity.email_verified
-        operator: eq
-        value: "false"
+        window: 1s
+
+    "toystore-api-per-username":
+      rates:
+
+      - limit: 100
+        window: 1s
+      - limit: 1000
+        window: 1m
+      counters:
+      - expression: auth.identity.username
+      when:
+      - predicate: request.host == 'api.toystore.com'
+
+    "toystore-admin-unverified-users":
+      rates:
+
+      - limit: 250
+        window: 1s
+      when:
+      - predicate: request.host == 'admin.toystore.com'
+      - predicate: !auth.identity.email_verified
 

 
@@ -4038,77 +3998,9 @@ 
ExamplesKnown limitations
    
-
  • One HTTPRoute can only be targeted by one RateLimitPolicy.
    • 
-
  • One Gateway can only be targeted by one RateLimitPolicy.
    • 
 
  • RateLimitPolicies can only target HTTPRoutes/Gateways defined within the same namespace of the RateLimitPolicy.
    • 
 
  • 2+ RateLimitPolicies cannot target network resources that define/inherit the same exact hostname.
    • 
 

-
Limitation: Multiple network resources with identical hostnames

-
Kuadrant currently does not support multiple RateLimitPolicies simultaneously targeting network resources that declare identical hostnames. This includes multiple HTTPRoutes that specify the same hostnames in the spec.hostnames field, as well as HTTPRoutes that specify a hostname that is identical to a hostname specified in a listener of one of the route's parent gateways or HTTPRoutes that don't specify any hostname at all thus inheriting the hostnames from the parent gateways. In any of these cases, a maximum of one RateLimitPolicy targeting any of those resources that specify identical hostnames is allowed.

-
Moreover, having multiple resources that declare identical hostnames may lead to unexpected behavior and therefore should be avoided.

-
This limitation is rooted at the underlying components configured by Kuadrant for the implementation of its policies and the lack of information in the data plane regarding the exact route that honored by the API gateway in cases of conflicting hostnames.

-
To exemplify one way this limitation can impact deployments, consider the following topology:

-
                 ┌──────────────┐
-                 │   Gateway    │
-                 ├──────────────┤
-          ┌─────►│ listeners:   │◄──────┐
-          │      │ - host: *.io │       │
-          │      └──────────────┘       │
-          │                             │
-          │                             │
-┌─────────┴─────────┐        ┌──────────┴────────┐
-│     HTTPRoute     │        │     HTTPRoute     │
-│     (route-a)     │        │     (route-b)     │
-├───────────────────┤        ├───────────────────┤
-│ hostnames:        │        │ hostnames:        │
-│ - app.io          │        │ - app.io          │
-│ rules:            │        │ rules:            │
-│ - matches:        │        │ - matches:        │
-│   - path:         │        │   - path:         │
-│       value: /foo │        │       value: /bar │
-└───────────────────┘        └───────────────────┘
-          ▲                            ▲
-          │                            │
- ┌────────┴────────┐           ┌───────┴─────────┐
- │ RateLimitPolicy │           │ RateLimitPolicy │
- │   (policy-1)    │           │   (policy-2)    │
- └─────────────────┘           └─────────────────┘
-

-
In the example above, with the policy-1 resource created before policy-2, policy-2 will be enforced on all requests to app.io/bar while policy-1 will not be enforced at all. I.e. app.io/foo will not be rate-limited. Nevertheless, both policies will report status condition as Enforced.

-
Notice the enforcement of policy-2 and no enforcement of policy-1 is the opposite behavior as the analogous problem with the Kuadrant AuthPolicy.

-
A different way the limitation applies is when two or more routes of a gateway declare the exact same hostname and a gateway policy is defined with expectation to set default rules for the cases not covered by more specific policies. E.g.:

-
                                    ┌─────────────────┐
-                         ┌──────────┤ RateLimitPolicy │
-                         │          │    (policy-2)   │
-                         ▼          └─────────────────┘
-                 ┌──────────────┐
-                 │   Gateway    │
-                 ├──────────────┤
-          ┌─────►│ listeners:   │◄──────┐
-          │      │ - host: *.io │       │
-          │      └──────────────┘       │
-          │                             │
-          │                             │
-┌─────────┴─────────┐        ┌──────────┴────────┐
-│     HTTPRoute     │        │     HTTPRoute     │
-│     (route-a)     │        │     (route-b)     │
-├───────────────────┤        ├───────────────────┤
-│ hostnames:        │        │ hostnames:        │
-│ - app.io          │        │ - app.io          │
-│ rules:            │        │ rules:            │
-│ - matches:        │        │ - matches:        │
-│   - path:         │        │   - path:         │
-│       value: /foo │        │       value: /bar │
-└───────────────────┘        └───────────────────┘
-          ▲
-          │
- ┌────────┴────────┐
- │ RateLimitPolicy │
- │   (policy-1)    │
- └─────────────────┘
-

-
Once again, both policies will report status condition as Enforced. However, in this case, only policy-1 will be enforced on requests to app.io/foo, while policy-2 will not be enforced at all. I.e. app.io/bar will not be not rate-limited. This is same behavior as the analogous problem with the Kuadrant AuthPolicy.

-
To avoid these problems, use different hostnames in each route.
Implementation details
Driven by limitations related to how Istio injects configuration in the filter chains of the ingress gateways, Kuadrant relies on Envoy's Wasm Network filter in the data plane, to manage the integration with rate limiting service ("Limitador"), instead of the Rate Limit filter.
Motivation: Multiple rate limit domains

@@ -4127,85 +4019,70 @@ 
Implementation detailsComponents remain compliant with industry protocols and flexible for different integration options.
 
 
A Kuadrant wasm-shim configuration for one RateLimitPolicy custom resources targeting a HTTPRoute looks like the following and it is generated automatically by the Kuadrant control plane:

-
apiVersion: extensions.istio.io/v1alpha1
-kind: WasmPlugin
-metadata:
-  creationTimestamp: "2024-10-01T16:59:40Z"
-  generation: 1
-  name: kuadrant-kuadrant-ingressgateway
-  namespace: gateway-system
-  ownerReferences:
-
-  - apiVersion: gateway.networking.k8s.io/v1
-    blockOwnerDeletion: true
-    controller: true
-    kind: Gateway
-    name: kuadrant-ingressgateway
-    uid: 0298355b-fb30-4442-af2b-88d0c05bd2bd
-  resourceVersion: "11253"
-  uid: 36ef1fb7-9eca-46c7-af63-fe783f40148c
-spec:
-  phase: STATS
-  pluginConfig:
-    extensions:
-      limitador:
-        endpoint: kuadrant-rate-limiting-service
-        failureMode: allow
-        type: ratelimit
-    policies:
-    - hostnames:
-      - '*.toystore.website'
-      - '*.toystore.io'
-      name: gateway-system/app-rlp
-      rules:
-      - actions:
-        - data:
-          - static:
-              key: limit.toystore_assets_all_domains__b61ee8e6
-              value: "1"
-          extension: limitador
-          scope: gateway-system/app-rlp
-        conditions:
-        - allOf:
-          - operator: startswith
-            selector: request.url_path
-            value: /assets
-          - operator: endswith
-            selector: request.host
-            value: .toystore.website
-      - actions:
-        - data:
-          - static:
-              key: limit.toystore_v1_website_unauthenticated__377837ee
-              value: "1"
-          extension: limitador
-          scope: gateway-system/app-rlp
-        conditions:
-        - allOf:
-          - operator: startswith
-            selector: request.url_path
-            value: /v1
-          - operator: endswith
-            selector: request.host
-            value: .toystore.website
-          - operator: eq
-            selector: auth.identity.username
-            value: ""
-        - allOf:
-          - operator: startswith
-            selector: request.url_path
-            value: /assets
-          - operator: endswith
-            selector: request.host
-            value: .toystore.website
-          - operator: eq
-            selector: auth.identity.username
-            value: ""
-  targetRef:
-    group: gateway.networking.k8s.io
-    kind: Gateway
-    name: kuadrant-ingressgateway
-  url: oci://quay.io/kuadrant/wasm-shim:latest
+
apiVersion: extensions.istio.io/v1alpha1
+kind: WasmPlugin
+metadata:
+  creationTimestamp: "2024-10-01T16:59:40Z"
+  generation: 1
+  name: kuadrant-kuadrant-ingressgateway
+  namespace: gateway-system
+  ownerReferences:
+
+  - apiVersion: gateway.networking.k8s.io/v1
+    blockOwnerDeletion: true
+    controller: true
+    kind: Gateway
+    name: kuadrant-ingressgateway
+    uid: 0298355b-fb30-4442-af2b-88d0c05bd2bd
+  resourceVersion: "11253"
+  uid: 36ef1fb7-9eca-46c7-af63-fe783f40148c
+spec:
+  phase: STATS
+  pluginConfig:
+    services:
+      ratelimit-service:
+        type: ratelimit
+        endpoint: ratelimit-cluster
+        failureMode: allow
+    actionSets:
+      - name: some_name_0
+        routeRuleConditions:
+          hostnames: 
+          - '*.toystore.website'
+          - '*.toystore.io'
+          predicates:
+          - request.url_path.startsWith("/assets")
+        actions:
+        - service: ratelimit-service
+          scope: gateway-system/app-rlp
+          predicates:
+          - request.host.endsWith('.toystore.website')
+          data:
+          - expression:
+              key: limit.toystore_assets_all_domains__b61ee8e6
+              value: "1"
+      - name: some_name_1
+        routeRuleConditions:
+          hostnames: 
+          - '*.toystore.website'
+          - '*.toystore.io'
+          predicates:
+          - request.url_path.startsWith("/v1")
+        actions:
+        - service: ratelimit-service
+          scope: gateway-system/app-rlp
+          predicates:
+          - request.host.endsWith('.toystore.website')
+          - auth.identity.username == ""
+          data:
+          - expression:
+              key: limit.toystore_v1_website_unauthenticated__377837ee
+              value: "1"
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: kuadrant-ingressgateway
+  url: oci://quay.io/kuadrant/wasm-shim:latest
 

 

 

diff --git a/dev/kuadrant-operator/doc/reference/authpolicy/index.html b/dev/kuadrant-operator/doc/reference/authpolicy/index.html
index 22e4c0857..56a325623 100644
--- a/dev/kuadrant-operator/doc/reference/authpolicy/index.html
+++ b/dev/kuadrant-operator/doc/reference/authpolicy/index.html
@@ -4167,10 +4167,10 @@ 
SuccessResponseSpecSuccessResponseItem>
 

-
+

 
 
 
 
 
NoCustom success response items wrapped as Envoy Dynamic Metadata. Use it to pass data along to other proxy filters, such as the rate-limit filter.Custom success response items made available to other filters managed by Kuadrant (i.e. Rate Limit).
 

 
 

diff --git a/dev/kuadrant-operator/doc/reference/dnspolicy/index.html b/dev/kuadrant-operator/doc/reference/dnspolicy/index.html
index 7f636c0e6..d372551da 100644
--- a/dev/kuadrant-operator/doc/reference/dnspolicy/index.html
+++ b/dev/kuadrant-operator/doc/reference/dnspolicy/index.html
@@ -3642,7 +3642,7 @@ 
DNSPolicySpec
 
 targetRef
-Gateway API LocalPolicyTargetReference
+Gateway API LocalPolicyTargetReferenceWithSectionName 
 Yes
 Reference to a Kubernetes resource that the policy attaches to
 
diff --git a/dev/kuadrant-operator/doc/reference/ratelimitpolicy/index.html b/dev/kuadrant-operator/doc/reference/ratelimitpolicy/index.html
index 0b6ebe583..c7d4edb92 100644
--- a/dev/kuadrant-operator/doc/reference/ratelimitpolicy/index.html
+++ b/dev/kuadrant-operator/doc/reference/ratelimitpolicy/index.html
@@ -907,28 +907,37 @@
 
         
           
  • 
-  
+  
     
-      Limit
+      Predicate
     
   
   
-