-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RLP v2 controller #199
RLP v2 controller #199
Conversation
ready for initial review @guicassolato Still lot of work to be done, but sets a baseline we can merge in |
// ContextSelector defines one item from the well known attributes | ||
// Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes | ||
// Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's probably going to be replaced with https://github.com/Kuadrant/architecture/blob/rfc/well-known-attributes/rfcs/0000-well-known-attributes.md (once merged)
pkg/rlptools/wasm_utils.go
Outdated
if rlp == nil { | ||
return flattenActions | ||
} | ||
// TODO implement one of constraint |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see at least a couple ways to implement this. E.g. https://github.com/Kuadrant/authorino/blob/5db6fb9153d5229188b03292249cbf04bfb5fafb/install/crd/kustomization.yaml#L15-L21.
Is that what you had in mind? Or perhaps a validating webhook instead? Or yet, "late" in the process, in the controller, during reconciliation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the OpenAPIv3 validation that prevents objects to be created and/or updated without needing any validation webhook.
pkg/rlptools/wasm_utils.go
Outdated
) | ||
|
||
type GatewayAction struct { | ||
Configurations []kuadrantv1beta1.Configuration `json:"configurations"` | ||
type SelectorSpec struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we move this or part of it to a common package?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good idea. What do you propose?
github.com/kuadrant/kuadrant-operator/api/v1beta2
?github.com/kuadrant/kuadrant-operator/pkg/types
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done, moved to github.com/kuadrant/kuadrant-operator/pkg/rlptools/wasm
pkg/rlptools/wasm_utils.go
Outdated
// They are named by a dot-separated path (e.g. request.path) | ||
// Examples: | ||
// "request.path" -> The path portion of the URL | ||
Selector string `json:"selector"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about defining a type WellknownSelector string
?
Selector string `json:"selector"` | |
Selector WellknownSelector `json:"selector"` |
It would also serve as the type for PatternExpression.Selector
:
Selector string `json:"selector"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in
type ContextSelector string |
ContextSelector
. Shall we change that as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
using ContextSelector
in WASM plugin Configuration object
pkg/rlptools/wasm_utils.go
Outdated
// +optional | ||
GatewayActions []GatewayAction `json:"gateway_actions,omitempty"` | ||
Rules []Rule `json:"rules,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we also renaming failure_mode_deny
and rate_limit_policies
as in Kuadrant/wasm-shim#35 (comment)?
5c06205
to
3966aa6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent, @eguzki! 🚀
I've left a few reminders for when continuing the work in the next PRs.
for domain, rules := range wasmRulesByDomain { | ||
rateLimitPolicy := wasm.RateLimitPolicy{ | ||
Name: domain, | ||
Domain: common.MarshallNamespace(gw.Key(), domain), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
conditions := make([]wasm.Condition, 0) | ||
|
||
for routeSelectorIdx := range limit.RouteSelectors { | ||
// TODO(eastizle): what if there are only Hostnames (i.e. empty "matches" list) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That means it matches all HTTPRouteRules.
for matchIdx := range limit.RouteSelectors[routeSelectorIdx].Matches { | ||
condition := wasm.Condition{ | ||
AllOf: patternExpresionsFromMatch(&limit.RouteSelectors[routeSelectorIdx].Matches[matchIdx]), | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, the Wasm conditions should not come directly from the limit, but use the limit's routeSelectors
to select the rules from within the HTTPRoutes: #200
// merge when expression in the same condition | ||
// must be done after adding route level conditions when no route selector are available | ||
// prevent conditions only filled with "when" definitions | ||
for whenIdx := range limit.When { | ||
for idx := range conditions { | ||
conditions[idx].AllOf = append(conditions[idx].AllOf, patternExpresionFromWhen(limit.When[whenIdx])) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're drifting a bit from the proposed "soft conditions" implemented in Limitador (see last bullet point at https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#highlights), by going one step ahead to improve performance.
By evaluating the RLP's when
condition as a normal condition in the Wasm shim (just like the conditions built from routeSelectors
), the RL request will only be sent to Limitador when there's truly at least one limit whose counters to increment.
@guicassolato consider rebasing |
What
First implementation of the RLP v2 controller
Many issues to address and
TODO
in the code. But this is a working controller with limited functionality (yet)No doc, no tests
Verification steps
kubectl apply -f examples/toystore/toystore.yaml
Check Limitador's configuration
Check WASM plugin config
Note that e2e rate limiting does not work. WASM shim work Kuadrant/wasm-shim#35 is needed.