Add rate limiting middleware

custom-requirements.txt

@@ -11,5 +11,6 @@ uwsgi-shortmsecs
 raven
 -e git+https://github.com/sapcc/octavia-f5-provider-driver.git@stable/yoga-m3#egg=octavia-f5-provider-driver
 git+https://github.com/sapcc/openstack-watcher-middleware.git#egg=watcher-middleware
+git+https://github.com/sapcc/openstack-rate-limit-middleware.git#egg=rate-limit-middleware
 git+https://github.com/sapcc/openstack-audit-middleware.git@master#egg=audit-middleware
 git+https://github.com/sapcc/openstack-uwsgi-middleware.git@main#egg=uwsgi-middleware

octavia/api/app.py

@@ -14,6 +14,7 @@
 
 import sys
 
+import rate_limit as ratelimitmiddleware
 # Try using custom auditmiddleware
 try:
     import auditmiddleware as audit_middleware
@@ -86,16 +87,33 @@ def setup_app(pecan_config=None, debug=False, argv=None):
 def _wrap_app(app):
     """Wraps wsgi app with additional middlewares."""
 
-    # This needs to be the first middleware (and the last in the chain)
+    # UWSGI needs to be the first middleware (and the last in the chain)
     try:
         from uwsgi_middleware import uwsgi
         app = uwsgi.Uwsgi(app)
     except (EnvironmentError, OSError, ImportError) as e:
         LOG.debug("Could not load uwsgi middleware: %s", e)
 
+    # Inject Request ID
     app = request_id.RequestId(app)
 
     if CONF.audit.enabled:
+
+        # rate limiting - depends on audit middleware, therefore must stand
+        # before it in order to appear after it in the chain
+        app = ratelimitmiddleware.OpenStackRateLimitMiddleware(
+                app,
+                config_file=CONF.rate_limiting.config_file,
+                service_type=CONF.rate_limiting.service_type,
+                rate_limit_by=CONF.rate_limiting.rate_limit_by,
+                max_sleep_time_seconds=CONF.rate_limiting.max_sleep_time_seconds,
+                backend_host=CONF.rate_limiting.backend_host,
+                backend_port=CONF.rate_limiting.backend_port,
+                backend_max_connections=CONF.rate_limiting.backend_max_connections,
+                backend_timeout_seconds=CONF.rate_limiting.backend_timeout_seconds,
+                )
+
+        # audit middleware
         try:
             app = audit_middleware.AuditMiddleware(
                 app,

octavia/common/config.py

@@ -822,6 +822,32 @@
                        'using tagged statsd metrics.')),
 ]
 
+rate_limiting_opts = [
+    cfg.StrOpt('config_file', default="/etc/octavia/ratelimit.yaml",
+        help=_('Path to the rate limiting middleware configuration file')),
+    cfg.StrOpt('service_type', default="loadbalancer",
+        help=_('The service type according to CADF specification')),
+    cfg.StrOpt('rate_limit_by',
+        help=_('Per default rate limits are applied based on '
+               '`initiator_project_id`. However, this can also be se to '
+               '`initiator_host_address` or `target_project_id`')),
+    cfg.IntOpt('max_sleep_time_seconds', default=20,
+        help=_('The maximal time a request can be suspended in seconds. '
+                'Instead of immediately returning a rate limit response, '
+                'a request can be suspended until the specified maximum '
+                'duration to fit the configured rate limit. This feature '
+                'can be disabled by setting the max sleep time to 0 seconds.')),
+    cfg.StrOpt('backend_host', default="127.0.0.1",
+        help=_('Redis backend host for rate limiting middleware')),
+    cfg.PortOpt('backend_port', default=6379,
+        help=_('Redis backend port for rate limiting middleware')),
+    cfg.IntOpt('backend_max_connections', default=100,
+        help=_('Maximum connections for redis connection pool.')),
+    cfg.IntOpt('backend_timeout_seconds', default=2,
+        help=_('Timeout for obtaining a connection to the backend. '
+               'It should be >= 1 second. Skips rate limit on timeout.')),
+]
+
 driver_agent_opts = [
     cfg.StrOpt('status_socket_path',
                default='/var/run/octavia/status.sock',
@@ -882,15 +908,6 @@
                help=_('The name of the service according to CADF')),
     cfg.StrOpt('config_file',
                help=_('Path to configuration file')),
-    cfg.StrOpt('statsd_host',
-               default='127.0.0.1',
-               help=_('Host of the StatsD backend')),
-    cfg.StrOpt('statsd_namespace',
-               default='openstack_watcher',
-               help=_('Namespace to use for metrics')),
-    cfg.IntOpt('statsd_port',
-               default=9125,
-               help=_('Port of the StatsD backend')),
     cfg.BoolOpt('target_project_id_from_path',
                 default=False,
                 help=_('Whether to get the target project uid from the path')),
@@ -928,6 +945,7 @@
 cfg.CONF.register_opts(neutron_opts, group='neutron')
 cfg.CONF.register_opts(quota_opts, group='quotas')
 cfg.CONF.register_opts(audit_opts, group='audit')
+cfg.CONF.register_opts(rate_limiting_opts, group='rate_limiting')
 cfg.CONF.register_opts(driver_agent_opts, group='driver_agent')
 
 cfg.CONF.register_opts(local.certgen_opts, group='certificates')

test-requirements.txt

@@ -19,3 +19,6 @@ tempest>=23.0.0 # Apache-2.0
 # Required for pep8 - doc8 tests
 sphinx>=2.0.0,!=2.1.0 # BSD
 bashate>=0.5.1 # Apache-2.0
+
+# Any requirements we need for CCloud
+git+https://github.com/sapcc/openstack-rate-limit-middleware.git#egg=rate-limit-middleware