13 changes: 10 additions & 3 deletions .github/data/matrix-smoke-plus.json
Expand Up @@ -64,19 +64,26 @@
"platforms": "linux/arm64, linux/amd64"
},
{
"label": "policies 1/2",
"label": "policies 1/3",
"image": "ubi-9-plus",
"type": "plus",
"marker": "'policies and not policies_ac and not policies_jwt and not policies_mtls'",
"marker": "'policies and not policies_ac and not policies_jwt and not policies_mtls and not policies_rl'",
"platforms": "linux/arm64, linux/amd64, linux/s390x"
},
{
"label": "policies 2/2",
"label": "policies 2/3",
"image": "ubi-9-plus",
"type": "plus",
"marker": "'policies_ac or policies_jwt or policies_mtls'",
"platforms": "linux/arm64, linux/amd64, linux/s390x"
},
{
"label": "policies 3/3",
"image": "ubi-9-plus",
"type": "plus",
"marker": "policies_rl",
"platforms": "linux/arm64, linux/amd64, linux/s390x"
},
{
"label": "OIDC-UI 1/1",
"image": "debian-plus",
10 changes: 5 additions & 5 deletions internal/configs/virtualserver.go
Expand Up @@ -1048,7 +1048,7 @@ func (p *policiesCfg) addRateLimitConfig(
) *validationResults {
res := newValidationResults()

rlZoneName := fmt.Sprintf("pol_rl_%v_%v_%v_%v", polNamespace, polName, ownerDetails.vsNamespace, ownerDetails.vsName)
rlZoneName := rfc1123ToSnake(fmt.Sprintf("pol_rl_%v_%v_%v_%v", polNamespace, polName, ownerDetails.vsNamespace, ownerDetails.vsName))
if rateLimit.Condition != nil && rateLimit.Condition.JWT.Claim != "" && rateLimit.Condition.JWT.Match != "" {
lrz := generateGroupedLimitReqZone(rlZoneName, rateLimit, podReplicas, ownerDetails)
p.RateLimit.PolicyGroupMaps = append(p.RateLimit.PolicyGroupMaps, *generateLRZPolicyGroupMap(lrz))
Expand Down Expand Up @@ -1778,16 +1778,16 @@ func generateGroupedLimitReqZone(zoneName string,
strings.ToLower(rateLimitPol.Condition.JWT.Match),
)

lrz.GroupVariable = fmt.Sprintf("$rl_%s_%s_group_%s",
lrz.GroupVariable = rfc1123ToSnake(fmt.Sprintf("$rl_%s_%s_group_%s",
ownerDetails.vsNamespace,
ownerDetails.vsName,
strings.ToLower(
strings.Join(
strings.Split(rateLimitPol.Condition.JWT.Claim, "."), "_",
),
),
)
lrz.Key = fmt.Sprintf("$%s", strings.Replace(zoneName, "-", "_", -1))
))
lrz.Key = rfc1123ToSnake(fmt.Sprintf("$%s", zoneName))
lrz.PolicyResult = rateLimitPol.Key
lrz.GroupDefault = rateLimitPol.Condition.Default
lrz.GroupSource = generateAuthJwtClaimSetVariable(rateLimitPol.Condition.JWT.Claim, ownerDetails.vsNamespace, ownerDetails.vsName)
Expand Down Expand Up @@ -1858,7 +1858,7 @@ func generateAuthJwtClaimSet(jwtCondition conf_v1.JWTCondition, owner policyOwne
}

func generateAuthJwtClaimSetVariable(claim string, vsNamespace string, vsName string) string {
return fmt.Sprintf("$jwt_%v_%v_%v", vsNamespace, vsName, strings.Join(strings.Split(claim, "."), "_"))
return strings.ReplaceAll(fmt.Sprintf("$jwt_%v_%v_%v", vsNamespace, vsName, strings.Join(strings.Split(claim, "."), "_")), "-", "_")
}

func generateAuthJwtClaimSetClaim(claim string) string {
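Review bot: Normalising the whole formatted zone name in `addRateLimitConfig` makes it ambiguous, because a `-` inside a component and the `_` separator between components become the same character. Assuming `rfc1123ToSnake` (not shown on this page) maps `-` to `_`, as the updated test expectations suggest, policy `a-b/c` and policy `a/b-c` attached to the same VirtualServer would both yield `pol_rl_a_b_c_<vsNamespace>_<vsName>`, so two distinct policies could declare or share one rate-limit zone; the previous zone name kept them apart. Consider appending a short hash of the un-normalised namespace and name to the zone name, or rejecting the duplicate during validation, and add a test case with two such policies. The same ambiguity applies to `lrz.GroupVariable` and `lrz.Key` in `generateGroupedLimitReqZone`, and `generateAuthJwtClaimSetVariable` calls `strings.ReplaceAll` directly where the other hunks use the helper. All three function bodies continue outside the hunks shown.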
74 changes: 37 additions & 37 deletions internal/configs/virtualserver_test.go
Expand Up @@ -6570,7 +6570,7 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
LimitReqZones: []version2.LimitReqZone{
{
Key: "$pol_rl_default_premium_rate_limit_policy_default_cafe",
ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe",
ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe",
ZoneSize: "10M",
Rate: "10r/s",
PolicyResult: "$jwt_claim_sub",
Expand All @@ -6581,7 +6581,7 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
},
{
Key: "$pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe",
ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneSize: "20M",
Rate: "20r/s",
PolicyResult: "$jwt_claim_sub",
Expand All @@ -6598,8 +6598,8 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
VSNamespace: "default",
VSName: "cafe",
LimitReqs: []version2.LimitReq{
{ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
},
LimitReqOptions: version2.LimitReqOptions{
DryRun: false,
Expand Down Expand Up @@ -6805,7 +6805,7 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
LimitReqZones: []version2.LimitReqZone{
{
Key: "$pol_rl_default_premium_rate_limit_policy_default_cafe",
ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe",
ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe",
ZoneSize: "10M",
Rate: "10r/s",
PolicyResult: "$jwt_claim_sub",
Expand All @@ -6816,7 +6816,7 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
},
{
Key: "$pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe",
ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneSize: "20M",
Rate: "20r/s",
PolicyResult: "$jwt_claim_sub",
Expand All @@ -6834,8 +6834,8 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
VSNamespace: "default",
VSName: "cafe",
LimitReqs: []version2.LimitReq{
{ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
},
LimitReqOptions: version2.LimitReqOptions{
DryRun: false,
Expand Down Expand Up @@ -7041,7 +7041,7 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
LimitReqZones: []version2.LimitReqZone{
{
Key: "$pol_rl_default_premium_rate_limit_policy_default_cafe",
ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe",
ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe",
ZoneSize: "10M",
Rate: "10r/s",
PolicyResult: "$jwt_claim_sub",
Expand All @@ -7052,7 +7052,7 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
},
{
Key: "$pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe",
ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneSize: "20M",
Rate: "20r/s",
PolicyResult: "$jwt_claim_sub",
Expand Down Expand Up @@ -7081,8 +7081,8 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
ProxySetHeaders: []version2.Header{{Name: "Host", Value: "$host"}},
ServiceName: "tea-svc",
LimitReqs: []version2.LimitReq{
{ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
},
LimitReqOptions: version2.LimitReqOptions{
DryRun: false,
Expand Down Expand Up @@ -7296,7 +7296,7 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
LimitReqZones: []version2.LimitReqZone{
{
Key: "$pol_rl_default_premium_rate_limit_policy_default_cafe",
ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe",
ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe",
ZoneSize: "10M",
Rate: "10r/s",
PolicyResult: "$jwt_claim_sub",
Expand All @@ -7307,7 +7307,7 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
},
{
Key: "$pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe",
ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneSize: "20M",
Rate: "20r/s",
PolicyResult: "$jwt_claim_sub",
Expand Down Expand Up @@ -7350,8 +7350,8 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
VSRName: "tea",
VSRNamespace: "default",
LimitReqs: []version2.LimitReq{
{ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
},
LimitReqOptions: version2.LimitReqOptions{
DryRun: false,
Expand Down Expand Up @@ -7562,7 +7562,7 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
LimitReqZones: []version2.LimitReqZone{
{
Key: "$pol_rl_default_premium_rate_limit_policy_default_cafe",
ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe",
ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe",
ZoneSize: "10M",
Rate: "10r/s",
PolicyResult: "$jwt_claim_sub",
Expand All @@ -7573,7 +7573,7 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
},
{
Key: "$pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe",
ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneSize: "20M",
Rate: "20r/s",
PolicyResult: "$jwt_claim_sub",
Expand All @@ -7591,8 +7591,8 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
VSNamespace: "default",
VSName: "cafe",
LimitReqs: []version2.LimitReq{
{ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
},
LimitReqOptions: version2.LimitReqOptions{
DryRun: false,
Expand Down Expand Up @@ -7625,8 +7625,8 @@ func TestGenerateVirtualServerConfigRateLimitGroups(t *testing.T) {
VSRName: "tea",
VSRNamespace: "default",
LimitReqs: []version2.LimitReq{
{ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
},
LimitReqOptions: version2.LimitReqOptions{
DryRun: false,
Expand Down Expand Up @@ -7857,7 +7857,7 @@ func TestGenerateVirtualServerConfigWithRateLimitGroupsWarning(t *testing.T) {
},
{
Key: "$pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe",
ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe",
ZoneSize: "20M",
Rate: "20r/s",
PolicyResult: "$jwt_claim_sub",
Expand All @@ -7874,8 +7874,8 @@ func TestGenerateVirtualServerConfigWithRateLimitGroupsWarning(t *testing.T) {
VSNamespace: "default",
VSName: "cafe",
LimitReqs: []version2.LimitReq{
{ZoneName: "pol_rl_default_premium-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic-rate-limit-policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_premium_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
{ZoneName: "pol_rl_default_basic_rate_limit_policy_default_cafe", Burst: 0, NoDelay: false, Delay: 0},
},
LimitReqOptions: version2.LimitReqOptions{
DryRun: false,
Expand Down Expand Up @@ -8131,15 +8131,15 @@ func TestGeneratePolicies(t *testing.T) {
RateLimit: rateLimit{
Reqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
ZoneName: "pol_rl_default_rateLimit_policy_default_test",
},
},
Zones: []version2.LimitReqZone{
{
Key: "test",
ZoneSize: "10M",
Rate: "10r/s",
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
ZoneName: "pol_rl_default_rateLimit_policy_default_test",
},
},
Options: version2.LimitReqOptions{
Expand Down Expand Up @@ -8188,13 +8188,13 @@ func TestGeneratePolicies(t *testing.T) {
Key: "test",
ZoneSize: "10M",
Rate: "10r/s",
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
ZoneName: "pol_rl_default_rateLimit_policy_default_test",
},
{
Key: "test2",
ZoneSize: "20M",
Rate: "20r/s",
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
ZoneName: "pol_rl_default_rateLimit_policy2_default_test",
},
},
Options: version2.LimitReqOptions{
Expand All @@ -8203,10 +8203,10 @@ func TestGeneratePolicies(t *testing.T) {
},
Reqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
ZoneName: "pol_rl_default_rateLimit_policy_default_test",
},
{
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
ZoneName: "pol_rl_default_rateLimit_policy2_default_test",
},
},
},
Expand Down Expand Up @@ -8240,7 +8240,7 @@ func TestGeneratePolicies(t *testing.T) {
Key: "test",
ZoneSize: "10M",
Rate: "5r/s",
ZoneName: "pol_rl_default_rateLimitScale-policy_default_test",
ZoneName: "pol_rl_default_rateLimitScale_policy_default_test",
},
},
Options: version2.LimitReqOptions{
Expand All @@ -8249,7 +8249,7 @@ func TestGeneratePolicies(t *testing.T) {
},
Reqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimitScale-policy_default_test",
ZoneName: "pol_rl_default_rateLimitScale_policy_default_test",
},
},
},
Expand Down Expand Up @@ -8962,13 +8962,13 @@ func TestGeneratePoliciesFails(t *testing.T) {
Key: "test",
ZoneSize: "10M",
Rate: "10r/s",
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
ZoneName: "pol_rl_default_rateLimit_policy_default_test",
},
{
Key: "test2",
ZoneSize: "20M",
Rate: "20r/s",
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
ZoneName: "pol_rl_default_rateLimit_policy2_default_test",
},
},
Options: version2.LimitReqOptions{
Expand All @@ -8977,10 +8977,10 @@ func TestGeneratePoliciesFails(t *testing.T) {
},
Reqs: []version2.LimitReq{
{
ZoneName: "pol_rl_default_rateLimit-policy_default_test",
ZoneName: "pol_rl_default_rateLimit_policy_default_test",
},
{
ZoneName: "pol_rl_default_rateLimit-policy2_default_test",
ZoneName: "pol_rl_default_rateLimit_policy2_default_test",
},
},
},
20 changes: 8 additions & 12 deletions tests/Dockerfile
@@ -1,4 +1,4 @@
# syntax=docker/dockerfile:1.5
# syntax=docker/dockerfile:1.11
# this is here so we can grab the latest version of kind and have dependabot keep it up to date
FROM kindest/node:v1.32.2@sha256:f226345927d7e348497136874b6d207e0b32cc52154ad8323129352923a3142f

Expand All @@ -8,27 +8,23 @@ FROM quay.io/skopeo/stable:v1.17.0
FROM python:3.13@sha256:08471c63c5fdf2644adc142a7fa8d0290eb405cda14c473fbe5b4cd0933af601

RUN apt-get update \
&& apt-get install -y curl git \
&& apt-get install -y curl git apache2-utils \
&& rm -rf /var/lib/apt/lists/*

WORKDIR /workspace/tests

COPY --link tests/requirements.txt /workspace/tests/
RUN pip install --require-hashes -r requirements.txt --no-deps
RUN playwright install --with-deps chromium

COPY --link tests/requirements.txt /workspace/tests/
COPY --link deployments /workspace/deployments
COPY --link config /workspace/config
COPY --link tests /workspace/tests
COPY --link pyproject.toml /workspace/pyproject.toml

RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl \
&& install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl \
&& apt-get update && apt-get install -y apache2-utils
&& curl https://get.docker.com/builds/Linux/x86_64/docker-latest.tgz | tar xvz -C /tmp/ && mv /tmp/docker/docker /usr/bin/docker

RUN apt update -y \
&& curl https://get.docker.com/builds/Linux/x86_64/docker-latest.tgz | tar xvz -C /tmp/ && mv /tmp/docker/docker /usr/bin/docker

COPY --link tests /workspace/tests

COPY --link pyproject.toml /workspace/
RUN pip install --require-hashes -r requirements.txt --no-deps
RUN playwright install --with-deps chromium

ENTRYPOINT ["python3", "-m", "pytest"]
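Review bot: The `RUN curl -LO .../kubectl` step, which this change appears to extend with the `docker-latest.tgz` download, fetches both binaries unpinned and unverified, while the base images are pinned by digest and pip runs with `--require-hashes`. `stable.txt` and `docker-latest.tgz` resolve to whatever is published at build time, `curl` runs without `-f`, and the tarball is piped straight into `tar`, so a changed or truncated download would be installed into the test image without notice. Pin the version and check a digest recorded in the Dockerfile, e.g. `ARG KUBECTL_VERSION=<pinned version>` and `echo "<expected sha256>  kubectl" | sha256sum -c -` before `install`, and do the same for the Docker client. Which lines belong to the new side is inferred here, since the rendered page has lost its `+`/`-` markers.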