Question: Returning custom gRPC header or status in rate limiting #4901

Closed
josephschorr opened this issue Dec 6, 2022 · 6 comments · Fixed by #4971

@josephschorr

What question do you have?:

I'm curious to know if there is a way to set a custom gRPC status code and/or header to be returned if a rate limit is exceeded via the contour rate limiting system, rather than simply returning 429. The 429 error gets mapped by gRPC into an UNAVAILABLE error without much user-visible context, and we'd like to provide a nicer error message.

@josephschorr josephschorr added kind/question Categorizes an issue as a user question. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Dec 6, 2022
@github-actions

github-actions bot commented Dec 6, 2022

Hey @josephschorr! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

@sunjayBhatia
Member

Have you tried having your RLS return specialized response headers using this field in the RLS response? https://github.com/envoyproxy/data-plane-api/blob/c65cd6eeca57c6e56f0ee044ca33b8b275e480ec/envoy/service/ratelimit/v3/rls.proto#L196

@sunjayBhatia
Member

sunjayBhatia commented Dec 21, 2022

@sunjayBhatia
Member

updated the link above ^

@vroldanbet
Contributor

@sunjayBhatia yeah that's the flag we were looking into, but Contour does not expose it. We are totally fine if you guys decide to turn it on by default, but that may be an unexpected breaking change to clients already expecting UNAVAILABLE.

@vroldanbet
Contributor

I've opened #4971 to implement this

@skriss skriss added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/question Categorizes an issue as a user question. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Jan 11, 2023
@skriss skriss added this to the 1.24.0 milestone Jan 11, 2023
skriss pushed a commit that referenced this issue Jan 12, 2023
The Rate Limit filter in Envoy translates a 429 HTTP response code
to UNAVAILABLE as specified in the gRPC mapping document, but Google recommends
translating it to RESOURCE_EXHAUSTED
(see https://github.com/grpc/grpc/blob/master/doc/http-grpc-status-mapping.md)

This commit introduces a new setting to allow contour to forward the same parameter
introduced in envoyproxy/envoy#4879

The default value is disabled to retain the original behaviour of returning UNAVAILABLE,
as changing it would be a breaking change.

Closes #4901.

Signed-off-by: Víctor Roldán Betancort <vroldanbet@authzed.com>
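
The Envoy-side setting this commit forwards, as an added example (not taken from the Contour or Envoy repositories): the HTTP rate limit filter with the default gRPC mapping next to the opt-in one. The `domain` and cluster name are constructed placeholder values, and the name of Contour's own option is not shown on this page.

```yaml
# Variant A (default): a rate-limited gRPC call is answered with
# grpc-status 14 (UNAVAILABLE), the behaviour described in the question.
http_filters:
- name: envoy.filters.http.ratelimit
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
    domain: example-domain                      # constructed value
    rate_limited_as_resource_exhausted: false   # Envoy default
    rate_limit_service:
      transport_api_version: V3
      grpc_service:
        envoy_grpc:
          cluster_name: ratelimit_cluster       # constructed cluster name
---
# Variant B (opt-in): the same filter, but a rate-limited gRPC call is
# answered with grpc-status 8 (RESOURCE_EXHAUSTED).
http_filters:
- name: envoy.filters.http.ratelimit
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
    domain: example-domain                      # constructed value
    rate_limited_as_resource_exhausted: true
    rate_limit_service:
      transport_api_version: V3
      grpc_service:
        envoy_grpc:
          cluster_name: ratelimit_cluster       # constructed cluster name
```

Clients that already branch on UNAVAILABLE for rate-limited calls need to handle RESOURCE_EXHAUSTED before Variant B is rolled out, which is why the commit keeps the setting disabled by default.
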
yangyy93 added a commit to projectsesame/contour that referenced this issue Mar 10, 2023
expose configuration for envoy's RateLimitedAsResourceExhausted (projectcontour#4971)
