expose configuration for envoy's RateLimitedAsResourceExhausted
The Rate Limit filter in Envoy translates a 429 HTTP response code
to UNAVAILABLE as specified in the gRPC mapping document, but Google recommends
translating it to RESOURCE_EXHAUSTED
(see https://github.com/grpc/grpc/blob/master/doc/http-grpc-status-mapping.md)

This commit introduces a new setting to allow contour to forward the same parameter
introduced in envoyproxy/envoy#4879

The default value is disabled to retain the original behaviour of returning UNAVAILABLE,
as changing it would be a breaking change.

Signed-off-by: Víctor Roldán Betancort <vroldanbet@authzed.com>
vroldanbet committed Jan 11, 2023
1 parent 02ff5b4 commit 147084d
Showing 18 changed files with 218 additions and 76 deletions.
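--- a/apis/projectcontour/v1alpha1/contourconfig.go
+++ b/apis/projectcontour/v1alpha1/contourconfig.go
@@ -619,6 +619,12 @@ type RateLimitServiceConfig struct {
 // ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
 // +optional
 EnableXRateLimitHeaders *bool `json:"enableXRateLimitHeaders,omitempty"`
+
+// EnableResourceExhaustedCode enables translating error code 429 to
+// grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE
+//
+// +optional
+EnableResourceExhaustedCode *bool `json:"enableResourceExhaustedCode,omitempty"`
 }
 
 // PolicyConfig holds default policy used if not explicitly set by the user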
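Review bot: The doc comment on `EnableResourceExhaustedCode` states neither the default nor why an operator would change it, although the commit description says the default is disabled to keep the old behaviour. UNAVAILABLE is often configured as a retryable status in gRPC clients, so with the field unset a rate-limited caller may retry straight back into the limiter, and dashboards or alerts keyed on either status code change meaning when the flag is flipped. I would append a line such as `// Defaults to false, which keeps the UNAVAILABLE mapping; enable it so rate-limited gRPC callers see RESOURCE_EXHAUSTED and can back off.` The opening of `RateLimitServiceConfig` and its earlier fields are outside this hunk.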
5 changes: 5 additions & 0 deletions apis/projectcontour/v1alpha1/zz_generated.deepcopy.go


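--- a/changelogs/unreleased/4971-vroldanbet-small.md
+++ b/changelogs/unreleased/4971-vroldanbet-small.md
@@ -0,0 +1 @@
+expose configuration for envoy's RateLimitedAsResourceExhausted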
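--- a/cmd/contour/serve.go
+++ b/cmd/contour/serve.go
@@ -610,12 +610,13 @@ func (s *Server) setupRateLimitService(contourConfiguration contour_api_v1alpha1
 }
 
 return &xdscache_v3.RateLimitConfig{
-ExtensionService: key,
-SNI: sni,
-Domain: contourConfiguration.RateLimitService.Domain,
-Timeout: responseTimeout,
-FailOpen: ref.Val(contourConfiguration.RateLimitService.FailOpen, false),
-EnableXRateLimitHeaders: ref.Val(contourConfiguration.RateLimitService.EnableXRateLimitHeaders, false),
+ExtensionService: key,
+SNI: sni,
+Domain: contourConfiguration.RateLimitService.Domain,
+Timeout: responseTimeout,
+FailOpen: ref.Val(contourConfiguration.RateLimitService.FailOpen, false),
+EnableXRateLimitHeaders: ref.Val(contourConfiguration.RateLimitService.EnableXRateLimitHeaders, false),
+EnableResourceExhaustedCode: ref.Val(contourConfiguration.RateLimitService.EnableResourceExhaustedCode, false),
 }, nil
 }
 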
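Review bot: Nothing at the new `EnableResourceExhaustedCode: ref.Val(..., false)` line records that the `false` fallback is a backward-compatibility choice rather than the recommended mapping, which the commit description says explicitly. A one-line comment above the field would keep that reasoning next to the code, for example `// false preserves the 429 -> UNAVAILABLE mapping for existing deployments (see envoyproxy/envoy#4879).` No test covering the new field appears in the file sections rendered on this page; only part of the 18 changed files is shown, so one may exist elsewhere in the commit. `setupRateLimitService` begins above this hunk.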
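--- a/cmd/contour/servecontext.go
+++ b/cmd/contour/servecontext.go
@@ -371,9 +371,10 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
 Name: nsedName.Name,
 Namespace: nsedName.Namespace,
 },
-Domain: ctx.Config.RateLimitService.Domain,
-FailOpen: ref.To(ctx.Config.RateLimitService.FailOpen),
-EnableXRateLimitHeaders: ref.To(ctx.Config.RateLimitService.EnableXRateLimitHeaders),
+Domain: ctx.Config.RateLimitService.Domain,
+FailOpen: ref.To(ctx.Config.RateLimitService.FailOpen),
+EnableXRateLimitHeaders: ref.To(ctx.Config.RateLimitService.EnableXRateLimitHeaders),
+EnableResourceExhaustedCode: ref.To(ctx.Config.RateLimitService.EnableResourceExhaustedCode),
 }
 }
 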
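--- a/examples/contour/01-contour-config.yaml
+++ b/examples/contour/01-contour-config.yaml
@@ -145,6 +145,9 @@ data:
 # Limit Service is consulted for a request.
 # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
 # enableXRateLimitHeaders: false
+# Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED
+# instead of the default UNAVAILABLE
+# enableResourceExhaustedCode: false
 #
 # Global Policy settings.
 # policy: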
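--- a/examples/contour/01-crds.yaml
+++ b/examples/contour/01-crds.yaml
@@ -521,6 +521,11 @@ spec:
 domain:
 description: Domain is passed to the Rate Limit Service.
 type: string
+enableResourceExhaustedCode:
+description: EnableResourceExhaustedCode enables translating error
+code 429 to grpc code RESOURCE_EXHAUSTED. When disabled it's
+translated to UNAVAILABLE
+type: boolean
 enableXRateLimitHeaders:
 description: "EnableXRateLimitHeaders defines whether to include
 the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,
@@ -1006,7 +1011,7 @@ spec:
 feature gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+description: ResourceClaim references one entry in PodSpec.ResourceClaims.
 properties:
 name:
 description: Name must match the name of one entry in
@@ -1818,7 +1823,7 @@ spec:
 gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references
+description: ResourceClaim references
 one entry in PodSpec.ResourceClaims.
 properties:
 name:
@@ -2974,7 +2979,7 @@ spec:
 feature gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+description: ResourceClaim references one entry in PodSpec.ResourceClaims.
 properties:
 name:
 description: Name must match the name of one entry in
@@ -3521,6 +3526,11 @@ spec:
 domain:
 description: Domain is passed to the Rate Limit Service.
 type: string
+enableResourceExhaustedCode:
+description: EnableResourceExhaustedCode enables translating
+error code 429 to grpc code RESOURCE_EXHAUSTED. When disabled
+it's translated to UNAVAILABLE
+type: boolean
 enableXRateLimitHeaders:
 description: "EnableXRateLimitHeaders defines whether to include
 the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,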
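--- a/examples/render/contour-deployment.yaml
+++ b/examples/render/contour-deployment.yaml
@@ -178,6 +178,9 @@ data:
 # Limit Service is consulted for a request.
 # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
 # enableXRateLimitHeaders: false
+# Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED
+# instead of the default UNAVAILABLE
+# enableResourceExhaustedCode: false
 #
 # Global Policy settings.
 # policy:
@@ -731,6 +734,11 @@ spec:
 domain:
 description: Domain is passed to the Rate Limit Service.
 type: string
+enableResourceExhaustedCode:
+description: EnableResourceExhaustedCode enables translating error
+code 429 to grpc code RESOURCE_EXHAUSTED. When disabled it's
+translated to UNAVAILABLE
+type: boolean
 enableXRateLimitHeaders:
 description: "EnableXRateLimitHeaders defines whether to include
 the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,
@@ -1216,7 +1224,7 @@ spec:
 feature gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+description: ResourceClaim references one entry in PodSpec.ResourceClaims.
 properties:
 name:
 description: Name must match the name of one entry in
@@ -2028,7 +2036,7 @@ spec:
 gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references
+description: ResourceClaim references
 one entry in PodSpec.ResourceClaims.
 properties:
 name:
@@ -3184,7 +3192,7 @@ spec:
 feature gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+description: ResourceClaim references one entry in PodSpec.ResourceClaims.
 properties:
 name:
 description: Name must match the name of one entry in
@@ -3731,6 +3739,11 @@ spec:
 domain:
 description: Domain is passed to the Rate Limit Service.
 type: string
+enableResourceExhaustedCode:
+description: EnableResourceExhaustedCode enables translating
+error code 429 to grpc code RESOURCE_EXHAUSTED. When disabled
+it's translated to UNAVAILABLE
+type: boolean
 enableXRateLimitHeaders:
 description: "EnableXRateLimitHeaders defines whether to include
 the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,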
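--- a/examples/render/contour-gateway-provisioner.yaml
+++ b/examples/render/contour-gateway-provisioner.yaml
@@ -535,6 +535,11 @@ spec:
 domain:
 description: Domain is passed to the Rate Limit Service.
 type: string
+enableResourceExhaustedCode:
+description: EnableResourceExhaustedCode enables translating error
+code 429 to grpc code RESOURCE_EXHAUSTED. When disabled it's
+translated to UNAVAILABLE
+type: boolean
 enableXRateLimitHeaders:
 description: "EnableXRateLimitHeaders defines whether to include
 the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,
@@ -1020,7 +1025,7 @@ spec:
 feature gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+description: ResourceClaim references one entry in PodSpec.ResourceClaims.
 properties:
 name:
 description: Name must match the name of one entry in
@@ -1832,7 +1837,7 @@ spec:
 gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references
+description: ResourceClaim references
 one entry in PodSpec.ResourceClaims.
 properties:
 name:
@@ -2988,7 +2993,7 @@ spec:
 feature gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+description: ResourceClaim references one entry in PodSpec.ResourceClaims.
 properties:
 name:
 description: Name must match the name of one entry in
@@ -3535,6 +3540,11 @@ spec:
 domain:
 description: Domain is passed to the Rate Limit Service.
 type: string
+enableResourceExhaustedCode:
+description: EnableResourceExhaustedCode enables translating
+error code 429 to grpc code RESOURCE_EXHAUSTED. When disabled
+it's translated to UNAVAILABLE
+type: boolean
 enableXRateLimitHeaders:
 description: "EnableXRateLimitHeaders defines whether to include
 the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,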
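--- a/examples/render/contour-gateway.yaml
+++ b/examples/render/contour-gateway.yaml
@@ -184,6 +184,9 @@ data:
 # Limit Service is consulted for a request.
 # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
 # enableXRateLimitHeaders: false
+# Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED
+# instead of the default UNAVAILABLE
+# enableResourceExhaustedCode: false
 #
 # Global Policy settings.
 # policy:
@@ -737,6 +740,11 @@ spec:
 domain:
 description: Domain is passed to the Rate Limit Service.
 type: string
+enableResourceExhaustedCode:
+description: EnableResourceExhaustedCode enables translating error
+code 429 to grpc code RESOURCE_EXHAUSTED. When disabled it's
+translated to UNAVAILABLE
+type: boolean
 enableXRateLimitHeaders:
 description: "EnableXRateLimitHeaders defines whether to include
 the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,
@@ -1222,7 +1230,7 @@ spec:
 feature gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+description: ResourceClaim references one entry in PodSpec.ResourceClaims.
 properties:
 name:
 description: Name must match the name of one entry in
@@ -2034,7 +2042,7 @@ spec:
 gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references
+description: ResourceClaim references
 one entry in PodSpec.ResourceClaims.
 properties:
 name:
@@ -3190,7 +3198,7 @@ spec:
 feature gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+description: ResourceClaim references one entry in PodSpec.ResourceClaims.
 properties:
 name:
 description: Name must match the name of one entry in
@@ -3737,6 +3745,11 @@ spec:
 domain:
 description: Domain is passed to the Rate Limit Service.
 type: string
+enableResourceExhaustedCode:
+description: EnableResourceExhaustedCode enables translating
+error code 429 to grpc code RESOURCE_EXHAUSTED. When disabled
+it's translated to UNAVAILABLE
+type: boolean
 enableXRateLimitHeaders:
 description: "EnableXRateLimitHeaders defines whether to include
 the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,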
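--- a/examples/render/contour.yaml
+++ b/examples/render/contour.yaml
@@ -178,6 +178,9 @@ data:
 # Limit Service is consulted for a request.
 # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
 # enableXRateLimitHeaders: false
+# Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED
+# instead of the default UNAVAILABLE
+# enableResourceExhaustedCode: false
 #
 # Global Policy settings.
 # policy:
@@ -731,6 +734,11 @@ spec:
 domain:
 description: Domain is passed to the Rate Limit Service.
 type: string
+enableResourceExhaustedCode:
+description: EnableResourceExhaustedCode enables translating error
+code 429 to grpc code RESOURCE_EXHAUSTED. When disabled it's
+translated to UNAVAILABLE
+type: boolean
 enableXRateLimitHeaders:
 description: "EnableXRateLimitHeaders defines whether to include
 the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,
@@ -1216,7 +1224,7 @@ spec:
 feature gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+description: ResourceClaim references one entry in PodSpec.ResourceClaims.
 properties:
 name:
 description: Name must match the name of one entry in
@@ -2028,7 +2036,7 @@ spec:
 gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references
+description: ResourceClaim references
 one entry in PodSpec.ResourceClaims.
 properties:
 name:
@@ -3184,7 +3192,7 @@ spec:
 feature gate. \n This field is immutable."
 items:
 x-kubernetes-map-type: atomic
-description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+description: ResourceClaim references one entry in PodSpec.ResourceClaims.
 properties:
 name:
 description: Name must match the name of one entry in
@@ -3731,6 +3739,11 @@ spec:
 domain:
 description: Domain is passed to the Rate Limit Service.
 type: string
+enableResourceExhaustedCode:
+description: EnableResourceExhaustedCode enables translating
+error code 429 to grpc code RESOURCE_EXHAUSTED. When disabled
+it's translated to UNAVAILABLE
+type: boolean
 enableXRateLimitHeaders:
 description: "EnableXRateLimitHeaders defines whether to include
 the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,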
