Plug in rate limit service URL into xds cluster (#983)

arkodg · web-flow · commit 1b263803f45f · 2023-02-07T13:24:59.000-08:00
* Plug in rate limit service URL into xds cluster

Signed-off-by: Arko Dasgupta &lt;arko@tetrate.io&gt;

* more guardrails

Signed-off-by: Arko Dasgupta &lt;arko@tetrate.io&gt;

* set to grpcPort and pin image

Signed-off-by: Arko Dasgupta &lt;arko@tetrate.io&gt;
diff --git a/internal/globalratelimit/runner/runner.go b/internal/globalratelimit/runner/runner.go
@@ -48,9 +48,15 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
 		var xdsIRs []*ir.Xds
 		snapshot := <-xdsIRCh
 		r.Logger.Info("received a notification")
+		// Skip translation if state is empty
+		if len(snapshot.State) == 0 {
+			continue
+		}
+
 		for _, value := range snapshot.State {
 			xdsIRs = append(xdsIRs, value)
 		}
+
 		// Translate to ratelimit infra IR
 		result, err := r.translate(xdsIRs)
 		if err != nil {
diff --git a/internal/infrastructure/kubernetes/deployment.go b/internal/infrastructure/kubernetes/deployment.go
@@ -53,10 +53,10 @@ const (
 
 	// rateLimitInfraName is the name for rate-limit resources.
 	rateLimitInfraName = "envoy-ratelimit"
-	// rateLimitInfraHTTPPort is the http port that the rate limit service listens on.
-	rateLimitInfraHTTPPort = 8080
+	// rateLimitInfraGRPCPort is the grpc port that the rate limit service listens on.
+	rateLimitInfraGRPCPort = 8081
 	// rateLimitInfraImage is the container image for the rate limit service.
-	rateLimitInfraImage = "envoyproxy/ratelimit:latest"
+	rateLimitInfraImage = "envoyproxy/ratelimit:f28024e3"
 )
 
 //go:embed bootstrap.yaml.tpl
@@ -362,7 +362,7 @@ func expectedRateLimitContainers(infra *ir.RateLimitInfra) []corev1.Container {
 	ports := []corev1.ContainerPort{
 		{
 			Name:          "http",
-			ContainerPort: rateLimitInfraHTTPPort,
+			ContainerPort: rateLimitInfraGRPCPort,
 			Protocol:      corev1.ProtocolTCP,
 		},
 	}
diff --git a/internal/infrastructure/kubernetes/service.go b/internal/infrastructure/kubernetes/service.go
@@ -125,8 +125,8 @@ func (i *Infra) expectedRateLimitService(_ *ir.RateLimitInfra) *corev1.Service {
 		{
 			Name:       "http",
 			Protocol:   corev1.ProtocolTCP,
-			Port:       rateLimitInfraHTTPPort,
-			TargetPort: intstr.IntOrString{IntVal: rateLimitInfraHTTPPort},
+			Port:       rateLimitInfraGRPCPort,
+			TargetPort: intstr.IntOrString{IntVal: rateLimitInfraGRPCPort},
 		},
 	}
 
@@ -151,6 +151,11 @@ func (i *Infra) expectedRateLimitService(_ *ir.RateLimitInfra) *corev1.Service {
 	return svc
 }
 
+// GetRateLimitServiceURL returns the URL for the rate limit service.
+func GetRateLimitServiceURL(namespace string) string {
+	return fmt.Sprintf("grpc://%s.%s.svc.cluster.local:%d", rateLimitInfraName, namespace, rateLimitInfraGRPCPort)
+}
+
 // createOrUpdateRateLimitService creates a Service in the kube api server based on the provided infra,
 // if it doesn't exist or updates it if it does.
 func (i *Infra) createOrUpdateRateLimitService(ctx context.Context, infra *ir.RateLimitInfra) error {
diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go
@@ -52,7 +52,7 @@ func buildXdsTCPListener(name, address string, port uint32) *listener.Listener {
 	}
 }
 
-func addXdsHTTPFilterChain(xdsListener *listener.Listener, irListener *ir.HTTPListener) error {
+func (t *Translator) addXdsHTTPFilterChain(xdsListener *listener.Listener, irListener *ir.HTTPListener) error {
 	routerAny, err := anypb.New(&router.Router{})
 	if err != nil {
 		return err
@@ -121,7 +121,7 @@ func addXdsHTTPFilterChain(xdsListener *listener.Listener, irListener *ir.HTTPLi
 
 	// TODO: Make this a generic interface for all API Gateway features.
 	//       https://github.com/envoyproxy/gateway/issues/882
-	patchHCMWithRateLimit(mgr, irListener)
+	t.patchHCMWithRateLimit(mgr, irListener)
 
 	// Add the jwt authn filter, if needed.
 	if err := patchHCMWithJwtAuthnFilter(mgr, irListener); err != nil {
diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go
@@ -7,6 +7,7 @@ package translator
 
 import (
 	"bytes"
+	"net/url"
 	"strconv"
 	"time"
 
@@ -29,9 +30,9 @@ import (
 
 // patchHCMWithRateLimit builds and appends the Rate Limit Filter to the HTTP connection manager
 // if applicable and it does not already exist.
-func patchHCMWithRateLimit(mgr *hcm.HttpConnectionManager, irListener *ir.HTTPListener) {
+func (t *Translator) patchHCMWithRateLimit(mgr *hcm.HttpConnectionManager, irListener *ir.HTTPListener) {
 	// Return early if rate limits dont exist
-	if !isRateLimitPresent(irListener) {
+	if !t.isRateLimitPresent(irListener) {
 		return
 	}
 
@@ -48,7 +49,11 @@ func patchHCMWithRateLimit(mgr *hcm.HttpConnectionManager, irListener *ir.HTTPLi
 }
 
 // isRateLimitPresent returns true if rate limit config exists for the listener.
-func isRateLimitPresent(irListener *ir.HTTPListener) bool {
+func (t *Translator) isRateLimitPresent(irListener *ir.HTTPListener) bool {
+	// Return false if global ratelimiting is disabled.
+	if t.GlobalRateLimit == nil {
+		return false
+	}
 	// Return true if rate limit config exists.
 	for _, route := range irListener.Routes {
 		if route.RateLimit != nil && route.RateLimit.Global != nil {
@@ -256,14 +261,14 @@ func buildRateLimitServiceDescriptors(descriptorPrefix string, global *ir.Global
 	return yamlDescs
 }
 
-func buildRateLimitServiceCluster(irListener *ir.HTTPListener) *cluster.Cluster {
+func (t *Translator) buildRateLimitServiceCluster(irListener *ir.HTTPListener) *cluster.Cluster {
 	// Return early if rate limits dont exist.
-	if !isRateLimitPresent(irListener) {
+	if !t.isRateLimitPresent(irListener) {
 		return nil
 	}
 
 	clusterName := getRateLimitServiceClusterName()
-	host, port := getRateLimitServiceGrpcHostPort()
+	host, port := t.getRateLimitServiceGrpcHostPort()
 	rateLimitServerCluster := &cluster.Cluster{
 		Name:                 clusterName,
 		ClusterDiscoveryType: &cluster.Cluster_Type{Type: cluster.Cluster_STRICT_DNS},
@@ -317,6 +322,14 @@ func getRateLimitDomain(irListener *ir.HTTPListener) string {
 	return irListener.Name
 }
 
-func getRateLimitServiceGrpcHostPort() (string, int) {
-	return "TODO", 0
+func (t *Translator) getRateLimitServiceGrpcHostPort() (string, int) {
+	u, err := url.Parse(t.GlobalRateLimit.ServiceURL)
+	if err != nil {
+		panic(err)
+	}
+	p, err := strconv.Atoi(u.Port())
+	if err != nil {
+		panic(err)
+	}
+	return u.Hostname(), p
 }
diff --git a/internal/xds/translator/runner/runner.go b/internal/xds/translator/runner/runner.go
@@ -9,6 +9,7 @@ import (
 	"context"
 
 	"github.com/envoyproxy/gateway/internal/envoygateway/config"
+	infra "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes"
 	"github.com/envoyproxy/gateway/internal/ir"
 	"github.com/envoyproxy/gateway/internal/message"
 	"github.com/envoyproxy/gateway/internal/xds/translator"
@@ -52,7 +53,16 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
 				r.Xds.Delete(key)
 			} else {
 				// Translate to xds resources
-				result, err := translator.Translate(val)
+				t := &translator.Translator{}
+
+				// Set the rate limit service URL if global rate limiting is enabled.
+				if r.EnvoyGateway.RateLimit != nil {
+					t.GlobalRateLimit = &translator.GlobalRateLimitSettings{
+						ServiceURL: infra.GetRateLimitServiceURL(r.Namespace),
+					}
+				}
+
+				result, err := t.Translate(val)
 				if err != nil {
 					r.Logger.Error(err, "failed to translate xds ir")
 				} else {
diff --git a/internal/xds/translator/testdata/out/xds-ir/authn-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authn-ratelimit.clusters.yaml
@@ -63,8 +63,8 @@
       - endpoint:
           address:
             socketAddress:
-              address: TODO
-              portValue: 0
+              address: envoy-ratelimit.envoy-gateway-system.svc.cluster.local
+              portValue: 8081
   name: ratelimit_cluster
   respectDnsTtl: true
   type: STRICT_DNS
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml
@@ -63,8 +63,8 @@
       - endpoint:
           address:
             socketAddress:
-              address: TODO
-              portValue: 0
+              address: envoy-ratelimit.envoy-gateway-system.svc.cluster.local
+              portValue: 8081
   name: ratelimit_cluster
   respectDnsTtl: true
   type: STRICT_DNS
diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go
@@ -20,15 +20,28 @@ import (
 	"github.com/envoyproxy/gateway/internal/xds/types"
 )
 
+// Translator translates the xDS IR into xDS resources.
+type Translator struct {
+	// GlobalRateLimit holds the global rate limit settings
+	// required during xds translation.
+	GlobalRateLimit *GlobalRateLimitSettings
+}
+
+type GlobalRateLimitSettings struct {
+	// ServiceURL is the URL of the global
+	// rate limit service.
+	ServiceURL string
+}
+
 // Translate translates the XDS IR into xDS resources
-func Translate(ir *ir.Xds) (*types.ResourceVersionTable, error) {
+func (t *Translator) Translate(ir *ir.Xds) (*types.ResourceVersionTable, error) {
 	if ir == nil {
 		return nil, errors.New("ir is nil")
 	}
 
 	tCtx := new(types.ResourceVersionTable)
 
-	if err := processHTTPListenerXdsTranslation(tCtx, ir.HTTP); err != nil {
+	if err := t.processHTTPListenerXdsTranslation(tCtx, ir.HTTP); err != nil {
 		return nil, err
 	}
 
@@ -43,7 +56,7 @@ func Translate(ir *ir.Xds) (*types.ResourceVersionTable, error) {
 	return tCtx, nil
 }
 
-func processHTTPListenerXdsTranslation(tCtx *types.ResourceVersionTable, httpListeners []*ir.HTTPListener) error {
+func (t *Translator) processHTTPListenerXdsTranslation(tCtx *types.ResourceVersionTable, httpListeners []*ir.HTTPListener) error {
 	for _, httpListener := range httpListeners {
 		addFilterChain := true
 		var xdsRouteCfg *route.RouteConfiguration
@@ -70,7 +83,7 @@ func processHTTPListenerXdsTranslation(tCtx *types.ResourceVersionTable, httpLis
 		}
 
 		if addFilterChain {
-			if err := addXdsHTTPFilterChain(xdsListener, httpListener); err != nil {
+			if err := t.addXdsHTTPFilterChain(xdsListener, httpListener); err != nil {
 				return err
 			}
 		}
@@ -127,7 +140,7 @@ func processHTTPListenerXdsTranslation(tCtx *types.ResourceVersionTable, httpLis
 		// This is current O(n) right now, but it also leverages an existing
 		// object without allocating new memory. Consider improving it in the future.
 		if rlCluster := findXdsCluster(tCtx, getRateLimitServiceClusterName()); rlCluster == nil {
-			rlCluster := buildRateLimitServiceCluster(httpListener)
+			rlCluster := t.buildRateLimitServiceCluster(httpListener)
 			// Add cluster
 			if rlCluster != nil {
 				tCtx.AddXdsResource(resource.ClusterType, rlCluster)
diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go
@@ -19,6 +19,7 @@ import (
 	"google.golang.org/protobuf/proto"
 	"sigs.k8s.io/yaml"
 
+	infra "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes"
 	"github.com/envoyproxy/gateway/internal/ir"
 )
 
@@ -126,7 +127,12 @@ func TestTranslateXds(t *testing.T) {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			ir := requireXdsIRFromInputTestData(t, "xds-ir", tc.name+".yaml")
-			tCtx, err := Translate(ir)
+			tr := &Translator{
+				GlobalRateLimit: &GlobalRateLimitSettings{
+					ServiceURL: infra.GetRateLimitServiceURL("envoy-gateway-system"),
+				},
+			}
+			tCtx, err := tr.Translate(ir)
 			require.NoError(t, err)
 			listeners := tCtx.XdsResources[resource.ListenerType]
 			routes := tCtx.XdsResources[resource.RouteType]

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ func buildXdsTCPListener(name, address string, port uint32) *listener.Listener {`
`52`	`52`	`}`
`53`	`53`	`}`
`54`	`54`
`55`		`-func addXdsHTTPFilterChain(xdsListener listener.Listener, irListener ir.HTTPListener) error {`
	`55`	`+func (t Translator) addXdsHTTPFilterChain(xdsListener listener.Listener, irListener *ir.HTTPListener) error {`
`56`	`56`	`routerAny, err := anypb.New(&router.Router{})`
`57`	`57`	`if err != nil {`
`58`	`58`	`return err`
`@@ -121,7 +121,7 @@ func addXdsHTTPFilterChain(xdsListener listener.Listener, irListener ir.HTTPLi`
`121`	`121`
`122`	`122`	`// TODO: Make this a generic interface for all API Gateway features.`
`123`	`123`	`// https://github.com/envoyproxy/gateway/issues/882`
`124`		`- patchHCMWithRateLimit(mgr, irListener)`
	`124`	`+ t.patchHCMWithRateLimit(mgr, irListener)`
`125`	`125`
`126`	`126`	`// Add the jwt authn filter, if needed.`
`127`	`127`	`if err := patchHCMWithJwtAuthnFilter(mgr, irListener); err != nil {`