BUG/MEDIUM: fix error on rate-limit-requests

hdurand0710 · Gopher Bot · commit ef11dd9a64d7 · 2026-02-02T10:35:21.000Z
With this commit, we allow to enable or not rate limit based on the present of rate-limit-request annotation.
If rate-limit-request is set, then other annotations related to rate-limit have default values:
- "rate-limit-size":        "100k",
- "rate-limit-period":      "1s",
- "rate-limit-status-code": "403",
but can be set as annotation too.
Commit 'MINOR: rate-limit: add rate-limit-whitelist annotation to exclude IPs' did reveal that we were  missing a default value for rate-limit-requests.
This was generating error logs during each cycle.
diff --git a/pkg/annotations/common/main.go b/pkg/annotations/common/main.go
@@ -52,30 +52,27 @@ func GetK8sPath(annotationName string, annotations ...map[string]string) (ns, na
 }
 
 var DefaultValues = map[string]string{
-	"auth-realm":             "Protected Content",
-	"check":                  "true",
-	"cors-allow-origin":      "*",
-	"cors-allow-methods":     "*",
-	"cors-allow-headers":     "*",
-	"cors-max-age":           "5s",
-	"cookie-indirect":        "true",
-	"cookie-nocache":         "true",
-	"cookie-type":            "insert",
-	"forwarded-for":          "true",
-	"load-balance":           "roundrobin",
-	"rate-limit-size":        "100k",
-	"rate-limit-period":      "1s",
-	"rate-limit-status-code": "403",
-	"request-capture-len":    "128",
-	"ssl-redirect-code":      "302",
-	"request-redirect-code":  "302",
-	"ssl-redirect-port":      "8443",
-	"ssl-passthrough":        "false",
-	"server-ssl":             "false",
-	"scale-server-slots":     "42",
-	"client-crt-optional":    "false",
-	"tls-alpn":               "h2,http/1.1",
-	"quic-alt-svc-max-age":   "60",
+	"auth-realm":            "Protected Content",
+	"check":                 "true",
+	"cors-allow-origin":     "*",
+	"cors-allow-methods":    "*",
+	"cors-allow-headers":    "*",
+	"cors-max-age":          "5s",
+	"cookie-indirect":       "true",
+	"cookie-nocache":        "true",
+	"cookie-type":           "insert",
+	"forwarded-for":         "true",
+	"load-balance":          "roundrobin",
+	"request-capture-len":   "128",
+	"ssl-redirect-code":     "302",
+	"request-redirect-code": "302",
+	"ssl-redirect-port":     "8443",
+	"ssl-passthrough":       "false",
+	"server-ssl":            "false",
+	"scale-server-slots":    "42",
+	"client-crt-optional":   "false",
+	"tls-alpn":              "h2,http/1.1",
+	"quic-alt-svc-max-age":  "60",
 }
 
 // GetValuesAndIndices retrieves values of a specific annotation from multiple annotations maps.
diff --git a/pkg/haproxy/rules/reqRatelimit.go b/pkg/haproxy/rules/reqRatelimit.go
@@ -20,6 +20,10 @@ type ReqRateLimit struct {
 	WhitelistMaps  []maps.Path // Pattern file references
 }
 
+const (
+	defaultRateLimitStatueCode = "403"
+)
+
 func (r ReqRateLimit) GetType() Type {
 	return REQ_RATELIMIT
 }
@@ -28,8 +32,18 @@ func (r ReqRateLimit) Create(client api.HAProxyClient, frontend *models.Frontend
 	if frontend.Mode == "tcp" {
 		return errors.New("request Track cannot be configured in TCP mode")
 	}
+
+	// ReqsLimit == 0 means rate-limit disabled
+	if r.ReqsLimit == 0 {
+		return nil
+	}
 	condTest := fmt.Sprintf("{ sc0_http_req_rate(%s) gt %d }", r.TableName, r.ReqsLimit)
 
+	err := r.applyDefaults()
+	if err != nil {
+		return err
+	}
+
 	// Build whitelist conditions if configured
 	// If whitelist is set, only apply rate limiting if source IP is NOT in the whitelist
 	if len(r.WhitelistIPs) > 0 || len(r.WhitelistMaps) > 0 {
@@ -58,3 +72,14 @@ func (r ReqRateLimit) Create(client api.HAProxyClient, frontend *models.Frontend
 	}
 	return client.FrontendHTTPRequestRuleCreate(0, frontend.Name, httpRule, ingressACL)
 }
+
+func (r *ReqRateLimit) applyDefaults() error {
+	if r.DenyStatusCode == 0 {
+		code, err := utils.ParseInt(defaultRateLimitStatueCode)
+		if err != nil {
+			return err
+		}
+		r.DenyStatusCode = code
+	}
+	return nil
+}
diff --git a/pkg/haproxy/rules/reqTrack.go b/pkg/haproxy/rules/reqTrack.go
@@ -18,6 +18,11 @@ type ReqTrack struct {
 	TrackKey    string
 }
 
+const (
+	defaultPeriod    = "1s"
+	defaultTableSize = "100k"
+)
+
 func (r ReqTrack) GetType() Type {
 	return REQ_TRACK
 }
@@ -26,6 +31,10 @@ func (r ReqTrack) Create(client api.HAProxyClient, frontend *models.Frontend, in
 	if frontend.Mode == "tcp" {
 		return errors.New("request Track cannot be configured in TCP mode")
 	}
+	err := r.applyDefaults()
+	if err != nil {
+		return err
+	}
 
 	// Create tracking table.
 	if !client.BackendUsed(r.TableName) {
@@ -54,3 +63,21 @@ func (r ReqTrack) Create(client api.HAProxyClient, frontend *models.Frontend, in
 	}
 	return client.FrontendHTTPRequestRuleCreate(0, frontend.Name, httpRule, ingressACL)
 }
+
+func (r *ReqTrack) applyDefaults() error {
+	if r.TablePeriod == nil {
+		period, err := utils.ParseTime(defaultPeriod)
+		if err != nil {
+			return err
+		}
+		r.TablePeriod = utils.PtrInt64(*period)
+	}
+	if r.TableSize == nil {
+		size, err := utils.ParseSize(defaultTableSize)
+		if err != nil {
+			return err
+		}
+		r.TableSize = size
+	}
+	return nil
+}
