Envoy rate limit descriptor fix #11153
Conversation
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
|
Need to add associated documentation changes for the new configuration option. Opening PR so that @ramaraochavali can view it. |
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
| @@ -1385,6 +1385,10 @@ message RateLimit { | |||
|
|
|||
| // The key to use in the descriptor entry. | |||
| string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}]; | |||
|
|
|||
| // The optional parameter which determines if the RLS is called if a request | |||
There was a problem hiding this comment.
If set to true, Envoy skips the descriptor while calling rate limiting service when header is not present in the request. Defaults to false, which skips calling rate limiting service if this header is not present in the request.
| @@ -38,10 +38,14 @@ bool RequestHeadersAction::populateDescriptor(const Router::RouteEntry&, | |||
| const Http::HeaderMap& headers, | |||
| const Network::Address::Instance&) const { | |||
| const Http::HeaderEntry* header_value = headers.get(header_name_); | |||
| if (!header_value) { | |||
| if (!header_value && !skip_if_absent_) { | |||
There was a problem hiding this comment.
nit: Simplify it like this and add a comment
if (!header_value) {
return skip_if_absent_;
}
| @@ -366,6 +366,94 @@ TEST_F(RateLimitPolicyEntryTest, RequestHeaders) { | |||
| testing::ContainerEq(descriptors_)); | |||
| } | |||
|
|
|||
| // Validate that a descriptor is added if at least one request header has value. | |||
| TEST_F(RateLimitPolicyEntryTest, RequestHeadersPartialMatchWithSkipIfAbsent) { | |||
There was a problem hiding this comment.
/s/RequestHeadersPartialMatchWithSkipIfAbsent/RequestHeadersWithSkipIfAbsent
| testing::ContainerEq(descriptors_)); | ||
| } | ||
|
|
||
| TEST_F(RateLimitPolicyEntryTest, RequestHeadersPartialMatchWithoutSkipIfAbsent) { |
There was a problem hiding this comment.
/s/RequestHeadersPartialMatchWithoutSkipIfAbsent/RequestHeadersWithDefaultSkipIfAbsent and add a comment above the test
| testing::ContainerEq(descriptors_)); | ||
| } | ||
|
|
||
| TEST_F(RateLimitPolicyEntryTest, RequestHeadersMatchDefaultSkipIfAbsent) { |
| EXPECT_TRUE(descriptors_.empty()); | ||
| } | ||
|
|
||
| TEST_F(RateLimitPolicyEntryTest, RequestHeadersCompleteMatch) { |
There was a problem hiding this comment.
This also should have been tested already
|
Add a version history entry https://github.com/envoyproxy/envoy/blob/master/docs/root/version_history/current.rst in alpha order |
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
| @@ -39,10 +39,11 @@ Changes | |||
| * network filters: added a :ref:`rocketmq proxy filter <config_network_filters_rocketmq_proxy>`. | |||
| * prometheus stats: fix the sort order of output lines to comply with the standard. | |||
| * request_id: added to :ref:`always_set_request_id_in_response setting <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.always_set_request_id_in_response>` | |||
| to set :ref:`x-request-id <config_http_conn_man_headers_x-request-id>` header in response even if | |||
| to set :ref:`x-request-id <config_http_conn_man_headers_x-request-id>` header in response even if skip_if_absent | |||
There was a problem hiding this comment.
not needed change looks like?
There was a problem hiding this comment.
Yup, pushing the fix, accidental change
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
| @@ -1385,6 +1385,11 @@ message RateLimit { | |||
|
|
|||
| // The key to use in the descriptor entry. | |||
| string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}]; | |||
|
|
|||
| // If set to true, Envoy skips the descriptor while calling rate limiting service | |||
| // when header is not present in the request. Defaults to false, which skips calling | |||
There was a problem hiding this comment.
| // when header is not present in the request. Defaults to false, which skips calling | |
| // when header is not present in the request. By default this skips calling |
i.e. it's redundant to say that the default of a primitive proto3 type is false, but your description of the actual behavior is very helpful.
There was a problem hiding this comment.
Sounds good, @htuch! Pushed the changes as you suggested! Thanks!
| @@ -43,6 +43,7 @@ Changes | |||
| tracing is not forced. | |||
| * router: allow retries of streaming or incomplete requests. This removes stat `rq_retry_skipped_request_not_complete`. | |||
| * router: allow retries by default when upstream responds with :ref:`x-envoy-overloaded <config_http_filters_router_x-envoy-overloaded_set>`. | |||
| * router: allow Rate Limiting service to be called in case of missing request header for a descriptor if the :ref:`skip_if_absent <envoy_v3_api_field_config.route.v3.RateLimit.Action.RequestHeaders.skip_if_absent>` field is set to true. | |||
Signed-off-by: Rohan Seth <rohan@Rohans-MacBook-Pro.local>
karbon0x
force-pushed
the
envoy-rate-limit-descriptor-fix
branch
from
26eebbf to
9cfaeaa
Compare
|
@rohan07 please never force push. It makes reviews much more difficult. Thanks! |
| @@ -38,10 +38,11 @@ bool RequestHeadersAction::populateDescriptor(const Router::RouteEntry&, | |||
| const Http::HeaderMap& headers, | |||
| const Network::Address::Instance&) const { | |||
| const Http::HeaderEntry* header_value = headers.get(header_name_); | |||
|
|
|||
| // If header is not present and skip_if_absent_ is true, ignore the descriptor | |||
There was a problem hiding this comment.
This comment is still not correct. Returning has no bearing on whether skip_if_absent_ is true?
|
Thanks please merge master and force push to fix DCO. /wait |
|
Apologies @mattklein123 - My previous force push was also because of the DCO. I was experiencing some performance issues with my old machine so had to get a new one. |
karbon0x
force-pushed
the
envoy-rate-limit-descriptor-fix
branch
3 times, most recently
from
c7c58a2 to
a83afa4
Compare
Signed-off-by: Rohan Seth <rohan@Rohans-MacBook-Pro.local>
karbon0x
force-pushed
the
envoy-rate-limit-descriptor-fix
branch
from
ca3ca83 to
281b9e4
Compare
…descriptor-fix Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
|
Hi @mattklein123 - Apologies again, it wasn't allowing me to sign off on my previous commit using my new machine for some reason, it worked from my previous machine. Thanks for your help! |
|
Hi @mattklein123 - I am seeing some of the other PR's which are open facing the same issue with circleci/coverage failing (with 96.7%, lower than the 97% threshold). I believe during my earlier commits, the particular test was passing. Can you please advise the future steps I should take? |
|
/retest |
|
🔨 rebuilding |
…descriptor-fix Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
For an explanation of how to fill out the fields, please see the relevant section
in PULL_REQUESTS.md
Description: It resolves - #10124 indirectly by adding an extra config flag to RequestHeaders through which it is possible for descriptors to be sent on a partial match
Risk Level: low - optional feature
Testing: unit tests added
Docs Changes: Added
Release Notes: Added
[Optional Fixes #Issue] Fixes #10124
[Optional Deprecated:]