CE: Remove RequestLimiter config plumbing (#28592)

This PR provides some plumbing for the enterprise counterpart PR: hashicorp/vault-enterprise#6791
hashicorp · Oct 4, 2024 · 6a145af · 6a145af
1 parent c7b029e
commit 6a145af
Show file tree

Hide file tree

Showing 8 changed files with 38 additions and 156 deletions.
diff --git a/command/command_stubs_oss.go b/command/command_stubs_oss.go
@@ -27,8 +27,7 @@ func entGetFIPSInfoKey() string {
 	return ""
 }
 
-func entGetRequestLimiterStatus(coreConfig vault.CoreConfig) string {
-	return ""
+func entCheckRequestLimiter(_cmd *ServerCommand, _config *server.Config) {
 }
 
 func entExtendAddonHandlers(handlers *vaultHandlers) {}
diff --git a/command/server.go b/command/server.go
@@ -448,6 +448,8 @@ func (c *ServerCommand) parseConfig() (*server.Config, []configutil.ConfigError,
 		config.Entropy = nil
 	}
 
+	entCheckRequestLimiter(c, config)
+
 	return config, configErrors, nil
 }
 
@@ -1431,12 +1433,6 @@ func (c *ServerCommand) Run(args []string) int {
 		info["HCP resource ID"] = config.HCPLinkConf.Resource.ID
 	}
 
-	requestLimiterStatus := entGetRequestLimiterStatus(coreConfig)
-	if requestLimiterStatus != "" {
-		infoKeys = append(infoKeys, "request limiter")
-		info["request limiter"] = requestLimiterStatus
-	}
-
 	infoKeys = append(infoKeys, "administrative namespace")
 	info["administrative namespace"] = config.AdministrativeNamespacePath
 

diff --git a/website/content/docs/concepts/request-limiter/index.mdx b/website/content/docs/concepts/request-limiter/index.mdx
diff --git a/website/content/docs/configuration/index.mdx b/website/content/docs/configuration/index.mdx
@@ -224,14 +224,14 @@ can have a negative effect on performance due to the tracking of each lock attem
   This can also be specified via the `VAULT_LOG_LEVEL` environment variable.
 
   <Note>
-  
+
   On SIGHUP (`sudo kill -s HUP` _pid of vault_), if a valid value is specified, Vault will update the existing log level,
   overriding (even if specified) both the CLI flag and environment variable.
 
   </Note>
 
   <Note>
-  
+
   Not all parts of Vault's logging can have its log level be changed dynamically this way; in particular,
   secrets/auth plugins are currently not updated dynamically.
 
@@ -257,9 +257,6 @@ can have a negative effect on performance due to the tracking of each lock attem
   When `imprecise_lease_role_tracking` is set to true and a new role-based quota is enabled, subsequent lease counts start from 0.
   `imprecise_lease_role_tracking` affects role-based lease count quotas, but reduces latencies when not using role based quotas.
 
-- `request_limiter` `([Request Limiter][request-limiter]: <none>)` – Allows
-  operators to enable Vault's Request Limiter functionality.
-
 ### High availability parameters
 
 The following parameters are used on backends that support [high availability][high-availability].
@@ -304,7 +301,7 @@ The following parameters are only used with Vault Enterprise
   provided via the environment variable `VAULT_LICENSE_PATH`, or the license
   itself can be provided in the environment variable `VAULT_LICENSE`.
 
-- `administrative_namespace_path` `(string: "")` - Specifies the absolute path 
+- `administrative_namespace_path` `(string: "")` - Specifies the absolute path
   to the Vault namespace to be used as an [Administrative namespace](/vault/docs/enterprise/namespaces/create-admin-namespace).
 
 [storage-backend]: /vault/docs/configuration/storage
@@ -315,4 +312,3 @@ The following parameters are only used with Vault Enterprise
 [sentinel]: /vault/docs/configuration/sentinel
 [high-availability]: /vault/docs/concepts/ha
 [plugins]: /vault/docs/plugins
-[request-limiter]: /vault/docs/concepts/request-limiter
diff --git a/website/content/docs/configuration/listener/tcp/index.mdx b/website/content/docs/configuration/listener/tcp/index.mdx
@@ -296,10 +296,6 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co
 - `disable_replication_status_endpoints` `(bool: false)` - Disables replication
   status endpoints for the configured listener when set to `true`.
 
-- `disable_request_limiter` `(bool: false)` - Disables the request limiter for
-  this listener. The default configuration will honor the global
-  [configuration](/vault/docs/configuration/request-limiter).
-
 ### `telemetry` parameters
 
 - `unauthenticated_metrics_access` `(bool: false)` - If set to true, allows

diff --git a/website/content/docs/configuration/request-limiter.mdx b/website/content/docs/configuration/request-limiter.mdx
diff --git a/website/content/docs/upgrading/upgrade-to-1.18.x.mdx b/website/content/docs/upgrading/upgrade-to-1.18.x.mdx
@@ -97,3 +97,35 @@ kubectl exec -ti <NAME> -- wget https://github.com/moparisthebest/static-curl/re
 ```
 
 **NOTE:** When using this option you'll want to verify that the static binary comes from a trusted source.
+
+### Request limiter configuration removal
+
+Vault 1.16.0 included an experimental request limiter. The limiter was disabled
+by default with an opt-in `request_limiter` configuration.
+
+Further testing indicated that an alternative approach improves performance and
+reduces risk for many workloads. Vault 1.17.0 included a new [adaptive overload
+protection](/vault/docs/concepts/adaptive-overload-protection) feature that
+prevents outages when Vault is overwhelmed by write requests.
+
+Adaptive overload protection was a beta feature in 1.17.0.
+
+As of Vault 1.18.0, the adaptive overload protection feature for writes is
+now GA and enabled by default for the integrated storage backend.
+
+The beta `request_limiter` configuration stanza is officially removed in Vault 1.18.0.
+
+Vault will output two types of warnings if the `request_limiter` stanza is
+detected in your Vault config.
+
+1. A UI warning message printed to `stderr`:
+
+```text
+WARNING: Request Limiter configuration is no longer supported; overriding server configuration to disable
+```
+
+2. A log line with level `WARN`, appearing in Vault's logs:
+
+```text
+... [WARN]  unknown or unsupported field request_limiter found in configuration at config.hcl:22:1
+```
diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json
@@ -321,25 +321,6 @@
           "color": "neutral"
         }
       },
-      {
-        "title": "Request Limiter",
-        "badge": {
-          "text": "ENTERPRISE | DEPRECATED",
-          "type": "outlined",
-          "color": "neutral"
-        },
-        "routes": [
-          {
-            "title": "Overview",
-            "path": "concepts/request-limiter",
-            "badge": {
-              "text": "BETA",
-              "type": "outlined",
-              "color": "highlight"
-            }
-          }
-        ]
-      },
       {
         "title": "Adaptive overload protection",
         "badge": {
@@ -595,10 +576,6 @@
         "title": "<code>telemetry</code>",
         "path": "configuration/telemetry"
       },
-      {
-        "title": "<code>Request Limiter</code>",
-        "path": "configuration/request-limiter"
-      },
       {
         "title": "Adaptive overload protection",
         "path": "configuration/adaptive-overload-protection"