8000 Rate limit with zone sync and scale by pdabelf5 · Pull Request #7521 · nginx/kubernetes-ingress · GitHub
[go: up one dir, main page]
Skip to content

Rate limit with zone sync and scale #7521

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 17 commits into from
Mar 25, 2025
Merged

Rate limit with zone sync and scale #7521

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
fc14f54
suppress scale when using zone sync on ratelimit policy
pdabelf5 Mar 3, 2025
075d22c
remove warning event from vs
AlexFenlon Mar 13, 2025
bb9f322
add ingress zonesync test
pdabelf5 Mar 14, 2025
74e04a5
fix VS becoming invalid when applying zone-sync after VS
AlexFenlon Mar 14, 2025
ed4e730
fix ingress bug becoming invalid when applying zone-sync after ingres…
AlexFenlon Mar 14, 2025
8000
51976c7
updates to simplify zone name with sync
pdabelf5 Mar 17, 2025
af45a63
update ingress tests
pdabelf5 Mar 17, 2025
5d6e6f1
set correct ingress name for minion test
pdabelf5 Mar 17, 2025
c60b953
clean up test markers
pdabelf5 Mar 17, 2025
d36f56b
Merge branch 'main' into scale-no-warnings
pdabelf5 Mar 17, 2025
6efd1af
skip plus test in oss
pdabelf5 Mar 17, 2025
26206bf
remove comment as it works
AlexFenlon Mar 18, 2025
d658083
Merge branch 'main' into scale-no-warnings
AlexFenlon Mar 18, 2025
913a9c7
Merge branch 'main' into scale-no-warnings
AlexFenlon Mar 24, 2025
0a03fe6
Merge branch 'main' into scale-no-warnings
pdabelf5 Mar 24, 2025
42475e8
Merge branch 'main' into scale-no-warnings
AlexFenlon Mar 24, 2025
243196b
Merge branch 'main' into scale-no-warnings
pdabelf5 Mar 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion internal/configs/ingress.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -272,6 +272,9 @@ func generateNginxCfg(p NginxCfgParams) (version1.IngressNginxConfig, Warnings)

if cfgParams.LimitReqRate != "" {
zoneName := p.ingEx.Ingress.Namespace + "/" + p.ingEx.Ingress.Name
if p.ingEx.ZoneSync {
zoneName = fmt.Sprintf("%v_sync", zoneName)
}
loc.LimitReq = &version1.LimitReq{
Zone: zoneName,
Burst: cfgParams.LimitReqBurst,
Expand All @@ -284,7 +287,12 @@ func generateNginxCfg(p NginxCfgParams) (version1.IngressNginxConfig, Warnings)
if !limitReqZoneExists(limitReqZones, zoneName) {
rate := cfgParams.LimitReqRate
if cfgParams.LimitReqScale && p.ingressControllerReplicas > 0 {
rate = scaleRatelimit(rate, p.ingressControllerReplicas)
if p.ingEx.ZoneSync {
warningText := fmt.Sprintf("Ingress %s/%s: both zone sync and rate limit scale are enabled, the rate limit scale value will not be used.", p.ingEx.Ingress.Namespace, p.ingEx.Ingress.Name)
nl.Warn(l, warningText)
} else {
rate = scaleRatelimit(rate, p.ingressControllerReplicas)
}
}
limitReqZones = append(limitReqZones, version1.LimitReqZone{
Name: zoneName,
Expand Down
10 changes: 2 additions & 8 deletions internal/configs/ingress_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1173,7 +1173,7 @@ func TestGenerateNginxCfgForLimitReqZoneSync(t *testing.T) {

expectedZones := []version1.LimitReqZone{
{
Name: "default/cafe-ingress",
Name: "default/cafe-ingress_sync",
Key: "${request_uri}",
Size: "11m",
Rate: "200r/s",
Expand Down Expand Up @@ -1337,14 +1337,11 @@ func TestGenerateNginxCfgForLimitReqWithScaling(t *testing.T) {
for _, server := range result.Servers {
for _, location := range server.Locations {
if !reflect.DeepEqual(location.LimitReq, expectedReqs) {
t.Errorf("generateNginxCfg returned \n%v, but expected \n%v", result.LimitReqZones, expectedZones)
t.Errorf("generateNginxCfg returned \n%v, but expected \n%v", location.LimitReq, expectedReqs)
}
}
}

if !reflect.DeepEqual(result.LimitReqZones, expectedZones) {
t.Errorf("generateNginxCfg returned \n%v, but expected \n%v", result.LimitReqZones, expectedZones)
}
if len(warnings) != 0 {
t.Errorf("generateNginxCfg returned warnings: %v", warnings)
}
Expand Down Expand Up @@ -1431,9 +1428,6 @@ func TestGenerateNginxCfgForMergeableIngressesForLimitReqWithScaling(t *testing.
}
}

if !reflect.DeepEqual(result.LimitReqZones, expectedZones) {
t.Errorf("generateNginxCfg returned \n%v, but expected \n%v", result.LimitReqZones, expectedZones)
}
if len(warnings) != 0 {
t.Errorf("generateNginxCfg returned warnings: %v", warnings)
}
Expand Down
29 changes: 28 additions & 1 deletion internal/configs/version1/__snapshots__/template_test.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1217,7 +1217,7 @@ server {
# configuration for default/myingress


limit_req_zone ${binary_remote_addr} zone=default/zone1:10m rate=200r/s sync;
limit_req_zone ${binary_remote_addr} zone=default/zone1_sync:10m rate=200r/s sync;



Expand All @@ -1235,6 +1235,33 @@ server {



location / {
set $service "";
status_zone "";
proxy_http_version 1.1;

proxy_connect_timeout ;
proxy_read_timeout ;
proxy_send_timeout ;
client_max_body_size ;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_pass http://test;


limit_req zone=default/myingress_sync burst=100;


limit_req_status 429;

}

}

---
Expand Down
2 changes: 1 addition & 1 deletion internal/configs/version1/nginx-plus.ingress.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -321,7 +321,7 @@ server {
{{- end}}

{{with $location.LimitReq}}
limit_req zone={{ $location.LimitReq.Zone }} {{if $location.LimitReq.Burst}}burst={{$location.LimitReq.Burst}}{{end}} {{if $location.LimitReq.NoDelay}}nodelay{{else if $location.LimitReq.Delay}}delay={{$location.LimitReq.Delay}}{{end}};
limit_req zone={{ $location.LimitReq.Zone }}{{- if $location.LimitReq.Burst }} burst={{$location.LimitReq.Burst}}{{- end }}{{- if $location.LimitReq.NoDelay }} nodelay{{- else if $location.LimitReq.Delay }} delay={{$location.LimitReq.Delay}}{{- end }};
{{if $location.LimitReq.DryRun}}limit_req_dry_run on;{{end}}
{{if $location.LimitReq.LogLevel}}limit_req_log_level {{$location.LimitReq.LogLevel}};{{end}}
{{if $location.LimitReq.RejectCode}}limit_req_status {{$location.LimitReq.RejectCode}};{{end}}
Expand Down
16 changes: 14 additions & 2 deletions internal/configs/version1/template_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1829,11 +1829,22 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithRequestRateLimitZoneSync(t *t
Servers: []Server{
{
Name: "test.example.com",
Locations: []Location{
{
Path: "/",
Upstream: testUpstream,
LimitReq: &LimitReq{
Zone: "default/myingress_sync",
Burst: 100,
RejectCode: 429,
},
},
},
},
},
LimitReqZones: []LimitReqZone{
{
Name: "default/zone1",
Name: "default/zone1_sync",
Key: "${binary_remote_addr}",
Size: "10m",
Rate: "200r/s",
Expand All @@ -1850,7 +1861,8 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithRequestRateLimitZoneSync(t *t
ingConf := buf.String()

wantDirectives := []string{
"limit_req_zone ${binary_remote_addr} zone=default/zone1:10m rate=200r/s sync;",
"limit_req_zone ${binary_remote_addr} zone=default/zone1_sync:10m rate=200r/s sync;",
"limit_req zone=default/myingress_sync burst=100;",
}

for _, want := range wantDirectives {
Expand Down
6 changes: 3 additions & 3 deletions internal/configs/version2/__snapshots__/templates_test.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2913,7 +2913,7 @@ map $http_x_version $match_0_0 {
default 0;
}
# HTTP snippet
limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s sync;
limit_req_zone $url zone=pol_rl_test_test_test_sync:10m rate=10r/s sync;

server {
listen 80 proxy_protocol;
Expand Down Expand Up @@ -2948,7 +2948,7 @@ server {
allow all;
limit_req_log_level error;
limit_req_status 503;
limit_req zone=pol_rl_test_test_test burst=5 delay=10;
limit_req zone=pol_rl_test_test_test_sync burst=5 delay=10;
auth_jwt "My Api";
auth_jwt_key_file jwk-secret;
app_protect_enable on;
Expand Down Expand Up @@ -3021,7 +3021,7 @@ server {
deny all;
deny 127.0.0.1;
allow all;
limit_req zone=loc_pol_rl_test_test_test;
limit_req zone=loc_pol_rl_test_test_test_sync;


proxy_ssl_certificate egress-mtls-secret.pem;
Expand Down
Loading
0