RLP v2 CRD

[eguzki]

Fixes #179

From RFC 0001

Group	Version	Kind
kuadrant.io	v2beta1	RateLimitPolicy

Example with all fields:

apiVersion: kuadrant.io/v2beta1
kind: RateLimitPolicy
metadata: {}
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: <HTTPROUTE-NAME>
  limits:
    <limit-name>:
      routeSelectors:           
      - hostnames:
         - "*.example.com"
        matches:                # []HTTPRouteMatch
        - path:                      # HTTPPathMatch 
            type: PathPrefix
            value: "/toys"
          method: GET          # HTTPMethod 
          headers:                # []HTTPHeaderMatch 
          - type: Exact
            name: "X-Canary"
            value: "1"
          queryParams:      # []HTTPQueryParamMatch 
          - type: Exact
            name: "q"
            value: "1"
      rates:
      - limit: 50
        duration: 1
        unit: minute
      counters:
      - auth.identity.username
      - context.request.http.path
      when:
      - selector: auth.identity.group
        operator: neq
        value: admin

[eguzki]

🤷

[eguzki]

this PR targets https://github.com/Kuadrant/kuadrant-operator/tree/rlp-v2-base

[eguzki]

Those well known selectors need to be properly documented

[guicassolato]

For RLP, I thought we were going with only eq and neq for now, so nothing needs to change in Limitador.

Suggested change

	// +kubebuilder:validation:Enum:=eq;neq;incl;excl;matches
	// +kubebuilder:validation:Enum:=eq;neq

[eguzki]

Well, not necessarily when conditions are going to be applied in Limitador. The wasm-shim can enforce those rules as well to save Limitador's traffic.

But It's ok to start with only eq and neq for now. We can extend those later.

[guicassolato]

Probably a debate for another forum, when discussing the attributions of the wasm-whim rather...

You are right about the wasm-shim technically being capable of enforcing all kinds of user-defined conditions (route related or non-route related) if we want it to. After all, it's all data the wasm-shim will need to request anyway to build the descriptors for the RL request.

I personally have always thought on route-related conditions evaluated by the wasm-shim and translated into one single descriptor to be matched by one single Limitador condition, which is the one with the identifier of the limit; and then conditions not related to route attributes, transparently passed along by the wasm-shim in the RL request and evaluated only by Limitador. But it doesn't have to be this way.

What I think you're suggesting as alternative is a bit bolder and could/would make the wasm-shim the solely evaluator of user-defined conditions effectively. Perhaps saving requests to Limitador is enough reason to do that.

Of course, requests to Limitador can only be saved when none of the limits have matching conditions, after all it takes only one single limit definition to have a matching condition for the wasm-shim to have to call Limitador. But perhaps the wasm-shim could be more selective and inject less descriptors when building requests to Limitador – i.e., only the ones for matching limit identifiers, because other conditions were all evaluated upfront by the wasm-shim itself and the limits are known to have to be triggered?

So less requests to Limitador and less conditions evaluated by Limitador in the cases where a RL request is unavoidable. 🤔

[didierofrivia]

If we already have some identified, maybe we could enum them ?

[eguzki]

the list is too big and we also do not want to limit to a set of options, do we? It is all about a context with attributes that can be added dynamically.

Right, @guicassolato ? BTW, do we know if this is documented? do we have a link?

[guicassolato]

It is documented, but it isn't. Perhaps the closest thing we've got is https://github.com/Kuadrant/authorino/blob/main/docs/architecture.md#the-authorization-json, combined with https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#envoy-v3-api-msg-service-auth-v3-checkrequest. What's not explicitly there is because it's really an open struct. But we do need a proper doc explaining it, with examples and all.

In the case of Authorino, the selectors include this as well: https://github.com/Kuadrant/authorino/blob/main/docs/features.md#common-feature-json-paths-valuefromauthjson

[guicassolato]

Adding as well https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors, which is already in a comment below and may be the best doc we had on the topic so far.

[eguzki]

The Envoy's Ext-Authz CheckRequest.AttributeContext type context may not be the same a wasm filter (or any filter) may access to.

This is promising doc: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes

[guicassolato]

I wonder if it shouldn't be v1beta2, provided v1beta1 may never become v1. WDYT?

#179 (comment)

[guicassolato]

I think some of these were removed.

[guicassolato]

Authorino conditions support only string comparisons too. I've been wondering lately if we shouldn't try to support any JSON/YAML value type. In the future, this may be helpful for numeric operators (e.g. greater than, lower than, etc), array lookups, etc. WDYT?

[eguzki]

Good point. For now, as the condition operator is either eq or neq, I would stick to literal (string).

[guicassolato]

This means a validation (which I like!) against the following pattern:

^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

Only to highlight that the example provided in the description of the PR (*example.com) is not valid.

[eguzki]

good catch! I will change it. (I think it was a typo anyway)

[eguzki]

ready for a new review @guicassolato

[didierofrivia]

Oh, so, we will still only cover the usage of HTTPRoute and Gateway. I thought for this v2 we were thinking on adding GatewayClass.. not sure about the VirtualService

[eguzki]

Currently, it is only HTTPRoute. #156

[didierofrivia]

Would be informative if we show in the error the valid namespace

[eguzki]

It's the current one. The rate limit policy's namespace.

Anyway, this is only about the CRD we can improve that in coming PR's with actual implementation

[guicassolato]

Worth saving the cost of cmp.Diff if !logger.V(1).Enabled()?

[guicassolato]

I wonder if order matters. If it does matter, do we want to enforce same order? I'm guessing "yes, we do", right?

[eguzki]

I have removed the GatewaysRateLimits struct from the status section of the CRD. I guess this is still a valid feature, but needs to be refactored entirely. We can add items to the status later when we implement the feature. Does it sound good to you?