internal/xdscache: include global rate limits for secure vhosts

Fixes a bug where global rate limit policies were being ignored when defined at the virtual host level on secure vhosts. Fixes #3409. Signed-off-by: Steve Kriss <krisss@vmware.com>
projectcontour · Feb 25, 2021 · 8aeae97 · 8aeae97
1 parent 47abf22
commit 8aeae97
Show file tree

Hide file tree

Showing 3 changed files with 223 additions and 0 deletions.
diff --git a/_integration/testsuite/httpproxy/020-global-rate-limiting.yaml b/_integration/testsuite/httpproxy/020-global-rate-limiting.yaml
@@ -37,6 +37,8 @@ $apply:
 
 ---
 
+# Test Case 1: non-TLS virtual hosts
+
 # Create the HTTPProxy without rate limits first
 # and wait until we get a 200 from it before applying
 # rate limits and counting responses. This ensures
@@ -229,3 +231,208 @@ Response := client.Get({
 check_for_status_code [msg] {
   msg := expect.response_status_is(Response, 200)
 }
+
+---
+
+# Test Case 2: TLS virtual hosts
+
+# Create a self-signed issuer to give us secrets.
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tlsvhostratelimit
+spec:
+  dnsNames:
+  - tls.vhostratelimit.projectcontour.io
+  secretName: tlsvhostratelimit
+  issuerRef:
+    name: selfsigned
+    kind: ClusterIssuer
+
+---
+
+# TLS vhost with a global rate limit policy on the virtual host.
+
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: tlsvhostratelimit
+spec:
+  virtualhost:
+    fqdn: tls.vhostratelimit.projectcontour.io
+    tls:
+      secretName: tlsrouteratelimit
+    rateLimitPolicy:
+      global:
+        descriptors:
+          - entries:
+              - genericKey:
+                  value: tlsvhostlimit
+  routes:
+  - services:
+    - name: echo
+      port: 80
+---
+
+# Make a request against the proxy, confirm a 200 response
+# is returned since we're allowed one request per hour.
+
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
+
+Response := client.Get({
+  "url": url.https("/"),
+  "headers": {
+    "Host": "tls.vhostratelimit.projectcontour.io",
+    "User-Agent": client.ua("global-rate-limit"),
+  },
+  "tls_insecure_skip_verify": true,
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 200)
+}
+
+---
+
+# Make another request against the proxy, confirm a 429
+# response is now gotten since we've exceeded the rate
+# limit.
+
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
+
+Response := client.Get({
+  "url": url.https("/"),
+  "headers": {
+    "Host": "tls.vhostratelimit.projectcontour.io",
+    "User-Agent": client.ua("global-rate-limit"),
+  },
+  "tls_insecure_skip_verify": true,
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 429)
+}
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tlsrouteratelimit
+spec:
+  dnsNames:
+  - tls.routeratelimit.projectcontour.io
+  secretName: tlsrouteratelimit
+  issuerRef:
+    name: selfsigned
+    kind: ClusterIssuer
+
+---
+
+# TLS vhost with a global rate limit policy on the route.
+
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: tlsrouteratelimit
+spec:
+  virtualhost:
+    fqdn: tls.routeratelimit.projectcontour.io
+    tls:
+      secretName: tlsvhostratelimit
+  routes:
+  - services:
+    - name: echo
+      port: 80
+    rateLimitPolicy:
+      global:
+        descriptors:
+          - entries:
+              - genericKey:
+                  value: tlsroutelimit
+  - conditions:
+      - prefix: /unlimited
+    services:
+    - name: echo
+      port: 80
+---
+
+# Make a request against the proxy, confirm a 200 response
+# is returned since we're allowed one request per hour.
+
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
+
+Response := client.Get({
+  "url": url.https("/"),
+  "headers": {
+    "Host": "tls.routeratelimit.projectcontour.io",
+    "User-Agent": client.ua("global-rate-limit"),
+  },
+  "tls_insecure_skip_verify": true,
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 200)
+}
+
+---
+
+# Make another request against the proxy, confirm a 429
+# response is now gotten since we've exceeded the rate
+# limit.
+
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
+
+Response := client.Get({
+  "url": url.https("/"),
+  "headers": {
+    "Host": "tls.routeratelimit.projectcontour.io",
+    "User-Agent": client.ua("global-rate-limit"),
+  },
+  "tls_insecure_skip_verify": true,
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 429)
+}
+
+---
+
+# Make a request against the route that doesn't have
+# rate limiting to confirm we still get a 200 for that
+# route.
+
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
+
+Response := client.Get({
+  "url": url.https("/unlimited"),
+  "headers": {
+    "Host": "tls.routeratelimit.projectcontour.io",
+    "User-Agent": client.ua("global-rate-limit"),
+  },
+  "tls_insecure_skip_verify": true,
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 200)
+}
diff --git a/_integration/testsuite/install-ratelimit-service.sh b/_integration/testsuite/install-ratelimit-service.sh
@@ -51,6 +51,16 @@ data:
         rate_limit:
           unit: hour
           requests_per_unit: 1
+      - key: generic_key
+        value: tlsvhostlimit
+        rate_limit:
+          unit: hour
+          requests_per_unit: 1
+      - key: generic_key
+        value: tlsroutelimit
+        rate_limit:
+          unit: hour
+          requests_per_unit: 1
 EOF
 
 # Create the ratelimit deployment, service and extension service.

diff --git a/internal/xdscache/v3/route.go b/internal/xdscache/v3/route.go
@@ -248,6 +248,9 @@ func (v *routeVisitor) onSecureVirtualHost(svh *dag.SecureVirtualHost) {
 			}
 			evh.TypedPerFilterConfig["envoy.filters.http.local_ratelimit"] = envoy_v3.LocalRateLimitConfig(svh.RateLimitPolicy.Local, "vhost."+svh.Name)
 		}
+		if svh.RateLimitPolicy != nil && svh.RateLimitPolicy.Global != nil {
+			evh.RateLimits = envoy_v3.GlobalRateLimits(svh.RateLimitPolicy.Global.Descriptors)
+		}
 
 		v.routes[name].VirtualHosts = append(v.routes[name].VirtualHosts, evh)
 
@@ -270,6 +273,9 @@ func (v *routeVisitor) onSecureVirtualHost(svh *dag.SecureVirtualHost) {
 				}
 				fvh.TypedPerFilterConfig["envoy.filters.http.local_ratelimit"] = envoy_v3.LocalRateLimitConfig(svh.RateLimitPolicy.Local, "vhost."+svh.Name)
 			}
+			if svh.RateLimitPolicy != nil && svh.RateLimitPolicy.Global != nil {
+				fvh.RateLimits = envoy_v3.GlobalRateLimits(svh.RateLimitPolicy.Global.Descriptors)
+			}
 
 			v.routes[ENVOY_FALLBACK_ROUTECONFIG].VirtualHosts = append(v.routes[ENVOY_FALLBACK_ROUTECONFIG].VirtualHosts, fvh)
 		}