Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

global rate limiting policy ignored when defined for a TLS virtual host at the vhost level #3409

Closed
skriss opened this issue Feb 25, 2021 · 0 comments · Fixed by #3410
Closed

global rate limiting policy ignored when defined for a TLS virtual host at the vhost level #3409

skriss opened this issue Feb 25, 2021 · 0 comments · Fixed by #3410
Assignees
@skriss
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@skriss
Copy link
Member

skriss commented Feb 25, 2021
edited
Loading

What steps did you take and what happened:

  1. Define a proxy like the following:
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: proxy-1
spec:
  routes:
  - services:
    - name: s1
      port: 80
  virtualhost:
    fqdn: contour.stevekriss.com
    tls:
      secretName: proxy-1-cert
    rateLimitPolicy:
      global:
        descriptors:
        - entries:
          - remoteAddress: {}
  1. Configure a rate limit on remote address in the RLS.
  2. curl contour.stevekriss.com repeatedly, observe the rate limit not taking effect

What did you expect to happen:

The rate limit should take effect.

Anything else you would like to add:

Global rate limit policies for non-TLS vhosts work fine. Also, global rate limit policies defined on individual routes for a TLS vhost work fine.

As such, a valid workaround is to define your global rate limit policy once for each route on your TLS vhost.

Environment:

  • Contour version: 1.13
@skriss skriss added the kind/bug Categorizes issue or PR as related to a bug. label Feb 25, 2021
@skriss skriss self-assigned this Feb 25, 2021
skriss added a commit to skriss/contour that referenced this issue Feb 25, 2021
@skriss
internal/xdscache: include global rate limits for secure vhosts
85d5643 
Fixes a bug where global rate limit policies were being ignored
when defined at the virtual host level on secure vhosts.

Fixes projectcontour#3409.

Signed-off-by: Steve Kriss <krisss@vmware.com>
@skriss skriss mentioned this issue Feb 25, 2021
Merged
skriss added a commit to skriss/contour that referenced this issue Feb 25, 2021
@skriss
internal/xdscache: include global rate limits for secure vhosts
8aeae97 
Fixes a bug where global rate limit policies were being ignored
when defined at the virtual host level on secure vhosts.

Fixes projectcontour#3409.

Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss added a commit to skriss/contour that referenced this issue Feb 25, 2021
@skriss
internal/xdscache: include global rate limits for secure vhosts
64a1937 
Fixes a bug where global rate limit policies were being ignored
when defined at the virtual host level on secure vhosts.

Fixes projectcontour#3409.

Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss added a commit to skriss/contour that referenced this issue Feb 26, 2021
@skriss
internal/xdscache: include global rate limits for secure vhosts
9d99bfa 
Fixes a bug where global rate limit policies were being ignored
when defined at the virtual host level on secure vhosts.

Fixes projectcontour#3409.

Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss added a commit that referenced this issue Feb 26, 2021
@skriss
internal/xdscache: include global rate limits for secure vhosts (#3410)
a9a12d9 
Fixes a bug where global rate limit policies were being ignored
when defined at the virtual host level on secure vhosts.

Fixes #3409.

Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss added a commit to skriss/contour that referenced this issue Mar 1, 2021
@skriss
internal/xdscache: include global rate limits for secure vhosts (proj…
d623bd0 
…ectcontour#3410)

Fixes a bug where global rate limit policies were being ignored
when defined at the virtual host level on secure vhosts.

Fixes projectcontour#3409.

Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss added a commit that referenced this issue Mar 1, 2021
@skriss
v1.13.1 cherrypicks (#3423)
2f5f6fb 
* internal/xdscache: include global rate limits for secure vhosts (#3410)

Fixes a bug where global rate limit policies were being ignored
when defined at the virtual host level on secure vhosts.

Fixes #3409.

Signed-off-by: Steve Kriss <krisss@vmware.com>

* cmd/contour: pass pointers to StatusAddressUpdater (#3412)

Fixes an issue where non-pointers were being passed to
the StatusAddressUpdater when the load balancer address
changed, which was resulting in HTTPProxies/Ingresses
not immediately getting updated with the new address.

Fixes #3411.

Signed-off-by: Steve Kriss <krisss@vmware.com>

* examples: update Envoy to 1.17.1 (#3417)

Signed-off-by: Steve Kriss <krisss@vmware.com>
@skriss skriss mentioned this issue Mar 22, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@skriss skriss

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

internal/xdscache: include global rate limits for secure vhosts skriss/contour
1 participant
@skriss