Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Add basic per-user rate-limiting #5

Merged
merged 2 commits into from
Nov 23, 2022
Merged

✨ Add basic per-user rate-limiting #5

merged 2 commits into from
Nov 23, 2022

Conversation

hardys
Copy link

@hardys hardys commented Nov 11, 2022

Summary

This adds basic per-user rate-limiting, which can be tested by running alongside a sharded-test-server (on a different port to the existing proxy instance), e.g:

./bin/cps-front-proxy --mapping-file=.cps-front-proxy/mapping.yaml --root-directory=.cps-front-proxy --root-kubeconfig=$KCPDIR/.kcp/root.kubeconfig --client-ca-file=$KCPDIR/.kcp/client-ca.crt --tls-cert-file=$KCPDIR/.kcp-front-proxy/apiserver.crt --tls-private-key-file=$KCPDIR/.kcp-front-proxy/apiserver.key --secure-port=6453 --token-auth-file=$KCPDIR/test/e2e/framework/auth-tokens.csv --service-account-key-file=$KCPDIR/.kcp/service-account.crt --ratelimit-request-limit=1

Note .cps-front-proxy/mapping.yaml is just a copy of the KCP file, but with relative paths replaced with absolute ones

We can then see rate-limiting working here with the default ratelimit-burst-limit (5) we see something like this:

$ for i in $(seq 1 10); do curl --insecure https://localhost:6453 --header 'Authorization: Bearer user-2-token'; done
404 page not found
404 page not found
404 page not found
404 page not found
404 page not found
Too many requests, please try again later.
Too many requests, please try again later.
Too many requests, please try again later.
Too many requests, please try again later.
Too many requests, please try again later.

@hardys
Copy link
Author

hardys commented Nov 11, 2022

/cc @csams

@openshift-ci openshift-ci bot requested a review from csams November 11, 2022 17:26
@hardys
Copy link
Author

hardys commented Nov 21, 2022

I decoupled this from #3 since it seems we're still in the discussion phase with that, @csams I reused your options/config changes so added you as a co-author, PTAL :)

@hardys hardys changed the title [WIP] ✨ Add basic per-user rate-limiting ✨ Add basic per-user rate-limiting Nov 22, 2022
stevekuznetsov
stevekuznetsov reviewed Nov 22, 2022
View reviewed changes
Copy link
Contributor

@stevekuznetsov stevekuznetsov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tiny nits, otherwise this looks good!

@csams
Add per-user rate limiting
6bc3623 
Co-Authored-By: Christopher Sams <csams@redhat.com>
@hardys hardys requested review from stevekuznetsov and removed request for ncdc and csams November 23, 2022 14:02
@stevekuznetsov
Copy link
Contributor

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm label Nov 23, 2022
@openshift-ci
Copy link

openshift-ci bot commented Nov 23, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stevekuznetsov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 4a7e8ad into redhat-cps:main Nov 23, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevekuznetsov stevekuznetsov Awaiting requested review from stevekuznetsov

Assignees

@stevekuznetsov stevekuznetsov

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hardys @stevekuznetsov @openshift-merge-robot