Remove global-rate-limit feature (#11851)

2024-08-25 17:03:29 -03:00 · 2024-08-25 17:03:29 -03:00 · 21cd966d1c
commit 21cd966d1c
parent 5243b9b90a
25 changed files with 28 additions and 1326 deletions
--- a/internal/ingress/annotations/annotations.go
+++ b/internal/ingress/annotations/annotations.go
@ -39,7 +39,6 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/annotations/defaultbackend"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/disableproxyintercepterrors"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi"
-	"k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/http2pushpreload"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/ipallowlist"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist"
@ -98,7 +97,6 @@ type Ingress struct {
 	Proxy                       proxy.Config
 	ProxySSL                    proxyssl.Config
 	RateLimit                   ratelimit.Config
-	GlobalRateLimit             globalratelimit.Config
 	Redirect                    redirect.Config
 	Rewrite                     rewrite.Config
 	Satisfy                     string
@ -147,7 +145,6 @@ func NewAnnotationFactory(cfg resolver.Resolver) map[string]parser.IngressAnnota
 		"Proxy":                       proxy.NewParser(cfg),
 		"ProxySSL":                    proxyssl.NewParser(cfg),
 		"RateLimit":                   ratelimit.NewParser(cfg),
-		"GlobalRateLimit":             globalratelimit.NewParser(cfg),
 		"Redirect":                    redirect.NewParser(cfg),
 		"Rewrite":                     rewrite.NewParser(cfg),
 		"Satisfy":                     satisfy.NewParser(cfg),
--- a/internal/ingress/annotations/globalratelimit/main.go
+++ b/internal/ingress/annotations/globalratelimit/main.go
@ -1,179 +0,0 @@
-/*
-Copyright 2020 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package globalratelimit
-
-import (
-	"fmt"
-	"strings"
-	"time"
-
-	networking "k8s.io/api/networking/v1"
-	"k8s.io/klog/v2"
-
-	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
-	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
-	"k8s.io/ingress-nginx/internal/ingress/resolver"
-	"k8s.io/ingress-nginx/internal/net"
-	"k8s.io/ingress-nginx/pkg/util/sets"
-)
-
-const defaultKey = "$remote_addr"
-
-const (
-	globalRateLimitAnnotation             = "global-rate-limit"
-	globalRateLimitWindowAnnotation       = "global-rate-limit-window"
-	globalRateLimitKeyAnnotation          = "global-rate-limit-key"
-	globalRateLimitIgnoredCidrsAnnotation = "global-rate-limit-ignored-cidrs"
-)
-
-var globalRateLimitAnnotationConfig = parser.Annotation{
-	Group: "ratelimit",
-	Annotations: parser.AnnotationFields{
-		globalRateLimitAnnotation: {
-			Validator:     parser.ValidateInt,
-			Scope:         parser.AnnotationScopeIngress,
-			Risk:          parser.AnnotationRiskLow,
-			Documentation: `This annotation configures maximum allowed number of requests per window`,
-		},
-		globalRateLimitWindowAnnotation: {
-			Validator:     parser.ValidateDuration,
-			Scope:         parser.AnnotationScopeIngress,
-			Risk:          parser.AnnotationRiskLow,
-			Documentation: `Configures a time window (i.e 1m) that the limit is applied`,
-		},
-		globalRateLimitKeyAnnotation: {
-			Validator: parser.ValidateRegex(parser.NGINXVariable, true),
-			Scope:     parser.AnnotationScopeIngress,
-			Risk:      parser.AnnotationRiskHigh,
-			Documentation: `This annotation Configures a key for counting the samples. Defaults to $remote_addr. 
-			You can also combine multiple NGINX variables here, like ${remote_addr}-${http_x_api_client} which would mean the limit will be applied to 
-			requests coming from the same API client (indicated by X-API-Client HTTP request header) with the same source IP address`,
-		},
-		globalRateLimitIgnoredCidrsAnnotation: {
-			Validator: parser.ValidateCIDRs,
-			Scope:     parser.AnnotationScopeIngress,
-			Risk:      parser.AnnotationRiskMedium,
-			Documentation: `This annotation defines a comma separated list of IPs and CIDRs to match client IP against. 
-			When there's a match request is not considered for rate limiting.`,
-		},
-	},
-}
-
-// Config encapsulates all global rate limit attributes
-type Config struct {
-	Namespace    string   `json:"namespace"`
-	Limit        int      `json:"limit"`
-	WindowSize   int      `json:"window-size"`
-	Key          string   `json:"key"`
-	IgnoredCIDRs []string `json:"ignored-cidrs"`
-}
-
-// Equal tests for equality between two Config types
-func (l *Config) Equal(r *Config) bool {
-	if l.Namespace != r.Namespace {
-		return false
-	}
-	if l.Limit != r.Limit {
-		return false
-	}
-	if l.WindowSize != r.WindowSize {
-		return false
-	}
-	if l.Key != r.Key {
-		return false
-	}
-	if len(l.IgnoredCIDRs) != len(r.IgnoredCIDRs) || !sets.StringElementsMatch(l.IgnoredCIDRs, r.IgnoredCIDRs) {
-		return false
-	}
-
-	return true
-}
-
-type globalratelimit struct {
-	r                resolver.Resolver
-	annotationConfig parser.Annotation
-}
-
-// NewParser creates a new globalratelimit annotation parser
-func NewParser(r resolver.Resolver) parser.IngressAnnotation {
-	return globalratelimit{
-		r:                r,
-		annotationConfig: globalRateLimitAnnotationConfig,
-	}
-}
-
-// Parse extracts globalratelimit annotations from the given ingress
-// and returns them structured as Config type
-func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) {
-	config := &Config{}
-
-	limit, err := parser.GetIntAnnotation(globalRateLimitAnnotation, ing, a.annotationConfig.Annotations)
-	if err != nil && ing_errors.IsInvalidContent(err) {
-		return nil, err
-	}
-	rawWindowSize, err := parser.GetStringAnnotation(globalRateLimitWindowAnnotation, ing, a.annotationConfig.Annotations)
-	if err != nil && ing_errors.IsValidationError(err) {
-		return config, ing_errors.LocationDeniedError{
-			Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err),
-		}
-	}
-
-	if limit == 0 || rawWindowSize == "" {
-		return config, nil
-	}
-
-	windowSize, err := time.ParseDuration(rawWindowSize)
-	if err != nil {
-		return config, ing_errors.LocationDeniedError{
-			Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err),
-		}
-	}
-
-	key, err := parser.GetStringAnnotation(globalRateLimitKeyAnnotation, ing, a.annotationConfig.Annotations)
-	if err != nil {
-		klog.Warningf("invalid %s, defaulting to %s", globalRateLimitKeyAnnotation, defaultKey)
-	}
-	if key == "" {
-		key = defaultKey
-	}
-
-	rawIgnoredCIDRs, err := parser.GetStringAnnotation(globalRateLimitIgnoredCidrsAnnotation, ing, a.annotationConfig.Annotations)
-	if err != nil && ing_errors.IsInvalidContent(err) {
-		return nil, err
-	}
-	ignoredCIDRs, err := net.ParseCIDRs(rawIgnoredCIDRs)
-	if err != nil {
-		return nil, err
-	}
-
-	config.Namespace = strings.ReplaceAll(string(ing.UID), "-", "")
-	config.Limit = limit
-	config.WindowSize = int(windowSize.Seconds())
-	config.Key = key
-	config.IgnoredCIDRs = ignoredCIDRs
-
-	return config, nil
-}
-
-func (a globalratelimit) GetDocumentation() parser.AnnotationFields {
-	return a.annotationConfig.Annotations
-}
-
-func (a globalratelimit) Validate(anns map[string]string) error {
-	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
-	return parser.CheckAnnotationRisk(anns, maxrisk, globalRateLimitAnnotationConfig.Annotations)
-}
--- a/internal/ingress/annotations/globalratelimit/main_test.go
+++ b/internal/ingress/annotations/globalratelimit/main_test.go
@ -1,211 +0,0 @@
-/*
-Copyright 2020 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package globalratelimit
-
-import (
-	"encoding/json"
-	"fmt"
-	"testing"
-
-	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1"
-	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
-	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
-	"k8s.io/ingress-nginx/internal/ingress/resolver"
-)
-
-const (
-	UID         = "31285d47-b150-4dcf-bd6f-12c46d769f6e"
-	expectedUID = "31285d47b1504dcfbd6f12c46d769f6e"
-)
-
-func buildIngress() *networking.Ingress {
-	defaultBackend := networking.IngressBackend{
-		Service: &networking.IngressServiceBackend{
-			Name: "default-backend",
-			Port: networking.ServiceBackendPort{
-				Number: 80,
-			},
-		},
-	}
-
-	return &networking.Ingress{
-		ObjectMeta: meta_v1.ObjectMeta{
-			Name:      "foo",
-			Namespace: api.NamespaceDefault,
-			UID:       UID,
-		},
-		Spec: networking.IngressSpec{
-			DefaultBackend: &networking.IngressBackend{
-				Service: &networking.IngressServiceBackend{
-					Name: "default-backend",
-					Port: networking.ServiceBackendPort{
-						Number: 80,
-					},
-				},
-			},
-			Rules: []networking.IngressRule{
-				{
-					Host: "foo.bar.com",
-					IngressRuleValue: networking.IngressRuleValue{
-						HTTP: &networking.HTTPIngressRuleValue{
-							Paths: []networking.HTTPIngressPath{
-								{
-									Path:    "/foo",
-									Backend: defaultBackend,
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-type mockBackend struct {
-	resolver.Mock
-}
-
-func TestGlobalRateLimiting(t *testing.T) {
-	ing := buildIngress()
-
-	annRateLimit := parser.GetAnnotationWithPrefix("global-rate-limit")
-	annRateLimitWindow := parser.GetAnnotationWithPrefix("global-rate-limit-window")
-	annRateLimitKey := parser.GetAnnotationWithPrefix("global-rate-limit-key")
-	annRateLimitIgnoredCIDRs := parser.GetAnnotationWithPrefix("global-rate-limit-ignored-cidrs")
-
-	testCases := []struct {
-		title          string
-		annotations    map[string]string
-		expectedConfig *Config
-		expectedErr    error
-	}{
-		{
-			"no annotation",
-			nil,
-			&Config{},
-			nil,
-		},
-		{
-			"minimum required annotations",
-			map[string]string{
-				annRateLimit:       "100",
-				annRateLimitWindow: "2m",
-			},
-			&Config{
-				Namespace:    expectedUID,
-				Limit:        100,
-				WindowSize:   120,
-				Key:          "$remote_addr",
-				IgnoredCIDRs: make([]string, 0),
-			},
-			nil,
-		},
-		{
-			"global-rate-limit-key annotation",
-			map[string]string{
-				annRateLimit:       "100",
-				annRateLimitWindow: "2m",
-				annRateLimitKey:    "$http_x_api_user",
-			},
-			&Config{
-				Namespace:    expectedUID,
-				Limit:        100,
-				WindowSize:   120,
-				Key:          "$http_x_api_user",
-				IgnoredCIDRs: make([]string, 0),
-			},
-			nil,
-		},
-		{
-			"global-rate-limit-ignored-cidrs annotation",
-			map[string]string{
-				annRateLimit:             "100",
-				annRateLimitWindow:       "2m",
-				annRateLimitKey:          "$http_x_api_user",
-				annRateLimitIgnoredCIDRs: "127.0.0.1, 200.200.24.0/24",
-			},
-			&Config{
-				Namespace:    expectedUID,
-				Limit:        100,
-				WindowSize:   120,
-				Key:          "$http_x_api_user",
-				IgnoredCIDRs: []string{"127.0.0.1", "200.200.24.0/24"},
-			},
-			nil,
-		},
-		{
-			"global-rate-limit-complex-key",
-			map[string]string{
-				annRateLimit:       "100",
-				annRateLimitWindow: "2m",
-				annRateLimitKey:    "${http_x_api_user}${otherinfo}",
-			},
-			&Config{
-				Namespace:    expectedUID,
-				Limit:        100,
-				WindowSize:   120,
-				Key:          "${http_x_api_user}${otherinfo}",
-				IgnoredCIDRs: make([]string, 0),
-			},
-			nil,
-		},
-		{
-			"incorrect duration for window",
-			map[string]string{
-				annRateLimit:       "100",
-				annRateLimitWindow: "2mb",
-				annRateLimitKey:    "$http_x_api_user",
-			},
-			&Config{},
-			ing_errors.ValidationError{
-				Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: annotation nginx.ingress.kubernetes.io/global-rate-limit-window contains invalid value"),
-			},
-		},
-	}
-
-	for _, testCase := range testCases {
-		ing.SetAnnotations(testCase.annotations)
-
-		i, actualErr := NewParser(mockBackend{}).Parse(ing)
-		if (testCase.expectedErr == nil || actualErr == nil) && testCase.expectedErr != actualErr {
-			t.Errorf("%s expected error '%v' but got '%v'", testCase.title, testCase.expectedErr, actualErr)
-		} else if testCase.expectedErr != nil && actualErr != nil &&
-			testCase.expectedErr.Error() != actualErr.Error() {
-			t.Errorf("expected error '%v' but got '%v'", testCase.expectedErr, actualErr)
-		}
-
-		actualConfig, ok := i.(*Config)
-		if !ok {
-			t.Errorf("expected Config type but got %T", i)
-		}
-		if !testCase.expectedConfig.Equal(actualConfig) {
-			expectedJSON, err := json.Marshal(testCase.expectedConfig)
-			if err != nil {
-				t.Errorf("failed to marshal expected config: %v", err)
-			}
-			actualJSON, err := json.Marshal(actualConfig)
-			if err != nil {
-				t.Errorf("failed to marshal actual config: %v", err)
-			}
-			t.Errorf("%v: expected config '%s' but got '%s'", testCase.title, expectedJSON, actualJSON)
-		}
-	}
-}