feat: add query parameter match support in ratelimit

Signed-off-by: sachin maurya <[email protected]>

Author: slayer321

api/v1alpha1/ratelimit_types.go

@@ -197,6 +197,19 @@ type RateLimitSelectCondition struct {
 	//
 	// +optional
 	SourceCIDR *SourceMatch `json:"sourceCIDR,omitempty"`
+
+	// Rate limit on query parameters.
+	// +optional
+	QueryParameters *QueryParameters `json:"queryParameters,omitempty"`
+}
+
+type QueryParameters struct {
+	// The name of the query parameter to use for rate limiting.
+	// Value of this query parameter is used to populate the value of the descriptor entry for the descriptor_key.
+	QueryParameterName string `json:"queryParameterName,omitempty"`
+	// The key to use when creating the rate limit descriptor entry.
+	// This descriptor key will be used to identify the rate limit rule in the rate limiting service.
+	DescriptorKey string `json:"descriptorKey,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=Exact;Distinct

api/v1alpha1/zz_generated.deepcopy.go

@@ -994,6 +994,20 @@ spec:
                                       type: object
                                     maxItems: 16
                                     type: array
+                                  queryParameters:
+                                    description: Rate limit on query parameters.
+                                    properties:
+                                      descriptorKey:
+                                        description: |-
+                                          The key to use when creating the rate limit descriptor entry.
+                                          This descriptor key will be used to identify the rate limit rule in the rate limiting service.
+                                        type: string
+                                      queryParameterName:
+                                        description: |-
+                                          The name of the query parameter to use for rate limiting.
+                                          Value of this query parameter is used to populate the value of the descriptor entry for the descriptor_key.
+                                        type: string
+                                    type: object
                                   sourceCIDR:
                                     description: |-
                                       SourceCIDR is the client IP Address range to match on.
@@ -1245,6 +1259,20 @@ spec:
                                       type: object
                                     maxItems: 16
                                     type: array
+                                  queryParameters:
+                                    description: Rate limit on query parameters.
+                                    properties:
+                                      descriptorKey:
+                                        description: |-
+                                          The key to use when creating the rate limit descriptor entry.
+                                          This descriptor key will be used to identify the rate limit rule in the rate limiting service.
+                                        type: string
+                                      queryParameterName:
+                                        description: |-
+                                          The name of the query parameter to use for rate limiting.
+                                          Value of this query parameter is used to populate the value of the descriptor entry for the descriptor_key.
+                                        type: string
+                                    type: object
                                   sourceCIDR:
                                     description: |-
                                       SourceCIDR is the client IP Address range to match on.

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml

@@ -993,6 +993,20 @@ spec:
                                       type: object
                                     maxItems: 16
                                     type: array
+                                  queryParameters:
+                                    description: Rate limit on query parameters.
+                                    properties:
+                                      descriptorKey:
+                                        description: |-
+                                          The key to use when creating the rate limit descriptor entry.
+                                          This descriptor key will be used to identify the rate limit rule in the rate limiting service.
+                                        type: string
+                                      queryParameterName:
+                                        description: |-
+                                          The name of the query parameter to use for rate limiting.
+                                          Value of this query parameter is used to populate the value of the descriptor entry for the descriptor_key.
+                                        type: string
+                                    type: object
                                   sourceCIDR:
                                     description: |-
                                       SourceCIDR is the client IP Address range to match on.
@@ -1244,6 +1258,20 @@ spec:
                                       type: object
                                     maxItems: 16
                                     type: array
+                                  queryParameters:
+                                    description: Rate limit on query parameters.
+                                    properties:
+                                      descriptorKey:
+                                        description: |-
+                                          The key to use when creating the rate limit descriptor entry.
+                                          This descriptor key will be used to identify the rate limit rule in the rate limiting service.
+                                        type: string
+                                      queryParameterName:
+                                        description: |-
+                                          The name of the query parameter to use for rate limiting.
+                                          Value of this query parameter is used to populate the value of the descriptor entry for the descriptor_key.
+                                        type: string
+                                    type: object
                                   sourceCIDR:
                                     description: |-
                                       SourceCIDR is the client IP Address range to match on.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml

@@ -891,10 +891,10 @@ func buildRateLimitRule(rule egv1a1.RateLimitRule) (*ir.RateLimitRule, error) {
 	}
 
 	for _, match := range rule.ClientSelectors {
-		if len(match.Headers) == 0 && match.SourceCIDR == nil {
+		if len(match.Headers) == 0 && match.SourceCIDR == nil && match.QueryParameters == nil {
 			return nil, fmt.Errorf(
 				"unable to translate rateLimit. At least one of the" +
-					" header or sourceCIDR must be specified")
+					" header, sourceCIDR, or queryParameters must be specified")
 		}
 		for _, header := range match.Headers {
 			switch {
@@ -950,6 +950,17 @@ func buildRateLimitRule(rule egv1a1.RateLimitRule) (*ir.RateLimitRule, error) {
 			cidrMatch.Distinct = distinct
 			irRule.CIDRMatch = cidrMatch
 		}
+
+		if match.QueryParameters != nil {
+			// Validate QueryParameters
+			if match.QueryParameters.QueryParameterName == "" {
+				return nil, fmt.Errorf("queryParameterName is required when QueryParameters is specified")
+			}
+			if match.QueryParameters.DescriptorKey == "" {
+				return nil, fmt.Errorf("descriptorKey is required when QueryParameters is specified")
+			}
+			irRule.QueryParameters = (*ir.QueryParameters)(match.QueryParameters)
+		}
 	}
 
 	if cost := rule.Cost; cost != nil {

internal/gatewayapi/backendtrafficpolicy.go

@@ -2242,6 +2242,8 @@ type RateLimitRule struct {
 	HeaderMatches []*StringMatch `json:"headerMatches" yaml:"headerMatches"`
 	// CIDRMatch define the match conditions on the source IP's CIDR for this route.
 	CIDRMatch *CIDRMatch `json:"cidrMatch,omitempty" yaml:"cidrMatch,omitempty"`
+	// Rate limit on query parameters.
+	QueryParameters *QueryParameters `json:"queryParameters,omitempty" yaml:"queryParameters,omitempty"`
 	// Limit holds the rate limit values.
 	Limit RateLimitValue `json:"limit,omitempty" yaml:"limit,omitempty"`
 	// RequestCost specifies the cost of the request.
@@ -2259,6 +2261,12 @@ type RateLimitRule struct {
 	Name string `json:"name,omitempty" yaml:"name,omitempty"`
 }
 
+// +k8s:deepcopy-gen=true
+type QueryParameters struct {
+	QueryParameterName string `json:"queryParameterName,omitempty" yaml:"queryParameterName,omitempty"`
+	DescriptorKey      string `json:"descriptorKey,omitempty" yaml:"descriptorKey,omitempty"`
+}
+
 // RateLimitCost specifies the cost of the request or response.
 // +k8s:deepcopy-gen=true
 type RateLimitCost struct {
@@ -2278,7 +2286,7 @@ type CIDRMatch struct {
 
 // TODO zhaohuabing: remove this function
 func (r *RateLimitRule) IsMatchSet() bool {
-	return len(r.HeaderMatches) != 0 || r.CIDRMatch != nil
+	return len(r.HeaderMatches) != 0 || r.CIDRMatch != nil || r.QueryParameters != nil
 }
 
 type RateLimitUnit egv1a1.RateLimitUnit

internal/ir/xds.go

@@ -304,6 +304,22 @@ func buildRouteLocalRateLimits(local *ir.LocalRateLimit) (
 				rlActions = append(rlActions, action)
 			}
 		}
+		if rule.QueryParameters != nil {
+			queryParam := &routev3.RateLimit_Action_QueryParameters{}
+			queryParam.DescriptorKey = rule.QueryParameters.DescriptorKey
+			queryParam.QueryParameterName = rule.QueryParameters.QueryParameterName
+			action := &routev3.RateLimit_Action{
+				ActionSpecifier: &routev3.RateLimit_Action_QueryParameters_{
+					QueryParameters: queryParam,
+				},
+			}
+			rlActions = append(rlActions, action)
+
+			entry := &rlv3.RateLimitDescriptor_Entry{
+				Key: rule.QueryParameters.DescriptorKey,
+			}
+			descriptorEntries = append(descriptorEntries, entry)
+		}
 
 		rateLimit := &routev3.RateLimit{Actions: rlActions}
 		rateLimits = append(rateLimits, rateLimit)

internal/ir/zz_generated.deepcopy.go

@@ -336,6 +336,18 @@ func buildRouteRateLimits(route *ir.HTTPRoute) (rateLimits []*routev3.RateLimit,
 			}
 		}
 
+		if rule.QueryParameters != nil {
+			queryParam := &routev3.RateLimit_Action_QueryParameters{}
+			queryParam.DescriptorKey = rule.QueryParameters.DescriptorKey
+			queryParam.QueryParameterName = rule.QueryParameters.QueryParameterName
+			action := &routev3.RateLimit_Action{
+				ActionSpecifier: &routev3.RateLimit_Action_QueryParameters_{
+					QueryParameters: queryParam,
+				},
+			}
+			rlActions = append(rlActions, action)
+		}
+
 		// Case when both header and cidr match are not set and the ratelimit
 		// will be applied to all traffic.
 		// 3) No Match (apply to all traffic)
@@ -598,7 +610,8 @@ func buildRateLimitServiceDescriptors(route *ir.HTTPRoute) []*rlsconfv3.RateLimi
 	// the order in which ratelimit actions are built:
 	//  1) Header Matches
 	//  2) CIDR Match
-	//  3) No Match
+	//  3) Query Parameters
+	//  4) No Match
 
 	for rIdx, rule := range global.Rules {
 		rateLimitPolicy := &rlsconfv3.RateLimitPolicy{
@@ -682,9 +695,26 @@ func buildRateLimitServiceDescriptors(route *ir.HTTPRoute) []*rlsconfv3.RateLimi
 				cur = pbDesc
 			}
 		}
-		// Case when both header and cidr match are not set and the ratelimit
+
+		// 3) Query Parameters
+		if rule.QueryParameters != nil {
+			pbDesc := new(rlsconfv3.RateLimitDescriptor)
+			pbDesc.Key = rule.QueryParameters.DescriptorKey
+			pbDesc.Value = ""
+
+			if cur != nil {
+				// The header or cidr match descriptor chain exists, add current
+				// descriptor to the chain.
+				cur.Descriptors = []*rlsconfv3.RateLimitDescriptor{pbDesc}
+			} else {
+				head = pbDesc
+			}
+			cur = pbDesc
+		}
+
+		// Case when both header, cidr match, and query parameters are not set and the ratelimit
 		// will be applied to all traffic.
-		// 3) No Match (apply to all traffic)
+		// 4) No Match (apply to all traffic)
 		if !rule.IsMatchSet() {
 			pbDesc := new(rlsconfv3.RateLimitDescriptor)
 			pbDesc.Key = getRouteRuleDescriptor(domainRuleIdx, -1)

internal/xds/translator/local_ratelimit.go

@@ -0,0 +1,34 @@
+http:
+- name: "first-listener"
+  address: "0.0.0.0"
+  port: 10080
+  hostnames:
+  - "*"
+  path:
+    mergeSlashes: true
+    escapedSlashesAction: UnescapeAndRedirect
+  routes:
+  - name: "first-route"
+    traffic:
+      rateLimit:
+        global:
+          rules:
+          - name: "test-namespace/test-policy-1/rule/0"
+            headerMatches:
+            - name: "x-user-id"
+              exact: "one"
+            queryParameters:
+              queryParameterName: "user"
+              descriptorKey: "user_param"
+            limit:
+              requests: 5
+              unit: second
+            shared: false
+    pathMatch:
+      exact: "foo/bar"
+    destination:
+      name: "first-route-dest"
+      settings:
+      - endpoints:
+        - host: "1.2.3.4"
+          port: 50000