feat: add query parameter match support in ratelimit

Signed-off-by: sachin maurya <[email protected]>

Author: slayer321

api/v1alpha1/ratelimit_types.go

@@ -197,6 +197,19 @@ type RateLimitSelectCondition struct {
 	//
 	// +optional
 	SourceCIDR *SourceMatch `json:"sourceCIDR,omitempty"`
+
+	// Rate limit on query parameters.
+	// +optional
+	QueryParameters *QueryParameters `json:"queryParameters,omitempty"`
+}
+
+type QueryParameters struct {
+	// The name of the query parameter to use for rate limiting.
+	// Value of this query parameter is used to populate the value of the descriptor entry for the descriptor_key.
+	QueryParameterName string `json:"queryParameterName,omitempty"`
+	// The key to use when creating the rate limit descriptor entry.
+	// This descriptor key will be used to identify the rate limit rule in the rate limiting service.
+	DescriptorKey string `json:"descriptorKey,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=Exact;Distinct

api/v1alpha1/zz_generated.deepcopy.go

@@ -959,6 +959,20 @@ spec:
                                       type: object
                                     maxItems: 16
                                     type: array
+                                  queryParameters:
+                                    description: Rate limit on query parameters.
+                                    properties:
+                                      descriptorKey:
+                                        description: |-
+                                          The key to use when creating the rate limit descriptor entry.
+                                          This descriptor key will be used to identify the rate limit rule in the rate limiting service.
+                                        type: string
+                                      queryParameterName:
+                                        description: |-
+                                          The name of the query parameter to use for rate limiting.
+                                          Value of this query parameter is used to populate the value of the descriptor entry for the descriptor_key.
+                                        type: string
+                                    type: object
                                   sourceCIDR:
                                     description: |-
                                       SourceCIDR is the client IP Address range to match on.
@@ -1210,6 +1224,20 @@ spec:
                                       type: object
                                     maxItems: 16
                                     type: array
+                                  queryParameters:
+                                    description: Rate limit on query parameters.
+                                    properties:
+                                      descriptorKey:
+                                        description: |-
+                                          The key to use when creating the rate limit descriptor entry.
+                                          This descriptor key will be used to identify the rate limit rule in the rate limiting service.
+                                        type: string
+                                      queryParameterName:
+                                        description: |-
+                                          The name of the query parameter to use for rate limiting.
+                                          Value of this query parameter is used to populate the value of the descriptor entry for the descriptor_key.
+                                        type: string
+                                    type: object
                                   sourceCIDR:
                                     description: |-
                                       SourceCIDR is the client IP Address range to match on.

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml

@@ -958,6 +958,20 @@ spec:
                                       type: object
                                     maxItems: 16
                                     type: array
+                                  queryParameters:
+                                    description: Rate limit on query parameters.
+                                    properties:
+                                      descriptorKey:
+                                        description: |-
+                                          The key to use when creating the rate limit descriptor entry.
+                                          This descriptor key will be used to identify the rate limit rule in the rate limiting service.
+                                        type: string
+                                      queryParameterName:
+                                        description: |-
+                                          The name of the query parameter to use for rate limiting.
+                                          Value of this query parameter is used to populate the value of the descriptor entry for the descriptor_key.
+                                        type: string
+                                    type: object
                                   sourceCIDR:
                                     description: |-
                                       SourceCIDR is the client IP Address range to match on.
@@ -1209,6 +1223,20 @@ spec:
                                       type: object
                                     maxItems: 16
                                     type: array
+                                  queryParameters:
+                                    description: Rate limit on query parameters.
+                                    properties:
+                                      descriptorKey:
+                                        description: |-
+                                          The key to use when creating the rate limit descriptor entry.
+                                          This descriptor key will be used to identify the rate limit rule in the rate limiting service.
+                                        type: string
+                                      queryParameterName:
+                                        description: |-
+                                          The name of the query parameter to use for rate limiting.
+                                          Value of this query parameter is used to populate the value of the descriptor entry for the descriptor_key.
+                                        type: string
+                                    type: object
                                   sourceCIDR:
                                     description: |-
                                       SourceCIDR is the client IP Address range to match on.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml

@@ -950,6 +950,17 @@ func buildRateLimitRule(rule egv1a1.RateLimitRule) (*ir.RateLimitRule, error) {
 			cidrMatch.Distinct = distinct
 			irRule.CIDRMatch = cidrMatch
 		}
+
+		if match.QueryParameters != nil {
+			// Validate QueryParameters
+			if match.QueryParameters.QueryParameterName == "" {
+				return nil, fmt.Errorf("queryParameterName is required when QueryParameters is specified")
+			}
+			if match.QueryParameters.DescriptorKey == "" {
+				return nil, fmt.Errorf("descriptorKey is required when QueryParameters is specified")
+			}
+			irRule.QueryParameters = (*ir.QueryParameters)(match.QueryParameters)
+		}
 	}
 
 	if cost := rule.Cost; cost != nil {

internal/gatewayapi/backendtrafficpolicy.go

@@ -2239,6 +2239,8 @@ type RateLimitRule struct {
 	HeaderMatches []*StringMatch `json:"headerMatches" yaml:"headerMatches"`
 	// CIDRMatch define the match conditions on the source IP's CIDR for this route.
 	CIDRMatch *CIDRMatch `json:"cidrMatch,omitempty" yaml:"cidrMatch,omitempty"`
+	// Rate limit on query parameters.
+	QueryParameters *QueryParameters `json:"queryParameters,omitempty" yaml:"queryParameters,omitempty"`
 	// Limit holds the rate limit values.
 	Limit RateLimitValue `json:"limit,omitempty" yaml:"limit,omitempty"`
 	// RequestCost specifies the cost of the request.
@@ -2256,6 +2258,12 @@ type RateLimitRule struct {
 	Name string `json:"name,omitempty" yaml:"name,omitempty"`
 }
 
+// +k8s:deepcopy-gen=true
+type QueryParameters struct {
+	QueryParameterName string `json:"queryParameterName,omitempty" yaml:"queryParameterName,omitempty"`
+	DescriptorKey      string `json:"descriptorKey,omitempty" yaml:"descriptorKey,omitempty"`
+}
+
 // RateLimitCost specifies the cost of the request or response.
 // +k8s:deepcopy-gen=true
 type RateLimitCost struct {

internal/ir/xds.go

@@ -304,6 +304,17 @@ func buildRouteLocalRateLimits(local *ir.LocalRateLimit) (
 				rlActions = append(rlActions, action)
 			}
 		}
+		if rule.QueryParameters != nil {
+			queryParam := &routev3.RateLimit_Action_QueryParameters{}
+			queryParam.DescriptorKey = rule.QueryParameters.DescriptorKey
+			queryParam.QueryParameterName = rule.QueryParameters.QueryParameterName
+			action := &routev3.RateLimit_Action{
+				ActionSpecifier: &routev3.RateLimit_Action_QueryParameters_{
+					QueryParameters: queryParam,
+				},
+			}
+			rlActions = append(rlActions, action)
+		}
 
 		rateLimit := &routev3.RateLimit{Actions: rlActions}
 		rateLimits = append(rateLimits, rateLimit)

internal/ir/zz_generated.deepcopy.go

@@ -336,6 +336,18 @@ func buildRouteRateLimits(route *ir.HTTPRoute) (rateLimits []*routev3.RateLimit,
 			}
 		}
 
+		if rule.QueryParameters != nil {
+			queryParam := &routev3.RateLimit_Action_QueryParameters{}
+			queryParam.DescriptorKey = rule.QueryParameters.DescriptorKey
+			queryParam.QueryParameterName = rule.QueryParameters.QueryParameterName
+			action := &routev3.RateLimit_Action{
+				ActionSpecifier: &routev3.RateLimit_Action_QueryParameters_{
+					QueryParameters: queryParam,
+				},
+			}
+			rlActions = append(rlActions, action)
+		}
+
 		// Case when both header and cidr match are not set and the ratelimit
 		// will be applied to all traffic.
 		// 3) No Match (apply to all traffic)

internal/xds/translator/local_ratelimit.go

@@ -0,0 +1,34 @@
+http:
+- name: "first-listener"
+  address: "0.0.0.0"
+  port: 10080
+  hostnames:
+  - "*"
+  path:
+    mergeSlashes: true
+    escapedSlashesAction: UnescapeAndRedirect
+  routes:
+  - name: "first-route"
+    traffic:
+      rateLimit:
+        global:
+          rules:
+          - name: "test-namespace/test-policy-1/rule/0"
+            headerMatches:
+            - name: "x-user-id"
+              exact: "one"
+            queryParameters:
+              queryParameterName: "user"
+              descriptorKey: "user_param"
+            limit:
+              requests: 5
+              unit: second
+            shared: false
+    pathMatch:
+      exact: "foo/bar"
+    destination:
+      name: "first-route-dest"
+      settings:
+      - endpoints:
+        - host: "1.2.3.4"
+          port: 50000