Rate limit with zone sync and scale (#7521)

Author: pdabelf5

internal/configs/ingress.go

@@ -272,6 +272,9 @@ func generateNginxCfg(p NginxCfgParams) (version1.IngressNginxConfig, Warnings)
 
 			if cfgParams.LimitReqRate != "" {
 				zoneName := p.ingEx.Ingress.Namespace + "/" + p.ingEx.Ingress.Name
+				if p.ingEx.ZoneSync {
+					zoneName = fmt.Sprintf("%v_sync", zoneName)
+				}
 				loc.LimitReq = &version1.LimitReq{
 					Zone:       zoneName,
 					Burst:      cfgParams.LimitReqBurst,
@@ -284,7 +287,12 @@ func generateNginxCfg(p NginxCfgParams) (version1.IngressNginxConfig, Warnings)
 				if !limitReqZoneExists(limitReqZones, zoneName) {
 					rate := cfgParams.LimitReqRate
 					if cfgParams.LimitReqScale && p.ingressControllerReplicas > 0 {
-						rate = scaleRatelimit(rate, p.ingressControllerReplicas)
+						if p.ingEx.ZoneSync {
+							warningText := fmt.Sprintf("Ingress %s/%s: both zone sync and rate limit scale are enabled, the rate limit scale value will not be used.", p.ingEx.Ingress.Namespace, p.ingEx.Ingress.Name)
+							nl.Warn(l, warningText)
+						} else {
+							rate = scaleRatelimit(rate, p.ingressControllerReplicas)
+						}
 					}
 					limitReqZones = append(limitReqZones, version1.LimitReqZone{
 						Name: zoneName,

internal/configs/ingress_test.go

@@ -1173,7 +1173,7 @@ func TestGenerateNginxCfgForLimitReqZoneSync(t *testing.T) {
 
 	expectedZones := []version1.LimitReqZone{
 		{
-			Name: "default/cafe-ingress",
+			Name: "default/cafe-ingress_sync",
 			Key:  "${request_uri}",
 			Size: "11m",
 			Rate: "200r/s",
@@ -1337,14 +1337,11 @@ func TestGenerateNginxCfgForLimitReqWithScaling(t *testing.T) {
 	for _, server := range result.Servers {
 		for _, location := range server.Locations {
 			if !reflect.DeepEqual(location.LimitReq, expectedReqs) {
-				t.Errorf("generateNginxCfg returned \n%v,  but expected \n%v", result.LimitReqZones, expectedZones)
+				t.Errorf("generateNginxCfg returned \n%v,  but expected \n%v", location.LimitReq, expectedReqs)
 			}
 		}
 	}
 
-	if !reflect.DeepEqual(result.LimitReqZones, expectedZones) {
-		t.Errorf("generateNginxCfg returned \n%v,  but expected \n%v", result.LimitReqZones, expectedZones)
-	}
 	if len(warnings) != 0 {
 		t.Errorf("generateNginxCfg returned warnings: %v", warnings)
 	}
@@ -1431,9 +1428,6 @@ func TestGenerateNginxCfgForMergeableIngressesForLimitReqWithScaling(t *testing.
 		}
 	}
 
-	if !reflect.DeepEqual(result.LimitReqZones, expectedZones) {
-		t.Errorf("generateNginxCfg returned \n%v,  but expected \n%v", result.LimitReqZones, expectedZones)
-	}
 	if len(warnings) != 0 {
 		t.Errorf("generateNginxCfg returned warnings: %v", warnings)
 	}

internal/configs/version1/__snapshots__/template_test.snap

@@ -1217,7 +1217,7 @@ server {
 # configuration for default/myingress
 
 
-limit_req_zone ${binary_remote_addr} zone=default/zone1:10m rate=200r/s sync;
+limit_req_zone ${binary_remote_addr} zone=default/zone1_sync:10m rate=200r/s sync;
 
 
 
@@ -1235,6 +1235,33 @@ server {
     
 
     
+    location / {
+        set $service "";
+        status_zone "";
+        proxy_http_version 1.1;
+
+        proxy_connect_timeout ;
+        proxy_read_timeout ;
+        proxy_send_timeout ;
+        client_max_body_size ;
+        
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+        proxy_pass http://test;
+
+        
+        limit_req zone=default/myingress_sync burst=100;
+        
+        
+        limit_req_status 429;
+        
+    }
+    
 }
 
 ---

internal/configs/version1/nginx-plus.ingress.tmpl

@@ -321,7 +321,7 @@ server {
 		{{- end}}
 
 		{{with $location.LimitReq}}
-		limit_req zone={{ $location.LimitReq.Zone }} {{if $location.LimitReq.Burst}}burst={{$location.LimitReq.Burst}}{{end}} {{if $location.LimitReq.NoDelay}}nodelay{{else if $location.LimitReq.Delay}}delay={{$location.LimitReq.Delay}}{{end}};
+		limit_req zone={{ $location.LimitReq.Zone }}{{- if $location.LimitReq.Burst }} burst={{$location.LimitReq.Burst}}{{- end }}{{- if $location.LimitReq.NoDelay }} nodelay{{- else if $location.LimitReq.Delay }} delay={{$location.LimitReq.Delay}}{{- end }};
 		{{if $location.LimitReq.DryRun}}limit_req_dry_run on;{{end}}
 		{{if $location.LimitReq.LogLevel}}limit_req_log_level {{$location.LimitReq.LogLevel}};{{end}}
 		{{if $location.LimitReq.RejectCode}}limit_req_status {{$location.LimitReq.RejectCode}};{{end}}

internal/configs/version1/template_test.go

@@ -1829,11 +1829,22 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithRequestRateLimitZoneSync(t *t
 		Servers: []Server{
 			{
 				Name: "test.example.com",
+				Locations: []Location{
+					{
+						Path:     "/",
+						Upstream: testUpstream,
+						LimitReq: &LimitReq{
+							Zone:       "default/myingress_sync",
+							Burst:      100,
+							RejectCode: 429,
+						},
+					},
+				},
 			},
 		},
 		LimitReqZones: []LimitReqZone{
 			{
-				Name: "default/zone1",
+				Name: "default/zone1_sync",
 				Key:  "${binary_remote_addr}",
 				Size: "10m",
 				Rate: "200r/s",
@@ -1850,7 +1861,8 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithRequestRateLimitZoneSync(t *t
 	ingConf := buf.String()
 
 	wantDirectives := []string{
-		"limit_req_zone ${binary_remote_addr} zone=default/zone1:10m rate=200r/s sync;",
+		"limit_req_zone ${binary_remote_addr} zone=default/zone1_sync:10m rate=200r/s sync;",
+		"limit_req zone=default/myingress_sync burst=100;",
 	}
 
 	for _, want := range wantDirectives {

internal/configs/version2/__snapshots__/templates_test.snap

@@ -2913,7 +2913,7 @@ map $http_x_version $match_0_0 {
     default 0;
 }
 # HTTP snippet
-limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s sync;
+limit_req_zone $url zone=pol_rl_test_test_test_sync:10m rate=10r/s sync;
 
 server {
     listen 80 proxy_protocol;
@@ -2948,7 +2948,7 @@ server {
     allow all;
     limit_req_log_level error;
     limit_req_status 503;
-    limit_req zone=pol_rl_test_test_test burst=5 delay=10;
+    limit_req zone=pol_rl_test_test_test_sync burst=5 delay=10;
     auth_jwt "My Api";
     auth_jwt_key_file jwk-secret;
     app_protect_enable on;
@@ -3021,7 +3021,7 @@ server {
         deny all;
         deny 127.0.0.1;
         allow all;
-        limit_req zone=loc_pol_rl_test_test_test;
+        limit_req zone=loc_pol_rl_test_test_test_sync;
 
 
         proxy_ssl_certificate egress-mtls-secret.pem;