tests updates and additions

policy-controller/k8s/index/src/inbound/tests.rs

@@ -2,6 +2,7 @@ mod annotation;
 mod authorization_policy;
 mod grpc_routes;
 mod http_routes;
+mod ratelimit_policy;
 mod server_authorization;
 
 use crate::{
@@ -239,6 +240,7 @@ impl TestConfig {
         InboundServer {
             reference: ServerRef::Default(self.default_policy.as_str()),
             authorizations: mk_default_policy(self.default_policy, self.cluster.networks.clone()),
+            ratelimit: None,
             protocol: ProxyProtocol::Detect {
                 timeout: self.detect_timeout,
             },

policy-controller/k8s/index/src/inbound/tests/annotation.rs

@@ -114,6 +114,7 @@ fn authenticated_annotated() {
             InboundServer {
                 reference: ServerRef::Default(policy.as_str()),
                 authorizations: mk_default_policy(policy, test.cluster.networks),
+                ratelimit: None,
                 protocol: ProxyProtocol::Detect {
                     timeout: test.detect_timeout,
                 },

policy-controller/k8s/index/src/inbound/tests/authorization_policy.rs

@@ -33,6 +33,7 @@ fn links_authorization_policy_with_mtls_name() {
         InboundServer {
             reference: ServerRef::Server("srv-8080".to_string()),
             authorizations: Default::default(),
+            ratelimit: None,
             protocol: ProxyProtocol::Http1,
             http_routes: mk_default_http_routes(),
             grpc_routes: mk_default_grpc_routes(),
@@ -88,6 +89,7 @@ fn links_authorization_policy_with_mtls_name() {
             )
             .into_iter()
             .collect(),
+            ratelimit: None,
             protocol: ProxyProtocol::Http1,
             http_routes: mk_default_http_routes(),
             grpc_routes: mk_default_grpc_routes(),
@@ -125,6 +127,7 @@ fn authorization_targets_namespace() {
         InboundServer {
             reference: ServerRef::Server("srv-8080".to_string()),
             authorizations: Default::default(),
+            ratelimit: None,
             protocol: ProxyProtocol::Http1,
             http_routes: mk_default_http_routes(),
             grpc_routes: mk_default_grpc_routes(),
@@ -180,6 +183,7 @@ fn authorization_targets_namespace() {
             )
             .into_iter()
             .collect(),
+            ratelimit: None,
             protocol: ProxyProtocol::Http1,
             http_routes: mk_default_http_routes(),
             grpc_routes: mk_default_grpc_routes(),
@@ -217,6 +221,7 @@ fn links_authorization_policy_with_service_account() {
         InboundServer {
             reference: ServerRef::Server("srv-8080".to_string()),
             authorizations: Default::default(),
+            ratelimit: None,
             protocol: ProxyProtocol::Http1,
             http_routes: mk_default_http_routes(),
             grpc_routes: mk_default_grpc_routes(),
@@ -266,6 +271,7 @@ fn links_authorization_policy_with_service_account() {
             )
             .into_iter()
             .collect(),
+            ratelimit: None,
             protocol: ProxyProtocol::Http1,
             http_routes: mk_default_http_routes(),
             grpc_routes: mk_default_grpc_routes(),
@@ -368,6 +374,7 @@ fn authorization_policy_prevents_index_deletion() {
         InboundServer {
             reference: ServerRef::Server("srv-8080".to_string()),
             authorizations: Default::default(),
+            ratelimit: None,
             protocol: ProxyProtocol::Http1,
             http_routes: hashmap!(RouteRef::Resource(routes::GroupKindName{
                 group: "policy.linkerd.io".into(),

policy-controller/k8s/index/src/inbound/tests/grpc_routes.rs

@@ -31,6 +31,7 @@ fn server_with_default_route() {
         InboundServer {
             reference: ServerRef::Server("srv-8080".to_string()),
             authorizations: Default::default(),
+            ratelimit: None,
             protocol: ProxyProtocol::Grpc,
             http_routes: mk_default_http_routes(),
             grpc_routes: mk_default_grpc_routes(),

policy-controller/k8s/index/src/inbound/tests/http_routes.rs

@@ -39,6 +39,7 @@ fn route_attaches_to_server() {
         InboundServer {
             reference: ServerRef::Server("srv-8080".to_string()),
             authorizations: Default::default(),
+            ratelimit: None,
             protocol: ProxyProtocol::Http1,
             http_routes: mk_default_http_routes(),
             grpc_routes: mk_default_grpc_routes(),

policy-controller/k8s/index/src/inbound/tests/ratelimit_policy.rs

@@ -0,0 +1,109 @@
+use super::*;
+use linkerd_policy_controller_core::inbound::{Limit, Override, RateLimit};
+
+#[test]
+fn ratelimit_policy_with_server() {
+    let test = TestConfig::default();
+
+    let mut pod = mk_pod("ns-0", "pod-0", Some(("container-0", None)));
+    pod.labels_mut()
+        .insert("app".to_string(), "app-0".to_string());
+    test.index.write().apply(pod);
+
+    let mut rx = test
+        .index
+        .write()
+        .pod_server_rx("ns-0", "pod-0", 8080.try_into().unwrap())
+        .expect("pod-0.ns-0 should exist");
+    assert_eq!(*rx.borrow_and_update(), test.default_server());
+
+    test.index.write().apply(mk_server(
+        "ns-0",
+        "srv-8080",
+        Port::Number(8080.try_into().unwrap()),
+        None,
+        Some(("app", "app-0")),
+        Some(k8s::policy::server::ProxyProtocol::Http1),
+    ));
+    assert!(rx.has_changed().unwrap());
+    assert_eq!(
+        *rx.borrow_and_update(),
+        InboundServer {
+            reference: ServerRef::Server("srv-8080".to_string()),
+            authorizations: Default::default(),
+            ratelimit: None,
+            protocol: ProxyProtocol::Http1,
+            http_routes: mk_default_http_routes(),
+            grpc_routes: mk_default_grpc_routes(),
+        },
+    );
+
+    let ratelimit = RateLimit {
+        name: "ratelimit-0".to_string(),
+        total: Some(Limit {
+            requests_per_second: 1000,
+        }),
+        identity: None,
+        overrides: vec![Override {
+            requests_per_second: 500,
+            client_identities: vec![
+                "client-0.ns-0.serviceaccount.identity.linkerd.cluster.example.com".to_string(),
+            ],
+        }],
+    };
+    test.index.write().apply(mk_ratelimit(
+        "ns-0",
+        "ratelimit-0",
+        Some(k8s::policy::Limit {
+            requests_per_second: 1000,
+        }),
+        vec![k8s::policy::Override {
+            requests_per_second: 500,
+            client_refs: vec![NamespacedTargetRef {
+                group: None,
+                kind: "ServiceAccount".to_string(),
+                name: "client-0".to_string(),
+                namespace: None,
+            }],
+        }],
+        "srv-8080",
+    ));
+    assert!(rx.has_changed().unwrap());
+    assert_eq!(
+        *rx.borrow_and_update(),
+        InboundServer {
+            reference: ServerRef::Server("srv-8080".to_string()),
+            authorizations: Default::default(),
+            ratelimit: Some(ratelimit),
+            protocol: ProxyProtocol::Http1,
+            http_routes: mk_default_http_routes(),
+            grpc_routes: mk_default_grpc_routes(),
+        },
+    );
+}
+
+fn mk_ratelimit(
+    ns: impl ToString,
+    name: impl ToString,
+    total: Option<k8s::policy::Limit>,
+    overrides: Vec<k8s::policy::Override>,
+    server_name: impl ToString,
+) -> k8s::policy::HTTPLocalRateLimitPolicy {
+    k8s::policy::HTTPLocalRateLimitPolicy {
+        metadata: k8s::ObjectMeta {
+            namespace: Some(ns.to_string()),
+            name: Some(name.to_string()),
+            ..Default::default()
+        },
+        spec: k8s::policy::RateLimitPolicySpec {
+            target_ref: LocalTargetRef {
+                group: Some("policy.linkerd.io".to_string()),
+                kind: "Server".to_string(),
+                name: server_name.to_string(),
+            },
+            total,
+            identity: None,
+            overrides: Some(overrides),
+        },
+    }
+}

policy-controller/k8s/index/src/inbound/tests/server_authorization.rs

@@ -42,6 +42,7 @@ fn link_server_authz(selector: ServerSelector) {
         InboundServer {
             reference: ServerRef::Server("srv-8080".to_string()),
             authorizations: Default::default(),
+            ratelimit: None,
             protocol: ProxyProtocol::Http1,
             http_routes: mk_default_http_routes(),
             grpc_routes: mk_default_grpc_routes(),

policy-test/src/grpc.rs

@@ -52,6 +52,7 @@ macro_rules! assert_protocol_detect {
                             $crate::grpc::defaults::http_route(),
                             $crate::grpc::defaults::probe_route(),
                         ],
+                        http_local_rate_limit: None,
                     }
                 )),
             }),
@@ -71,6 +72,7 @@ macro_rules! assert_protocol_detect_external {
                     inbound::proxy_protocol::Detect {
                         timeout: Some(std::time::Duration::from_secs(10).try_into().unwrap()),
                         http_routes: vec![$crate::grpc::defaults::http_route()],
+                        http_local_rate_limit: None,
                     }
                 ))
             })
@@ -376,24 +378,81 @@ impl hyper::service::Service<hyper::Request<tonic::body::BoxBody>> for GrpcHttp
 pub mod defaults {
     use super::*;
 
-    pub fn proxy_protocol() -> inbound::ProxyProtocol {
+    pub fn proxy_protocol(
+        local_rate_limit: Option<inbound::HttpLocalRateLimit>,
+    ) -> inbound::ProxyProtocol {
         use inbound::proxy_protocol::{Http1, Kind};
         inbound::ProxyProtocol {
             kind: Some(Kind::Http1(Http1 {
                 routes: vec![http_route(), probe_route()],
+                local_rate_limit,
             })),
         }
     }
 
+    pub fn proxy_protocol_no_ratelimit() -> inbound::ProxyProtocol {
+        proxy_protocol(None)
+    }
+
     pub fn proxy_protocol_external() -> inbound::ProxyProtocol {
         use inbound::proxy_protocol::{Http1, Kind};
         inbound::ProxyProtocol {
             kind: Some(Kind::Http1(Http1 {
                 routes: vec![http_route()],
+                local_rate_limit: None,
             })),
         }
     }
 
+    pub fn http_local_ratelimit(
+        name: &str,
+        rps_total: Option<u32>,
+        rps_identity: Option<u32>,
+        overrides: Vec<(u32, Vec<String>)>,
+    ) -> inbound::HttpLocalRateLimit {
+        use inbound::http_local_rate_limit::{r#override, Limit, Override};
+        use meta::{metadata, Metadata, Resource};
+
+        let overrides = overrides
+            .iter()
+            .map(|ovr| {
+                let identities = r#override::ClientIdentities {
+                    identities: ovr
+                        .1
+                        .iter()
+                        .map(|name| inbound::Identity {
+                            name: name.to_string(),
+                        })
+                        .collect(),
+                };
+                Override {
+                    limit: Some(Limit {
+                        requests_per_second: ovr.0,
+                    }),
+                    clients: Some(identities),
+                }
+            })
+            .collect();
+
+        inbound::HttpLocalRateLimit {
+            metadata: Some(Metadata {
+                kind: Some(metadata::Kind::Resource(Resource {
+                    group: "policy.linkerd.io".to_string(),
+                    kind: "HTTPLocalRateLimitPolicy".to_string(),
+                    name: name.to_owned(),
+                    ..Default::default()
+                })),
+            }),
+            total: rps_total.map(|requests_per_second| Limit {
+                requests_per_second,
+            }),
+            identity: rps_identity.map(|requests_per_second| Limit {
+                requests_per_second,
+            }),
+            overrides,
+        }
+    }
+
     pub fn http_route() -> inbound::HttpRoute {
         use http_route::{path_match, HttpRouteMatch, PathMatch};
         use inbound::{http_route::Rule, HttpRoute};