feat(translator): implement ratelimit costs

[mathetake]

What type of PR is this?

The API implementation

What this PR does / why we need it:

This is the follow up on #4957 and implement the API.

Which issue(s) this PR fixes:
Fixes #4756

Release Notes: Yes

[codecov]

Codecov Report

Attention: Patch coverage is 87.80488% with 10 lines in your changes missing coverage. Please review.

Project coverage is 66.85%. Comparing base (da987da) to head (758f5f5).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/xds/translator/ratelimit.go	85.93%	7 Missing and 2 partials ⚠️
internal/xds/translator/httpfilters.go	0.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5035      +/-   ##
==========================================
+ Coverage   66.81%   66.85%   +0.03%     
==========================================
  Files         211      211              
  Lines       32854    32928      +74     
==========================================
+ Hits        21952    22014      +62     
- Misses       9579     9587       +8     
- Partials     1323     1327       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zirain]

I think we have e2e for costPerReq, able to add one for costPreResponse?

[mathetake]

can the e2e use the latest envoyproxy/ratelimit?

[zirain]

can the e2e use the latest envoyproxy/ratelimit?

IIRC, master branch always use the latest one.

[mathetake]

ok cool

[arkodg]

that was fast 😅

now that EG supports writing metadata via ext proc #5023 would be great if we can have an e2e where the ext proc inserts a fixed metadata that is used by the ratelimit API

[mathetake]

2025-01-11T18:29:53.4823172Z         < X-Ratelimit-Remaining: 20

2025-01-11T18:29:53.4856372Z         < X-Ratelimit-Remaining: 18

2025-01-11T18:29:53.4884601Z         < X-Ratelimit-Remaining: 16

2025-01-11T18:29:53.4919980Z         < X-Ratelimit-Remaining: 14

looks like applyOnStreamDone is working fine but the per-descriptor is not working (both request and response costing 1 regardless of config)

[mathetake]

from envoyproxy/envoy#37684:

added the per descriptor custom hits addend support (only for rate_limits in the RateLimitPerRoute for now).

maybe this is something to do with it

[mathetake]

ok @arkodg looks like @wbpcode introduced the newRateLimitPerRoute used in type_per_filter_config vs the legacy existing rate limit config on route virtual_host.

and only the new one currently supports per-descriptor hits_addend

I think we have to either add support per-descriptor hits_addend to the legacy route/virtual_host config or migrate EG to use the new RateLimitPerRoute, which i think is not suitable as it will break the existing EG cluster (requiring the newest Envoy version)

[mathetake]

i will take a look at the envoy code monday to see how hard to support them in the legacy config

[mathetake]

I think it only requires to do some small refactoring...

[mathetake]

envoyproxy/envoy#37972 this should fix the test

[mathetake]

the required change in envoy seems a bit trickier than i thought... (the change itself is small but the build constraints by Envoy mobile makes it impossible as-is which in turn requires quite a refactoring around formatter...)

[arkodg]

@mathetake can we copy the user defined metadata into the ratelimit hits addend metadata field using a filter instead, in a per route filter way ?

[mathetake]

not sure what you meant but one workaround here is to use typed_per_filter_config RateLimitConfig instead of route-embedded-legacy rate limit only when costs are configured (which allows us to assume its latest Envoy) and i think that should work. Having said that though, I found the workaround in the envoyside and waiting for @wbpcode to review

[mathetake]

ok tomorrow i will work on the workaround mentioned ^^

[mathetake]

ok passing now!!!!!

[mathetake]

this is almost identical with the usecase with ai-gateway - except that the extproc sets the dynamic metadata on responseHeaders hook vs ai-gateway in responseBody hook. Either should work from Envoy pov as the response cost is applied when stream is closing

[mathetake]

come on CI queue

[mathetake]

ping @arkodg @zirain - passing now

[arkodg]

cc @zhaohuabing this introduces another design pattern to do per route filter config

[mathetake]

yeah i was too lazy to do the right abstraction 😉

[mathetake]

so anyways when we can set the floor Envoy version to v1.33, then we should be able to migrate to this typed_per_filter_config global rate limit unconditionally since that's the latest way (having support for per-descriptor-hits-addend) vs the current route-embedded config is legacy one

[zhaohuabing]

Yeah, typed_per_filter_config is the way to go - it aligns with the approach used by all other filters for per-route configurations.

We can address htis in a seperate PR later.

[arkodg]

@arkodg like this ? 8a016ba

hey @mathetake you'll also need to run make testdata to generate the IR

[mathetake]

hmmm doesn't make any diff

[mathetake]

@arkodg passing all tests modulo unrelated flake so can we merge?

[zhaohuabing]

Look good. Fixed the conflicts then we can merge it.

[mathetake]

/retest

[arkodg]

LGTM thanks !

[mathetake]

come on

[mathetake]

/retest

[mathetake]

man the tests are too flaky 🤷 nothing to do with this PR