linkerd2/policy-test/tests/admit_http_local_ratelimit_policy.rs at fb6988bcc2abcc2af820beb0d564231c451bb4ea · linkerd/linkerd2 · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
use k8s_openapi::chrono;
use linkerd_policy_controller_k8s_api::{
    self as api,
    policy::{
        HttpLocalRateLimitPolicy, HttpLocalRateLimitPolicyStatus, Limit, LocalTargetRef,
        NamespacedTargetRef, Override, RateLimitPolicySpec,
    },
};
use linkerd_policy_test::admission;

#[tokio::test(flavor = "current_thread")]
async fn accepts_valid() {
    admission::accepts(|ns| {
        mk_ratelimiter(ns, default_target_ref(), 1000, 100, default_overrides())
    })
    .await;
}

#[tokio::test(flavor = "current_thread")]
async fn rejects_target_ref_deployment() {
    let target_ref = LocalTargetRef {
        group: Some("apps".to_string()),
        kind: "Deployment".to_string(),
        name: "api".to_string(),
    };
    admission::rejects(|ns| mk_ratelimiter(ns, target_ref, 1000, 100, default_overrides())).await;
}

#[tokio::test(flavor = "current_thread")]
async fn rejects_identity_rps_higher_than_total() {
    admission::rejects(|ns| {
        mk_ratelimiter(ns, default_target_ref(), 1000, 2000, default_overrides())
    })
    .await;
}

#[tokio::test(flavor = "current_thread")]
async fn rejects_overrides_rps_higher_than_total() {
    let overrides = vec![Override {
        requests_per_second: 2000,
        client_refs: vec![NamespacedTargetRef {
            group: Some("".to_string()),
            kind: "ServiceAccount".to_string(),
            name: "sa-1".to_string(),
            namespace: Some("linkerd".to_string()),
        }],
    }];
    admission::rejects(|ns| mk_ratelimiter(ns, default_target_ref(), 1000, 2000, overrides)).await;
}

fn default_target_ref() -> LocalTargetRef {
    LocalTargetRef {
        group: Some("policy.linkerd.io".to_string()),
        kind: "Server".to_string(),
        name: "api".to_string(),
    }
}

fn default_overrides() -> Vec<Override> {
    vec![Override {
        requests_per_second: 200,
        client_refs: vec![NamespacedTargetRef {
            group: Some("".to_string()),
            kind: "ServiceAccount".to_string(),
            name: "sa-1".to_string(),
            namespace: Some("linkerd".to_string()),
        }],
    }]
}

fn mk_ratelimiter(
    namespace: String,
    target_ref: LocalTargetRef,
    total_rps: u32,
    identity_rps: u32,
    overrides: Vec<Override>,
) -> HttpLocalRateLimitPolicy {
    HttpLocalRateLimitPolicy {
        metadata: api::ObjectMeta {
            namespace: Some(namespace),
            name: Some("test".to_string()),
            ..Default::default()
        },
        spec: RateLimitPolicySpec {
            target_ref,
            total: Some(Limit {
                requests_per_second: total_rps,
            }),
            identity: Some(Limit {
                requests_per_second: identity_rps,
            }),
            overrides: Some(overrides),
        },
        status: Some(HttpLocalRateLimitPolicyStatus {
            conditions: vec![api::Condition {
                last_transition_time: api::Time(chrono::DateTime::<chrono::Utc>::MIN_UTC),
                message: "".to_string(),
                observed_generation: None,
                reason: "".to_string(),
                status: "True".to_string(),
                type_: "Accepted".to_string(),
            }],
            target_ref: LocalTargetRef {
                group: Some("policy.linkerd.io".to_string()),
                kind: "Server".to_string(),
                name: "linkerd-admin".to_string(),
            },
        }),
    }
}