
Limiting requests based on keycloak username problem

Open averevki opened this issue 1 year ago • 0 comments

Since the 2024-12-17 nightly kuadrant-operator-catalog image, our test that should limit requests based on the Keycloak user's username has been failing. It doesn't limit requests for users anymore. The setup is similar to one of the Kuadrant user guides, but without the Kubernetes identity. Can you please help me understand what's wrong with ours?

There could have been a change in structure we are not aware of, but I didn't find any new commits around this date. I did some research, and from the docs it seems like the RLP counter value might be something different, something like metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.user to fetch dynamic metadata, but I wasn't able to make Limitador parse this value.

Also, for future debugging, is there a method to check what dynamic metadata is actually parsed? Thank you.

- Kuadrant operator image: nightly-11-02-2025
- Limitador image: c31e42f370bc1fec921a422777a120478b8a319a
- Authorino image: v0.20.0
- Wasm image: abe70bb1251bf9c0db3ee86f52759b11b5dedbe3
- Red Hat Build of Keycloak operator version: 26.0.9-opr.1

AuthPolicy

```yaml
spec:
  rules:
    authentication:
      default:
        credentials:
          authorizationHeader:
            prefix: Bearer
        jwt:
          issuerUrl: 'http://1.2.3.4:8080/realms/realm-averevki--maic'
          ttl: 0
        metrics: false
        priority: 0
    response:
      success:
        filters:
          identity:
            json:
              properties:
                user:
                  selector: auth.identity.preferred_username
            metrics: false
            priority: 0
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-averevki--1gdn
```

RateLimitPolicy

```yaml
spec:
  limits:
    basic:
      counters:
        - expression: auth.identity.user
      rates:
        - limit: 5
          window: 60s
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-averevki--1gdn
```

Gateway

```yaml
spec:
  gatewayClassName: istio
  listeners:
    - allowedRoutes:
        namespaces:
          from: Same
      hostname: '*.apps.kua.redhat.com'
      name: api
      port: 80
      protocol: HTTP
```

HTTPRoute

```yaml
spec:
  hostnames:
    - hostname-averevki--bpa-kuadrant.apps.kua.redhat.com
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: gw-averevki--nlej
  rules:
    - backendRefs:
        - group: ''
          kind: Service
          name: httpbin-averevki--j5ge
          namespace: kuadrant
          port: 8080
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /
```

averevki, Feb 11 '25 16:02