[rlp-v2] do not use gateway name nor host in the RL domain #218

Merged
merged 2 commits into from
Aug 9, 2023

@guicassolato guicassolato commented Jul 17, 2023

Fixes the reconciliation of the Limitador CR, pairing it with the reconciled wasm config (WasmPlugin CR), so

  • rate limit definitions won't be duplicated in the Limitador CR;
  • limits can be defined crossing gateways and hostnames and yet be treated as the same limit in Limitador (case of simple RLPs that target HTTPRoutes with multiple Gateway parent refs)

Closes #201

Verification steps

Verification steps for a scenario with 2 Gateways, 3 HTTPRoutes and 4 RateLimitPolicies.

Intro

Disclaimer

Please keep in mind that we are implementing Direct Policy Attachment and not yet Inherited Policy Attachment. I.e.,

  • no default and overrides;
  • when a policy targets an HTTPRoute, that policy fully replaces any other policies that might exist targeting the HTTPRoute's parent Gateways.

Topology

               *.website
               *.io            *.local
                 │                │
                 ▼                ▼
┌───────┐    ┌──────┐         ┌──────┐     ┌───────┐
│ rlp-1 ├───►│ gw-1 │         │ gw-2 │◄────┤ rlp-2 │
└───────┘    └─┬──┬─┘         └─┬──┬─┘     └───────┘
               │  │             │  │
         ┌─────┘  └──────┬──────┘  └────┐
         │               │              │
    ┌────┴────┐     ┌────┴────┐    ┌────┴────┐
    │ route-1 │     │ route-2 │    │ route-3 │
    └─────────┘     └─────────┘    └─────────┘
         ▲               ▲
         │               │
     ┌───┴───┐       ┌───┴───┐
     │ rlp-3 │       │ rlp-4 │
     └───────┘       └───────┘

Description of the network resources

  • gw-1: N/S (internet) traffic gateway; declares 2 listeners: *.website (for public websites) and *.io (for APIs exposed to the internet)
  • gw-2: E/W (local) traffic gateway; declares 1 listener – *.local (for APIs consumed within the network)
  • route-1: attached to the N/S (internet) gateway only; catches traffic directed to *.toystore.(website|io); declares 2 route rules: GET /v1/* or POST /v1/*, and /assets/*
  • route-2: attached to both gateways; catches traffic directed to status.(io|local); declares 1 route rule: /* ("catch-all")
  • route-3: attached to the E/W local gateway only; catches the complement of the traffic directed to *.local (i.e. all except status.local); declares 2 route rules: /v1/* and /v2/*

State transitions

After setting the topology as described above, each RLP (from 1 to 4) will be created in sequence. This will trigger (4x) the reconciliation of the WasmPlugin CRs named kuadrant-gw-1 and kuadrant-gw-2, respectively for each gateway.

A WasmPlugin contains the configs for the RLPs and corresponding affected HTTPRoutes, according to the targetRefs of each RLP. For example, when rlp-1 is created, because it affects two HTTPRoutes (i.e. route-1 and route-2, by declaring gw-1 as parent), a WasmPlugin CR will be created for this gateway, with name kuadrant-gw-1, and containing instructions to activate the limits declared in rlp-1 for the route rules stated by route-1 and route-2. Later, when rlp-3 is created, it replaces rlp-1 as the desired state for protecting route-1; nevertheless, rlp-1 remains valid for any traffic that flows through gw-1 to route-2, until rlp-4 is created.

Similarly, and for all the other RLPs and affected HTTPRoutes, the table below describes the expected states of the WasmPlugin CRs after the creation of each policy.

State  After steps  WasmPlugins reconciled  Config contains limits from RLPs  Activated on matches from
-----  -----------  ----------------------  --------------------------------  -------------------------
0      ① ② ③        N/A                     N/A
1      ④ rlp-1      kuadrant-gw-1           rlp-1                             route-1 | route-2
2      ⑤ rlp-2      kuadrant-gw-2           rlp-2                             route-2 | route-3
3      ⑥ rlp-3      kuadrant-gw-1           rlp-1                             route-2
                                            rlp-3                             route-1
                    kuadrant-gw-2           rlp-2                             route-2 | route-3
4      ⑦ rlp-4      kuadrant-gw-1           rlp-1
                                            rlp-3                             route-1
                                            rlp-4                             route-2
                    kuadrant-gw-2           rlp-2                             route-3
                                            rlp-4                             route-2

Expected final state

After the creation of all RLPs, any additional event that does not change the topology reconciles the following final state:

WasmPlugin     Limits from  Activated on
-------------  -----------  ------------
kuadrant-gw-1  rlp-1
               rlp-3        route-1
               rlp-4        route-2
kuadrant-gw-2  rlp-2        route-3
               rlp-4        route-2

At the final state, the following back reference annotations are expected to be found in each of the targeted network resources:

Gateway  Annotation                     RLPs
-------  -----------------------------  -------------------
gw-1     kuadrant.io/ratelimitpolicies  rlp-1, rlp-3, rlp-4
         kuadrant.io/ratelimitpolicy    rlp-1
gw-2     kuadrant.io/ratelimitpolicies  rlp-2, rlp-4
         kuadrant.io/ratelimitpolicy    rlp-2
route-1  kuadrant.io/ratelimitpolicy    rlp-3
route-2  kuadrant.io/ratelimitpolicy    rlp-4
route-3

Steps ① → ⑦

① Setup

make local-setup

kubectl -n kuadrant-system apply -f - <<EOF
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant
spec: {}
EOF

kubectl apply -f examples/toystore/toystore.yaml

② Create the Gateways

kubectl -n istio-system apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gw-1
  annotations:
    kuadrant.io/namespace: kuadrant-system
    networking.istio.io/service-type: ClusterIP
spec:
  gatewayClassName: istio
  listeners:
  - name: websites
    port: 80
    protocol: HTTP
    hostname: '*.website'
    allowedRoutes:
      namespaces:
        from: All
  - name: apis
    port: 80
    protocol: HTTP
    hostname: '*.io'
    allowedRoutes:
      namespaces:
        from: All
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gw-2
  annotations:
    kuadrant.io/namespace: kuadrant-system
    networking.istio.io/service-type: ClusterIP
spec:
  gatewayClassName: istio
  listeners:
  - name: local
    port: 80
    protocol: HTTP
    hostname: '*.local'
    allowedRoutes:
      namespaces:
        from: All
EOF

③ Create the HTTPRoutes

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: route-1
spec:
  parentRefs:
  - namespace: istio-system
    name: gw-1
  hostnames:
  - "*.toystore.website"
  - "*.toystore.io"
  rules:
  - matches:
    - method: GET
      path: { value: "/v1/", type: PathPrefix }
    - method: POST
      path: { value: "/v1/", type: PathPrefix }
    backendRefs:
    - name: toystore
      port: 80
  - matches:
    - path: { value: "/assets/", type: PathPrefix }
    backendRefs:
    - name: toystore
      port: 80
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: route-2
spec:
  parentRefs:
  - namespace: istio-system
    name: gw-1
  - namespace: istio-system
    name: gw-2
  hostnames:
  - status.io
  - status.local
  rules:
  - backendRefs:
    - name: toystore
      port: 80
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: route-3
spec:
  parentRefs:
  - namespace: istio-system
    name: gw-2
  rules:
  - matches:
    - path: { value: "/v1/", type: PathPrefix }
    - path: { value: "/v2/", type: PathPrefix }
    backendRefs:
    - name: toystore
      port: 80
EOF

Check no WasmPlugins created at this stage:

kubectl get wasmplugins -A
# No resources found

④ Create rlp-1 targeting gw-1

kubectl -n istio-system apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
kind: RateLimitPolicy
metadata:
  name: rlp-1
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: gw-1
  limits:
    internet-traffic-all:
      rates:
      - limit: 1000
        duration: 1
        unit: second
    internet-traffic-apis-per-host:
      rates:
      - limit: 200
        duration: 1
        unit: second
      counters:
      - request.host
      when:
      - selector: request.host
        operator: endswith
        value: .io
EOF

Check the WasmPlugin for gateway gw-1:

kubectl get wasmplugin/kuadrant-gw-1 -n istio-system -o yaml

Expected output:

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: kuadrant-gw-1
  namespace: istio-system
  
spec:
  phase: STATS
  pluginConfig:
    failureMode: deny
    rateLimitPolicies:
    - domain: istio-system/rlp-1
      hostnames:
      - '*.website'
      - '*.io'
      name: istio-system/rlp-1
      rules:
      - conditions:
        - allOf:
          - operator: startswith
            selector: request.url_path
            value: /v1/
          - operator: eq
            selector: request.method
            value: GET
        - allOf:
          - operator: startswith
            selector: request.url_path
            value: /v1/
          - operator: eq
            selector: request.method
            value: POST
        - allOf:
          - operator: startswith
            selector: request.url_path
            value: /assets/
        - allOf:
          - operator: startswith
            selector: request.url_path
            value: /
        data:
        - static:
            key: limit.internet_traffic_all__593de456
            value: "1"
      - conditions:
        - allOf:
          - operator: startswith
            selector: request.url_path
            value: /v1/
          - operator: eq
            selector: request.method
            value: GET
          - operator: endswith
            selector: request.host
            value: .io
        - allOf:
          - operator: startswith
            selector: request.url_path
            value: /v1/
          - operator: eq
            selector: request.method
            value: POST
          - operator: endswith
            selector: request.host
            value: .io
        - allOf:
          - operator: startswith
            selector: request.url_path
            value: /assets/
          - operator: endswith
            selector: request.host
            value: .io
        - allOf:
          - operator: startswith
            selector: request.url_path
            value: /
          - operator: endswith
            selector: request.host
            value: .io
        data:
        - static:
            key: limit.internet_traffic_apis_per_host__a2b149d2
            value: "1"
        - selector:
            selector: request.host
      service: kuadrant-rate-limiting-service
  selector:
    matchLabels:
      istio.io/gateway-name: gw-1
  url: oci://quay.io/kuadrant/wasm-shim:latest

No WasmPlugin for gateway gw-2 should exist at this point.

Check the Limitador CR:

kubectl get limitador limitador -n kuadrant-system -o yaml

Expected output:

apiVersion: limitador.kuadrant.io/v1alpha1
kind: Limitador
metadata:
  name: limitador
  namespace: kuadrant-system
  
spec:
  limits:
  - conditions:
    - limit.internet_traffic_all__593de456 == "1"
    max_value: 1000
    namespace: istio-system/rlp-1
    seconds: 1
    variables: []
  - conditions:
    - limit.internet_traffic_apis_per_host__a2b149d2 == "1"
    max_value: 200
    namespace: istio-system/rlp-1
    seconds: 1
    variables:
    - request.host
status:
  conditions:
  - lastTransitionTime: "2023-07-14T14:56:55Z"
    message: Limitador is ready
    reason: Ready
    status: "True"
    type: Ready
  observedGeneration: 2
  service:
    host: limitador-limitador.kuadrant-system.svc.cluster.local
    ports:
      grpc: 8081
      http: 8080

⑤ Create rlp-2 targeting gw-2

kubectl -n istio-system apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
kind: RateLimitPolicy
metadata:
  name: rlp-2
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: gw-2
  limits:
    local-traffic-non-admins-per-host:
      rates:
      - limit: 2
        duration: 10
        unit: second
      counters:
      - request.host
      when:
      - selector: auth.identity.admin # abstraction for 'metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.admin'
        operator: neq
        value: "true"
EOF

Check the WasmPlugin for gateway gw-2:

kubectl get wasmplugin/kuadrant-gw-2 -n istio-system -o yaml

Expected output:

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: kuadrant-gw-2
  namespace: istio-system
  
spec:
  phase: STATS
  pluginConfig:
    failureMode: deny
    rateLimitPolicies:
    - domain: istio-system/rlp-2
      hostnames:
      - '*.local'
      name: istio-system/rlp-2
      rules:
      - conditions:
        - allOf:
          - operator: startswith
            selector: request.url_path
            value: /
          - operator: neq
            selector: auth.identity.admin
            value: "true"
        - allOf:
          - operator: startswith
            selector: request.url_path
            value: /v1/
          - operator: neq
            selector: auth.identity.admin
            value: "true"
        - allOf:
          - operator: startswith
            selector: request.url_path
            value: /v2/
          - operator: neq
            selector: auth.identity.admin
            value: "true"
        data:
        - static:
            key: limit.local_traffic_non_admins_per_host__869a3d40
            value: "1"
        - selector:
            selector: request.host
      service: kuadrant-rate-limiting-service
  selector:
    matchLabels:
      istio.io/gateway-name: gw-2
  url: oci://quay.io/kuadrant/wasm-shim:latest

The WasmPlugin for gateway gw-1 should be unchanged.

Check the Limitador CR:

kubectl get limitador limitador -n kuadrant-system -o yaml

Expected output:

apiVersion: limitador.kuadrant.io/v1alpha1
kind: Limitador
metadata:
  name: limitador
  namespace: kuadrant-system
  
spec:
  limits:
  - conditions:
    - limit.internet_traffic_all__593de456 == "1"
    max_value: 1000
    namespace: istio-system/rlp-1
    seconds: 1
    variables: []
  - conditions:
    - limit.internet_traffic_apis_per_host__a2b149d2 == "1"
    max_value: 200
    namespace: istio-system/rlp-1
    seconds: 1
    variables:
    - request.host
  - conditions:
    - limit.local_traffic_non_admins_per_host__869a3d40 == "1"
    max_value: 2
    namespace: istio-system/rlp-2
    seconds: 10
    variables:
    - request.host
status:
  conditions:
  - lastTransitionTime: "2023-07-14T14:56:55Z"
    message: Limitador is ready
    reason: Ready
    status: "True"
    type: Ready
  observedGeneration: 3
  service:
    host: limitador-limitador.kuadrant-system.svc.cluster.local
    ports:
      grpc: 8081
      http: 8080

⑥ Create rlp-3 targeting route-1

kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
kind: RateLimitPolicy
metadata:
  name: rlp-3
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-1
  limits:
    toystore-v1-website-unauthenticated:
      rates:
      - limit: 50
        duration: 1
        unit: minute
      routeSelectors:
      - matches: # matches the 1st HTTPRouteRule (GET|POST /v1/*)
        - path:
            type: PathPrefix
            value: "/v1/"
        hostnames:
        - "*.toystore.website"
      when:
      - selector: auth.identity.username
        operator: eq
        value: ""
    toystore-assets-all-domains:
      rates:
      - limit: 5
        duration: 1
        unit: minute
      - limit: 100
        duration: 12
        unit: hour
      routeSelectors:
      - matches: # matches the 2nd HTTPRouteRule (/assets/*)
        - path:
            type: PathPrefix
            value: "/assets/"
EOF

Check the WasmPlugin for gateway gw-1:

kubectl get wasmplugin/kuadrant-gw-1 -n istio-system -o yaml

Expected output:

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: kuadrant-gw-1
  namespace: istio-system
  
spec:
  phase: STATS
  pluginConfig:
    failureMode: deny
    rateLimitPolicies:
    - domain: istio-system/rlp-1
      hostnames:
      - '*.website'
      - '*.io'
      name: istio-system/rlp-1
      rules:
      - conditions:
        - allOf: # from route-2
          - operator: startswith
            selector: request.url_path
            value: /
        data:
        - static:
            key: limit.internet_traffic_all__593de456
            value: "1"
      - conditions:
        - allOf: # from route-2
          - operator: startswith
            selector: request.url_path
            value: /
          - operator: endswith
            selector: request.host
            value: .io
        data:
        - static:
            key: limit.internet_traffic_apis_per_host__a2b149d2
            value: "1"
        - selector:
            selector: request.host
      service: kuadrant-rate-limiting-service
    - domain: istio-system/rlp-3
      hostnames:
      - '*.toystore.website'
      - '*.toystore.io'
      name: default/rlp-3
      rules:
      - conditions:
        - allOf: # from route-1
          - operator: startswith
            selector: request.url_path
            value: /assets/
        data:
        - static:
            key: limit.toystore_assets_all_domains__8cfb7371
            value: "1"
      - conditions:
        - allOf: # from route-1
          - operator: startswith
            selector: request.url_path
            value: /v1/
          - operator: eq
            selector: request.method
            value: GET
          - operator: endswith
            selector: request.host
            value: .toystore.website
          - operator: eq
            selector: auth.identity.username
            value: ""
        - allOf: # from route-1
          - operator: startswith
            selector: request.url_path
            value: /v1/
          - operator: eq
            selector: request.method
            value: POST
          - operator: endswith
            selector: request.host
            value: .toystore.website
          - operator: eq
            selector: auth.identity.username
            value: ""
        data:
        - static:
            key: limit.toystore_v1_website_unauthenticated__3f9c40c6
            value: "1"
      service: kuadrant-rate-limiting-service
  selector:
    matchLabels:
      istio.io/gateway-name: gw-1
  url: oci://quay.io/kuadrant/wasm-shim:latest

The WasmPlugin for gateway gw-2 should be unchanged.

Check the Limitador CR:

kubectl get limitador limitador -n kuadrant-system -o yaml

Expected output:

apiVersion: limitador.kuadrant.io/v1alpha1
kind: Limitador
metadata:
  name: limitador
  namespace: kuadrant-system
  
spec:
  limits:
  - conditions:
    - limit.internet_traffic_apis_per_host__a2b149d2 == "1"
    max_value: 200
    namespace: istio-system/rlp-1
    seconds: 1
    variables:
    - request.host
  - conditions:
    - limit.internet_traffic_all__593de456 == "1"
    max_value: 1000
    namespace: istio-system/rlp-1
    seconds: 1
    variables: []
  - conditions:
    - limit.local_traffic_non_admins_per_host__869a3d40 == "1"
    max_value: 2
    namespace: istio-system/rlp-2
    seconds: 10
    variables:
    - request.host
  - conditions:
    - limit.toystore_assets_all_domains__8cfb7371 == "1"
    max_value: 5
    namespace: default/rlp-3
    seconds: 60
    variables: []
  - conditions:
    - limit.toystore_assets_all_domains__8cfb7371 == "1"
    max_value: 100
    namespace: default/rlp-3
    seconds: 43200
    variables: []
  - conditions:
    - limit.toystore_v1_website_unauthenticated__3f9c40c6 == "1"
    max_value: 50
    namespace: default/rlp-3
    seconds: 60
    variables: []
status:
  conditions:
  - lastTransitionTime: "2023-07-14T14:56:55Z"
    message: Limitador is ready
    reason: Ready
    status: "True"
    type: Ready
  observedGeneration: 4
  service:
    host: limitador-limitador.kuadrant-system.svc.cluster.local
    ports:
      grpc: 8081
      http: 8080

⑦ Create rlp-4 targeting route-2

kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
kind: RateLimitPolicy
metadata:
  name: rlp-4
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-2
  limits:
    status-per-ip:
      rates:
      - limit: 10
        duration: 5
        unit: minute
      counters:
      - source.address
EOF

Check the WasmPlugins for both gateways:

kubectl get wasmplugin/kuadrant-gw-1 -n istio-system -o yaml

Expected output:

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: kuadrant-gw-1
  namespace: istio-system
  
spec:
  phase: STATS
  pluginConfig:
    failureMode: deny
    rateLimitPolicies:
    - domain: istio-system/rlp-3
      hostnames:
      - '*.toystore.website'
      - '*.toystore.io'
      name: default/rlp-3
      rules:
      - conditions:
        - allOf: # from route-1
          - operator: startswith
            selector: request.url_path
            value: /assets/
        data:
        - static:
            key: limit.toystore_assets_all_domains__8cfb7371
            value: "1"
      - conditions:
        - allOf: # from route-1
          - operator: startswith
            selector: request.url_path
            value: /v1/
          - operator: eq
            selector: request.method
            value: GET
          - operator: endswith
            selector: request.host
            value: .toystore.website
          - operator: eq
            selector: auth.identity.username
            value: ""
        - allOf: # from route-1
          - operator: startswith
            selector: request.url_path
            value: /v1/
          - operator: eq
            selector: request.method
            value: POST
          - operator: endswith
            selector: request.host
            value: .toystore.website
          - operator: eq
            selector: auth.identity.username
            value: ""
        data:
        - static:
            key: limit.toystore_v1_website_unauthenticated__3f9c40c6
            value: "1"
      service: kuadrant-rate-limiting-service
    - domain: istio-system/rlp-4
      hostnames:
      - status.io
      name: default/rlp-4
      rules:
      - conditions:
        - allOf: # from route-2
          - operator: startswith
            selector: request.url_path
            value: /
        data:
        - static:
            key: limit.status_per_ip__5fa6a0cd
            value: "1"
        - selector:
            selector: source.address
      service: kuadrant-rate-limiting-service
  selector:
    matchLabels:
      istio.io/gateway-name: gw-1
  url: oci://quay.io/kuadrant/wasm-shim:latest

kubectl get wasmplugin/kuadrant-gw-2 -n istio-system -o yaml

Expected output:

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: kuadrant-gw-2
  namespace: istio-system
  
spec:
  phase: STATS
  pluginConfig:
    failureMode: deny
    rateLimitPolicies:
    - domain: istio-system/rlp-2
      hostnames:
      - '*.local'
      name: istio-system/rlp-2
      rules:
      - conditions:
        - allOf: # from route-3
          - operator: startswith
            selector: request.url_path
            value: /v1/
          - operator: neq
            selector: auth.identity.admin
            value: "true"
        - allOf: # from route-3
          - operator: startswith
            selector: request.url_path
            value: /v2/
          - operator: neq
            selector: auth.identity.admin
            value: "true"
        data:
        - static:
            key: limit.local_traffic_non_admins_per_host__869a3d40
            value: "1"
        - selector:
            selector: request.host
      service: kuadrant-rate-limiting-service
    - domain: istio-system/rlp-4
      hostnames:
      - status.local
      name: default/rlp-4
      rules:
      - conditions:
        - allOf: # from route-2
          - operator: startswith
            selector: request.url_path
            value: /
        data:
        - static:
            key: limit.status_per_ip__5fa6a0cd
            value: "1"
        - selector:
            selector: source.address
      service: kuadrant-rate-limiting-service
  selector:
    matchLabels:
      istio.io/gateway-name: gw-2
  url: oci://quay.io/kuadrant/wasm-shim:latest

Check the Limitador CR:

kubectl get limitador limitador -n kuadrant-system -o yaml

Expected output:

apiVersion: limitador.kuadrant.io/v1alpha1
kind: Limitador
metadata:
  name: limitador
  namespace: kuadrant-system
  
spec:
  limits:
  - conditions:
    - limit.internet_traffic_all__593de456 == "1"
    max_value: 1000
    namespace: istio-system/rlp-1
    seconds: 1
    variables: []
  - conditions:
    - limit.internet_traffic_apis_per_host__a2b149d2 == "1"
    max_value: 200
    namespace: istio-system/rlp-1
    seconds: 1
    variables:
    - request.host
  - conditions:
    - limit.local_traffic_non_admins_per_host__869a3d40 == "1"
    max_value: 2
    namespace: istio-system/rlp-2
    seconds: 10
    variables:
    - request.host
  - conditions:
    - limit.toystore_assets_all_domains__8cfb7371 == "1"
    max_value: 5
    namespace: default/rlp-3
    seconds: 60
    variables: []
  - conditions:
    - limit.toystore_assets_all_domains__8cfb7371 == "1"
    max_value: 100
    namespace: default/rlp-3
    seconds: 43200
    variables: []
  - conditions:
    - limit.toystore_v1_website_unauthenticated__3f9c40c6 == "1"
    max_value: 50
    namespace: default/rlp-3
    seconds: 60
    variables: []
  - conditions:
    - limit.status_per_ip__5fa6a0cd == "1"
    max_value: 10
    namespace: default/rlp-4
    seconds: 300
    variables:
    - source.address
status:
  conditions:
  - lastTransitionTime: "2023-07-14T14:56:55Z"
    message: Limitador is ready
    reason: Ready
    status: "True"
    type: Ready
  observedGeneration: 5
  service:
    host: limitador-limitador.kuadrant-system.svc.cluster.local
    ports:
      grpc: 8081
      http: 8080
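
A check that can be run alongside the verification steps above, as an added example that is not part of the PR or of the Kuadrant code base: it pairs every WasmPlugin `domain` plus static `key` with a Limitador `namespace` plus condition, and reports limits that are missing, never activated, or duplicated. The JSON samples are constructed from the step ④ expected outputs; `CheckPairing`, the drifted domain `istio-system/gw-1` and the finding strings are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

type policy struct { // one pluginConfig.rateLimitPolicies entry of a WasmPlugin
	Domain string
	Rules  []struct {
		Data []struct{ Static *struct{ Key, Value string } }
	}
}

type limit struct { // one spec.limits entry of the Limitador CR
	Namespace             string
	Conditions, Variables []string
	MaxValue              int `json:"max_value"` // untagged names match case-insensitively
	Seconds               int
}

// Constructed samples: the step ④ expected outputs, trimmed and converted to JSON.
const samplePolicies = `[{"domain":"istio-system/rlp-1","rules":[
 {"data":[{"static":{"key":"limit.internet_traffic_all__593de456","value":"1"}}]},
 {"data":[{"static":{"key":"limit.internet_traffic_apis_per_host__a2b149d2","value":"1"}},
  {"selector":{"selector":"request.host"}}]}]}]`
const sampleLimits = `[{"namespace":"istio-system/rlp-1","seconds":1,"max_value":1000,"variables":[],
  "conditions":["limit.internet_traffic_all__593de456 == \"1\""]},
 {"namespace":"istio-system/rlp-1","seconds":1,"max_value":200,"variables":["request.host"],
  "conditions":["limit.internet_traffic_apis_per_host__a2b149d2 == \"1\""]}]`

// CheckPairing (hypothetical helper) reports missing, unused and duplicated limits.
func CheckPairing(policiesJSON, limitsJSON string) ([]string, error) {
	var policies []policy
	var limits []limit
	if err := json.Unmarshal([]byte(policiesJSON), &policies); err != nil {
		return nil, err
	}
	if err := json.Unmarshal([]byte(limitsJSON), &limits); err != nil {
		return nil, err
	}
	activated := map[string]bool{} // "namespace|condition" -> referenced by a wasm rule
	seen, findings := map[string]bool{}, []string{}
	for _, l := range limits {
		id := fmt.Sprintf("%s|%v|%d per %ds|%v", l.Namespace, l.Conditions, l.MaxValue, l.Seconds, l.Variables)
		if seen[id] {
			findings = append(findings, "duplicate limit: "+id)
		}
		seen[id] = true
		for _, c := range l.Conditions {
			activated[l.Namespace+"|"+c] = false
		}
	}
	for _, p := range policies {
		for _, r := range p.Rules {
			for _, d := range r.Data {
				if d.Static != nil { // selector entries carry counter values, not a limit key
					want := fmt.Sprintf("%s|%s == %q", p.Domain, d.Static.Key, d.Static.Value)
					if _, ok := activated[want]; !ok {
						findings = append(findings, "no limit for: "+want)
					}
					activated[want] = true
				}
			}
		}
	}
	for k, used := range activated {
		if !used {
			findings = append(findings, "limit never activated: "+k)
		}
	}
	sort.Strings(findings)
	return findings, nil
}

func main() {
	drifted := strings.ReplaceAll(samplePolicies, "istio-system/rlp-1", "istio-system/gw-1") // constructed drift
	for _, in := range []string{samplePolicies, drifted} {
		findings, err := CheckPairing(in, sampleLimits)
		fmt.Println(len(findings), "finding(s):", findings, err)
	}
}
```

On a live cluster the two inputs would be the concatenated `spec.pluginConfig.rateLimitPolicies` of all WasmPlugins and the Limitador CR's `spec.limits`, both taken with `-o json`.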

@guicassolato guicassolato requested a review from a team as a code owner July 17, 2023 17:21
@guicassolato guicassolato self-assigned this Jul 17, 2023
@guicassolato guicassolato force-pushed the rlpv2-routeselectors branch from 0bbadd2 to 98cbe4a Compare July 17, 2023 17:59
@guicassolato guicassolato force-pushed the rlp-v2-rl-domain branch 3 times, most recently from 7e7c874 to 9520a03 Compare July 18, 2023 15:04

@Boomatang Boomatang left a comment

Only the small question about sorting the conditions and variables. Other than this, works as described in the PR.

Base automatically changed from rlpv2-routeselectors to rlp-v2-base July 20, 2023 09:39
Fixes the reconciliation of the Limitador CR, pairing it with the reconciled wasm config (WasmPlugin CR), so
- rate limit definitions won't be duplicated in the Limitador CR;
- limits can be defined crossing gateways and hostnames and yet be treated as the same limit in Limitador (case of simple RLPs that target HTTPRoutes with multiple Gateway parent refs)
@eguzki

eguzki commented Jul 25, 2023

Verification steps working as expected.

After a quick review, LGTM. Probably it would be good to have another reviewer's LGTM

var uniquePolicyRefs map[string]struct{}
var policyRefs []client.ObjectKey

gwList := &gatewayapiv1beta1.GatewayList{}
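
Review bot: `var uniquePolicyRefs map[string]struct{}` declares a nil map and the visible lines do not show it being initialised; a write to a nil map panics in Go, so declare it with `make(map[string]struct{})` unless it is assigned before its first use. The `GatewayList` on the last line also implies a cluster-wide list on every reconcile, which deserves a comment stating why the full list is needed here.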

@eguzki eguzki Jul 25, 2023

This is the only thing I would like to raise.

The previous implementation was designed with a premise: try to avoid "Get all gateways" or "Get all routes" from the cluster. The approach was to reconcile deltas coming from the RLP instance causing the event.

Something that deserves further consideration, maybe for another PR

… in the format: limit.<limit-name>__<hash>, where <limit-name> is sanitised to include only characters allowed by Limitador for the identifiers and <hash> is generated out of the original limit name to avoid breaking uniqueness of the name after sanitisation.
@guicassolato guicassolato requested a review from a team July 27, 2023 16:18
@alexsnaps alexsnaps merged commit c365ff0 into rlp-v2-base Aug 9, 2023
@guicassolato guicassolato mentioned this pull request Aug 17, 2023
@guicassolato guicassolato deleted the rlp-v2-rl-domain branch August 21, 2023 09:46