Tiered Rate limit group maps

[pdabelf5]

Proposed changes

Generate NGINX maps to tie the JWT claim to the ratelimit zone key.

This change adds two maps, one for each tiered rate (this map sets the rate limit zone key variable), aka the policy map, the other map aka the JWT claim map, sets the source variable of the policy map based on the content of the JWT claim.
It also follows the existing rate limit design, when the same policy is applied within the same VirtualServer, they share the rate limit zone.

Given Policies:

apiVersion: k8s.nginx.org/v1 kind: Policy metadata: name: rate-limit-jwt-premium spec: rateLimit: rate: 100r/s key: ${jwt_claim_sub} zoneSize: 10M condition: jwt: claim: user_details.level match: Premium --- apiVersion: k8s.nginx.org/v1 kind: Policy metadata: name: rate-limit-jwt-basic spec: rateLimit: rate: 10r/s key: ${jwt_claim_sub} zoneSize: 10M condition: jwt: claim: user_details.level match: Basic default: true 

Applied on VirtualServer:

apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: cafe spec: host: cafe.example.com tls: secret: cafe-secret upstreams: - name: backend service: backend-svc port: 80 policies: - name: rate-limit-jwt-premium - name: rate-limit-jwt-basic routes: - path: / action: pass: backend 

A JWT of:

{ "user_details": { "level": "Premium" }, "sub": "client5", } 

Will result in:

auth_jwt_claim_set $jwt_default_cafe_user_details_level user_details level; map $jwt_default_cafe_user_details_level $rl_default_cafe_group_user_details_level { Basic rl_default_cafe_match_basic; default rl_default_cafe_match_basic; Premium rl_default_cafe_match_premium; } map $rl_default_cafe_group_user_details_level $pol_rl_default_rate_limit_jwt_premium_default_cafe { default ''; rl_default_cafe_match_premium Val${jwt_claim_sub}; } map $rl_default_cafe_group_user_details_level $pol_rl_default_rate_limit_jwt_basic_default_cafe { default ''; rl_default_cafe_match_basic Val${jwt_claim_sub}; } limit_req_zone $pol_rl_default_rate_limit_jwt_premium_default_cafe zone=pol_rl_default_rate-limit-jwt-premium_default_cafe:10M rate=30r/s; limit_req_zone $pol_rl_default_rate_limit_jwt_basic_default_cafe zone=pol_rl_default_rate-limit-jwt-basic_default_cafe:10M rate=1r/s; 

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

[codecov]

Codecov Report

Attention: Patch coverage is 85.97561% with 23 lines in your changes missing coverage. Please review.

Project coverage is 53.08%. Comparing base (dc64fb4) to head (fe4011d).
Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/configs/version2/http.go	0.00%	20 Missing ⚠️
internal/configs/virtualserver.go	97.91%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@ Coverage Diff @@ ## main #7390 +/- ## ========================================== + Coverage 52.82% 53.08% +0.26%  ========================================== Files 89 89 Lines 20922 21074 +152 ========================================== + Hits 11052 11188 +136  - Misses 9407 9421 +14  - Partials 463 465 +2 

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.