Page MenuHomePhabricator
Create Task
Maniphest T406490

Test api rate limiting on staging cluster
Closed, ResolvedPublic8 Estimated Story Points
Actions

Description

Deploy rate limiting for the rest gateway on the staging cluster for manual testing.

Steps:

  • Create a list of URLs to test against (using bash/curl, Siege, or Locust)
  • Enforce limits on all routes, but only if the client specifies the x-wmf-user-class header (or equivalent). Test that rate limit is enforced.
  • Set global shadow mode, test that rate limit is no longer enforced but logs/stats provide useful information
  • Enable rate limiting (in shadow mode) on routes that opt into rate limiting, regardless of the x-wmf-user-class being given (and ensure such headers are ignored if thy come from the client).

Stretch:

  • Test selectiv shadow mode [needs Envoy 1.33]

For the purpose of this test, the rate limits should be configured very log, e.g. 3 per minute for anon and 10 per minute for users.

Details

Due Date
Oct 10 2025, 10:00 PM
Other Assignee
Clement_Goubert

Related Objects
Search...

Event Timeline

daniel created this task.Oct 6 2025, 1:30 PM
daniel set the point value for this task to 8.
daniel set Due Date to Oct 10 2025, 10:00 PM.
daniel edited parent tasks, added: T398919: Epic: API rate limiting dry run (WE5.1.3b); removed: T405544: Add support for rate limiting rest gateway routes to api-gateway helm chart.Oct 6 2025, 2:43 PM
daniel updated the task description. (Show Details)Oct 6 2025, 2:51 PM
gerritbot added a comment.Oct 7 2025, 11:16 AM

Change #1194174 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/deployment-charts@master] rest-gateway: Deploy rate limiting in staging

https://gerrit.wikimedia.org/r/1194174

gerritbot added a project: Patch-For-Review.Oct 7 2025, 11:16 AM
JTweed-WMF moved this task from Inbox, needs triage to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.Oct 13 2025, 2:31 PM
daniel reassigned this task from daniel to Clement_Goubert.Oct 21 2025, 1:20 PM
daniel added a subtask: T405574: api-gateway helm chart: add ability to test rate limiting for rest-gateway routes.
Clement_Goubert added a comment.Oct 22 2025, 12:34 PM

The rate-limiting core patch is now merged, nothing is turned on anywhere but there's no issues with the changes that are currently made (lua, headers, etc.).
We're in pretty good shape to enable it in staging and start testing.

gerritbot added a comment.Oct 23 2025, 9:54 AM

Change #1194174 merged by jenkins-bot:

[operations/deployment-charts@master] rest-gateway: Deploy rate limiting in staging

https://gerrit.wikimedia.org/r/1194174

Maintenance_bot removed a project: Patch-For-Review.Oct 23 2025, 10:31 AM
Clement_Goubert added a comment.EditedOct 23 2025, 11:29 AM

Action items:

  • Get a better set of routes in staging, the ones in here now are not conducive to testing.
  • Fix no-csp disabling the lua completely
gerritbot added a comment.Oct 23 2025, 12:20 PM

Change #1198310 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/deployment-charts@master] api-gateway: Use metadata to flip csp header handling

https://gerrit.wikimedia.org/r/1198310

gerritbot added a project: Patch-For-Review.Oct 23 2025, 12:20 PM
gerritbot added a comment.Oct 27 2025, 12:10 PM

Change #1198953 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/deployment-charts@master] api-gateway: csp header handling

https://gerrit.wikimedia.org/r/1198953

gerritbot added a comment.Oct 27 2025, 1:28 PM

Change #1198310 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: Use metadata to flip csp header handling

https://gerrit.wikimedia.org/r/1198310

gerritbot added a comment.Oct 27 2025, 2:00 PM

Change #1198953 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: csp header handling

https://gerrit.wikimedia.org/r/1198953

gerritbot added a comment.Oct 27 2025, 2:09 PM

Change #1198987 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/deployment-charts@master] rest-gateway: Fix csp_enabled configuration

https://gerrit.wikimedia.org/r/1198987

gerritbot added a comment.Oct 27 2025, 2:19 PM

Change #1198987 merged by jenkins-bot:

[operations/deployment-charts@master] rest-gateway: Fix csp_enabled configuration

https://gerrit.wikimedia.org/r/1198987

Maintenance_bot removed a project: Patch-For-Review.Oct 27 2025, 2:30 PM
gerritbot added a comment.Oct 28 2025, 3:27 PM

Change #1199331 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/deployment-charts@master] api-gateway: Release patch for ratelimit test

https://gerrit.wikimedia.org/r/1199331

gerritbot added a project: Patch-For-Review.Oct 28 2025, 3:27 PM
daniel added a parent task: T406498: Test api rate limiting on production cluster.Oct 30 2025, 5:04 PM
daniel closed this task as Resolved.EditedOct 30 2025, 5:36 PM

Completes successfully with one caveat. Test plan and protocol at https://docs.google.com/document/d/1lWAPTQs5WwLdzxA621qkMyUggiNfgCpKi3TObEU6XA0/edit?pli=1&tab=t.3tvjcm43fthr#heading=h.ayqizepthr36

Caveat: Per-route rate limit configuration (needed e.g. for selective shadow mode) needs Envoy 1.33, it is broken in earlier versions. But we can still turn rate limiting off and on per route, and we have global shadow mode. That's sufficient for the initial rollout.

daniel updated the task description. (Show Details)Oct 30 2025, 5:37 PM
daniel updated the task description. (Show Details)
daniel mentioned this in T402914: Set up a rest-gateway deployment for rate limiting testing.Oct 30 2025, 5:41 PM
daniel closed subtask T405574: api-gateway helm chart: add ability to test rate limiting for rest-gateway routes as Resolved.Oct 30 2025, 5:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits