feat(ratelimit): Increase default values (#4129)

This increases the default rate limits to:

- 1,500 reqs / 30 seconds for list actions in total
- 1,500 reqs / 30 seconds for list actions per IP address
- 150 reqs / 30 seconds for list actions per auth token

And for all other actions:

- 30,000 reqs / 30 seconds for list actions in total
- 30,000 reqs / 30 seconds for list actions per IP address
- 3,000 reqs / 30 seconds for list actions per auth token

This seems to be a reasonable default for a small to medium size cluster
based on some scale testing.

(cherry picked from commit 237c8b6084)

internal/cmd/commands/server/controller_ratelimit_reload_test.go

@@ -234,7 +234,7 @@ func TestRealodControllerRateLimits(t *testing.T) {
 	// unauthed request, so we expect a 400
 	assert.Equal(t, http.StatusBadRequest, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=1, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	r, err = c.Do(func() *http.Request {
 		r, err := http.NewRequest(http.MethodGet, `http://127.0.0.1:9500/v1/targets`, nil)
@@ -245,7 +245,7 @@ func TestRealodControllerRateLimits(t *testing.T) {
 	// unauthed request, so we expect a 400
 	assert.Equal(t, http.StatusBadRequest, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=0, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	r, err = c.Do(func() *http.Request {
 		r, err := http.NewRequest(http.MethodGet, `http://127.0.0.1:9500/v1/targets`, nil)
@@ -256,7 +256,7 @@ func TestRealodControllerRateLimits(t *testing.T) {
 	// out of quota, so we expect a 429
 	assert.Equal(t, http.StatusTooManyRequests, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=0, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	cmd.SighupCh <- struct{}{}
 	select {
@@ -276,7 +276,7 @@ func TestRealodControllerRateLimits(t *testing.T) {
 	// unauthed request, so we expect a 400
 	assert.Equal(t, http.StatusBadRequest, r.StatusCode)
 	assert.Equal(t, `limit=5, remaining=4, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `5;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `5;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	cmd.ShutdownCh <- struct{}{}
 	wg.Wait()
@@ -329,7 +329,7 @@ func TestRealodControllerRateLimitsSameConfig(t *testing.T) {
 	// unauthed request, so we expect a 400
 	assert.Equal(t, http.StatusBadRequest, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=1, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	r, err = c.Do(func() *http.Request {
 		r, err := http.NewRequest(http.MethodGet, `http://127.0.0.1:9500/v1/targets`, nil)
@@ -340,7 +340,7 @@ func TestRealodControllerRateLimitsSameConfig(t *testing.T) {
 	// unauthed request, so we expect a 400
 	assert.Equal(t, http.StatusBadRequest, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=0, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	r, err = c.Do(func() *http.Request {
 		r, err := http.NewRequest(http.MethodGet, `http://127.0.0.1:9500/v1/targets`, nil)
@@ -351,7 +351,7 @@ func TestRealodControllerRateLimitsSameConfig(t *testing.T) {
 	// out of quota, so we expect a 429
 	assert.Equal(t, http.StatusTooManyRequests, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=0, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	cmd.SighupCh <- struct{}{}
 	select {
@@ -371,7 +371,7 @@ func TestRealodControllerRateLimitsSameConfig(t *testing.T) {
 	// should still be rate limited, so 429
 	assert.Equal(t, http.StatusTooManyRequests, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=0, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	cmd.ShutdownCh <- struct{}{}
 	wg.Wait()
@@ -427,7 +427,7 @@ func TestRealodControllerRateLimitsDisable(t *testing.T) {
 	// unauthed request, so we expect a 400
 	assert.Equal(t, http.StatusBadRequest, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=1, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	r, err = c.Do(func() *http.Request {
 		r, err := http.NewRequest(http.MethodGet, `http://127.0.0.1:9500/v1/targets`, nil)
@@ -438,7 +438,7 @@ func TestRealodControllerRateLimitsDisable(t *testing.T) {
 	// unauthed request, so we expect a 400
 	assert.Equal(t, http.StatusBadRequest, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=0, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	r, err = c.Do(func() *http.Request {
 		r, err := http.NewRequest(http.MethodGet, `http://127.0.0.1:9500/v1/targets`, nil)
@@ -449,7 +449,7 @@ func TestRealodControllerRateLimitsDisable(t *testing.T) {
 	// out of quota, so we expect a 429
 	assert.Equal(t, http.StatusTooManyRequests, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=0, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	cmd.SighupCh <- struct{}{}
 	select {
@@ -546,7 +546,7 @@ func TestRealodControllerRateLimitsEnable(t *testing.T) {
 	// unauthed request, so we expect a 400
 	assert.Equal(t, http.StatusBadRequest, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=1, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	r, err = c.Do(func() *http.Request {
 		r, err := http.NewRequest(http.MethodGet, `http://127.0.0.1:9500/v1/targets`, nil)
@@ -557,7 +557,7 @@ func TestRealodControllerRateLimitsEnable(t *testing.T) {
 	// unauthed request, so we expect a 400
 	assert.Equal(t, http.StatusBadRequest, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=0, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	r, err = c.Do(func() *http.Request {
 		r, err := http.NewRequest(http.MethodGet, `http://127.0.0.1:9500/v1/targets`, nil)
@@ -568,7 +568,7 @@ func TestRealodControllerRateLimitsEnable(t *testing.T) {
 	// out of quota, so we expect a 429
 	assert.Equal(t, http.StatusTooManyRequests, r.StatusCode)
 	assert.Equal(t, `limit=2, remaining=0, reset=60`, r.Header.Get("Ratelimit"))
-	assert.Equal(t, `2;w=60;comment="total", 60;w=30;comment="ip-address", 60;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
+	assert.Equal(t, `2;w=60;comment="total", 1500;w=30;comment="ip-address", 150;w=30;comment="auth-token"`, r.Header.Get("Ratelimit-Policy"))
 
 	cmd.ShutdownCh <- struct{}{}
 	wg.Wait()

internal/ratelimit/config.go

@@ -40,13 +40,13 @@ import (
 
 // Defaults used when creating default rate.Limits.
 const (
-	DefaultInTotalRequestLimit       = 3000
-	DefaultIpAddressRequestLimit     = 3000
+	DefaultInTotalRequestLimit       = 30000
+	DefaultIpAddressRequestLimit     = 30000
 	DefaultAuthTokenRequestLimit     = 3000
 	DefaultPeriod                    = time.Second * 30
-	DefaultInTotalListRequestLimit   = 60
-	DefaultIpAddressListRequestLimit = 60
-	DefaultAuthTokenListRequestLimit = 60
+	DefaultInTotalListRequestLimit   = 1500
+	DefaultIpAddressListRequestLimit = 1500
+	DefaultAuthTokenListRequestLimit = 150
 	DefaultListPeriod                = time.Second * 30
 )