[common-go] Add keyed gRPC rate limits

[csweichel]

Description

This PR adds support for message-keyed gRPC rate limits to common-go.
Using this functionality, we can e.g. add per-user rate limits in ws-manager.

For example:

{
    "rateLimits": {
        "/wsman.WorkspaceManager/StartWorkspace": {
            "bucketSize": 5,
            "refillInterval": "1s",
            "key": "metadata.owner",
            "keyCacheSize": 200
        }
    }
}

would impose a 5 workspaces per second rate limit per workspace owner.

How to test

• See unit test
• Manually add the config to ws-manager and use loadgen

Release Notes

[ws-manager] Support more fine-grained rate limits

[csweichel]

/werft run with-clean-slate

👍 started the job as gitpod-build-cw-grpc-rl-fields.4
(with .werft/ from main)

[easyCZ]

https://github.com/grpc-ecosystem/go-grpc-middleware offers a rate limit implementation, this may be possibly cheaper to use than building our own.

I've used it in the past and worked well. It has built in support for sharing the rate limits across instances (but can be used without it).

[csweichel]

https://github.com/grpc-ecosystem/go-grpc-middleware offers a rate limit implementation, this may be possibly cheaper to use than building our own.

I've used it in the past and worked well. It has built in support for sharing the rate limits across instances (but can be used without it).

We looked at that implementation prior to rolling our own.
AFAIK it does not support

• per method rate limiting
• "keyed" rate limiting as is introduced in this PR.

We use the exact same rate limiting package as go-grpc-middleware under the hood (basically took inspiration from that package), hence could also support rate limiting across multiple instances.

[easyCZ]

Looking good, left a couple comments. Could you please also add metrics to expose the following:

1. Rate limited count, by method
2. Hit rate on the LRU

Can be in seperate follow-up PRs, but we should be able to observe this before we deploy it to prod.

[easyCZ]

The map here should probably be made private. As implemented, updates to the map are not concurrency safe so we shouldn't be exposing it.

[easyCZ]

Suggested change

	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {

we're not using the named returns

[csweichel]

they indicate what's returned though :)

[geropl]

question: this immediately throws creates and trashes a limiter struct on stack AFAIU which could be avoided by not using ContainsOrAdd.

[csweichel]

Agreed - not doing it this way requires extra locking because this operation can happen concurrently.

We could also ignore the concurrency for the time being and go with a Peek followed by an Add, running the risk to mis-account for a key during very high call-rate situations.

[geropl]

Code LGTM, and seems to work. Left minor comments.

[csweichel]

Added metrics

[easyCZ]

I believe the metrics here also need to be registered, to be picked up by prometheus, otherwise they are just local counters which won't show up on /metrics endpoint.

See https://pkg.go.dev/github.com/prometheus/client_golang/prometheus#Register

[easyCZ]

In this case, I'd actually hoist the counter definition outside of this instantiation and make it package private variable. You can use https://pkg.go.dev/github.com/prometheus/client_golang/prometheus/promauto to simplify the registration.

This will work because the metrics scraper also adds labels for the pod/service so we can differentiate the various metrics when querying.

[sagor999]

It registers them here:

gitpod/components/ws-manager/cmd/run.go

Line 122 in 29ba28f

metrics.Registry.MustRegister(ratelimits)

[easyCZ]

My bad, missed this. Normally, I'd expect the registration to happen in this file and automatically without requiring an extra call. The risk here is that a component uses the rate limiting interceptor but doesn't register the metric.

The other issue is that this would panic on startup, but CI doesn't catch this.

[easyCZ]

One way to address this would be accept the metrics registry when constructing the interceptor. This would signal to the caller that they control the registry and need to register it.

It would also make it possible to inject a registry in tests which would allow us to test the metrics, if we wanted to.

[csweichel]

For a while now we've adopted the pattern to make things implement the prometheus.Collector interface so that they can be registered.
Testing is just as easy as passing in the registry, but it doesn't mandate that someone uses metrics.
The "registration error at runtime" behaviour is also the same.

[easyCZ]

Thanks. I'd personally like the need for registration to be more explicit (and to use DI to pass the registry in) but given this is an existing pattern, better to stick to it than introduce yet another. Thanks for the info.

[easyCZ]

Copy-paste error with the name in callCounter. Once the metrics are registered (other comment), this would cause a panic/error.

[sagor999]

just need to fix metrics name copy paste error.

[sagor999]

It registers them here:

gitpod/components/ws-manager/cmd/run.go

Line 122 in 29ba28f

metrics.Registry.MustRegister(ratelimits)

[sagor999]

/hold to make sure metrics name gets fixed before merge. feel free to remove hold once addressed.

[csweichel]

fixed the metrics name

[csweichel]

/hold cancel

[felladrin]

Checked the code, and also took into account other reviewers comments and the test case. ✅