bug: ratelimit: error when applying ratelimit local rate descriptor limit is not a multiple of token bucket fill timer #1634

Closed
Ressetkk opened this issue Jan 23, 2025 · 1 comment
Labels
area/api-gateway Issues or PRs related to api-gateway kind/bug Categorizes issue or PR as related to a bug.

Ressetkk commented Jan 23, 2025

When I deploy a RateLimit CR with the following configuration, I get an error:

2025-01-23T08:57:10.149539Z     warning envoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138      gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) virtualInbound: local rate descriptor limit is not a multiple of token bucket fill timer

The local rate limit configuration is not applied, but the CR status reports that the rate limit is Ready.

kubectl get ratelimits.gateway.kyma-project.io -n test ratelimit-sample 
NAME               STATUS   AGE
ratelimit-sample   Ready    4m57s

When a user applies a RateLimit CR where any descriptor's fill interval is not a multiple of the default bucket fill interval defined in the rate limit, validation should result in an error.

The error comes directly from Envoy: https://github.com/envoyproxy/envoy/blob/main/source/extensions/filters/common/local_ratelimit/local_ratelimit_impl.cc#L221-L224

Also in Envoy docs it's stated that:

In the current implementation the descriptor’s token bucket fill_interval must be a multiple global token bucket’s fill interval.

The descriptors must match verbatim for rate limiting to apply. There is no partial match by a subset of descriptor entries in the current implementation.

We need to cover that exception in validation, or parse any exception directly from Envoy and reflect that in resource status.

Steps to reproduce
Deploy httpbin, expose it, and deploy an APIRule:

kubectl create namespace test
kubectl label namespace test istio-injection=enabled
kubectl run httpbin --namespace test --image=kennethreitz/httpbin --labels app=httpbin
kubectl expose --namespace test pod httpbin --port 80
cat <<EOF | kubectl apply -f -
apiVersion: gateway.kyma-project.io/v2alpha1
kind: APIRule
metadata:
  name: httpbin
  namespace: test
spec:
  hosts:
    - httpbin.local.kyma.dev
  gateway: kyma-system/kyma-gateway
  rules:
    - path: /*
      service:
        name: httpbin
        port: 80
      methods: ["GET","POST"]
      noAuth: true
EOF

Apply the following RateLimit CR:

cat <<EOF | kubectl apply -f -
apiVersion: gateway.kyma-project.io/v1alpha1
kind: RateLimit
metadata:
  labels:
    app: httpbin
  name: ratelimit-sample
  namespace: test
spec:
  selectorLabels:
    app: httpbin
  enableResponseHeaders: true
  local:
    defaultBucket:
      maxTokens: 5
      tokensPerFill: 5
      fillInterval: 10m
    buckets:
      - path: /ip
        bucket:
          maxTokens: 13
          tokensPerFill: 13
          fillInterval: 30s
EOF

Check the logs of the istio-proxy sidecar in the httpbin workload:

kubectl logs -n test httpbin istio-proxy

/kind bug
/area api-gateway

@Ressetkk Ressetkk added the kind/bug Categorizes issue or PR as related to a bug. label Jan 23, 2025
@kyma-bot kyma-bot added the area/api-gateway Issues or PRs related to api-gateway label Jan 23, 2025
@strekm strekm added this to the 2.11.0 milestone Jan 23, 2025
@werdes72 werdes72 self-assigned this Jan 24, 2025
@Ressetkk Ressetkk assigned Ressetkk and unassigned werdes72 Jan 27, 2025
@mluk-sap

Done
PR: #1636
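The validation requested in this issue, as an added Go example that is not the project's code and not the content of the linked PR: it rejects any per-path bucket whose fill interval is not a whole multiple of the default bucket's fill interval, so the resource fails at admission instead of reporting Ready while the sidecar enforces no limit. The `Bucket` and `PathBucket` types and the `ValidateFillIntervals` function are hypothetical names that mirror the fields of the CR above.

```go
package main

import (
	"fmt"
	"time"
)

// Bucket and PathBucket are hypothetical types mirroring the CR fields in the issue.
type Bucket struct {
	MaxTokens, TokensPerFill int
	FillInterval             string // Go duration string, e.g. "10m" or "30s"
}

type PathBucket struct {
	Path   string
	Bucket Bucket
}

// ValidateFillIntervals returns one error per bucket whose fill interval is
// invalid or is not a whole multiple of the default bucket's fill interval.
func ValidateFillIntervals(def Bucket, buckets []PathBucket) []error {
	base, err := time.ParseDuration(def.FillInterval)
	if err != nil || base <= 0 {
		return []error{fmt.Errorf("defaultBucket: invalid fillInterval %q", def.FillInterval)}
	}
	var errs []error
	for _, pb := range buckets {
		d, err := time.ParseDuration(pb.Bucket.FillInterval)
		switch {
		case err != nil || d <= 0:
			errs = append(errs, fmt.Errorf("bucket %s: invalid fillInterval %q", pb.Path, pb.Bucket.FillInterval))
		case d%base != 0: // same multiple-of rule that Envoy applies when loading the listener
			errs = append(errs, fmt.Errorf("bucket %s: fillInterval %s is not a multiple of defaultBucket fillInterval %s", pb.Path, d, base))
		}
	}
	return errs
}

func main() {
	// Values taken from the RateLimit CR in the issue.
	def := Bucket{5, 5, "10m"}
	buckets := []PathBucket{{"/ip", Bucket{13, 13, "30s"}}}
	for _, e := range ValidateFillIntervals(def, buckets) {
		fmt.Println("rejected:", e)
	}
}
```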
