[Resolved] Istio 1.9.1 Local Rate Limit with descriptors

Has anyone been able to set local rate limit with descriptors in Istio 1.9+?

I have not been able to find the right place to put the rate limit actions to work with local rate limit. I see examples of setting it for the global rate limit config.

I am not sure if this is a limitation in the EnvoyFilter API w.r.t. how local rate limit with descriptors’ actions need to be set up for Envoy to work correctly. For reference, I have opened this issue on GitHub: "EnvoyFilter configuration for http local rate limit with descriptors" (Issue #31324, istio/istio).

Update: it turns out we can configure the local rate limit descriptors’ actions for the route like this.

    - applyTo: HTTP_ROUTE
      match:
        context: SIDECAR_INBOUND
        routeConfiguration:
          vhost:
            name: "inbound|http|8000"
            route:
              name: "default"
      patch:
        operation: MERGE
        value:
          route:
            rate_limits:
            - actions:
              - request_headers:
                  header_name: user-id
                  descriptor_key: id
          typed_per_filter_config:
            envoy.filters.http.local_ratelimit:
              "@type": type.googleapis.com/udpa.type.v1.TypedStruct
              type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              value:

This is my full config

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpbin-inbound-8000
  namespace: app-namespace
spec:
  workloadSelector:
    labels:
      app: httpbin
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        # the listener matcher belongs under match
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.local_ratelimit
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              stat_prefix: http_local_rate_limiter

    - applyTo: HTTP_ROUTE
      match:
        context: SIDECAR_INBOUND
        routeConfiguration:
          vhost:
            name: "inbound|http|8000"
      patch:
        operation: MERGE
        value:
          route:
            rate_limits:
              - actions:
                - request_headers:
                    header_name: "user-id"
                    descriptor_key: "ID"

          typed_per_filter_config:
            envoy.filters.http.local_ratelimit:
              "@type": type.googleapis.com/udpa.type.v1.TypedStruct
              type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              value:
                stat_prefix: http_local_rate_limiter
                descriptors:
                # Each descriptor limit MUST be a multiple of the
                # default limit; otherwise the sidecar fails to inject
                # or the config fails to update on an existing sidecar with:
                # "local rate descriptor limit is not a multiple of token bucket fill timer"
                - entries:
                  - key: ID
                    value: a
                  token_bucket:
                    max_tokens: 2
                    tokens_per_fill: 2
                    fill_interval: 20s
                - entries:
                  - key: ID
                    value: b
                  token_bucket:
                    max_tokens: 2
                    tokens_per_fill: 2
                    fill_interval: 20s
                filter_enabled:
                  runtime_key: local_rate_limit_enabled
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
                filter_enforced:
                  runtime_key: local_rate_limit_enforced
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
                response_headers_to_add:
                  - append: false
                    header:
                      key: x-local-rate-limit
                      value: 'true'
                token_bucket:
                  max_tokens: 10
                  tokens_per_fill: 10
                  fill_interval: 20s
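A pre-deploy check for the route-level patch in the post above, as an added example that is not part of the original post or of Istio's tooling. It flags the two mistakes that silently disable or break per-descriptor limits: a descriptor bucket that is not a multiple of the default bucket, and a descriptor key that no rate limit action produces (the match is case-sensitive, `id` vs `ID`). Assumptions: the "multiple" rule from the quoted error is applied to `fill_interval`, and the dict layout plus the names `ROUTE_PATCH`, `to_ms` and `lint` are hypothetical.

```python
import re

# Constructed sample mirroring the HTTP_ROUTE patch in the post (plain dicts, no YAML parser).
ROUTE_PATCH = {
    "rate_limits": [{"actions": [
        {"request_headers": {"header_name": "user-id", "descriptor_key": "ID"}}]}],
    "local_ratelimit": {
        "token_bucket": {"max_tokens": 10, "tokens_per_fill": 10, "fill_interval": "20s"},
        "descriptors": [
            {"entries": [{"key": "ID", "value": v}],
             "token_bucket": {"max_tokens": 2, "tokens_per_fill": 2, "fill_interval": "20s"}}
            for v in ("a", "b")],
    },
}


def to_ms(interval):
    """Convert a protobuf-style duration string such as '20s' or '0.5s' to milliseconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)s", interval)
    if not m:
        raise ValueError(f"unsupported duration: {interval!r}")
    return round(float(m.group(1)) * 1000)


def lint(patch):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    cfg = patch["local_ratelimit"]
    base = to_ms(cfg["token_bucket"]["fill_interval"])
    # Descriptor keys that the route's rate_limits actions can actually emit.
    produced = {a["request_headers"]["descriptor_key"]
                for rl in patch.get("rate_limits", [])
                for a in rl.get("actions", []) if "request_headers" in a}
    for i, desc in enumerate(cfg.get("descriptors", [])):
        ms = to_ms(desc["token_bucket"]["fill_interval"])
        # Assumed reading of the error quoted in the post's config comment.
        if ms % base:
            problems.append(f"descriptor {i}: fill_interval {ms}ms is not a "
                            f"multiple of the default {base}ms")
        for entry in desc["entries"]:
            if entry["key"] not in produced:
                problems.append(f"descriptor {i}: key {entry['key']!r} is not "
                                f"produced by any rate_limits action")
    return problems


if __name__ == "__main__":
    print(lint(ROUTE_PATCH) or "ok")
```

Requests whose `user-id` value matches no descriptor are counted against the default `token_bucket`, so a key mismatch does not fail loudly; every caller just shares the default limit.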