chore(gateway): Add logs RateLimiter for Gateway

api/gateway/v1alpha1/gateway_types.go

@@ -78,6 +78,19 @@ type GatewayBGPNeighbor struct {
 type GatewayLogs struct {
 	Default GatewayLogLevel            `json:"default,omitempty"`
 	Tags    map[string]GatewayLogLevel `json:"tags,omitempty"`
+	// RateLimit optionally throttles repeated log messages using a token
+	// bucket. When unset, log output is not rate limited.
+	RateLimit *GatewayLogRateLimit `json:"rateLimit,omitempty"`
+}
+
+// GatewayLogRateLimit configures the token-bucket rate limiter applied to log
+// output. Both fields must be greater than zero when the limiter is set.
+type GatewayLogRateLimit struct {
+	// Burst is the maximum number of log messages allowed in a burst, i.e. the
+	// token bucket capacity
+	Burst uint32 `json:"burst,omitempty"`
+	// ReplenishPerSecond is the number of tokens (messages) replenished per second
+	ReplenishPerSecond uint32 `json:"replenishPerSecond,omitempty"`
 }
 
 type GatewayLogLevel string
@@ -185,6 +198,15 @@ func (gw *Gateway) Validate(ctx context.Context, kube kclient.Reader, fabricCfg
 		return fmt.Errorf("workers should be between 1 and 64: %w", ErrInvalidGW)
 	}
 
+	if rl := gw.Spec.Logs.RateLimit; rl != nil {
+		if rl.Burst == 0 {
+			return fmt.Errorf("log rate limit burst must be greater than 0: %w", ErrInvalidGW)
+		}
+		if rl.ReplenishPerSecond == 0 {
+			return fmt.Errorf("log rate limit replenishPerSecond must be greater than 0: %w", ErrInvalidGW)
+		}
+	}
+
 	protoIP, err := netip.ParsePrefix(gw.Spec.ProtocolIP)
 	if err != nil {
 		return fmt.Errorf("invalid ProtocolIP %s: %w", gw.Spec.ProtocolIP, errors.Join(err, ErrInvalidGW))

api/gateway/v1alpha1/gateway_types_test.go

@@ -277,6 +277,29 @@ func TestGatewayValidate(t *testing.T) {
 			objs: base,
 			err:  v1alpha1.ErrInvalidGW,
 		},
+		{
+			name: "test-log-rate-limit-valid",
+			gw: *gwa("gw-1", func(gw *v1alpha1.Gateway) {
+				gw.Spec.Logs.RateLimit = &v1alpha1.GatewayLogRateLimit{Burst: 50, ReplenishPerSecond: 5}
+			}),
+			objs: base,
+		},
+		{
+			name: "test-log-rate-limit-zero-burst",
+			gw: *gwa("gw-1", func(gw *v1alpha1.Gateway) {
+				gw.Spec.Logs.RateLimit = &v1alpha1.GatewayLogRateLimit{Burst: 0, ReplenishPerSecond: 5}
+			}),
+			objs: base,
+			err:  v1alpha1.ErrInvalidGW,
+		},
+		{
+			name: "test-log-rate-limit-zero-replenish",
+			gw: *gwa("gw-1", func(gw *v1alpha1.Gateway) {
+				gw.Spec.Logs.RateLimit = &v1alpha1.GatewayLogRateLimit{Burst: 50, ReplenishPerSecond: 0}
+			}),
+			objs: base,
+			err:  v1alpha1.ErrInvalidGW,
+		},
 	}
 
 	scheme := runtime.NewScheme()

config/crd/bases/gateway.githedgehog.com_gateways.yaml

@@ -113,6 +113,23 @@ spec:
                 properties:
                   default:
                     type: string
+                  rateLimit:
+                    description: |-
+                      RateLimit optionally throttles repeated log messages using a token
+                      bucket. When unset, log output is not rate limited.
+                    properties:
+                      burst:
+                        description: |-
+                          Burst is the maximum number of log messages allowed in a burst, i.e. the
+                          token bucket capacity
+                        format: int32
+                        type: integer
+                      replenishPerSecond:
+                        description: ReplenishPerSecond is the number of tokens (messages)
+                          replenished per second
+                        format: int32
+                        type: integer
+                    type: object
                   tags:
                     additionalProperties:
                       type: string

config/crd/bases/gwint.githedgehog.com_gatewayagents.yaml

@@ -141,6 +141,23 @@ spec:
                     properties:
                       default:
                         type: string
+                      rateLimit:
+                        description: |-
+                          RateLimit optionally throttles repeated log messages using a token
+                          bucket. When unset, log output is not rate limited.
+                        properties:
+                          burst:
+                            description: |-
+                              Burst is the maximum number of log messages allowed in a burst, i.e. the
+                              token bucket capacity
+                            format: int32
+                            type: integer
+                          replenishPerSecond:
+                            description: ReplenishPerSecond is the number of tokens
+                              (messages) replenished per second
+                            format: int32
+                            type: integer
+                        type: object
                       tags:
                         additionalProperties:
                           type: string

docs/api.md

@@ -991,6 +991,24 @@ _Appears in:_
 | `trace` |  |
 
 
+#### GatewayLogRateLimit
+
+
+
+GatewayLogRateLimit configures the token-bucket rate limiter applied to log
+output. Both fields must be greater than zero when the limiter is set.
+
+
+
+_Appears in:_
+- [GatewayLogs](#gatewaylogs)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `burst` _integer_ | Burst is the maximum number of log messages allowed in a burst, i.e. the<br />token bucket capacity |  |  |
+| `replenishPerSecond` _integer_ | ReplenishPerSecond is the number of tokens (messages) replenished per second |  |  |
+
+
 #### GatewayLogs
 
 
@@ -1006,6 +1024,7 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `default` _[GatewayLogLevel](#gatewayloglevel)_ |  |  |  |
 | `tags` _object (keys:string, values:[GatewayLogLevel](#gatewayloglevel))_ |  |  |  |
+| `rateLimit` _[GatewayLogRateLimit](#gatewaylogratelimit)_ | RateLimit optionally throttles repeated log messages using a token<br />bucket. When unset, log output is not rate limited. |  |  |
 
 
 #### GatewayPeering