Tiered Rate limit group maps #7390

Merged
merged 10 commits into from
Feb 24, 2025
pdabelf5
Collaborator

@pdabelf5 pdabelf5 commented Feb 20, 2025

Proposed changes

Generate NGINX maps to tie the JWT claim to the ratelimit zone key.

This change adds two maps: one for each tiered rate, aka the policy map (this map sets the rate limit zone key variable); the other map, aka the JWT claim map, sets the source variable of the policy map based on the content of the JWT claim.
It also follows the existing rate limit design: when the same policy is applied within the same VirtualServer, they share the rate limit zone.

Given Policies:

apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: rate-limit-jwt-premium
spec:
  rateLimit:
    rate: 100r/s
    key: ${jwt_claim_sub}
    zoneSize: 10M
    condition:
      jwt:
        claim: user_details.level
        match: Premium
---
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: rate-limit-jwt-basic
spec:
  rateLimit:
    rate: 10r/s
    key: ${jwt_claim_sub}
    zoneSize: 10M
    condition:
      jwt:
        claim: user_details.level
        match: Basic
      default: true

Applied on VirtualServer:

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: cafe
spec:
  host: cafe.example.com
  tls:
    secret: cafe-secret
  upstreams:
  - name: backend
    service: backend-svc
    port: 80
  policies:
  - name: rate-limit-jwt-premium
  - name: rate-limit-jwt-basic
  routes:
  - path: /
    action:
      pass: backend

A JWT of:

{
  "user_details": {
    "level": "Premium"
  },
  "sub": "client5"
}

Will result in:

auth_jwt_claim_set $jwt_default_cafe_user_details_level user_details level;
map $jwt_default_cafe_user_details_level $rl_default_cafe_group_user_details_level {
    Basic rl_default_cafe_match_basic;
    default rl_default_cafe_match_basic;
    Premium rl_default_cafe_match_premium;
}
map $rl_default_cafe_group_user_details_level $pol_rl_default_rate_limit_jwt_premium_default_cafe {
    default '';
    rl_default_cafe_match_premium Val${jwt_claim_sub};
}
map $rl_default_cafe_group_user_details_level $pol_rl_default_rate_limit_jwt_basic_default_cafe {
    default '';
    rl_default_cafe_match_basic Val${jwt_claim_sub};
}
limit_req_zone $pol_rl_default_rate_limit_jwt_premium_default_cafe zone=pol_rl_default_rate-limit-jwt-premium_default_cafe:10M rate=30r/s;
limit_req_zone $pol_rl_default_rate_limit_jwt_basic_default_cafe zone=pol_rl_default_rate-limit-jwt-basic_default_cafe:10M rate=1r/s;

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@pdabelf5 pdabelf5 requested a review from a team as a code owner February 20, 2025 14:51
@github-actions github-actions bot added enhancement Pull requests for new features/feature enhancements go Pull requests that update Go code labels Feb 20, 2025
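
An added sketch, not code from this PR or from the controller, that models how the two generated maps in the description resolve a claim value into per-zone keys. The type and function names are hypothetical; the group and key strings follow the generated config shown above. It also covers the case that `default: true` guards against: an NGINX map with no default entry yields an empty string, and `limit_req` does not account requests whose key is empty.

```go
package main

import (
	"fmt"
	"strings"
)

// Tier mirrors one rateLimit Policy from the description (hypothetical type).
type Tier struct {
	Policy, Match string // Policy name and the user_details.level value it matches
	Default       bool   // condition.default
}

func group(match string) string { return "rl_default_cafe_match_" + strings.ToLower(match) }

// groupValue models the JWT claim map: claim value -> group name. NGINX map
// strings match case-insensitively; with no default the result is "".
func groupValue(tiers []Tier, claim string) string {
	def := ""
	for _, t := range tiers {
		if strings.EqualFold(t.Match, claim) {
			return group(t.Match)
		}
		if t.Default {
			def = group(t.Match)
		}
	}
	return def
}

// ZoneKeys models the per-policy maps: only the selected tier's zone gets a
// non-empty key ("Val" + sub); an empty key means that zone skips the request.
func ZoneKeys(tiers []Tier, claim, sub string) map[string]string {
	g := groupValue(tiers, claim)
	keys := make(map[string]string, len(tiers))
	for _, t := range tiers {
		keys[t.Policy] = ""
		if g != "" && g == group(t.Match) {
			keys[t.Policy] = "Val" + sub
		}
	}
	return keys
}

func main() {
	tiers := []Tier{{"rate-limit-jwt-premium", "Premium", false}, {"rate-limit-jwt-basic", "Basic", true}}
	fmt.Println(ZoneKeys(tiers, "Gold", "client5")) // constructed input: a claim value no tier matches
}
```

With the Basic tier marked as default, a token carrying an unknown or missing level is counted in the Basic zone; without any default tier, every key is empty and the request is not counted by either zone.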

codecov bot commented Feb 20, 2025

Codecov Report

Attention: Patch coverage is 85.97561% with 23 lines in your changes missing coverage. Please review.

Project coverage is 53.08%. Comparing base (dc64fb4) to head (fe4011d).
Report is 3 commits behind head on main.

Files with missing lines | Patch % | Lines
internal/configs/version2/http.go | 0.00% | 20 Missing ⚠️
internal/configs/virtualserver.go | 97.91% | 2 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7390      +/-   ##
==========================================
+ Coverage   52.82%   53.08%   +0.26%     
==========================================
  Files          89       89              
  Lines       20922    21074     +152     
==========================================
+ Hits        11052    11188     +136     
- Misses       9407     9421      +14     
- Partials      463      465       +2     


@pdabelf5 pdabelf5 force-pushed the feat/rate-limit-group-maps-v2 branch from ec3c759 to a0012db Compare February 20, 2025 15:52
@pdabelf5 pdabelf5 merged commit f3c7308 into main Feb 24, 2025
30 checks passed
@pdabelf5 pdabelf5 deleted the feat/rate-limit-group-maps-v2 branch February 24, 2025 11:10
6 participants