Mansi/rate limiter (#23274)

* intial changes for adding global rate limit

* Adding controller for updating limiter on config-entry update

* code refactoring and writing test cases

* pipeline fix

* reverting changes not required

* testcase fix

* changing config entry type

* adding ConfigEntry.get rpc to default exemption for global rate as for consul k8s its required

* updating return condition when global rate is enabled

* Adding changelog

* Review comment

* Adding consistant alias

* Fixing tests

* Adding nil check

Author: panman90

.changelog/23274.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+Global Rate Limiter: a new "rate-limit" config entry kind that enables dynamic, cluster-wide RPC rate limiting stored in Raft and automatically replicated to all servers. This allows operators to apply or adjust global rate limits at runtime without restarting Consul servers — a critical capability for emergency scenarios where the cluster is under excessive load.
+```

agent/consul/fsm/decode_downgrade.go

@@ -593,6 +593,8 @@ func MakeShadowConfigEntry(kind, name string) (structs.ConfigEntry, error) {
 	switch kind {
 	case structs.RateLimitIPConfig:
 		return nil, ErrDroppingTenantedReq
+	case structs.RateLimit:
+		return &ShadowGlobalRateLimitConfigEntry{GlobalRateLimitConfigEntry: &structs.GlobalRateLimitConfigEntry{Name: name}}, nil
 	case structs.ServiceDefaults:
 		return &ShadowServiceConfigEntry{ServiceConfigEntry: &structs.ServiceConfigEntry{Name: name}}, nil
 	case structs.ProxyDefaults:
@@ -1020,3 +1022,12 @@ type ShadowJWTProviderConfigEntry struct {
 func (s ShadowJWTProviderConfigEntry) GetRealConfigEntry() structs.ConfigEntry {
 	return s.JWTProviderConfigEntry
 }
+
+type ShadowGlobalRateLimitConfigEntry struct {
+	ShadowBase
+	*structs.GlobalRateLimitConfigEntry
+}
+
+func (s ShadowGlobalRateLimitConfigEntry) GetRealConfigEntry() structs.ConfigEntry {
+	return s.GlobalRateLimitConfigEntry
+}

agent/consul/fsm/fsm.go

@@ -433,6 +433,11 @@ func (c *FSM) registerStreamSnapshotHandlers() {
 	}, true)
 	panicIfErr(err)
 
+	err = c.deps.Publisher.RegisterHandler(state.EventTopicGlobalRateLimit, func(req stream.SubscribeRequest, buf stream.SnapshotAppender) (uint64, error) {
+		return c.State().GlobalRateLimiterSnapshot(req, buf)
+	}, true)
+	panicIfErr(err)
+
 	err = c.deps.Publisher.RegisterHandler(state.EventTopicSamenessGroup, func(req stream.SubscribeRequest, buf stream.SnapshotAppender) (uint64, error) {
 		return c.State().SamenessGroupSnapshot(req, buf)
 	}, true)

agent/consul/rate/controller/controller_ratelimiter_ce.go

@@ -0,0 +1,85 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package controller
+
+import (
+	"context"
+
+	"github.com/hashicorp/go-hclog"
+
+	"github.com/hashicorp/consul/agent/consul/controller"
+	"github.com/hashicorp/consul/agent/consul/state"
+	"github.com/hashicorp/consul/agent/consul/stream"
+	"github.com/hashicorp/consul/agent/structs"
+)
+
+//go:generate mockery --name ceReadEntryFunc --inpackage --filename mock_ceReadEntry.go
+type ceReadEntryFunc func(k string, n string) (uint64, structs.ConfigEntry, error)
+
+//go:generate mockery --name ceUpdater --inpackage --filename mock_ceUpdater.go
+type ceUpdater interface {
+	UpdateGlobalRateLimitConfig(cfg *structs.GlobalRateLimitConfigEntry)
+}
+
+type rateLimiterReconciler struct {
+	readEntry  ceReadEntryFunc
+	logger     hclog.Logger
+	controller controller.Controller
+	updater    ceUpdater
+}
+
+func (r rateLimiterReconciler) Reconcile(ctx context.Context, req controller.Request) error {
+	switch req.Kind {
+	case structs.RateLimit:
+		return reconcileEntry(r.readEntry, requestLogger(r.logger, req), ctx, req, r.updater)
+	default:
+		return nil
+	}
+}
+
+func reconcileEntry(readEntry ceReadEntryFunc, logger hclog.Logger, _ context.Context, req controller.Request, updater ceUpdater) error {
+	_, entry, err := readEntry(req.Kind, req.Name)
+	if err != nil {
+		logger.Warn("error fetching config entry for reconciliation request", "error", err)
+		return err
+	}
+
+	// Entry is deleted — reset to empty config
+	if entry == nil {
+		updater.UpdateGlobalRateLimitConfig(nil)
+		return nil
+	}
+
+	// Update with the actual config entry when it exists
+	cfg, ok := entry.(*structs.GlobalRateLimitConfigEntry)
+	if !ok {
+		logger.Error("failed to cast config entry to GlobalRateLimitConfigEntry",
+			"entry_type", entry.GetKind())
+		return nil
+	}
+	updater.UpdateGlobalRateLimitConfig(cfg)
+	return nil
+}
+
+// NewRateLimiterController initializes a controller that reconciles rate limiter config
+func NewRateLimiterController(readEntry ceReadEntryFunc, publisher state.EventPublisher, logger hclog.Logger, updater ceUpdater) controller.Controller {
+	reconciler := &rateLimiterReconciler{
+		readEntry: readEntry,
+		logger:    logger,
+		updater:   updater,
+	}
+	reconciler.controller = controller.New(publisher, reconciler).
+		WithLogger(logger.With("controller", "rateLimiterController"))
+	return reconciler.controller.Subscribe(
+		&stream.SubscribeRequest{
+			Topic:   state.EventTopicGlobalRateLimit,
+			Subject: stream.SubjectWildcard,
+		},
+	)
+}
+
+// requestLogger returns a logger with request-specific fields.
+func requestLogger(logger hclog.Logger, request controller.Request) hclog.Logger {
+	return logger.With("kind", request.Kind, "name", request.Name)
+}

agent/consul/rate/controller/controller_ratelimiter_ce_test.go

@@ -0,0 +1,173 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !consulent
+
+package controller
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/go-hclog"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+
+	"github.com/hashicorp/consul/agent/consul/controller"
+	"github.com/hashicorp/consul/agent/consul/stream"
+	"github.com/hashicorp/consul/agent/structs"
+)
+
+// TestReconcileEntry_Success tests the successful reconciliation of a rate limit entry.
+func TestReconcileEntry_Success(t *testing.T) {
+	logger := hclog.NewNullLogger()
+
+	// Create a sample rate limit config entry
+	cfg := &structs.GlobalRateLimitConfigEntry{
+		Kind: structs.RateLimit,
+		Name: "global",
+	}
+
+	mockReadEntry := NewMockceReadEntryFunc()
+	mockReadEntry.On("Execute", structs.RateLimit, "global").
+		Return(uint64(1), cfg, nil)
+
+	// Mock the updater
+	mockUpdater := NewMockceUpdater()
+	mockUpdater.On("UpdateGlobalRateLimitConfig", cfg).Return()
+
+	req := controller.Request{
+		Kind: structs.RateLimit,
+		Name: "global",
+	}
+
+	// Call reconcileEntry
+	err := reconcileEntry(mockReadEntry.Execute, logger, context.Background(), req, mockUpdater)
+
+	require.NoError(t, err)
+	mockReadEntry.AssertCalled(t, "Execute", structs.RateLimit, "global")
+	mockUpdater.AssertCalled(t, "UpdateGlobalRateLimitConfig", cfg)
+	mockUpdater.AssertNumberOfCalls(t, "UpdateGlobalRateLimitConfig", 1)
+}
+
+// TestReconcileEntry_EntryNotFound tests reconciliation when the config entry is not found.
+func TestReconcileEntry_EntryNotFound(t *testing.T) {
+	logger := hclog.NewNullLogger()
+
+	// Mock the readEntry function returning nil (entry not found)
+	mockReadEntry := NewMockceReadEntryFunc()
+	mockReadEntry.On("Execute", structs.RateLimit, "non-existent").
+		Return(uint64(0), nil, nil)
+
+	// Mock the updater
+	mockUpdater := NewMockceUpdater()
+	mockUpdater.On("UpdateGlobalRateLimitConfig", mock.MatchedBy(func(cfg *structs.GlobalRateLimitConfigEntry) bool {
+		return cfg == nil
+	})).Return()
+
+	req := controller.Request{
+		Kind: structs.RateLimit,
+		Name: "non-existent",
+	}
+
+	// Call reconcileEntry
+	err := reconcileEntry(mockReadEntry.Execute, logger, context.Background(), req, mockUpdater)
+
+	require.NoError(t, err)
+	mockReadEntry.AssertCalled(t, "Execute", structs.RateLimit, "non-existent")
+	mockUpdater.AssertNumberOfCalls(t, "UpdateGlobalRateLimitConfig", 1)
+}
+
+// TestReconcileEntry_ReadError tests reconciliation when reading the config entry fails.
+func TestReconcileEntry_ReadError(t *testing.T) {
+	logger := hclog.NewNullLogger()
+
+	// Mock the readEntry function returning an error
+	expectedErr := errors.New("failed to read from store")
+
+	mockReadEntry := NewMockceReadEntryFunc()
+	mockReadEntry.On("Execute", structs.RateLimit, "global").
+		Return(uint64(0), nil, expectedErr)
+
+	// Mock the updater - should not be called
+	mockUpdater := NewMockceUpdater()
+
+	req := controller.Request{
+		Kind: structs.RateLimit,
+		Name: "global",
+	}
+
+	// Call reconcileEntry
+	err := reconcileEntry(mockReadEntry.Execute, logger, context.Background(), req, mockUpdater)
+
+	require.Error(t, err)
+	require.Equal(t, expectedErr, err)
+	mockReadEntry.AssertCalled(t, "Execute", structs.RateLimit, "global")
+	mockUpdater.AssertNotCalled(t, "UpdateGlobalRateLimitConfig")
+}
+
+// TestReconcileEntry_InvalidCast tests reconciliation when the entry cannot be cast to GlobalRateLimitConfigEntry.
+func TestReconcileEntry_InvalidCast(t *testing.T) {
+	logger := hclog.NewNullLogger()
+
+	// Create a different type of config entry (not GlobalRateLimitConfigEntry)
+	// We can use a simple string to simulate a non-matching type
+	invalidEntry := &structs.ProxyConfigEntry{} // Different config entry type
+
+	mockReadEntry := NewMockceReadEntryFunc()
+	mockReadEntry.On("Execute", structs.RateLimit, "global").
+		Return(uint64(1), invalidEntry, nil)
+
+	// Mock the updater - should not be called when cast fails
+	mockUpdater := NewMockceUpdater()
+
+	req := controller.Request{
+		Kind: structs.RateLimit,
+		Name: "global",
+	}
+
+	// Call reconcileEntry
+	err := reconcileEntry(mockReadEntry.Execute, logger, context.Background(), req, mockUpdater)
+
+	require.NoError(t, err)
+	mockReadEntry.AssertCalled(t, "Execute", structs.RateLimit, "global")
+	mockUpdater.AssertNotCalled(t, "UpdateGlobalRateLimitConfig")
+}
+
+// TestReconcilerReconcile_UnknownKind tests the Reconcile method with an unknown kind (should return nil).
+func TestReconcilerReconcile_UnknownKind(t *testing.T) {
+	mockReadEntry := NewMockceReadEntryFunc()
+	mockUpdater := NewMockceUpdater()
+
+	reconciler := &rateLimiterReconciler{
+		readEntry: mockReadEntry.Execute,
+		logger:    hclog.NewNullLogger(),
+		updater:   mockUpdater,
+	}
+
+	req := controller.Request{
+		Kind: "unknown-kind",
+		Name: "test-config",
+	}
+
+	err := reconciler.Reconcile(context.Background(), req)
+
+	require.NoError(t, err)
+	mockReadEntry.AssertNotCalled(t, "Execute")
+	mockUpdater.AssertNotCalled(t, "UpdateGlobalRateLimitConfig")
+}
+
+// TestNewRateLimiterController_InitializesController tests that NewRateLimiterController properly initializes the controller.
+func TestNewRateLimiterController_InitializesController(t *testing.T) {
+	mockReadEntry := NewMockceReadEntryFunc()
+	publisher := stream.NewEventPublisher(1 * time.Millisecond)
+	logger := hclog.NewNullLogger()
+	mockUpdater := NewMockceUpdater()
+
+	ctrl := NewRateLimiterController(mockReadEntry.Execute, publisher, logger, mockUpdater)
+
+	// Verify that the controller is not nil
+	require.NotNil(t, ctrl)
+}