feat(api): share rate-limit counters across replicas via Redis (ADR-0001) #207

Merged: doughknee merged 1 commit into main from feat/redis-rate-limit on Jun 10, 2026
@doughknee

Owner

Summary

Action item 2 of ADR-0001.

  • Fiber's limiter middleware keeps counters in process memory, so replicas: N gives every IP N× the configured budget (120/min general, 10/5min OAuth)
  • Back both limiters with a fiber.Storage adapter over the existing Redis client (ratelimit: key prefix; the two limiters' key spaces stay disjoint via their KeyGenerators)
  • Fails open on Redis errors: Get reports "no entry", Set/Delete swallow with a rate-limited log. Abuse protection turning a Redis blip into a full API outage would be strictly worse than briefly unmetered traffic

Test plan

  • New tests: counter round-trip with TTL expiry (miniredis FastForward), missing-key semantics, delete, and the load-bearing fail-open-when-Redis-down case
  • go vet + full unit suite pass locally
  • backend-tests green on this PR
  • After merge + deploy: hit a non-exempt endpoint >120×/min, confirm 429 and that ratelimit:* keys appear in Redis

🤖 Generated with Claude Code

…001)

Fiber's limiter middleware kept counters in process memory, so N
replicas would give every IP N times the configured budget. Back both
limiters (general + OAuth) with a fiber.Storage adapter over the
existing Redis client under a ratelimit: key prefix.

Fails open on Redis errors — Get reports "no entry", Set/Delete
swallow with a rate-limited log — because abuse protection erroring
into a full API outage when Redis blips would be strictly worse.

Implements action item 2 of docs/adr/0001-sse-multi-replica.md.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@doughknee doughknee merged commit bd5b456 into main Jun 10, 2026
8 checks passed
@doughknee doughknee deleted the feat/redis-rate-limit branch June 10, 2026 19:34
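
The fail-open storage behaviour described in this PR, as an added example that is not the code merged in #207. The `get`/`set` hooks standing in for the Redis client, the `Dropped` counter, the 10-second log interval and the sample IP are assumptions made here; only the Get/Set half of `fiber.Storage` is shown, and Delete would follow the same pattern as Set.

```go
package main

import (
	"errors"
	"log"
	"sync/atomic"
	"time"
)

// failOpen has fiber.Storage's Get/Set shape; get/set are hypothetical Redis hooks.
type failOpen struct {
	lastLog int64 // UnixNano of the last log line (int64s first for atomic alignment)
	Dropped int64 // swallowed errors: an assumed metric, worth alerting on
	get     func(key string) ([]byte, error)
	set     func(key string, val []byte, ttl time.Duration) error
}

func (s *failOpen) swallow(op string, err error) {
	atomic.AddInt64(&s.Dropped, 1)
	now, last := time.Now().UnixNano(), atomic.LoadInt64(&s.lastLog)
	if now-last >= int64(10*time.Second) && atomic.CompareAndSwapInt64(&s.lastLog, last, now) {
		log.Printf("ratelimit %s failed, failing open: %v", op, err) // at most one line per 10s
	}
}

func (s *failOpen) Get(key string) ([]byte, error) {
	v, err := s.get("ratelimit:" + key)
	if err != nil {
		s.swallow("get", err)
		return nil, nil // "no entry": the limiter starts a fresh window
	}
	return v, nil
}

func (s *failOpen) Set(key string, val []byte, ttl time.Duration) error {
	if err := s.set("ratelimit:"+key, val, ttl); err != nil {
		s.swallow("set", err)
	}
	return nil
}

func main() {
	down := errors.New("connection refused") // constructed outage: every call fails
	s := &failOpen{
		get: func(string) ([]byte, error) { return nil, down },
		set: func(string, []byte, time.Duration) error { return down },
	}
	log.Println(s.Get("203.0.113.7")) // the limiter sees no entry and no error
}
```

While the backend is failing, every request looks like the first of a new window, so the swallowed-error count is the only signal that limits are not being enforced.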
doughknee added a commit that referenced this pull request Jun 10, 2026
…uts (#208)

Implements action items 3 and 5 of docs/adr/0001-sse-multi-replica.md.
Prereqs landed first: sse:ctl:resubscribe control channel (#206) and
Redis-backed rate-limit counters (#207). With those in, no remaining
core-api state assumes a single pod.

- replicas: 2 with maxUnavailable: 0 / maxSurge: 1 so deploys never
  drop below capacity; SSE clients ride through on their 3s retry
- PodDisruptionBudget (minAvailable: 1) so node drains and cluster
  upgrades cannot take the whole API down
- cdc-runbook diagram now shows the per-replica Redis pub/sub fan-out
  and the resubscribe control channel

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>