envoyproxy/gateway

`BackendTrafficPolicy`: emit `Retry-After` header on rate-limit 429 responses

Open

#9.078 geöffnet am 25. Mai 2026

Auf GitHub ansehen
 (4 Kommentare) (2 Reaktionen) (0 zugewiesene Personen)Go (802 Forks)auto 404
help wantedkind/feature

Repository-Metriken

Stars
 (2.871 Stars)
PR-Merge-Metriken
 (PR-Metriken ausstehend)

Beschreibung

Description:

The global rate-limit filter in EG emits the IETF draft-03 triple (x-ratelimit-limit, x-ratelimit-remaining, x-ratelimit-reset) on both 200 and 429 responses, but does not emit Retry-After on the 429.

Retry-After on 429 is the convention defined by RFC 6585 section 4, with the field itself defined by RFC 9110 section 10.2.3 as HTTP-date / delay-seconds. Operators today have to bridge this gap themselves, typically with a Lua filter via EnvoyExtensionPolicy that copies x-ratelimit-reset into Retry-After on 429. The information is already in the filter; only the emission is missing.

Proposal: add a option to BackendTrafficPolicy.spec.rateLimit (and the local rate-limit equivalent) that opts the rule or policy into emitting Retry-After: <delay-seconds> on rate-limited 429 responses, sourced from the same reset value the filter already computes. Sketch:

spec:
  rateLimit:
    type: Global
    global:
      emitRetryAfter: true   # or per-rule, mirroring xRateLimitHeaders
      rules: [ ... ]

The value would be an integer matching the current x-ratelimit-reset semantics: most-restrictive matched rule's seconds-until-reset, clamped to ≥1. Emission is conditional on the 429, not on every response, to match RFC 6585 section 4 semantics.

This works for both the RLS-backed global filter and the local rate-limit filter; the underlying delay value is already computed in both paths.

Relevant Links:

Contributor Guide