add CRE settings for gateway relay rate limits

nadahalli · nadahalli · commit a1ee74b2d372 · 2026-04-01T13:29:04.000+02:00
diff --git a/pkg/settings/cresettings/README.md b/pkg/settings/cresettings/README.md
@@ -42,6 +42,8 @@ flowchart
 %%      DON nodes → gateway (separate from the inbound trigger flow)
         GatewayHTTPGlobalRate[\GatewayHTTPGlobalRate/]:::rate
         GatewayHTTPPerNodeRate[\GatewayHTTPPerNodeRate/]:::rate
+        GatewayConfidentialRelayGlobalRate[\GatewayConfidentialRelayGlobalRate/]:::rate
+        GatewayConfidentialRelayPerNodeRate[\GatewayConfidentialRelayPerNodeRate/]:::rate
     end
 %%    WorkflowLimit - Deprecated
 %%    TODO unused
diff --git a/pkg/settings/cresettings/defaults.json b/pkg/settings/cresettings/defaults.json
@@ -5,6 +5,8 @@
 	"GatewayVaultManagementEnabled": "true",
 	"GatewayHTTPGlobalRate": "500rps:500",
 	"GatewayHTTPPerNodeRate": "100rps:100",
+	"GatewayConfidentialRelayGlobalRate": "50rps:10",
+	"GatewayConfidentialRelayPerNodeRate": "10rps:10",
 	"TriggerRegistrationStatusUpdateTimeout": "0s",
 	"VaultCiphertextSizeLimit": "2kb",
 	"VaultShareSizeLimit": "600b",
diff --git a/pkg/settings/cresettings/defaults.toml b/pkg/settings/cresettings/defaults.toml
@@ -4,6 +4,8 @@ GatewayIncomingPayloadSizeLimit = '1mb'
 GatewayVaultManagementEnabled = 'true'
 GatewayHTTPGlobalRate = '500rps:500'
 GatewayHTTPPerNodeRate = '100rps:100'
+GatewayConfidentialRelayGlobalRate = '50rps:10'
+GatewayConfidentialRelayPerNodeRate = '10rps:10'
 TriggerRegistrationStatusUpdateTimeout = '0s'
 VaultCiphertextSizeLimit = '2kb'
 VaultShareSizeLimit = '600b'
diff --git a/pkg/settings/cresettings/settings.go b/pkg/settings/cresettings/settings.go
@@ -58,6 +58,8 @@ var Default = Schema{
 	GatewayVaultManagementEnabled:          Bool(true),
 	GatewayHTTPGlobalRate:                  Rate(rate.Limit(500), 500),
 	GatewayHTTPPerNodeRate:                 Rate(rate.Limit(100), 100),
+	GatewayConfidentialRelayGlobalRate:     Rate(rate.Limit(50), 10),
+	GatewayConfidentialRelayPerNodeRate:    Rate(rate.Limit(10), 10),
 	TriggerRegistrationStatusUpdateTimeout: Duration(0 * time.Second),
 	// DANGER(cedric): Be extremely careful changing these vault limits as they act as a default value
 	// used by the Vault OCR plugin -- changing these values could cause issues with the plugin during an image
@@ -215,6 +217,8 @@ type Schema struct {
 	GatewayVaultManagementEnabled          Setting[bool]
 	GatewayHTTPGlobalRate                  Setting[config.Rate]
 	GatewayHTTPPerNodeRate                 Setting[config.Rate]
+	GatewayConfidentialRelayGlobalRate     Setting[config.Rate]
+	GatewayConfidentialRelayPerNodeRate    Setting[config.Rate]
 	TriggerRegistrationStatusUpdateTimeout Setting[time.Duration]
 
 	VaultCiphertextSizeLimit          Setting[config.Size]
diff --git a/pkg/settings/cresettings/settings_test.go b/pkg/settings/cresettings/settings_test.go
@@ -71,6 +71,8 @@ func TestSchema_Unmarshal(t *testing.T) {
 	"GatewayUnauthenticatedRequestRateLimitPerIP": "1rps:100",
 	"GatewayIncomingPayloadSizeLimit": "14kb",
     "GatewayVaultManagementEnabled": "true",
+	"GatewayConfidentialRelayGlobalRate": "20rps:7",
+	"GatewayConfidentialRelayPerNodeRate": "4rps:2",
 	"PerOrg": {
 		"ZeroBalancePruningTimeout": "48h"
 	},
@@ -122,6 +124,8 @@ func TestSchema_Unmarshal(t *testing.T) {
 	assert.Equal(t, 500, cfg.WorkflowLimit.DefaultValue)
 	assert.Equal(t, 14*config.KByte, cfg.GatewayIncomingPayloadSizeLimit.DefaultValue)
 	assert.Equal(t, true, cfg.GatewayVaultManagementEnabled.DefaultValue)
+	assert.Equal(t, config.Rate{Limit: rate.Limit(20), Burst: 7}, cfg.GatewayConfidentialRelayGlobalRate.DefaultValue)
+	assert.Equal(t, config.Rate{Limit: rate.Limit(4), Burst: 2}, cfg.GatewayConfidentialRelayPerNodeRate.DefaultValue)
 	assert.Equal(t, 48*time.Hour, cfg.PerOrg.ZeroBalancePruningTimeout.DefaultValue)
 	assert.Equal(t, 99, cfg.PerOwner.WorkflowExecutionConcurrencyLimit.DefaultValue)
 	assert.Equal(t, 250*config.MByte, cfg.PerWorkflow.WASMMemoryLimit.DefaultValue)
