Add rate limiting CRD types and token-bucket package (#4577)

* Add rate limiting types to MCPServerSpec

Add RateLimitConfig, RateLimitBucket, and ToolRateLimitConfig CRD types
to support configurable token-bucket rate limiting on MCPServer. The
rateLimiting field accepts shared and per-tool bucket configs with
maxTokens and refillPeriod (metav1.Duration) parameters.

"Shared" denotes a bucket shared across all users, distinguishing it
from future per-user buckets (#4550).

CEL validation ensures:
- At least one of shared or tools is configured
- Redis session storage is required when rateLimiting is set

ToolRateLimitConfig.Shared is required since a tool entry without a
bucket is meaningless. Tools uses +listType=map with +listMapKey=name
to reject duplicate tool names at admission.

Part of #4551

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add token-bucket rate limiter package with tests

Introduce pkg/ratelimit/ with a public Limiter interface and internal
token bucket implementation backed by a Redis Lua script.

Public API surface is minimal:
- Limiter interface with Allow(ctx, toolName, userID)
- Decision result type with Allowed and RetryAfter
- NewLimiter constructor accepting CRD types directly

Internal (pkg/ratelimit/internal/bucket/):
- Atomic multi-key Lua script that checks all buckets before consuming
  from any, preventing rejected per-tool calls from draining the
  server-level budget
- Uses Redis TIME for clock consistency and miniredis testability
- Guards against negative elapsed time from clock drift
- Key format and derivation fully encapsulated in the internal package

Tests cover all acceptance criteria for global rate limits:
- AC3: requests exceeding maxTokens are rejected
- AC4: Retry-After computed from the bucket refill rate
- AC5: per-tool limit on one tool does not affect other tools
- AC6: request must pass both server-level and per-tool limits
- Atomic multi-bucket: tool rejection does not drain server budget
- Redis unavailability returns error (fail-open is caller's job)
- No-op limiter when config is nil

Part of #4551

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jerm-dro

cmd/thv-operator/api/v1alpha1/mcpserver_types.go

@@ -154,6 +154,7 @@ const SessionStorageProviderRedis = "redis"
 //
 // +kubebuilder:validation:XValidation:rule="!(has(self.oidcConfig) && has(self.oidcConfigRef))",message="oidcConfig and oidcConfigRef are mutually exclusive; use oidcConfigRef to reference a shared MCPOIDCConfig"
 // +kubebuilder:validation:XValidation:rule="!(has(self.telemetry) && has(self.telemetryConfigRef))",message="telemetry and telemetryConfigRef are mutually exclusive; migrate to telemetryConfigRef"
+// +kubebuilder:validation:XValidation:rule="!has(self.rateLimiting) || (has(self.sessionStorage) && self.sessionStorage.provider == 'redis')",message="rateLimiting requires sessionStorage with provider 'redis'"
 //
 //nolint:lll // CEL validation rules exceed line length limit
 type MCPServerSpec struct {
@@ -331,6 +332,11 @@ type MCPServerSpec struct {
 	// When nil, no session storage is configured.
 	// +optional
 	SessionStorage *SessionStorageConfig `json:"sessionStorage,omitempty"`
+
+	// RateLimiting defines rate limiting configuration for the MCP server.
+	// Requires Redis session storage to be configured for distributed rate limiting.
+	// +optional
+	RateLimiting *RateLimitConfig `json:"rateLimiting,omitempty"`
 }
 
 // ResourceOverrides defines overrides for annotations and labels on created resources
@@ -481,6 +487,54 @@ type SessionStorageConfig struct {
 	PasswordRef *SecretKeyRef `json:"passwordRef,omitempty"`
 }
 
+// RateLimitConfig defines rate limiting configuration for an MCP server.
+// At least one of shared or tools must be configured.
+//
+// +kubebuilder:validation:XValidation:rule="has(self.shared) || (has(self.tools) && size(self.tools) > 0)",message="at least one of shared or tools must be configured"
+//
+//nolint:lll // CEL validation rules exceed line length limit
+type RateLimitConfig struct {
+	// Shared defines a token bucket shared across all users for the entire server.
+	// +optional
+	Shared *RateLimitBucket `json:"shared,omitempty"`
+
+	// Tools defines per-tool rate limit overrides.
+	// Each entry applies additional rate limits to calls targeting a specific tool name.
+	// A request must pass both the server-level limit and the per-tool limit.
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	Tools []ToolRateLimitConfig `json:"tools,omitempty"`
+}
+
+// RateLimitBucket defines a token bucket configuration.
+type RateLimitBucket struct {
+	// MaxTokens is the maximum number of tokens (bucket capacity).
+	// This is also the burst size: the maximum number of requests that can be served
+	// instantaneously before the bucket is depleted.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Minimum=1
+	MaxTokens int32 `json:"maxTokens"`
+
+	// RefillPeriod is the duration to fully refill the bucket from zero to maxTokens.
+	// The effective refill rate is maxTokens / refillPeriod tokens per second.
+	// Format: Go duration string (e.g., "1m0s", "30s", "1h0m0s").
+	// +kubebuilder:validation:Required
+	RefillPeriod metav1.Duration `json:"refillPeriod"`
+}
+
+// ToolRateLimitConfig defines rate limits for a specific tool.
+type ToolRateLimitConfig struct {
+	// Name is the MCP tool name this limit applies to.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+
+	// Shared defines a token bucket shared across all users for this specific tool.
+	// +kubebuilder:validation:Required
+	Shared *RateLimitBucket `json:"shared"`
+}
+
 // Permission profile types
 const (
 	// PermissionProfileTypeBuiltin is the type for built-in permission profiles

cmd/thv-operator/api/v1alpha1/mcpserver_types_test.go

@@ -6,9 +6,11 @@ package v1alpha1
 import (
 	"encoding/json"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func TestSessionStorageConfigJSONRoundtrip(t *testing.T) {
@@ -65,6 +67,55 @@ func TestSessionStorageConfigJSONRoundtrip(t *testing.T) {
 	}
 }
 
+func TestRateLimitConfigJSONRoundtrip(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		input    RateLimitConfig
+		wantJSON string
+	}{
+		{
+			name: "shared only",
+			input: RateLimitConfig{
+				Shared: &RateLimitBucket{MaxTokens: 100, RefillPeriod: metav1.Duration{Duration: time.Minute}},
+			},
+			wantJSON: `{"shared":{"maxTokens":100,"refillPeriod":"1m0s"}}`,
+		},
+		{
+			name: "tools only",
+			input: RateLimitConfig{
+				Tools: []ToolRateLimitConfig{
+					{Name: "search", Shared: &RateLimitBucket{MaxTokens: 5, RefillPeriod: metav1.Duration{Duration: 10 * time.Second}}},
+				},
+			},
+			wantJSON: `{"tools":[{"name":"search","shared":{"maxTokens":5,"refillPeriod":"10s"}}]}`,
+		},
+		{
+			name: "shared with tools",
+			input: RateLimitConfig{
+				Shared: &RateLimitBucket{MaxTokens: 100, RefillPeriod: metav1.Duration{Duration: time.Minute}},
+				Tools: []ToolRateLimitConfig{
+					{
+						Name:   "search",
+						Shared: &RateLimitBucket{MaxTokens: 5, RefillPeriod: metav1.Duration{Duration: 10 * time.Second}},
+					},
+				},
+			},
+			wantJSON: `{"shared":{"maxTokens":100,"refillPeriod":"1m0s"},"tools":[{"name":"search","shared":{"maxTokens":5,"refillPeriod":"10s"}}]}`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			b, err := json.Marshal(tc.input)
+			require.NoError(t, err)
+			assert.JSONEq(t, tc.wantJSON, string(b))
+		})
+	}
+}
+
 func TestMCPServerSpecScalingFieldsJSONRoundtrip(t *testing.T) {
 	t.Parallel()
 
@@ -80,7 +131,7 @@ func TestMCPServerSpecScalingFieldsJSONRoundtrip(t *testing.T) {
 		{
 			name:       "nil replicas are omitted",
 			spec:       MCPServerSpec{Image: "example/mcp:latest"},
-			wantAbsent: []string{`"replicas"`, `"backendReplicas"`, `"sessionStorage"`},
+			wantAbsent: []string{`"replicas"`, `"backendReplicas"`, `"sessionStorage"`, `"rateLimiting"`},
 		},
 		{
 			name: "set replicas are serialized",
@@ -102,6 +153,16 @@ func TestMCPServerSpecScalingFieldsJSONRoundtrip(t *testing.T) {
 			},
 			wantKeys: []string{`"sessionStorage"`, `"provider":"redis"`},
 		},
+		{
+			name: "rateLimiting is serialized when set",
+			spec: MCPServerSpec{
+				Image: "example/mcp:latest",
+				RateLimiting: &RateLimitConfig{
+					Shared: &RateLimitBucket{MaxTokens: 100, RefillPeriod: metav1.Duration{Duration: time.Minute}},
+				},
+			},
+			wantKeys: []string{`"rateLimiting"`, `"maxTokens":100`, `"refillPeriod":"1m0s"`},
+		},
 	}
 
 	for _, tc := range tests {

cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -497,6 +497,82 @@ spec:
                 maximum: 65535
                 minimum: 1
                 type: integer
+              rateLimiting:
+                description: |-
+                  RateLimiting defines rate limiting configuration for the MCP server.
+                  Requires Redis session storage to be configured for distributed rate limiting.
+                properties:
+                  shared:
+                    description: Shared defines a token bucket shared across all users
+                      for the entire server.
+                    properties:
+                      maxTokens:
+                        description: |-
+                          MaxTokens is the maximum number of tokens (bucket capacity).
+                          This is also the burst size: the maximum number of requests that can be served
+                          instantaneously before the bucket is depleted.
+                        format: int32
+                        minimum: 1
+                        type: integer
+                      refillPeriod:
+                        description: |-
+                          RefillPeriod is the duration to fully refill the bucket from zero to maxTokens.
+                          The effective refill rate is maxTokens / refillPeriod tokens per second.
+                          Format: Go duration string (e.g., "1m0s", "30s", "1h0m0s").
+                        type: string
+                    required:
+                    - maxTokens
+                    - refillPeriod
+                    type: object
+                  tools:
+                    description: |-
+                      Tools defines per-tool rate limit overrides.
+                      Each entry applies additional rate limits to calls targeting a specific tool name.
+                      A request must pass both the server-level limit and the per-tool limit.
+                    items:
+                      description: ToolRateLimitConfig defines rate limits for a specific
+                        tool.
+                      properties:
+                        name:
+                          description: Name is the MCP tool name this limit applies
+                            to.
+                          minLength: 1
+                          type: string
+                        shared:
+                          description: Shared defines a token bucket shared across
+                            all users for this specific tool.
+                          properties:
+                            maxTokens:
+                              description: |-
+                                MaxTokens is the maximum number of tokens (bucket capacity).
+                                This is also the burst size: the maximum number of requests that can be served
+                                instantaneously before the bucket is depleted.
+                              format: int32
+                              minimum: 1
+                              type: integer
+                            refillPeriod:
+                              description: |-
+                                RefillPeriod is the duration to fully refill the bucket from zero to maxTokens.
+                                The effective refill rate is maxTokens / refillPeriod tokens per second.
+                                Format: Go duration string (e.g., "1m0s", "30s", "1h0m0s").
+                              type: string
+                          required:
+                          - maxTokens
+                          - refillPeriod
+                          type: object
+                      required:
+                      - name
+                      - shared
+                      type: object
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    x-kubernetes-list-type: map
+                type: object
+                x-kubernetes-validations:
+                - message: at least one of shared or tools must be configured
+                  rule: has(self.shared) || (has(self.tools) && size(self.tools) >
+                    0)
               replicas:
                 description: |-
                   Replicas is the desired number of proxy runner (thv run) pod replicas.
@@ -886,6 +962,9 @@ spec:
             - message: telemetry and telemetryConfigRef are mutually exclusive; migrate
                 to telemetryConfigRef
               rule: '!(has(self.telemetry) && has(self.telemetryConfigRef))'
+            - message: rateLimiting requires sessionStorage with provider 'redis'
+              rule: '!has(self.rateLimiting) || (has(self.sessionStorage) && self.sessionStorage.provider
+                == ''redis'')'
           status:
             description: MCPServerStatus defines the observed state of MCPServer
             properties: