Add global rate limiting to prevent rapid deployment churn

Implements global rate limiting using golang.org/x/time/rate.Limiter to
prevent Wave from updating deployments too frequently when secrets or
configmaps change rapidly.

This prevents scenarios where a buggy controller rapidly updating secrets
causes Wave to rapidly update deployments, which can overwhelm the
Kubernetes API server.

Key features:
- Token bucket rate limiting (default: 1 update/sec globally, burst of 10)
- Global rate limiting shared across all deployments/statefulsets/daemonsets
- Configurable via --update-rate and --update-burst flags
- Configurable via Helm chart (updateRate and updateBurst values)
- Stalls operator pipeline via Wait() instead of requeueing
- Thread-safe implementation using rate.Limiter

Technical details:
- Uses standard library golang.org/x/time/rate for token bucket algorithm
- Burst allows initial rapid updates, then enforces steady-state rate
- Infinite rate (math.Inf) disables rate limiting for testing
- All resources share single global rate limiter

Fixes #182

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: toelke

charts/wave/templates/deployment.yaml

@@ -35,6 +35,12 @@ spec:
           {{- if .Values.syncPeriod }}
             - --sync-period={{ .Values.syncPeriod }}
           {{- end }}
+          {{- if .Values.updateRate }}
+            - --update-rate={{ .Values.updateRate }}
+          {{- end }}
+          {{- if .Values.updateBurst }}
+            - --update-burst={{ .Values.updateBurst }}
+          {{- end }}
           {{- if .Values.webhooks.enabled }}
             - --enable-webhooks=true
           {{- end }}

charts/wave/values.yaml

@@ -53,6 +53,14 @@ webhooks:
 # Period for reconciliation
 # syncPeriod: 5m
 
+# Global rate limiting for updates to prevent rapid deployment churn
+# Rate limit is shared across all deployments, statefulsets, and daemonsets
+# updateRate: maximum updates per second globally (default: 1.0 = 1 update per second)
+# updateBurst: maximum burst size (default: 10 = allow 10 immediate updates)
+# Set updateRate to 0 or very high value to disable rate limiting
+updateRate: 1.0
+updateBurst: 10
+
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little

cmd/manager/main.go

@@ -47,6 +47,8 @@ var (
 	leaderElectionID        = flag.String("leader-election-id", "", "Name of the configmap used by the leader election system")
 	leaderElectionNamespace = flag.String("leader-election-namespace", "", "Namespace for the configmap used by the leader election system")
 	syncPeriod              = flag.Duration("sync-period", 10*time.Hour, "Reconcile sync period")
+	updateRate              = flag.Float64("update-rate", core.DefaultUpdateRate, "Global maximum update rate per second (default: 1.0 = 1 update per second)")
+	updateBurst             = flag.Int("update-burst", core.DefaultUpdateBurst, "Global maximum burst size for updates (default: 10 immediate updates allowed)")
 	showVersion             = flag.Bool("version", false, "Show version and exit")
 	enableWebhooks          = flag.Bool("enable-webhooks", false, "Enable webhooks")
 	namespaces              = flag.String("namespaces", "", "Comma-separated list of namespaces to watch. Defaults to all namespaces.")
@@ -109,22 +111,26 @@ func main() {
 
 	// Setup all Controllers
 	setupLog.Info("Setting up controller")
-	if err := controller.AddToManager(mgr); err != nil {
+	controllerConfig := controller.Config{
+		UpdateRate:  *updateRate,
+		UpdateBurst: *updateBurst,
+	}
+	if err := controller.AddToManager(mgr, controllerConfig); err != nil {
 		setupLog.Error(err, "unable to register controllers to the manager")
 		os.Exit(1)
 	}
 	if *enableWebhooks {
-		if err := deployment.AddDeploymentWebhook(mgr); err != nil {
+		if err := deployment.AddDeploymentWebhook(mgr, *updateRate, *updateBurst); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "Deployment")
 			os.Exit(1)
 		}
 
-		if err := statefulset.AddStatefulSetWebhook(mgr); err != nil {
+		if err := statefulset.AddStatefulSetWebhook(mgr, *updateRate, *updateBurst); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "StatefulSet")
 			os.Exit(1)
 		}
 
-		if err := daemonset.AddDaemonSetWebhook(mgr); err != nil {
+		if err := daemonset.AddDaemonSetWebhook(mgr, *updateRate, *updateBurst); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "DaemonSet")
 			os.Exit(1)
 		}

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.27.1
 	github.com/onsi/gomega v1.38.2
 	github.com/prometheus/client_golang v1.22.0
+	golang.org/x/time v0.9.0
 	k8s.io/api v0.34.1
 	k8s.io/apimachinery v0.34.1
 	k8s.io/client-go v0.34.1
@@ -71,7 +72,6 @@ require (
 	golang.org/x/sys v0.37.0 // indirect
 	golang.org/x/term v0.36.0 // indirect
 	golang.org/x/text v0.30.0 // indirect
-	golang.org/x/time v0.9.0 // indirect
 	golang.org/x/tools v0.38.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect

hack/test-update-throttling.sh

@@ -0,0 +1,180 @@
+#!/usr/bin/env bash
+#
+# Test script for Wave's global rate limiting feature.
+#
+# Usage: ./hack/test-update-throttling.sh [kubernetes-version] [update-rate] [update-burst]
+#
+# Arguments:
+#   kubernetes-version: Kubernetes version for minikube (default: v1.21)
+#   update-rate:        Updates per second globally (default: 0.2 = 1 update per 5 seconds)
+#   update-burst:       Maximum burst size (default: 2)
+#
+# Examples:
+#   ./hack/test-update-throttling.sh                    # Use defaults
+#   ./hack/test-update-throttling.sh v1.21 0.5 5       # 0.5 updates/sec, burst of 5
+#   ./hack/test-update-throttling.sh v1.21 1.0 10      # 1 update/sec, burst of 10 (production defaults)
+
+set -eu
+set -o pipefail
+
+helm --help > /dev/null 2>&1 || {
+  echo "helm is not installed"
+  exit 1
+}
+
+kubectl --help > /dev/null 2>&1 || {
+  echo "kubectl is not installed"
+  exit 1
+}
+
+MINIKUBE_ALREADY_RUNNING=0
+kubectl get node minikube >/dev/null 2>&1 && MINIKUBE_ALREADY_RUNNING=1
+
+minikube --help > /dev/null 2>&1 || {
+  echo "minikube is not installed"
+  exit 1
+}
+
+KUBERNETES_VERSION=${1:-v1.21}
+UPDATE_RATE=${2:-0.2}
+UPDATE_BURST=${3:-2}
+
+[ $MINIKUBE_ALREADY_RUNNING  -eq 0 ] && {
+	echo Starting minikube...
+	minikube start --kubernetes-version "$KUBERNETES_VERSION"
+	trap "minikube delete" EXIT
+}
+
+eval $(minikube -p minikube docker-env)
+docker build -f ./Dockerfile -t wave-local:local .
+
+echo Installing wave with updateRate=${UPDATE_RATE} updateBurst=${UPDATE_BURST}...
+helm install wave charts/wave --set image.name=wave-local --set image.tag=local --set updateRate=${UPDATE_RATE} --set updateBurst=${UPDATE_BURST}
+
+while [ "$(kubectl get pods -n default | grep -cE 'wave-wave')" -gt 1 ]; do echo Waiting for \"wave\" to be scheduled; sleep 10; done
+
+while [ "$(kubectl get pods -A | grep -cEv 'Running|Completed')" -gt 1 ]; do echo Waiting for \"cluster\" to start; sleep 10; done
+
+echo Creating test resources...
+kubectl apply -f - <<'EOF'
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: throttle-test
+data:
+  counter: "0"
+  timestamp: "0"
+EOF
+
+kubectl apply -f - <<'EOF'
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: throttle-test
+  annotations:
+    wave.pusher.com/update-on-config-change: "true"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: throttle-test
+  template:
+    metadata:
+      labels:
+        app: throttle-test
+    spec:
+      containers:
+      - name: test
+        image: nixery.dev/shell/bash
+        command:
+          - /bin/bash
+          - -c
+          - |
+            echo "Pod started at $(date +%s)"
+            echo "Counter: $(cat /etc/config/counter)"
+            sleep infinity
+        volumeMounts:
+        - name: config
+          mountPath: /etc/config
+      volumes:
+      - name: config
+        configMap:
+          name: throttle-test
+EOF
+
+echo Waiting for initial deployment to be ready...
+kubectl wait --for=condition=available --timeout=60s deployment/throttle-test
+
+# Get the initial pod name and creation time
+INITIAL_POD=$(kubectl get pods -l app=throttle-test -o jsonpath='{.items[0].metadata.name}')
+INITIAL_CREATION=$(kubectl get pod $INITIAL_POD -o jsonpath='{.metadata.creationTimestamp}')
+echo "Initial pod: $INITIAL_POD created at $INITIAL_CREATION"
+
+# Record start time
+START_TIME=$(date +%s)
+
+echo ""
+echo "Testing update throttling by rapidly updating the ConfigMap..."
+echo "Expected behavior with updateRate=${UPDATE_RATE} updateBurst=${UPDATE_BURST}:"
+echo "  - First ${UPDATE_BURST} updates will happen immediately (burst tokens)"
+echo "  - Subsequent updates will be rate-limited to ${UPDATE_RATE} per second"
+echo ""
+
+# Rapidly update the ConfigMap 10 times
+for i in 1 2 3 4 5 6 7 8 9 10; do
+  echo "Update $i at $(date +%H:%M:%S)"
+  kubectl patch configmap throttle-test --type merge -p "{\"data\":{\"counter\":\"$i\",\"timestamp\":\"$(date +%s)\"}}"
+  sleep 1
+done
+
+echo ""
+echo "Waiting 20 seconds to observe throttling behavior..."
+sleep 20
+
+# Check how many pod restarts/updates occurred
+echo ""
+echo "Checking deployment update history..."
+kubectl get replicasets -l app=throttle-test -o wide
+
+# Get all pods that were created (including terminated ones)
+echo ""
+echo "Checking pod creation times..."
+POD_COUNT=$(kubectl get pods -l app=throttle-test --show-all 2>/dev/null | grep -c throttle-test || kubectl get pods -l app=throttle-test | grep -c throttle-test)
+echo "Total pods created: $POD_COUNT"
+
+# Get the deployment's pod template hash changes
+HASH_CHANGES=$(kubectl get replicasets -l app=throttle-test -o jsonpath='{range .items[*]}{.metadata.creationTimestamp}{"\t"}{.spec.template.spec.containers[0].image}{"\t"}{.spec.replicas}{"\n"}{end}')
+echo ""
+echo "ReplicaSet history (creation time, image, replicas):"
+echo "$HASH_CHANGES"
+
+# Count how many distinct replicasets were created
+RS_COUNT=$(kubectl get replicasets -l app=throttle-test --no-headers | wc -l)
+echo ""
+echo "Number of ReplicaSets created: $RS_COUNT"
+
+# Check wave controller logs for throttling messages
+echo ""
+echo "Wave controller logs (throttling messages):"
+kubectl logs -l app=wave --tail=50 | grep -i "throttl\|delayed" || echo "No throttling messages found in logs"
+
+# Verify throttling worked
+# Calculate expected updates: burst + (rate * time)
+# With rate=0.2, burst=2, and ~30 seconds total time:
+# Expected: 2 (burst) + (0.2 * 30) = 2 + 6 = 8 updates max
+# We'll allow some margin and expect ≤9 to account for timing variations
+echo ""
+echo "=== Test Results ==="
+EXPECTED_MAX=$((UPDATE_BURST + 7))
+if [ "$RS_COUNT" -le "$EXPECTED_MAX" ]; then
+  echo "✓ PASS: Rate limiting is working correctly"
+  echo "  - ConfigMap was updated 10 times rapidly"
+  echo "  - $RS_COUNT deployment updates occurred (expected ≤${EXPECTED_MAX} with rate=${UPDATE_RATE}/sec, burst=${UPDATE_BURST})"
+  echo "  - Burst allowed ${UPDATE_BURST} immediate updates, then rate-limited to ${UPDATE_RATE} per second"
+  exit 0
+else
+  echo "✗ FAIL: Rate limiting may not be working correctly"
+  echo "  - ConfigMap was updated 10 times rapidly"
+  echo "  - $RS_COUNT deployment updates occurred (expected ≤${EXPECTED_MAX} with rate=${UPDATE_RATE}/sec, burst=${UPDATE_BURST})"
+  exit 1
+fi

pkg/controller/add_daemonset.go

@@ -18,9 +18,12 @@ package controller
 
 import (
 	"github.com/wave-k8s/wave/pkg/controller/daemonset"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
 func init() {
 	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
-	AddToManagerFuncs = append(AddToManagerFuncs, daemonset.Add)
+	AddToManagerFuncs = append(AddToManagerFuncs, func(mgr manager.Manager, cfg Config) error {
+		return daemonset.Add(mgr, cfg.UpdateRate, cfg.UpdateBurst)
+	})
 }

pkg/controller/add_deployment.go

@@ -18,9 +18,12 @@ package controller
 
 import (
 	"github.com/wave-k8s/wave/pkg/controller/deployment"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
 func init() {
 	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
-	AddToManagerFuncs = append(AddToManagerFuncs, deployment.Add)
+	AddToManagerFuncs = append(AddToManagerFuncs, func(mgr manager.Manager, cfg Config) error {
+		return deployment.Add(mgr, cfg.UpdateRate, cfg.UpdateBurst)
+	})
 }

pkg/controller/add_statefulset.go

@@ -18,9 +18,12 @@ package controller
 
 import (
 	"github.com/wave-k8s/wave/pkg/controller/statefulset"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
 func init() {
 	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
-	AddToManagerFuncs = append(AddToManagerFuncs, statefulset.Add)
+	AddToManagerFuncs = append(AddToManagerFuncs, func(mgr manager.Manager, cfg Config) error {
+		return statefulset.Add(mgr, cfg.UpdateRate, cfg.UpdateBurst)
+	})
 }

pkg/controller/controller.go

@@ -20,13 +20,19 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
+// Config holds configuration options for controllers
+type Config struct {
+	UpdateRate  float64 // updates per second
+	UpdateBurst int     // maximum burst size
+}
+
 // AddToManagerFuncs is a list of functions to add all Controllers to the Manager
-var AddToManagerFuncs []func(manager.Manager) error
+var AddToManagerFuncs []func(manager.Manager, Config) error
 
-// AddToManager adds all Controllers to the Manager
-func AddToManager(m manager.Manager) error {
+// AddToManager adds all Controllers to the Manager with the given configuration
+func AddToManager(m manager.Manager, cfg Config) error {
 	for _, f := range AddToManagerFuncs {
-		if err := f(m); err != nil {
+		if err := f(m, cfg); err != nil {
 			return err
 		}
 	}

pkg/controller/daemonset/daemonset_controller.go

@@ -33,16 +33,16 @@ import (
 
 // Add creates a new DaemonSet Controller and adds it to the Manager with default RBAC. The Manager will set fields on the Controller
 // and Start it when the Manager is Started.
-func Add(mgr manager.Manager) error {
-	r := newReconciler(mgr)
+func Add(mgr manager.Manager, updateRate float64, updateBurst int) error {
+	r := newReconciler(mgr, updateRate, updateBurst)
 	return add(mgr, r, r.handler)
 }
 
 // newReconciler returns a new reconcile.Reconciler
-func newReconciler(mgr manager.Manager) *ReconcileDaemonSet {
+func newReconciler(mgr manager.Manager, updateRate float64, updateBurst int) *ReconcileDaemonSet {
 	return &ReconcileDaemonSet{
 		scheme:  mgr.GetScheme(),
-		handler: core.NewHandler[*appsv1.DaemonSet](mgr.GetClient(), mgr.GetEventRecorderFor("wave")),
+		handler: core.NewHandler[*appsv1.DaemonSet](mgr.GetClient(), mgr.GetEventRecorderFor("wave"), updateRate, updateBurst),
 	}
 }