feat: inject backend quota rate limit filter for QuotaPolicy

[yuzisun]

Description
This is the first step for quota aware routing by injecting the backend quota rate limit filter when there is QuotaPolicy attached to the AIServiceBackend specified in the upstream cluster.

End-to-End Data Flow

User creates QuotaPolicy CR
↓
QuotaPolicy Controller reconciles
↓ translator.BuildRateLimitConfigs()
RateLimitConfig protobuf built (descriptor tree)
↓ runner.UpdateConfigs()
xDS snapshot pushed to rate limit service via gRPC
↓
Extension Server injects filter + actions into Envoy xDS

Request arrives at Envoy
↓ (request-time rate limit check)
If no available quota → 429; else continue
↓
ext_proc processes request/response, extracts token usage
↓ (stream-done rate limit action)
Rate limit filter sends HitsAddend to service
↓
Rate limit service increments Redis counter by token count

Related Issues/PRs (if applicable)
Related PR: #1709

[codecov-commenter]

Codecov Report

❌ Patch coverage is 87.58357% with 130 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.58%. Comparing base (edef4c5) to head (c2986f0).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/controller/gateway.go	21.56%	38 Missing and 2 partials ⚠️
internal/extensionserver/quota_ratelimit.go	93.21%	20 Missing and 17 partials ⚠️
internal/controller/quota_policy.go	82.08%	18 Missing and 6 partials ⚠️
internal/ratelimit/translator/translator.go	92.57%	11 Missing and 4 partials ⚠️
internal/ratelimit/runner/runner.go	84.00%	4 Missing and 4 partials ⚠️
internal/extensionserver/post_translate_modify.go	33.33%	1 Missing and 1 partial ⚠️
internal/extproc/processor_impl.go	80.00%	1 Missing and 1 partial ⚠️
internal/ratelimit/translator/merge.go	95.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1869      +/-   ##
==========================================
+ Coverage   84.42%   84.58%   +0.15%     
==========================================
  Files         134      139       +5     
  Lines       19162    20203    +1041     
==========================================
+ Hits        16177    17088     +911     
- Misses       1998     2092      +94     
- Partials      987     1023      +36     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[yuzisun]

@yanavlasov @johnugeorge @nacx

[johnugeorge]

Correct me if I am wrong

1. Currently, it doesn't handle multiple quotaPolicies on the same backend. We will have to merge descriptors under the same domain. Can you create an issue to track it?
2. We should keep new rate limit service optional under a quota helm flag.

Question: How much latency is added if the request passes through the second ratelimit filter(if enabled)?

[yuzisun]

Correct me if I am wrong

1. Currently, it doesn't handle multiple quotaPolicies on the same backend. We will have to merge descriptors under the same domain. Can you create an issue to track it?

created #1971

2. We should keep new rate limit service optional under a quota helm flag.

will address

Question: How much latency is added if the request passes through the second ratelimit filter(if enabled)?

The second ratelimit filter adds 5ms 99% and 3ms 50% to the total latency.

[nacx]

Did another review. Here are some additional notes to the comments:

• The CostExpression seems not yet to be implemented. Should we add a comment in the API saying the field will be implemented in the future, so users know the field is not taken into account yet?
• The mode seems not to be used, but it is required in the API. Is this a leftover or something that needs to be taken into account?

[aabchoo]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces backend-level quota rate limiting using the new QuotaPolicy CRD, implementing a controller, an xDS config runner, and translation logic to configure Envoy's rate limit service. Key feedback includes addressing non-deterministic map iteration in the controller's config merging to prevent random xDS snapshot flips, performing deep copies of descriptors during merging to avoid cache corruption, and adding validation to ensure parsed rule indices are non-negative to prevent potential out-of-bounds panics.

[aabchoo]

Quota Policy's model name is now based on the model name override. Updated documentation to outline that.

RateLimitPerRoute is based on the httproute rule and cross-references the backend name + model name override. Multiple backends for a rule means the route will send multiple descriptors for the potential "match". Response path will only update the override+backend routed.