Add Rate Limit using Istio Envoy #674

Merged
merged 5 commits into from
Dec 1, 2023
Expand Up @@ -20,6 +20,7 @@ spec:
metadata:
labels:
app.kubernetes.io/instance: {{ .Values.name }}
sidecar.istio.io/inject: "false"
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 60
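Review bot: The `sidecar.istio.io/inject: "false"` label on the pod template has no comment saying why this workload opts out of injection. With namespace.yaml in this same change setting `istio-injection: enabled`, a reader cannot tell whether the opt-out is deliberate or left over. Add a one-line comment above the label stating the reason, as namespace.yaml does for its own setting.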
2 changes: 1 addition & 1 deletion build/charts/yorkie-cluster/templates/namespace.yaml
Expand Up @@ -6,4 +6,4 @@ metadata:
## Because we only need to load balance worklaods to Yorkie service,
## we don't need sidecar proxy for service mesh.
## We are only using Istio's ingressgateway envoy for load balancing.
istio-injection: disabled
istio-injection: enabled
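Review bot: The three `##` comment lines above `istio-injection` still say that no sidecar proxy is needed and that only the ingressgateway Envoy is used, which contradicts the new `istio-injection: enabled`. Update the comment to state why injection is now turned on for this namespace and which workloads are expected to opt out, and fix the `worklaods` typo while the lines are being touched. With injection enabled at namespace level, any pod created here without an opt-out label gets a sidecar, so the comment should say whether that is intended for the pods this PR adds.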
13 changes: 13 additions & 0 deletions build/charts/yorkie-cluster/templates/ratelimit-config.yaml
@@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: ratelimit-config
namespace: {{ .Values.yorkie.namespace }}
data:
config.yaml: |
domain: {{ .Values.ratelimit.domain }}
descriptors:
- key: PATH
rate_limit:
unit: {{ .Values.ratelimit.unit }}
requests_per_unit: {{ .Values.ratelimit.requestsPerUnit }}
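Review bot: The only descriptor is `key: PATH` with no `value`, so the ratelimit service keeps one counter per distinct path value and the `requests_per_unit` budget is shared by every client that requests that path. Nothing in the descriptor identifies the caller, so one busy client can use up the budget for a path that other clients also need, and each new path value creates another counter in Redis. If a per-client limit is the intent, add a second descriptor key for the client (for example one fed by a `remote_address` action in the EnvoyFilter) and add a comment here saying what the limit is scoped to.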
63 changes: 63 additions & 0 deletions build/charts/yorkie-cluster/templates/ratelimit-envoy-filter.yaml
@@ -0,0 +1,63 @@
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: filter-ratelimit
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.ratelimit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
# Match it to the ratelimit service config
domain: {{ .Values.ratelimit.domain }}
failure_mode_deny: true
timeout: 10s
rate_limit_service:
grpc_service:
envoy_grpc:
cluster_name: outbound|8081||ratelimit.yorkie.svc.cluster.local
authority: ratelimit.yorkie.svc.cluster.local
transport_api_version: V3
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: filter-ratelimit-svc
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: VIRTUAL_HOST
match:
context: GATEWAY
routeConfiguration:
vhost:
name: ""
route:
action: ANY
patch:
operation: MERGE
# Applies the rate limit rules.
value:
rate_limits:
- actions:
- request_headers:
header_name: ":path"
descriptor_key: "PATH"
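Review bot: In `rate_limit_service`, `cluster_name: outbound|8081||ratelimit.yorkie.svc.cluster.local` and `authority` hardcode the service name, namespace and port, while ratelimit-service.yaml takes the name and namespace from `.Values.ratelimit.name` and `.Values.yorkie.namespace`. If either value is overridden, the gateway points at a cluster that does not exist, and with `failure_mode_deny: true` every request through the ingress gateway is then rejected. Build both fields from the same values, and consider a `timeout` well below `10s` so that a slow rate limit service does not hold each request that long before the deny. The second filter matches `vhost` `name: ""` with `action: ANY` in `istio-system`, so it applies to every virtual host on the gateway; add a comment saying so.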
117 changes: 117 additions & 0 deletions build/charts/yorkie-cluster/templates/ratelimit-service.yaml
@@ -0,0 +1,117 @@
apiVersion: v1
kind: Service
metadata:
name: redis
namespace: {{ .Values.yorkie.namespace }}
labels:
app: redis
spec:
ports:
- name: redis
port: 6379
selector:
app: redis
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: {{ .Values.yorkie.namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- image: redis:alpine
imagePullPolicy: Always
name: redis
ports:
- name: redis
containerPort: 6379
restartPolicy: Always
serviceAccountName: ""
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.ratelimit.name }}
namespace: {{ .Values.yorkie.namespace }}
labels:
app: {{ .Values.ratelimit.name }}
spec:
ports:
- name: http-port
port: 8080
targetPort: 8080
protocol: TCP
- name: grpc-port
port: 8081
targetPort: 8081
protocol: TCP
- name: http-debug
port: 6070
targetPort: 6070
protocol: TCP
selector:
app: ratelimit
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.ratelimit.name }}
namespace: {{ .Values.yorkie.namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Values.ratelimit.name }}
strategy:
type: Recreate
template:
metadata:
labels:
app: ratelimit
spec:
containers:
- image: envoyproxy/ratelimit:9d8d70a8 # 2022/08/16
imagePullPolicy: Always
name: ratelimit
command: ["/bin/ratelimit"]
env:
- name: LOG_LEVEL
value: debug
- name: REDIS_SOCKET_TYPE
value: tcp
- name: REDIS_URL
value: redis:6379
- name: USE_STATSD
value: "false"
- name: RUNTIME_ROOT
value: /data
- name: RUNTIME_SUBDIRECTORY
value: ratelimit
- name: RUNTIME_WATCH_ROOT
value: "false"
- name: RUNTIME_IGNOREDOTFILES
value: "true"
- name: HOST
value: "::"
- name: GRPC_HOST
value: "::"
ports:
- containerPort: 8080
- containerPort: 8081
- containerPort: 6070
volumeMounts:
- name: config-volume
mountPath: /data/ratelimit/config
volumes:
- name: config-volume
configMap:
name: ratelimit-config
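Review bot: In the ratelimit Deployment, `matchLabels` is `app: {{ .Values.ratelimit.name }}` but the pod template label and the Service `selector` are the literal `app: ratelimit`. They agree only while `ratelimit.name` keeps its default; with any other value the Deployment selector no longer matches its own template and the Service selects nothing under the new name. Use the templated value in all three places. Separately, `redis:alpine` is a floating tag pulled with `imagePullPolicy: Always`, so the running image can change on any restart; pin it to a version or digest, as is done for `envoyproxy/ratelimit:9d8d70a8`, and lower `LOG_LEVEL` from `debug` for the default install.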
7 changes: 7 additions & 0 deletions build/charts/yorkie-cluster/values.yaml
Expand Up @@ -67,3 +67,10 @@ ingress:
alb:
enabled: false
certArn: arn:aws:acm:ap-northeast-2:123412341234:certificate/1234-1234-1234-1234-1234

# Configuration for ratelimit
ratelimit:
name: ratelimit
unit: minute
requestsPerUnit: 100
domain: yorkie-ratelimit
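Review bot: The new `ratelimit` block has no `enabled` flag, unlike `alb.enabled` just above it, and the ratelimit templates in this PR are not wrapped in any condition, so every install of the chart gets the filter, Redis and the ratelimit service. Add `ratelimit.enabled` and guard the templates with it. Each key also needs a short comment: which values `unit` accepts, and that `requestsPerUnit` is counted per request path as configured in ratelimit-config.yaml.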