Add Rate Limit using Istio Envoy

build/charts/yorkie-cluster/templates/istio/ratelimit/config.yaml

@@ -0,0 +1,15 @@
+{{ if .Values.ratelimit.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.ratelimit.name }}-config
+  namespace: istio-system
+data:
+  config.yaml: |
+    domain: {{ .Values.ratelimit.domain }}
+    descriptors:
+      - key: PATH
+        rate_limit:
+          unit: {{ .Values.ratelimit.unit }}
+          requests_per_unit: {{ .Values.ratelimit.requestsPerUnit }}
+{{ end }}

build/charts/yorkie-cluster/templates/istio/ratelimit/deployment.yaml

@@ -0,0 +1,56 @@
+{{ if .Values.ratelimit.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.ratelimit.name }}
+  namespace: istio-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Values.ratelimit.name }}
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: ratelimit
+    spec:
+      containers:
+      - image: envoyproxy/ratelimit:9d8d70a8 # 2022/08/16
+        imagePullPolicy: Always
+        name: ratelimit
+        command: ["/bin/ratelimit"]
+        env:
+        - name: LOG_LEVEL
+          value: debug
+        - name: REDIS_SOCKET_TYPE
+          value: tcp
+        - name: REDIS_URL
+          value: {{ .Values.ratelimit.name }}-redis:6379
+        - name: USE_STATSD
+          value: "false"
+        - name: RUNTIME_ROOT
+          value: /data
+        - name: RUNTIME_SUBDIRECTORY
+          value: ratelimit
+        - name: RUNTIME_WATCH_ROOT
+          value: "false"
+        - name: RUNTIME_IGNOREDOTFILES
+          value: "true"
+        - name: HOST
+          value: "::"
+        - name: GRPC_HOST
+          value: "::"
+        ports:
+        - containerPort: 8080
+        - containerPort: 8081
+        - containerPort: 6070
+        volumeMounts:
+        - name: config-volume
+          mountPath: /data/ratelimit/config
+      volumes:
+      - name: config-volume
+        configMap:
+          name: ratelimit-config
+{{ end }}

build/charts/yorkie-cluster/templates/istio/ratelimit/envoy-filter.yaml

@@ -0,0 +1,65 @@
+{{ if .Values.ratelimit.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: filter-ratelimit
+  namespace: istio-system
+spec:
+  workloadSelector:
+    labels:
+      istio: ingressgateway
+  configPatches:
+    - applyTo: HTTP_FILTER
+      match:
+        context: GATEWAY
+        listener:
+          filterChain:
+            filter:
+              name: "envoy.filters.network.http_connection_manager"
+              subFilter:
+                name: "envoy.filters.http.router"
+      patch:
+        operation: INSERT_BEFORE
+        value:
+          name: envoy.filters.http.ratelimit
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
+            # Match it to the ratelimit service config
+            domain: {{ .Values.ratelimit.domain }}
+            failure_mode_deny: true
+            timeout: 10s
+            rate_limit_service:
+              grpc_service:
+                envoy_grpc:
+                  cluster_name: outbound|8081||{{ .Values.ratelimit.name }}.istio-system.svc.cluster.local
+                  authority: {{ .Values.ratelimit.name }}.istio-system.svc.cluster.local
+              transport_api_version: V3
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: filter-ratelimit-svc
+  namespace: istio-system
+spec:
+  workloadSelector:
+    labels:
+      istio: ingressgateway
+  configPatches:
+    - applyTo: VIRTUAL_HOST
+      match:
+        context: GATEWAY
+        routeConfiguration:
+          vhost:
+            name: ""
+            route:
+              action: ANY
+      patch:
+        operation: MERGE
+        # Applies the rate limit rules.
+        value:
+          rate_limits:
+            - actions:
+              - request_headers:
+                  header_name: ":path"
+                  descriptor_key: "PATH"
+{{ end }}

build/charts/yorkie-cluster/templates/istio/ratelimit/redis/deployment.yaml

@@ -0,0 +1,26 @@
+{{ if .Values.ratelimit.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.ratelimit.name }}-redis
+  namespace: istio-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+      - image: redis:alpine
+        imagePullPolicy: Always
+        name: redis
+        ports:
+        - name: redis
+          containerPort: 6379
+      restartPolicy: Always
+      serviceAccountName: ""
+{{ end }}

build/charts/yorkie-cluster/templates/istio/ratelimit/redis/service.yaml

@@ -0,0 +1,15 @@
+{{ if .Values.ratelimit.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.ratelimit.name }}-redis
+  namespace: istio-system
+  labels:
+    app: redis
+spec:
+  ports:
+  - name: redis
+    port: 6379
+  selector:
+    app: redis
+{{ end }}

build/charts/yorkie-cluster/templates/istio/ratelimit/service.yaml

@@ -0,0 +1,25 @@
+{{ if .Values.ratelimit.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.ratelimit.name }}
+  namespace: istio-system
+  labels:
+    app: {{ .Values.ratelimit.name }}
+spec:
+  ports:
+  - name: http-port
+    port: 8080
+    targetPort: 8080
+    protocol: TCP
+  - name: grpc-port
+    port: 8081
+    targetPort: 8081
+    protocol: TCP
+  - name: http-debug
+    port: 6070
+    targetPort: 6070
+    protocol: TCP
+  selector:
+    app: ratelimit
+{{ end }}

build/charts/yorkie-cluster/values.yaml

@@ -67,3 +67,11 @@ ingress:
   alb:
     enabled: false
     certArn: arn:aws:acm:ap-northeast-2:123412341234:certificate/1234-1234-1234-1234-1234
+
+# Configuration for ratelimit
+ratelimit:
+  enabled: false
+  name: ratelimit
+  unit: minute
+  requestsPerUnit: 10000
+  domain: yorkie-ratelimit