feat: more envoy-ratelimit tuning, cleanups

Stefan Reimer 2025-02-27 15:11:37 +00:00
parent ed48d93aaf
commit 9fc9843283
13 changed files with 52 additions and 186 deletions


@ -2,7 +2,7 @@ apiVersion: v2
name: envoy-ratelimit
description: Envoy gobal ratelimiting service - part of KubeZero
type: application
version: 0.1.0
version: 0.1.2
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:


@ -1,106 +0,0 @@
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: ratelimit-statsd-exporter-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
data:
config.yaml: |
defaults:
ttl: 1m # Resets the metrics every minute
mappings:
- match:
"ratelimit.service.rate_limit.*.*.near_limit"
name: "ratelimit_service_rate_limit_near_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.over_limit"
name: "ratelimit_service_rate_limit_over_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.total_hits"
name: "ratelimit_service_rate_limit_total_hits"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.within_limit"
name: "ratelimit_service_rate_limit_within_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.*.near_limit"
name: "ratelimit_service_rate_limit_near_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.rate_limit.*.*.*.over_limit"
name: "ratelimit_service_rate_limit_over_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.rate_limit.*.*.*.total_hits"
name: "ratelimit_service_rate_limit_total_hits"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.rate_limit.*.*.*.within_limit"
name: "ratelimit_service_rate_limit_within_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.call.should_rate_limit.*"
name: "ratelimit_service_should_rate_limit_error"
match_metric_type: counter
labels:
err_type: "$1"
- match:
"ratelimit_server.*.total_requests"
name: "ratelimit_service_total_requests"
match_metric_type: counter
labels:
grpc_method: "$1"
- match:
"ratelimit_server.*.response_time"
name: "ratelimit_service_response_time_seconds"
timer_type: histogram
labels:
grpc_method: "$1"
- match:
"ratelimit.service.config_load_success"
name: "ratelimit_service_config_load_success"
match_metric_type: counter
ttl: 3m
- match:
"ratelimit.service.config_load_error"
name: "ratelimit_service_config_load_error"
match_metric_type: counter
ttl: 3m
- match: "."
match_type: "regex"
action: "drop"
name: "dropped"
{{- end }}


@ -16,7 +16,7 @@ spec:
app: ratelimit
spec:
containers:
- image: envoyproxy/ratelimit:b42701cb # 2021/08/12
- image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
name: ratelimit
command: ["/bin/ratelimit"]
@ -28,13 +28,11 @@ spec:
- name: REDIS_SOCKET_TYPE
value: tcp
- name: REDIS_URL
value: ratelimit-redis:6379
- name: USE_STATSD
value: ratelimit-valkey:6379
- name: USE_PROMETHEUS
value: "true"
- name: STATSD_HOST
value: "localhost"
- name: STATSD_PORT
value: "9125"
- name: USE_STATSD
value: "false"
- name: RUNTIME_ROOT
value: /data
- name: RUNTIME_SUBDIRECTORY
@ -46,8 +44,8 @@ spec:
- name: LOCAL_CACHE_SIZE_IN_BYTES
value: "{{ default 0 .Values.localCacheSize | int }}"
ports:
#- containerPort: 8080
- containerPort: 8081
#- containerPort: 8080
#- containerPort: 6070
volumeMounts:
- name: ratelimit-config
@ -59,27 +57,7 @@ spec:
limits:
cpu: 1
memory: 256Mi
- name: statsd-exporter
image: docker.io/prom/statsd-exporter:v0.21.0
imagePullPolicy: Always
args: ["--statsd.mapping-config=/etc/statsd-exporter/config.yaml"]
ports:
- containerPort: 9125
# - containerPort: 9102
resources:
requests:
cpu: 50m
memory: 32Mi
limits:
cpu: 200m
memory: 64Mi
volumeMounts:
- name: statsd-exporter-config
mountPath: /etc/statsd-exporter
volumes:
- name: ratelimit-config
configMap:
name: ratelimit-config
- name: statsd-exporter-config
configMap:
name: ratelimit-statsd-exporter-config
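Review bot: The new `- image: {{ .Values.image.repository }}:{{ .Values.image.tag }}` line is unquoted, and its tag comes from an unquoted short commit hash in the chart values (`tag: 80b15778`). A future hash that is all digits or has a digits-`e`-digits shape (constructed example: `1234e567`) would be typed as a number by the YAML parser and may not render as the literal tag, so I would quote both: `tag: "80b15778"` in the values and `- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` here. Separately, a tag is mutable on the registry and `imagePullPolicy: IfNotPresent` means each node keeps whatever it first pulled under that tag; an optional digest value would give a reproducible, verifiable image. The container spec starts and ends outside these hunks, so its other settings were not reviewed.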


@ -20,8 +20,8 @@ spec:
# targetPort: 6070
# protocol: TCP
- name: http-monitoring
port: 9102
targetPort: 9102
port: 9090
targetPort: 9090
protocol: TCP
selector:
app: ratelimit


@ -1,24 +1,24 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: ratelimit-redis
name: ratelimit-valkey
namespace: {{ .Release.Namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: ratelimit-redis
app: ratelimit-valkey
template:
metadata:
labels:
app: ratelimit-redis
app: ratelimit-valkey
spec:
containers:
- image: redis:6-alpine
- image: valkey/valkey:8.1-alpine3.21
imagePullPolicy: IfNotPresent
name: redis
name: valkey
ports:
- name: redis
- name: valkey
containerPort: 6379
restartPolicy: Always
serviceAccountName: ""
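Review bot: The renamed Valkey Deployment still runs the store with no authentication, no `securityContext` and no `resources`; the hunk header covers the whole 24-line file, so none of these are set elsewhere in it. The counters held here are what enforce the rate limits, so any workload that can reach `ratelimit-valkey:6379` can read or reset them. A NetworkPolicy admitting only pods labelled `app: ratelimit` would close that path, or alternatively a password wired through the ratelimit service's `REDIS_AUTH` setting. I would also add `securityContext:` with `allowPrivilegeEscalation: false` to the container, together with small CPU and memory requests and limits; running it as non-root should be confirmed against the image's entrypoint first.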


@ -1,13 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: ratelimit-redis
name: ratelimit-valkey
namespace: {{ .Release.Namespace }}
labels:
app: ratelimit-redis
app: ratelimit-valkey
spec:
ports:
- name: redis
- name: valkey
port: 6379
selector:
app: ratelimit-redis
app: ratelimit-valkey


@ -1,3 +1,8 @@
image:
repository: envoyproxy/ratelimit
# see: https://hub.docker.com/r/envoyproxy/ratelimit/tags
tag: 80b15778
log:
level: warn
format: json
@ -8,19 +13,26 @@ localCacheSize: 1048576
# Wether to block requests if ratelimiting is down
failureModeDeny: false
# rate limit descriptors for each domain, examples 10 req/s per sourceIP
# rate limit descriptors for each domain
# - slow: 1 req/s over a minute per sourceIP
descriptors:
ingress:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10
- key: speed
value: slow
descriptors:
- key: remote_address
rate_limit:
unit: minute
requests_per_unit: 60
privateIngress:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10
- key: speed
value: slow
descriptors:
- key: remote_address
rate_limit:
unit: minute
requests_per_unit: 60
metrics:
enabled: true
enabled: false
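Review bot: The default `descriptors` for `ingress` and `privateIngress` no longer contain a top-level `remote_address` limit; the only limit now sits under `key: speed` / `value: slow`, so a request descriptor without a `speed=slow` entry ahead of `remote_address` matches nothing and is not limited. The Envoy-side rate-limit actions are not part of this commit, so whether they emit that entry cannot be confirmed from here. If they still send only `remote_address`, the previous 10 req/s per-source cap silently disappears, and with `failureModeDeny: false` nothing fails closed. I would either keep a top-level `remote_address` fallback entry or document the requirement next to the defaults, e.g. `# requires an Envoy rate-limit action emitting speed=slow before remote_address`. The comment `# - slow: 1 req/s over a minute per sourceIP` would also read more precisely as `# - slow: 60 req/min per sourceIP`.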


@ -15,7 +15,7 @@ maintainers:
email: stefan@zero-downtime.net
dependencies:
- name: kubezero-lib
version: 0.1.6
version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/
- name: gitea
version: 10.6.0


@ -16,6 +16,10 @@ gitea:
claimName: data-gitea-0
size: 4Gi
service:
http:
port: 80
securityContext:
allowPrivilegeEscalation: false
capabilities:
@ -298,7 +302,7 @@ renovate:
LOG_FORMAT: json
cronjob:
concurrencyPolicy: Forbid
jobBackoffLimit: 3
jobBackoffLimit: 2
schedule: "0 3 * * *"
successfulJobsHistoryLimit: 1


@ -16,7 +16,7 @@ dependencies:
version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/
- name: envoy-ratelimit
version: 0.1.0
version: 0.1.2
repository: https://cdn.zero-downtime.net/charts/
condition: envoy-ratelimit.enabled
- name: base


@ -20,7 +20,7 @@ Kubernetes: `>= 1.30.0-0`
| Repository | Name | Version |
|------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | envoy-ratelimit | 0.1.0 |
| https://cdn.zero-downtime.net/charts/ | envoy-ratelimit | 0.1.2 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
| https://istio-release.storage.googleapis.com/charts | base | 1.24.3 |
| https://istio-release.storage.googleapis.com/charts | istiod | 1.24.3 |


@ -56,29 +56,7 @@ kiali-server:
#url: "kiali.example.com"
# for available options see envoy-ratelimit chart
envoy-ratelimit:
enabled: false
log:
level: warn
format: json
# 1MB local cache for already reached limits to reduce calls to Redis
localCacheSize: 1048576
# Wether to block requests if ratelimiting is down
failureModeDeny: false
# rate limit descriptors for each domain, examples 10 req/s per sourceIP
descriptors:
ingress:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10
privateIngress:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10


@ -28,8 +28,8 @@ kiali-server:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.istio.rateLimiting }}
rateLimiting:
{{- with index .Values "istio" "envoy-ratelimit" }}
envoy-ratelimit:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}