diff --git a/charts/envoy-ratelimit/Chart.yaml b/charts/envoy-ratelimit/Chart.yaml
index 438769bc..4a551880 100644
--- a/charts/envoy-ratelimit/Chart.yaml
+++ b/charts/envoy-ratelimit/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: envoy-ratelimit
 description: Envoy gobal ratelimiting service - part of KubeZero
 type: application
-version: 0.1.0
+version: 0.1.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/envoy-ratelimit/templates/config-statds-exporter.yaml b/charts/envoy-ratelimit/templates/config-statds-exporter.yaml
deleted file mode 100644
index 41ade6c0..00000000
--- a/charts/envoy-ratelimit/templates/config-statds-exporter.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-{{- if .Values.metrics.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: ratelimit-statsd-exporter-config
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kubezero-lib.labels" . | nindent 4 }}
-data:
- config.yaml: |
- defaults:
- ttl: 1m # Resets the metrics every minute
- mappings:
- - match:
- "ratelimit.service.rate_limit.*.*.near_limit"
- name: "ratelimit_service_rate_limit_near_limit"
- timer_type: "histogram"
- labels:
- domain: "$1"
- key1: "$2"
- - match:
- "ratelimit.service.rate_limit.*.*.over_limit"
- name: "ratelimit_service_rate_limit_over_limit"
- timer_type: "histogram"
- labels:
- domain: "$1"
- key1: "$2"
- - match:
- "ratelimit.service.rate_limit.*.*.total_hits"
- name: "ratelimit_service_rate_limit_total_hits"
- timer_type: "histogram"
- labels:
- domain: "$1"
- key1: "$2"
- - match:
- "ratelimit.service.rate_limit.*.*.within_limit"
- name: "ratelimit_service_rate_limit_within_limit"
- timer_type: "histogram"
- labels:
- domain: "$1"
- key1: "$2"
- - match:
- "ratelimit.service.rate_limit.*.*.*.near_limit"
- name: "ratelimit_service_rate_limit_near_limit"
- timer_type: "histogram"
- labels:
- domain: "$1"
- key1: "$2"
- key2: "$3"
- - match:
- "ratelimit.service.rate_limit.*.*.*.over_limit"
- name: "ratelimit_service_rate_limit_over_limit"
- timer_type: "histogram"
- labels:
- domain: "$1"
- key1: "$2"
- key2: "$3"
- - match:
- "ratelimit.service.rate_limit.*.*.*.total_hits"
- name: "ratelimit_service_rate_limit_total_hits"
- timer_type: "histogram"
- labels:
- domain: "$1"
- key1: "$2"
- key2: "$3"
- - match:
- "ratelimit.service.rate_limit.*.*.*.within_limit"
- name: "ratelimit_service_rate_limit_within_limit"
- timer_type: "histogram"
- labels:
- domain: "$1"
- key1: "$2"
- key2: "$3"
- - match:
- "ratelimit.service.call.should_rate_limit.*"
- name: "ratelimit_service_should_rate_limit_error"
- match_metric_type: counter
- labels:
- err_type: "$1"
- - match:
- "ratelimit_server.*.total_requests"
- name: "ratelimit_service_total_requests"
- match_metric_type: counter
- labels:
- grpc_method: "$1"
- - match:
- "ratelimit_server.*.response_time"
- name: "ratelimit_service_response_time_seconds"
- timer_type: histogram
- labels:
- grpc_method: "$1"
- - match:
- "ratelimit.service.config_load_success"
- name: "ratelimit_service_config_load_success"
- match_metric_type: counter
- ttl: 3m
- - match:
- "ratelimit.service.config_load_error"
- name: "ratelimit_service_config_load_error"
- match_metric_type: counter
- ttl: 3m
- - match: "."
- match_type: "regex"
- action: "drop"
- name: "dropped"
-{{- end }}
diff --git a/charts/envoy-ratelimit/templates/deployment.yaml b/charts/envoy-ratelimit/templates/deployment.yaml
index 6264b76b..1c143b8f 100644
--- a/charts/envoy-ratelimit/templates/deployment.yaml
+++ b/charts/envoy-ratelimit/templates/deployment.yaml
@@ -16,7 +16,7 @@ spec:
 app: ratelimit
 spec:
 containers:
- - image: envoyproxy/ratelimit:b42701cb # 2021/08/12
+ - image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
 imagePullPolicy: IfNotPresent
 name: ratelimit
 command: ["/bin/ratelimit"]
@@ -28,13 +28,11 @@ spec:
 - name: REDIS_SOCKET_TYPE
 value: tcp
 - name: REDIS_URL
- value: ratelimit-redis:6379
- - name: USE_STATSD
+ value: ratelimit-valkey:6379
+ - name: USE_PROMETHEUS
 value: "true"
- - name: STATSD_HOST
- value: "localhost"
- - name: STATSD_PORT
- value: "9125"
+ - name: USE_STATSD
+ value: "false"
 - name: RUNTIME_ROOT
 value: /data
 - name: RUNTIME_SUBDIRECTORY
@@ -46,8 +44,8 @@ spec:
 - name: LOCAL_CACHE_SIZE_IN_BYTES
 value: "{{ default 0 .Values.localCacheSize | int }}"
 ports:
- #- containerPort: 8080
 - containerPort: 8081
+ #- containerPort: 8080
 #- containerPort: 6070
 volumeMounts:
 - name: ratelimit-config
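Review bot: In the `@@ -16,7 +16,7 @@` hunk of templates/deployment.yaml the image reference is now built from two unquoted values, and the default added in the `image:` hunk of values.yaml is a bare scalar as well. A short SHA that happens to be all digits, or one shaped like `12e45678`, would be read by the YAML parser as a number and may reach the template in a different textual form, so the pod would reference a tag that was never intended. Keep the value a string with `tag: "80b15778"` and quote the rendered line, `- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"`. The reference is also a mutable tag only; accepting an optional digest value and appending it as `@sha256:…` when set would make the deployed content verifiable. The container spec continues outside this hunk.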
@@ -59,27 +57,7 @@ spec:
 limits:
 cpu: 1
 memory: 256Mi
- - name: statsd-exporter
- image: docker.io/prom/statsd-exporter:v0.21.0
- imagePullPolicy: Always
- args: ["--statsd.mapping-config=/etc/statsd-exporter/config.yaml"]
- ports:
- - containerPort: 9125
- # - containerPort: 9102
- resources:
- requests:
- cpu: 50m
- memory: 32Mi
- limits:
- cpu: 200m
- memory: 64Mi
- volumeMounts:
- - name: statsd-exporter-config
- mountPath: /etc/statsd-exporter
 volumes:
 - name: ratelimit-config
 configMap:
 name: ratelimit-config
- - name: statsd-exporter-config
- configMap:
- name: ratelimit-statsd-exporter-config
diff --git a/charts/envoy-ratelimit/templates/service.yaml b/charts/envoy-ratelimit/templates/service.yaml
index 254dbab4..c95aa546 100644
--- a/charts/envoy-ratelimit/templates/service.yaml
+++ b/charts/envoy-ratelimit/templates/service.yaml
@@ -20,8 +20,8 @@ spec:
 # targetPort: 6070
 # protocol: TCP
 - name: http-monitoring
- port: 9102
- targetPort: 9102
+ port: 9090
+ targetPort: 9090
 protocol: TCP
 selector:
 app: ratelimit
diff --git a/charts/envoy-ratelimit/templates/redis-deployment.yaml b/charts/envoy-ratelimit/templates/valkey-deployment.yaml
similarity index 66%
rename from charts/envoy-ratelimit/templates/redis-deployment.yaml
rename to charts/envoy-ratelimit/templates/valkey-deployment.yaml
index 6d999266..35258a86 100644
--- a/charts/envoy-ratelimit/templates/redis-deployment.yaml
+++ b/charts/envoy-ratelimit/templates/valkey-deployment.yaml
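Review bot: The `http-monitoring` port in templates/service.yaml now targets 9090, but nothing visible in the deployment hunks ties the container to that port: `USE_PROMETHEUS` is set without an explicit listen address, and the `ports:` list still declares only 8081. The Service therefore depends on the image's built-in default, and if that default differs or changes, scraping of the over-limit and error counters stops without any render-time signal. Setting the address explicitly (`- name: PROMETHEUS_ADDR` with `value: ":9090"`) and adding `- containerPort: 9090` would make the contract visible in the manifest. The endpoint is also published on the Service unconditionally while values.yaml now defaults `metrics.enabled` to false, so a comment stating what that flag still controls would help.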
@@ -1,24 +1,24 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: ratelimit-redis
+ name: ratelimit-valkey
 namespace: {{ .Release.Namespace }}
 spec:
 replicas: 1
 selector:
 matchLabels:
- app: ratelimit-redis
+ app: ratelimit-valkey
 template:
 metadata:
 labels:
- app: ratelimit-redis
+ app: ratelimit-valkey
 spec:
 containers:
- - image: redis:6-alpine
+ - image: valkey/valkey:8.1-alpine3.21
 imagePullPolicy: IfNotPresent
- name: redis
+ name: valkey
 ports:
- - name: redis
+ - name: valkey
 containerPort: 6379
 restartPolicy: Always
 serviceAccountName: ""
diff --git a/charts/envoy-ratelimit/templates/redis-service.yaml b/charts/envoy-ratelimit/templates/valkey-service.yaml
similarity index 57%
rename from charts/envoy-ratelimit/templates/redis-service.yaml
rename to charts/envoy-ratelimit/templates/valkey-service.yaml
index 0f9bdd90..7db83141 100644
--- a/charts/envoy-ratelimit/templates/redis-service.yaml
+++ b/charts/envoy-ratelimit/templates/valkey-service.yaml
@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: ratelimit-redis
+ name: ratelimit-valkey
 namespace: {{ .Release.Namespace }}
 labels:
- app: ratelimit-redis
+ app: ratelimit-valkey
 spec:
 ports:
- - name: redis
+ - name: valkey
 port: 6379
 selector:
- app: ratelimit-redis
+ app: ratelimit-valkey
diff --git a/charts/envoy-ratelimit/values.yaml b/charts/envoy-ratelimit/values.yaml
index ab47791d..773e058b 100644
--- a/charts/envoy-ratelimit/values.yaml
+++ b/charts/envoy-ratelimit/values.yaml
@@ -1,3 +1,8 @@
+image:
+ repository: envoyproxy/ratelimit
+ # see: https://hub.docker.com/r/envoyproxy/ratelimit/tags
+ tag: 80b15778
+
 log:
 level: warn
 format: json
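Review bot: The renamed Deployment in templates/valkey-deployment.yaml (the hunk covers the whole 24-line manifest) still runs the counter store with no authentication, no `securityContext` and no `resources`. The `REDIS_URL` change in deployment.yaml adds no credentials either, so any workload that can reach `ratelimit-valkey:6379` can read or reset the rate-limit counters. Since the pod is being replaced anyway, this is a good point to add a NetworkPolicy that admits only pods labelled `app: ratelimit`, set memory requests and limits on the container, and add `automountServiceAccountToken: false` next to `serviceAccountName: ""`. The image is pinned by tag only (`valkey/valkey:8.1-alpine3.21`); a digest would make the rollout reproducible.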
@@ -8,19 +13,26 @@ localCacheSize: 1048576 # Wether to block requests if ratelimiting is down failureModeDeny: false -# rate limit descriptors for each domain, examples 10 req/s per sourceIP +# rate limit descriptors for each domain +# - slow: 1 req/s over a minute per sourceIP descriptors: ingress: - - key: remote_address - rate_limit: - unit: second - requests_per_unit: 10 + - key: speed + value: slow + descriptors: + - key: remote_address + rate_limit: + unit: minute + requests_per_unit: 60 privateIngress: - - key: remote_address - rate_limit: - unit: second - requests_per_unit: 10 + - key: speed + value: slow + descriptors: + - key: remote_address + rate_limit: + unit: minute + requests_per_unit: 60 metrics: - enabled: true + enabled: false diff --git a/charts/kubezero-ci/Chart.yaml b/charts/kubezero-ci/Chart.yaml index dbdcc87f..43e1ca6a 100644 --- a/charts/kubezero-ci/Chart.yaml +++ b/charts/kubezero-ci/Chart.yaml @@ -15,7 +15,7 @@ maintainers: email: stefan@zero-downtime.net dependencies: - name: kubezero-lib - version: 0.1.6 + version: 0.2.1 repository: https://cdn.zero-downtime.net/charts/ - name: gitea version: 10.6.0 diff --git a/charts/kubezero-ci/values.yaml b/charts/kubezero-ci/values.yaml index 3ee36865..a241fb77 100644 --- a/charts/kubezero-ci/values.yaml +++ b/charts/kubezero-ci/values.yaml @@ -16,6 +16,10 @@ gitea: claimName: data-gitea-0 size: 4Gi + service: + http: + port: 80 + securityContext: allowPrivilegeEscalation: false capabilities: @@ -298,7 +302,7 @@ renovate: LOG_FORMAT: json cronjob: concurrencyPolicy: Forbid - jobBackoffLimit: 3 + jobBackoffLimit: 2 schedule: "0 3 * * *" successfulJobsHistoryLimit: 1 diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index dace6f21..6125a065 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml 
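Review bot: With the new defaults in the `@@ -8,19 +13,26 @@` hunk of values.yaml the per-address limit is nested under `speed: slow`, so it applies only to requests for which the proxy sends both descriptor entries. Traffic that carries only `remote_address` matches no rule and passes without a limit, whereas the removed default limited every source address. Together with `failureModeDeny: false` this makes an upgrade fail open for anyone relying on the old default, presumably unless the Envoy filter configuration (not part of this diff) was changed to emit `speed`. I would state this in the comment above `descriptors:`, for example `# NOTE: only routes that emit the descriptor speed=slow are limited; all other traffic is unlimited`, and mention the behaviour change in the release notes.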
@@ -16,7 +16,7 @@ dependencies: version: 0.2.1 repository: https://cdn.zero-downtime.net/charts/ - name: envoy-ratelimit - version: 0.1.0 + version: 0.1.2 repository: https://cdn.zero-downtime.net/charts/ condition: envoy-ratelimit.enabled - name: base diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index a15b9fb9..cf71a856 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -20,7 +20,7 @@ Kubernetes: `>= 1.30.0-0` | Repository | Name | Version | |------------|------|---------| -| https://cdn.zero-downtime.net/charts/ | envoy-ratelimit | 0.1.0 | +| https://cdn.zero-downtime.net/charts/ | envoy-ratelimit | 0.1.2 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 | | https://istio-release.storage.googleapis.com/charts | base | 1.24.3 | | https://istio-release.storage.googleapis.com/charts | istiod | 1.24.3 | diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index 99b4d4d0..6c625564 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -56,29 +56,7 @@ kiali-server: #url: "kiali.example.com" +# for available options see envoy-ratelimit chart envoy-ratelimit: enabled: false - log: - level: warn - format: json - - # 1MB local cache for already reached limits to reduce calls to Redis - localCacheSize: 1048576 - - # Wether to block requests if ratelimiting is down - failureModeDeny: false - - # rate limit descriptors for each domain, examples 10 req/s per sourceIP - descriptors: - ingress: - - key: remote_address - rate_limit: - unit: second - requests_per_unit: 10 - - privateIngress: - - key: remote_address - rate_limit: - unit: second - requests_per_unit: 10 diff --git a/charts/kubezero/templates/istio.yaml b/charts/kubezero/templates/istio.yaml index 90bc4230..1db57fba 100644 --- a/charts/kubezero/templates/istio.yaml +++ b/charts/kubezero/templates/istio.yaml 
@@ -28,8 +28,8 @@ kiali-server: {{- toYaml . | nindent 2 }} {{- end }} -{{- with .Values.istio.rateLimiting }} -rateLimiting: +{{- with index .Values "istio" "envoy-ratelimit" }} +envoy-ratelimit: {{- toYaml . | nindent 2 }} {{- end }} {{- end }}
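Review bot: Renaming the values key from `istio.rateLimiting` to `istio.envoy-ratelimit` means a cluster configuration that still sets `istio.rateLimiting` is now ignored without any message. Because the kubezero-istio default is `enabled: false`, rate limiting would then be switched off on upgrade. A guard ahead of the new `with` block would turn that into a render error: `{{- if .Values.istio.rateLimiting }}{{ fail "istio.rateLimiting has been renamed to istio.envoy-ratelimit" }}{{- end }}`. The final `{{- end }}` closes a block opened outside this hunk, so whether other renamed keys need the same guard cannot be seen from here.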