ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 22 Packages Projects Releases Wiki Activity

feat: more envoy-ratelimit tuning, cleanups

Browse Source
This commit is contained in:
Stefan Reimer 2025-02-27 15:11:37 +00:00
parent ed48d93aaf
commit 9fc9843283
13 changed files with 52 additions and 186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/envoy-ratelimit/Chart.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v2
name: envoy-ratelimit name: envoy-ratelimit
description: Envoy gobal ratelimiting service - part of KubeZero description: Envoy gobal ratelimiting service - part of KubeZero
type: application type: application
version: 0.1.0 version: 0.1.2
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:

106
charts/envoy-ratelimit/templates/config-statds-exporter.yaml
View File

@ -1,106 +0,0 @@
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: ratelimit-statsd-exporter-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
data:
config.yaml: |
defaults:
ttl: 1m # Resets the metrics every minute
mappings:
- match:
"ratelimit.service.rate_limit.*.*.near_limit"
name: "ratelimit_service_rate_limit_near_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.over_limit"
name: "ratelimit_service_rate_limit_over_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.total_hits"
name: "ratelimit_service_rate_limit_total_hits"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.within_limit"
name: "ratelimit_service_rate_limit_within_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.*.near_limit"
name: "ratelimit_service_rate_limit_near_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.rate_limit.*.*.*.over_limit"
name: "ratelimit_service_rate_limit_over_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.rate_limit.*.*.*.total_hits"
name: "ratelimit_service_rate_limit_total_hits"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.rate_limit.*.*.*.within_limit"
name: "ratelimit_service_rate_limit_within_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.call.should_rate_limit.*"
name: "ratelimit_service_should_rate_limit_error"
match_metric_type: counter
labels:
err_type: "$1"
- match:
"ratelimit_server.*.total_requests"
name: "ratelimit_service_total_requests"
match_metric_type: counter
labels:
grpc_method: "$1"
- match:
"ratelimit_server.*.response_time"
name: "ratelimit_service_response_time_seconds"
timer_type: histogram
labels:
grpc_method: "$1"
- match:
"ratelimit.service.config_load_success"
name: "ratelimit_service_config_load_success"
match_metric_type: counter
ttl: 3m
- match:
"ratelimit.service.config_load_error"
name: "ratelimit_service_config_load_error"
match_metric_type: counter
ttl: 3m
- match: "."
match_type: "regex"
action: "drop"
name: "dropped"
{{- end }}

34
charts/envoy-ratelimit/templates/deployment.yaml
View File

@ -16,7 +16,7 @@ spec:
app: ratelimit app: ratelimit
spec: spec:
containers: containers:
- image: envoyproxy/ratelimit:b42701cb # 2021/08/12 - image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: ratelimit name: ratelimit
command: ["/bin/ratelimit"] command: ["/bin/ratelimit"]
@ -28,13 +28,11 @@ spec:
- name: REDIS_SOCKET_TYPE - name: REDIS_SOCKET_TYPE
value: tcp value: tcp
- name: REDIS_URL - name: REDIS_URL
value: ratelimit-redis:6379 value: ratelimit-valkey:6379
- name: USE_STATSD - name: USE_PROMETHEUS
value: "true" value: "true"
- name: STATSD_HOST - name: USE_STATSD
value: "localhost" value: "false"
- name: STATSD_PORT
value: "9125"
- name: RUNTIME_ROOT - name: RUNTIME_ROOT
value: /data value: /data
- name: RUNTIME_SUBDIRECTORY - name: RUNTIME_SUBDIRECTORY
@ -46,8 +44,8 @@ spec:
- name: LOCAL_CACHE_SIZE_IN_BYTES - name: LOCAL_CACHE_SIZE_IN_BYTES
value: "{{ default 0 .Values.localCacheSize | int }}" value: "{{ default 0 .Values.localCacheSize | int }}"
ports: ports:
#- containerPort: 8080
- containerPort: 8081 - containerPort: 8081
#- containerPort: 8080
#- containerPort: 6070 #- containerPort: 6070
volumeMounts: volumeMounts:
- name: ratelimit-config - name: ratelimit-config
@ -59,27 +57,7 @@ spec:
limits: limits:
cpu: 1 cpu: 1
memory: 256Mi memory: 256Mi
- name: statsd-exporter
image: docker.io/prom/statsd-exporter:v0.21.0
imagePullPolicy: Always
args: ["--statsd.mapping-config=/etc/statsd-exporter/config.yaml"]
ports:
- containerPort: 9125
# - containerPort: 9102
resources:
requests:
cpu: 50m
memory: 32Mi
limits:
cpu: 200m
memory: 64Mi
volumeMounts:
- name: statsd-exporter-config
mountPath: /etc/statsd-exporter
volumes: volumes:
- name: ratelimit-config - name: ratelimit-config
configMap: configMap:
name: ratelimit-config name: ratelimit-config
- name: statsd-exporter-config
configMap:
name: ratelimit-statsd-exporter-config

4
charts/envoy-ratelimit/templates/service.yaml
View File

@ -20,8 +20,8 @@ spec:
# targetPort: 6070 # targetPort: 6070
# protocol: TCP # protocol: TCP
- name: http-monitoring - name: http-monitoring
port: 9102 port: 9090
targetPort: 9102 targetPort: 9090
protocol: TCP protocol: TCP
selector: selector:
app: ratelimit app: ratelimit

12
charts/envoy-ratelimit/templates/redis-deployment.yaml → charts/envoy-ratelimit/templates/valkey-deployment.yaml
View File

@ -1,24 +1,24 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: ratelimit-redis name: ratelimit-valkey
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: ratelimit-redis app: ratelimit-valkey
template: template:
metadata: metadata:
labels: labels:
app: ratelimit-redis app: ratelimit-valkey
spec: spec:
containers: containers:
- image: redis:6-alpine - image: valkey/valkey:8.1-alpine3.21
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: redis name: valkey
ports: ports:
- name: redis - name: valkey
containerPort: 6379 containerPort: 6379
restartPolicy: Always restartPolicy: Always
serviceAccountName: "" serviceAccountName: ""

8
charts/envoy-ratelimit/templates/redis-service.yaml → charts/envoy-ratelimit/templates/valkey-service.yaml
View File

@ -1,13 +1,13 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: ratelimit-redis name: ratelimit-valkey
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app: ratelimit-redis app: ratelimit-valkey
spec: spec:
ports: ports:
- name: redis - name: valkey
port: 6379 port: 6379
selector: selector:
app: ratelimit-redis app: ratelimit-valkey

24
charts/envoy-ratelimit/values.yaml
View File

@ -1,3 +1,8 @@
image:
repository: envoyproxy/ratelimit
# see: https://hub.docker.com/r/envoyproxy/ratelimit/tags
tag: 80b15778
log: log:
level: warn level: warn
format: json format: json
@ -8,19 +13,26 @@ localCacheSize: 1048576
# Wether to block requests if ratelimiting is down # Wether to block requests if ratelimiting is down
failureModeDeny: false failureModeDeny: false
# rate limit descriptors for each domain, examples 10 req/s per sourceIP # rate limit descriptors for each domain
# - slow: 1 req/s over a minute per sourceIP
descriptors: descriptors:
ingress: ingress:
- key: speed
value: slow
descriptors:
- key: remote_address - key: remote_address
rate_limit: rate_limit:
unit: second unit: minute
requests_per_unit: 10 requests_per_unit: 60
privateIngress: privateIngress:
- key: speed
value: slow
descriptors:
- key: remote_address - key: remote_address
rate_limit: rate_limit:
unit: second unit: minute
requests_per_unit: 10 requests_per_unit: 60
metrics: metrics:
enabled: true enabled: false

2
charts/kubezero-ci/Chart.yaml
View File

@ -15,7 +15,7 @@ maintainers:
email: stefan@zero-downtime.net email: stefan@zero-downtime.net
dependencies: dependencies:
- name: kubezero-lib - name: kubezero-lib
version: 0.1.6 version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/ repository: https://cdn.zero-downtime.net/charts/
- name: gitea - name: gitea
version: 10.6.0 version: 10.6.0

6
charts/kubezero-ci/values.yaml
View File

@ -16,6 +16,10 @@ gitea:
claimName: data-gitea-0 claimName: data-gitea-0
size: 4Gi size: 4Gi
service:
http:
port: 80
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
@ -298,7 +302,7 @@ renovate:
LOG_FORMAT: json LOG_FORMAT: json
cronjob: cronjob:
concurrencyPolicy: Forbid concurrencyPolicy: Forbid
jobBackoffLimit: 3 jobBackoffLimit: 2
schedule: "0 3 * * *" schedule: "0 3 * * *"
successfulJobsHistoryLimit: 1 successfulJobsHistoryLimit: 1

2
charts/kubezero-istio/Chart.yaml
View File

@ -16,7 +16,7 @@ dependencies:
version: 0.2.1 version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/ repository: https://cdn.zero-downtime.net/charts/
- name: envoy-ratelimit - name: envoy-ratelimit
version: 0.1.0 version: 0.1.2
repository: https://cdn.zero-downtime.net/charts/ repository: https://cdn.zero-downtime.net/charts/
condition: envoy-ratelimit.enabled condition: envoy-ratelimit.enabled
- name: base - name: base

2
charts/kubezero-istio/README.md
View File

@ -20,7 +20,7 @@ Kubernetes: `>= 1.30.0-0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | envoy-ratelimit | 0.1.0 | | https://cdn.zero-downtime.net/charts/ | envoy-ratelimit | 0.1.2 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
| https://istio-release.storage.googleapis.com/charts | base | 1.24.3 | | https://istio-release.storage.googleapis.com/charts | base | 1.24.3 |
| https://istio-release.storage.googleapis.com/charts | istiod | 1.24.3 | | https://istio-release.storage.googleapis.com/charts | istiod | 1.24.3 |

24
charts/kubezero-istio/values.yaml
View File

@ -56,29 +56,7 @@ kiali-server:
#url: "kiali.example.com" #url: "kiali.example.com"
# for available options see envoy-ratelimit chart
envoy-ratelimit: envoy-ratelimit:
enabled: false enabled: false
log:
level: warn
format: json
# 1MB local cache for already reached limits to reduce calls to Redis
localCacheSize: 1048576
# Wether to block requests if ratelimiting is down
failureModeDeny: false
# rate limit descriptors for each domain, examples 10 req/s per sourceIP
descriptors:
ingress:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10
privateIngress:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10

4
charts/kubezero/templates/istio.yaml
View File

@ -28,8 +28,8 @@ kiali-server:
{{- toYaml . | nindent 2 }} {{- toYaml . | nindent 2 }}
{{- end }} {{- end }}
{{- with .Values.istio.rateLimiting }} {{- with index .Values "istio" "envoy-ratelimit" }}
rateLimiting: envoy-ratelimit:
{{- toYaml . | nindent 2 }} {{- toYaml . | nindent 2 }}
{{- end }} {{- end }}
{{- end }} {{- end }}