117 lines
3.4 KiB
YAML
117 lines
3.4 KiB
YAML
{{- if .Values.rateLimiting.enabled }}
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: EnvoyFilter
|
|
metadata:
|
|
name: ingressgateway-ratelimit
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
|
spec:
|
|
workloadSelector:
|
|
labels:
|
|
istio: ingressgateway
|
|
configPatches:
|
|
- applyTo: HTTP_FILTER
|
|
match:
|
|
context: GATEWAY
|
|
listener:
|
|
filterChain:
|
|
filter:
|
|
name: "envoy.filters.network.http_connection_manager"
|
|
subFilter:
|
|
name: "envoy.filters.http.router"
|
|
patch:
|
|
operation: INSERT_BEFORE
|
|
value:
|
|
name: envoy.filters.http.ratelimit
|
|
typed_config:
|
|
"@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
|
|
domain: ingress
|
|
failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
|
|
timeout: 0.5s
|
|
rate_limit_service:
|
|
grpc_service:
|
|
envoy_grpc:
|
|
cluster_name: rate_limit_cluster
|
|
transport_api_version: V3
|
|
- applyTo: CLUSTER
|
|
match:
|
|
cluster:
|
|
service: ratelimit.default.svc.cluster.local
|
|
patch:
|
|
operation: ADD
|
|
value:
|
|
name: rate_limit_cluster
|
|
type: STRICT_DNS
|
|
connect_timeout: 0.5s
|
|
lb_policy: ROUND_ROBIN
|
|
http2_protocol_options: {}
|
|
load_assignment:
|
|
cluster_name: rate_limit_cluster
|
|
endpoints:
|
|
- lb_endpoints:
|
|
- endpoint:
|
|
address:
|
|
socket_address:
|
|
address: ratelimit.istio-system
|
|
port_value: 8081
|
|
|
|
---
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: EnvoyFilter
|
|
metadata:
|
|
name: private-ingressgateway-ratelimit
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
|
spec:
|
|
workloadSelector:
|
|
labels:
|
|
istio: private-ingressgateway
|
|
configPatches:
|
|
- applyTo: HTTP_FILTER
|
|
match:
|
|
context: GATEWAY
|
|
listener:
|
|
filterChain:
|
|
filter:
|
|
name: "envoy.filters.network.http_connection_manager"
|
|
subFilter:
|
|
name: "envoy.filters.http.router"
|
|
patch:
|
|
operation: INSERT_BEFORE
|
|
value:
|
|
name: envoy.filters.http.ratelimit
|
|
typed_config:
|
|
"@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
|
|
domain: private-ingress
|
|
failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
|
|
timeout: 0.5s
|
|
rate_limit_service:
|
|
grpc_service:
|
|
envoy_grpc:
|
|
cluster_name: rate_limit_cluster
|
|
transport_api_version: V3
|
|
- applyTo: CLUSTER
|
|
match:
|
|
cluster:
|
|
service: ratelimit.default.svc.cluster.local
|
|
patch:
|
|
operation: ADD
|
|
value:
|
|
name: rate_limit_cluster
|
|
type: STRICT_DNS
|
|
connect_timeout: 0.5s
|
|
lb_policy: ROUND_ROBIN
|
|
http2_protocol_options: {}
|
|
load_assignment:
|
|
cluster_name: rate_limit_cluster
|
|
endpoints:
|
|
- lb_endpoints:
|
|
- endpoint:
|
|
address:
|
|
socket_address:
|
|
address: ratelimit.istio-system
|
|
port_value: 8081
|
|
{{- end }}
|