Istio Ratelimit Manifests
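apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: envoy-limitsvc-redis
    component: redis
  name: envoy-limitsvc-redis-dep
  namespace: istio-system
spec:
  # One replica, and this Redis is the only store for the rate-limit counters.
  # The gateway filter in this file runs with failure_mode_deny, so while this
  # pod is down or restarting the ratelimit server errors and the gateway
  # rejects traffic. No volume is attached either, so counters reset on every
  # restart. Size replicas/HA accordingly for anything beyond a lab cluster.
  replicas: 1
  selector:
    matchLabels:
      app: envoy-limitsvc-redis
      component: redis
  template:
    metadata:
      labels:
        app: envoy-limitsvc-redis
        component: redis
    spec:
      containers:
        - name: redis
          # Mutable tag; pin by digest (`redis@sha256:...`) so the image behind
          # the gateway's policy store cannot change without a manifest change.
          image: redis:6.0.6
          imagePullPolicy: IfNotPresent
          # Image defaults apply: no requirepass, no TLS, listening on all
          # interfaces. Any pod that can reach the envoy-limitsvc-state Service
          # can read or reset the counters that back the gateway's rate limit.
          # NOTE(review): add a NetworkPolicy admitting only the ratelimit
          # server pods, and consider a password (the ratelimit server has a
          # Redis auth setting -- verify the variable name for the image
          # revision in use). No securityContext is set; runAsNonRoot,
          # readOnlyRootFilesystem and dropping capabilities should be checked
          # against the image's entrypoint before being enabled.
          ports:
            - name: redis
              containerPort: 6379
          # Keep the pod out of the Service until Redis actually accepts
          # connections, instead of routing the ratelimit server to a pod that
          # is still starting.
          readinessProbe:
            tcpSocket:
              port: 6379
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            limits:
              cpu: 1500m
              memory: 512Mi
            requests:
              cpu: 200m
              memory: 256Mi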
---
apiVersion: v1
kind: Service
metadata:
  name: envoy-limitsvc-state
  namespace: istio-system
  labels:
    app: envoy-limitsvc-redis
spec:
  # Default type, i.e. ClusterIP: the unauthenticated Redis behind this
  # Service is reachable from every pod in the cluster, not only from the
  # ratelimit server. A NetworkPolicy on the Redis pods is the usual fix.
  selector:
    app: envoy-limitsvc-redis
    component: redis
  ports:
    - name: envoy-limitsvc-state
      protocol: TCP
      port: 6379
      targetPort: 6379
---
apiVersion: v1
# Rate limit service configuration. The ratelimit Deployment mounts this
# ConfigMap at /data/ratelimit/config, i.e. RUNTIME_ROOT/RUNTIME_SUBDIRECTORY/config.
#
# The single descriptor below matches only the pair (header_match, "path")
# and allows 4 requests per minute for it. A descriptor with key
# "header_match" is what Envoy's header_value_match action produces.
# NOTE(review): the gateway-side EnvoyFilter (filter-ratelimit-svc) instead
# uses a request_headers action on ":path", whose descriptor value is the
# request's actual path -- so unless that patch emits key header_match with
# a request literally for "path", nothing here matches, the limiter answers
# OK, and no limit is enforced (fail open). Confirm against the ratelimit
# server's logs before relying on this.
data:
  config.yaml: |
    domain: example-ratelimit
    descriptors:
      - key: header_match
        rate_limit:
          requests_per_unit: 4
          unit: minute
        value: path
kind: ConfigMap
metadata:
  labels:
    app: envoy-limitsvc
  name: envoy-limitsvc-config
  namespace: istio-system
---
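apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: envoy-limitsvc
    component: server
  name: envoy-limitsvc-dep
  namespace: istio-system
spec:
  # replicas is not set, so one pod runs. The gateway filter in this file uses
  # failure_mode_deny, so an unavailable ratelimit server blocks all gateway
  # traffic; run at least two replicas anywhere availability matters.
  selector:
    matchLabels:
      app: envoy-limitsvc
      component: server
  template:
    metadata:
      labels:
        app: envoy-limitsvc
        component: server
    spec:
      containers:
        - name: server
          # Mutable commit-hash tag from a build of master; pin by digest
          # (`envoyproxy/ratelimit@sha256:...`) so the gateway's enforcement
          # point cannot change underneath you on a pull.
          image: envoyproxy/ratelimit:4d2efd61 # Master as of January 4, 2021
          command:
            - /bin/ratelimit
          env:
            - name: REDIS_SOCKET_TYPE
              value: tcp
            # Plain TCP to the in-cluster Redis Service. No password or TLS is
            # configured on either side; the server has settings for Redis
            # auth/TLS -- verify their names for this image revision if you
            # enable them on Redis.
            - name: REDIS_URL
              value: envoy-limitsvc-state.istio-system.svc.cluster.local:6379
            # RUNTIME_ROOT/RUNTIME_SUBDIRECTORY/config is the mount path of the
            # envoy-limitsvc-config ConfigMap below.
            - name: RUNTIME_ROOT
              value: /data
            - name: RUNTIME_SUBDIRECTORY
              value: ratelimit
            - name: RUNTIME_IGNOREDOTFILES
              value: "true"
            # The config tree is not watched; presumably a ConfigMap change
            # only takes effect after a pod restart -- verify.
            - name: RUNTIME_WATCH_ROOT
              value: "false"
          ports:
            - name: http
              containerPort: 8080
            - name: grpc
              containerPort: 8081
          # Keep the pod out of the Service until the gRPC listener is up, so
          # the gateway is not pointed at a server that is still starting. A
          # TCP check is used because it is safe for any image revision; the
          # server's HTTP health endpoint on 8080 is a better probe once its
          # path is confirmed for this build.
          readinessProbe:
            tcpSocket:
              port: 8081
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            limits:
              cpu: 1500m
              memory: 512Mi
            requests:
              cpu: 200m
              memory: 256Mi
          volumeMounts:
            - mountPath: /data/ratelimit/config
              name: config-volume
      volumes:
        - name: config-volume
          configMap:
            name: envoy-limitsvc-config
            # 0644 in decimal; the config holds no secrets so world-readable
            # inside the pod is fine.
            defaultMode: 420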
---
apiVersion: v1
kind: Service
metadata:
  name: envoy-limitsvc
  namespace: istio-system
  labels:
    app: envoy-limitsvc
spec:
  # Default type, i.e. ClusterIP: reachable from any pod in the cluster. The
  # ratelimit server authenticates none of its callers, so anything
  # in-cluster can query (or hammer) the limiter on these ports.
  selector:
    app: envoy-limitsvc
    component: server
  ports:
    # HTTP port of the ratelimit server (presumably its health/debug
    # endpoints). If nothing in-cluster consumes it, drop it from the Service.
    - name: envoy-limitsvc
      protocol: TCP
      port: 42080
      targetPort: 8080
    # gRPC port. A client that dials this Service by name must use 42081,
    # the Service port, not the pod's 8081.
    - name: envoy-limitsvc-grpc
      protocol: TCP
      port: 42081
      targetPort: 8081
---
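apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit
  namespace: istio-system
spec:
  # Applies to the ingress gateway proxies only.
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    # 1. A cluster the gateway uses to reach the ratelimit gRPC endpoint.
    - applyTo: CLUSTER
      match:
        proxy:
          proxyVersion: ^1\.15.*
        cluster:
          # kubernetes dns of your ratelimit service
          service: envoy-limitsvc.istio-system.svc.cluster.local
      patch:
        operation: ADD
        value:
          name: rate_limit_cluster
          type: STRICT_DNS
          connect_timeout: 10s
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
          # No transport_socket: the gateway speaks plaintext gRPC to the
          # ratelimit server. istio-system workloads usually carry no sidecar,
          # so this hop is neither encrypted nor peer-authenticated unless a
          # TLS transport_socket or a NetworkPolicy is added.
          load_assignment:
            # arbitrary name, referenced by rate_limit_service below
            cluster_name: rate_limit_cluster
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          # kubernetes dns of your ratelimit service
                          address: envoy-limitsvc.istio-system.svc.cluster.local
                          # The address is the Service name, so this must be the
                          # Service's gRPC `port` (42081), not the pod's
                          # targetPort (8081): the ClusterIP does not listen on
                          # 8081, and with failure_mode_deny an unreachable
                          # cluster means every gateway request is rejected.
                          port_value: 42081
    # 2. The rate limit HTTP filter, inserted ahead of the router.
    - applyTo: HTTP_FILTER
      match:
        # NOTE(review): no proxyVersion match here, unlike the CLUSTER patch
        # above and the VIRTUAL_HOST patch in filter-ratelimit-svc; on a
        # non-1.15 proxy the filter would be inserted without its cluster.
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_BEFORE
        value:
          # Named for what it is rather than reusing envoy.filters.http.router:
          # typed_config identifies the extension, and a second filter carrying
          # the router's name could be the one a later EnvoyFilter matching
          # subFilter envoy.filters.http.router patches relative to.
          name: envoy.filters.http.ratelimit
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
            # arbitrary domain, ensure it matches with the domain used in the ratelimit service config
            domain: example-ratelimit
            # Fail closed: if the ratelimit service is unreachable or errors,
            # requests are rejected instead of passing unlimited. Right choice
            # for an enforcement point, but it couples gateway availability to
            # the single-replica ratelimit and Redis pods in this file.
            failure_mode_deny: true
            rate_limit_service:
              grpc_service:
                envoy_grpc:
                  # must match load_assignment.cluster_name from the patch to the CLUSTER above
                  cluster_name: rate_limit_cluster
                # Per-call deadline to the ratelimit service; a slow limiter
                # holds each request up to this long before the deny path.
                timeout: 10s
              transport_api_version: V3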
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit-svc
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    # Attach rate_limits actions to one gateway server's virtual host, so the
    # ratelimit filter (filter-ratelimit) has descriptors to send.
    - applyTo: VIRTUAL_HOST
      match:
        proxy:
          proxyVersion: ^1\.15.*
        context: GATEWAY
        routeConfiguration:
          # Should be in the namespace/name format. Use this field in conjunction with the portNumber and portName to
          # accurately select the Envoy route configuration for a specific HTTPS server within a gateway config object.
          # Environment-specific Gateway reference: only this Gateway's
          # 443/https server gets the actions. Any other server on the same
          # Gateway (e.g. an HTTP listener on 80) stays unlimited.
          gateway: sb-1yyvnmt0it/sb-1yyvnmt0it-gateway
          portNumber: 443
          portName: https
      patch:
        operation: MERGE
        value:
          rate_limits:
            - actions:
                # NOTE(review): a request_headers action emits a descriptor
                # whose value is the request's actual :path and whose key is
                # descriptor_key, which Envoy requires and which is missing
                # here (if this listing is complete, expect the proxy to
                # reject the patch). Even with a key, the ConfigMap's only
                # descriptor is header_match / "path", the shape produced by a
                # header_value_match action, so the two sides disagree: the
                # limiter answers OK for every request and no limit is
                # enforced. Confirm against the ratelimit server's logs.
                - request_headers:
                    header_name: ":path"