vnayar · February 22, 2024 17:01
diff --git a/envoy-global-ratelimit.yaml b/envoy-global-ratelimit.yaml
 # Resources loaded at boot, rather than dynamically via APIs.
 # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap-staticresources
 static_resources:
  # A listener wraps an address to bind to and filters to run on messages on that address.
  # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-msg-config-listener-v3-listener
  listeners:
    # The address of an interface to bind to. Interfaces can be sockets, pipes, or internal addresses.
    # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-address
    - address:
        # This address is for a network socket, with an IP and a port.
        # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-socketaddress
        socket_address:
          # The value 0.0.0.0 indicates that all interfaces will be bound to.
          address: 0.0.0.0
          # The IP port number to bind to.
          port_value: 8080
      # Filter chains wrap several related configurations, e.g. match criteria, TLS context, filters, etc.
      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#envoy-v3-api-msg-config-listener-v3-filterchain
      filter_chains:
        # An ordered list of filters to apply to connections.
        # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#envoy-v3-api-msg-config-listener-v3-filter
        - filters:
          - name: envoy.filters.network.http_connection_manager
            # A generic configuration whose fields vary with its "@type".
            typed_config:
              # The HttpConnectionManager filter converts raw data into HTTP messages, logging,
              # tracing, header manipulation, routing, and statistics.
              # https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#arch-overview-http-conn-man
              # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extension-envoy-filters-network-http-connection-manager
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              # The human readable prefix used when emitting statistics.
              stat_prefix: ingress_http

              # The static routing table used by this filter. Individual routes may also add "rate
              # limit descriptors", essentially tags, to requests which may be referenced in the
              # "http_filters" config.
              # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-msg-config-route-v3-routeconfiguration
              route_config:
                name: local_route
                # An array of virtual hosts which will compose the routing table.
                # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-virtualhost
                virtual_hosts:
                  - name: app
                    # A list of domains, e.g. *.foo.com, that will match this virtual host.
                    domains:
                      - "*"
                    # A list of routes to match against requests, the first one that matches will be used.
                    # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route
                    routes:
                      # The conditions that a request must satisfy to follow this route.
                      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-routematch
                      - match:
                          # A match against the beginning of the :path pseudo-header.
                          prefix: "/"
                        # The routing action to take if the request matches the conditions.
                        # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-routeaction
                        route:
                          host_rewrite_literal: www.envoyproxy.io
                          cluster: service_envoyproxy_io
                          rate_limits:
                            - actions:
                                # Read a request header and use its value to set the value of a descriptor entry.
                                # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-ratelimit-action-requestheaders
                                - request_headers:
                                    descriptor_key: key1
                                    # The header whose value should used as the descriptor map entry value.
                                    header_name: key1
                                    # Leave the header out of the descriptor if missing.
                                    # By default, rate limiting is skipped if a header is missing.
                                    skip_if_absent: true
                                - request_headers:
                                    descriptor_key: key2
                                    header_name: key2
                                    skip_if_absent: true
                                - request_headers:
                                    descriptor_key: key3
                                    header_name: key3
                                    skip_if_absent: true
                                - request_headers:
                                    descriptor_key: key4
                                    header_name: key4
                                    skip_if_absent: true
              # Individual filters applied by the HTTP Connection Manager.
              # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-msg-extensions-filters-network-http-connection-manager-v3-httpfilter
              http_filters:
                # The ratelimit filter checks with the Routelimit Service to perform global route limiting.
                # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit
                - name: envoy.filters.http.ratelimit
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
                    # The domain makes a unique namespace when matching against descriptors.
                    domain: app
                    # Limit the rate filter to internal, external, or both types of requests.
                    # Internal requests are identified by the header 'x-envoy-internal: true'.
                    request_type: external
                    # What is this?
                    stage: 0
                    # Apparently Ratelimit Services can return RESOURCE_EXHAUSTED instead of UNAVAILABLE.
                    rate_limited_as_resource_exhausted: true
                    # Indicate whether a failure in the ratelimit service should result in requests being denied.
                    failure_mode_deny: false
                    # Format ratelimit headers using the IETF draft format:
                    # https://datatracker.ietf.org/doc/id/draft-polli-ratelimit-headers-03.html
                    enable_x_ratelimit_headers: DRAFT_VERSION_03
                    # Specify where to find the ratelimit service.
                    rate_limit_service:
                      # The location of the Ratelimit Service must be defined as a cluster.
                      grpc_service:
                        envoy_grpc:
                          cluster_name: ratelimit_service
                      # The version factors into the endpoint for contacting the Ratelimit Service
                      transport_api_version: V3
                # The router filter performs HTTP forwarding with optional logic for retries, statistics, etc.
                # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#extension-envoy-filters-http-router
                # https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  # Configurations for logically similar upstream hosts, called clusters, that Envoy connects to.
  # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster
  clusters:
    - name: ratelimit_service
      type: STRICT_DNS
      connect_timeout: 1s
      lb_policy: ROUND_ROBIN
      protocol_selection: USE_CONFIGURED_PROTOCOL
      http2_protocol_options: {}
      load_assignment:
        cluster_name: ratelimit_service
        endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 127.0.0.1
                    port_value: 9001
    - name: service_envoyproxy_io
      # The cluster type, in this case, discover the target via a DNS lookup.
      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-enum-config-cluster-v3-cluster-discoverytype
      type: LOGICAL_DNS
      connect_timeout: 500s
      dns_lookup_family: V4_ONLY
      # For endpoints that are part of the cluster, determine how requests are distributed.
      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint.proto#envoy-v3-api-msg-config-endpoint-v3-clusterloadassignment
      load_assignment:
        cluster_name: service_envoyproxy_io
        endpoints:
          # A list of endpoints that belong to this cluster.
          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#envoy-v3-api-msg-config-endpoint-v3-localitylbendpoints
          - lb_endpoints:
              # A single endpoint, it's load-balancing weight, etc.
              # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#envoy-v3-api-msg-config-endpoint-v3-lbendpoint
              - endpoint:
                  address:
                    socket_address:
                      address: www.envoyproxy.io
                      port_value: 443
      # A customized transport socket, in this case, with TLS enabled.
      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#envoy-v3-api-msg-config-core-v3-transportsocket
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          # Server Name Indication, the server being contacted in step 1 of the TLS handshake.
          sni: www.envoyproxy.io
	# Resources loaded at boot, rather than dynamically via APIs.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap-staticresources
	static_resources:
	# A listener wraps an address to bind to and filters to run on messages on that address.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-msg-config-listener-v3-listener
	listeners:
	# The address of an interface to bind to. Interfaces can be sockets, pipes, or internal addresses.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-address
	- address:
	# This address is for a network socket, with an IP and a port.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-socketaddress
	socket_address:
	# The value 0.0.0.0 indicates that all interfaces will be bound to.
	address: 0.0.0.0
	# The IP port number to bind to.
	port_value: 8080
	# Filter chains wrap several related configurations, e.g. match criteria, TLS context, filters, etc.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#envoy-v3-api-msg-config-listener-v3-filterchain
	filter_chains:
	# An ordered list of filters to apply to connections.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#envoy-v3-api-msg-config-listener-v3-filter
	- filters:
	- name: envoy.filters.network.http_connection_manager
	# A generic configuration whose fields vary with its "@type".
	typed_config:
	# The HttpConnectionManager filter converts raw data into HTTP messages, logging,
	# tracing, header manipulation, routing, and statistics.
	# https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#arch-overview-http-conn-man
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extension-envoy-filters-network-http-connection-manager
	"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
	# The human readable prefix used when emitting statistics.
	stat_prefix: ingress_http

	# The static routing table used by this filter. Individual routes may also add "rate
	# limit descriptors", essentially tags, to requests which may be referenced in the
	# "http_filters" config.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-msg-config-route-v3-routeconfiguration
	route_config:
	name: local_route
	# An array of virtual hosts which will compose the routing table.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-virtualhost
	virtual_hosts:
	- name: app
	# A list of domains, e.g. *.foo.com, that will match this virtual host.
	domains:
	- "*"
	# A list of routes to match against requests, the first one that matches will be used.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route
	routes:
	# The conditions that a request must satisfy to follow this route.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-routematch
	- match:
	# A match against the beginning of the :path pseudo-header.
	prefix: "/"
	# The routing action to take if the request matches the conditions.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-routeaction
	route:
	host_rewrite_literal: www.envoyproxy.io
	cluster: service_envoyproxy_io
	rate_limits:
	- actions:
	# Read a request header and use its value to set the value of a descriptor entry.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-ratelimit-action-requestheaders
	- request_headers:
	descriptor_key: key1
	# The header whose value should used as the descriptor map entry value.
	header_name: key1
	# Leave the header out of the descriptor if missing.
	# By default, rate limiting is skipped if a header is missing.
	skip_if_absent: true
	- request_headers:
	descriptor_key: key2
	header_name: key2
	skip_if_absent: true
	- request_headers:
	descriptor_key: key3
	header_name: key3
	skip_if_absent: true
	- request_headers:
	descriptor_key: key4
	header_name: key4
	skip_if_absent: true
	# Individual filters applied by the HTTP Connection Manager.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-msg-extensions-filters-network-http-connection-manager-v3-httpfilter
	http_filters:
	# The ratelimit filter checks with the Routelimit Service to perform global route limiting.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit
	- name: envoy.filters.http.ratelimit
	typed_config:
	"@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
	# The domain makes a unique namespace when matching against descriptors.
	domain: app
	# Limit the rate filter to internal, external, or both types of requests.
	# Internal requests are identified by the header 'x-envoy-internal: true'.
	request_type: external
	# What is this?
	stage: 0
	# Apparently Ratelimit Services can return RESOURCE_EXHAUSTED instead of UNAVAILABLE.
	rate_limited_as_resource_exhausted: true
	# Indicate whether a failure in the ratelimit service should result in requests being denied.
	failure_mode_deny: false
	# Format ratelimit headers using the IETF draft format:
	# https://datatracker.ietf.org/doc/id/draft-polli-ratelimit-headers-03.html
	enable_x_ratelimit_headers: DRAFT_VERSION_03
	# Specify where to find the ratelimit service.
	rate_limit_service:
	# The location of the Ratelimit Service must be defined as a cluster.
	grpc_service:
	envoy_grpc:
	cluster_name: ratelimit_service
	# The version factors into the endpoint for contacting the Ratelimit Service
	transport_api_version: V3
	# The router filter performs HTTP forwarding with optional logic for retries, statistics, etc.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#extension-envoy-filters-http-router
	# https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router
	- name: envoy.filters.http.router
	typed_config:
	"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
	# Configurations for logically similar upstream hosts, called clusters, that Envoy connects to.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster
	clusters:
	- name: ratelimit_service
	type: STRICT_DNS
	connect_timeout: 1s
	lb_policy: ROUND_ROBIN
	protocol_selection: USE_CONFIGURED_PROTOCOL
	http2_protocol_options: {}
	load_assignment:
	cluster_name: ratelimit_service
	endpoints:
	- lb_endpoints:
	- endpoint:
	address:
	socket_address:
	address: 127.0.0.1
	port_value: 9001
	- name: service_envoyproxy_io
	# The cluster type, in this case, discover the target via a DNS lookup.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-enum-config-cluster-v3-cluster-discoverytype
	type: LOGICAL_DNS
	connect_timeout: 500s
	dns_lookup_family: V4_ONLY
	# For endpoints that are part of the cluster, determine how requests are distributed.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint.proto#envoy-v3-api-msg-config-endpoint-v3-clusterloadassignment
	load_assignment:
	cluster_name: service_envoyproxy_io
	endpoints:
	# A list of endpoints that belong to this cluster.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#envoy-v3-api-msg-config-endpoint-v3-localitylbendpoints
	- lb_endpoints:
	# A single endpoint, it's load-balancing weight, etc.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#envoy-v3-api-msg-config-endpoint-v3-lbendpoint
	- endpoint:
	address:
	socket_address:
	address: www.envoyproxy.io
	port_value: 443
	# A customized transport socket, in this case, with TLS enabled.
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#envoy-v3-api-msg-config-core-v3-transportsocket
	transport_socket:
	name: envoy.transport_sockets.tls
	typed_config:
	# https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto
	"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
	# Server Name Indication, the server being contacted in step 1 of the TLS handshake.
	sni: www.envoyproxy.io