Enabling the Internal Rate Limiting Server
TSB comes with a rate limiting server component for every control plane cluster. By default this is disabled.
This section only covers the installation procedure for the internal mode; installing an external rate limit server is not covered here.
Configuration
The rate limit server is enabled by explicitly specifying configuration for the rateLimitServer component in the ControlPlane Operator API and applying it to the relevant control plane clusters. The rateLimitServer requires a Redis backend to keep track of the rate limiting attribute counts, and the details of that Redis instance need to be included in the configuration.
Your Control Plane operator configuration may look like the example below:
apiVersion: install.tetrate.io/v1alpha1
kind: ControlPlane
metadata:
  name: controlplane
  namespace: istio-system
spec:
  # ... omitted ...
  components:
    rateLimitServer:
      domain: <domain>
      backend:
        redis:
          uri: <redis-uri>
Note the introduction of rateLimitServer in the components object.
The value for domain is used to group the storage metadata for rate limits. Specifying the same domain for all Control Planes effectively allows you to configure global rate limiting across all clusters. If you use different values for domain, then the rate limiting effects are localized to only those clusters that use the same domain. This assumes that the Control Planes are pointing at the same Redis server.
We recommend that you specify the same domain only within clusters in the same geographic region, for example us-east.
The value for redis-uri is the server name and port of the Redis instance to use.
You are responsible for making sure that this URI is reachable from the control plane cluster(s).
Redis Authentication
If your Redis database requires a password, you can either create the secret yourself:
kubectl -n istio-system create secret generic \
  redis-credentials \
  --from-literal=REDIS_AUTH=<password>
or, if you are running TSB >= 1.4.0, specify it using the --redis-password argument of the tctl install manifest control-plane-secrets command, which generates the appropriate secrets.
TLS
If your Redis database supports in-transit encryption (TLS), you will need to enable TLS in the Ratelimit Redis client by setting the REDIS_TLS key to true in the redis-credentials secret:
kubectl -n istio-system create secret generic \
  redis-credentials \
  --from-literal=REDIS_AUTH=<password> \
  --from-literal=REDIS_TLS=true
If you are running TSB >= 1.5.0, you can specify it using the --redis-tls argument of the tctl install manifest control-plane-secrets command, which generates the appropriate secrets. You can also specify a custom CA certificate to validate the TLS connection using the --redis-tls-ca-cert argument, as well as the Redis client key and certificate (if client certificate authentication is enabled) using --redis-tls-client-key and --redis-tls-client-cert respectively, in the tctl install manifest control-plane-secrets command, which will generate the appropriate redis-credentials secret.
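The two points above, which clusters end up sharing rate limit counters (same Redis server and same domain) and whether the redis-credentials secret carries a password and turns on TLS, can be checked offline against the objects kubectl returns. The following Python is an added example and not Tetrate's code; it assumes objects shaped like the JSON from kubectl get controlplane -o json and kubectl get secret -o json, assumes the caller supplies each cluster's name, and every sample object in it is constructed for illustration.

```python
"""Added example (not Tetrate's code): offline checks for the rate limit server
settings described above. Objects are shaped like the JSON that
`kubectl get controlplane -o json` and `kubectl get secret -o json` return;
every sample object below is constructed for illustration."""
import base64
from collections import defaultdict


def parse_redis_uri(uri):
    """Validate the '<host>:<port>' form of
    spec.components.rateLimitServer.backend.redis.uri; returns (host, port)."""
    host, sep, port = uri.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"redis uri must be <host>:<port>, got {uri!r}")
    return host, int(port)


def rate_limit_scopes(controlplanes):
    """Group clusters by the (redis uri, domain) pair their ControlPlane uses.

    Clusters in one group read and write the same counters, so limits are
    global across them; clusters in different groups are limited independently.
    Clusters whose ControlPlane has no rateLimitServer component are listed
    under the key None. `controlplanes` maps cluster name -> ControlPlane
    object (the cluster name is an assumption supplied by the caller, e.g.
    taken from the kube context).
    """
    scopes = defaultdict(list)
    for cluster, cp in sorted(controlplanes.items()):
        rls = cp.get("spec", {}).get("components", {}).get("rateLimitServer")
        if not rls:
            scopes[None].append(cluster)
            continue
        uri = rls.get("backend", {}).get("redis", {}).get("uri", "")
        parse_redis_uri(uri)  # fail early on a malformed uri
        scopes[(uri, rls.get("domain", ""))].append(cluster)
    return dict(scopes)


def check_redis_credentials(secret):
    """Return findings for a redis-credentials Secret: the rate limit server
    reads REDIS_AUTH (password) and REDIS_TLS ("true" enables TLS) from it."""
    data = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    data.update(secret.get("stringData", {}))  # unencoded form, if present
    findings = []
    if not data.get("REDIS_AUTH"):
        findings.append("REDIS_AUTH missing: client will connect to Redis without a password")
    if data.get("REDIS_TLS", "").strip().lower() != "true":
        findings.append("REDIS_TLS is not 'true': the Redis connection will not use TLS")
    return findings


def _controlplane(domain, uri):
    return {"apiVersion": "install.tetrate.io/v1alpha1", "kind": "ControlPlane",
            "metadata": {"name": "controlplane", "namespace": "istio-system"},
            "spec": {"components": {"rateLimitServer": {
                "domain": domain, "backend": {"redis": {"uri": uri}}}}}}


# Constructed sample: two us-east clusters share one domain and Redis server,
# one eu-west cluster has its own, and one cluster has no rate limit server.
SAMPLE_CONTROLPLANES = {
    "us-east-1": _controlplane("us-east", "redis-us.example.internal:6379"),
    "us-east-2": _controlplane("us-east", "redis-us.example.internal:6379"),
    "eu-west-1": _controlplane("eu-west", "redis-eu.example.internal:6379"),
    "standalone": {"apiVersion": "install.tetrate.io/v1alpha1", "kind": "ControlPlane",
                   "metadata": {"name": "controlplane", "namespace": "istio-system"},
                   "spec": {"components": {}}},
}


def _secret(**entries):
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": "redis-credentials", "namespace": "istio-system"},
            "data": {k: base64.b64encode(v.encode()).decode() for k, v in entries.items()}}


WEAK_SECRET = _secret(REDIS_AUTH="constructed-password")  # password, but no TLS
HARDENED_SECRET = _secret(REDIS_AUTH="constructed-password", REDIS_TLS="true")

if __name__ == "__main__":
    for scope, clusters in rate_limit_scopes(SAMPLE_CONTROLPLANES).items():
        print(scope, "->", clusters)
    print("weak:", check_redis_credentials(WEAK_SECRET))
    print("hardened:", check_redis_credentials(HARDENED_SECRET))
```

Running it prints one line per (redis uri, domain) group, which makes it easy to spot a cluster that accidentally shares its domain and Redis server with a cluster in another region, and lists the weak secret's missing REDIS_TLS while reporting nothing for the hardened one.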
Deploying The Server
Create a manifest using the example shown so far. Make sure to include all of the necessary Control Plane fields that were omitted in the previous example.
If you are updating an existing Control Plane, you can use kubectl get controlplane -n istio-system -o yaml to obtain the current values.
Save the manifest into a file, e.g. control-plane-with-rate-limiting.yaml, and then apply it using kubectl:
kubectl apply -f control-plane-with-rate-limiting.yaml
To check if the rate limit server is properly running in the cluster, execute the following command:
$ kubectl get pods -n istio-system | grep ratelimit
ratelimit-server-864654b5b5-d77bq 1/1 Running 2 2d1h