From 4816db430425224198f423c371cbdde156e005f3 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 2 Mar 2024 10:21:49 +0800 Subject: [PATCH] ratelimit support prometheus (#2729) * ratelimit support prometheus Signed-off-by: zirain * lint Signed-off-by: zirain * use 19001 Signed-off-by: zirain --------- Signed-off-by: zirain --- api/v1alpha1/envoygateway_types.go | 19 ++++ api/v1alpha1/zz_generated.deepcopy.go | 60 ++++++++++ .../kubernetes/ratelimit/resource.go | 57 +++++++++- .../kubernetes/ratelimit/resource_provider.go | 51 ++++++++- .../ratelimit/resource_provider_test.go | 74 +++++++++++++ .../kubernetes/ratelimit/statsd_conf.yaml | 92 ++++++++++++++++ .../testdata/deployments/custom.yaml | 85 +++++++++----- .../testdata/deployments/default-env.yaml | 83 +++++++++----- .../testdata/deployments/default.yaml | 77 +++++++++---- ...{affinity.yaml => disable-prometheus.yaml} | 75 +++++-------- .../testdata/deployments/extension-env.yaml | 83 +++++++++----- .../testdata/deployments/override-env.yaml | 83 +++++++++----- .../deployments/patch-deployment.yaml | 77 +++++++++---- .../deployments/redis-tls-settings.yaml | 91 +++++++++------ .../testdata/deployments/tolerations.yaml | 95 ++++++++++------ .../testdata/deployments/volumes.yaml | 95 ++++++++++------ .../deployments/with-node-selector.yaml | 77 +++++++++---- .../with-topology-spread-constraints.yaml | 85 +++++++++----- .../testdata/envoy-ratelimit-configmap.yaml | 104 ++++++++++++++++++ site/content/en/latest/api/extension_types.md | 43 ++++++++ tools/make/golang.mk | 6 +- 21 files changed, 1159 insertions(+), 353 deletions(-) create mode 100644 internal/infrastructure/kubernetes/ratelimit/statsd_conf.yaml rename internal/infrastructure/kubernetes/ratelimit/testdata/deployments/{affinity.yaml => disable-prometheus.yaml} (79%) create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/envoy-ratelimit-configmap.yaml 
diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go index 881b4d36443..145fc9b5fca 100644 --- a/api/v1alpha1/envoygateway_types.go +++ b/api/v1alpha1/envoygateway_types.go @@ -326,6 +326,25 @@ type RateLimit struct { // otherwise, don't let the traffic pass and return 500. // If not set, FailClosed is False. FailClosed bool `json:"failClosed"` + + // Telemetry defines telemetry configuration for RateLimit. + // +optional + Telemetry *RateLimitTelemetry `json:"telemetry,omitempty"` +} + +type RateLimitTelemetry struct { + // Metrics defines metrics configuration for RateLimit. + Metrics *RateLimitMetrics `json:"metrics,omitempty"` +} + +type RateLimitMetrics struct { + // Prometheus defines the configuration for prometheus endpoint. + Prometheus *RateLimitMetricsPrometheusProvider `json:"prometheus,omitempty"` +} + +type RateLimitMetricsPrometheusProvider struct { + // Disable the Prometheus endpoint. + Disable bool `json:"disable,omitempty"` } // RateLimitDatabaseBackend defines the configuration associated with diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index cd7a740bd4f..1f297bfe857 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -2912,6 +2912,11 @@ func (in *RateLimit) DeepCopyInto(out *RateLimit) { *out = new(v1.Duration) **out = **in } + if in.Telemetry != nil { + in, out := &in.Telemetry, &out.Telemetry + *out = new(RateLimitTelemetry) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimit. 
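Review bot: The three new exported types `RateLimitTelemetry`, `RateLimitMetrics` and `RateLimitMetricsPrometheusProvider` have no doc comment, and the nested `Metrics` and `Prometheus` pointer fields carry `omitempty` but no `// +optional` marker, unlike the sibling `Telemetry` field in the same hunk. Since every level is a pointer, the generated CRD and docs should say so consistently; I'd add `// RateLimitTelemetry defines telemetry configuration for the rate limit service.` and the matching one-liners on the other two types, plus `// +optional` above `Metrics` and `Prometheus`. The `Disable` field would also benefit from stating the default explicitly, e.g. `// Disable the Prometheus endpoint. Defaults to false, so the endpoint and the statsd-exporter sidecar are rendered unless this is set.`, since a zero value here turns a sidecar on.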
@@ -2944,6 +2949,41 @@ func (in *RateLimitDatabaseBackend) DeepCopy() *RateLimitDatabaseBackend { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RateLimitMetrics) DeepCopyInto(out *RateLimitMetrics) { + *out = *in + if in.Prometheus != nil { + in, out := &in.Prometheus, &out.Prometheus + *out = new(RateLimitMetricsPrometheusProvider) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitMetrics. +func (in *RateLimitMetrics) DeepCopy() *RateLimitMetrics { + if in == nil { + return nil + } + out := new(RateLimitMetrics) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RateLimitMetricsPrometheusProvider) DeepCopyInto(out *RateLimitMetricsPrometheusProvider) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitMetricsPrometheusProvider. +func (in *RateLimitMetricsPrometheusProvider) DeepCopy() *RateLimitMetricsPrometheusProvider { + if in == nil { + return nil + } + out := new(RateLimitMetricsPrometheusProvider) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RateLimitRedisSettings) DeepCopyInto(out *RateLimitRedisSettings) { *out = *in 
@@ -3039,6 +3079,26 @@ func (in *RateLimitSpec) DeepCopy() *RateLimitSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RateLimitTelemetry) DeepCopyInto(out *RateLimitTelemetry) { + *out = *in + if in.Metrics != nil { + in, out := &in.Metrics, &out.Metrics + *out = new(RateLimitMetrics) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitTelemetry. +func (in *RateLimitTelemetry) DeepCopy() *RateLimitTelemetry { + if in == nil { + return nil + } + out := new(RateLimitTelemetry) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RateLimitValue) DeepCopyInto(out *RateLimitValue) { *out = *in diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go index b0d44694e2c..b6924aab00c 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource.go @@ -91,7 +91,9 @@ const ( // ReadinessPath is readiness path for readiness probe. ReadinessPath = "/healthcheck" // ReadinessPort is readiness port for readiness probe. - ReadinessPort = 8080 + ReadinessPort = 8080 + StatsdPort = 9125 + PrometheusPort = 19001 ) // GetServiceURL returns the URL for the rate limit service. 
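Review bot: `StatsdPort` and `PrometheusPort` are added to a const block in which every other entry carries a doc comment (`// ReadinessPort is readiness port for readiness probe.`), so the two new constants stand out as undocumented. I'd add `// StatsdPort is the port the statsd-exporter sidecar receives statsd metrics on.` and `// PrometheusPort is the port the statsd-exporter sidecar serves Prometheus metrics on.`; the values match the `--web.listen-address` flag and the `statsd` container port in promStatsdExporterContainer. The const block itself starts outside this hunk.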
@@ -163,9 +165,47 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeploymen }, } + if enablePrometheus(rateLimit) { + containers = append(containers, promStatsdExporterContainer()) + } + return containers } +func promStatsdExporterContainer() corev1.Container { + return corev1.Container{ + Name: "prom-statsd-exporter", + Image: "prom/statsd-exporter:v0.18.0", + ImagePullPolicy: corev1.PullIfNotPresent, + Command: []string{ + "/bin/statsd_exporter", + fmt.Sprintf("--web.listen-address=:%d", PrometheusPort), + "--statsd.mapping-config=/etc/statsd-exporter/conf.yaml", + }, + Ports: []corev1.ContainerPort{ + { + Name: "statsd", + ContainerPort: StatsdPort, + Protocol: corev1.ProtocolTCP, + }, + { + Name: "metrics", + ContainerPort: PrometheusPort, + Protocol: corev1.ProtocolTCP, + }, + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "statsd-exporter-config", + ReadOnly: true, + MountPath: "/etc/statsd-exporter", + }, + }, + TerminationMessagePolicy: corev1.TerminationMessageReadFile, + TerminationMessagePath: "/dev/termination-log", + } +} + // expectedContainerVolumeMounts returns expected rateLimit container volume mounts. func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) []corev1.VolumeMount { var volumeMounts []corev1.VolumeMount @@ -214,6 +254,21 @@ func expectedDeploymentVolumes(rateLimit *egv1a1.RateLimit, rateLimitDeployment }, }) + if enablePrometheus(rateLimit) { + volumes = append(volumes, corev1.Volume{ + Name: "statsd-exporter-config", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "statsd-exporter-config", + }, + Optional: ptr.To(true), + DefaultMode: ptr.To[int32](420), + }, + }, + }) + } + return resource.ExpectedDeploymentVolumes(rateLimitDeployment.Pod, volumes) } 
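Review bot: The `statsd-exporter-config` volume in expectedDeploymentVolumes is rendered with `Optional: ptr.To(true)`, but the sidecar is started with `--statsd.mapping-config=/etc/statsd-exporter/conf.yaml`, so a missing ConfigMap does not degrade gracefully — the exporter fails on an absent file and the pod crashloops with a less obvious error than a pending volume would give; since ConfigMap() in resource_provider.go renders that ConfigMap under the same enablePrometheus condition, I'd drop the `Optional` line so the dependency is explicit. Separately, promStatsdExporterContainer sets no `Resources` and no `SecurityContext`, whereas the ratelimit container's resources are user-configurable through the deployment spec; an unbounded sidecar can be starved or evicted independently of the main container, so at least a small default request, and a non-root/read-only-rootfs security context matching the main container, would be worth rendering. The image is pinned by tag (`prom/statsd-exporter:v0.18.0`) rather than digest, which is fine for now but worth a comment saying the mapping file format is tied to this version. The literal `"statsd-exporter-config"` appears three times across this hunk and ConfigMap(); a package constant would keep the mount, volume and ConfigMap name from drifting.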
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go index 5e4a2a2639b..b7e8867e483 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go @@ -6,6 +6,9 @@ package ratelimit import ( + _ "embed" + "strconv" + appsv1 "k8s.io/api/apps/v1" autoscalingv2 "k8s.io/api/autoscaling/v2" corev1 "k8s.io/api/core/v1" @@ -24,8 +27,12 @@ const ( ResourceKindService = "Service" ResourceKindDeployment = "Deployment" ResourceKindServiceAccount = "ServiceAccount" + appsAPIVersion = "apps/v1" ) +//go:embed statsd_conf.yaml +var statsConf string + type ResourceRender struct { // Namespace is the Namespace used for managed infra. Namespace string @@ -51,9 +58,36 @@ func (r *ResourceRender) Name() string { return InfraName } -// ConfigMap is deprecated since ratelimit supports xds grpc config server. +func enablePrometheus(rl *egv1a1.RateLimit) bool { + if rl != nil && + rl.Telemetry != nil && + rl.Telemetry.Metrics.Prometheus != nil { + return !rl.Telemetry.Metrics.Prometheus.Disable + } + + return true +} + +// ConfigMap returns the expected rate limit ConfigMap based on the provided infra. func (r *ResourceRender) ConfigMap() (*corev1.ConfigMap, error) { - return nil, nil + if !enablePrometheus(r.rateLimit) { + return nil, nil + } + + return &corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + Kind: "ConfigMap", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: r.Namespace, + Name: "statsd-exporter-config", + Labels: rateLimitLabels(), + }, + Data: map[string]string{ + "conf.yaml": statsConf, + }, + }, nil } // Service returns the expected rate limit Service based on the provided infra. 
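Review bot: enablePrometheus dereferences `rl.Telemetry.Metrics` without a nil check, so a config with `telemetry: {}` (Telemetry set, Metrics nil — both are `omitempty` pointers in the new API types) panics the controller on the first render; the guard should read `rl.Telemetry.Metrics != nil && rl.Telemetry.Metrics.Prometheus != nil`. The function also returns true for a nil RateLimit, which means the Prometheus sidecar and ConfigMap are rendered whenever telemetry is simply unset; that is presumably the intended default, but a doc comment stating it (`// enablePrometheus reports whether the Prometheus endpoint is on; it defaults to true unless explicitly disabled.`) would make the behaviour discoverable. ConfigMap() hard-codes `"statsd-exporter-config"` and `"conf.yaml"`, both of which resource.go must match byte-for-byte (volume name and mapping-config path); a shared constant would remove that coupling.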
@@ -139,13 +173,18 @@ func (r *ResourceRender) ServiceAccount() (*corev1.ServiceAccount, error) { // Deployment returns the expected rate limit Deployment based on the provided infra. func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { - const apiVersion = "apps/v1" - containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment) labels := rateLimitLabels() selector := resource.GetSelector(labels) var annotations map[string]string + if enablePrometheus(r.rateLimit) { + annotations = map[string]string{ + "prometheus.io/path": "/metrics", + "prometheus.io/port": strconv.Itoa(PrometheusPort), + "prometheus.io/scrape": "true", + } + } if r.rateLimitDeployment.Pod.Annotations != nil { annotations = r.rateLimitDeployment.Pod.Annotations } @@ -153,7 +192,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { deployment := &appsv1.Deployment{ TypeMeta: metav1.TypeMeta{ Kind: ResourceKindDeployment, - APIVersion: apiVersion, + APIVersion: appsAPIVersion, }, ObjectMeta: metav1.ObjectMeta{ Namespace: r.Namespace, @@ -197,7 +236,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { deployment.OwnerReferences = []metav1.OwnerReference{ { Kind: ResourceKindDeployment, - APIVersion: apiVersion, + APIVersion: appsAPIVersion, Name: "envoy-gateway", UID: uid, }, diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go index 2b8d774d14c..6fc476e85d2 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go @@ -6,6 +6,7 @@ package ratelimit import ( + "flag" "fmt" "os" "testing" 
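Review bot: In Deployment(), the generated `prometheus.io/*` annotations are built first and then replaced wholesale when `r.rateLimitDeployment.Pod.Annotations != nil`, so any user who sets a single pod annotation silently loses the scrape path and port; the rendered testdata (custom.yaml and friends, which only carry the user's `prometheus.io/scrape: "true"` and no `prometheus.io/port`) shows that outcome. The two maps should be merged, with the user's values taking precedence so an explicit override still works. The rest of Deployment() continues outside the hunk.

```go
	var annotations map[string]string
	if enablePrometheus(r.rateLimit) {
		annotations = map[string]string{
			"prometheus.io/path":   "/metrics",
			"prometheus.io/port":   strconv.Itoa(PrometheusPort),
			"prometheus.io/scrape": "true",
		}
	}
	if r.rateLimitDeployment.Pod.Annotations != nil {
		if annotations == nil {
			annotations = make(map[string]string, len(r.rateLimitDeployment.Pod.Annotations))
		}
		// User-supplied annotations win over the generated scrape hints.
		for k, v := range r.rateLimitDeployment.Pod.Annotations {
			annotations[k] = v
		}
	}
	// … unchanged: deployment construction …
```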
@@ -26,6 +27,10 @@ import ( "github.com/envoyproxy/gateway/internal/envoygateway/config" ) +var ( + overrideTestData = flag.Bool("override-testdata", false, "if override the test output data.") +) + const ( // RedisAuthEnvVar is the redis auth. RedisAuthEnvVar = "REDIS_AUTH" @@ -152,6 +157,47 @@ func loadService() (*corev1.Service, error) { return svc, nil } +func TestConfigmap(t *testing.T) { + cfg, err := config.New() + require.NoError(t, err) + + cfg.EnvoyGateway.RateLimit = &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + }, + }, + } + r := NewResourceRender(cfg.Namespace, cfg.EnvoyGateway, ownerReferenceUID) + cm, err := r.ConfigMap() + require.NoError(t, err) + + if *overrideTestData { + cmYAML, err := yaml.Marshal(cm) + require.NoError(t, err) + // nolint:gosec + err = os.WriteFile("testdata/envoy-ratelimit-configmap.yaml", cmYAML, 0644) + require.NoError(t, err) + return + } + + expected, err := loadConfigmap() + require.NoError(t, err) + + assert.Equal(t, expected, cm) +} + +func loadConfigmap() (*corev1.ConfigMap, error) { + configmapYAML, err := os.ReadFile("testdata/envoy-ratelimit-configmap.yaml") + if err != nil { + return nil, err + } + cm := &corev1.ConfigMap{} + _ = yaml.Unmarshal(configmapYAML, cm) + return cm, nil +} + func TestDeployment(t *testing.T) { cfg, err := config.New() require.NoError(t, err) 
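Review bot: loadConfigmap discards the `yaml.Unmarshal` error with `_ =`, so a malformed or truncated testdata file yields an empty ConfigMap and TestConfigmap then fails on the comparison rather than at the real cause; the call should be `if err := yaml.Unmarshal(configmapYAML, cm); err != nil { return nil, err }`. The `// nolint:gosec` on the `0644` write is reasonable for test fixtures, but a short reason next to it (`// test fixture, world-readable is intended`) would keep the suppression from being cargo-culted elsewhere. The single-entry `var ( ... )` block for `overrideTestData` can be a plain `var overrideTestData = flag.Bool(...)`.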
@@ -173,6 +219,25 @@ func TestDeployment(t *testing.T) { rateLimit: rateLimit, deploy: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDeployment, }, + { + caseName: "disable-prometheus", + rateLimit: &egv1a1.RateLimit{ + Backend: egv1a1.RateLimitDatabaseBackend{ + Type: egv1a1.RedisBackendType, + Redis: &egv1a1.RateLimitRedisSettings{ + URL: "redis.redis.svc:6379", + }, + }, + Telemetry: &egv1a1.RateLimitTelemetry{ + Metrics: &egv1a1.RateLimitMetrics{ + Prometheus: &egv1a1.RateLimitMetricsPrometheusProvider{ + Disable: true, + }, + }, + }, + }, + deploy: cfg.EnvoyGateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().RateLimitDeployment, + }, { caseName: "patch-deployment", rateLimit: rateLimit, @@ -566,6 +631,15 @@ func TestDeployment(t *testing.T) { dp, err := r.Deployment() require.NoError(t, err) + if *overrideTestData { + deploymentYAML, err := yaml.Marshal(dp) + require.NoError(t, err) + // nolint:gosec + err = os.WriteFile(fmt.Sprintf("testdata/deployments/%s.yaml", tc.caseName), deploymentYAML, 0644) + require.NoError(t, err) + return + } + expected, err := loadDeployment(tc.caseName) require.NoError(t, err) diff --git a/internal/infrastructure/kubernetes/ratelimit/statsd_conf.yaml b/internal/infrastructure/kubernetes/ratelimit/statsd_conf.yaml new file mode 100644 index 00000000000..4ded9cb6025 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/statsd_conf.yaml 
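Review bot: The `*overrideTestData` branch in TestDeployment ends with a bare `return`; if this sits in the table-driven loop body directly rather than inside a `t.Run` closure (the loop header is outside the hunk, so I cannot tell), the first case writes its file and the function returns, leaving every other deployment fixture stale. If that is the case, `continue` is the intended control flow, or the override should be moved into a `t.Run` subtest. The new `disable-prometheus` case is a good addition; a case with `Telemetry` set and `Metrics` nil would also be worth adding since the API allows that shape.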
@@ -0,0 +1,92 @@ +mappings: + - match: "ratelimit.service.rate_limit.*.*.near_limit" + name: "ratelimit_service_rate_limit_near_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + - match: "ratelimit.service.rate_limit.*.*.over_limit" + name: "ratelimit_service_rate_limit_over_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + - match: "ratelimit.service.rate_limit.*.*.total_hits" + name: "ratelimit_service_rate_limit_total_hits" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + - match: "ratelimit.service.rate_limit.*.*.within_limit" + name: "ratelimit_service_rate_limit_within_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + + - match: "ratelimit.service.rate_limit.*.*.*.near_limit" + name: "ratelimit_service_rate_limit_near_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + key2: "$3" + - match: "ratelimit.service.rate_limit.*.*.*.over_limit" + name: "ratelimit_service_rate_limit_over_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + key2: "$3" + - match: "ratelimit.service.rate_limit.*.*.*.total_hits" + name: "ratelimit_service_rate_limit_total_hits" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + key2: "$3" + - match: "ratelimit.service.rate_limit.*.*.*.within_limit" + name: "ratelimit_service_rate_limit_within_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + key2: "$3" + + - match: "ratelimit.service.call.should_rate_limit.*" + name: "ratelimit_service_should_rate_limit_error" + match_metric_type: counter + labels: + err_type: "$1" + + - match: "ratelimit_server.*.total_requests" + name: "ratelimit_service_total_requests" + match_metric_type: counter + labels: + grpc_method: "$1" + + - match: "ratelimit_server.*.response_time" + name: "ratelimit_service_response_time_seconds" + timer_type: histogram + labels: + grpc_method: "$1" + + - match: "ratelimit.service.config_load_success" + name: 
"ratelimit_service_config_load_success" + match_metric_type: counter + - match: "ratelimit.service.config_load_error" + name: "ratelimit_service_config_load_error" + match_metric_type: counter + + - match: "ratelimit.service.rate_limit.*.*.*.shadow_mode" + name: "ratelimit_service_rate_limit_shadow_mode" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + key2: "$3" + + - match: "." + match_type: "regex" + action: "drop" + name: "dropped" diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml index c922b53f519..216627b3d9b 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml @@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: 
@@ -13,25 +14,27 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: + progressDeadlineSeconds: 600 replicas: 2 - strategy: - type: RollingUpdate + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + annotations: + prometheus.io/scrape: "true" + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway - annotations: - prometheus.io/scrape: "true" + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false - hostNetwork: true containers: - command: - /bin/ratelimit @@ -61,19 +64,19 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" image: custom-image @@ -83,8 +86,15 @@ spec: - containerPort: 8081 name: grpc protocol: TCP - securityContext: - privileged: true + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 resources: limits: cpu: 400m 
@@ -92,32 +102,51 @@ spec: requests: cpu: 200m memory: 1Gi + securityContext: + privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /certs name: certs readOnly: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 + - command: + - /bin/statsd_exporter + - --web.listen-address=:19001 + - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml + image: prom/statsd-exporter:v0.18.0 + imagePullPolicy: IfNotPresent + name: prom-statsd-exporter + ports: + - containerPort: 9125 + name: statsd + protocol: TCP + - containerPort: 19001 + name: metrics + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true dnsPolicy: ClusterFirst + hostNetwork: true restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit securityContext: runAsUser: 1000 + serviceAccountName: envoy-ratelimit terminationGracePeriodSeconds: 300 volumes: - name: certs secret: + defaultMode: 420 secretName: envoy-rate-limit + - configMap: defaultMode: 420 - revisionHistoryLimit: 10 - progressDeadlineSeconds: 600 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml index b34ab0fe254..5f0c2f8683f 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml 
@@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: @@ -13,22 +14,25 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: + progressDeadlineSeconds: 600 replicas: 2 - strategy: - type: RollingUpdate + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + annotations: + prometheus.io/scrape: "true" + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway - annotations: - prometheus.io/scrape: "true" + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false containers: @@ -60,19 +64,19 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" image: custom-image 
@@ -82,8 +86,15 @@ spec: - containerPort: 8081 name: grpc protocol: TCP - securityContext: - privileged: true + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 resources: limits: cpu: 400m @@ -91,32 +102,50 @@ spec: requests: cpu: 200m memory: 1Gi + securityContext: + privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /certs name: certs readOnly: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 + - command: + - /bin/statsd_exporter + - --web.listen-address=:19001 + - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml + image: prom/statsd-exporter:v0.18.0 + imagePullPolicy: IfNotPresent + name: prom-statsd-exporter + ports: + - containerPort: 9125 + name: statsd + protocol: TCP + - containerPort: 19001 + name: metrics + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit securityContext: runAsUser: 1000 + serviceAccountName: envoy-ratelimit terminationGracePeriodSeconds: 300 volumes: - name: certs secret: + defaultMode: 420 secretName: envoy-rate-limit + - configMap: defaultMode: 420 - revisionHistoryLimit: 10 - progressDeadlineSeconds: 600 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml index a9451dae13c..759a9c60199 100644 
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml @@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: @@ -13,20 +14,27 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: + progressDeadlineSeconds: 600 replicas: 1 - strategy: - type: RollingUpdate + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false containers: 
@@ -58,19 +66,19 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" image: envoyproxy/ratelimit:master @@ -80,6 +88,15 @@ spec: - containerPort: 8081 name: grpc protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 resources: requests: cpu: 100m @@ -90,15 +107,27 @@ spec: - mountPath: /certs name: certs readOnly: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 + - command: + - /bin/statsd_exporter + - --web.listen-address=:19001 + - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml + image: prom/statsd-exporter:v0.18.0 + imagePullPolicy: IfNotPresent + name: prom-statsd-exporter + ports: + - containerPort: 9125 + name: statsd + protocol: TCP + - containerPort: 19001 + name: metrics + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler 
@@ -107,7 +136,11 @@ spec: volumes: - name: certs secret: + defaultMode: 420 secretName: envoy-rate-limit + - configMap: defaultMode: 420 - revisionHistoryLimit: 10 - progressDeadlineSeconds: 600 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/affinity.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml similarity index 79% rename from internal/infrastructure/kubernetes/ratelimit/testdata/deployments/affinity.yaml rename to internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml index fa2e11f2a2e..25da4c56e25 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/affinity.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml @@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: 
@@ -13,22 +14,23 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: - replicas: 2 - strategy: - type: RollingUpdate + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway - annotations: - prometheus.io/scrape: "true" + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false containers: @@ -50,7 +52,7 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "true" + value: "false" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL 
@@ -60,43 +62,28 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" - image: custom-image + image: envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: - containerPort: 8081 name: grpc protocol: TCP - securityContext: - privileged: true - resources: - limits: - cpu: 400m - memory: 2Gi - requests: - cpu: 200m - memory: 1Gi - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /certs - name: certs - readOnly: true readinessProbe: failureThreshold: 3 httpGet: 
@@ -106,26 +93,24 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-ratelimit - securityContext: - runAsUser: 1000 - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: cloud.google.com/gke-nodepool - operator: In - values: - - router-node terminationGracePeriodSeconds: 300 volumes: - name: certs secret: - secretName: envoy-rate-limit defaultMode: 420 - revisionHistoryLimit: 10 - progressDeadlineSeconds: 600 + secretName: envoy-rate-limit +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml index 59c0f8089ca..81295ee4439 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml @@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: 
@@ -13,22 +14,25 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: + progressDeadlineSeconds: 600 replicas: 2 - strategy: - type: RollingUpdate + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + annotations: + prometheus.io/scrape: "true" + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway - annotations: - prometheus.io/scrape: "true" + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false containers: @@ -60,19 +64,19 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" - name: env_a @@ -86,8 +90,15 @@ spec: - containerPort: 8081 name: grpc protocol: TCP - securityContext: - privileged: true + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 resources: limits: cpu: 400m 
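Review bot: The rendered pod template here carries only `prometheus.io/scrape: "true"`, while fixtures such as patch-deployment.yaml and with-node-selector.yaml also get `prometheus.io/port: "19001"` and `prometheus.io/path: /metrics`; if this fixture's annotations come from user-supplied pod annotations, it looks like the provider replaces the generated defaults instead of merging them. Without a port annotation, annotation-driven Prometheus discovery typically builds a target per declared container port, so it would also probe the gRPC port 8081 and the statsd port 9125 rather than only the exporter's 19001. Consider merging user annotations over the defaults in the provider (user keys win, defaults fill the rest), and add a fixture that proves `prometheus.io/port` survives a custom annotation set. The provider code is outside this hunk, so this is inferred from the fixtures only.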
@@ -95,32 +106,50 @@ spec: requests: cpu: 200m memory: 1Gi + securityContext: + privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /certs name: certs readOnly: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 + - command: + - /bin/statsd_exporter + - --web.listen-address=:19001 + - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml + image: prom/statsd-exporter:v0.18.0 + imagePullPolicy: IfNotPresent + name: prom-statsd-exporter + ports: + - containerPort: 9125 + name: statsd + protocol: TCP + - containerPort: 19001 + name: metrics + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit securityContext: runAsUser: 1000 + serviceAccountName: envoy-ratelimit terminationGracePeriodSeconds: 300 volumes: - name: certs secret: + defaultMode: 420 secretName: envoy-rate-limit + - configMap: defaultMode: 420 - revisionHistoryLimit: 10 - progressDeadlineSeconds: 600 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml index a87dd79bd9c..24ac22c8a6a 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml 
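Review bot: The new `prom-statsd-exporter` sidecar ships with `resources: {}` and no container `securityContext`, so it has no CPU/memory bound and inherits only the pod-level `runAsUser: 1000` where that is set (the default fixtures set no pod securityContext at all). A metrics sidecar needs neither writable root filesystem nor privilege escalation, and an unbounded exporter in the ratelimit pod can starve the ratelimit container it is meant to observe. I would add at least `securityContext: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, runAsNonRoot: true, capabilities: {drop: [ALL]}}` and a small request/limit pair, and consider pinning `prom/statsd-exporter:v0.18.0` by digest since it is a third-party image pulled into every rate-limit deployment. Separately, the `statsd-exporter-config` volume is `optional: true`, yet the container is started with `--statsd.mapping-config=/etc/statsd-exporter/conf.yaml`; if the exporter refuses to start when that file is missing (as I believe it does), the optional flag only turns a clear volume-mount error into a CrashLoopBackOff, so either drop `optional: true` or drop the mapping-config flag when the ConfigMap is absent.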
@@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: @@ -13,22 +14,25 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: + progressDeadlineSeconds: 600 replicas: 2 - strategy: - type: RollingUpdate + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + annotations: + prometheus.io/scrape: "true" + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway - annotations: - prometheus.io/scrape: "true" + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false containers: @@ -60,19 +64,19 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" image: custom-image 
@@ -82,8 +86,15 @@ spec: - containerPort: 8081 name: grpc protocol: TCP - securityContext: - privileged: true + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 resources: limits: cpu: 400m @@ -91,32 +102,50 @@ spec: requests: cpu: 200m memory: 1Gi + securityContext: + privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /certs name: certs readOnly: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 + - command: + - /bin/statsd_exporter + - --web.listen-address=:19001 + - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml + image: prom/statsd-exporter:v0.18.0 + imagePullPolicy: IfNotPresent + name: prom-statsd-exporter + ports: + - containerPort: 9125 + name: statsd + protocol: TCP + - containerPort: 19001 + name: metrics + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit securityContext: runAsUser: 1000 + serviceAccountName: envoy-ratelimit terminationGracePeriodSeconds: 300 volumes: - name: certs secret: + defaultMode: 420 secretName: envoy-rate-limit + - configMap: defaultMode: 420 - revisionHistoryLimit: 10 - progressDeadlineSeconds: 600 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml index c9e915ef9b0..3f075c640a7 100644 
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml @@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: @@ -13,20 +14,27 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: + progressDeadlineSeconds: 600 replicas: 1 - strategy: - type: RollingUpdate + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false containers: 
@@ -58,19 +66,19 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" image: envoyproxy/ratelimit:master @@ -80,6 +88,15 @@ spec: - containerPort: 8081 name: grpc protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 resources: requests: cpu: 100m @@ -90,15 +107,27 @@ spec: - mountPath: /certs name: certs readOnly: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 + - command: + - /bin/statsd_exporter + - --web.listen-address=:19001 + - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml + image: prom/statsd-exporter:v0.18.0 + imagePullPolicy: IfNotPresent + name: prom-statsd-exporter + ports: + - containerPort: 9125 + name: statsd + protocol: TCP + - containerPort: 19001 + name: metrics + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true dnsPolicy: ClusterFirstWithHostNet hostNetwork: true restartPolicy: Always 
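Review bot: This fixture combines `hostNetwork: true` with the new sidecar, whose `--web.listen-address=:19001` and default statsd listener on 9125 bind every interface, so on a host-networked pod both ports become reachable on the node itself, and statsd has no authentication, letting anyone who can reach the node inject fabricated rate-limit metrics or scrape them. Since the ratelimit container and the exporter share a pod, the statsd listener only needs loopback; I would pass `--statsd.listen-udp=127.0.0.1:9125` and `--statsd.listen-tcp=127.0.0.1:9125` (or bind the metrics endpoint to the pod IP via `$(POD_IP):19001`) rather than the wildcard defaults, and document that hostNetwork deployments expose 19001 node-wide. I cannot see from this hunk how `STATSD_HOST` is configured on the ratelimit container, so confirm it points at localhost before restricting the listener.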
@@ -108,7 +137,11 @@ spec: volumes: - name: certs secret: + defaultMode: 420 secretName: envoy-rate-limit + - configMap: defaultMode: 420 - revisionHistoryLimit: 10 - progressDeadlineSeconds: 600 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml index 136101fd9bd..f14702fcf43 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml @@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: @@ -13,22 +14,25 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: + progressDeadlineSeconds: 600 replicas: 2 - strategy: - type: RollingUpdate + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + annotations: + prometheus.io/scrape: "true" + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway - annotations: - prometheus.io/scrape: "true" + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false containers: 
@@ -60,29 +64,29 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" - name: REDIS_TLS value: "true" - name: REDIS_TLS_CLIENT_CERT - value: "/redis-certs/tls.crt" + value: /redis-certs/tls.crt - name: REDIS_TLS_CLIENT_KEY - value: "/redis-certs/tls.key" + value: /redis-certs/tls.key - name: REDIS_AUTH - value: "redis_auth_password" + value: redis_auth_password image: custom-image imagePullPolicy: IfNotPresent name: envoy-ratelimit @@ -90,8 +94,15 @@ spec: - containerPort: 8081 name: grpc protocol: TCP - securityContext: - privileged: true + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 resources: limits: cpu: 400m @@ -99,6 +110,8 @@ spec: requests: cpu: 200m memory: 1Gi + securityContext: + privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: 
@@ -108,30 +121,46 @@ spec: - mountPath: /redis-certs name: redis-certs readOnly: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 + - command: + - /bin/statsd_exporter + - --web.listen-address=:19001 + - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml + image: prom/statsd-exporter:v0.18.0 + imagePullPolicy: IfNotPresent + name: prom-statsd-exporter + ports: + - containerPort: 9125 + name: statsd + protocol: TCP + - containerPort: 19001 + name: metrics + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit securityContext: runAsUser: 1000 + serviceAccountName: envoy-ratelimit terminationGracePeriodSeconds: 300 volumes: - name: redis-certs secret: - secretName: ratelimit-cert defaultMode: 420 + secretName: ratelimit-cert - name: certs secret: + defaultMode: 420 secretName: envoy-rate-limit + - configMap: defaultMode: 420 - revisionHistoryLimit: 10 - progressDeadlineSeconds: 600 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml index eac44ebd0e4..48e776db25a 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml 
@@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: @@ -13,22 +14,25 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: + progressDeadlineSeconds: 600 replicas: 2 - strategy: - type: RollingUpdate + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + annotations: + prometheus.io/scrape: "true" + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway - annotations: - prometheus.io/scrape: "true" + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false containers: 
@@ -60,29 +64,29 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" - name: REDIS_TLS value: "true" - name: REDIS_TLS_CLIENT_CERT - value: "/redis-certs/tls.crt" + value: /redis-certs/tls.crt - name: REDIS_TLS_CLIENT_KEY - value: "/redis-certs/tls.key" + value: /redis-certs/tls.key - name: REDIS_AUTH - value: "redis_auth_password" + value: redis_auth_password image: custom-image imagePullPolicy: IfNotPresent name: envoy-ratelimit @@ -90,8 +94,15 @@ spec: - containerPort: 8081 name: grpc protocol: TCP - securityContext: - privileged: true + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 resources: limits: cpu: 400m @@ -99,6 +110,8 @@ spec: requests: cpu: 200m memory: 1Gi + securityContext: + privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: 
@@ -108,35 +121,51 @@ spec: - mountPath: /redis-certs name: redis-certs readOnly: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 + - command: + - /bin/statsd_exporter + - --web.listen-address=:19001 + - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml + image: prom/statsd-exporter:v0.18.0 + imagePullPolicy: IfNotPresent + name: prom-statsd-exporter + ports: + - containerPort: 9125 + name: statsd + protocol: TCP + - containerPort: 19001 + name: metrics + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit securityContext: runAsUser: 1000 + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 tolerations: - effect: NoSchedule key: node-type operator: Exists - value: "router" - terminationGracePeriodSeconds: 300 + value: router volumes: - name: redis-certs secret: - secretName: ratelimit-cert defaultMode: 420 + secretName: ratelimit-cert - name: certs secret: + defaultMode: 420 secretName: envoy-rate-limit + - configMap: defaultMode: 420 - revisionHistoryLimit: 10 - progressDeadlineSeconds: 600 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml index 1ba74b57c86..78534d7af12 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml 
@@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: @@ -13,22 +14,25 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: + progressDeadlineSeconds: 600 replicas: 2 - strategy: - type: RollingUpdate + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + annotations: + prometheus.io/scrape: "true" + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway - annotations: - prometheus.io/scrape: "true" + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false containers: 
@@ -60,29 +64,29 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" - name: REDIS_TLS value: "true" - name: REDIS_TLS_CLIENT_CERT - value: "/redis-certs/tls.crt" + value: /redis-certs/tls.crt - name: REDIS_TLS_CLIENT_KEY - value: "/redis-certs/tls.key" + value: /redis-certs/tls.key - name: REDIS_AUTH - value: "redis_auth_password" + value: redis_auth_password image: custom-image imagePullPolicy: IfNotPresent name: envoy-ratelimit @@ -90,8 +94,15 @@ spec: - containerPort: 8081 name: grpc protocol: TCP - securityContext: - privileged: true + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 resources: limits: cpu: 400m @@ -99,6 +110,8 @@ spec: requests: cpu: 200m memory: 1Gi + securityContext: + privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: 
@@ -108,35 +121,51 @@ spec: - mountPath: /redis-certs name: redis-certs readOnly: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 + - command: + - /bin/statsd_exporter + - --web.listen-address=:19001 + - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml + image: prom/statsd-exporter:v0.18.0 + imagePullPolicy: IfNotPresent + name: prom-statsd-exporter + ports: + - containerPort: 9125 + name: statsd + protocol: TCP + - containerPort: 19001 + name: metrics + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - serviceAccountName: envoy-ratelimit securityContext: runAsUser: 1000 + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 tolerations: - effect: NoSchedule key: node-type operator: Exists - value: "router" - terminationGracePeriodSeconds: 300 + value: router volumes: - name: redis-certs secret: - secretName: ratelimit-cert-origin defaultMode: 420 + secretName: ratelimit-cert-origin - name: certs secret: + defaultMode: 420 secretName: custom-cert + - configMap: defaultMode: 420 - revisionHistoryLimit: 10 - progressDeadlineSeconds: 600 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml index 55864cd9995..a83f8432aaa 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml 
@@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: @@ -13,20 +14,27 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: + progressDeadlineSeconds: 600 replicas: 1 - strategy: - type: RollingUpdate + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false containers: @@ -58,19 +66,19 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" image: envoyproxy/ratelimit:master 
@@ -80,6 +88,15 @@ spec: - containerPort: 8081 name: grpc protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 resources: requests: cpu: 100m @@ -90,15 +107,27 @@ spec: - mountPath: /certs name: certs readOnly: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8080 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 + - command: + - /bin/statsd_exporter + - --web.listen-address=:19001 + - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml + image: prom/statsd-exporter:v0.18.0 + imagePullPolicy: IfNotPresent + name: prom-statsd-exporter + ports: + - containerPort: 9125 + name: statsd + protocol: TCP + - containerPort: 19001 + name: metrics + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true dnsPolicy: ClusterFirst nodeSelector: key1: value1 @@ -110,7 +139,11 @@ spec: volumes: - name: certs secret: + defaultMode: 420 secretName: envoy-rate-limit + - configMap: defaultMode: 420 - revisionHistoryLimit: 10 - progressDeadlineSeconds: 600 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml index d647ef00065..bddb780d39b 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml 
@@ -1,10 +1,11 @@ apiVersion: apps/v1 kind: Deployment metadata: + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit name: envoy-ratelimit namespace: envoy-gateway-system ownerReferences: @@ -13,20 +14,27 @@ metadata: name: envoy-gateway uid: test-owner-reference-uid-for-deployment spec: + progressDeadlineSeconds: 600 replicas: 1 - strategy: - type: RollingUpdate + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate template: metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null labels: - app.kubernetes.io/name: envoy-ratelimit app.kubernetes.io/component: ratelimit app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit spec: automountServiceAccountToken: false containers: @@ -58,19 +66,19 @@ spec: - name: GRPC_SERVER_USE_TLS value: "true" - name: GRPC_SERVER_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: GRPC_SERVER_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: GRPC_SERVER_TLS_CA_CERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: CONFIG_GRPC_XDS_SERVER_USE_TLS value: "true" - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT - value: "/certs/tls.crt" + value: /certs/tls.crt - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY - value: "/certs/tls.key" + value: /certs/tls.key - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT - value: "/certs/ca.crt" + value: /certs/ca.crt - name: FORCE_START_WITHOUT_INITIAL_CONFIG value: "true" image: envoyproxy/ratelimit:master 
@@ -80,6 +88,15 @@ spec:
 - containerPort: 8081
 name: grpc
 protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
 resources:
 requests:
 cpu: 100m
@@ -90,33 +107,49 @@ spec:
 - mountPath: /certs
 name: certs
 readOnly: true
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthcheck
- port: 8080
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
+ - command:
+ - /bin/statsd_exporter
+ - --web.listen-address=:19001
+ - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml
+ image: prom/statsd-exporter:v0.18.0
+ imagePullPolicy: IfNotPresent
+ name: prom-statsd-exporter
+ ports:
+ - containerPort: 9125
+ name: statsd
+ protocol: TCP
+ - containerPort: 19001
+ name: metrics
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/statsd-exporter
+ name: statsd-exporter-config
+ readOnly: true
 dnsPolicy: ClusterFirst
 restartPolicy: Always
 schedulerName: default-scheduler
 serviceAccountName: envoy-ratelimit
 terminationGracePeriodSeconds: 300
 topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- labelSelector:
+ - labelSelector:
 matchLabels:
 app: foo
 matchLabelKeys:
 - pod-template-hash
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
 volumes:
 - name: certs
 secret:
+ defaultMode: 420
 secretName: envoy-rate-limit
+ - configMap:
 defaultMode: 420
- revisionHistoryLimit: 10
- progressDeadlineSeconds: 600
+ name: statsd-exporter-config
+ optional: true
+ name: statsd-exporter-config
+status: {}
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/envoy-ratelimit-configmap.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/envoy-ratelimit-configmap.yaml
new file mode 100644
index 00000000000..eee9062f051
--- /dev/null
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/envoy-ratelimit-configmap.yaml
@@ -0,0 +1,104 @@
+apiVersion: v1
+data:
+ conf.yaml: |
+ mappings:
+ - match: "ratelimit.service.rate_limit.*.*.near_limit"
+ name: "ratelimit_service_rate_limit_near_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ - match: "ratelimit.service.rate_limit.*.*.over_limit"
+ name: "ratelimit_service_rate_limit_over_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ - match: "ratelimit.service.rate_limit.*.*.total_hits"
+ name: "ratelimit_service_rate_limit_total_hits"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ - match: "ratelimit.service.rate_limit.*.*.within_limit"
+ name: "ratelimit_service_rate_limit_within_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+
+ - match: "ratelimit.service.rate_limit.*.*.*.near_limit"
+ name: "ratelimit_service_rate_limit_near_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+ - match: "ratelimit.service.rate_limit.*.*.*.over_limit"
+ name: "ratelimit_service_rate_limit_over_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+ - match: "ratelimit.service.rate_limit.*.*.*.total_hits"
+ name: "ratelimit_service_rate_limit_total_hits"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+ - match: "ratelimit.service.rate_limit.*.*.*.within_limit"
+ name: "ratelimit_service_rate_limit_within_limit"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+
+ - match: "ratelimit.service.call.should_rate_limit.*"
+ name: "ratelimit_service_should_rate_limit_error"
+ match_metric_type: counter
+ labels:
+ err_type: "$1"
+
+ - match: "ratelimit_server.*.total_requests"
+ name: "ratelimit_service_total_requests"
+ match_metric_type: counter
+ labels:
+ grpc_method: "$1"
+
+ - match: "ratelimit_server.*.response_time"
+ name: "ratelimit_service_response_time_seconds"
+ timer_type: histogram
+ labels:
+ grpc_method: "$1"
+
+ - match: "ratelimit.service.config_load_success"
+ name: "ratelimit_service_config_load_success"
+ match_metric_type: counter
+ - match: "ratelimit.service.config_load_error"
+ name: "ratelimit_service_config_load_error"
+ match_metric_type: counter
+
+ - match: "ratelimit.service.rate_limit.*.*.*.shadow_mode"
+ name: "ratelimit_service_rate_limit_shadow_mode"
+ timer_type: "histogram"
+ labels:
+ domain: "$1"
+ key1: "$2"
+ key2: "$3"
+
+ - match: "."
+ match_type: "regex"
+ action: "drop"
+ name: "dropped"
+kind: ConfigMap
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: ratelimit
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy-ratelimit
+ name: statsd-exporter-config
+ namespace: envoy-gateway-system
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index f5efa77d936..a445b13ef54 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -2006,6 +2006,7 @@ _Appears in:_
 | `backend` | _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | true | Backend holds the configuration associated with the database backend used by the rate limit service to store state associated with global ratelimiting. |
 | `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | Timeout specifies the timeout period for the proxy to access the ratelimit server If not set, timeout is 20ms. |
 | `failClosed` | _boolean_ | true | FailClosed is a switch used to control the flow of traffic when the response from the ratelimit server cannot be obtained. If FailClosed is false, let the traffic pass, otherwise, don't let the traffic pass and return 500. If not set, FailClosed is False. |
+| `telemetry` | _[RateLimitTelemetry](#ratelimittelemetry)_ | false | Telemetry defines telemetry configuration for RateLimit. |
 #### RateLimitDatabaseBackend
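Review bot: The `shadow_mode` mapping near the end of the ConfigMap only covers the three-segment key (`ratelimit.service.rate_limit.*.*.*.shadow_mode`), whereas `near_limit`, `over_limit`, `total_hits` and `within_limit` each get both a `*.*` and a `*.*.*` variant; because the final `match: "."` regex rule drops everything unmatched, shadow-mode counts for single-key descriptors would silently disappear from the exported metrics. Add the two-segment variant alongside the existing one, and if this fixture is rendered from an embedded mapping file outside this chunk, make the change there as well.
```yaml
# … unchanged: preceding mappings …
- match: "ratelimit.service.rate_limit.*.*.shadow_mode"
  name: "ratelimit_service_rate_limit_shadow_mode"
  timer_type: "histogram"
  labels:
    domain: "$1"
    key1: "$2"
# … unchanged: existing three-segment shadow_mode mapping and the catch-all drop rule …
```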
@@ -2034,6 +2035,34 @@ _Appears in:_
+#### RateLimitMetrics
+
+
+
+
+
+_Appears in:_
+- [RateLimitTelemetry](#ratelimittelemetry)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `prometheus` | _[RateLimitMetricsPrometheusProvider](#ratelimitmetricsprometheusprovider)_ | true | Prometheus defines the configuration for prometheus endpoint. |
+
+
+#### RateLimitMetricsPrometheusProvider
+
+
+
+
+
+_Appears in:_
+- [RateLimitMetrics](#ratelimitmetrics)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `disable` | _boolean_ | true | Disable the Prometheus endpoint. |
+
+
 #### RateLimitRedisSettings
@@ -2096,6 +2125,20 @@ _Appears in:_
 | `local` | _[LocalRateLimit](#localratelimit)_ | false | Local defines local rate limit configuration. |
+#### RateLimitTelemetry
+
+
+
+
+
+_Appears in:_
+- [RateLimit](#ratelimit)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `metrics` | _[RateLimitMetrics](#ratelimitmetrics)_ | true | Metrics defines metrics configuration for RateLimit. |
+
+
 #### RateLimitType
 _Underlying type:_ _string_
diff --git a/tools/make/golang.mk b/tools/make/golang.mk
index aa52b08482d..96b13012957 100644
--- a/tools/make/golang.mk
+++ b/tools/make/golang.mk
@@ -50,9 +50,9 @@ go.testdata.complete: ## Override test ouputdata
 @$(LOG_TARGET)
 go test -timeout 30s github.com/envoyproxy/gateway/internal/xds/translator --override-testdata=true
 go test -timeout 30s github.com/envoyproxy/gateway/internal/cmd/egctl --override-testdata=true
- go test -timeout 30s github.com/envoyproxy/gateway/internal/gatewayapi --override-testdata=true
- # 30s is not enough for the test to complete
- go test -timeout 60s github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/proxy --override-testdata=true
+ go test -timeout 30s github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit --override-testdata=true
+ go test -timeout 30s github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/proxy --override-testdata=true
+ go test -timeout 60s github.com/envoyproxy/gateway/internal/gatewayapi --override-testdata=true
 .PHONY: go.test.coverage
 go.test.coverage: $(tools/setup-envtest) ## Run go unit and integration tests in GitHub Actions
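Review bot: The comment `# 30s is not enough for the test to complete` is dropped together with the old proxy line, so the 60s timeout now given to the gatewayapi package is left unexplained; keep the comment directly above that line, `# 30s is not enough for the test to complete`. The proxy package also moves from 60s to 30s in the same edit, and if that was deliberate it deserves a word in the commit description, since a timeout that is too tight surfaces as a spurious failure of `go.testdata.complete` rather than a test failure.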