Description
The configuration for the full Envoy API Gateway with Rate Limiter is production ready.
Done Criteria
- Rate limiter is built into container
- Configurable via values file
- Ensure in case of failure, system fails open
Status | Assigned | Task
---|---|---
Resolved | eprodromou | T235270 Wikimedia API Gateway
Open | None | T255034 Wikimedia API Gateway Long-term Use
Resolved | Clarakosi | T254914 Finalise Envoy configuration with completed Rate Limiter
Resolved | Clarakosi | T260591 Move rate limits configuration from route to virtual host
Resolved | Clarakosi | T261350 Envoy ratelimit config cleanups after 1.16
Change 619804 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[operations/deployment-charts@master] Configure ratelimiter to support authenticated/anon limits for api
Change 619804 merged by jenkins-bot:
[operations/deployment-charts@master] Configure ratelimiter to support authenticated/anon limits for api
Change 620766 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[operations/deployment-charts@master] Switch ratelimit service to V3 protocol
Change 620766 merged by jenkins-bot:
[operations/deployment-charts@master] Switch ratelimit service to V3 protocol
The above patches were deployed; however, we can't mark this as done:
Moving to blocked.
The config is almost done, but until 1.16, anon rate limits do not work since there's no support for default descriptor values. We should try to work around that.
Change 622650 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[operations/deployment-charts@master] Api-gateway: implement fallback for anon users in lua until envoy 1.16
Change 622650 merged by jenkins-bot:
[operations/deployment-charts@master] Api-gateway: implement fallback for anon users in lua until envoy 1.16
I guess I'm gonna put this into blocked, 'cause in order to verify it all works correctly, we need everything else - JWT issuing with private claims, JWT verification with the correct key, etc.