
Finalise Envoy configuration with completed Rate Limiter
Open, Medium, Public

Description

The configuration for the full Envoy API Gateway with Rate Limiter is production ready.

Done Criteria

  • Rate limiter is built into container
  • Configurable via values file
  • Ensure in case of failure, system fails open

Event Timeline

WDoranWMF created this task. Jun 9 2020, 4:35 PM
WDoranWMF triaged this task as Medium priority. Jun 9 2020, 4:45 PM
hnowlan claimed this task. Jul 8 2020, 4:16 PM

Change 619804 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[operations/deployment-charts@master] Configure ratelimiter to support authenticated/anon limits for api

https://gerrit.wikimedia.org/r/619804

Change 619804 merged by jenkins-bot:
[operations/deployment-charts@master] Configure ratelimiter to support authenticated/anon limits for api

https://gerrit.wikimedia.org/r/619804

Change 620766 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[operations/deployment-charts@master] Switch ratelimit service to V3 protocol

https://gerrit.wikimedia.org/r/620766

Change 620766 merged by jenkins-bot:
[operations/deployment-charts@master] Switch ratelimit service to V3 protocol

https://gerrit.wikimedia.org/r/620766

Pchelolo added a subscriber: Clarakosi.

The above patches were deployed; however, we can't mark this as done:

  • anon rate limits are not working yet. They depend on a feature @Clarakosi introduced into envoy, but that will only be available in 1.16, which we are patiently waiting for. Once we update, one line needs to be uncommented and it should start working.
  • authenticated rate limits depend on OAuthRateLimiter.

Moving to blocked.

The config is almost done, but until 1.16 anon rate limits do not work since there's no support for default descriptor values. We should try to work around that.

Change 622650 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[operations/deployment-charts@master] Api-gateway: implement fallback for anon users in lua until envoy 1.16

https://gerrit.wikimedia.org/r/622650

Change 622650 merged by jenkins-bot:
[operations/deployment-charts@master] Api-gateway: implement fallback for anon users in lua until envoy 1.16

https://gerrit.wikimedia.org/r/622650

I guess I'm gonna put this into blocked, 'cause in order to verify it all works correctly, we need everything else - JWT issuing with private claims, JWT verification with the correct key, etc.