Rate limiter
Review how the Gloo rate limiting server backs up data and your setup options to make the backing database more resilient.
For more information about the feature, see Rate limit.
What data gets stored
The rate limiter stores information for limiting requests in the backing database, including the following information. For an example of how to check the data that gets stored, see Review data in Redis.
- The generated unique key for the request
- The associated count against the rate limit
The configuration data of the Gloo custom resources are stored by the management server in its backing database.
Backing storage options
Review the following options for setting up backing storage.
Option | Use case | Benefits | Drawbacks |
---|---|---|---|
Default: Built-in local Redis | Proof of concept and staging environments in single clusters |
|
|
Bring your own Redis | Production-level, multicluster environments |
|
|
Default local Redis
When you install Gloo Mesh Enterprise, a local Redis instance redis
is set up in the gloo-mesh-addons
namespace of the workload cluster. The rate limiting server automatically reads and writes to this Redis instance.
The default setup is equivalent to setting the rateLimiter.redis.enabled
Helm value to true
.
Using a local Redis instance is not a recommended practice for production. To achieve higher availability, disaster recovery and add other security features, bring your own Redis instance instead.
Bring your own Redis
Instead of using the built-in local Redis instance, you can achieve higher availability, disaster recovery, and enhanced control and security by bringing your own Redis cluster. You can choose between a local or externally hosted instance. For a local instance, you can install the Redis cluster within the Gloo management cluster and run it alongside the rate limiter. For an external instance, you can create an instance outside your cluster environment, such as Redis Enterprise or a cloud provider service like AWS ElastiCache. Then, you include the settings for your local or external Redis instance when you install or upgrade your Gloo Helm chart.
Using a Redis or AWS ElastiCache instance in cluster mode is currently not supported.
When you bring your own Redis cluster, you can customize the following aspects:
- Authentication: To authenticate with your Redis instance, you can configure Gloo Mesh Enterprise to use a username and password when connecting to Redis. Depending on your Redis provider, you might only need to specify a password to authenticate with Redis. You store these credentials in a Kubernetes secret on the management cluster.
- TLS certificates: For enhanced security, you can use TLS certificates to authenticate with your Redis cluster. Note that your Redis instance must be configured to accept TLS connections. You store the certificate that you want to use in a Kubernetes secret on the management cluster.
- Connection: You can optionally set connection parameters, such as the maximum number of active connections, retries, or number of idle connections.
- Database: You can optionally specify the database instance within your Redis cluster that you want to connect to.
Keep in mind that your external Redis database usually must be in the same cloud provider as your Gloo cluster, such as AWS ElastiCache and EC2 instances. Also, you must configure both the Gloo external auth and Gloo portal servers in your cluster to read from and write to the same Redis database. Any settings for your Redis instance, such as the maximum number of retries, are shared between these components.
Create or use an existing Redis cluster, such as AWS ElastiCache or Google Cloud Memorystore.
Make sure that you can connect to your instance from the Gloo management cluster. For example, your cloud provider might require for the cluster and Redis instance to share the same virtual private network (VPC). For more information, consult your cloud provider documentation, such as AWS ElastiCache or Google Cloud Memorystore.
Choose how to authenticate with your Redis cluster. Depending on your Redis provider, you might be required to use a specific authentication method, such as TLS certificates or a username and password.
Create a Kubernetes secret to store your Redis authentication credentials. If you apply a YAML configuration file, make sure to encode the values in base64.
Username and password: If your Redis auth doesn’t have an explicit username, specify
default
. For the password, specify your auth string.TLS certificates:
kubectl apply -f- <<EOF apiVersion: v1 kind: Secret type: Opaque metadata: name: redis-certs-keys namespace: gloo-mesh-addons data: redis.crt: "<TLS_certificate>" EOF
Follow the Upgrade guide to get your Gloo Platform Helm installation configuration file.
In your Helm values file, add the following information. For more information, see the Helm reference docs.
Helm setting Description extAuthService.enabled
Enable this value to deploy the external auth server alongside the rate limiter server. For more backing database options, see External auth server If you do not include this value, any existing external auth service is removed.rateLimiter.enabled
Enable this value to deploy the rate limiter server. rateLimiter.redis.enabled
Set this option to false
to disable the built-in local Redis deployment.rateLimiter.redis.hostname
Replace $REDIS_HOST
with the host that the Redis instance is available on. This host might need to be on the same virtual private network as your cluster or need to have a VPN connection.- An example Amazon ElastiCache host might look like
redis-cluster.ameaqx.0001.use1.cache.amazonaws.com
. For more information, see the Amazon ElastiCache docs. - An example Google Cloud Memorystore host might look like
10.xxx.xx.xx
in the same VPC as your cluster. Note: If you use an IP address, do not include the port6379
, which is appended for you. For more information, see the Google Cloud Memorystore docs.
rateLimiter.redis.auth.enabled
Add this section if you want to authenticate with your Redis cluster by using a username and password. For the password, specify your auth string. To authenticate by using TLS certificates, remove this section and configure redis.certs
instead.rateLimiter.redis.certs.enabled
Add this section if you want to authenticate with your Redis cluster by using TLS certificates. To authenticate by using a username and password, remove this section and configure redis.auth
instead.rateLimiter.redis.service.socket
If you enable authentication via TLS certificates, set this value to tls
.- An example Amazon ElastiCache host might look like
Continue with the Upgrade guide to reinstall the Gloo rate limiter add-on with your own Redis instance.
Optional: Verify that the rate limiter server is configured with your external Redis database details.
- Verify that the secrets are created.
kubectl get secrets -n gloo-mesh-addons
- Apply a basic rate limit policy and send a test request that gets rate limited.
- Review the rate limiting data in Redis.
- Verify that the secrets are created.