Rate limit server setup

As a platform administrator, you can set up the Gloo Mesh rate limit server while registering your workload clusters. By default, one rate limit server is deployed per cluster. If you have more specific rate limiting requirements, you can set up more servers, such as one per workspace, or create the rate limit server in a different namespace.

Then, you might delegate the configuration and settings for the rate limit server to the app owner or workspace administrator.

For more information about how the rate limit server resources work together, see About rate limiting.

Server setup

During Gloo Mesh registration, set up your workload clusters to use the Envoy Go/gRPC rate limit service.

Server config

Configure the descriptors with the rate limiting rules for the server to accept. You can reuse the same config for multiple servers. To rate limit a request, the action from the client config must match one of the descriptors in the server config.

Server settings

Optionally set up how a client, such as a sidecar or gateway proxy, connects to the rate limit server, such as adding a request timeout.

Client config

Configure the actions for the Envoy client to take by matching each action to a server descriptor. You can reuse the same client config for multiple destinations or routes.

Rate limit server setup

During Gloo Mesh registration, set up your workload clusters to use the Envoy Go/gRPC rate limit service. The server must be set up, configured, and healthy for rate limit policies to work. Platform admins typically install the server, because they have access to modify the Gloo Mesh agent installation on your workload clusters.

By default, one rate limit server is deployed per cluster. If you have more specific rate limiting requirements, you can set up more servers, such as one per workspace.

For more information, see Setting up rate limiting in the workload cluster setup guide.
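For example, you might enable the rate limit service as part of the add-ons Helm release during workload cluster registration. The release structure and value names below are illustrative assumptions; confirm the exact values for your Gloo version in the setup guide.

```yaml
# Illustrative Helm values for the Gloo agent add-ons release.
# The chart keys shown here are assumptions; check the workload
# cluster setup guide for the values that match your Gloo version.
rate-limiter:
  enabled: true   # deploys the rate limit server into gloo-mesh-addons
```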

Rate limit server config

Configure the descriptors with the rate limiting rules for the server to accept. You can reuse the same config for multiple servers. To rate limit a request, the action from the client config must match one of the descriptors in the server config. You must create a rate limit server configuration before using rate limit policies. The platform admin, app owner, or workspace admin might configure the rate limit server.

Review the following example YAML file for a rate limit server config. For more information, see the API docs.


apiVersion: admin.gloo.solo.io/v2
kind: RateLimitServerConfig
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: rl-server-config
  namespace: gloo-mesh-addons
spec:
  destinationServers:
  - port:
      number: 8083
    ref:
      cluster: cluster-1
      name: rate-limiter
      namespace: gloo-mesh-addons
  raw:
    descriptors:
    - key: generic_key
      rateLimit:
        requestsPerUnit: 1
        unit: DAY
      value: counter
Review the following settings to understand this configuration.

spec.destinationServers: This example uses the default rate-limiter server in the gloo-mesh-addons namespace on port 8083.

spec.raw.descriptors: Set up a raw configuration for the rate limit server to enforce for your policies. Make sure that any rate limit client config that you create does not conflict with this server config. In this example, one rate limit descriptor is set up for requests that match the key: value label of generic_key: counter. These requests are rate limited to 1 per day. For more information, see the descriptors API reference.
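Descriptors can also count requests against other keys, such as a client identifier. The following sketch adds a per-user limit; the resource name and the user-id key are assumptions for illustration, and the client config must supply a matching action for this descriptor to take effect.

```yaml
apiVersion: admin.gloo.solo.io/v2
kind: RateLimitServerConfig
metadata:
  name: rl-server-config-per-user   # illustrative name
  namespace: gloo-mesh-addons
spec:
  destinationServers:
  - port:
      number: 8083
    ref:
      cluster: cluster-1
      name: rate-limiter
      namespace: gloo-mesh-addons
  raw:
    descriptors:
    # Each unique value for the user-id key gets its own counter,
    # limited to 100 requests per minute. The client config must emit
    # a descriptor entry with the same key, such as from a request header.
    - key: user-id
      rateLimit:
        requestsPerUnit: 100
        unit: MINUTE
```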

Rate limit server settings

Optionally set up how a client, such as a sidecar or gateway proxy, connects to the rate limit server, such as adding a request timeout. Rate limit server settings are an optional resource, unless you have multiple servers per cluster or the rate limit server has a non-default name or namespace.

If you don't create rate limit server settings, you must select the server to use in the rate limit policy or the rate limit client config. The app owner or app developer might create the rate limit server settings.

Review the following example YAML file for rate limit server settings. For more information, see the API docs.


apiVersion: admin.gloo.solo.io/v2
kind: RateLimitServerSettings
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: rl-server
  namespace: bookinfo
spec:
  destinationServer:
    port:
      number: 8083
    ref:
      cluster: cluster-1
      name: rate-limiter
      namespace: gloo-mesh-addons
Review the following settings to understand this configuration.

spec.destinationServer: This example connects to the default rate-limiter server in the gloo-mesh-addons namespace on port 8083. No special connection settings such as timeouts or denials are set.
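Connection behavior can be tuned in the server settings. The following sketch adds a request timeout and fails closed when the server is unreachable; the requestTimeout and denyOnFail field names are assumptions based on the Gloo rate limit API, so verify them against the API docs for your version.

```yaml
apiVersion: admin.gloo.solo.io/v2
kind: RateLimitServerSettings
metadata:
  name: rl-server
  namespace: bookinfo
spec:
  destinationServer:
    port:
      number: 8083
    ref:
      cluster: cluster-1
      name: rate-limiter
      namespace: gloo-mesh-addons
  # Assumed field: give up on the rate limit check after 200ms.
  requestTimeout: 0.2s
  # Assumed field: deny requests if the rate limit server cannot be reached,
  # instead of allowing them through (fail closed rather than fail open).
  denyOnFail: true
```

Whether to fail open or closed is a design choice: failing open favors availability, while failing closed guarantees the limit is never exceeded.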

Rate limit client config

Configure the actions for the Envoy client to take by matching each action to a server descriptor. You can reuse the same client config for multiple destinations or routes. You must create a rate limit client configuration before using rate limit policies. The operator or app owner might configure the rate limit client.

Review the following example YAML file for a rate limit client config. For more information, see the API docs.


apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: RateLimitClientConfig
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: rl-client-config
  namespace: bookinfo
spec:
  raw:
    rateLimits:
    - actions:
      - genericKey:
          descriptorValue: counter
      limit:
        dynamicMetadata:
          metadataKey:
            key: envoy.filters.http.ext_authz
            path:
            - key: opa_auth
            - key: rateLimit
Review the following settings to understand this configuration.

spec.raw: Set up a raw-style configuration for the rate limit client (the Envoy proxy) to enforce for your policies. Make sure that this rate limit client config does not conflict with the server config. In this example, the action generic_key: counter matches the expected descriptor in the server config. For other possible rate limiting actions such as on request headers, see the API docs.
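As an example of a header-based action, the following sketch emits a descriptor entry from a request header. The resource name, the X-User-Id header, and the user-id key are assumptions for illustration; the descriptorKey must match a descriptor key in your server config.

```yaml
apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: RateLimitClientConfig
metadata:
  name: rl-client-config-per-user   # illustrative name
  namespace: bookinfo
spec:
  raw:
    rateLimits:
    - actions:
      # Emit a descriptor entry of user-id: <header value> for each request,
      # taken from the assumed X-User-Id header. This matches a server
      # descriptor with key: user-id, so each user is counted separately.
      # Requests without the header produce no entry and are not rate limited.
      - requestHeaders:
          descriptorKey: user-id
          headerName: X-User-Id
```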