Merge pull request #99 from RADAR-base/mp-ingress

Fixed MP rate limiting
RADAR-base · Nov 8, 2023 · 039430a · 039430a
2 parents 4154ebf + 59e1b17
commit 039430a
Show file tree

Hide file tree

Showing 4 changed files with 88 additions and 10 deletions.
diff --git a/charts/management-portal/Chart.yaml b/charts/management-portal/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.0.0"
 description: A Helm chart for RADAR-Base Management Portal to manage projects and participants throughout RADAR-base.
 name: management-portal
-version: 1.0.3
+version: 1.0.4
 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png"
 sources:
 - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/management-portal

diff --git a/charts/management-portal/README.md b/charts/management-portal/README.md
@@ -3,7 +3,7 @@
 # management-portal
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/management-portal)](https://artifacthub.io/packages/helm/radar-base/management-portal)
 
-![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square)
+![Version: 1.0.4](https://img.shields.io/badge/Version-1.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square)
 
 A Helm chart for RADAR-Base Management Portal to manage projects and participants throughout RADAR-base.
 
@@ -49,6 +49,13 @@ A Helm chart for RADAR-Base Management Portal to manage projects and participant
 | ingress.ingressClassName | string | `"nginx"` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) |
 | ingress.hosts | list | `["localhost"]` | Hosts to accept requests from |
 | ingress.tls.secretName | string | `"radar-base-tls-managementportal"` | TLS Secret Name |
+| ingress_rate_limited.enabled | bool | `true` | Enable ingress controller resource |
+| ingress_rate_limited.annotations | object | check values.yaml | Annotations that define default ingress class, certificate issuer and rate limiter |
+| ingress_rate_limited.paths | list | `["/managementportal/oauth/token","/managementportal/login","/managementportal/api/meta-token"]` | Path within the url structure |
+| ingress_rate_limited.pathType | string | `"ImplementationSpecific"` | Ingress Path type |
+| ingress_rate_limited.ingressClassName | string | `"nginx"` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) |
+| ingress_rate_limited.hosts | list | `["localhost"]` | Hosts to accept requests from |
+| ingress_rate_limited.tls.secretName | string | `"radar-base-tls-managementportal-rate-limited"` | TLS Secret Name |
 | resources.limits | object | `{"cpu":2,"memory":"1700Mi"}` | CPU/Memory resource limits |
 | resources.requests | object | `{"cpu":"100m","memory":"512Mi"}` | CPU/Memory resource requests |
 | nodeSelector | object | `{}` | Node labels for pod assignment |

diff --git a/charts/management-portal/templates/ingress-rate-limited.yaml b/charts/management-portal/templates/ingress-rate-limited.yaml
@@ -0,0 +1,53 @@
+{{- if .Values.ingress_rate_limited.enabled -}}
+{{- $fullName := include "management-portal.fullname" . -}}
+{{- $paths := .Values.ingress_rate_limited.paths -}}
+{{- $hosts := .Values.ingress_rate_limited.hosts -}}
+{{- $svcPort := .Values.service.port -}}
+{{- $pathType := .Values.ingress_rate_limited.pathType -}}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+{{ include "management-portal.labels" . | indent 4 }}
+  {{- with .Values.ingress_rate_limited.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress_rate_limited.ingressClassName | quote }}
+{{- if .Values.ingress_rate_limited.tls }}
+  tls:
+    - hosts:
+      {{- range $hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .Values.ingress_rate_limited.tls.secretName }}
+{{- end }}
+  rules:
+  {{- range .Values.ingress_rate_limited.hosts }}
+    - host: {{ . | quote }}
+      http:
+        paths:
+          {{- range $paths }}
+          - path: {{ . | quote }}
+            {{- if and $pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ $pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml
@@ -48,14 +48,6 @@ ingress:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/server-snippet: |
-      location /managementportal/oauth/ {
-        # Allow 20 fast-following requests, like when authorizing a user.
-        limit_req zone=login_limit burst=20;
-      }
-      location /managementportal/api/meta-token/ {
-        limit_req zone=login_limit;
-      }
   # -- Path within the url structure
   path: "/managementportal"
   # -- Ingress Path type
@@ -69,6 +61,32 @@ ingress:
     # -- TLS Secret Name
     secretName: radar-base-tls-managementportal
 
+ingress_rate_limited:
+  # -- Enable ingress controller resource
+  enabled: true
+  # -- Annotations that define default ingress class, certificate issuer and rate limiter
+  # @default -- check values.yaml
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/server-snippet: |
+      limit_req zone=login_limit;
+  # -- Path within the url structure
+  paths:
+  - "/managementportal/oauth/token"
+  - "/managementportal/login"
+  - "/managementportal/api/meta-token"
+  # -- Ingress Path type
+  pathType: ImplementationSpecific
+  # -- IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+  ingressClassName: nginx
+  # -- Hosts to accept requests from
+  hosts:
+    - localhost
+  tls:
+    # -- TLS Secret Name
+    secretName: radar-base-tls-managementportal-rate-limited
+
 resources:
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little