From 59e1b1715ac3086dfef9077ca30d79f2c58a706a Mon Sep 17 00:00:00 2001
From: Keyvan
Date: Fri, 6 Oct 2023 13:44:22 +0200
Subject: [PATCH] Fixed MP rate limiting
---
 charts/management-portal/Chart.yaml | 2 +-
 charts/management-portal/README.md | 9 +++-
 .../templates/ingress-rate-limited.yaml | 53 +++++++++++++++++++
 charts/management-portal/values.yaml | 34 +++++++++---
 4 files changed, 88 insertions(+), 10 deletions(-)
 create mode 100644 charts/management-portal/templates/ingress-rate-limited.yaml
diff --git a/charts/management-portal/Chart.yaml b/charts/management-portal/Chart.yaml
index 22eea30f..ef8e65bf 100644
--- a/charts/management-portal/Chart.yaml
+++ b/charts/management-portal/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.0.0"
 description: A Helm chart for RADAR-Base Management Portal to manage projects and participants throughout RADAR-base.
 name: management-portal
-version: 1.0.3
+version: 1.0.4
 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png"
 sources:
 - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/management-portal
diff --git a/charts/management-portal/README.md b/charts/management-portal/README.md
index d365d729..811b2fa4 100644
--- a/charts/management-portal/README.md
+++ b/charts/management-portal/README.md
@@ -3,7 +3,7 @@ # management-portal [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/management-portal)](https://artifacthub.io/packages/helm/radar-base/management-portal) -![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square) +![Version: 1.0.4](https://img.shields.io/badge/Version-1.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square) A Helm chart for RADAR-Base Management Portal to manage projects and participants throughout RADAR-base. 
@@ -49,6 +49,13 @@ A Helm chart for RADAR-Base Management Portal to manage projects and participant
 | ingress.ingressClassName | string | `"nginx"` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) |
 | ingress.hosts | list | `["localhost"]` | Hosts to accept requests from |
 | ingress.tls.secretName | string | `"radar-base-tls-managementportal"` | TLS Secret Name |
+| ingress_rate_limited.enabled | bool | `true` | Enable ingress controller resource |
+| ingress_rate_limited.annotations | object | check values.yaml | Annotations that define default ingress class, certificate issuer and rate limiter |
+| ingress_rate_limited.paths | list | `["/managementportal/oauth/token","/managementportal/login","/managementportal/api/meta-token"]` | Path within the url structure |
+| ingress_rate_limited.pathType | string | `"ImplementationSpecific"` | Ingress Path type |
+| ingress_rate_limited.ingressClassName | string | `"nginx"` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) |
+| ingress_rate_limited.hosts | list | `["localhost"]` | Hosts to accept requests from |
+| ingress_rate_limited.tls.secretName | string | `"radar-base-tls-managementportal-rate-limited"` | TLS Secret Name |
 | resources.limits | object | `{"cpu":2,"memory":"1700Mi"}` | CPU/Memory resource limits |
 | resources.requests | object | `{"cpu":"100m","memory":"512Mi"}` | CPU/Memory resource requests |
 | nodeSelector | object | `{}` | Node labels for pod assignment |
diff --git a/charts/management-portal/templates/ingress-rate-limited.yaml b/charts/management-portal/templates/ingress-rate-limited.yaml
new file mode 100644
index 00000000..9e0f4716
--- /dev/null
+++ b/charts/management-portal/templates/ingress-rate-limited.yaml
@@ -0,0 +1,53 @@
+{{- if .Values.ingress_rate_limited.enabled -}}
+{{- $fullName := include "management-portal.fullname" . -}}
+{{- $paths := .Values.ingress_rate_limited.paths -}}
+{{- $hosts := .Values.ingress_rate_limited.hosts -}}
+{{- $svcPort := .Values.service.port -}}
+{{- $pathType := .Values.ingress_rate_limited.pathType -}}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+{{ include "management-portal.labels" . | indent 4 }}
+ {{- with .Values.ingress_rate_limited.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.ingress_rate_limited.ingressClassName | quote }}
+{{- if .Values.ingress_rate_limited.tls }}
+ tls:
+ - hosts:
+ {{- range $hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .Values.ingress_rate_limited.tls.secretName }}
+{{- end }}
+ rules:
+ {{- range .Values.ingress_rate_limited.hosts }}
+ - host: {{ . | quote }}
+ http:
+ paths:
+ {{- range $paths }}
+ - path: {{ . | quote }}
+ {{- if and $pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ $pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml
index 6587165f..72ed347b 100644
--- a/charts/management-portal/values.yaml
+++ b/charts/management-portal/values.yaml
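Review bot: `metadata.name` on the new Ingress is the bare `{{ $fullName }}`; if the chart's existing ingress template (not part of this patch) names its Ingress with the same helper, the two objects collide in the release namespace whenever both ingresses are enabled, and the install fails or one rule set replaces the other. A distinct name such as `name: {{ $fullName }}-rate-limited` avoids that and keeps the throttled login and token routes from silently disappearing. Separately, `secretName` and `pathType` are emitted unquoted, unlike the host and path values; `secretName: {{ .Values.ingress_rate_limited.tls.secretName | quote }}` keeps an empty or boolean-looking value from changing type after rendering.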
@@ -48,14 +48,6 @@ ingress:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 nginx.ingress.kubernetes.io/enable-cors: "true"
- nginx.ingress.kubernetes.io/server-snippet: |
- location /managementportal/oauth/ {
- # Allow 20 fast-following requests, like when authorizing a user.
- limit_req zone=login_limit burst=20;
- }
- location /managementportal/api/meta-token/ {
- limit_req zone=login_limit;
- }
 # -- Path within the url structure
 path: "/managementportal"
 # -- Ingress Path type
@@ -69,6 +61,32 @@ ingress:
 # -- TLS Secret Name
 secretName: radar-base-tls-managementportal

+ingress_rate_limited:
+ # -- Enable ingress controller resource
+ enabled: true
+ # -- Annotations that define default ingress class, certificate issuer and rate limiter
+ # @default -- check values.yaml
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/server-snippet: |
+ limit_req zone=login_limit;
+ # -- Path within the url structure
+ paths:
+ - "/managementportal/oauth/token"
+ - "/managementportal/login"
+ - "/managementportal/api/meta-token"
+ # -- Ingress Path type
+ pathType: ImplementationSpecific
+ # -- IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ingressClassName: nginx
+ # -- Hosts to accept requests from
+ hosts:
+ - localhost
+ tls:
+ # -- TLS Secret Name
+ secretName: radar-base-tls-managementportal-rate-limited
+
 resources:
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
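Review bot: The rate limit under `ingress_rate_limited.annotations` is attached with `nginx.ingress.kubernetes.io/server-snippet`, which ingress-nginx places in the `server` block for the host rather than in the locations generated from `paths`, so `limit_req zone=login_limit;` would likely throttle every route served on that host instead of only the three login and token paths. The location-scoped annotation matches the intent of a separate Ingress: `nginx.ingress.kubernetes.io/configuration-snippet: |` followed by `limit_req zone=login_limit;`. The values comment should also state the prerequisites, for example `# Requires a limit_req_zone named login_limit in the controller http-snippet, and snippet annotations allowed by the controller`, because this Ingress is enabled by default and a missing zone would make the generated nginx configuration invalid. The removed block gave the oauth location `burst=20` and the new snippet has no burst, so it is worth confirming that the rapid token requests made during authorization are not rejected.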