From f3c3f0f4da592137d620342940fba7336ff48293 Mon Sep 17 00:00:00 2001 From: Venktesh Date: Thu, 11 Jan 2024 12:09:05 +0000 Subject: [PATCH 1/6] Add rate-limit example --- .../custom-annotations/README.md | 3 + .../ingress-resources/rate-limit/README.md | 76 +++++++++++++++++++ .../rate-limit/cafe-ingress.yaml | 32 ++++++++ .../rate-limit/cafe-secret.yaml | 8 ++ .../ingress-resources/rate-limit/cafe.yaml | 66 ++++++++++++++++ 5 files changed, 185 insertions(+) create mode 100644 examples/ingress-resources/rate-limit/README.md create mode 100644 examples/ingress-resources/rate-limit/cafe-ingress.yaml create mode 100644 examples/ingress-resources/rate-limit/cafe-secret.yaml create mode 100644 examples/ingress-resources/rate-limit/cafe.yaml diff --git a/examples/ingress-resources/custom-annotations/README.md b/examples/ingress-resources/custom-annotations/README.md index 1980d6c033..a62df3d511 100644 --- a/examples/ingress-resources/custom-annotations/README.md +++ b/examples/ingress-resources/custom-annotations/README.md @@ -3,6 +3,9 @@ Custom annotations enable you to quickly extend the Ingress resource to support many advanced features of NGINX, such as rate limiting, caching, etc. +**Note**: Rate-limiting is now available with native annotation support, however this guide is still applicable for other +Nginx functionalities. + Let's create a set of custom annotations to support [rate-limiting](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html): diff --git a/examples/ingress-resources/rate-limit/README.md b/examples/ingress-resources/rate-limit/README.md new file mode 100644 index 0000000000..3b8181c265 --- /dev/null +++ b/examples/ingress-resources/rate-limit/README.md @@ -0,0 +1,76 @@ +# Example + +In this example we deploy the NGINX or NGINX Plus Ingress Controller, a simple web application and then configure load +balancing for that application using the Ingress resource with rate-limiting configures via annotaions. + +## Running the Example + +## 1. Deploy the Ingress Controller + +1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-manifests/) + instructions to deploy the Ingress Controller. + +2. Save the public IP address of the Ingress Controller into a shell variable: + + ```console + IC_IP=XXX.YYY.ZZZ.III + ``` + +3. Save the HTTPS port of the Ingress Controller into a shell variable: + + ```console + IC_HTTPS_PORT= + ``` + +## 2. Deploy the Cafe Application + +Create the coffee and the tea deployments and services: + +```console +kubectl create -f cafe.yaml +``` + +## 3. Configure Load Balancing + +1. Create a secret with an SSL certificate and a key: + + ```console + kubectl create -f cafe-secret.yaml + ``` + +2. Create an Ingress resource: + + ```console + kubectl create -f cafe-ingress.yaml + ``` + +## 4. Test the Application + + Let's test the configuration. If you access the application at a rate that exceeds one request per second, NGINX will + start rejecting your requests: + + To get coffee: + + ```console + curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure + ``` + + ```text + Server address: 10.12.0.18:80 + Server name: coffee-7586895968-r26zn + ... + ``` + + ```console + curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure + ``` + + ```text + + 429 Too Many Requests + +

429 Too Many Requests

+
nginx/1.25.3
+ + + ``` diff --git a/examples/ingress-resources/rate-limit/cafe-ingress.yaml b/examples/ingress-resources/rate-limit/cafe-ingress.yaml new file mode 100644 index 0000000000..450d82a144 --- /dev/null +++ b/examples/ingress-resources/rate-limit/cafe-ingress.yaml @@ -0,0 +1,32 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress + annotations: + nginx.org/limit-req-rate: 1r/s + nginx.org/limit-req-key: ${binary_remote_addr} + nginx.org/limit-req-zone-size: 10M +spec: + ingressClassName: nginx + tls: + - hosts: + - cafe.example.com + secretName: cafe-secret + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 diff --git a/examples/ingress-resources/rate-limit/cafe-secret.yaml b/examples/ingress-resources/rate-limit/cafe-secret.yaml new file mode 100644 index 0000000000..8f9fd84855 --- /dev/null +++ b/examples/ingress-resources/rate-limit/cafe-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cafe-secret +type: kubernetes.io/tls +data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMakNDQWhZQ0NRREFPRjl0THNhWFdqQU5CZ2txaGtpRzl3MEJBUXNGQURCYU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MApaREViTUJrR0ExVUVBd3dTWTJGbVpTNWxlR0Z0Y0d4bExtTnZiU0FnTUI0WERURTRNRGt4TWpFMk1UVXpOVm9YCkRUSXpNRGt4TVRFMk1UVXpOVm93V0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba05CTVNFd0h3WUQKVlFRS0RCaEpiblJsY201bGRDQlhhV1JuYVhSeklGQjBlU0JNZEdReEdUQVhCZ05WQkFNTUVHTmhabVV1WlhoaApiWEJzWlM1amIyMHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDcDZLbjdzeTgxCnAwanVKL2N5ayt2Q0FtbHNmanRGTTJtdVpOSzBLdGVjcUcyZmpXUWI1NXhRMVlGQTJYT1N3SEFZdlNkd0kyaloKcnVXOHFYWENMMnJiNENaQ0Z4d3BWRUNyY3hkam0zdGVWaVJYVnNZSW1tSkhQUFN5UWdwaW9iczl4N0RsTGM2SQpCQTBaalVPeWwwUHFHOVNKZXhNVjczV0lJYTVyRFZTRjJyNGtTa2JBajREY2o3TFhlRmxWWEgySTVYd1hDcHRDCm42N0pDZzQyZitrOHdnemNSVnA4WFprWldaVmp3cTlSVUtEWG1GQjJZeU4xWEVXZFowZXdSdUtZVUpsc202OTIKc2tPcktRajB2a29QbjQxRUUvK1RhVkVwcUxUUm9VWTNyemc3RGtkemZkQml6Rk8yZHNQTkZ4MkNXMGpYa05MdgpLbzI1Q1pyT2hYQUhBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLSEZDY3lPalp2b0hzd1VCTWRMClJkSEliMzgzcFdGeW5acS9MdVVvdnNWQTU4QjBDZzdCRWZ5NXZXVlZycTVSSWt2NGxaODFOMjl4MjFkMUpINnIKalNuUXgrRFhDTy9USkVWNWxTQ1VwSUd6RVVZYVVQZ1J5anNNL05VZENKOHVIVmhaSitTNkZBK0NuT0Q5cm4yaQpaQmVQQ0k1ckh3RVh3bm5sOHl3aWozdnZRNXpISXV5QmdsV3IvUXl1aTlmalBwd1dVdlVtNG52NVNNRzl6Q1Y3ClBwdXd2dWF0cWpPMTIwOEJqZkUvY1pISWc4SHc5bXZXOXg5QytJUU1JTURFN2IvZzZPY0s3TEdUTHdsRnh2QTgKN1dqRWVxdW5heUlwaE1oS1JYVmYxTjM0OWVOOThFejM4Zk9USFRQYmRKakZBL1BjQytHeW1lK2lHdDVPUWRGaAp5UkU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcWVpcCs3TXZOYWRJN2lmM01wUHJ3Z0pwYkg0N1JUTnBybVRTdENyWG5LaHRuNDFrCkcrZWNVTldCUU5semtzQndHTDBuY0NObzJhN2x2S2wxd2k5cTIrQW1RaGNjS1ZSQXEzTVhZNXQ3WGxZa1YxYkcKQ0pwaVJ6ejBza0lLWXFHN1BjZXc1UzNPaUFRTkdZMURzcGRENmh2VWlYc1RGZTkxaUNHdWF3MVVoZHErSkVwRwp3SStBM0kreTEzaFpWVng5aU9WOEZ3cWJRcCt1eVFvT05uL3BQTUlNM0VWYWZGMlpHVm1WWThLdlVWQ2cxNWhRCmRtTWpkVnhGbldkSHNFYmltRkNaYkp1dmRySkRxeWtJOUw1S0Q1K05SQlAvazJsUkthaTAwYUZHTjY4NE93NUgKYzMzUVlzeFR0bmJEelJjZGdsdEkxNURTN3lxTnVRbWF6b1Z3QndJREFRQUJBb0lCQVFDUFNkU1luUXRTUHlxbApGZlZGcFRPc29PWVJoZjhzSStpYkZ4SU91UmF1V2VoaEp4ZG01Uk9ScEF6bUNMeUw1VmhqdEptZTIyM2dMcncyCk45OUVqVUtiL1ZPbVp1RHNCYzZvQ0Y2UU5SNThkejhjbk9SVGV3Y290c0pSMXBuMWhobG5SNUhxSkpCSmFzazEKWkVuVVFmY1hackw5NGxvOUpIM0UrVXFqbzFGRnM4eHhFOHdvUEJxalpzVjdwUlVaZ0MzTGh4bndMU0V4eUZvNApjeGI5U09HNU9tQUpvelN0Rm9RMkdKT2VzOHJKNXFmZHZ5dGdnOXhiTGFRTC94MGtwUTYyQm9GTUJEZHFPZVBXCktmUDV6WjYvMDcvdnBqNDh5QTFRMzJQem9idWJzQkxkM0tjbjMyamZtMUU3cHJ0V2wrSmVPRmlPem5CUUZKYk4KNHFQVlJ6NWhBb0dCQU50V3l4aE5DU0x1NFArWGdLeWNrbGpKNkY1NjY4Zk5qNUN6Z0ZScUowOXpuMFRsc05ybwpGVExaY3hEcW5SM0hQWU00MkpFUmgySi9xREZaeW5SUW8zY2czb2VpdlVkQlZHWTgrRkkxVzBxZHViL0w5K3l1CmVkT1pUUTVYbUdHcDZyNmpleHltY0ppbS9Pc0IzWm5ZT3BPcmxEN1NQbUJ2ek5MazRNRjZneGJYQW9HQkFNWk8KMHA2SGJCbWNQMHRqRlhmY0tFNzdJbUxtMHNBRzR1SG9VeDBlUGovMnFyblRuT0JCTkU0TXZnRHVUSnp5K2NhVQprOFJxbWRIQ2JIelRlNmZ6WXEvOWl0OHNaNzdLVk4xcWtiSWN1YytSVHhBOW5OaDFUanNSbmU3NFowajFGQ0xrCmhIY3FIMHJpN1BZU0tIVEU4RnZGQ3haWWRidUI4NENtWmlodnhicFJBb0dBSWJqcWFNWVBUWXVrbENkYTVTNzkKWVNGSjFKelplMUtqYS8vdER3MXpGY2dWQ0thMzFqQXdjaXowZi9sU1JxM0hTMUdHR21lemhQVlRpcUxmZVpxYwpSMGlLYmhnYk9jVlZrSkozSzB5QXlLd1BUdW14S0haNnpJbVpTMGMwYW0rUlk5WUdxNVQ3WXJ6cHpjZnZwaU9VCmZmZTNSeUZUN2NmQ21mb09oREN0enVrQ2dZQjMwb0xDMVJMRk9ycW40M3ZDUzUxemM1em9ZNDR1QnpzcHd3WU4KVHd2UC9FeFdNZjNWSnJEakJDSCtULzZzeXNlUGJKRUltbHpNK0l3eXRGcEFOZmlJWEV0LzQ4WGY2ME54OGdXTQp1SHl4Wlp4L05LdER3MFY4dlgxUE9ucTJBNWVpS2ErOGpSQVJZS0pMWU5kZkR1d29seHZHNmJaaGtQaS80RXRUCjNZMThzUUtCZ0h0S2JrKzdsTkpWZXN3WEU1Y1VHNkVEVXNEZS8yVWE3ZlhwN0ZjanFCRW9hcDFMU3crNlRYcDAKWmdybUtFOEFSek00NytFSkhVdmlpcS9udXBFMTVnMGtKVzNzeWhwVTl6WkxPN2x0QjBLSWtPOVpSY21Vam84UQpjcExsSE1BcWJMSjhXWUdKQ2toaVd4eWFsNmhZVHlXWTRjVmtDMHh0VGwvaFVFOUllTktvCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== diff --git a/examples/ingress-resources/rate-limit/cafe.yaml b/examples/ingress-resources/rate-limit/cafe.yaml new file mode 100644 index 0000000000..cda0f23573 --- /dev/null +++ b/examples/ingress-resources/rate-limit/cafe.yaml @@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: coffee +spec: + replicas: 2 + selector: + matchLabels: + app: coffee + template: + metadata: + labels: + app: coffee + spec: + containers: + - name: coffee + image: nginxdemos/nginx-hello:plain-text + ports: + - containerPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: coffee-svc +spec: + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + name: http + selector: + app: coffee +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tea +spec: + replicas: 3 + selector: + matchLabels: + app: tea + template: + metadata: + labels: + app: tea + spec: + containers: + - name: tea + image: nginxdemos/nginx-hello:plain-text + ports: + - containerPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: tea-svc + labels: +spec: + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + name: http + selector: + app: tea From b66f11a692da90838d912b5a0c0e5990f3fde200 Mon Sep 17 00:00:00 2001 From: Venktesh Date: Thu, 11 Jan 2024 12:13:12 +0000 Subject: [PATCH 2/6] fix indentation --- examples/ingress-resources/rate-limit/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/ingress-resources/rate-limit/README.md b/examples/ingress-resources/rate-limit/README.md index 3b8181c265..531119778a 100644 --- a/examples/ingress-resources/rate-limit/README.md +++ b/examples/ingress-resources/rate-limit/README.md @@ -24,11 +24,11 @@ balancing for that application using the Ingress resource with rate-limiting con ## 2. Deploy the Cafe Application -Create the coffee and the tea deployments and services: + Create the coffee and the tea deployments and services: -```console -kubectl create -f cafe.yaml -``` + ```console + kubectl create -f cafe.yaml + ``` ## 3. Configure Load Balancing From 25c17c8881cdc2f74a386bd7f3ffc270d9532baf Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 11 Jan 2024 12:13:43 +0000 Subject: [PATCH 3/6] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- examples/ingress-resources/custom-annotations/README.md | 2 +- examples/ingress-resources/rate-limit/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/ingress-resources/custom-annotations/README.md b/examples/ingress-resources/custom-annotations/README.md index a62df3d511..49494435ef 100644 --- a/examples/ingress-resources/custom-annotations/README.md +++ b/examples/ingress-resources/custom-annotations/README.md @@ -3,7 +3,7 @@ Custom annotations enable you to quickly extend the Ingress resource to support many advanced features of NGINX, such as rate limiting, caching, etc. -**Note**: Rate-limiting is now available with native annotation support, however this guide is still applicable for other +**Note**: Rate-limiting is now available with native annotation support, however this guide is still applicable for other Nginx functionalities. Let's create a set of custom annotations to support diff --git a/examples/ingress-resources/rate-limit/README.md b/examples/ingress-resources/rate-limit/README.md index 531119778a..a4090b0d78 100644 --- a/examples/ingress-resources/rate-limit/README.md +++ b/examples/ingress-resources/rate-limit/README.md @@ -64,7 +64,7 @@ balancing for that application using the Ingress resource with rate-limiting con ```console curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure ``` - + ```text 429 Too Many Requests From d4b46143e6591502eec7f6f6c846364adac6ec0e Mon Sep 17 00:00:00 2001 From: Venktesh Date: Thu, 11 Jan 2024 12:18:35 +0000 Subject: [PATCH 4/6] fix md errors --- examples/ingress-resources/rate-limit/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/ingress-resources/rate-limit/README.md b/examples/ingress-resources/rate-limit/README.md index a4090b0d78..1b468d0359 100644 --- a/examples/ingress-resources/rate-limit/README.md +++ b/examples/ingress-resources/rate-limit/README.md @@ -24,7 +24,7 @@ balancing for that application using the Ingress resource with rate-limiting con ## 2. Deploy the Cafe Application - Create the coffee and the tea deployments and services: +1. Create the coffee and the tea deployments and services: ```console kubectl create -f cafe.yaml @@ -46,7 +46,7 @@ balancing for that application using the Ingress resource with rate-limiting con ## 4. Test the Application - Let's test the configuration. If you access the application at a rate that exceeds one request per second, NGINX will +1. Let's test the configuration. If you access the application at a rate that exceeds one request per second, NGINX will start rejecting your requests: To get coffee: From 32b5c08da9afa2627164d2549935fad6c1ab812a Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Thu, 11 Jan 2024 12:35:52 +0000 Subject: [PATCH 5/6] update with review suggestions Co-authored-by: Alan Dooley Signed-off-by: Venktesh Shivam Patel --- examples/ingress-resources/custom-annotations/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/ingress-resources/custom-annotations/README.md b/examples/ingress-resources/custom-annotations/README.md index 49494435ef..8ee6464b31 100644 --- a/examples/ingress-resources/custom-annotations/README.md +++ b/examples/ingress-resources/custom-annotations/README.md @@ -4,7 +4,7 @@ Custom annotations enable you to quickly extend the Ingress resource to support rate limiting, caching, etc. **Note**: Rate-limiting is now available with native annotation support, however this guide is still applicable for other -Nginx functionalities. +NGINX functionalities. Let's create a set of custom annotations to support [rate-limiting](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html): From 3b10cd0697d6a6a640d46e8aa4c1835ef5b950b6 Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Thu, 11 Jan 2024 12:35:59 +0000 Subject: [PATCH 6/6] update with review suggestions Co-authored-by: Alan Dooley Signed-off-by: Venktesh Shivam Patel --- examples/ingress-resources/rate-limit/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/ingress-resources/rate-limit/README.md b/examples/ingress-resources/rate-limit/README.md index 1b468d0359..e5f8dfafd6 100644 --- a/examples/ingress-resources/rate-limit/README.md +++ b/examples/ingress-resources/rate-limit/README.md @@ -1,6 +1,6 @@ # Example -In this example we deploy the NGINX or NGINX Plus Ingress Controller, a simple web application and then configure load +In this example we deploy NGINX or NGINX Plus Ingress Controller, a simple web application and then configure load balancing for that application using the Ingress resource with rate-limiting configures via annotaions. ## Running the Example