From e156b7c7a1f85b623265ae98fb8f2f79af70e785 Mon Sep 17 00:00:00 2001 From: "d.viti" Date: Tue, 7 Oct 2025 15:01:22 +0200 Subject: [PATCH] Refactor ADC config to use AI rate limiting for /api route
---
adc.yaml | 50 ++++++ diff.yaml | 164 ++++++++++++++++++ .../templates/configmap-adc.yaml | 106 +++-------- helm/api7ee-demo-k8s/values.yaml | 9 +- 4 files changed, 245 insertions(+), 84 deletions(-) create mode 100644 adc.yaml create mode 100644 diff.yaml
diff --git a/adc.yaml b/adc.yaml
new file mode 100644
index 0000000..a861399
--- /dev/null
+++ b/adc.yaml
@@ -0,0 +1,50 @@
+services:
+ - name: apache-service
+ hosts:
+ - commandware.it
+ upstream:
+ name: apache-upstream
+ scheme: http
+ type: roundrobin
+ nodes:
+ - host: apache-service.api7ee.svc.cluster.local
+ port: 80
+ weight: 100
+ routes:
+ - name: apache-route
+ uris:
+ - /*
+ vars:
+ - - uri
+ - "~~"
+ - "^(?!/api)"
+ priority: 1
+ plugins:
+ redirect:
+ http_to_https: true
+
+ - name: nginx-api-service
+ hosts:
+ - commandware.it
+ upstream:
+ name: nginx-upstream
+ scheme: http
+ type: roundrobin
+ nodes:
+ - host: nginx-service.api7ee.svc.cluster.local
+ port: 80
+ weight: 100
+ routes:
+ - name: nginx-api-route
+ uris:
+ - /api
+ - /api/*
+ priority: 10
+ plugins:
+ redirect:
+ http_to_https: true
+ ai-rate-limiting:
+ limit: 100
+ time_window: 60
+ rejected_code: 429
+ limit_strategy: "total_tokens"
diff --git a/diff.yaml b/diff.yaml
new file mode 100644
index 0000000..ad96b3b
--- /dev/null
+++ b/diff.yaml
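Review bot: The `vars` guard `"^(?!/api)"` on `apache-route` excludes every path that merely starts with `/api`, while `nginx-api-route` only lists `/api` and `/api/*`, so a request such as `/apidocs` or `/api-v2` appears to match neither route. If the intent is to carve out only the API prefix, anchor the lookahead on a path boundary, e.g. `- "^(?!/api(/|$))"`. The same expression is repeated in the `configmap-adc.yaml` hunk, so both copies should change together. This file also hard-codes `commandware.it` and the `api7ee` namespace that the Helm template renders from values; a header comment saying whether `adc.yaml` is a rendered snapshot or a hand-maintained source would keep the two from drifting.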
@@ -0,0 +1,164 @@ +- resourceType: route + type: update + resourceId: 300352210d490360aa898cc92cc1ebd72eaaa51a + resourceName: apache-route + oldValue: + uris: + - /* + name: apache-route + plugins: + redirect: + http_to_https: true + priority: 1 + vars: + - - uri + - ~~ + - ^(?!/api) + newValue: + name: apache-route + hosts: + - commandware.it + uris: + - /* + priority: 1 + vars: + - - uri + - ~~ + - ^(?!/api) + plugins: + redirect: + http_to_https: true + diff: + - kind: 'N' + path: + - hosts + rhs: + - commandware.it + parentId: d67f707ab99345fbe8bf7e21a73b7c0136ad5a27 +- resourceType: route + type: update + resourceId: 1704231ea22866bfc59bf5bc58efb578c6e4cb1a + resourceName: nginx-api-route + oldValue: + uris: + - /api + - /api/* + name: nginx-api-route + plugins: + ai-rate-limiting: + limit: 100 + limit_strategy: total_tokens + rejected_code: 429 + time_window: 60 + redirect: + http_to_https: true + priority: 10 + newValue: + name: nginx-api-route + hosts: + - commandware.it + uris: + - /api + - /api/* + priority: 10 + plugins: + redirect: + http_to_https: true + ai-rate-limiting: + limit: 100 + time_window: 60 + rejected_code: 429 + limit_strategy: total_tokens + diff: + - kind: 'N' + path: + - hosts + rhs: + - commandware.it + parentId: c87a0166e1c37ecfd013d6e5db2dbec88b710939 +- resourceType: service + type: update + resourceId: d67f707ab99345fbe8bf7e21a73b7c0136ad5a27 + resourceName: apache-service + oldValue: + name: apache-service + upstream: + name: apache-upstream + type: roundrobin + hash_on: vars + nodes: + - host: apache-service.api7ee.svc.cluster.local + port: 80 + weight: 100 + priority: 0 + scheme: http + retry_timeout: 0 + pass_host: pass + strip_path_prefix: true + newValue: + name: apache-service + upstream: + name: apache-upstream + type: roundrobin + nodes: + - host: apache-service.api7ee.svc.cluster.local + port: 80 + weight: 100 + priority: 0 + scheme: http + pass_host: pass + strip_path_prefix: true + diff: + - kind: D + path: + - 
upstream + - hash_on + lhs: vars + - kind: D + path: + - upstream + - retry_timeout + lhs: 0 +- resourceType: service + type: update + resourceId: c87a0166e1c37ecfd013d6e5db2dbec88b710939 + resourceName: nginx-api-service + oldValue: + name: nginx-api-service + upstream: + name: nginx-upstream + type: roundrobin + hash_on: vars + nodes: + - host: nginx-service.api7ee.svc.cluster.local + port: 80 + weight: 100 + priority: 0 + scheme: http + retry_timeout: 0 + pass_host: pass + strip_path_prefix: true + newValue: + name: nginx-api-service + upstream: + name: nginx-upstream + type: roundrobin + nodes: + - host: nginx-service.api7ee.svc.cluster.local + port: 80 + weight: 100 + priority: 0 + scheme: http + pass_host: pass + strip_path_prefix: true + diff: + - kind: D + path: + - upstream + - hash_on + lhs: vars + - kind: D + path: + - upstream + - retry_timeout + lhs: 0 diff --git a/helm/api7ee-demo-k8s/templates/configmap-adc.yaml b/helm/api7ee-demo-k8s/templates/configmap-adc.yaml index d78e8ed..a2701aa 100644 --- a/helm/api7ee-demo-k8s/templates/configmap-adc.yaml +++ b/helm/api7ee-demo-k8s/templates/configmap-adc.yaml 
@@ -9,115 +9,61 @@ metadata: data: adc-config.yaml: | services: - {{- if .Values.web.enabled }} - - name: web-service + - name: apache-service + hosts: + - {{ (first .Values.api7.hosts) | quote }} upstream: - name: web-upstream + name: apache-upstream scheme: http type: roundrobin - {{- if .Values.api7.serviceDiscovery.enabled }} - discovery_type: kubernetes - service_name: {{ .Release.Namespace }}/{{ include "api7ee.fullname" . }}-web:http - {{- else }} nodes: - - host: {{ include "api7ee.fullname" . }}-web.{{ .Release.Namespace }}.svc.cluster.local - port: {{ .Values.web.service.port }} + - host: apache-service.{{ .Release.Namespace }}.svc.cluster.local + port: 80 weight: 100 - {{- end }} routes: - - name: web-route + - name: apache-route uris: - /* - hosts: - {{- range .Values.api7.hosts }} - - {{ . | quote }} - {{- end }} - priority: 0 + vars: + - - uri + - "~~" + - "^(?!/api)" + priority: 1 plugins: {{- if .Values.api7.tls.enabled }} redirect: http_to_https: true {{- end }} - {{- if .Values.api7.plugins.rateLimit.enabled }} - limit-count: - count: {{ .Values.api7.plugins.rateLimit.count }} - time_window: {{ .Values.api7.plugins.rateLimit.timeWindow }} - rejected_code: 429 - {{- end }} - {{- if .Values.api7.plugins.cors.enabled }} - cors: - allow_origins: {{ .Values.api7.plugins.cors.allowOrigins | toJson }} - allow_methods: {{ .Values.api7.plugins.cors.allowMethods | toJson }} - allow_headers: {{ .Values.api7.plugins.cors.allowHeaders | toJson }} - expose_headers: {{ .Values.api7.plugins.cors.exposeHeaders | toJson }} - max_age: {{ .Values.api7.plugins.cors.maxAge }} - allow_credentials: {{ .Values.api7.plugins.cors.allowCredentials }} - {{- end }} - {{- end }} - {{- if .Values.api.enabled }} - - name: api-service + - name: nginx-api-service + hosts: + - {{ (first .Values.api7.hosts) | quote }} upstream: - name: api-upstream + name: nginx-upstream scheme: http type: roundrobin - {{- if .Values.api7.serviceDiscovery.enabled }} - discovery_type: kubernetes - 
service_name: {{ .Release.Namespace }}/{{ include "api7ee.fullname" . }}-api:http - {{- else }} nodes: - - host: {{ include "api7ee.fullname" . }}-api.{{ .Release.Namespace }}.svc.cluster.local - port: {{ .Values.api.service.port }} + - host: nginx-service.{{ .Release.Namespace }}.svc.cluster.local + port: 80 weight: 100 - {{- end }} routes: - - name: api-route + - name: nginx-api-route uris: - /api - /api/* - hosts: - {{- range .Values.api7.hosts }} - - {{ . | quote }} - {{- end }} priority: 10 plugins: {{- if .Values.api7.tls.enabled }} redirect: http_to_https: true {{- end }} - proxy-rewrite: - regex_uri: - - ^/api/(.*) - - /$1 - {{- if .Values.api7.plugins.rateLimit.enabled }} - limit-count: - count: {{ .Values.api7.plugins.rateLimit.apiCount | default .Values.api7.plugins.rateLimit.count }} - time_window: {{ .Values.api7.plugins.rateLimit.timeWindow }} - rejected_code: 429 + {{- if .Values.api7.plugins.aiRateLimit.enabled }} + ai-rate-limiting: + limit: {{ .Values.api7.plugins.aiRateLimit.limit }} + time_window: {{ .Values.api7.plugins.aiRateLimit.timeWindow }} + rejected_code: {{ .Values.api7.plugins.aiRateLimit.rejectedCode }} + limit_strategy: {{ .Values.api7.plugins.aiRateLimit.limitStrategy | quote }} {{- end }} - {{- if .Values.api7.plugins.auth.enabled }} - key-auth: - header: {{ .Values.api7.plugins.auth.header | default "X-API-Key" }} - {{- end }} - {{- end }} - - {{- if .Values.api7.tls.enabled }} - ssls: - - snis: - {{- range .Values.api7.hosts }} - - {{ . | quote }} - {{- end }} - certificates: - {{- if .Values.api7.tls.certManager.enabled }} - - certificate: /etc/ssl/certs/tls.crt - key: /etc/ssl/certs/tls.key - {{- else if .Values.api7.tls.certificate }} - - certificate: | - {{ .Values.api7.tls.certificate | nindent 14 }} - key: | - {{ .Values.api7.tls.key | nindent 14 }} - {{- end }} - {{- end }} {{- if .Values.api7.plugins.auth.enabled }} consumers: 
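Review bot: The `/api` route loses its `key-auth` block in this hunk while the `consumers:` section that follows is still rendered under `.Values.api7.plugins.auth.enabled`, so setting `auth.enabled: true` now creates consumers and keys that no route enforces. The per-request `limit-count` limiter is also removed from both routes, which leaves `apache-route` with no throttling at all. Either keep the `key-auth` stanza (guarded by the same `auth.enabled` flag) under the `plugins:` of `nginx-api-route`, or remove the consumers block and the auth values in the same change so the chart does not advertise a control it no longer applies. The `ssls:` block is dropped too while `redirect: http_to_https` stays, so the certificate presumably has to be supplied outside this ConfigMap; a comment saying where would help. The consumers block continues past the end of the hunk.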
@@ -144,4 +90,4 @@ data: batch_max_size: {{ .Values.api7.plugins.logging.batchMaxSize | default 1000 }} inactive_timeout: {{ .Values.api7.plugins.logging.inactiveTimeout | default 5 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm/api7ee-demo-k8s/values.yaml b/helm/api7ee-demo-k8s/values.yaml index 520cdee..c3e1b93 100644 --- a/helm/api7ee-demo-k8s/values.yaml +++ b/helm/api7ee-demo-k8s/values.yaml @@ -247,12 +247,13 @@ api7: # API7 Plugins Configuration plugins: - # Rate limiting - rateLimit: + # AI Rate limiting (for /api route) + aiRateLimit: enabled: true - count: 100 + limit: 100 timeWindow: 60 - apiCount: 1000 # Higher limit for API endpoints + rejectedCode: 429 + limitStrategy: "total_tokens" # CORS configuration cors:
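Review bot: `limitStrategy: "total_tokens"` makes `limit: 100` a budget of LLM tokens per `timeWindow`, not a request count, and the `/api` upstream configured by this commit is a plain nginx service. As far as I know the `ai-rate-limiting` plugin counts token usage reported in LLM responses (it is normally paired with `ai-proxy`), so on this route it may never reject anything even with `enabled: true`; worth confirming against the gateway version in use. If request throttling is still wanted, keep a `limit-count` setting alongside it. At minimum the comment should state the unit, e.g. `# AI rate limiting for /api: limit is LLM tokens per timeWindow seconds, not requests`. Renaming `rateLimit` to `aiRateLimit` also means existing overrides of `rateLimit.count` or `rateLimit.apiCount` are silently ignored.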