External Rate Limiting with TLS Verification

Once you have configured an external rate limit server, you may want to secure the traffic between the Ingress Gateway and the rate limit service. TSB supports specifying TLS or mTLS parameters for securing communication to external rate limit servers. This document shows how to configure TLS validation for an external rate limit server by adding the CA certificate to the rate limiting configuration.

Before you get started, make sure you:
✓ Are familiar with TSB concepts
✓ Have installed the TSB environment. You can use the TSB demo for a quick install
✓ Have completed the TSB usage quickstart. This document assumes you have already created a Tenant and are familiar with Workspaces and Config Groups. You also need to have configured tctl for your TSB environment
✓ Have completed Setting Up an External Rate Limiting Server. This document continues from that guide: you will work in the ext-ratelimit namespace, and should already have an Ingress Gateway with an external rate limit properly configured

TLS certificate

To enable TLS between the Ingress Gateway and the rate limit service, you need a TLS certificate. This document assumes you already have one: a server certificate and its private key, which the rate limit service presents, and the CA certificate that issued it, which the client (the Ingress Gateway) uses to validate the server.

This document assumes the presence of the following files. If you are using different file names, change them accordingly:

File name          Description
ratelimit.crt      The server certificate presented by the rate limit service
ratelimit.key      The private key for the server certificate
ratelimit-ca.crt   The CA certificate that issued the server certificate, used by the Ingress Gateway for validation

:::note Self-signed certificate
For the purposes of this example, you may use a self-signed certificate. You can generate one with the script shown here, but make sure to adjust the input parameters (certificate names and the service hostname) accordingly.
:::

Once you have the certificate files, create a Kubernetes TLS secret in the ext-ratelimit namespace from the server certificate and private key. The CA certificate is not part of this secret; it is mounted into the Ingress Gateway later.

kubectl create secret tls -n ext-ratelimit ratelimit-certs \
  --cert=ratelimit.crt \
  --key=ratelimit.key
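The guide leaves the certificate generation to an external script and takes the secret and ConfigMap names as given. The following is an added example, not part of the TSB guide or the Envoy ratelimit project: it mints a private CA and a server certificate for the ratelimit-tls service, then checks the result the way the Ingress Gateway will (chain to the CA, hostname match) before anything is loaded into the cluster, and shows the failure case of a certificate whose chain is not trusted. The service name ratelimit-tls, the namespaces ext-ratelimit and httpbin, the in-cluster hostname, the local port 18081, and the RL_TLS_PORT variable are assumptions; set RL_TLS_PORT to the TLS listener port you configured in proxy-config-tls.yaml before calling probe_live_service.

```shell
#!/bin/sh
# Added example, not part of the TSB guide or the Envoy ratelimit project.
# Mints a private CA plus a server certificate for the ratelimit-tls service,
# then checks the result the way the Ingress Gateway will before anything is
# loaded into the cluster. Needs openssl 1.1.1 or newer; kubectl is used only
# by load_into_cluster and probe_live_service, which are not run by default.
set -eu

# Assumed names (change them if your service or namespace differs).
RL_SERVICE="${RL_SERVICE:-ratelimit-tls}"
RL_NAMESPACE="${RL_NAMESPACE:-ext-ratelimit}"
RL_FQDN="$RL_SERVICE.$RL_NAMESPACE.svc.cluster.local"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

gen_ca() {
  # Self-signed CA. Only ratelimit-ca.crt goes to the gateway; the key never enters the cluster.
  cat > "$OUT_DIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = ratelimit-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$OUT_DIR/ca.cnf" \
    -keyout "$OUT_DIR/ratelimit-ca.key" -out "$OUT_DIR/ratelimit-ca.crt" 2>/dev/null
}

gen_server_cert() {
  # The SAN list must contain the name the gateway dials: a trusted CA alone is not enough.
  cat > "$OUT_DIR/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $RL_FQDN
EOF
  cat > "$OUT_DIR/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$RL_FQDN,DNS:$RL_SERVICE.$RL_NAMESPACE.svc,DNS:$RL_SERVICE
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$OUT_DIR/server.cnf" \
    -keyout "$OUT_DIR/ratelimit.key" -out "$OUT_DIR/ratelimit.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$OUT_DIR/ratelimit.csr" \
    -CA "$OUT_DIR/ratelimit-ca.crt" -CAkey "$OUT_DIR/ratelimit-ca.key" -CAcreateserial \
    -extfile "$OUT_DIR/server.ext" -out "$OUT_DIR/ratelimit.crt" 2>/dev/null
}

# Chain to ratelimit-ca.crt and match the hostname, i.e. what the gateway checks.
# Returns 0 when the server certificate would be accepted for the given name.
verify_for_host() {
  openssl verify -CAfile "$OUT_DIR/ratelimit-ca.crt" -verify_hostname "$1" \
    "$OUT_DIR/ratelimit.crt" >/dev/null 2>&1
}

# Without the CA the chain is untrusted, which is what a missing or misplaced
# ratelimit-ca ConfigMap looks like from the gateway. Returns 0 when verification fails.
untrusted_without_ca() {
  ! openssl verify -no-CAfile -no-CApath "$OUT_DIR/ratelimit.crt" >/dev/null 2>&1
}

# Server cert and key go next to the service as a TLS secret; the CA cert goes
# next to the gateway as a ConfigMap (the httpbin namespace, as in the guide).
load_into_cluster() {
  kubectl create secret tls -n "$RL_NAMESPACE" ratelimit-certs \
    --cert="$OUT_DIR/ratelimit.crt" --key="$OUT_DIR/ratelimit.key"
  kubectl create configmap -n httpbin ratelimit-ca --from-file="$OUT_DIR/ratelimit-ca.crt"
}

# Handshake with the deployed sidecar through a port-forward, validating exactly as
# the gateway does. RL_TLS_PORT is an assumption: set it to the TLS listener port
# you configured in proxy-config-tls.yaml.
probe_live_service() {
  kubectl port-forward -n "$RL_NAMESPACE" "svc/$RL_SERVICE" \
    "18081:${RL_TLS_PORT:?set to the sidecar TLS listener port}" >/dev/null 2>&1 &
  pf=$!
  sleep 2
  openssl s_client -connect 127.0.0.1:18081 -servername "$RL_FQDN" \
    -CAfile "$OUT_DIR/ratelimit-ca.crt" -verify_hostname "$RL_FQDN" -verify_return_error \
    </dev/null 2>/dev/null | grep 'Verify return code'
  kill "$pf"
}

gen_ca
gen_server_cert
verify_for_host "$RL_FQDN"
untrusted_without_ca
echo "certificates written to $OUT_DIR"
```

The negative checks are the useful part: verify_for_host with a name that is not in the SAN list fails, and untrusted_without_ca shows that the server certificate is rejected as soon as the CA is absent, which is exactly the situation when the ratelimit-ca ConfigMap is created in the wrong namespace or not mounted into the gateway.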

Deploy Rate Limit Service with TLS certificate

In this example you will use the Envoy rate limit service. An Envoy proxy sidecar in the same pod acts as a pass-through proxy: it terminates and validates TLS, then forwards the request to the rate limit service.

Create a configuration file for Envoy named proxy-config-tls.yaml with the following content:

{proxyConfigTlsYAML}

Execute the following to store the configuration in Kubernetes as a ConfigMap.

kubectl create configmap -n ext-ratelimit ratelimit-proxy \
  --from-file=proxy-config-tls.yaml

Next, deploy the rate limit service with an Envoy sidecar that terminates TLS. Create a file called ratelimit-tls.yaml with the following content:

{ratelimitTlsYAML}

Then apply this using kubectl:

kubectl apply -f ratelimit-tls.yaml

Once you have applied the new configuration, make sure that the ratelimit-tls pod is running with both containers ready (2/2: the rate limit service and the Envoy sidecar). If you followed the instructions in Setting Up an External Rate Limiting Server, you will also see the ratelimit and redis pods.

kubectl get pods -n ext-ratelimit

NAME                             READY   STATUS    RESTARTS   AGE
ratelimit-d5c5b64ff-m87dt        1/1     Running   0          2h
ratelimit-tls-568c5cdc69-z82xf   2/2     Running   0          89s
redis-7d757c948f-42sxg           1/1     Running   0          2h

Enable TLS validation for rate limit server in Ingress Gateway

The ratelimit-tls service can now terminate TLS, but the Ingress Gateway must also be configured to validate the certificate it presents.

First, create a ConfigMap named ratelimit-ca holding the CA certificate from ratelimit-ca.crt. It must live in the same namespace as the Ingress Gateway pod that will mount it (httpbin in this guide), not in ext-ratelimit:

kubectl create configmap -n httpbin ratelimit-ca \
  --from-file=ratelimit-ca.crt

Then mount the ratelimit-ca ConfigMap into the Ingress Gateway pod. To do this, edit the httpbin-ingress-gateway.yaml file and add an overlay that references the ConfigMap you created in the previous step and mounts it as a volume in the ingress gateway deployment.

{httpbinIngressGatewayTlsYAML}

Apply it with kubectl to update the existing ingress gateway:

kubectl apply -f httpbin-ingress-gateway.yaml

Finally, update the Ingress Gateway configuration from ext-ratelimit-ingress-gateway.yaml to enable TLS validation against the mounted CA certificate, and save it as ext-ratelimit-ingress-gateway-tls.yaml:

{extRatelimitIngressGatewayTlsYAML}

Apply it with tctl:

tctl apply -f ext-ratelimit-ingress-gateway-tls.yaml

Testing

To verify that the setup is working, use the same steps as in the Testing section of “Setting Up an External Rate Limiting Server”. Requests should be rate limited exactly as before. If requests are no longer rate limited, or are all rejected, check the Ingress Gateway proxy logs for TLS handshake errors against the rate limit service; the usual causes are a CA certificate that did not issue the server certificate, a ratelimit-ca ConfigMap created in the wrong namespace or not mounted, or a server certificate whose name does not match the rate limit service hostname.