External Rate Limiting with TLS Verification
Once you have configured an external rate limit server, you may want to secure the traffic between the Ingress Gateway and the rate limit service. TSB supports specifying TLS or mTLS parameters for securing communication to external rate limit servers. This document shows you how to configure TLS validation for an external rate limit server by adding the CA certificate to the rate limiting configuration.
Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB environment. You can use the TSB demo for a quick install
✓ Complete the TSB usage quickstart. This document assumes you have already created a Tenant and are familiar with Workspaces and Config Groups. You also need to configure tctl for your TSB environment.
✓ Complete Setting Up an External Rate Limiting Server. This document continues from where that document ends: you will work in the ext-ratelimit namespace, and you should already have an Ingress Gateway with an external rate limit server properly configured
To enable TLS for the traffic from the Ingress Gateway to the rate limit service, you must have a TLS certificate. This document assumes you already have TLS certificates, which usually consist of a server certificate and its private key, along with the CA (root) certificate that the client will use to validate the server.
This document assumes the presence of the following files. If you are using different file names, change the commands below accordingly:
| File | Description |
| --- | --- |
| ratelimit.crt | The server certificate |
| ratelimit.key | The certificate private key |
| ratelimit-ca.crt | The CA certificate |
:::note Self-signed certificate
For the purpose of this example, you may opt to use a self-signed certificate. You may generate one using the script shown here, but make sure to adjust the input parameters accordingly.
:::
Once you have the certificate files, create a Kubernetes TLS secret from the server certificate and private key:

```bash
kubectl create secret tls -n ext-ratelimit ratelimit-certs \
  --cert=ratelimit.crt \
  --key=ratelimit.key
```
Deploy Rate Limit Service with TLS certificate
In this example you will use the Envoy rate limit service. An Envoy proxy sidecar acts as a pass-through proxy: it validates and terminates TLS, then forwards the plain gRPC request to the rate limit service on the same pod.
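As an added illustration of that sidecar (this is example code, not the page's own proxy-config-tls.yaml), a minimal Envoy static configuration that terminates TLS and forwards to the rate limit container. It assumes the ratelimit-certs secret is mounted at /etc/ratelimit/certs (kubectl create secret tls stores the files as tls.crt and tls.key), that the CA certificate is mounted separately as ca.crt in the same directory, that the ratelimit container listens for gRPC on 127.0.0.1:8081, and that the sidecar listens on port 8443; all of these are assumptions.

```yaml
# Added example: Envoy sidecar that terminates TLS and forwards plain gRPC to the
# rate limit container. Ports and paths are assumptions, not taken from this page.
static_resources:
  listeners:
  - name: ratelimit_tls
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }   # assumed TLS port of the sidecar
    filter_chains:
    - filters:
      # A plain TCP proxy is enough: gRPC (HTTP/2) passes through untouched
      # once the TLS layer has been removed.
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: ratelimit_tls
          cluster: ratelimit_local
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # mTLS variant: require and validate the Ingress Gateway's client certificate.
          # Remove this line and validation_context below for server-only TLS.
          require_client_certificate: true
          common_tls_context:
            alpn_protocols: ["h2"]   # advertise HTTP/2 for the gRPC client
            tls_certificates:
            - certificate_chain: { filename: /etc/ratelimit/certs/tls.crt }   # from the ratelimit-certs secret
              private_key: { filename: /etc/ratelimit/certs/tls.key }
            validation_context:
              # CA that signed the client certificate presented by the gateway (assumed mount)
              trusted_ca: { filename: /etc/ratelimit/certs/ca.crt }
  clusters:
  - name: ratelimit_local
    type: STATIC
    connect_timeout: 1s
    load_assignment:
      cluster_name: ratelimit_local
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8081 }   # assumed gRPC port of the ratelimit container
```

With require_client_certificate set, the Ingress Gateway must present a client certificate signed by the CA in trusted_ca, in addition to validating the server certificate as described in the next section.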
Create a configuration file for Envoy called proxy-config-tls.yaml with the following content:
Execute the following to store the configuration in Kubernetes as a ConfigMap:

```bash
kubectl create configmap -n ext-ratelimit ratelimit-proxy \
  --from-file=proxy-config-tls.yaml
```
Next, deploy the rate limit service with an Envoy sidecar that terminates TLS. Create a file called ratelimit-tls.yaml with the following content:
Then apply it using:

```bash
kubectl apply -f ratelimit-tls.yaml
```
Once you have applied the new configuration, make sure that the ratelimit-tls service is running properly. Note that if you have followed the instructions in Setting Up an External Rate Limiting Server, you will also see the ratelimit and redis pods:

```bash
kubectl get pods -n ext-ratelimit
```

```
NAME                             READY   STATUS    RESTARTS   AGE
ratelimit-d5c5b64ff-m87dt        1/1     Running   0          2h
ratelimit-tls-568c5cdc69-z82xf   2/2     Running   0          89s
redis-7d757c948f-42sxg           1/1     Running   0          2h
```
Enable TLS validation for rate limit server in Ingress Gateway
The ratelimit-tls service can now terminate TLS, but the Ingress Gateway must also be configured to validate the TLS connection using the CA certificate.
First, create a ConfigMap called ratelimit-ca to store the CA certificate from ratelimit-ca.crt:

```bash
kubectl create configmap -n httpbin ratelimit-ca \
  --from-file=ratelimit-ca.crt
```
Then add the ConfigMap to the Ingress Gateway pod. To do this, edit the httpbin-ingress-gateway.yaml file and add an overlay that reads the ConfigMap you created in the previous step and mounts it into the ingress gateway deployment.
Apply it with kubectl to update the existing ingress gateway:

```bash
kubectl apply -f httpbin-ingress-gateway.yaml
```
Finally, update the Ingress Gateway configuration in ext-ratelimit-ingress-gateway.yaml and enable TLS validation:
Then apply it with tctl:

```bash
tctl apply -f ext-ratelimit-ingress-gateway-tls.yaml
```

To verify that the setup is working, use the same testing steps shown in the Testing section of Setting Up an External Rate Limiting Server.