tarun-google commented on code in PR #37285: URL: https://github.com/apache/beam/pull/37285#discussion_r2699742868
########## examples/terraform/envoy-ratelimiter/README.md: ########## 
@@ -0,0 +1,167 @@ +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> + +# Envoy Rate Limiter on GKE (Terraform) +This directory contains a production-ready Terraform module to deploy a scalable **Envoy Rate Limit Service** on Google Kubernetes Engine (GKE) Autopilot. + +## Architectures: +- **GKE Autopilot**: Fully managed, serverless Kubernetes environment. + - **Private Cluster**: Nodes have internal IPs only. + - **Cloud NAT (Prerequisite)**: Allows private nodes to pull Docker images. +- **Envoy Rate Limit Service**: A stateless Go/gRPC service that handles rate limit logic. +- **Redis**: Stores the rate limit counters. +- **StatsD Exporter**: Sidecar container that converts StatsD metrics to Prometheus format, exposed on port `9102`. +- **Internal Load Balancer**: A Google Cloud TCP Load Balancer exposing the Rate Limit service internally within the VPC. + +## Prerequisites: +### Following items need to be setup for Envoy Rate Limiter deployment on GCP: +1. [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects) + +2. 
[Tools Installed](https://cloud.google.com/sdk/docs/install): + - [Terraform](https://www.terraform.io/downloads.html) >= 1.0 + - [Google Cloud SDK](https://cloud.google.com/sdk/docs/install) (`gcloud`) + - [kubectl](https://kubernetes.io/docs/tasks/tools/) + +3. APIs Enabled: + ```bash + gcloud services enable container.googleapis.com compute.googleapis.com + ``` + +4. **Network Configuration**: + - **Cloud NAT**: Must exist in the region to allow Private Nodes to pull images and reach external APIs. Follow [this](https://docs.cloud.google.com/nat/docs/gke-example#create-nat) for more details. + **Helper Command** (if you need to create one): + ```bash + gcloud compute routers create nat-router --network <VPC_NAME> --region <REGION> + gcloud compute routers nats create nat-config \ + --router=nat-router \ + --region=<REGION> \ + --auto-allocated-nat-external-ips \ + --nat-all-subnet-ip-ranges + ``` + - **Validation via Console**: + 1. Go to **Network Services** > **Cloud NAT** in the Google Cloud Console. + 2. Verify a NAT Gateway exists for your **Region** and **VPC Network**. + 3. Ensure it is configured to apply to **Primary and Secondary ranges** (or at least the ranges GKE will use). + +# Prepare deployment configuration: +1. Create a `terraform.tfvars` file to define variables specific to your environment: Review Comment: Added the file -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
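Review bot: the Cloud NAT helper command under Prerequisites step 4 combines `--auto-allocated-nat-external-ips` with `--nat-all-subnet-ip-ranges`, which grants outbound internet access to every subnet in the VPC rather than only the node and pod ranges the private GKE cluster needs; for a module the README calls "production-ready", please either document the narrower `--nat-custom-subnet-ip-ranges=<SUBNET>` form as the recommended one or state explicitly that the broad form is a convenience shortcut, so readers are not steered toward VPC-wide egress by default. Smaller points in the same hunk: the "Validation via Console" steps could be paired with a scriptable check such as `gcloud compute routers nats list --router=nat-router --region=<REGION>`; the "Prepare deployment configuration" section is an `#` H1 while its sibling sections use `##`; and the "Architectures:" and "Prerequisites:" headings carry trailing colons that the other headings do not.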
