diff --git a/charts/puris/Chart.yaml b/charts/puris/Chart.yaml
index aaf289f9..33563bdc 100644
--- a/charts/puris/Chart.yaml
+++ b/charts/puris/Chart.yaml
@@ -25,12 +25,12 @@ description: A helm chart for Kubernetes deployment of PURIS
 type: application
 home: https://github.com/eclipse-tractusx/puris
 sources:
- - https://github.com/eclipse-tractusx/puris
+ - https://github.com/eclipse-tractusx/puris
 dependencies:
- - condition: postgresql.enabled
- name: postgresql
- repository: https://charts.bitnami.com/bitnami
- version: 12.12.x
+ - condition: postgresql.enabled
+ name: postgresql
+ repository: https://charts.bitnami.com/bitnami
+ version: 12.12.x
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
diff --git a/charts/puris/README.md b/charts/puris/README.md
index 441f19e9..d67c477a 100644
--- a/charts/puris/README.md
+++ b/charts/puris/README.md
@@ -156,6 +156,9 @@ $ helm install puris --namespace puris --create-namespace .
 | frontend.puris.keycloak.realm | string | `"Catena-X"` | Name of the Realm of the keycloak instance. |
 | frontend.puris.keycloak.redirectUrlFrontend | string | `"https://your-frontend-url.com"` | URL to use as keycloak redirect url. |
 | frontend.puris.keycloak.url | string | `"https://idp.com/auth"` | The URL to the IDP that should be used. |
+| frontend.puris.rateLimiting.burst | int | `30` | Burst rate limiting for nginx. |
+| frontend.puris.rateLimiting.limit | string | `"10m"` | Bucket zone limit for rate limiting in nginx. |
+| frontend.puris.rateLimiting.rate | string | `"10r/s"` | Allowed rates per second for nginx rate limiting. |
 | frontend.readinessProbe | object | `{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Checks if the pod is fully ready to operate |
 | frontend.readinessProbe.failureThreshold | int | `3` | Number of failures (threshold) for a readiness probe |
 | frontend.readinessProbe.initialDelaySeconds | int | `10` | Delay in seconds after which an initial readiness probe is checked |
diff --git a/charts/puris/templates/frontend-deployment.yaml b/charts/puris/templates/frontend-deployment.yaml
index ce753708..d3ec2186 100644
--- a/charts/puris/templates/frontend-deployment.yaml
+++ b/charts/puris/templates/frontend-deployment.yaml
@@ -72,6 +72,12 @@ spec:
 value: "{{ .Values.frontend.puris.keycloak.clientId }}"
 - name: IDP_REDIRECT_URL_FRONTEND
 value: "{{ .Values.frontend.puris.keycloak.redirectUrlFrontend }}"
+ - name: NGINX_RATE_LIMIT
+ value: "{{ .Values.frontend.puris.rateLimiting.limit }}"
+ - name: NGINX_BURST
+ value: "{{ .Values.frontend.puris.rateLimiting.burst }}"
+ - name: NGINX_RATE
+ value: "{{ .Values.frontend.puris.rateLimiting.rate }}"
 ######################################
 ## Additional environment variables ##
 ######################################
diff --git a/charts/puris/values.yaml b/charts/puris/values.yaml
index 4b230d0b..4079c57e 100644
--- a/charts/puris/values.yaml
+++ b/charts/puris/values.yaml
@@ -162,7 +162,7 @@ frontend:
 # -- Delay in seconds after which an initial readiness probe is checked
 initialDelaySeconds: 10
 # -- Wait time in seconds between readiness probes
- periodSeconds: 80
+ periodSeconds: 10
 # -- Number of trys until a pod is marked ready
 successThreshold: 1
 # -- Timeout in seconds of the readiness probe
@@ -206,6 +206,13 @@ frontend:
 clientId: "appXYZ"
 # -- URL to use as keycloak redirect url.
 redirectUrlFrontend: "https://your-frontend-url.com"
+ rateLimiting:
+ # -- Bucket zone limit for rate limiting in nginx.
+ limit: 10m
+ # -- Burst rate limiting for nginx.
+ burst: 30
+ # -- Allowed rates per second for nginx rate limiting.
+ rate: 10r/s
 # -- Extra environment variables that will be passed onto the frontend deployment pods
 env: {}
@@ -348,9 +355,9 @@ backend:
 # -- Number of failures (threshold) for a readiness probe
 failureThreshold: 3
 # -- Delay in seconds after which an initial readiness probe is checked
- initialDelaySeconds: 120
+ initialDelaySeconds: 250
 # -- Wait time in seconds between readiness probes
- periodSeconds: 60
+ periodSeconds: 25
 # -- Number of trys until a pod is marked ready
 successThreshold: 1
 # -- Timeout in seconds of the readiness probe
@@ -360,8 +367,8 @@ backend:
 # -- Secret for backend passwords. For more information look into 'backend-secrets.yaml' file.
 existingSecret: "secret-backend-puris"
 api:
- # -- The API key of the PURIS application. Secret-key 'puris-api-key'.
- key: "test2"
+ # -- The API key of the PURIS application
+ key: "test"
 # -- The root directory of the API
 rootDir: /catena
 datasource:
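Review bot: The new `rateLimiting` block offers no way to switch the limiter off, although the Admin Guide section added in this commit says rate limiting "can be disabled"; the `limit_req_zone`/`limit_req` directives in the new nginx.conf are unconditional and only their parameters come from these three values, so disabling means editing nginx.conf and rebuilding the image. The comments should say so, so that an operator does not try `rateLimiting: {}` or a null value, which renders empty `NGINX_*` variables and (as far as I can tell) leaves nginx with an invalid `zone=zoneLimit:` / `rate=` argument and a container that does not start. Suggested comment above `rateLimiting:`: `# -- nginx rate limiting for the frontend. Always active; these values only tune it (see frontend/nginx.conf). All three keys must stay set.` It would also help to state the units nginx expects (`limit` is the shared-memory zone size, `rate` is requests per second or per minute) instead of "Bucket zone limit".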
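Review bot: The rewritten comment on `key` no longer tells an operator which entry of `existingSecret` (`secret-backend-puris`, three lines above) supplies the API key, while the new default `"test"` is still a placeholder credential; the same reference is dropped from the datasource `password` and EDC control-plane `key` comments in the next two hunks. If those values are still taken from that secret (the removed comments named the keys), name the secret entry again and say that the inline default is only for local runs, e.g. `# -- The API key of the PURIS application. Placeholder only; override it or provide it through existingSecret (entry name as in backend-secrets.yaml).`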
@@ -371,7 +378,7 @@ backend:
 url: jdbc:postgresql://postgresql-name:5432/puris-database
 # -- Username of the database. Ignored if postgres.enabled is true.
 username: db-user
- # -- Password for the database user. Ignored if postgres.enabled is true. Secret-key 'puris-datasource-password'.
+ # -- Password for the database user. Ignored if postgres.enabled is true.
 password:
 edc:
 controlplane:
@@ -382,7 +389,7 @@ backend:
 protocol:
 # -- Url to the EDC controlplane protocol API of the edc
 url: "https://your-edc-address:8184/api/v1/dsp"
- # -- Key for the EDC control plane. Secret-key 'puris-edc-controlplane-key'
+ # -- Key for the EDC control plane
 key: "password"
 own:
 # -- Own BPNL of the EDC
@@ -395,7 +402,7 @@ backend:
 country: "Germany"
 site:
 # -- Own site name
- name: "puris-test"
+ name: "YOUR-SITE-NAME"
 # -- Own street and number
 streetnumber: "Musterstraße 110A"
 # -- Own zipcode and city
@@ -405,7 +412,7 @@ backend:
 demonstrator:
 # -- Current role of the PURIS demonstrator. Default value should be empty.
 # Can be set to "customer" or "supplier" to enable demonstration setup
- role: "customer"
+ role:
 jpa:
 hibernate:
 # -- Initialises SQL database with Hibernate property "create" to allow Hibernate to first drop all tables and then create new ones
diff --git a/docs/adminGuide/Admin_Guide.md b/docs/adminGuide/Admin_Guide.md
index e25e893f..5f3a3b7e 100644
--- a/docs/adminGuide/Admin_Guide.md
+++ b/docs/adminGuide/Admin_Guide.md
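Review bot: `role:` with no value is YAML null, not the empty string the comment two lines above asks for ("Default value should be empty"); write `role: ""` so the rendered value is an explicit empty string no matter how the template or the application treats a nil. The comment could also say what "empty" means in practice, e.g. `# -- Current role of the PURIS demonstrator. Keep "" (empty string) outside demonstrations; set to "customer" or "supplier" only to enable the demonstration setup.`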
@@ -94,6 +94,16 @@ Thus, it may seem that the Credential is available, but isn't. Same applies to t
 
 _Note: Please refer to the [Portal's documentation on how to sign use case agreements](https://github.com/eclipse-tractusx/portal-assets/blob/main/docs/user/06.%20Certificates/01.%20UseCase%20Participation.md)._
 
+## Rate Limiting using nginx
+
+Rate limiting is by default enabled in the puris frontend served by nginx and can be dynamically configured.
+In order to adjust any variables of nginx's rate limiting or disable it, one has to modify the respective variables in either the
+local docker deployment by setting the necessary environment variables, or by modifying the variables in the helm chart values.yaml.
+
+These variables then get dynamically injected in the nginx.conf file, which is then copied to the docker image to be used by nginx.
+That means that the rate limiting can be disabled by modifying the nginx.conf file in the frontend folder. This is also the place
+to insert and override any other nginx configurations.
+
 ## Serving with HTTPS / SSL
 
 Serving with SSL is available for Docker and Helm Deployment. In local deployment directly with mvn (backend) and
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index 823dcd57..20305ca1 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -56,6 +56,8 @@ ENV JSFOLDER=/usr/share/nginx/html/assets/*.js
 
 # use root user to install moreutils for sponge in start-nginx to substring env workaround
 USER root
+COPY ./nginx.conf /etc/nginx/nginx.conf
+RUN chmod 117 /etc/nginx/nginx.conf
 COPY ./start-nginx.sh /usr/bin/start-nginx.sh
 RUN apk --no-cache add moreutils
 
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
new file mode 100755
index 00000000..586abca8
--- /dev/null
+++ b/frontend/nginx.conf
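Review bot: `RUN chmod 117 /etc/nginx/nginx.conf` makes the nginx configuration world-writable and executable (mode 117 is owner `--x`, group `--x`, other `rwx`) and takes read permission away from the owner, so any process running in the container can rewrite the configuration that the start script hands to nginx. The apparent intent is to let the non-root runtime user (the `USER` switch back from root is outside this hunk) run `envsubst | sponge` over the file at start-up, which needs write access for that single user, not for everyone. Give the file to that user instead of opening it up: `COPY --chown=<RUNTIME_USER>:<RUNTIME_GROUP> ./nginx.conf /etc/nginx/nginx.conf` followed by `RUN chmod 0644 /etc/nginx/nginx.conf`, with the placeholders replaced by the user the image switches to later in the Dockerfile.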
@@ -0,0 +1,46 @@
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /tmp/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ proxy_temp_path /tmp/proxy_temp;
+ client_body_temp_path /tmp/client_temp;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ limit_req_zone $binary_remote_addr zone=zoneLimit:${NGINX_RATE_LIMIT} rate=${NGINX_RATE};
+ limit_req_status 503;
+
+ server {
+ listen 8080;
+ server_name localhost;
+
+ location / {
+ limit_req zone=zoneLimit burst=${NGINX_BURST} nodelay;
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+ }
+}
diff --git a/frontend/start-nginx.sh b/frontend/start-nginx.sh
index 780ece71..1d8a701f 100755
--- a/frontend/start-nginx.sh
+++ b/frontend/start-nginx.sh
@@ -18,4 +18,7 @@ do
 envsubst $EXISTING_VARS < $file | sponge $file
 echo -e "\r\n"
 done
+
+envsubst $EXISTING_VARS < /etc/nginx/nginx.conf | sponge /etc/nginx/nginx.conf
+
 nginx -g 'daemon off;'
diff --git a/local/docker-compose.yaml b/local/docker-compose.yaml
index 5074c44a..65356260 100644
--- a/local/docker-compose.yaml
+++ b/local/docker-compose.yaml
@@ -42,6 +42,9 @@ services:
 - ENDPOINT_UPDATE_REPORTED_PRODUCT_STOCKS=stockView/update-reported-product-stocks?ownMaterialNumber=
 - ENDPOINT_PARTNER_OWNSITES=partners/ownSites
 - IDP_DISABLE=true
+ - NGINX_RATE_LIMIT=10m
+ - NGINX_BURST=30
+ - NGINX_RATE=10r/s
 networks:
 - miw-net
 extra_hosts:
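Review bot: `limit_req_zone $binary_remote_addr ...` keys the limiter on the TCP peer address, and in the Helm deployment the frontend is reached through a Service and ingress rather than directly, so (as far as this diff shows) every request arrives from the proxy's address and all clients share a single bucket: one busy client throttles everyone, and the per-client protection the Admin Guide describes does not materialise. If nginx sits behind a trusted reverse proxy, add the realip directives to the `http` block so the key becomes the client address, and restrict them to the proxy's address range so the header cannot be supplied by an outside client: `set_real_ip_from <TRUSTED_PROXY_CIDR>;` and `real_ip_header X-Forwarded-For;` (plus `real_ip_recursive on;` when there is more than one hop). Two smaller points: `limit_req_status 503` is indistinguishable from an outage for callers and monitoring, and `429` is the conventional throttling response; and the file is committed with mode 100755 although it is not executable.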
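Review bot: The added `envsubst $EXISTING_VARS < /etc/nginx/nginx.conf` relies on `EXISTING_VARS` (built outside this hunk) naming exactly the three `NGINX_*` variables; nginx.conf also contains nginx's own `$remote_addr`, `$binary_remote_addr`, `$status` and similar, so if the list is empty envsubst substitutes every `$name` it sees and blanks them, and if it lacks one of the NGINX names the `${NGINX_...}` placeholder survives and nginx fails to start. Pin the substitution set for this file: `envsubst '${NGINX_RATE_LIMIT} ${NGINX_BURST} ${NGINX_RATE}' < /etc/nginx/nginx.conf | sponge /etc/nginx/nginx.conf`. The file is also rewritten in place on every container start, which only works because the runtime user can write /etc/nginx/nginx.conf (the `chmod 117` in the Dockerfile); rendering into a writable path such as `/tmp/nginx.conf` and starting with `nginx -c /tmp/nginx.conf -g 'daemon off;'` would let the config shipped in the image stay read-only.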
@@ -172,6 +175,9 @@ services:
 - ENDPOINT_UPDATE_REPORTED_PRODUCT_STOCKS=stockView/update-reported-product-stocks?ownMaterialNumber=
 - ENDPOINT_PARTNER_OWNSITES=partners/ownSites
 - IDP_DISABLE=true
+ - NGINX_RATE_LIMIT=10m
+ - NGINX_BURST=30
+ - NGINX_RATE=10r/s
 networks:
 - miw-net
 extra_hosts: