-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Loadbalancer #289
Loadbalancer #289
Conversation
Probabl we will need to setup a domain in order to make it work. |
Update: I was able to sync with the team on this, and I think we might put MPC-recovery behind EMS, which I can configure CORS and rate limiting as well. We can even use the existing Cloud Run URL for testing until we can nail down a domain. I'll just need to know what the CORS policy should look like and what rate limits we want. |
@kmaus-near what is EMS? |
EMS (Endpoint Management System) is what sits in front of services and acts as a loadbalancer. It uses Kong Ingress controller on our K8s cluster. Currently it sits in front of services like queryAPI, Enhanced API, and the FastAuth relayer. Currently we typically rate limit via Kong consumers that utilize and API key sent with request headers, but it can be configured to use other methods as well (consumer, credential, ip, service, header, and path). Once I have the CORS policy you guys want to use I can have this set up relatively quickly. |
After near/near-discovery#336 is merged, the relayer will be targeted by near discovery domains and signer app domains but the mpc recovery service will only be targeted by signer app domains. Currently everything is targeted by near discovery domains. For near discovery we have:
For the signer app we have
Does this help answer the question? |
Thank you @esaminu ! |
Got some follow up questions from the team with a request: If you guys happen to have a diagram and flow chart you guys could share with us so we can get a better picture of the entire MPC architecture that would be awesome. Also there's a question as to why CORS will be changing so frequently vs allowing all origins, and will probably have to run that by the security team if that's the case. Rate limiting is pretty easily configurable so changing that frequently shouldn't be an issue, the main concern is CORS policy and a data flow/architecture diagram for more context into the environments. Thanks guys! |
@volovyks I think we should allowlist everything for the mpc recovery service and then remove the near discovery domains once the release is live and stable |
@esaminu everything is allowlisted and there is no ratelimiting now. But we want to add it. I agree that that is not critical since we do not have a lot of partners at the moment. |
@kmaus-near Here is a 10 minute schema: https://miro.com/app/board/uXjVMkxMEZk=/?share_link_id=827371266226 |
Synced with @kmaus-near and @esaminu. We desided to stick the the EMS rate limiting and skip the corse protection since it's covered with rate limiting. For the rate limiting we agreed on next setup:
The list of domains can be found in the comment above. This limitations should be added to the newly created MPC Leader Node (@itegulov, please, post it here once we have it). @kmaus-near tell me if there is any other blockers. |
The list of domains for prod is only
Everything elese is testnet/dev envs. |
Do you guys have an example request I can make to test the rate limit? Everything should be ready to go, just need to verify that it works as intended. |
Also out of curiously, what is the driving force behind the planned Monday release? A few people are asking me on my end. |
@kmaus-near hard deadline :) |
No description provided.