enabled missing configuration for custom filters

- OAuth2 Tokeninfo Filters
- OAuth2 Grant Flow
- Open Policy Agent
- Rate Limiter
- Compression

Author: vlktna

cluster/manifests/02-skipper-validation-webhook/deployment.yaml

@@ -53,6 +53,45 @@ spec:
       containers:
       - name: skipper-admission-webhook
         image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.142
+        env:
+{{ if or (eq .Cluster.ConfigItems.skipper_local_tokeninfo "production") (eq .Cluster.ConfigItems.skipper_local_tokeninfo "bridge") }}
+        - name: LOCAL_TOKENINFO
+          value: "true"
+        - name: ENABLE_OPENTRACING
+          value: "true"
+        - name: OPENTRACING_LIGHTSTEP_COMPONENT_NAME
+          value: "tokeninfo-skipper-ingress"
+        - name: OPENTRACING_LIGHTSTEP_ACCESS_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: skipper-ingress
+              key: lightstep-token
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_local_tokeninfo "bridge" }}
+        - name: LOCAL_TOKENINFO_SANDBOX
+          value: "true"
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_lua_scripts_enabled "true" }}
+        - name: LUA_PATH
+          value: /etc/skipper/lua/?.lua
+        - name: DATADOME_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: skipper-ingress
+              key: datadome-api-key
+        - name: KASADA_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: skipper-ingress
+              key: kasada-api-key
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
+        - name: STYRA_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: skipper-ingress
+              key: styra-token
+{{ end }}
         args:
           - skipper
           - -support-listener=:9981
@@ -73,6 +112,20 @@ spec:
           - "-disable-metrics-compat"
           - "-histogram-metric-buckets=.0001,.00025,.0005,.00075,.001,.0025,.005,.0075,.01,.025,.05,.075,.1,.2,.3,.4,.5,.75,1,2,3,4,5,7,10,15,20,30,60,120,300,600"
           - "-disabled-filters={{ .Cluster.ConfigItems.skipper_disabled_filters }}"
+          - "-compress-encodings={{ .Cluster.ConfigItems.skipper_compress_encodings }}"
+          - "-enable-ratelimits"
+{{ if eq .Cluster.ConfigItems.skipper_ingress_redis_swarm_enabled "true" }}
+          - "-enable-swarm"
+          - "-swarm-redis-dial-timeout={{ .Cluster.ConfigItems.skipper_redis_dial_timeout }}"
+          - "-swarm-redis-pool-timeout={{ .Cluster.ConfigItems.skipper_redis_pool_timeout }}"
+          - "-swarm-redis-read-timeout={{ .Cluster.ConfigItems.skipper_redis_read_timeout }}"
+          - "-swarm-redis-write-timeout={{ .Cluster.ConfigItems.skipper_redis_write_timeout }}"
+          - "-cluster-ratelimit-max-group-shards={{ .Cluster.ConfigItems.skipper_cluster_ratelimit_max_group_shards }}"
+          - "-swarm-redis-min-conns={{ .Cluster.ConfigItems.skipper_redis_min_conns }}"
+          - "-swarm-redis-max-conns={{ .Cluster.ConfigItems.skipper_redis_max_conns }}"
+          - "-cluster-ratelimit-max-group-shards={{ .Cluster.ConfigItems.skipper_cluster_ratelimit_max_group_shards }}"
+{{ end }}
+          - "-lua-sources={{ .Cluster.ConfigItems.skipper_lua_sources }}"
           - "-default-filters-dir=/etc/config/default-filters"
           - '-default-filters-prepend={{ .Cluster.ConfigItems.skipper_default_filters }}'
           - '-default-filters-append={{ .Cluster.ConfigItems.skipper_default_filters_authentication }}'
@@ -81,6 +134,35 @@ spec:
           - '-kubernetes-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_annotation_filters_append }}'
           - '-kubernetes-east-west-range-annotation-predicates={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_predicates }}'
           - '-kubernetes-east-west-range-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_filters_append }}'
+{{ if eq .Cluster.ConfigItems.skipper_local_tokeninfo "bridge" }}
+          - "-oauth2-tokeninfo-url=http://127.0.0.1:9000/oauth2/tokeninfo"
+          - "-status-checks=http://127.0.0.1:9021/health,http://127.0.0.1:9121/health,http://127.0.0.1:9000/healthz"
+{{ else if eq .Cluster.ConfigItems.skipper_local_tokeninfo "production" }}
+          - "-oauth2-tokeninfo-url=http://127.0.0.1:9021/oauth2/tokeninfo"
+          - "-status-checks=http://127.0.0.1:9021/health"
+{{ end }}
+          - "-oauth2-tokeninfo-cache-size={{ .Cluster.ConfigItems.skipper_tokeninfo_cache_size }}"
+          - "-oauth2-tokeninfo-cache-ttl={{ .Cluster.ConfigItems.skipper_tokeninfo_cache_ttl }}"
+{{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true" }}
+          - "-enable-oauth2-grant-flow"
+          - "-oauth2-auth-url={{ .Cluster.ConfigItems.skipper_oauth2_auth_url }}"
+          - "-oauth2-token-url={{ .Cluster.ConfigItems.skipper_oauth2_token_url }}"
+          - "-oauth2-secret-file=/etc/skipper/secret/encryption-key"
+          - "-oauth2-client-id-file=/etc/skipper/hostname-credentials/{host}-grant-credentials-employee-client-id"
+          - "-oauth2-client-secret-file=/etc/skipper/hostname-credentials/{host}-grant-credentials-employee-client-secret"
+          - "-credentials-update-interval=1m"
+          - "-oauth2-token-cookie-name={{ .Cluster.ConfigItems.skipper_oauth2_cookie_name }}"
+          - "-oauth2-token-cookie-remove-subdomains=0"
+          - "-oauth2-callback-path={{ .Cluster.ConfigItems.skipper_oauth2_redirect_uri_path }}"
+          - "-oauth2-grant-tokeninfo-keys={{ .Cluster.ConfigItems.skipper_oauth2_ui_login_tokeninfo_keys }}"
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
+          - "-enable-open-policy-agent"
+          - "-open-policy-agent-config-template=/etc/skipper/open-policy-agent/opaconfig.yaml"
+          - "-open-policy-agent-envoy-metadata=/etc/skipper/open-policy-agent/envoymetadata.json"
+          - "-enable-open-policy-agent-data-preprocessing-optimization={{ .Cluster.ConfigItems.skipper_open_policy_agent_data_preprocessing_optimization_enabled }}"
+          - "-enable-open-policy-agent-preloading={{ .Cluster.ConfigItems.skipper_open_policy_agent_preloading_enabled }}"
+{{ end }}
         lifecycle:
           preStop:
             sleep:
@@ -110,6 +192,24 @@ spec:
             readOnly: true
           - name: filters
             mountPath: /etc/config/default-filters
+{{ if eq .Cluster.ConfigItems.skipper_lua_scripts_enabled "true" }}
+          - name: lua
+            mountPath: /etc/skipper/lua
+            readOnly: true
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true"}}
+          - name: hostname-credentials
+            mountPath: /etc/skipper/hostname-credentials
+            readOnly: true
+          - name: encryption-key
+            mountPath: /etc/skipper/secret
+            readOnly: true
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
+          - name: open-policy-agent-config
+            mountPath: /etc/skipper/open-policy-agent
+            readOnly: true
+{{ end }}
       volumes:
       - name: tls-certs
         secret:
@@ -118,3 +218,22 @@ spec:
         configMap:
           name: skipper-default-filters
           optional: true
+{{ if eq .Cluster.ConfigItems.skipper_lua_scripts_enabled "true" }}
+      - name: lua
+        configMap:
+          name: skipper-ingress-lua
+          optional: true
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true"}}
+      - name: hostname-credentials
+        secret:
+          secretName: hostname-credentials
+      - name: encryption-key
+        secret:
+          secretName: skipper-ingress
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
+      - name: open-policy-agent-config
+        configMap:
+          name: open-policy-agent-config
+{{ end }}