enabled missing configuration for custom filters

- OAuth2 Tokeninfo Filters
- OAuth2 Grant Flow
- Open Policy Agent
- Rate Limiter
- Compression

Author: vlktna

cluster/manifests/02-skipper-validation-webhook/deployment.yaml

@@ -53,6 +53,54 @@ spec:
       containers:
       - name: skipper-admission-webhook
         image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.142
+        env:
+        - name: LIGHTSTEP_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: skipper-ingress
+              key: lightstep-token
+{{ if or (eq .Cluster.ConfigItems.skipper_local_tokeninfo "production") (eq .Cluster.ConfigItems.skipper_local_tokeninfo "bridge") }}
+        - name: LOCAL_TOKENINFO
+          value: "true"
+        - name: ENABLE_OPENTRACING
+          value: "true"
+        - name: OPENTRACING_LIGHTSTEP_COMPONENT_NAME
+          value: "tokeninfo-skipper-ingress"
+        - name: OPENTRACING_LIGHTSTEP_ACCESS_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: skipper-ingress
+              key: lightstep-token
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_local_tokeninfo "bridge" }}
+        - name: LOCAL_TOKENINFO_SANDBOX
+          value: "true"
+{{ end }}
+{{ if or (eq .Cluster.ConfigItems.nlb_switch "pre") (eq .Cluster.ConfigItems.nlb_switch "exec") }}
+        - name: HTTP_REDIRECT
+          value: "true"
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_lua_scripts_enabled "true" }}
+        - name: LUA_PATH
+          value: /etc/skipper/lua/?.lua
+        - name: DATADOME_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: skipper-ingress
+              key: datadome-api-key
+        - name: KASADA_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: skipper-ingress
+              key: kasada-api-key
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
+        - name: STYRA_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: skipper-ingress
+              key: styra-token
+{{ end }}
         args:
           - skipper
           - -support-listener=:9981
@@ -73,6 +121,22 @@ spec:
           - "-disable-metrics-compat"
           - "-histogram-metric-buckets=.0001,.00025,.0005,.00075,.001,.0025,.005,.0075,.01,.025,.05,.075,.1,.2,.3,.4,.5,.75,1,2,3,4,5,7,10,15,20,30,60,120,300,600"
           - "-disabled-filters={{ .Cluster.ConfigItems.skipper_disabled_filters }}"
+          - "-compress-encodings={{ .Cluster.ConfigItems.skipper_compress_encodings }}"
+          - "-enable-ratelimits"
+{{ if eq .Cluster.ConfigItems.skipper_ingress_redis_swarm_enabled "true" }}
+          - "-enable-swarm"
+          - "-swarm-redis-dial-timeout={{ .Cluster.ConfigItems.skipper_redis_dial_timeout }}"
+          - "-swarm-redis-pool-timeout={{ .Cluster.ConfigItems.skipper_redis_pool_timeout }}"
+          - "-swarm-redis-read-timeout={{ .Cluster.ConfigItems.skipper_redis_read_timeout }}"
+          - "-swarm-redis-write-timeout={{ .Cluster.ConfigItems.skipper_redis_write_timeout }}"
+          - "-cluster-ratelimit-max-group-shards={{ .Cluster.ConfigItems.skipper_cluster_ratelimit_max_group_shards }}"
+          - "-swarm-redis-min-conns={{ .Cluster.ConfigItems.skipper_redis_min_conns }}"
+          - "-swarm-redis-max-conns={{ .Cluster.ConfigItems.skipper_redis_max_conns }}"
+          - "-kubernetes-redis-service-namespace=kube-system"
+          - "-kubernetes-redis-service-name=skipper-ingress-redis"
+          - "-kubernetes-redis-service-port=6379"
+{{ end }}
+          - "-lua-sources={{ .Cluster.ConfigItems.skipper_lua_sources }}"
           - "-default-filters-dir=/etc/config/default-filters"
           - '-default-filters-prepend={{ .Cluster.ConfigItems.skipper_default_filters }}'
           - '-default-filters-append={{ .Cluster.ConfigItems.skipper_default_filters_authentication }}'
@@ -81,6 +145,60 @@ spec:
           - '-kubernetes-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_annotation_filters_append }}'
           - '-kubernetes-east-west-range-annotation-predicates={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_predicates }}'
           - '-kubernetes-east-west-range-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_filters_append }}'
+{{ if eq .Cluster.ConfigItems.skipper_local_tokeninfo "bridge" }}
+          - "-oauth2-tokeninfo-url=http://127.0.0.1:9000/oauth2/tokeninfo"
+          - "-status-checks=http://127.0.0.1:9021/health,http://127.0.0.1:9121/health,http://127.0.0.1:9000/healthz"
+{{ else if eq .Cluster.ConfigItems.skipper_local_tokeninfo "production" }}
+          - "-oauth2-tokeninfo-url=http://127.0.0.1:9021/oauth2/tokeninfo"
+          - "-status-checks=http://127.0.0.1:9021/health"
+{{ end }}
+          - "-oauth2-tokeninfo-cache-size={{ .Cluster.ConfigItems.skipper_tokeninfo_cache_size }}"
+          - "-oauth2-tokeninfo-cache-ttl={{ .Cluster.ConfigItems.skipper_tokeninfo_cache_ttl }}"
+{{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true" }}
+          - "-enable-oauth2-grant-flow"
+          - "-oauth2-auth-url={{ .Cluster.ConfigItems.skipper_oauth2_auth_url }}"
+          - "-oauth2-token-url={{ .Cluster.ConfigItems.skipper_oauth2_token_url }}"
+          - "-oauth2-secret-file=/etc/skipper/secret/encryption-key"
+          - "-oauth2-client-id-file=/etc/skipper/hostname-credentials/{host}-grant-credentials-employee-client-id"
+          - "-oauth2-client-secret-file=/etc/skipper/hostname-credentials/{host}-grant-credentials-employee-client-secret"
+          - "-credentials-update-interval=1m"
+          - "-oauth2-token-cookie-name={{ .Cluster.ConfigItems.skipper_oauth2_cookie_name }}"
+          - "-oauth2-token-cookie-remove-subdomains=0"
+          - "-oauth2-callback-path={{ .Cluster.ConfigItems.skipper_oauth2_redirect_uri_path }}"
+          - "-oauth2-grant-tokeninfo-keys={{ .Cluster.ConfigItems.skipper_oauth2_ui_login_tokeninfo_keys }}"
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
+          - "-enable-open-policy-agent"
+          - "-open-policy-agent-config-template=/etc/skipper/open-policy-agent/opaconfig.yaml"
+          - "-open-policy-agent-envoy-metadata=/etc/skipper/open-policy-agent/envoymetadata.json"
+          - "-enable-open-policy-agent-data-preprocessing-optimization={{ .Cluster.ConfigItems.skipper_open_policy_agent_data_preprocessing_optimization_enabled }}"
+          - "-enable-open-policy-agent-preloading={{ .Cluster.ConfigItems.skipper_open_policy_agent_preloading_enabled }}"
+{{ end }}
+          - >-
+            -opentracing=lightstep
+            component-name=skipper-validation-webhook
+            token=$(LIGHTSTEP_TOKEN)
+            collector={{ .Cluster.ConfigItems.tracing_collector_host }}:8444
+            cmd-line=skipper-validation-webhook
+            tag=application=skipper-ingress
+            tag=component=webhook
+            tag=account={{ .Cluster.Alias }}
+            tag=cluster={{ .Cluster.Alias }}
+            tag=artifact=926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.142
+            max-buffered-spans={{ .Cluster.ConfigItems.skipper_ingress_tracing_buffer }}
+            grpc-max-msg-size={{ .Cluster.ConfigItems.skipper_ingress_lightstep_grpc_max_msg_size }}
+            max-period={{ .Cluster.ConfigItems.skipper_ingress_lightstep_max_period }}
+            min-period={{ .Cluster.ConfigItems.skipper_ingress_lightstep_min_period }}
+            max-log-key-len={{ .Cluster.ConfigItems.skipper_ingress_lightstep_max_log_key_len }}
+            max-log-value-len={{ .Cluster.ConfigItems.skipper_ingress_lightstep_max_log_value_len }}
+            max-logs-per-span={{ .Cluster.ConfigItems.skipper_ingress_lightstep_max_logs_per_span }}
+            propagators={{ .Cluster.ConfigItems.skipper_ingress_lightstep_propagators }}
+            {{ .Cluster.ConfigItems.skipper_ingress_lightstep_log_events }}
+          - "-opentracing-excluded-proxy-tags={{ .Cluster.ConfigItems.skipper_ingress_opentracing_excluded_proxy_tags }}"
+{{ if eq .Cluster.ConfigItems.skipper_ingress_opentracing_backend_name_tag "true" }}
+          - "-opentracing-backend-name-tag"
+{{ end }}
+          - "-opentracing-disable-filter-spans={{ .Cluster.ConfigItems.skipper_opentracing_disable_filter_spans }}"
         lifecycle:
           preStop:
             sleep:
@@ -110,6 +228,24 @@ spec:
             readOnly: true
           - name: filters
             mountPath: /etc/config/default-filters
+{{ if eq .Cluster.ConfigItems.skipper_lua_scripts_enabled "true" }}
+          - name: lua
+            mountPath: /etc/skipper/lua
+            readOnly: true
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true"}}
+          - name: hostname-credentials
+            mountPath: /etc/skipper/hostname-credentials
+            readOnly: true
+          - name: encryption-key
+            mountPath: /etc/skipper/secret
+            readOnly: true
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
+          - name: open-policy-agent-config
+            mountPath: /etc/skipper/open-policy-agent
+            readOnly: true
+{{ end }}
       volumes:
       - name: tls-certs
         secret:
@@ -118,3 +254,22 @@ spec:
         configMap:
           name: skipper-default-filters
           optional: true
+{{ if eq .Cluster.ConfigItems.skipper_lua_scripts_enabled "true" }}
+      - name: lua
+        configMap:
+          name: skipper-ingress-lua
+          optional: true
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true"}}
+      - name: hostname-credentials
+        secret:
+          secretName: hostname-credentials
+      - name: encryption-key
+        secret:
+          secretName: skipper-ingress
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
+      - name: open-policy-agent-config
+        configMap:
+          name: open-policy-agent-config
+{{ end }}