Merge pull request #10165 from zalando-incubator/enabled-missing-configuration-for-custom-filters

szuecs · web-flow · commit afa19e5ece89 · 2025-12-04T13:21:53.000+01:00
skipper-validation-webhook: enabled missing configuration for custom filters
diff --git a/cluster/manifests/02-skipper-validation-webhook/01-rbac.yaml b/cluster/manifests/02-skipper-validation-webhook/01-rbac.yaml
@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: skipper-validation-webhook
+  namespace: kube-system
+  labels:
+    application: skipper-ingress
+    component: webhook
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: skipper-validation-webhook
+rules:
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+- apiGroups: [""]
+  resources: ["namespaces", "services", "endpoints", "pods"]
+  verbs: ["get", "list"]
+- apiGroups:
+    - discovery.k8s.io
+  resources:
+    - endpointslices
+  verbs:
+    - get
+    - list
+- apiGroups:
+  - zalando.org
+  resources:
+  - routegroups
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: skipper-validation-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: skipper-validation-webhook
+subjects:
+- kind: ServiceAccount
+  name: skipper-validation-webhook
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: skipper-validation-webhook-privileged-psp
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: privileged-psp
+subjects:
+- kind: ServiceAccount
+  name: skipper-validation-webhook
+  namespace: kube-system
+
diff --git a/cluster/manifests/02-skipper-validation-webhook/configmap-open-policy-agent.yaml b/cluster/manifests/02-skipper-validation-webhook/configmap-open-policy-agent.yaml
diff --git a/cluster/manifests/02-skipper-validation-webhook/deployment.yaml b/cluster/manifests/02-skipper-validation-webhook/deployment.yaml
@@ -50,17 +50,55 @@ spec:
           - name: ndots
             value: "1"
       priorityClassName: system-cluster-critical
+      serviceAccountName: skipper-validation-webhook
       containers:
       - name: skipper-admission-webhook
         image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.142
+        env:
+{{ if or (eq .Cluster.ConfigItems.skipper_local_tokeninfo "production") (eq .Cluster.ConfigItems.skipper_local_tokeninfo "bridge") }}
+        - name: LOCAL_TOKENINFO
+          value: "true"
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_local_tokeninfo "bridge" }}
+        - name: LOCAL_TOKENINFO_SANDBOX
+          value: "true"
+{{ end }}
+{{ if or (eq .Cluster.ConfigItems.nlb_switch "pre") (eq .Cluster.ConfigItems.nlb_switch "exec") }}
+        - name: HTTP_REDIRECT
+          value: "true"
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_lua_scripts_enabled "true" }}
+        - name: LUA_PATH
+          value: /etc/skipper/lua/?.lua
+        - name: DATADOME_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: skipper-ingress
+              key: datadome-api-key
+        - name: KASADA_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: skipper-ingress
+              key: kasada-api-key
+{{ end }}
         args:
           - skipper
-          - -support-listener=:9981
-          - --validation-webhook-enabled=true
-          - --validation-webhook-address=:9085
-          - --validation-webhook-cert-file=/etc/tls-certs/skipper-validation-webhook.pem
-          - --validation-webhook-key-file=/etc/tls-certs/skipper-validation-webhook-key.pem
-          - "--enable-advanced-validation={{ .Cluster.ConfigItems.enable_advanced_validation }}"
+          - "-support-listener=:9981"
+          - "-validation-webhook-enabled=true"
+          - "-validation-webhook-address=:9085"
+          - "-validation-webhook-cert-file=/etc/tls-certs/skipper-validation-webhook.pem"
+          - "-validation-webhook-key-file=/etc/tls-certs/skipper-validation-webhook-key.pem"
+          - "-enable-profile"
+          - "-memory-profile-rate={{ .Cluster.ConfigItems.skipper_memory_profile_rate }}"
+          - "-block-profile-rate={{ .Cluster.ConfigItems.skipper_block_profile_rate }}"
+          - "-mutex-profile-fraction={{ .Cluster.ConfigItems.skipper_mutex_profile_fraction }}"
+          - "-kubernetes"
+          - "-kubernetes-in-cluster"
+          - "-kubernetes-healthcheck=false" # see -inline-routes
+          - "-kubernetes-path-mode=path-prefix"
+          - "-enable-kubernetes-endpointslices={{ .Cluster.ConfigItems.skipper_endpointslices_enabled }}"
+          - "-enable-advanced-validation={{ .Cluster.ConfigItems.enable_advanced_validation }}"
+          - "-source-poll-timeout=9223372036854775807" # Max Duration
           - "-metrics-flavour=prometheus"
           - "-metrics-exp-decay-sample"
           - "-enable-prometheus-start-label={{ .Cluster.ConfigItems.skipper_prometheus_start_label_enabled }}"
@@ -73,6 +111,22 @@ spec:
           - "-disable-metrics-compat"
           - "-histogram-metric-buckets=.0001,.00025,.0005,.00075,.001,.0025,.005,.0075,.01,.025,.05,.075,.1,.2,.3,.4,.5,.75,1,2,3,4,5,7,10,15,20,30,60,120,300,600"
           - "-disabled-filters={{ .Cluster.ConfigItems.skipper_disabled_filters }}"
+          - "-compress-encodings={{ .Cluster.ConfigItems.skipper_compress_encodings }}"
+          - "-enable-ratelimits"
+{{ if eq .Cluster.ConfigItems.skipper_ingress_redis_swarm_enabled "true" }}
+          - "-enable-swarm"
+          - "-swarm-redis-dial-timeout={{ .Cluster.ConfigItems.skipper_redis_dial_timeout }}"
+          - "-swarm-redis-pool-timeout={{ .Cluster.ConfigItems.skipper_redis_pool_timeout }}"
+          - "-swarm-redis-read-timeout={{ .Cluster.ConfigItems.skipper_redis_read_timeout }}"
+          - "-swarm-redis-write-timeout={{ .Cluster.ConfigItems.skipper_redis_write_timeout }}"
+          - "-cluster-ratelimit-max-group-shards={{ .Cluster.ConfigItems.skipper_cluster_ratelimit_max_group_shards }}"
+          - "-swarm-redis-min-conns={{ .Cluster.ConfigItems.skipper_redis_min_conns }}"
+          - "-swarm-redis-max-conns={{ .Cluster.ConfigItems.skipper_redis_max_conns }}"
+          - "-kubernetes-redis-service-namespace=kube-system"
+          - "-kubernetes-redis-service-name=skipper-ingress-redis"
+          - "-kubernetes-redis-service-port=6379"
+{{ end }}
+          - "-lua-sources={{ .Cluster.ConfigItems.skipper_lua_sources }}"
           - "-default-filters-dir=/etc/config/default-filters"
           - '-default-filters-prepend={{ .Cluster.ConfigItems.skipper_default_filters }}'
           - '-default-filters-append={{ .Cluster.ConfigItems.skipper_default_filters_authentication }}'
@@ -81,6 +135,27 @@ spec:
           - '-kubernetes-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_annotation_filters_append }}'
           - '-kubernetes-east-west-range-annotation-predicates={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_predicates }}'
           - '-kubernetes-east-west-range-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_filters_append }}'
+          - "-oauth2-tokeninfo-url=http://127.0.0.1:9021/oauth2/tokeninfo"
+{{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true" }}
+          - "-enable-oauth2-grant-flow"
+          - "-oauth2-auth-url={{ .Cluster.ConfigItems.skipper_oauth2_auth_url }}"
+          - "-oauth2-token-url={{ .Cluster.ConfigItems.skipper_oauth2_token_url }}"
+          - "-oauth2-secret-file=/etc/skipper/secret/encryption-key"
+          - "-oauth2-client-id-file=/etc/skipper/hostname-credentials/{host}-grant-credentials-employee-client-id"
+          - "-oauth2-client-secret-file=/etc/skipper/hostname-credentials/{host}-grant-credentials-employee-client-secret"
+          - "-credentials-update-interval=1m"
+          - "-oauth2-token-cookie-name={{ .Cluster.ConfigItems.skipper_oauth2_cookie_name }}"
+          - "-oauth2-token-cookie-remove-subdomains=0"
+          - "-oauth2-callback-path={{ .Cluster.ConfigItems.skipper_oauth2_redirect_uri_path }}"
+          - "-oauth2-grant-tokeninfo-keys={{ .Cluster.ConfigItems.skipper_oauth2_ui_login_tokeninfo_keys }}"
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
+          - "-enable-open-policy-agent"
+          - "-open-policy-agent-config-template=/etc/skipper/open-policy-agent/opaconfig.yaml"
+          - "-open-policy-agent-envoy-metadata=/etc/skipper/open-policy-agent/envoymetadata.json"
+          - "-enable-open-policy-agent-data-preprocessing-optimization={{ .Cluster.ConfigItems.skipper_open_policy_agent_data_preprocessing_optimization_enabled }}"
+          - "-enable-open-policy-agent-preloading={{ .Cluster.ConfigItems.skipper_open_policy_agent_preloading_enabled }}"
+{{ end }}
         lifecycle:
           preStop:
             sleep:
@@ -110,6 +185,24 @@ spec:
             readOnly: true
           - name: filters
             mountPath: /etc/config/default-filters
+{{ if eq .Cluster.ConfigItems.skipper_lua_scripts_enabled "true" }}
+          - name: lua
+            mountPath: /etc/skipper/lua
+            readOnly: true
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true"}}
+          - name: hostname-credentials
+            mountPath: /etc/skipper/hostname-credentials
+            readOnly: true
+          - name: encryption-key
+            mountPath: /etc/skipper/secret
+            readOnly: true
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
+          - name: open-policy-agent-config
+            mountPath: /etc/skipper/open-policy-agent
+            readOnly: true
+{{ end }}
       volumes:
       - name: tls-certs
         secret:
@@ -118,3 +211,22 @@ spec:
         configMap:
           name: skipper-default-filters
           optional: true
+{{ if eq .Cluster.ConfigItems.skipper_lua_scripts_enabled "true" }}
+      - name: lua
+        configMap:
+          name: skipper-ingress-lua
+          optional: true
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true"}}
+      - name: hostname-credentials
+        secret:
+          secretName: hostname-credentials
+      - name: encryption-key
+        secret:
+          secretName: skipper-ingress
+{{ end }}
+{{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
+      - name: open-policy-agent-config
+        configMap:
+          name: open-policy-agent-config
+{{ end }}
