Built-in legacy plugins
Otoroshi provides some plugins out of the box. Here is the available plugins with their documentation and reference configuration
Access log (CLF)
Infos
- plugin type:
transformer
- configuration root:
AccessLog
Description
With this plugin, any access to a service will be logged in CLF format.
Log format is the following:
"$service" $clientAddress - "$userId" [$timestamp] "$host $method $path $protocol" "$status $statusTxt" $size $snowflake "$to" "$referer" "$userAgent" $http $duration $errorMsg
The plugin accepts the following configuration
{
"AccessLog": {
"enabled": true,
"statuses": [], // list of status to enable logs, if none, log everything
"paths": [], // list of paths to enable logs, if none, log everything
"methods": [], // list of http methods to enable logs, if none, log everything
"identities": [] // list of identities to enable logs, if none, log everything
}
}
Default configuration
{
"AccessLog" : {
"enabled" : true,
"statuses" : [ ],
"paths" : [ ],
"methods" : [ ],
"identities" : [ ]
}
}
transformerAccess log (JSON)
Infos
- plugin type:
transformer
- configuration root:
AccessLog
Description
With this plugin, any access to a service will be logged in json format.
The plugin accepts the following configuration
{
"AccessLog": {
"enabled": true,
"statuses": [], // list of status to enable logs, if none, log everything
"paths": [], // list of paths to enable logs, if none, log everything
"methods": [], // list of http methods to enable logs, if none, log everything
"identities": [] // list of identities to enable logs, if none, log everything
}
}
Default configuration
{
"AccessLog" : {
"enabled" : true,
"statuses" : [ ],
"paths" : [ ],
"methods" : [ ],
"identities" : [ ]
}
}
transformerKafka access log
Infos
- plugin type:
transformer
- configuration root:
KafkaAccessLog
Description
With this plugin, any access to a service will be logged as an event in a kafka topic.
The plugin accepts the following configuration
{
"KafkaAccessLog": {
"enabled": true,
"topic": "otoroshi-access-log",
"statuses": [], // list of status to enable logs, if none, log everything
"paths": [], // list of paths to enable logs, if none, log everything
"methods": [], // list of http methods to enable logs, if none, log everything
"identities": [] // list of identities to enable logs, if none, log everything
}
}
Default configuration
{
"KafkaAccessLog" : {
"enabled" : true,
"topic" : "otoroshi-access-log",
"statuses" : [ ],
"paths" : [ ],
"methods" : [ ],
"identities" : [ ]
}
}
transformerBasic Auth. caller
Infos
- plugin type:
transformer
- configuration root:
BasicAuthCaller
Description
This plugin can be used to call api that are authenticated using basic auth.
This plugin accepts the following configuration
{ “username” : “the_username”, “password” : “the_password”, “headerName” : “Authorization”, “headerValueFormat” : “Basic %s” }
Default configuration
{
"username" : "the_username",
"password" : "the_password",
"headerName" : "Authorization",
"headerValueFormat" : "Basic %s"
}
transformerOAuth2 caller
Infos
- plugin type:
transformer
- configuration root:
OAuth2Caller
Description
This plugin can be used to call api that are authenticated using OAuth2 client_credential/password flow. Do not forget to enable client retry to handle token generation on expire.
This plugin accepts the following configuration
{ “kind” : “the oauth2 flow, can be ‘client_credentials’ or ‘password’”, “url” : “https://127.0.0.1:8080/oauth/token", ”method“ : ”POST“, ”headerName“ : ”Authorization“, ”headerValueFormat“ : ”Bearer %s“, ”jsonPayload“ : false, ”clientId“ : ”the client_id“, ”clientSecret“ : ”the client_secret“, ”scope“ : ”an optional scope“, ”audience“ : ”an optional audience“, ”user“ : ”an optional username if using password flow“, ”password“ : ”an optional password if using password flow“, ”cacheTokenSeconds“ : ”the number of second to wait before asking for a new token“, ”tlsConfig“ : ”an optional TLS settings object" }
Default configuration
{
"kind" : "the oauth2 flow, can be 'client_credentials' or 'password'",
"url" : "https://127.0.0.1:8080/oauth/token",
"method" : "POST",
"headerName" : "Authorization",
"headerValueFormat" : "Bearer %s",
"jsonPayload" : false,
"clientId" : "the client_id",
"clientSecret" : "the client_secret",
"scope" : "an optional scope",
"audience" : "an optional audience",
"user" : "an optional username if using password flow",
"password" : "an optional password if using password flow",
"cacheTokenSeconds" : "the number of second to wait before asking for a new token",
"tlsConfig" : "an optional TLS settings object"
}
transformerResponse Cache
Infos
- plugin type:
transformer
- configuration root:
ResponseCache
Description
This plugin can cache responses from target services in the otoroshi datasstore It also provides a debug UI at /.well-known/otoroshi/bodylogger
.
This plugin can accept the following configuration
{
"ResponseCache": {
"enabled": true, // enabled cache
"ttl": 300000, // store it for some times (5 minutes by default)
"maxSize": 5242880, // max body size (body will be cut after that)
"autoClean": true, // cleanup older keys when all bigger than maxSize
"filter": { // cache only for some status, method and paths
"statuses": [],
"methods": [],
"paths": [],
"not": {
"statuses": [],
"methods": [],
"paths": []
}
}
}
}
Default configuration
{
"ResponseCache" : {
"enabled" : true,
"ttl" : 3600000,
"maxSize" : 52428800,
"autoClean" : true,
"filter" : {
"statuses" : [ ],
"methods" : [ ],
"paths" : [ ],
"not" : {
"statuses" : [ ],
"methods" : [ ],
"paths" : [ ]
}
}
}
}
transformerClient certificate header
Infos
- plugin type:
transformer
- configuration root:
ClientCertChain
Description
This plugin pass client certificate informations to the target in headers.
This plugin can accept the following configuration
{
"ClientCertChain": {
"pem": { // send client cert as PEM format in a header
"send": false,
"header": "X-Client-Cert-Pem"
},
"dns": { // send JSON array of DNs in a header
"send": false,
"header": "X-Client-Cert-DNs"
},
"chain": { // send JSON representation of client cert chain in a header
"send": true,
"header": "X-Client-Cert-Chain"
},
"claims": { // pass JSON representation of client cert chain in the otoroshi JWT token
"send": false,
"name": "clientCertChain"
}
}
}
Default configuration
{
"ClientCertChain" : {
"pem" : {
"send" : false,
"header" : "X-Client-Cert-Pem"
},
"dns" : {
"send" : false,
"header" : "X-Client-Cert-DNs"
},
"chain" : {
"send" : true,
"header" : "X-Client-Cert-Chain"
},
"claims" : {
"send" : false,
"name" : "clientCertChain"
}
}
}
transformerDefer Responses
Infos
- plugin type:
transformer
- configuration root:
DeferPlugin
Description
This plugin will expect a X-Defer
header or a defer
query param and defer the response according to the value in milliseconds. This plugin is some kind of inside joke as one a our customer ask us to make slower apis.
This plugin can accept the following configuration
{
"DeferPlugin": {
"defaultDefer": 0 // default defer in millis
}
}
Default configuration
{
"DeferPlugin" : {
"defaultDefer" : 0
}
}
transformerSelf registration endpoints (service discovery)
Infos
- plugin type:
transformer
- configuration root:
DiscoverySelfRegistration
Description
This plugin add support for self registration endpoint on a specific service.
This plugin accepts the following configuration:
Default configuration
{
"DiscoverySelfRegistration" : {
"hosts" : [ ],
"targetTemplate" : { },
"registrationTtl" : 60000
}
}
transformerGeolocation endpoint
Infos
- plugin type:
transformer
- configuration root:
none
Description
This plugin will expose current geolocation informations on the following endpoint.
/.well-known/otoroshi/plugins/geolocation
Geolocation header
Infos
- plugin type:
transformer
- configuration root:
GeolocationInfoHeader
Description
This plugin will send informations extracted by the Geolocation details extractor to the target service in a header.
This plugin can accept the following configuration
{
"GeolocationInfoHeader": {
"headerName": "X-Geolocation-Info" // header in which info will be sent
}
}
Default configuration
{
"GeolocationInfoHeader" : {
"headerName" : "X-Geolocation-Info"
}
}
transformerHMAC caller plugin
Infos
- plugin type:
transformer
- configuration root:
HMACCallerPlugin
Description
This plugin can be used to call a “protected” api by an HMAC signature. It will adds a signature with the secret configured on the plugin. The signature string will always the content of the header list listed in the plugin configuration.
Default configuration
{
"HMACCallerPlugin" : {
"secret" : "my-defaut-secret",
"algo" : "HMAC-SHA512"
}
}
transformerIzanami Canary Campaign
Infos
- plugin type:
transformer
- configuration root:
IzanamiCanary
Description
This plugin allow you to perform canary testing based on an izanami experiment campaign (A/B test).
This plugin can accept the following configuration
{
"IzanamiCanary" : {
"experimentId" : "foo:bar:qix",
"configId" : "foo:bar:qix:config",
"izanamiUrl" : "https://izanami.foo.bar",
"izanamiClientId" : "client",
"izanamiClientSecret" : "secret",
"timeout" : 5000,
"mtls" : {
"certs" : [ ],
"trustedCerts" : [ ],
"mtls" : false,
"loose" : false,
"trustAll" : false
}
}
}
Default configuration
{
"IzanamiCanary" : {
"experimentId" : "foo:bar:qix",
"configId" : "foo:bar:qix:config",
"izanamiUrl" : "https://izanami.foo.bar",
"izanamiClientId" : "client",
"izanamiClientSecret" : "secret",
"timeout" : 5000,
"mtls" : {
"certs" : [ ],
"trustedCerts" : [ ],
"mtls" : false,
"loose" : false,
"trustAll" : false
}
}
}
transformerIzanami APIs Proxy
Infos
- plugin type:
transformer
- configuration root:
IzanamiProxy
Description
This plugin exposes routes to proxy Izanami configuration and features tree APIs.
This plugin can accept the following configuration
{
"IzanamiProxy" : {
"path" : "/api/izanami",
"featurePattern" : "*",
"configPattern" : "*",
"autoContext" : false,
"featuresEnabled" : true,
"featuresWithContextEnabled" : true,
"configurationEnabled" : false,
"izanamiUrl" : "https://izanami.foo.bar",
"izanamiClientId" : "client",
"izanamiClientSecret" : "secret",
"timeout" : 5000
}
}
Default configuration
{
"IzanamiProxy" : {
"path" : "/api/izanami",
"featurePattern" : "*",
"configPattern" : "*",
"autoContext" : false,
"featuresEnabled" : true,
"featuresWithContextEnabled" : true,
"configurationEnabled" : false,
"izanamiUrl" : "https://izanami.foo.bar",
"izanamiClientId" : "client",
"izanamiClientSecret" : "secret",
"timeout" : 5000
}
}
transformerJQ bodies transformer
Infos
- plugin type:
transformer
- configuration root:
JqBodyTransformer
Description
This plugin let you transform JSON bodies (in requests and responses) using JQ filters.
Some JSON variables are accessible by default :
$url
: the request url$path
: the request path$domain
: the request domain$method
: the request method$headers
: the current request headers (with name in lowercase)$queryParams
: the current request query params$otoToken
: the otoroshi protocol token (if one)$inToken
: the first matched JWT token as is (from verifiers, if one)$token
: the first matched JWT token as is (from verifiers, if one)$user
: the current user (if one)$apikey
: the current apikey (if one)
This plugin can accept the following configuration
{
"JqBodyTransformer" : {
"request" : {
"filter" : ".",
"included" : [ ],
"excluded" : [ ]
},
"response" : {
"filter" : ".",
"included" : [ ],
"excluded" : [ ]
}
}
}
Default configuration
{
"JqBodyTransformer" : {
"request" : {
"filter" : ".",
"included" : [ ],
"excluded" : [ ]
},
"response" : {
"filter" : ".",
"included" : [ ],
"excluded" : [ ]
}
}
}
transformerHtml Patcher
Infos
- plugin type:
transformer
- configuration root:
HtmlPatcher
Description
This plugin can inject elements in html pages (in the body or in the head) returned by the service
Default configuration
{
"HtmlPatcher" : {
"appendHead" : [ ],
"appendBody" : [ ]
}
}
transformerLog4Shell mitigation plugin
Infos
- plugin type:
transformer
- configuration root:
Log4ShellFilter
Description
This plugin try to detect Log4Shell attacks in request and block them.
This plugin can accept the following configuration
{
"Log4ShellFilter": {
"status": 200, // the status send back when an attack expression is found
"body": "", // the body send back when an attack expression is found
"parseBody": false // enables request body parsing to find attack expression
}
}
Default configuration
{
"Log4ShellFilter" : {
"status" : 200,
"body" : "",
"parseBody" : false
}
}
transformerBody logger
Infos
- plugin type:
transformer
- configuration root:
BodyLogger
Description
This plugin can log body present in request and response. It can just logs it, store in in the redis store with a ttl and send it to analytics. It also provides a debug UI at /.well-known/otoroshi/bodylogger
.
This plugin can accept the following configuration
{
"BodyLogger": {
"enabled": true, // enabled logging
"log": true, // just log it
"store": false, // store bodies in datastore
"ttl": 300000, // store it for some times (5 minutes by default)
"sendToAnalytics": false, // send bodies to analytics
"maxSize": 5242880, // max body size (body will be cut after that)
"password": "password", // password for the ui, if none, it's public
"filter": { // log only for some status, method and paths
"statuses": [],
"methods": [],
"paths": [],
"not": {
"statuses": [],
"methods": [],
"paths": []
}
}
}
}
Default configuration
{
"BodyLogger" : {
"enabled" : true,
"log" : true,
"store" : false,
"ttl" : 300000,
"sendToAnalytics" : false,
"maxSize" : 5242880,
"password" : "password",
"filter" : {
"statuses" : [ ],
"methods" : [ ],
"paths" : [ ],
"not" : {
"statuses" : [ ],
"methods" : [ ],
"paths" : [ ]
}
}
}
}
transformerMirroring plugin
Infos
- plugin type:
transformer
- configuration root:
MirroringPlugin
Description
This plugin will mirror every request to other targets
This plugin can accept the following configuration
{
"MirroringPlugin": {
"enabled": true, // enabled mirroring
"to": "https://foo.bar.dev", // the url of the service to mirror
}
}
Default configuration
{
"MirroringPlugin" : {
"enabled" : true,
"to" : "https://foo.bar.dev",
"captureResponse" : false,
"generateEvents" : false
}
}
transformerOAuth1 caller
Infos
- plugin type:
transformer
- configuration root:
OAuth1Caller
Description
This plugin can be used to call api that are authenticated using OAuth1. Consumer key, secret, and OAuth token et OAuth token secret can be pass through the metadata of an api key or via the configuration of this plugin.
Default configuration
{
"OAuth1Caller" : {
"algo" : "HmacSHA512"
}
}
transformerOIDC headers
Infos
- plugin type:
transformer
- configuration root:
OIDCHeaders
Description
This plugin injects headers containing tokens and profile from current OIDC provider.
Default configuration
{
"OIDCHeaders" : {
"profile" : {
"send" : true,
"headerName" : "X-OIDC-User"
},
"idtoken" : {
"send" : false,
"name" : "id_token",
"headerName" : "X-OIDC-Id-Token",
"jwt" : true
},
"accesstoken" : {
"send" : false,
"name" : "access_token",
"headerName" : "X-OIDC-Access-Token",
"jwt" : true
}
}
}
transformerSecurity Txt
Infos
- plugin type:
transformer
- configuration root:
SecurityTxt
Description
This plugin exposes a special route /.well-known/security.txt
as proposed at https://securitytxt.org/.
This plugin can accept the following configuration
{
"SecurityTxt": {
"Contact": "contact@foo.bar", // mandatory, a link or e-mail address for people to contact you about security issues
"Encryption": "http://url-to-public-key", // optional, a link to a key which security researchers should use to securely talk to you
"Acknowledgments": "http://url", // optional, a link to a web page where you say thank you to security researchers who have helped you
"Preferred-Languages": "en, fr, es", // optional
"Policy": "http://url", // optional, a link to a policy detailing what security researchers should do when searching for or reporting security issues
"Hiring": "http://url", // optional, a link to any security-related job openings in your organisation
}
}
Default configuration
{
"SecurityTxt" : {
"Contact" : "contact@foo.bar",
"Encryption" : "https://...",
"Acknowledgments" : "https://...",
"Preferred-Languages" : "en, fr",
"Policy" : "https://...",
"Hiring" : "https://..."
}
}
transformerStatic Response
Infos
- plugin type:
transformer
- configuration root:
StaticResponse
Description
This plugin returns a static response for any request
Default configuration
{
"StaticResponse" : {
"status" : 200,
"headers" : {
"Content-Type" : "application/json"
},
"body" : "{\"message\":\"hello world!\"}",
"bodyBase64" : null
}
}
transformerUser-Agent endpoint
Infos
- plugin type:
transformer
- configuration root:
none
Description
This plugin will expose current user-agent informations on the following endpoint.
/.well-known/otoroshi/plugins/user-agent
User-Agent header
Infos
- plugin type:
transformer
- configuration root:
UserAgentInfoHeader
Description
This plugin will sent informations extracted by the User-Agent details extractor to the target service in a header.
This plugin can accept the following configuration
{
"UserAgentInfoHeader": {
"headerName": "X-User-Agent-Info" // header in which info will be sent
}
}
Default configuration
{
"UserAgentInfoHeader" : {
"headerName" : "X-User-Agent-Info"
}
}
transformer[DEPRECATED] Workflow endpoint
Infos
- plugin type:
transformer
- configuration root:
WorkflowEndpoint
Description
This plugin runs a workflow and return the response
Default configuration
{
"WorkflowEndpoint" : {
"workflow" : { }
}
}
transformerBiscuit token validator
Infos
- plugin type:
validator
- configuration root:
none
Description
This plugin validates a Biscuit token.
Default configuration
{
"publicKey" : "xxxxxx",
"checks" : [ ],
"facts" : [ ],
"resources" : [ ],
"rules" : [ ],
"revocation_ids" : [ ],
"enforce" : false,
"extractor" : {
"type" : "header",
"name" : "Authorization"
}
}
validatorClient Certificate + Api Key only
Infos
- plugin type:
validator
- configuration root:
none
Description
Check if a client certificate is present in the request and that the apikey used matches the client certificate. You can set the client cert. DN in an apikey metadata named allowed-client-cert-dn
Client certificate matching (over http)
Infos
- plugin type:
validator
- configuration root:
HasClientCertMatchingHttpValidator
Description
Check if client certificate matches the following configuration
expected response from http service is
{
"serialNumbers": [], // allowed certificated serial numbers
"subjectDNs": [], // allowed certificated DNs
"issuerDNs": [], // allowed certificated issuer DNs
"regexSubjectDNs": [], // allowed certificated DNs matching regex
"regexIssuerDNs": [], // allowed certificated issuer DNs matching regex
}
This plugin can accept the following configuration
{
"HasClientCertMatchingValidator": {
"url": "...", // url for the call
"headers": {}, // http header for the call
"ttl": 600000, // cache ttl,
"mtlsConfig": {
"certId": "xxxxx",
"mtls": false,
"loose": false
}
}
}
Default configuration
{
"HasClientCertMatchingHttpValidator" : {
"url" : "http://foo.bar",
"ttl" : 600000,
"headers" : { },
"mtlsConfig" : {
"certId" : "...",
"mtls" : false,
"loose" : false
}
}
}
validatorClient certificate matching
Infos
- plugin type:
validator
- configuration root:
HasClientCertMatchingValidator
Description
Check if client certificate matches the following configuration
This plugin can accept the following configuration
{
"HasClientCertMatchingValidator": {
"serialNumbers": [], // allowed certificated serial numbers
"subjectDNs": [], // allowed certificated DNs
"issuerDNs": [], // allowed certificated issuer DNs
"regexSubjectDNs": [], // allowed certificated DNs matching regex
"regexIssuerDNs": [], // allowed certificated issuer DNs matching regex
}
}
Default configuration
{
"HasClientCertMatchingValidator" : {
"serialNumbers" : [ ],
"subjectDNs" : [ ],
"issuerDNs" : [ ],
"regexSubjectDNs" : [ ],
"regexIssuerDNs" : [ ]
}
}
validatorClient Certificate Only
Infos
- plugin type:
validator
- configuration root:
none
Description
Check if a client certificate is present in the request
validatorHMAC access validator
Infos
- plugin type:
validator
- configuration root:
HMACAccessValidator
Description
This plugin can be used to check if a HMAC signature is present and valid in Authorization header.
Default configuration
{
"HMACAccessValidator" : {
"secret" : ""
}
}
Documentation
The HMAC signature needs to be set on the Authorization
or Proxy-Authorization
header. The format of this header should be : hmac algorithm="<ALGORITHM>", headers="<HEADER>", signature="<SIGNATURE>"
As example, a simple nodeJS call with the expected header ```js const crypto = require(‘crypto’); const fetch = require(‘node-fetch’);
const date = new Date() const secret = “my-secret” // equal to the api key secret by default
const algo = “sha512” const signature = crypto.createHmac(algo, secret) .update(date.getTime().toString()) .digest(‘base64’);
fetch(’http://myservice.oto.tools:9999/api/test', { headers: { “Otoroshi-Client-Id”: “my-id”, “Otoroshi-Client-Secret”: “my-secret”, “Date”: date.getTime().toString(), “Authorization”: hmac algorithm="hmac-${algo}", headers="Date", signature="${signature}"
, “Accept”: “application/json” } }) .then(r => r.json()) .then(console.log) ``` In this example, we have an Otoroshi service deployed on http://myservice.oto.tools:9999/api/test, protected by api keys. The secret used is the secret of the api key (by default, but you can change it and define a secret on the plugin configuration). We send the base64 encoded date of the day, signed by the secret, in the Authorization header. We specify the headers signed and the type of algorithm used. You can sign more than one header but you have to list them in the headers fields (each one separate by a space, example : headers=“Date KeyId”). The algorithm used can be HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512.
OIDC access_token validator
Infos
- plugin type:
validator
- configuration root:
OIDCAccessTokenValidator
Description
This plugin will use the third party apikey configuration and apply it while keeping the apikey mecanism of otoroshi. Use it to combine apikey validation and OIDC access_token validation.
This plugin can accept the following configuration
{
"OIDCAccessTokenValidator": {
"enabled": true,
"atLeastOne": false,
// config is optional and can be either an object config or an array of objects
"config": {
"enabled" : true,
"quotasEnabled" : true,
"uniqueApiKey" : false,
"type" : "OIDC",
"oidcConfigRef" : "some-oidc-auth-module-id",
"localVerificationOnly" : false,
"mode" : "Tmp",
"ttl" : 0,
"headerName" : "Authorization",
"throttlingQuota" : 100,
"dailyQuota" : 10000000,
"monthlyQuota" : 10000000,
"excludedPatterns" : [ ],
"scopes" : [ ],
"rolesPath" : [ ],
"roles" : [ ]
}
}
}
Default configuration
{
"OIDCAccessTokenValidator" : {
"enabled" : true,
"atLeastOne" : false,
"config" : {
"enabled" : true,
"quotasEnabled" : true,
"uniqueApiKey" : false,
"type" : "OIDC",
"oidcConfigRef" : "some-oidc-auth-module-id",
"localVerificationOnly" : false,
"mode" : "Tmp",
"ttl" : 0,
"headerName" : "Authorization",
"throttlingQuota" : 100,
"dailyQuota" : 10000000,
"monthlyQuota" : 10000000,
"excludedPatterns" : [ ],
"scopes" : [ ],
"rolesPath" : [ ],
"roles" : [ ]
}
}
}
validatorPublic quotas
Infos
- plugin type:
validator
- configuration root:
ServiceQuotas
Description
This plugin will enforce public quotas on the current service
Default configuration
{
"ServiceQuotas" : {
"throttlingQuota" : 100,
"dailyQuota" : 10000000,
"monthlyQuota" : 10000000
}
}
validatorAllowed users only
Infos
- plugin type:
validator
- configuration root:
HasAllowedUsersValidator
Description
This plugin only let allowed users pass
This plugin can accept the following configuration
{
"HasAllowedUsersValidator": {
"usernames": [], // allowed usernames
"emails": [], // allowed user email addresses
"emailDomains": [], // allowed user email domains
"metadataMatch": [], // json path expressions to match against user metadata. passes if one match
"metadataNotMatch": [], // json path expressions to match against user metadata. passes if none match
"profileMatch": [], // json path expressions to match against user profile. passes if one match
"profileNotMatch": [], // json path expressions to match against user profile. passes if none match
}
}
Default configuration
{
"HasAllowedUsersValidator" : {
"usernames" : [ ],
"emails" : [ ],
"emailDomains" : [ ],
"metadataMatch" : [ ],
"metadataNotMatch" : [ ],
"profileMatch" : [ ],
"profileNotMatch" : [ ]
}
}
validatorApikey auth module
Infos
- plugin type:
preroute
- configuration root:
ApikeyAuthModule
Description
This plugin adds basic auth on service where credentials are valid apikeys on the current service.
Default configuration
{
"ApikeyAuthModule" : {
"realm" : "apikey-auth-module-realm",
"noneTagIn" : [ ],
"oneTagIn" : [ ],
"allTagsIn" : [ ],
"noneMetaIn" : [ ],
"oneMetaIn" : [ ],
"allMetaIn" : [ ],
"noneMetaKeysIn" : [ ],
"oneMetaKeyIn" : [ ],
"allMetaKeysIn" : [ ]
}
}
prerouteClient certificate as apikey
Infos
- plugin type:
preroute
- configuration root:
CertificateAsApikey
Description
This plugin uses client certificate as an apikey. The apikey will be stored for classic apikey usage
Default configuration
{
"CertificateAsApikey" : {
"readOnly" : false,
"allowClientIdOnly" : false,
"throttlingQuota" : 100,
"dailyQuota" : 10000000,
"monthlyQuota" : 10000000,
"constrainedServicesOnly" : false,
"tags" : [ ],
"metadata" : { }
}
}
prerouteClient Credential Flow ApiKey extractor
Infos
- plugin type:
preroute
- configuration root:
none
Description
This plugin can extract an apikey from an opaque access_token generate by the ClientCredentialFlow
plugin
Apikey from Biscuit token extractor
Infos
- plugin type:
preroute
- configuration root:
none
Description
This plugin extract an from a Biscuit token where the biscuit has an #authority fact ‘client_id’ containing apikey client_id and an #authority fact ‘client_sign’ that is the HMAC256 signature of the apikey client_id with the apikey client_secret
Default configuration
{
"publicKey" : "xxxxxx",
"checks" : [ ],
"facts" : [ ],
"resources" : [ ],
"rules" : [ ],
"revocation_ids" : [ ],
"enforce" : false,
"extractor" : {
"type" : "header",
"name" : "Authorization"
}
}
prerouteService discovery target selector (service discovery)
Infos
- plugin type:
preroute
- configuration root:
DiscoverySelfRegistration
Description
This plugin select a target in the pool of discovered targets for this service. Use in combination with either DiscoverySelfRegistrationSink
or DiscoverySelfRegistrationTransformer
to make it work using the self registration
pattern. Or use an implementation of DiscoveryJob
for the third party registration pattern
.
This plugin accepts the following configuration:
Default configuration
{
"DiscoverySelfRegistration" : {
"hosts" : [ ],
"targetTemplate" : { },
"registrationTtl" : 60000
}
}
prerouteGeolocation details extractor (using IpStack api)
Infos
- plugin type:
preroute
- configuration root:
GeolocationInfo
Description
This plugin extract geolocation informations from ip address using the IpStack dbs. The informations are store in plugins attrs for other plugins to use
This plugin can accept the following configuration
{
"GeolocationInfo": {
"apikey": "xxxxxxx",
"timeout": 2000, // timeout in ms
"log": false // will log geolocation details
}
}
Default configuration
{
"GeolocationInfo" : {
"apikey" : "xxxxxxx",
"timeout" : 2000,
"log" : false
}
}
prerouteGeolocation details extractor (using Maxmind db)
Infos
- plugin type:
preroute
- configuration root:
GeolocationInfo
Description
This plugin extract geolocation informations from ip address using the Maxmind dbs. The informations are store in plugins attrs for other plugins to use
This plugin can accept the following configuration
{
"GeolocationInfo": {
"path": "/foo/bar/cities.mmdb", // file path, can be "global"
"log": false // will log geolocation details
}
}
Default configuration
{
"GeolocationInfo" : {
"path" : "global",
"log" : false
}
}
prerouteJwt user extractor
Infos
- plugin type:
preroute
- configuration root:
JwtUserExtractor
Description
This plugin extract a user from a JWT token
Default configuration
{
"JwtUserExtractor" : {
"verifier" : "",
"strict" : true,
"namePath" : "name",
"emailPath" : "email",
"metaPath" : null
}
}
prerouteOIDC access_token as apikey
Infos
- plugin type:
preroute
- configuration root:
OIDCAccessTokenAsApikey
Description
This plugin will use the third party apikey configuration to generate an apikey
This plugin can accept the following configuration
{
"OIDCAccessTokenValidator": {
"enabled": true,
"atLeastOne": false,
// config is optional and can be either an object config or an array of objects
"config": {
"enabled" : true,
"quotasEnabled" : true,
"uniqueApiKey" : false,
"type" : "OIDC",
"oidcConfigRef" : "some-oidc-auth-module-id",
"localVerificationOnly" : false,
"mode" : "Tmp",
"ttl" : 0,
"headerName" : "Authorization",
"throttlingQuota" : 100,
"dailyQuota" : 10000000,
"monthlyQuota" : 10000000,
"excludedPatterns" : [ ],
"scopes" : [ ],
"rolesPath" : [ ],
"roles" : [ ]
}
}
}
Default configuration
{
"OIDCAccessTokenAsApikey" : {
"enabled" : true,
"atLeastOne" : false,
"config" : {
"enabled" : true,
"quotasEnabled" : true,
"uniqueApiKey" : false,
"type" : "OIDC",
"oidcConfigRef" : "some-oidc-auth-module-id",
"localVerificationOnly" : false,
"mode" : "Tmp",
"ttl" : 0,
"headerName" : "Authorization",
"throttlingQuota" : 100,
"dailyQuota" : 10000000,
"monthlyQuota" : 10000000,
"excludedPatterns" : [ ],
"scopes" : [ ],
"rolesPath" : [ ],
"roles" : [ ]
}
}
}
prerouteUser-Agent details extractor
Infos
- plugin type:
preroute
- configuration root:
UserAgentInfo
Description
This plugin extract informations from User-Agent header such as browsser version, OS version, etc. The informations are store in plugins attrs for other plugins to use
This plugin can accept the following configuration
{
"UserAgentInfo": {
"log": false // will log user-agent details
}
}
Default configuration
{
"UserAgentInfo" : {
"log" : false
}
}
prerouteClient Credential Service
Infos
- plugin type:
sink
- configuration root:
ClientCredentialService
Description
This plugin add an an oauth client credentials service (https://unhandleddomain/.well-known/otoroshi/oauth/token
) to create an access_token given a client id and secret.
{
"ClientCredentialService" : {
"domain" : "*",
"expiration" : 3600000,
"defaultKeyPair" : "otoroshi-jwt-signing",
"secure" : true
}
}
Default configuration
{
"ClientCredentialService" : {
"domain" : "*",
"expiration" : 3600000,
"defaultKeyPair" : "otoroshi-jwt-signing",
"secure" : true
}
}
sinkGlobal self registration endpoints (service discovery)
Infos
- plugin type:
sink
- configuration root:
DiscoverySelfRegistration
Description
This plugin add support for self registration endpoint on specific hostnames.
This plugin accepts the following configuration:
Default configuration
{
"DiscoverySelfRegistration" : {
"hosts" : [ ],
"targetTemplate" : { },
"registrationTtl" : 60000
}
}
sinkKubernetes admission validator webhook
Infos
- plugin type:
sink
- configuration root:
none
Description
This plugin exposes a webhook to kubernetes to handle manifests validation
sinkKubernetes sidecar injector webhook
Infos
- plugin type:
sink
- configuration root:
none
Description
This plugin exposes a webhook to kubernetes to inject otoroshi-sidecar in pods
sinkOtoroshi state exporter job
Infos
- plugin type:
job
- configuration root:
StateExporter
Description
This job send an event containing the full otoroshi export every n seconds
Default configuration
{
"StateExporter" : {
"every_sec" : 3600,
"format" : "json"
}
}
jobTailscale certificate fetcher job
Infos
- plugin type:
job
- configuration root:
none
Description
This job will fetch certificates from Tailscale ACME provider
jobTailscale targets job
Infos
- plugin type:
job
- configuration root:
none
Description
This job will aggregates Tailscale possible online targets
jobKubernetes Ingress Controller
Infos
- plugin type:
job
- configuration root:
KubernetesConfig
Description
This plugin enables Otoroshi as an Ingress Controller
{
"KubernetesConfig" : {
"endpoint" : "https://kube.cluster.dev",
"token" : "xxx",
"userPassword" : "user:password",
"caCert" : "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"trust" : false,
"namespaces" : [ "*" ],
"labels" : { },
"namespacesLabels" : { },
"ingressClasses" : [ "otoroshi" ],
"defaultGroup" : "default",
"ingresses" : true,
"crds" : true,
"crdsOverride" : false,
"coreDnsIntegration" : false,
"coreDnsIntegrationDryRun" : false,
"coreDnsAzure" : false,
"kubeLeader" : false,
"restartDependantDeployments" : true,
"useProxyState" : false,
"watch" : true,
"syncDaikokuApikeysOnly" : false,
"kubeSystemNamespace" : "kube-system",
"coreDnsConfigMapName" : "coredns",
"coreDnsDeploymentName" : "coredns",
"corednsPort" : 53,
"otoroshiServiceName" : "otoroshi-service",
"otoroshiNamespace" : "otoroshi",
"clusterDomain" : "cluster.local",
"syncIntervalSeconds" : 60,
"coreDnsEnv" : null,
"watchTimeoutSeconds" : 60,
"watchGracePeriodSeconds" : 5,
"mutatingWebhookName" : "otoroshi-admission-webhook-injector",
"validatingWebhookName" : "otoroshi-admission-webhook-validation",
"meshDomain" : "otoroshi.mesh",
"openshiftDnsOperatorIntegration" : false,
"openshiftDnsOperatorCoreDnsNamespace" : "otoroshi",
"openshiftDnsOperatorCoreDnsName" : "otoroshi-dns",
"openshiftDnsOperatorCoreDnsPort" : 5353,
"kubeDnsOperatorIntegration" : false,
"kubeDnsOperatorCoreDnsNamespace" : "otoroshi",
"kubeDnsOperatorCoreDnsName" : "otoroshi-dns",
"kubeDnsOperatorCoreDnsPort" : 5353,
"connectionTimeout" : 5000,
"idleTimeout" : 30000,
"callAndStreamTimeout" : 30000,
"templates" : {
"service-group" : { },
"service-descriptor" : { },
"apikeys" : { },
"global-config" : { },
"jwt-verifier" : { },
"tcp-service" : { },
"certificate" : { },
"auth-module" : { },
"script" : { },
"data-exporters" : { },
"organizations" : { },
"teams" : { },
"admins" : { },
"webhooks" : { }
}
}
}
Default configuration
{
"KubernetesConfig" : {
"endpoint" : "https://kube.cluster.dev",
"token" : "xxx",
"userPassword" : "user:password",
"caCert" : "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"trust" : false,
"namespaces" : [ "*" ],
"labels" : { },
"namespacesLabels" : { },
"ingressClasses" : [ "otoroshi" ],
"defaultGroup" : "default",
"ingresses" : true,
"crds" : true,
"crdsOverride" : false,
"coreDnsIntegration" : false,
"coreDnsIntegrationDryRun" : false,
"coreDnsAzure" : false,
"kubeLeader" : false,
"restartDependantDeployments" : true,
"useProxyState" : false,
"watch" : true,
"syncDaikokuApikeysOnly" : false,
"kubeSystemNamespace" : "kube-system",
"coreDnsConfigMapName" : "coredns",
"coreDnsDeploymentName" : "coredns",
"corednsPort" : 53,
"otoroshiServiceName" : "otoroshi-service",
"otoroshiNamespace" : "otoroshi",
"clusterDomain" : "cluster.local",
"syncIntervalSeconds" : 60,
"coreDnsEnv" : null,
"watchTimeoutSeconds" : 60,
"watchGracePeriodSeconds" : 5,
"mutatingWebhookName" : "otoroshi-admission-webhook-injector",
"validatingWebhookName" : "otoroshi-admission-webhook-validation",
"meshDomain" : "otoroshi.mesh",
"openshiftDnsOperatorIntegration" : false,
"openshiftDnsOperatorCoreDnsNamespace" : "otoroshi",
"openshiftDnsOperatorCoreDnsName" : "otoroshi-dns",
"openshiftDnsOperatorCoreDnsPort" : 5353,
"kubeDnsOperatorIntegration" : false,
"kubeDnsOperatorCoreDnsNamespace" : "otoroshi",
"kubeDnsOperatorCoreDnsName" : "otoroshi-dns",
"kubeDnsOperatorCoreDnsPort" : 5353,
"connectionTimeout" : 5000,
"idleTimeout" : 30000,
"callAndStreamTimeout" : 30000,
"templates" : {
"service-group" : { },
"service-descriptor" : { },
"apikeys" : { },
"global-config" : { },
"jwt-verifier" : { },
"tcp-service" : { },
"certificate" : { },
"auth-module" : { },
"script" : { },
"data-exporters" : { },
"organizations" : { },
"teams" : { },
"admins" : { },
"webhooks" : { }
}
}
}
jobKubernetes Otoroshi CRDs Controller
Infos
- plugin type:
job
- configuration root:
KubernetesConfig
Description
This plugin enables Otoroshi CRDs Controller
{
"KubernetesConfig" : {
"endpoint" : "https://kube.cluster.dev",
"token" : "xxx",
"userPassword" : "user:password",
"caCert" : "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"trust" : false,
"namespaces" : [ "*" ],
"labels" : { },
"namespacesLabels" : { },
"ingressClasses" : [ "otoroshi" ],
"defaultGroup" : "default",
"ingresses" : true,
"crds" : true,
"crdsOverride" : false,
"coreDnsIntegration" : false,
"coreDnsIntegrationDryRun" : false,
"coreDnsAzure" : false,
"kubeLeader" : false,
"restartDependantDeployments" : true,
"useProxyState" : false,
"watch" : true,
"syncDaikokuApikeysOnly" : false,
"kubeSystemNamespace" : "kube-system",
"coreDnsConfigMapName" : "coredns",
"coreDnsDeploymentName" : "coredns",
"corednsPort" : 53,
"otoroshiServiceName" : "otoroshi-service",
"otoroshiNamespace" : "otoroshi",
"clusterDomain" : "cluster.local",
"syncIntervalSeconds" : 60,
"coreDnsEnv" : null,
"watchTimeoutSeconds" : 60,
"watchGracePeriodSeconds" : 5,
"mutatingWebhookName" : "otoroshi-admission-webhook-injector",
"validatingWebhookName" : "otoroshi-admission-webhook-validation",
"meshDomain" : "otoroshi.mesh",
"openshiftDnsOperatorIntegration" : false,
"openshiftDnsOperatorCoreDnsNamespace" : "otoroshi",
"openshiftDnsOperatorCoreDnsName" : "otoroshi-dns",
"openshiftDnsOperatorCoreDnsPort" : 5353,
"kubeDnsOperatorIntegration" : false,
"kubeDnsOperatorCoreDnsNamespace" : "otoroshi",
"kubeDnsOperatorCoreDnsName" : "otoroshi-dns",
"kubeDnsOperatorCoreDnsPort" : 5353,
"connectionTimeout" : 5000,
"idleTimeout" : 30000,
"callAndStreamTimeout" : 30000,
"templates" : {
"service-group" : { },
"service-descriptor" : { },
"apikeys" : { },
"global-config" : { },
"jwt-verifier" : { },
"tcp-service" : { },
"certificate" : { },
"auth-module" : { },
"script" : { },
"data-exporters" : { },
"organizations" : { },
"teams" : { },
"admins" : { },
"webhooks" : { }
}
}
}
Default configuration
{
"KubernetesConfig" : {
"endpoint" : "https://kube.cluster.dev",
"token" : "xxx",
"userPassword" : "user:password",
"caCert" : "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"trust" : false,
"namespaces" : [ "*" ],
"labels" : { },
"namespacesLabels" : { },
"ingressClasses" : [ "otoroshi" ],
"defaultGroup" : "default",
"ingresses" : true,
"crds" : true,
"crdsOverride" : false,
"coreDnsIntegration" : false,
"coreDnsIntegrationDryRun" : false,
"coreDnsAzure" : false,
"kubeLeader" : false,
"restartDependantDeployments" : true,
"useProxyState" : false,
"watch" : true,
"syncDaikokuApikeysOnly" : false,
"kubeSystemNamespace" : "kube-system",
"coreDnsConfigMapName" : "coredns",
"coreDnsDeploymentName" : "coredns",
"corednsPort" : 53,
"otoroshiServiceName" : "otoroshi-service",
"otoroshiNamespace" : "otoroshi",
"clusterDomain" : "cluster.local",
"syncIntervalSeconds" : 60,
"coreDnsEnv" : null,
"watchTimeoutSeconds" : 60,
"watchGracePeriodSeconds" : 5,
"mutatingWebhookName" : "otoroshi-admission-webhook-injector",
"validatingWebhookName" : "otoroshi-admission-webhook-validation",
"meshDomain" : "otoroshi.mesh",
"openshiftDnsOperatorIntegration" : false,
"openshiftDnsOperatorCoreDnsNamespace" : "otoroshi",
"openshiftDnsOperatorCoreDnsName" : "otoroshi-dns",
"openshiftDnsOperatorCoreDnsPort" : 5353,
"kubeDnsOperatorIntegration" : false,
"kubeDnsOperatorCoreDnsNamespace" : "otoroshi",
"kubeDnsOperatorCoreDnsName" : "otoroshi-dns",
"kubeDnsOperatorCoreDnsPort" : 5353,
"connectionTimeout" : 5000,
"idleTimeout" : 30000,
"callAndStreamTimeout" : 30000,
"templates" : {
"service-group" : { },
"service-descriptor" : { },
"apikeys" : { },
"global-config" : { },
"jwt-verifier" : { },
"tcp-service" : { },
"certificate" : { },
"auth-module" : { },
"script" : { },
"data-exporters" : { },
"organizations" : { },
"teams" : { },
"admins" : { },
"webhooks" : { }
}
}
}
jobKubernetes to Otoroshi certs. synchronizer
Infos
- plugin type:
job
- configuration root:
KubernetesConfig
Description
This plugin syncs. TLS secrets from Kubernetes to Otoroshi
{
"KubernetesConfig" : {
"endpoint" : "https://kube.cluster.dev",
"token" : "xxx",
"userPassword" : "user:password",
"caCert" : "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"trust" : false,
"namespaces" : [ "*" ],
"labels" : { },
"namespacesLabels" : { },
"ingressClasses" : [ "otoroshi" ],
"defaultGroup" : "default",
"ingresses" : true,
"crds" : true,
"crdsOverride" : false,
"coreDnsIntegration" : false,
"coreDnsIntegrationDryRun" : false,
"coreDnsAzure" : false,
"kubeLeader" : false,
"restartDependantDeployments" : true,
"useProxyState" : false,
"watch" : true,
"syncDaikokuApikeysOnly" : false,
"kubeSystemNamespace" : "kube-system",
"coreDnsConfigMapName" : "coredns",
"coreDnsDeploymentName" : "coredns",
"corednsPort" : 53,
"otoroshiServiceName" : "otoroshi-service",
"otoroshiNamespace" : "otoroshi",
"clusterDomain" : "cluster.local",
"syncIntervalSeconds" : 60,
"coreDnsEnv" : null,
"watchTimeoutSeconds" : 60,
"watchGracePeriodSeconds" : 5,
"mutatingWebhookName" : "otoroshi-admission-webhook-injector",
"validatingWebhookName" : "otoroshi-admission-webhook-validation",
"meshDomain" : "otoroshi.mesh",
"openshiftDnsOperatorIntegration" : false,
"openshiftDnsOperatorCoreDnsNamespace" : "otoroshi",
"openshiftDnsOperatorCoreDnsName" : "otoroshi-dns",
"openshiftDnsOperatorCoreDnsPort" : 5353,
"kubeDnsOperatorIntegration" : false,
"kubeDnsOperatorCoreDnsNamespace" : "otoroshi",
"kubeDnsOperatorCoreDnsName" : "otoroshi-dns",
"kubeDnsOperatorCoreDnsPort" : 5353,
"connectionTimeout" : 5000,
"idleTimeout" : 30000,
"callAndStreamTimeout" : 30000,
"templates" : {
"service-group" : { },
"service-descriptor" : { },
"apikeys" : { },
"global-config" : { },
"jwt-verifier" : { },
"tcp-service" : { },
"certificate" : { },
"auth-module" : { },
"script" : { },
"data-exporters" : { },
"organizations" : { },
"teams" : { },
"admins" : { },
"webhooks" : { }
}
}
}
Default configuration
{
"KubernetesConfig" : {
"endpoint" : "https://kube.cluster.dev",
"token" : "xxx",
"userPassword" : "user:password",
"caCert" : "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"trust" : false,
"namespaces" : [ "*" ],
"labels" : { },
"namespacesLabels" : { },
"ingressClasses" : [ "otoroshi" ],
"defaultGroup" : "default",
"ingresses" : true,
"crds" : true,
"crdsOverride" : false,
"coreDnsIntegration" : false,
"coreDnsIntegrationDryRun" : false,
"coreDnsAzure" : false,
"kubeLeader" : false,
"restartDependantDeployments" : true,
"useProxyState" : false,
"watch" : true,
"syncDaikokuApikeysOnly" : false,
"kubeSystemNamespace" : "kube-system",
"coreDnsConfigMapName" : "coredns",
"coreDnsDeploymentName" : "coredns",
"corednsPort" : 53,
"otoroshiServiceName" : "otoroshi-service",
"otoroshiNamespace" : "otoroshi",
"clusterDomain" : "cluster.local",
"syncIntervalSeconds" : 60,
"coreDnsEnv" : null,
"watchTimeoutSeconds" : 60,
"watchGracePeriodSeconds" : 5,
"mutatingWebhookName" : "otoroshi-admission-webhook-injector",
"validatingWebhookName" : "otoroshi-admission-webhook-validation",
"meshDomain" : "otoroshi.mesh",
"openshiftDnsOperatorIntegration" : false,
"openshiftDnsOperatorCoreDnsNamespace" : "otoroshi",
"openshiftDnsOperatorCoreDnsName" : "otoroshi-dns",
"openshiftDnsOperatorCoreDnsPort" : 5353,
"kubeDnsOperatorIntegration" : false,
"kubeDnsOperatorCoreDnsNamespace" : "otoroshi",
"kubeDnsOperatorCoreDnsName" : "otoroshi-dns",
"kubeDnsOperatorCoreDnsPort" : 5353,
"connectionTimeout" : 5000,
"idleTimeout" : 30000,
"callAndStreamTimeout" : 30000,
"templates" : {
"service-group" : { },
"service-descriptor" : { },
"apikeys" : { },
"global-config" : { },
"jwt-verifier" : { },
"tcp-service" : { },
"certificate" : { },
"auth-module" : { },
"script" : { },
"data-exporters" : { },
"organizations" : { },
"teams" : { },
"admins" : { },
"webhooks" : { }
}
}
}
jobOtoroshi certs. to Kubernetes secrets synchronizer
Infos
- plugin type:
job
- configuration root:
KubernetesConfig
Description
This plugin syncs. Otoroshi certs to Kubernetes TLS secrets
{
"KubernetesConfig" : {
"endpoint" : "https://kube.cluster.dev",
"token" : "xxx",
"userPassword" : "user:password",
"caCert" : "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"trust" : false,
"namespaces" : [ "*" ],
"labels" : { },
"namespacesLabels" : { },
"ingressClasses" : [ "otoroshi" ],
"defaultGroup" : "default",
"ingresses" : true,
"crds" : true,
"crdsOverride" : false,
"coreDnsIntegration" : false,
"coreDnsIntegrationDryRun" : false,
"coreDnsAzure" : false,
"kubeLeader" : false,
"restartDependantDeployments" : true,
"useProxyState" : false,
"watch" : true,
"syncDaikokuApikeysOnly" : false,
"kubeSystemNamespace" : "kube-system",
"coreDnsConfigMapName" : "coredns",
"coreDnsDeploymentName" : "coredns",
"corednsPort" : 53,
"otoroshiServiceName" : "otoroshi-service",
"otoroshiNamespace" : "otoroshi",
"clusterDomain" : "cluster.local",
"syncIntervalSeconds" : 60,
"coreDnsEnv" : null,
"watchTimeoutSeconds" : 60,
"watchGracePeriodSeconds" : 5,
"mutatingWebhookName" : "otoroshi-admission-webhook-injector",
"validatingWebhookName" : "otoroshi-admission-webhook-validation",
"meshDomain" : "otoroshi.mesh",
"openshiftDnsOperatorIntegration" : false,
"openshiftDnsOperatorCoreDnsNamespace" : "otoroshi",
"openshiftDnsOperatorCoreDnsName" : "otoroshi-dns",
"openshiftDnsOperatorCoreDnsPort" : 5353,
"kubeDnsOperatorIntegration" : false,
"kubeDnsOperatorCoreDnsNamespace" : "otoroshi",
"kubeDnsOperatorCoreDnsName" : "otoroshi-dns",
"kubeDnsOperatorCoreDnsPort" : 5353,
"connectionTimeout" : 5000,
"idleTimeout" : 30000,
"callAndStreamTimeout" : 30000,
"templates" : {
"service-group" : { },
"service-descriptor" : { },
"apikeys" : { },
"global-config" : { },
"jwt-verifier" : { },
"tcp-service" : { },
"certificate" : { },
"auth-module" : { },
"script" : { },
"data-exporters" : { },
"organizations" : { },
"teams" : { },
"admins" : { },
"webhooks" : { }
}
}
}
Default configuration
{
"KubernetesConfig" : {
"endpoint" : "https://kube.cluster.dev",
"token" : "xxx",
"userPassword" : "user:password",
"caCert" : "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"trust" : false,
"namespaces" : [ "*" ],
"labels" : { },
"namespacesLabels" : { },
"ingressClasses" : [ "otoroshi" ],
"defaultGroup" : "default",
"ingresses" : true,
"crds" : true,
"crdsOverride" : false,
"coreDnsIntegration" : false,
"coreDnsIntegrationDryRun" : false,
"coreDnsAzure" : false,
"kubeLeader" : false,
"restartDependantDeployments" : true,
"useProxyState" : false,
"watch" : true,
"syncDaikokuApikeysOnly" : false,
"kubeSystemNamespace" : "kube-system",
"coreDnsConfigMapName" : "coredns",
"coreDnsDeploymentName" : "coredns",
"corednsPort" : 53,
"otoroshiServiceName" : "otoroshi-service",
"otoroshiNamespace" : "otoroshi",
"clusterDomain" : "cluster.local",
"syncIntervalSeconds" : 60,
"coreDnsEnv" : null,
"watchTimeoutSeconds" : 60,
"watchGracePeriodSeconds" : 5,
"mutatingWebhookName" : "otoroshi-admission-webhook-injector",
"validatingWebhookName" : "otoroshi-admission-webhook-validation",
"meshDomain" : "otoroshi.mesh",
"openshiftDnsOperatorIntegration" : false,
"openshiftDnsOperatorCoreDnsNamespace" : "otoroshi",
"openshiftDnsOperatorCoreDnsName" : "otoroshi-dns",
"openshiftDnsOperatorCoreDnsPort" : 5353,
"kubeDnsOperatorIntegration" : false,
"kubeDnsOperatorCoreDnsNamespace" : "otoroshi",
"kubeDnsOperatorCoreDnsName" : "otoroshi-dns",
"kubeDnsOperatorCoreDnsPort" : 5353,
"connectionTimeout" : 5000,
"idleTimeout" : 30000,
"callAndStreamTimeout" : 30000,
"templates" : {
"service-group" : { },
"service-descriptor" : { },
"apikeys" : { },
"global-config" : { },
"jwt-verifier" : { },
"tcp-service" : { },
"certificate" : { },
"auth-module" : { },
"script" : { },
"data-exporters" : { },
"organizations" : { },
"teams" : { },
"admins" : { },
"webhooks" : { }
}
}
}
jobOtoroshi next proxy engine (experimental)
Infos
- plugin type:
request-handler
- configuration root:
NextGenProxyEngine
Description
This plugin holds the next generation otoroshi proxy engine implementation. This engine is experimental and may not work as expected !
You can active this plugin only on some domain names so you can easily A/B test the new engine. The new proxy engine is designed to be more reactive and more efficient generally. It is also designed to be very efficient on path routing where it wasn’t the old engines strong suit.
The idea is to only rely on plugins to work and avoid losing time with features that are not used in service descriptors. An automated conversion happens for every service descriptor. If the exposed domain is handled by this plugin, it will be served by this plugin. This plugin introduces new entities that will replace (one day maybe) service descriptors:
routes
: a unique routing rule based on hostname, path, method and headers that will execute a bunch of pluginsroute-compositions
: multiple routing rules based on hostname, path, method and headers that will execute the same list of pluginsbackends
: a list of targets to contact a backend
as an example, let say you want to use the new engine on your service exposed on api.foo.bar/api
. To do that, just add the plugin in the global plugins
section of the danger zone, inject the default configuration, enabled it and in domains
add the value api.foo.bar
(it is possible to use *.foo.bar
if that’s what you want to do). The next time a request hits the api.foo.bar
domain, the new engine will handle it instead of the old one.
Default configuration
{
"NextGenProxyEngine" : {
"enabled" : true,
"domains" : [ "*" ],
"deny_domains" : [ ],
"reporting" : true,
"merge_sync_steps" : true,
"export_reporting" : false,
"apply_legacy_checks" : true,
"debug" : false,
"capture" : false,
"captureMaxEntitySize" : 4194304,
"debug_headers" : false,
"routing_strategy" : "tree"
}
}
request-handlerForward traffic
Infos
- plugin type:
request-handler
- configuration root:
ForwardTrafficHandler
Description
This plugin can be use to perform a raw traffic forward to an URL without passing through otoroshi routing
Default configuration
{
"ForwardTrafficHandler" : {
"domains" : {
"my.domain.tld" : {
"baseUrl" : "https://my.otherdomain.tld",
"secret" : "jwt signing secret",
"service" : {
"id" : "service id for analytics",
"name" : "service name for analytics"
}
}
}
}
}
request-handler