SYSTEM Cited by 3 sources

Skipper (Zalando HTTP proxy)

Definition

Skipper (github.com/zalando/skipper) is an HTTP router and reverse-proxy written in Go by Zalando, designed to be composable out of small filters and predicates along a routing DSL. At Zalando it is deployed as the default Kubernetes Ingress proxy across 140+ clusters (Source: sources/2020-06-30-zalando-launching-the-engineering-blog), sitting behind AWS ALBs provisioned by the Kubernetes Ingress Controller for AWS and in front of application pods.

What makes it distinctive

• Eskip routing DSL — routes are declarative, composed as predicate_chain -> filter_chain -> backend. Filters like compress(), setPath("/..."), inlineContent(...), setDynamicBackendUrl(...) chain with -> before the final backend token. Example from the Zalando blog-launch post: * -> compress() -> setDynamicBackendUrl("http://<BUCKET>.s3-website.<REGION>.amazonaws.com") -> <dynamic>; — this annotation (attached to an Ingress as zalando.org/skipper-routes) rewrites every request so the ingress proxies to an S3 static-website endpoint with edge gzip compression.

• Dynamic backends via <dynamic> sentinel — backends can be resolved from request headers or from filters at request time (setDynamicBackendUrl), which is how Skipper can front a non-Kubernetes origin (S3 website, a legacy host, etc.) without needing a Service/Endpoints pair.

• Rich filter library for L7 manipulation — compress() adds gzip encoding that upstreams don't provide; ratelimit(...), oauthTokeninfoAnyScope(...), stripQuery(), header add/remove/set filters, response-body rewriting. Used as the platform-wide policy enforcement point at Zalando.

• Ingress annotation integration — rather than a custom CRD for routes, Skipper reads routes from Kubernetes Ingress objects with the zalando.org/skipper-routes annotation containing eskip DSL. This keeps the Kubernetes-native API surface intact while exposing Skipper's full filter capability.

Seen in

• sources/2020-06-30-zalando-launching-the-engineering-blog — reused as the edge proxy for engineering.zalando.com instead of standing up CloudFront; single ingress-annotation route proxies to S3 website endpoint with compress() for gzip.
• sources/2021-03-01-zalando-building-an-end-to-end-load-test-automation-system-on-top-of-kubernetes — Skipper's header-based routing is the substrate that lets a single service instance in Zalando Payments' test cluster dynamically switch between the real external dependency and its Hoverfly mock per request, based on whether the request carries a load-test tag. Canonical instance of patterns/header-routed-mock-vs-real-dependency; the tight integration of predicate-filtered eskip routes with existing Ingress deployments is what makes this a zero-new-infrastructure pattern at Zalando.
• sources/2021-06-30-zalando-how-we-use-kotlin-for-backend-services — Skipper's OAuth token-info filters (oauthTokeninfoAnyScope(...), etc.) named as the first of three default AuthN/AuthZ options for new Kotlin backend services at Zalando (the other two: Route Groups and Fabric Gateway). Rationale given: Skipper "is designed to handle a large number of requests and is less likely to be misconfigured than for example Spring security" — a misconfiguration-at-scale argument for the central choke-point gateway over per-service auth libraries.

Comparable systems

• nginx / Envoy / HAProxy — general-purpose L7 proxies. Envoy is the dominant K8s ingress in service-mesh contexts; Skipper's differentiator is the eskip DSL and the tight integration with Ingress annotations at Zalando scale.
• Pingora (Cloudflare) — Rust, internal to CF.
• Fly Proxy — Go, runs Fly.io's anycast edge.

Related

• systems/kubernetes · systems/external-dns · systems/kube-ingress-aws-controller · systems/fabric-gateway-zalando · companies/zalando