zalando · wisinghe · Nov 18, 2025 · Nov 18, 2025 · Nov 18, 2025 · Nov 19, 2025
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -0,0 +1,13 @@
+# Add 'docs' to any changes within 'docs' folder or any subfolders
+documentation:
+- changed-files:
+  - any-glob-to-any-file:
+    - 'docs/**/*'
+
+# Add 'enhancement' label to any PR where the head branch name starts with `feature/` in the name
+enhancement:
+  - head-branch: ['^feature/']
+
+# Add 'codefreeze' label to any PR that is opened against the `cw2025` branch
+codefreeze:
+  - base-branch: 'cw2025'
diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml
@@ -0,0 +1,15 @@
+name: "Pull Request Labeler"
+on:
+- pull_request_target
+
+permissions: {}
+
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
+
diff --git a/config/config.go b/config/config.go
@@ -317,6 +317,7 @@ type Config struct {
 	OpenPolicyAgentControlLoopMaxJitter                time.Duration `yaml:"open-policy-agent-control-loop-max-jitter"`
 	EnableOpenPolicyAgentDataPreProcessingOptimization bool          `yaml:"enable-open-policy-agent-data-preprocessing-optimization"`
 	EnableOpenPolicyAgentPreloading                    bool          `yaml:"enable-open-policy-agent-preloading"`
+	EnableEnterpriseOpenPolicyAgentPlugins             bool          `yaml:"enable-enterprise-open-policy-agent"`
 	OpenPolicyAgentConfigTemplate                      string        `yaml:"open-policy-agent-config-template"`
 	OpenPolicyAgentEnvoyMetadata                       string        `yaml:"open-policy-agent-envoy-metadata"`
 	OpenPolicyAgentCleanerInterval                     time.Duration `yaml:"open-policy-agent-cleaner-interval"`
@@ -571,6 +572,7 @@ func NewConfig() *Config {
 	flag.Int64Var(&cfg.OpenPolicyAgentMaxRequestBodySize, "open-policy-agent-max-request-body-size", openpolicyagent.DefaultMaxRequestBodySize, "Maximum number of bytes from a http request body that are passed as input to the policy")
 	flag.Int64Var(&cfg.OpenPolicyAgentRequestBodyBufferSize, "open-policy-agent-request-body-buffer-size", openpolicyagent.DefaultRequestBodyBufferSize, "Read buffer size for the request body")
 	flag.Int64Var(&cfg.OpenPolicyAgentMaxMemoryBodyParsing, "open-policy-agent-max-memory-body-parsing", openpolicyagent.DefaultMaxMemoryBodyParsing, "Total number of bytes used to parse http request bodies across all requests. Once the limit is met, requests will be rejected.")
+	flag.BoolVar(&cfg.EnableEnterpriseOpenPolicyAgentPlugins, "enable-enterprise-open-policy-agent", false, "Allowing open policy agent to load additional plugins which are available with EOPA. EOPA has been donated to the OPA community")
 
 	// TLS client certs
 	flag.StringVar(&cfg.ClientKeyFile, "client-tls-key", "", "TLS Key file for backend connections, multiple keys may be given comma separated - the order must match the certs")
@@ -1041,6 +1043,7 @@ func (c *Config) ToOptions() skipper.Options {
 		OpenPolicyAgentControlLoopMaxJitter:                c.OpenPolicyAgentControlLoopMaxJitter,
 		EnableOpenPolicyAgentDataPreProcessingOptimization: c.EnableOpenPolicyAgentDataPreProcessingOptimization,
 		EnableOpenPolicyAgentPreloading:                    c.EnableOpenPolicyAgentPreloading,
+		EnableEnterpriseOpenPolicyAgentPlugins:             c.EnableEnterpriseOpenPolicyAgentPlugins,
 		OpenPolicyAgentConfigTemplate:                      c.OpenPolicyAgentConfigTemplate,
 		OpenPolicyAgentEnvoyMetadata:                       c.OpenPolicyAgentEnvoyMetadata,
 		OpenPolicyAgentCleanerInterval:                     c.OpenPolicyAgentCleanerInterval,

diff --git a/filters/openpolicyagent/internal/eopa/eopa.go b/filters/openpolicyagent/internal/eopa/eopa.go
@@ -0,0 +1,33 @@
+// Package eopa provides enterprise opa plugins aggregation.
+package eopa
+
+import (
+	"github.com/open-policy-agent/eopa/pkg/plugins/data"
+	"github.com/open-policy-agent/opa/v1/hooks"
+	"github.com/open-policy-agent/opa/v1/logging"
+	"github.com/open-policy-agent/opa/v1/plugins"
+	"github.com/open-policy-agent/opa/v1/storage"
+
+	"github.com/open-policy-agent/eopa/pkg/builtins"
+	"github.com/open-policy-agent/eopa/pkg/ekm"
+	eopaDl "github.com/open-policy-agent/eopa/pkg/plugins/decision_logs"
+	"github.com/open-policy-agent/eopa/pkg/rego_vm"
+	eopaStorage "github.com/open-policy-agent/eopa/pkg/storage"
+)
+
+func Init() (fs map[string]plugins.Factory, configHook hooks.Hook, store storage.Store) {
+	rego_vm.SetDefault(true)
+	builtins.Init()
+
+	ekmHook := ekm.NewEKM()
+	ekmHook.SetLogger(logging.NewNoOpLogger())
+
+	return Plugins(), ekmHook, eopaStorage.New()
+}
+
+func Plugins() map[string]plugins.Factory {
+	return map[string]plugins.Factory{
+		data.Name:           data.Factory(),
+		eopaDl.DLPluginName: eopaDl.Factory(),
+	}
+}