credential injector: api for credential injector http filter (#27769)
Signed-off-by: huabing zhao <zhaohuabing@gmail.com> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Co-authored-by: Andrei Nistor <andrei@nistor.tech> Co-authored-by: Yaroslav Skopets <yaroslav@tetrate.io> Mirrored from https://github.com/envoyproxy/envoy @ 430a45f94954b07a106eafc30be1bae24a40b3afmain
parent
33c2ce7942
commit
2139575afa
8 changed files with 277 additions and 0 deletions
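--- /dev/null
+++ b/[PATH not shown on page: generated BUILD, section 1]
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+deps = [
+"//envoy/config/core/v3:pkg",
+"@com_github_cncf_udpa//udpa/annotations:pkg",
+"@com_github_cncf_udpa//xds/annotations/v3:pkg",
+],
+)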
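--- /dev/null
+++ b/[PATH not shown on page: package envoy.extensions.filters.http.credential_injector.v3]
@@ -0,0 +1,85 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.credential_injector.v3;
+
+import "envoy/config/core/v3/extension.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.credential_injector.v3";
+option java_outer_classname = "CredentialInjectorProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/credential_injector/v3;credential_injectorv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Credential Injector]
+// [#not-implemented-hide:]
+// Credential Injector :ref:`configuration overview <config_http_filters_credential_injector>`.
+// [#extension: envoy.filters.http.credential_injector]
+
+// Credential Injector injects credentials into outgoing HTTP requests. The filter configuration is used to retrieve the credentials, or
+// they can be requested through the OAuth2 client credential grant. The credentials obtained are then injected into the Authorization header
+// of the proxied HTTP requests, utilizing either the Basic or Bearer scheme.
+//
+// If the credential is not present, the request will fail with 401 Unauthorized if fail_if_not_present is set to true.
+//
+// Notice: This filter is intended to be used for workload authentication, which means that the identity associated with the inserted credential
+// is considered as the identity of the workload behind the envoy proxy(in this case, envoy is typically deployed as a sidecar alongside that
+// workload). Please note that this filter does not handle end user authentication. Its purpose is solely to authenticate the workload itself.
+//
+// Here is an example of CredentialInjector configuration with Generic credential, which injects an HTTP Basic Auth credential into the proxied requests.
+//
+// .. code-block:: yaml
+//
+// overwrite: true
+// fail_if_not_present: true
+// credential:
+// name: generic_credential
+// typed_config:
+// "@type": type.googleapis.com/envoy.extensions.injected_credentials.generic.v3.Generic
+// credential:
+// name: credential
+// sds_config:
+// path_config_source:
+// path: credential.yaml
+// header: Authorization
+//
+// credential.yaml for Basic Auth:
+// .. code-block:: yaml
+//
+// resources:
+// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+// name: credential
+// generic_secret:
+// secret:
+// inline_string: "Basic base64EncodedUsernamePassword"
+//
+// It can also be configured to inject a Bearer token into the proxied requests.
+// credential.yaml for Bearer Token:
+// .. code-block:: yaml
+//
+// resources:
+// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+// name: credential
+// generic_secret:
+// secret:
+// inline_string: "Bearer myToken"
+//
+message CredentialInjector {
+// Whether to overwrite the value or not if the injected headers already exist.
+// Value defaults to false.
+bool overwrite = 1;
+
+// Whether to fail the request if the credential is not present.
+// Value defaults to false.
+// If set to true, the request will fail with 401 Unauthorized if the credential is not present.
+bool fail_if_not_present = 2;
+
+// The credential to inject into the proxied requests
+// TODO add extension-category
+config.core.v3.TypedExtensionConfig credential = 3 [(validate.rules).message = {required: true}];
+}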
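Review bot: The comment on `bool fail_if_not_present = 2;` documents only the `true` case, so the default path — presumably forwarding the request upstream with no credential injected — is left implicit, and that fail-open default is exactly what an operator needs to see in the field doc. I would add `// If set to false (the default), the request is forwarded without a credential when none is available.` after the existing `// If set to true, ...` line, adjusted to whatever the filter actually does. The `// TODO add extension-category` comment on the `credential` field is shipped as-is; both extensions in this commit are named `envoy.injected_credentials.*`, so the protodoc category annotation can likely be filled in now rather than deferred. The `overwrite` comment could likewise state that when false an `Authorization` header already present on the incoming request is passed through unchanged, since that header then decides which identity the upstream sees.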
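--- /dev/null
+++ b/[PATH not shown on page: generated BUILD, section 3]
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+deps = [
+"//envoy/extensions/transport_sockets/tls/v3:pkg",
+"@com_github_cncf_udpa//udpa/annotations:pkg",
+"@com_github_cncf_udpa//xds/annotations/v3:pkg",
+],
+)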
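--- /dev/null
+++ b/[PATH not shown on page: package envoy.extensions.injected_credentials.generic.v3]
@@ -0,0 +1,76 @@
+syntax = "proto3";
+
+package envoy.extensions.injected_credentials.generic.v3;
+
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.injected_credentials.generic.v3";
+option java_outer_classname = "GenericProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/injected_credentials/generic/v3;genericv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Generic Credential]
+// [#not-implemented-hide:]
+// [#extension: envoy.injected_credentials.generic]
+
+// Generic extension can be used to inject HTTP Basic Auth, Bearer Token, or any arbitrary credential
+// into the proxied requests.
+// The credential will be injected into the specified HTTP request header.
+// Example:
+//
+// .. code-block:: yaml
+//
+// credential:
+// name: generic_credential
+// typed_config:
+// "@type": type.googleapis.com/envoy.extensions.injected_credentials.generic.v3.Generic
+// credential:
+// name: credential
+// sds_config:
+// path_config_source:
+// path: credential.yaml
+// header: Authorization
+//
+// credential.yaml for Basic Auth:
+//
+// .. code-block:: yaml
+//
+// resources:
+// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+// name: credential
+// generic_secret:
+// secret:
+// inline_string: "Basic base64EncodedUsernamePassword"
+//
+// Refer to [RFC 7617: The 'Basic' HTTP Authentication Scheme](https://www.rfc-editor.org/rfc/rfc7617) for details.
+//
+// credential.yaml for Bearer Token:
+//
+// .. code-block:: yaml
+// resources:
+// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+// name: credential
+// generic_secret:
+// secret:
+// inline_string: "Bearer myToken"
+//
+// Refer to [RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750) for details.
+//
+message Generic {
+// The SDS configuration for the credential that will be injected to the specified HTTP request header.
+// It must be a generic secret.
+transport_sockets.tls.v3.SdsSecretConfig credential = 1
+[(validate.rules).message = {required: true}];
+
+// The header that will be injected to the HTTP request with the provided credential.
+// If not set, filter will default to: ``Authorization``
+string header = 2
+[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+}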
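Review bot: The `credential` field comment says only that the secret must be a generic secret, while the file's examples show that the secret's value is used as the complete header value, scheme prefix included (`Basic …`, `Bearer …`); nothing at field level states that, so I would add `// The secret's value is injected verbatim as the header value, so it must include the scheme prefix (e.g. "Basic ..." or "Bearer ...").` above `transport_sockets.tls.v3.SdsSecretConfig credential = 1`. The Bearer example's `// .. code-block:: yaml` is followed directly by `// resources:` with no blank `//` line, unlike the Basic example above it, and RST requires that blank line for the directive to render as a code block. The two `Refer to [RFC …](https://…)` lines use Markdown link syntax in a file that otherwise uses RST (`:ref:`, `.. code-block::`), so they should be RST links of the form `` `RFC 7617 <https://www.rfc-editor.org/rfc/rfc7617>`_ ``; the same applies to every `Refer to [RFC 6749 …]` line in the oauth2 proto further down.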
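--- /dev/null
+++ b/[PATH not shown on page: generated BUILD, section 5]
@@ -0,0 +1,14 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+deps = [
+"//envoy/config/core/v3:pkg",
+"//envoy/extensions/transport_sockets/tls/v3:pkg",
+"@com_github_cncf_udpa//udpa/annotations:pkg",
+"@com_github_cncf_udpa//xds/annotations/v3:pkg",
+],
+)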
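--- /dev/null
+++ b/[PATH not shown on page: package envoy.extensions.injected_credentials.oauth2.v3]
@@ -0,0 +1,70 @@
+syntax = "proto3";
+
+package envoy.extensions.injected_credentials.oauth2.v3;
+
+import "envoy/config/core/v3/http_uri.proto";
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.injected_credentials.oauth2.v3";
+option java_outer_classname = "Oauth2Proto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/injected_credentials/oauth2/v3;oauth2v3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: OAuth2 Credential]
+// [#not-implemented-hide:]
+// [#extension: envoy.injected_credentials.oauth2]
+
+// OAuth2 extension can be used to retrieve an OAuth2 access token from an authorization server and inject it into the
+// proxied requests.
+// Currently, only the Client Credentials Grant flow is supported.
+// The access token will be injected into the request headers using the ``Authorization`` header as a bearer token.
+message OAuth2 {
+enum AuthType {
+// The ``client_id`` and ``client_secret`` will be sent using HTTP Basic authentication scheme.
+BASIC_AUTH = 0;
+
+// The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
+// This type should only be used when Auth server does not support Basic authentication.
+URL_ENCODED_BODY = 1;
+}
+
+// Credentials to authenticate client to the authorization server.
+// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3) for details.
+message ClientCredentials {
+// Client ID.
+// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.
+string client_id = 1 [(validate.rules).string = {min_len: 1}];
+
+// Client secret.
+// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.
+transport_sockets.tls.v3.SdsSecretConfig client_secret = 2
+[(validate.rules).message = {required: true}];
+
+// The method to use when sending credentials to the authorization server.
+// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.
+AuthType auth_type = 3;
+}
+
+// Endpoint on the authorization server to retrieve the access token from.
+// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-3.2) for details.
+config.core.v3.HttpUri token_endpoint = 1 [(validate.rules).message = {required: true}];
+
+// Optional list of OAuth scopes to be claimed in the authorization request.
+// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-4.4.2) for details.
+repeated string scopes = 2;
+
+oneof flow_type {
+option (validate.required) = true;
+
+// Client Credentials Grant.
+// Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) for details.
+ClientCredentials client_credentials = 3;
+}
+}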
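Review bot: `AuthType auth_type = 3;` in `ClientCredentials` does not say what an unset value means, yet in proto3 it resolves to the zero value `BASIC_AUTH = 0`, so the field comment should state the default explicitly: `// Defaults to BASIC_AUTH when not set.` Because the zero value is fixed on the wire once the API is published, and this file is still marked ``work_in_progress``, now is the moment to confirm that Basic is the intended implicit default rather than introducing an explicit unspecified value later. The `scopes` comment calls it an "optional list" but does not say how several scopes are carried in the token request; if the implementation sends them as the space-delimited ``scope`` parameter of RFC 6749 section 3.3, one sentence saying so would remove the ambiguity. `// Credentials to authenticate client to the authorization server.` reads better as `// Credentials used to authenticate the client to the authorization server.`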