feat: credential injector impl (#30850)

* credential injector impl

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Co-authored-by: phlax <phlax@users.noreply.github.com>
Co-authored-by: Adi (Suissa) Peleg <adip@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 5f6842890c67bdadab129a78bf2e521068d69f61
update-envoy[bot] 8 months ago
parent 02a3178ba9
commit 47be8115f5
  1. 4
      BUILD
  2. 29
      envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto
  3. 0
      envoy/extensions/http/injected_credentials/generic/v3/BUILD
  4. 47
      envoy/extensions/http/injected_credentials/generic/v3/generic.proto
  5. 0
      envoy/extensions/http/injected_credentials/oauth2/v3/BUILD
  6. 8
      envoy/extensions/http/injected_credentials/oauth2/v3/oauth2.proto
  7. 4
      versioning/BUILD

@ -265,12 +265,12 @@ proto_library(
"//envoy/extensions/http/early_header_mutation/header_mutation/v3:pkg",
"//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
"//envoy/extensions/http/header_validators/envoy_default/v3:pkg",
"//envoy/extensions/http/injected_credentials/generic/v3:pkg",
"//envoy/extensions/http/injected_credentials/oauth2/v3:pkg",
"//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
"//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
"//envoy/extensions/http/stateful_session/cookie/v3:pkg",
"//envoy/extensions/http/stateful_session/header/v3:pkg",
"//envoy/extensions/injected_credentials/generic/v3:pkg",
"//envoy/extensions/injected_credentials/oauth2/v3:pkg",
"//envoy/extensions/internal_redirect/allow_listed_routes/v3:pkg",
"//envoy/extensions/internal_redirect/previous_routes/v3:pkg",
"//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",

@ -17,7 +17,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
option (xds.annotations.v3.file_status).work_in_progress = true;
// [#protodoc-title: Credential Injector]
// [#not-implemented-hide:]
// Credential Injector :ref:`configuration overview <config_http_filters_credential_injector>`.
// [#extension: envoy.filters.http.credential_injector]
@ -25,7 +24,8 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
// they can be requested through the OAuth2 client credential grant. The credentials obtained are then injected into the Authorization header
// of the proxied HTTP requests, utilizing either the Basic or Bearer scheme.
//
// If the credential is not present, the request will fail with 401 Unauthorized if fail_if_not_present is set to true.
// If the credential is not present or there was a failure injecting the credential, the request will fail with ``401 Unauthorized`` unless
// ``allow_request_without_credential`` is set to ``true``.
//
// Notice: This filter is intended to be used for workload authentication, which means that the identity associated with the inserted credential
// is considered as the identity of the workload behind the envoy proxy(in this case, envoy is typically deployed as a sidecar alongside that
@ -33,14 +33,13 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
//
// Here is an example of CredentialInjector configuration with Generic credential, which injects an HTTP Basic Auth credential into the proxied requests.
//
// .. code-block:: yaml
// .. code-block:: yaml
//
// overwrite: true
// fail_if_not_present: true
// credential:
// name: generic_credential
// typed_config:
// "@type": type.googleapis.com/envoy.extensions.injected_credentials.generic.v3.Generic
// "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
// credential:
// name: credential
// sds_config:
@ -49,7 +48,8 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
// header: Authorization
//
// credential.yaml for Basic Auth:
// .. code-block:: yaml
//
// .. code-block:: yaml
//
// resources:
// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
@ -59,8 +59,10 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
// inline_string: "Basic base64EncodedUsernamePassword"
//
// It can also be configured to inject a Bearer token into the proxied requests.
//
// credential.yaml for Bearer Token:
// .. code-block:: yaml
//
// .. code-block:: yaml
//
// resources:
// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
@ -74,12 +76,15 @@ message CredentialInjector {
// Value defaults to false.
bool overwrite = 1;
// Whether to fail the request if the credential is not present.
// Value defaults to false.
// If set to true, the request will fail with 401 Unauthorized if the credential is not present.
bool fail_if_not_present = 2;
// Whether to send the request to upstream if the credential is not present or if the credential injection
// to the request fails.
//
// By default, a request will fail with ``401 Unauthorized`` if the
// credential is not present or the injection of the credential to the request fails.
// If set to true, the request will be sent to upstream without the credential.
bool allow_request_without_credential = 2;
// The credential to inject into the proxied requests
// TODO add extension-category
// [#extension-category: envoy.http.injected_credentials]
config.core.v3.TypedExtensionConfig credential = 3 [(validate.rules).message = {required: true}];
}
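Review bot: `allow_request_without_credential` takes over field number 2 from the removed `fail_if_not_present` with the opposite meaning, so a configuration still serialized with tag 2 set to true (a binary xDS resource rather than YAML, where the old name would presumably be rejected) decodes as fail-open instead of fail-closed. Since the file is marked work_in_progress and the filter was `not-implemented-hide` until this change, that is probably acceptable, but the safer form is `reserved 2;` together with `bool allow_request_without_credential = 4;`, leaving `credential = 3` untouched. The new field's comment should also state the security consequence plainly, e.g. `// Enabling this makes the filter fail open: the upstream receives a request with no injected credential whenever the credential is missing or injection fails, so only set it when the upstream enforces its own authentication.` The documentation of `overwrite` begins outside the hunk, so whether a client-supplied header is passed through or causes a failure when `overwrite` is false cannot be checked here.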

@ -1,6 +1,6 @@
syntax = "proto3";
package envoy.extensions.injected_credentials.generic.v3;
package envoy.extensions.http.injected_credentials.generic.v3;
import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
@ -9,58 +9,19 @@ import "xds/annotations/v3/status.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.injected_credentials.generic.v3";
option java_package = "io.envoyproxy.envoy.extensions.http.injected_credentials.generic.v3";
option java_outer_classname = "GenericProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/injected_credentials/generic/v3;genericv3";
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/injected_credentials/generic/v3;genericv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
option (xds.annotations.v3.file_status).work_in_progress = true;
// [#protodoc-title: Generic Credential]
// [#not-implemented-hide:]
// [#extension: envoy.injected_credentials.generic]
// [#extension: envoy.http.injected_credentials.generic]
// Generic extension can be used to inject HTTP Basic Auth, Bearer Token, or any arbitrary credential
// into the proxied requests.
// The credential will be injected into the specified HTTP request header.
// Example:
//
// .. code-block:: yaml
//
// credential:
// name: generic_credential
// typed_config:
// "@type": type.googleapis.com/envoy.extensions.injected_credentials.generic.v3.Generic
// credential:
// name: credential
// sds_config:
// path_config_source:
// path: credential.yaml
// header: Authorization
//
// credential.yaml for Basic Auth:
//
// .. code-block:: yaml
//
// resources:
// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
// name: credential
// generic_secret:
// secret:
// inline_string: "Basic base64EncodedUsernamePassword"
//
// Refer to [RFC 7617: The 'Basic' HTTP Authentication Scheme](https://www.rfc-editor.org/rfc/rfc7617) for details.
//
// credential.yaml for Bearer Token:
//
// .. code-block:: yaml
// resources:
// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
// name: credential
// generic_secret:
// secret:
// inline_string: "Bearer myToken"
//
// Refer to [RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750) for details.
//
message Generic {

@ -1,6 +1,6 @@
syntax = "proto3";
package envoy.extensions.injected_credentials.oauth2.v3;
package envoy.extensions.http.injected_credentials.oauth2.v3;
import "envoy/config/core/v3/http_uri.proto";
import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
@ -10,16 +10,16 @@ import "xds/annotations/v3/status.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.injected_credentials.oauth2.v3";
option java_package = "io.envoyproxy.envoy.extensions.http.injected_credentials.oauth2.v3";
option java_outer_classname = "Oauth2Proto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/injected_credentials/oauth2/v3;oauth2v3";
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/injected_credentials/oauth2/v3;oauth2v3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
option (xds.annotations.v3.file_status).work_in_progress = true;
// [#protodoc-title: OAuth2 Credential]
// [#not-implemented-hide:]
// [#extension: envoy.injected_credentials.oauth2]
// [#extension: envoy.http.injected_credentials.oauth2]
// OAuth2 extension can be used to retrieve an OAuth2 access token from an authorization server and inject it into the
// proxied requests.

@ -203,12 +203,12 @@ proto_library(
"//envoy/extensions/http/early_header_mutation/header_mutation/v3:pkg",
"//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
"//envoy/extensions/http/header_validators/envoy_default/v3:pkg",
"//envoy/extensions/http/injected_credentials/generic/v3:pkg",
"//envoy/extensions/http/injected_credentials/oauth2/v3:pkg",
"//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
"//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
"//envoy/extensions/http/stateful_session/cookie/v3:pkg",
"//envoy/extensions/http/stateful_session/header/v3:pkg",
"//envoy/extensions/injected_credentials/generic/v3:pkg",
"//envoy/extensions/injected_credentials/oauth2/v3:pkg",
"//envoy/extensions/internal_redirect/allow_listed_routes/v3:pkg",
"//envoy/extensions/internal_redirect/previous_routes/v3:pkg",
"//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",
