GCP Authentication Filter (#20112)

* initial impl; basic framework Signed-off-by: Tianyu Xia <tyxia@google.com> Mirrored from https://github.com/envoyproxy/envoy @ c354e61f2f9823354bff08f3b11b8a13aa10ba78
3 years ago · a295d8d622
parent 63ae261978
commit a295d8d622
4 changed files with 51 additions and 0 deletions
--- a/1
+++ b/1
@ -158,6 +158,7 @@ proto_library(
        "//envoy/extensions/filters/http/ext_authz/v3:pkg",
        "//envoy/extensions/filters/http/ext_proc/v3:pkg",
        "//envoy/extensions/filters/http/fault/v3:pkg",
+        "//envoy/extensions/filters/http/gcp_authn/v3:pkg",
        "//envoy/extensions/filters/http/grpc_http1_bridge/v3:pkg",
        "//envoy/extensions/filters/http/grpc_http1_reverse_bridge/v3:pkg",
        "//envoy/extensions/filters/http/grpc_json_transcoder/v3:pkg",
--- a/envoy/extensions/filters/http/gcp_authn/v3/BUILD
+++ b/envoy/extensions/filters/http/gcp_authn/v3/BUILD
@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
--- a/envoy/extensions/filters/http/gcp_authn/v3/gcp_authn.proto
+++ b/envoy/extensions/filters/http/gcp_authn/v3/gcp_authn.proto
@ -0,0 +1,37 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.gcp_authn.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/http_uri.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.gcp_authn.v3";
+option java_outer_classname = "GcpAuthnProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/gcp_authn/v3;gcp_authnv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: GCP authentication]
+// GCP authentication :ref:`configuration overview <config_http_filters_gcp_authn>`.
+// [#extension: envoy.filters.http.gcp_authn]
+
+// Filter configuration.
+message GcpAuthnFilterConfig {
+  // The HTTP URI to fetch tokens from GCE Metadata Server(https://cloud.google.com/compute/docs/metadata/overview).
+  // The URL format is "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]"
+  config.core.v3.HttpUri http_uri = 1 [(validate.rules).message = {required: true}];
+
+  // Retry policy for fetching tokens.
+  // This field is optional. If it is not configured, the filter will be fail-closed (i.e., reject the requests).
+  config.core.v3.RetryPolicy retry_policy = 2;
+}
+
+message Audience {
+  // The map of audience key to audience value.
+  // The key is defined as the contract with control plane in the configuration. It is fixed string "audience_key".
+  // The value is URL of the receiving service that performs token authentication.
+  map<string, string> audience_map = 1;
+}
--- a/versioning/BUILD
+++ b/versioning/BUILD
@ -95,6 +95,7 @@ proto_library(
        "//envoy/extensions/filters/http/ext_authz/v3:pkg",
        "//envoy/extensions/filters/http/ext_proc/v3:pkg",
        "//envoy/extensions/filters/http/fault/v3:pkg",
+        "//envoy/extensions/filters/http/gcp_authn/v3:pkg",
        "//envoy/extensions/filters/http/grpc_http1_bridge/v3:pkg",
        "//envoy/extensions/filters/http/grpc_http1_reverse_bridge/v3:pkg",
        "//envoy/extensions/filters/http/grpc_json_transcoder/v3:pkg",