ext_authz: Set the peer's certificate in the source attributes (#8327)

Set the downstream client X.509 certificate in the source Peer AttributeContext

Risk Level: low
Testing: Tests updated and extended.
Docs Changes: New API additions are documented.
Release Notes: Added.

Fixes #8326

Signed-off-by: Steve Larkin <steve.larkin@volvocars.com>

Mirrored from https://github.com/envoyproxy/envoy @ 766f3fb8dbdafce402631c43c16fda46ed003462
master-ci-test
data-plane-api(CircleCI) 6 years ago
parent 1636f1abc3
commit cd96bf6960
  1. 8
      envoy/config/filter/http/ext_authz/v2/ext_authz.proto
  2. 8
      envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto
  3. 6
      envoy/config/filter/network/ext_authz/v2/ext_authz.proto
  4. 6
      envoy/config/filter/network/ext_authz/v3alpha/ext_authz.proto
  5. 5
      envoy/service/auth/v2/attribute_context.proto
  6. 5
      envoy/service/auth/v3alpha/attribute_context.proto

@ -17,7 +17,7 @@ import "validate/validate.proto";
// [#protodoc-title: External Authorization]
// External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
// [#next-free-field: 10]
// [#next-free-field: 11]
message ExtAuthz {
// External authorization service configuration.
oneof services {
@ -90,6 +90,12 @@ message ExtAuthz {
//
// If this field is not specified, the filter will be enabled for all requests.
api.v2.core.RuntimeFractionalPercent filter_enabled = 9;
// Specifies if the peer certificate is sent to the external service.
//
// When this field is true, Envoy will include the peer X.509 certificate, if available, in the
// :ref:`certificate<envoy_api_field_service.auth.v2.AttributeContext.Peer.certificate>`.
bool include_peer_certificate = 10;
}
// Configuration for buffering the request data.
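Review bot: The comment on `include_peer_certificate` at the end of the hunk does not say which peer the certificate belongs to or whether it has been verified, and an authorization service author will read this text as the contract. The commit description says it is the downstream client's certificate from the TLS handshake, so the comment should say so, and it should state whether only the leaf certificate or the full chain is forwarded — the hunk does not show which, so that needs confirming against the filter implementation. It should also warn that presence of the certificate does not by itself mean Envoy validated it against a trust store; whether the field is populated only after successful client-certificate verification depends on the listener's TLS validation context, which is not visible here. Suggested wording: `// When true, the downstream client's X.509 certificate presented in the TLS handshake, if any, is sent to the external service in` followed by the existing ref and `// The service must not treat it as verified unless the listener requires and validates client certificates; forwarding it also enlarges every check request.`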

@ -17,7 +17,7 @@ import "validate/validate.proto";
// [#protodoc-title: External Authorization]
// External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
// [#next-free-field: 10]
// [#next-free-field: 11]
message ExtAuthz {
reserved 4;
@ -88,6 +88,12 @@ message ExtAuthz {
//
// If this field is not specified, the filter will be enabled for all requests.
api.v3alpha.core.RuntimeFractionalPercent filter_enabled = 9;
// Specifies if the peer certificate is sent to the external service.
//
// When this field is true, Envoy will include the peer X.509 certificate, if available, in the
// :ref:`certificate<envoy_api_field_service.auth.v3alpha.AttributeContext.Peer.certificate>`.
bool include_peer_certificate = 10;
}
// Configuration for buffering the request data.
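Review bot: The v3alpha copy of the `include_peer_certificate` comment carries the same gap as the v2 one: it says "peer" without saying downstream client, and "if available" without saying what makes it unavailable (plaintext listener, no client certificate presented) or whether availability implies verification. Since the v3alpha file is the forward-looking API, the wording here should be the one that gets the caveat right and the v2 file should match it. Suggested: `// When true, the downstream client's X.509 certificate presented in the TLS handshake, if any, is included in` followed by the existing ref and `// An unset certificate means none was presented; a set one is not proof of validation unless the listener verifies client certificates.`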

@ -31,4 +31,10 @@ message ExtAuthz {
// communication failure between authorization service and the proxy.
// Defaults to false.
bool failure_mode_allow = 3;
// Specifies if the peer certificate is sent to the external service.
//
// When this field is true, Envoy will include the peer X.509 certificate, if available, in the
// :ref:`certificate<envoy_api_field_service.auth.v2.AttributeContext.Peer.certificate>`.
bool include_peer_certificate = 4;
}
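Review bot: For the network filter the certificate is attached to a connection-level check, and the comment on `include_peer_certificate` should say that the field is only meaningful when the downstream connection terminated TLS on this listener and the client actually presented a certificate; otherwise `certificate` is left unset and the service must treat the connection as unauthenticated rather than fall through to an allow. Whether a client certificate that fails validation ever reaches this filter depends on the listener's TLS configuration, which is outside this hunk, so the comment should state the assumption rather than leave it implicit. Suggested addition after the existing text: `// The field is unset when the listener is plaintext or the client presented no certificate; presence alone does not indicate the certificate was validated.`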

@ -31,4 +31,10 @@ message ExtAuthz {
// communication failure between authorization service and the proxy.
// Defaults to false.
bool failure_mode_allow = 3;
// Specifies if the peer certificate is sent to the external service.
//
// When this field is true, Envoy will include the peer X.509 certificate, if available, in the
// :ref:`certificate<envoy_api_field_service.auth.v3alpha.AttributeContext.Peer.certificate>`.
bool include_peer_certificate = 4;
}
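Review bot: The v3alpha network filter comment should name the downstream client explicitly and describe the unset case, matching whatever wording is settled on for the v2 file so the two APIs do not drift. `include_peer_certificate` here is field 4 while the HTTP filter uses 10; that is fine since they are different messages, but the doc text is copied verbatim and the ref targets differ only in the API version, so one shared phrasing avoids a future mismatch. Suggested: `// When true, the downstream client's X.509 certificate from the TLS handshake, if one was presented, is sent to the external service in` followed by the existing ref.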

@ -39,6 +39,7 @@ message AttributeContext {
// The node can be either a service or an application that sends, forwards,
// or receives the request. Service peers should fill in the `service`,
// `principal`, and `labels` as appropriate.
// [#next-free-field: 6]
message Peer {
// The address of the peer, this is typically the IP address.
// It can also be UDS path, or others.
@ -66,6 +67,10 @@ message AttributeContext {
// * SPIFFE format is `spiffe://trust-domain/path`
// * Google account format is `https://accounts.google.com/{userid}`
string principal = 4;
// The X.509 certificate used to authenticate the identify of this peer.
// When present, the certificate contents are encoded in URL and PEM format.
string certificate = 5;
}
// Represents a network request, such as an HTTP request.
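Review bot: The comment on the new `certificate` field has a typo, "identify" for "identity", and "encoded in URL and PEM format" is ambiguous about the order of encodings, which matters because a consumer has to reverse them in the right sequence. It should read `// The X.509 certificate used to authenticate the identity of this peer.` and `// When present, the certificate is PEM-encoded and then URL (percent) encoded; consumers must URL-decode it before parsing the PEM.` It should also state whether only the leaf certificate or the full chain is carried — this hunk does not show which, so confirm against the code that fills the field — and note that the field is informational: the receiver must not infer from its presence that the sender verified the certificate.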

@ -39,6 +39,7 @@ message AttributeContext {
// The node can be either a service or an application that sends, forwards,
// or receives the request. Service peers should fill in the `service`,
// `principal`, and `labels` as appropriate.
// [#next-free-field: 6]
message Peer {
// The address of the peer, this is typically the IP address.
// It can also be UDS path, or others.
@ -66,6 +67,10 @@ message AttributeContext {
// * SPIFFE format is `spiffe://trust-domain/path`
// * Google account format is `https://accounts.google.com/{userid}`
string principal = 4;
// The X.509 certificate used to authenticate the identify of this peer.
// When present, the certificate contents are encoded in URL and PEM format.
string certificate = 5;
}
// Represents a network request, such as an HTTP request.
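Review bot: Same comment defects as the v2 file: "identify" should be "identity", and "encoded in URL and PEM format" should spell out the layering so a decoder knows to URL-decode first and then parse PEM. Suggested: `// When present, the certificate is PEM-encoded and then URL (percent) encoded; URL-decode before PEM parsing.` Since `string` must hold valid UTF-8 this encoding is consistent with the field type, but the comment should say whether a single leaf certificate or a chain is expected, which cannot be determined from this hunk, and that the value is not evidence of verification by the sender.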
