api/envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto

syntax = "proto3";

package envoy.extensions.filters.http.credential_injector.v3;

import "envoy/config/core/v3/extension.proto";

import "xds/annotations/v3/status.proto";

import "udpa/annotations/status.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.extensions.filters.http.credential_injector.v3";
option java_outer_classname = "CredentialInjectorProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/credential_injector/v3;credential_injectorv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
option (xds.annotations.v3.file_status).work_in_progress = true;

// [#protodoc-title: Credential Injector]
// Credential Injector :ref:`configuration overview <config_http_filters_credential_injector>`.
// [#extension: envoy.filters.http.credential_injector]

// Credential Injector injects credentials into outgoing HTTP requests. The filter configuration is used to retrieve the credentials, or
// they can be requested through the OAuth2 client credential grant. The credentials obtained are then injected into the Authorization header
// of the proxied HTTP requests, utilizing either the Basic or Bearer scheme.
//
// If the credential is not present or there was a failure injecting the credential, the request will fail with ``401 Unauthorized`` unless
// ``allow_request_without_credential`` is set to ``true``.
//
// Notice: This filter is intended to be used for workload authentication, which means that the identity associated with the inserted credential
// is considered as the identity of the workload behind the envoy proxy(in this case, envoy is typically deployed as a sidecar alongside that
// workload). Please note that this filter does not handle end user authentication. Its purpose is solely to authenticate the workload itself.
//
// Here is an example of CredentialInjector configuration with Generic credential, which injects an HTTP Basic Auth credential into the proxied requests.
//
// .. code-block:: yaml
//
//  overwrite: true
//  credential:
//    name: generic_credential
//    typed_config:
//      "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
//      credential:
//        name: credential
//        sds_config:
//          path_config_source:
//            path: credential.yaml
//      header: Authorization
//
// credential.yaml for Basic Auth:
//
// .. code-block:: yaml
//
//  resources:
//  - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
//    name: credential
//    generic_secret:
//      secret:
//        inline_string: "Basic base64EncodedUsernamePassword"
//
// It can also be configured to inject a Bearer token into the proxied requests.
//
// credential.yaml for Bearer Token:
//
// .. code-block:: yaml
//
//  resources:
//  - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
//    name: credential
//    generic_secret:
//      secret:
//        inline_string: "Bearer myToken"
//
message CredentialInjector {
  // Whether to overwrite the value or not if the injected headers already exist.
  // Value defaults to false.
  bool overwrite = 1;

  // Whether to send the request to upstream if the credential is not present or if the credential injection
  // to the request fails.
  //
  // By default, a request will fail with ``401 Unauthorized`` if the
  // credential is not present or the injection of the credential to the request fails.
  // If set to true, the request will be sent to upstream without the credential.
  bool allow_request_without_credential = 2;

  // The credential to inject into the proxied requests
  // [#extension-category: envoy.http.injected_credentials]
  config.core.v3.TypedExtensionConfig credential = 3 [(validate.rules).message = {required: true}];
}