-
Notifications
You must be signed in to change notification settings - Fork 4.7k
/
credential_injector.proto
90 lines (81 loc) · 3.81 KB
/
credential_injector.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
syntax = "proto3";
package envoy.extensions.filters.http.credential_injector.v3;
import "envoy/config/core/v3/extension.proto";
import "xds/annotations/v3/status.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.filters.http.credential_injector.v3";
option java_outer_classname = "CredentialInjectorProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/credential_injector/v3;credential_injectorv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
option (xds.annotations.v3.file_status).work_in_progress = true;
// [#protodoc-title: Credential Injector]
// Credential Injector :ref:`configuration overview <config_http_filters_credential_injector>`.
// [#extension: envoy.filters.http.credential_injector]
// Credential Injector injects credentials into outgoing HTTP requests. The filter configuration is used to retrieve the credentials, or
// they can be requested through the OAuth2 client credential grant. The credentials obtained are then injected into the Authorization header
// of the proxied HTTP requests, utilizing either the Basic or Bearer scheme.
//
// If the credential is not present or there was a failure injecting the credential, the request will fail with ``401 Unauthorized`` unless
// ``allow_request_without_credential`` is set to ``true``.
//
// Notice: This filter is intended to be used for workload authentication, which means that the identity associated with the inserted credential
// is considered as the identity of the workload behind the envoy proxy(in this case, envoy is typically deployed as a sidecar alongside that
// workload). Please note that this filter does not handle end user authentication. Its purpose is solely to authenticate the workload itself.
//
// Here is an example of CredentialInjector configuration with Generic credential, which injects an HTTP Basic Auth credential into the proxied requests.
//
// .. code-block:: yaml
//
// overwrite: true
// credential:
// name: generic_credential
// typed_config:
// "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
// credential:
// name: credential
// sds_config:
// path_config_source:
// path: credential.yaml
// header: Authorization
//
// credential.yaml for Basic Auth:
//
// .. code-block:: yaml
//
// resources:
// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
// name: credential
// generic_secret:
// secret:
// inline_string: "Basic base64EncodedUsernamePassword"
//
// It can also be configured to inject a Bearer token into the proxied requests.
//
// credential.yaml for Bearer Token:
//
// .. code-block:: yaml
//
// resources:
// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
// name: credential
// generic_secret:
// secret:
// inline_string: "Bearer myToken"
//
message CredentialInjector {
// Whether to overwrite the value or not if the injected headers already exist.
// Value defaults to false.
bool overwrite = 1;
// Whether to send the request to upstream if the credential is not present or if the credential injection
// to the request fails.
//
// By default, a request will fail with ``401 Unauthorized`` if the
// credential is not present or the injection of the credential to the request fails.
// If set to true, the request will be sent to upstream without the credential.
bool allow_request_without_credential = 2;
// The credential to inject into the proxied requests
// [#extension-category: envoy.http.injected_credentials]
config.core.v3.TypedExtensionConfig credential = 3 [(validate.rules).message = {required: true}];
}