feat: api for credential injector http filter

[zhaohuabing]

API for the credential injector HTTP filter.

Note: based on feedback in the comments, the original PR has been split into multiple PRs, this one only contains APIs so it would be easier to review. The implementations of the Credential Injector Filter and Extensions will be in follow-up PRs.

Commit Message: add API for the credential injector HTTP filter.

Additional Description:
The credential injector HTTP filter serves the purpose of injecting credentials into outgoing HTTP requests. At present, the filter configuration is used to retrieve the credentials, or they can be requested through the OAuth2 client credential grant. Furthermore, it has the potential to support additional credential sources in the future, such as the OAuth2 resource owner password credentials grant , STS, etc. The credentials obtained are then injected into the Authorization header of the proxied HTTP requests, utilizing either the Basic or Bearer scheme.

Notice: This filter is intended to be used for workload authentication, which means that the identity associated with the inserted credential is considered as the identity of the workload behind the envoy proxy(in this case, envoy is typically deployed as a sidecar alongside that workload). Please note that this filter does not handle end user authentication. Its purpose is solely to authenticate the workload itself.

Sponsor: @kyessenov kindly offered to be the sponsor of this new filter.

Risk Level: low
Testing: no, only APIs, testing will be in follow-up PRs with implementation.
Docs Changes: yes
Release Notes: no
Platform Specific Features: No
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

generic, can be used to inject a custom credential in any specified header

          http_filters:
          - name: envoy.filters.http.credential_injector
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
              overwrite: false
              credential:
                name:  custom_credential      
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.credentials.generic.v3.Generic
                  header: my_custom_credential_header // default "Authorization"
                  credential:
                    name: my_credential
                    sds_config:
                      path_config_source:
                        path: /home/ubuntu/credential.yaml

basic auth, used to inject HTTP basic auth credential(username password)

          http_filters:
          - name: envoy.filters.http.credential_injector
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
              overwrite: false
              credential:
                name: basic_auth      
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.credentials.basic_auth.v3.BasicAuth
                  username: test
                  password:
                    name: password
                    sds_config:
                      path_config_source:
                        path: /home/ubuntu/password.yaml

bearer token, used to inject HTTP bearer token

          http_filters:
          - name: envoy.filters.http.credential_injector
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
              overwrite: false
              credential:
                name: bearer_token      
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.credentials.bearer_token.v3.BearerToken
                  bearer_token:
                    name: bearer_token
                    sds_config:
                      path_config_source:
                        path: /home/ubuntu/bearer_token.yaml

oauth2, used to get token via oauth2 client credentials grant and inject it into the http header

          http_filters:
          - name: envoy.filters.http.credential_injector
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
              overwrite: false
              credential:
                name: oauth2      
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.credentials.oauth2.v3.OAuth2
                  token_endpoint: https://foo.bar.com/oauth
                  client_credentials:
                    client_id: my_client_id
                    client_secret: 
                       name: client_secret
                      sds_config:
                       ..... //omitted for brevity

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @lizan
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #27769 was opened by zhaohuabing.

see: more, trace.

[zhaohuabing]

Need help here. Precheck protobuf failed but the log doesn't give explicit reasons.
https://dev.azure.com/cncf/envoy/_build/results?buildId=139531&view=logs&j=c95d62a5-6bb9-58f0-2a02-7575fd482a15&t=76c9b3e6-0d40-57e9-06f3-2219e9228a0a

[KBaichoo]

ping @lizan on api
ping @kyessenov if there's additional review

[kyessenov]

Looks fine to me. Need API reviewers feedback.

[lizan]

This is in good direction, do you have a draft for the implementation so I can refer for those API?

[zhaohuabing]

Yes, we do have a draft implementation internally, but the API is a bit different than this one and the functionality has not been fully finished yet. If it's needed, I can create another pr in draft. @lizan

…

On Sat, Jun 17, 2023, 00:58 Lizan Zhou ***@***.***> wrote: ***@***.**** commented on this pull request. This is in good direction, do you have a draft for the implementation so I can refer for those API? — Reply to this email directly, view it on GitHub <#27769 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAKCWISORBCLCBRMLGLUKYLXLSGFDANCNFSM6AAAAAAYX76XOQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[zhaohuabing]

A matcher might be useful but it's not blocking since even the credentials are added to every outgoing requests, it won't be any problems.

…

On Sat, Jun 17, 2023, 10:57 Vikas Choudhary (vikasc) < ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In api/envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto <#27769 (comment)>: > +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.credential_injector.v3"; +option java_outer_classname = "CredentialInjectorProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/credential_injector/v3;credential_injectorv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Credential Injector] +// [#not-implemented-hide:] +// Credential Injector :ref:`configuration overview <config_http_filters_credential_injector>`. +// [#extension: envoy.filters.http.credential_injector] + +// Filter config. +message CredentialInjector { Hi @zhaohuabing <https://github.com/zhaohuabing> , should we support matcher as well so that filter can inject credentials only the matched requests? — Reply to this email directly, view it on GitHub <#27769 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAKCWIVVZ6PYKCNKREGW6QLXLUMJRANCNFSM6AAAAAAYX76XOQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[zhaohuabing]

Looking at the implementation of these two injector and they are pretty similar. We should be able to refactor them into one similar implementation.

@lizan I moved the shared code from those extensions into the common directory to reduce redundancy. Does this address your concern?

[wbpcode]

I agree with @adisuissa's suggestion, this patch is huge and it would be better to split it to multiple different parts. Then we do more reasonable review.

And compared to implementation, we should try to figure out a final conclusion of the API first. Seems the discussion about the API has not ended.

[wbpcode]

/wait-any

[zhaohuabing]

/lgtm api

This looks much cleaner, thank you!

@wbpcode @adisuissa Thanks for your suggestion. We have already agreed on the APIs before I push implementations into this PR, please see the above discussion on the APIs.

If this is too big for review, I can split this into multiple PRs. This one is just for APIs, and Filter and Extensions implementation will be in follow-up PRs.

[adisuissa]

I think the directory name is confusing, as these are only credentials that are injected (not being fetched IIUC). Please change the directory name from api/envoy/extensions/credentials/ to api/envoy/extensions/injected_credentials/

[phlax]

/docs

[repokitteh-read-only]

Docs for this Pull Request will be rendered here:

https://storage.googleapis.com/envoy-pr/27769/docs/index.html

The docs are (re-)rendered each time the CI envoy-presubmit (precheck docs) job completes.

🐱

Caused by: a #27769 (comment) was created by @phlax.

see: more, trace.

[lizan]

/lgtm api

defer to @adisuissa

[kyessenov]

/wait-any
for @adisuissa response

[adisuissa]

Ok, LGTM API. We can reiterate over the details as these are WIP.
Thanks!
/lgtm api

[zhaohuabing]

Thank guys for reviewing the PR and the help on the API!

Need your last help. How can I fix this to get this PR merged? I already added a new envoy.injected_credentials category in tools/extensions/extensions_schema.yaml.

Unable to find extension category:  envoy.injected_credentials

https://dev.azure.com/cncf/envoy/_build/results?buildId=154742&view=logs&j=9fd58ae0-0c50-56b1-f517-c2b9afda9c9b&t=f871f0ce-3dc6-5bd2-7916-5ec61dbe723c&l=138

As you suggested, the implementation of the credential injector and the generic credential extension will be in a follow-up PR soo after this PR gets merged.

[adisuissa]

/lgtm api