Documentation ¶
Index ¶
- Variables
- type CredentialInjector
- func (*CredentialInjector) Descriptor() ([]byte, []int)deprecated
- func (x *CredentialInjector) GetAllowRequestWithoutCredential() bool
- func (x *CredentialInjector) GetCredential() *v3.TypedExtensionConfig
- func (x *CredentialInjector) GetOverwrite() bool
- func (*CredentialInjector) ProtoMessage()
- func (x *CredentialInjector) ProtoReflect() protoreflect.Message
- func (x *CredentialInjector) Reset()
- func (x *CredentialInjector) String() string
Constants ¶
This section is empty.
Variables ¶
var File_envoy_extensions_filters_http_credential_injector_v3_credential_injector_proto protoreflect.FileDescriptor
Functions ¶
This section is empty.
Types ¶
type CredentialInjector ¶
type CredentialInjector struct { // Whether to overwrite the value or not if the injected headers already exist. // Value defaults to false. Overwrite bool `protobuf:"varint,1,opt,name=overwrite,proto3" json:"overwrite,omitempty"` // Whether to send the request to upstream if the credential is not present or if the credential injection // to the request fails. // // By default, a request will fail with “401 Unauthorized“ if the // credential is not present or the injection of the credential to the request fails. // If set to true, the request will be sent to upstream without the credential. AllowRequestWithoutCredential bool `` /* 153-byte string literal not displayed */ // The credential to inject into the proxied requests // [#extension-category: envoy.http.injected_credentials] Credential *v3.TypedExtensionConfig `protobuf:"bytes,3,opt,name=credential,proto3" json:"credential,omitempty"` // contains filtered or unexported fields }
Credential Injector injects credentials into outgoing HTTP requests. The filter configuration is used to retrieve the credentials, or they can be requested through the OAuth2 client credential grant. The credentials obtained are then injected into the Authorization header of the proxied HTTP requests, utilizing either the Basic or Bearer scheme.
If the credential is not present or there was a failure injecting the credential, the request will fail with “401 Unauthorized“ unless “allow_request_without_credential“ is set to “true“.
Notice: This filter is intended to be used for workload authentication, which means that the identity associated with the inserted credential is considered as the identity of the workload behind the envoy proxy(in this case, envoy is typically deployed as a sidecar alongside that workload). Please note that this filter does not handle end user authentication. Its purpose is solely to authenticate the workload itself.
Here is an example of CredentialInjector configuration with Generic credential, which injects an HTTP Basic Auth credential into the proxied requests.
.. code-block:: yaml
overwrite: true credential: name: generic_credential typed_config: "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic credential: name: credential sds_config: path_config_source: path: credential.yaml header: Authorization
credential.yaml for Basic Auth:
.. code-block:: yaml
resources: - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" name: credential generic_secret: secret: inline_string: "Basic base64EncodedUsernamePassword"
It can also be configured to inject a Bearer token into the proxied requests.
credential.yaml for Bearer Token:
.. code-block:: yaml
resources: - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" name: credential generic_secret: secret: inline_string: "Bearer myToken"
func (*CredentialInjector) Descriptor
deprecated
func (*CredentialInjector) Descriptor() ([]byte, []int)
Deprecated: Use CredentialInjector.ProtoReflect.Descriptor instead.
func (*CredentialInjector) GetAllowRequestWithoutCredential ¶
func (x *CredentialInjector) GetAllowRequestWithoutCredential() bool
func (*CredentialInjector) GetCredential ¶
func (x *CredentialInjector) GetCredential() *v3.TypedExtensionConfig
func (*CredentialInjector) GetOverwrite ¶
func (x *CredentialInjector) GetOverwrite() bool
func (*CredentialInjector) ProtoMessage ¶
func (*CredentialInjector) ProtoMessage()
func (*CredentialInjector) ProtoReflect ¶
func (x *CredentialInjector) ProtoReflect() protoreflect.Message
func (*CredentialInjector) Reset ¶
func (x *CredentialInjector) Reset()
func (*CredentialInjector) String ¶
func (x *CredentialInjector) String() string