Formatter extension for printing values from generic secrets (proto)

This extension has the qualified name envoy.formatter.generic_secret

Note

This extension is functional but has not had substantial production burn time; use only with this caveat.

This extension is intended to be robust against both untrusted downstream and upstream traffic.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

extensions.formatter.generic_secret.v3.GenericSecret

[extensions.formatter.generic_secret.v3.GenericSecret proto]

The GenericSecret formatter extension implements the %SECRET(name)% command operator, which resolves the value of a named generic secret obtained via SDS or static bootstrap configuration.

The secret must be a GenericSecret with the secret field set.

Example configuration adding an authorization header with a secret obtained via SDS:

http_uri:
  uri: https://api.example.com/v1/data
  cluster: api_backend
  timeout: 5s
request_headers_to_add:
- header:
    key: "authorization"
    value: "Bearer %SECRET(my-api-token)%"
formatters:
- name: envoy.formatter.generic_secret
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.formatter.generic_secret.v3.GenericSecret
    secret_configs:
      my-api-token:
        name: bearer-token
        sds_config:
          ads: {}

{
  "secret_configs": {...}
}

secret_configs

(repeated map<string, extensions.transport_sockets.tls.v3.SdsSecretConfig>) Map from formatter lookup name to SDS secret configuration. The map key is the name used in the %SECRET(name)% command operator.
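Because %SECRET(name)% takes the map key (my-api-token above) and not the SDS secret name (bearer-token), the two are easy to confuse. The following pre-deployment check is an added example, not part of Envoy or its documentation: it scans a parsed configuration for %SECRET(...)% references and compares them with the secret_configs keys. The function names and the finding labels are hypothetical, and the sample input is constructed from the configuration shown on this page.

```python
import re

# Matches the %SECRET(name)% command operator and captures the lookup name.
SECRET_REF = re.compile(r"%SECRET\(([^)]*)\)%")
FORMATTER = "envoy.formatter.generic_secret"

def iter_strings(node):
    """Yield every string value nested in a parsed config (dicts and lists)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)

def check_secret_refs(config):
    """Return sorted (finding, name) tuples; an empty list means consistent."""
    lookup = {}  # formatter map key -> SDS secret name
    for fmt in config.get("formatters", []):
        if fmt.get("name") == FORMATTER:
            secret_configs = fmt.get("typed_config", {}).get("secret_configs", {})
            for key, sds in secret_configs.items():
                lookup[key] = sds.get("name")
    keys = set(lookup)
    refs = {m for s in iter_strings(config) for m in SECRET_REF.findall(s)}
    findings = []
    for ref in refs - keys:  # referenced in a format string but not a map key
        kind = "sds-name-used-as-key" if ref in lookup.values() else "undefined-key"
        findings.append((kind, ref))
    findings.extend(("unused-key", key) for key in keys - refs)
    return sorted(findings)

def sample_config(header_value):
    """Constructed sample: this page's configuration as a parsed dict."""
    return {
        "request_headers_to_add": [
            {"header": {"key": "authorization", "value": header_value}}],
        "formatters": [{
            "name": FORMATTER,
            "typed_config": {
                "@type": "type.googleapis.com/envoy.extensions.formatter."
                         "generic_secret.v3.GenericSecret",
                "secret_configs": {
                    "my-api-token": {"name": "bearer-token",
                                     "sds_config": {"ads": {}}}},
            },
        }],
    }
```

Calling check_secret_refs(sample_config("Bearer %SECRET(bearer-token)%")) reports that the SDS name was used where the map key belongs and that my-api-token is never referenced.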