Credential injector
The credential injector HTTP filter injects credentials into outgoing HTTP requests.
Note: This filter is intended for workload authentication. The identity associated with the injected credential is treated as the identity of the workload behind the Envoy proxy (in this deployment Envoy typically runs as a sidecar alongside that workload). The filter does not handle end-user authentication; its sole purpose is to authenticate the workload itself.
Configuration
This filter should be configured with the type URL type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector.
The filter is configured with one of the supported credential injector extensions listed below. The extension is responsible for fetching the credential from its source; the filter then injects the obtained credential into the Authorization header of the proxied HTTP requests, using either the Basic or the Bearer scheme.
Generic credential injector
This extension should be configured with the type URL type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic.
Here is an example configuration with the Generic credential injector, which injects an HTTP Basic Auth credential into the proxied requests. With overwrite set to true an Authorization header already present on the request is replaced by the injected credential (with false it is left untouched); with allow_request_without_credential set to true a request is still forwarded when no credential can be obtained (with false the filter rejects it with 401).
  - name: envoy.filters.http.credential_injector
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
      allow_request_without_credential: true
      overwrite: true
      credential:
        name: envoy.http.injected_credentials.generic
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
          credential:
            name: credential
The secret named credential that the configuration above refers to; it is a generic secret whose value is the complete header value, here a Basic Auth credential:
  - name: credential
    generic_secret:
      secret:
        inline_string: "Basic base64EncodedUsernamePassword"
The same extension can inject a Bearer token instead: only the secret value changes. Secret for a Bearer token:
  - name: credential-bearer
    generic_secret:
      secret:
        inline_string: "Bearer myToken"
OAuth2 credential injector (client credential grant)
This extension should be configured with the type URL type.googleapis.com/envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2.
Here is an example configuration with the OAuth2 client credentials injector. The extension obtains an access token from the configured token endpoint using the client credentials grant and injects it as a Bearer token into the proxied requests. The client secret is referenced as a secret rather than written inline, and the token endpoint is reached through the named cluster.
  - name: envoy.filters.http.credential_injector
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
      credential:
        name: envoy.http.injected_credentials.oauth2
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2
          token_endpoint:
            cluster: okta.ad
            timeout: 3s
            uri: "https://dev-1178504991.okta.com/oauth2/default/v1/token"
          client_credentials:
            client_id: some-client-id
            client_secret:
              name: client-secret
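The snippets above show only the http_filters entries; what a deployment also needs is the secret that the Generic injector names, the cluster that the OAuth2 token_endpoint names, and the secret holding the client secret. The following bootstrap is an added example, not part of the Envoy documentation, that wires both injectors from this page end to end: one listener per injector, a placeholder upstream, the okta.ad cluster with TLS, and both secrets. The listener ports, the upstream host, the CA bundle path, the scope and all secret values are assumptions for illustration; the Okta host is taken from the token_endpoint uri shown above.

```yaml
# Added example (not from the Envoy docs): one bootstrap wiring both injectors shown on this page.
# Assumed for illustration: listener ports, the upstream host, the CA bundle path, the scope
# and every secret value; the Okta host is the one in the page's token_endpoint uri.
admin:
  address:
    socket_address: { address: 127.0.0.1, port_value: 9901 }
static_resources:
  listeners:
  # Port 10000: Generic injector with a static Basic credential.
  - name: generic_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: generic   # counters land under http.generic.credential_injector.*
          route_config:
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes: [{ match: { prefix: "/" }, route: { cluster: upstream } }]
          http_filters:
          - name: envoy.filters.http.credential_injector
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
              # false: a downstream-supplied Authorization header is kept (counted as already_exists);
              # true: it is replaced with the injected credential.
              overwrite: false
              # false: answer 401 when no credential is available instead of forwarding unauthenticated.
              allow_request_without_credential: false
              credential:
                name: envoy.http.injected_credentials.generic
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
                  credential:
                    name: credential   # declared under static_resources.secrets
          - name: envoy.filters.http.router
            typed_config: { "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router }
  # Port 10001: OAuth2 client-credentials injector; the fetched token goes in "Authorization: Bearer <token>".
  - name: oauth2_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 10001 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: oauth2
          route_config:
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes: [{ match: { prefix: "/" }, route: { cluster: upstream } }]
          http_filters:
          - name: envoy.filters.http.credential_injector
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
              credential:
                name: envoy.http.injected_credentials.oauth2
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2
                  token_endpoint:
                    cluster: okta.ad   # must name a cluster below
                    timeout: 3s
                    uri: "https://dev-1178504991.okta.com/oauth2/default/v1/token"
                  scopes: ["api.read"]   # assumed; omit if the authorization server needs none
                  client_credentials:
                    client_id: some-client-id
                    client_secret:
                      name: client-secret   # generic secret declared below
          - name: envoy.filters.http.router
            typed_config: { "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router }
  clusters:
  - name: upstream
    type: STRICT_DNS
    load_assignment:
      cluster_name: upstream
      endpoints: [{ lb_endpoints: [{ endpoint: { address: { socket_address: { address: backend.internal, port_value: 8080 } } } }] }]
  - name: okta.ad
    type: STRICT_DNS
    load_assignment:
      cluster_name: okta.ad
      endpoints: [{ lb_endpoints: [{ endpoint: { address: { socket_address: { address: dev-1178504991.okta.com, port_value: 443 } } } }] }]
    # TLS with CA validation is mandatory here: the client secret is sent on this connection.
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: dev-1178504991.okta.com
        common_tls_context:
          validation_context:
            trusted_ca: { filename: /etc/ssl/certs/ca-certificates.crt }
  secrets:
  - name: credential
    generic_secret:
      secret: { inline_string: "Basic dXNlcjpwYXNzd29yZA==" }   # base64("user:password"), placeholder
  - name: client-secret
    generic_secret:
      secret: { inline_string: "some-client-secret" }   # placeholder
```

Start Envoy with this file (envoy -c envoy.yaml), send a request to port 10000 or 10001, and read the counters from the admin endpoint (curl -s 127.0.0.1:9901/stats | grep credential_injector) to confirm which branch a request took. Two points worth keeping in mind: the inline_string secrets are written into the bootstrap only for a self-contained example, and in production both secrets should come from SDS (sds_config on the SdsSecretConfig) so the credential never sits in the config file; and the okta.ad cluster must keep its TLS transport socket with CA validation, because the client secret is transmitted on every token request to that cluster. Note also that the Generic extension accepts an optional header field for injecting into a header other than Authorization.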
Statistics
The HTTP credential injector filter outputs statistics in the http.<stat_prefix>.credential_injector. namespace.

Name | Type | Description
---|---|---
injected | Counter | Total number of requests with injected credentials
failed | Counter | Total number of requests that failed to inject credentials
already_exists | Counter | Total number of requests that already had credentials and overwrite is false
OAuth2 client credential injector extension specific statistics are also emitted in the http.<stat_prefix>.credential_injector.oauth2. namespace.

Name | Type | Description
---|---|---
token_requested | Counter | Total number of token requests sent to the OAuth2 server
token_fetched | Counter | Total number of successful token fetches from the OAuth2 server
token_fetch_failed_on_client_secret | Counter | Total number of times the token request was not sent due to a missing client secret
token_fetch_failed_on_cluster_not_found | Counter | Total number of times the token request was not sent due to a missing OAuth2 server cluster
token_fetch_failed_on_bad_response_code | Counter | Total number of times the OAuth2 server responded with a non-200 response code
token_fetch_failed_on_bad_token | Counter | Total number of times the OAuth2 server responded with a bad token
token_fetch_failed_on_stream_reset | Counter | Total number of times the HTTP stream with the OAuth2 server was reset