Credential injector
The credential injector HTTP filter serves the purpose of injecting credentials into outgoing HTTP requests.
Notice: This filter is intended to be used for workload authentication, which means that the identity associated with the inserted credential is considered as the identity of the workload behind the Envoy proxy (in this case, Envoy is typically deployed as a sidecar alongside that workload).
Note: This filter does not handle end user authentication. Its sole purpose is to authenticate the workload itself.
Configuration
- This filter should be configured with the type URL - type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector.
The filter is configured with one of the following supported credential_injector extensions. Extensions are responsible for fetching the credentials from the source. The credentials obtained are then injected into the Authorization header of the proxied HTTP requests, utilizing either the Basic or Bearer scheme.
Generic credential injector
- This extension should be configured with the type URL - type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic.
Here is an example configuration with the Generic credential extension, which injects an HTTP Basic Auth credential into the proxied requests.
```yaml
- name: envoy.filters.http.credential_injector
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
    allow_request_without_credential: true
    overwrite: true
    credential:
      name: envoy.http.injected_credentials.generic
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
        credential:
          name: credential
```
The secret referenced above, which is used to inject a Basic Auth credential into the proxied requests:
```yaml
- name: credential
  generic_secret:
    secret:
      inline_string: "Basic base64EncodedUsernamePassword"
```
It can also be configured to inject a Bearer token into the proxied requests.
Credential for a Bearer token:
```yaml
- name: credential-bearer
  generic_secret:
    secret:
      inline_string: "Bearer myToken"
```
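The following is an added example, not Envoy code: a small Python model of the per-request decision the filter makes with the Generic extension, so the effect of `overwrite` and `allow_request_without_credential` can be checked on sample requests. It also builds the `Basic` secret value from a username and password the way the inline_string above expects it. The `CredentialInjector` class, the `apply` method and the counter names `injected`, `failed` and `already_exists` are this example's own labels, not a claim about Envoy's implementation.

```python
"""Model of the credential injector's per-request decision (added example).

Mimics the documented semantics of `overwrite` and
`allow_request_without_credential` and keeps three counters modelled on the
statistics section. Names are this example's own, not Envoy's code.
"""
import base64
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def basic_credential(username: str, password: str) -> str:
    """Build the value a generic_secret inline_string holds for Basic auth."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


@dataclass
class InjectorStats:
    injected: int = 0        # requests that received a credential
    failed: int = 0          # requests where no credential could be injected
    already_exists: int = 0  # requests that already carried one and overwrite=false


@dataclass
class CredentialInjector:
    # Secret value as it would come from the generic_secret, already carrying
    # its scheme ("Basic ..." or "Bearer ..."). None models a fetch failure.
    credential: Optional[str]
    overwrite: bool = False
    allow_request_without_credential: bool = False
    stats: InjectorStats = field(default_factory=InjectorStats)

    def apply(self, headers: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
        """Return (continue_request, headers); False means the request is rejected."""
        out = {k.lower(): v for k, v in headers.items()}
        if "authorization" in out and not self.overwrite:
            # Existing credential wins; pass the request through untouched.
            self.stats.already_exists += 1
            return True, out
        if not self.credential:
            # No credential available: only continue if the config allows it.
            self.stats.failed += 1
            return self.allow_request_without_credential, out
        out["authorization"] = self.credential
        self.stats.injected += 1
        return True, out


if __name__ == "__main__":
    # Constructed sample: sidecar config matching the YAML above.
    inj = CredentialInjector(basic_credential("svc", "pw"),
                             overwrite=True, allow_request_without_credential=True)
    ok, hdrs = inj.apply({"Host": "backend", "Authorization": "Bearer stale"})
    print(ok, hdrs["authorization"], inj.stats)
```

With `overwrite: true` an `Authorization` header the client supplied is replaced, which is what you want when the sidecar is the only party allowed to speak for the workload; with `overwrite: false` a client-supplied header is forwarded as-is, so that setting should be paired with a policy that no untrusted caller can reach the sidecar's listener.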
OAuth2 credential injector (client credential grant)
- This extension should be configured with the type URL - type.googleapis.com/envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2.
Here is an example configuration with the OAuth2 client credential injector, which injects an OAuth2 token into the proxied requests.
```yaml
- name: envoy.filters.http.credential_injector
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
    credential:
      name: envoy.http.injected_credentials.oauth2
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2
        token_endpoint:
          cluster: okta.ad
          timeout: 3s
          uri: "https://dev-1178504991.okta.com/oauth2/default/v1/token"
        client_credentials:
          client_id: some-client-id
          client_secret:
            name: client-secret
```
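As an added example (not Envoy code), the Python model below walks through the client credentials grant behind this configuration: it sends the RFC 6749 `grant_type=client_credentials` form to the token endpoint, validates the JSON response, and derives the `Bearer` value that ends up in the Authorization header. Each failure path is mapped onto one of the outcome categories the OAuth2 statistics section lists. The `OAuth2Injector` class, the `Endpoint` callback type, the counter names and `fake_token_endpoint` (a constructed stand-in for the okta.ad cluster) are assumptions of this example.

```python
"""Model of the OAuth2 client-credentials token fetch (added example).

Not Envoy code: counter names, the Endpoint callback and the fake token
endpoint are this example's own constructs, modelled on the statistics
section of the filter documentation.
"""
import json
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# A token endpoint is modelled as a callable taking (uri, form_body) and
# returning (status_code, body); it raises ConnectionError on a reset stream.
Endpoint = Callable[[str, str], Tuple[int, str]]


@dataclass
class OAuth2Stats:
    token_requested: int = 0
    token_fetched: int = 0
    token_fetch_failed_on_client_secret: int = 0
    token_fetch_failed_on_cluster_not_found: int = 0
    token_fetch_failed_on_bad_response_code: int = 0
    token_fetch_failed_on_bad_token: int = 0
    token_fetch_failed_on_stream_reset: int = 0


@dataclass
class OAuth2Injector:
    token_uri: str
    client_id: str
    client_secret: Optional[str]   # None models a missing client-secret SDS secret
    cluster: Optional[Endpoint]    # None models a missing token_endpoint cluster
    stats: OAuth2Stats = field(default_factory=OAuth2Stats)

    def fetch_credential(self) -> Optional[str]:
        """Return the Authorization value ("Bearer <token>") or None on failure."""
        if not self.client_secret:
            self.stats.token_fetch_failed_on_client_secret += 1
            return None
        if self.cluster is None:
            self.stats.token_fetch_failed_on_cluster_not_found += 1
            return None
        form = urlencode({"grant_type": "client_credentials",
                          "client_id": self.client_id,
                          "client_secret": self.client_secret})
        self.stats.token_requested += 1
        try:
            status, body = self.cluster(self.token_uri, form)
        except ConnectionError:
            self.stats.token_fetch_failed_on_stream_reset += 1
            return None
        if status != 200:
            self.stats.token_fetch_failed_on_bad_response_code += 1
            return None
        try:
            data = json.loads(body)
            token = data["access_token"]
            # Only a non-empty bearer token is usable in the Authorization header.
            if not isinstance(token, str) or not token \
                    or str(data.get("token_type", "")).lower() != "bearer":
                raise ValueError("response does not carry a usable bearer token")
        except (ValueError, KeyError, TypeError):
            self.stats.token_fetch_failed_on_bad_token += 1
            return None
        self.stats.token_fetched += 1
        return f"Bearer {token}"


def fake_token_endpoint(expected_secret: str) -> Endpoint:
    """Constructed stand-in for the okta.ad cluster's /v1/token endpoint."""
    def handler(uri: str, form_body: str) -> Tuple[int, str]:
        form = parse_qs(form_body)
        if form.get("grant_type") != ["client_credentials"]:
            return 400, json.dumps({"error": "unsupported_grant_type"})
        if form.get("client_secret") != [expected_secret]:
            return 401, json.dumps({"error": "invalid_client"})
        return 200, json.dumps({"access_token": "tok-123",
                                "token_type": "Bearer", "expires_in": 3600})
    return handler


if __name__ == "__main__":
    inj = OAuth2Injector("https://dev-1178504991.okta.com/oauth2/default/v1/token",
                         "some-client-id", "s3cret", fake_token_endpoint("s3cret"))
    print(inj.fetch_credential(), inj.stats)
```

When reading the real filter's counters, a rising non-200 count with a flat fetched count usually means a rotated or wrong client secret at the identity provider, while a missing-cluster or missing-secret count that increments at all points at a configuration or SDS delivery problem rather than at the token endpoint.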
Statistics
The HTTP credential injector filter outputs statistics in the http.<stat_prefix>.credential_injector. namespace.
| Name | Type | Description |
|---|---|---|
| | Counter | Total number of requests with injected credentials |
| | Counter | Total number of requests that failed to inject credentials |
| | Counter | Total number of requests that already had credentials and overwrite is false |
OAuth2 client credential injector extension-specific statistics are also emitted in the http.<stat_prefix>.credential_injector.oauth2. namespace.
| Name | Type | Description |
|---|---|---|
| | Counter | Total number of token requests sent to the OAuth2 server |
| | Counter | Total number of successful token fetches from the OAuth2 server |
| | Counter | Total number of times the token request was not sent due to a missing client secret |
| | Counter | Total number of times the token request was not sent due to a missing OAuth2 server cluster |
| | Counter | Total number of times the OAuth2 server responded with a non-200 response code |
| | Counter | Total number of times the OAuth2 server responded with a bad token |
| | Counter | Total number of times the HTTP stream with the OAuth2 server got reset |