Merge branch 'main' into correct-include

CODEOWNERS

@@ -344,6 +344,11 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 
 /*/extensions/health_checkers/common @zuercher @botengyao
 
+# HTTP credential injector
+/*/extensions/filters/http/credential_injector @zhaohuabing @kyessenov
+/*/extensions/http/injected_credentials/common @zhaohuabing @kyessenov
+/*/extensions/http/injected_credentials/generic @zhaohuabing @kyessenov
+
 # Lua cluster specifier
 /*/extensions/router/cluster_specifiers/lua @StarryVae @wbpcode
 

api/BUILD

@@ -265,12 +265,12 @@ proto_library(
         "//envoy/extensions/http/early_header_mutation/header_mutation/v3:pkg",
         "//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
         "//envoy/extensions/http/header_validators/envoy_default/v3:pkg",
+        "//envoy/extensions/http/injected_credentials/generic/v3:pkg",
+        "//envoy/extensions/http/injected_credentials/oauth2/v3:pkg",
         "//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
         "//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
         "//envoy/extensions/http/stateful_session/cookie/v3:pkg",
         "//envoy/extensions/http/stateful_session/header/v3:pkg",
-        "//envoy/extensions/injected_credentials/generic/v3:pkg",
-        "//envoy/extensions/injected_credentials/oauth2/v3:pkg",
         "//envoy/extensions/internal_redirect/allow_listed_routes/v3:pkg",
         "//envoy/extensions/internal_redirect/previous_routes/v3:pkg",
         "//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",

api/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto

@@ -42,3 +42,11 @@ message BasicAuth {
   string forward_username_header = 2
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
 }
+
+// Extra settings that may be added to per-route configuration for
+// a virtual host or a cluster.
+message BasicAuthPerRoute {
+  // Username-password pairs for this route.
+  config.core.v3.DataSource users = 1
+      [(validate.rules).message = {required: true}, (udpa.annotations.sensitive) = true];
+}

api/envoy/extensions/filters/http/composite/v3/composite.proto

@@ -53,9 +53,11 @@ message ExecuteFilterAction {
   config.core.v3.TypedExtensionConfig typed_config = 1
       [(udpa.annotations.field_migrate).oneof_promotion = "config_type"];
 
-  // Dynamic configuration of filter obtained via extension configuration discovery
-  // service.
+  // Dynamic configuration of filter obtained via extension configuration discovery service.
   // Only one of ``typed_config`` or ``dynamic_config`` can be set.
+  // When composite filter is in upstream filter chain, the ``dynamic_config``
+  // can not be set. TBD: Refactor cluster manager init sequence to Support this.
+  // Please check https://github.com/envoyproxy/envoy/issues/33218 for details.
   DynamicConfig dynamic_config = 2
       [(udpa.annotations.field_migrate).oneof_promotion = "config_type"];
 }

api/envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto

@@ -17,30 +17,29 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 
 // [#protodoc-title: Credential Injector]
-// [#not-implemented-hide:]
 // Credential Injector :ref:`configuration overview <config_http_filters_credential_injector>`.
 // [#extension: envoy.filters.http.credential_injector]
 
 // Credential Injector injects credentials into outgoing HTTP requests. The filter configuration is used to retrieve the credentials, or
 // they can be requested through the OAuth2 client credential grant. The credentials obtained are then injected into the Authorization header
 // of the proxied HTTP requests, utilizing either the Basic or Bearer scheme.
 //
-// If the credential is not present, the request will fail with 401 Unauthorized if fail_if_not_present is set to true.
+// If the credential is not present or there was a failure injecting the credential, the request will fail with ``401 Unauthorized`` unless
+// ``allow_request_without_credential`` is set to ``true``.
 //
 // Notice: This filter is intended to be used for workload authentication, which means that the identity associated with the inserted credential
 // is considered as the identity of the workload behind the envoy proxy(in this case, envoy is typically deployed as a sidecar alongside that
 // workload). Please note that this filter does not handle end user authentication. Its purpose is solely to authenticate the workload itself.
 //
 // Here is an example of CredentialInjector configuration with Generic credential, which injects an HTTP Basic Auth credential into the proxied requests.
 //
-//  .. code-block:: yaml
+// .. code-block:: yaml
 //
 //  overwrite: true
-//  fail_if_not_present: true
 //  credential:
 //    name: generic_credential
 //    typed_config:
-//      "@type": type.googleapis.com/envoy.extensions.injected_credentials.generic.v3.Generic
+//      "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
 //      credential:
 //        name: credential
 //        sds_config:
@@ -49,7 +48,8 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 //      header: Authorization
 //
 // credential.yaml for Basic Auth:
-//  .. code-block:: yaml
+//
+// .. code-block:: yaml
 //
 //  resources:
 //  - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
@@ -59,8 +59,10 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 //        inline_string: "Basic base64EncodedUsernamePassword"
 //
 // It can also be configured to inject a Bearer token into the proxied requests.
+//
 // credential.yaml for Bearer Token:
-//  .. code-block:: yaml
+//
+// .. code-block:: yaml
 //
 //  resources:
 //  - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
@@ -74,12 +76,15 @@ message CredentialInjector {
   // Value defaults to false.
   bool overwrite = 1;
 
-  // Whether to fail the request if the credential is not present.
-  // Value defaults to false.
-  // If set to true, the request will fail with 401 Unauthorized if the credential is not present.
-  bool fail_if_not_present = 2;
+  // Whether to send the request to upstream if the credential is not present or if the credential injection
+  // to the request fails.
+  //
+  // By default, a request will fail with ``401 Unauthorized`` if the
+  // credential is not present or the injection of the credential to the request fails.
+  // If set to true, the request will be sent to upstream without the credential.
+  bool allow_request_without_credential = 2;
 
   // The credential to inject into the proxied requests
-  // TODO add extension-category
+  // [#extension-category: envoy.http.injected_credentials]
   config.core.v3.TypedExtensionConfig credential = 3 [(validate.rules).message = {required: true}];
 }

api/envoy/extensions/injected_credentials/generic/v3/generic.proto → api/envoy/extensions/http/injected_credentials/generic/v3/generic.proto

@@ -1,6 +1,6 @@
 syntax = "proto3";
 
-package envoy.extensions.injected_credentials.generic.v3;
+package envoy.extensions.http.injected_credentials.generic.v3;
 
 import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
 
@@ -9,58 +9,19 @@ import "xds/annotations/v3/status.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 
-option java_package = "io.envoyproxy.envoy.extensions.injected_credentials.generic.v3";
+option java_package = "io.envoyproxy.envoy.extensions.http.injected_credentials.generic.v3";
 option java_outer_classname = "GenericProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/injected_credentials/generic/v3;genericv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/injected_credentials/generic/v3;genericv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 
 // [#protodoc-title: Generic Credential]
-// [#not-implemented-hide:]
-// [#extension: envoy.injected_credentials.generic]
+// [#extension: envoy.http.injected_credentials.generic]
 
 // Generic extension can be used to inject HTTP Basic Auth, Bearer Token, or any arbitrary credential
 // into the proxied requests.
 // The credential will be injected into the specified HTTP request header.
-// Example:
-//
-//  .. code-block:: yaml
-//
-//  credential:
-//    name: generic_credential
-//    typed_config:
-//      "@type": type.googleapis.com/envoy.extensions.injected_credentials.generic.v3.Generic
-//      credential:
-//        name: credential
-//        sds_config:
-//          path_config_source:
-//            path: credential.yaml
-//      header: Authorization
-//
-// credential.yaml for Basic Auth:
-//
-//  .. code-block:: yaml
-//
-//  resources:
-//  - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
-//    name: credential
-//    generic_secret:
-//      secret:
-//        inline_string: "Basic base64EncodedUsernamePassword"
-//
-// Refer to [RFC 7617: The 'Basic' HTTP Authentication Scheme](https://www.rfc-editor.org/rfc/rfc7617) for details.
-//
-// credential.yaml for Bearer Token:
-//
-//  .. code-block:: yaml
-//  resources:
-//  - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
-//    name: credential
-//    generic_secret:
-//      secret:
-//        inline_string: "Bearer myToken"
-//
 // Refer to [RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750) for details.
 //
 message Generic {

api/envoy/extensions/injected_credentials/oauth2/v3/oauth2.proto → api/envoy/extensions/http/injected_credentials/oauth2/v3/oauth2.proto

@@ -1,6 +1,6 @@
 syntax = "proto3";
 
-package envoy.extensions.injected_credentials.oauth2.v3;
+package envoy.extensions.http.injected_credentials.oauth2.v3;
 
 import "envoy/config/core/v3/http_uri.proto";
 import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
@@ -10,16 +10,16 @@ import "xds/annotations/v3/status.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 
-option java_package = "io.envoyproxy.envoy.extensions.injected_credentials.oauth2.v3";
+option java_package = "io.envoyproxy.envoy.extensions.http.injected_credentials.oauth2.v3";
 option java_outer_classname = "Oauth2Proto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/injected_credentials/oauth2/v3;oauth2v3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/injected_credentials/oauth2/v3;oauth2v3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 
 // [#protodoc-title: OAuth2 Credential]
 // [#not-implemented-hide:]
-// [#extension: envoy.injected_credentials.oauth2]
+// [#extension: envoy.http.injected_credentials.oauth2]
 
 // OAuth2 extension can be used to retrieve an OAuth2 access token from an authorization server and inject it into the
 // proxied requests.

api/versioning/BUILD

@@ -203,12 +203,12 @@ proto_library(
         "//envoy/extensions/http/early_header_mutation/header_mutation/v3:pkg",
         "//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
         "//envoy/extensions/http/header_validators/envoy_default/v3:pkg",
+        "//envoy/extensions/http/injected_credentials/generic/v3:pkg",
+        "//envoy/extensions/http/injected_credentials/oauth2/v3:pkg",
         "//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
         "//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
         "//envoy/extensions/http/stateful_session/cookie/v3:pkg",
         "//envoy/extensions/http/stateful_session/header/v3:pkg",
-        "//envoy/extensions/injected_credentials/generic/v3:pkg",
-        "//envoy/extensions/injected_credentials/oauth2/v3:pkg",
         "//envoy/extensions/internal_redirect/allow_listed_routes/v3:pkg",
         "//envoy/extensions/internal_redirect/previous_routes/v3:pkg",
         "//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",

bazel/dependency_imports.bzl

@@ -151,8 +151,8 @@ def envoy_dependency_imports(go_version = GO_VERSION, jq_version = JQ_VERSION, y
     go_repository(
         name = "com_github_planetscale_vtprotobuf",
         importpath = "github.com/planetscale/vtprotobuf",
-        sum = "h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=",
-        version = "v0.6.1-0.20240319094008-0393e58bdf10",
+        sum = "h1:ujRGEVWJEoaxQ+8+HMl8YEpGaDAgohgZxJ5S+d2TTFQ=",
+        version = "v0.6.1-0.20240409071808-615f978279ca",
         build_external = "external",
     )
 

changelogs/current.yaml

@@ -262,6 +262,10 @@ removed_config_or_runtime:
     removed ``envoy_reloadable_features_initialize_upstream_filters`` and legacy code paths.
 
 new_features:
+- area: filters
+  change: |
+    Added the :ref:`credential injector filter <envoy_v3_api_msg_extensions.filters.http.credential_injector.v3.CredentialInjector>`,
+    which can be used to inject credentials into the HTTP headers.
 - area: basic_auth
   change: |
     Added :ref:`forward_username_header <envoy_v3_api_field_extensions.filters.http.basic_auth.v3.BasicAuth.forward_username_header>`
@@ -309,6 +313,9 @@ new_features:
   change: |
     added support for :ref:`%UPSTREAM_CONNECTION_ID% <config_access_log_format_upstream_connection_id>` for the upstream connection
     identifier.
+- area: opentelemetry/grpc/access log
+  change: |
+    Added support to configure trace ID in OpenTelemetry logs.
 - area: compression
   change: |
     Added Qatzstd :ref:`compressor <envoy_v3_api_msg_extensions.compression.qatzstd.compressor.v3alpha.Qatzstd>`.
@@ -401,6 +408,12 @@ new_features:
 - area: http
   change: |
     Added DownstreamRemoteReset to CoreResponseFlag, and it is set when stream is remote reset.
+- area: match_delegate
+  change: |
+    Convert match_delegate fiter into dual filter so it can be installed in the upstream filter chain.
+- area: composite
+  change: |
+    Convert composite fiter into dual filter so it can be installed in the upstream filter chain.
 - area: tracing
   change: |
     Added support for variant span attribute type for the OpenTelemetry tracer.
@@ -463,6 +476,10 @@ new_features:
     Added maximum gRPC message size that is allowed to be received in Envoy gRPC. If a message over this limit is received,
     the gRPC stream is terminated with the RESOURCE_EXHAUSTED error. This limit is applied to individual messages in the
     streaming response and not the total size of streaming response. Defaults to 0, which means unlimited.
+- area: filters
+  change: |
+    Added :ref:`per-route configuration support to the Basic Auth filter
+    <envoy_v3_api_msg_extensions.filters.http.basic_auth.v3.BasicAuthPerRoute>`.
 
 deprecated:
 - area: listener

docs/BUILD

@@ -29,6 +29,7 @@ filegroup(
             "root/configuration/http/http_filters/_include/checksum_filter.yaml",
             # TODO(phlax/windows-dev): figure out how to get this working on windows
             #      "Error: unable to read file: /etc/ssl/certs/ca-certificates.crt"
+            "root/configuration/http/http_filters/_include/credential-injector-filter.yaml",
             "root/configuration/http/http_filters/_include/dns-cache-circuit-breaker.yaml",
             "root/configuration/other_features/_include/dlb.yaml",
             "root/configuration/other_features/_include/hyperscan_matcher.yaml",

docs/root/api-v3/config/config.rst

@@ -27,6 +27,7 @@ Extensions
   http/header_validators
   http/original_ip_detection
   http/stateful_session
+  injected_credentials/injected_credentials
   geoip_provider/geoip_provider
   trace/trace
   internal_redirect/internal_redirect

docs/root/api-v3/config/injected_credentials/injected_credentials.rst

@@ -0,0 +1,8 @@
+Injected credentials
+====================
+
+.. toctree::
+  :glob:
+  :maxdepth: 2
+
+  ../../extensions/http/injected_credentials/*/v3/*

docs/root/configuration/http/http_filters/_include/credential-injector-filter.yaml

@@ -0,0 +1,57 @@
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 10000
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          access_log:
+          - name: envoy.access_loggers.stdout
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains: ["*"]
+              routes:
+              - match:
+                  prefix: "/"
+                route:
+                  cluster: service1
+          http_filters:
+          - name: envoy.filters.http.credential_injector
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
+              allow_request_without_credential: true
+              overwrite: true
+              credential:
+                name: envoy.http.injected_credentials.generic
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
+                  credential:
+                    name: credential
+                    sds_config:
+                      path_config_source:
+                        path: /home/ubuntu/credential.yaml
+          - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+  clusters:
+  - name: service1
+    load_assignment:
+      cluster_name: service1
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: 127.0.0.1
+                port_value: 8080