How to inject credentials into a proxied request

[KALAKATASUNEETHA]

Description:

I am trying to inject the credentials into the proxied request through EnvoyPatchPolicy resource
Followed the reference for adding typed_config for credentials
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/credential_injector/v3/credential_injector.proto.html

My template is

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyPatchPolicy
metadata:
  name: credential-injection-patch
  namespace: envoy-gateway
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
  type: JSONPatch
  jsonPatches:
    - type: "type.googleapis.com/envoy.config.listener.v3.Listener"
      name: envoy-gateway/eg/http
      operation:
        op: add
        path: "/default_filter_chain/filters/0/typed_config/http_filters/-"
        value:
          name: envoy.filters.http.credential_injector
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
            allow_request_without_credential: false
            overwrite: true
            credential:
              name: envoy.http.injected_credentials.generic
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
                header: Authorization
                credential:
                  name: credential

Expected Behavior:
When allow_request_without_credential: false, the request should be blocked with a 401 Unauthorized response.
Envoy Gateway should apply the patch properly.

Actual Behavior:
The patch is applied successfully (kubectl get envoypatchpolicy shows it as Accepted).
But the request always succeeds with 200 OK, even when no credentials are passed.

Additionally, I want to inject a static credential using a Secret:

resources:
- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
  name: credential
  generic_secret:
    secret:
      inline_string: "Bearer myToken"

Could you provide an example on how to properly add this Secret and inject credentials in EnvoyPatchPolicy?

BTW, i have tested using envoyproxy to inject credentials. It works as expected

[optional Relevant Links:]

Any extra documentation required to understand the issue.

[KALAKATASUNEETHA]

Looking forward to any advice or pointers on resolving this.

[arkodg]

looks like Secret enum is missing in the API which is a bug

gateway/api/v1alpha1/envoypatchpolicy_types.go

Line 92 in 291da0f

const (

but the implementation exists

gateway/internal/xds/translator/jsonpatch.go

Line 143 in 291da0f

case resourcev3.SecretType:

[arkodg]

alternatively @KALAKATASUNEETHA we are trying to express this use case as a first class API , if you can help with it that would be great #4757

[KALAKATASUNEETHA]

I tested the changes mentioned in #4757, and it successfully replaces the hostname in the proxied request. Let me know if any additional validation is needed.

[KALAKATASUNEETHA]

Just FYI, I installed Envoy Gateway version 1.3.0.
It is not routing traffic to the upstream, whereas version 1.2.5 was diverting traffic correctly.

[KALAKATASUNEETHA]

I tested the changes mentioned in #4757, and it successfully replaces the hostname in the proxied request. Let me know if any additional validation is needed.

Some how I tested to rewrite the url , not contributed to #4757