Append a request header with a value from a secret #37656

Closed
arkodg opened this issue Dec 13, 2024 · 8 comments
Labels
area/http area/sds SDS related enhancement Feature requests. Not bugs or questions.

Comments

arkodg (Contributor) commented Dec 13, 2024

Description:

I'd like the ability to append a request header value from a secret (SDS); this header represents the API key header and the secret represents the actual API key.

The request_headers_to_add field in the RouteConfiguration uses the HeaderValueOption which only supports a literal value

Relates to envoyproxy/gateway#4757


arkodg (Contributor, Author) commented Dec 13, 2024

cc @mathetake @aabchoo

adisuissa (Contributor) commented

Sounds a bit risky.
Can you provide more details on the desired behavior (requirement) that you want to accomplish?

jewertow (Contributor) commented

@adisuissa another use case: appending authentication header to the HTTP CONNECT request sent to the upstream forward proxy, like Squid. Currently, we can only set a literal value in tunneling_config.headers_to_add. Why do you think it's risky?

I could try to contribute this feature.

arkodg (Contributor, Author) commented Jan 6, 2025

@adisuissa sharing a real use case example here

I would like to route API requests from downstream and upstream it to OpenAI, which uses an API Key as an authentication mechanism https://platform.openai.com/docs/quickstart?language-preference=curl#make-your-first-api-request
I cannot use the request_headers_to_add because I do not want to expose this sensitive key in the config dump, similar to the tls cert private key

winston0410 commented

> @adisuissa sharing a real use case example here
>
> I would like to route API requests from downstream and upstream it to OpenAI, which uses an API Key as an authentication mechanism https://platform.openai.com/docs/quickstart?language-preference=curl#make-your-first-api-request
>
> I cannot use the request_headers_to_add because I do not want to expose this sensitive key in the config dump, similar to the tls cert private key

I have a similar use case. I have a static website, and I need to communicate with an API behind Envoy. Instead of creating a proxy to add the API token to the request for me, I just want to let Envoy handle that before routing traffic to that API.

adisuissa (Contributor) commented Jan 27, 2025

I agree that the header's value should not be part of the config-dump, and adding a way to annotate it as sensitive seems the right way to go. However, this is different than what I thought the original request was: adding an ability to copy the output of SDS and send it to the upstream.
FWIW, I think this header's value will still be dumped as part of the access-logs. I guess the better way to address this issue is to authenticate against a server and receive a token for the request, and that should be added to the request.

arkodg (Contributor, Author) commented Jan 29, 2025

I like the annotation idea @adisuissa, does this design pattern already exist in Envoy Proxy today?

looks like an attempt was made to redact header values in a bottom up way #27820
The goal is for this value to not be accessible in

  • config dump
  • access logs
  • or used in a substitution formatter in other places (like setting the header value using %REQ(X-API-TOKEN)%)

cc @mathetake @wbpcode
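The three exposure paths listed in this comment (config dump, access logs, `%REQ(...)%` substitution) are the same ones the opening post and the jewertow/adisuissa exchange touch on for `request_headers_to_add` and `tunneling_config.headers_to_add`. The script below is an added example, not Envoy project code, of the check a platform team would run today against the admin `/config_dump` output to find credentials stored as literal `HeaderValueOption` values and formatter strings that would copy them into log lines. The field names (`request_headers_to_add`, `headers_to_add`, `header.key`/`header.value`, `%REQ(X?Y):Z%`) are Envoy's; the embedded `SAMPLE_CONFIG_DUMP` is constructed and trimmed (nested `@type` fields dropped), and the sensitive-header name list is an assumption to extend per deployment.

```python
"""Audit an Envoy admin /config_dump for credentials that sit in the config as
literal header values, then find substitution-formatter strings that would copy
those headers into access logs or other headers.

Added example, not Envoy project code; the header-name list and SAMPLE_CONFIG_DUMP
below are constructed for illustration.
"""
import re
from typing import Any, Iterator

# Header names that normally carry a credential (assumption: extend per deployment).
SENSITIVE_HEADER_RE = re.compile(r"^(authorization|proxy-authorization|x-api-key|x-api-token|api-key)$", re.IGNORECASE)
# Envoy substitution operator %REQ(X?Y):Z% that reads request header X (or fallback Y).
REQ_OPERATOR_RE = re.compile(r"%REQ\(([^?)]+)(?:\?[^)]*)?\)(?::\d+)?%", re.IGNORECASE)
# Fields that carry a repeated HeaderValueOption: RouteConfiguration / VirtualHost /
# Route request_headers_to_add, and TcpProxy tunneling_config.headers_to_add.
HEADER_OPTION_FIELDS = ("request_headers_to_add", "headers_to_add")


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, node) for every node in the dump, depth-first."""
    yield path, node
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, child in enumerate(node):
            yield from _walk(child, f"{path}[{idx}]")


def find_literal_secret_headers(dump: Any) -> list[dict[str, str]]:
    """Flag HeaderValueOptions whose key is a credential header and whose value is a literal."""
    findings: list[dict[str, str]] = []
    for path, node in _walk(dump):
        if not isinstance(node, dict):
            continue
        for field in HEADER_OPTION_FIELDS:
            for idx, opt in enumerate(node.get(field) or []):
                header = opt.get("header", {}) if isinstance(opt, dict) else {}
                key, value = header.get("key", ""), header.get("value", "")
                if SENSITIVE_HEADER_RE.match(key) and value:
                    # Never echo the secret itself; a short prefix is enough to locate it.
                    findings.append({"path": f"{path}.{field}[{idx}]", "header": key, "value_prefix": value[:6]})
    return findings


def find_formatter_references(dump: Any, header_names: set[str]) -> list[dict[str, str]]:
    """Flag %REQ(name)% operators (access-log formats, header rewrites) that read a flagged header."""
    wanted = {name.lower() for name in header_names}
    findings: list[dict[str, str]] = []
    for path, node in _walk(dump):
        if not isinstance(node, str):
            continue
        for match in REQ_OPERATOR_RE.finditer(node):
            name = match.group(1).strip()
            if name.lower() in wanted:
                findings.append({"path": path, "header": name, "operator": match.group(0)})
    return findings


def audit(dump: Any) -> dict[str, list[dict[str, str]]]:
    literal = find_literal_secret_headers(dump)
    refs = find_formatter_references(dump, {f["header"] for f in literal})
    return {"literal_headers": literal, "formatter_references": refs}


# Constructed, trimmed-down config_dump: a RouteConfiguration carrying an OpenAI-style bearer
# token as a literal, an HTTP access log whose format copies Authorization into every line, and
# a TCP proxy whose CONNECT tunnel to a forward proxy carries a literal Proxy-Authorization.
SAMPLE_CONFIG_DUMP = {"configs": [
    {"@type": "type.googleapis.com/envoy.admin.v3.RoutesConfigDump",
     "dynamic_route_configs": [{"route_config": {
         "name": "openai_routes",
         "request_headers_to_add": [{"header": {"key": "Authorization", "value": "Bearer sk-constructed-example"},
                                     "append_action": "OVERWRITE_IF_EXISTS_OR_ADD"}],
         "virtual_hosts": [{"name": "api", "domains": ["*"], "routes": [{
             "match": {"prefix": "/v1/"}, "route": {"cluster": "openai"},
             "request_headers_to_add": [{"header": {"key": "x-request-id", "value": "static"}}]}]}]}}]},
    {"@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
     "static_listeners": [
         {"listener": {"name": "ingress_http", "filter_chains": [{"filters": [{
             "name": "envoy.filters.network.http_connection_manager",
             "typed_config": {"access_log": [{"name": "envoy.access_loggers.file", "typed_config": {
                 "path": "/dev/stdout", "log_format": {"text_format_source": {
                     "inline_string": "%START_TIME% %REQ(:METHOD)% %REQ(Authorization)%\n"}}}}]}}]}]}},
         {"listener": {"name": "egress_connect", "filter_chains": [{"filters": [{
             "name": "envoy.filters.network.tcp_proxy",
             "typed_config": {"cluster": "squid", "tunneling_config": {
                 "hostname": "api.example:443",
                 "headers_to_add": [{"header": {"key": "Proxy-Authorization", "value": "Basic Y29uc3RydWN0ZWQ="}}]}}}]}]}}]}]}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_CONFIG_DUMP), indent=2))
```

Run it against a live dump with `curl -s localhost:9901/config_dump | python3 -c 'import json,sys; from audit import audit; print(audit(json.load(sys.stdin)))'` (module name assumed). The walk is structural rather than schema-driven on purpose: `HeaderValueOption` lists appear at several levels (route configuration, virtual host, route, tunneling config), and a `%REQ(...)%` operator can sit in any formatter string, so matching on the field name and operator syntax catches all of them without keeping a copy of the proto schema in the tool.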

arkodg (Contributor, Author) commented Feb 4, 2025

arkodg closed this as completed Feb 4, 2025