feat: credential injector impl

[zhaohuabing]

Implementation for the credential injector HTTP filter.
This PR includes the implementation of the Credential Injector filter and the Generic extension type. The oauth2 extension type will be in a follow-up pR.

Related: #27769

Sponsor: @kyessenov kindly offered to be the sponsor of this new filter.

Risk Level: low
Testing: yes
Docs Changes: yes
Release Notes: yes
Platform Specific Features: No
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @adisuissa
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #30850 was opened by zhaohuabing.

see: more, trace.

[adisuissa]

Small API comment.
RE doc errors, I assume it is due to linking to "not-implemented-hide" protos.

[adisuissa]

Assigning Kuat as code-owner.
/assign @kyessenov

[adisuissa]

Thanks!
Left a small suggestion on the API, but otherwise the API LGTM.

[zhaohuabing]

/retest

[zhaohuabing]

After discussing with @wbpcode, we think the initialization process can be handled in individual credential extensions. This means the filter only needs to call the inject method.

• The oauth2 credential extension/or other possible similar extensions manage the initialization of credentials on their own, just like how generic extension handles SDS secrets.
  • It retrieves the credentials from the OAuth2 server through the client credential flow.
  • The received credentials are stored in TLS (Thread Local Storage) for accessibility by worker threads.
• During the decodeHeaders stage, the credential injector filter simply calls the inject method of the extensions to inject the credentials.

@kyessenov I believe you suggested a similar approach before?

If we're all in agreement with this approach, I'll proceed with updating the current implementation as outlined above.

[kyessenov]

Sounds reasonable. The details are easier to work out once you have an implementation for oauth2. All we really need is to be able to pause a request, and let the extension handle the job itself (e.g. no explicit thread management in this filter).

[zhaohuabing]

All we really need is to be able to pause a request, and let the extension handle the job itself (e.g. no explicit thread management in this filter).

I'm thinking just failing the request and letting the client decide the next step(fail, retry, etc.) if the extension fails to initialize the credentials, like what we have done with the generic extension(SDS).

By this way, we can decouple the filter and the extension's credential initialization/retry logic.

[wbpcode]

Thanks for your update. It's much simpler (and better) now. Fix the tests and CI, then it is ready for final review.

[zhaohuabing]

/retest

[phlax]

no point retesting atm - test certs are currently broken (#33389)

[wbpcode]

Thanks for your update. It's near to there. Only some minor comments are added to the implementation details.

[wbpcode]

nit: I think it would be better to mock the CredentialInjector rather than to mock the SecretReader. Because the filter actually only use the CredentialInjector and the SecretReader is only part of implementation of GenericCredentialInjector.

[wbpcode]

/wait

[wbpcode]

LGTM. Thanks so much for your great works and paying of so long time.

[zhaohuabing]

Thank you @kyessenov @lizan @adisuissa @wbpcode for helping on reviews and all the great feedback. I really appreciate it.