feat: Credential Injection for ext_authz and ext_proc calls

[kb000]

Title: Add Credential Injection compatible with ext_authz and ext_proc gRPC and HTTP calls

Description:

I have need for a feature facilitating workload authentication on external calls by the envoy.filters.http.ext_authz and envoy.filters.http.ext_proc filters. The Credential Injector filter almost works for this use case, but the secrets are only injected to the routed request, not the side-processing requests.

I don't know if this is best implemented as an enhancement to the ext_* filters to access SDS, or to somehow make secrets available to the existing API.

[aviralgarg05]

I would like to solve this issue

[kb000]

I did a bit of hacking around and have a filter working that makes a generic SDS (or static) secret's content available in DYNAMIC_METADATA. The ext_* filters can then use %DYNAMIC_METADATA(my.secret_metadata_filter.namespace:my_secret_name)% in the gRPC initial_metadata field because it can already use HeaderValue format specifiers.
As far as I can tell, this approach won't work for http ext_auth clusters.

[kb000]

I also realize I could set up mTLS on the grpc or http upstream cluster. My organization doesn't have an automated way of rotating client certs for services like mine, so I'd much rather be able to plumb through a generic secret for workload authentication.

[yanavlasov]

At this point Envoy can only use mTLS to authenticate remote callouts. There might be a way to do it with the upstream filters, but I have not verified it.