@kiambogo I'm supportive of this and would be willing to add support. I have a couple of other PRs in flight that will be implemented first so it may take some time (a few months) to implement.
Title: Redis Filter should support AWS IAM authentication
Description:
Envoy supports acting as proxy to a Redis cluster, providing various functions (partitioning, routing, etc). Envoy currently only supports a static password defined in the configuration in order to authenticate with upstream redis clusters:
envoy/api/envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto
Line 245 in 0bf518c
The redis filter should be extended to support additional authentication mechanisms, and in particular, AWS IAM authentication. Envoy, when running as a Redis proxy, should support being configured to automatically perform the token generation using IAM and include that in its AUTH command when establishing a connection to the upstream redis cluster. The use case for this is a scenario where a client wishes to connect to an ElastiCache cluster through Envoy, where Envoy manages the authentication on behalf of the client.
This is different from the current external_auth_provider functionality. The external_auth_provider is used by Envoy to evaluate if a password provided by a downstream client should be considered valid. This evaluation process is entirely done within Envoy itself, and is a different process than what is being positioned in this issue.
Relevant Links:
AWS IAM Authentication for ElastiCache: https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/IAM.html
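The token generation this issue asks Envoy to perform, as an added Python example that is not part of the issue or of Envoy's code: it follows the token layout in the AWS ElastiCache IAM documentation linked above (a SigV4-presigned `connect` request with the `http://` scheme removed, valid for 900 seconds) and encodes the resulting AUTH command. The cache name, user and credentials are constructed placeholders, and the function names are hypothetical.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def elasticache_iam_token(cache_name, user_id, region, access_key, secret_key,
                          session_token=None, now=None, expires=900):
    """Return the presigned 'connect' request (scheme removed) used as the Redis password."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/elasticache/aws4_request"
    params = {
        "Action": "connect",
        "User": user_id,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # short-lived, unlike a static password
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials, e.g. from an instance or pod role
        params["X-Amz-Security-Token"] = session_token
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    # Canonical request: GET, path "/", query, one signed header (host), empty body.
    canonical = "\n".join(["GET", "/", query, f"host:{cache_name}", "", "host",
                           hashlib.sha256(b"").hexdigest()])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, "elasticache", "aws4_request"):
        key = _hmac(key, part)  # derive the SigV4 signing key step by step
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{cache_name}/?{query}&X-Amz-Signature={signature}"


def resp_auth(user_id, token):
    """Encode AUTH <user> <token> as a RESP array for a new upstream connection."""
    parts = [b"AUTH", user_id.encode(), token.encode()]
    return b"*3\r\n" + b"".join(b"$%d\r\n%s\r\n" % (len(p), p) for p in parts)


if __name__ == "__main__":  # constructed placeholder values, not real credentials
    tok = elasticache_iam_token("my-cache", "app-user", "us-east-1",
                                "AKIDEXAMPLE", "constructed-secret")
    print(resp_auth("app-user", tok).decode())
```

Because the token expires, a proxy holding it has to regenerate it for each new upstream connection rather than cache it indefinitely the way a static password is cached.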