api: HTTP APIKey Auth Filter

api/BUILD

@@ -159,6 +159,7 @@ proto_library(
         "//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg",
         "//envoy/extensions/filters/http/admission_control/v3:pkg",
         "//envoy/extensions/filters/http/alternate_protocols_cache/v3:pkg",
+        "//envoy/extensions/filters/http/api_key_auth/v3:pkg",
         "//envoy/extensions/filters/http/aws_lambda/v3:pkg",
         "//envoy/extensions/filters/http/aws_request_signing/v3:pkg",
         "//envoy/extensions/filters/http/bandwidth_limit/v3:pkg",

api/envoy/extensions/filters/http/api_key_auth/v3/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+    ],
+)

api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto

@@ -0,0 +1,56 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.api_key_auth.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.api_key_auth.v3";
+option java_outer_classname = "ApiKeyAuthProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/api_key_auth/v3;api_key_authv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: APIKey Auth]
+// APIKey Auth :ref:`configuration overview <config_http_filters_api_key_auth>`.
+// [#extension: envoy.filters.http.api_key_auth]
+
+// API Key HTTP authentication.
+//
+// Example:
+//
+// .. code-block:: yaml
+//
+//    authentication_header: "X-API-KEY"
+//    keys:
+//      inline_string: |-
+//        clientID1:apiKey1
+//        clientID2:apiKey2
+//
+message APIKeyAuth {
+  // keys used to authenticate the client.
+  // It should be a map of clientID to apiKey. 
+  // The clientID serves solely for identification purposes and isn't used for authentication.
+  config.core.v3.DataSource keys = 1 [(udpa.annotations.sensitive) = true];
+
+  // The header name to fetch the key.
+  // Only one of authentication_header, authentication_query, or authentication_cookie should be set.
+  string authentication_header = 2;
+  // The query parameter name to fetch the key.
+  // Only one of authentication_header, authentication_query, or authentication_cookie should be set.
+  string authentication_query = 3;
+  // The cookie name to fetch the key.
+  // Only one of authentication_header, authentication_query, or authentication_cookie should be set.
+  string authentication_cookie = 4;
+}
+
+// Extra settings that may be added to per-route configuration for
+// a virtual host or a cluster.
+message APIKeyAuthPerRoute {
+  // keys used to authenticate the client for this route.
+  config.core.v3.DataSource keys = 1
+      [(validate.rules).message = {required: true}, (udpa.annotations.sensitive) = true];
+}

api/versioning/BUILD

@@ -97,6 +97,7 @@ proto_library(
         "//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg",
         "//envoy/extensions/filters/http/admission_control/v3:pkg",
         "//envoy/extensions/filters/http/alternate_protocols_cache/v3:pkg",
+        "//envoy/extensions/filters/http/api_key_auth/v3:pkg",
         "//envoy/extensions/filters/http/aws_lambda/v3:pkg",
         "//envoy/extensions/filters/http/aws_request_signing/v3:pkg",
         "//envoy/extensions/filters/http/bandwidth_limit/v3:pkg",