Description:
Describe the desired behavior, what scenario it enables and how it
would be used.
We are integrating an External Authorization service that requires context_extensions to be set on a per-route basis. There does not seem to be a first-class API allowing that at the moment.
A similar issue was opened before, #3460, and it was recommended to use ClientTrafficPolicy, but this applies to an entire Gateway/listener and would be sent to the upstream, rather than the ExtAuth backend only.
We are currently working around that with an EnvoyPatchPolicy:
```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyPatchPolicy
metadata:
  name: ext-auth-context-extensions
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
    namespace: default
  type: JSONPatch
  jsonPatches:
    - type: type.googleapis.com/envoy.config.route.v3.RouteConfiguration
      name: default/eg/https
      operation:
        op: replace
        jsonPath: .virtual_hosts[*].routes[*].typed_per_filter_config["envoy.filters.http.ext_authz/securitypolicy/default/ext-auth"]
        value:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
          check_settings:
            context_extensions:
              key1: value1
              key2: value2
              # ...
              keyN: valueN
```

Related Slack thread: https://envoyproxy.slack.com/archives/C03E6NHLESV/p1746457569011349
[optional Relevant Links:]
Any extra documentation required to understand the issue.