ext_authz is called before host redirect is performed

[LanceEa]

Summary

In Envoy 1.20+ the ext_authz behavior changed so Envoy makes ext_authz calls on all request (redirect, route, direct response) unless overridden on a per Route basis. In Emissary-ingress v3.Y, when an AuthService is applied this behavior change caused Envoy to call the AuthService before performing the host_redirect. This issue is related to the #4620 which the same behavior change caused https_redirect to not work properly.

When using a Mapping and you set the host_redirect: true field the the following Envoy configuration is produced:

{
  "match": {
    "case_sensitive": true,
    "headers": [
      {
        "exact_match": "https",
        "name": "x-forwarded-proto"
      }
    ],
    "prefix": "/backend/",
  },
  "redirect": {
    "host_redirect": "quote.default",
    "path_redirect": "/bob/"
  }
}

In previous versions of Emissary-ingress the redirect caused Envoy to skip the ext_authz call but that is no longer the default behavior.

Proposed Solution

We need to implement the same solution we did for https_redirect so that we override this behavior on a per-route basis to restore the behavior that existing prior to Emissary-ingress v3.Y.

Here is a sample of what the fixed configuration should look like:

{
  "match": {
    "case_sensitive": true,
    "headers": [
      {
        "exact_match": "https",
        "name": "x-forwarded-proto"
      }
    ],
    "prefix": "/backend/"
  },
  "redirect": {
    "host_redirect": "quote.default",
    "path_redirect": "/bob/"
  },
  "typed_per_filter_config": {
    "envoy.filters.http.ext_authz": {
      "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute",
      "disabled": true
    }
  }
}

[LanceEa]

Closed by #4641