From 678fd2e507acfcd6ac54560212eb300afd0332b6 Mon Sep 17 00:00:00 2001
From: "update-envoy[bot]"
 <135279899+update-envoy[bot]@users.noreply.github.com>
Date: Mon, 18 Sep 2023 16:10:00 +0000
Subject: [PATCH] ext_authz: make the ext_authz filter a dual filter (#29173)

This is a revival of #25535 with changes for previous review comments.

Risk level: low
Testing: integration tested
Docs changes: n/a
Release notes: makes the ext_authz filter a dual filter.

See also: #23071 (model), #10455

Signed-off-by: Eugene Chan <eugenechan@google.com>
Signed-off-by: pianiststickman <34144687+pianiststickman@users.noreply.github.com>
Co-authored-by: Greg Greenway <ggreenway@apple.com>

Mirrored from https://github.com/envoyproxy/envoy @ 9918a0a06deaf0cb3c935566523ab3fdd7a2bab1
---
 envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
index cd2d1f6f..b090b54b 100644
--- a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
+++ b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
@@ -78,6 +78,7 @@ message ExtAuthz {
   // 3. At least one ``authorization response header`` is added to the client request, or is used for
   // altering another client request header.
   //
+  // It is an error to set this field when the filter is configured on an upstream filter chain.
   bool clear_route_cache = 6;
 
   // Sets the HTTP status that is returned to the client when the authorization server returns an error
@@ -135,6 +136,8 @@ message ExtAuthz {
   //
   // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
   // :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
+  //
+  // It is an error to set this field when the filter is configured on an upstream filter chain.
   bool include_peer_certificate = 10;
 
   // Optional additional prefix to use when emitting statistics. This allows to distinguish
@@ -184,6 +187,8 @@ message ExtAuthz {
   //
   // When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the
   // :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
+  //
+  // It is an error to set this field when the filter is configured on an upstream filter chain.
   bool include_tls_session = 18;
 }