Enable GeoIP filter for telemetry access logs #8743

@avthart

Description:

Use case:
Logging GeoIP data (country, city, asn) in access logs for all requests for analytics, dashboards, and security visibility, without wanting to block any traffic based on geo data.

Currently the envoy.filters.http.geoip filter is only inserted into the HCM filter chain when a SecurityPolicy with clientIPGeoLocations authorization rules is configured.

We would like to have GeoIP enrichment purely for observability/telemetry (access logs) without having to configure a SecurityPolicy with authorization rules.

Example:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: eg
  namespace: envoy-gateway-system
spec:
  geoIP:
    provider:
      maxMind:
        asnDbSource:
          local:
            path: /etc/maxmind/GeoLite2-ASN.mmdb
        cityDbSource:
          local:
            path: /etc/maxmind/GeoLite2-City.mmdb
        countryDbSource:
          local:
            path: /etc/maxmind/GeoLite2-Country.mmdb
      type: MaxMind
  telemetry:
    geoip:
      enabled: true           # insert filter regardless of SecurityPolicy

When enabled, the filter would be inserted into all HTTP listener filter chains owned by the EnvoyProxy, and metadata keys would be populated and available for access logs.

If there's another way to do this, please let me know.
