BackendTLSPolicy - Extend support for backends used by filters #4413

@rikatz

What would you like to be added:
BackendTLSPolicy to support any backend used by filters

Why this is needed:
As BackendTLSPolicy has graduated to standard, it is natural to have it being used as the semantics to define how a gateway should communicate with a Backend.

In some cases, the backend is not part of a backendRef, but instead it is part of a filter. For now we can talk about:

  • mirror filter
  • ext_auth filter

But future filters (like a rate limiting filter) may also need to define how the Gateway should communicate with them. It is important to note that the extended support here is just for the same case where BTLS is extended: for Services.

Other types of Backends remain implementation specific.

As an example, I want to change the combinatory definition of BackendTLSPolicy support with filters:

  • An implementation that claims to support ExtAuth feature and claims to support BackendTLSPolicy feature must support setting a BackendTLSPolicy pointing to the ext_auth filter service
  • An implementation that claims to support only the ExtAuth filter does not need to support BackendTLSPolicy if this feature is not supported
  • For newer filters that communicate with a backend of type Service, the combination of the claim of this filter feature + BTLS must support the Gateway communicating with this filter respecting BTLS

Who needs this:
Any user that relies on filters that communicate with an external Backend of type service.
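
As an added illustration that is not part of the original issue or of the Gateway API project: a small audit that lists Services reached through route filters (mirror, ext_auth) but not targeted by any BackendTLSPolicy in the same namespace. The manifests are constructed, and the field names (`requestMirror.backendRef`, `externalAuth.backendRef`, `spec.targetRefs`) are assumed to follow the Gateway API schemas.

```python
# Added example: constructed manifests; field names are assumed to match the Gateway API schemas.
FILTER_FIELDS = {"RequestMirror": "requestMirror", "ExternalAuth": "externalAuth"}

def filter_service_refs(route):
    """Yield (namespace, name, filter type) for each Service a route filter calls."""
    route_ns = route["metadata"].get("namespace", "default")
    for rule in route["spec"].get("rules", []):
        for flt in rule.get("filters", []):
            field = FILTER_FIELDS.get(flt.get("type"))
            ref = flt.get(field, {}).get("backendRef") if field else None
            # backendRef defaults: core group, kind Service, the route's own namespace
            if ref and ref.get("group", "") == "" and ref.get("kind", "Service") == "Service":
                yield ref.get("namespace", route_ns), ref["name"], flt["type"]

def covered_services(policies):
    """Return the set of (namespace, name) Services targeted by a BackendTLSPolicy."""
    covered = set()
    for pol in policies:
        ns = pol["metadata"].get("namespace", "default")  # targets live in the policy's namespace
        for target in pol["spec"].get("targetRefs", []):
            if target.get("group", "") == "" and target.get("kind") == "Service":
                covered.add((ns, target["name"]))
    return covered

def uncovered_filter_backends(routes, policies):
    """Filter backends of type Service that no BackendTLSPolicy describes."""
    covered = covered_services(policies)
    return sorted({(ns, name, ftype) for route in routes
                   for ns, name, ftype in filter_service_refs(route)
                   if (ns, name) not in covered})

# Constructed sample: one route with an ext_auth and a mirror filter, one policy.
ROUTES = [{"kind": "HTTPRoute", "metadata": {"name": "app", "namespace": "prod"},
           "spec": {"rules": [{"filters": [
               {"type": "ExternalAuth",
                "externalAuth": {"backendRef": {"name": "authz", "port": 9000}}},
               {"type": "RequestMirror",
                "requestMirror": {"backendRef": {"name": "shadow", "port": 8080}}},
               {"type": "RequestHeaderModifier", "requestHeaderModifier": {}}],
               "backendRefs": [{"name": "web", "port": 443}]}]}}]
POLICIES = [{"kind": "BackendTLSPolicy", "metadata": {"name": "authz-tls", "namespace": "prod"},
             "spec": {"targetRefs": [{"group": "", "kind": "Service", "name": "authz"}],
                      "validation": {"hostname": "authz.prod.svc", "caCertificateRefs": [
                          {"group": "", "kind": "ConfigMap", "name": "authz-ca"}]}}}]

if __name__ == "__main__":
    for ns, name, ftype in uncovered_filter_backends(ROUTES, POLICIES):
        print(f"{ns}/{name}: used by {ftype} filter, no BackendTLSPolicy targets it")
```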

Labels: kind/feature (Categorizes issue or PR as related to a new feature.)