htuch
+1, any existing behavior should just move under runtime guard, no semantic changes in this PR.
I think my take remains that we should add the WatchedDirectory inside of DataSource, and document that you need to see the parent site to understand if it is available...
Yeah, seems so from that code and looking at `on_demand_integration_test.cc`, I don't see any POST tests, so I would consider this unsupported.
CC @envoyproxy/security-team
@kyessenov ack. Presumably Wasm could also work here at the expense of a heavier weight everything.
> When ExtAuthz service returns 5XX response, next lua filter cannot access the headers set by ExtAuthz service. Is the request rejected at this point? If so, the filter after...
Reading https://github.com/envoyproxy/envoy/blob/741da8ba26daf0dac5d3e7f02055a494d54a74f0/source/extensions/filters/http/ext_authz/ext_authz.cc#L448, this just takes the `failure_mode_allowed` logic and doesn't apply any headers (as done above in https://github.com/envoyproxy/envoy/blob/741da8ba26daf0dac5d3e7f02055a494d54a74f0/source/extensions/filters/http/ext_authz/ext_authz.cc#L290), which makes sense given 5xx semantics. One option might be to enhance...
Yeah, preference is this is outside of ext_proc and part of the match model.
I think @kyessenov is suggesting we just have the coin flip in the matcher, which will be more generic, as there are other legit use cases for sampling.
I agree on the positives. The main challenge in core code is that it is a very common pattern to use exceptions during config ingestion for validation. There is no...