feautre: support ext-authz by annotation

[zhangcly]

Ⅰ. Describe what this PR did

parse higress anno and transfer to envoyfilter(ext-authz and rbac http filter) .
test cases added.
the issue haven't been resloved yet.

Ⅱ. Does this pull request fix one issue?

#207

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews

[codecov-commenter]

Codecov Report

Merging #263 (e11ff89) into main (7fd3f43) will increase coverage by 0.63%.
The diff coverage is 50.54%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #263      +/-   ##
==========================================
+ Coverage   44.45%   45.08%   +0.63%     
==========================================
  Files          32       33       +1     
  Lines        5289     5647     +358     
==========================================
+ Hits         2351     2546     +195     
- Misses       2770     2911     +141     
- Partials      168      190      +22     

Impacted Files	Coverage Δ
pkg/ingress/kube/annotations/annotations.go	25.00% <0.00%> (-0.31%)	⬇️
pkg/ingress/config/ingress_config.go	26.11% <50.17%> (+8.25%)	⬆️
pkg/ingress/kube/annotations/authz.go	52.56% <52.56%> (ø)

... and 2 files with indirect coverage changes

[SpecialYang]

It is cool 👍🏻.

But I want to know how you control the route match order. Given one request /api/test, if we have two ingress, /api with prefix matching and /api/test with exact matching, how you control this request matching the right rbac and external authz policy because these resources have their own matching list.

[Xunzhuo]

But I want to know how you control the route match order. Given one request /api/test, if we have two ingress, /api with prefix matching and /api/test with exact matching, how you control this request matching the right rbac and external authz policy because these resources have their own matching list.

suggest refering to kubernetes-sigs/gateway-api#1855.

[SpecialYang]

Aha. Here I'm not addressing on the route order for route tables.
I mean how we control the matching order in the matching list of rbac. So we can found the right rbac policy for the target request.

[johnlanni]

It is cool 👍🏻.

But I want to know how you control the route match order. Given one request /api/test, if we have two ingress, /api with prefix matching and /api/test with exact matching, how you control this request matching the right rbac and external authz policy because these resources have their own matching list.

You are right, this design to implement ext-authz via ingress annotation was my mistake, it seems we need a CRD to do this.
And there is another option if it‘s still via ingress annotation: it can be extended based on envoy rbac permission matcher to achieve matching based on route name