Technically, the integration happens the same way as with Envoy itself by making use of the External Authorization filter, and can be done in two ways:
In both cases, the filter calls an external gRPC or HTTP service (here heimdall) to check whether an incoming HTTP request is authorized or not. If heimdall responses with 2xx
the request is forwarded to the upstream service, otherwise the response from heimdall is returned to the caller.
| As of today, there is a limitation in the implementation of the Envoy Gateway - it does not allow cross-namespace reference of external auth services (see also envoyproxy/gateway#3322). That means, the HTTPRoute , the Gateway resource and heimdall must be deployed in the same namespace. |