Add filterContext field to Lua type in EnvoyExtensionPolicy

[norman-zon]

What

Add a filterContext field (type map[string]string) to the Lua type in EnvoyExtensionPolicySpec, so that per-route context values can be passed to a shared Lua script via request_handle:filterContext().

Why

Envoy's Lua HTTP filter already supports this via LuaPerRoute.filter_context and the Lua stream handle API filterContext(). However, Envoy Gateway's EnvoyExtensionPolicy CRD currently only exposes type (Inline/ValueRef), inline, and valueRef — there is no way to populate filter_context in the generated LuaPerRoute xDS config.

This means a single reusable Lua script cannot be parameterized per route. Users are forced to either:

• Duplicate the entire Lua script inline for each route with different hardcoded values, or
• Resort to EnvoyPatchPolicy to manually patch the generated xDS RouteConfiguration, which is fragile and requires enableEnvoyPatchPolicy: true.

Use case

Multiple apps share a Lua script (stored in a ConfigMap) that reads a token from a configurable source and sets it as a request header. The script uses filterContext() to determine where to read the token from:

function envoy_on_request(request_handle)
  local ctx = request_handle:filterContext()
  local token = request_handle:headers():get(ctx["token_header"])
  if token and token ~= "" then
    request_handle:headers():replace("authorization", "Bearer " .. token)
  end
end

Desired EnvoyExtensionPolicy usage

Route A — reads token from x-api-key:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
  name: route-a-auth
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-a
  lua:
  - type: ValueRef
    valueRef:
      kind: ConfigMap
      name: shared-auth-lua
    filterContext:                # <-- NEW FIELD
      token_header: x-api-key

Route B — reads token from x-session-token, same script:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
  name: route-b-auth
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-b
  lua:
  - type: ValueRef
    valueRef:
      kind: ConfigMap
      name: shared-auth-lua    # same ConfigMap
    filterContext:               # different values
      token_header: x-session-token

Proposed API change

Add an optional filterContext field to the Lua struct:

type Lua struct {
    Type      LuaValueType                   `json:"type"`
    Inline    *string                        `json:"inline,omitempty"`
    ValueRef  *gwapiv1.LocalObjectReference  `json:"valueRef,omitempty"`

    // FilterContext is a map of key-value pairs made available to the Lua script
    // via request_handle:filterContext(). This allows a shared script to be
    // parameterized differently per EnvoyExtensionPolicy/route.
    // +optional
    FilterContext map[string]string `json:"filterContext,omitempty"`  // <-- NEW
}

Translation to xDS

Envoy Gateway should populate LuaPerRoute.filter_context with these values:

{
  "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute",
  "name": "default.lua",
  "filter_context": {
    "token_header": "x-api-key"
  }
}

No new Envoy features required — just exposing an existing LuaPerRoute field.

Workarounds today

1. Inline duplication — Copy the entire script inline into each EnvoyExtensionPolicy with hardcoded values. Works but defeats the purpose of ValueRef/ConfigMap reuse.
2. EnvoyPatchPolicy — Manually patch the generated xDS to inject typed_per_filter_config with LuaPerRoute including filter_context. Fragile and requires enableEnvoyPatchPolicy: true.