After enabling ext_authz filters per service Envoy settings, DB traffic fails

I enabled ext_authz now in the default pipeline, but it seems it also affects the connection to the database. When I add ext_authz filters to the default override it applies to all services, no surprise really, as I guess that's what it's meant to do. But I need to be able to apply this to the services that need it. How can this be achieved in Consul?

Hey, @dagtveit is there something you require more than Service level intentions to define service to service authorization policy?

Service Mesh Intentions | Consul by HashiCorp

If you could explain a little what you would like to achieve from manually using ext_authz, I might be able to help you find a better solution than using the Envoy escape hatches and having to manually write envoy config.

I want to use OPA sidecars to check different policy-level stuff, a very common use case. Though enabling it the way I did, it tries to do it on all or nothing.

Kuma, as an example, has a selector:

---
apiVersion: kuma.io/v1alpha1
kind: ProxyTemplate
mesh: default
metadata:
  name: opa-ext-authz-filter
spec:
  selectors:
    - match:
        kuma.io/service: '*'
  conf:
    imports:
      - default-proxy
    modifications:
      - httpFilter:
          operation: addBefore
          match:
            name: envoy.filters.http.router
            origin: inbound
          value: |
            name: envoy.filters.http.header_to_metadata
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config
              request_rules:
              - header: x-opa-authz
                on_header_missing:
                  key: 'policy_type'
                  value: 'ingress'
      - httpFilter:
          operation: addBefore
          match:
            name: envoy.filters.http.router
            origin: inbound
          value: |
            name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              metadata_context_namespaces:
              - envoy.filters.http.header_to_metadata
              transport_api_version: V3
              with_request_body:
                max_request_bytes: 8192
                allow_partial_message: true
              failure_mode_allow: false
              grpc_service:
                google_grpc:
                  target_uri: 127.0.0.1:9191
                  stat_prefix: ext_authz
                timeout: 0.5s
      - httpFilter:
          operation: addBefore
          match:
            name: envoy.filters.http.router
            origin: outbound
          value: |
            name: envoy.filters.http.header_to_metadata
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config
              request_rules:
              - header: x-opa-authz
                on_header_missing:
                  key: 'policy_type'
                  value: 'egress'
      - httpFilter:
          operation: addBefore
          match:
            name: envoy.filters.http.router
            origin: outbound
          value: |
            name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              metadata_context_namespaces:
              - envoy.filters.http.header_to_metadata
              transport_api_version: V3
              with_request_body:
                max_request_bytes: 8192
                allow_partial_message: true
              failure_mode_allow: false
              grpc_service:
                google_grpc:
                  target_uri: 127.0.0.1:9191
                  stat_prefix: ext_authz
                timeout: 0.5s

Not sure if I replied correctly, but read under/over.
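Added example, not from this thread or from HashiCorp: a per-service way to attach the same OPA check in Consul, as an alternative to putting the Envoy override in proxy-defaults where it hits every sidecar (including the database connection). It assumes Consul 1.16 or later, which ships the builtin/ext-authz Envoy extension, and the service names "web" and "opa" are hypothetical. Field names under Config mirror the Envoy ext_authz options used in the Kuma template above.

```hcl
# Assumed: Consul 1.16+ with the builtin/ext-authz extension.
# The config entry is scoped to one service, so only the "web" sidecar
# gets the ext_authz filter; TCP services such as the database are untouched.
Kind     = "service-defaults"
Name     = "web"      # hypothetical HTTP service that needs the OPA check
Protocol = "http"     # ext_authz is an HTTP filter, so the service must be http

EnvoyExtensions = [
  {
    Name = "builtin/ext-authz"
    Arguments = {
      ProxyType = "connect-proxy"   # apply to the sidecar, not to gateways
      Config = {
        # OPA (opa-envoy plugin) registered in the mesh as service "opa" (hypothetical).
        # Consul checks intentions for this target, so an intention allowing
        # web -> opa is still required.
        GrpcService = {
          Target = {
            Service = {
              Name = "opa"
            }
          }
          Timeout = "0.5s"            # same budget as the Kuma example above
        }
        # Forward (part of) the request body to OPA, as in the Kuma template.
        WithRequestBody = {
          MaxRequestBytes     = 8192
          AllowPartialMessage = true
        }
      }
    }
  }
]
```

Apply it with `consul config write web-service-defaults.hcl`; the proxy-defaults override from the question can then be removed so unrelated services keep their plain listeners.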