Support matching route metadata in the HTTP RBAC filter

[henrymwang]

Title: Support matching on route metadata in the HTTP RBAC filter

Description:

We have two types of routes which exist on the same routing table and want to be able to apply RBAC rules based on the route metadata to allow for fine-grained RBAC based on route type, https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-route. Currently the RBAC filter only supports matching on dynamic metadata which is added by previous filters or based on headers and while we could rewrite route metadata to dynamic metadata by using the Lua filter, we would like to avoid coupling the two filters together.

This is similar to #13269, which adds support for deriving ratelimit descriptors in the ratelimit filter from route metadata.

The approach would be:

1. add another field to the RBAC Principal / Permission protobufs to specify fetching the request's dynamic metadata or from the route metadata

2. update the MetadataMatcher to use info.route()->metadata() instead if the metadata source is set to route,

   envoy/source/extensions/filters/common/rbac/matchers.cc

   Line 251 in d79f6e8

   return matcher_.match(info.dynamicMetadata());

We can prepare a patch for this if it sounds reasonable.

[optional Relevant Links:]

Any extra documentation required to understand the issue.

[mathetake]

relevant: #34092