My colleagues want to place certain services behind a custom authorization solution (validate Firebase tokens and AppArmor stuff), and forward approved requests to downstream microservices.
Unfortunately it doesn't seem like Gateway API / DataplaneV2 has any functionality in place for reverse-proxy authentication (apart from Identity Aware Proxy, which we already use). We migrated to this setup from Istio, where one could use `AuthorizationPolicy` (URL removed by Staff). The advantage of Istio's approach is that each downstream microservice can be exposed to the internet with its own URL address, the `AuthorizationPolicy` enforces auth, and traffic eventually gets routed to the destination pods.
With Gateway API / DataplaneV2 there doesn't seem to be an equivalent pattern, and it looks like we will have to build our own proxy, expose this proxy to the internet, and apply our own logic for how requests find their destination pods.
Another alternative would be to put sidecar proxies on the microservices, and use these for authentication against our custom auth service, but I was hoping to avoid sidecars (this was why we dropped Istio in the first place).
Are there any straightforward ways to implement custom auth flows without resorting to sidecar proxies in GKE when using DataplaneV2 and Gateway API?
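The "build our own proxy" option described in the post, as an added example that is not part of the original post and not code from any Google or Istio project: a small Go authenticating reverse proxy that sits behind the Gateway, rejects requests without a valid bearer token, and forwards approved requests to the backend selected by the public hostname (one hostname per microservice, mirroring the Istio layout). It uses only the standard library (`net/http`, `net/http/httputil`). The `demoVerifier` and its token table are constructed stand-ins; a real deployment would verify the Firebase ID token with the Firebase Admin SDK in that function. The backend address in `main` is a placeholder. Two defensive details worth noting: the end-user token is stripped before forwarding so downstream services never see it, and any client-supplied copy of the identity header is dropped before the proxy sets its own, so a caller cannot spoof an authenticated subject.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Verifier checks a bearer token and returns the authenticated subject.
// In production this would wrap Firebase's VerifyIDToken; demoVerifier
// below is a constructed stand-in for the example only.
type Verifier func(token string) (subject string, ok bool)

// identityHeader carries the verified subject to the downstream service.
// The proxy always overwrites it, so clients cannot inject their own value.
const identityHeader = "X-Authenticated-Subject"

// AuthProxy authenticates requests and forwards approved ones to the
// backend registered for the request's Host (one public hostname per service).
type AuthProxy struct {
	verify Verifier
	routes map[string]*httputil.ReverseProxy // public host -> backend proxy
}

// NewAuthProxy builds the proxy from a host -> backend URL map.
func NewAuthProxy(verify Verifier, backends map[string]string) (*AuthProxy, error) {
	p := &AuthProxy{verify: verify, routes: map[string]*httputil.ReverseProxy{}}
	for host, raw := range backends {
		target, err := url.Parse(raw)
		if err != nil {
			return nil, fmt.Errorf("backend for %s: %w", host, err)
		}
		p.routes[host] = httputil.NewSingleHostReverseProxy(target)
	}
	return p, nil
}

// bearerToken extracts the token from "Authorization: Bearer <token>".
func bearerToken(r *http.Request) (string, bool) {
	h := r.Header.Get("Authorization")
	const prefix = "Bearer "
	if len(h) <= len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return "", false
	}
	return strings.TrimSpace(h[len(prefix):]), true
}

func (p *AuthProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Authenticate first so unauthenticated clients learn nothing about routing.
	token, ok := bearerToken(r)
	if !ok {
		w.Header().Set("WWW-Authenticate", `Bearer realm="auth-proxy"`)
		http.Error(w, "missing bearer token", http.StatusUnauthorized)
		return
	}
	subject, ok := p.verify(token)
	if !ok {
		http.Error(w, "invalid token", http.StatusUnauthorized)
		return
	}
	host := r.Host
	if i := strings.IndexByte(host, ':'); i >= 0 {
		host = host[:i] // drop any port from the Host header
	}
	backend, ok := p.routes[host]
	if !ok {
		http.Error(w, "unknown host", http.StatusNotFound)
		return
	}
	// Never forward the end-user token or a client-supplied identity header.
	r.Header.Del("Authorization")
	r.Header.Del(identityHeader)
	r.Header.Set(identityHeader, subject)
	backend.ServeHTTP(w, r)
}

// demoVerifier is a constructed token table standing in for Firebase verification.
func demoVerifier(token string) (string, bool) {
	subject, ok := map[string]string{"demo-token-alice": "alice"}[token]
	return subject, ok
}

func main() {
	p, err := NewAuthProxy(demoVerifier, map[string]string{
		// Placeholder backend address; a real deployment would use the service's in-cluster DNS name.
		"api.example.com": "http://orders-svc.default.svc.cluster.local:8080",
	})
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", p))
}
```

Routing here is by Host only; a path-prefix match on `r.URL.Path` can be added in the same lookup if several services share a hostname. Because the proxy is the only thing the Gateway exposes, the downstream services should accept traffic only from it (for example via a NetworkPolicy), otherwise the identity header is trustworthy only on the proxy's own path.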