feat: support failOpen in ext auth (#2948)

* feat: support failOpen in ext auth

Signed-off-by: Dennis Zhou <idennis.zhou@gmail.com>

* fix test

Signed-off-by: Dennis Zhou <idennis.zhou@gmail.com>

---------

Signed-off-by: Dennis Zhou <idennis.zhou@gmail.com>

internal/gatewayapi/securitypolicy.go

@@ -854,6 +854,7 @@ func (t *Translator) buildExtAuth(
 	extAuth := &ir.ExtAuth{
 		Name:             name,
 		HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth,
+		FailOpen:         policy.Spec.ExtAuth.FailOpen,
 	}
 
 	if http != nil {

internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.in.yaml

@@ -63,3 +63,4 @@ securityPolicies:
           headersToBackend:
             - header1
             - header2
+        failOpen: false

internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml

@@ -103,6 +103,7 @@ securityPolicies:
     namespace: default
   spec:
     extAuth:
+      failOpen: false
       http:
         backendRef:
           name: http-backend

internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.in.yaml

@@ -62,3 +62,4 @@ securityPolicies:
           headersToBackend:
             - header1
             - header2
+        failOpen: false

internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml

@@ -103,6 +103,7 @@ securityPolicies:
     namespace: default
   spec:
     extAuth:
+      failOpen: false
       http:
         backendRef:
           name: http-backend

internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.in.yaml

@@ -63,3 +63,4 @@ securityPolicies:
           headersToBackend:
             - header1
             - header2
+        failOpen: false

internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml

@@ -103,6 +103,7 @@ securityPolicies:
     namespace: default
   spec:
     extAuth:
+      failOpen: false
       http:
         backendRef:
           name: http-backend

internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.in.yaml

@@ -54,3 +54,4 @@ securityPolicies:
           headersToBackend:
             - header1
             - header2
+        failOpen: false

internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml

@@ -103,6 +103,7 @@ securityPolicies:
     namespace: default
   spec:
     extAuth:
+      failOpen: false
       http:
         backendRef:
           name: http-backend

internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml

@@ -210,6 +210,7 @@ securityPolicies:
           headersToBackend:
             - header1
             - header2
+        failOpen: false
   - apiVersion: gateway.envoyproxy.io/v1alpha1
     kind: SecurityPolicy
     metadata:
@@ -229,3 +230,4 @@ securityPolicies:
           backendRef:
             name: grpc-backend
             port: 9000
+        failOpen: true

internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml

@@ -207,6 +207,7 @@ securityPolicies:
     namespace: default
   spec:
     extAuth:
+      failOpen: true
       grpc:
         backendRef:
           name: grpc-backend
@@ -242,6 +243,7 @@ securityPolicies:
     namespace: default
   spec:
     extAuth:
+      failOpen: false
       http:
         backendRef:
           name: http-backend
@@ -305,6 +307,7 @@ xdsIR:
             protocol: HTTP
             weight: 1
         extAuth:
+          failOpen: true
           grpc:
             authority: grpc-backend.default:9000
             destination:
@@ -345,6 +348,7 @@ xdsIR:
             protocol: HTTP
             weight: 1
         extAuth:
+          failOpen: false
           http:
             authority: http-backend.envoy-gateway:80
             destination:

internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml

@@ -150,6 +150,7 @@ securityPolicies:
           headersToBackend:
             - header1
             - header2
+        failOpen: false
   - apiVersion: gateway.envoyproxy.io/v1alpha1
     kind: SecurityPolicy
     metadata:
@@ -169,3 +170,4 @@ securityPolicies:
           backendRef:
             name: grpc-backend
             port: 9000
+        failOpen: true

internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml

@@ -147,6 +147,7 @@ securityPolicies:
     namespace: default
   spec:
     extAuth:
+      failOpen: true
       grpc:
         backendRef:
           name: grpc-backend
@@ -182,6 +183,7 @@ securityPolicies:
     namespace: default
   spec:
     extAuth:
+      failOpen: false
       http:
         backendRef:
           name: http-backend
@@ -245,6 +247,7 @@ xdsIR:
             protocol: HTTP
             weight: 1
         extAuth:
+          failOpen: true
           grpc:
             authority: grpc-backend.default:9000
             destination:
@@ -280,6 +283,7 @@ xdsIR:
             protocol: HTTP
             weight: 1
         extAuth:
+          failOpen: true
           grpc:
             authority: grpc-backend.default:9000
             destination:
@@ -315,6 +319,7 @@ xdsIR:
             protocol: HTTP
             weight: 1
         extAuth:
+          failOpen: false
           http:
             authority: http-backend.envoy-gateway:80
             destination:

internal/ir/xds.go

@@ -599,6 +599,14 @@ type ExtAuth struct {
 	// in HeadersToExtAuth or not.
 	// +optional
 	HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
+
+	// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
+	// If FailOpen is set to true, the system allows the traffic to pass through.
+	// Otherwise, if it is set to false or not set (defaulting to false),
+	// the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
+	// This setting determines whether to prioritize accessibility over strict security in case of authorization service failure.
+	// +optional
+	FailOpen *bool `json:"failOpen,omitempty"`
 }
 
 // HTTPExtAuthService defines the HTTP External Authorization service

internal/xds/translator/extauth.go

@@ -102,7 +102,10 @@ func extAuthFilterName(extAuth *ir.ExtAuth) string {
 func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
 	config := &extauthv3.ExtAuthz{
 		TransportApiVersion: corev3.ApiVersion_V3,
-		FailureModeAllow:    false,
+	}
+
+	if extAuth.FailOpen != nil {
+		config.FailureModeAllow = *extAuth.FailOpen
 	}
 
 	var headersToExtAuth []*matcherv3.StringMatcher

internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml

@@ -35,6 +35,7 @@ http:
               port: 80
             protocol: HTTP
             weight: 1
+      failOpen: false
   - name: httproute/default/httproute-1/rule/1/match/0/www_example_com
     hostname: "*"
     pathMatch:
@@ -62,6 +63,7 @@ http:
               port: 80
             protocol: HTTP
             weight: 1
+      failOpen: false
   - name: httproute/default/httproute-2/rule/0/match/0/www_example_com
     hostname: "*"
     pathMatch:
@@ -88,3 +90,4 @@ http:
       headersToExtAuth:
       - header1
       - header2
+      failOpen: true

internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml

@@ -37,6 +37,7 @@
               patterns:
               - exact: header1
               - exact: header2
+            failureModeAllow: true
             grpcService:
               envoyGrpc:
                 authority: grpc-backend.default:9000