api: support failOpen in ext auth

api/v1alpha1/ext_auth_types.go

@@ -40,6 +40,16 @@ type ExtAuth struct {
 	// in HeadersToExtAuth or not.
 	// +optional
 	HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
+
+	// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
+	// If FailOpen is set to true, the system allows the traffic to pass through.
+	// Otherwise, if it is set to false or not set (defaulting to false),
+	// the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
+	// This setting determines whether to prioritize accessibility over strict security in case of authorization service failure.
+	//
+	// +optional
+	// +kubebuilder:default=false
+	FailOpen *bool `json:"failOpen,omitempty"`
 }
 
 // GRPCExtAuthService defines the gRPC External Authorization service

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -154,6 +154,17 @@ spec:
               extAuth:
                 description: ExtAuth defines the configuration for External Authorization.
                 properties:
+                  failOpen:
+                    default: false
+                    description: FailOpen is a switch used to control the behavior
+                      when a response from the External Authorization service cannot
+                      be obtained. If FailOpen is set to true, the system allows the
+                      traffic to pass through. Otherwise, if it is set to false or
+                      not set (defaulting to false), the system blocks the traffic
+                      and returns a HTTP 5xx error, reflecting a fail-closed approach.
+                      This setting determines whether to prioritize accessibility
+                      over strict security in case of authorization service failure.
+                    type: boolean
                   grpc:
                     description: GRPC defines the gRPC External Authorization service.
                       Either GRPCService or HTTPService must be specified, and only

site/content/en/latest/api/extension_types.md

@@ -910,6 +910,7 @@ _Appears in:_
 | `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ |  true  | GRPC defines the gRPC External Authorization service. Either GRPCService or HTTPService must be specified, and only one of them can be provided. |
 | `http` | _[HTTPExtAuthService](#httpextauthservice)_ |  true  | HTTP defines the HTTP External Authorization service. Either GRPCService or HTTPService must be specified, and only one of them can be provided. |
 | `headersToExtAuth` | _string array_ |  false  | HeadersToExtAuth defines the client request headers that will be included in the request to the external authorization service. Note: If not specified, the default behavior for gRPC and HTTP external authorization services is different due to backward compatibility reasons. All headers will be included in the check request to a gRPC authorization server. Only the following headers will be included in the check request to an HTTP authorization server: Host, Method, Path, Content-Length, and Authorization. And these headers will always be included to the check request to an HTTP authorization server by default, no matter whether they are specified in HeadersToExtAuth or not. |
+| `failOpen` | _boolean_ |  false  | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. If FailOpen is set to true, the system allows the traffic to pass through. Otherwise, if it is set to false or not set (defaulting to false), the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach. This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. |
 
 
 #### ExtensionAPISettings