Introduce a Backend SecurityPolicy

[aabchoo]

Description:

Describe the desired behavior, what scenario it enables and how it
would be used.

The envoy gateway SecurityPolicy is meant for traffic entering the gateway from a client. It would be helpful to have a new dedicated Backend SecurityPolicy for traffic exiting the gateway to a backend.

Add an API definition to hold settings for configuring authentication and authorization rules on the traffic exiting the gateway to a service/backend/provider.

Some use cases include:

• Setting the APIKey as part of the header when communicating with external backend
• Obtaining OIDC tokens and using that to auth with cloud providers

[optional Relevant Links:]

Any extra documentation required to understand the issue.

[zhaohuabing]

Will the proposedBackendSecurityPolicy include any other features beyond authentication? If not, BackendAuthenticationPolicy might be a more accurate name.

[aabchoo]

For the time being, authentication is the priority, so I'm fine with it being BackendAuthenticationPolicy

[zhaohuabing]

I'm +1 for this.

As the firt iteration, we can consider supporting generic credentials and the oauth2 client grant with the credential injector filter

[arkodg]

instead of adding another API, my vote is to incorporate the feature into the existing Backend API, since the persona defining the backend endpoint is the same as the persona defining the backend auth info

[zhaohuabing]

If multiple Backend resources share the same authentication config, an idenpent BackendAuthenticationPolicy may make sense. For example, the same AWS API key can be used to access multiple AWS services.