unionai · mhotan · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026 · Mar 20, 2026
diff --git a/charts/controlplane/dashboards/union-controlplane-overview.json b/charts/controlplane/dashboards/union-controlplane-overview.json
@@ -2784,6 +2784,269 @@
             }
           ],
           "description": "Percentage of authorization decisions that denied access. Spikes indicate policy changes or auth issues. [Metrics pending: requires cloud service instrumentation to be deployed]"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "fieldConfig": {
+            "defaults": {
+              "color": {
+                "mode": "thresholds"
+              },
+              "thresholds": {
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  }
+                ]
+              },
+              "mappings": [
+                {
+                  "type": "value",
+                  "options": {
+                    "noop": { "text": "Noop", "index": 0 },
+                    "userclouds": { "text": "UserClouds", "index": 1 },
+                    "external": { "text": "External", "index": 2 },
+                    "authorizer": { "text": "Authorizer", "index": 3 }
+                  }
+                }
+              ]
+            }
+          },
+          "gridPos": {
+            "h": 8,
+            "w": 4,
+            "x": 0,
+            "y": 23
+          },
+          "id": 760,
+          "options": {
+            "colorMode": "background",
+            "graphMode": "none",
+            "reduceOptions": {
+              "calcs": [
+                "lastNotNull"
+              ],
+              "fields": "/^type$/"
+            },
+            "textMode": "value"
+          },
+          "title": "Authorizer Mode",
+          "type": "stat",
+          "targets": [
+            {
+              "expr": "authorizer:cloudauthorizer:authz_type_info{namespace=\"$namespace\"} == 1",
+              "legendFormat": "{{ type }}",
+              "refId": "A"
+            }
+          ],
+          "description": "Currently active authorizer backend type (Noop, UserClouds, External, Authorizer)."
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "fieldConfig": {
+            "defaults": {
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "drawStyle": "line",
+                "fillOpacity": 10,
+                "lineWidth": 1,
+                "showPoints": "never"
+              },
+              "unit": "ms"
+            }
+          },
+          "gridPos": {
+            "h": 8,
+            "w": 8,
+            "x": 4,
+            "y": 23
+          },
+          "id": 761,
+          "title": "External Backend Latency",
+          "type": "timeseries",
+          "targets": [
+            {
+              "expr": "histogram_quantile(0.50, sum by (le) (rate(authorizer:cloudauthorizer:external:authorize_duration_bucket{namespace=\"$namespace\"}[$__rate_interval])))",
+              "legendFormat": "p50",
+              "refId": "A"
+            },
+            {
+              "expr": "histogram_quantile(0.95, sum by (le) (rate(authorizer:cloudauthorizer:external:authorize_duration_bucket{namespace=\"$namespace\"}[$__rate_interval])))",
+              "legendFormat": "p95",
+              "refId": "B"
+            },
+            {
+              "expr": "histogram_quantile(0.99, sum by (le) (rate(authorizer:cloudauthorizer:external:authorize_duration_bucket{namespace=\"$namespace\"}[$__rate_interval])))",
+              "legendFormat": "p99",
+              "refId": "C"
+            }
+          ],
+          "description": "Latency of calls to the external authorization backend (p50/p95/p99)."
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "fieldConfig": {
+            "defaults": {
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "drawStyle": "line",
+                "fillOpacity": 10,
+                "lineWidth": 1,
+                "showPoints": "never"
+              },
+              "unit": "ops"
+            }
+          },
+          "gridPos": {
+            "h": 8,
+            "w": 6,
+            "x": 12,
+            "y": 23
+          },
+          "id": 762,
+          "title": "External Errors by gRPC Code",
+          "type": "timeseries",
+          "targets": [
+            {
+              "expr": "sum by (grpc_code) (rate(authorizer:cloudauthorizer:external:errors{namespace=\"$namespace\"}[$__rate_interval]))",
+              "legendFormat": "{{ grpc_code }}",
+              "refId": "A"
+            }
+          ],
+          "description": "Error rate from the external authorization backend, broken down by gRPC status code."
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "fieldConfig": {
+            "defaults": {
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "drawStyle": "line",
+                "fillOpacity": 10,
+                "lineWidth": 1,
+                "showPoints": "never"
+              },
+              "unit": "ops"
+            }
+          },
+          "gridPos": {
+            "h": 8,
+            "w": 6,
+            "x": 18,
+            "y": 23
+          },
+          "id": 763,
+          "title": "Fail-Open Activations",
+          "type": "timeseries",
+          "targets": [
+            {
+              "expr": "rate(authorizer:cloudauthorizer:external:fail_open_activated{namespace=\"$namespace\"}[$__rate_interval])",
+              "legendFormat": "Fail-Open",
+              "refId": "A"
+            }
+          ],
+          "description": "Rate of fail-open activations. Non-zero means the external backend is unreachable and requests are being allowed without authorization."
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "fieldConfig": {
+            "defaults": {
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "drawStyle": "line",
+                "fillOpacity": 10,
+                "lineWidth": 1,
+                "showPoints": "never",
+                "stacking": {
+                  "mode": "normal"
+                }
+              },
+              "unit": "ops"
+            }
+          },
+          "gridPos": {
+            "h": 8,
+            "w": 12,
+            "x": 0,
+            "y": 31
+          },
+          "id": 764,
+          "title": "Decisions by Action",
+          "type": "timeseries",
+          "targets": [
+            {
+              "expr": "sum by (action) (rate(authorizer:cloudauthorizer:authz_allowed{namespace=\"$namespace\"}[$__rate_interval]))",
+              "legendFormat": "allowed: {{ action }}",
+              "refId": "A"
+            },
+            {
+              "expr": "sum by (action) (rate(authorizer:cloudauthorizer:authz_denied{namespace=\"$namespace\"}[$__rate_interval]))",
+              "legendFormat": "denied: {{ action }}",
+              "refId": "B"
+            }
+          ],
+          "description": "Authorization decisions broken down by action (e.g. read, write, execute). Stacked to show total volume."
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "fieldConfig": {
+            "defaults": {
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "drawStyle": "line",
+                "fillOpacity": 10,
+                "lineWidth": 1,
+                "showPoints": "never"
+              },
+              "unit": "ops"
+            }
+          },
+          "gridPos": {
+            "h": 8,
+            "w": 12,
+            "x": 12,
+            "y": 31
+          },
+          "id": 765,
+          "title": "Error Attribution",
+          "type": "timeseries",
+          "targets": [
+            {
+              "expr": "sum by (error_source) (rate(authorizer:cloudauthorizer:authorize_errors_total{namespace=\"$namespace\"}[$__rate_interval]))",
+              "legendFormat": "{{ error_source }}",
+              "refId": "A"
+            }
+          ],
+          "description": "Authorization errors attributed by source (e.g. identity resolution, backend, policy evaluation)."
         }
       ]
     },

diff --git a/charts/controlplane/templates/_helpers.tpl b/charts/controlplane/templates/_helpers.tpl
@@ -361,16 +361,6 @@ IfNotPresent
 {{- end }}
 
 {{- $merged := (include "unionai.deepMerge" (dict "dest" $global "source" $svc) | fromYaml) }}
-{{- /* When AUTHZ_TYPE is not "union", fall back to Noop authorizer. */}}
-{{- /* Note: union.auth (service-to-service OAuth2 token acquisition) is intentionally NOT */}}
-{{- /* disabled here. It controls whether services attach bearer tokens when calling other */}}
-{{- /* services through nginx, which is needed in any deployment with auth enabled — */}}
-{{- /* regardless of whether Union's RBAC authorizer is active. */}}
-{{- if ne .Values.global.AUTHZ_TYPE "union" }}
-  {{- if hasKey $merged "authorizer" }}
-    {{- $_ := set $merged "authorizer" (dict "type" "Noop") }}
-  {{- end }}
-{{- end }}
 {{- $rendered := tpl ($merged | toYaml) . }}
 {{- $rendered }}
 {{- end }}

diff --git a/charts/controlplane/templates/authz/configmap.yaml b/charts/controlplane/templates/authz/configmap.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.global.AUTHZ_TYPE "union" -}}
+{{- if eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds" -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:

diff --git a/charts/controlplane/templates/authz/deployment.yaml b/charts/controlplane/templates/authz/deployment.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.global.AUTHZ_TYPE "union" -}}
+{{- if eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds" -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

diff --git a/charts/controlplane/templates/authz/hpa.yaml b/charts/controlplane/templates/authz/hpa.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.global.AUTHZ_TYPE "union") .Values.union.authz.autoscaling.enabled }}
+{{- if and (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") .Values.union.authz.autoscaling.enabled }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:

diff --git a/charts/controlplane/templates/authz/networkpolicy.yaml b/charts/controlplane/templates/authz/networkpolicy.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.global.AUTHZ_TYPE "union") .Values.union.authz.networkPolicy.enabled }}
+{{- if and (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") .Values.union.authz.networkPolicy.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

diff --git a/charts/controlplane/templates/authz/pdb.yaml b/charts/controlplane/templates/authz/pdb.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.global.AUTHZ_TYPE "union") .Values.union.authz.pdb.enabled }}
+{{- if and (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") .Values.union.authz.pdb.enabled }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:

diff --git a/charts/controlplane/templates/authz/rbac.yaml b/charts/controlplane/templates/authz/rbac.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.global.AUTHZ_TYPE "union") .Values.union.authz.serviceAccount.create -}}
+{{- if and (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") .Values.union.authz.serviceAccount.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

diff --git a/charts/controlplane/templates/authz/service.yaml b/charts/controlplane/templates/authz/service.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.global.AUTHZ_TYPE "union" -}}
+{{- if eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds" -}}
 apiVersion: v1
 kind: Service
 metadata:

diff --git a/charts/controlplane/templates/authz/serviceaccount.yaml b/charts/controlplane/templates/authz/serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.global.AUTHZ_TYPE "union") .Values.union.authz.serviceAccount.create -}}
+{{- if and (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") .Values.union.authz.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:

diff --git a/charts/controlplane/templates/monitoring/prometheusrule.yaml b/charts/controlplane/templates/monitoring/prometheusrule.yaml
@@ -45,6 +45,12 @@ spec:
           expr: |
             sum(rate(nginx_ingress_controller_request_duration_seconds_count{namespace="{{ .Release.Namespace }}", status=~"5.."}[5m]))
 
+        - record: union:cp:authz:external_error_rate
+          expr: |
+            sum(rate(authorizer:cloudauthorizer:external:errors{namespace="{{ .Release.Namespace }}"}[5m]))
+            /
+            (sum(rate(authorizer:cloudauthorizer:external:authorize_duration_count{namespace="{{ .Release.Namespace }}"}[5m])) > 0 or vector(1))
+
     {{- if .Values.monitoring.alerting.enabled }}
     # --- Operational alerts (opt-in) ---
     # Basic health checks only. For SLO-based alerts, see monitoring.slos.
@@ -81,6 +87,40 @@ spec:
             severity: critical
           annotations:
             summary: "Handler panic detected in CP service"
+
+        - alert: UnionCPAuthorizerExternalErrors
+          expr: |
+            sum(rate(authorizer:cloudauthorizer:external:errors{namespace="{{ .Release.Namespace }}"}[5m])) > 0.1
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: "External authorization backend returning errors"
+            description: "The external authz backend is returning errors at >0.1/s for 5+ minutes. Check external backend health."
+
+        - alert: UnionCPAuthorizerFailOpenActive
+          expr: |
+            sum(rate(authorizer:cloudauthorizer:external:fail_open_activated{namespace="{{ .Release.Namespace }}"}[5m])) > 0
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: "Authorizer fail-open mode is actively bypassing authorization"
+            description: "The external authz backend is unreachable and fail-open is allowing requests without authorization checks."
+
+        - alert: UnionCPAuthorizerHighDenyRate
+          expr: |
+            (
+              sum(rate(authorizer:cloudauthorizer:authz_denied{namespace="{{ .Release.Namespace }}"}[5m]))
+              /
+              (sum(rate(authorizer:cloudauthorizer:authz_allowed{namespace="{{ .Release.Namespace }}"}[5m])) + sum(rate(authorizer:cloudauthorizer:authz_denied{namespace="{{ .Release.Namespace }}"}[5m])))
+            ) > 0.5
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            summary: "Authorization deny rate exceeds 50%"
+            description: "More than half of authorization decisions are being denied. Possible policy misconfiguration."
     {{- end }}
 
     {{- if .Values.monitoring.slos.enabled }}