envoyproxy/gateway

Allow configuring JWT filter fetch behavior and failed refetch duration

Open

#6,525 opened on 2025年7月15日

GitHub で見る
 (4 comments) (0 reactions) (0 assignees)Go (802 forks)auto 404
area/apihelp wanted

Repository metrics

Stars
 (2,871 stars)
PR merge metrics
 (PR metrics pending)

説明

Description:

Currently, Envoy Gateway hardcodes the use of async_fetch when generating the JWT HTTP filter XDS configuration code link. Additionally, it does not provide a mechanism to configure the failed_refetch_duration field in the JWT filter.

As a result, when the JWKS server becomes temporarily unavailable, Envoy starts retrying indefinitely without any backoff or configurable delay, which can overwhelm the Identity Provider (IdP) infrastructure. The retry policy configuration has no effect on the remote_jwks when async_fetch mode enabled: envoyproxy/envoy#40025.

Request

Envoy Gateway's SecurityPolicy or equivalent configuration should support:

  1. An option to opt-out of async_fetch and fall back to sync_fetch.
  2. A way to configure failed_refetch_duration to control the retry behavior when JWKS fetches fail.

This would provide users better resilience and control over how Envoy handles temporarily unreachable JWKS endpoints, especially in production environments where repeated retries can have cascading effects on upstream systems.

コントリビューターガイド