envoyproxy/gateway

Allow configuring JWT filter fetch behavior and failed refetch duration

Open

#6,525 建立於 2025年7月15日

在 GitHub 查看
 (4 留言) (0 反應) (0 負責人)Go (802 fork)auto 404
area/apihelp wanted

倉庫指標

Star
 (2,871 star)
PR 合併指標
 (PR 指標待抓取)

描述

Description:

Currently, Envoy Gateway hardcodes the use of async_fetch when generating the JWT HTTP filter XDS configuration code link. Additionally, it does not provide a mechanism to configure the failed_refetch_duration field in the JWT filter.

As a result, when the JWKS server becomes temporarily unavailable, Envoy starts retrying indefinitely without any backoff or configurable delay, which can overwhelm the Identity Provider (IdP) infrastructure. The retry policy configuration has no effect on the remote_jwks when async_fetch mode enabled: envoyproxy/envoy#40025.

Request

Envoy Gateway's SecurityPolicy or equivalent configuration should support:

  1. An option to opt-out of async_fetch and fall back to sync_fetch.
  2. A way to configure failed_refetch_duration to control the retry behavior when JWKS fetches fail.

This would provide users better resilience and control over how Envoy handles temporarily unreachable JWKS endpoints, especially in production environments where repeated retries can have cascading effects on upstream systems.

貢獻者指南