Allow configuring JWT filter fetch behavior and failed refetch duration
#6,525 创建于 2025年7月15日
仓库指标
- Star
- (2,871 star)
- PR 合并指标
- (PR 指标待抓取)
描述
Description:
Currently, Envoy Gateway hardcodes the use of async_fetch when generating the JWT HTTP filter XDS configuration code link. Additionally, it does not provide a mechanism to configure the failed_refetch_duration field in the JWT filter.
As a result, when the JWKS server becomes temporarily unavailable, Envoy starts retrying indefinitely without any backoff or configurable delay, which can overwhelm the Identity Provider (IdP) infrastructure. The retry policy configuration has no effect on the remote_jwks when async_fetch mode enabled: envoyproxy/envoy#40025.
Request
Envoy Gateway's SecurityPolicy or equivalent configuration should support:
- An option to opt-out of
async_fetchand fall back tosync_fetch. - A way to configure
failed_refetch_durationto control the retry behavior when JWKS fetches fail.
This would provide users better resilience and control over how Envoy handles temporarily unreachable JWKS endpoints, especially in production environments where repeated retries can have cascading effects on upstream systems.