jwt_authn: adjust remote_jwks.async_fetch refetch timer (#24035)

This is just an improvement to async_fetch feature of remote jwks.

*  For a successful fetch,  adjust its re_fetch time to be the jwks_cache_duration - 5s.   This is to avoid of triggering on-demand fetching.   During authentication,  if jwks is not fetched, or is expired,  it will trigger an on-demand fetching.  If async_fetch can refetch the jwks a little bit earlier, it will avoid the on-demand fetch.

* For a failed fetch,  trigger a re_fetch after 1 second.  Getting jwks is important.  We should keep retrying.  This retrying is after [remote_jwks.retry_policy](https://github.com/envoyproxy/envoy/blob/main/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto#L366).

Risk Level: Low, added more frequence refetch for a failed remote jwks uri.
Testing:  unit-tested
Docs Changes: None
Release Notes: Yes

Signed-off-by: Wayne Zhang <qiwzhang@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 4e40d6ad5f98cd3c86f1398bb8990b1d88bdfe92

envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -314,7 +314,7 @@ message RemoteJwks {
   config.core.v3.HttpUri http_uri = 1;
 
   // Duration after which the cached JWKS should be expired. If not specified, default cache
-  // duration is 5 minutes.
+  // duration is 10 minutes.
   google.protobuf.Duration cache_duration = 2;
 
   // Fetch Jwks asynchronously in the main thread before the listener is activated.
@@ -376,6 +376,9 @@ message JwksAsyncFetch {
   // If true, it is activated without waiting for the initial fetch to complete.
   // Default is false.
   bool fast_listener = 1;
+
+  // The duration to refetch after a failed fetch. If not specified, default is 1 second.
+  google.protobuf.Duration failed_refetch_duration = 2;
 }
 
 // This message specifies a header location to extract JWT token.