jwt_authn: RemoteJwks to support RetryPolicy config #16319 (#16924)

Commit Message: jwt_authn: RemoteJwks to support RetryPolicy config #16319 ( only for background fetches failing ) Additional Description: following up on comments and code pruned from background jwks refresh mechanism from #16912 Risk Level: Low, default number of retries set to zero. truncated exponential backoff requires explicit configuration. Testing: Only mock-based unit tests so far. Haven't been able to get it ( or the background jwks fetch option, for that matter ) built in [esp-v2](https://github.com/GoogleCloudPlatform/espv-2) so far. Docs Changes: Release Notes: Platform Specific Features: Fixes #16319 Signed-off-by: Anthony Lichnewsky <alichnewsky@users.noreply.github.com> Mirrored from https://github.com/envoyproxy/envoy @ b62dae29a5dd06b7f689899b26974d9567a98f0e
4 years ago · fbe05e0430
parent f98d69cd37
commit fbe05e0430
2 changed files with 62 additions and 0 deletions
--- a/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@ -258,6 +258,37 @@ message RemoteJwks {
  // * Jwks is ready when the requests come, not need to wait for the Jwks fetching.
  //
  JwksAsyncFetch async_fetch = 3;
+
+  // Retry policy for fetching Jwks. optional. turned off by default.
+  //
+  // For example:
+  //
+  // .. code-block:: yaml
+  //
+  //   retry_policy:
+  //     retry_back_off:
+  //       base_interval: 0.01s
+  //       max_interval: 20s
+  //     num_retries: 10
+  //
+  // will yield a randomized truncated exponential backoff policy with an initial delay of 10ms
+  // 10 maximum attempts spaced at most 20s seconds.
+  //
+  // .. code-block:: yaml
+  //
+  //   retry_policy:
+  //     num_retries:1
+  //
+  // uses the default :ref:`retry backoff strategy <envoy_v3_api_msg_config.core.v3.BackoffStrategy>`.
+  // with the default base interval is 1000 milliseconds. and the default maximum interval of 10 times the base interval.
+  //
+  // if num_retries is omitted, the default is to allow only one retry.
+  //
+  //
+  // If enabled, the retry policy will apply to all Jwks fetching approaches, e.g. on demand or asynchronously in background.
+  //
+  //
+  config.core.v3.RetryPolicy retry_policy = 4;
 }

 // Fetch Jwks asynchronously in the main thread when the filter config is parsed.
--- a/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
+++ b/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
@ -258,6 +258,37 @@ message RemoteJwks {
  // * Jwks is ready when the requests come, not need to wait for the Jwks fetching.
  //
  JwksAsyncFetch async_fetch = 3;
+
+  // Retry policy for fetching Jwks. optional. turned off by default.
+  //
+  // For example:
+  //
+  // .. code-block:: yaml
+  //
+  //   retry_policy:
+  //     retry_back_off:
+  //       base_interval: 0.01s
+  //       max_interval: 20s
+  //     num_retries: 10
+  //
+  // will yield a randomized truncated exponential backoff policy with an initial delay of 10ms
+  // 10 maximum attempts spaced at most 20s seconds.
+  //
+  // .. code-block:: yaml
+  //
+  //   retry_policy:
+  //     num_retries:1
+  //
+  // uses the default :ref:`retry backoff strategy <envoy_v3_api_msg_config.core.v3.BackoffStrategy>`.
+  // with the default base interval is 1000 milliseconds. and the default maximum interval of 10 times the base interval.
+  //
+  // if num_retries is omitted, the default is to allow only one retry.
+  //
+  //
+  // If enabled, the retry policy will apply to all Jwks fetching approaches, e.g. on demand or asynchronously in background.
+  //
+  //
+  config.core.v4alpha.RetryPolicy retry_policy = 4;
 }

 // Fetch Jwks asynchronously in the main thread when the filter config is parsed.