fix: remove the default retry policy for jwks fetch (envoyproxy#4802)

* remove the default retry policy for jwks fetch Signed-off-by: Huabing Zhao <[email protected]> * fix gen Signed-off-by: Huabing Zhao <[email protected]> * Update release-notes/current.yaml Co-authored-by: Arko Dasgupta <[email protected]> Signed-off-by: Huabing Zhao <[email protected]> --------- Signed-off-by: Huabing Zhao <[email protected]> Co-authored-by: Arko Dasgupta <[email protected]> (cherry picked from commit 526a05f) Signed-off-by: Huabing Zhao <[email protected]>
zhaohuabing · Nov 29, 2024 · f4ddef8 · f4ddef8
1 parent a6f684a
commit f4ddef8
Show file tree

Hide file tree

Showing 15 changed files with 4 additions and 34 deletions.
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
@@ -514,8 +514,7 @@
                                         "cluster": "raw_githubusercontent_com_443",
                                         "timeout": "10s",
                                         "uri": "https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json"
-                                      },
-                                      "retryPolicy": {}
+                                      }
                                     }
                                   }
                                 },

diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
@@ -306,7 +306,6 @@ xds:
                               cluster: raw_githubusercontent_com_443
                               timeout: 10s
                               uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
-                            retryPolicy: {}
                       requirementMap:
                         httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com:
                           providerName: httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com/example

diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml
@@ -61,7 +61,6 @@ xds:
                             cluster: raw_githubusercontent_com_443
                             timeout: 10s
                             uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
-                          retryPolicy: {}
                     requirementMap:
                       httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com:
                         providerName: httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com/example

diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
@@ -120,7 +120,6 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 					},
 					CacheDuration: &durationpb.Duration{Seconds: 5 * 60},
 					AsyncFetch:    &jwtauthnv3.JwksAsyncFetch{},
-					RetryPolicy:   &corev3.RetryPolicy{},
 				},
 			}
 

diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml
@@ -35,7 +35,6 @@
                     cluster: two_example_com_443
                     timeout: 10s
                     uri: https://two.example.com/jwt/public-key/jwks.json
-                  retryPolicy: {}
               httproute/default/httproute-2/rule/0/match/0/www_example_com/example1:
                 audiences:
                 - one.foo.com
@@ -52,7 +51,6 @@
                     cluster: one_example_com_443
                     timeout: 10s
                     uri: https://one.example.com/jwt/public-key/jwks.json
-                  retryPolicy: {}
             requirementMap:
               httproute/default/httproute-1/rule/0/match/0/www_example_com:
                 providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/example1

diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml
@@ -35,7 +35,6 @@
                     cluster: two_example_com_443
                     timeout: 10s
                     uri: https://two.example.com/jwt/public-key/jwks.json
-                  retryPolicy: {}
               httproute/default/httproute-2/rule/0/match/0/www_example_com/example1:
                 audiences:
                 - one.foo.com
@@ -52,7 +51,6 @@
                     cluster: one_example_com_443
                     timeout: 10s
                     uri: https://one.example.com/jwt/public-key/jwks.json
-                  retryPolicy: {}
             requirementMap:
               httproute/default/httproute-1/rule/0/match/0/www_example_com:
                 providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/example1

diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml
@@ -85,7 +85,6 @@
                     cluster: one_example_com_443
                     timeout: 10s
                     uri: https://one.example.com/jwt/public-key/jwks.json
-                  retryPolicy: {}
               httproute/envoy-gateway/httproute-1/rule/0/match/0/www_example_com/example2:
                 audiences:
                 - two.foo.com
@@ -105,7 +104,6 @@
                     cluster: two_example_com_80
                     timeout: 10s
                     uri: http://two.example.com/jwt/public-key/jwks.json
-                  retryPolicy: {}
             requirementMap:
               httproute/envoy-gateway/httproute-1/rule/0/match/0/www_example_com:
                 requiresAny:

diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml
@@ -42,7 +42,6 @@
                     cluster: localhost_443
                     timeout: 10s
                     uri: https://localhost/jwt/public-key/jwks.json
-                  retryPolicy: {}
             requirementMap:
               first-route:
                 providerName: first-route/example

diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
@@ -38,7 +38,6 @@
                     cluster: localhost_80
                     timeout: 10s
                     uri: http://localhost/jwt/public-key/jwks.json
-                  retryPolicy: {}
               first-route-www.test.com/example2:
                 audiences:
                 - one.foo.com
@@ -62,7 +61,6 @@
                     cluster: "192_168_1_250_8080"
                     timeout: 10s
                     uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
-                  retryPolicy: {}
               second-route-www.test.com/example:
                 audiences:
                 - foo.com
@@ -82,7 +80,6 @@
                     cluster: localhost_80
                     timeout: 10s
                     uri: http://localhost/jwt/public-key/jwks.json
-                  retryPolicy: {}
               second-route-www.test.com/example2:
                 audiences:
                 - one.foo.com
@@ -100,7 +97,6 @@
                     cluster: "192_168_1_250_8080"
                     timeout: 10s
                     uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
-                  retryPolicy: {}
             requirementMap:
               first-route-www.test.com:
                 requiresAny:

diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml
@@ -60,7 +60,6 @@
                     cluster: localhost_443
                     timeout: 10s
                     uri: https://localhost/jwt/public-key/jwks.json
-                  retryPolicy: {}
               second-route/example:
                 audiences:
                 - foo.com
@@ -77,7 +76,6 @@
                     cluster: localhost_443
                     timeout: 10s
                     uri: https://localhost/jwt/public-key/jwks.json
-                  retryPolicy: {}
             requirementMap:
               first-route:
                 providerName: first-route/example

diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml
@@ -42,7 +42,6 @@
                     cluster: localhost_443
                     timeout: 10s
                     uri: https://localhost/jwt/public-key/jwks.json
-                  retryPolicy: {}
             requirementMap:
               first-route:
                 requiresAny:

diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml
@@ -35,7 +35,6 @@
                     cluster: "192_168_1_250_443"
                     timeout: 10s
                     uri: https://192.168.1.250/jwt/public-key/jwks.json
-                  retryPolicy: {}
             requirementMap:
               first-route:
                 providerName: first-route/example

diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml
@@ -35,7 +35,6 @@
                     cluster: localhost_443
                     timeout: 10s
                     uri: https://localhost/jwt/public-key/jwks.json
-                  retryPolicy: {}
             requirementMap:
               first-route:
                 providerName: first-route/example

diff --git a/...rnal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml b/...rnal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml
@@ -81,7 +81,6 @@
                     cluster: oidc_example_com_443
                     timeout: 10s
                     uri: https://oidc.example.com/auth/realms/example/protocol/openid-connect/certs
-                  retryPolicy: {}
             requirementMap:
               httproute/default/httproute-1/rule/0/match/0/www_example_com:
                 providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/exjwt

diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -2,8 +2,6 @@ date: Pending
 
 # Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs.
 breaking changes: |
-  Always use `::` and `IPv4Compact` enabled on dynamic listeners.
-  Use `V4_PREFERRED` instead of `V4_ONLY` by default for the cluster's `DnsLookupFamily`.
 
 # Updates addressing vulnerabilities, security flaws, or compliance requirements.
 security updates: |
@@ -15,16 +13,9 @@ new features: |
 
 # Fixes for bugs identified in previous versions.
 bug fixes: |
-  Only log endpoint configuration in verbose logging mode (`-v 4` or higher)
-  The xDS translation failed when wasm http code source configured without a sha
-  HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses
-  Route with multiple parents has incorrect namespace in parentRef status
-  BackendTlsPolicy specify multiple targetRefs of the same service, only one will work
-  Helm chart fails for Flux HelmRelease
-  Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes
-  Fixed failed to update SecurityPolicy resources with the `backendRef` field specified
-  Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname
-  Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn
+  Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s.
+  Used a waitGroup instead of an enabled channel in the status updater.
+
 
 # Enhancements that improve performance.
 performance improvements: |
-Original file line number
+Diff line change
@@ Expand Up @@
     					},
     					CacheDuration: &durationpb.Duration{Seconds: 5 * 60},
     					AsyncFetch:    &jwtauthnv3.JwksAsyncFetch{},
-    					RetryPolicy:   &corev3.RetryPolicy{},
     				},
     			}
@@ Expand Down @@