projectcontour / contour

Contour is a Kubernetes ingress controller using Envoy proxy.
https://projectcontour.io
Apache License 2.0

JWKS Async Fetch #6524

Open aikoven opened 3 months ago

aikoven commented 3 months ago

We use JWT validation in our HTTPProxy via a remote JWKS that points to an OIDC provider endpoint located in a different region. Requests to the JWKS endpoint take about 1 second. This means that when the JWKS cache expires, we get extra latency on requests running through that HTTPProxy.

Envoy has the JWKS Async Fetch feature that would help to mitigate this.

Would it be possible to enable it in Contour? Or add a new flag to HTTPProxy CRD?
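For reference, this is what the setting looks like at the Envoy level, as an added example that is not part of the original post and is not configuration that Contour generates. The provider name, issuer, JWKS URI, cluster name and durations are constructed placeholders; the field names are those of Envoy's `jwt_authn` filter.

```yaml
# Envoy HTTP filter fragment (constructed values, for illustration only).
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      oidc:                                  # hypothetical provider name
        issuer: https://idp.example.com      # placeholder issuer
        remote_jwks:
          http_uri:
            uri: https://idp.example.com/.well-known/jwks.json  # placeholder URI
            cluster: idp_jwks                # hypothetical cluster name
            timeout: 5s
          cache_duration: 600s
          # Without async_fetch, the JWKS is fetched on demand: each worker
          # thread fetches its own copy and pauses the requests that arrive
          # while the fetch is in flight (the latency described above).
          # With async_fetch, the main thread fetches the JWKS ahead of time
          # and shares the result with all worker threads.
          async_fetch:
            # false: the listener is activated only after the initial fetch
            # has completed, whether it succeeded or failed.
            # true: the listener is activated without waiting for it.
            fast_listener: false
            # Delay before retrying after a failed fetch.
            failed_refetch_duration: 1s
    rules:
    - match:
        prefix: /
      requires:
        provider_name: oidc
```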

github-actions[bot] commented 3 months ago

Hey @aikoven! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

github-actions[bot] commented 1 month ago

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

You can:

Please send feedback to the #contour channel in the Kubernetes Slack

tsaarni commented 1 day ago

I haven't had the chance to look at this further, but it seems like a useful feature. I’m curious if it could be enabled by default without requiring the user to select it.

Just for future reference, the Envoy project PR that added JwksAsyncFetch was envoyproxy/envoy#16298.