fix: avoid calling the issuer's well-known endpoint for every routes#7394
Merged
arkodg merged 2 commits intoenvoyproxy:mainfrom Nov 4, 2025
Merged
fix: avoid calling the issuer's well-known endpoint for every routes#7394arkodg merged 2 commits intoenvoyproxy:mainfrom
arkodg merged 2 commits intoenvoyproxy:mainfrom
Conversation
zhaohuabing
force-pushed
the
improve-oidc-auto-discovery
branch
3 times, most recently
from
6766744 to
18b2baa
Compare
zhaohuabing
force-pushed
the
improve-oidc-auto-discovery
branch
2 times, most recently
from
88d6511 to
50699dc
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7394 +/- ##
=======================================
Coverage ? 72.35%
=======================================
Files ? 231
Lines ? 34034
Branches ? 0
=======================================
Hits ? 24626
Misses ? 7634
Partials ? 1774 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
zhaohuabing
commented
Oct 31, 2025
Member
Author
There was a problem hiding this comment.
Instead of blocking the translator here, a more ideal approach is to fail fast and retry fetching in a background go routine, and re-trigger the translation once it succeed. This would need a global cache and some hack in the message watch.
If this makes sense, I'll send a follow-up PR.
jukie
previously approved these changes
Oct 31, 2025
This was referenced Oct 31, 2025
zhaohuabing
added
cherrypick/release-v1.5.5
and removed
cherrypick/release-v1.5.5
labels
Contributor
|
thanks @zhaohuabing, guessing we'll hit this issue for |
Member
Author
jwt: we don't pull the jwks on the control plane. |
arkodg
reviewed
Nov 4, 2025
…with Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
zhaohuabing
force-pushed
the
improve-oidc-auto-discovery
branch
from
25755b3 to
0ae4e45
Compare
kkk777-7
approved these changes
Nov 4, 2025
rudrakhp
pushed a commit
that referenced
this pull request
Nov 10, 2025
…7394) * fix: avoid calling the issuer's well-known endpoint for every routes with Signed-off-by: Huabing Zhao <[email protected]>
arkodg
added a commit
that referenced
this pull request
Nov 10, 2025
* chore(examples): fix extensionserver build (#7398) Signed-off-by: Maxime Brunet <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: add missing endpoints in the crl test (#7402) fix test for #7199 Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore(make): exit on failure (#7387) Signed-off-by: Maxime Brunet <[email protected]> Co-authored-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: port typo (#7397) Signed-off-by: cong <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump busybox from `2f590fc` to `e3652a0` in /tools/docker/envoy-gateway (#7409) build(deps): bump busybox in /tools/docker/envoy-gateway Bumps busybox from `2f590fc` to `e3652a0`. --- updated-dependencies: - dependency-name: busybox dependency-version: e3652a00a2fabd16ce889f0aa32c38eec347b997e73bd09e69c962ec7f8732ee dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: validate EnvoyGateway configuration before reload (#7412) Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump the actions group across 1 directory with 2 updates (#7410) Bumps the actions group with 2 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action) and [google/osv-scanner-action](https://github.com/google/osv-scanner-action). Updates `github/codeql-action` from 4.31.0 to 4.31.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@4e94bd1...0499de3) Updates `google/osv-scanner-action` from 2.2.3 to 2.2.4 - [Release notes](https://github.com/google/osv-scanner-action/releases) - [Commits](google/osv-scanner-action@e92b5d0...9bb6957) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: google/osv-scanner-action dependency-version: 2.2.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: missing onInvalidMessage for ClientTrafficPolicy (#7417) Signed-off-by: i.makarychev <[email protected]> Signed-off-by: i.makarychev <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: add missing filters in the filter order configuration (#7404) * add missing filters in the filter order configuration Signed-off-by: Huabing Zhao <[email protected]> * fix wrong filter name Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * test: tcp security policy e2e (#7226) * feat(securitypolicy): Added e2e tests for tcp security policies Signed-off-by: davem-git <[email protected]> * removed commented out line Signed-off-by: davem-git <[email protected]> --------- Signed-off-by: davem-git <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * Docs: tcp security policy (#7247) * updated release notes Signed-off-by: davem-git <[email protected]> * updated docs Signed-off-by: davem-git <[email protected]> * fixed merge conflict Signed-off-by: davem-git <[email protected]> --------- Signed-off-by: davem-git <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * feat: support both local and global ratelimit simultaneously (#7334) * update rate limit type Signed-off-by: kkk777-7 <[email protected]> * feat: support both type rate limit Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * feat: support separated path match in ratelimit path (#7413) * update: path match ratelimit e2e Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: handle optional next update for CRL (#7422) fix: handle optional next update for crl Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: missing jwt provider when jwt is configured on multiple listeners sharing the same port (#7337) * fix jwt provider missing when jwt is configured at multiple ir listeners Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: only insert proxy service once it exists (#7424) * maybe this is the fix? Signed-off-by: jukie <[email protected]> * fixes Signed-off-by: jukie <[email protected]> * cleanup Signed-off-by: jukie <[email protected]> * consolidate Signed-off-by: jukie <[email protected]> * fix Signed-off-by: jukie <[email protected]> --------- Signed-off-by: jukie <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix error when updating invalid gateway status (#7415) * fix error when updating invalid gateway status Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: avoid calling the issuer's well-known endpoint for every routes (#7394) * fix: avoid calling the issuer's well-known endpoint for every routes with Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: memory leak (#7429) Fix memory leak. Two watchable.Maps were never closed when shutting down the provider: - GatewayClassStatuses.Close() - missing in GatewayAPIStatuses.Close() - BackendTrafficPolicyStatuses.Close() - missing in PolicyStatuses.Close() Each unclosed map leaked 3 goroutines: 1. Internal watchable.Map.coalesce goroutine 2. HandleSubscription goroutine blocked on channel read 3. Error handler goroutine blocked on channel read Signed-off-by: Gonzalo Serrano <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * perf: move snapshot update above status update in xds layer (#7423) Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: cleanup logging when inserting proxy service cluster (#7431) cleanup Signed-off-by: jukie <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * upgrade gofumpt (#7420) Signed-off-by: fabian4 <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * feat(translator): relax backend restrictions for localhost when running standalone with Host infrastructure (#7427) Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: improve api docs for http10.useDefaultHost (#7435) * imporove api docs for useDefaultHost Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * ci: disable lint.dependabot (#7445) Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: bump github.com/containerd/containerd (#7448) Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * perf: do not set last transition time for status in watcher layer (#7268) Signed-off-by: Rudrakh Panigrahi <[email protected]> * docs: fix gwapi docs (#7408) * docs: fix gwapi docs Signed-off-by: zirain <[email protected]> * fix Signed-off-by: zirain <[email protected]> * update Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: renable lint.dependabot (#7454) Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * chore: remove last transition time comparison as no longer set (#7451) chore: remove last transition time comparision as no longer set Signed-off-by: Rudrakh Panigrahi <[email protected]> Co-authored-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: merged policy status (#7376) Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix: header modifier doesn't permit multiple values with commas (#7436) * revert: separate headers with commas Signed-off-by: kkk777-7 <[email protected]> * add e2e Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * fix auto http config with proxy protocol (#7439) * don't set TypedExtensionProtocolOptions when ProxyProtocol enabled Signed-off-by: zirain <[email protected]> * update test Signed-off-by: zirain <[email protected]> * enable auto ALPN for proxy protocol Signed-off-by: zirain <[email protected]> * add e2e Signed-off-by: zirain <[email protected]> * update Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump sigs.k8s.io/controller-runtime from 0.22.3 to 0.22.4 in /examples/extension-server (#7470) build(deps): bump sigs.k8s.io/controller-runtime Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.22.3 to 0.22.4. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.22.3...v0.22.4) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-version: 0.22.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2 in the actions group across 1 directory (#7461) build(deps): bump softprops/action-gh-release Bumps the actions group with 1 update in the / directory: [softprops/action-gh-release](https://github.com/softprops/action-gh-release). Updates `softprops/action-gh-release` from 2.4.1 to 2.4.2 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@6da8fa9...5be0e66) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-version: 2.4.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.35.0 to 1.36.0 in /examples/grpc-ext-proc (#7471) build(deps): bump github.com/envoyproxy/go-control-plane/envoy Bumps [github.com/envoyproxy/go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane) from 1.35.0 to 1.36.0. - [Release notes](https://github.com/envoyproxy/go-control-plane/releases) - [Changelog](https://github.com/envoyproxy/go-control-plane/blob/main/CHANGELOG.md) - [Commits](envoyproxy/go-control-plane@envoy/v1.35.0...envoy/v1.36.0) --- updated-dependencies: - dependency-name: github.com/envoyproxy/go-control-plane/envoy dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.35.0 to 1.36.0 in /examples/envoy-ext-auth (#7467) build(deps): bump github.com/envoyproxy/go-control-plane/envoy Bumps [github.com/envoyproxy/go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane) from 1.35.0 to 1.36.0. - [Release notes](https://github.com/envoyproxy/go-control-plane/releases) - [Changelog](https://github.com/envoyproxy/go-control-plane/blob/main/CHANGELOG.md) - [Commits](envoyproxy/go-control-plane@envoy/v1.35.0...envoy/v1.36.0) --- updated-dependencies: - dependency-name: github.com/envoyproxy/go-control-plane/envoy dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.35.1-0.20251029084203-42a4a9261f66 to 1.36.0 in /examples/extension-server (#7468) build(deps): bump github.com/envoyproxy/go-control-plane/envoy Bumps [github.com/envoyproxy/go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane) from 1.35.1-0.20251029084203-42a4a9261f66 to 1.36.0. - [Release notes](https://github.com/envoyproxy/go-control-plane/releases) - [Changelog](https://github.com/envoyproxy/go-control-plane/blob/main/CHANGELOG.md) - [Commits](https://github.com/envoyproxy/go-control-plane/commits/envoy/v1.36.0) --- updated-dependencies: - dependency-name: github.com/envoyproxy/go-control-plane/envoy dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <[email protected]> * [release/v1.6] v1.6.0 release docs (#7475) Signed-off-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: Maxime Brunet <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: cong <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: zirain <[email protected]> Signed-off-by: i.makarychev <[email protected]> Signed-off-by: i.makarychev <[email protected]> Signed-off-by: davem-git <[email protected]> Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: jukie <[email protected]> Signed-off-by: Gonzalo Serrano <[email protected]> Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: fabian4 <[email protected]> Co-authored-by: Maxime Brunet <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: zirain <[email protected]> Co-authored-by: 聪 <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Inode1 <[email protected]> Co-authored-by: davem-git <[email protected]> Co-authored-by: Kota Kimura <[email protected]> Co-authored-by: Isaac <[email protected]> Co-authored-by: Gonzalo Serrano <[email protected]> Co-authored-by: Arko Dasgupta <[email protected]> Co-authored-by: Fabian Bao <[email protected]> Co-authored-by: Ignasi Barrera <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Gateway API translator calls the issuer's well-known OIDC configuration endpoint to fetch OIDC configuration for each routes. This can cause significant delay during translation when the issuer's well-known endpoint is slow or unresponsive.
This PR improves it by caching the fetching results and reuse them during the translation.
fixes: #7358
The PR has been verified with the following setup.
Test setup:
Crate a SecurityPolicy targeting 10 HTTPRoutes.
Scale out the backend deploy from 1 to 20.
v1.5.4 test result
It took 279s for v1.5.4 to sync the endpoints to envoy.
With the coalesce optimization in #7328
With PR #7328 alone, the sync time was reduced to 58s.
2025-10-31T13:20:35.720Z INFO watchable message/watchutil.go:132 coalesced updates {"runner": "gateway-api", "count": 1, "before": 19}
With both #7328 and this PR
With PR #7328 and this PR, the sync time was reduced to 9s.
2025-10-31T13:15:47.903Z INFO watchable message/watchutil.go:132 coalesced updates {"runner": "gateway-api", "count": 1, "before": 18}