fix: avoid calling the issuer's well-known endpoint for every route #7394
Conversation
Codecov Report
❌ Patch coverage is

Coverage diff for main vs. #7394 (a "?" marks values Codecov had no base report for):

              main    #7394    +/-
Coverage        ?    72.35%
Files           ?       231
Lines           ?     34034
Branches        ?         0
Hits            ?     24626
Misses          ?      7634
Partials        ?      1774

View full report in Codecov by Sentry.
Review comment on these lines of the diff:

    // Parse the OpenID configuration response
    var config OpenIDConfig
    if err = backoff.Retry(func() error {
Instead of blocking the translator here, a more ideal approach is to fail fast and retry fetching in a background goroutine, and re-trigger the translation once it succeeds. This would need a global cache and some hack in the message watch.
If this makes sense, I'll send a follow-up PR.
thanks @zhaohuabing, guessing we'll hit this issue for
jwt: we don't pull the jwks on the control plane.
…with Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
LGTM thanks
The Gateway API translator calls the issuer's well-known OIDC configuration endpoint to fetch OIDC configuration for each route. This can cause significant delay during translation when the issuer's well-known endpoint is slow or unresponsive.
This PR improves it by caching the fetched results and reusing them during the translation.
fixes: #7358
The PR has been verified with the following setup.
Test setup:
Create a SecurityPolicy targeting 10 HTTPRoutes.
Scale out the backend deployment from 1 to 20.
v1.5.4 test result
It took 279s for v1.5.4 to sync the endpoints to Envoy.
With the coalesce optimization in #7328
With PR #7328 alone, the sync time was reduced to 58s.
2025-10-31T13:20:35.720Z INFO watchable message/watchutil.go:132 coalesced updates {"runner": "gateway-api", "count": 1, "before": 19}
With both #7328 and this PR
With PR #7328 and this PR, the sync time was reduced to 9s.
2025-10-31T13:15:47.903Z INFO watchable message/watchutil.go:132 coalesced updates {"runner": "gateway-api", "count": 1, "before": 18}
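The following is an added example written for this page, not code from Envoy Gateway or from this PR, of the caching the description above relies on: ten routes that share one issuer cost one discovery request per process instead of ten per translation. The type and function names (OpenIDConfig, call, DiscoveryCache, NewFakeIssuer, RunScenario) are hypothetical, and the in-process issuer and the document it serves are constructed for the example. It goes slightly beyond the description in two ways a practitioner would want: concurrent lookups of the same issuer are collapsed into a single in-flight request, and a failed fetch is not cached, so a slow or unresponsive issuer (bounded by the HTTP client's timeout, which is what keeps the translator from hanging) is retried on the next translation rather than poisoning every later one. The fetched document is also checked against the configured issuer, as OIDC Discovery requires.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
	"time"
)

// OpenIDConfig: the discovery fields a translator needs (hypothetical stand-in for the project's type).
type OpenIDConfig struct {
	Issuer  string `json:"issuer"`
	JwksURI string `json:"jwks_uri"`
}

type call struct {
	done chan struct{} // closed once cfg and err are final
	cfg  *OpenIDConfig
	err  error
}

// DiscoveryCache keeps one call per issuer, so N routes sharing an issuer cost one request even
// when translated concurrently. Failed calls are dropped, so an unresponsive issuer is retried next time.
type DiscoveryCache struct {
	client *http.Client
	mu     sync.Mutex
	calls  map[string]*call
}

// Get returns the issuer's document, fetching it at most once across all callers.
func (c *DiscoveryCache) Get(issuer string) (*OpenIDConfig, error) {
	c.mu.Lock()
	cl, ok := c.calls[issuer]
	if ok { // cached or already in flight: either way, wait for that single fetch
		c.mu.Unlock()
		<-cl.done
		return cl.cfg, cl.err
	}
	cl = &call{done: make(chan struct{})}
	c.calls[issuer] = cl
	c.mu.Unlock()
	cl.cfg, cl.err = c.fetch(issuer)
	if cl.err != nil {
		c.mu.Lock()
		delete(c.calls, issuer)
		c.mu.Unlock()
	}
	close(cl.done)
	return cl.cfg, cl.err
}

func (c *DiscoveryCache) fetch(issuer string) (*OpenIDConfig, error) {
	resp, err := c.client.Get(issuer + "/.well-known/openid-configuration") // bounded by client.Timeout
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("discovery for %s: HTTP %d", issuer, resp.StatusCode)
	}
	var cfg OpenIDConfig
	if err := json.NewDecoder(resp.Body).Decode(&cfg); err != nil {
		return nil, fmt.Errorf("discovery for %s: %w", issuer, err)
	}
	if cfg.Issuer != issuer { // OIDC Discovery 4.3: the document must name exactly the issuer asked for
		return nil, fmt.Errorf("discovery for %s: document claims issuer %q", issuer, cfg.Issuer)
	}
	return &cfg, nil
}

// NewFakeIssuer is a constructed in-process issuer; *hits counts the requests it served.
func NewFakeIssuer() (*httptest.Server, *int64) {
	var hits int64
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt64(&hits, 1)
		base := "http://" + r.Host
		json.NewEncoder(w).Encode(OpenIDConfig{Issuer: base, JwksURI: base + "/jwks"})
	}))
	return srv, &hits
}

// RunScenario translates a SecurityPolicy attached to `routes` routes that share one issuer,
// in two passes, and returns how many requests the issuer actually saw.
func RunScenario(routes int) (int64, error) {
	srv, hits := NewFakeIssuer()
	defer srv.Close()
	cache := &DiscoveryCache{client: &http.Client{Timeout: 5 * time.Second}, calls: map[string]*call{}}
	for pass := 0; pass < 2; pass++ {
		for i := 0; i < routes; i++ {
			if _, err := cache.Get(srv.URL); err != nil {
				return 0, err
			}
		}
	}
	return atomic.LoadInt64(hits), nil
}
```

RunScenario(10) mirrors the test setup in the description: two translation passes over ten routes reach the issuer exactly once. Two things are left out on purpose and matter in a real control plane: entries never expire here, whereas a production cache needs a TTL or a refresh so a rotated jwks_uri or a changed endpoint eventually propagates; and the scheme is not restricted, which is only acceptable because the fake issuer speaks plain HTTP, so a real fetcher should insist on https before trusting the document.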