remove asyncFetch field and change cacheDuration type to gwapiv1.Duration

slayer321 · slayer321 · commit 3deedc61263d · 2025-09-17T19:51:47.000+05:30
Signed-off-by: sachin maurya &lt;sachin.maurya7666@gmail.com&gt;
diff --git a/api/v1alpha1/jwt_types.go b/api/v1alpha1/jwt_types.go
@@ -6,7 +6,6 @@
 package v1alpha1
 
 import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
@@ -116,23 +115,7 @@ type RemoteJWKS struct {
 	// +kubebuilder:default="300s"
 	// +kubebuilder:validation:Format=duration
 	// +optional
-	CacheDuration *metav1.Duration `json:"cacheDuration,omitempty"`
-
-	// Fetch Jwks asynchronously in the main thread before the listener is activated. Fetched Jwks can be used by all worker threads.
-	// +optional
-	AsyncFetch *JwksAsyncFetch `json:"asyncFetch,omitempty"`
-}
-
-// JwksAsyncFetch is used to Fetch Jwks asynchronously in the main thread before the listener is activated.
-type JwksAsyncFetch struct {
-	// If false, the listener is activated after the initial fetch is completed. The initial fetch result can be either successful or failed.
-	// If true, it is activated without waiting for the initial fetch to complete.
-
-	// +optional
-	FastListener bool `json:"fastListener,omitempty"`
-	// The duration to refetch after a failed fetch.
-	// +optional
-	FailedRefetchDuration *metav1.Duration `json:"failedRefetchDuration,omitempty"`
+	CacheDuration *gwapiv1.Duration `json:"cacheDuration,omitempty"`
 }
 
 // LocalJWKSType defines the types of values for Local JWKS.
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -2770,18 +2770,6 @@ spec:
                             RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
                             HTTP/HTTPS endpoint.
                           properties:
-                            asyncFetch:
-                              description: Fetch Jwks asynchronously in the main thread
-                                before the listener is activated. Fetched Jwks can
-                                be used by all worker threads.
-                              properties:
-                                failedRefetchDuration:
-                                  description: The duration to refetch after a failed
-                                    fetch.
-                                  type: string
-                                fastListener:
-                                  type: boolean
-                              type: object
                             backendRef:
                               description: |-
                                 BackendRef references a Kubernetes object that represents the
@@ -3775,7 +3763,11 @@ spec:
                               type: object
                             cacheDuration:
                               default: 300s
+                              description: |-
+                                Duration is a string value representing a duration in time. The format is as specified
+                                in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.
                               format: duration
+                              pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                               type: string
                             uri:
                               description: |-
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -2769,18 +2769,6 @@ spec:
                             RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
                             HTTP/HTTPS endpoint.
                           properties:
-                            asyncFetch:
-                              description: Fetch Jwks asynchronously in the main thread
-                                before the listener is activated. Fetched Jwks can
-                                be used by all worker threads.
-                              properties:
-                                failedRefetchDuration:
-                                  description: The duration to refetch after a failed
-                                    fetch.
-                                  type: string
-                                fastListener:
-                                  type: boolean
-                              type: object
                             backendRef:
                               description: |-
                                 BackendRef references a Kubernetes object that represents the
@@ -3774,7 +3762,11 @@ spec:
                               type: object
                             cacheDuration:
                               default: 300s
+                              description: |-
+                                Duration is a string value representing a duration in time. The format is as specified
+                                in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.
                               format: duration
+                              pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                               type: string
                             uri:
                               description: |-
diff --git a/examples/kubernetes/jwt/jwt.yaml b/examples/kubernetes/jwt/jwt.yaml
@@ -13,9 +13,6 @@ spec:
       remoteJWKS:
         uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
         cacheDuration: 60s
-        asyncFetch:
-          fastListener: true
-          failedRefetchDuration: 2s
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
diff --git a/internal/gatewayapi/resource/testdata/all-resources.out.yaml b/internal/gatewayapi/resource/testdata/all-resources.out.yaml
@@ -383,7 +383,7 @@ securityPolicies:
       providers:
       - name: example
         remoteJWKS:
-          cacheDuration: 5m0s
+          cacheDuration: 300s
           uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
     targetRef:
       group: gateway.networking.k8s.io
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -1016,7 +1016,6 @@ func (t *Translator) buildRemoteJWKS(
 		Traffic:       traffic,
 		URI:           remoteJWKS.URI,
 		CacheDuration: remoteJWKS.CacheDuration,
-		AsyncFetch:    (*ir.JwksAsyncFetch)(remoteJWKS.AsyncFetch),
 	}, nil
 }
 
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
@@ -1079,10 +1079,7 @@ type RemoteJWKS struct {
 	URI string `json:"uri"`
 
 	// Duration after which the cached JWKS should be expired. If not specified, default cache duration is 5 minutes.
-	CacheDuration *metav1.Duration `json:"cacheDuration,omitempty"`
-
-	// Fetch Jwks asynchronously in the main thread before the listener is activated. Fetched Jwks can be used by all worker threads.
-	AsyncFetch *JwksAsyncFetch `json:"asyncFetch,omitempty"`
+	CacheDuration *gwapiv1.Duration `json:"cacheDuration,omitempty"`
 }
 
 // JwksAsyncFetch is used to Fetch Jwks asynchronously in the main thread before the listener is activated.
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
@@ -19,8 +19,8 @@ import (
 	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/emptypb"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/ir"
@@ -151,18 +151,14 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 					jwksCluster = cluster.name
 				}
 
-				var duration *metav1.Duration
+				var duration *gwapiv1.Duration
 				if jwks.CacheDuration != nil {
 					duration = jwks.CacheDuration
 				}
 
-				var asyncFetch jwtauthnv3.JwksAsyncFetch
-
-				if jwks.AsyncFetch != nil {
-					asyncFetch = jwtauthnv3.JwksAsyncFetch{
-						FastListener:          jwks.AsyncFetch.FastListener,
-						FailedRefetchDuration: durationpb.New(jwks.AsyncFetch.FailedRefetchDuration.Duration),
-					}
+				timeDuration, err := time.ParseDuration(string(*duration))
+				if err != nil {
+					return nil, err
 				}
 
 				remote := &jwtauthnv3.JwtProvider_RemoteJwks{
@@ -174,7 +170,8 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 							},
 							Timeout: durationpb.New(defaultExtServiceRequestTimeout),
 						},
-						CacheDuration: &durationpb.Duration{Seconds: 5 * 60},
+
+						CacheDuration: durationpb.New(timeDuration),
 						AsyncFetch:    &jwtauthnv3.JwksAsyncFetch{},
 					},
 				}
diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-single-route-single-match.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-single-route-single-match.yaml
@@ -22,9 +22,6 @@ http:
           remoteJWKS:
             uri: https://localhost/jwt/public-key/jwks.json
             cacheDuration: 300s
-            asyncFetch:
-              fastListener: true
-              failedRefetchDuration: 2s
     destination:
       name: "first-route-dest"
       settings:
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml
@@ -28,9 +28,7 @@
                   - scope
                 payloadInMetadata: example
                 remoteJwks:
-                  asyncFetch:
-                    failedRefetchDuration: 2s
-                    fastListener: true
+                  asyncFetch: {}
                   cacheDuration: 300s
                   httpUri:
                     cluster: localhost_443
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -2830,21 +2830,6 @@ _Appears in:_
 
 
 
-#### JwksAsyncFetch
-
-
-
-JwksAsyncFetch is used to Fetch Jwks asynchronously in the main thread before the listener is activated.
-
-_Appears in:_
-- [RemoteJWKS](#remotejwks)
-
-| Field | Type | Required | Default | Description |
-| ---   | ---  | ---      | ---     | ---         |
-| `fastListener` | _boolean_ |  false  |  |  |
-| `failedRefetchDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ |  false  |  | The duration to refetch after a failed fetch. |
-
-
 #### KubernetesClient
 
 
@@ -4356,8 +4341,7 @@ _Appears in:_
 | `backendRefs` | _[BackendRef](#backendref) array_ |  false  |  | BackendRefs references a Kubernetes object that represents the<br />backend server to which the authorization request will be sent. |
 | `backendSettings` | _[ClusterSettings](#clustersettings)_ |  false  |  | BackendSettings holds configuration for managing the connection<br />to the backend. |
 | `uri` | _string_ |  true  |  | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate.<br />If a custom trust bundle is needed, it can be specified in a BackendTLSConfig resource and target the BackendRefs. |
-| `cacheDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ |  false  | 300s |  |
-| `asyncFetch` | _[JwksAsyncFetch](#jwksasyncfetch)_ |  false  |  | Fetch Jwks asynchronously in the main thread before the listener is activated. Fetched Jwks can be used by all worker threads. |
+| `cacheDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ |  false  | 300s |  |
 
 
 #### ReplaceRegexMatch
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml
@@ -42565,18 +42565,6 @@ spec:
                             RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
                             HTTP/HTTPS endpoint.
                           properties:
-                            asyncFetch:
-                              description: Fetch Jwks asynchronously in the main thread
-                                before the listener is activated. Fetched Jwks can
-                                be used by all worker threads.
-                              properties:
-                                failedRefetchDuration:
-                                  description: The duration to refetch after a failed
-                                    fetch.
-                                  type: string
-                                fastListener:
-                                  type: boolean
-                              type: object
                             backendRef:
                               description: |-
                                 BackendRef references a Kubernetes object that represents the
@@ -43570,7 +43558,11 @@ spec:
                               type: object
                             cacheDuration:
                               default: 300s
+                              description: |-
+                                Duration is a string value representing a duration in time. The format is as specified
+                                in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.
                               format: duration
+                              pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                               type: string
                             uri:
                               description: |-
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
@@ -25253,18 +25253,6 @@ spec:
                             RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
                             HTTP/HTTPS endpoint.
                           properties:
-                            asyncFetch:
-                              description: Fetch Jwks asynchronously in the main thread
-                                before the listener is activated. Fetched Jwks can
-                                be used by all worker threads.
-                              properties:
-                                failedRefetchDuration:
-                                  description: The duration to refetch after a failed
-                                    fetch.
-                                  type: string
-                                fastListener:
-                                  type: boolean
-                              type: object
                             backendRef:
                               description: |-
                                 BackendRef references a Kubernetes object that represents the
@@ -26258,7 +26246,11 @@ spec:
                               type: object
                             cacheDuration:
                               default: 300s
+                              description: |-
+                                Duration is a string value representing a duration in time. The format is as specified
+                                in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.
                               format: duration
+                              pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                               type: string
                             uri:
                               description: |-

Original file line number	Diff line number	Diff line change
`@@ -1016,7 +1016,6 @@ func (t *Translator) buildRemoteJWKS(`
`1016`	`1016`	`Traffic: traffic,`
`1017`	`1017`	`URI: remoteJWKS.URI,`
`1018`	`1018`	`CacheDuration: remoteJWKS.CacheDuration,`
`1019`		`- AsyncFetch: (*ir.JwksAsyncFetch)(remoteJWKS.AsyncFetch),`
`1020`	`1019`	`}, nil`
`1021`	`1020`	`}`
`1022`	`1021`