envoyproxy · arkodg · Sep 27, 2025 · Jul 30, 2025 · Jul 30, 2025 · Aug 17, 2025
@@ -5,7 +5,9 @@
 
 package v1alpha1
 
-import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+import (
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
 
 // JWT defines the configuration for JSON Web Token (JWT) authentication.
 type JWT struct {
@@ -108,6 +110,11 @@ type RemoteJWKS struct {
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=253
 	URI string `json:"uri"`
+	// Duration after which the cached JWKS should be expired. If not specified, default cache duration is 5 minutes.
+
+	// +kubebuilder:default="300s"
+	// +optional
+	CacheDuration *gwapiv1.Duration `json:"cacheDuration,omitempty"`
 }
 
 // LocalJWKSType defines the types of values for Local JWKS.

@@ -3761,6 +3761,13 @@ spec:
                                       type: object
                                   type: object
                               type: object
+                            cacheDuration:
+                              default: 300s
+                              description: |-
+                                Duration is a string value representing a duration in time. The format is as specified
+                                in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.
+                              pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+                              type: string
                             uri:
                               description: |-
                                 URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate.

@@ -3760,6 +3760,13 @@ spec:
                                       type: object
                                   type: object
                               type: object
+                            cacheDuration:
+                              default: 300s
+                              description: |-
+                                Duration is a string value representing a duration in time. The format is as specified
+                                in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.
+                              pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+                              type: string
                             uri:
                               description: |-
                                 URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate.

@@ -12,6 +12,7 @@ spec:
     - name: example
       remoteJWKS:
         uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
+        cacheDuration: 60s
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute

@@ -84,6 +84,7 @@ spec:
       - name: example
         remoteJWKS:
           uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
+          cacheDuration: 300s
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute

@@ -383,6 +383,7 @@ securityPolicies:
       providers:
       - name: example
         remoteJWKS:
+          cacheDuration: 300s
           uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
     targetRef:
       group: gateway.networking.k8s.io

@@ -1007,10 +1007,11 @@ func (t *Translator) buildRemoteJWKS(
 	envoyProxy *egv1a1.EnvoyProxy,
 ) (*ir.RemoteJWKS, error) {
 	var (
-		protocol ir.AppProtocol
-		rd       *ir.RouteDestination
-		traffic  *ir.TrafficFeatures
-		err      error
+		protocol      ir.AppProtocol
+		rd            *ir.RouteDestination
+		traffic       *ir.TrafficFeatures
+		err           error
+		cacheDuration *metav1.Duration
 	)
 
 	u, err := url.Parse(remoteJWKS.URI)
@@ -1037,10 +1038,19 @@ func (t *Translator) buildRemoteJWKS(
 		}
 	}
 
+	if remoteJWKS.CacheDuration != nil {
+		d, err := time.ParseDuration(string(*remoteJWKS.CacheDuration))
+		if err != nil {
+			return nil, err
+		}
+		cacheDuration = ir.MetaV1DurationPtr(d)
+	}
+
 	return &ir.RemoteJWKS{
-		Destination: rd,
-		Traffic:     traffic,
-		URI:         remoteJWKS.URI,
+		Destination:   rd,
+		Traffic:       traffic,
+		URI:           remoteJWKS.URI,
+		CacheDuration: cacheDuration,
 	}, nil
 }
 

@@ -1077,6 +1077,9 @@ type RemoteJWKS struct {
 	// URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate.
 	// If a custom trust bundle is needed, it can be specified in a BackendTLSConfig resource and target the BackendRefs.
 	URI string `json:"uri"`
+
+	// Duration after which the cached JWKS should be expired. If not specified, default cache duration is 5 minutes.
+	CacheDuration *metav1.Duration `json:"cacheDuration,omitempty"`
 }
 
 // OIDC defines the schema for authenticating HTTP requests using

@@ -8,7 +8,6 @@ package translator
 import (
 	"errors"
 	"fmt"
-	"time"
 
 	corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
@@ -159,11 +158,13 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 							},
 							Timeout: durationpb.New(defaultExtServiceRequestTimeout),
 						},
-						CacheDuration: durationpb.New(5 * time.Minute),
-						AsyncFetch:    &jwtauthnv3.JwksAsyncFetch{},
+
+						AsyncFetch: &jwtauthnv3.JwksAsyncFetch{},
 					},
 				}
-
+				if jwks.CacheDuration != nil {
+					remote.RemoteJwks.CacheDuration = durationpb.New(jwks.CacheDuration.Duration)
+				}
 				// Set the retry policy if it exists.
 				if jwks.Traffic != nil && jwks.Traffic.Retry != nil {
 					var rp *corev3.RetryPolicy

@@ -55,6 +55,7 @@ http:
           name: example1
           remoteJWKS:
             uri: https://two.example.com/jwt/public-key/jwks.json
+            cacheDuration: 300s
   - destination:
       name: httproute/default/httproute-2/rule/0
       settings:
@@ -99,3 +100,5 @@ http:
           name: example1
           remoteJWKS:
             uri: https://one.example.com/jwt/public-key/jwks.json
+            cacheDuration: 300s
+
@@ -55,6 +55,7 @@ http:
           name: example1
           remoteJWKS:
             uri: https://two.example.com/jwt/public-key/jwks.json
+            cacheDuration: 300s
   - destination:
       name: httproute/default/httproute-2/rule/0
       settings:
@@ -95,3 +96,5 @@ http:
           name: example1
           remoteJWKS:
             uri: https://one.example.com/jwt/public-key/jwks.json
+            cacheDuration: 300s
+
@@ -52,6 +52,7 @@ http:
           name: example1
           remoteJWKS:
             uri: https://one.example.com/jwt/public-key/jwks.json
+            cacheDuration: 300s
         - audiences:
           - two.foo.com
           claimToHeaders:
@@ -61,6 +62,7 @@ http:
           name: example2
           remoteJWKS:
             uri: http://two.example.com/jwt/public-key/jwks.json
+            cacheDuration: 300s
     envoyExtensions:
       wasms:
       - config:

@@ -21,6 +21,7 @@ http:
           - foo.com
           remoteJWKS:
             uri: https://localhost/jwt/public-key/jwks.json
+            cacheDuration: 300s
           extractFrom:
             cookies:
             - session_access_token

@@ -21,6 +21,7 @@ http:
           - foo.com
           remoteJWKS:
             uri: http://localhost/jwt/public-key/jwks.json
+            cacheDuration: 300s
           claimToHeaders:
           - header: one-route-example-key1
             claim: claim.neteased.key
@@ -64,6 +65,7 @@ http:
           - foo.com
           remoteJWKS:
             uri: http://localhost/jwt/public-key/jwks.json
+            cacheDuration: 300s
           claimToHeaders:
           - header: second-route-example-key1
             claim: claim.neteased.key
@@ -74,6 +76,7 @@ http:
           - two.foo.com
           remoteJWKS:
             uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+            cacheDuration: 300s
     destination:
       name: "second-route-www.test.com-dest"
       settings:

@@ -26,6 +26,7 @@ http:
           - foo.com
           remoteJWKS:
             uri: https://localhost/jwt/public-key/jwks.json
+            cacheDuration: 300s
           claimToHeaders:
           - header: first-route-key
             claim: claim.neteased.key
@@ -49,6 +50,7 @@ http:
           - foo.com
           remoteJWKS:
             uri: https://localhost/jwt/public-key/jwks.json
+            cacheDuration: 300s
     destination:
       name: "second-route-dest"
       settings:

@@ -21,6 +21,7 @@ http:
           - foo.com
           remoteJWKS:
             uri: https://localhost/jwt/public-key/jwks.json
+            cacheDuration: 300s
           extractFrom:
             cookies:
             - session_access_token

@@ -43,6 +43,7 @@ http:
           - foo.com
           remoteJWKS:
             uri: https://192.168.1.250/jwt/public-key/jwks.json
+            cacheDuration: 300s
   - name: "second-route"
     hostname: "*"
     traffic:

@@ -21,6 +21,7 @@ http:
           - foo.com
           remoteJWKS:
             uri: https://localhost/jwt/public-key/jwks.json
+            cacheDuration: 300s
     destination:
       name: "first-route-dest"
       settings:

@@ -75,3 +75,4 @@ http:
                   - gateway-error
                   - reset
             uri: https://foo.bar.com/jwt/public-key/jwks.json
+            cacheDuration: 300s
@@ -28,6 +28,7 @@ http:
                 name: example1
                 remoteJWKS:
                   uri: https://oauth.foo.com/jwt/public-key/jwks.json
+                  cacheDuration: 300s
               - issuer: https://oauth.foo.com
                 name: example2
                 extractFrom:
@@ -37,6 +38,7 @@ http:
                     - name: MyHeaderNoPrefix
                 remoteJWKS:
                   uri: https://oauth.foo.com/jwt/public-key/jwks.json
+                  cacheDuration: 300s
               - issuer: https://oauth.foo.com
                 name: example3
                 extractFrom:
@@ -45,6 +47,7 @@ http:
                     - Cookie1
                 remoteJWKS:
                   uri: https://oauth.foo.com/jwt/public-key/jwks.json
+                  cacheDuration: 300s
               - issuer: https://oauth.foo.com
                 name: example4
                 extractFrom:
@@ -53,6 +56,7 @@ http:
                     - Param1
                 remoteJWKS:
                   uri: https://oauth.foo.com/jwt/public-key/jwks.json
+                  cacheDuration: 300s
           oidc:
             clientID: client.oauth.foo.com
             clientSecret: Y2xpZW50MTpzZWNyZXQK

@@ -61,6 +61,7 @@ http:
           name: exjwt
           remoteJWKS:
             uri: https://oidc.example.com/auth/realms/example/protocol/openid-connect/certs
+            cacheDuration: 300s
       oidc:
         clientID: prometheus
         clientSecret: '[redacted]'

@@ -13,6 +13,7 @@ new features: |
   Added support for RetryPolicy in gRPC ExtAuth callouts via SecurityPolicy backend settings fields.
   Added support for late response headers in ClientTrafficPolicy.
   Added max connection/stream duration and max requests per connection to ClientTrafficPolicy.
+  Added cacheDuration for remoteJWKS in SecurityPolicy.
 
 bug fixes: |
   Fixed %ROUTE_KIND% operator to be lower-cased when used by clusterStatName in EnvoyProxy API.

@@ -4370,6 +4370,7 @@ _Appears in:_
 | `backendRefs` | _[BackendRef](#backendref) array_ |  false  |  | BackendRefs references a Kubernetes object that represents the<br />backend server to which the authorization request will be sent. |
 | `backendSettings` | _[ClusterSettings](#clustersettings)_ |  false  |  | BackendSettings holds configuration for managing the connection<br />to the backend. |
 | `uri` | _string_ |  true  |  | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate.<br />If a custom trust bundle is needed, it can be specified in a BackendTLSConfig resource and target the BackendRefs. |
+| `cacheDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ |  false  | 300s |  |
 
 
 #### ReplaceRegexMatch

@@ -152,6 +152,7 @@ spec:
               retryOn:
                 triggers: ["5xx", "gateway-error", "reset"]
           uri: https://remote-jwks-server.gateway-conformance-infra/jwt/jwks.json
+          cacheDuration: 300s
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute

@@ -21,6 +21,7 @@ spec:
             header: x-name
         remoteJWKS:
           uri: http://static-file-server.gateway-conformance-infra/jwt/jwks.json
+          cacheDuration: 300s
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute

@@ -85,6 +85,8 @@ spec:
     - name: "keycloak"  # This is needed so JWTs generated through the OIDC flow can be validated
       remoteJWKS:
         uri: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/certs"
+        cacheDuration: 300s
     - name: "example"  # This allows us to use the static JWTs in the test
       remoteJWKS:
         uri: "http://static-file-server.gateway-conformance-infra/jwt/jwks.json"
+        cacheDuration: 300s
@@ -43575,6 +43575,13 @@ spec:
                                       type: object
                                   type: object
                               type: object
+                            cacheDuration:
+                              default: 300s
+                              description: |-
+                                Duration is a string value representing a duration in time. The format is as specified
+                                in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.
+                              pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+                              type: string
                             uri:
                               description: |-
                                 URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate.