jwt_authn: RemoteJwks to support RetryPolicy config #16319

[alichnewsky]

Signed-off-by: Anthony Lichnewsky alichnewsky@users.noreply.github.com

Commit Message: jwt_authn: RemoteJwks to support RetryPolicy config #16319 ( only for background fetches failing )
Additional Description: following up on comments and code pruned from background jwks refresh mechanism from #16298.
Risk Level: Low, default number of retries set to zero. truncated exponential backoff requires explicit configuration.
Testing: Only mock-based unit tests so far. Haven't been able to get it ( or the background jwks fetch option, for that matter ) built in esp-v2 so far.
Docs Changes:
Release Notes:
Platform Specific Features:
Fixes #16319

[repokitteh-read-only]

Hi @alichnewsky, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #16924 was opened by alichnewsky.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #16924 was opened by alichnewsky.

see: more, trace.

[alichnewsky]

this is really code that @qiwzhang was already looking at.
I am not married to this implementation, my goal is to get the ball running.

The issue of missing retries was encountered during load tests on services proxied behind Google Cloud Platform's ESPv2

[markdroth]

/lgtm api

[lizan]

/lgtm api
/wait for impl

[qiwzhang]

Look good. Thank you very much!

[lizan]

Sorry for being late on this.

While this shares same config from router's RetryPolicy, but we're not on same implementations. The HTTP Async Client specifies a NullRetryPolicy here, the optimal way should be allow setting a RetryPolicy in HTTP Async Client, instead of having another implementation and test.

[alichnewsky]

I force-pushed into this PR the new branch implementing this PR the way @lizan and @qiwzhang suggested.
It looks like it broke CI since the logs from the azure devops pipeline are consistent with the wrong code being checked out.
Most likely some relying on a cache ...

can you please advise?
should I just create another PR ?

[alichnewsky]

I force-pushed into this PR the new branch implementing this PR the way @lizan and @qiwzhang suggested.
It looks like it broke CI since the logs from the azure devops pipeline are consistent with the wrong code being checked out.
Most likely some relying on a cache ...

can you please advise?
should I just create another PR ?

the last requested changes have been pushed on top of the same branch after the forced update, and the azure pipeline still fails for similar reasons ( most likely the ci scripts can't figure out where to rebase because a force-push occurred? )
clearly it complains about an error in a file I modified with a line number that would make sense only if the file didn't contain my modifications.

Please advise.

[qiwzhang]

LGTM. Thanks

[lizan]

Thanks! This LGTM with just one nit

[lizan]

@alichnewsky The CI failure is real, can you try merge main and see if it fails locally? It might be another merged PR affect it.

[alichnewsky]

@alichnewsky The CI failure is real, can you try merge main and see if it fails locally? It might be another merged PR affect it.

you are indeed correct. my bad. correction is trivial, but a some code outside the scope of this PR does not pass spellchecking, formatting, ?clang-tidy? pre-push checks.

[alichnewsky]

@alichnewsky The CI failure is real, can you try merge main and see if it fails locally? It might be another merged PR affect it.

you are indeed correct. my bad. correction is trivial, but a some code outside the scope of this PR does not pass spellchecking, formatting, ?clang-tidy? pre-push checks.

it may take me a couple of days to figure out how to fix these ...
stuff like this:

Checking format for test/extensions/filters/http/wasm/test_data/test_body_cpp.cc - ERROR: From ./test/extensions/filters/http/wasm/test_data/test_body_cpp.cc
ERROR: ./test/extensions/filters/http/wasm/test_data/test_body_cpp.cc:16: Don't use std::string_view or toStdStringView; use absl::string_view instead
ERROR: check format failed. run 'tools/code_format/check_format.py fix'
error: failed to push some refs to 'https://github.com/alichnewsky/envoy'

[alichnewsky]

at this point, I have pushed all the changes I intended to make, and the azure pipeline still fails ( various timeouts, after 3h).

I am not authorized to re-run the failed jobs... The only thing I can do is add a comment somewhere push that and rebuild everything again, which hardly sounds correct.

Please advise.

[lizan]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #16924 (comment) was created by @lizan.

see: more, trace.

[alichnewsky]

still the same issue it takes more than 3h just to pass the unit tests on mac.. so the tests get cancelled.
I wouldn't mind adding a timeout=300 parameter here, but I am not even sure that would do the trick.

Alternatively, I could just try to retest as you did every now and then and just hope some ci agent host gets less busy at some point ?