Reduce default jwt_cache_size to 1000 (#798)
Based on the discussion in #782, the original estimate was incorrect. This reduces the maximum memory usage from ~410 MB to 4.35 MB.

Fixes #782
nareddyt authored Mar 23, 2023
1 parent 557e79d commit 66f0163
Showing 6 changed files with 13 additions and 12 deletions.
3 changes: 2 additions & 1 deletion docker/generic/start_proxy.py
Expand Up @@ -594,7 +594,8 @@ def make_argparser():
help='''
Specify JWT cache size, the number of unique JWT tokens in the cache. The cache only stores verified
good tokens. If 0, JWT cache is disabled. It limits the memory usage. The cache used memory
is roughly (token size + 64 bytes) per token. If not specified, the default is 100000.'''
is roughly (at most 4 KB data + 64 bytes metadata) per token. If not specified, the default is 1000,
which represents a max memory usage of 4.35 MB.'''
)
parser.add_argument(
'--jwks_cache_duration_in_s',
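Review bot: The new help text's arithmetic does not match its own figure: 1000 tokens × (4 KB data + 64 bytes metadata) comes to roughly 4.1–4.2 MB depending on whether KB means 1000 or 1024 bytes, not the 4.35 MB stated here and repeated in the `// Max memory usage: 4.35 MB` comment added in src/go/options/configgenerator.go. If 4.35 MB is the measured value from #782 and includes overhead the per-token formula omits, the text should say so, e.g. `is roughly (at most 4 KB data + 64 bytes metadata) per token plus cache overhead. If not specified, the default is 1000, which was measured at about 4.35 MB maximum (see #782).'''`. The `at most 4 KB data` bound is also new; nothing in this hunk shows where a token larger than 4 KB is truncated or refused by the cache, so confirm that the cache enforces that limit before documenting it as a guarantee. make_argparser starts and ends outside the hunk.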
6 changes: 3 additions & 3 deletions examples/auth/envoy_config.json
Expand Up @@ -188,7 +188,7 @@
],
"issuer": "[email protected]",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -221,7 +221,7 @@
],
"issuer": "https://securetoken.google.com/apiproxy-231719",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -254,7 +254,7 @@
],
"issuer": "https://accounts.google.com",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
2 changes: 1 addition & 1 deletion examples/grpc_dynamic_routing/envoy_config.json
Expand Up @@ -280,7 +280,7 @@
],
"issuer": "[email protected]",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
2 changes: 1 addition & 1 deletion src/go/configmanager/flags/flags.go
Expand Up @@ -144,7 +144,7 @@ var (
JwksFetchRetryBackOffMaxIntervalMs = flag.Int("jwks_fetch_retry_back_off_max_interval_ms", int(defaults.JwksFetchRetryBackOffMaxInterval.Milliseconds()), `Specify JWKS fetch retry exponential back off maximum interval in milliseconds. The default is 32 seconds.`)
JwtPatForwardPayloadHeader = flag.Bool("jwt_pad_forward_payload_header", defaults.JwtPadForwardPayloadHeader, `For the JWT in request, the JWT payload is forwarded to backend in the "X-Endpoint-API-UserInfo"" header by default.
Normally JWT based64 encode doesn’t add padding. If this flag is true, the header will be padded.`)
JwtCacheSize = flag.Uint("jwt_cache_size", defaults.JwtCacheSize, `Specify JWT cache size, the number of unique JWT tokens in the cache. The cache only stores verified good tokens. If 0, JWT cache is disabled. It limits the memory usage. The cache used memory is roughly (token size + 64 bytes) per token. If not specified, the default is 100000.`)
JwtCacheSize = flag.Uint("jwt_cache_size", defaults.JwtCacheSize, `Specify JWT cache size, the number of unique JWT tokens in the cache. The cache only stores verified good tokens. If 0, JWT cache is disabled. It limits the memory usage. The cache used memory is roughly (token size + 64 bytes) per token. If not specified, the default is 1000.`)

DisableJwtAudienceServiceNameCheck = flag.Bool("disable_jwt_audience_service_name_check", defaults.DisableJwtAudienceServiceNameCheck, `Normally JWT "aud" field is checked against audiences specified in OpenAPI "x-google-audiences" field. This flag changes the behaviour when the "x-google-audiences" is not specified. When the "x-google-audiences" is not specified, normally the service name is used to check the JWT "aud" field. If this flag is true, the service name is not used, JWT "aud" field will not be checked.`)

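Review bot: The Go flag description still carries the old per-token estimate `(token size + 64 bytes)` while the equivalent help text for the same flag in docker/generic/start_proxy.py is updated in this commit to `at most 4 KB data + 64 bytes metadata` with a 4.35 MB figure for the default; the two user-facing descriptions of one flag should agree. Consider `JwtCacheSize = flag.Uint("jwt_cache_size", defaults.JwtCacheSize, `Specify JWT cache size, the number of unique JWT tokens in the cache. The cache only stores verified good tokens. If 0, JWT cache is disabled. It limits the memory usage. The cache used memory is roughly (at most 4 KB data + 64 bytes metadata) per token. If not specified, the default is 1000, which represents a max memory usage of 4.35 MB.`)`. The default itself is taken from defaults.JwtCacheSize, which src/go/options/configgenerator.go sets to 1000 in this commit, so the number in the text and the code agree. The enclosing `var (` block starts and ends outside the hunk.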
10 changes: 5 additions & 5 deletions src/go/configmanager/testdata/test_fetch_listeners.go
Expand Up @@ -352,7 +352,7 @@ var (
],
"issuer": "https://test_issuer.google.com/",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -637,7 +637,7 @@ var (
],
"issuer": "https://test_issuer.google.com/",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -1155,7 +1155,7 @@ var (
],
"issuer": "https://test_issuer.google.com/",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -1188,7 +1188,7 @@ var (
],
"issuer": "https://test_issuer.google.com/",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -2158,7 +2158,7 @@ var (
],
"issuer": "https://test_issuer.google.com/",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
2 changes: 1 addition & 1 deletion src/go/options/configgenerator.go
Expand Up @@ -177,7 +177,7 @@ func DefaultConfigGeneratorOptions() ConfigGeneratorOptions {
JwksFetchNumRetries: 0,
JwksFetchRetryBackOffBaseInterval: 200 * time.Millisecond,
JwksFetchRetryBackOffMaxInterval: 32 * time.Second,
JwtCacheSize: 100 * 1000,
JwtCacheSize: 1000, // Max memory usage: 4.35 MB
ListenerAddress: "0.0.0.0",
ListenerPort: 8080,
TokenAgentPort: 8791,
