diff --git a/docker/generic/start_proxy.py b/docker/generic/start_proxy.py
index 6d28e7e11..098c2211a 100644
--- a/docker/generic/start_proxy.py
+++ b/docker/generic/start_proxy.py
@@ -594,7 +594,8 @@ def make_argparser():
 help=''' Specify JWT cache size, the number of unique JWT tokens in the cache. The cache only stores verified good tokens. If 0, JWT cache is disabled. It limits the memory usage. The cache used memory
- is roughly (token size + 64 bytes) per token. If not specified, the default is 100000.'''
+ is roughly (at most 4 KB data + 64 bytes metadata) per token. If not specified, the default is 1000,
+ which represents a max memory usage of 4.35 MB.'''
 )
 parser.add_argument(
 '--jwks_cache_duration_in_s',
diff --git a/examples/auth/envoy_config.json b/examples/auth/envoy_config.json
index ed0276b9a..14f0c2766 100644
--- a/examples/auth/envoy_config.json
+++ b/examples/auth/envoy_config.json
@@ -188,7 +188,7 @@
 ],
 "issuer": "123456789-compute@developer.gserviceaccount.com",
 "jwtCacheConfig": {
- "jwtCacheSize": 100000
+ "jwtCacheSize": 1000
 },
 "payloadInMetadata": "jwt_payloads",
 "remoteJwks": {
@@ -221,7 +221,7 @@
 ],
 "issuer": "https://securetoken.google.com/apiproxy-231719",
 "jwtCacheConfig": {
- "jwtCacheSize": 100000
+ "jwtCacheSize": 1000
 },
 "payloadInMetadata": "jwt_payloads",
 "remoteJwks": {
@@ -254,7 +254,7 @@
 ],
 "issuer": "https://accounts.google.com",
 "jwtCacheConfig": {
- "jwtCacheSize": 100000
+ "jwtCacheSize": 1000
 },
 "payloadInMetadata": "jwt_payloads",
 "remoteJwks": {
diff --git a/examples/grpc_dynamic_routing/envoy_config.json b/examples/grpc_dynamic_routing/envoy_config.json
index f2b8ee46b..1c66cd37b 100644
--- a/examples/grpc_dynamic_routing/envoy_config.json
+++ b/examples/grpc_dynamic_routing/envoy_config.json
@@ -280,7 +280,7 @@
 ],
 "issuer": "e2e-client-jwk@cloudesf-testing.iam.gserviceaccount.com",
 "jwtCacheConfig": {
- "jwtCacheSize": 100000
+ "jwtCacheSize": 1000
 },
 "payloadInMetadata": "jwt_payloads",
 "remoteJwks": {
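Review bot: The two figures in the new help text do not multiply out: 1000 tokens x (4 KB + 64 bytes) is about 4.16 MB (just under 4 MiB), not the 4.35 MB stated, and the same 4.35 MB appears in the new trailing comment in src/go/options/configgenerator.go. If the bound includes per-entry overhead beyond the 64 bytes of metadata, say so in the help text; otherwise align the number with the formula it follows. The Go usage string for the same flag in src/go/configmanager/flags/flags.go still gives the per-token cost as `(token size + 64 bytes)` while this text now says `(at most 4 KB data + 64 bytes metadata)`, so the two descriptions of the same cache disagree on whether a per-token size cap exists; pick one wording and use it in both. make_argparser's body starts and ends outside the hunk.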
diff --git a/src/go/configmanager/flags/flags.go b/src/go/configmanager/flags/flags.go
index d9a2911e5..c05a679ca 100644
--- a/src/go/configmanager/flags/flags.go
+++ b/src/go/configmanager/flags/flags.go
@@ -144,7 +144,7 @@ var (
 JwksFetchRetryBackOffMaxIntervalMs = flag.Int("jwks_fetch_retry_back_off_max_interval_ms", int(defaults.JwksFetchRetryBackOffMaxInterval.Milliseconds()), `Specify JWKS fetch retry exponential back off maximum interval in milliseconds. The default is 32 seconds.`)
 JwtPatForwardPayloadHeader = flag.Bool("jwt_pad_forward_payload_header", defaults.JwtPadForwardPayloadHeader, `For the JWT in request, the JWT payload is forwarded to backend in the "X-Endpoint-API-UserInfo"" header by default. Normally JWT based64 encode doesn’t add padding. If this flag is true, the header will be padded.`)
- JwtCacheSize = flag.Uint("jwt_cache_size", defaults.JwtCacheSize, `Specify JWT cache size, the number of unique JWT tokens in the cache. The cache only stores verified good tokens. If 0, JWT cache is disabled. It limits the memory usage. The cache used memory is roughly (token size + 64 bytes) per token. If not specified, the default is 100000.`)
+ JwtCacheSize = flag.Uint("jwt_cache_size", defaults.JwtCacheSize, `Specify JWT cache size, the number of unique JWT tokens in the cache. The cache only stores verified good tokens. If 0, JWT cache is disabled. It limits the memory usage. The cache used memory is roughly (token size + 64 bytes) per token. If not specified, the default is 1000.`)
 DisableJwtAudienceServiceNameCheck = flag.Bool("disable_jwt_audience_service_name_check", defaults.DisableJwtAudienceServiceNameCheck, `Normally JWT "aud" field is checked against audiences specified in OpenAPI "x-google-audiences" field. This flag changes the behaviour when the "x-google-audiences" is not specified. When the "x-google-audiences" is not specified, normally the service name is used to check the JWT "aud" field. If this flag is true, the service name is not used, JWT "aud" field will not be checked.`)
diff --git a/src/go/configmanager/testdata/test_fetch_listeners.go b/src/go/configmanager/testdata/test_fetch_listeners.go
index 06c902d51..a833b0967 100644
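Review bot: The new usage string hardcodes `the default is 1000.` while the value actually registered is `defaults.JwtCacheSize`, so the prose and the default can drift apart, as this commit itself shows by having to touch the literal here, in docker/generic/start_proxy.py and in src/go/options/configgenerator.go. Go's flag package already appends `(default N)` to the usage output from the value passed to `flag.Uint`, so the sentence can simply be dropped; if the prose is wanted, build it from the constant, e.g. `fmt.Sprintf("... If not specified, the default is %d.", defaults.JwtCacheSize)`, assuming fmt is available in this file. The enclosing `var (` block starts and ends outside the hunk.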
--- a/src/go/configmanager/testdata/test_fetch_listeners.go
+++ b/src/go/configmanager/testdata/test_fetch_listeners.go
@@ -352,7 +352,7 @@ var (
 ],
 "issuer": "https://test_issuer.google.com/",
 "jwtCacheConfig": {
- "jwtCacheSize": 100000
+ "jwtCacheSize": 1000
 },
 "payloadInMetadata": "jwt_payloads",
 "remoteJwks": {
@@ -637,7 +637,7 @@ var (
 ],
 "issuer": "https://test_issuer.google.com/",
 "jwtCacheConfig": {
- "jwtCacheSize": 100000
+ "jwtCacheSize": 1000
 },
 "payloadInMetadata": "jwt_payloads",
 "remoteJwks": {
@@ -1155,7 +1155,7 @@ var (
 ],
 "issuer": "https://test_issuer.google.com/",
 "jwtCacheConfig": {
- "jwtCacheSize": 100000
+ "jwtCacheSize": 1000
 },
 "payloadInMetadata": "jwt_payloads",
 "remoteJwks": {
@@ -1188,7 +1188,7 @@ var (
 ],
 "issuer": "https://test_issuer.google.com/",
 "jwtCacheConfig": {
- "jwtCacheSize": 100000
+ "jwtCacheSize": 1000
 },
 "payloadInMetadata": "jwt_payloads",
 "remoteJwks": {
@@ -2158,7 +2158,7 @@ var (
 ],
 "issuer": "https://test_issuer.google.com/",
 "jwtCacheConfig": {
- "jwtCacheSize": 100000
+ "jwtCacheSize": 1000
 },
 "payloadInMetadata": "jwt_payloads",
 "remoteJwks": {
diff --git a/src/go/options/configgenerator.go b/src/go/options/configgenerator.go
index 2ca9904d0..38e1fabf0 100644
--- a/src/go/options/configgenerator.go
+++ b/src/go/options/configgenerator.go
@@ -177,7 +177,7 @@ func DefaultConfigGeneratorOptions() ConfigGeneratorOptions {
 JwksFetchNumRetries: 0,
 JwksFetchRetryBackOffBaseInterval: 200 * time.Millisecond,
 JwksFetchRetryBackOffMaxInterval: 32 * time.Second,
- JwtCacheSize: 100 * 1000,
+ JwtCacheSize: 1000, // Max memory usage: 4.35 MB
 ListenerAddress: "0.0.0.0",
 ListenerPort: 8080,
 TokenAgentPort: 8791,
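Review bot: The trailing comment `// Max memory usage: 4.35 MB` on the new JwtCacheSize line in src/go/options/configgenerator.go records a product without the assumption it rests on: the bound only holds if each cached entry is capped at the roughly 4 KB of token data that the start_proxy.py help text describes, and that cap appears to be enforced by the Envoy JWT cache rather than by code in this repository, so a reader cannot re-derive or re-check the figure from here. Spell out the per-entry formula instead of the bare total, e.g. `// 1000 entries x (<=4 KB token + 64 B metadata) per the Envoy JWT cache; bounds cache memory to a few MB`, so the comment survives the next change to either factor. Lowering the default from 100000 to 1000 also means deployments with more than 1000 distinct live tokens will re-verify signatures for every evicted token, a CPU-for-memory trade that the flag help or release notes should state since the memory side is the only effect the comment records. DefaultConfigGeneratorOptions starts and ends outside the hunk.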