Reduce default jwt_cache_size to 1000 #798

Merged
merged 2 commits into from
Mar 23, 2023
3 changes: 2 additions & 1 deletion docker/generic/start_proxy.py
Expand Up @@ -594,7 +594,8 @@ def make_argparser():
help='''
Specify JWT cache size, the number of unique JWT tokens in the cache. The cache only stores verified
good tokens. If 0, JWT cache is disabled. It limits the memory usage. The cache used memory
is roughly (token size + 64 bytes) per token. If not specified, the default is 100000.'''
is roughly (token size + 64 bytes) per token. If not specified, the default is 1000,
which represents a max memory usage of 4.35 MB.'''
)
parser.add_argument(
'--jwks_cache_duration_in_s',
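Review bot: The "max memory usage of 4.35 MB" added on the second new line is a derived figure with no stated basis: by the formula quoted just above it ((token size + 64 bytes) per token), 1000 tokens reaching 4.35 MB implies an assumed token of roughly 4.3 KB, and the help text never says so, so an operator with smaller or larger tokens cannot tell whether the number applies to them. Stating the assumption keeps the sentence honest, e.g. `is roughly (token size + 64 bytes) per token. If not specified, the default is 1000, which` / `is roughly 4.35 MB assuming tokens of about 4.3 KB.'''`. The same unexplained figure is repeated as the trailing comment in src/go/options/configgenerator.go, which should carry the same assumption. Since the text already says the cache holds only verified good tokens and is sized by unique tokens, it would also help to add one sentence that deployments seeing more than 1000 distinct tokens at a time will re-verify evicted tokens more often and may want a larger value. make_argparser begins outside the hunk.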
6 changes: 3 additions & 3 deletions examples/auth/envoy_config.json
Expand Up @@ -188,7 +188,7 @@
],
"issuer": "[email protected]",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -221,7 +221,7 @@
],
"issuer": "https://securetoken.google.com/apiproxy-231719",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -254,7 +254,7 @@
],
"issuer": "https://accounts.google.com",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
2 changes: 1 addition & 1 deletion examples/grpc_dynamic_routing/envoy_config.json
Expand Up @@ -280,7 +280,7 @@
],
"issuer": "[email protected]",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
2 changes: 1 addition & 1 deletion src/go/configmanager/flags/flags.go
Expand Up @@ -144,7 +144,7 @@ var (
JwksFetchRetryBackOffMaxIntervalMs = flag.Int("jwks_fetch_retry_back_off_max_interval_ms", int(defaults.JwksFetchRetryBackOffMaxInterval.Milliseconds()), `Specify JWKS fetch retry exponential back off maximum interval in milliseconds. The default is 32 seconds.`)
JwtPatForwardPayloadHeader = flag.Bool("jwt_pad_forward_payload_header", defaults.JwtPadForwardPayloadHeader, `For the JWT in request, the JWT payload is forwarded to backend in the "X-Endpoint-API-UserInfo"" header by default.
Normally JWT based64 encode doesn’t add padding. If this flag is true, the header will be padded.`)
JwtCacheSize = flag.Uint("jwt_cache_size", defaults.JwtCacheSize, `Specify JWT cache size, the number of unique JWT tokens in the cache. The cache only stores verified good tokens. If 0, JWT cache is disabled. It limits the memory usage. The cache used memory is roughly (token size + 64 bytes) per token. If not specified, the default is 100000.`)
JwtCacheSize = flag.Uint("jwt_cache_size", defaults.JwtCacheSize, `Specify JWT cache size, the number of unique JWT tokens in the cache. The cache only stores verified good tokens. If 0, JWT cache is disabled. It limits the memory usage. The cache used memory is roughly (token size + 64 bytes) per token. If not specified, the default is 1000.`)

DisableJwtAudienceServiceNameCheck = flag.Bool("disable_jwt_audience_service_name_check", defaults.DisableJwtAudienceServiceNameCheck, `Normally JWT "aud" field is checked against audiences specified in OpenAPI "x-google-audiences" field. This flag changes the behaviour when the "x-google-audiences" is not specified. When the "x-google-audiences" is not specified, normally the service name is used to check the JWT "aud" field. If this flag is true, the service name is not used, JWT "aud" field will not be checked.`)

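Review bot: The new flag help hard-codes "the default is 1000" even though the actual default on the same line is read from defaults.JwtCacheSize, which is exactly how the old text drifted to a stale 100000 before this commit. Building the sentence from the value keeps them in sync, e.g. `fmt.Sprintf("... The cache used memory is roughly (token size + 64 bytes) per token. If not specified, the default is %d.", defaults.JwtCacheSize)`; the neighbouring jwks_fetch_retry_back_off_max_interval_ms help hard-codes its default the same way, so this is a file-wide style point rather than one introduced here. The Go help and the Python start_proxy.py help in this PR also now describe the same default differently, the Python one adding a memory figure and this one not; keeping the two operator-facing descriptions identical avoids confusion about which one is authoritative. The enclosing var block starts outside the hunk.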
10 changes: 5 additions & 5 deletions src/go/configmanager/testdata/test_fetch_listeners.go
Expand Up @@ -352,7 +352,7 @@ var (
],
"issuer": "https://test_issuer.google.com/",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -637,7 +637,7 @@ var (
],
"issuer": "https://test_issuer.google.com/",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -1155,7 +1155,7 @@ var (
],
"issuer": "https://test_issuer.google.com/",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -1188,7 +1188,7 @@ var (
],
"issuer": "https://test_issuer.google.com/",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
Expand Down Expand Up @@ -2158,7 +2158,7 @@ var (
],
"issuer": "https://test_issuer.google.com/",
"jwtCacheConfig": {
"jwtCacheSize": 100000
"jwtCacheSize": 1000
},
"payloadInMetadata": "jwt_payloads",
"remoteJwks": {
2 changes: 1 addition & 1 deletion src/go/options/configgenerator.go
Expand Up @@ -177,7 +177,7 @@ func DefaultConfigGeneratorOptions() ConfigGeneratorOptions {
JwksFetchNumRetries: 0,
JwksFetchRetryBackOffBaseInterval: 200 * time.Millisecond,
JwksFetchRetryBackOffMaxInterval: 32 * time.Second,
JwtCacheSize: 100 * 1000,
JwtCacheSize: 1000, // Max memory usage: 4.35 MB
ListenerAddress: "0.0.0.0",
ListenerPort: 8080,
TokenAgentPort: 8791,