Adding a duration to the jwks cache to fix the race condition it creates.
Istio's Envoy proxy uses the default JWKS cache duration of 5 minutes, and the current RequestAuthentication configuration doesn't override this. When Keycloak rotates keys, Istio doesn't learn about the new keys until the cache expires.
Key Findings

- No explicit cache configuration: the RequestAuthentication file doesn't set jwksCacheDuration.
- Default behavior: without configuration, Istio caches JWKS for 5 minutes or respects the HTTP cache headers from Keycloak, whichever is shorter.
- No async refresh: the JWKS refresh happens synchronously when the cache expires, potentially causing delays.
- Multiple issuer rules: when using local Keycloak, 3 separate JWT rules are configured (lines 16-24 in request-authentication.yaml), each potentially maintaining its own cache.
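To make the exposure window concrete, the following is an added model (not code from this repository or from Istio) of the synchronous-refresh behaviour described in the findings: a proxy-side JWKS cache that is refreshed only when its TTL expires, plus a constructed scenario in which Keycloak rotates its signing key once while requests arrive every second. The issuer, the request rate and the rotation time are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Set

DEFAULT_CACHE_SECONDS = 300  # the 5-minute default described above


def effective_cache_seconds(configured: int, keycloak_max_age: Optional[int]) -> int:
    """The shorter of the cache duration and Keycloak's Cache-Control max-age wins."""
    if keycloak_max_age is None:
        return configured
    return min(configured, keycloak_max_age)


@dataclass
class JwksCache:
    """Model of the proxy-side JWKS cache: refreshed synchronously, only once the TTL has expired."""
    ttl: int
    fetch: Callable[[], Set[str]]  # stands in for the HTTPS fetch of the JWKS document
    kids: Set[str] = field(default_factory=set)
    fetched_at: int = -1

    def known_kids(self, now: int) -> Set[str]:
        if self.fetched_at < 0 or now - self.fetched_at >= self.ttl:
            self.kids = set(self.fetch())  # blocking refresh on the request that finds the cache stale
            self.fetched_at = now
        return self.kids


def rejection_window(ttl: int, rotate_at: int, horizon: int) -> int:
    """Seconds after rotation during which a token signed with the new key is rejected.

    Constructed scenario: one request per second, cache warmed at t=0,
    Keycloak replaces kid 'old' with kid 'new' at t=rotate_at.
    """
    issuer = {"kids": {"old"}}
    cache = JwksCache(ttl=ttl, fetch=lambda: issuer["kids"])
    cache.known_kids(0)
    rejected = 0
    for now in range(1, horizon):
        if now == rotate_at:
            issuer["kids"] = {"new"}  # Keycloak rotates; the proxy is not told
        kids = cache.known_kids(now)  # every request consults (and may refresh) the cache
        if now >= rotate_at and "new" not in kids:
            rejected += 1
    return rejected


if __name__ == "__main__":
    for ttl in (DEFAULT_CACHE_SECONDS, 60):
        print(f"ttl={ttl}s -> tokens signed with the new key rejected for {rejection_window(ttl, 100, 600)}s")
```

The rejected span is bounded by the effective cache duration, which is why setting a shorter jwksCacheDuration narrows the race without changing which tokens are ultimately accepted.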
Dependencies

The RequestAuthentication is used by:

- Istio Envoy sidecar: validates JWTs before forwarding to the application.
- AuthorizationPolicy: enforces that valid JWTs are present (except for the /info endpoint).
- IstioUserInfoProvider: extracts user info from validated JWT claims.

Nothing breaks by adding jwksCacheDuration; it only controls how often Istio refreshes its cache.