
Pilot fetches and distributes JWT public key (to sidecar) #4917

@diemtvu

Description

In 0.7, the Envoy sidecar needs to fetch the public key from the JwksURI (specified as part of the JWT filter config). This requires:

  • Pilot needs to create an outbound cluster (CDS) for each JwksURI, which has some conflicts with v2+v1alpha3 (particularly the concept of ExternalService).
  • In terms of performance, each sidecar will need to fetch the keys independently.

An alternative solution is to have pilot fetch the keys and distribute them to sidecars; sidecars can use the keys directly, without any extra communication to external services.

To make this work, the following assumptions/requirements need to be met:

  1. Pilot is allowed to talk to external web services. (Does the pilot sidecar need to be configured somehow?)
  2. Implementation of cache and key rotation in pilot (i.e. if a key is updated, it should trigger pilot to push new configs to services).
  3. Security concerns: is this acceptable if the control plane doesn't use mTLS?

Related issues:
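An added example of the pilot-side piece from point 2 above (cache plus key rotation), written for this page and not taken from the issue or from Istio; Go because Pilot is written in Go. The resolver fetches each jwksUri once, canonicalises the key set so formatting noise at the identity provider is not mistaken for a rotation, and on Refresh reports which URIs changed so the caller can push new config to the sidecars; a failed re-fetch keeps the last-known-good keys. It also only accepts keys over https, which is the fetch-side counterpart of the channel-authenticity concern in point 3. JwksResolver, canonicalJwks, the two placeholder key sets and the 1 MiB response cap are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync"
)

// Constructed JWKS documents standing in for an identity provider's key set before and
// after a rotation; the "n" values are placeholders, not real RSA moduli.
const (
	jwksV1 = `{"keys":[{"kty":"RSA","kid":"key-1","use":"sig","alg":"RS256","n":"placeholder-1","e":"AQAB"}]}`
	jwksV2 = `{"keys":[{"kty":"RSA","kid":"key-1","use":"sig","alg":"RS256","n":"placeholder-1","e":"AQAB"},
	                   {"kty":"RSA","kid":"key-2","use":"sig","alg":"RS256","n":"placeholder-2","e":"AQAB"}]}`
)

// JwksResolver is a hypothetical cache (not Istio's code) of JWKS documents keyed by jwksUri.
// Pilot would resolve each JWT rule's URI once, hand the key set to sidecars inline, and
// push new config for every URI that Refresh reports as changed.
type JwksResolver struct {
	client  *http.Client
	mu      sync.Mutex
	entries map[string]string // jwksUri -> canonical JWKS JSON
}

func NewJwksResolver(client *http.Client) *JwksResolver {
	return &JwksResolver{client: client, entries: map[string]string{}}
}

// canonicalJwks checks the response is a JWKS object and re-encodes it (encoding/json sorts
// map keys) so whitespace or key-order changes at the IdP are not mistaken for a rotation.
func canonicalJwks(raw []byte) (string, error) {
	var doc struct{ Keys []map[string]interface{} `json:"keys"` }
	if err := json.Unmarshal(raw, &doc); err != nil || doc.Keys == nil {
		return "", fmt.Errorf("response is not a JWKS document (%d bytes)", len(raw))
	}
	b, err := json.Marshal(doc)
	return string(b), err
}

// fetch retrieves one key set. These keys decide which tokens the whole mesh trusts, so
// they are accepted only over https (the same channel-authenticity concern the issue raises).
func (r *JwksResolver) fetch(uri string) (string, error) {
	if !strings.HasPrefix(uri, "https://") {
		return "", fmt.Errorf("refusing non-https jwksUri %q", uri)
	}
	resp, err := r.client.Get(uri)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap a misbehaving endpoint
	if err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("%s: status %d (%v)", uri, resp.StatusCode, err)
	}
	return canonicalJwks(raw)
}

// Resolve returns the cached key set for uri, fetching it on a miss.
func (r *JwksResolver) Resolve(uri string) (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if body, ok := r.entries[uri]; ok {
		return body, nil
	}
	body, err := r.fetch(uri)
	if err == nil {
		r.entries[uri] = body
	}
	return body, err
}

// Refresh re-fetches every cached URI and returns those whose key set changed (the caller
// pushes new config for them). A failed fetch keeps the last-known-good keys: an IdP outage
// must not strip the mesh of the keys it validates tokens with.
func (r *JwksResolver) Refresh() []string {
	r.mu.Lock()
	defer r.mu.Unlock()
	var changed []string
	for uri, old := range r.entries {
		if body, err := r.fetch(uri); err == nil && body != old {
			r.entries[uri] = body
			changed = append(changed, uri)
		}
	}
	return changed
}

func main() {
	// Offline check: the same key set with different whitespace is not a rotation; an added key is.
	v1, _ := canonicalJwks([]byte(jwksV1))
	v1Spaced, _ := canonicalJwks([]byte(strings.ReplaceAll(jwksV1, ",", ", ")))
	v2, _ := canonicalJwks([]byte(jwksV2))
	fmt.Println("reformatted equals original:", v1 == v1Spaced, "/ rotated equals original:", v1 == v2)
}
```

In pilot this Refresh would run on a timer (or on a JWT rule change), and each URI it returns maps to one config push. Refresh holds the lock across network I/O to keep the example short; with many issuers you would fetch outside the lock and only take it to compare and store.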
