tetrateio
diff --git a/‎cmd/main.go
+5-2 b/‎cmd/main.go
+5-2
diff --git a/‎config/gen/go/v1/oidc/config.pb.go
+81-54 b/‎config/gen/go/v1/oidc/config.pb.go
+81-54
diff --git a/‎config/gen/go/v1/oidc/config.pb.validate.go
+29 b/‎config/gen/go/v1/oidc/config.pb.validate.go
+29
diff --git a/‎config/v1/oidc/config.proto
+9 b/‎config/v1/oidc/config.proto
+9
diff --git a/‎e2e/keycloak/authz-config.json
+2-1 b/‎e2e/keycloak/authz-config.json
+2-1
@@ -30,11 +30,13 @@ import (
 
 func main() {
 	var (
+		lifecycle   = run.NewLifecycle()
 		configFile  = &internal.LocalConfigFile{}
 		logging     = internal.NewLogSystem(log.New(), &configFile.Config)
-		jwks        = oidc.NewJWKSProvider()
+		tlsPool     = internal.NewTLSConfigPool(lifecycle.Context())
+		jwks        = oidc.NewJWKSProvider(tlsPool)
 		sessions    = oidc.NewSessionStoreFactory(&configFile.Config)
-		envoyAuthz  = server.NewExtAuthZFilter(&configFile.Config, jwks, sessions)
+		envoyAuthz  = server.NewExtAuthZFilter(&configFile.Config, tlsPool, jwks, sessions)
 		authzServer = server.New(&configFile.Config, envoyAuthz.Register)
 		healthz     = server.NewHealthServer(&configFile.Config)
 	)
@@ -50,6 +52,7 @@ func main() {
 	g := run.Group{Logger: internal.Logger(internal.Default)}
 
 	g.Register(
+		lifecycle,         // manage the lifecycle of the run.Services
 		configFile,        // load the configuration
 		logging,           // set up the logging system
 		configLog,         // log the configuration
 
@@ -16,6 +16,7 @@ syntax = "proto3";
 
 package authservice.config.v1.oidc;
 
+import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "validate/validate.proto";
 
@@ -202,6 +203,14 @@ message OIDCConfig {
     string trusted_certificate_authority_file = 20;
   }
 
+  // The duration between refreshes of the trusted certificate authority if `trusted_certificate_authority_file` is set.
+  // Unset or 0 means disables the refresh, useful is no rotation is expected.
+  // Default is unset, means disabled.
+  // Is a String that ends in `s` to indicate seconds and is preceded by the number of seconds,
+  // with nanoseconds expressed as fractional seconds, e.g. `120.15s`.
+  // Optional.
+  google.protobuf.Duration trusted_certificate_authority_refresh_interval = 21;
+
   // The Authservice makes two kinds of direct network connections directly to the OIDC Provider.
   // Both are POST requests to the configured `token_uri` of the OIDC Provider.
   // The first is to exchange the authorization code for tokens, and the other is to use the
 
@@ -28,7 +28,8 @@
             "redis_session_store_config": {
               "server_uri": "redis://redis:6379"
             },
-            "trusted_certificate_authority_file": "/etc/authservice/certs/ca.crt"
+            "trusted_certificate_authority_file": "/etc/authservice/certs/ca.crt",
+            "trusted_certificate_authority_refresh_interval": "60.25s"
           }
         }
       ]
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,8 @@`
`28`	`28`	`"redis_session_store_config": {`
`29`	`29`	`"server_uri": "redis://redis:6379"`
`30`	`30`	`},`
`31`		`- "trusted_certificate_authority_file": "/etc/authservice/certs/ca.crt"`
	`31`	`+ "trusted_certificate_authority_file": "/etc/authservice/certs/ca.crt",`
	`32`	`+ "trusted_certificate_authority_refresh_interval": "60.25s"`
`32`	`33`	`}`
`33`	`34`	`}`
`34`	`35`	`]`