Is this the right place to submit this?

• This is not a security vulnerability or a crashing bug
• This is not a question about how to use Istio

Bug Description

When Istio is frequently generating configuration, and there is at least one JWKS URI that hasn't been fetched and returns an error, then the background refresh that fetches and updates other good URIs won't be triggered.

Repro steps:

1. Install Istio and bookinfo
2. On istiod, set the env PILOT_JWT_PUB_KEY_REFRESH_INTERVAL to something short like 30s (not required, but makes validation much faster)
3. Set up a JWKS server that you control, I used a test service in the cluster
4. Create RequestAuthentication and Authorization policy to require a JWT for accessing productpage with a good jwksUri from your test server
5. Now run a loop that creates and deletes a RequestAuthentication config for details with an invalid jwks URI with a 10s delay (must be shorter than the refresh interval set above)
6. Now change the JWKS returned by the test server created in (3) for the good URI configured in (4), which you'd expect to get updated

Wait a couple minutes, enough time that the JWKS should have been updated.

Issue a request to productpage with a JWT signed by the key in the old JWKS - it will still work. Then issue a request with a JWT signed by the key in the new JWKS - you get a 403.

Version

% istioctl version
client version: 1.22.1
control plane version: 1.22.1
data plane version: 1.22.1 (9 proxies)

% kubectl version
Client Version: v1.29.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.1

But it still occurs in a master build

Additional Information

Skipping as I am already working on a PR to fix this