Jwt public resolver doesn't handle network error properly #14638

Closed
yangminzhu opened this issue Jun 7, 2019 · 2 comments

@yangminzhu
Contributor

(NOTE: This is used to report product bugs:
To report a security vulnerability, please visit https://istio.io/about/security-vulnerabilities/
To ask questions about how to use Istio, please visit https://discuss.istio.io
)

Bug description

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[x] Security
[ ] Test and Release
[ ] User Experience

Expected behavior
The JWT public key resolver should handle network errors with retry logic, and shouldn't delete the cached public key on a network error.

Steps to reproduce the bug

Version (include the output of istioctl version --remote and kubectl version)
1.0, 1.1, 1.2 and master

How was Istio installed?
GKE Istio-addon (1.0)

Environment where bug was observed (cloud vendor, OS, etc)

Additionally, please consider attaching a cluster state archive by attaching
the dump file to this issue.

@yangminzhu
Contributor Author

/cc @wenchenglu @liminw @duderino @ellis-bigelow

@yangminzhu
Contributor Author

Some follow-up work:

  • Report metrics about public key refresh failures; that would give customers enough time to fix some network and IdP setup issues.

  • Make this (how long the old public key will be kept) configurable; customers can set their own default based on their needs.
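
The behavior requested in this issue (retry on network error, keep the cached key, count refresh failures, configurable retention), as an added Go example that is not part of the issue thread and is not Istio's code. `KeyCache`, its fields and the injected `Fetch`/`Now` functions are hypothetical names chosen for illustration; the cache covers a single `jwks_uri`.

```go
package main

import (
	"fmt"
	"time"
)

// KeyCache is a hypothetical cache of the JWKS fetched from one jwks_uri.
// Fetch and Now are injected so the example runs offline.
type KeyCache struct {
	Fetch        func() (string, error)
	Now          func() time.Time
	Retries      int           // extra attempts after the first (no backoff, for brevity)
	Retention    time.Duration // how long the old key is kept while refreshes fail
	RefreshFails int           // would be exported as a metric
	keys         string
	lastSuccess  time.Time
}

// Refresh fetches the key set. A failed refresh is counted and reported, but
// the cached key is dropped only once it is older than Retention.
func (c *KeyCache) Refresh() error {
	var err error
	for i := 0; i <= c.Retries; i++ {
		var keys string
		if keys, err = c.Fetch(); err == nil {
			c.keys, c.lastSuccess = keys, c.Now()
			return nil
		}
	}
	c.RefreshFails++
	if c.keys != "" && c.Now().Sub(c.lastSuccess) > c.Retention {
		c.keys = "" // retention exceeded: stop serving the old key
	}
	return fmt.Errorf("jwks refresh failed: %w", err)
}

// Get returns the cached key set and whether one is still held.
func (c *KeyCache) Get() (string, bool) { return c.keys, c.keys != "" }

func main() { // constructed scenario: the IdP never answers
	c := &KeyCache{Now: time.Now, Retention: time.Hour, Retries: 2,
		Fetch: func() (string, error) { return "", fmt.Errorf("i/o timeout") }}
	err := c.Refresh()
	fmt.Println(err, "| failed refreshes:", c.RefreshFails)
}
```
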
