Description:
Good afternoon,
I am seeing errors like the following:
[2026-06-29 10:07:32.183][1][warning][config] [source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:130] gRPC config: initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
At the same time, as far as I understand, initial_fetch_timeout is currently set to 0 by default:
https://github.com/envoyproxy/gateway/pull/8069/changes
Here is a part of the configuration from my Envoy proxy:
"dynamic_resources": {
  "lds_config": {
    "ads": {},
    "initial_fetch_timeout": "0s",
    "resource_api_version": "V3"
  },
  "cds_config": {
    "ads": {},
    "initial_fetch_timeout": "0s",
    "resource_api_version": "V3"
  }
}
Could you please clarify:
If initial_fetch_timeout = 0, how can a warning about a timeout appear? Shouldn’t Envoy wait indefinitely for the configuration to be received?
Where else can I look to find the root cause? I checked the Envoy configuration, found all secrets of type type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret, and double-checked that they exist in Kubernetes.
Thank you very much in advance for your help.
Version:
Helm chart v1.8.1
envoyproxy/envoy: distroless-v1.38.1
envoyproxy/gateway: v1.8.1
envoyproxy/ratelimit: ff287602
values.yaml:
# Global settings
global:
# If set, these take highest precedence and change both envoyGateway and ratelimit's container registry and pull secrets.
# -- Global override for image registry
imageRegistry: "registry.test.net"
# -- Global override for image pull secrets
imagePullSecrets:
- name: custom-registry
# If set, these override image-specific values: useful when installing the chart in a private registry environment.
# Override image-specific values directly if a global override is not desired.
images:
envoyGateway:
# This is the full image name including the hub, repo, and tag.
image: registry.test.net/envoyproxy/gateway:fake_tag@sha256:497df13b71f4e544c7e80414873041e291776c28cd788bcbee0d18421fa5db98
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
pullPolicy: IfNotPresent
# List of secrets in the same namespace of the component that can be used to pull images from private repositories.
pullSecrets: []
ratelimit:
# This is the full image name including the hub, repo, and tag.
image: "registry.test.net/envoyproxy/ratelimit:fake_tag@sha256:f9df277f4c61459f6b26e06e0eb1f511e4da3c67ce133a39bd97a12dc5885eea"
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
pullPolicy: IfNotPresent
# List of secrets in the same namespace of the component that can be used to pull images from private repositories.
pullSecrets: []
podDisruptionBudget:
minAvailable: 0
# maxUnavailable: 1
deployment:
annotations: {}
envoyGateway:
image:
# if both this and global.imageRegistry are specified, this has to include both registry and repository explicitly, eg docker.io/envoyproxy/gateway
repository: "registry.test.net/envoyproxy/gateway"
tag: "fake_tag@sha256:497df13b71f4e544c7e80414873041e291776c28cd788bcbee0d18421fa5db98"
imagePullPolicy: ""
imagePullSecrets: []
resources:
limits:
memory: 1024Mi
requests:
cpu: 50m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 65532
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
ports:
- name: grpc
port: 18000
targetPort: 18000
- name: ratelimit
port: 18001
targetPort: 18001
- name: wasm
port: 18002
targetPort: 18002
- name: metrics
port: 19001
targetPort: 19001
priorityClassName: null
replicas: 3
pod:
affinity: {}
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: '19001'
labels: {}
topologySpreadConstraints: []
tolerations: []
nodeSelector: {}
service:
# If set to PreferClose, the Envoy fleet will prioritize connecting to the Envoy Gateway pods that are topologically closest to them.
trafficDistribution: "PreferClose"
annotations: {}
# -- Service type. Can be set to LoadBalancer with specific IP, e.g.:
# type: LoadBalancer
# loadBalancerIP: 10.236.90.20
type: "ClusterIP"
hpa:
enabled: false
minReplicas: 1
maxReplicas: 1
metrics: []
behavior: {}
config:
# -- EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options.
envoyGateway:
gateway:
controllerName: gateway.envoyproxy.io/gatewayclass-controller
telemetry:
traces:
samplingRate:
numerator: 100
denominator: 100
sink:
type: OpenTelemetry
openTelemetry:
host: otelcol.logs.svc.cluster.local
port: 4317
protocol: grpc
provider:
type: Kubernetes
rateLimitDeployment:
container:
image: registry.test.net/envoyproxy/ratelimit:fake_tag@sha256:f9df277f4c61459f6b26e06e0eb1f511e4da3c67ce133a39bd97a12dc5885eea
patch:
type: StrategicMerge
value:
spec:
template:
spec:
containers:
- imagePullPolicy: IfNotPresent
name: envoy-ratelimit
shutdownManager:
image: registry.test.net/envoyproxy/gateway:fake_tag@sha256:497df13b71f4e544c7e80414873041e291776c28cd788bcbee0d18421fa5db98
pod:
imagePullSecrets:
- name: custom-registry
logging:
level:
default: debug
extensionApis:
enableBackend: true
enableEnvoyPatchPolicy: true
createNamespace: false
kubernetesClusterDomain: cluster.local
# -- Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC, OAuth2, etc. to not work as expected.
certgen:
job:
annotations: {}
args: []
pod:
annotations: {}
labels: {}
resources: {}
affinity: {}
tolerations: []
nodeSelector: {}
ttlSecondsAfterFinished: 30
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: 65532
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
rbac:
annotations: {}
labels: {}
topologyInjector:
enabled: true
annotations: {}
EnvoyProxy:
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: envoy-proxy
spec:
  bootstrap:
    type: Merge
    value: |
      stats_config:
        histogram_bucket_settings:
          - match:
              suffix: upstream_rq_body_size
            buckets:
              - 1024
              - 10240
              - 102400
              - 1048576
              - 5242880
              - 10485760
              - 52428800
              - 104857600
              - 536870912
              - 1073741824
              - 2147483648
              - 5368709120
              - 10737418240
  logging:
    level:
      default: debug
  routingType: Endpoint
  telemetry:
    metrics:
      enableVirtualHostStats: true
      enableRequestResponseSizesStats: true
      clusterStatName: "%ROUTE_KIND%/%ROUTE_NAMESPACE%/%ROUTE_NAME%/%ROUTE_RULE_NAME%"
    accessLog:
      settings:
        - sinks:
            - type: File
              file:
                path: /dev/stdout
          format:
            type: JSON
            json:
              start_time: "%START_TIME%"
              method: "%REQ(:METHOD)%"
              path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
              protocol: "%PROTOCOL%"
              authority: "%REQ(:AUTHORITY)%"
              response_code: "%RESPONSE_CODE%"
              response_code_details: "%RESPONSE_CODE_DETAILS%"
              response_flags: "%RESPONSE_FLAGS%"
              duration: "%DURATION%"
              common_duration: "%COMMON_DURATION(DS_RX_END:US_RX_END:ms)%"
              downstream_remote_address: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
              downstream_direct_remote_address: "%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%"
              downstream_local_address: "%DOWNSTREAM_LOCAL_ADDRESS%"
              upstream_cluster: "%UPSTREAM_CLUSTER%"
              upstream_host: "%UPSTREAM_HOST%"
              upstream_local_address: "%UPSTREAM_LOCAL_ADDRESS%"
              upstream_transport_failure_reason: "%UPSTREAM_TRANSPORT_FAILURE_REASON%"
              upstream_service_time: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
              upstream_attempt_count: "%UPSTREAM_REQUEST_ATTEMPT_COUNT%"
              requested_server_name: "%REQUESTED_SERVER_NAME%"
              route_name: "%ROUTE_NAME%"
              user_agent: "%REQ(USER-AGENT)%"
              x_forwarded_for: "%REQ(X-FORWARDED-FOR)%"
              x_request_id: "%REQ(X-REQUEST-ID)%"
              traceparent: "%REQ(TRACEPARENT)%"
              trace_id: "%TRACE_ID%"
              bytes_received: "%BYTES_RECEIVED%"
              bytes_sent: "%BYTES_SENT%"
    tracing:
      samplingRate: 100
      provider:
        type: OpenTelemetry
        backendRefs:
          - name: otelcol
            namespace: logs
            port: 4317
  provider:
    type: Kubernetes
    kubernetes:
      envoyDaemonSet:
        name: envoy-proxy
        container:
          image: registry.test.net/envoyproxy/envoy@sha256:5484ea0d443278cacd66a20efb7f21db02bbcae12153b487ea470cdadf8a4d02
          resources:
            requests:
              cpu: 50m
              memory: 512Mi #default
        pod:
          imagePullSecrets:
            - name: custom-registry
      envoyService:
        type: NodePort
        name: envoy-proxy
        patch:
          type: StrategicMerge
          value:
            spec:
              ports:
                - name: http
                  port: 80
                  targetPort: 10080
                  nodePort: 31686
                - name: https
                  port: 443
                  targetPort: 10443
                  nodePort: 31687
                - name: readiness
                  port: 19003
                  targetPort: 19003
                  nodePort: 31688
[optional Relevant Links:]
https://github.com/envoyproxy/gateway/pull/8069/changes
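
A diagnostic sketch added here (not part of the original issue and not Envoy Gateway's own code): `initial_fetch_timeout` is a field of each individual `ConfigSource`, so the `0s` shown on `lds_config` and `cds_config` does not cover the `sds_config` blocks that reference TLS secrets, and Envoy's documented default when the field is unset is 15s. The script walks a JSON config dump (assumed to come from the Envoy admin `/config_dump` endpoint) and lists every config source whose timeout is still finite; the sample dump, cluster name and secret names are constructed.

```python
import json

# Keys whose value is an Envoy core.v3.ConfigSource message.
CONFIG_SOURCE_KEYS = {"lds_config", "cds_config", "sds_config", "eds_config", "config_source"}

def find_config_sources(node, path=""):
    """Yield (json_path, initial_fetch_timeout or None) for every ConfigSource."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in CONFIG_SOURCE_KEYS and isinstance(value, dict):
                yield child, value.get("initial_fetch_timeout")
            yield from find_config_sources(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_config_sources(item, f"{path}[{i}]")

def is_disabled(timeout):
    """True only for an explicit zero duration such as "0s"."""
    return timeout is not None and float(timeout.rstrip("s")) == 0.0

def finite_timeouts(dump):
    """Config sources that can still hit an initial fetch timeout."""
    return [(path, timeout or "unset (Envoy default 15s)")
            for path, timeout in find_config_sources(dump)
            if not is_disabled(timeout)]

# Constructed sample shaped like an admin /config_dump response.
SAMPLE_DUMP = json.loads("""
{"configs": [
  {"bootstrap": {"dynamic_resources": {
    "lds_config": {"ads": {}, "initial_fetch_timeout": "0s", "resource_api_version": "V3"},
    "cds_config": {"ads": {}, "initial_fetch_timeout": "0s", "resource_api_version": "V3"}}}},
  {"dynamic_active_clusters": [{"cluster": {
    "name": "example-backend",
    "transport_socket": {"typed_config": {"common_tls_context": {
      "tls_certificate_sds_secret_configs": [
        {"name": "example-cert", "sds_config": {"ads": {}, "resource_api_version": "V3"}}],
      "validation_context_sds_secret_config":
        {"name": "example-ca", "sds_config": {"ads": {}, "initial_fetch_timeout": "0s"}}
    }}}
  }}]}
]}
""")

if __name__ == "__main__":
    for path, timeout in finite_timeouts(SAMPLE_DUMP):
        print(f"{timeout:>26}  {path}")
```

Any `sds_config` path it prints names a secret subscription that is not covered by the bootstrap-level `0s` settings.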