
Question about SDS initial_fetch_timeout warning #9373

Description

@makuartur

Description:
Good afternoon,

I am seeing warnings like the following in the Envoy proxy log (note that the line is logged at `warning` level, not `error`, and that it does not say which Secret timed out):

[2026-06-29 10:07:32.183][1][warning][config] [source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:130] gRPC config: initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret

At the same time, as far as I understand, initial_fetch_timeout is currently set to 0 by default:

https://github.com/envoyproxy/gateway/pull/8069/changes

Here is the relevant `dynamic_resources` part of the bootstrap configuration from my Envoy proxy:

"dynamic_resources": {
  "lds_config": {
    "ads": {},
    "initial_fetch_timeout": "0s",
    "resource_api_version": "V3"
  },
  "cds_config": {
    "ads": {},
    "initial_fetch_timeout": "0s",
    "resource_api_version": "V3"
  }
}

Could you please clarify:

If initial_fetch_timeout = 0 for LDS and CDS, how can a timeout warning appear for SDS secrets? Shouldn't Envoy wait indefinitely for the configuration to be received? (The snippet above only covers `lds_config` and `cds_config`; if the SDS subscription for each secret uses a separate `sds_config` ConfigSource embedded in the listener/cluster transport socket, that source may carry its own `initial_fetch_timeout` — I have not been able to confirm this.)
Where else can I look to find the root cause? I checked the Envoy configuration, found all secrets of type `type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret`, and double-checked that the corresponding Secrets exist in Kubernetes. Since the warning does not name the resource it was waiting for, is there a way to see which Secret the subscription timed out on?

Thank you very much in advance for your help.

Version:

Helm chart v1.8.1
envoyproxy/envoy: distroless-v1.38.1
envoyproxy/gateway: v1.8.1
envoyproxy/ratelimit: ff287602

values.yaml:


# Global settings
global:
  # If set, these take highest precedence and change both envoyGateway and ratelimit's container registry and pull secrets.
  # -- Global override for image registry
  imageRegistry: "registry.test.net"
  # -- Global override for image pull secrets
  # NOTE(review): one pull secret is reused for every component; the Secret has to
  # exist in each namespace a component is deployed to (shutdownManager and the
  # envoyDaemonSet below repeat it explicitly).
  imagePullSecrets:
    - name: custom-registry

  # If set, these override image-specific values: useful when installing the chart in a private registry environment.
  # Override image-specific values directly if a global override is not desired.
  images:
    envoyGateway:
      # This is the full image name including the hub, repo, and tag.
      # Pinned by digest: when both a tag and @sha256 are present the digest is what
      # gets pulled, so "fake_tag" is only a human-readable label. Keep this digest
      # identical to deployment.envoyGateway.image.tag and shutdownManager.image.
      image: registry.test.net/envoyproxy/gateway:fake_tag@sha256:497df13b71f4e544c7e80414873041e291776c28cd788bcbee0d18421fa5db98
      # Specify image pull policy if default behavior isn't desired.
      # Default behavior: latest images will be Always else IfNotPresent.
      pullPolicy: IfNotPresent
      # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
      # Empty here because global.imagePullSecrets above takes precedence.
      pullSecrets: []
    ratelimit:
      # This is the full image name including the hub, repo, and tag.
      # Same digest as config.envoyGateway.provider.rateLimitDeployment.container.image.
      image: "registry.test.net/envoyproxy/ratelimit:fake_tag@sha256:f9df277f4c61459f6b26e06e0eb1f511e4da3c67ce133a39bd97a12dc5885eea"
      # Specify image pull policy if default behavior isn't desired.
      # Default behavior: latest images will be Always else IfNotPresent.
      pullPolicy: IfNotPresent
      # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
      pullSecrets: []

podDisruptionBudget:
  # NOTE(review): minAvailable: 0 allows a node drain to evict all controller
  # replicas at the same time (replicas: 3 below, no spread constraints), which
  # leaves the proxies' ADS subscriptions without a control plane until a pod is
  # rescheduled. If control-plane gaps are a suspected cause of the SDS fetch
  # warnings, set this to 1 (or use maxUnavailable) so at least one replica stays up.
  minAvailable: 0
  # maxUnavailable: 1

deployment:
  annotations: {}
  envoyGateway:
    image:
      # if both this and global.imageRegistry are specified, this has to include both registry and repository explicitly, eg docker.io/envoyproxy/gateway
      repository: "registry.test.net/envoyproxy/gateway"
      # Digest-pinned (same sha256 as global.images.envoyGateway.image); the tag text is informational.
      tag: "fake_tag@sha256:497df13b71f4e544c7e80414873041e291776c28cd788bcbee0d18421fa5db98"
    imagePullPolicy: ""
    # Empty on purpose: global.imagePullSecrets takes precedence (see the comment under global).
    imagePullSecrets: []
    resources:
      limits:
        memory: 1024Mi
      requests:
        cpu: 50m
        memory: 256Mi
    # Hardened: no privilege escalation, all capabilities dropped, non-root UID/GID,
    # RuntimeDefault seccomp. NOTE(review): unlike certgen.job.securityContext below,
    # readOnlyRootFilesystem is not set here; presumably the controller writes to
    # its filesystem at runtime — confirm, and enable it if it does not.
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      runAsNonRoot: true
      runAsGroup: 65532
      runAsUser: 65532
      seccompProfile:
        type: RuntimeDefault
  # Service ports. The Service is ClusterIP (see service.type below), so these are
  # reachable in-cluster only; grpc/18000 is the port the proxies subscribe to.
  ports:
    - name: grpc
      port: 18000
      targetPort: 18000
    - name: ratelimit
      port: 18001
      targetPort: 18001
    - name: wasm
      port: 18002
      targetPort: 18002
    - name: metrics
      port: 19001
      targetPort: 19001
  priorityClassName: null
  # NOTE(review): three replicas but affinity/topologySpreadConstraints are empty, so
  # all three may be scheduled on one node; together with podDisruptionBudget.minAvailable: 0
  # a single drain can take the whole control plane down at once.
  replicas: 3
  pod:
    affinity: {}
    annotations:
      # Quoted on purpose: annotation values must be strings, and an unquoted true/19001 would be typed by the parser.
      prometheus.io/scrape: 'true'
      prometheus.io/port: '19001'
    labels: {}
    topologySpreadConstraints: []
    tolerations: []
    nodeSelector: {}

service:
  # If set to PreferClose, the Envoy fleet will prioritize connecting to the Envoy Gateway pods that are topologically closest to them.
  # NOTE(review): with PreferClose, a zone whose local controller replica is evicted
  # (see podDisruptionBudget above) may see proxies fail over later than expected — confirm
  # the fleet does reconnect cross-zone.
  trafficDistribution: "PreferClose"
  annotations: {}
  # -- Service type. Can be set to LoadBalancer with specific IP, e.g.:
  # type: LoadBalancer
  # loadBalancerIP: 10.236.90.20
  # ClusterIP keeps the xDS/ratelimit/wasm/metrics ports internal to the cluster; do not
  # expose this Service externally — it is the control plane, not user-facing traffic.
  type: "ClusterIP"

hpa:
  # Autoscaling is disabled; deployment.replicas (3) is the effective replica count.
  # The min/max values below are inert while enabled is false.
  enabled: false
  minReplicas: 1
  maxReplicas: 1
  metrics: []
  behavior: {}

config:
# -- EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options.
  envoyGateway:
    gateway:
      controllerName: gateway.envoyproxy.io/gatewayclass-controller
    telemetry:
      traces:
        # 100/100 = every controller trace is exported; fine for troubleshooting,
        # costly for a long-lived production install.
        samplingRate:
          numerator: 100
          denominator: 100
        sink:
          type: OpenTelemetry
          openTelemetry:
            host: otelcol.logs.svc.cluster.local
            port: 4317
            # NOTE(review): plain gRPC to the in-cluster collector; no TLS settings are
            # shown here, so trace data crosses the cluster network unencrypted unless the
            # cluster itself provides that (e.g. a mesh) — confirm.
            protocol: grpc
    provider:
      type: Kubernetes
      rateLimitDeployment:
        container:
          # Digest-pinned; same sha256 as global.images.ratelimit.image.
          image: registry.test.net/envoyproxy/ratelimit:fake_tag@sha256:f9df277f4c61459f6b26e06e0eb1f511e4da3c67ce133a39bd97a12dc5885eea
        patch:
          type: StrategicMerge
          value:
            spec:
              template:
                spec:
                  containers:
                  - imagePullPolicy: IfNotPresent
                    name: envoy-ratelimit
      shutdownManager:
        # Digest-pinned; same sha256 as the controller image.
        image: registry.test.net/envoyproxy/gateway:fake_tag@sha256:497df13b71f4e544c7e80414873041e291776c28cd788bcbee0d18421fa5db98
        pod:
          imagePullSecrets:
          - name: custom-registry
    # NOTE(review): debug-level controller logging is the right place to look for why
    # an SDS Secret was never delivered, but it is verbose and may echo reconciled
    # resource contents. Verify that Secret data is not written to these logs before
    # shipping them to a shared log pipeline, and drop back to info afterwards.
    logging:
      level:
        default: debug
    # NOTE(review): both extension APIs widen what a Kubernetes principal can do through
    # this gateway. EnvoyPatchPolicy lets anyone with RBAC on that CRD rewrite the
    # generated xDS (listeners, clusters, and the secrets they reference); Backend lets
    # routes target arbitrary IPs/hostnames rather than Services. Restrict create/update
    # on both CRDs to the platform team.
    extensionApis:
      enableBackend: true
      enableEnvoyPatchPolicy: true

# The target namespace is expected to exist already; the chart will not create it.
createNamespace: false

# Cluster DNS suffix used for in-cluster service names (e.g. otelcol.logs.svc.cluster.local above).
kubernetesClusterDomain: cluster.local

# -- Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC, OAuth2, etc. to not work as expected.
# NOTE(review): these certificates are presumably what secures the proxy <-> controller
# xDS channel; if they are rotated or missing, SDS/xDS subscriptions cannot complete,
# so the certgen job is worth checking when fetch timeouts are investigated.
certgen:
  job:
    annotations: {}
    args: []
    pod:
      annotations: {}
      labels: {}
    resources: {}
    affinity: {}
    tolerations: []
    nodeSelector: {}
    # Completed job pods are garbage-collected after 30s; capture their logs quickly
    # if certificate generation needs to be debugged.
    ttlSecondsAfterFinished: 30
    # Hardened like the controller, plus readOnlyRootFilesystem — the job only needs
    # to talk to the API server, not write locally.
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsGroup: 65532
      runAsUser: 65532
      seccompProfile:
        type: RuntimeDefault
  rbac:
    annotations: {}
    labels: {}

# NOTE(review): presumably an admission-time injector that adds topology information
# to the proxy pods so service.trafficDistribution: PreferClose can work — confirm
# against the chart docs; if it is a webhook, its failure policy matters for
# cluster upgrades.
topologyInjector:
  enabled: true
  annotations: {}

EnvoyProxy:

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: envoy-proxy
spec:
  # Merged into the bootstrap that Envoy Gateway generates for each proxy. This
  # patch only adds stats_config, so the dynamic_resources block quoted in the
  # issue (initial_fetch_timeout: 0s for LDS/CDS) comes from the generated
  # default, not from here. The value is a literal block scalar: everything
  # inside it, including any comment text, is passed through as-is.
  bootstrap:
    type: Merge
    value: |
      stats_config:
        histogram_bucket_settings:
        - match:
            suffix: upstream_rq_body_size
          buckets:
          - 1024
          - 10240
          - 102400
          - 1048576
          - 5242880
          - 10485760
          - 52428800
          - 104857600
          - 536870912
          - 1073741824
          - 2147483648
          - 5368709120
          - 10737418240
  # NOTE(review): debug on the data plane prints request/response headers
  # (Authorization, Cookie, ...) for every request to stdout. Useful for
  # finding which SDS subscription timed out (the config-subscription
  # logger is what emits the warning), but revert to info/warn once done
  # and treat captured logs as sensitive.
  logging:
    level:
      default: debug
  routingType: Endpoint
  telemetry:
    metrics:
      enableVirtualHostStats: true
      enableRequestResponseSizesStats: true
      clusterStatName: "%ROUTE_KIND%/%ROUTE_NAMESPACE%/%ROUTE_NAME%/%ROUTE_RULE_NAME%"
    accessLog:
      settings:
      - sinks:
        - type: File
          file:
            path: /dev/stdout
        format:
          type: JSON
          # NOTE(review): PATH includes the query string, and x_forwarded_for /
          # user_agent / downstream addresses are personal data. Check that no
          # application puts tokens in query parameters before these logs leave
          # the cluster. Whether downstream_remote_address reflects the client
          # or the node/LB hop depends on client-IP detection settings not set here.
          json:
            start_time: "%START_TIME%"
            method: "%REQ(:METHOD)%"
            path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
            protocol: "%PROTOCOL%"
            authority: "%REQ(:AUTHORITY)%"
            response_code: "%RESPONSE_CODE%"
            response_code_details: "%RESPONSE_CODE_DETAILS%"
            response_flags: "%RESPONSE_FLAGS%"
            duration: "%DURATION%"
            common_duration: "%COMMON_DURATION(DS_RX_END:US_RX_END:ms)%"
            downstream_remote_address: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
            downstream_direct_remote_address: "%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%"
            downstream_local_address: "%DOWNSTREAM_LOCAL_ADDRESS%"
            upstream_cluster: "%UPSTREAM_CLUSTER%"
            upstream_host: "%UPSTREAM_HOST%"
            upstream_local_address: "%UPSTREAM_LOCAL_ADDRESS%"
            upstream_transport_failure_reason: "%UPSTREAM_TRANSPORT_FAILURE_REASON%"
            upstream_service_time: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
            upstream_attempt_count: "%UPSTREAM_REQUEST_ATTEMPT_COUNT%"
            requested_server_name: "%REQUESTED_SERVER_NAME%"
            route_name: "%ROUTE_NAME%"
            user_agent: "%REQ(USER-AGENT)%"
            x_forwarded_for: "%REQ(X-FORWARDED-FOR)%"
            x_request_id: "%REQ(X-REQUEST-ID)%"
            traceparent: "%REQ(TRACEPARENT)%"
            trace_id: "%TRACE_ID%"
            bytes_received: "%BYTES_RECEIVED%"
            bytes_sent: "%BYTES_SENT%"

    # 100% sampling on the data plane: every request produces a span. Fine while
    # debugging, expensive at steady state; the collector is the same in-cluster
    # otelcol as the controller uses.
    tracing:
      samplingRate: 100
      provider:
        type: OpenTelemetry
        backendRefs:
        - name: otelcol
          namespace: logs
          port: 4317
  provider:
    type: Kubernetes
    kubernetes:
      envoyDaemonSet:
        name: envoy-proxy
        container:
          # Digest-only reference (no tag); the issue lists this as distroless-v1.38.1.
          image: registry.test.net/envoyproxy/envoy@sha256:5484ea0d443278cacd66a20efb7f21db02bbcae12153b487ea470cdadf8a4d02
          # NOTE(review): requests only, no limits. With debug logging and 100%
          # tracing enabled, an Envoy under load can grow well past 512Mi and
          # compete with other pods on the node; consider a memory limit.
          resources:
            requests:
              cpu: 50m
              memory: 512Mi #default
        pod:
          imagePullSecrets:
            - name: custom-registry
      envoyService:
        # NodePort: the listeners are reachable on every node IP at the fixed
        # ports below, so node-level firewalling is the only thing in front of them.
        type: NodePort
        name: envoy-proxy
        patch:
          type: StrategicMerge
          value:
            spec:
              ports:
                - name: http
                  port: 80
                  targetPort: 10080
                  nodePort: 31686

                - name: https
                  port: 443
                  targetPort: 10443
                  nodePort: 31687

                # NOTE(review): the readiness port is presumably only meant for the
                # kubelet probe. Publishing it as a NodePort exposes a health endpoint
                # (and whatever else that listener serves) to anyone who can reach a
                # node IP; remove it unless an external load balancer must probe it.
                - name: readiness
                  port: 19003
                  targetPort: 19003
                  nodePort: 31688

Relevant links:
https://github.com/envoyproxy/gateway/pull/8069/changes
