Long time to become ready for envoy

Hi guys,

Is there a way to decrease time of getting configuration by envoy from pilot?

In our case before envoy is ready takes 10-20s, which is not acceptable for our scenario.

We have 3-5 pilot pods running:

pilot:
  enabled: true
  autoscaleEnabled: true
  autoscaleMin: 3
  autoscaleMax: 5
  resources:
  requests:
    cpu: 500m
    memory: 2048Mi 

Below is a snippet from istio-proxy container from one of the pods.

What could we do to decrease this bootstap time of envoy ?

Bests,
Robert

2019-08-07T20:51:21.552684Z     info    Envoy command: [-c /etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --parent-shutdown-time-s 60 --service-cluster shovel-backend.rc --service-node sidecar~10.245.20.59~shovel-backend-6cbc5fb794-9jspw.rc~rc.svc.cluster.local --max-obj-name-len 189 --local-address-ip-version v4 --allow-unknown-fields -l warning --component-log-level misc:error --concurrency 2]
[2019-08-07 20:51:21.576][26][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:86] gRPC config stream closed: 14, no healthy upstream
[2019-08-07 20:51:21.576][26][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:49] Unable to establish new stream
2019-08-07T20:51:22.810975Z     info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2019-08-07T20:51:24.847974Z     info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 1 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2019-08-07T20:51:26.842297Z     info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 2 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2019-08-07T20:51:28.847632Z     info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 2 successful, 0 rejected; lds updates: 0 successful, 0 rejected
[2019-08-07 20:51:30.732][26][warning][filter] [src/envoy/http/authn/http_filter_factory.cc:102] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
[2019-08-07 20:51:30.733][26][warning][filter] [src/envoy/http/authn/http_filter_factory.cc:102] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
2019-08-07T20:51:31.089795Z     info    Envoy proxy is ready