Hi guys,
Is there a way to decrease time of getting configuration by envoy from pilot?
In our case before envoy is ready takes 10-20s, which is not acceptable for our scenario.
We have 3-5 pilot pods running:
pilot:
enabled: true
autoscaleEnabled: true
autoscaleMin: 3
autoscaleMax: 5
resources:
requests:
cpu: 500m
memory: 2048Mi
Below is a snippet from istio-proxy container from one of the pods.
What could we do to decrease this bootstap time of envoy ?
Bests,
Robert
2019-08-07T20:51:21.552684Z info Envoy command: [-c /etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --parent-shutdown-time-s 60 --service-cluster shovel-backend.rc --service-node sidecar~10.245.20.59~shovel-backend-6cbc5fb794-9jspw.rc~rc.svc.cluster.local --max-obj-name-len 189 --local-address-ip-version v4 --allow-unknown-fields -l warning --component-log-level misc:error --concurrency 2]
[2019-08-07 20:51:21.576][26][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:86] gRPC config stream closed: 14, no healthy upstream
[2019-08-07 20:51:21.576][26][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:49] Unable to establish new stream
2019-08-07T20:51:22.810975Z info Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2019-08-07T20:51:24.847974Z info Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 1 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2019-08-07T20:51:26.842297Z info Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 2 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2019-08-07T20:51:28.847632Z info Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 2 successful, 0 rejected; lds updates: 0 successful, 0 rejected
[2019-08-07 20:51:30.732][26][warning][filter] [src/envoy/http/authn/http_filter_factory.cc:102] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
[2019-08-07 20:51:30.733][26][warning][filter] [src/envoy/http/authn/http_filter_factory.cc:102] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
2019-08-07T20:51:31.089795Z info Envoy proxy is ready