policy: Reduce SDS initial fetch timeout to 50 milliseconds

Avoid stalling network policy updates for extended periods due to missing SDS secrets by reducing the initial fetch timeout to 50 milliseconds. Signed-off-by: Jarno Rajahalme <[email protected]>
cilium · Jan 13, 2025 · 670d2fb · 670d2fb
1 parent 7eac600
commit 670d2fb
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/cilium/grpc_subscription.cc b/cilium/grpc_subscription.cc
@@ -123,11 +123,11 @@ const Protobuf::MethodDescriptor& sotwGrpcMethod(absl::string_view type_url) {
 // Note: No rate-limit settings are used, consider if needed.
 envoy::config::core::v3::ConfigSource getCiliumXDSAPIConfig() {
   auto config_source = envoy::config::core::v3::ConfigSource();
-  /* config_source.initial_fetch_timeout is set to 5 seconds.
+  /* config_source.initial_fetch_timeout is set to 50 millliseconds.
    * This applies only to SDS Secrets for now, as for NPDS and NPHDS we explicitly set the timeout
    * as 0 (no timeout).
    */
-  config_source.mutable_initial_fetch_timeout()->set_seconds(5);
+  config_source.mutable_initial_fetch_timeout()->set_nanos(50000000);
   config_source.set_resource_api_version(envoy::config::core::v3::ApiVersion::V3);
   auto api_config_source = config_source.mutable_api_config_source();
   api_config_source->set_set_node_on_first_message_only(true);

diff --git a/cilium/secret_watcher.cc b/cilium/secret_watcher.cc
@@ -33,7 +33,7 @@ namespace {
 
 // SDS config used in production
 envoy::config::core::v3::ConfigSource getCiliumSDSConfig(const std::string&) {
-  /* returned config_source has initial_fetch_timeout left at default 15 seconds. */
+  /* returned config_source has initial_fetch_timeout of 50 milliseconds. */
   return Cilium::cilium_xds_api_config;
 }