grpc_json_transcoder: Adhere to decoder and encoder buffer limits

[nareddyt]

Commit Message:
grpc_json_transcoder: Adhere to decoder and encoder buffer limits

Additional Description:
Currently, the transcoder has unbounded internal buffering. This is not allowed according to the Extension stability and security posture.

This PR introduces limits to internal request/response buffers. This follows the documentation for Flow Control, but the filter does not participate in watermarking. Flow control via watermarking will not help the filter: Data stuck in a buffer will never be transcoded until more data comes in. If watermarking occurs, then the data will be stuck forever. So we fail the request with HTTP 413 or HTTP 500 instead.

Note: The current implementation does not handle some edge cases with streaming requests/responses. Those will require special handling. I will make a follow-up PR for that. See review comments for more details.

Risk Level:
Medium.

• Technically a breaking change, but default envoy buffer limits are 1 MiB. Unlikely users will hit this limit with typical requests.
• Configurable by a runtime feature, true by default: envoy.reloadable_features.grpc_json_transcoder_adhere_to_buffer_limits

Testing:

• Unit tests for unary/streaming, request/response
• Integration tests for unary request/responses over buffer limit.
• Integration tests for streaming responses under/over buffer limit.

Docs Changes: None

Release Notes: Yes

Platform Specific Features: None

[nareddyt]

@qiwzhang Please take a quick look at the draft PR.
@htuch Can you give more context on the scary changes in b/155331763#comment11
cc @TAOXUY

[qiwzhang]

This is not very accurate. incoming request bytes are converted on the flight to proto. It is stored here if I read it correctly.

We may have to count its size.

[nareddyt]

Got it. Will spend some time evaluating if there are any other buffers internally.

[nareddyt]

I took a look at the transcoder library. This will only be a problem for the streaming cases. If two streaming messages occur in succession, then the byte limit will be inaccurate and the buffered data will exceed the allowed limit. This should be rare.

For unary request/response, the current implementation works for all cases. The buffer limit is checked before the message reaches any of those internal buffers. So the size unary messages will be counted correctly.

I would like to move forward with this PR and follow-up later. The diff is getting large. I am not worried about introducing a partial implementation here. There is never a case where the transcoder will incorrectly reject a request. It will always count the correct buffer usage or (in the streaming case) undercount buffer usage.

[antoniovicente]

What does [DNS] refer to in the PR title?

[alyssawilk]

@snowp or @mattklein123 would one of you be up for final pass?

[mattklein123]

I can take a look.

[mattklein123]

Thanks, LGTM with small comments.

/wait

[nareddyt]

CI will fail until #15075 is merged.

[nareddyt]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #14906 (comment) was created by @nareddyt.

see: more, trace.

[mattklein123]

Thanks LGTM with small comment.

/wait

[mattklein123]

Thanks!