Add timeouts support to clientTrafficPolicy

[yaelShechter]

Description:
Add requestTimeout and requestHeadersTimeout to clientTrafficPolicy.

According to Envoy documentation, These fields should be configured in the presence of untrusted downstreams.

Additionally, according to the Envoy best practices, configuring the request_timeout is recommended. It is emphasized that this setting "must be disabled for long-lived and streaming requests". hence, instead of enabling it by default, I propose making this field configurable.

These fields weren't previously discussed in this issue because requestHeadersTimeout was not explicitly mentioned in the best-practices document, and requestTimeout wasn't enforced by default to avoid potential disruptions to certain clients (as discussed above).

Links:

• request_timeout and request_headers_timeout in Envoy Docs
• Envoy best practices

[arkodg]

+1 to this, can we start off with request_timeout w/o adding the more fine grained request_headers_timeout knob ?

sidenote - it maybe too late to get this into v1.0, added this into the backlog for now.

[yaelShechter]

Please assign to me, I will start with request_timeout

[guydc]

+1 to this, can we start off with request_timeout w/o adding the more fine grained request_headers_timeout knob ?

@arkodg - Maybe we can set a secure-by-default value for request_headers_timeout to mitigate slow-header slowloris? e.g. the envoy-documented example of 10s sounds like a reasonable default timeout for reading headers.

[arkodg]

+1 to this, can we start off with request_timeout w/o adding the more fine grained request_headers_timeout knob ?

@arkodg - Maybe we can set a secure-by-default value for request_headers_timeout to mitigate slow-header slowloris? e.g. the envoy-documented example of 10s sounds like a reasonable default timeout for reading headers.

this/default for this timeout is worth discussing in the community meeting, @kflynn and I had a similar discussion around route timeout defaults and we decided to not set one, because its hard to gauge user intent. For this specific case (client request timeout) the context is a little different here, we are dealing with untrusted downstreams, so the decision could be different