HTTP local rate limit

[kyessenov]

Expose per-route local rate limiting in HTTP.
Simplified version of Envoy APIs.

Signed-off-by: Kuat Yessenov [email protected]

[istio-policy-bot]

😊 Welcome @kyessenov! This is either your first contribution to the Istio api repo, or it's been
awhile since you've been here.

You can learn more about the Istio working groups, code of conduct, and contributing guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

[kyessenov]

/assign @bianpengyuan
/assign @douglas-reid
/assign @mandarjog

We can use stage 0 for local rate limit (this PR) and stage 1 for global rate limit (follow up).

[mandarjog]

Thanks !

1. either description or example when max tokens and tokens per fill are different? We can point to the envoy documentation or another place as well, but would be good to have basics here.
2. Add an example for sidecar to sidecar communication where we want to limit easy source canonical service to a certain amount.

[kyessenov]

1. It's hard to put in words a custom token bucket (it's a tradeoff between the timer overhead and "smoothness" of request bursts).
2. I don't think that's possible with the networking APIs since we need this on the server-side. We might need to copy-paste parts of networking into server-side API like authorization did. The whole networking API assumes a known source already, but it doesn't use "canonical" terminology.

[mandarjog]

That is a bummer, also a deal breaker. Ability to ratelimit inter service traffic is one of the main customer asks.

[istio-testing]

@kyessenov: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.