router: set correct timeout for egress->ingress envoys

api/envoy/config/filter/http/router/v2/router.proto

@@ -63,4 +63,10 @@ message Router {
       "x-envoy-retry-on"
     ]
   }];
+
+  // If set to true, envoy first will check if `x-envoy-expected-timeout-ms` header is present
+  // and use it's value as timeout to upstream cluster. If header is not present or
+  // `respect_expected_rq_timeout` is set to false, envoy will derive timeout value from
+  // `x-envoy-upstream-rq-timeout-ms` header.
+  bool respect_expected_rq_timeout = 6;
 }

source/common/http/async_client_impl.cc

@@ -37,7 +37,7 @@ AsyncClientImpl::AsyncClientImpl(Upstream::ClusterInfoConstSharedPtr cluster,
                                  Router::ShadowWriterPtr&& shadow_writer,
                                  Http::Context& http_context)
     : cluster_(cluster), config_("http.async-client.", local_info, stats_store, cm, runtime, random,
-                                 std::move(shadow_writer), true, false, false, {},
+                                 std::move(shadow_writer), true, false, false, false, {},
                                  dispatcher.timeSource(), http_context),
       dispatcher_(dispatcher) {}
 

source/common/router/router.cc

@@ -121,7 +121,8 @@ bool FilterUtility::shouldShadow(const ShadowPolicy& policy, Runtime::Loader& ru
 FilterUtility::TimeoutData
 FilterUtility::finalTimeout(const RouteEntry& route, Http::HeaderMap& request_headers,
                             bool insert_envoy_expected_request_timeout_ms, bool grpc_request,
-                            bool per_try_timeout_hedging_enabled) {
+                            bool per_try_timeout_hedging_enabled,
+                            bool respect_expected_rq_timeout) {
   // See if there is a user supplied timeout in a request header. If there is we take that.
   // Otherwise if the request is gRPC and a maximum gRPC timeout is configured we use the timeout
   // in the gRPC headers (or infinity when gRPC headers have no timeout), but cap that timeout to
@@ -151,13 +152,39 @@ FilterUtility::finalTimeout(const RouteEntry& route, Http::HeaderMap& request_he
   }
   timeout.per_try_timeout_ = route.retryPolicy().perTryTimeout();
 
-  Http::HeaderEntry* header_timeout_entry = request_headers.EnvoyUpstreamRequestTimeoutMs();
   uint64_t header_timeout;
-  if (header_timeout_entry) {
-    if (absl::SimpleAtoi(header_timeout_entry->value().getStringView(), &header_timeout)) {
-      timeout.global_timeout_ = std::chrono::milliseconds(header_timeout);
+
+  if (respect_expected_rq_timeout) {
+    // Check if there is timeout set by egress envoy.
+    // If present, use that value as route timeout and don't override
+    // `x-envoy-expected-rq-timeout-ms` header. At this point `x-envoy-upstream-rq-timeout-ms`
+    // header should have been sanitized by egress envoy.
+    Http::HeaderEntry* header_expected_timeout_entry =
+        request_headers.EnvoyExpectedRequestTimeoutMs();
+    if (header_expected_timeout_entry) {
+      // This will prevent from overriding `x-envoy-expected-rq-timeout-ms` header.
+      insert_envoy_expected_request_timeout_ms = false;
+      if (absl::SimpleAtoi(header_expected_timeout_entry->value().getStringView(),
+                           &header_timeout)) {
+        timeout.global_timeout_ = std::chrono::milliseconds(header_timeout);
+      }
+    } else {
+      Http::HeaderEntry* header_timeout_entry = request_headers.EnvoyUpstreamRequestTimeoutMs();
+      if (header_timeout_entry) {
+        if (absl::SimpleAtoi(header_timeout_entry->value().getStringView(), &header_timeout)) {
+          timeout.global_timeout_ = std::chrono::milliseconds(header_timeout);
+        }
+        request_headers.removeEnvoyUpstreamRequestTimeoutMs();
+      }
+    }
+  } else {
+    Http::HeaderEntry* header_timeout_entry = request_headers.EnvoyUpstreamRequestTimeoutMs();
+    if (header_timeout_entry) {
+      if (absl::SimpleAtoi(header_timeout_entry->value().getStringView(), &header_timeout)) {
+        timeout.global_timeout_ = std::chrono::milliseconds(header_timeout);
+      }
+      request_headers.removeEnvoyUpstreamRequestTimeoutMs();
     }
-    request_headers.removeEnvoyUpstreamRequestTimeoutMs();
   }
 
   // See if there is a per try/retry timeout. If it's >= global we just ignore it.
@@ -484,7 +511,8 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::HeaderMap& headers, bool e
   hedging_params_ = FilterUtility::finalHedgingParams(*route_entry_, headers);
 
   timeout_ = FilterUtility::finalTimeout(*route_entry_, headers, !config_.suppress_envoy_headers_,
-                                         grpc_request_, hedging_params_.hedge_on_per_try_timeout_);
+                                         grpc_request_, hedging_params_.hedge_on_per_try_timeout_,
+                                         config_.respect_expected_rq_timeout_);
 
   // If this header is set with any value, use an alternate response code on timeout
   if (headers.EnvoyUpstreamRequestTimeoutAltResponse()) {

source/common/router/router.h

@@ -140,7 +140,8 @@ class FilterUtility {
    */
   static TimeoutData finalTimeout(const RouteEntry& route, Http::HeaderMap& request_headers,
                                   bool insert_envoy_expected_request_timeout_ms, bool grpc_request,
-                                  bool per_try_timeout_hedging_enabled);
+                                  bool per_try_timeout_hedging_enabled,
+                                  bool respect_expected_rq_timeout);
 
   /**
    * Determine the final hedging settings after applying randomized behavior.
@@ -161,12 +162,14 @@ class FilterConfig {
                Stats::Scope& scope, Upstream::ClusterManager& cm, Runtime::Loader& runtime,
                Runtime::RandomGenerator& random, ShadowWriterPtr&& shadow_writer,
                bool emit_dynamic_stats, bool start_child_span, bool suppress_envoy_headers,
+               bool respect_expected_rq_timeout,
                const Protobuf::RepeatedPtrField<std::string>& strict_check_headers,
                TimeSource& time_source, Http::Context& http_context)
       : scope_(scope), local_info_(local_info), cm_(cm), runtime_(runtime),
         random_(random), stats_{ALL_ROUTER_STATS(POOL_COUNTER_PREFIX(scope, stat_prefix))},
         emit_dynamic_stats_(emit_dynamic_stats), start_child_span_(start_child_span),
-        suppress_envoy_headers_(suppress_envoy_headers), http_context_(http_context),
+        suppress_envoy_headers_(suppress_envoy_headers),
+        respect_expected_rq_timeout_(respect_expected_rq_timeout), http_context_(http_context),
         stat_name_pool_(scope_.symbolTable()), retry_(stat_name_pool_.add("retry")),
         zone_name_(stat_name_pool_.add(local_info_.zoneName())),
         empty_stat_name_(stat_name_pool_.add("")), shadow_writer_(std::move(shadow_writer)),
@@ -186,8 +189,8 @@ class FilterConfig {
                      context.runtime(), context.random(), std::move(shadow_writer),
                      PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, dynamic_stats, true),
                      config.start_child_span(), config.suppress_envoy_headers(),
-                     config.strict_check_headers(), context.api().timeSource(),
-                     context.httpContext()) {
+                     config.respect_expected_rq_timeout(), config.strict_check_headers(),
+                     context.api().timeSource(), context.httpContext()) {
     for (const auto& upstream_log : config.upstream_log()) {
       upstream_logs_.push_back(AccessLog::AccessLogFactory::fromProto(upstream_log, context));
     }
@@ -207,6 +210,7 @@ class FilterConfig {
   const bool emit_dynamic_stats_;
   const bool start_child_span_;
   const bool suppress_envoy_headers_;
+  const bool respect_expected_rq_timeout_;
   // TODO(xyu-stripe): Make this a bitset to keep cluster memory footprint down.
   HeaderVectorPtr strict_check_headers_;
   std::list<AccessLog::InstanceSharedPtr> upstream_logs_;