http: add connection-duration jitter, drain-timeout jitter, and drain_percentage to stagger downstream reconnections

[Winbobob]

Commit Message:
http: add connection-duration jitter, drain-timeout jitter, and drain_percentage to stagger downstream reconnections

Additional Description:
Mitigates the thundering-herd reconnect problem when many downstream long-lived HTTP/2 or gRPC connections share the same max_connection_duration and all reach the limit (and therefore drain) at the same instant. Three opt-in knobs:

1. HttpProtocolOptions.max_connection_duration_jitter (type.v3.Percent):
   extends each connection's duration timer by random(0, base * pct/100).
   Mirrors the existing TCP-proxy field max_downstream_connection_duration_jitter_percentage (from tcp_proxy: Add max_downstream_connection_duration_jitter_percentage #40999).
2. HttpConnectionManager.drain_timeout_jitter (type.v3.Percent): extends
   the drain grace period between the shutdown-notice GOAWAY and the final
   GOAWAY by random(0, drain_timeout * pct/100).
3. HttpConnectionManager.drain_percentage (type.v3.Percent, default 100):
   when max_connection_duration fires, only this fraction of eligible
   connections drain this cycle; the rest re-arm the duration timer (with
   fresh jitter, if configured) and wait for the next round. 100 (or unset)
   preserves current behavior; 0 means never drain via this path.

All three fields are individually opt-in.

Risk Level:
Low.

• Defaults preserve current behavior on all three fields:
  • jitter fields default to unset → no jitter
  • drain_percentage defaults to 100 → drain all same as today
• No existing config paths or stats are altered.

Testing:
Unit tests and config-parsing tests

Docs Changes:
Proto field comments document semantics, defaults, and interaction with
max_connection_duration / drain_timeout.

Release Notes:
Updated change log.

Platform Specific Features:
None.

Runtime guard:
None.

Fixes #Issue:

• Extend the functionality of max_connection_duration + drain_timeout #35391
• Add jitter support for HTTP max_connection_duration #42410

API Considerations:

• max_connection_duration_jitter placed on HttpProtocolOptions (next to
  max_connection_duration) following the TCP proxy precedent. Note: the
  field is currently honored only by the downstream HCM runtime; upstream
  clusters read the same proto but do not apply the jitter today.
• drain_timeout_jitter and drain_percentage placed on
  HttpConnectionManager because the drain sequence they gate is
  downstream-HCM-only; placing them on HttpProtocolOptions would
  incorrectly imply upstream applicability.
• All three use type.v3.Percent, which carries [0, 100] PGV validation;
  no additional runtime bounds checking is needed.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @adisuissa
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #45101 was opened by Winbobob.

see: more, trace.

[Winbobob]

I saw multiple PRs try to implement the jitter for max connection duration timeout. This PR includes that and also adds drain timeout jitter and drain percentage based on a conversation two years ago: #35391. CI passed, cc @mathetake, @wbpcode

• http: Add max_connection_duration_jitter_percentage to prevent thundring herd #42479
• http: add jitter support for max_connection_duration #44064

[Winbobob]

Hi @markdroth , could you please review the API change? Thanks a lot!

[naren-13]

hi @Winbobob
When can we expect this feature to be fully implemented ?

[adisuissa]

Thanks.
Left a couple of API points:

1. Consider using a jitter duration instead of percentage (not a requirement, just want to understand whether using a duration is better or not).
2. I think that the drain_percentage field will not be easy to use/reason about. Let's decouple that into a different PR.

[adisuissa]

OOC why is percent based better than an explicit max-jitter-value?
I assume that max-jitter-value is easier to control and reason about, so I'm wondering why the percentage based approach is preferred here.

[Winbobob]

Two reasons:

1. to match the existing behavior in tcp proxy: tcp_proxy: Add max_downstream_connection_duration_jitter_percentage #40999
2. the value of type.v3.Percent will be [0,100], no extra validations needed

Hope it makes sense.

[adisuissa]

What is a round?

[Winbobob]

It should be rephrased as "current connection will have this percentage of chance to be drained". But as you suggested, I will remove the drain_percentage from this PR.

[adisuissa]

Please update the documentation that explains all the timeouts, to take into account the new jitters.

[Winbobob]

Just updated docs/root/faq/configuration/timeouts.rst

[adisuissa]

I think this makes the understanding of max number of long-lived connections at a given time challenging to reason about.
Can you please explain why working in "rounds"/"cycles" is better here, and how are they defined?

[Winbobob]

Rounds/cycles mean: if this time this connection does not get a chance to be drained, its duration timer will be reset and wait until the timer is fired and try to drain again.