Add troubleshooting headless TCP service disconnects.

[hollinwilkins]

This PR adds documentation on how to prevent Istio from disconnecting connections to headless TCP services every 15 minutes or so.

See conversation here for reference:
istio/istio#506

[andraxylia]

Minor edit for accuracy.

[andraxylia]

If istio-ca is deployed, Envoy is restarted every 15 minutes to refresh the certificates, causing the disconnection of TCP streams or long-running connections.

[hollinwilkins]

@andraxylia Do you want me to make these changes?

[ldemailly]

yes please do

[andraxylia]

Yes, please rephrase, sorry if that was not clear. Envoy is not restarted by the istio-ca, but by the pilot agent.

[ldemailly]

yes please do

[ldemailly]

I would insert something like:
"While your TCP services should be resilient to rare connection close events (as your pods may move for a number of reasons instance), if you really need to keep long running connections, and until we release the version of Istio that doesn't require envoy restart for certificate reload, you will have to disable mTLS [...]"
(though that's kind of a loooong sentence)

[hollinwilkins]

@ldemailly 15 minutes isn't a long TCP connection. DB connections often stay open for hours by default before being recycled. Will add something about connection resilience as well.

[hollinwilkins]

Hey, I made the requested changes, had to open a new PR because the old repository was deleted:

#870

[ldemailly]

closing -> #870