perf(xds): add x-kuma-tags conditionally

[jakubdyszkiewicz]

Checklist prior to review

Do not merge for release-2.9. I'd rather put it in 2.10

We use x-kuma-tags internally. We add this to outbound HTTP listeners and we remove them on the inbound listeners. Currently, we use this header for 3 things

1. Match sources in FaultInjection policy
2. Match from in MeshFaultInjection policy
3. Match sources in RateLimit policy

I'd argue that in 99% cases you don't need it then.
Just a simple app on k8s looks like this:

"request_headers_to_add": [
  {
    "header": {
      "key": "x-kuma-tags",
      "value": "&app=redis&&k8s.kuma.io/namespace=kuma-demo&&k8s.kuma.io/service-name=redis&&k8s.kuma.io/service-port=6379&&kubernetes.io/hostname=k3d-kuma-server-0&&kuma.io/protocol=tcp&&kuma.io/service=redis_kuma-demo_svc_6379&&kuma.io/zone=default&&pod-template-hash=686bbbb5c8&"
    }
  }
]

This is quite a lot of data to put on every single request between Envoys.
Additionally, that's quite a lot of data to put on every single outbound in XDS config. Removing this slims down the XDS config.

Long term this header should be deleted and we should extract this from the certificate on the inbound side.

• Link to relevant issue as well as docs and UI issues --
• This will not break child repos: it doesn't hardcode values (i.e. "kumahq" as a image registry) and it will work on Windows, system specific functions like syscall.Mkfifo have equivalent implementation on the other OS --
• Tests (Unit test, E2E tests, manual test on universal and k8s) --
  • Don't forget ci/ labels to run additional/fewer tests
• Do you need to update UPGRADE.md? --
• Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label) --

[michaelbeaumont]

Long term this header should be deleted and we should extract this from the certificate on the inbound side.

isn't this for the non-mtls case?

[jakubdyszkiewicz]

We don't have extracting tags from cert (aside MTP validation ofc), so listed cases are for both mtls and non-mtls

[github-actions]

Reviewer Checklist

🔍 Each of these sections need to be checked by the reviewer of the PR 🔍:
If something doesn't apply please check the box and add a justification if the reason is non obvious.

• Is the PR title satisfactory? Is this part of a larger feature and should be grouped using > Changelog?
• PR description is clear and complete. It Links to relevant issue as well as docs and UI issues
• This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as an image registry)
• IPv6 is taken into account (.e.g: no string concatenation of host port)
• Tests (Unit test, E2E tests, manual test on universal and k8s)
  • Don't forget ci/ labels to run additional/fewer tests
• Does this contain a change that needs to be notified to users? In this case, UPGRADE.md should be updated.
• Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label)