chore: update k8s.io/client-go for security reason, go is upgrade to 1.16 (#1912)

* chore: fix jwt dependency security issue

* chore: update clickhouse driver

* chore: fix a security issue

* chore: update dependencies

rest/engine.go

@@ -242,7 +242,7 @@ func (ng *engine) start(router httpx.Router) error {
 	}
 
 	if len(ng.conf.CertFile) == 0 && len(ng.conf.KeyFile) == 0 {
-		return internal.StartHttp(ng.conf.Host, ng.conf.Port, router)
+		return internal.StartHttp(ng.conf.Host, ng.conf.Port, router, ng.withTimeout())
 	}
 
 	return internal.StartHttps(ng.conf.Host, ng.conf.Port, ng.conf.CertFile,
@@ -250,13 +250,29 @@ func (ng *engine) start(router httpx.Router) error {
 			if ng.tlsConfig != nil {
 				svr.TLSConfig = ng.tlsConfig
 			}
-		})
+		}, ng.withTimeout())
 }
 
 func (ng *engine) use(middleware Middleware) {
 	ng.middlewares = append(ng.middlewares, middleware)
 }
 
+func (ng *engine) withTimeout() internal.StartOption {
+	return func(svr *http.Server) {
+		timeout := ng.conf.Timeout
+		if timeout > 0 {
+			// factor 0.8, to avoid clients send longer content-length than the actual content,
+			// without this timeout setting, the server will time out and respond 503 Service Unavailable,
+			// which triggers the circuit breaker.
+			svr.ReadTimeout = 4 * time.Duration(timeout) * time.Millisecond / 5
+			// factor 0.9, to avoid clients not reading the response
+			// without this timeout setting, the server will time out and respond 503 Service Unavailable,
+			// which triggers the circuit breaker.
+			svr.WriteTimeout = 9 * time.Duration(timeout) * time.Millisecond / 10
+		}
+	}
+}
+
 func convertMiddleware(ware Middleware) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return ware(next.ServeHTTP)