apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: {{ include "gatewayName" . | trimPrefix "istio-" }}-hardening
  namespace: {{ .Release.Namespace }}
  labels:
    {{ include "kubezero-lib.labels" . | nindent 4 }}
spec:
  workloadSelector:
    labels:
      {{- include "gatewaySelectorLabels" . | nindent 6 }}
  configPatches:
  - applyTo: CLUSTER
    patch:
      operation: MERGE
      value:
        connect_timeout: 15s
        per_connection_buffer_limit_bytes: 32768 # 32 KiB
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: "envoy.filters.network.http_connection_manager"
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          stat_prefix: ingress_http
          use_remote_address: true
          normalize_path: true
          merge_slashes: true
          {{- if .Values.hardening.unescapeSlashes }}
          path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
          {{- end }}
          common_http_protocol_options:
            idle_timeout: 3600s # 1 hour
            {{- if .Values.hardening.rejectUnderscoresHeaders }}
            headers_with_underscores_action: REJECT_REQUEST
            {{- end }}
          http2_protocol_options:
            max_concurrent_streams: 100
            initial_stream_window_size: 65536 # 64 KiB
            initial_connection_window_size: 1048576 # 1 MiB
          #stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
          #request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests