37 lines
1.3 KiB
YAML
37 lines
1.3 KiB
YAML
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: EnvoyFilter
|
|
metadata:
|
|
name: ingressgateway-hardening
|
|
namespace: {{ .Release.Namespace }}
|
|
spec:
|
|
configPatches:
|
|
- applyTo: CLUSTER
|
|
patch:
|
|
operation: MERGE
|
|
value:
|
|
connect_timeout: 15s
|
|
per_connection_buffer_limit_bytes: 32768 # 32 KiB
|
|
- applyTo: NETWORK_FILTER
|
|
match:
|
|
listener:
|
|
filterChain:
|
|
filter:
|
|
name: "envoy.filters.network.http_connection_manager"
|
|
patch:
|
|
operation: MERGE
|
|
value:
|
|
name: "envoy.filters.network.http_connection_manager"
|
|
typed_config:
|
|
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
|
|
common_http_protocol_options:
|
|
idle_timeout: 3600s # 1 hour
|
|
# headers_with_underscores_action: REJECT_REQUEST
|
|
http2_protocol_options:
|
|
max_concurrent_streams: 500
|
|
initial_stream_window_size: 65536 # 64 KiB
|
|
initial_connection_window_size: 1048576 # 1 MiB
|
|
#stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
|
|
#request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
|
|
{{- end }}
|