# Istio

## EnvoyFilter

<details>

<summary>With removal of sensitive HTTP headers</summary>

The following EnvoyFilter resource removes these HTTP response headers on inbound sidecar traffic:

1. `x-envoy-decorator-operation`: reveals the internal hostname to external networks
2. `x-envoy-upstream-service-time`: reveals that Envoy is being used
3. `server`: reveals the server technology being used

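Create the following EnvoyFilter and apply it using `kubectl apply -f ./path/to/envoyfilter.yaml`. In addition to the three headers above, it strips `x-powered-by`. Setting `server_header_transformation: PASS_THROUGH` stops Envoy from writing its own `server` header, so the route-level removal takes effect: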

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  # name: {{ include "istio.fullname" . }}-header-removal
  # labels:
  #   {{- include "istio.labels" . | nindent 4 }}
  name: x-envoy-header-removal
  namespace: web-app
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          server_header_transformation: PASS_THROUGH
  - applyTo: HTTP_ROUTE
    match:
      context: SIDECAR_INBOUND
    patch:
      operation: MERGE
      value:
        decorator:
          propagate: false
        response_headers_to_remove:
          - "server"
          - "x-envoy-decorator-operation"
          - "x-envoy-upstream-service-time"
          - "x-powered-by"
```
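
To confirm the filter took effect, the response headers can be checked for the four names in `response_headers_to_remove`. The script below is an added example, not part of the original notes; the function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which headers targeted by the EnvoyFilter are
# still present in a set of raw HTTP response headers.

# Names taken from response_headers_to_remove in the manifest above.
SENSITIVE_HEADERS="server x-envoy-decorator-operation x-envoy-upstream-service-time x-powered-by"

# leaked_headers: reads raw response headers on stdin and prints each
# sensitive header name that is still present, one per line, lowercase.
leaked_headers() {
  # Strip CRs, lowercase, and keep only the field name before the colon.
  # The status line has no "name:" prefix, so it is skipped.
  names=$(tr -d '\r' | tr '[:upper:]' '[:lower:]' \
    | sed -n 's/^\([^:[:space:]]*\):.*/\1/p')
  for h in $SENSITIVE_HEADERS; do
    # -x matches the whole name, so "x-server-id" is not counted as "server".
    if printf '%s\n' "$names" | grep -qxF -- "$h"; then
      printf '%s\n' "$h"
    fi
  done
}

# check_url URL: hypothetical helper that fetches the headers of URL with
# curl and returns non-zero if any sensitive header is still exposed.
check_url() {
  leaked=$(curl -sS -o /dev/null -D - "$1" | leaked_headers)
  if [ -n "$leaked" ]; then
    printf 'still exposed on %s:\n%s\n' "$1" "$leaked" >&2
    return 1
  fi
}

# Constructed sample responses (not captured from a real service).
sample_before() {
  printf 'HTTP/1.1 200 OK\r\nServer: istio-envoy\r\nX-Envoy-Upstream-Service-Time: 12\r\nx-envoy-decorator-operation: web.web-app.svc.cluster.local:80/*\r\nX-Server-Id: 7\r\ncontent-type: text/html\r\n\r\n'
}
sample_after() {
  printf 'HTTP/1.1 200 OK\r\nX-Server-Id: 7\r\ncontent-type: text/html\r\n\r\n'
}
```

Source the file and call `check_url` with the externally reachable URL of the service; a non-zero exit status means at least one of the headers is still returned.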

</details>

## VirtualService

<details>

<summary>Basic example</summary>

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{ include "template.name" . }}
  annotations:
    external-dns.alpha.kubernetes.io/target: {{ .Values.loadBalancer.hostname }}
  labels:
    {{- include "template.labels" . | nindent 4 }}
spec:
  hosts:
  {{- range .Values.config.istio.ingress.urls }}
    - {{ . | quote }}
  {{- end }}
  gateways:
    - {{ .Values.istio.gateway.namespace }}/{{ .Values.istio.gateway.name }}
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: {{ .Values.istio.ingress.hostname }}
        port:
          number: {{ .Values.service.port }}
```

</details>

