Compare revisions

Michael Martin · Michael Martin · 596efd05 · 596efd05 · 596efd05 · 596efd05
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ---

+## [1.23.2-bb.1] - 2024-10-21
+### Added
+- added default, global envoy filter for HSTS and other security headers
+
 ## [1.23.2-bb.0] - 2024-10-08
 ### Changed
 - ironbank/opensource/istio/install-cni updated from 1.22.5 to 1.23.2

--- a/README.md
+++ b/README.md
 <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. -->
 # istio

-![Version: 1.23.2-bb.0](https://img.shields.io/badge/Version-1.23.2--bb.0-informational?style=flat-square) ![AppVersion: 1.23.2](https://img.shields.io/badge/AppVersion-1.23.2-informational?style=flat-square)
+![Version: 1.23.2-bb.1](https://img.shields.io/badge/Version-1.23.2--bb.1-informational?style=flat-square) ![AppVersion: 1.23.2](https://img.shields.io/badge/AppVersion-1.23.2-informational?style=flat-square)

 Configurable Deployment of Istio Custom Resources Wrapped Inside a Helm Chart.

@@ -120,6 +120,7 @@ helm install istio chart/
 | waitJob.enabled | bool | `true` |  |
 | waitJob.scripts.image | string | `"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5"` |  |
 | waitJob.permissions.resources[0] | string | `"istio-controlplane"` |  |
+| defaultSecurityHeaders.enabled | bool | `true` |  |

 ## Contributing


--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -3,7 +3,7 @@ name: istio
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.23.2-bb.0
+version: 1.23.2-bb.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.

--- a/chart/templates/bigbang/istio/authorizationPolicies/allow-ingress-authz-policy.yaml
+++ b/chart/templates/bigbang/istio/authorizationPolicies/allow-ingress-authz-policy.yaml
-{{- if and .Values.hardened.enabled -}}
+{{- if .Values.hardened.enabled -}}
 apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:

--- a/chart/templates/bigbang/istio/default-security-headers.yaml
+++ b/chart/templates/bigbang/istio/default-security-headers.yaml
+{{- if .Values.defaultSecurityHeaders.enabled -}}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: default-security-headers
+  namespace: istio-system
+spec:
+  workloadSelector:
+    labels:
+      istio: ingressgateway
+  configPatches:
+  - applyTo: HTTP_FILTER
+    match:
+      context: GATEWAY
+      listener:
+        filterChain:
+          filter:
+            name: "envoy.filters.network.http_connection_manager"
+            subFilter:
+              name: "envoy.filters.http.router"
+    patch:
+      operation: INSERT_BEFORE
+      value:
+       name: envoy.lua
+       typed_config:
+         "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
+         inlineCode: |
+            function envoy_on_response(response_handle)
+              function hasFrameAncestors(rh)
+                s = rh:headers():get("Content-Security-Policy");
+                delimiter = ";";
+                defined = false;
+                for match in (s..delimiter):gmatch("(.-)"..delimiter) do
+                  match = match:gsub("%s+", "");
+                  if match:sub(1, 15)=="frame-ancestors" then
+                    return true;
+                  end
+                end
+                return false;
+              end
+              if not response_handle:headers():get("Strict-Transport-Security") then
+                response_handle:headers():add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+              end
+              if not response_handle:headers():get("X-Frame-Options") then
+                response_handle:headers():add("X-Frame-Options", "SAMEORIGIN");
+              end
+              if not response_handle:headers():get("X-Content-Type-Options") then
+                response_handle:headers():add("X-Content-Type-Options", "nosniff");
+              end
+              if not response_handle:headers():get("Referrer-Policy") then
+                response_handle:headers():add("Referrer-Policy", "strict-origin");
+              end
+            end
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/peerAuthentication.yaml
+++ b/chart/templates/bigbang/peerAuthentication.yaml
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -351,4 +351,7 @@ waitJob:
    image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5
  permissions:
    resources:
-     - istio-controlplane
\ No newline at end of file
+     - istio-controlplane
+
+defaultSecurityHeaders:
+  enabled: true
\ No newline at end of file
No results found