Merge remote-tracking branch 'origin/candidate-8.10.x' into candidate…

…-8.12.x Signed-off-by: Gavin Halliday <[email protected]>
hpcc-systems · Jan 24, 2023 · 348e1b8 · 348e1b8
2 parents 752a208 + 3dc0026
commit 348e1b8
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 6 deletions.
diff --git a/helm/hpcc/templates/_helpers.tpl b/helm/hpcc/templates/_helpers.tpl
@@ -1654,11 +1654,16 @@ remote client certificates.
 Adding the following to ESP (Roxie support to be added later)
   remoteClients:
   - name: myRemoteClient
+    organization: myorg #optional
+    secretTemplate:   #optional add annotations to generated secret for tools like kubed config-syncer
+      annotations:
+        kubed.appscode.com/sync: "hpcc=testns"       #sync certificate to matching namespaces
+
 Will generate certificates that can be deployed to the remote client.
 Will cause ESP to require client certificates when a socket connects.
 Will create a TLS based access control list which ESP will check to make sure a connections client certificate is enabled.
 
-Pass in root, client (name), organization (optional), instance (myeclwatch), component (eclwatch), visibility
+Pass in root, client (name), organization (optional), instance (myeclwatch), component (eclwatch), visibility, secretTemplate (optional)
 */}}
 {{- define "hpcc.addClientCertificate" }}
  {{- if (.root.Values.certificates | default dict).enabled -}}
@@ -1679,6 +1684,7 @@ Pass in root, client (name), organization (optional), instance (myeclwatch), com
     {{- $component := .component -}}
     {{- $client := .client -}}
     {{- $organization := .organization -}}
+    {{- $secretTemplate := .secretTemplate -}}
     {{- if not $externalCert -}}
      {{- $_ := fail (printf "Remote certificate defined for non external facing service %s - %s." $component $instance) -}}
     {{- end }}
@@ -1691,6 +1697,10 @@ metadata:
 spec:
   # Secret names are always required.
   secretName: client-{{ $issuerKeyName }}-{{ $component }}-{{ $instance }}-{{ $client }}-tls
+  {{- if $secretTemplate }}
+  secretTemplate:
+{{ toYaml $secretTemplate | indent 4 }}
+  {{- end }}
   duration: 2160h # 90d
   renewBefore: 360h # 15d
   subject:

diff --git a/helm/hpcc/templates/esp.yaml b/helm/hpcc/templates/esp.yaml
@@ -205,7 +205,7 @@ kind: ConfigMap
 {{- $instance := .name -}}
 {{- $visibility := .service.visibility -}}
 {{- range $remoteClient := .remoteClients }}
- {{ include "hpcc.addClientCertificate" (dict "root" $ "client" $remoteClient.name "organization" $remoteClient.organization "instance" $instance "component" $application "visibility" $visibility) }}
+ {{ include "hpcc.addClientCertificate" (dict "root" $ "client" $remoteClient.name "organization" $remoteClient.organization "instance" $instance "component" $application "visibility" $visibility "secretTemplate" $remoteClient.secretTemplate) }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/helm/hpcc/values.schema.json b/helm/hpcc/values.schema.json
@@ -2852,6 +2852,24 @@
           "name": {
             "type": "string",
             "description": "Remote client name"
+          },
+          "organization": {
+            "type": "string",
+            "description": "Remote client organization"
+          },
+          "secretTemplate": {
+            "type": "object",
+            "description": "cert-manager secretTemplate for this remoteClient secret",
+            "properties": {
+              "annotations": {
+                "type": "object",
+                "additionalProperties": { "type": "string" }
+              },
+              "labels": {
+                "type": "object",
+                "additionalProperties": { "type": "string" }
+              }
+            }
           }
         }
       }

diff --git a/helm/hpcc/values.yaml b/helm/hpcc/values.yaml
@@ -566,8 +566,12 @@ esp:
 # Add remote clients to generated client certificates and make the ESP require that one of the generated certificates is provided by a client in order to connect
 #   When setting up remote clients make sure that certificates.issuers.remote.enabled is set to true.
 # remoteClients:
-# - name: myclient
-#   organization: mycompany
+# - name: petfoodApplicationProd
+#   organization: petfoodDept
+#   secretTemplate:
+#     annotations:
+#       kubed.appscode.com/sync: "hpccenv=petfoodAppProd" # use kubed config-syncer to replicate certificate to namespace with matching annotation (also supports syncing with separate aks clusters)
+
   service:
     ## port can be used to change the local port used by the pod. If omitted, the default port (8880) is used
     port: 8888
@@ -651,8 +655,6 @@ esp:
   application: sql2ecl
   auth: none
   replicas: 1
-# remoteClients:
-# - name: sqlclient111
   service:
     visibility: local
     servicePort: 8510

diff --git a/tools/roxie/extract-roxie-timings.py b/tools/roxie/extract-roxie-timings.py
@@ -85,10 +85,12 @@ def printRow(curRow):
     parser.add_argument("--all", "-a", help="Combine all services into a single result", action='store_true')
     parser.add_argument("--nosummary", "-n", help="Avoid including a summary", action='store_true')
     parser.add_argument("--summaryonly", "-s", help="Only generate a summary", action='store_true')
+    parser.add_argument("--ignorecase", "-i", help="Use case-insensitve query names", action='store_true')
     args = parser.parse_args()
     combineServices = args.all
     suppressDetails = args.summaryonly
     reportSummary = not args.nosummary or args.summaryonly
+    ignoreQueryCase = args.ignorecase
 
     csv.field_size_limit(0x100000)
     with open(args.filename, encoding='latin1') as csv_file:
@@ -104,6 +106,9 @@ def printRow(curRow):
                 mapping = rowText.split();
 
                 serviceName = completeMatch.group(1)
+                if ignoreQueryCase:
+                    serviceName = serviceName.lower()
+
                 idMatch = idPattern.search(mapping[0])
                 if idMatch:
                     if combineServices: