From bc010102962ded54df4838e28271e38aa512b903 Mon Sep 17 00:00:00 2001
From: Anthony Fishbeck
Date: Mon, 23 Jan 2023 03:32:41 -0500
Subject: [PATCH 1/2] HPCC-28826 cert-manager: add support for secretTemplate

Add helm support for cert-manager certificate secretTemplate.

Kubernetes add-ons for doing things like synchronizing secrets/certificates across aks clusters or namespaces require annotations be added to the kubernetes secret resources to control the new behavior. This can be done through cert-manager using a feature known as the secretTemplate.

Signed-off-by: Anthony Fishbeck
---
 helm/hpcc/templates/_helpers.tpl | 12 +++++++++++-
 helm/hpcc/templates/esp.yaml | 2 +-
 helm/hpcc/values.schema.json | 18 ++++++++++++++++++
 helm/hpcc/values.yaml | 10 ++++++----
 4 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/helm/hpcc/templates/_helpers.tpl b/helm/hpcc/templates/_helpers.tpl
index 5de1f167d5a..c236b791ac9 100644
--- a/helm/hpcc/templates/_helpers.tpl
+++ b/helm/hpcc/templates/_helpers.tpl
@@ -1645,11 +1645,16 @@ remote client certificates. Adding the following to ESP (Roxie support to be added later) remoteClients: - name: myRemoteClient + organization: myorg #optional + secretTemplate: #optional add annotations to generated secret for tools like kubed config-syncer + annotations: + kubed.appscode.com/sync: "hpcc=testns" #sync certificate to matching namespaces + Will generate certificates that can be deployed to the remote client. Will cause ESP to require client certificates when a socket connects. Will create a TLS based access control list which ESP will check to make sure a connections client certificate is enabled. -Pass in root, client (name), organization (optional), instance (myeclwatch), component (eclwatch), visibility +Pass in root, client (name), organization (optional), instance (myeclwatch), component (eclwatch), visibility, secretTemplate (optional) */}} {{- define "hpcc.addClientCertificate" }} {{- if (.root.Values.certificates | default dict).enabled -}} @@ -1670,6 +1675,7 @@ Pass in root, client (name), organization (optional), instance (myeclwatch), com {{- $component := .component -}} {{- $client := .client -}} {{- $organization := .organization -}} + {{- $secretTemplate := .secretTemplate -}} {{- if not $externalCert -}} {{- $_ := fail (printf "Remote certificate defined for non external facing service %s - %s." $component $instance) -}} {{- end }} @@ -1682,6 +1688,10 @@ metadata: spec: # Secret names are always required. secretName: client-{{ $issuerKeyName }}-{{ $component }}-{{ $instance }}-{{ $client }}-tls + {{- if $secretTemplate }} + secretTemplate: +{{ toYaml $secretTemplate | indent 4 }} + {{- end }} duration: 2160h # 90d renewBefore: 360h # 15d subject: diff --git a/helm/hpcc/templates/esp.yaml b/helm/hpcc/templates/esp.yaml index 4724b5a4bf1..6f2872e306e 100644 --- a/helm/hpcc/templates/esp.yaml +++ b/helm/hpcc/templates/esp.yaml 
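Review bot: The `secretTemplate` block is copied onto the Certificate verbatim through `toYaml`, so anything a values file puts under it reaches cert-manager unchecked, and the sync annotation the surrounding comment recommends replicates the generated Secret — which holds the client's private key, not just its certificate — to every matching namespace or cluster. A one-line caveat above `{{- if $secretTemplate }}` would make that explicit: `# secretTemplate metadata is emitted as-is; sync annotations copy the whole TLS Secret (private key included), so target only namespaces/clusters that must hold it`. The `hpcc.addClientCertificate` define continues past the end of this hunk.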
@@ -204,7 +204,7 @@ kind: ConfigMap {{- $instance := .name -}} {{- $visibility := .service.visibility -}} {{- range $remoteClient := .remoteClients }} - {{ include "hpcc.addClientCertificate" (dict "root" $ "client" $remoteClient.name "organization" $remoteClient.organization "instance" $instance "component" $application "visibility" $visibility) }} + {{ include "hpcc.addClientCertificate" (dict "root" $ "client" $remoteClient.name "organization" $remoteClient.organization "instance" $instance "component" $application "visibility" $visibility "secretTemplate" $remoteClient.secretTemplate) }} {{- end }} {{- end }} {{- end }} diff --git a/helm/hpcc/values.schema.json b/helm/hpcc/values.schema.json index bce97c293aa..2fdd4d266bf 100644 --- a/helm/hpcc/values.schema.json +++ b/helm/hpcc/values.schema.json @@ -2832,6 +2832,24 @@ "name": { "type": "string", "description": "Remote client name" + }, + "organization": { + "type": "string", + "description": "Remote client organization" + }, + "secretTemplate": { + "type": "object", + "description": "cert-manager secretTemplate for this remoteClient secret", + "properties": { + "annotations": { + "type": "object", + "additionalProperties": { "type": "string" } + }, + "labels": { + "type": "object", + "additionalProperties": { "type": "string" } + } + } } } } diff --git a/helm/hpcc/values.yaml b/helm/hpcc/values.yaml index 2fd2a0d6604..63322bd6255 100644 --- a/helm/hpcc/values.yaml +++ b/helm/hpcc/values.yaml 
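Review bot: The new `secretTemplate` schema constrains `annotations` and `labels` but does not close the object, so a misspelled key such as `annotation:` passes values validation and is only rejected later, if at all, once the rendered Certificate reaches the API server. Adding `"additionalProperties": false` beside the `properties` block keeps that failure at `helm` validation time; if the enclosing `remoteClients` item object (whose closing lines are outside this hunk) already uses that setting, it also keeps the two consistent.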
@@ -566,8 +566,12 @@ esp: # Add remote clients to generated client certificates and make the ESP require that one of the generated certificates is provided by a client in order to connect # When setting up remote clients make sure that certificates.issuers.remote.enabled is set to true. # remoteClients: -# - name: myclient -# organization: mycompany +# - name: petfoodApplicationProd +# organization: petfoodDept +# secretTemplate: +# annotations: +# kubed.appscode.com/sync: "hpccenv=petfoodAppProd" # use kubed config-syncer to replicate certificate to namespace with matching annotation (also supports syncing with separate aks clusters) + service: ## port can be used to change the local port used by the pod. If omitted, the default port (8880) is used port: 8888 @@ -651,8 +655,6 @@ esp: application: sql2ecl auth: none replicas: 1 -# remoteClients: -# - name: sqlclient111 service: visibility: local servicePort: 8510 From 2d9c4d962caba33504ef3d5ee43a2bf35311d3e0 Mon Sep 17 00:00:00 2001 From: Mark Kelly Date: Mon, 23 Jan 2023 18:20:35 -0500 Subject: [PATCH 2/2] HPCC-28828 Case insensitive query names (-i) Signed-off-by: Mark Kelly --- tools/roxie/extract-roxie-timings.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/roxie/extract-roxie-timings.py b/tools/roxie/extract-roxie-timings.py index 552fd528041..1841abb4011 100755 --- a/tools/roxie/extract-roxie-timings.py +++ b/tools/roxie/extract-roxie-timings.py 
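Review bot: The trailing comment on `kubed.appscode.com/sync: "hpccenv=petfoodAppProd"` says the certificate is replicated, but the object being synced is the generated TLS Secret, which also carries the client private key; anyone able to read Secrets in a labelled target namespace or cluster then holds a credential the ESP access list will accept. Extend the comment to say so, e.g. `# NOTE: syncs the whole TLS Secret (private key included) - only label namespaces/clusters that must hold it`. Dropping the sql2ecl `remoteClients` example below is fine since the expanded example here covers it.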
@@ -85,10 +85,12 @@ def printRow(curRow): parser.add_argument("--all", "-a", help="Combine all services into a single result", action='store_true') parser.add_argument("--nosummary", "-n", help="Avoid including a summary", action='store_true') parser.add_argument("--summaryonly", "-s", help="Only generate a summary", action='store_true') + parser.add_argument("--ignorecase", "-i", help="Use case-insensitve query names", action='store_true') args = parser.parse_args() combineServices = args.all suppressDetails = args.summaryonly reportSummary = not args.nosummary or args.summaryonly + ignoreQueryCase = args.ignorecase csv.field_size_limit(0x100000) with open(args.filename, encoding='latin1') as csv_file: @@ -104,6 +106,9 @@ def printRow(curRow): mapping = rowText.split(); serviceName = completeMatch.group(1) + if ignoreQueryCase: + serviceName = serviceName.lower() + idMatch = idPattern.search(mapping[0]) if idMatch: if combineServices:
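Review bot: The help string of the new option has a typo, `"Use case-insensitve query names"`; it should read `help="Use case-insensitive query names"`. Lowering `serviceName` in place presumably also changes the name shown in the output rows, since the lowered value is what flows on through the loop, so the help text should say names are folded rather than only matched case-insensitively, worth confirming against the printing code. `str.casefold()` is the stricter fold, though for ASCII query names `lower()` behaves the same. Both changed stretches sit inside a block that starts before and continues past this hunk.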