From bfafccaf327d740c070d0a5f57e828fde9d28b89 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Mon, 10 Mar 2025 17:49:24 +0000
Subject: [PATCH] feat: tooling tweaks, Istio ingress option to preserver external request Ids
---
 admin/dev_apply.sh | 2 +-
 admin/libhelm.sh | 39 ++++++++++---------
 .../templates/envoyfilter-hardening.yaml | 1 +
 charts/kubezero-istio-gateway/values.yaml | 1 +
 4 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/admin/dev_apply.sh b/admin/dev_apply.sh
index 19895f63..830a6d1e 100755
--- a/admin/dev_apply.sh
+++ b/admin/dev_apply.sh
@@ -106,6 +106,6 @@ else
 done
 fi
 for t in ${ARTIFACTS[@]}; do
- _helm apply $t || true
+ _helm $ACTION $t || true
 done
 fi
diff --git a/admin/libhelm.sh b/admin/libhelm.sh
index 5a5aa32b..386f843e 100644
--- a/admin/libhelm.sh
+++ b/admin/libhelm.sh
@@ -5,8 +5,6 @@ API_VERSIONS="-a monitoring.coreos.com/v1 -a snapshot.storage.k8s.io/v1 -a polic export HELM_SECRETS_BACKEND="vals" -LOCAL_DEV=${LOCAL_DEV:-""} - # Waits for max 300s and retries function wait_for() { local TRIES=0
@@ -35,7 +33,9 @@ function argo_used() { function field_manager() { - if [ "$1" == "True" ]; then + local argo=${1:-"False"} + + if [ "$argo" == "True" ]; then echo "--field-manager argo-controller" else echo ""
@@ -43,6 +43,21 @@ function field_manager() { } +function get_kubezero_secret() { + export _key="$1" + kubectl get secrets -n kubezero kubezero-secrets -o yaml | yq '.data.[env(_key)]' | base64 -d -w0 +} + + +function set_kubezero_secret() { + local key="$1" + local val="$2" + kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"$(echo -n $val |base64 -w0)\" }}" +} + + # get kubezero-values from ArgoCD if available or use in-cluster CM function get_kubezero_values() { local argo=${1:-"False"}
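Review bot: `_helm $ACTION $t || true` in the new loop body expands `$ACTION` unquoted and nothing in the hunk guarantees it is set, so an empty or unset `ACTION` silently calls `_helm` with `$t` shifted into the action slot; unless the script defaults it earlier, assert it before the loop with `: "${ACTION:?ACTION must be set}"` and quote both expansions, `_helm "$ACTION" "$t" || true`. The `|| true` also swallows every per-artifact failure of the new action, which for a `replace` means a rejected object goes unnoticed; printing the failed artifact to stderr would at least keep it visible. The enclosing `if`/`for` structure begins outside the hunk.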
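Review bot: In `set_kubezero_secret`, `echo -n $val |base64 -w0` expands the secret value unquoted, so a value containing whitespace or glob characters is split or expanded before encoding, and a value starting with `-n`/`-e` is eaten by `echo` as an option; encode it with `printf '%s' "$val" | base64 -w0`. The encoded value is then embedded in the `--patch=` argument, which leaves it visible in the process list for the lifetime of the `kubectl` call; reading the patch from a pipe via `--patch-file` keeps it out of argv. `get_kubezero_secret` also leaves `_key` exported for every later command in the session, which scoping it to the one invocation avoids, `kubectl get secrets -n kubezero kubezero-secrets -o yaml | _key="$1" yq '.data.[env(_key)]' | base64 -d -w0`, and neither function escapes `$key` for JSON or yq, so keys containing quotes or dots need handling. The context after the added functions, `get_kubezero_values`, continues outside the hunk.
```shell
function set_kubezero_secret() {
  local key="$1"
  local val="$2"
  local encoded
  # quote the value so it is encoded byte-for-byte, and never let echo parse it as options
  encoded=$(printf '%s' "$val" | base64 -w0)

  # read the patch from a pipe so the secret never appears in argv / ps output
  kubectl patch secret -n kubezero kubezero-secrets \
    --patch-file <(printf '{"data": {"%s": "%s"}}' "$key" "$encoded")
}
```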
@@ -105,19 +120,6 @@ function waitSystemPodsRunning() { done } -function argo_app_synced() { - APP=$1 - - # Ensure we are synced otherwise bail out - status=$(kubectl get application $APP -n argocd -o yaml | yq .status.sync.status) - if [ "$status" != "Synced" ]; then - echo "ArgoCD Application $APP not 'Synced'!" - return 1 - fi - - return 0 -} - # make sure namespace exists prior to calling helm as the create-namespace options doesn't work function create_ns() {
@@ -202,7 +204,7 @@ function _helm() { # Allow custom CRD handling declare -F ${module}-crds && ${module}-crds || _crds - elif [ $action == "apply" ]; then + elif [ $action == "apply" -o $action == "replace" ]; then echo "using values to $action of module $module: " cat $WORKDIR/values.yaml
@@ -213,7 +215,8 @@ function _helm() { declare -F ${module}-pre && ${module}-pre render - kubectl $action -f $WORKDIR/helm.yaml --server-side --force-conflicts $(field_manager $ARGOCD) && rc=$? || rc=$? + [ $action == "apply" ] && kubectl apply -f $WORKDIR/helm.yaml --server-side --force-conflicts $(field_manager $ARGOCD) && rc=$? || rc=$? + [ $action == "replace" ] && kubectl replace -f $WORKDIR/helm.yaml $(field_manager $ARGOCD) && rc=$? || rc=$? # Optional post hook declare -F ${module}-post && ${module}-post
diff --git a/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
index 563a1b55..e0fd7135 100644
--- a/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
+++ b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
@@ -32,6 +32,7 @@ spec:
 use_remote_address: true
 normalize_path: true
 merge_slashes: true
+ preserve_external_request_id: {{ .Values.hardening.preserveExternalRequestId }}
 {{- if .Values.hardening.unescapeSlashes }}
 path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
 {{- end }}
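Review bot: The new test `[ $action == "apply" -o $action == "replace" ]` leaves `$action` unquoted and relies on the `-o` operator, which POSIX marks obsolescent and which misparses when an operand is empty or looks like an option; the bash form `elif [[ "$action" == "apply" || "$action" == "replace" ]]; then` is unambiguous and matches the `[[`-free but bash-only style already used (`==`). `_helm` begins and ends outside this hunk.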
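Review bot: The two new guarded lines overwrite each other's `rc`: for `action=apply` the first line records the real `kubectl apply` status, then the second line's `[ $action == "replace" ]` test fails, its `|| rc=$?` branch runs and resets `rc` to 1, so an apply is always reported as failed to whatever reads `rc` after the hunk (for `replace` the order happens to mask the problem, since the second line wins). Selecting the command with a `case` keeps a single assignment per path; `$(field_manager $ARGOCD)` is deliberately left unquoted so it can expand to zero or two words, as in the original. The rest of `_helm`, including the consumer of `rc`, lies outside the hunk.
```shell
    render

    case "$action" in
      apply)
        kubectl apply -f $WORKDIR/helm.yaml --server-side --force-conflicts $(field_manager $ARGOCD) && rc=$? || rc=$?
        ;;
      replace)
        # apply-only flags omitted here, as in the commit
        kubectl replace -f $WORKDIR/helm.yaml $(field_manager $ARGOCD) && rc=$? || rc=$?
        ;;
    esac

    # … unchanged: optional post hook …
```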
diff --git a/charts/kubezero-istio-gateway/values.yaml b/charts/kubezero-istio-gateway/values.yaml
index abc4ecc8..d1ad284b 100644
--- a/charts/kubezero-istio-gateway/values.yaml
+++ b/charts/kubezero-istio-gateway/values.yaml
@@ -43,3 +43,4 @@ proxyProtocol: true
 hardening:
 rejectUnderscoresHeaders: true
 unescapeSlashes: true
+ preserveExternalRequestId: false
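Review bot: The new `preserveExternalRequestId` key carries no comment explaining what it switches on, and the effect is security-relevant: when true, the gateway keeps whatever `x-request-id` an external client sends instead of generating its own, so a caller can choose the id that lands in access logs and traces and break correlation or inject misleading ids. Keep the default at false and document it, e.g. `# Trust the client-supplied x-request-id (Envoy preserve_external_request_id). Only enable behind a proxy you control; a spoofable id breaks log and trace correlation.`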