feat: tooling tweaks, Istio ingress option to preserver external request Ids

admin/dev_apply.sh

@@ -106,6 +106,6 @@ else
     done
   fi
   for t in ${ARTIFACTS[@]}; do
-    _helm apply $t || true
+    _helm $ACTION $t || true
   done
 fi

admin/libhelm.sh

@@ -5,8 +5,6 @@ API_VERSIONS="-a monitoring.coreos.com/v1 -a snapshot.storage.k8s.io/v1 -a polic
 
 export HELM_SECRETS_BACKEND="vals"
 
-LOCAL_DEV=${LOCAL_DEV:-""}
-
 # Waits for max 300s and retries
 function wait_for() {
   local TRIES=0
@@ -35,7 +33,9 @@ function argo_used() {
 
 
 function field_manager() {
-  if [ "$1" == "True" ]; then
+  local argo=${1:-"False"}
+
+  if [ "$argo" == "True" ]; then
     echo "--field-manager argo-controller"
   else
     echo ""
@@ -43,6 +43,21 @@ function field_manager() {
 }
 
 
+function get_kubezero_secret() {
+  export _key="$1"
+
+  kubectl get secrets -n kubezero kubezero-secrets -o yaml | yq '.data.[env(_key)]' | base64 -d -w0
+}
+
+
+function set_kubezero_secret() {
+  local key="$1"
+  local val="$2"
+
+  kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"$(echo -n $val |base64 -w0)\" }}"
+}
+
+
 # get kubezero-values from ArgoCD if available or use in-cluster CM
 function get_kubezero_values() {
   local argo=${1:-"False"}
@@ -105,19 +120,6 @@ function waitSystemPodsRunning() {
   done
 }
 
-function argo_app_synced() {
-  APP=$1
-
-  # Ensure we are synced otherwise bail out
-  status=$(kubectl get application $APP -n argocd -o yaml | yq .status.sync.status)
-  if [ "$status" != "Synced" ]; then
-    echo "ArgoCD Application $APP not 'Synced'!"
-    return 1
-  fi
-
-  return 0
-}
-
 
 # make sure namespace exists prior to calling helm as the create-namespace options doesn't work
 function create_ns() {
@@ -202,7 +204,7 @@ function _helm() {
     # Allow custom CRD handling
     declare -F ${module}-crds && ${module}-crds || _crds
 
-  elif [ $action == "apply" ]; then
+  elif [ $action == "apply" -o $action == "replace" ]; then
     echo "using values to $action of module $module: "
     cat $WORKDIR/values.yaml
 
@@ -213,7 +215,8 @@ function _helm() {
     declare -F ${module}-pre && ${module}-pre
 
     render
-    kubectl $action -f $WORKDIR/helm.yaml --server-side --force-conflicts $(field_manager $ARGOCD) && rc=$? || rc=$?
+    [ $action == "apply" ] && kubectl apply -f $WORKDIR/helm.yaml --server-side --force-conflicts $(field_manager $ARGOCD) && rc=$? || rc=$?
+    [ $action == "replace" ] && kubectl replace -f $WORKDIR/helm.yaml $(field_manager $ARGOCD) && rc=$? || rc=$?
 
     # Optional post hook
     declare -F ${module}-post && ${module}-post

charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml

@@ -32,6 +32,7 @@ spec:
           use_remote_address: true
           normalize_path: true
           merge_slashes: true
+          preserve_external_request_id: {{ .Values.hardening.preserveExternalRequestId }}
           {{- if .Values.hardening.unescapeSlashes }}
           path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
           {{- end }}

charts/kubezero-istio-gateway/values.yaml

@@ -43,3 +43,4 @@ proxyProtocol: true
 hardening:
   rejectUnderscoresHeaders: true
   unescapeSlashes: true
+  preserveExternalRequestId: false