Cut over to MISE v2 as sole ext_authz provider #5005
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: tony-schndr. The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
/hold until #4886 is validated in production
Force-pushed 65a5978 to 4741200
Pull request overview
This PR removes the temporary dual-frontend + dual-ext-authz setup used to validate MISE v2 in parallel, and completes the cutover so the existing mise workload becomes the sole Istio ext-authz provider using the v2 JSON ConfigMap-based configuration.
Changes:
- Remove the MISE v2 parallel stack (second frontend, second ext-authz provider, routing headers, and the associated e2e routing test).
- Convert the in-place `mise` deployment from env-var configuration to JSON `appsettings.json` via ConfigMap + checksum-based rollout.
- Regenerate/update Helm and suite-list fixtures to reflect the new single-stack topology.
Reviewed changes
Copilot reviewed 32 out of 32 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| test/util/framework/per_test_framework.go | Removes the per-call policy client factory helper that was only needed by the removed routing e2e test. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt | Removes MISE routing e2e entries from suite listing fixture. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt | Removes MISE routing e2e entries from suite listing fixture. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt | Removes MISE routing e2e entries from suite listing fixture. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt | Removes MISE routing e2e entries from suite listing fixture. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt | Removes MISE routing e2e entries from suite listing fixture. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt | Removes MISE routing e2e entries from suite listing fixture. |
| test/e2e/mise_routing.go | Deletes the MISE header-routing e2e test (no longer applicable after cutover). |
| istio/values.yaml | Points mise.image.digest at the v2 image digest value. |
| istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml | Updates rendered fixture to single MISE config/deploy and removes the v2 workload/provider. |
| istio/deploy/templates/mise.serviceentry.yml | Removes the misev2 host from the ServiceEntry. |
| istio/deploy/templates/istio-shared-configmap.yml | Removes the ext-authz-misev2 provider and drops the version header from forwarded headers. |
| istio/deploy/charts/mise/values.yaml | Removes digestv2 and adds sessiongatePolicy values for JSON config generation. |
| istio/deploy/charts/mise/templates/service.yaml | Removes the misev2 Service. |
| istio/deploy/charts/mise/templates/deployment.yaml | Mounts JSON config ConfigMap into mise and adds config checksum annotation for rollout. |
| istio/deploy/charts/mise/templates/deployment-misev2.yaml | Deletes the misev2 Deployment template. |
| istio/deploy/charts/mise/templates/configmap.yaml | Renames v2 ConfigMap to mise-config (now used by the sole mise deployment). |
| frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml | Updates rendered frontend fixture to remove v2 frontend resources and routing. |
| frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml | Updates rendered fixture to remove ext-authz-misev2 policy and v2 routing/resources. |
| frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml | Updates rendered fixture to remove v2 routing/resources. |
| frontend/deploy/templates/peerauthentication.yaml | Removes v2 frontend metrics PeerAuthentication. |
| frontend/deploy/templates/frontend.virtualservice.yaml | Removes header-based route to v2 frontend. |
| frontend/deploy/templates/frontend.deployment.yaml | Inlines the deployment template (removing the helper indirection). |
| frontend/deploy/templates/frontend-v2.service.yaml | Deletes the v2 frontend Service template. |
| frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml | Deletes the v2 frontend PDB template. |
| frontend/deploy/templates/frontend-v2.deployment.yaml | Deletes the v2 frontend Deployment template wrapper. |
| frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml | Deletes the v2 frontend AuthorizationPolicy. |
| frontend/deploy/templates/_helpers.tpl | Deletes the shared helper template used by the removed v2 wrapper. |
| docs/mise.md | Removes the MISE v2 parallel deployment documentation section. |
| dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml | Updates rendered Istio fixture to remove v2 provider/host. |
| .yamllint.yml | Removes ignore entry for deleted template file. |
| .yamlfmt.yaml | Removes exclude entry for deleted v2 deployment template. |
Comments suppressed due to low confidence (1)
docs/mise.md:35
- The MISE v2/dual-frontend section was removed, but the doc no longer describes the current (post-cutover) deployment/configuration model (single `mise` workload using JSON ConfigMap + ext-authz provider). Please add an updated section so operators understand how MISE is configured and how Istio ext-authz is wired now that v2 is the sole provider.
# Geneva Action Requests
- Geneva Action sends a request to the Admin API with its AAD token.
- Istio external authorizer intercepts the traffic.
- Istio calls MISE in the service cluster namespace to validate:
  - Token authenticity (issuer, audience, signature, expiration).
  - Expected app ID / service principal identity of Geneva Action.
  - Optional claim validation (e.g., Geneva-specific roles or scopes).
- MISE returns a decision.
- Istio enforces the decision (forward or reject).
Note: This retrofit ensures that Geneva Action traffic is consistently validated through the same MISE-based framework, providing a unified security model for both ARM and Geneva-originated requests.
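The doc excerpt above lists the checks MISE performs before Istio forwards a Geneva Action request: signature, issuer, audience, expiry, the caller's app ID, and optionally a role claim. The following Go program is an added illustration of that decision sequence, not MISE's own code or the project's code. It mints an RS256 JWT with a key generated in-process (a stand-in for the issuer's key, which a real authorizer fetches from the issuer's JWKS) and then runs the ext_authz-style `Authorize` check over it; the `Claims` and `Policy` types, the `appid` and `roles` claim layout and the issuer/audience/app-ID values are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Claims is the subset of an AAD-style JWT payload this example inspects (constructed, not MISE's schema).
type Claims struct {
	Iss   string   `json:"iss"`
	Aud   string   `json:"aud"`
	Exp   int64    `json:"exp"`
	AppID string   `json:"appid"`
	Roles []string `json:"roles"`
}

// Policy holds what the authorizer expects of a caller: the checks the doc excerpt lists.
type Policy struct {
	Issuer        string
	Audience      string
	AllowedAppIDs map[string]bool // expected app ID(s) of the calling service principal
	RequiredRole  string          // optional claim check; empty disables it
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken mints a compact RS256 JWS so the example can build tokens offline; a real authorizer only verifies.
func SignToken(c Claims, key *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// Authorize is the ext_authz decision: verify the signature with the issuer's public key,
// then check each claim against the policy. nil means forward; an error means reject.
func Authorize(token string, pub *rsa.PublicKey, p Policy, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	hdrJSON, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return errors.New("bad base64url segment")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: the token must never choose it (alg=none, HS256 against an RSA public key).
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return errors.New("unsupported or missing alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("signature verification failed")
	}
	var c Claims // claims are only worth reading once the signature has checked out
	if err := json.Unmarshal(payload, &c); err != nil {
		return errors.New("bad claims")
	}
	switch {
	case c.Iss != p.Issuer:
		return fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != p.Audience:
		return fmt.Errorf("unexpected audience %q", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return errors.New("token expired")
	case !p.AllowedAppIDs[c.AppID]:
		return fmt.Errorf("app id %q is not an expected caller", c.AppID)
	case p.RequiredRole != "" && !slices.Contains(c.Roles, p.RequiredRole):
		return fmt.Errorf("missing required role %q", p.RequiredRole)
	}
	return nil
}
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the issuer's signing key (normally fetched from its JWKS)
	p := Policy{Issuer: "https://sts.example.test/tenant-id", Audience: "api://admin-api.example.test",
		AllowedAppIDs: map[string]bool{"geneva-action-app-id": true}, RequiredRole: "Admin.Actions"}
	now := time.Now()
	tok, _ := SignToken(Claims{Iss: p.Issuer, Aud: p.Audience, Exp: now.Add(time.Hour).Unix(), AppID: "geneva-action-app-id", Roles: []string{"Admin.Actions"}}, key)
	fmt.Println("expected caller      ->", Authorize(tok, &key.PublicKey, p, now))
	tok, _ = SignToken(Claims{Iss: p.Issuer, Aud: p.Audience, Exp: now.Unix(), AppID: "other-app"}, key)
	fmt.Println("expired, unknown app ->", Authorize(tok, &key.PublicKey, p, now))
}
```

The order matters: the algorithm is pinned and the signature verified before any claim is parsed, so a forged payload is rejected on the signature check rather than on a claim comparison. A production authorizer such as MISE additionally selects the verification key by the token's `kid` from the issuer's published JWKS and allows a small clock-skew window on `exp`; in this PR those settings live in the `appsettings.json` ConfigMap rather than in code.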
Remove MISE v1 deployment and dual-frontend routing infrastructure. Consolidate on a single MISE v2 deployment under the existing ext-authz provider name so admin and sessiongate AuthorizationPolicies require no changes. Revert frontend from templated dual-deployment back to a single inline deployment. Remove header-based traffic splitting (x-ms-mise-version), split routing e2e tests, and associated framework code.
Force-pushed 4741200 to 8440b05
/retest

/retest

/retest-required
@tony-schndr: The following test failed, say

Full PR test history. Your PR dashboard.

Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
PR needs rebase.

Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
close in favor of #5411
Fixes ARO-26219
What
Removes the dual-frontend deployment pattern and makes MISE v2 the sole `ext-authz` provider. The existing `mise` deployment is converted in-place from env-var-based (v1) configuration to JSON ConfigMap-based (v2) configuration.

Why

MISE v2 has been validated alongside v1 via header-based routing. The dual-frontend scaffolding (`aro-hcp-frontend-v2`, `ext-authz-misev2`, VirtualService routing) is no longer needed.

Testing

Existing helm template fixture tests cover the updated manifests. Test suite list fixtures regenerated to reflect the removed MISE routing e2e test.
Special notes for your reviewer
Do not merge until #4886 is validated in production.
🤖 Generated with Claude Code