From 8440b053fc5bcb42f644ee92bd7fbc7a087a035b Mon Sep 17 00:00:00 2001 
From: tony-schndr Date: Thu, 23 Apr 2026 09:23:17 -0500 Subject: [PATCH] Cut over to MISE v2 as sole ext_authz provider Remove MISE v1 deployment and dual-frontend routing infrastructure. Consolidate on a single MISE v2 deployment under the existing ext-authz provider name so admin and sessiongate AuthorizationPolicies require no changes. Revert frontend from templated dual-deployment back to a single inline deployment. Remove header-based traffic splitting (x-ms-mise-version), split routing e2e tests, and associated framework code. --- .yamlfmt.yaml | 1 - .yamllint.yml | 1 - ...tHelmTemplate_dev_westus3_svc_1_istio.yaml | 17 +- docs/mise.md | 32 --- frontend/deploy/templates/_helpers.tpl | 119 ----------- .../ext-authz-misev2.authorizationpolicy.yaml | 19 -- .../templates/frontend-v2.deployment.yaml | 1 - .../frontend-v2.poddisruptionbudget.yaml | 10 - .../deploy/templates/frontend-v2.service.yaml | 15 -- .../deploy/templates/frontend.deployment.yaml | 117 ++++++++++- .../templates/frontend.virtualservice.yaml | 18 -- .../deploy/templates/peerauthentication.yaml | 13 -- ...tHelmTemplate_frontend_connect_socket.yaml | 173 ---------------- ...estHelmTemplate_frontend_mise_enabled.yaml | 184 ------------------ ...ev_westus3_svc_1_aro_hcp_frontend_dev.yaml | 165 ---------------- .../{configmap-misev2.yaml => configmap.yaml} | 2 +- .../mise/templates/deployment-misev2.yaml | 57 ------ .../charts/mise/templates/deployment.yaml | 61 ++---- .../deploy/charts/mise/templates/service.yaml | 13 -- istio/deploy/charts/mise/values.yaml | 5 +- .../templates/istio-shared-configmap.yml | 8 +- istio/deploy/templates/mise.serviceentry.yml | 1 - ...e_TestHelmTemplate_istio_mise_enabled.yaml | 155 ++------------- istio/values.yaml | 3 +- test/e2e/mise_routing.go | 94 --------- ...cd_check_paralleldev_cd_check_parallel.txt | 2 - ...tegration_parallelintegration_parallel.txt | 2 - ...orEachSuite_prod_parallelprod_parallel.txt | 2 - ...rp_api_compat_all_parallel_development.txt | 2 - 
...all_parallelrp_api_compat_all_parallel.txt | 2 - ...EachSuite_stage_parallelstage_parallel.txt | 2 - test/util/framework/per_test_framework.go | 23 --- 32 files changed, 151 insertions(+), 1168 deletions(-) delete mode 100644 frontend/deploy/templates/_helpers.tpl delete mode 100644 frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml delete mode 100644 frontend/deploy/templates/frontend-v2.deployment.yaml delete mode 100644 frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml delete mode 100644 frontend/deploy/templates/frontend-v2.service.yaml rename istio/deploy/charts/mise/templates/{configmap-misev2.yaml => configmap.yaml} (99%) delete mode 100644 istio/deploy/charts/mise/templates/deployment-misev2.yaml delete mode 100644 test/e2e/mise_routing.go diff --git a/.yamlfmt.yaml b/.yamlfmt.yaml index 3e7b5833d0e..68a343ea984 100644 --- a/.yamlfmt.yaml +++ b/.yamlfmt.yaml @@ -3,7 +3,6 @@ match_type: doublestar exclude: - '**/zz_fixture_*.yaml' - 'frontend/deploy/templates/frontend.deployment.yaml' -- 'frontend/deploy/templates/frontend-v2.deployment.yaml' formatter: type: basic indentless_arrays: true diff --git a/.yamllint.yml b/.yamllint.yml index edb5f8ccedf..b2c77558f98 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -7,7 +7,6 @@ ignore: - 'admin/deploy/templates/ext-authz.authorizationpolicy.yaml' - 'admin/deploy/templates/admin.deployment.yaml' - 'frontend/deploy/templates/ext-authz.authorizationpolicy.yaml' -- 'frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml' - 'frontend/deploy/templates/allow-ingress.authorizationpolicy.yaml' - 'frontend/deploy/templates/frontend.deployment.yaml' - 'istio/deploy/templates/istio-shared-configmap.yml' diff --git a/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml b/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml index b8e1109d0d2..81d569890d8 100644 
--- a/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml +++ b/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml @@ -14,13 +14,7 @@ data: envoyExtAuthzHttp: service: "mise/mise.mise.svc.cluster.local" port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] - pathPrefix: "/v1/EnvoyValidateRequest" - - name: "ext-authz-misev2" - envoyExtAuthzHttp: - service: "mise/misev2.mise.svc.cluster.local" - port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] + includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"] pathPrefix: "/v1/EnvoyValidateRequest" --- # Source: istio/templates/istio-shared-configmap.yml @@ -38,13 +32,7 @@ data: envoyExtAuthzHttp: service: "mise/mise.mise.svc.cluster.local" port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] - pathPrefix: "/v1/EnvoyValidateRequest" - - name: "ext-authz-misev2" - envoyExtAuthzHttp: - service: "mise/misev2.mise.svc.cluster.local" - port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] + includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"] pathPrefix: "/v1/EnvoyValidateRequest" --- # Source: istio/templates/ops-ingress.gateway.yaml @@ -127,7 +115,6 @@ metadata: spec: hosts: - "mise.mise.svc.cluster.local" - - "misev2.mise.svc.cluster.local" endpoints: - address: "127.0.0.1" ports: diff --git a/docs/mise.md b/docs/mise.md index 20f286710f2..9433215bda9 100644 --- a/docs/mise.md +++ b/docs/mise.md 
@@ -32,35 +32,3 @@ Microsoft Identity Service Essentials (MISE) is an internal Microsoft service pr - Istio enforces the decision (forward or reject). Note: This retrofit ensures that Geneva Action traffic is consistently validated through the same MISE-based framework, providing a unified security model for both ARM and Geneva-originated requests. -# MISE v2 Deployment - -MISE v2 is deployed alongside v1 as a separate workload in the `mise` namespace. It uses a JSON-based configuration (via ConfigMap) instead of the environment-variable-based configuration used by v1. - -## Dual Frontend Routing - -Because Istio limits each workload to a single ext-authz provider, and because ext-authz calls bypass VirtualService routing entirely, header-based routing between MISE versions is achieved by running two separate frontend workloads, each with its own AuthorizationPolicy. - -```mermaid -graph TB - Client[Client Request] --> Gateway[Istio Ingress Gateway] - Gateway --> VS{VirtualService
x-ms-mise-version?} - - VS -->|"v2"| FEv2[aro-hcp-frontend-v2] - VS -->|default| FEv1[aro-hcp-frontend] - - FEv2 -->|"ext-authz-misev2
provider"| MISEv2["misev2.mise
(MISE v2)"] - FEv1 -->|"ext-authz
provider"| MISEv1["mise.mise
(MISE v1)"] -``` - -### Components - -- **Two ext-authz providers** defined in the Istio mesh config (`istio-shared-configmap`): - - `ext-authz` → `mise.mise.svc.cluster.local:8080` - - `ext-authz-misev2` → `misev2.mise.svc.cluster.local:8080` -- **Two frontend Deployments and Services**: `aro-hcp-frontend` and `aro-hcp-frontend-v2`, identical except for which ext-authz provider their AuthorizationPolicy references -- **VirtualService on the ingress gateway**: routes requests with `x-ms-mise-version: v2` header to `aro-hcp-frontend-v2`, all other traffic to `aro-hcp-frontend` -- **Shared label** `app.kubernetes.io/part-of: aro-hcp-frontend` on both frontend deployments, used by policies that apply to both (metrics, admin access) - -### Why Not VirtualService-Based Routing at the MISE Layer - -Istio ext-authz calls bypass VirtualService routing. The Envoy `envoyExtAuthzHttp` filter connects directly to the service cluster endpoints, not through the HTTP routing pipeline. This means a VirtualService on `mise.mise.svc.cluster.local` cannot split ext-authz traffic by header — the split must happen upstream by routing to different frontend workloads, each bound to its own ext-authz provider. diff --git a/frontend/deploy/templates/_helpers.tpl b/frontend/deploy/templates/_helpers.tpl deleted file mode 100644 index 8ac626b7e69..00000000000 --- a/frontend/deploy/templates/_helpers.tpl +++ /dev/null 
@@ -1,119 +0,0 @@ -{{- define "frontend.deployment" -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: {{ .appName }} - name: {{ .appName }} - namespace: '{{ .Release.Namespace }}' -spec: - progressDeadlineSeconds: 600 - replicas: {{ .Values.deployment.replicas }} - revisionHistoryLimit: 10 - selector: - matchLabels: - app: {{ .appName }} - strategy: - rollingUpdate: - maxSurge: 50% - maxUnavailable: 50% - type: RollingUpdate - template: - metadata: - labels: - app: {{ .appName }} - app.kubernetes.io/part-of: aro-hcp-frontend - azure.workload.identity/use: "true" - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: '{{ if eq (int .Values.deployment.zoneCount) 0 }}kubernetes.azure.com/agentpool{{ else }}topology.kubernetes.io/zone{{ end }}' - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: {{ .appName }} - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: {{ .appName }} - serviceAccountName: '{{ .Values.serviceAccount.name }}' - containers: - - name: {{ .appName }} - image: '{{ .Values.deployment.imageName }}' - imagePullPolicy: Always - args: ["--clusters-service-url", "http://clusters-service.{{ .Values.clustersService.namespace }}.svc.cluster.local:8000", "--exit-on-panic={{ .Values.exitOnPanic }}"] - env: - - name: DB_NAME - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_NAME - - name: DB_URL - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_URL - - name: LOCATION - valueFrom: - configMapKeyRef: - name: frontend-config - key: LOCATION - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "{{ .Values.tracing.address }}" - - name: OTEL_TRACES_EXPORTER - value: "{{ .Values.tracing.exporter }}" - - name: AUDIT_CONNECT_SOCKET - value: "{{ .Values.audit.connectSocket }}" - - name: AZURE_TOKEN_CREDENTIALS - value: "WorkloadIdentityCredential" - ports: - - containerPort: 8443 - protocol: TCP - - containerPort: 
8081 - protocol: TCP - resources: - requests: - cpu: {{ .Values.deployment.resources.requests.cpu }} - memory: {{ .Values.deployment.resources.requests.memory }} -{{- if ne .Values.deployment.resources.limits.memory "unlimited" }} - limits: - memory: {{ .Values.deployment.resources.limits.memory }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - {{- if .Values.audit.connectSocket }} - volumeMounts: - - name: mdsd-asa-run-vol - mountPath: /var/run/mdsd - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 15 - periodSeconds: 20 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 5 - periodSeconds: 10 - {{- if .Values.audit.connectSocket }} - volumes: - - name: mdsd-asa-run-vol - hostPath: - path: /var/run/mdsd - type: Directory - {{- end }} - restartPolicy: Always - terminationGracePeriodSeconds: 30 -{{- end -}} diff --git a/frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml b/frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml deleted file mode 100644 index e9e878d7fe4..00000000000 --- a/frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if eq .Values.mise.deploy true }} -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: ext-authz-misev2 - namespace: '{{ .Release.Namespace }}' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - action: CUSTOM - provider: - name: ext-authz-misev2 - rules: - - to: - - operation: - paths: ["/*"] - notPaths: ["/metrics"] -{{- end }} diff --git a/frontend/deploy/templates/frontend-v2.deployment.yaml b/frontend/deploy/templates/frontend-v2.deployment.yaml deleted file mode 100644 index e2cef55bf3a..00000000000 --- a/frontend/deploy/templates/frontend-v2.deployment.yaml +++ /dev/null 
@@ -1 +0,0 @@ -{{ include "frontend.deployment" (dict "appName" "aro-hcp-frontend-v2" "Values" .Values "Release" .Release) }} diff --git a/frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml b/frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml deleted file mode 100644 index 228afb45a81..00000000000 --- a/frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: aro-hcp-frontend-v2 - namespace: '{{ .Release.Namespace }}' -spec: - minAvailable: 1 - selector: - matchLabels: - app: aro-hcp-frontend-v2 diff --git a/frontend/deploy/templates/frontend-v2.service.yaml b/frontend/deploy/templates/frontend-v2.service.yaml deleted file mode 100644 index cfc7a9efcff..00000000000 --- a/frontend/deploy/templates/frontend-v2.service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: '{{ .Release.Namespace }}' -spec: - ports: - - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app: aro-hcp-frontend-v2 - type: ClusterIP diff --git a/frontend/deploy/templates/frontend.deployment.yaml b/frontend/deploy/templates/frontend.deployment.yaml index e79af7fc407..c4925c0d6c4 100644 --- a/frontend/deploy/templates/frontend.deployment.yaml +++ b/frontend/deploy/templates/frontend.deployment.yaml 
@@ -1 +1,116 @@ -{{ include "frontend.deployment" (dict "appName" "aro-hcp-frontend" "Values" .Values "Release" .Release) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: aro-hcp-frontend + name: aro-hcp-frontend + namespace: '{{ .Release.Namespace }}' +spec: + progressDeadlineSeconds: 600 + replicas: {{ .Values.deployment.replicas }} + revisionHistoryLimit: 10 + selector: + matchLabels: + app: aro-hcp-frontend + strategy: + rollingUpdate: + maxSurge: 50% + maxUnavailable: 50% + type: RollingUpdate + template: + metadata: + labels: + app: aro-hcp-frontend + azure.workload.identity/use: "true" + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: '{{ if eq (int .Values.deployment.zoneCount) 0 }}kubernetes.azure.com/agentpool{{ else }}topology.kubernetes.io/zone{{ end }}' + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: aro-hcp-frontend + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: aro-hcp-frontend + serviceAccountName: '{{ .Values.serviceAccount.name }}' + containers: + - name: aro-hcp-frontend + image: '{{ .Values.deployment.imageName }}' + imagePullPolicy: Always + args: ["--clusters-service-url", "http://clusters-service.{{ .Values.clustersService.namespace }}.svc.cluster.local:8000", "--exit-on-panic={{ .Values.exitOnPanic }}"] + env: + - name: DB_NAME + valueFrom: + configMapKeyRef: + name: frontend-config + key: DB_NAME + - name: DB_URL + valueFrom: + configMapKeyRef: + name: frontend-config + key: DB_URL + - name: LOCATION + valueFrom: + configMapKeyRef: + name: frontend-config + key: LOCATION + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: "{{ .Values.tracing.address }}" + - name: OTEL_TRACES_EXPORTER + value: "{{ .Values.tracing.exporter }}" + - name: AUDIT_CONNECT_SOCKET + value: "{{ .Values.audit.connectSocket }}" + - name: AZURE_TOKEN_CREDENTIALS + value: "WorkloadIdentityCredential" + ports: + - containerPort: 8443 
+ protocol: TCP + - containerPort: 8081 + protocol: TCP + resources: + requests: + cpu: {{ .Values.deployment.resources.requests.cpu }} + memory: {{ .Values.deployment.resources.requests.memory }} +{{- if ne .Values.deployment.resources.limits.memory "unlimited" }} + limits: + memory: {{ .Values.deployment.resources.limits.memory }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + {{- if .Values.audit.connectSocket }} + volumeMounts: + - name: mdsd-asa-run-vol + mountPath: /var/run/mdsd + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: 8443 + initialDelaySeconds: 15 + periodSeconds: 20 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: 8443 + initialDelaySeconds: 5 + periodSeconds: 10 + {{- if .Values.audit.connectSocket }} + volumes: + - name: mdsd-asa-run-vol + hostPath: + path: /var/run/mdsd + type: Directory + {{- end }} + restartPolicy: Always + terminationGracePeriodSeconds: 30 diff --git a/frontend/deploy/templates/frontend.virtualservice.yaml b/frontend/deploy/templates/frontend.virtualservice.yaml index ee5d8fb77a5..649a9f5d586 100644 --- a/frontend/deploy/templates/frontend.virtualservice.yaml +++ b/frontend/deploy/templates/frontend.virtualservice.yaml @@ -9,24 +9,6 @@ spec: gateways: - aks-istio-ingress/aro-hcp-gateway-external http: - - match: - - headers: - x-ms-mise-version: - exact: "v2" - uri: - regex: '.+' - headers: - request: - add: - mise-inbound-policies-to-filter: "{{ .Values.mise.policyLabel }}" - response: - add: - x-ms-served-by: "v2" - route: - - destination: - host: aro-hcp-frontend-v2 - port: - number: 8443 - match: - uri: regex: '.+' diff --git a/frontend/deploy/templates/peerauthentication.yaml b/frontend/deploy/templates/peerauthentication.yaml index db035b6cadb..9911b719a00 100644 --- a/frontend/deploy/templates/peerauthentication.yaml 
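Review bot: The inlined pod template under `template.metadata.labels` carries only `app` and `azure.workload.identity/use`, dropping the `app.kubernetes.io/part-of: aro-hcp-frontend` label that the deleted `_helpers.tpl` applied, while a `spec: selector: app.kubernetes.io/part-of: aro-hcp-frontend` still appears as unchanged context in the regenerated fixtures (the `@@ -97,117 +68,6 @@` hunks in frontend/testdata and the dev fixture). Whatever object that selector belongs to — its kind is not visible from here — matches no frontend pod after this change, so a Service would lose its endpoints and a policy selecting on it would silently stop applying, which matters if it is one of the metrics or admin-access policies the removed docs said rely on that label. If the selector is meant to keep working, restore the label in the template, `app.kubernetes.io/part-of: aro-hcp-frontend` on the line after `app: aro-hcp-frontend` under `template.metadata.labels`, and regenerate the fixtures; otherwise the dangling selector should be removed in the same commit. The fixture hunks at `@@ -232,7 +92,6 @@` and `@@ -224,7 +92,6 @@` confirm the label disappears from the rendered output.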
+++ b/frontend/deploy/templates/peerauthentication.yaml @@ -10,16 +10,3 @@ spec: portLevelMtls: 8081: mode: PERMISSIVE ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: aro-hcp-frontend-v2-metrics - namespace: '{{ .Release.Namespace }}' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - portLevelMtls: - 8081: - mode: PERMISSIVE diff --git a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml index 874f6b5a2c1..4a53e0c74e4 100644 --- a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml +++ b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml @@ -1,16 +1,4 @@ --- -# Source: frontend/templates/frontend-v2.poddisruptionbudget.yaml -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - minAvailable: 1 - selector: - matchLabels: - app: aro-hcp-frontend-v2 ---- # Source: frontend/templates/frontend.poddisruptionbudget.yaml apiVersion: policy/v1 kind: PodDisruptionBudget @@ -45,23 +33,6 @@ data: FRONTEND_MI_CLIENT_ID: '__frontendMsiClientId__' LOCATION: 'westus3' --- -# Source: frontend/templates/frontend-v2.service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - ports: - - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app: aro-hcp-frontend-v2 - type: ClusterIP ---- # Source: frontend/templates/frontend.service.yaml apiVersion: v1 kind: Service 
@@ -97,117 +68,6 @@ spec: selector: app.kubernetes.io/part-of: aro-hcp-frontend --- -# Source: frontend/templates/frontend-v2.deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - progressDeadlineSeconds: 600 - replicas: 2 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: aro-hcp-frontend-v2 - strategy: - rollingUpdate: - maxSurge: 50% - maxUnavailable: 50% - type: RollingUpdate - template: - metadata: - labels: - app: aro-hcp-frontend-v2 - app.kubernetes.io/part-of: aro-hcp-frontend - azure.workload.identity/use: "true" - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: 'topology.kubernetes.io/zone' - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - serviceAccountName: 'frontend' - containers: - - name: aro-hcp-frontend-v2 - image: 'arohcpsvcdev.azurecr.io/arohcpfrontend@sha256:1234567890' - imagePullPolicy: Always - args: ["--clusters-service-url", "http://clusters-service.clusters-service.svc.cluster.local:8000", "--exit-on-panic=true"] - env: - - name: DB_NAME - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_NAME - - name: DB_URL - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_URL - - name: LOCATION - valueFrom: - configMapKeyRef: - name: frontend-config - key: LOCATION - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "" - - name: OTEL_TRACES_EXPORTER - value: "" - - name: AUDIT_CONNECT_SOCKET - value: "true" - - name: AZURE_TOKEN_CREDENTIALS - value: "WorkloadIdentityCredential" - ports: - - containerPort: 8443 - protocol: TCP - - containerPort: 8081 - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - 
runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - name: mdsd-asa-run-vol - mountPath: /var/run/mdsd - livenessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 15 - periodSeconds: 20 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 5 - periodSeconds: 10 - volumes: - - name: mdsd-asa-run-vol - hostPath: - path: /var/run/mdsd - type: Directory - restartPolicy: Always - terminationGracePeriodSeconds: 30 ---- # Source: frontend/templates/frontend.deployment.yaml apiVersion: apps/v1 kind: Deployment @@ -232,7 +92,6 @@ spec: metadata: labels: app: aro-hcp-frontend - app.kubernetes.io/part-of: aro-hcp-frontend azure.workload.identity/use: "true" spec: topologySpreadConstraints: @@ -490,20 +349,6 @@ spec: 8081: mode: PERMISSIVE --- -# Source: frontend/templates/peerauthentication.yaml -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: aro-hcp-frontend-v2-metrics - namespace: 'aro-hcp' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - portLevelMtls: - 8081: - mode: PERMISSIVE ---- # Source: frontend/templates/frontend.secretproviderclass.yaml ################################ # @@ -571,24 +416,6 @@ spec: gateways: - aks-istio-ingress/aro-hcp-gateway-external http: - - match: - - headers: - x-ms-mise-version: - exact: "v2" - uri: - regex: '.+' - headers: - request: - add: - mise-inbound-policies-to-filter: "ARM Policy" - response: - add: - x-ms-served-by: "v2" - route: - - destination: - host: aro-hcp-frontend-v2 - port: - number: 8443 - match: - uri: regex: '.+' diff --git a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml index 8afe78b5909..50980b61b1b 100644 --- a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml +++ b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml 
@@ -1,16 +1,4 @@ --- -# Source: frontend/templates/frontend-v2.poddisruptionbudget.yaml -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - minAvailable: 1 - selector: - matchLabels: - app: aro-hcp-frontend-v2 ---- # Source: frontend/templates/frontend.poddisruptionbudget.yaml apiVersion: policy/v1 kind: PodDisruptionBudget @@ -45,23 +33,6 @@ data: FRONTEND_MI_CLIENT_ID: '__frontendMsiClientId__' LOCATION: 'westus3' --- -# Source: frontend/templates/frontend-v2.service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - ports: - - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app: aro-hcp-frontend-v2 - type: ClusterIP ---- # Source: frontend/templates/frontend.service.yaml apiVersion: v1 kind: Service 
@@ -97,109 +68,6 @@ spec: selector: app.kubernetes.io/part-of: aro-hcp-frontend --- -# Source: frontend/templates/frontend-v2.deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - progressDeadlineSeconds: 600 - replicas: 2 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: aro-hcp-frontend-v2 - strategy: - rollingUpdate: - maxSurge: 50% - maxUnavailable: 50% - type: RollingUpdate - template: - metadata: - labels: - app: aro-hcp-frontend-v2 - app.kubernetes.io/part-of: aro-hcp-frontend - azure.workload.identity/use: "true" - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: 'topology.kubernetes.io/zone' - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - serviceAccountName: 'frontend' - containers: - - name: aro-hcp-frontend-v2 - image: 'arohcpsvcdev.azurecr.io/arohcpfrontend@sha256:1234567890' - imagePullPolicy: Always - args: ["--clusters-service-url", "http://clusters-service.clusters-service.svc.cluster.local:8000", "--exit-on-panic=true"] - env: - - name: DB_NAME - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_NAME - - name: DB_URL - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_URL - - name: LOCATION - valueFrom: - configMapKeyRef: - name: frontend-config - key: LOCATION - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "" - - name: OTEL_TRACES_EXPORTER - value: "" - - name: AUDIT_CONNECT_SOCKET - value: "false" - - name: AZURE_TOKEN_CREDENTIALS - value: "WorkloadIdentityCredential" - ports: - - containerPort: 8443 - protocol: TCP - - containerPort: 8081 - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - 
runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - livenessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 15 - periodSeconds: 20 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 5 - periodSeconds: 10 - restartPolicy: Always - terminationGracePeriodSeconds: 30 ---- # Source: frontend/templates/frontend.deployment.yaml apiVersion: apps/v1 kind: Deployment @@ -224,7 +92,6 @@ spec: metadata: labels: app: aro-hcp-frontend - app.kubernetes.io/part-of: aro-hcp-frontend azure.workload.identity/use: "true" spec: topologySpreadConstraints: @@ -428,25 +295,6 @@ metadata: namespace: 'aro-hcp' spec: {} --- -# Source: frontend/templates/ext-authz-misev2.authorizationpolicy.yaml -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: ext-authz-misev2 - namespace: 'aro-hcp' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - action: CUSTOM - provider: - name: ext-authz-misev2 - rules: - - to: - - operation: - paths: ["/*"] - notPaths: ["/metrics"] ---- # Source: frontend/templates/ext-authz.authorizationpolicy.yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy @@ -512,20 +360,6 @@ spec: 8081: mode: PERMISSIVE --- -# Source: frontend/templates/peerauthentication.yaml -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: aro-hcp-frontend-v2-metrics - namespace: 'aro-hcp' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - portLevelMtls: - 8081: - mode: PERMISSIVE ---- # Source: frontend/templates/frontend.secretproviderclass.yaml ################################ # 
@@ -593,24 +427,6 @@ spec: gateways: - aks-istio-ingress/aro-hcp-gateway-external http: - - match: - - headers: - x-ms-mise-version: - exact: "v2" - uri: - regex: '.+' - headers: - request: - add: - mise-inbound-policies-to-filter: "ARM Policy" - response: - add: - x-ms-served-by: "v2" - route: - - destination: - host: aro-hcp-frontend-v2 - port: - number: 8443 - match: - uri: regex: '.+' diff --git a/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml b/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml index 0928e0a1868..0bab98a4dc8 100644 --- a/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml +++ b/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml @@ -1,16 +1,4 @@ --- -# Source: frontend/templates/frontend-v2.poddisruptionbudget.yaml -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - minAvailable: 1 - selector: - matchLabels: - app: aro-hcp-frontend-v2 ---- # Source: frontend/templates/frontend.poddisruptionbudget.yaml apiVersion: policy/v1 kind: PodDisruptionBudget @@ -45,23 +33,6 @@ data: FRONTEND_MI_CLIENT_ID: '__frontendMsiClientId__' LOCATION: 'westus3' --- -# Source: frontend/templates/frontend-v2.service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - ports: - - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app: aro-hcp-frontend-v2 - type: ClusterIP ---- # Source: frontend/templates/frontend.service.yaml apiVersion: v1 kind: Service 
@@ -97,109 +68,6 @@ spec: selector: app.kubernetes.io/part-of: aro-hcp-frontend --- -# Source: frontend/templates/frontend-v2.deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - progressDeadlineSeconds: 600 - replicas: 2 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: aro-hcp-frontend-v2 - strategy: - rollingUpdate: - maxSurge: 50% - maxUnavailable: 50% - type: RollingUpdate - template: - metadata: - labels: - app: aro-hcp-frontend-v2 - app.kubernetes.io/part-of: aro-hcp-frontend - azure.workload.identity/use: "true" - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: 'topology.kubernetes.io/zone' - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - serviceAccountName: 'frontend' - containers: - - name: aro-hcp-frontend-v2 - image: 'arohcpsvcdev.azurecr.io/arohcpfrontend@sha256:1234567890' - imagePullPolicy: Always - args: ["--clusters-service-url", "http://clusters-service.clusters-service.svc.cluster.local:8000", "--exit-on-panic=true"] - env: - - name: DB_NAME - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_NAME - - name: DB_URL - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_URL - - name: LOCATION - valueFrom: - configMapKeyRef: - name: frontend-config - key: LOCATION - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "" - - name: OTEL_TRACES_EXPORTER - value: "" - - name: AUDIT_CONNECT_SOCKET - value: "false" - - name: AZURE_TOKEN_CREDENTIALS - value: "WorkloadIdentityCredential" - ports: - - containerPort: 8443 - protocol: TCP - - containerPort: 8081 - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - 
runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - livenessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 15 - periodSeconds: 20 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 5 - periodSeconds: 10 - restartPolicy: Always - terminationGracePeriodSeconds: 30 ---- # Source: frontend/templates/frontend.deployment.yaml apiVersion: apps/v1 kind: Deployment @@ -224,7 +92,6 @@ spec: metadata: labels: app: aro-hcp-frontend - app.kubernetes.io/part-of: aro-hcp-frontend azure.workload.identity/use: "true" spec: topologySpreadConstraints: @@ -474,20 +341,6 @@ spec: 8081: mode: PERMISSIVE --- -# Source: frontend/templates/peerauthentication.yaml -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: aro-hcp-frontend-v2-metrics - namespace: 'aro-hcp' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - portLevelMtls: - 8081: - mode: PERMISSIVE ---- # Source: frontend/templates/frontend.secretproviderclass.yaml ################################ # @@ -555,24 +408,6 @@ spec: gateways: - aks-istio-ingress/aro-hcp-gateway-external http: - - match: - - headers: - x-ms-mise-version: - exact: "v2" - uri: - regex: '.+' - headers: - request: - add: - mise-inbound-policies-to-filter: "ARM Policy" - response: - add: - x-ms-served-by: "v2" - route: - - destination: - host: aro-hcp-frontend-v2 - port: - number: 8443 - match: - uri: regex: '.+' diff --git a/istio/deploy/charts/mise/templates/configmap-misev2.yaml b/istio/deploy/charts/mise/templates/configmap.yaml similarity index 99% rename from istio/deploy/charts/mise/templates/configmap-misev2.yaml rename to istio/deploy/charts/mise/templates/configmap.yaml index 0ebc06856a6..fdef3ab98d7 100644 --- a/istio/deploy/charts/mise/templates/configmap-misev2.yaml +++ b/istio/deploy/charts/mise/templates/configmap.yaml 
@@ -1,7 +1,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: misev2-config + name: mise-config namespace: '{{ .Values.namespace }}' data: appsettings.json: |- diff --git a/istio/deploy/charts/mise/templates/deployment-misev2.yaml b/istio/deploy/charts/mise/templates/deployment-misev2.yaml deleted file mode 100644 index 4a162a05750..00000000000 --- a/istio/deploy/charts/mise/templates/deployment-misev2.yaml +++ /dev/null @@ -1,57 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: misev2 - namespace: '{{ .Values.namespace }}' -spec: - replicas: 2 - selector: - matchLabels: - app: misev2 - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap-misev2.yaml") . | sha256sum }} - labels: - app: misev2 - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: '{{ if eq (int .Values.deployment.zoneCount) 0 }}kubernetes.azure.com/agentpool{{ else }}topology.kubernetes.io/zone{{ end }}' - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: misev2 - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: misev2 - containers: - - name: misev2 - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}@{{ .Values.image.digestv2 }}" - ports: - - containerPort: 8080 - livenessProbe: - httpGet: - path: /healthz - port: 8080 - readinessProbe: - httpGet: - path: /readyz - port: 8080 - volumeMounts: - - name: misev2-config - mountPath: /app/appsettings.json - subPath: appsettings.json - readOnly: true - env: - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "{{ .Values.tracing.address }}" - - name: OTEL_TRACES_EXPORTER - value: "{{ .Values.tracing.exporter }}" - volumes: - - name: misev2-config - configMap: - name: misev2-config diff --git a/istio/deploy/charts/mise/templates/deployment.yaml b/istio/deploy/charts/mise/templates/deployment.yaml index 5671740f0f6..5b773f4a167 100644 
--- a/istio/deploy/charts/mise/templates/deployment.yaml
+++ b/istio/deploy/charts/mise/templates/deployment.yaml
@@ -10,6 +10,8 @@ spec:
app: mise
template:
metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
labels:
app: mise
spec:
@@ -39,58 +41,17 @@ spec:
httpGet:
path: /readyz
port: 8080
+ volumeMounts:
+ - name: mise-config
+ mountPath: /app/appsettings.json
+ subPath: appsettings.json
+ readOnly: true
env:
- - name: EnableInboundPolicyFilter
- value: "true"
- - name: AzureAd__Instance
- value: '{{ .Values.audit.adInstance }}'
- - name: AzureAd__ClientId
- value: '{{ .Values.audit.clientId }}'
- - name: AzureAd__TenantId
- value: '{{ .Values.audit.tenantId }}'
- - name: AzureAd__Audience
- value: "{{ .Values.audit.audience }}"
- - name: AzureAd__InboundPolicies__0__Label
- value: "{{ .Values.armPolicy.label }}"
- - name: AzureAd__InboundPolicies__0__Authority
- value: "{{ .Values.armPolicy.authority }}"
- - name: AzureAd__InboundPolicies__0__AuthenticationSchemes__0
- value: "PoP"
- - name: AzureAd__InboundPolicies__0__ValidAudiences__0
- value: '{{ .Values.armPolicy.audience }}'
- - name: AzureAd__InboundPolicies__0__ValidApplicationIds__0
- value: '{{ .Values.armPolicy.applicationId }}'
- - name: AzureAd__InboundPolicies__0__SignedHttpRequestValidationPolicy
- value: '{"ValidateTs" : true, "ValidateM" : true, "ValidateU" : true, "ValidateP" : true }'
- - name: AzureAd__InboundPolicies__1__Label
- value: "{{ .Values.genevaActionsPolicy.label }}"
- - name: AzureAd__InboundPolicies__1__Authority
- value: "{{ .Values.genevaActionsPolicy.authority }}"
- - name: AzureAd__InboundPolicies__1__AuthenticationSchemes__0
- value: "Bearer"
- - name: AzureAd__InboundPolicies__1__ValidAudiences__0
- value: '{{ .Values.genevaActionsPolicy.audience }}'
- - name: AzureAd__InboundPolicies__1__ValidApplicationIds__0
- value: "{{ .Values.genevaActionsPolicy.applicationId }}"
- - name: AzureAd__InboundPolicies__2__Label
- value: "{{ .Values.sessiongatePolicy.label }}"
- - name: AzureAd__InboundPolicies__2__Authority
- value: "{{ .Values.sessiongatePolicy.authority }}"
- - name: AzureAd__InboundPolicies__2__AuthenticationSchemes__0
- value: "Bearer"
- - name: AzureAd__InboundPolicies__2__ValidAudiences__0
-
value: '{{ .Values.sessiongatePolicy.audience }}'
- - name: AllowedHosts
- value: "*"
- - name: Kestrel__Endpoints__Http__Url
- value: "http://0.0.0.0:8080"
- - name: Logging__LogLevel__Default
- value: "Information"
- - name: Logging__LogLevel__Microsoft
- value: "Information"
- - name: AzureAd__Logging__LogLevel
- value: "Information"
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: "{{ .Values.tracing.address }}"
- name: OTEL_TRACES_EXPORTER
value: "{{ .Values.tracing.exporter }}"
+ volumes:
+ - name: mise-config
+ configMap:
+ name: mise-config
diff --git a/istio/deploy/charts/mise/templates/service.yaml b/istio/deploy/charts/mise/templates/service.yaml
index ca233cdee57..5fcc2d7b022 100644
--- a/istio/deploy/charts/mise/templates/service.yaml
+++ b/istio/deploy/charts/mise/templates/service.yaml
@@ -10,16 +10,3 @@ spec:
- protocol: TCP
port: 8080
targetPort: 8080
----
-apiVersion: v1
-kind: Service
-metadata:
- name: misev2
- namespace: '{{ .Values.namespace }}'
-spec:
- selector:
- app: misev2
- ports:
- - protocol: TCP
- port: 8080
- targetPort: 8080
diff --git a/istio/deploy/charts/mise/values.yaml b/istio/deploy/charts/mise/values.yaml
index 0c66bfd3240..474c7d7949f 100644
--- a/istio/deploy/charts/mise/values.yaml
+++ b/istio/deploy/charts/mise/values.yaml
@@ -2,7 +2,6 @@ image:
registry: ""
repository: ""
digest: ""
- digestv2: ""
tracing:
address: ""
exporter: ""
@@ -24,3 +23,7 @@ genevaActionsPolicy:
authority: ""
audience: ""
applicationId: ""
+sessiongatePolicy:
+ label: ""
+ authority: ""
+ audience: ""
diff --git a/istio/deploy/templates/istio-shared-configmap.yml b/istio/deploy/templates/istio-shared-configmap.yml
index b629519b27d..fe2d755811e 100644
--- a/istio/deploy/templates/istio-shared-configmap.yml
+++ b/istio/deploy/templates/istio-shared-configmap.yml
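Review bot: The authentication policy that was previously reviewable on the deployment itself, PoP with `SignedHttpRequestValidationPolicy` (`ValidateTs/M/U/P`), the `ValidApplicationIds` allow-lists for the ARM and Geneva Actions policies, and `EnableInboundPolicyFilter`, now exists only in the `appsettings.json` mounted from `mise-config`, and that ConfigMap's body is not in this diff (the rename hunk reports 99% similarity to the old misev2 file). Before merging, confirm the mounted file still carries the same validators and app-id restrictions, since a gap in the JSON would not be visible from the manifest and would weaken the ext_authz check for every caller. A pointer above the new mount would help the next reader: `# Inbound auth policies (PoP validation, allowed app IDs) are defined in configmap.yaml, not as env vars`. The container spec this hunk edits starts outside the hunk.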
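Review bot: `sessiongatePolicy` is added with `label`, `authority` and `audience` but no `applicationId`, unlike `armPolicy` and `genevaActionsPolicy` directly above it in `values.yaml`. That mirrors the removed env configuration, where policy 2 had a `ValidAudiences` entry but no `ValidApplicationIds`, so it is not a regression, but it does mean the session gate policy appears to rely on audience alone to restrict callers. A comment on the new block stating that this is deliberate would stop a future reader from either "fixing" it or copying the pattern to a policy that does need an app-id allow-list: `# session gate policy is audience-only by design; no caller app-id restriction`.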
@@ -15,13 +15,7 @@ data:
envoyExtAuthzHttp:
service: "mise/mise.mise.svc.cluster.local"
port: "8080"
- includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"]
- pathPrefix: "/v1/EnvoyValidateRequest"
- - name: "ext-authz-misev2"
- envoyExtAuthzHttp:
- service: "mise/misev2.mise.svc.cluster.local"
- port: "8080"
- includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"]
+ includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"]
pathPrefix: "/v1/EnvoyValidateRequest"
{{ end }}
{{ end }}
diff --git a/istio/deploy/templates/mise.serviceentry.yml b/istio/deploy/templates/mise.serviceentry.yml
index 722d7044e06..dc33ccebb03 100644
--- a/istio/deploy/templates/mise.serviceentry.yml
+++ b/istio/deploy/templates/mise.serviceentry.yml
@@ -6,7 +6,6 @@ metadata:
spec:
hosts:
- "mise.mise.svc.cluster.local"
- - "misev2.mise.svc.cluster.local"
endpoints:
- address: "127.0.0.1"
ports:
diff --git a/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml b/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml
index c2ecf855ba9..34abb178a15 100644
--- a/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml
+++ b/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml
@@ -1,9 +1,9 @@
---
-# Source: istio/charts/mise/templates/configmap-misev2.yaml
+# Source: istio/charts/mise/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
- name: misev2-config
+ name: mise-config
namespace: 'mise'
data:
appsettings.json: |-
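Review bot: `mise-inbound-policies-to-filter` is still forwarded to the ext_authz check in the retained `includeRequestHeadersInCheck` line, but the only producer of that header visible in this repo, the VirtualService rule that added `mise-inbound-policies-to-filter: "ARM Policy"` on the v2 route, is removed by this same commit. If MISE uses the header to narrow which inbound policies it evaluates, which the removed v1 `EnableInboundPolicyFilter` setting suggests, then with no trusted setter left the value that reaches MISE is whatever the external caller sent, unless the ingress gateway strips it somewhere not shown here. Either drop it, `includeRequestHeadersInCheck: ["x-ext-authz"]`, or add a comment on this line naming where the header is set and sanitized before it reaches the provider. The `envoyExtAuthzHttp` provider block starts outside the hunk.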
@@ -107,13 +107,7 @@ data: envoyExtAuthzHttp: service: "mise/mise.mise.svc.cluster.local" port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] - pathPrefix: "/v1/EnvoyValidateRequest" - - name: "ext-authz-misev2" - envoyExtAuthzHttp: - service: "mise/misev2.mise.svc.cluster.local" - port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] + includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"] pathPrefix: "/v1/EnvoyValidateRequest" --- # Source: istio/templates/istio-shared-configmap.yml @@ -131,13 +125,7 @@ data: envoyExtAuthzHttp: service: "mise/mise.mise.svc.cluster.local" port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] - pathPrefix: "/v1/EnvoyValidateRequest" - - name: "ext-authz-misev2" - envoyExtAuthzHttp: - service: "mise/misev2.mise.svc.cluster.local" - port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] + includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"] pathPrefix: "/v1/EnvoyValidateRequest" --- # Source: istio/charts/mise/templates/service.yaml 
@@ -154,79 +142,6 @@ spec: port: 8080 targetPort: 8080 --- -# Source: istio/charts/mise/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: misev2 - namespace: 'mise' -spec: - selector: - app: misev2 - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 ---- -# Source: istio/charts/mise/templates/deployment-misev2.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: misev2 - namespace: 'mise' -spec: - replicas: 2 - selector: - matchLabels: - app: misev2 - template: - metadata: - annotations: - checksum/config: 6ca24e11919f439f8a291fb3f3134d1383ab16a6987b7c8b6aa3c20ec2a6e8ea - labels: - app: misev2 - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: 'topology.kubernetes.io/zone' - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: misev2 - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: misev2 - containers: - - name: misev2 - image: "arohcpsvcdev.azurecr.io/mise-1p-container-image@sha256:1234567890" - ports: - - containerPort: 8080 - livenessProbe: - httpGet: - path: /healthz - port: 8080 - readinessProbe: - httpGet: - path: /readyz - port: 8080 - volumeMounts: - - name: misev2-config - mountPath: /app/appsettings.json - subPath: appsettings.json - readOnly: true - env: - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "" - - name: OTEL_TRACES_EXPORTER - value: "" - volumes: - - name: misev2-config - configMap: - name: misev2-config ---- # Source: istio/charts/mise/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment @@ -240,6 +155,8 @@ spec: app: mise template: metadata: + annotations: + checksum/config: 878706b0364a1ad5f4baea54aaf81e19e2222e4c44c97f853f1cac09fad6ac70 labels: app: mise spec: 
@@ -269,61 +186,20 @@ spec: httpGet: path: /readyz port: 8080 + volumeMounts: + - name: mise-config + mountPath: /app/appsettings.json + subPath: appsettings.json + readOnly: true env: - - name: EnableInboundPolicyFilter - value: "true" - - name: AzureAd__Instance - value: 'https://login.microsoftonline.com/' - - name: AzureAd__ClientId - value: 'b3cb2fab-15cb-4583-ad06-f91da9bfe2d1' - - name: AzureAd__TenantId - value: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' - - name: AzureAd__Audience - value: "api://b3cb2fab-15cb-4583-ad06-f91da9bfe2d1" - - name: AzureAd__InboundPolicies__0__Label - value: "ARM Policy" - - name: AzureAd__InboundPolicies__0__Authority - value: "https://login.microsoftonline.com/33e01921-4d64-4f8c-a055-5bdaffd5e33d" - - name: AzureAd__InboundPolicies__0__AuthenticationSchemes__0 - value: "PoP" - - name: AzureAd__InboundPolicies__0__ValidAudiences__0 - value: 'https://management.azure.com' - - name: AzureAd__InboundPolicies__0__ValidApplicationIds__0 - value: 'e2c2ff5c-e5b4-4e79-8c3e-1da8c48461e7' - - name: AzureAd__InboundPolicies__0__SignedHttpRequestValidationPolicy - value: '{"ValidateTs" : true, "ValidateM" : true, "ValidateU" : true, "ValidateP" : true }' - - name: AzureAd__InboundPolicies__1__Label - value: "Geneva Actions" - - name: AzureAd__InboundPolicies__1__Authority - value: "https://sts.windows.net/__tenantId__/" - - name: AzureAd__InboundPolicies__1__AuthenticationSchemes__0 - value: "Bearer" - - name: AzureAd__InboundPolicies__1__ValidAudiences__0 - value: 'https://management.azure.com' - - name: AzureAd__InboundPolicies__1__ValidApplicationIds__0 - value: "__genevaActionsAppId__" - - name: AzureAd__InboundPolicies__2__Label - value: "Session Gate" - - name: AzureAd__InboundPolicies__2__Authority - value: "https://sts.windows.net/__tenantId__" - - name: AzureAd__InboundPolicies__2__AuthenticationSchemes__0 - value: "Bearer" - - name: AzureAd__InboundPolicies__2__ValidAudiences__0 - value: '6dae42f8-4368-4678-94ff-3960e28e3630' - - 
name: AllowedHosts - value: "*" - - name: Kestrel__Endpoints__Http__Url - value: "http://0.0.0.0:8080" - - name: Logging__LogLevel__Default - value: "Information" - - name: Logging__LogLevel__Microsoft - value: "Information" - - name: AzureAd__Logging__LogLevel - value: "Information" - name: OTEL_EXPORTER_OTLP_ENDPOINT value: "" - name: OTEL_TRACES_EXPORTER value: "" + volumes: + - name: mise-config + configMap: + name: mise-config --- # Source: istio/templates/ops-ingress.gateway.yaml apiVersion: gateway.networking.k8s.io/v1 @@ -405,7 +281,6 @@ metadata: spec: hosts: - "mise.mise.svc.cluster.local" - - "misev2.mise.svc.cluster.local" endpoints: - address: "127.0.0.1" ports: diff --git a/istio/values.yaml b/istio/values.yaml index f28d95e485a..9483d6debe6 100644 --- a/istio/values.yaml +++ b/istio/values.yaml @@ -15,8 +15,7 @@ mise: image: registry: "{{ .acr.svc.name }}.azurecr.io" repository: "{{ .mise.image.repository }}" - digest: "{{ .mise.image.digest }}" - digestv2: "{{ .mise.imageV2.digest }}" + digest: "{{ .mise.imageV2.digest }}" audit: adInstance: "https://{{ .mise.arm.authorityFQDN }}/" clientId: "{{ .firstPartyAppClientId }}" diff --git a/test/e2e/mise_routing.go b/test/e2e/mise_routing.go deleted file mode 100644 index 37004143d88..00000000000 --- a/test/e2e/mise_routing.go +++ /dev/null 
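Review bot: The sole remaining digest is still read from `.mise.imageV2.digest`, so a config key keeps the v1/v2 naming that the rest of this commit removes; the config schema that defines `imageV2` is not in this diff, so I cannot tell whether it was renamed upstream. Either rename the source key to `.mise.image.digest` in the same change, or add a comment on this line so the next reader does not assume a v1 image still exists: `# imageV2 is the only MISE image after the v1 removal; key name retained for config compatibility`. The enclosing `mise:` block starts outside the hunk.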
@@ -1,94 +0,0 @@
-// Copyright 2025 Microsoft Corporation
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package e2e
-
-import (
- "context"
- "net/http"
-
- . "github.com/onsi/ginkgo/v2"
- . "github.com/onsi/gomega"
-
- "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
-
- "github.com/Azure/ARO-HCP/test/util/framework"
- "github.com/Azure/ARO-HCP/test/util/labels"
-)
-
-// miseV2HeaderPolicy injects the x-ms-mise-version: v2 request header
-// so that the Istio VirtualService routes to the MISE v2 frontend.
-type miseV2HeaderPolicy struct {
- version string
-}
-
-func (p *miseV2HeaderPolicy) Do(req *policy.Request) (*http.Response, error) {
- req.Raw().Header.Set("x-ms-mise-version", p.version)
- return req.Next()
-}
-
-// miseVersionCapture captures the x-ms-served-by response header set by the
-// VirtualService to verify which MISE version handled the request.
-type miseVersionCapture struct {
- version string
-}
-
-func (p *miseVersionCapture) Do(req *policy.Request) (*http.Response, error) {
- resp, err := req.Next()
- if resp != nil {
- p.version = resp.Header.Get("x-ms-served-by")
- }
- return resp, err
-}
-
-// Tests the VirtualService routes to the correct frontend instance based on request headers.
-// In INT and above, this exercises MISE-backed routing. In dev/prow environments, the same
-// VirtualService is deployed but fronts non-MISE frontend instances.
PR checks connect
-// through the Istio ingress gateway (not port-forwarded), so the VirtualService routing
-// rules are always evaluated.
-var _ = Describe("MISE Routing", func() {
- defer GinkgoRecover()
-
- DescribeTable("routes to the correct frontend based on version header",
- labels.RequireNothing,
- labels.AroRpApiCompatible,
- labels.Low,
- labels.Positive,
- func(ctx context.Context, rgPrefix string, miseVersionHeader string, expectedVersion string) {
- tc := framework.NewTestContext()
-
- By("Creating resource group")
- rg, err := tc.NewResourceGroup(ctx, rgPrefix, tc.Location())
- Expect(err).NotTo(HaveOccurred())
-
- By("Building client factory")
- capture := &miseVersionCapture{}
- policies := []policy.Policy{capture}
- if miseVersionHeader != "" {
- policies = append([]policy.Policy{&miseV2HeaderPolicy{version: miseVersionHeader}}, policies...)
- }
- clientFactory, err := tc.Get20251223ClientFactoryWithPolicies(ctx, policies...)
- Expect(err).NotTo(HaveOccurred())
-
- By("Listing clusters")
- pager := clientFactory.NewHcpOpenShiftClustersClient().NewListByResourceGroupPager(*rg.Name, nil)
- _, err = pager.NextPage(ctx)
- Expect(err).NotTo(HaveOccurred())
-
- Expect(capture.version).To(Equal(expectedVersion))
- },
- Entry("MISE v2 when x-ms-mise-version header is set", "mise-v2-smoke", "v2", "v2"),
- Entry("default route returns no version header", "mise-default-smoke", "", ""),
- )
-})
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt
index 57e05f8b549..c23a6fa0623 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt
@@ -57,8 +57,6 @@ Customer should be able to lifecycle and confirm external auth on a cluster Customer should be able to create an HCP cluster and manage ImageDigestMirrors Customer should be able to create an HCP cluster with Image Registry not present Engineering should be able to retrieve kusto logs for a cluster and services -MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set -MISE Routing routes to the correct frontend based on version header default route returns no version header Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits Nodepool Ephemeral OS Disk should create a nodepool with ephemeral OS disk when autoRepair is enabled Customer should be able to update node pool labels and taints diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt index 378bdbc834d..5456d43e703 100644 --- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt +++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt 
@@ -58,8 +58,6 @@ Customer should be able to lifecycle and confirm external auth on a cluster HCP Nodepools GPU instances creates and deletes vm type NC4asT4v3 in a single cluster Customer should be able to create an HCP cluster and manage ImageDigestMirrors Customer should be able to create an HCP cluster with Image Registry not present -MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set -MISE Routing routes to the correct frontend based on version header default route returns no version header Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits Customer should respect cluster-wide node limits with nodepool autoscaling Nodepool Ephemeral OS Disk should create a nodepool with ephemeral OS disk when autoRepair is enabled diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt index 6b96a5fc8e9..127d3193de7 100644 --- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt +++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt 
@@ -57,8 +57,6 @@ Customer should be able to create a cluster with an external auth config and get Customer should be able to lifecycle and confirm external auth on a cluster Customer should be able to create an HCP cluster and manage ImageDigestMirrors Customer should be able to create an HCP cluster with Image Registry not present -MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set -MISE Routing routes to the correct frontend based on version header default route returns no version header Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits Customer should respect cluster-wide node limits with nodepool autoscaling Nodepool Ephemeral OS Disk should create a nodepool with ephemeral OS disk when autoRepair is enabled diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt index 620ccb954ea..e4f8295d9fd 100644 --- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt +++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt 
@@ -59,8 +59,6 @@ Customer should be able to lifecycle and confirm external auth on a cluster Customer should be able to create an HCP cluster and manage ImageDigestMirrors Customer should be able to create an HCP cluster with Image Registry not present Engineering should be able to retrieve kusto logs for a cluster and services -MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set -MISE Routing routes to the correct frontend based on version header default route returns no version header Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits Customer should respect cluster-wide node limits with nodepool autoscaling Nodepool Ephemeral OS Disk should create a nodepool with ephemeral OS disk when autoRepair is enabled diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt index 4c319f85f2a..4424b143643 100644 --- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt +++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt 
@@ -54,8 +54,6 @@ Customer should be able to create a cluster with an external auth config and get Customer should be able to lifecycle and confirm external auth on a cluster Customer should be able to create an HCP cluster and manage ImageDigestMirrors Customer should be able to create an HCP cluster with Image Registry not present -MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set -MISE Routing routes to the correct frontend based on version header default route returns no version header Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits Customer should respect cluster-wide node limits with nodepool autoscaling Nodepool Ephemeral OS Disk should create a nodepool with ephemeral OS disk when autoRepair is enabled diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt index 6b96a5fc8e9..127d3193de7 100644 --- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt +++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt 
@@ -57,8 +57,6 @@ Customer should be able to create a cluster with an external auth config and get Customer should be able to lifecycle and confirm external auth on a cluster Customer should be able to create an HCP cluster and manage ImageDigestMirrors Customer should be able to create an HCP cluster with Image Registry not present -MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set -MISE Routing routes to the correct frontend based on version header default route returns no version header Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits Customer should respect cluster-wide node limits with nodepool autoscaling Nodepool Ephemeral OS Disk should create a nodepool with ephemeral OS disk when autoRepair is enabled diff --git a/test/util/framework/per_test_framework.go b/test/util/framework/per_test_framework.go index 410034315cc..5328b8d1230 100644 --- a/test/util/framework/per_test_framework.go +++ b/test/util/framework/per_test_framework.go @@ -43,7 +43,6 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore/log" - "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources" 
@@ -963,28 +962,6 @@ func (tc *perItOrDescribeTestContext) getGraphClientUnlocked(ctx context.Context
return graphutil.NewClient(ctx, creds)
}
-// Get20251223ClientFactoryWithPolicies creates a v20251223preview client factory
-// with the given additional per-call policies appended to the base options.
-// Unlike Get20251223ClientFactory, the result is not cached since policies vary per call.
-func (tc *perItOrDescribeTestContext) Get20251223ClientFactoryWithPolicies(ctx context.Context, policies ...policy.Policy) (*hcpsdk20251223preview.ClientFactory, error) {
- creds, err := tc.perBinaryInvocationTestContext.getAzureCredentials()
- if err != nil {
- return nil, err
- }
-
- tc.contextLock.Lock()
- subscriptionID, err := tc.getSubscriptionIDUnlocked(ctx)
- tc.contextLock.Unlock()
- if err != nil {
- return nil, err
- }
-
- opts := tc.perBinaryInvocationTestContext.getHCPClientFactoryOptions()
- opts.PerCallPolicies = append(opts.PerCallPolicies, policies...)
-
- return hcpsdk20251223preview.NewClientFactory(subscriptionID, creds, opts)
-}
-
func (tc *perItOrDescribeTestContext) Location() string {
return tc.perBinaryInvocationTestContext.Location()
}