Cut over to MISE v2 as sole ext_authz provider#5411
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: tony-schndr. Needs approval from an approver in each of these files.
/hold
Pull request overview
This PR removes the parallel “frontend v2 + MISE v2” stack and header-based routing, making the (formerly “v2”) JSON-configured MISE deployment the sole ext_authz provider. It also deletes the E2E routing test and updates Helm/template fixtures accordingly.
Changes:
- Removes dual-frontend (aro-hcp-frontend-v2) + ext-authz-misev2 + VirtualService header routing.
- Converts the remaining MISE deployment to ConfigMap (JSON appsettings.json) configuration and removes the separate misev2 workload.
- Removes the MISE routing E2E test and updates suite-list fixtures.
Reviewed changes
Copilot reviewed 32 out of 32 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| test/util/framework/per_test_framework.go | Removes per-call policy client-factory helper used by the deleted MISE routing test. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt | Removes “MISE Routing” entries from suite listing fixture. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt | Removes “MISE Routing” entries from suite listing fixture. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt | Removes “MISE Routing” entries from suite listing fixture. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt | Removes “MISE Routing” entries from suite listing fixture. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt | Removes “MISE Routing” entries from suite listing fixture. |
| test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt | Removes “MISE Routing” entries from suite listing fixture. |
| test/e2e/mise_routing.go | Deletes MISE header-routing E2E test. |
| istio/values.yaml | Switches MISE image digest to v2 key (now sole provider). |
| istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml | Updates rendered fixtures: drops misev2 workload/provider and switches MISE to ConfigMap mount. |
| istio/deploy/templates/mise.serviceentry.yml | Removes ServiceEntry host for misev2. |
| istio/deploy/templates/istio-shared-configmap.yml | Removes ext-authz-misev2 provider and header forwarding for version-routing. |
| istio/deploy/charts/mise/values.yaml | Removes digestv2; adds sessiongate policy values for JSON config. |
| istio/deploy/charts/mise/templates/service.yaml | Removes misev2 Service. |
| istio/deploy/charts/mise/templates/deployment.yaml | Switches mise Deployment to mount JSON config; adds config checksum annotation. |
| istio/deploy/charts/mise/templates/deployment-misev2.yaml | Deletes misev2 Deployment template. |
| istio/deploy/charts/mise/templates/configmap.yaml | Renames ConfigMap to mise-config (v2 JSON config). |
| frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml | Updates frontend rendered fixture removing v2 artifacts and routing match. |
| frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml | Updates frontend rendered fixture removing v2 artifacts and routing match. |
| frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml | Updates frontend rendered fixture removing v2 artifacts and routing match. |
| frontend/deploy/templates/peerauthentication.yaml | Removes PeerAuthentication for the deleted frontend-v2 metrics port. |
| frontend/deploy/templates/frontend.virtualservice.yaml | Removes header-based route to frontend-v2. |
| frontend/deploy/templates/frontend.deployment.yaml | Inlines deployment manifest (replacing helper-based templating). |
| frontend/deploy/templates/frontend-v2.service.yaml | Deletes frontend-v2 Service template. |
| frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml | Deletes frontend-v2 PDB template. |
| frontend/deploy/templates/frontend-v2.deployment.yaml | Deletes frontend-v2 Deployment template. |
| frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml | Deletes ext-authz policy binding for frontend-v2. |
| frontend/deploy/templates/_helpers.tpl | Deletes helper template previously used to generate both frontend deployments. |
| docs/mise.md | Removes now-obsolete documentation for dual-frontend/v1-v2 routing. |
| dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml | Updates Istio rendered fixture to remove ext-authz-misev2 and misev2 host. |
| .yamllint.yml | Drops ignore entry for the removed ext-authz-misev2 template. |
| .yamlfmt.yaml | Drops exclude entry for the removed frontend-v2 deployment template. |
| - name: aro-hcp-frontend | ||
| image: '{{ .Values.deployment.imageName }}' | ||
| imagePullPolicy: Always | ||
| args: ["--clusters-service-url", "http://clusters-service.{{ .Values.clustersService.namespace }}.svc.cluster.local:8000", "--exit-on-panic={{ .Values.exitOnPanic }}"] |
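Review bot: the `--exit-on-panic={{ .Values.exitOnPanic }}` argument in the `args` line renders as a bare `--exit-on-panic=` when the value is unset, which a boolean flag parser will reject at startup; guard it with a default (`{{ .Values.exitOnPanic | default false }}`) or `required`, and consider a block-style list for `args` so future flag changes diff line by line.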
e95371a to b0cf8b7
b0cf8b7 to 82ed184
Remove MISE v1 deployment and dual-frontend routing infrastructure. Consolidate on a single MISE v2 deployment under the existing ext-authz provider name so admin and sessiongate AuthorizationPolicies require no changes. Revert frontend from templated dual-deployment back to a single inline deployment. Remove header-based traffic splitting (x-ms-mise-version), split routing e2e tests, and associated framework code.
82ed184 to 0abae14
| creds, err := tc.perBinaryInvocationTestContext.getAzureCredentials() | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return graphutil.NewClient(ctx, creds) | ||
| } | ||
|
|
||
| // Get20251223ClientFactoryWithPolicies creates a v20251223preview client factory | ||
| // with the given additional per-call policies appended to the base options. | ||
| // Unlike Get20251223ClientFactory, the result is not cached since policies vary per call. | ||
| func (tc *perItOrDescribeTestContext) Get20251223ClientFactoryWithPolicies(ctx context.Context, policies ...policy.Policy) (*hcpsdk20251223preview.ClientFactory, error) { | ||
| creds, err := tc.perBinaryInvocationTestContext.getAzureCredentials() | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| tc.contextLock.Lock() | ||
| subscriptionID, err := tc.getSubscriptionIDUnlocked(ctx) | ||
| tc.contextLock.Unlock() | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| opts := tc.perBinaryInvocationTestContext.getHCPClientFactoryOptions() | ||
| opts.PerCallPolicies = append(opts.PerCallPolicies, policies...) | ||
|
|
||
| return hcpsdk20251223preview.NewClientFactory(subscriptionID, creds, opts) | ||
| } | ||
|
|
||
| func (tc *perItOrDescribeTestContext) Location() string { | ||
| return tc.perBinaryInvocationTestContext.Location() |
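Review bot: in the removed Get20251223ClientFactoryWithPolicies, `opts.PerCallPolicies = append(opts.PerCallPolicies, policies...)` appends onto whatever slice getHCPClientFactoryOptions hands back, so if that slice has spare capacity the per-call policies are written into a backing array shared with the cached factory's options. Deleting the helper together with its only caller (the MISE routing test, per the file summary) makes this moot, but if it is ever reintroduced, copy first: `append(append([]policy.Policy(nil), opts.PerCallPolicies...), policies...)`.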
| Customer should be able to create a cluster with an external auth config and get the external auth config | ||
| Customer should be able to lifecycle and confirm external auth on a cluster | ||
| Customer should be able to create an HCP cluster and manage ImageDigestMirrors | ||
| Customer should be able to create an HCP cluster with Image Registry not present | ||
| MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set | ||
| MISE Routing routes to the correct frontend based on version header default route returns no version header | ||
| Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits | ||
| Customer should respect cluster-wide node limits with nodepool autoscaling |
| Customer should be able to create a cluster with an external auth config and get the external auth config | ||
| Customer should be able to lifecycle and confirm external auth on a cluster | ||
| Customer should be able to create an HCP cluster and manage ImageDigestMirrors | ||
| Customer should be able to create an HCP cluster with Image Registry not present | ||
| MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set | ||
| MISE Routing routes to the correct frontend based on version header default route returns no version header | ||
| Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits | ||
| Customer should respect cluster-wide node limits with nodepool autoscaling |
| Customer should be able to create a cluster with an external auth config and get the external auth config | ||
| Customer should be able to lifecycle and confirm external auth on a cluster | ||
| Customer should be able to create an HCP cluster and manage ImageDigestMirrors | ||
| Customer should be able to create an HCP cluster with Image Registry not present | ||
| Image Registry Policy should deny pods with images from disallowed registries | ||
| Image Registry Policy should allow pods with images from allowed registries and have a valid allowlist | ||
| Engineering should be able to retrieve kusto logs for a cluster and services | ||
| MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set | ||
| MISE Routing routes to the correct frontend based on version header default route returns no version header | ||
| Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits | ||
| Customer should respect cluster-wide node limits with nodepool autoscaling |
| Customer should be able to create a cluster with an external auth config and get the external auth config | ||
| Customer should be able to lifecycle and confirm external auth on a cluster | ||
| Customer should be able to create an HCP cluster and manage ImageDigestMirrors | ||
| Customer should be able to create an HCP cluster with Image Registry not present | ||
| MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set | ||
| MISE Routing routes to the correct frontend based on version header default route returns no version header | ||
| Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits | ||
| Customer should respect cluster-wide node limits with nodepool autoscaling |
| Customer should be able to create a cluster with an external auth config and get the external auth config | ||
| Customer should be able to lifecycle and confirm external auth on a cluster | ||
| HCP Nodepools GPU instances creates and deletes vm type NC4asT4v3 in a single cluster | ||
| Customer should be able to create an HCP cluster and manage ImageDigestMirrors | ||
| Customer should be able to create an HCP cluster with Image Registry not present | ||
| MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set | ||
| MISE Routing routes to the correct frontend based on version header default route returns no version header | ||
| Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits | ||
| Customer should respect cluster-wide node limits with nodepool autoscaling |
| Engineering should be able to retrieve expected metrics from the /metrics endpoint | ||
| Customer should be able to create a cluster with an external auth config and get the external auth config | ||
| Customer should be able to lifecycle and confirm external auth on a cluster | ||
| Customer should be able to create an HCP cluster and manage ImageDigestMirrors | ||
| Customer should be able to create an HCP cluster with Image Registry not present | ||
| Engineering should be able to retrieve kusto logs for a cluster and services | ||
| MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set | ||
| MISE Routing routes to the correct frontend based on version header default route returns no version header | ||
| Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits | ||
| Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool |
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| labels: | ||
| app: aro-hcp-frontend |
@tony-schndr: The following tests failed, say
Fixes ARO-26219
What
Removes the dual-frontend deployment pattern and makes MISE v2 the sole ext-authz provider. The existing mise deployment is converted in-place from env-var-based (v1) configuration to JSON ConfigMap-based (v2) configuration.
Why
MISE v2 has been validated alongside v1 via header-based routing. The dual-frontend scaffolding (aro-hcp-frontend-v2, ext-authz-misev2, VirtualService routing) is no longer needed.
Testing
Existing helm template fixture tests cover the updated manifests. Test suite list fixtures regenerated to reflect the removed MISE routing e2e test.
Special notes for your reviewer
Do not merge until #4886 is validated in production.
🤖 Generated with Claude Code