diff --git a/.yamlfmt.yaml b/.yamlfmt.yaml
index 258395ef720..a250681bea1 100644
--- a/.yamlfmt.yaml
+++ b/.yamlfmt.yaml
@@ -3,7 +3,6 @@ match_type: doublestar
exclude:
- '**/zz_fixture_*.yaml'
- 'frontend/deploy/templates/frontend.deployment.yaml'
-- 'frontend/deploy/templates/frontend-v2.deployment.yaml'
- 'image-registry-policy/values.yaml'
- 'image-registry-policy/deploy/templates/validatingadmissionpolicybinding.yaml'
formatter:
diff --git a/.yamllint.yml b/.yamllint.yml
index 8c4cfb1f3be..de309593639 100644
--- a/.yamllint.yml
+++ b/.yamllint.yml
@@ -7,7 +7,6 @@ ignore:
- 'admin/deploy/templates/ext-authz.authorizationpolicy.yaml'
- 'admin/deploy/templates/admin.deployment.yaml'
- 'frontend/deploy/templates/ext-authz.authorizationpolicy.yaml'
-- 'frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml'
- 'frontend/deploy/templates/allow-ingress.authorizationpolicy.yaml'
- 'frontend/deploy/templates/frontend.deployment.yaml'
- 'istio/deploy/templates/istio-shared-configmap.yml'
diff --git a/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml b/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml
index 5bee5871dce..5f4d26cb54d 100644
--- a/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml
+++ b/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml
@@ -14,13 +14,7 @@ data:
envoyExtAuthzHttp:
service: "mise/mise.mise.svc.cluster.local"
port: "8080"
- includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"]
- pathPrefix: "/v1/EnvoyValidateRequest"
- - name: "ext-authz-misev2"
- envoyExtAuthzHttp:
- service: "mise/misev2.mise.svc.cluster.local"
- port: "8080"
- includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"]
+ includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"]
pathPrefix: "/v1/EnvoyValidateRequest"
---
# Source: istio/templates/ops-ingress.gateway.yaml
@@ -103,7 +97,6 @@ metadata:
spec:
hosts:
- "mise.mise.svc.cluster.local"
- - "misev2.mise.svc.cluster.local"
endpoints:
- address: "127.0.0.1"
ports:
diff --git a/docs/mise.md b/docs/mise.md
index 20f286710f2..9433215bda9 100644
--- a/docs/mise.md
+++ b/docs/mise.md
@@ -32,35 +32,3 @@ Microsoft Identity Service Essentials (MISE) is an internal Microsoft service pr
- Istio enforces the decision (forward or reject).
Note: This retrofit ensures that Geneva Action traffic is consistently validated through the same MISE-based framework, providing a unified security model for both ARM and Geneva-originated requests.
-# MISE v2 Deployment
-
-MISE v2 is deployed alongside v1 as a separate workload in the `mise` namespace. It uses a JSON-based configuration (via ConfigMap) instead of the environment-variable-based configuration used by v1.
-
-## Dual Frontend Routing
-
-Because Istio limits each workload to a single ext-authz provider, and because ext-authz calls bypass VirtualService routing entirely, header-based routing between MISE versions is achieved by running two separate frontend workloads, each with its own AuthorizationPolicy.
-
-```mermaid
-graph TB
- Client[Client Request] --> Gateway[Istio Ingress Gateway]
- Gateway --> VS{VirtualService
x-ms-mise-version?}
-
- VS -->|"v2"| FEv2[aro-hcp-frontend-v2]
- VS -->|default| FEv1[aro-hcp-frontend]
-
- FEv2 -->|"ext-authz-misev2
provider"| MISEv2["misev2.mise
(MISE v2)"]
- FEv1 -->|"ext-authz
provider"| MISEv1["mise.mise
(MISE v1)"]
-```
-
-### Components
-
-- **Two ext-authz providers** defined in the Istio mesh config (`istio-shared-configmap`):
- - `ext-authz` → `mise.mise.svc.cluster.local:8080`
- - `ext-authz-misev2` → `misev2.mise.svc.cluster.local:8080`
-- **Two frontend Deployments and Services**: `aro-hcp-frontend` and `aro-hcp-frontend-v2`, identical except for which ext-authz provider their AuthorizationPolicy references
-- **VirtualService on the ingress gateway**: routes requests with `x-ms-mise-version: v2` header to `aro-hcp-frontend-v2`, all other traffic to `aro-hcp-frontend`
-- **Shared label** `app.kubernetes.io/part-of: aro-hcp-frontend` on both frontend deployments, used by policies that apply to both (metrics, admin access)
-
-### Why Not VirtualService-Based Routing at the MISE Layer
-
-Istio ext-authz calls bypass VirtualService routing. The Envoy `envoyExtAuthzHttp` filter connects directly to the service cluster endpoints, not through the HTTP routing pipeline. This means a VirtualService on `mise.mise.svc.cluster.local` cannot split ext-authz traffic by header — the split must happen upstream by routing to different frontend workloads, each bound to its own ext-authz provider.
diff --git a/frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml b/frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml
deleted file mode 100644
index e9e878d7fe4..00000000000
--- a/frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if eq .Values.mise.deploy true }}
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: ext-authz-misev2
- namespace: '{{ .Release.Namespace }}'
-spec:
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
- action: CUSTOM
- provider:
- name: ext-authz-misev2
- rules:
- - to:
- - operation:
- paths: ["/*"]
- notPaths: ["/metrics"]
-{{- end }}
diff --git a/frontend/deploy/templates/frontend-v2.deployment.yaml b/frontend/deploy/templates/frontend-v2.deployment.yaml
deleted file mode 100644
index e2cef55bf3a..00000000000
--- a/frontend/deploy/templates/frontend-v2.deployment.yaml
+++ /dev/null
@@ -1 +0,0 @@
-{{ include "frontend.deployment" (dict "appName" "aro-hcp-frontend-v2" "Values" .Values "Release" .Release) }}
diff --git a/frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml b/frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml
deleted file mode 100644
index 228afb45a81..00000000000
--- a/frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: aro-hcp-frontend-v2
- namespace: '{{ .Release.Namespace }}'
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
diff --git a/frontend/deploy/templates/frontend-v2.service.yaml b/frontend/deploy/templates/frontend-v2.service.yaml
deleted file mode 100644
index cfc7a9efcff..00000000000
--- a/frontend/deploy/templates/frontend-v2.service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app: aro-hcp-frontend-v2
- name: aro-hcp-frontend-v2
- namespace: '{{ .Release.Namespace }}'
-spec:
- ports:
- - port: 8443
- protocol: TCP
- targetPort: 8443
- selector:
- app: aro-hcp-frontend-v2
- type: ClusterIP
diff --git a/frontend/deploy/templates/frontend.deployment.yaml b/frontend/deploy/templates/frontend.deployment.yaml
index e79af7fc407..cd9a879e409 100644
--- a/frontend/deploy/templates/frontend.deployment.yaml
+++ b/frontend/deploy/templates/frontend.deployment.yaml
@@ -1 +1,125 @@
-{{ include "frontend.deployment" (dict "appName" "aro-hcp-frontend" "Values" .Values "Release" .Release) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: aro-hcp-frontend
+ name: aro-hcp-frontend
+ namespace: '{{ .Release.Namespace }}'
+spec:
+ progressDeadlineSeconds: 600
+ replicas: {{ .Values.deployment.replicas }}
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: aro-hcp-frontend
+ strategy:
+ rollingUpdate:
+ maxSurge: 50%
+ maxUnavailable: 50%
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: aro-hcp-frontend
+ app.kubernetes.io/part-of: aro-hcp-frontend
+ azure.workload.identity/use: "true"
+ spec:
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: '{{ if eq (int .Values.deployment.zoneCount) 0 }}kubernetes.azure.com/agentpool{{ else }}topology.kubernetes.io/zone{{ end }}'
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app: aro-hcp-frontend
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app: aro-hcp-frontend
+ serviceAccountName: '{{ .Values.serviceAccount.name }}'
+ containers:
+ - name: aro-hcp-frontend
+ image: '{{ .Values.deployment.imageName }}'
+ imagePullPolicy: Always
+ args: ["--clusters-service-url", "http://clusters-service.{{ .Values.clustersService.namespace }}.svc.cluster.local:8000", "--exit-on-panic={{ .Values.exitOnPanic }}", "--log-verbosity={{ .Values.logVerbosity }}"]
+ env:
+ - name: DB_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: frontend-config
+ key: DB_NAME
+ - name: DB_URL
+ valueFrom:
+ configMapKeyRef:
+ name: frontend-config
+ key: DB_URL
+ - name: LOCATION
+ valueFrom:
+ configMapKeyRef:
+ name: frontend-config
+ key: LOCATION
+ - name: OTEL_EXPORTER_OTLP_ENDPOINT
+ value: "{{ .Values.tracing.address }}"
+ - name: OTEL_TRACES_EXPORTER
+ value: "{{ .Values.tracing.exporter }}"
+ - name: AUDIT_CONNECT_SOCKET
+ value: "{{ .Values.audit.connectSocket }}"
+ - name: AZURE_TOKEN_CREDENTIALS
+ value: "WorkloadIdentityCredential"
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ - containerPort: 8081
+ protocol: TCP
+ resources:
+ requests:
+ cpu: {{ .Values.deployment.resources.requests.cpu }}
+ memory: {{ .Values.deployment.resources.requests.memory }}
+{{- if ne .Values.deployment.resources.limits.memory "unlimited" }}
+ limits:
+ memory: {{ .Values.deployment.resources.limits.memory }}
+{{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ {{- if .Values.audit.connectSocket }}
+ volumeMounts:
+ - name: mdsd-asa-run-vol
+ mountPath: /var/run/mdsd
+ {{- end }}
+ startupProbe:
+ httpGet:
+ path: /healthz
+ port: 8443
+ periodSeconds: 10
+ failureThreshold: 30
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8443
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8443
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ {{- if .Values.audit.connectSocket }}
+ volumes:
+ - name: mdsd-asa-run-vol
+ hostPath:
+ path: /var/run/mdsd
+ type: Directory
+ {{- end }}
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 30
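Review bot: The inlined container securityContext (allowPrivilegeEscalation false, capabilities drop ALL, runAsNonRoot, RuntimeDefault seccomp) does not set `readOnlyRootFilesystem`, so the frontend container keeps a writable root filesystem; if the service writes nothing outside the mounted `/var/run/mdsd` socket directory, add `readOnlyRootFilesystem: true` under `securityContext` (an `emptyDir` can cover any scratch path it turns out to need). The shared template this file previously included rendered the same securityContext, so this is a pre-existing gap rather than a regression, but the inlined manifest is now the only copy and the natural place to close it. With this file no longer calling `include "frontend.deployment"` and the v2 deployment deleted, the named template appears to have lost its last consumer; if it is still defined in the chart's helpers (not visible in this diff), it is dead code that should be removed in the same change. The `hostPath` mount of `/var/run/mdsd` remains gated on `.Values.audit.connectSocket`, which keeps that host-filesystem exposure opt-in.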
diff --git a/frontend/deploy/templates/frontend.virtualservice.yaml b/frontend/deploy/templates/frontend.virtualservice.yaml
index ee5d8fb77a5..649a9f5d586 100644
--- a/frontend/deploy/templates/frontend.virtualservice.yaml
+++ b/frontend/deploy/templates/frontend.virtualservice.yaml
@@ -9,24 +9,6 @@ spec:
gateways:
- aks-istio-ingress/aro-hcp-gateway-external
http:
- - match:
- - headers:
- x-ms-mise-version:
- exact: "v2"
- uri:
- regex: '.+'
- headers:
- request:
- add:
- mise-inbound-policies-to-filter: "{{ .Values.mise.policyLabel }}"
- response:
- add:
- x-ms-served-by: "v2"
- route:
- - destination:
- host: aro-hcp-frontend-v2
- port:
- number: 8443
- match:
- uri:
regex: '.+'
diff --git a/frontend/deploy/templates/peerauthentication.yaml b/frontend/deploy/templates/peerauthentication.yaml
index db035b6cadb..9911b719a00 100644
--- a/frontend/deploy/templates/peerauthentication.yaml
+++ b/frontend/deploy/templates/peerauthentication.yaml
@@ -10,16 +10,3 @@ spec:
portLevelMtls:
8081:
mode: PERMISSIVE
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: aro-hcp-frontend-v2-metrics
- namespace: '{{ .Release.Namespace }}'
-spec:
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
- portLevelMtls:
- 8081:
- mode: PERMISSIVE
diff --git a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml
index 1356bffac83..fb5de9d5ad7 100644
--- a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml
+++ b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml
@@ -1,16 +1,4 @@
---
-# Source: frontend/templates/frontend-v2.poddisruptionbudget.yaml
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: aro-hcp-frontend-v2
- namespace: 'aro-hcp'
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
----
# Source: frontend/templates/frontend.poddisruptionbudget.yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
@@ -45,23 +33,6 @@ data:
FRONTEND_MI_CLIENT_ID: '__frontendMsiClientId__'
LOCATION: 'westus3'
---
-# Source: frontend/templates/frontend-v2.service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app: aro-hcp-frontend-v2
- name: aro-hcp-frontend-v2
- namespace: 'aro-hcp'
-spec:
- ports:
- - port: 8443
- protocol: TCP
- targetPort: 8443
- selector:
- app: aro-hcp-frontend-v2
- type: ClusterIP
----
# Source: frontend/templates/frontend.service.yaml
apiVersion: v1
kind: Service
@@ -97,125 +68,6 @@ spec:
selector:
app.kubernetes.io/part-of: aro-hcp-frontend
---
-# Source: frontend/templates/frontend-v2.deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: aro-hcp-frontend-v2
- name: aro-hcp-frontend-v2
- namespace: 'aro-hcp'
-spec:
- progressDeadlineSeconds: 600
- replicas: 2
- revisionHistoryLimit: 10
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
- strategy:
- rollingUpdate:
- maxSurge: 50%
- maxUnavailable: 50%
- type: RollingUpdate
- template:
- metadata:
- labels:
- app: aro-hcp-frontend-v2
- app.kubernetes.io/part-of: aro-hcp-frontend
- azure.workload.identity/use: "true"
- spec:
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: 'topology.kubernetes.io/zone'
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app: aro-hcp-frontend-v2
- - maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app: aro-hcp-frontend-v2
- serviceAccountName: 'frontend'
- containers:
- - name: aro-hcp-frontend-v2
- image: 'arohcpsvcdev.azurecr.io/arohcpfrontend@sha256:1234567890'
- imagePullPolicy: Always
- args: ["--clusters-service-url", "http://clusters-service.clusters-service.svc.cluster.local:8000", "--exit-on-panic=true", "--log-verbosity=0"]
- env:
- - name: DB_NAME
- valueFrom:
- configMapKeyRef:
- name: frontend-config
- key: DB_NAME
- - name: DB_URL
- valueFrom:
- configMapKeyRef:
- name: frontend-config
- key: DB_URL
- - name: LOCATION
- valueFrom:
- configMapKeyRef:
- name: frontend-config
- key: LOCATION
- - name: OTEL_EXPORTER_OTLP_ENDPOINT
- value: ""
- - name: OTEL_TRACES_EXPORTER
- value: ""
- - name: AUDIT_CONNECT_SOCKET
- value: "true"
- - name: AZURE_TOKEN_CREDENTIALS
- value: "WorkloadIdentityCredential"
- ports:
- - containerPort: 8443
- protocol: TCP
- - containerPort: 8081
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsUser: 65532
- runAsGroup: 65532
- seccompProfile:
- type: RuntimeDefault
- volumeMounts:
- - name: mdsd-asa-run-vol
- mountPath: /var/run/mdsd
- startupProbe:
- httpGet:
- path: /healthz
- port: 8443
- periodSeconds: 10
- failureThreshold: 30
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8443
- initialDelaySeconds: 15
- periodSeconds: 20
- failureThreshold: 3
- readinessProbe:
- httpGet:
- path: /healthz
- port: 8443
- initialDelaySeconds: 5
- periodSeconds: 10
- volumes:
- - name: mdsd-asa-run-vol
- hostPath:
- path: /var/run/mdsd
- type: Directory
- restartPolicy: Always
- terminationGracePeriodSeconds: 30
----
# Source: frontend/templates/frontend.deployment.yaml
apiVersion: apps/v1
kind: Deployment
@@ -506,20 +358,6 @@ spec:
8081:
mode: PERMISSIVE
---
-# Source: frontend/templates/peerauthentication.yaml
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: aro-hcp-frontend-v2-metrics
- namespace: 'aro-hcp'
-spec:
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
- portLevelMtls:
- 8081:
- mode: PERMISSIVE
----
# Source: frontend/templates/frontend.secretproviderclass.yaml
################################
#
@@ -587,24 +425,6 @@ spec:
gateways:
- aks-istio-ingress/aro-hcp-gateway-external
http:
- - match:
- - headers:
- x-ms-mise-version:
- exact: "v2"
- uri:
- regex: '.+'
- headers:
- request:
- add:
- mise-inbound-policies-to-filter: "ARM Policy"
- response:
- add:
- x-ms-served-by: "v2"
- route:
- - destination:
- host: aro-hcp-frontend-v2
- port:
- number: 8443
- match:
- uri:
regex: '.+'
diff --git a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml
index 9d9408a3091..f79c3532422 100644
--- a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml
+++ b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml
@@ -1,16 +1,4 @@
---
-# Source: frontend/templates/frontend-v2.poddisruptionbudget.yaml
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: aro-hcp-frontend-v2
- namespace: 'aro-hcp'
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
----
# Source: frontend/templates/frontend.poddisruptionbudget.yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
@@ -45,23 +33,6 @@ data:
FRONTEND_MI_CLIENT_ID: '__frontendMsiClientId__'
LOCATION: 'westus3'
---
-# Source: frontend/templates/frontend-v2.service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app: aro-hcp-frontend-v2
- name: aro-hcp-frontend-v2
- namespace: 'aro-hcp'
-spec:
- ports:
- - port: 8443
- protocol: TCP
- targetPort: 8443
- selector:
- app: aro-hcp-frontend-v2
- type: ClusterIP
----
# Source: frontend/templates/frontend.service.yaml
apiVersion: v1
kind: Service
@@ -97,117 +68,6 @@ spec:
selector:
app.kubernetes.io/part-of: aro-hcp-frontend
---
-# Source: frontend/templates/frontend-v2.deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: aro-hcp-frontend-v2
- name: aro-hcp-frontend-v2
- namespace: 'aro-hcp'
-spec:
- progressDeadlineSeconds: 600
- replicas: 2
- revisionHistoryLimit: 10
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
- strategy:
- rollingUpdate:
- maxSurge: 50%
- maxUnavailable: 50%
- type: RollingUpdate
- template:
- metadata:
- labels:
- app: aro-hcp-frontend-v2
- app.kubernetes.io/part-of: aro-hcp-frontend
- azure.workload.identity/use: "true"
- spec:
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: 'topology.kubernetes.io/zone'
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app: aro-hcp-frontend-v2
- - maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app: aro-hcp-frontend-v2
- serviceAccountName: 'frontend'
- containers:
- - name: aro-hcp-frontend-v2
- image: 'arohcpsvcdev.azurecr.io/arohcpfrontend@sha256:1234567890'
- imagePullPolicy: Always
- args: ["--clusters-service-url", "http://clusters-service.clusters-service.svc.cluster.local:8000", "--exit-on-panic=true", "--log-verbosity=0"]
- env:
- - name: DB_NAME
- valueFrom:
- configMapKeyRef:
- name: frontend-config
- key: DB_NAME
- - name: DB_URL
- valueFrom:
- configMapKeyRef:
- name: frontend-config
- key: DB_URL
- - name: LOCATION
- valueFrom:
- configMapKeyRef:
- name: frontend-config
- key: LOCATION
- - name: OTEL_EXPORTER_OTLP_ENDPOINT
- value: ""
- - name: OTEL_TRACES_EXPORTER
- value: ""
- - name: AUDIT_CONNECT_SOCKET
- value: "false"
- - name: AZURE_TOKEN_CREDENTIALS
- value: "WorkloadIdentityCredential"
- ports:
- - containerPort: 8443
- protocol: TCP
- - containerPort: 8081
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsUser: 65532
- runAsGroup: 65532
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- httpGet:
- path: /healthz
- port: 8443
- periodSeconds: 10
- failureThreshold: 30
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8443
- initialDelaySeconds: 15
- periodSeconds: 20
- failureThreshold: 3
- readinessProbe:
- httpGet:
- path: /healthz
- port: 8443
- initialDelaySeconds: 5
- periodSeconds: 10
- restartPolicy: Always
- terminationGracePeriodSeconds: 30
----
# Source: frontend/templates/frontend.deployment.yaml
apiVersion: apps/v1
kind: Deployment
@@ -444,25 +304,6 @@ metadata:
namespace: 'aro-hcp'
spec: {}
---
-# Source: frontend/templates/ext-authz-misev2.authorizationpolicy.yaml
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: ext-authz-misev2
- namespace: 'aro-hcp'
-spec:
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
- action: CUSTOM
- provider:
- name: ext-authz-misev2
- rules:
- - to:
- - operation:
- paths: ["/*"]
- notPaths: ["/metrics"]
----
# Source: frontend/templates/ext-authz.authorizationpolicy.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
@@ -528,20 +369,6 @@ spec:
8081:
mode: PERMISSIVE
---
-# Source: frontend/templates/peerauthentication.yaml
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: aro-hcp-frontend-v2-metrics
- namespace: 'aro-hcp'
-spec:
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
- portLevelMtls:
- 8081:
- mode: PERMISSIVE
----
# Source: frontend/templates/frontend.secretproviderclass.yaml
################################
#
@@ -609,24 +436,6 @@ spec:
gateways:
- aks-istio-ingress/aro-hcp-gateway-external
http:
- - match:
- - headers:
- x-ms-mise-version:
- exact: "v2"
- uri:
- regex: '.+'
- headers:
- request:
- add:
- mise-inbound-policies-to-filter: "ARM Policy"
- response:
- add:
- x-ms-served-by: "v2"
- route:
- - destination:
- host: aro-hcp-frontend-v2
- port:
- number: 8443
- match:
- uri:
regex: '.+'
diff --git a/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml b/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml
index 8b466d86a8c..3c677dd4063 100644
--- a/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml
+++ b/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml
@@ -1,16 +1,4 @@
---
-# Source: frontend/templates/frontend-v2.poddisruptionbudget.yaml
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: aro-hcp-frontend-v2
- namespace: 'aro-hcp'
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
----
# Source: frontend/templates/frontend.poddisruptionbudget.yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
@@ -45,23 +33,6 @@ data:
FRONTEND_MI_CLIENT_ID: '__frontendMsiClientId__'
LOCATION: 'westus3'
---
-# Source: frontend/templates/frontend-v2.service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app: aro-hcp-frontend-v2
- name: aro-hcp-frontend-v2
- namespace: 'aro-hcp'
-spec:
- ports:
- - port: 8443
- protocol: TCP
- targetPort: 8443
- selector:
- app: aro-hcp-frontend-v2
- type: ClusterIP
----
# Source: frontend/templates/frontend.service.yaml
apiVersion: v1
kind: Service
@@ -97,117 +68,6 @@ spec:
selector:
app.kubernetes.io/part-of: aro-hcp-frontend
---
-# Source: frontend/templates/frontend-v2.deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: aro-hcp-frontend-v2
- name: aro-hcp-frontend-v2
- namespace: 'aro-hcp'
-spec:
- progressDeadlineSeconds: 600
- replicas: 2
- revisionHistoryLimit: 10
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
- strategy:
- rollingUpdate:
- maxSurge: 50%
- maxUnavailable: 50%
- type: RollingUpdate
- template:
- metadata:
- labels:
- app: aro-hcp-frontend-v2
- app.kubernetes.io/part-of: aro-hcp-frontend
- azure.workload.identity/use: "true"
- spec:
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: 'topology.kubernetes.io/zone'
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app: aro-hcp-frontend-v2
- - maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app: aro-hcp-frontend-v2
- serviceAccountName: 'frontend'
- containers:
- - name: aro-hcp-frontend-v2
- image: 'arohcpsvcdev.azurecr.io/arohcpfrontend@sha256:1234567890'
- imagePullPolicy: Always
- args: ["--clusters-service-url", "http://clusters-service.clusters-service.svc.cluster.local:8000", "--exit-on-panic=true", "--log-verbosity=0"]
- env:
- - name: DB_NAME
- valueFrom:
- configMapKeyRef:
- name: frontend-config
- key: DB_NAME
- - name: DB_URL
- valueFrom:
- configMapKeyRef:
- name: frontend-config
- key: DB_URL
- - name: LOCATION
- valueFrom:
- configMapKeyRef:
- name: frontend-config
- key: LOCATION
- - name: OTEL_EXPORTER_OTLP_ENDPOINT
- value: ""
- - name: OTEL_TRACES_EXPORTER
- value: ""
- - name: AUDIT_CONNECT_SOCKET
- value: "false"
- - name: AZURE_TOKEN_CREDENTIALS
- value: "WorkloadIdentityCredential"
- ports:
- - containerPort: 8443
- protocol: TCP
- - containerPort: 8081
- protocol: TCP
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsUser: 65532
- runAsGroup: 65532
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- httpGet:
- path: /healthz
- port: 8443
- periodSeconds: 10
- failureThreshold: 30
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8443
- initialDelaySeconds: 15
- periodSeconds: 20
- failureThreshold: 3
- readinessProbe:
- httpGet:
- path: /healthz
- port: 8443
- initialDelaySeconds: 5
- periodSeconds: 10
- restartPolicy: Always
- terminationGracePeriodSeconds: 30
----
# Source: frontend/templates/frontend.deployment.yaml
apiVersion: apps/v1
kind: Deployment
@@ -490,20 +350,6 @@ spec:
8081:
mode: PERMISSIVE
---
-# Source: frontend/templates/peerauthentication.yaml
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: aro-hcp-frontend-v2-metrics
- namespace: 'aro-hcp'
-spec:
- selector:
- matchLabels:
- app: aro-hcp-frontend-v2
- portLevelMtls:
- 8081:
- mode: PERMISSIVE
----
# Source: frontend/templates/frontend.secretproviderclass.yaml
################################
#
@@ -571,24 +417,6 @@ spec:
gateways:
- aks-istio-ingress/aro-hcp-gateway-external
http:
- - match:
- - headers:
- x-ms-mise-version:
- exact: "v2"
- uri:
- regex: '.+'
- headers:
- request:
- add:
- mise-inbound-policies-to-filter: "ARM Policy"
- response:
- add:
- x-ms-served-by: "v2"
- route:
- - destination:
- host: aro-hcp-frontend-v2
- port:
- number: 8443
- match:
- uri:
regex: '.+'
diff --git a/istio/deploy/charts/mise/templates/configmap-misev2.yaml b/istio/deploy/charts/mise/templates/configmap.yaml
similarity index 99%
rename from istio/deploy/charts/mise/templates/configmap-misev2.yaml
rename to istio/deploy/charts/mise/templates/configmap.yaml
index 0ebc06856a6..fdef3ab98d7 100644
--- a/istio/deploy/charts/mise/templates/configmap-misev2.yaml
+++ b/istio/deploy/charts/mise/templates/configmap.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
- name: misev2-config
+ name: mise-config
namespace: '{{ .Values.namespace }}'
data:
appsettings.json: |-
diff --git a/istio/deploy/charts/mise/templates/deployment-misev2.yaml b/istio/deploy/charts/mise/templates/deployment-misev2.yaml
deleted file mode 100644
index 4a162a05750..00000000000
--- a/istio/deploy/charts/mise/templates/deployment-misev2.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: misev2
- namespace: '{{ .Values.namespace }}'
-spec:
- replicas: 2
- selector:
- matchLabels:
- app: misev2
- template:
- metadata:
- annotations:
- checksum/config: {{ include (print $.Template.BasePath "/configmap-misev2.yaml") . | sha256sum }}
- labels:
- app: misev2
- spec:
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: '{{ if eq (int .Values.deployment.zoneCount) 0 }}kubernetes.azure.com/agentpool{{ else }}topology.kubernetes.io/zone{{ end }}'
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app: misev2
- - maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app: misev2
- containers:
- - name: misev2
- image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}@{{ .Values.image.digestv2 }}"
- ports:
- - containerPort: 8080
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8080
- readinessProbe:
- httpGet:
- path: /readyz
- port: 8080
- volumeMounts:
- - name: misev2-config
- mountPath: /app/appsettings.json
- subPath: appsettings.json
- readOnly: true
- env:
- - name: OTEL_EXPORTER_OTLP_ENDPOINT
- value: "{{ .Values.tracing.address }}"
- - name: OTEL_TRACES_EXPORTER
- value: "{{ .Values.tracing.exporter }}"
- volumes:
- - name: misev2-config
- configMap:
- name: misev2-config
diff --git a/istio/deploy/charts/mise/templates/deployment.yaml b/istio/deploy/charts/mise/templates/deployment.yaml
index 5671740f0f6..5b773f4a167 100644
--- a/istio/deploy/charts/mise/templates/deployment.yaml
+++ b/istio/deploy/charts/mise/templates/deployment.yaml
@@ -10,6 +10,8 @@ spec:
app: mise
template:
metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
labels:
app: mise
spec:
@@ -39,58 +41,17 @@ spec:
httpGet:
path: /readyz
port: 8080
+ volumeMounts:
+ - name: mise-config
+ mountPath: /app/appsettings.json
+ subPath: appsettings.json
+ readOnly: true
env:
- - name: EnableInboundPolicyFilter
- value: "true"
- - name: AzureAd__Instance
- value: '{{ .Values.audit.adInstance }}'
- - name: AzureAd__ClientId
- value: '{{ .Values.audit.clientId }}'
- - name: AzureAd__TenantId
- value: '{{ .Values.audit.tenantId }}'
- - name: AzureAd__Audience
- value: "{{ .Values.audit.audience }}"
- - name: AzureAd__InboundPolicies__0__Label
- value: "{{ .Values.armPolicy.label }}"
- - name: AzureAd__InboundPolicies__0__Authority
- value: "{{ .Values.armPolicy.authority }}"
- - name: AzureAd__InboundPolicies__0__AuthenticationSchemes__0
- value: "PoP"
- - name: AzureAd__InboundPolicies__0__ValidAudiences__0
- value: '{{ .Values.armPolicy.audience }}'
- - name: AzureAd__InboundPolicies__0__ValidApplicationIds__0
- value: '{{ .Values.armPolicy.applicationId }}'
- - name: AzureAd__InboundPolicies__0__SignedHttpRequestValidationPolicy
- value: '{"ValidateTs" : true, "ValidateM" : true, "ValidateU" : true, "ValidateP" : true }'
- - name: AzureAd__InboundPolicies__1__Label
- value: "{{ .Values.genevaActionsPolicy.label }}"
- - name: AzureAd__InboundPolicies__1__Authority
- value: "{{ .Values.genevaActionsPolicy.authority }}"
- - name: AzureAd__InboundPolicies__1__AuthenticationSchemes__0
- value: "Bearer"
- - name: AzureAd__InboundPolicies__1__ValidAudiences__0
- value: '{{ .Values.genevaActionsPolicy.audience }}'
- - name: AzureAd__InboundPolicies__1__ValidApplicationIds__0
- value: "{{ .Values.genevaActionsPolicy.applicationId }}"
- - name: AzureAd__InboundPolicies__2__Label
- value: "{{ .Values.sessiongatePolicy.label }}"
- - name: AzureAd__InboundPolicies__2__Authority
- value: "{{ .Values.sessiongatePolicy.authority }}"
- - name: AzureAd__InboundPolicies__2__AuthenticationSchemes__0
- value: "Bearer"
- - name: AzureAd__InboundPolicies__2__ValidAudiences__0
- value: '{{ .Values.sessiongatePolicy.audience }}'
- - name: AllowedHosts
- value: "*"
- - name: Kestrel__Endpoints__Http__Url
- value: "http://0.0.0.0:8080"
- - name: Logging__LogLevel__Default
- value: "Information"
- - name: Logging__LogLevel__Microsoft
- value: "Information"
- - name: AzureAd__Logging__LogLevel
- value: "Information"
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: "{{ .Values.tracing.address }}"
- name: OTEL_TRACES_EXPORTER
value: "{{ .Values.tracing.exporter }}"
+ volumes:
+ - name: mise-config
+ configMap:
+ name: mise-config
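Review bot: Moving MISE's configuration from env vars to the mounted appsettings.json removes `EnableInboundPolicyFilter`, the PoP `SignedHttpRequestValidationPolicy` flags (ValidateTs/M/U/P), `AllowedHosts` and the Kestrel endpoint binding from the pod spec, and this diff does not show the `appsettings.json` data of the renamed `mise-config` ConfigMap, so it cannot be verified here that the inbound policy filter and signed-request validation are carried over unchanged. Please confirm the ConfigMap content is equivalent to the removed env block before merging, since a looser JSON config would weaken ARM request validation without any rendered-fixture test noticing. The new `subPath` mount in the volumeMounts block is not updated in place when the ConfigMap changes; the `checksum/config` annotation added in the earlier hunk of this file is what forces a rollout, and that dependency is worth stating next to the mount: `# subPath mounts are not refreshed in place; the checksum/config annotation forces a rollout on ConfigMap change`. The container spec this hunk edits starts outside the hunk.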
diff --git a/istio/deploy/charts/mise/templates/service.yaml b/istio/deploy/charts/mise/templates/service.yaml
index ca233cdee57..5fcc2d7b022 100644
--- a/istio/deploy/charts/mise/templates/service.yaml
+++ b/istio/deploy/charts/mise/templates/service.yaml
@@ -10,16 +10,3 @@ spec:
- protocol: TCP
port: 8080
targetPort: 8080
----
-apiVersion: v1
-kind: Service
-metadata:
- name: misev2
- namespace: '{{ .Values.namespace }}'
-spec:
- selector:
- app: misev2
- ports:
- - protocol: TCP
- port: 8080
- targetPort: 8080
diff --git a/istio/deploy/charts/mise/values.yaml b/istio/deploy/charts/mise/values.yaml
index 0c66bfd3240..474c7d7949f 100644
--- a/istio/deploy/charts/mise/values.yaml
+++ b/istio/deploy/charts/mise/values.yaml
@@ -2,7 +2,6 @@ image:
registry: ""
repository: ""
digest: ""
- digestv2: ""
tracing:
address: ""
exporter: ""
@@ -24,3 +23,7 @@ genevaActionsPolicy:
authority: ""
audience: ""
applicationId: ""
+sessiongatePolicy:
+ label: ""
+ authority: ""
+ audience: ""
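Review bot: The new `sessiongatePolicy` block has no `applicationId`, unlike `genevaActionsPolicy` directly above it, so the chart has no value to feed a `ValidApplicationIds` entry for this inbound policy and, as far as the chart is concerned, any bearer token from the configured authority with the configured audience will be accepted regardless of which client application obtained it. That matches the env-based configuration this commit removes from the deployment template (policy 2 had no `ValidApplicationIds`), so the gap is inherited rather than introduced, but moving the policy into values is the right moment to close it or document it. I would add `applicationId: ""` under `sessiongatePolicy` and wire it through to the policy's `ValidApplicationIds` in the configmap template, or, if caller-app restriction is deliberately absent because the audience is the gating factor, add a one-line comment above `sessiongatePolicy` saying so. The configmap template that consumes these values is not in this chunk, so I cannot confirm how the authority string is matched; the old rendered fixture showed the Session Gate authority without the trailing slash the Geneva Actions authority carries, which is worth checking against what MISE expects for issuer comparison.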
diff --git a/istio/deploy/templates/istio-shared-configmap.yml b/istio/deploy/templates/istio-shared-configmap.yml
index b629519b27d..fe2d755811e 100644
--- a/istio/deploy/templates/istio-shared-configmap.yml
+++ b/istio/deploy/templates/istio-shared-configmap.yml
@@ -15,13 +15,7 @@ data:
envoyExtAuthzHttp:
service: "mise/mise.mise.svc.cluster.local"
port: "8080"
- includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"]
- pathPrefix: "/v1/EnvoyValidateRequest"
- - name: "ext-authz-misev2"
- envoyExtAuthzHttp:
- service: "mise/misev2.mise.svc.cluster.local"
- port: "8080"
- includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"]
+ includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"]
pathPrefix: "/v1/EnvoyValidateRequest"
{{ end }}
{{ end }}
diff --git a/istio/deploy/templates/mise.serviceentry.yml b/istio/deploy/templates/mise.serviceentry.yml
index 722d7044e06..dc33ccebb03 100644
--- a/istio/deploy/templates/mise.serviceentry.yml
+++ b/istio/deploy/templates/mise.serviceentry.yml
@@ -6,7 +6,6 @@ metadata:
spec:
hosts:
- "mise.mise.svc.cluster.local"
- - "misev2.mise.svc.cluster.local"
endpoints:
- address: "127.0.0.1"
ports:
diff --git a/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml b/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml
index b718967f30e..8e3a752d932 100644
--- a/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml
+++ b/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml
@@ -1,9 +1,9 @@
---
-# Source: istio/charts/mise/templates/configmap-misev2.yaml
+# Source: istio/charts/mise/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
- name: misev2-config
+ name: mise-config
namespace: 'mise'
data:
appsettings.json: |-
@@ -107,13 +107,7 @@ data:
envoyExtAuthzHttp:
service: "mise/mise.mise.svc.cluster.local"
port: "8080"
- includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"]
- pathPrefix: "/v1/EnvoyValidateRequest"
- - name: "ext-authz-misev2"
- envoyExtAuthzHttp:
- service: "mise/misev2.mise.svc.cluster.local"
- port: "8080"
- includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"]
+ includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"]
pathPrefix: "/v1/EnvoyValidateRequest"
---
# Source: istio/charts/mise/templates/service.yaml
@@ -130,79 +124,6 @@ spec:
port: 8080
targetPort: 8080
---
-# Source: istio/charts/mise/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: misev2
- namespace: 'mise'
-spec:
- selector:
- app: misev2
- ports:
- - protocol: TCP
- port: 8080
- targetPort: 8080
----
-# Source: istio/charts/mise/templates/deployment-misev2.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: misev2
- namespace: 'mise'
-spec:
- replicas: 2
- selector:
- matchLabels:
- app: misev2
- template:
- metadata:
- annotations:
- checksum/config: 6ca24e11919f439f8a291fb3f3134d1383ab16a6987b7c8b6aa3c20ec2a6e8ea
- labels:
- app: misev2
- spec:
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: 'topology.kubernetes.io/zone'
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app: misev2
- - maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app: misev2
- containers:
- - name: misev2
- image: "arohcpsvcdev.azurecr.io/mise-1p-container-image@sha256:1234567890"
- ports:
- - containerPort: 8080
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8080
- readinessProbe:
- httpGet:
- path: /readyz
- port: 8080
- volumeMounts:
- - name: misev2-config
- mountPath: /app/appsettings.json
- subPath: appsettings.json
- readOnly: true
- env:
- - name: OTEL_EXPORTER_OTLP_ENDPOINT
- value: ""
- - name: OTEL_TRACES_EXPORTER
- value: ""
- volumes:
- - name: misev2-config
- configMap:
- name: misev2-config
----
# Source: istio/charts/mise/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
@@ -216,6 +137,8 @@ spec:
app: mise
template:
metadata:
+ annotations:
+ checksum/config: 878706b0364a1ad5f4baea54aaf81e19e2222e4c44c97f853f1cac09fad6ac70
labels:
app: mise
spec:
@@ -245,61 +168,20 @@ spec:
httpGet:
path: /readyz
port: 8080
+ volumeMounts:
+ - name: mise-config
+ mountPath: /app/appsettings.json
+ subPath: appsettings.json
+ readOnly: true
env:
- - name: EnableInboundPolicyFilter
- value: "true"
- - name: AzureAd__Instance
- value: 'https://login.microsoftonline.com/'
- - name: AzureAd__ClientId
- value: 'b3cb2fab-15cb-4583-ad06-f91da9bfe2d1'
- - name: AzureAd__TenantId
- value: '33e01921-4d64-4f8c-a055-5bdaffd5e33d'
- - name: AzureAd__Audience
- value: "api://b3cb2fab-15cb-4583-ad06-f91da9bfe2d1"
- - name: AzureAd__InboundPolicies__0__Label
- value: "ARM Policy"
- - name: AzureAd__InboundPolicies__0__Authority
- value: "https://login.microsoftonline.com/33e01921-4d64-4f8c-a055-5bdaffd5e33d"
- - name: AzureAd__InboundPolicies__0__AuthenticationSchemes__0
- value: "PoP"
- - name: AzureAd__InboundPolicies__0__ValidAudiences__0
- value: 'https://management.azure.com'
- - name: AzureAd__InboundPolicies__0__ValidApplicationIds__0
- value: 'e2c2ff5c-e5b4-4e79-8c3e-1da8c48461e7'
- - name: AzureAd__InboundPolicies__0__SignedHttpRequestValidationPolicy
- value: '{"ValidateTs" : true, "ValidateM" : true, "ValidateU" : true, "ValidateP" : true }'
- - name: AzureAd__InboundPolicies__1__Label
- value: "Geneva Actions"
- - name: AzureAd__InboundPolicies__1__Authority
- value: "https://sts.windows.net/__tenantId__/"
- - name: AzureAd__InboundPolicies__1__AuthenticationSchemes__0
- value: "Bearer"
- - name: AzureAd__InboundPolicies__1__ValidAudiences__0
- value: 'https://management.azure.com'
- - name: AzureAd__InboundPolicies__1__ValidApplicationIds__0
- value: "__genevaActionsAppId__"
- - name: AzureAd__InboundPolicies__2__Label
- value: "Session Gate"
- - name: AzureAd__InboundPolicies__2__Authority
- value: "https://sts.windows.net/__tenantId__"
- - name: AzureAd__InboundPolicies__2__AuthenticationSchemes__0
- value: "Bearer"
- - name: AzureAd__InboundPolicies__2__ValidAudiences__0
- value: '6dae42f8-4368-4678-94ff-3960e28e3630'
- - name: AllowedHosts
- value: "*"
- - name: Kestrel__Endpoints__Http__Url
- value: "http://0.0.0.0:8080"
- - name: Logging__LogLevel__Default
- value: "Information"
- - name: Logging__LogLevel__Microsoft
- value: "Information"
- - name: AzureAd__Logging__LogLevel
- value: "Information"
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: ""
- name: OTEL_TRACES_EXPORTER
value: ""
+ volumes:
+ - name: mise-config
+ configMap:
+ name: mise-config
---
# Source: istio/templates/ops-ingress.gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
@@ -381,7 +263,6 @@ metadata:
spec:
hosts:
- "mise.mise.svc.cluster.local"
- - "misev2.mise.svc.cluster.local"
endpoints:
- address: "127.0.0.1"
ports:
diff --git a/istio/values.yaml b/istio/values.yaml
index f28d95e485a..324420d752d 100644
--- a/istio/values.yaml
+++ b/istio/values.yaml
@@ -14,9 +14,8 @@ mise:
namespace: "mise"
image:
registry: "{{ .acr.svc.name }}.azurecr.io"
- repository: "{{ .mise.image.repository }}"
- digest: "{{ .mise.image.digest }}"
- digestv2: "{{ .mise.imageV2.digest }}"
+ repository: "{{ .mise.imageV2.repository }}"
+ digest: "{{ .mise.imageV2.digest }}"
audit:
adInstance: "https://{{ .mise.arm.authorityFQDN }}/"
clientId: "{{ .firstPartyAppClientId }}"
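Review bot: The chart now reads both `repository` and `digest` from `.mise.imageV2`, yet after this commit there is only one MISE image, so the `V2` suffix in the config key no longer distinguishes anything and will read as a leftover to the next maintainer. Pinning by digest is kept, which is the important part; the naming is the only point. If the underlying config layer can be changed in the same series, renaming the key to `.mise.image` and using `repository: "{{ .mise.image.repository }}"` / `digest: "{{ .mise.image.digest }}"` here would remove the dangling version marker; otherwise a short comment above `image:` noting that `imageV2` is the sole MISE image would avoid confusion. The config files that define `.mise.imageV2` are not in this chunk, so I cannot tell whether the rename is cheap.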
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt
index 0a50b13a1e2..209c001d33b 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt
@@ -58,8 +58,6 @@ Customer should be able to lifecycle and confirm external auth on a cluster
Customer should be able to create an HCP cluster and manage ImageDigestMirrors
Customer should be able to create an HCP cluster with Image Registry not present
Engineering should be able to retrieve kusto logs for a cluster and services
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
Nodepool Ephemeral OS Disk should create a nodepool with ephemeral OS disk when autoRepair is enabled
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt
index 8ded77656ee..210ae769cef 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt
@@ -59,8 +59,6 @@ Customer should be able to lifecycle and confirm external auth on a cluster
HCP Nodepools GPU instances creates and deletes vm type NC4asT4v3 in a single cluster
Customer should be able to create an HCP cluster and manage ImageDigestMirrors
Customer should be able to create an HCP cluster with Image Registry not present
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
Customer should respect cluster-wide node limits with nodepool autoscaling
Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt
index 35975e7838d..edf431786b0 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt
@@ -58,8 +58,6 @@ Customer should be able to create a cluster with an external auth config and get
Customer should be able to lifecycle and confirm external auth on a cluster
Customer should be able to create an HCP cluster and manage ImageDigestMirrors
Customer should be able to create an HCP cluster with Image Registry not present
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
Customer should respect cluster-wide node limits with nodepool autoscaling
Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt
index d209230d5ed..4e9180e246c 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt
@@ -62,8 +62,6 @@ Customer should be able to create an HCP cluster with Image Registry not present
Image Registry Policy should deny pods with images from disallowed registries
Image Registry Policy should allow pods with images from allowed registries and have a valid allowlist
Engineering should be able to retrieve kusto logs for a cluster and services
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
Customer should respect cluster-wide node limits with nodepool autoscaling
Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt
index 3e05dc4d26b..1ad2605dacf 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt
@@ -55,8 +55,6 @@ Customer should be able to create a cluster with an external auth config and get
Customer should be able to lifecycle and confirm external auth on a cluster
Customer should be able to create an HCP cluster and manage ImageDigestMirrors
Customer should be able to create an HCP cluster with Image Registry not present
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
Customer should respect cluster-wide node limits with nodepool autoscaling
Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt
index 35975e7838d..edf431786b0 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt
@@ -58,8 +58,6 @@ Customer should be able to create a cluster with an external auth config and get
Customer should be able to lifecycle and confirm external auth on a cluster
Customer should be able to create an HCP cluster and manage ImageDigestMirrors
Customer should be able to create an HCP cluster with Image Registry not present
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
Customer should respect cluster-wide node limits with nodepool autoscaling
Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
diff --git a/test/util/framework/per_test_framework.go b/test/util/framework/per_test_framework.go
index a6d7d9a24a8..3b5b7f44288 100644
--- a/test/util/framework/per_test_framework.go
+++ b/test/util/framework/per_test_framework.go
@@ -43,7 +43,6 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/log"
- "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
@@ -970,28 +969,6 @@ func (tc *perItOrDescribeTestContext) getGraphClientUnlocked(ctx context.Context
return graphutil.NewClient(ctx, creds)
}
-// Get20251223ClientFactoryWithPolicies creates a v20251223preview client factory
-// with the given additional per-call policies appended to the base options.
-// Unlike Get20251223ClientFactory, the result is not cached since policies vary per call.
-func (tc *perItOrDescribeTestContext) Get20251223ClientFactoryWithPolicies(ctx context.Context, policies ...policy.Policy) (*hcpsdk20251223preview.ClientFactory, error) {
- creds, err := tc.perBinaryInvocationTestContext.getAzureCredentials()
- if err != nil {
- return nil, err
- }
-
- tc.contextLock.Lock()
- subscriptionID, err := tc.getSubscriptionIDUnlocked(ctx)
- tc.contextLock.Unlock()
- if err != nil {
- return nil, err
- }
-
- opts := tc.perBinaryInvocationTestContext.getHCPClientFactoryOptions()
- opts.PerCallPolicies = append(opts.PerCallPolicies, policies...)
-
- return hcpsdk20251223preview.NewClientFactory(subscriptionID, creds, opts)
-}
-
func (tc *perItOrDescribeTestContext) Location() string {
return tc.perBinaryInvocationTestContext.Location()
}