From 0abae14a14c923ba78fc82f7086ac2b79013c354 Mon Sep 17 00:00:00 2001 
From: tony-schndr Date: Thu, 23 Apr 2026 09:23:17 -0500 Subject: [PATCH] Cut over to MISE v2 as sole ext_authz provider Remove MISE v1 deployment and dual-frontend routing infrastructure. Consolidate on a single MISE v2 deployment under the existing ext-authz provider name so admin and sessiongate AuthorizationPolicies require no changes. Revert frontend from templated dual-deployment back to a single inline deployment. Remove header-based traffic splitting (x-ms-mise-version), split routing e2e tests, and associated framework code. --- .yamlfmt.yaml | 1 - .yamllint.yml | 1 - ...tHelmTemplate_dev_westus3_svc_1_istio.yaml | 9 +- docs/mise.md | 32 --- .../ext-authz-misev2.authorizationpolicy.yaml | 19 -- .../templates/frontend-v2.deployment.yaml | 1 - .../frontend-v2.poddisruptionbudget.yaml | 10 - .../deploy/templates/frontend-v2.service.yaml | 15 -- .../deploy/templates/frontend.deployment.yaml | 126 +++++++++++- .../templates/frontend.virtualservice.yaml | 18 -- .../deploy/templates/peerauthentication.yaml | 13 -- ...tHelmTemplate_frontend_connect_socket.yaml | 180 ----------------- ...estHelmTemplate_frontend_mise_enabled.yaml | 191 ------------------ ...ev_westus3_svc_1_aro_hcp_frontend_dev.yaml | 172 ---------------- .../{configmap-misev2.yaml => configmap.yaml} | 2 +- .../mise/templates/deployment-misev2.yaml | 57 ------ .../charts/mise/templates/deployment.yaml | 61 +----- .../deploy/charts/mise/templates/service.yaml | 13 -- istio/deploy/charts/mise/values.yaml | 5 +- .../templates/istio-shared-configmap.yml | 8 +- istio/deploy/templates/mise.serviceentry.yml | 1 - ...e_TestHelmTemplate_istio_mise_enabled.yaml | 147 ++------------ istio/values.yaml | 5 +- ...cd_check_paralleldev_cd_check_parallel.txt | 2 - ...tegration_parallelintegration_parallel.txt | 2 - ...orEachSuite_prod_parallelprod_parallel.txt | 2 - ...rp_api_compat_all_parallel_development.txt | 2 - ...all_parallelrp_api_compat_all_parallel.txt | 2 - ...EachSuite_stage_parallelstage_parallel.txt | 
2 - test/util/framework/per_test_framework.go | 23 --- 30 files changed, 159 insertions(+), 963 deletions(-) delete mode 100644 frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml delete mode 100644 frontend/deploy/templates/frontend-v2.deployment.yaml delete mode 100644 frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml delete mode 100644 frontend/deploy/templates/frontend-v2.service.yaml rename istio/deploy/charts/mise/templates/{configmap-misev2.yaml => configmap.yaml} (99%) delete mode 100644 istio/deploy/charts/mise/templates/deployment-misev2.yaml diff --git a/.yamlfmt.yaml b/.yamlfmt.yaml index 258395ef720..a250681bea1 100644 --- a/.yamlfmt.yaml +++ b/.yamlfmt.yaml @@ -3,7 +3,6 @@ match_type: doublestar exclude: - '**/zz_fixture_*.yaml' - 'frontend/deploy/templates/frontend.deployment.yaml' -- 'frontend/deploy/templates/frontend-v2.deployment.yaml' - 'image-registry-policy/values.yaml' - 'image-registry-policy/deploy/templates/validatingadmissionpolicybinding.yaml' formatter: diff --git a/.yamllint.yml b/.yamllint.yml index 8c4cfb1f3be..de309593639 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -7,7 +7,6 @@ ignore: - 'admin/deploy/templates/ext-authz.authorizationpolicy.yaml' - 'admin/deploy/templates/admin.deployment.yaml' - 'frontend/deploy/templates/ext-authz.authorizationpolicy.yaml' -- 'frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml' - 'frontend/deploy/templates/allow-ingress.authorizationpolicy.yaml' - 'frontend/deploy/templates/frontend.deployment.yaml' - 'istio/deploy/templates/istio-shared-configmap.yml' diff --git a/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml b/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml index 5bee5871dce..5f4d26cb54d 100644 --- a/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml +++ b/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml 
@@ -14,13 +14,7 @@ data: envoyExtAuthzHttp: service: "mise/mise.mise.svc.cluster.local" port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] - pathPrefix: "/v1/EnvoyValidateRequest" - - name: "ext-authz-misev2" - envoyExtAuthzHttp: - service: "mise/misev2.mise.svc.cluster.local" - port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] + includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"] pathPrefix: "/v1/EnvoyValidateRequest" --- # Source: istio/templates/ops-ingress.gateway.yaml @@ -103,7 +97,6 @@ metadata: spec: hosts: - "mise.mise.svc.cluster.local" - - "misev2.mise.svc.cluster.local" endpoints: - address: "127.0.0.1" ports: diff --git a/docs/mise.md b/docs/mise.md index 20f286710f2..9433215bda9 100644 --- a/docs/mise.md +++ b/docs/mise.md @@ -32,35 +32,3 @@ Microsoft Identity Service Essentials (MISE) is an internal Microsoft service pr - Istio enforces the decision (forward or reject). Note: This retrofit ensures that Geneva Action traffic is consistently validated through the same MISE-based framework, providing a unified security model for both ARM and Geneva-originated requests. -# MISE v2 Deployment - -MISE v2 is deployed alongside v1 as a separate workload in the `mise` namespace. It uses a JSON-based configuration (via ConfigMap) instead of the environment-variable-based configuration used by v1. - -## Dual Frontend Routing - -Because Istio limits each workload to a single ext-authz provider, and because ext-authz calls bypass VirtualService routing entirely, header-based routing between MISE versions is achieved by running two separate frontend workloads, each with its own AuthorizationPolicy. - -```mermaid -graph TB - Client[Client Request] --> Gateway[Istio Ingress Gateway] - Gateway --> VS{VirtualService
x-ms-mise-version?} - - VS -->|"v2"| FEv2[aro-hcp-frontend-v2] - VS -->|default| FEv1[aro-hcp-frontend] - - FEv2 -->|"ext-authz-misev2
provider"| MISEv2["misev2.mise
(MISE v2)"] - FEv1 -->|"ext-authz
provider"| MISEv1["mise.mise
(MISE v1)"] -``` - -### Components - -- **Two ext-authz providers** defined in the Istio mesh config (`istio-shared-configmap`): - - `ext-authz` → `mise.mise.svc.cluster.local:8080` - - `ext-authz-misev2` → `misev2.mise.svc.cluster.local:8080` -- **Two frontend Deployments and Services**: `aro-hcp-frontend` and `aro-hcp-frontend-v2`, identical except for which ext-authz provider their AuthorizationPolicy references -- **VirtualService on the ingress gateway**: routes requests with `x-ms-mise-version: v2` header to `aro-hcp-frontend-v2`, all other traffic to `aro-hcp-frontend` -- **Shared label** `app.kubernetes.io/part-of: aro-hcp-frontend` on both frontend deployments, used by policies that apply to both (metrics, admin access) - -### Why Not VirtualService-Based Routing at the MISE Layer - -Istio ext-authz calls bypass VirtualService routing. The Envoy `envoyExtAuthzHttp` filter connects directly to the service cluster endpoints, not through the HTTP routing pipeline. This means a VirtualService on `mise.mise.svc.cluster.local` cannot split ext-authz traffic by header — the split must happen upstream by routing to different frontend workloads, each bound to its own ext-authz provider. diff --git a/frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml b/frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml deleted file mode 100644 index e9e878d7fe4..00000000000 --- a/frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if eq .Values.mise.deploy true }} -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: ext-authz-misev2 - namespace: '{{ .Release.Namespace }}' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - action: CUSTOM - provider: - name: ext-authz-misev2 - rules: - - to: - - operation: - paths: ["/*"] - notPaths: ["/metrics"] -{{- end }} 
diff --git a/frontend/deploy/templates/frontend-v2.deployment.yaml b/frontend/deploy/templates/frontend-v2.deployment.yaml deleted file mode 100644 index e2cef55bf3a..00000000000 --- a/frontend/deploy/templates/frontend-v2.deployment.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "frontend.deployment" (dict "appName" "aro-hcp-frontend-v2" "Values" .Values "Release" .Release) }} diff --git a/frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml b/frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml deleted file mode 100644 index 228afb45a81..00000000000 --- a/frontend/deploy/templates/frontend-v2.poddisruptionbudget.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: aro-hcp-frontend-v2 - namespace: '{{ .Release.Namespace }}' -spec: - minAvailable: 1 - selector: - matchLabels: - app: aro-hcp-frontend-v2 diff --git a/frontend/deploy/templates/frontend-v2.service.yaml b/frontend/deploy/templates/frontend-v2.service.yaml deleted file mode 100644 index cfc7a9efcff..00000000000 --- a/frontend/deploy/templates/frontend-v2.service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: '{{ .Release.Namespace }}' -spec: - ports: - - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app: aro-hcp-frontend-v2 - type: ClusterIP diff --git a/frontend/deploy/templates/frontend.deployment.yaml b/frontend/deploy/templates/frontend.deployment.yaml index e79af7fc407..cd9a879e409 100644 --- a/frontend/deploy/templates/frontend.deployment.yaml +++ b/frontend/deploy/templates/frontend.deployment.yaml 
@@ -1 +1,125 @@ -{{ include "frontend.deployment" (dict "appName" "aro-hcp-frontend" "Values" .Values "Release" .Release) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: aro-hcp-frontend + name: aro-hcp-frontend + namespace: '{{ .Release.Namespace }}' +spec: + progressDeadlineSeconds: 600 + replicas: {{ .Values.deployment.replicas }} + revisionHistoryLimit: 10 + selector: + matchLabels: + app: aro-hcp-frontend + strategy: + rollingUpdate: + maxSurge: 50% + maxUnavailable: 50% + type: RollingUpdate + template: + metadata: + labels: + app: aro-hcp-frontend + app.kubernetes.io/part-of: aro-hcp-frontend + azure.workload.identity/use: "true" + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: '{{ if eq (int .Values.deployment.zoneCount) 0 }}kubernetes.azure.com/agentpool{{ else }}topology.kubernetes.io/zone{{ end }}' + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: aro-hcp-frontend + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: aro-hcp-frontend + serviceAccountName: '{{ .Values.serviceAccount.name }}' + containers: + - name: aro-hcp-frontend + image: '{{ .Values.deployment.imageName }}' + imagePullPolicy: Always + args: ["--clusters-service-url", "http://clusters-service.{{ .Values.clustersService.namespace }}.svc.cluster.local:8000", "--exit-on-panic={{ .Values.exitOnPanic }}", "--log-verbosity={{ .Values.logVerbosity }}"] + env: + - name: DB_NAME + valueFrom: + configMapKeyRef: + name: frontend-config + key: DB_NAME + - name: DB_URL + valueFrom: + configMapKeyRef: + name: frontend-config + key: DB_URL + - name: LOCATION + valueFrom: + configMapKeyRef: + name: frontend-config + key: LOCATION + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: "{{ .Values.tracing.address }}" + - name: OTEL_TRACES_EXPORTER + value: "{{ .Values.tracing.exporter }}" + - name: AUDIT_CONNECT_SOCKET + value: "{{ .Values.audit.connectSocket }}" + - name: 
AZURE_TOKEN_CREDENTIALS + value: "WorkloadIdentityCredential" + ports: + - containerPort: 8443 + protocol: TCP + - containerPort: 8081 + protocol: TCP + resources: + requests: + cpu: {{ .Values.deployment.resources.requests.cpu }} + memory: {{ .Values.deployment.resources.requests.memory }} +{{- if ne .Values.deployment.resources.limits.memory "unlimited" }} + limits: + memory: {{ .Values.deployment.resources.limits.memory }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + seccompProfile: + type: RuntimeDefault + {{- if .Values.audit.connectSocket }} + volumeMounts: + - name: mdsd-asa-run-vol + mountPath: /var/run/mdsd + {{- end }} + startupProbe: + httpGet: + path: /healthz + port: 8443 + periodSeconds: 10 + failureThreshold: 30 + livenessProbe: + httpGet: + path: /healthz + port: 8443 + initialDelaySeconds: 15 + periodSeconds: 20 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: 8443 + initialDelaySeconds: 5 + periodSeconds: 10 + {{- if .Values.audit.connectSocket }} + volumes: + - name: mdsd-asa-run-vol + hostPath: + path: /var/run/mdsd + type: Directory + {{- end }} + restartPolicy: Always + terminationGracePeriodSeconds: 30 diff --git a/frontend/deploy/templates/frontend.virtualservice.yaml b/frontend/deploy/templates/frontend.virtualservice.yaml index ee5d8fb77a5..649a9f5d586 100644 --- a/frontend/deploy/templates/frontend.virtualservice.yaml +++ b/frontend/deploy/templates/frontend.virtualservice.yaml @@ -9,24 +9,6 @@ spec: gateways: - aks-istio-ingress/aro-hcp-gateway-external http: - - match: - - headers: - x-ms-mise-version: - exact: "v2" - uri: - regex: '.+' - headers: - request: - add: - mise-inbound-policies-to-filter: "{{ .Values.mise.policyLabel }}" - response: - add: - x-ms-served-by: "v2" - route: - - destination: - host: aro-hcp-frontend-v2 - port: - number: 8443 - match: - uri: regex: '.+' 
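Review bot: The inlined `securityContext` in `frontend.deployment.yaml` drops all capabilities, runs non-root and uses the RuntimeDefault seccomp profile, but never sets `readOnlyRootFilesystem: true`; the only writable path visible in the spec is the optional `/var/run/mdsd` hostPath mount, so if the binary writes nowhere else a read-only root should be added next to `allowPrivilegeEscalation: false`. Separately, the removed `include "frontend.deployment"` call referenced a named template whose definition does not appear in the diffstat; if that define still exists in the chart it is now unreferenced and should go with this revert. The `hostPath` mount of `/var/run/mdsd` is carried over unchanged, and now that the deployment is inline it would help to annotate it, e.g. `# hostPath is only for the audit socket; gated by audit.connectSocket`.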
diff --git a/frontend/deploy/templates/peerauthentication.yaml b/frontend/deploy/templates/peerauthentication.yaml index db035b6cadb..9911b719a00 100644 --- a/frontend/deploy/templates/peerauthentication.yaml +++ b/frontend/deploy/templates/peerauthentication.yaml @@ -10,16 +10,3 @@ spec: portLevelMtls: 8081: mode: PERMISSIVE ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: aro-hcp-frontend-v2-metrics - namespace: '{{ .Release.Namespace }}' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - portLevelMtls: - 8081: - mode: PERMISSIVE diff --git a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml index 1356bffac83..fb5de9d5ad7 100644 --- a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml +++ b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_connect_socket.yaml @@ -1,16 +1,4 @@ --- -# Source: frontend/templates/frontend-v2.poddisruptionbudget.yaml -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - minAvailable: 1 - selector: - matchLabels: - app: aro-hcp-frontend-v2 ---- # Source: frontend/templates/frontend.poddisruptionbudget.yaml apiVersion: policy/v1 kind: PodDisruptionBudget @@ -45,23 +33,6 @@ data: FRONTEND_MI_CLIENT_ID: '__frontendMsiClientId__' LOCATION: 'westus3' --- -# Source: frontend/templates/frontend-v2.service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - ports: - - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app: aro-hcp-frontend-v2 - type: ClusterIP ---- # Source: frontend/templates/frontend.service.yaml apiVersion: v1 kind: Service 
@@ -97,125 +68,6 @@ spec: selector: app.kubernetes.io/part-of: aro-hcp-frontend --- -# Source: frontend/templates/frontend-v2.deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - progressDeadlineSeconds: 600 - replicas: 2 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: aro-hcp-frontend-v2 - strategy: - rollingUpdate: - maxSurge: 50% - maxUnavailable: 50% - type: RollingUpdate - template: - metadata: - labels: - app: aro-hcp-frontend-v2 - app.kubernetes.io/part-of: aro-hcp-frontend - azure.workload.identity/use: "true" - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: 'topology.kubernetes.io/zone' - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - serviceAccountName: 'frontend' - containers: - - name: aro-hcp-frontend-v2 - image: 'arohcpsvcdev.azurecr.io/arohcpfrontend@sha256:1234567890' - imagePullPolicy: Always - args: ["--clusters-service-url", "http://clusters-service.clusters-service.svc.cluster.local:8000", "--exit-on-panic=true", "--log-verbosity=0"] - env: - - name: DB_NAME - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_NAME - - name: DB_URL - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_URL - - name: LOCATION - valueFrom: - configMapKeyRef: - name: frontend-config - key: LOCATION - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "" - - name: OTEL_TRACES_EXPORTER - value: "" - - name: AUDIT_CONNECT_SOCKET - value: "true" - - name: AZURE_TOKEN_CREDENTIALS - value: "WorkloadIdentityCredential" - ports: - - containerPort: 8443 - protocol: TCP - - containerPort: 8081 - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - 
capabilities: - drop: - - ALL - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - seccompProfile: - type: RuntimeDefault - volumeMounts: - - name: mdsd-asa-run-vol - mountPath: /var/run/mdsd - startupProbe: - httpGet: - path: /healthz - port: 8443 - periodSeconds: 10 - failureThreshold: 30 - livenessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 15 - periodSeconds: 20 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 5 - periodSeconds: 10 - volumes: - - name: mdsd-asa-run-vol - hostPath: - path: /var/run/mdsd - type: Directory - restartPolicy: Always - terminationGracePeriodSeconds: 30 ---- # Source: frontend/templates/frontend.deployment.yaml apiVersion: apps/v1 kind: Deployment @@ -506,20 +358,6 @@ spec: 8081: mode: PERMISSIVE --- -# Source: frontend/templates/peerauthentication.yaml -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: aro-hcp-frontend-v2-metrics - namespace: 'aro-hcp' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - portLevelMtls: - 8081: - mode: PERMISSIVE ---- # Source: frontend/templates/frontend.secretproviderclass.yaml ################################ # @@ -587,24 +425,6 @@ spec: gateways: - aks-istio-ingress/aro-hcp-gateway-external http: - - match: - - headers: - x-ms-mise-version: - exact: "v2" - uri: - regex: '.+' - headers: - request: - add: - mise-inbound-policies-to-filter: "ARM Policy" - response: - add: - x-ms-served-by: "v2" - route: - - destination: - host: aro-hcp-frontend-v2 - port: - number: 8443 - match: - uri: regex: '.+' diff --git a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml index 9d9408a3091..f79c3532422 100644 --- a/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml +++ b/frontend/testdata/zz_fixture_TestHelmTemplate_frontend_mise_enabled.yaml 
@@ -1,16 +1,4 @@ --- -# Source: frontend/templates/frontend-v2.poddisruptionbudget.yaml -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - minAvailable: 1 - selector: - matchLabels: - app: aro-hcp-frontend-v2 ---- # Source: frontend/templates/frontend.poddisruptionbudget.yaml apiVersion: policy/v1 kind: PodDisruptionBudget @@ -45,23 +33,6 @@ data: FRONTEND_MI_CLIENT_ID: '__frontendMsiClientId__' LOCATION: 'westus3' --- -# Source: frontend/templates/frontend-v2.service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - ports: - - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app: aro-hcp-frontend-v2 - type: ClusterIP ---- # Source: frontend/templates/frontend.service.yaml apiVersion: v1 kind: Service 
@@ -97,117 +68,6 @@ spec: selector: app.kubernetes.io/part-of: aro-hcp-frontend --- -# Source: frontend/templates/frontend-v2.deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - progressDeadlineSeconds: 600 - replicas: 2 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: aro-hcp-frontend-v2 - strategy: - rollingUpdate: - maxSurge: 50% - maxUnavailable: 50% - type: RollingUpdate - template: - metadata: - labels: - app: aro-hcp-frontend-v2 - app.kubernetes.io/part-of: aro-hcp-frontend - azure.workload.identity/use: "true" - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: 'topology.kubernetes.io/zone' - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - serviceAccountName: 'frontend' - containers: - - name: aro-hcp-frontend-v2 - image: 'arohcpsvcdev.azurecr.io/arohcpfrontend@sha256:1234567890' - imagePullPolicy: Always - args: ["--clusters-service-url", "http://clusters-service.clusters-service.svc.cluster.local:8000", "--exit-on-panic=true", "--log-verbosity=0"] - env: - - name: DB_NAME - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_NAME - - name: DB_URL - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_URL - - name: LOCATION - valueFrom: - configMapKeyRef: - name: frontend-config - key: LOCATION - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "" - - name: OTEL_TRACES_EXPORTER - value: "" - - name: AUDIT_CONNECT_SOCKET - value: "false" - - name: AZURE_TOKEN_CREDENTIALS - value: "WorkloadIdentityCredential" - ports: - - containerPort: 8443 - protocol: TCP - - containerPort: 8081 - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - 
capabilities: - drop: - - ALL - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - seccompProfile: - type: RuntimeDefault - startupProbe: - httpGet: - path: /healthz - port: 8443 - periodSeconds: 10 - failureThreshold: 30 - livenessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 15 - periodSeconds: 20 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 5 - periodSeconds: 10 - restartPolicy: Always - terminationGracePeriodSeconds: 30 ---- # Source: frontend/templates/frontend.deployment.yaml apiVersion: apps/v1 kind: Deployment @@ -444,25 +304,6 @@ metadata: namespace: 'aro-hcp' spec: {} --- -# Source: frontend/templates/ext-authz-misev2.authorizationpolicy.yaml -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: ext-authz-misev2 - namespace: 'aro-hcp' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - action: CUSTOM - provider: - name: ext-authz-misev2 - rules: - - to: - - operation: - paths: ["/*"] - notPaths: ["/metrics"] ---- # Source: frontend/templates/ext-authz.authorizationpolicy.yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy @@ -528,20 +369,6 @@ spec: 8081: mode: PERMISSIVE --- -# Source: frontend/templates/peerauthentication.yaml -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: aro-hcp-frontend-v2-metrics - namespace: 'aro-hcp' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - portLevelMtls: - 8081: - mode: PERMISSIVE ---- # Source: frontend/templates/frontend.secretproviderclass.yaml ################################ # 
@@ -609,24 +436,6 @@ spec: gateways: - aks-istio-ingress/aro-hcp-gateway-external http: - - match: - - headers: - x-ms-mise-version: - exact: "v2" - uri: - regex: '.+' - headers: - request: - add: - mise-inbound-policies-to-filter: "ARM Policy" - response: - add: - x-ms-served-by: "v2" - route: - - destination: - host: aro-hcp-frontend-v2 - port: - number: 8443 - match: - uri: regex: '.+' diff --git a/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml b/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml index 8b466d86a8c..3c677dd4063 100644 --- a/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml +++ b/frontend/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_aro_hcp_frontend_dev.yaml @@ -1,16 +1,4 @@ --- -# Source: frontend/templates/frontend-v2.poddisruptionbudget.yaml -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - minAvailable: 1 - selector: - matchLabels: - app: aro-hcp-frontend-v2 ---- # Source: frontend/templates/frontend.poddisruptionbudget.yaml apiVersion: policy/v1 kind: PodDisruptionBudget @@ -45,23 +33,6 @@ data: FRONTEND_MI_CLIENT_ID: '__frontendMsiClientId__' LOCATION: 'westus3' --- -# Source: frontend/templates/frontend-v2.service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - ports: - - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app: aro-hcp-frontend-v2 - type: ClusterIP ---- # Source: frontend/templates/frontend.service.yaml apiVersion: v1 kind: Service 
@@ -97,117 +68,6 @@ spec: selector: app.kubernetes.io/part-of: aro-hcp-frontend --- -# Source: frontend/templates/frontend-v2.deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: aro-hcp-frontend-v2 - name: aro-hcp-frontend-v2 - namespace: 'aro-hcp' -spec: - progressDeadlineSeconds: 600 - replicas: 2 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: aro-hcp-frontend-v2 - strategy: - rollingUpdate: - maxSurge: 50% - maxUnavailable: 50% - type: RollingUpdate - template: - metadata: - labels: - app: aro-hcp-frontend-v2 - app.kubernetes.io/part-of: aro-hcp-frontend - azure.workload.identity/use: "true" - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: 'topology.kubernetes.io/zone' - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: aro-hcp-frontend-v2 - serviceAccountName: 'frontend' - containers: - - name: aro-hcp-frontend-v2 - image: 'arohcpsvcdev.azurecr.io/arohcpfrontend@sha256:1234567890' - imagePullPolicy: Always - args: ["--clusters-service-url", "http://clusters-service.clusters-service.svc.cluster.local:8000", "--exit-on-panic=true", "--log-verbosity=0"] - env: - - name: DB_NAME - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_NAME - - name: DB_URL - valueFrom: - configMapKeyRef: - name: frontend-config - key: DB_URL - - name: LOCATION - valueFrom: - configMapKeyRef: - name: frontend-config - key: LOCATION - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "" - - name: OTEL_TRACES_EXPORTER - value: "" - - name: AUDIT_CONNECT_SOCKET - value: "false" - - name: AZURE_TOKEN_CREDENTIALS - value: "WorkloadIdentityCredential" - ports: - - containerPort: 8443 - protocol: TCP - - containerPort: 8081 - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - 
capabilities: - drop: - - ALL - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - seccompProfile: - type: RuntimeDefault - startupProbe: - httpGet: - path: /healthz - port: 8443 - periodSeconds: 10 - failureThreshold: 30 - livenessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 15 - periodSeconds: 20 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 8443 - initialDelaySeconds: 5 - periodSeconds: 10 - restartPolicy: Always - terminationGracePeriodSeconds: 30 ---- # Source: frontend/templates/frontend.deployment.yaml apiVersion: apps/v1 kind: Deployment @@ -490,20 +350,6 @@ spec: 8081: mode: PERMISSIVE --- -# Source: frontend/templates/peerauthentication.yaml -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: aro-hcp-frontend-v2-metrics - namespace: 'aro-hcp' -spec: - selector: - matchLabels: - app: aro-hcp-frontend-v2 - portLevelMtls: - 8081: - mode: PERMISSIVE ---- # Source: frontend/templates/frontend.secretproviderclass.yaml ################################ # @@ -571,24 +417,6 @@ spec: gateways: - aks-istio-ingress/aro-hcp-gateway-external http: - - match: - - headers: - x-ms-mise-version: - exact: "v2" - uri: - regex: '.+' - headers: - request: - add: - mise-inbound-policies-to-filter: "ARM Policy" - response: - add: - x-ms-served-by: "v2" - route: - - destination: - host: aro-hcp-frontend-v2 - port: - number: 8443 - match: - uri: regex: '.+' diff --git a/istio/deploy/charts/mise/templates/configmap-misev2.yaml b/istio/deploy/charts/mise/templates/configmap.yaml similarity index 99% rename from istio/deploy/charts/mise/templates/configmap-misev2.yaml rename to istio/deploy/charts/mise/templates/configmap.yaml index 0ebc06856a6..fdef3ab98d7 100644 --- a/istio/deploy/charts/mise/templates/configmap-misev2.yaml +++ b/istio/deploy/charts/mise/templates/configmap.yaml 
@@ -1,7 +1,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: misev2-config + name: mise-config namespace: '{{ .Values.namespace }}' data: appsettings.json: |- diff --git a/istio/deploy/charts/mise/templates/deployment-misev2.yaml b/istio/deploy/charts/mise/templates/deployment-misev2.yaml deleted file mode 100644 index 4a162a05750..00000000000 --- a/istio/deploy/charts/mise/templates/deployment-misev2.yaml +++ /dev/null @@ -1,57 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: misev2 - namespace: '{{ .Values.namespace }}' -spec: - replicas: 2 - selector: - matchLabels: - app: misev2 - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap-misev2.yaml") . | sha256sum }} - labels: - app: misev2 - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: '{{ if eq (int .Values.deployment.zoneCount) 0 }}kubernetes.azure.com/agentpool{{ else }}topology.kubernetes.io/zone{{ end }}' - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: misev2 - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: misev2 - containers: - - name: misev2 - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}@{{ .Values.image.digestv2 }}" - ports: - - containerPort: 8080 - livenessProbe: - httpGet: - path: /healthz - port: 8080 - readinessProbe: - httpGet: - path: /readyz - port: 8080 - volumeMounts: - - name: misev2-config - mountPath: /app/appsettings.json - subPath: appsettings.json - readOnly: true - env: - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "{{ .Values.tracing.address }}" - - name: OTEL_TRACES_EXPORTER - value: "{{ .Values.tracing.exporter }}" - volumes: - - name: misev2-config - configMap: - name: misev2-config diff --git a/istio/deploy/charts/mise/templates/deployment.yaml b/istio/deploy/charts/mise/templates/deployment.yaml index 5671740f0f6..5b773f4a167 100644 
--- a/istio/deploy/charts/mise/templates/deployment.yaml
+++ b/istio/deploy/charts/mise/templates/deployment.yaml
@@ -10,6 +10,8 @@ spec:
 app: mise
 template:
 metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
 labels:
 app: mise
 spec:
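Review bot: The new `checksum/config` annotation deserves a why-comment, because the `appsettings.json` mount added to this deployment uses `subPath`, and subPath volume mounts from a ConfigMap are not refreshed in place when the ConfigMap changes; the checksum is what forces a rollout on a config change. Suggest `# subPath mounts do not pick up ConfigMap updates; this checksum rolls the pods when appsettings.json changes` directly above the annotation. The container spec continues outside this hunk.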
@@ -39,58 +41,17 @@ spec: httpGet: path: /readyz port: 8080 + volumeMounts: + - name: mise-config + mountPath: /app/appsettings.json + subPath: appsettings.json + readOnly: true env: - - name: EnableInboundPolicyFilter - value: "true" - - name: AzureAd__Instance - value: '{{ .Values.audit.adInstance }}' - - name: AzureAd__ClientId - value: '{{ .Values.audit.clientId }}' - - name: AzureAd__TenantId - value: '{{ .Values.audit.tenantId }}' - - name: AzureAd__Audience - value: "{{ .Values.audit.audience }}" - - name: AzureAd__InboundPolicies__0__Label - value: "{{ .Values.armPolicy.label }}" - - name: AzureAd__InboundPolicies__0__Authority - value: "{{ .Values.armPolicy.authority }}" - - name: AzureAd__InboundPolicies__0__AuthenticationSchemes__0 - value: "PoP" - - name: AzureAd__InboundPolicies__0__ValidAudiences__0 - value: '{{ .Values.armPolicy.audience }}' - - name: AzureAd__InboundPolicies__0__ValidApplicationIds__0 - value: '{{ .Values.armPolicy.applicationId }}' - - name: AzureAd__InboundPolicies__0__SignedHttpRequestValidationPolicy - value: '{"ValidateTs" : true, "ValidateM" : true, "ValidateU" : true, "ValidateP" : true }' - - name: AzureAd__InboundPolicies__1__Label - value: "{{ .Values.genevaActionsPolicy.label }}" - - name: AzureAd__InboundPolicies__1__Authority - value: "{{ .Values.genevaActionsPolicy.authority }}" - - name: AzureAd__InboundPolicies__1__AuthenticationSchemes__0 - value: "Bearer" - - name: AzureAd__InboundPolicies__1__ValidAudiences__0 - value: '{{ .Values.genevaActionsPolicy.audience }}' - - name: AzureAd__InboundPolicies__1__ValidApplicationIds__0 - value: "{{ .Values.genevaActionsPolicy.applicationId }}" - - name: AzureAd__InboundPolicies__2__Label - value: "{{ .Values.sessiongatePolicy.label }}" - - name: AzureAd__InboundPolicies__2__Authority - value: "{{ .Values.sessiongatePolicy.authority }}" - - name: AzureAd__InboundPolicies__2__AuthenticationSchemes__0 - value: "Bearer" - - name: AzureAd__InboundPolicies__2__ValidAudiences__0 - 
value: '{{ .Values.sessiongatePolicy.audience }}' - - name: AllowedHosts - value: "*" - - name: Kestrel__Endpoints__Http__Url - value: "http://0.0.0.0:8080" - - name: Logging__LogLevel__Default - value: "Information" - - name: Logging__LogLevel__Microsoft - value: "Information" - - name: AzureAd__Logging__LogLevel - value: "Information" - name: OTEL_EXPORTER_OTLP_ENDPOINT value: "{{ .Values.tracing.address }}" - name: OTEL_TRACES_EXPORTER value: "{{ .Values.tracing.exporter }}" + volumes: + - name: mise-config + configMap: + name: mise-config diff --git a/istio/deploy/charts/mise/templates/service.yaml b/istio/deploy/charts/mise/templates/service.yaml index ca233cdee57..5fcc2d7b022 100644 --- a/istio/deploy/charts/mise/templates/service.yaml +++ b/istio/deploy/charts/mise/templates/service.yaml @@ -10,16 +10,3 @@ spec: - protocol: TCP port: 8080 targetPort: 8080 ---- -apiVersion: v1 -kind: Service -metadata: - name: misev2 - namespace: '{{ .Values.namespace }}' -spec: - selector: - app: misev2 - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 diff --git a/istio/deploy/charts/mise/values.yaml b/istio/deploy/charts/mise/values.yaml index 0c66bfd3240..474c7d7949f 100644 --- a/istio/deploy/charts/mise/values.yaml +++ b/istio/deploy/charts/mise/values.yaml @@ -2,7 +2,6 @@ image: registry: "" repository: "" digest: "" - digestv2: "" tracing: address: "" exporter: "" @@ -24,3 +23,7 @@ genevaActionsPolicy: authority: "" audience: "" applicationId: "" +sessiongatePolicy: + label: "" + authority: "" + audience: "" diff --git a/istio/deploy/templates/istio-shared-configmap.yml b/istio/deploy/templates/istio-shared-configmap.yml index b629519b27d..fe2d755811e 100644 --- a/istio/deploy/templates/istio-shared-configmap.yml +++ b/istio/deploy/templates/istio-shared-configmap.yml 
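Review bot: The PoP validation settings that lived in the env block — `AzureAd__InboundPolicies__0__SignedHttpRequestValidationPolicy` with ValidateTs/ValidateM/ValidateU/ValidateP all true, together with `EnableInboundPolicyFilter`, `AllowedHosts` and the Kestrel listen URL — are removed in this hunk, and the only replacement is the `mise-config` mount of appsettings.json, whose rendered contents are not part of this diff. Please confirm that configmap.yaml carries equivalent entries for all three inbound policies, in particular the signed-http-request flags, since a key missing there would presumably fall back to the library default rather than fail the rollout. A short comment on the mount, `# all AzureAd/Kestrel settings now come from configmap.yaml (appsettings.json)`, would help the next reader find where the policy configuration moved. The Deployment's spec begins before this hunk.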
@@ -15,13 +15,7 @@ data: envoyExtAuthzHttp: service: "mise/mise.mise.svc.cluster.local" port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] - pathPrefix: "/v1/EnvoyValidateRequest" - - name: "ext-authz-misev2" - envoyExtAuthzHttp: - service: "mise/misev2.mise.svc.cluster.local" - port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] + includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"] pathPrefix: "/v1/EnvoyValidateRequest" {{ end }} {{ end }} diff --git a/istio/deploy/templates/mise.serviceentry.yml b/istio/deploy/templates/mise.serviceentry.yml index 722d7044e06..dc33ccebb03 100644 --- a/istio/deploy/templates/mise.serviceentry.yml +++ b/istio/deploy/templates/mise.serviceentry.yml @@ -6,7 +6,6 @@ metadata: spec: hosts: - "mise.mise.svc.cluster.local" - - "misev2.mise.svc.cluster.local" endpoints: - address: "127.0.0.1" ports: diff --git a/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml b/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml index b718967f30e..8e3a752d932 100644 --- a/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml +++ b/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml @@ -1,9 +1,9 @@ --- -# Source: istio/charts/mise/templates/configmap-misev2.yaml +# Source: istio/charts/mise/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: misev2-config + name: mise-config namespace: 'mise' data: appsettings.json: |- 
@@ -107,13 +107,7 @@ data: envoyExtAuthzHttp: service: "mise/mise.mise.svc.cluster.local" port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] - pathPrefix: "/v1/EnvoyValidateRequest" - - name: "ext-authz-misev2" - envoyExtAuthzHttp: - service: "mise/misev2.mise.svc.cluster.local" - port: "8080" - includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"] + includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"] pathPrefix: "/v1/EnvoyValidateRequest" --- # Source: istio/charts/mise/templates/service.yaml 
@@ -130,79 +124,6 @@ spec: port: 8080 targetPort: 8080 --- -# Source: istio/charts/mise/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: misev2 - namespace: 'mise' -spec: - selector: - app: misev2 - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 ---- -# Source: istio/charts/mise/templates/deployment-misev2.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: misev2 - namespace: 'mise' -spec: - replicas: 2 - selector: - matchLabels: - app: misev2 - template: - metadata: - annotations: - checksum/config: 6ca24e11919f439f8a291fb3f3134d1383ab16a6987b7c8b6aa3c20ec2a6e8ea - labels: - app: misev2 - spec: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: 'topology.kubernetes.io/zone' - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: misev2 - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: misev2 - containers: - - name: misev2 - image: "arohcpsvcdev.azurecr.io/mise-1p-container-image@sha256:1234567890" - ports: - - containerPort: 8080 - livenessProbe: - httpGet: - path: /healthz - port: 8080 - readinessProbe: - httpGet: - path: /readyz - port: 8080 - volumeMounts: - - name: misev2-config - mountPath: /app/appsettings.json - subPath: appsettings.json - readOnly: true - env: - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "" - - name: OTEL_TRACES_EXPORTER - value: "" - volumes: - - name: misev2-config - configMap: - name: misev2-config ---- # Source: istio/charts/mise/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment @@ -216,6 +137,8 @@ spec: app: mise template: metadata: + annotations: + checksum/config: 878706b0364a1ad5f4baea54aaf81e19e2222e4c44c97f853f1cac09fad6ac70 labels: app: mise spec: 
@@ -245,61 +168,20 @@ spec: httpGet: path: /readyz port: 8080 + volumeMounts: + - name: mise-config + mountPath: /app/appsettings.json + subPath: appsettings.json + readOnly: true env: - - name: EnableInboundPolicyFilter - value: "true" - - name: AzureAd__Instance - value: 'https://login.microsoftonline.com/' - - name: AzureAd__ClientId - value: 'b3cb2fab-15cb-4583-ad06-f91da9bfe2d1' - - name: AzureAd__TenantId - value: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' - - name: AzureAd__Audience - value: "api://b3cb2fab-15cb-4583-ad06-f91da9bfe2d1" - - name: AzureAd__InboundPolicies__0__Label - value: "ARM Policy" - - name: AzureAd__InboundPolicies__0__Authority - value: "https://login.microsoftonline.com/33e01921-4d64-4f8c-a055-5bdaffd5e33d" - - name: AzureAd__InboundPolicies__0__AuthenticationSchemes__0 - value: "PoP" - - name: AzureAd__InboundPolicies__0__ValidAudiences__0 - value: 'https://management.azure.com' - - name: AzureAd__InboundPolicies__0__ValidApplicationIds__0 - value: 'e2c2ff5c-e5b4-4e79-8c3e-1da8c48461e7' - - name: AzureAd__InboundPolicies__0__SignedHttpRequestValidationPolicy - value: '{"ValidateTs" : true, "ValidateM" : true, "ValidateU" : true, "ValidateP" : true }' - - name: AzureAd__InboundPolicies__1__Label - value: "Geneva Actions" - - name: AzureAd__InboundPolicies__1__Authority - value: "https://sts.windows.net/__tenantId__/" - - name: AzureAd__InboundPolicies__1__AuthenticationSchemes__0 - value: "Bearer" - - name: AzureAd__InboundPolicies__1__ValidAudiences__0 - value: 'https://management.azure.com' - - name: AzureAd__InboundPolicies__1__ValidApplicationIds__0 - value: "__genevaActionsAppId__" - - name: AzureAd__InboundPolicies__2__Label - value: "Session Gate" - - name: AzureAd__InboundPolicies__2__Authority - value: "https://sts.windows.net/__tenantId__" - - name: AzureAd__InboundPolicies__2__AuthenticationSchemes__0 - value: "Bearer" - - name: AzureAd__InboundPolicies__2__ValidAudiences__0 - value: '6dae42f8-4368-4678-94ff-3960e28e3630' - - 
name: AllowedHosts - value: "*" - - name: Kestrel__Endpoints__Http__Url - value: "http://0.0.0.0:8080" - - name: Logging__LogLevel__Default - value: "Information" - - name: Logging__LogLevel__Microsoft - value: "Information" - - name: AzureAd__Logging__LogLevel - value: "Information" - name: OTEL_EXPORTER_OTLP_ENDPOINT value: "" - name: OTEL_TRACES_EXPORTER value: "" + volumes: + - name: mise-config + configMap: + name: mise-config --- # Source: istio/templates/ops-ingress.gateway.yaml apiVersion: gateway.networking.k8s.io/v1 @@ -381,7 +263,6 @@ metadata: spec: hosts: - "mise.mise.svc.cluster.local" - - "misev2.mise.svc.cluster.local" endpoints: - address: "127.0.0.1" ports: diff --git a/istio/values.yaml b/istio/values.yaml index f28d95e485a..324420d752d 100644 --- a/istio/values.yaml +++ b/istio/values.yaml @@ -14,9 +14,8 @@ mise: namespace: "mise" image: registry: "{{ .acr.svc.name }}.azurecr.io" - repository: "{{ .mise.image.repository }}" - digest: "{{ .mise.image.digest }}" - digestv2: "{{ .mise.imageV2.digest }}" + repository: "{{ .mise.imageV2.repository }}" + digest: "{{ .mise.imageV2.digest }}" audit: adInstance: "https://{{ .mise.arm.authorityFQDN }}/" clientId: "{{ .firstPartyAppClientId }}" diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt index 0a50b13a1e2..209c001d33b 100644 --- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt +++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_dev_cd_check_paralleldev_cd_check_parallel.txt 
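Review bot: In the `istio/values.yaml` hunk the single remaining mise image is still sourced from `.mise.imageV2.repository` and `.mise.imageV2.digest`, while the chart-side key was flattened to plain `image.digest` (the `digestv2` value is removed earlier in this diff); the V2 suffix now describes a version with no counterpart, and the old `.mise.image.*` config keys appear to be dead. Either rename the config keys in a follow-up or add a comment such as `# imageV2 = the MISE v2 image; the v1 image keys are unused since the cutover` so the asymmetry reads as intentional rather than leftover. Keeping the image pinned by digest rather than tag is the right choice for an ext_authz component.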
@@ -58,8 +58,6 @@ Customer should be able to lifecycle and confirm external auth on a cluster
 Customer should be able to create an HCP cluster and manage ImageDigestMirrors
 Customer should be able to create an HCP cluster with Image Registry not present
 Engineering should be able to retrieve kusto logs for a cluster and services
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
 Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
 Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
 Nodepool Ephemeral OS Disk should create a nodepool with ephemeral OS disk when autoRepair is enabled
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt
index 8ded77656ee..210ae769cef 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_integration_parallelintegration_parallel.txt
@@ -59,8 +59,6 @@ Customer should be able to lifecycle and confirm external auth on a cluster
 HCP Nodepools GPU instances creates and deletes vm type NC4asT4v3 in a single cluster
 Customer should be able to create an HCP cluster and manage ImageDigestMirrors
 Customer should be able to create an HCP cluster with Image Registry not present
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
 Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
 Customer should respect cluster-wide node limits with nodepool autoscaling
 Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt
index 35975e7838d..edf431786b0 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_prod_parallelprod_parallel.txt
@@ -58,8 +58,6 @@ Customer should be able to create a cluster with an external auth config and get
 Customer should be able to lifecycle and confirm external auth on a cluster
 Customer should be able to create an HCP cluster and manage ImageDigestMirrors
 Customer should be able to create an HCP cluster with Image Registry not present
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
 Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
 Customer should respect cluster-wide node limits with nodepool autoscaling
 Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt
index d209230d5ed..4e9180e246c 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallel_01rp_api_compat_all_parallel_development.txt
@@ -62,8 +62,6 @@ Customer should be able to create an HCP cluster with Image Registry not present
 Image Registry Policy should deny pods with images from disallowed registries
 Image Registry Policy should allow pods with images from allowed registries and have a valid allowlist
 Engineering should be able to retrieve kusto logs for a cluster and services
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
 Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
 Customer should respect cluster-wide node limits with nodepool autoscaling
 Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt
index 3e05dc4d26b..1ad2605dacf 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_rp_api_compat_all_parallelrp_api_compat_all_parallel.txt
@@ -55,8 +55,6 @@ Customer should be able to create a cluster with an external auth config and get
 Customer should be able to lifecycle and confirm external auth on a cluster
 Customer should be able to create an HCP cluster and manage ImageDigestMirrors
 Customer should be able to create an HCP cluster with Image Registry not present
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
 Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
 Customer should respect cluster-wide node limits with nodepool autoscaling
 Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
diff --git a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt
index 35975e7838d..edf431786b0 100644
--- a/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt
+++ b/test/testdata/zz_fixture_TestMainListSuitesForEachSuite_stage_parallelstage_parallel.txt
@@ -58,8 +58,6 @@ Customer should be able to create a cluster with an external auth config and get
 Customer should be able to lifecycle and confirm external auth on a cluster
 Customer should be able to create an HCP cluster and manage ImageDigestMirrors
 Customer should be able to create an HCP cluster with Image Registry not present
-MISE Routing routes to the correct frontend based on version header MISE v2 when x-ms-mise-version header is set
-MISE Routing routes to the correct frontend based on version header default route returns no version header
 Customer should be able to create a cluster with default autoscaling and a nodepool with autoscaling enabled up to replica limits
 Customer should respect cluster-wide node limits with nodepool autoscaling
 Customer should update NodeDrainTimeoutMinutes and upgrade a nodepool
diff --git a/test/util/framework/per_test_framework.go b/test/util/framework/per_test_framework.go
index a6d7d9a24a8..3b5b7f44288 100644
--- a/test/util/framework/per_test_framework.go
+++ b/test/util/framework/per_test_framework.go
@@ -43,7 +43,6 @@ import (
 
 "github.com/Azure/azure-sdk-for-go/sdk/azcore"
 "github.com/Azure/azure-sdk-for-go/sdk/azcore/log"
- "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5"
 "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6"
 "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
@@ -970,28 +969,6 @@ func (tc *perItOrDescribeTestContext) getGraphClientUnlocked(ctx context.Context
 return graphutil.NewClient(ctx, creds)
 }
 
-// Get20251223ClientFactoryWithPolicies creates a v20251223preview client factory
-// with the given additional per-call policies appended to the base options.
-// Unlike Get20251223ClientFactory, the result is not cached since policies vary per call.
-func (tc *perItOrDescribeTestContext) Get20251223ClientFactoryWithPolicies(ctx context.Context, policies ...policy.Policy) (*hcpsdk20251223preview.ClientFactory, error) {
- creds, err := tc.perBinaryInvocationTestContext.getAzureCredentials()
- if err != nil {
- return nil, err
- }
-
- tc.contextLock.Lock()
- subscriptionID, err := tc.getSubscriptionIDUnlocked(ctx)
- tc.contextLock.Unlock()
- if err != nil {
- return nil, err
- }
-
- opts := tc.perBinaryInvocationTestContext.getHCPClientFactoryOptions()
- opts.PerCallPolicies = append(opts.PerCallPolicies, policies...)
-
- return hcpsdk20251223preview.NewClientFactory(subscriptionID, creds, opts)
-}
-
 func (tc *perItOrDescribeTestContext) Location() string {
 return tc.perBinaryInvocationTestContext.Location()
 }