diff --git a/config/config.msft.yaml b/config/config.msft.yaml index 82026e0c1..f639b5776 100644 --- a/config/config.msft.yaml +++ b/config/config.msft.yaml @@ -74,6 +74,18 @@ defaults: private: true zoneRedundantMode: 'Auto' + # Mise + mise: + deploy: true + azureAdInstance: https://login.microsoftonline.com/ + armInstance: https://management.core.windows.net/ + validAppId0: "" + validAppId1: "" + image: + registry: arohcpsvcint.azurecr.io + repository: mise + digest: sha256:ad3f7efeeb6691c25bf31d46d7b879e06093ec2ff43c05ad32b5bc5315ab96a7 + # Maestro maestro: server: diff --git a/config/config.schema.json b/config/config.schema.json index dae83da8c..67317da84 100644 --- a/config/config.schema.json +++ b/config/config.schema.json @@ -426,6 +426,34 @@ "cert" ] }, + "mise":{ + "properties": { + "deploy" :{ + "type": "boolean" + }, + "azureAdInstance":{ + "type":"string" + }, + "validAppId0":{ + "type":"string", + "description": "" + }, + "validAppId1":{ + "type":"string", + "description": "" + }, + "image":{ + "$ref": "#/definitions/containerImage" + } + }, + "required" : [ + "deploy", + "image", + "azureAdInstance", + "validAppId0", + "validAppId1" + ] + }, "global": { "type": "object", "properties": { diff --git a/config/config.yaml b/config/config.yaml index 3bd5c6fc7..473b783a8 100644 --- a/config/config.yaml +++ b/config/config.yaml @@ -70,6 +70,18 @@ defaults: cert: name: frontend-cert-{{ .ctx.regionShort }} issuer: Self + + # Mise + mise: + deploy: false + azureAdInstance: "" + armInstance: "" + validAppId0: "" + validAppId1: "" + image: + registry: "" + repository: "" + digest: "" # Maestro maestro: diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json index d3e9dc20d..570ca5b8b 100644 --- a/config/public-cloud-cs-pr.json +++ b/config/public-cloud-cs-pr.json 
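Review bot: `deploy: true` is switched on for the MSFT int environment while `validAppId0: ""` and `validAppId1: ""` stay empty; these values feed `AzureAd__InboundPolicies__0__ValidApplicationIds__0/1` in the mise deployment template, so the inbound policy is rendered with no application-id entries. Whether mise then rejects every caller or accepts any application in the tenant depends on how it treats empty entries, and the change does not say; either set the real IDs here or keep `deploy: false` until they are known, and add a comment above the two keys naming which application each slot is meant to hold. The same empty values ship in the rendered public-cloud-msft-int.json.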
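Review bot: `armInstance` is written by config.yaml and config.msft.yaml (and the rendered public-cloud-*.json files) but is missing from the schema's `properties` and `required`, so a typo or an absent value passes validation while `AzureAd__InboundPolicies__0__ValidAudiences__0` renders empty. Add `"armInstance": { "type": "string" }` and list it under `required`; the sibling `"global"` entry declares `"type": "object"`, which `"mise"` should too, and the two `"description": ""` placeholders should state what the application ids identify. The spacing in `"deploy" :{`, `"type":"string"` and `"required" :` is also inconsistent with the surrounding entries.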
@@ -231,6 +231,18 @@
 "miMockCertName": "msiMockCert2",
 "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
 "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+ "mise": {
+ "armInstance": "",
+ "azureAdInstance": "",
+ "deploy": false,
+ "image": {
+ "digest": "",
+ "registry": "",
+ "repository": ""
+ },
+ "validAppId0": "",
+ "validAppId1": ""
+ },
 "monitoring": {
 "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
 "grafanaName": "arohcp-dev",
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
index d13cd8af3..58c2decec 100644
--- a/config/public-cloud-dev.json
+++ b/config/public-cloud-dev.json
@@ -231,6 +231,18 @@
 "miMockCertName": "msiMockCert2",
 "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
 "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+ "mise": {
+ "armInstance": "",
+ "azureAdInstance": "",
+ "deploy": false,
+ "image": {
+ "digest": "",
+ "registry": "",
+ "repository": ""
+ },
+ "validAppId0": "",
+ "validAppId1": ""
+ },
 "monitoring": {
 "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
 "grafanaName": "arohcp-dev",
diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
index 0ebda6478..133c2efc8 100644
--- a/config/public-cloud-msft-int.json
+++ b/config/public-cloud-msft-int.json
@@ -231,6 +231,18 @@
 "miMockCertName": "msiMockCert2",
 "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
 "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+ "mise": {
+ "armInstance": "https://management.core.windows.net/",
+ "azureAdInstance": "https://login.microsoftonline.com/",
+ "deploy": true,
+ "image": {
+ "digest": "sha256:ad3f7efeeb6691c25bf31d46d7b879e06093ec2ff43c05ad32b5bc5315ab96a7",
+ "registry": "arohcpsvcint.azurecr.io",
+ "repository": "mise"
+ },
+ "validAppId0": "",
+ "validAppId1": ""
+ },
 "monitoring": {
 "grafanaAdminGroupPrincipalId": "2fdb57d4-3fd3-415d-b604-1d0e37a188fe",
 "grafanaName": "arohcp-int",
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
index f92af523b..f2fa6bbce 100644
--- a/config/public-cloud-personal-dev.json
+++ b/config/public-cloud-personal-dev.json
@@ -231,6 +231,18 @@
 "miMockCertName": "msiMockCert2",
 "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
 "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+ "mise": {
+ "armInstance": "",
+ "azureAdInstance": "",
+ "deploy": false,
+ "image": {
+ "digest": "",
+ "registry": "",
+ "repository": ""
+ },
+ "validAppId0": "",
+ "validAppId1": ""
+ },
 "monitoring": {
 "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
 "grafanaName": "arohcp-dev",
diff --git a/frontend/Makefile b/frontend/Makefile
index 915cd6a0d..2a70b3909 100644
--- a/frontend/Makefile
+++ b/frontend/Makefile
@@ -65,6 +65,8 @@ deploy:
 DB_URL=$$(az cosmosdb show -n ${DB_NAME} -g ${RESOURCEGROUP} --query documentEndpoint -o tsv) && \
 kubectl create namespace aro-hcp --dry-run=client -o json | kubectl apply -f - && \
 kubectl label namespace aro-hcp "istio.io/rev=${ISTO_TAG}" --overwrite=true && \
+ kubectl create namespace mise --dry-run=client -o json | kubectl apply -f - && \
+ kubectl label namespace mise "istio.io/rev=${ISTO_TAG}" --overwrite=true && \
 ${HELM_CMD} aro-hcp-frontend-dev \
 deploy/helm/frontend/ \
 --set azure.clientId=$${SECRET_STORE_MI_CLIENT_ID} \
@@ -85,6 +87,16 @@ deploy: --set pullBinding.scope=repository:${ARO_HCP_IMAGE_REPOSITORY}:pull \ --set clusterService.namespace=${CS_NAMESPACE} \ --set clusterService.serviceAccount=${CS_SERVICE_ACCOUNT_NAME} \ + --set deployMise=${DEPLOY_MISE} \ + --set mise.namespace=mise \ + --set mise.imageRegistry=${MISE_IMAGE_REGISTRY} \ + --set mise.imageRepository=${MISE_IMAGE_REPOSITORY} \ + --set mise.imageDigest=${MISE_IMAGE_DIGEST} \ + --set mise.tenantId=${MISE_TENANT_ID} \ + --set mise.adInstance=${MISE_AD_INSTANCE} \ + --set mise.armInstance=${MISE_ARM_INSTANCE} \ + --set mise.validAppId0=${MISE_VALID_APP_ID_0} \ + --set mise.validAppId1=${MISE_VALID_APP_ID_1} \ --namespace aro-hcp .PHONY: deploy diff --git a/frontend/deploy/helm/frontend/Chart.yaml b/frontend/deploy/helm/frontend/Chart.yaml index 68e575182..2d341dd54 100644 --- a/frontend/deploy/helm/frontend/Chart.yaml +++ b/frontend/deploy/helm/frontend/Chart.yaml @@ -5,3 +5,9 @@ type: application version: 0.1.0 appVersion: "1.0.0" + +dependencies: + - name: mise + version: 0.1.0 + repository: "file://charts/mise" + condition: deployMise diff --git a/frontend/deploy/helm/frontend/charts/mise/Chart.yaml b/frontend/deploy/helm/frontend/charts/mise/Chart.yaml new file mode 100644 index 000000000..c7ec7698a --- /dev/null +++ b/frontend/deploy/helm/frontend/charts/mise/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: mise +description: A Helm chart for mise +type: application + +version: 0.1.0 +appVersion: "1.0.0" diff --git a/frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml b/frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml new file mode 100644 index 000000000..ad6b386a4 --- /dev/null +++ b/frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml 
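Review bot: The new `--set mise.*` lines read `${MISE_TENANT_ID}`, `${MISE_AD_INSTANCE}`, `${MISE_VALID_APP_ID_0}` and `${MISE_VALID_APP_ID_1}`, but the pipeline.yaml hunk in this change exports `MISE_AZURE_AD_INSTANCE`, `VALID_APP_ID_0`, `VALID_APP_ID_1` and no tenant id at all, so in a pipeline run those four values expand to empty strings and mise's tenant, authority and allowed-application settings are rendered blank. Align the names on one side, e.g. `--set mise.adInstance=${MISE_AZURE_AD_INSTANCE}`, `--set mise.validAppId0=${VALID_APP_ID_0}`, `--set mise.validAppId1=${VALID_APP_ID_1}`, and add a `MISE_TENANT_ID` entry with a matching `configRef` to pipeline.yaml. The `deploy` target starts and continues outside the hunk.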
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mise
+ namespace: {{ .Values.mise.namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mise
+ template:
+ metadata:
+ labels:
+ app: mise
+ spec:
+ containers:
+ - name: mise
+ image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageDigest }}"
+ ports:
+ - containerPort: 8080
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8080
+ env:
+ - name: AzureAd__Instance
+ value: {{ .Values.azureAdInstance }}
+ - name: AzureAd__ClientId
+ value: {{ .Values.frontendClientId }}
+ - name: AzureAd__TenantId
+ value: {{ .Values.tenantId }}
+ - name: AzureAd__InboundPolicies__0__Label
+ value: "ARM Policy"
+ - name: AzureAd__InboundPolicies__0__Authority
+ value: "{{ .Values.azureAdInstance }}{{ .Values.tenantId }}"
+ - name: AzureAd__InboundPolicies__0__AuthenticationSchemes__0
+ value: "Bearer"
+ - name: AzureAd__InboundPolicies__0__ValidAudiences__0
+ value: {{ .Values.armInstance }}
+ - name: AzureAd__InboundPolicies__0__ValidApplicationIds__0
+ value: {{ .Values.validAppId0 }}
+ - name: AzureAd__InboundPolicies__0__ValidApplicationIds__1
+ value: {{ .Values.validAppId1 }}
+ - name: AllowedHosts
+ value: "*"
+ - name: Kestrel__Endpoints__Http__Url
+ value: "http://0.0.0.0:8080"
diff --git a/frontend/deploy/helm/frontend/charts/mise/templates/service.yaml b/frontend/deploy/helm/frontend/charts/mise/templates/service.yaml
new file mode 100644
index 000000000..29589282f
--- /dev/null
+++ b/frontend/deploy/helm/frontend/charts/mise/templates/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: mise
+ namespace: {{ .Values.mise.namespace }}
+spec:
+ selector:
+ app: mise
+ ports:
+ - protocol: TCP
+ port: 8080
+ targetPort: 8080
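Review bot: The `image:` line joins the digest with `:`; with the digest values this change ships (`sha256:ad3f…` in config.msft.yaml) that renders `registry/mise:sha256:<hex>`, which is not a valid image reference because a tag cannot contain `:`, so the pod never pulls. A digest reference uses `@`: `image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}@{{ .Values.imageDigest }}"`. The template also reads `.Values.azureAdInstance` and `.Values.frontendClientId`, while the Makefile passes `mise.adInstance` and nothing for a client id, so `AzureAd__Instance`, `AzureAd__ClientId` and the authority prefix render empty unless another values source I cannot see fills them. The unquoted templated env values (`value: {{ .Values.azureAdInstance }}` and siblings) should be `value: {{ .Values.azureAdInstance | quote }}` so an empty or id-like value is emitted as a string rather than a null or a number.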
diff --git a/frontend/deploy/helm/frontend/charts/mise/values.yaml b/frontend/deploy/helm/frontend/charts/mise/values.yaml
new file mode 100644
index 000000000..fb07d5c55
--- /dev/null
+++ b/frontend/deploy/helm/frontend/charts/mise/values.yaml
@@ -0,0 +1,10 @@
+mise:
+ imageRegistry: ""
+ imageRepository: ""
+ imageDigest: ""
+ tenantId: ""
+ adInstance: ""
+ armInstance: ""
+ validAppId0: ""
+ validAppId1: ""
+ namespace: ""
diff --git a/frontend/deploy/helm/frontend/templates/acrpullbinding.yaml b/frontend/deploy/helm/frontend/templates/acrpullbinding.yaml
index 6c509b939..32e1b6996 100644
--- a/frontend/deploy/helm/frontend/templates/acrpullbinding.yaml
+++ b/frontend/deploy/helm/frontend/templates/acrpullbinding.yaml
@@ -2,6 +2,7 @@ apiVersion: acrpull.microsoft.com/v1beta2
 kind: AcrPullBinding
 metadata:
 name: pull-binding
+ namespace: {{ .Release.namespace }}
 spec:
 acr:
 environment: PublicCloud
diff --git a/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml b/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml
index d3cf0c7ee..822c6d2f3 100644
--- a/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml
+++ b/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml
@@ -2,7 +2,7 @@ apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
 name: allow-istio-ingress
- namespace: aro-hcp
+ namespace: {{ .Release.namespace }}
 spec:
 action: ALLOW
 rules:
@@ -11,6 +11,10 @@ spec:
 namespaces: ["aks-istio-ingress"]
 to:
 - operation:
+ {{- if eq .Values.deployMise true }}
+ methods: ["GET", "PUT", "POST","PATCH", "DELETE"]
+ {{- else }}
 methods: ["GET"]
+ {{- end }}
 ports:
 - "8443"
diff --git a/frontend/deploy/helm/frontend/templates/allow-metrics.authorizationpolicy.yaml b/frontend/deploy/helm/frontend/templates/allow-metrics.authorizationpolicy.yaml
index 81631dc83..7ab83e113 100644
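Review bot: This values file nests every key under `mise:`, but the subchart templates read `.Values.imageRegistry`, `.Values.tenantId`, `.Values.armInstance` and the app ids at the top level and only `.Values.mise.namespace` nested. Inside a subchart the parent's `--set mise.namespace=mise` (and the other `--set mise.*` values from the Makefile) arrive as the subchart's top-level `.Values.namespace` etc., so as far as I can tell `.Values.mise.namespace` resolves to this file's `""` and both the Deployment and the Service render `namespace:` null, landing in the release namespace rather than the `mise` namespace the Makefile creates and the Istio provider address `mise/mise.mise.svc.cluster.local` expects. Flatten this file (drop the `mise:` wrapper, keep the same keys) and change the two templates to `namespace: {{ .Values.namespace }}`, or nest every value consistently.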
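Review bot: `namespace: {{ .Release.namespace }}` uses a lowercase field that the Helm release object does not define; the built-in is `.Release.Namespace`, so in my reading the expression renders empty, every resource silently falls back to the namespace given on the helm command line, and a `helm template` without `--namespace` emits `namespace:` null. Change it to `namespace: {{ .Release.Namespace }}`. The same line is added in the allow-ingress, allow-metrics, authorizationpolicy, ext-authz, frontend.configmap, frontend.deployment, frontend.poddisruptionbudget, frontend.service, metrics.service, serviceaccount and servicemonitor hunks of this change.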
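Review bot: The widened method list on the `deployMise` branch is only safe because the CUSTOM `ext-authz` policy added in ext-authz.authorizationpolicy.yaml is expected to gate every path, yet nothing in this template records that dependency, and on its own this ALLOW rule now admits PUT, POST, PATCH and DELETE from the ingress gateway. A comment above the `if`, such as `# write methods are admitted only because ext-authz (mise) checks every request when deployMise is true`, makes the coupling visible to whoever edits either file next. The spacing in `"POST","PATCH"` is also inconsistent with the rest of the list.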
--- a/frontend/deploy/helm/frontend/templates/allow-metrics.authorizationpolicy.yaml
+++ b/frontend/deploy/helm/frontend/templates/allow-metrics.authorizationpolicy.yaml
@@ -2,6 +2,7 @@ apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
 name: allow-metrics-frontend
+ namespace: {{ .Release.namespace }}
 spec:
 action: "ALLOW"
 rules:
diff --git a/frontend/deploy/helm/frontend/templates/authorizationpolicy.yaml b/frontend/deploy/helm/frontend/templates/authorizationpolicy.yaml
index c510bcee8..1656efadf 100644
--- a/frontend/deploy/helm/frontend/templates/authorizationpolicy.yaml
+++ b/frontend/deploy/helm/frontend/templates/authorizationpolicy.yaml
@@ -2,4 +2,5 @@ apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
 name: allow-nothing
+ namespace: {{ .Release.namespace }}
 spec: {}
diff --git a/frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml b/frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml
new file mode 100644
index 000000000..05a179ec4
--- /dev/null
+++ b/frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml
@@ -0,0 +1,15 @@
+{{- if eq .Values.deployMise true }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: ext-authz
+ namespace: {{ .Release.namespace }}
+spec:
+ action: CUSTOM
+ provider:
+ name: ext-authz
+ rules:
+ - to:
+ - operation:
+ paths: ["/*"]
+{{- end }}
\ No newline at end of file
diff --git a/frontend/deploy/helm/frontend/templates/frontend.configmap.yaml b/frontend/deploy/helm/frontend/templates/frontend.configmap.yaml
index 00cebba1a..16515c8e1 100644
--- a/frontend/deploy/helm/frontend/templates/frontend.configmap.yaml
+++ b/frontend/deploy/helm/frontend/templates/frontend.configmap.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: frontend-config
+ namespace: {{ .Release.namespace }}
 data:
 DB_NAME: '{{ .Values.configMap.databaseName }}'
 DB_URL: '{{ .Values.configMap.databaseUrl }}'
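Review bot: The CUSTOM policy has no `selector`, so it attaches to every workload in the release namespace, and `paths: ["/*"]` with no port restriction routes all inbound traffic through mise, including, as far as I can tell, the metrics traffic on 8081 that metrics.service.yaml exposes and allow-metrics admits. Scope it to the frontend with `selector:` / `matchLabels:` / `app: aro-hcp-frontend` (the label frontend.deployment.yaml uses) and add `ports: ["8443"]` under the operation to mirror allow-ingress, so a scrape or an unrelated pod is not silently broken by an authz round-trip. The file also ends without a trailing newline, and it uses `security.istio.io/v1beta1` where the other new policies in this change use `v1`.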
diff --git a/frontend/deploy/helm/frontend/templates/frontend.deployment.yaml b/frontend/deploy/helm/frontend/templates/frontend.deployment.yaml
index 3eba3803c..6ca8ad3be 100644
--- a/frontend/deploy/helm/frontend/templates/frontend.deployment.yaml
+++ b/frontend/deploy/helm/frontend/templates/frontend.deployment.yaml
@@ -4,6 +4,7 @@ metadata:
 labels:
 app: aro-hcp-frontend
 name: aro-hcp-frontend
+ namespace: {{ .Release.namespace }}
 spec:
 progressDeadlineSeconds: 600
 replicas: 2
diff --git a/frontend/deploy/helm/frontend/templates/frontend.poddisruptionbudget.yaml b/frontend/deploy/helm/frontend/templates/frontend.poddisruptionbudget.yaml
index 4d9f6145a..b6f3c3339 100644
--- a/frontend/deploy/helm/frontend/templates/frontend.poddisruptionbudget.yaml
+++ b/frontend/deploy/helm/frontend/templates/frontend.poddisruptionbudget.yaml
@@ -2,6 +2,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: aro-hcp-frontend
+ namespace: {{ .Release.namespace }}
 spec:
 minAvailable: 1
 selector:
diff --git a/frontend/deploy/helm/frontend/templates/frontend.service.yaml b/frontend/deploy/helm/frontend/templates/frontend.service.yaml
index d3497e752..cdf586e1d 100644
--- a/frontend/deploy/helm/frontend/templates/frontend.service.yaml
+++ b/frontend/deploy/helm/frontend/templates/frontend.service.yaml
@@ -4,6 +4,7 @@ metadata:
 labels:
 app: aro-hcp-frontend
 name: aro-hcp-frontend
+ namespace: {{ .Release.namespace }}
 spec:
 ports:
 - port: 8443
diff --git a/frontend/deploy/helm/frontend/templates/metrics.service.yaml b/frontend/deploy/helm/frontend/templates/metrics.service.yaml
index 6f93b34cc..9d7968aa5 100644
--- a/frontend/deploy/helm/frontend/templates/metrics.service.yaml
+++ b/frontend/deploy/helm/frontend/templates/metrics.service.yaml
@@ -5,6 +5,7 @@ metadata:
 app: aro-hcp-frontend
 port: metrics
 name: aro-hcp-frontend-metrics
+ namespace: {{ .Release.namespace }}
 spec:
 ports:
 - port: 8081
diff --git a/frontend/deploy/helm/frontend/templates/serviceaccount.yaml b/frontend/deploy/helm/frontend/templates/serviceaccount.yaml
index 0e44510db..910c95f33 100644
--- a/frontend/deploy/helm/frontend/templates/serviceaccount.yaml
+++ b/frontend/deploy/helm/frontend/templates/serviceaccount.yaml
@@ -5,3 +5,4 @@ metadata:
 azure.workload.identity/client-id: '{{ .Values.serviceAccount.workloadIdentityClientId }}'
 azure.workload.identity/tenant-id: '{{ .Values.serviceAccount.workloadIdentityTenantId }}'
 name: frontend
+ namespace: {{ .Release.namespace }}
\ No newline at end of file
diff --git a/frontend/deploy/helm/frontend/templates/servicemonitor.yaml b/frontend/deploy/helm/frontend/templates/servicemonitor.yaml
index e5681f890..8663c02b7 100644
--- a/frontend/deploy/helm/frontend/templates/servicemonitor.yaml
+++ b/frontend/deploy/helm/frontend/templates/servicemonitor.yaml
@@ -2,6 +2,7 @@ apiVersion: azmonitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
 name: aro-hcp-frontend-service-monitor
+ namespace: {{ .Release.namespace }}
 spec:
 endpoints:
 - interval: 30s
diff --git a/frontend/deploy/helm/frontend/values.yaml b/frontend/deploy/helm/frontend/values.yaml
index 2c17154c1..435e4b1b2 100644
--- a/frontend/deploy/helm/frontend/values.yaml
+++ b/frontend/deploy/helm/frontend/values.yaml
@@ -1,6 +1,7 @@
 azure:
 clientId: ""
 tenantId: ""
+deployMise: true
 configMap:
 databaseUrl: ""
 frontendMiClientId: ""
diff --git a/frontend/pipeline.yaml b/frontend/pipeline.yaml
index c0048ff03..801998f17 100644
--- a/frontend/pipeline.yaml
+++ b/frontend/pipeline.yaml
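Review bot: `deployMise: true` as the chart default means a plain `helm install` without the Makefile's `--set deployMise=…` renders the ext-authz CUSTOM policy and opens the write methods in allow-ingress while no mise image, tenant or application ids are configured (every subchart value defaults to `""`), whereas config.yaml defaults `mise.deploy` to `false`. Defaulting to `deployMise: false` keeps the two defaults in agreement and makes enabling the external authorizer an explicit opt-in per environment; a one-line comment above the key saying what it switches on (subchart, ext-authz policy, ingress methods) would also help, since the three effects live in different files.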
@@ -38,3 +38,19 @@ resourceGroups:
 configRef: clusterService.k8s.namespace
 - name: CS_SERVICE_ACCOUNT_NAME
 configRef: clusterService.k8s.serviceAccountName
+ - name: DEPLOY_MISE
+ configRef: mise.deploy
+ - name: VALID_APP_ID_0
+ configRef: mise.validAppId0
+ - name: VALID_APP_ID_1
+ configRef: mise.validAppId1
+ - name: MISE_IMAGE_REGISTRY
+ configRef: mise.image.registry
+ - name: MISE_IMAGE_REPOSITORY
+ configRef: mise.image.repository
+ - name: MISE_IMAGE_DIGEST
+ configRef: mise.image.digest
+ - name: MISE_AZURE_AD_INSTANCE
+ configRef: mise.azureAdInstance
+ - name: MISE_ARM_INSTANCE
+ configRef: mise.armInstance
diff --git a/istio/deploy/helm/istio/templates/istio-shared-configmap.yml b/istio/deploy/helm/istio/templates/istio-shared-configmap.yml
new file mode 100644
index 000000000..cc472dd03
--- /dev/null
+++ b/istio/deploy/helm/istio/templates/istio-shared-configmap.yml
@@ -0,0 +1,16 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+ istio.io/rev: asm-1-23
+ name: istio-shared-configmap-asm-1-23
+ namespace: aks-istio-system
+data:
+ mesh: |-
+ extensionProviders:
+ - name: "ext-authz"
+ envoyExtAuthzHttp:
+ service: "mise/mise.mise.svc.cluster.local"
+ port: "8080"
+ includeRequestHeadersInCheck: ["x-ext-authz"]
+ pathPrefix: "/v1/EnvoyValidateRequest"
diff --git a/istio/deploy/helm/istio/templates/mise.serviceentry.yml b/istio/deploy/helm/istio/templates/mise.serviceentry.yml
new file mode 100644
index 000000000..f3693b4d4
--- /dev/null
+++ b/istio/deploy/helm/istio/templates/mise.serviceentry.yml
@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1
+kind: ServiceEntry
+metadata:
+ name: external-authz-http
+spec:
+ hosts:
+ - "mise.mise.svc.cluster.local"
+ endpoints:
+ - address: "127.0.0.1"
+ ports:
+ - name: http
+ number: 8080
+ protocol: http
+ resolution: STATIC
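Review bot: `includeRequestHeadersInCheck: ["x-ext-authz"]` keeps only the Istio sample header; the HTTP ext-authz provider forwards just Host, Method, Path and Content-Length plus the headers listed here, so the `Authorization` bearer token that the mise inbound policy is configured to validate (`AuthenticationSchemes__0: Bearer` in the mise deployment) never reaches mise. Depending on how mise treats a missing header that either rejects every request or turns the check into a no-op in front of the now-permitted write methods; change it to `includeRequestHeadersInCheck: ["authorization"]` (plus whatever else the EnvoyValidateRequest contract requires, which I cannot confirm from here) and drop the sample header. The revision `asm-1-23` is also hardcoded in three places here while the Makefile parameterizes it via `${ISTO_TAG}`, so the next mesh upgrade will silently leave this ConfigMap attached to the old revision.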
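Review bot: `address: "127.0.0.1"` with `resolution: STATIC` pins `mise.mise.svc.cluster.local` to the calling pod's loopback, which is the layout Istio's ext-authz sample uses for an authorizer container running inside the same pod; in this change mise is its own Deployment behind a real Service in the `mise` namespace, so as far as I can tell the sidecar's check requests are sent to port 8080 on the frontend pod where nothing listens, and the ServiceEntry competes with the host the Service already provides. Either drop this file and let the provider's `mise/mise.mise.svc.cluster.local` resolve to the Service, or, if a ServiceEntry is genuinely needed, point it at that service rather than loopback. The resource also declares no `namespace`, so it lands wherever the istio chart happens to be installed.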