deploy mise as a dependent subchart of frontend

config/config.msft.yaml

@@ -74,6 +74,18 @@ defaults:
       private: true
       zoneRedundantMode: 'Auto'
 
+  # Mise
+  mise: 
+    deploy: true
+    azureAdInstance: https://login.microsoftonline.com/
+    armInstance: https://management.core.windows.net/
+    validAppId0: ""
+    validAppId1: ""
+    image:
+      registry: arohcpsvcint.azurecr.io
+      repository: mise
+      digest: sha256:ad3f7efeeb6691c25bf31d46d7b879e06093ec2ff43c05ad32b5bc5315ab96a7
+
   # Maestro
   maestro:
     server:

config/config.schema.json

@@ -426,6 +426,34 @@
         "cert"
       ]
     },
+    "mise":{
+      "properties": {
+        "deploy" :{
+          "type": "boolean"
+        },
+        "azureAdInstance":{
+          "type":"string"
+        },
+        "validAppId0":{
+          "type":"string",
+          "description": ""
+        },
+        "validAppId1":{
+          "type":"string",
+          "description": ""
+        },
+        "image":{
+          "$ref": "#/definitions/containerImage"
+        }
+      },
+      "required" : [
+        "deploy",
+        "image",
+        "azureAdInstance",
+        "validAppId0",
+        "validAppId1"
+      ]
+    },
     "global": {
       "type": "object",
       "properties": {

config/config.yaml

@@ -70,6 +70,18 @@ defaults:
     cert:
       name: frontend-cert-{{ .ctx.regionShort }}
       issuer: Self
+
+  # Mise
+  mise:
+    deploy: false
+    azureAdInstance: ""
+    armInstance: ""
+    validAppId0: ""
+    validAppId1: ""
+    image:
+      registry: ""
+      repository: ""
+      digest: ""
 
   # Maestro
   maestro:

config/public-cloud-cs-pr.json

@@ -231,6 +231,18 @@
   "miMockCertName": "msiMockCert2",
   "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
   "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+  "mise": {
+    "armInstance": "",
+    "azureAdInstance": "",
+    "deploy": false,
+    "image": {
+      "digest": "",
+      "registry": "",
+      "repository": ""
+    },
+    "validAppId0": "",
+    "validAppId1": ""
+  },
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
     "grafanaName": "arohcp-dev",

config/public-cloud-dev.json

@@ -231,6 +231,18 @@
   "miMockCertName": "msiMockCert2",
   "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
   "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+  "mise": {
+    "armInstance": "",
+    "azureAdInstance": "",
+    "deploy": false,
+    "image": {
+      "digest": "",
+      "registry": "",
+      "repository": ""
+    },
+    "validAppId0": "",
+    "validAppId1": ""
+  },
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
     "grafanaName": "arohcp-dev",

config/public-cloud-msft-int.json

@@ -231,6 +231,18 @@
   "miMockCertName": "msiMockCert2",
   "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
   "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+  "mise": {
+    "armInstance": "https://management.core.windows.net/",
+    "azureAdInstance": "https://login.microsoftonline.com/",
+    "deploy": true,
+    "image": {
+      "digest": "sha256:ad3f7efeeb6691c25bf31d46d7b879e06093ec2ff43c05ad32b5bc5315ab96a7",
+      "registry": "arohcpsvcint.azurecr.io",
+      "repository": "mise"
+    },
+    "validAppId0": "",
+    "validAppId1": ""
+  },
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "2fdb57d4-3fd3-415d-b604-1d0e37a188fe",
     "grafanaName": "arohcp-int",

config/public-cloud-personal-dev.json

@@ -231,6 +231,18 @@
   "miMockCertName": "msiMockCert2",
   "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
   "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+  "mise": {
+    "armInstance": "",
+    "azureAdInstance": "",
+    "deploy": false,
+    "image": {
+      "digest": "",
+      "registry": "",
+      "repository": ""
+    },
+    "validAppId0": "",
+    "validAppId1": ""
+  },
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
     "grafanaName": "arohcp-dev",

frontend/Makefile

@@ -65,6 +65,8 @@ deploy:
 	DB_URL=$$(az cosmosdb show -n ${DB_NAME} -g ${RESOURCEGROUP} --query documentEndpoint -o tsv) && \
 	kubectl create namespace aro-hcp --dry-run=client -o json | kubectl apply -f - && \
 	kubectl label namespace aro-hcp "istio.io/rev=${ISTO_TAG}" --overwrite=true && \
+	kubectl create namespace mise --dry-run=client -o json | kubectl apply -f - && \
+	kubectl label namespace mise "istio.io/rev=${ISTO_TAG}" --overwrite=true && \
 	${HELM_CMD} aro-hcp-frontend-dev \
 		deploy/helm/frontend/ \
 		--set azure.clientId=$${SECRET_STORE_MI_CLIENT_ID} \
@@ -85,6 +87,16 @@ deploy:
 		--set pullBinding.scope=repository:${ARO_HCP_IMAGE_REPOSITORY}:pull \
 		--set clusterService.namespace=${CS_NAMESPACE} \
 		--set clusterService.serviceAccount=${CS_SERVICE_ACCOUNT_NAME} \
+		--set deployMise=${DEPLOY_MISE} \
+		--set mise.namespace=mise \
+		--set mise.imageRegistry=${MISE_IMAGE_REGISTRY} \
+		--set mise.imageRepository=${MISE_IMAGE_REPOSITORY} \
+		--set mise.imageDigest=${MISE_IMAGE_DIGEST} \
+		--set mise.tenantId=${MISE_TENANT_ID} \
+		--set mise.adInstance=${MISE_AD_INSTANCE} \
+		--set mise.armInstance=${MISE_ARM_INSTANCE} \
+		--set mise.validAppId0=${MISE_VALID_APP_ID_0} \
+		--set mise.validAppId1=${MISE_VALID_APP_ID_1} \
 		--namespace aro-hcp
 .PHONY: deploy
 

frontend/deploy/helm/frontend/Chart.yaml

@@ -5,3 +5,9 @@ type: application
 
 version: 0.1.0
 appVersion: "1.0.0"
+
+dependencies:
+  - name: mise
+    version: 0.1.0
+    repository: "file://charts/mise"
+    condition: deployMise

frontend/deploy/helm/frontend/charts/mise/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: mise
+description: A Helm chart for mise
+type: application
+
+version: 0.1.0
+appVersion: "1.0.0"

frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mise
+  namespace: {{ .Values.mise.namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mise
+  template:
+    metadata:
+      labels:
+        app: mise
+    spec:
+      containers:
+      - name: mise
+        image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageDigest }}"
+        ports:
+        - containerPort: 8080
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8080
+        env:
+        - name: AzureAd__Instance
+          value: {{ .Values.azureAdInstance }}
+        - name: AzureAd__ClientId
+          value: {{ .Values.frontendClientId }}
+        - name: AzureAd__TenantId
+          value: {{ .Values.tenantId }}
+        - name: AzureAd__InboundPolicies__0__Label
+          value: "ARM Policy"
+        - name: AzureAd__InboundPolicies__0__Authority
+          value: "{{ .Values.azureAdInstance }}{{ .Values.tenantId }}"
+        - name: AzureAd__InboundPolicies__0__AuthenticationSchemes__0
+          value: "Bearer"
+        - name: AzureAd__InboundPolicies__0__ValidAudiences__0
+          value: {{ .Values.armInstance }}
+        - name: AzureAd__InboundPolicies__0__ValidApplicationIds__0
+          value: {{ .Values.validAppId0 }}
+        - name: AzureAd__InboundPolicies__0__ValidApplicationIds__1
+          value: {{ .Values.validAppId1 }}
+        - name: AllowedHosts
+          value: "*"
+        - name: Kestrel__Endpoints__Http__Url
+          value: "http://0.0.0.0:8080"

frontend/deploy/helm/frontend/charts/mise/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mise
+  namespace: {{ .Values.mise.namespace }}
+spec:
+  selector:
+    app: mise
+  ports:
+  - protocol: TCP
+    port: 8080
+    targetPort: 8080

frontend/deploy/helm/frontend/charts/mise/values.yaml

@@ -0,0 +1,10 @@
+mise:
+  imageRegistry: ""
+  imageRepository: ""
+  imageDigest: ""
+  tenantId: ""
+  adInstance: ""
+  armInstance: ""
+  validAppId0: ""
+  validAppId1: ""
+  namespace: ""

frontend/deploy/helm/frontend/templates/acrpullbinding.yaml

@@ -2,6 +2,7 @@ apiVersion: acrpull.microsoft.com/v1beta2
 kind: AcrPullBinding
 metadata:
   name: pull-binding
+  namespace: {{ .Release.namespace }}
 spec:
   acr:
     environment: PublicCloud

frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml

@@ -2,7 +2,7 @@ apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: allow-istio-ingress
-  namespace: aro-hcp
+  namespace: {{ .Release.namespace }} 
 spec:
   action: ALLOW
   rules:
@@ -11,6 +11,10 @@ spec:
         namespaces: ["aks-istio-ingress"]
     to:
     - operation:
+        {{- if eq .Values.deployMise true }}
+        methods: ["GET", "PUT", "POST","PATCH", "DELETE"]
+        {{- else }}
         methods: ["GET"]
+        {{- end }}
         ports:
         - "8443"

frontend/deploy/helm/frontend/templates/allow-metrics.authorizationpolicy.yaml

@@ -2,6 +2,7 @@ apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
   name: allow-metrics-frontend
+  namespace: {{ .Release.namespace }}
 spec:
   action: "ALLOW"
   rules:

frontend/deploy/helm/frontend/templates/authorizationpolicy.yaml

@@ -2,4 +2,5 @@ apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
   name: allow-nothing
+  namespace: {{ .Release.namespace }}
 spec: {}

frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml

@@ -0,0 +1,15 @@
+{{- if eq .Values.deployMise true }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: ext-authz 
+  namespace: {{ .Release.namespace }}
+spec:
+  action: CUSTOM 
+  provider:
+    name: ext-authz 
+  rules:
+  - to:
+    - operation:
+        paths: ["/*"]
+{{- end }}

frontend/deploy/helm/frontend/templates/frontend.configmap.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: frontend-config
+  namespace: {{ .Release.namespace }}
 data:
   DB_NAME: '{{ .Values.configMap.databaseName }}'
   DB_URL: '{{ .Values.configMap.databaseUrl }}'

frontend/deploy/helm/frontend/templates/frontend.deployment.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     app: aro-hcp-frontend
   name: aro-hcp-frontend
+  namespace: {{ .Release.namespace }}
 spec:
   progressDeadlineSeconds: 600
   replicas: 2

frontend/deploy/helm/frontend/templates/frontend.poddisruptionbudget.yaml

@@ -2,6 +2,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: aro-hcp-frontend
+  namespace: {{ .Release.namespace }}
 spec:
   minAvailable: 1
   selector:

frontend/deploy/helm/frontend/templates/frontend.service.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     app: aro-hcp-frontend
   name: aro-hcp-frontend
+  namespace: {{ .Release.namespace }}
 spec:
   ports:
     - port: 8443

frontend/deploy/helm/frontend/templates/metrics.service.yaml

@@ -5,6 +5,7 @@ metadata:
     app: aro-hcp-frontend
     port: metrics
   name: aro-hcp-frontend-metrics
+  namespace: {{ .Release.namespace }}
 spec:
   ports:
   - port: 8081

frontend/deploy/helm/frontend/templates/serviceaccount.yaml

@@ -5,3 +5,4 @@ metadata:
     azure.workload.identity/client-id: '{{ .Values.serviceAccount.workloadIdentityClientId }}'
     azure.workload.identity/tenant-id: '{{ .Values.serviceAccount.workloadIdentityTenantId }}'
   name: frontend
+  namespace: {{ .Release.namespace }}

frontend/deploy/helm/frontend/templates/servicemonitor.yaml

@@ -2,6 +2,7 @@ apiVersion: azmonitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: aro-hcp-frontend-service-monitor
+  namespace: {{ .Release.namespace }}
 spec:
   endpoints:
   - interval: 30s

frontend/deploy/helm/frontend/values.yaml

@@ -1,6 +1,7 @@
 azure:
   clientId: ""
   tenantId: ""
+deployMise: ""
 configMap:
   databaseUrl: ""
   frontendMiClientId: ""