From 633d69e6a58a40f3c78e3a5b8d28f95587df4565 Mon Sep 17 00:00:00 2001 
From: tschneid Date: Wed, 19 Feb 2025 08:57:20 -0600 Subject: [PATCH 1/4] deploy mise as a dependent subchart of frontend --- .yamllint.yml | 2 + config/config.msft.yaml | 12 +++++ config/config.schema.json | 28 ++++++++++ config/config.yaml | 12 +++++ config/public-cloud-cs-pr.json | 12 +++++ config/public-cloud-dev.json | 12 +++++ config/public-cloud-msft-int.json | 12 +++++ config/public-cloud-personal-dev.json | 12 +++++ frontend/Makefile | 12 +++++ frontend/deploy/helm/frontend/Chart.yaml | 6 +++ .../helm/frontend/charts/mise/Chart.yaml | 7 +++ .../charts/mise/templates/deployment.yaml | 51 +++++++++++++++++++ .../charts/mise/templates/service.yaml | 12 +++++ .../helm/frontend/charts/mise/values.yaml | 10 ++++ .../frontend/templates/acrpullbinding.yaml | 1 + .../allow-ingress.authorizationpolicy.yaml | 6 ++- .../allow-metrics.authorizationpolicy.yaml | 1 + .../templates/authorizationpolicy.yaml | 1 + .../ext-authz.authorizationpolicy.yaml | 15 ++++++ .../templates/frontend.configmap.yaml | 1 + .../templates/frontend.deployment.yaml | 1 + .../frontend.poddisruptionbudget.yaml | 1 + .../frontend/templates/frontend.service.yaml | 1 + .../frontend/templates/metrics.service.yaml | 1 + .../frontend/templates/serviceaccount.yaml | 1 + .../frontend/templates/servicemonitor.yaml | 1 + frontend/deploy/helm/frontend/values.yaml | 1 + frontend/pipeline.yaml | 16 ++++++ .../templates/istio-shared-configmap.yml | 16 ++++++ .../istio/templates/mise.serviceentry.yml | 14 +++++ 30 files changed, 277 insertions(+), 1 deletion(-) create mode 100644 frontend/deploy/helm/frontend/charts/mise/Chart.yaml create mode 100644 frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml create mode 100644 frontend/deploy/helm/frontend/charts/mise/templates/service.yaml create mode 100644 frontend/deploy/helm/frontend/charts/mise/values.yaml create mode 100644 frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml create mode 100644 
istio/deploy/helm/istio/templates/istio-shared-configmap.yml create mode 100644 istio/deploy/helm/istio/templates/mise.serviceentry.yml diff --git a/.yamllint.yml b/.yamllint.yml index 0fb376210..405aa0880 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -6,6 +6,8 @@ yaml-files: ignore: - 'acm/deploy/helm/clc-state-metrics/' - 'acrpull/deploy/helm/acrpull/templates/deployment.yaml' + - 'frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml' + - 'frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml' rules: brackets: enable diff --git a/config/config.msft.yaml b/config/config.msft.yaml index 77eac2c7c..ecd145429 100644 --- a/config/config.msft.yaml +++ b/config/config.msft.yaml @@ -90,6 +90,18 @@ defaults: private: true zoneRedundantMode: 'Auto' + # Mise + mise: + deploy: true + azureAdInstance: https://login.microsoftonline.com/ + armInstance: https://management.core.windows.net/ + validAppId0: "" + validAppId1: "" + image: + registry: arohcpsvcint.azurecr.io + repository: mise + digest: sha256:ad3f7efeeb6691c25bf31d46d7b879e06093ec2ff43c05ad32b5bc5315ab96a7 + # Maestro maestro: server: diff --git a/config/config.schema.json b/config/config.schema.json index 38004188f..e481e7f2f 100644 --- a/config/config.schema.json +++ b/config/config.schema.json @@ -461,6 +461,34 @@ "serviceTag" ] }, + "mise":{ + "properties": { + "deploy" :{ + "type": "boolean" + }, + "azureAdInstance":{ + "type":"string" + }, + "validAppId0":{ + "type":"string", + "description": "" + }, + "validAppId1":{ + "type":"string", + "description": "" + }, + "image":{ + "$ref": "#/definitions/containerImage" + } + }, + "required" : [ + "deploy", + "image", + "azureAdInstance", + "validAppId0", + "validAppId1" + ] + }, "global": { "type": "object", "properties": { diff --git a/config/config.yaml b/config/config.yaml index 210ddbc05..0b711da1f 100644 --- a/config/config.yaml +++ b/config/config.yaml 
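Review bot: In the `config.msft.yaml` hunk, `deploy: true` is combined with `validAppId0: ""` and `validAppId1: ""`, which the new subchart renders verbatim into `AzureAd__InboundPolicies__0__ValidApplicationIds__0/1`; how MISE treats empty entries is not visible here, but if an empty list disables the application-ID restriction, any token carrying the ARM audience from the tenant is accepted at the frontend. Either populate the ARM first-party application IDs before setting `deploy: true`, or have the pipeline refuse `deploy: true` while either ID is empty. The digest pin (`digest: sha256:…ab96a7`) is the right way to reference the image; keep it digest-based when the image is bumped rather than moving to a tag.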
@@ -89,6 +89,18 @@ defaults: name: frontend-cert-{{ .ctx.regionShort }} issuer: Self + # Mise + mise: + deploy: false + azureAdInstance: "" + armInstance: "" + validAppId0: "" + validAppId1: "" + image: + registry: "" + repository: "" + digest: "" + # Maestro maestro: server: diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json index f137c5054..c91c69ce8 100644 --- a/config/public-cloud-cs-pr.json +++ b/config/public-cloud-cs-pr.json @@ -245,6 +245,18 @@ "miMockCertName": "msiMockCert2", "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0", "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96", + "mise": { + "armInstance": "", + "azureAdInstance": "", + "deploy": false, + "image": { + "digest": "", + "registry": "", + "repository": "" + }, + "validAppId0": "", + "validAppId1": "" + }, "monitoring": { "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c", "grafanaName": "arohcp-dev", diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json index ac49caf81..c171a7a9e 100644 --- a/config/public-cloud-dev.json +++ b/config/public-cloud-dev.json @@ -245,6 +245,18 @@ "miMockCertName": "msiMockCert2", "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0", "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96", + "mise": { + "armInstance": "", + "azureAdInstance": "", + "deploy": false, + "image": { + "digest": "", + "registry": "", + "repository": "" + }, + "validAppId0": "", + "validAppId1": "" + }, "monitoring": { "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c", "grafanaName": "arohcp-dev", diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json index ff7c611f4..08585df26 100644 --- a/config/public-cloud-msft-int.json +++ b/config/public-cloud-msft-int.json 
@@ -252,6 +252,18 @@ "miMockCertName": "msiMockCert2", "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0", "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96", + "mise": { + "armInstance": "https://management.core.windows.net/", + "azureAdInstance": "https://login.microsoftonline.com/", + "deploy": true, + "image": { + "digest": "sha256:ad3f7efeeb6691c25bf31d46d7b879e06093ec2ff43c05ad32b5bc5315ab96a7", + "registry": "arohcpsvcint.azurecr.io", + "repository": "mise" + }, + "validAppId0": "", + "validAppId1": "" + }, "monitoring": { "grafanaAdminGroupPrincipalId": "2fdb57d4-3fd3-415d-b604-1d0e37a188fe", "grafanaName": "arohcp-int", diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json index 474702a81..e725c8673 100644 --- a/config/public-cloud-personal-dev.json +++ b/config/public-cloud-personal-dev.json @@ -245,6 +245,18 @@ "miMockCertName": "msiMockCert2", "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0", "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96", + "mise": { + "armInstance": "", + "azureAdInstance": "", + "deploy": false, + "image": { + "digest": "", + "registry": "", + "repository": "" + }, + "validAppId0": "", + "validAppId1": "" + }, "monitoring": { "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c", "grafanaName": "arohcp-dev", diff --git a/frontend/Makefile b/frontend/Makefile index 915cd6a0d..2a70b3909 100644 --- a/frontend/Makefile +++ b/frontend/Makefile 
@@ -65,6 +65,8 @@ deploy: DB_URL=$$(az cosmosdb show -n ${DB_NAME} -g ${RESOURCEGROUP} --query documentEndpoint -o tsv) && \ kubectl create namespace aro-hcp --dry-run=client -o json | kubectl apply -f - && \ kubectl label namespace aro-hcp "istio.io/rev=${ISTO_TAG}" --overwrite=true && \ + kubectl create namespace mise --dry-run=client -o json | kubectl apply -f - && \ + kubectl label namespace mise "istio.io/rev=${ISTO_TAG}" --overwrite=true && \ ${HELM_CMD} aro-hcp-frontend-dev \ deploy/helm/frontend/ \ --set azure.clientId=$${SECRET_STORE_MI_CLIENT_ID} \ @@ -85,6 +87,16 @@ deploy: --set pullBinding.scope=repository:${ARO_HCP_IMAGE_REPOSITORY}:pull \ --set clusterService.namespace=${CS_NAMESPACE} \ --set clusterService.serviceAccount=${CS_SERVICE_ACCOUNT_NAME} \ + --set deployMise=${DEPLOY_MISE} \ + --set mise.namespace=mise \ + --set mise.imageRegistry=${MISE_IMAGE_REGISTRY} \ + --set mise.imageRepository=${MISE_IMAGE_REPOSITORY} \ + --set mise.imageDigest=${MISE_IMAGE_DIGEST} \ + --set mise.tenantId=${MISE_TENANT_ID} \ + --set mise.adInstance=${MISE_AD_INSTANCE} \ + --set mise.armInstance=${MISE_ARM_INSTANCE} \ + --set mise.validAppId0=${MISE_VALID_APP_ID_0} \ + --set mise.validAppId1=${MISE_VALID_APP_ID_1} \ --namespace aro-hcp .PHONY: deploy diff --git a/frontend/deploy/helm/frontend/Chart.yaml b/frontend/deploy/helm/frontend/Chart.yaml index 68e575182..2d341dd54 100644 --- a/frontend/deploy/helm/frontend/Chart.yaml +++ b/frontend/deploy/helm/frontend/Chart.yaml @@ -5,3 +5,9 @@ type: application version: 0.1.0 appVersion: "1.0.0" + +dependencies: + - name: mise + version: 0.1.0 + repository: "file://charts/mise" + condition: deployMise diff --git a/frontend/deploy/helm/frontend/charts/mise/Chart.yaml b/frontend/deploy/helm/frontend/charts/mise/Chart.yaml new file mode 100644 index 000000000..c7ec7698a --- /dev/null +++ b/frontend/deploy/helm/frontend/charts/mise/Chart.yaml 
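Review bot: The `mise` namespace name is hard-coded three times in the new recipe lines (`kubectl create namespace mise`, `kubectl label namespace mise …`, `--set mise.namespace=mise`) and again in the istio provider's `service:` string elsewhere in this patch, so a rename in one place silently detaches the provider from the Service. Hoist it to a Make variable, `MISE_NAMESPACE ?= mise`, and use `${MISE_NAMESPACE}` in all three places. The recipe also labels the namespace for sidecar injection but, unlike `aro-hcp`, nothing in this series gives it an `allow-nothing` AuthorizationPolicy, so any mesh workload can reach the validation endpoint on 8080; low impact for a token validator, but it is worth mirroring the frontend's default-deny. The `deploy:` recipe begins before this hunk.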
@@ -0,0 +1,7 @@ +apiVersion: v2 +name: mise +description: A Helm chart for mise +type: application + +version: 0.1.0 +appVersion: "1.0.0" diff --git a/frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml b/frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml new file mode 100644 index 000000000..ad6b386a4 --- /dev/null +++ b/frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml @@ -0,0 +1,51 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mise + namespace: {{ .Values.mise.namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app: mise + template: + metadata: + labels: + app: mise + spec: + containers: + - name: mise + image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageDigest }}" + ports: + - containerPort: 8080 + livenessProbe: + httpGet: + path: /healthz + port: 8080 + readinessProbe: + httpGet: + path: /readyz + port: 8080 + env: + - name: AzureAd__Instance + value: {{ .Values.azureAdInstance }} + - name: AzureAd__ClientId + value: {{ .Values.frontendClientId }} + - name: AzureAd__TenantId + value: {{ .Values.tenantId }} + - name: AzureAd__InboundPolicies__0__Label + value: "ARM Policy" + - name: AzureAd__InboundPolicies__0__Authority + value: "{{ .Values.azureAdInstance }}{{ .Values.tenantId }}" + - name: AzureAd__InboundPolicies__0__AuthenticationSchemes__0 + value: "Bearer" + - name: AzureAd__InboundPolicies__0__ValidAudiences__0 + value: {{ .Values.armInstance }} + - name: AzureAd__InboundPolicies__0__ValidApplicationIds__0 + value: {{ .Values.validAppId0 }} + - name: AzureAd__InboundPolicies__0__ValidApplicationIds__1 + value: {{ .Values.validAppId1 }} + - name: AllowedHosts + value: "*" + - name: Kestrel__Endpoints__Http__Url + value: "http://0.0.0.0:8080" diff --git a/frontend/deploy/helm/frontend/charts/mise/templates/service.yaml b/frontend/deploy/helm/frontend/charts/mise/templates/service.yaml new file mode 100644 index 000000000..29589282f --- /dev/null 
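Review bot: `replicas: 1` places a single pod on a fail-closed path: with the `action: CUSTOM` policy added in this commit the frontend sidecar denies every request while the only mise pod is restarting or being rescheduled, so run at least two replicas and give it a PodDisruptionBudget like the frontend has. The container also ships with no `securityContext` and no `resources`, which are baseline for a workload that handles bearer tokens; a container-level hardening block is proposed below (`readOnlyRootFilesystem` is left out because I cannot tell from here whether the .NET runtime writes to disk, and `runAsNonRoot` assumes the image does not run as root — confirm both). Finally the env values are bare templates such as `value: {{ .Values.azureAdInstance }}`, so an unset value silently renders an empty `AzureAd__Instance` instead of failing the release; quote them and use `required` so a misconfigured identity chain fails at render time.

```yaml
spec:
  replicas: 2
  # … unchanged: selector, template metadata …
    spec:
      containers:
        - name: mise
          # … unchanged: image, ports, livenessProbe, readinessProbe …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 256Mi
          env:
            - name: AzureAd__Instance
              value: {{ required "mise.azureAdInstance is required" .Values.azureAdInstance | quote }}
          # … unchanged: remaining env entries, each quoted the same way …
```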
+++ b/frontend/deploy/helm/frontend/charts/mise/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: mise + namespace: {{ .Values.mise.namespace }} +spec: + selector: + app: mise + ports: + - protocol: TCP + port: 8080 + targetPort: 8080 diff --git a/frontend/deploy/helm/frontend/charts/mise/values.yaml b/frontend/deploy/helm/frontend/charts/mise/values.yaml new file mode 100644 index 000000000..fb07d5c55 --- /dev/null +++ b/frontend/deploy/helm/frontend/charts/mise/values.yaml @@ -0,0 +1,10 @@ +mise: + imageRegistry: "" + imageRepository: "" + imageDigest: "" + tenantId: "" + adInstance: "" + armInstance: "" + validAppId0: "" + validAppId1: "" + namespace: "" diff --git a/frontend/deploy/helm/frontend/templates/acrpullbinding.yaml b/frontend/deploy/helm/frontend/templates/acrpullbinding.yaml index 6c509b939..32e1b6996 100644 --- a/frontend/deploy/helm/frontend/templates/acrpullbinding.yaml +++ b/frontend/deploy/helm/frontend/templates/acrpullbinding.yaml @@ -2,6 +2,7 @@ apiVersion: acrpull.microsoft.com/v1beta2 kind: AcrPullBinding metadata: name: pull-binding + namespace: {{ .Release.namespace }} spec: acr: environment: PublicCloud diff --git a/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml b/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml index d3cf0c7ee..44ddb1953 100644 --- a/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml +++ b/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml @@ -2,7 +2,7 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: allow-istio-ingress - namespace: aro-hcp + namespace: {{ .Release.namespace }} spec: action: ALLOW rules: @@ -11,6 +11,10 @@ spec: namespaces: ["aks-istio-ingress"] to: - operation: + {{- if eq .Values.deployMise true }} + methods: ["GET", "PUT", "POST","PATCH", "DELETE"] + {{- else }} methods: ["GET"] + {{- end }} ports: - "8443" 
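Review bot: The pull binding is now pinned to the release namespace (`namespace: {{ .Release.namespace }}`) and its scope, set from the Makefile, is `repository:${ARO_HCP_IMAGE_REPOSITORY}:pull`, yet the mise Deployment this series adds runs in the separate `mise` namespace and pulls `{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}` with no `imagePullSecrets`; nothing grants that namespace a pull identity for the `mise` repository. Unless the node/kubelet identity already holds AcrPull on the registry, the pod will sit in ImagePullBackOff; add a second AcrPullBinding in the mise namespace with `scope: repository:{{ .Values.imageRepository }}:pull` bound to the mise pod's service account, or reference its pull secret from the Deployment. Separately, Helm's built-in is `.Release.Namespace` (capital N); `.Release.namespace` renders as an empty value, which only works because Helm defaults namespaced objects to the release namespace — fix the casing in every template this commit touches.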
diff --git a/frontend/deploy/helm/frontend/templates/allow-metrics.authorizationpolicy.yaml b/frontend/deploy/helm/frontend/templates/allow-metrics.authorizationpolicy.yaml index 81631dc83..7ab83e113 100644 --- a/frontend/deploy/helm/frontend/templates/allow-metrics.authorizationpolicy.yaml +++ b/frontend/deploy/helm/frontend/templates/allow-metrics.authorizationpolicy.yaml @@ -2,6 +2,7 @@ apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: name: allow-metrics-frontend + namespace: {{ .Release.namespace }} spec: action: "ALLOW" rules: diff --git a/frontend/deploy/helm/frontend/templates/authorizationpolicy.yaml b/frontend/deploy/helm/frontend/templates/authorizationpolicy.yaml index c510bcee8..1656efadf 100644 --- a/frontend/deploy/helm/frontend/templates/authorizationpolicy.yaml +++ b/frontend/deploy/helm/frontend/templates/authorizationpolicy.yaml @@ -2,4 +2,5 @@ apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: name: allow-nothing + namespace: {{ .Release.namespace }} spec: {} diff --git a/frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml b/frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml new file mode 100644 index 000000000..6a43b7188 --- /dev/null +++ b/frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml @@ -0,0 +1,15 @@ +{{- if eq .Values.deployMise true }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: ext-authz + namespace: {{ .Release.namespace }} +spec: + action: CUSTOM + provider: + name: ext-authz + rules: + - to: + - operation: + paths: ["/*"] +{{- end }} diff --git a/frontend/deploy/helm/frontend/templates/frontend.configmap.yaml b/frontend/deploy/helm/frontend/templates/frontend.configmap.yaml index 00cebba1a..16515c8e1 100644 --- a/frontend/deploy/helm/frontend/templates/frontend.configmap.yaml +++ b/frontend/deploy/helm/frontend/templates/frontend.configmap.yaml 
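Review bot: The CUSTOM policy has no `selector`, so it binds to every workload in the release namespace rather than to `aro-hcp-frontend`, and its only rule is `paths: ["/*"]` with no port, so — unless the sidecar excludes that port — Prometheus scrapes of the 8081 metrics listener admitted by `allow-metrics-frontend` are presumably also sent to MISE and rejected for lack of a bearer token. Scope it to the workload and the API listener: `selector: {matchLabels: {app: aro-hcp-frontend}}` and `to: [{operation: {ports: ["8443"]}}]`. CUSTOM policies are evaluated before ALLOW, so this is the sole authentication gate for the mutating methods that the `allow-ingress` change in this same commit opens; a template comment stating that dependency would stop the two files drifting apart.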
@@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: frontend-config + namespace: {{ .Release.namespace }} data: DB_NAME: '{{ .Values.configMap.databaseName }}' DB_URL: '{{ .Values.configMap.databaseUrl }}' diff --git a/frontend/deploy/helm/frontend/templates/frontend.deployment.yaml b/frontend/deploy/helm/frontend/templates/frontend.deployment.yaml index 3eba3803c..6ca8ad3be 100644 --- a/frontend/deploy/helm/frontend/templates/frontend.deployment.yaml +++ b/frontend/deploy/helm/frontend/templates/frontend.deployment.yaml @@ -4,6 +4,7 @@ metadata: labels: app: aro-hcp-frontend name: aro-hcp-frontend + namespace: {{ .Release.namespace }} spec: progressDeadlineSeconds: 600 replicas: 2 diff --git a/frontend/deploy/helm/frontend/templates/frontend.poddisruptionbudget.yaml b/frontend/deploy/helm/frontend/templates/frontend.poddisruptionbudget.yaml index 4d9f6145a..b6f3c3339 100644 --- a/frontend/deploy/helm/frontend/templates/frontend.poddisruptionbudget.yaml +++ b/frontend/deploy/helm/frontend/templates/frontend.poddisruptionbudget.yaml @@ -2,6 +2,7 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: aro-hcp-frontend + namespace: {{ .Release.namespace }} spec: minAvailable: 1 selector: diff --git a/frontend/deploy/helm/frontend/templates/frontend.service.yaml b/frontend/deploy/helm/frontend/templates/frontend.service.yaml index d3497e752..cdf586e1d 100644 --- a/frontend/deploy/helm/frontend/templates/frontend.service.yaml +++ b/frontend/deploy/helm/frontend/templates/frontend.service.yaml @@ -4,6 +4,7 @@ metadata: labels: app: aro-hcp-frontend name: aro-hcp-frontend + namespace: {{ .Release.namespace }} spec: ports: - port: 8443 diff --git a/frontend/deploy/helm/frontend/templates/metrics.service.yaml b/frontend/deploy/helm/frontend/templates/metrics.service.yaml index 6f93b34cc..9d7968aa5 100644 --- a/frontend/deploy/helm/frontend/templates/metrics.service.yaml +++ b/frontend/deploy/helm/frontend/templates/metrics.service.yaml 
@@ -5,6 +5,7 @@ metadata: app: aro-hcp-frontend port: metrics name: aro-hcp-frontend-metrics + namespace: {{ .Release.namespace }} spec: ports: - port: 8081 diff --git a/frontend/deploy/helm/frontend/templates/serviceaccount.yaml b/frontend/deploy/helm/frontend/templates/serviceaccount.yaml index 0e44510db..c7389e59e 100644 --- a/frontend/deploy/helm/frontend/templates/serviceaccount.yaml +++ b/frontend/deploy/helm/frontend/templates/serviceaccount.yaml @@ -5,3 +5,4 @@ metadata: azure.workload.identity/client-id: '{{ .Values.serviceAccount.workloadIdentityClientId }}' azure.workload.identity/tenant-id: '{{ .Values.serviceAccount.workloadIdentityTenantId }}' name: frontend + namespace: {{ .Release.namespace }} diff --git a/frontend/deploy/helm/frontend/templates/servicemonitor.yaml b/frontend/deploy/helm/frontend/templates/servicemonitor.yaml index e5681f890..8663c02b7 100644 --- a/frontend/deploy/helm/frontend/templates/servicemonitor.yaml +++ b/frontend/deploy/helm/frontend/templates/servicemonitor.yaml @@ -2,6 +2,7 @@ apiVersion: azmonitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: aro-hcp-frontend-service-monitor + namespace: {{ .Release.namespace }} spec: endpoints: - interval: 30s diff --git a/frontend/deploy/helm/frontend/values.yaml b/frontend/deploy/helm/frontend/values.yaml index 2c17154c1..435e4b1b2 100644 --- a/frontend/deploy/helm/frontend/values.yaml +++ b/frontend/deploy/helm/frontend/values.yaml @@ -1,6 +1,7 @@ azure: clientId: "" tenantId: "" +deployMise: true configMap: databaseUrl: "" frontendMiClientId: "" diff --git a/frontend/pipeline.yaml b/frontend/pipeline.yaml index c0048ff03..957e48c94 100644 --- a/frontend/pipeline.yaml +++ b/frontend/pipeline.yaml 
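Review bot: `deployMise: true` as the chart default disagrees with `config.yaml`, where `mise.deploy` defaults to `false`, so a plain `helm install` of this chart with no `--set deployMise` renders the CUSTOM `ext-authz` policy and pulls in the mise subchart with empty `imageRegistry`/`imageRepository`/`imageDigest`, producing an invalid image reference. Chart defaults should be the safe, minimal configuration; set `deployMise: false` here and let the pipeline turn it on, matching the config default. Note the templates test it as `eq .Values.deployMise true`, which (as far as I recall Go's `eq`) errors at render time if the value arrives as a string — e.g. `--set-string`, or an unset `${DEPLOY_MISE}` yielding `deployMise=`; `{{- if .Values.deployMise }}` is the conventional form.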
@@ -38,3 +38,19 @@ resourceGroups: configRef: clusterService.k8s.namespace - name: CS_SERVICE_ACCOUNT_NAME configRef: clusterService.k8s.serviceAccountName + - name: DEPLOY_MISE + configRef: mise.deploy + - name: VALID_APP_ID_0 + configRef: mise.validAppId0 + - name: VALID_APP_ID_1 + configRef: mise.validAppId1 + - name: MISE_IMAGE_REGISTRY + configRef: mise.image.registry + - name: MISE_IMAGE_REPOSITORY + configRef: mise.image.repository + - name: MISE_IMAGE_DIGEST + configRef: mise.image.digest + - name: MISE_AZURE_AD_INSTANCE + configRef: mise.azureAdInstance + - name: MISE_ARM_INSTANCE + configRef: mise.armInstance diff --git a/istio/deploy/helm/istio/templates/istio-shared-configmap.yml b/istio/deploy/helm/istio/templates/istio-shared-configmap.yml new file mode 100644 index 000000000..cc472dd03 --- /dev/null +++ b/istio/deploy/helm/istio/templates/istio-shared-configmap.yml @@ -0,0 +1,16 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + labels: + istio.io/rev: asm-1-23 + name: istio-shared-configmap-asm-1-23 + namespace: aks-istio-system +data: + mesh: |- + extensionProviders: + - name: "ext-authz" + envoyExtAuthzHttp: + service: "mise/mise.mise.svc.cluster.local" + port: "8080" + includeRequestHeadersInCheck: ["x-ext-authz"] + pathPrefix: "/v1/EnvoyValidateRequest" diff --git a/istio/deploy/helm/istio/templates/mise.serviceentry.yml b/istio/deploy/helm/istio/templates/mise.serviceentry.yml new file mode 100644 index 000000000..f2427bdf9 --- /dev/null +++ b/istio/deploy/helm/istio/templates/mise.serviceentry.yml @@ -0,0 +1,14 @@ +apiVersion: networking.istio.io/v1 +kind: ServiceEntry +metadata: + name: external-authz-http +spec: + hosts: + - "mise.mise.svc.cluster.local" + endpoints: + - address: "127.0.0.1" + ports: + - name: http + number: 8080 + protocol: http + resolution: STATIC From 114ba33ec7bdf472057e0ee41e25d496c13d82e0 Mon Sep 17 00:00:00 2001 
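Review bot: `includeRequestHeadersInCheck: ["x-ext-authz"]` is the header name from Istio's ext-authz sample, and nothing in this series shows MISE reading it; per Envoy's ext_authz documentation `Host`, `Method`, `Path`, `Content-Length` and `Authorization` are already forwarded to an HTTP authorization service by default, so either drop the entry or list the headers MISE actually consumes — confirm against the MISE configuration. The provider also relies on defaults for `timeout` (600 ms, as far as I recall) and `failOpen` (false); fail-closed is the right choice for an authentication gate, but a JWKS cold fetch can exceed 600 ms, so set an explicit `timeout: "2s"` and write `failOpen: false` explicitly so a later edit cannot flip it unnoticed.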
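Review bot: The ServiceEntry registers the in-cluster Service name `mise.mise.svc.cluster.local` with a single `STATIC` endpoint of `127.0.0.1`, which is the pattern Istio's docs use when the authorizer runs as a sidecar container inside the calling pod (the resource name `external-authz-http` matches that sample); here mise is a separate Deployment in the `mise` namespace. If Istio honours this entry over the Kubernetes Service, the frontend sidecar sends every authorization check to its own loopback on 8080, where nothing listens, and every request is denied; if it ignores it, the resource is dead configuration that misleads the next reader. The provider's `service: "mise/mise.mise.svc.cluster.local"` already resolves through the Kubernetes Service, so delete this file, or, if a ServiceEntry is genuinely wanted, give it `resolution: DNS` with no loopback endpoint.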
From: tschneid Date: Fri, 28 Feb 2025 10:14:02 -0600 Subject: [PATCH 2/4] istio shared cm per version and update svc cluster rollout order the istio shared config map must exist for the targeted version prior to upgrading the service --- .yamllint.yml | 1 + dev-infrastructure/svc-pipeline.yaml | 20 +++++++++---------- istio/Makefile | 1 + .../templates/istio-shared-configmap.yml | 7 +++++-- istio/deploy/helm/istio/values.yaml | 2 +- istio/pipeline.yaml | 3 +++ 6 files changed, 21 insertions(+), 13 deletions(-) diff --git a/.yamllint.yml b/.yamllint.yml index 405aa0880..7ecc1da30 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -8,6 +8,7 @@ ignore: - 'acrpull/deploy/helm/acrpull/templates/deployment.yaml' - 'frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml' - 'frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml' + - 'istio/deploy/helm/istio/templates/istio-shared-configmap.yml' rules: brackets: enable diff --git a/dev-infrastructure/svc-pipeline.yaml b/dev-infrastructure/svc-pipeline.yaml index 4f6977d11..f8556faab 100644 --- a/dev-infrastructure/svc-pipeline.yaml +++ b/dev-infrastructure/svc-pipeline.yaml @@ -102,6 +102,16 @@ resourceGroups: subscription: {{ .svc.subscription }} aksCluster: {{ .svc.aks.name }} steps: + # configure istio + - name: istio-config + action: Shell + command: make -C ../istio deploy + dryRun: + variables: + - name: DRY_RUN + value: "true" + dependsOn: + - istio-upgrade # - updates workload to use istio on version svc.istio.targetVersion # - configures istio IP tag usage - name: istio-upgrade @@ -120,16 +130,6 @@ resourceGroups: configRef: svc.rg dependsOn: - svc - # configure istio - - name: istio-config - action: Shell - command: make -C ../istio deploy - dryRun: - variables: - - name: DRY_RUN - value: "true" - dependsOn: - - istio-upgrade # Install ACRpull - name: acrpull action: Shell diff --git a/istio/Makefile b/istio/Makefile index ffbf0a525..bb11fe196 100644 --- a/istio/Makefile 
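Review bot: The moved `istio-config` step still declares `dependsOn: - istio-upgrade`, so the dependency graph is identical to the one before this commit — only its list position changed — and the ordering the commit message asks for (shared config map present before the service upgrade) is not what the file expresses. If the executor honours `dependsOn`, istio-config still runs after istio-upgrade; if it runs steps in list order, the step now runs before a dependency it declares. State the intent explicitly: give istio-config `dependsOn: - svc` (what istio-upgrade depends on today, visible further down the hunk) and add `- istio-config` to istio-upgrade's `dependsOn`, so a missing config map for the target revision fails the upgrade instead of leaving the CUSTOM ext-authz provider unresolved — which, as far as I recall, Istio treats as deny for every matching request.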
+++ b/istio/Makefile @@ -5,6 +5,7 @@ HELM_CMD ?= helm upgrade --install deploy: ${HELM_CMD} istio \ deploy/helm/istio/ \ + --set "istioVersions={${ISTIO_VERSIONS}}" \ --namespace aks-istio-system .PHONY: deploy diff --git a/istio/deploy/helm/istio/templates/istio-shared-configmap.yml b/istio/deploy/helm/istio/templates/istio-shared-configmap.yml index cc472dd03..b49bceace 100644 --- a/istio/deploy/helm/istio/templates/istio-shared-configmap.yml +++ b/istio/deploy/helm/istio/templates/istio-shared-configmap.yml @@ -1,9 +1,11 @@ +{{ range $version := .Values.istioVersions }} +--- kind: ConfigMap apiVersion: v1 metadata: labels: - istio.io/rev: asm-1-23 - name: istio-shared-configmap-asm-1-23 + istio.io/rev: {{ $version }} + name: istio-shared-configmap-{{ $version }} namespace: aks-istio-system data: mesh: |- @@ -14,3 +16,4 @@ data: port: "8080" includeRequestHeadersInCheck: ["x-ext-authz"] pathPrefix: "/v1/EnvoyValidateRequest" +{{ end }} diff --git a/istio/deploy/helm/istio/values.yaml b/istio/deploy/helm/istio/values.yaml index 08a1c1568..485ac7ccd 100644 --- a/istio/deploy/helm/istio/values.yaml +++ b/istio/deploy/helm/istio/values.yaml @@ -1 +1 @@ -# This file is intentionally left blank. +istioVersions: [] diff --git a/istio/pipeline.yaml b/istio/pipeline.yaml index 98aeee24c..917362bc3 100644 --- a/istio/pipeline.yaml +++ b/istio/pipeline.yaml @@ -13,3 +13,6 @@ resourceGroups: variables: - name: DRY_RUN value: "true" + variables: + - name: ISTIO_VERSIONS + configRef: svc.istio.versions From 9e3655dc545eef86777b092b9d672aa54f1a1e64 Mon Sep 17 00:00:00 2001 From: tschneid Date: Fri, 28 Feb 2025 11:51:54 -0600 Subject: [PATCH 3/4] only allow ingress traffic when mise is deployed --- .../templates/allow-ingress.authorizationpolicy.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
diff --git a/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml b/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml index 44ddb1953..ce2069a7f 100644 --- a/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml +++ b/frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml @@ -1,3 +1,4 @@ +{{- if eq .Values.deployMise true }} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: @@ -11,10 +12,7 @@ spec: namespaces: ["aks-istio-ingress"] to: - operation: - {{- if eq .Values.deployMise true }} methods: ["GET", "PUT", "POST","PATCH", "DELETE"] - {{- else }} - methods: ["GET"] - {{- end }} ports: - "8443" +{{- end }} From 69cd5a10df91c54597858a8d518ed7920f53634a Mon Sep 17 00:00:00 2001 From: tschneid Date: Sun, 2 Mar 2025 20:59:41 -0600 Subject: [PATCH 4/4] fix schema / variable mapping --- config/config.msft.yaml | 1 + config/config.schema.json | 10 ++++++---- config/config.yaml | 1 + config/public-cloud-cs-pr.json | 1 + config/public-cloud-dev.json | 1 + config/public-cloud-msft-int.json | 1 + config/public-cloud-personal-dev.json | 1 + frontend/Makefile | 5 +++-- .../charts/mise/templates/deployment.yaml | 6 +++--- .../charts/mise/templates/service.yaml | 2 +- .../helm/frontend/charts/mise/values.yaml | 19 +++++++++---------- frontend/pipeline.yaml | 6 ++++-- 12 files changed, 32 insertions(+), 22 deletions(-) diff --git a/config/config.msft.yaml b/config/config.msft.yaml index ecd145429..dc24f20d4 100644 --- a/config/config.msft.yaml +++ b/config/config.msft.yaml @@ -94,6 +94,7 @@ defaults: mise: deploy: true azureAdInstance: https://login.microsoftonline.com/ + azureAdClientId: "" armInstance: https://management.core.windows.net/ validAppId0: "" validAppId1: "" diff --git a/config/config.schema.json b/config/config.schema.json index e481e7f2f..96d28bcac 100644 --- a/config/config.schema.json +++ b/config/config.schema.json 
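Review bot: Gating the whole ingress ALLOW on `deployMise` means an environment with `mise.deploy: false` exposes nothing through the ingress gateway — not even the former read-only `GET` path — which is the right fail-closed choice but is no longer hinted at anywhere now that `methods: ["GET"]` is gone; add a template comment above the guard, e.g. `{{- /* Without MISE there is no request authentication, so no ingress traffic is admitted; allow-nothing stays in effect. */ -}}`. This file and `ext-authz.authorizationpolicy.yaml` are coupled through two independent `eq .Values.deployMise true` checks; `{{- if .Values.deployMise }}` is the idiomatic form and avoids a render error when the value is not a bool. The policy's `selector` and `namespace` lines (file lines 5-11) lie outside both hunks.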
@@ -469,13 +469,14 @@ "azureAdInstance":{ "type":"string" }, + "azureAdClientId":{ + "type":"string" + }, "validAppId0":{ - "type":"string", - "description": "" + "type":"string" }, "validAppId1":{ - "type":"string", - "description": "" + "type":"string" }, "image":{ "$ref": "#/definitions/containerImage" @@ -485,6 +486,7 @@ "deploy", "image", "azureAdInstance", + "azureAdClientId", "validAppId0", "validAppId1" ] diff --git a/config/config.yaml b/config/config.yaml index 0b711da1f..c56ee08b1 100644 --- a/config/config.yaml +++ b/config/config.yaml @@ -93,6 +93,7 @@ defaults: mise: deploy: false azureAdInstance: "" + azureAdClientId: "" armInstance: "" validAppId0: "" validAppId1: "" diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json index c91c69ce8..badcccd50 100644 --- a/config/public-cloud-cs-pr.json +++ b/config/public-cloud-cs-pr.json @@ -247,6 +247,7 @@ "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96", "mise": { "armInstance": "", + "azureAdClientId": "", "azureAdInstance": "", "deploy": false, "image": { diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json index c171a7a9e..824566dfd 100644 --- a/config/public-cloud-dev.json +++ b/config/public-cloud-dev.json @@ -247,6 +247,7 @@ "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96", "mise": { "armInstance": "", + "azureAdClientId": "", "azureAdInstance": "", "deploy": false, "image": { diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json index 08585df26..a964e5055 100644 --- a/config/public-cloud-msft-int.json +++ b/config/public-cloud-msft-int.json @@ -254,6 +254,7 @@ "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96", "mise": { "armInstance": "https://management.core.windows.net/", + "azureAdClientId": "", "azureAdInstance": "https://login.microsoftonline.com/", "deploy": true, "image": { 
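Review bot: `armInstance` is set in every config file of this series and the chart feeds it to `AzureAd__InboundPolicies__0__ValidAudiences__0`, but the `mise` schema object still neither declares nor requires it, so a misspelt or missing key passes validation and the audience check is rendered as an empty string. Add `"armInstance": { "type": "string" }` to `properties` and `"armInstance"` to `required`, alongside the `azureAdClientId` this commit adds. While here, the object lacks the `"type": "object"` its siblings (e.g. `"global"`) carry, and `azureAdClientId`/`validAppId0`/`validAppId1` are unconstrained strings — a GUID `pattern` would have caught `public-cloud-msft-int.json`, which sets `deploy: true` with all three empty.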
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json index e725c8673..a48d2060e 100644 --- a/config/public-cloud-personal-dev.json +++ b/config/public-cloud-personal-dev.json @@ -247,6 +247,7 @@ "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96", "mise": { "armInstance": "", + "azureAdClientId": "", "azureAdInstance": "", "deploy": false, "image": { diff --git a/frontend/Makefile b/frontend/Makefile index 2a70b3909..47f6f70ec 100644 --- a/frontend/Makefile +++ b/frontend/Makefile @@ -92,8 +92,9 @@ deploy: --set mise.imageRegistry=${MISE_IMAGE_REGISTRY} \ --set mise.imageRepository=${MISE_IMAGE_REPOSITORY} \ --set mise.imageDigest=${MISE_IMAGE_DIGEST} \ - --set mise.tenantId=${MISE_TENANT_ID} \ - --set mise.adInstance=${MISE_AD_INSTANCE} \ + --set mise.tenantId=$${TENANT_ID} \ + --set mise.azureAdInstance=${MISE_AZURE_AD_INSTANCE} \ + --set mise.azureAdClientId=${MISE_AZURE_AD_CLIENT_ID} \ --set mise.armInstance=${MISE_ARM_INSTANCE} \ --set mise.validAppId0=${MISE_VALID_APP_ID_0} \ --set mise.validAppId1=${MISE_VALID_APP_ID_1} \ diff --git a/frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml b/frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml index ad6b386a4..d96498f81 100644 --- a/frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml +++ b/frontend/deploy/helm/frontend/charts/mise/templates/deployment.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: mise - namespace: {{ .Values.mise.namespace }} + namespace: {{ .Values.namespace }} spec: replicas: 1 selector: @@ -15,7 +15,7 @@ spec: spec: containers: - name: mise - image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageDigest }}" + image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}@{{ .Values.imageDigest }}" ports: - containerPort: 8080 livenessProbe: 
@@ -30,7 +30,7 @@ spec: - name: AzureAd__Instance value: {{ .Values.azureAdInstance }} - name: AzureAd__ClientId - value: {{ .Values.frontendClientId }} + value: {{ .Values.azureAdClientId }} - name: AzureAd__TenantId value: {{ .Values.tenantId }} - name: AzureAd__InboundPolicies__0__Label diff --git a/frontend/deploy/helm/frontend/charts/mise/templates/service.yaml b/frontend/deploy/helm/frontend/charts/mise/templates/service.yaml index 29589282f..da32bf6ea 100644 --- a/frontend/deploy/helm/frontend/charts/mise/templates/service.yaml +++ b/frontend/deploy/helm/frontend/charts/mise/templates/service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: name: mise - namespace: {{ .Values.mise.namespace }} + namespace: {{ .Values.namespace }} spec: selector: app: mise diff --git a/frontend/deploy/helm/frontend/charts/mise/values.yaml b/frontend/deploy/helm/frontend/charts/mise/values.yaml index fb07d5c55..a236635a7 100644 --- a/frontend/deploy/helm/frontend/charts/mise/values.yaml +++ b/frontend/deploy/helm/frontend/charts/mise/values.yaml @@ -1,10 +1,9 @@ -mise: - imageRegistry: "" - imageRepository: "" - imageDigest: "" - tenantId: "" - adInstance: "" - armInstance: "" - validAppId0: "" - validAppId1: "" - namespace: "" +imageRegistry: "" +imageRepository: "" +imageDigest: "" +tenantId: "" +adInstance: "" +armInstance: "" +validAppId0: "" +validAppId1: "" +namespace: "" diff --git a/frontend/pipeline.yaml b/frontend/pipeline.yaml index 957e48c94..2192bb143 100644 --- a/frontend/pipeline.yaml +++ b/frontend/pipeline.yaml @@ -40,9 +40,9 @@ resourceGroups: configRef: clusterService.k8s.serviceAccountName - name: DEPLOY_MISE configRef: mise.deploy - - name: VALID_APP_ID_0 + - name: MISE_VALID_APP_ID_0 configRef: mise.validAppId0 - - name: VALID_APP_ID_1 + - name: MISE_VALID_APP_ID_1 configRef: mise.validAppId1 - name: MISE_IMAGE_REGISTRY configRef: mise.image.registry 
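Review bot: The flattened values file still lists `adInstance: ""` while the deployment template reads `.Values.azureAdInstance` (and the Makefile now sets `mise.azureAdInstance`), and it has no entry for `azureAdClientId`, which `AzureAd__ClientId` reads; the chart therefore declares no default for two of its identity inputs, and a render without the Makefile's `--set` flags emits empty values for them. Rename `adInstance` to `azureAdInstance: ""` and add `azureAdClientId: ""` so the values file documents every key the templates consume. Since the subchart is meant to live in its own namespace, `namespace: "mise"` is a more honest default than an empty string, which places the objects in the release namespace when the flag is omitted.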
@@ -52,5 +52,7 @@ resourceGroups: configRef: mise.image.digest - name: MISE_AZURE_AD_INSTANCE configRef: mise.azureAdInstance + - name: MISE_AZURE_AD_CLIENT_ID + configRef: mise.azureAdClientId - name: MISE_ARM_INSTANCE configRef: mise.armInstance