Azure · tony-schndr · Feb 19, 2025 · Feb 28, 2025 · Feb 28, 2025 · Mar 3, 2025
@@ -6,6 +6,9 @@ yaml-files:
 ignore:
   - 'acm/deploy/helm/clc-state-metrics/'
   - 'acrpull/deploy/helm/acrpull/templates/deployment.yaml'
+  - 'frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml'
+  - 'frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml'
+  - 'istio/deploy/helm/istio/templates/istio-shared-configmap.yml'
 
 rules:
   brackets: enable

@@ -90,6 +90,19 @@ defaults:
       private: true
       zoneRedundantMode: 'Auto'
 
+  # Mise
+  mise:
+    deploy: true
+    azureAdInstance: https://login.microsoftonline.com/
+    azureAdClientId: ""
+    armInstance: https://management.core.windows.net/
+    validAppId0: ""
+    validAppId1: ""
+    image:
+      registry: arohcpsvcint.azurecr.io
+      repository: mise
+      digest: sha256:ad3f7efeeb6691c25bf31d46d7b879e06093ec2ff43c05ad32b5bc5315ab96a7
+
   # Maestro
   maestro:
     server:

@@ -461,6 +461,36 @@
         "serviceTag"
       ]
     },
+    "mise":{
+      "properties": {
+        "deploy" :{
+          "type": "boolean"
+        },
+        "azureAdInstance":{
+          "type":"string"
+        },
+        "azureAdClientId":{
+          "type":"string"
+        },
+        "validAppId0":{
+          "type":"string"
+        },
+        "validAppId1":{
+          "type":"string"
+        },
+        "image":{
+          "$ref": "#/definitions/containerImage"
+        }
+      },
+      "required" : [
+        "deploy",
+        "image",
+        "azureAdInstance",
+        "azureAdClientId",
+        "validAppId0",
+        "validAppId1"
+      ]
+    },
     "global": {
       "type": "object",
       "properties": {

@@ -89,6 +89,19 @@ defaults:
       name: frontend-cert-{{ .ctx.regionShort }}
       issuer: Self
 
+  # Mise
+  mise:
+    deploy: false
+    azureAdInstance: ""
+    azureAdClientId: ""
+    armInstance: ""
+    validAppId0: ""
+    validAppId1: ""
+    image:
+      registry: ""
+      repository: ""
+      digest: ""
+
   # Maestro
   maestro:
     server:

@@ -245,6 +245,19 @@
   "miMockCertName": "msiMockCert2",
   "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
   "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+  "mise": {
+    "armInstance": "",
+    "azureAdClientId": "",
+    "azureAdInstance": "",
+    "deploy": false,
+    "image": {
+      "digest": "",
+      "registry": "",
+      "repository": ""
+    },
+    "validAppId0": "",
+    "validAppId1": ""
+  },
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
     "grafanaName": "arohcp-dev",

@@ -245,6 +245,19 @@
   "miMockCertName": "msiMockCert2",
   "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
   "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+  "mise": {
+    "armInstance": "",
+    "azureAdClientId": "",
+    "azureAdInstance": "",
+    "deploy": false,
+    "image": {
+      "digest": "",
+      "registry": "",
+      "repository": ""
+    },
+    "validAppId0": "",
+    "validAppId1": ""
+  },
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
     "grafanaName": "arohcp-dev",

@@ -252,6 +252,19 @@
   "miMockCertName": "msiMockCert2",
   "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
   "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+  "mise": {
+    "armInstance": "https://management.core.windows.net/",
+    "azureAdClientId": "",
+    "azureAdInstance": "https://login.microsoftonline.com/",
+    "deploy": true,
+    "image": {
+      "digest": "sha256:ad3f7efeeb6691c25bf31d46d7b879e06093ec2ff43c05ad32b5bc5315ab96a7",
+      "registry": "arohcpsvcint.azurecr.io",
+      "repository": "mise"
+    },
+    "validAppId0": "",
+    "validAppId1": ""
+  },
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "2fdb57d4-3fd3-415d-b604-1d0e37a188fe",
     "grafanaName": "arohcp-int",

@@ -245,6 +245,19 @@
   "miMockCertName": "msiMockCert2",
   "miMockClientId": "e8723db7-9b9e-46a4-9f7d-64d75c3534f0",
   "miMockPrincipalId": "d6b62dfa-87f5-49b3-bbcb-4a687c4faa96",
+  "mise": {
+    "armInstance": "",
+    "azureAdClientId": "",
+    "azureAdInstance": "",
+    "deploy": false,
+    "image": {
+      "digest": "",
+      "registry": "",
+      "repository": ""
+    },
+    "validAppId0": "",
+    "validAppId1": ""
+  },
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
     "grafanaName": "arohcp-dev",

@@ -102,6 +102,16 @@ resourceGroups:
   subscription: {{ .svc.subscription }}
   aksCluster: {{ .svc.aks.name }}
   steps:
+  # configure istio
+  - name: istio-config
+    action: Shell
+    command: make -C ../istio deploy
+    dryRun:
+      variables:
+        - name: DRY_RUN
+          value: "true"
+    dependsOn:
+    - istio-upgrade
   # - updates workload to use istio on version svc.istio.targetVersion
   # - configures istio IP tag usage
   - name: istio-upgrade
@@ -120,16 +130,6 @@ resourceGroups:
       configRef: svc.rg
     dependsOn:
     - svc
-  # configure istio
-  - name: istio-config
-    action: Shell
-    command: make -C ../istio deploy
-    dryRun:
-      variables:
-        - name: DRY_RUN
-          value: "true"
-    dependsOn:
-    - istio-upgrade
   # Install ACRpull
   - name: acrpull
     action: Shell

@@ -65,6 +65,8 @@ deploy:
 	DB_URL=$$(az cosmosdb show -n ${DB_NAME} -g ${RESOURCEGROUP} --query documentEndpoint -o tsv) && \
 	kubectl create namespace aro-hcp --dry-run=client -o json | kubectl apply -f - && \
 	kubectl label namespace aro-hcp "istio.io/rev=${ISTO_TAG}" --overwrite=true && \
+	kubectl create namespace mise --dry-run=client -o json | kubectl apply -f - && \
+	kubectl label namespace mise "istio.io/rev=${ISTO_TAG}" --overwrite=true && \
 	${HELM_CMD} aro-hcp-frontend-dev \
 		deploy/helm/frontend/ \
 		--set azure.clientId=$${SECRET_STORE_MI_CLIENT_ID} \
@@ -85,6 +87,17 @@ deploy:
 		--set pullBinding.scope=repository:${ARO_HCP_IMAGE_REPOSITORY}:pull \
 		--set clusterService.namespace=${CS_NAMESPACE} \
 		--set clusterService.serviceAccount=${CS_SERVICE_ACCOUNT_NAME} \
+		--set deployMise=${DEPLOY_MISE} \
+		--set mise.namespace=mise \
+		--set mise.imageRegistry=${MISE_IMAGE_REGISTRY} \
+		--set mise.imageRepository=${MISE_IMAGE_REPOSITORY} \
+		--set mise.imageDigest=${MISE_IMAGE_DIGEST} \
+		--set mise.tenantId=$${TENANT_ID} \
+		--set mise.azureAdInstance=${MISE_AZURE_AD_INSTANCE} \
+		--set mise.azureAdClientId=${MISE_AZURE_AD_CLIENT_ID} \
+		--set mise.armInstance=${MISE_ARM_INSTANCE} \
+		--set mise.validAppId0=${MISE_VALID_APP_ID_0} \
+		--set mise.validAppId1=${MISE_VALID_APP_ID_1} \
 		--namespace aro-hcp
 .PHONY: deploy
 

@@ -5,3 +5,9 @@ type: application
 
 version: 0.1.0
 appVersion: "1.0.0"
+
+dependencies:
+  - name: mise
+    version: 0.1.0
+    repository: "file://charts/mise"
+    condition: deployMise
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: mise
+description: A Helm chart for mise
+type: application
+
+version: 0.1.0
+appVersion: "1.0.0"
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mise
+  namespace: {{ .Values.namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mise
+  template:
+    metadata:
+      labels:
+        app: mise
+    spec:
+      containers:
+      - name: mise
+        image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}@{{ .Values.imageDigest }}"
+        ports:
+        - containerPort: 8080
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8080
+        env:
+        - name: AzureAd__Instance
+          value: {{ .Values.azureAdInstance }}
+        - name: AzureAd__ClientId
+          value: {{ .Values.azureAdClientId }}
+        - name: AzureAd__TenantId
+          value: {{ .Values.tenantId }}
+        - name: AzureAd__InboundPolicies__0__Label
+          value: "ARM Policy"
+        - name: AzureAd__InboundPolicies__0__Authority
+          value: "{{ .Values.azureAdInstance }}{{ .Values.tenantId }}"
+        - name: AzureAd__InboundPolicies__0__AuthenticationSchemes__0
+          value: "Bearer"
+        - name: AzureAd__InboundPolicies__0__ValidAudiences__0
+          value: {{ .Values.armInstance }}
+        - name: AzureAd__InboundPolicies__0__ValidApplicationIds__0
+          value: {{ .Values.validAppId0 }}
+        - name: AzureAd__InboundPolicies__0__ValidApplicationIds__1
+          value: {{ .Values.validAppId1 }}
+        - name: AllowedHosts
+          value: "*"
+        - name: Kestrel__Endpoints__Http__Url
+          value: "http://0.0.0.0:8080"
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mise
+  namespace: {{ .Values.namespace }}
+spec:
+  selector:
+    app: mise
+  ports:
+  - protocol: TCP
+    port: 8080
+    targetPort: 8080
@@ -0,0 +1,9 @@
+imageRegistry: ""
+imageRepository: ""
+imageDigest: ""
+tenantId: ""
+adInstance: ""
+armInstance: ""
+validAppId0: ""
+validAppId1: ""
+namespace: ""
@@ -2,6 +2,7 @@ apiVersion: acrpull.microsoft.com/v1beta2
 kind: AcrPullBinding
 metadata:
   name: pull-binding
+  namespace: {{ .Release.namespace }}
 spec:
   acr:
     environment: PublicCloud

@@ -1,8 +1,9 @@
+{{- if eq .Values.deployMise true }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: allow-istio-ingress
-  namespace: aro-hcp
+  namespace: {{ .Release.namespace }}
 spec:
   action: ALLOW
   rules:
@@ -11,6 +12,7 @@ spec:
         namespaces: ["aks-istio-ingress"]
     to:
     - operation:
-        methods: ["GET"]
+        methods: ["GET", "PUT", "POST","PATCH", "DELETE"]
         ports:
         - "8443"
+{{- end }}
@@ -2,6 +2,7 @@ apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
   name: allow-metrics-frontend
+  namespace: {{ .Release.namespace }}
 spec:
   action: "ALLOW"
   rules:

@@ -2,4 +2,5 @@ apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
   name: allow-nothing
+  namespace: {{ .Release.namespace }}
 spec: {}
@@ -0,0 +1,15 @@
+{{- if eq .Values.deployMise true }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: ext-authz
+  namespace: {{ .Release.namespace }}
+spec:
+  action: CUSTOM
+  provider:
+    name: ext-authz
+  rules:
+  - to:
+    - operation:
+        paths: ["/*"]
+{{- end }}
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: frontend-config
+  namespace: {{ .Release.namespace }}
 data:
   DB_NAME: '{{ .Values.configMap.databaseName }}'
   DB_URL: '{{ .Values.configMap.databaseUrl }}'

@@ -4,6 +4,7 @@ metadata:
   labels:
     app: aro-hcp-frontend
   name: aro-hcp-frontend
+  namespace: {{ .Release.namespace }}
 spec:
   progressDeadlineSeconds: 600
   replicas: 2