diff --git a/config/config.msft.clouds-overlay.yaml b/config/config.msft.clouds-overlay.yaml index 86432334f5..4b66690bf8 100644 --- a/config/config.msft.clouds-overlay.yaml +++ b/config/config.msft.clouds-overlay.yaml @@ -100,6 +100,9 @@ clouds: mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 # 1.39.0-azurelinux3.0-distroless + miseV2: + image: + digest: sha256:14a32d793b79c47b0b8a79342ef428d29078987686dfca66e41e3810e8e75e2b # 2.0.1-azurelinux3.0-distroless stg: # this is the MSFT STAGE environment defaults: @@ -199,6 +202,9 @@ clouds: mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 + miseV2: + image: + digest: sha256:14a32d793b79c47b0b8a79342ef428d29078987686dfca66e41e3810e8e75e2b # 2.0.1-azurelinux3.0-distroless prod: # this is the MSFT PRODUCTION environment defaults: @@ -298,3 +304,6 @@ clouds: mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 + miseV2: + image: + digest: sha256:14a32d793b79c47b0b8a79342ef428d29078987686dfca66e41e3810e8e75e2b # 2.0.1-azurelinux3.0-distroless diff --git a/config/config.schema.json b/config/config.schema.json index ff821a7e5d..7f97fd5012 100644 --- a/config/config.schema.json +++ b/config/config.schema.json @@ -1931,6 +1931,9 @@ "image": { "$ref": "#/definitions/containerImage" }, + "imageV2": { + "$ref": "#/definitions/containerImage" + }, "tracing": { "$ref": "#/definitions/tracing", "description": "Tracing configuration for OTLP traces." @@ -1939,6 +1942,7 @@ "required": [ "deploy", "image", + "imageV2", "arm", "genevaActions", "tracing" diff --git a/config/config.yaml b/config/config.yaml index 7e506218cc..dc7f9d8a15 100644 --- a/config/config.yaml +++ b/config/config.yaml 
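Review bot: The three overlay hunks add the 2.0.1 digest under a key spelled `miseV2` with an `image` child, but the schema hunk in this same change, `config.yaml` and `istio/values.yaml` (`{{ .mise.imageV2.digest }}`) all read the v2 digest from `mise.imageV2.digest`; indentation is lost in this view so I cannot confirm the nesting, but under either reading the int/stg/prod values would not reach the chart and `imageV2.digest` would stay at its empty default. Key the overlay the way the schema expects: replace `miseV2:` / `image:` / `digest: sha256:14a3…` with `imageV2:` nested directly under `mise:` followed by `digest: sha256:14a3…`. If the `mise` schema object sets `additionalProperties: false`, the stray `miseV2` key would at least fail validation at build time rather than surfacing as a missing image at deploy; worth checking that it does.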
@@ -592,6 +592,9 @@ defaults: policyLabel: "Geneva Actions" authorityFQDN: "{{ .ev2.entra.fqdn.sts }}" audienceFQDN: "{{ .ev2.arm.endpoint }}" + imageV2: + repository: "mise-1p-container-image" + digest: "" image: repository: "mise-1p-container-image" digest: "" diff --git a/config/dev.digests.yaml b/config/dev.digests.yaml index 17690e259d..46fc794a7a 100644 --- a/config/dev.digests.yaml +++ b/config/dev.digests.yaml @@ -3,19 +3,19 @@ clouds: environments: cspr: regions: - westus3: cffe30b492d28a9ed26afb7cb4a48eb46f0550b88aeff5fc9d3a5557ecd61ad1 + westus3: 3d91fe34e09e6984ed4ea0edb718e086aab0438521b1668adafa2ed1ba57e3b7 dev: regions: - westus3: 689cae6da430790fa5dc141a21d93b1ccde61a9bfa42808f2bfd971a25e54f83 + westus3: ff14a77013190e34b8f1dbd380aa3d73835cf87758c227b5a82c41054b1d65c1 perf: regions: - westus3: ce4beac7562dd549899b3b0e0da1501f7c6ed6534214ab93abab11df50998614 + westus3: 537280f1cb9d42be9db2d949fa22fecfd44754f8411da33e9af9fa95d8f2a982 pers: regions: - westus3: a993fd332e3fe39ae0e05c78f0d77b6de0f637fbdc286a758ecb08b610506da4 + westus3: e04ce53cb7441e6e5ecb4096ac5ea5845f020f8c481a6139a1199cbedb7923ba prow: regions: - westus3: 609c74619d39b90456064244486e8cf3994ef03e3ef40663dc8a6308425f37ca + westus3: 116fe51a765528acae27b92f74c4388b77576eb6a7f11c7fe163a5c403c06892 swft: regions: - uksouth: 7a09385051c1fdc0700b14be9a13a6ef6b93e8ab8d93a1110aeef97d8c438b47 + uksouth: 274ebb78c934eaed9f12d952cd0cf7f1636879552e517346df9bcfcae04fd7a6 diff --git a/config/rendered/dev/cspr/westus3.yaml b/config/rendered/dev/cspr/westus3.yaml index cdbe19c04b..e54905397e 100755 --- a/config/rendered/dev/cspr/westus3.yaml +++ b/config/rendered/dev/cspr/westus3.yaml @@ -569,6 +569,9 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + imageV2: + digest: "" + repository: mise-1p-container-image tracing: address: "" exporter: "" 
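Review bot: `imageV2.digest` defaults to `""`, and every rendered dev environment in this diff inherits that empty value, so unless a dev overlay outside this change fills it in, the chart's v2 container image renders as `<registry>/mise-1p-container-image@` — an invalid reference the API server or kubelet will reject. The VirtualService introduced in the same change still sends 10% of mesh traffic to the `v2` subset, so in dev that share of requests would be routed to a subset with no ready endpoints until a digest is supplied. The v1 `image.digest` has the same empty default but the rendered dev files carry a real sha256 for it, so the v1 path is being populated by something that does not yet know about `imageV2`; either wire that source up for v2 or put a real digest here, e.g. `digest: "sha256:14a32d793b79c47b0b8a79342ef428d29078987686dfca66e41e3810e8e75e2b"` pending the dev pipeline change.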
diff --git a/config/rendered/dev/dev/westus3.yaml b/config/rendered/dev/dev/westus3.yaml index 186dbc1b79..369b699529 100755 --- a/config/rendered/dev/dev/westus3.yaml +++ b/config/rendered/dev/dev/westus3.yaml @@ -569,6 +569,9 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + imageV2: + digest: "" + repository: mise-1p-container-image tracing: address: "" exporter: "" diff --git a/config/rendered/dev/perf/westus3.yaml b/config/rendered/dev/perf/westus3.yaml index 22f1817d2b..b80ba2c070 100755 --- a/config/rendered/dev/perf/westus3.yaml +++ b/config/rendered/dev/perf/westus3.yaml @@ -569,6 +569,9 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + imageV2: + digest: "" + repository: mise-1p-container-image tracing: address: "" exporter: "" diff --git a/config/rendered/dev/pers/westus3.yaml b/config/rendered/dev/pers/westus3.yaml index c39aec2aea..28acda4889 100755 --- a/config/rendered/dev/pers/westus3.yaml +++ b/config/rendered/dev/pers/westus3.yaml @@ -571,6 +571,9 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + imageV2: + digest: "" + repository: mise-1p-container-image tracing: address: "" exporter: "" diff --git a/config/rendered/dev/prow/westus3.yaml b/config/rendered/dev/prow/westus3.yaml index 0f088c83a7..3dc8c74627 100755 --- a/config/rendered/dev/prow/westus3.yaml +++ b/config/rendered/dev/prow/westus3.yaml @@ -571,6 +571,9 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + imageV2: + digest: "" + repository: mise-1p-container-image tracing: address: "" exporter: "" diff --git a/config/rendered/dev/swft/uksouth.yaml b/config/rendered/dev/swft/uksouth.yaml index 2ea33d65f8..219ae47018 100755 
--- a/config/rendered/dev/swft/uksouth.yaml +++ b/config/rendered/dev/swft/uksouth.yaml @@ -571,6 +571,9 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + imageV2: + digest: "" + repository: mise-1p-container-image tracing: address: "" exporter: "" diff --git a/istio/deploy/charts/mise/Chart.yaml b/istio/deploy/charts/mise/Chart.yaml index c235f183af..8838973788 100644 --- a/istio/deploy/charts/mise/Chart.yaml +++ b/istio/deploy/charts/mise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: mise -description: A Helm chart for mise +description: A Helm chart for mise, see https://aka.ms/misev2 type: application version: 0.1.0 appVersion: "1.0.0" diff --git a/istio/deploy/charts/mise/templates/configmap-misev2.yaml b/istio/deploy/charts/mise/templates/configmap-misev2.yaml new file mode 100644 index 0000000000..d8c433b297 --- /dev/null +++ b/istio/deploy/charts/mise/templates/configmap-misev2.yaml 
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: misev2-config
+ namespace: '{{ .Values.namespace }}'
+data:
+ appsettings.json: |-
+ {
+ "$schema": "https://identitydivision.visualstudio.com/DevEx/_git/MISE?path=/schemas/mise-options-schema.json",
+ "MiseVersion": "2.0",
+ "AllowedHosts": "*",
+ "EnableInboundPolicyFilter": true,
+ "AzureAd": {
+ "Instance": "{{ .Values.audit.adInstance }}",
+ "ClientId": "{{ .Values.audit.clientId }}",
+ "TenantId": "{{ .Values.audit.tenantId }}",
+ "Audience": "{{ .Values.audit.audience }}",
+ "Logging": {
+ "LogLevel": "Information"
+ },
+ "InboundPolicies": [
+ {
+ "Label": "{{ .Values.armPolicy.label }}",
+ "Authority": "{{ .Values.armPolicy.authority }}",
+ "Audience": "{{ .Values.armPolicy.audience }}",
+ "ValidApplicationIds": [
+ "{{ .Values.armPolicy.applicationId }}"
+ ],
+ "Protocols": {
+ "Pop": {
+ "SignedHttpRequestValidationParametersOptions": {
+ "ValidateTs": true,
+ "ValidateM": true,
+ "ValidateU": true,
+ "ValidateP": true
+ }
+ }
+ }
+ },
+ {
+ "Label": "{{ .Values.genevaActionsPolicy.label }}",
+ "Authority": "{{ .Values.genevaActionsPolicy.authority }}",
+ "Audience": "{{ .Values.genevaActionsPolicy.audience }}",
+ "ValidApplicationIds": [
+ "{{ .Values.genevaActionsPolicy.applicationId }}"
+ ],
+ "Protocols": {
+ "Bearer": {
+ "TokenTypes": {
+ "AccessToken": {
+ "AppToken": true
+ }
+ }
+ }
+ }
+ }
+ ]
+ },
+ "Kestrel": {
+ "Endpoints": {
+ "Http": {
+ "Url": "http://0.0.0.0:8080"
+ }
+ }
+ },
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft": "Information"
+ }
+ }
+ }
diff --git a/istio/deploy/charts/mise/templates/deployment-misev2.yaml b/istio/deploy/charts/mise/templates/deployment-misev2.yaml
new file mode 100644
index 0000000000..84f10f7822
--- /dev/null
+++ b/istio/deploy/charts/mise/templates/deployment-misev2.yaml
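Review bot: The Helm values are interpolated straight into JSON string literals (`"{{ .Values.armPolicy.label }}"`, `"{{ .Values.armPolicy.applicationId }}"`, `"{{ .Values.genevaActionsPolicy.authority }}"` and the rest) with no escaping, so a value containing a double quote or backslash produces an unparseable appsettings.json, and a value that closes the string could splice extra keys such as an additional `ValidApplicationIds` entry into the policy object; render each templated string as `{{ .Values.armPolicy.applicationId | toJson }}` (which emits the surrounding quotes and escapes) instead of quoting it by hand. `"AllowedHosts": "*"` turns off ASP.NET Core host filtering, which is tolerable only because the pod is reached through the STRICT PeerAuthentication visible in the fixture and the ARM policy's PoP `ValidateU` check; since JSON has no comment syntax, record that dependency as a YAML comment above `appsettings.json: |-`, e.g. `# AllowedHosts is "*" because Istio strict mTLS and PoP URL validation gate inbound traffic; do not relax either without revisiting this.` The Geneva Actions policy accepts bearer app-only tokens on `ValidApplicationIds` alone, which is presumably intended, but a one-line comment naming why no PoP is required there would help the next reviewer.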
@@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: misev2 + namespace: '{{ .Values.namespace }}' +spec: + replicas: 2 + selector: + matchLabels: + app: mise + version: v2 + template: + metadata: + labels: + app: mise + version: v2 + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: '{{ if eq (int .Values.deployment.zoneCount) 0 }}kubernetes.azure.com/agentpool{{ else }}topology.kubernetes.io/zone{{ end }}' + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: mise + version: v2 + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: mise + version: v2 + containers: + - name: misev2 + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}@{{ .Values.image.digestv2 }}" + ports: + - containerPort: 8080 + livenessProbe: + httpGet: + path: /healthz + port: 8080 + readinessProbe: + httpGet: + path: /readyz + port: 8080 + volumeMounts: + - name: config + mountPath: /app/appsettings.json + subPath: appsettings.json + readOnly: true + env: + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: "{{ .Values.tracing.address }}" + - name: OTEL_TRACES_EXPORTER + value: "{{ .Values.tracing.exporter }}" + volumes: + - name: config + configMap: + name: misev2-config diff --git a/istio/deploy/charts/mise/templates/deployment.yaml b/istio/deploy/charts/mise/templates/deployment.yaml index 71f9278ec4..52486f3673 100644 --- a/istio/deploy/charts/mise/templates/deployment.yaml +++ b/istio/deploy/charts/mise/templates/deployment.yaml @@ -12,6 +12,7 @@ spec: metadata: labels: app: mise + version: v1 spec: topologySpreadConstraints: - maxSkew: 1 diff --git a/istio/deploy/charts/mise/templates/destinationrule.yaml b/istio/deploy/charts/mise/templates/destinationrule.yaml new file mode 100644 index 0000000000..d2a63a8d3f --- /dev/null +++ b/istio/deploy/charts/mise/templates/destinationrule.yaml 
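Review bot: The `misev2` container has no `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `capabilities: {drop: [ALL]}`) and no `resources`, and the v1 Deployment it runs beside is noticeably longer in the rendered fixture, so check that whatever hardening and limits v1 carries were mirrored here rather than dropped in the copy. Because `appsettings.json` is mounted via `subPath`, kubelet never refreshes it inside a running pod and the pod template has no config checksum, so an edit to `ValidApplicationIds` or an authority would not take effect until pods happen to restart — add `annotations: {checksum/config: '{{ include (print $.Template.BasePath "/configmap-misev2.yaml") . | sha256sum }}'}` under the pod template `metadata`. The image line should also refuse to render on an empty digest instead of emitting a `…@` reference: `image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}@{{ required "image.digestv2 must be set" .Values.image.digestv2 }}"`.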
@@ -0,0 +1,14 @@ +apiVersion: networking.istio.io/v1 +kind: DestinationRule +metadata: + name: mise + namespace: '{{ .Values.namespace }}' +spec: + host: mise.{{ .Values.namespace }}.svc.cluster.local + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 diff --git a/istio/deploy/charts/mise/templates/virtualservice.yaml b/istio/deploy/charts/mise/templates/virtualservice.yaml new file mode 100644 index 0000000000..031506d8b1 --- /dev/null +++ b/istio/deploy/charts/mise/templates/virtualservice.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.istio.io/v1 +kind: VirtualService +metadata: + name: mise + namespace: '{{ .Values.namespace }}' +spec: + hosts: + - mise.{{ .Values.namespace }}.svc.cluster.local + http: + - route: + - destination: + host: mise.{{ .Values.namespace }}.svc.cluster.local + subset: v1 + weight: 90 + - destination: + host: mise.{{ .Values.namespace }}.svc.cluster.local + subset: v2 + weight: 10 diff --git a/istio/deploy/charts/mise/values.yaml b/istio/deploy/charts/mise/values.yaml index ebedba4972..09e022e49b 100644 --- a/istio/deploy/charts/mise/values.yaml +++ b/istio/deploy/charts/mise/values.yaml @@ -2,6 +2,7 @@ image: registry: "" repository: "" digest: "" + digestv2: "" tracing: address: "" exporter: "" diff --git a/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml b/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml index 3fa5583235..480e664638 100644 --- a/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml +++ b/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml 
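Review bot: The 90/10 split in the VirtualService is hard-coded, so this one change rolls the 2.0.1 MISE build into 10% of production token validation the moment the overlay digest lands, and rolling back or promoting requires a chart edit and redeploy rather than a values change; expose the weights as `weight: {{ .Values.canary.v1Weight }}` / `weight: {{ .Values.canary.v2Weight }}` with a per-cloud default of 0 for v2 until the image has been validated in dev and stage. Because the two subsets run different authentication implementations, a request that v2 rejects and v1 accepts (or the reverse) will show up to callers as an intermittent 401/403 with nothing to correlate it to, so while the canary runs make the serving subset observable — the fixture already has mesh `accessLogging` enabled, and a `version` label on the Envoy log or a response header set per subset would do. The DestinationRule carries no `trafficPolicy`; that is fine while the STRICT PeerAuthentication in the fixture covers mTLS, but it should not be relied on silently if that resource is ever scoped down.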
@@ -1,4 +1,78 @@ --- +# Source: istio/charts/mise/templates/configmap-misev2.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: misev2-config + namespace: 'mise' +data: + appsettings.json: |- + { + "$schema": "https://identitydivision.visualstudio.com/DevEx/_git/MISE?path=/schemas/mise-options-schema.json", + "MiseVersion": "2.0", + "AllowedHosts": "*", + "EnableInboundPolicyFilter": true, + "AzureAd": { + "Instance": "https://login.microsoftonline.com/", + "ClientId": "b3cb2fab-15cb-4583-ad06-f91da9bfe2d1", + "TenantId": "33e01921-4d64-4f8c-a055-5bdaffd5e33d", + "Audience": "api://b3cb2fab-15cb-4583-ad06-f91da9bfe2d1", + "Logging": { + "LogLevel": "Information" + }, + "InboundPolicies": [ + { + "Label": "ARM Policy", + "Authority": "https://login.microsoftonline.com/33e01921-4d64-4f8c-a055-5bdaffd5e33d", + "Audience": "https://management.azure.com", + "ValidApplicationIds": [ + "e2c2ff5c-e5b4-4e79-8c3e-1da8c48461e7" + ], + "Protocols": { + "Pop": { + "SignedHttpRequestValidationParametersOptions": { + "ValidateTs": true, + "ValidateM": true, + "ValidateU": true, + "ValidateP": true + } + } + } + }, + { + "Label": "Geneva Actions", + "Authority": "https://sts.windows.net/__tenantId__/", + "Audience": "https://management.azure.com", + "ValidApplicationIds": [ + "__genevaActionsAppId__" + ], + "Protocols": { + "Bearer": { + "TokenTypes": { + "AccessToken": { + "AppToken": true + } + } + } + } + } + ] + }, + "Kestrel": { + "Endpoints": { + "Http": { + "Url": "http://0.0.0.0:8080" + } + } + }, + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft": "Information" + } + } + } +--- # Source: istio/templates/istio-shared-configmap.yml kind: ConfigMap apiVersion: v1 
@@ -31,6 +105,67 @@ spec: port: 8080 targetPort: 8080 --- +# Source: istio/charts/mise/templates/deployment-misev2.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: misev2 + namespace: 'mise' +spec: + replicas: 2 + selector: + matchLabels: + app: mise + version: v2 + template: + metadata: + labels: + app: mise + version: v2 + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: 'topology.kubernetes.io/zone' + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: mise + version: v2 + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: mise + version: v2 + containers: + - name: misev2 + image: "arohcpsvcdev.azurecr.io/mise-1p-container-image@sha256:1234567890" + ports: + - containerPort: 8080 + livenessProbe: + httpGet: + path: /healthz + port: 8080 + readinessProbe: + httpGet: + path: /readyz + port: 8080 + volumeMounts: + - name: config + mountPath: /app/appsettings.json + subPath: appsettings.json + readOnly: true + env: + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: "" + - name: OTEL_TRACES_EXPORTER + value: "" + volumes: + - name: config + configMap: + name: misev2-config +--- # Source: istio/charts/mise/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment @@ -46,6 +181,7 @@ spec: metadata: labels: app: mise + version: v1 spec: topologySpreadConstraints: - maxSkew: 1 @@ -121,6 +257,22 @@ spec: - name: OTEL_TRACES_EXPORTER value: "" --- +# Source: istio/charts/mise/templates/destinationrule.yaml +apiVersion: networking.istio.io/v1 +kind: DestinationRule +metadata: + name: mise + namespace: 'mise' +spec: + host: mise.mise.svc.cluster.local + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 +--- # Source: istio/templates/strict_mtls.yml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication 
@@ -207,4 +359,24 @@ spec: accessLogging: - providers: - name: envoy +--- +# Source: istio/charts/mise/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1 +kind: VirtualService +metadata: + name: mise + namespace: 'mise' +spec: + hosts: + - mise.mise.svc.cluster.local + http: + - route: + - destination: + host: mise.mise.svc.cluster.local + subset: v1 + weight: 90 + - destination: + host: mise.mise.svc.cluster.local + subset: v2 + weight: 10 diff --git a/istio/values.yaml b/istio/values.yaml index 9dc0434023..96d3094bf9 100644 --- a/istio/values.yaml +++ b/istio/values.yaml @@ -7,6 +7,7 @@ mise: registry: "{{ .acr.svc.name }}.azurecr.io" repository: "{{ .mise.image.repository }}" digest: "{{ .mise.image.digest }}" + digestv2: "{{ .mise.imageV2.digest }}" audit: adInstance: "https://{{ .mise.arm.authorityFQDN }}/" clientId: "{{ .firstPartyAppClientId }}"