Merge pull request #10162 from patrickdillon/OCPBUGS-64775-azure-ssh-leak

OCPBUGS-64775: use CAPZ to provision ssh rule

pkg/asset/manifests/azure/cluster.go

@@ -93,6 +93,17 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 					Destination:      ptr.To("*"),
 					Action:           capz.SecurityRuleActionAllow,
 				},
+				{
+					Name:             fmt.Sprintf("%s_ssh_in", clusterID.InfraID),
+					Protocol:         capz.SecurityGroupProtocolTCP,
+					Direction:        capz.SecurityRuleDirectionInbound,
+					Priority:         220,
+					SourcePorts:      ptr.To("*"),
+					DestinationPorts: ptr.To("22"),
+					Source:           ptr.To(source),
+					Destination:      ptr.To("*"),
+					Action:           capz.SecurityRuleActionAllow,
+				},
 			},
 		},
 	}

pkg/infrastructure/azure/azure.go

@@ -537,16 +537,6 @@ func (p *Provider) PostProvision(ctx context.Context, in clusterapi.PostProvisio
 		}
 
 		sshRuleName := fmt.Sprintf("%s_ssh_in", in.InfraID)
-		if err = addSecurityGroupRule(ctx, &securityGroupInput{
-			resourceGroupName:    p.ResourceGroupName,
-			securityGroupName:    fmt.Sprintf("%s-nsg", in.InfraID),
-			securityRuleName:     sshRuleName,
-			securityRulePort:     "22",
-			securityRulePriority: 220,
-			networkClientFactory: p.NetworkClientFactory,
-		}); err != nil {
-			return fmt.Errorf("failed to add security rule: %w", err)
-		}
 
 		loadBalancerName := in.InfraID
 		frontendIPConfigName := "public-lb-ip-v4"

pkg/infrastructure/azure/network.go

@@ -11,7 +11,6 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
-	"k8s.io/utils/ptr"
 	capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -54,7 +53,6 @@ type securityGroupInput struct {
 	securityGroupName    string
 	securityRuleName     string
 	securityRulePort     string
-	securityRulePriority int32
 	networkClientFactory *armnetwork.ClientFactory
 }
 
@@ -368,40 +366,6 @@ func associateVMToBackendPool(ctx context.Context, in vmInput) error {
 	return nil
 }
 
-func addSecurityGroupRule(ctx context.Context, in *securityGroupInput) error {
-	securityRulesClient := in.networkClientFactory.NewSecurityRulesClient()
-
-	// Assume inbound tcp connections from any port to destination port for now
-	securityRuleResp, err := securityRulesClient.BeginCreateOrUpdate(ctx,
-		in.resourceGroupName,
-		in.securityGroupName,
-		in.securityRuleName,
-		armnetwork.SecurityRule{
-			Name: ptr.To(in.securityRuleName),
-			Properties: &armnetwork.SecurityRulePropertiesFormat{
-				Access:                   ptr.To(armnetwork.SecurityRuleAccessAllow),
-				Direction:                ptr.To(armnetwork.SecurityRuleDirectionInbound),
-				Protocol:                 ptr.To(armnetwork.SecurityRuleProtocolTCP),
-				DestinationAddressPrefix: ptr.To("*"),
-				DestinationPortRange:     ptr.To(in.securityRulePort),
-				Priority:                 ptr.To[int32](in.securityRulePriority),
-				SourceAddressPrefix:      ptr.To("*"),
-				SourcePortRange:          ptr.To("*"),
-			},
-		},
-		nil,
-	)
-	if err != nil {
-		return fmt.Errorf("failed to add security rule: %w", err)
-	}
-	_, err = securityRuleResp.PollUntilDone(ctx, nil)
-	if err != nil {
-		return fmt.Errorf("failed to add security rule: %w", err)
-	}
-
-	return nil
-}
-
 func deleteSecurityGroupRule(ctx context.Context, in *securityGroupInput) error {
 	securityRulesClient := in.networkClientFactory.NewSecurityRulesClient()
 	securityRulesPoller, err := securityRulesClient.BeginDelete(ctx, in.resourceGroupName, in.securityGroupName, in.securityRuleName, nil)