From 7ce936d63ac300a9ae72b5126bf1e350e5ebce47 Mon Sep 17 00:00:00 2001
From: Patrick Dillon
Date: Mon, 15 Dec 2025 09:35:54 -0500
Subject: [PATCH] OCPBUGS-64775: use CAPZ to provision ssh rule A change to CAPZ[0], creates an SSH rule if one is not specified in the cluster spec. Prior to this commit, we had been creating the SSH rule with installer SDK hooks, which is still somewhat necessary to add the inbound NAT rules, because we are not yet using CAPZ to provision a public load balancer. But we can use CAPZ to just create the rule, which will stop CAPZ from preventing a redundant SSH rule which we were leaking during bootstrap destroy. This change will also result in creating an SSH rule for private clusters which is fine, and something we do on other providers. 0: https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5525
---
 pkg/asset/manifests/azure/cluster.go | 11 +++++++++
 pkg/infrastructure/azure/azure.go | 10 --------
 pkg/infrastructure/azure/network.go | 36 ----------------------------
 3 files changed, 11 insertions(+), 46 deletions(-)
diff --git a/pkg/asset/manifests/azure/cluster.go b/pkg/asset/manifests/azure/cluster.go
index 399cc746d9..0e7bcdaa60 100644
--- a/pkg/asset/manifests/azure/cluster.go
+++ b/pkg/asset/manifests/azure/cluster.go
@@ -93,6 +93,17 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 Destination: ptr.To("*"),
 Action: capz.SecurityRuleActionAllow,
 },
+ { Name: fmt.Sprintf("%s_ssh_in", clusterID.InfraID), Protocol: capz.SecurityGroupProtocolTCP, Direction: capz.SecurityRuleDirectionInbound, Priority: 220, SourcePorts: ptr.To("*"), DestinationPorts: ptr.To("22"), Source: ptr.To(source), Destination: ptr.To("*"), Action: capz.SecurityRuleActionAllow, },
 },
 },
 }
diff --git a/pkg/infrastructure/azure/azure.go b/pkg/infrastructure/azure/azure.go
index 0539428122..47bb7b82ac 100644
--- a/pkg/infrastructure/azure/azure.go
+++ b/pkg/infrastructure/azure/azure.go
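Review bot: The rule name `fmt.Sprintf("%s_ssh_in", clusterID.InfraID)` in the new NetworkSecurityGroup entry must stay identical to `sshRuleName := fmt.Sprintf("%s_ssh_in", in.InfraID)` kept in PostProvision (pkg/infrastructure/azure/azure.go), which still needs that rule for the inbound NAT rules and, if the bootstrap-destroy cleanup the message mentions looks it up by name, for deleteSecurityGroupRule too; after this commit the two literals are the only link between them. A shared helper such as `func sshRuleName(infraID string) string { return infraID + "_ssh_in" }` in a package both sides can import would keep them from drifting. The entry also reads like a redundant copy of what CAPZ now generates on its own, so it deserves a why-comment, e.g. `// Declare the SSH rule explicitly so CAPZ owns it rather than adding its own default; PostProvision attaches the bootstrap NAT rules to this rule by name.` `Source: ptr.To(source)` replaces the removed SDK rule's `SourceAddressPrefix: "*"`, and `source` is defined outside the hunk, so the intended exposure of port 22 (now also on private clusters, per the message) cannot be confirmed here and is worth stating in that comment. GenerateClusterAssets starts outside the hunk.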
@@ -537,16 +537,6 @@ func (p *Provider) PostProvision(ctx context.Context, in clusterapi.PostProvisio
 }
 sshRuleName := fmt.Sprintf("%s_ssh_in", in.InfraID)
- if err = addSecurityGroupRule(ctx, &securityGroupInput{
- resourceGroupName: p.ResourceGroupName,
- securityGroupName: fmt.Sprintf("%s-nsg", in.InfraID),
- securityRuleName: sshRuleName,
- securityRulePort: "22",
- securityRulePriority: 220,
- networkClientFactory: p.NetworkClientFactory,
- }); err != nil {
- return fmt.Errorf("failed to add security rule: %w", err)
- }
 loadBalancerName := in.InfraID
 frontendIPConfigName := "public-lb-ip-v4"
diff --git a/pkg/infrastructure/azure/network.go b/pkg/infrastructure/azure/network.go
index d7aed2a883..75de4d50a5 100644
--- a/pkg/infrastructure/azure/network.go
+++ b/pkg/infrastructure/azure/network.go
@@ -11,7 +11,6 @@ import (
 "github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4"
 "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
- "k8s.io/utils/ptr"
 capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -54,7 +53,6 @@ type securityGroupInput struct {
 securityGroupName string
 securityRuleName string
 securityRulePort string
- securityRulePriority int32
 networkClientFactory *armnetwork.ClientFactory
 }
@@ -368,40 +366,6 @@ func associateVMToBackendPool(ctx context.Context, in vmInput) error {
 return nil
 }
-func addSecurityGroupRule(ctx context.Context, in *securityGroupInput) error {
- securityRulesClient := in.networkClientFactory.NewSecurityRulesClient()
-
- // Assume inbound tcp connections from any port to destination port for now
- securityRuleResp, err := securityRulesClient.BeginCreateOrUpdate(ctx,
- in.resourceGroupName,
- in.securityGroupName,
- in.securityRuleName,
- armnetwork.SecurityRule{
- Name: ptr.To(in.securityRuleName),
- Properties: &armnetwork.SecurityRulePropertiesFormat{
- Access: ptr.To(armnetwork.SecurityRuleAccessAllow),
- Direction: ptr.To(armnetwork.SecurityRuleDirectionInbound),
- Protocol: ptr.To(armnetwork.SecurityRuleProtocolTCP),
- DestinationAddressPrefix: ptr.To("*"),
- DestinationPortRange: ptr.To(in.securityRulePort),
- Priority: ptr.To[int32](in.securityRulePriority),
- SourceAddressPrefix: ptr.To("*"),
- SourcePortRange: ptr.To("*"),
- },
- },
- nil,
- )
- if err != nil {
- return fmt.Errorf("failed to add security rule: %w", err)
- }
- _, err = securityRuleResp.PollUntilDone(ctx, nil)
- if err != nil {
- return fmt.Errorf("failed to add security rule: %w", err)
- }
-
- return nil
-}
-
 func deleteSecurityGroupRule(ctx context.Context, in *securityGroupInput) error {
 securityRulesClient := in.networkClientFactory.NewSecurityRulesClient()
 securityRulesPoller, err := securityRulesClient.BeginDelete(ctx, in.resourceGroupName, in.securityGroupName, in.securityRuleName, nil)