kubernetes-sigs
diff --git a/‎cloud/converters/rules.go‎
Lines changed: 73 additions & 0 deletions b/‎cloud/converters/rules.go‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎cloud/scope/cluster.go‎
Lines changed: 43 additions & 0 deletions b/‎cloud/scope/cluster.go‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎cloud/services/loadbalancers/loadbalancers.go‎
Lines changed: 1 addition & 1 deletion b/‎cloud/services/loadbalancers/loadbalancers.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cloud/services/securitygroups/mock_securitygroups/client_mock.go‎
Lines changed: 94 additions & 0 deletions b/‎cloud/services/securitygroups/mock_securitygroups/client_mock.go‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎cloud/services/securitygroups/mock_securitygroups/doc.go‎
Lines changed: 3 additions & 1 deletion b/‎cloud/services/securitygroups/mock_securitygroups/doc.go‎
Lines changed: 3 additions & 1 deletion
@@ -0,0 +1,73 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package converters
+
+import (
+	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2019-06-01/network"
+	"github.com/Azure/go-autorest/autorest/to"
+	infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1alpha3"
+)
+
+func IngresstoSecurityRule(ingress infrav1.IngressRule) network.SecurityRule {
+	secRule := network.SecurityRule{
+		Name: to.StringPtr(ingress.Name),
+		SecurityRulePropertiesFormat: &network.SecurityRulePropertiesFormat{
+			Description:              to.StringPtr(ingress.Description),
+			SourceAddressPrefix:      ingress.Source,
+			SourcePortRange:          ingress.SourcePorts,
+			DestinationAddressPrefix: ingress.Destination,
+			DestinationPortRange:     ingress.DestinationPorts,
+			Access:                   network.SecurityRuleAccessAllow,
+			Direction:                network.SecurityRuleDirectionInbound,
+			Priority:                 to.Int32Ptr(ingress.Priority),
+		},
+	}
+
+	switch ingress.Protocol {
+	case infrav1.SecurityGroupProtocolAll:
+		secRule.Protocol = network.SecurityRuleProtocolAsterisk
+	case infrav1.SecurityGroupProtocolTCP:
+		secRule.Protocol = network.SecurityRuleProtocolTCP
+	case infrav1.SecurityGroupProtocolUDP:
+		secRule.Protocol = network.SecurityRuleProtocolUDP
+	}
+
+	return secRule
+}
+
+func SecuritytoIngressRule(rule network.SecurityRule) infrav1.IngressRule {
+	ingRule := infrav1.IngressRule{
+		Name:             to.String(rule.Name),
+		Description:      to.String(rule.Description),
+		Priority:         to.Int32(rule.Priority),
+		SourcePorts:      rule.SourcePortRange,
+		DestinationPorts: rule.DestinationPortRange,
+		Source:           rule.SourceAddressPrefix,
+		Destination:      rule.DestinationAddressPrefix,
+	}
+
+	switch rule.Protocol {
+	case network.SecurityRuleProtocolAsterisk:
+		ingRule.Protocol = infrav1.SecurityGroupProtocolAll
+	case network.SecurityRuleProtocolTCP:
+		ingRule.Protocol = infrav1.SecurityGroupProtocolTCP
+	case network.SecurityRuleProtocolUDP:
+		ingRule.Protocol = infrav1.SecurityGroupProtocolUDP
+	}
+
+	return ingRule
+}
@@ -19,6 +19,8 @@ package scope
 import (
 	"context"
 	"fmt"
+	"github.com/Azure/go-autorest/autorest/to"
+	"strconv"
 
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/go-logr/logr"
@@ -153,6 +155,20 @@ func (s *ClusterScope) RouteTableSpecs() []azure.RouteTableSpec {
 	}}
 }
 
+// NSGSpecs returns the security group specs.
+func (s *ClusterScope) NSGSpecs() []azure.NSGSpec {
+	return []azure.NSGSpec{
+		{
+			Name:         s.ControlPlaneSubnet().SecurityGroup.Name,
+			IngressRules: s.ControlPlaneSubnet().SecurityGroup.IngressRules,
+		},
+		{
+			Name:         s.NodeSubnet().SecurityGroup.Name,
+			IngressRules: s.NodeSubnet().SecurityGroup.IngressRules,
+		},
+	}
+}
+
 // SubnetSpecs returns the subnets specs.
 func (s *ClusterScope) SubnetSpecs() []azure.SubnetSpec {
 	return []azure.SubnetSpec{
@@ -283,3 +299,30 @@ func (s *ClusterScope) SetFailureDomain(id string, spec clusterv1.FailureDomainS
 	}
 	s.AzureCluster.Status.FailureDomains[id] = spec
 }
+
+func (s *ClusterScope) SetControlPlaneIngressRules() {
+	if s.ControlPlaneSubnet().SecurityGroup.IngressRules == nil {
+		s.ControlPlaneSubnet().SecurityGroup.IngressRules = infrav1.IngressRules{
+			&infrav1.IngressRule{
+				Name:             "allow_ssh",
+				Description:      "Allow SSH",
+				Priority:         100,
+				Protocol:         infrav1.SecurityGroupProtocolTCP,
+				Source:           to.StringPtr("*"),
+				SourcePorts:      to.StringPtr("*"),
+				Destination:      to.StringPtr("*"),
+				DestinationPorts: to.StringPtr("22"),
+			},
+			&infrav1.IngressRule{
+				Name:             "allow_apiserver",
+				Description:      "Allow K8s API Server",
+				Priority:         101,
+				Protocol:         infrav1.SecurityGroupProtocolTCP,
+				Source:           to.StringPtr("*"),
+				SourcePorts:      to.StringPtr("*"),
+				Destination:      to.StringPtr("*"),
+				DestinationPorts: to.StringPtr(strconv.Itoa(int(s.APIServerPort()))),
+			},
+		}
+	}
+}
@@ -191,7 +191,7 @@ func (s *Service) Delete(ctx context.Context) error {
 		err := s.Client.Delete(ctx, s.Scope.ResourceGroup(), lbSpec.Name)
 		if err != nil && azure.ResourceNotFound(err) {
 			// already deleted
-			return nil
+			continue
 		}
 		if err != nil {
 			return errors.Wrapf(err, "failed to delete load balancer %s in resource group %s", lbSpec.Name, s.Scope.ResourceGroup())
 
@@ -15,6 +15,8 @@ limitations under the License.
 */
 
 // Run go generate to regenerate this mock.
-//go:generate ../../../../hack/tools/bin/mockgen -destination securitygroups_mock.go -package mock_securitygroups -source ../client.go Client
+//go:generate ../../../../hack/tools/bin/mockgen -destination client_mock.go -package mock_securitygroups -source ../client.go Client
+//go:generate ../../../../hack/tools/bin/mockgen -destination securitygroups_mock.go -package mock_securitygroups -source ../service.go NSGScope
+//go:generate /usr/bin/env bash -c "cat ../../../../hack/boilerplate/boilerplate.generatego.txt client_mock.go > _client_mock.go && mv _client_mock.go client_mock.go"
 //go:generate /usr/bin/env bash -c "cat ../../../../hack/boilerplate/boilerplate.generatego.txt securitygroups_mock.go > _securitygroups_mock.go && mv _securitygroups_mock.go securitygroups_mock.go"
 package mock_securitygroups //nolint
Original file line number	Diff line number	Diff line change
`@@ -191,7 +191,7 @@ func (s *Service) Delete(ctx context.Context) error {`
`191`	`191`	`err := s.Client.Delete(ctx, s.Scope.ResourceGroup(), lbSpec.Name)`
`192`	`192`	`if err != nil && azure.ResourceNotFound(err) {`
`193`	`193`	`// already deleted`
`194`		`- return nil`
	`194`	`+ continue`
`195`	`195`	`}`
`196`	`196`	`if err != nil {`
`197`	`197`	`return errors.Wrapf(err, "failed to delete load balancer %s in resource group %s", lbSpec.Name, s.Scope.ResourceGroup())`