
Azure RG/Vnet RG Security Group different behaviour Frontend & Backend #13068

Status: Open
4ch3los opened this issue Feb 9, 2024 · 1 comment
Labels: customer-request, kind/bug (Categorizes issue or PR as related to a bug.), sig/cluster-management (Denotes a PR or issue as being assigned to SIG Cluster Management.)

Comments

@4ch3los

4ch3los commented Feb 9, 2024

What happened?

When trying to create a cluster in Azure, you have the option to provide a general resource group and a VNet resource group. This seems to be implemented totally fine, except for the security group.
The UI fetches the already available security groups (and everything else) from the VNet RG and provides them as options in the dropdown. (https://github.com/kubermatic/dashboard/blob/main/modules/web/src/app/wizard/step/provider-settings/provider/extended/azure/component.ts#L352 & https://github.com/kubermatic/dashboard/blob/main/modules/web/src/app/wizard/step/provider-settings/provider/extended/azure/component.ts#L257)

The backend reconciler, however, tries to fetch the provided security group, or would create a new one, in the general resource group.
https://github.com/kubermatic/kubermatic/blob/main/pkg/provider/cloud/azure/security_group.go#L44

The issue generally affects use cases where network infrastructure is already present and the resource names are provided during cluster creation.
But it is still possible to create a cluster by entering the NSG name manually.

Expected behavior

Fetch the NSGs as options in the UI which will also be usable in the backend.
This could either be the NSGs from the general resource group (no backwards compatibility issues),
the NSGs from the VNet RG (would be breaking for existing setups),
or an option to use both setups for best compatibility, with the general RG as default.

How to reproduce the issue?

Try to create an Azure cluster with 2 resource groups (one for networking & one for compute):

  • NSG in networking RG -> cluster reconcile will fail, but the dropdown in the UI will contain the NSG
  • NSG in compute RG -> cluster will build successfully, but the UI does not provide the NSG via the dropdown

How is your environment configured?

  • KKP version: 2.24.2
  • Shared or separate master/seed clusters?: separate clusters

What cloud provider are you running on?

Azure

What operating system are you running in your user cluster?

Flatcar

Additional information

After separating the NSG and the subnet into two different resource groups, we had the realization that this setup makes configuring the permissions for the app registration way easier. So it is definitely not just more complexity, but also has some benefits.

I would be happy to open a PR with a fix, but I need a decision about the desired behaviour.

@4ch3los 4ch3los added the kind/bug Categorizes issue or PR as related to a bug. label Feb 9, 2024
@embik embik added sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management. customer-request labels Mar 11, 2024
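As an added illustration (not Kubermatic's or the dashboard's code): a pre-flight check that mirrors the resource-group mismatch described in the report above, using hypothetical types and a constructed inventory in place of an Azure query. It separates the reported failure (NSG present only in the VNet RG the wizard listed) from the quieter case where the name matches nothing and the reconciler would create a new security group instead of reusing the intended one.

```go
package main

import (
	"errors"
	"fmt"
)

// AzureCloudSpec is a reduced, hypothetical model of the fields involved (not Kubermatic's type).
type AzureCloudSpec struct {
	ResourceGroup     string // general (compute) RG the reconciler uses
	VNetResourceGroup string // optional networking RG the wizard dropdown reads from
	SecurityGroup     string // NSG name picked or typed in the wizard
}

// Inventory maps resource group -> NSG names present; a constructed stand-in for an Azure query.
type Inventory map[string]map[string]bool

func (inv Inventory) has(rg, nsg string) bool { return inv[rg][nsg] }

// backendRG is where the reconciler looks (per the report); wizardRG is where the dashboard lists from.
func backendRG(s AzureCloudSpec) string { return s.ResourceGroup }
func wizardRG(s AzureCloudSpec) string {
	if s.VNetResourceGroup != "" {
		return s.VNetResourceGroup
	}
	return s.ResourceGroup
}

var ErrNSGMismatch = errors.New("security group exists only in the VNet resource group")

// PreflightSecurityGroup mirrors the lookup behaviour described in the issue before reconciliation
// runs: nil means the NSG will be found; ErrNSGMismatch is the reported bug (NSG only where the UI
// looked); any other error means a new NSG would be created instead of reusing the intended one.
func PreflightSecurityGroup(s AzureCloudSpec, inv Inventory) error {
	switch {
	case s.SecurityGroup == "":
		return nil // nothing named to look up
	case inv.has(backendRG(s), s.SecurityGroup):
		return nil
	case inv.has(wizardRG(s), s.SecurityGroup):
		return fmt.Errorf("%w: %q is in %q, reconciler looks in %q", ErrNSGMismatch, s.SecurityGroup, wizardRG(s), backendRG(s))
	}
	return fmt.Errorf("security group %q not found in %q; a new one would be created there", s.SecurityGroup, backendRG(s))
}

func main() {
	inv := Inventory{"net-rg": {"shared-nsg": true}, "compute-rg": {"compute-nsg": true}} // constructed
	for _, nsg := range []string{"shared-nsg", "compute-nsg", "typo-nsg"} {
		spec := AzureCloudSpec{ResourceGroup: "compute-rg", VNetResourceGroup: "net-rg", SecurityGroup: nsg}
		fmt.Printf("%s: %v\n", nsg, PreflightSecurityGroup(spec, inv))
	}
}
```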
@xrstf
Contributor

xrstf commented Jun 9, 2024

From reading the code, it seems not just security groups, but also subnets and route tables are created in the "normal" Resource Group instead of the VNetResourceGroup. Is that also a mistake? I'm no Azure expert.

The validation logic in the provider makes me at least believe the VNet RG should be used: https://github.com/kubermatic/kubermatic/blob/main/pkg/provider/cloud/azure/provider.go#L379-L382 -- but the routeTable still uses the "normal" RG. By mistake? Or is the dashboard wrong?

@xrstf xrstf added this to the KKP 2.26 milestone Jun 9, 2024
@xrstf xrstf self-assigned this Jun 9, 2024