Azure RG/Vnet RG Security Group different behaviour Frontend & Backend #13068
Labels: customer-request, kind/bug, sig/cluster-management
What happened?
When trying to create a cluster in Azure, you have the option to provide a general resource group and a VNet resource group. This seems to be implemented totally fine, except for the security group.
The UI fetches the already available security groups (and everything else) from the VNet RG and provides them as options in the dropdown. (https://github.com/kubermatic/dashboard/blob/main/modules/web/src/app/wizard/step/provider-settings/provider/extended/azure/component.ts#L352 & https://github.com/kubermatic/dashboard/blob/main/modules/web/src/app/wizard/step/provider-settings/provider/extended/azure/component.ts#L257)
The backend reconciler, however, tries to fetch the provided security group or would create a new one in the general resource group.
https://github.com/kubermatic/kubermatic/blob/main/pkg/provider/cloud/azure/security_group.go#L44
The issue generally affects use cases where network infrastructure is already present and the resource names are provided during cluster creation.
But it is still possible to create a cluster by entering the NSG name manually.
Expected behavior
Fetch the NSGs as options in the UI, which will also be usable in the backend.
This could either be the NSGs from the general resource group (no backwards compatibility issues),
the NSGs from the VNet RG (would be breaking for existing setups),
or an option to use both setups for best compatibility, with the general RG as default.
How to reproduce the issue?
Try to create an Azure cluster with 2 resource groups (one for networking & one for compute).
How is your environment configured?
What cloud provider are you running on?
Azure
What operating system are you running in your user cluster?
flatcar
Additional information
After separating the NSG and the snet into two different resource groups, we had the realization that this setup makes configuring the permissions for the app registration way easier. So definitely not just more complexity, but also some benefits.
I would be happy to open a PR with a fix, but I need a decision about the desired behaviour.
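The mismatch reported above and the third option under "Expected behavior", modelled in Go as an added example (not Kubermatic's code and not written by the issue author). The in-memory inventory and the resource group and NSG names are constructed, and the NSGResourceGroup field is hypothetical.

```go
package main

import "fmt"

// Inventory is a constructed model: resource group name -> NSG names in it.
type Inventory map[string][]string

// Spec holds the wizard inputs the issue describes. NSGResourceGroup is a
// hypothetical field modelling the "both, general RG as default" option.
type Spec struct {
	ResourceGroup, VNetResourceGroup, SecurityGroup, NSGResourceGroup string
}

// SampleInventory is constructed data: one pre-existing NSG in the network RG.
func SampleInventory() Inventory {
	return Inventory{"rg-network": {"nsg-existing"}, "rg-compute": {}}
}

// UIOptions models the dropdown: NSGs are listed from the VNet RG.
func UIOptions(s Spec, inv Inventory) []string { return inv[s.VNetResourceGroup] }

// reconcileIn looks the NSG up in rg and creates it there if it is missing.
func reconcileIn(rg string, s Spec, inv Inventory) (usedRG string, created bool) {
	for _, n := range inv[rg] {
		if n == s.SecurityGroup {
			return rg, false
		}
	}
	inv[rg] = append(inv[rg], s.SecurityGroup)
	return rg, true
}

// ReconcileCurrent models the reported backend behaviour: general RG only.
func ReconcileCurrent(s Spec, inv Inventory) (string, bool) { return reconcileIn(s.ResourceGroup, s, inv) }

// ReconcileProposed uses NSGResourceGroup when set, else the general RG.
func ReconcileProposed(s Spec, inv Inventory) (string, bool) {
	if s.NSGResourceGroup != "" {
		return reconcileIn(s.NSGResourceGroup, s, inv)
	}
	return reconcileIn(s.ResourceGroup, s, inv)
}

func main() {
	s := Spec{ResourceGroup: "rg-compute", VNetResourceGroup: "rg-network", SecurityGroup: "nsg-existing"}
	fmt.Println(UIOptions(s, SampleInventory()))        // what the dropdown offers
	fmt.Println(ReconcileCurrent(s, SampleInventory())) // where the backend ends up
	s.NSGResourceGroup = "rg-network"
	fmt.Println(ReconcileProposed(s, SampleInventory()))
}
```

In the current model the NSG picked from the dropdown is not the one the backend uses: a second NSG with the same name is created in the general resource group, while the pre-existing one in the network resource group stays unattached.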