Merge pull request #30721 from vespa-engine/hakonhall/azure-lb-trust

Azure LB trust
vespa-engine · Mar 24, 2024 · c3be0b5 · c3be0b5
2 parents 419c836 + 1f42018
commit c3be0b5
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -2,6 +2,7 @@
 package com.yahoo.vespa.hosted.provision.node;
 
 import com.google.common.collect.ImmutableSet;
+import com.yahoo.config.provision.CloudName;
 import com.yahoo.config.provision.NodeType;
 import com.yahoo.config.provision.Zone;
 import com.yahoo.vespa.hosted.provision.Node;
@@ -80,6 +81,13 @@ public static NodeAcl from(Node node, NodeList allNodes, LoadBalancers loadBalan
                 // - proxy nodes
                 trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config), ipSpace));
                 trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.proxy), ipSpace));
+
+                // AZURE does not support proxy protocol, but instead passes through the source IP address.
+                // Which means we must accept any source IP.
+                if (zone.cloud().name().equals(CloudName.AZURE) &&
+                    node.allocation().map(a -> a.membership().cluster().type().isContainer()).orElse(false)) {
+                    trustedPorts.add(4443);
+                }
             }
             case config -> {
                 // Config servers trust: