Make inbound NAT rules reconcile/delete async

azure/interfaces.go

@@ -62,6 +62,7 @@ type NetworkDescriber interface {
 	SetSubnet(infrav1.SubnetSpec)
 	IsIPv6Enabled() bool
 	ControlPlaneRouteTable() infrav1.RouteTable
+	APIServerLB() *infrav1.LoadBalancerSpec
 	APIServerLBName() string
 	APIServerLBPoolName(string) string
 	IsAPIServerPrivate() bool

azure/scope/machine.go

@@ -40,6 +40,7 @@ import (
 	"sigs.k8s.io/cluster-api-provider-azure/azure"
 	"sigs.k8s.io/cluster-api-provider-azure/azure/services/availabilitysets"
 	"sigs.k8s.io/cluster-api-provider-azure/azure/services/disks"
+	"sigs.k8s.io/cluster-api-provider-azure/azure/services/inboundnatrules"
 	"sigs.k8s.io/cluster-api-provider-azure/azure/services/resourceskus"
 	"sigs.k8s.io/cluster-api-provider-azure/azure/services/virtualmachines"
 	"sigs.k8s.io/cluster-api-provider-azure/util/futures"
@@ -193,16 +194,25 @@ func (m *MachineScope) PublicIPSpecs() []azure.PublicIPSpec {
 }
 
 // InboundNatSpecs returns the inbound NAT specs.
-func (m *MachineScope) InboundNatSpecs() []azure.InboundNatSpec {
+func (m *MachineScope) InboundNatSpecs(portsInUse map[int32]struct{}) []azure.ResourceSpecGetter {
+	// The existing inbound NAT rules are needed in order to find an available SSH port for each new inbound NAT rule.
 	if m.Role() == infrav1.ControlPlane {
-		return []azure.InboundNatSpec{
-			{
-				Name:             m.Name(),
-				LoadBalancerName: m.APIServerLBName(),
-			},
+		spec := &inboundnatrules.InboundNatSpec{
+			Name:                      m.Name(),
+			ResourceGroup:             m.ResourceGroup(),
+			LoadBalancerName:          m.APIServerLBName(),
+			FrontendIPConfigurationID: nil,
+			PortsInUse:                portsInUse,
 		}
+		if frontEndIPs := m.APIServerLB().FrontendIPs; len(frontEndIPs) > 0 {
+			ipConfig := frontEndIPs[0].Name
+			id := azure.FrontendIPConfigID(m.SubscriptionID(), m.ResourceGroup(), m.APIServerLBName(), ipConfig)
+			spec.FrontendIPConfigurationID = to.StringPtr(id)
+		}
+
+		return []azure.ResourceSpecGetter{spec}
 	}
-	return []azure.InboundNatSpec{}
+	return []azure.ResourceSpecGetter{}
 }
 
 // NICSpecs returns the network interface specs.

azure/scope/machine_test.go

@@ -18,7 +18,9 @@ package scope
 
 import (
 	"context"
+	"fmt"
 	"reflect"
+	"strings"
 	"testing"
 
 	autorestazure "github.com/Azure/go-autorest/autorest/azure"
@@ -32,8 +34,20 @@ import (
 	infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
 	"sigs.k8s.io/cluster-api-provider-azure/azure"
 	"sigs.k8s.io/cluster-api-provider-azure/azure/services/disks"
+	"sigs.k8s.io/cluster-api-provider-azure/azure/services/inboundnatrules"
 )
 
+func specArrayToString(specs []azure.ResourceSpecGetter) string {
+	var sb strings.Builder
+	sb.WriteString("[ ")
+	for _, spec := range specs {
+		sb.WriteString(fmt.Sprintf("%+v ", spec))
+	}
+	sb.WriteString("]")
+
+	return sb.String()
+}
+
 func TestMachineScope_Name(t *testing.T) {
 	tests := []struct {
 		name         string
@@ -283,7 +297,7 @@ func TestMachineScope_InboundNatSpecs(t *testing.T) {
 	tests := []struct {
 		name         string
 		machineScope MachineScope
-		want         []azure.InboundNatSpec
+		want         []azure.ResourceSpecGetter
 	}{
 		{
 			name: "returns empty when infra is not control plane",
@@ -295,7 +309,7 @@ func TestMachineScope_InboundNatSpecs(t *testing.T) {
 					},
 				},
 			},
-			want: []azure.InboundNatSpec{},
+			want: []azure.ResourceSpecGetter{},
 		},
 		{
 			name: "returns InboundNatSpec when infra is control plane",
@@ -313,29 +327,48 @@ func TestMachineScope_InboundNatSpecs(t *testing.T) {
 					},
 				},
 				ClusterScoper: &ClusterScope{
+					AzureClients: AzureClients{
+						EnvironmentSettings: auth.EnvironmentSettings{
+							Values: map[string]string{
+								auth.SubscriptionID: "123",
+							},
+						},
+					},
 					AzureCluster: &infrav1.AzureCluster{
 						Spec: infrav1.AzureClusterSpec{
+							ResourceGroup:  "my-rg",
+							SubscriptionID: "123",
 							NetworkSpec: infrav1.NetworkSpec{
 								APIServerLB: infrav1.LoadBalancerSpec{
 									Name: "foo-loadbalancer",
+									FrontendIPs: []infrav1.FrontendIP{
+										{
+											Name: "foo-frontend-ip",
+										},
+									},
 								},
 							},
 						},
 					},
 				},
 			},
-			want: []azure.InboundNatSpec{
-				{
-					Name:             "machine-name",
-					LoadBalancerName: "foo-loadbalancer",
+			want: []azure.ResourceSpecGetter{
+				&inboundnatrules.InboundNatSpec{
+					Name:                      "machine-name",
+					LoadBalancerName:          "foo-loadbalancer",
+					ResourceGroup:             "my-rg",
+					FrontendIPConfigurationID: to.StringPtr(azure.FrontendIPConfigID("123", "my-rg", "foo-loadbalancer", "foo-frontend-ip")),
+					PortsInUse:                make(map[int32]struct{}),
 				},
 			},
 		},
 	}
 	for _, tt := range tests {
+		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			if got := tt.machineScope.InboundNatSpecs(); !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("InboundNatSpecs() = %v, want %v", got, tt.want)
+			t.Parallel()
+			if got := tt.machineScope.InboundNatSpecs(make(map[int32]struct{})); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("InboundNatSpecs() = %s, want %s", specArrayToString(got), specArrayToString(tt.want))
 			}
 		})
 	}

azure/scope/managedcontrolplane.go

@@ -316,6 +316,11 @@ func (s *ManagedControlPlaneScope) IsVnetManaged() bool {
 	return true
 }
 
+// APIServerLBName returns the API Server LB spec.
+func (s *ManagedControlPlaneScope) APIServerLB() *infrav1.LoadBalancerSpec {
+	return nil // does not apply for AKS
+}
+
 // APIServerLBName returns the API Server LB name.
 func (s *ManagedControlPlaneScope) APIServerLBName() string {
 	return "" // does not apply for AKS