From c4ec894578573aee6fae9eb03a29e3466064be74 Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Tue, 18 Jul 2023 05:38:37 +0300
Subject: [PATCH] azure: Perform challenge callbacks into a node

---
 pkg/apis/kops/model/features.go | 2 ++
 pkg/model/azuremodel/network.go | 11 +++++++++++
 2 files changed, 13 insertions(+)

diff --git a/pkg/apis/kops/model/features.go b/pkg/apis/kops/model/features.go
index 56925f3525..30bdf4b21b 100644
--- a/pkg/apis/kops/model/features.go
+++ b/pkg/apis/kops/model/features.go
@@ -31,6 +31,8 @@ func UseChallengeCallback(cloudProvider kops.CloudProviderID) bool {
 return true
 case kops.CloudProviderScaleway:
 return true
+ case kops.CloudProviderAzure:
+ return true
 default:
 return false
 }
diff --git a/pkg/model/azuremodel/network.go b/pkg/model/azuremodel/network.go
index c0b8a19528..1ebda04ad0 100644
--- a/pkg/model/azuremodel/network.go
+++ b/pkg/model/azuremodel/network.go
@@ -167,6 +167,17 @@ func (b *NetworkModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 })
 }
 }
+ nsgTask.SecurityRules = append(nsgTask.SecurityRules, &azuretasks.NetworkSecurityRule{
+ Name: fi.PtrTo("AllowNodeupChallenge"),
+ Priority: fi.PtrTo[int32](220),
+ Access: network.SecurityRuleAccessAllow,
+ Direction: network.SecurityRuleDirectionInbound,
+ Protocol: network.SecurityRuleProtocolTCP,
+ SourceAddressPrefix: fi.PtrTo(b.Cluster.Spec.Networking.NetworkCIDR),
+ SourcePortRange: fi.PtrTo("*"),
+ DestinationAddressPrefix: fi.PtrTo("*"),
+ DestinationPortRange: fi.PtrTo(strconv.Itoa(wellknownports.NodeupChallenge)),
+ })
 var nodePortAccessIPv4, nodePortAccessIPv6 []string
 for _, cidr := range b.Cluster.Spec.NodePortAccess {
 switch net.IPFamilyOfCIDRString(cidr) {
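Review bot: Returning true for `kops.CloudProviderAzure` here is only correct together with the `AllowNodeupChallenge` NSG rule this same commit adds in pkg/model/azuremodel/network.go, and nothing in the switch records that coupling, so a later change to either file can silently break node bootstrap. A comment on the new case, `// Requires the AllowNodeupChallenge NSG rule in pkg/model/azuremodel/network.go.`, would make the dependency visible. As a point of style, the providers that return true could be folded into a single multi-value case instead of repeating `return true` per provider. UseChallengeCallback starts outside the hunk.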
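Review bot: The new `AllowNodeupChallenge` rule opens inbound TCP on the nodeup challenge port with no comment saying why, so a reader of the NSG rule list cannot tell that this is the control plane calling back into a node during bootstrap rather than a user-facing service; suggest `// Allow the control plane to perform the nodeup challenge callback into nodes; the source is limited to the VNet CIDR so the port is not reachable from outside the cluster network.` above the `append`. The priority `220` is a bare literal that must be unique within the NSG; if the other rules in this builder use named or sequential priorities, this one should follow the same scheme. The rule also passes `b.Cluster.Spec.Networking.NetworkCIDR` unchecked; if that field can be empty for an Azure cluster the resulting empty prefix would presumably be rejected by the API, so confirm it is validated upstream. Build starts and continues outside the hunk.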