Merge pull request #18156 from hakman/azure-task-deps

k8s-ci-robot · web-flow · commit a46ce9ba19b2 · 2026-04-04T01:03:10.000+05:30
azure: Fix task dependencies during cluster update
diff --git a/pkg/model/azuremodel/api_loadbalancer.go b/pkg/model/azuremodel/api_loadbalancer.go
@@ -76,6 +76,7 @@ func (b *APILoadBalancerModelBuilder) Build(c *fi.CloudupModelBuilderContext) er
 			Tags:          map[string]*string{},
 		}
 		c.AddTask(p)
+		lb.PublicIPAddress = p
 	default:
 		return fmt.Errorf("unknown load balancer Type: %q", lbSpec.Type)
 	}
diff --git a/pkg/model/azuremodel/network.go b/pkg/model/azuremodel/network.go
@@ -51,7 +51,11 @@ func (b *NetworkModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 		Name:          fi.PtrTo(b.NameForVirtualNetwork()),
 		Lifecycle:     b.Lifecycle,
 		ResourceGroup: b.LinkToResourceGroup(),
-		Tags:          map[string]*string{},
+		ApplicationSecurityGroups: []*azuretasks.ApplicationSecurityGroup{
+			b.LinkToApplicationSecurityGroupControlPlane(),
+			b.LinkToApplicationSecurityGroupNodes(),
+		},
+		Tags: map[string]*string{},
 	}
 	sshAccessIPv4 := ipv4CIDRs(b.Cluster.Spec.SSHAccess)
 	if len(sshAccessIPv4) > 0 {
diff --git a/upup/pkg/fi/cloudup/azuretasks/loadbalancer.go b/upup/pkg/fi/cloudup/azuretasks/loadbalancer.go
@@ -42,6 +42,9 @@ type LoadBalancer struct {
 	// External is set to true when the loadbalancer is used for external traffic
 	External *bool
 
+	// PublicIPAddress is the public IP address for external load balancers.
+	PublicIPAddress *PublicIPAddress
+
 	Tags map[string]*string
 
 	// WellKnownServices indicates which services are supported by this resource.
@@ -135,6 +138,11 @@ func (lb *LoadBalancer) Find(c *fi.CloudupContext) (*LoadBalancer, error) {
 			Name: subnet.Name,
 		}
 	}
+	if feConfig.Properties.PublicIPAddress != nil {
+		actual.PublicIPAddress = &PublicIPAddress{
+			ID: feConfig.Properties.PublicIPAddress.ID,
+		}
+	}
 
 	return actual, nil
 }
@@ -178,7 +186,7 @@ func (*LoadBalancer) RenderAzure(t *azure.AzureAPITarget, a, e, changes *LoadBal
 	feConfigProperties := &network.FrontendIPConfigurationPropertiesFormat{}
 	if *e.External {
 		feConfigProperties.PublicIPAddress = &network.PublicIPAddress{
-			ID: to.Ptr(fmt.Sprintf("/%s/publicIPAddresses/%s", idPrefix, *e.Name)),
+			ID: e.PublicIPAddress.ID,
 		}
 	} else {
 		feConfigProperties.PrivateIPAllocationMethod = to.Ptr(network.IPAllocationMethodDynamic)
diff --git a/upup/pkg/fi/cloudup/azuretasks/loadbalancer_test.go b/upup/pkg/fi/cloudup/azuretasks/loadbalancer_test.go
@@ -44,7 +44,10 @@ func newTestLoadBalancer() *LoadBalancer {
 				Name: to.Ptr("vnet"),
 			},
 		},
-		External:          to.Ptr(true),
+		External: to.Ptr(true),
+		PublicIPAddress: &PublicIPAddress{
+			ID: to.Ptr("/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/loadbalancer"),
+		},
 		WellKnownServices: []wellknownservices.WellKnownService{wellknownservices.KubeAPIServer},
 		Tags: map[string]*string{
 			testTagKey: to.Ptr(testTagValue),
diff --git a/upup/pkg/fi/cloudup/azuretasks/networksecuritygroup.go b/upup/pkg/fi/cloudup/azuretasks/networksecuritygroup.go
@@ -38,6 +38,10 @@ type NetworkSecurityGroup struct {
 
 	SecurityRules []*NetworkSecurityRule
 
+	// ApplicationSecurityGroups are the ASGs referenced by security rules.
+	// This field is used for dependency ordering and is not rendered to the cloud.
+	ApplicationSecurityGroups []*ApplicationSecurityGroup
+
 	Tags map[string]*string
 }
 

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,7 @@ func (b APILoadBalancerModelBuilder) Build(c fi.CloudupModelBuilderContext) er`
`76`	`76`	`Tags: map[string]*string{},`
`77`	`77`	`}`
`78`	`78`	`c.AddTask(p)`
	`79`	`+ lb.PublicIPAddress = p`
`79`	`80`	`default:`
`80`	`81`	`return fmt.Errorf("unknown load balancer Type: %q", lbSpec.Type)`
`81`	`82`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,10 @@ type NetworkSecurityGroup struct {`
`38`	`38`
`39`	`39`	`SecurityRules []*NetworkSecurityRule`
`40`	`40`
	`41`	`+ // ApplicationSecurityGroups are the ASGs referenced by security rules.`
	`42`	`+ // This field is used for dependency ordering and is not rendered to the cloud.`
	`43`	`+ ApplicationSecurityGroups []*ApplicationSecurityGroup`
	`44`	`+`
`41`	`45`	`Tags map[string]*string`
`42`	`46`	`}`
`43`	`47`