
CORS-3893: Create nat rule and associate to NIC#10361

Open
rna-afk wants to merge 1 commit into openshift:main from rna-afk:azure_dualstack_add_nat_rule

Conversation


@rna-afk rna-afk commented Mar 4, 2026

Adding IPv6 NAT rule for bootstrap SSH access and updating NAT rules to the correct IP version on the bootstrap NIC.

Summary by CodeRabbit

  • Bug Fixes
    • Improved IPv6 support by enabling SSH access through public load balancer for dual-stack configurations with public API endpoints.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 4, 2026

openshift-ci-robot commented Mar 4, 2026

@rna-afk: This pull request references CORS-3893 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


In response to this:

Adding IPv6 NAT rule for bootstrap SSH access and updating NAT rules to the correct IP version on the bootstrap NIC.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from jhixson74 and sadasu March 4, 2026 21:31

openshift-ci bot commented Mar 4, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sadasu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jhixson74
Member

/retest-required

@jhixson74
Member

Looks right to me. Tests need to pass.

Adding IPv6 NAT rule for bootstrap SSH access and updating
NAT rules to the correct IP version on the bootstrap NIC.
@rna-afk rna-afk force-pushed the azure_dualstack_add_nat_rule branch from 776e3e0 to bf7dea8 on April 13, 2026 15:05
@coderabbitai

coderabbitai bot commented Apr 13, 2026

Walkthrough

In Azure infrastructure provisioning, when dual-stack is enabled with public API configured, the code now creates and associates an IPv6 inbound NAT rule for SSH on the public load balancer during the PostProvision operation.

Changes

Cohort: IPv6 SSH NAT Rule for Dual-Stack
File(s): pkg/infrastructure/azure/azure.go
Summary: Added logic in Provider.PostProvision to create and associate an IPv6 inbound NAT rule for SSH (TCP/22) when dual-stack is enabled. Derives the IPv6 frontend IP configuration, creates the NAT rule via addInboundNatRuleToLoadBalancer, and associates it to the bootstrap NIC via associateInboundNatRuleToInterface with IPv6-specific error handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 10
✅ Passed checks (10 passed)
Check name: Status. Explanation
  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'CORS-3893: Create nat rule and associate to NIC' directly matches the main changes in the PR, which involve creating an IPv6 inbound NAT rule and associating it to the bootstrap NIC.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Stable And Deterministic Test Names: Passed. Custom check targets Ginkgo test names with dynamic information, but the PR modifies infrastructure provisioning code in pkg/infrastructure/azure/azure.go without test declarations.
  • Test Structure And Quality: Passed. The PR contains only infrastructure provider code changes with no Ginkgo test files (*_test.go) or test code blocks, making this test-specific check not applicable.
  • Microshift Test Compatibility: Passed. PR modifies only production infrastructure code without adding new Ginkgo e2e tests, so the custom check requirement does not apply.
  • Single Node Openshift (Sno) Test Compatibility: Passed. No Ginkgo e2e tests are added; changes are infrastructure code for Azure IPv6 NAT rule provisioning.
  • Topology-Aware Scheduling Compatibility: Passed. PR modifies Azure infrastructure provisioning code (NAT rules), not Kubernetes deployment manifests, operators, or controllers. No pod affinity, topology constraints, node selectors, or scheduling logic affecting OpenShift topologies introduced.
  • Ote Binary Stdout Contract: Passed. PR modifies infrastructure provisioning code for Azure NAT rules, not process-level code in OTE binaries. No stdout writes detected in infrastructure operations.
  • Ipv6 And Disconnected Network Test Compatibility: Passed. PR does not introduce new Ginkgo e2e tests; the modified file is Azure infrastructure provider implementation code without test patterns.



Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions




openshift-ci-robot commented Apr 13, 2026

@rna-afk: This pull request references CORS-3893 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


In response to this:

Adding IPv6 NAT rule for bootstrap SSH access and updating NAT rules to the correct IP version on the bootstrap NIC.

Summary by CodeRabbit

  • Bug Fixes
    • Improved IPv6 support by enabling SSH access through public load balancer for dual-stack configurations with public API endpoints.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1



📥 Commits

Reviewing files that changed from the base of the PR and between 52540f5 and bf7dea8.

📒 Files selected for processing (1)
  • pkg/infrastructure/azure/azure.go

Comment on lines +656 to +687
sshRuleNameV6 := fmt.Sprintf("%s_ssh_in_v6", in.InfraID)
frontendIPv6ConfigID := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/loadBalancers/%s/frontendIPConfigurations/%s",
subscriptionID,
p.ResourceGroupName,
loadBalancerName,
frontendIPv6ConfigName,
)

inboundNatRuleV6, err := addInboundNatRuleToLoadBalancer(ctx, &inboundNatRuleInput{
resourceGroupName: p.ResourceGroupName,
loadBalancerName: loadBalancerName,
frontendIPConfigID: frontendIPv6ConfigID,
inboundNatRuleName: sshRuleNameV6,
inboundNatRulePort: 22,
networkClientFactory: p.NetworkClientFactory,
})
if err != nil {
return fmt.Errorf("failed to create IPv6 SSH inbound nat rule: %w", err)
}
_, err = associateInboundNatRuleToInterface(ctx, &inboundNatRuleInput{
resourceGroupName: p.ResourceGroupName,
loadBalancerName: loadBalancerName,
bootstrapNicName: fmt.Sprintf("%s-bootstrap-nic", in.InfraID),
frontendIPConfigID: frontendIPv6ConfigID,
inboundNatRuleID: *inboundNatRuleV6.ID,
inboundNatRuleName: sshRuleNameV6,
inboundNatRulePort: 22,
networkClientFactory: p.NetworkClientFactory,
})
if err != nil {
return fmt.Errorf("failed to associate IPv6 SSH inbound nat rule to interface: %w", err)
}
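Review bot: `*inboundNatRuleV6.ID` is dereferenced on the associate call without a nil check; if addInboundNatRuleToLoadBalancer ever returns a rule whose ID is unset (it is a pointer, as the dereference shows), PostProvision panics instead of returning an error. Guard it before the call, e.g. `if inboundNatRuleV6 == nil || inboundNatRuleV6.ID == nil { return fmt.Errorf("IPv6 SSH inbound nat rule has no ID") }`. The block also builds the bootstrap NIC name inline with `fmt.Sprintf("%s-bootstrap-nic", in.InfraID)`; a shared constant or helper would keep it in step with the IPv4 path and with PostDestroy.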

⚠️ Potential issue | 🟠 Major

Add cleanup for the new IPv6 SSH NAT rule in PostDestroy.

Line 656 introduces ${InfraID}_ssh_in_v6, but PostDestroy only deletes ${InfraID}_ssh_in (IPv4). This leaves a stale IPv6 inbound NAT rule and unnecessary SSH exposure on the IPv6 frontend after bootstrap teardown.

💡 Proposed fix
--- a/pkg/infrastructure/azure/azure.go
+++ b/pkg/infrastructure/azure/azure.go
@@
 	sshRuleName := fmt.Sprintf("%s_ssh_in", in.Metadata.InfraID)
+	sshRuleNameV6 := fmt.Sprintf("%s_ssh_in_v6", in.Metadata.InfraID)
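Review bot: `sshRuleNameV6` repeats the "%s_ssh_in_v6" format that PostProvision uses at line 656 of this PR (there with in.InfraID, here with in.Metadata.InfraID); put the suffix in one shared constant, or a helper that returns both the IPv4 and IPv6 names, so the create and delete paths cannot drift.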
@@
 	_, err = networkClientFactory.NewInboundNatRulesClient().Get(
 		ctx,
 		resourceGroupName,
 		in.Metadata.InfraID,
 		sshRuleName,
 		nil,
 	)
 	if err == nil {
 		err = deleteInboundNatRule(ctx, &inboundNatRuleInput{
 			resourceGroupName:    resourceGroupName,
 			loadBalancerName:     in.Metadata.InfraID,
 			inboundNatRuleName:   sshRuleName,
 			networkClientFactory: networkClientFactory,
 		})
 		if err != nil {
 			return fmt.Errorf("failed to delete inbound nat rule: %w", err)
 		}
 	}
+
+	_, err = networkClientFactory.NewInboundNatRulesClient().Get(
+		ctx,
+		resourceGroupName,
+		in.Metadata.InfraID,
+		sshRuleNameV6,
+		nil,
+	)
+	if err == nil {
+		err = deleteInboundNatRule(ctx, &inboundNatRuleInput{
+			resourceGroupName:    resourceGroupName,
+			loadBalancerName:     in.Metadata.InfraID,
+			inboundNatRuleName:   sshRuleNameV6,
+			networkClientFactory: networkClientFactory,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to delete IPv6 inbound nat rule: %w", err)
+		}
+	}
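Review bot: the `if err == nil` after `NewInboundNatRulesClient().Get(...)` treats every lookup failure as "rule already gone", so a throttled, 403 or transient error silently skips the deletion and leaves `${InfraID}_ssh_in_v6` (and, in the unchanged IPv4 block above, `${InfraID}_ssh_in`) serving SSH on the public frontend, which is the exposure this fix is meant to close. Check the status instead, e.g. `var respErr *azcore.ResponseError; if errors.As(err, &respErr) && respErr.StatusCode == http.StatusNotFound { /* nothing to delete */ } else if err != nil { return err }`, and only then fall through to deleteInboundNatRule. Also, the hunk deletes the rule but never disassociates it from the bootstrap NIC, while the agent prompt for this same comment says to disassociate first; if the NIC is already deleted by this point in PostDestroy, say so in a comment, otherwise the disassociation step is missing.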
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/infrastructure/azure/azure.go` around lines 656 - 687, PostDestroy
currently only removes the IPv4 SSH NAT rule; add symmetric cleanup for the IPv6
rule named fmt.Sprintf("%s_ssh_in_v6") inside the PostDestroy function: locate
the IPv4 cleanup block that deletes `${InfraID}_ssh_in` and mirror it to first
disassociate the IPv6 inbound NAT from the bootstrap NIC (use the same
pattern/clients as associateInboundNatRuleToInterface/inboundNatRuleInput but
calling your disassociation helper) and then delete the IPv6 inbound NAT rule
from the load balancer (use the same deletion helper used for IPv4 cleanup),
passing the same resourceGroupName, loadBalancerName, frontendIPv6ConfigID and
p.NetworkClientFactory so the `${InfraID}_ssh_in_v6` rule and its NIC
association are fully removed.
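
The symmetric cleanup the review asks for, sketched as an added example that is not code from the PR or the installer: one helper produces the IPv4 and IPv6 SSH rule names for both PostProvision and PostDestroy, and the destroy step tolerates only NotFound rather than any error. `LoadBalancer`, `ErrNotFound` and `CleanupSSHRules` are assumed stand-ins for the installer's NetworkClientFactory, the SDK's 404 ResponseError and the deleteInboundNatRule helper.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound stands in for the SDK's 404 (assumption: real code checks azcore.ResponseError.StatusCode).
var ErrNotFound = errors.New("inbound NAT rule not found")
// LoadBalancer is a constructed in-memory stand-in for the inbound NAT rules client.
type LoadBalancer struct {
	Rules  map[string]int32 // rule name -> backend port
	GetErr error            // injected non-404 failure such as throttling or a 403
}
// Get mimics InboundNatRulesClient.Get: NotFound when the rule is absent.
func (lb *LoadBalancer) Get(name string) error {
	if lb.GetErr != nil {
		return lb.GetErr
	}
	if _, ok := lb.Rules[name]; !ok {
		return ErrNotFound
	}
	return nil
}
// SSHRuleNames builds the IPv4 and (dual-stack) IPv6 names in one place so PostProvision and PostDestroy cannot drift.
func SSHRuleNames(infraID string, dualStack bool) []string {
	names := []string{infraID + "_ssh_in"}
	if dualStack {
		names = append(names, infraID+"_ssh_in_v6")
	}
	return names
}
// CleanupSSHRules is the symmetric PostDestroy step. Only NotFound is tolerated;
// any other lookup error is returned instead of silently leaving an SSH rule exposed.
func CleanupSSHRules(lb *LoadBalancer, infraID string, dualStack bool) error {
	for _, name := range SSHRuleNames(infraID, dualStack) {
		if err := lb.Get(name); errors.Is(err, ErrNotFound) {
			continue // already gone, nothing to clean up
		} else if err != nil {
			return fmt.Errorf("failed to look up %s: %w", name, err)
		}
		delete(lb.Rules, name) // real code: deleteInboundNatRule(...)
	}
	return nil
}

func main() {
	lb := &LoadBalancer{Rules: map[string]int32{"demo_ssh_in": 22, "demo_ssh_in_v6": 22}}
	fmt.Println(CleanupSSHRules(lb, "demo", true), len(lb.Rules))
}
```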


openshift-ci bot commented Apr 13, 2026

@rna-afk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name (commit, required): rerun command
  • ci/prow/e2e-azure-ovn-shared-vpc (bf7dea8, required: false): /test e2e-azure-ovn-shared-vpc
  • ci/prow/e2e-azurestack (bf7dea8, required: false): /test e2e-azurestack
  • ci/prow/e2e-aws-ovn (bf7dea8, required: true): /test e2e-aws-ovn
  • ci/prow/e2e-azure-default-config (bf7dea8, required: false): /test e2e-azure-default-config
  • ci/prow/e2e-azure-ovn (bf7dea8, required: true): /test e2e-azure-ovn
  • ci/prow/azure-private (bf7dea8, required: false): /test azure-private
  • ci/prow/okd-scos-images (bf7dea8, required: true): /test okd-scos-images



Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
