Azure: Only create debugd loadbalancer when debugCluster is set

cli/internal/azure/client/network.go

@@ -164,7 +164,7 @@ type NetworkSecurityGroupInput struct {
 }
 
 // CreateExternalLoadBalancer creates an external load balancer.
-func (c *Client) CreateExternalLoadBalancer(ctx context.Context) error {
+func (c *Client) CreateExternalLoadBalancer(ctx context.Context, isDebugCluster bool) error {
 	// First, create a public IP address for the load balancer.
 	publicIPAddress, err := c.createPublicIPAddress(ctx, "loadbalancer-public-ip-"+c.uid)
 	if err != nil {
@@ -182,6 +182,9 @@ func (c *Client) CreateExternalLoadBalancer(ctx context.Context) error {
 		UID:           c.uid,
 	}
 	azureLoadBalancer := loadBalancer.Azure()
+	if isDebugCluster {
+		azureLoadBalancer = loadBalancer.AppendDebugRules(azureLoadBalancer)
+	}
 
 	poller, err := c.loadBalancersAPI.BeginCreateOrUpdate(
 		ctx, c.resourceGroup, loadBalancerName,

cli/internal/azure/client/network_test.go

@@ -177,12 +177,18 @@ func TestCreateExternalLoadBalancer(t *testing.T) {
 	testCases := map[string]struct {
 		publicIPAddressesAPI publicIPAddressesAPI
 		loadBalancersAPI     loadBalancersAPI
+		isDebugCluster       bool
 		wantErr              bool
 	}{
 		"successful create": {
 			publicIPAddressesAPI: stubPublicIPAddressesAPI{},
 			loadBalancersAPI:     stubLoadBalancersAPI{},
 		},
+		"successful create (debug cluster)": {
+			publicIPAddressesAPI: stubPublicIPAddressesAPI{},
+			loadBalancersAPI:     stubLoadBalancersAPI{},
+			isDebugCluster:       true,
+		},
 		"failed to get response from successful create": {
 			loadBalancersAPI:     stubLoadBalancersAPI{pollErr: someErr},
 			publicIPAddressesAPI: stubPublicIPAddressesAPI{},
@@ -216,7 +222,7 @@ func TestCreateExternalLoadBalancer(t *testing.T) {
 				publicIPAddressesAPI: tc.publicIPAddressesAPI,
 			}
 
-			err := client.CreateExternalLoadBalancer(ctx)
+			err := client.CreateExternalLoadBalancer(ctx, tc.isDebugCluster)
 			if tc.wantErr {
 				assert.Error(err)
 			} else {

cli/internal/azure/loadbalancer.go

@@ -25,15 +25,15 @@ type LoadBalancer struct {
 const (
 	BackendAddressPoolWorkerName       = "backendAddressWorkerPool"
 	BackendAddressPoolControlPlaneName = "backendAddressControlPlanePool"
+	frontEndIPConfigName               = "frontEndIPConfig"
+	kubeHealthProbeName                = "kubeHealthProbe"
+	verifyHealthProbeName              = "verifyHealthProbe"
+	coordHealthProbeName               = "coordHealthProbe"
+	debugdHealthProbeName              = "debugdHealthProbe"
 )
 
 // Azure returns a Azure representation of LoadBalancer.
 func (l LoadBalancer) Azure() armnetwork.LoadBalancer {
-	frontEndIPConfigName := "frontEndIPConfig"
-	kubeHealthProbeName := "kubeHealthProbe"
-	verifyHealthProbeName := "verifyHealthProbe"
-	coordHealthProbeName := "coordHealthProbe"
-	debugdHealthProbeName := "debugdHealthProbe"
 	backEndAddressPoolNodeName := BackendAddressPoolWorkerName + "-" + l.UID
 	backEndAddressPoolControlPlaneName := BackendAddressPoolControlPlaneName + "-" + l.UID
 
@@ -175,35 +175,6 @@ func (l LoadBalancer) Azure() armnetwork.LoadBalancer {
 						},
 					},
 				},
-				{
-					Name: to.Ptr("debudLoadBalancerRule"),
-					Properties: &armnetwork.LoadBalancingRulePropertiesFormat{
-						FrontendIPConfiguration: &armnetwork.SubResource{
-							ID: to.Ptr("/subscriptions/" + l.Subscription +
-								"/resourceGroups/" + l.ResourceGroup +
-								"/providers/Microsoft.Network/loadBalancers/" + l.Name +
-								"/frontendIPConfigurations/" + frontEndIPConfigName),
-						},
-						FrontendPort: to.Ptr[int32](constants.DebugdPort),
-						BackendPort:  to.Ptr[int32](constants.DebugdPort),
-						Protocol:     to.Ptr(armnetwork.TransportProtocolTCP),
-						Probe: &armnetwork.SubResource{
-							ID: to.Ptr("/subscriptions/" + l.Subscription +
-								"/resourceGroups/" + l.ResourceGroup +
-								"/providers/Microsoft.Network/loadBalancers/" + l.Name +
-								"/probes/" + debugdHealthProbeName),
-						},
-						DisableOutboundSnat: to.Ptr(true),
-						BackendAddressPools: []*armnetwork.SubResource{
-							{
-								ID: to.Ptr("/subscriptions/" + l.Subscription +
-									"/resourceGroups/" + l.ResourceGroup +
-									"/providers/Microsoft.Network/loadBalancers/" + l.Name +
-									"/backendAddressPools/" + backEndAddressPoolControlPlaneName),
-							},
-						},
-					},
-				},
 			},
 			OutboundRules: []*armnetwork.OutboundRule{
 				{
@@ -230,3 +201,49 @@ func (l LoadBalancer) Azure() armnetwork.LoadBalancer {
 		},
 	}
 }
+
+func (l *LoadBalancer) AppendDebugRules(armLoadBalancer armnetwork.LoadBalancer) armnetwork.LoadBalancer {
+	backEndAddressPoolControlPlaneName := BackendAddressPoolControlPlaneName + "-" + l.UID
+
+	if armLoadBalancer.Properties == nil {
+		armLoadBalancer.Properties = &armnetwork.LoadBalancerPropertiesFormat{}
+	}
+
+	if armLoadBalancer.Properties.LoadBalancingRules == nil {
+		armLoadBalancer.Properties.LoadBalancingRules = []*armnetwork.LoadBalancingRule{}
+	}
+
+	debugdRule := armnetwork.LoadBalancingRule{
+		Name: to.Ptr("debugdLoadBalancerRule"),
+		Properties: &armnetwork.LoadBalancingRulePropertiesFormat{
+			FrontendIPConfiguration: &armnetwork.SubResource{
+				ID: to.Ptr("/subscriptions/" + l.Subscription +
+					"/resourceGroups/" + l.ResourceGroup +
+					"/providers/Microsoft.Network/loadBalancers/" + l.Name +
+					"/frontendIPConfigurations/" + frontEndIPConfigName),
+			},
+			FrontendPort: to.Ptr[int32](constants.DebugdPort),
+			BackendPort:  to.Ptr[int32](constants.DebugdPort),
+			Protocol:     to.Ptr(armnetwork.TransportProtocolTCP),
+			Probe: &armnetwork.SubResource{
+				ID: to.Ptr("/subscriptions/" + l.Subscription +
+					"/resourceGroups/" + l.ResourceGroup +
+					"/providers/Microsoft.Network/loadBalancers/" + l.Name +
+					"/probes/" + debugdHealthProbeName),
+			},
+			DisableOutboundSnat: to.Ptr(true),
+			BackendAddressPools: []*armnetwork.SubResource{
+				{
+					ID: to.Ptr("/subscriptions/" + l.Subscription +
+						"/resourceGroups/" + l.ResourceGroup +
+						"/providers/Microsoft.Network/loadBalancers/" + l.Name +
+						"/backendAddressPools/" + backEndAddressPoolControlPlaneName),
+				},
+			},
+		},
+	}
+
+	armLoadBalancer.Properties.LoadBalancingRules = append(armLoadBalancer.Properties.LoadBalancingRules, &debugdRule)
+
+	return armLoadBalancer
+}

cli/internal/azure/loadbalancer_test.go

@@ -0,0 +1,43 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package azure
+
+import (
+	"testing"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAppendDebugRules(t *testing.T) {
+	assert := assert.New(t)
+
+	// Test with empty rules
+	emptyAzureLoadBalancer := armnetwork.LoadBalancer{}
+	someLoadBalancer := LoadBalancer{
+		Name:          "test",
+		Subscription:  "00000000-0000-0000-0000-000000000000",
+		Location:      "westeurope",
+		ResourceGroup: "test-resource-group",
+		PublicIPID:    "some-public-ip-id",
+		UID:           "test-uid",
+	}
+
+	appendedEmptyAzureLoadBalancer := someLoadBalancer.AppendDebugRules(emptyAzureLoadBalancer)
+	assert.Equal("debugdLoadBalancerRule", *(appendedEmptyAzureLoadBalancer.Properties.LoadBalancingRules[0]).Name, "Debug load balancer rule not found at index 0")
+
+	// Test with existing rules
+	defaultAzureLoadBalancer := someLoadBalancer.Azure()
+	appendedDefaultAzureLoadBalancer := someLoadBalancer.AppendDebugRules(defaultAzureLoadBalancer)
+	var foundDebugLoadBalancer bool
+	for _, rule := range appendedDefaultAzureLoadBalancer.Properties.LoadBalancingRules {
+		if *(rule).Name == "debugdLoadBalancerRule" {
+			foundDebugLoadBalancer = true
+		}
+	}
+	assert.True(foundDebugLoadBalancer, "Debug load balancer rule not found")
+}

cli/internal/cloudcmd/clients.go

@@ -32,7 +32,7 @@ type azureclient interface {
 	GetState() state.ConstellationState
 	SetState(state.ConstellationState)
 	CreateApplicationInsight(ctx context.Context) error
-	CreateExternalLoadBalancer(ctx context.Context) error
+	CreateExternalLoadBalancer(ctx context.Context, isDebugCluster bool) error
 	CreateVirtualNetwork(ctx context.Context) error
 	CreateSecurityGroup(ctx context.Context, input azurecl.NetworkSecurityGroupInput) error
 	CreateInstances(ctx context.Context, input azurecl.CreateInstancesInput) error

cli/internal/cloudcmd/clients_test.go

@@ -90,7 +90,7 @@ func (c *fakeAzureClient) CreateVirtualNetwork(ctx context.Context) error {
 	return nil
 }
 
-func (c *fakeAzureClient) CreateExternalLoadBalancer(ctx context.Context) error {
+func (c *fakeAzureClient) CreateExternalLoadBalancer(ctx context.Context, isDebugCluster bool) error {
 	c.loadBalancerName = "loadBalancer"
 	return nil
 }
@@ -158,7 +158,7 @@ func (c *stubAzureClient) GetState() state.ConstellationState {
 func (c *stubAzureClient) SetState(state.ConstellationState) {
 }
 
-func (c *stubAzureClient) CreateExternalLoadBalancer(ctx context.Context) error {
+func (c *stubAzureClient) CreateExternalLoadBalancer(ctx context.Context, isDebugCluster bool) error {
 	return c.createLoadBalancerErr
 }
 

cli/internal/cloudcmd/create.go

@@ -164,7 +164,7 @@ func (c *Creator) createAzure(ctx context.Context, cl azureclient, config *confi
 	if err := cl.CreateApplicationInsight(ctx); err != nil {
 		return state.ConstellationState{}, err
 	}
-	if err := cl.CreateExternalLoadBalancer(ctx); err != nil {
+	if err := cl.CreateExternalLoadBalancer(ctx, config.IsDebugCluster()); err != nil {
 		return state.ConstellationState{}, err
 	}
 	if err := cl.CreateVirtualNetwork(ctx); err != nil {