From 1f42018173667036034c31e613e69d01696a8966 Mon Sep 17 00:00:00 2001
From: HÃ¥kon Hallingstad
Date: Fri, 22 Mar 2024 17:54:28 +0100
Subject: Azure LB trust
---
 .../main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
index 16aa7197587..364d411f85f 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/node/NodeAcl.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.hosted.provision.node;
 import com.google.common.collect.ImmutableSet;
+import com.yahoo.config.provision.CloudName;
 import com.yahoo.config.provision.NodeType;
 import com.yahoo.config.provision.Zone;
 import com.yahoo.vespa.hosted.provision.Node;
@@ -80,6 +81,13 @@ public record NodeAcl(Node node,
 // - proxy nodes
 trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.config), ipSpace));
 trustedNodes.addAll(TrustedNode.of(allNodes.nodeType(NodeType.proxy), ipSpace));
+
+ // AZURE does not support proxy protocol, but instead passes through the source IP address.
+ // Which means we must accept any source IP.
+ if (zone.cloud().name().equals(CloudName.AZURE) &&
+ node.allocation().map(a -> a.membership().cluster().type().isContainer()).orElse(false)) {
+ trustedPorts.add(4443);
+ }
 }
 case config -> {
 // Config servers trust:
-- 
cgit v1.2.3
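Review bot: Port 4443 becomes reachable from any source address on allocated container nodes in Azure zones once the new branch adds it to `trustedPorts`, so, going by the added comment, the node ACL no longer restricts who can connect to that listener. Whatever serves 4443 then has to authenticate and authorise every connection itself (presumably with TLS client authentication, which is not visible in this hunk), and the comment should record that dependency, e.g. `// 4443 is open to all sources on Azure; the listener must authenticate clients itself, the ACL no longer restricts it.` The literal `4443` would read better as a named constant, and since the patch touches only NodeAcl.java, a test asserting that non-Azure zones and non-container nodes do not get the port would pin the scope of the exception. The enclosing `case` starts above the hunk, so which node types reach this branch cannot be confirmed from here.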