From f47a66622743aa31970cebeca7968a0939cb700d Mon Sep 17 00:00:00 2001 From: Vincent Gramer Date: Wed, 24 Apr 2019 11:14:01 +0200 Subject: [PATCH] support azure loadbalancer standard sku (#4150) (#4476) add the support of the folling property in azure-credential-check.yml - azure_loadbalancer_sku: Sku of Load Balancer and Public IP. Candidate values are: basic and standard. - azure_exclude_master_from_standard_lb: excludes master nodes from standard load balancer. - azure_disable_outbound_snat: disables the outbound SNAT for public load balancer rules - useInstanceMetadata: Use instance metadata service where possible - azure_primary_availability_set: (Optional) The name of the availability set that should be used as the load balancer backend --- docs/azure.md | 19 +++++++++++++++++++ roles/kubernetes/node/defaults/main.yml | 8 ++++++++ .../node/tasks/azure-credential-check.yml | 17 +++++++++++++++++ .../node/templates/azure-cloud-config.j2 | 11 ++++++++++- 4 files changed, 54 insertions(+), 1 deletion(-) diff --git a/docs/azure.md b/docs/azure.md index 4aeabde71..70ee99766 100644 --- a/docs/azure.md +++ b/docs/azure.md 
@@ -51,6 +51,25 @@ This is the AppId from the last command
 azure\_aad\_client\_id must be set to the AppId, azure\_aad\_client\_secret is your choosen secret.
 
+#### azure\_loadbalancer\_sku
+Sku of Load Balancer and Public IP. Candidate values are: basic and standard.
+
+#### azure\_exclude\_master\_from\_standard\_lb
+azure\_exclude\_master\_from\_standard\_lb excludes master nodes from `standard` load balancer.
+
+#### azure\_disable\_outbound\_snat
+azure\_disable\_outbound\_snat disables the outbound SNAT for public load balancer rules. It should only be set when azure\_exclude\_master\_from\_standard\_lb is `standard`.
+
+#### azure\_primary\_availability\_set\_name
+(Optional) The name of the availability set that should be used as the load balancer backend .If this is set, the Azure
+cloudprovider will only add nodes from that availability set to the load balancer backend pool. If this is not set, and
+multiple agent pools (availability sets) are used, then the cloudprovider will try to add all nodes to a single backend
+pool which is forbidden. In other words, if you use multiple agent pools (availability sets), you MUST set this field.
+
+#### azure\_use\_instance\_metadata
+Use instance metadata service where possible
+
+
 ## Provisioning Azure with Resource Group Templates
 
 You'll find Resource Group Templates and scripts to provision the required infrastructure to Azure in [*contrib/azurerm*](../contrib/azurerm/README.md)
 
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 7eb45c89b..6bf6c54bc 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -126,3 +126,11 @@ vsphere_public_network: "{{ lookup('env', 'VSPHERE_PUBLIC_NETWORK')|default('')
 # azure_security_group_name:
 # azure_vnet_name:
 # azure_route_table_name:
+# Sku of Load Balancer and Public IP. Candidate values are: basic and standard.
+azure_loadbalancer_sku: basic
+# excludes master nodes from standard load balancer.
+azure_exclude_master_from_standard_lb: true
+# disables the outbound SNAT for public load balancer rules
+azure_disable_outbound_snat: false
+# use instance metadata service where possible
+azure_use_instance_metadata: true
diff --git a/roles/kubernetes/node/tasks/azure-credential-check.yml b/roles/kubernetes/node/tasks/azure-credential-check.yml
index 68cbaa160..f53622c41 100644
--- a/roles/kubernetes/node/tasks/azure-credential-check.yml
+++ b/roles/kubernetes/node/tasks/azure-credential-check.yml
@@ -53,3 +53,20 @@
   fail:
     msg: "azure_route_table_name is missing"
   when: azure_route_table_name is not defined or azure_route_table_name == ""
+
+- name: check azure_loadbalancer_sku value
+  fail:
+    msg: "azure_loadbalancer_sku has an invalid value '{{azure_loadbalancer_sku}}'. Supported values are 'basic', 'standard'"
+  when: azure_loadbalancer_sku not in ["basic", "standard"]
+
+- name: "check azure_exclude_master_from_standard_lb is a bool"
+  assert:
+    that: azure_exclude_master_from_standard_lb |type_debug == 'bool'
+
+- name: "check azure_disable_outbound_snat is a bool"
+  assert:
+    that: azure_disable_outbound_snat |type_debug == 'bool'
+
+- name: "check azure_use_instance_metadata is a bool"
+  assert:
+    that: azure_use_instance_metadata |type_debug == 'bool'
diff --git a/roles/kubernetes/node/templates/azure-cloud-config.j2 b/roles/kubernetes/node/templates/azure-cloud-config.j2
index d33c044b2..22377aff9 100644
--- a/roles/kubernetes/node/templates/azure-cloud-config.j2
+++ b/roles/kubernetes/node/templates/azure-cloud-config.j2
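Review bot: The commented-out placeholder list this hunk extends (`# azure_security_group_name:` … `# azure_route_table_name:`) does not gain an entry for the new optional variable the cloud-config template reads with `is defined`, so `azure_primary_availability_set_name` is not discoverable from the defaults file; add `# azure_primary_availability_set_name:` next to the existing placeholders. The comments on `azure_exclude_master_from_standard_lb` and `azure_disable_outbound_snat` also do not say that both are ignored unless `azure_loadbalancer_sku` is `standard`, which is how the template gates them, so a line such as `# only rendered into the cloud config when azure_loadbalancer_sku is "standard"` above each would save operators a surprise. Since `basic` is the default, its comment is also the place to warn that Azure documents Basic SKU public IPs as open to inbound traffic unless an NSG restricts them, whereas Standard SKU is closed by default — worth confirming against current Azure docs before wording it.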
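Review bot: The three new `assert` tasks carry no `msg`, so a value that arrives as a string — which is what `-e azure_disable_outbound_snat=true` on the command line or an INI inventory produces — fails with Ansible's generic "Assertion failed" text instead of naming the variable and the expected type, unlike the sibling `fail` tasks in this file that spell the problem out. Add e.g. `msg: "azure_disable_outbound_snat must be a boolean (true/false), got {{ azure_disable_outbound_snat | type_debug }}"` to each assert, with the matching variable name. Stylistically, the `fail` message's `{{azure_loadbalancer_sku}}` and the `|type_debug` filters lack the spaces used by every other Jinja expression in the hunk (`{{ azure_loadbalancer_sku }}`, `| type_debug`), and the task names are quoted in the assert tasks but not in the fail task; pick one spelling.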
@@ -9,5 +9,14 @@
   "securityGroupName": "{{ azure_security_group_name }}",
   "vnetName": "{{ azure_vnet_name }}",
   "vnetResourceGroup": "{{ azure_vnet_resource_group }}",
-  "routeTableName": "{{ azure_route_table_name }}"
+  "routeTableName": "{{ azure_route_table_name }}",
+{% if azure_primary_availability_set_name is defined %}
+  "primaryAvailabilitySetName": "{{ azure_primary_availability_set_name }}",
+{%endif%}
+  "useInstanceMetadata": {{azure_use_instance_metadata }},
+{% if azure_loadbalancer_sku == "standard" %}
+  "excludeMasterFromStandardLB": {{ azure_exclude_master_from_standard_lb }},
+  "disableOutboundSNAT": {{ azure_disable_outbound_snat }},
+{% endif%}
+  "loadBalancerSku": "{{ azure_loadbalancer_sku }}"
 }
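Review bot: The bare `{{azure_use_instance_metadata }}`, `{{ azure_exclude_master_from_standard_lb }}` and `{{ azure_disable_outbound_snat }}` interpolations are fed Python booleans (the credential check now rejects anything else), and Jinja2's default string conversion renders those as `True`/`False`, so the generated cloud config will contain `"useInstanceMetadata": True,` — not valid JSON for a file the Azure cloud provider parses, and the type check added in azure-credential-check.yml guarantees this outcome rather than preventing it. Render each as `{{ azure_use_instance_metadata | lower }}` (or `| to_json`), and do the same for the two standard-SKU keys. Separately, the docs hunk says `azure_disable_outbound_snat` should only be set when `azure_exclude_master_from_standard_lb` is `standard`, but the gate here is `azure_loadbalancer_sku == "standard"`; the sentence should name `azure_loadbalancer_sku`. The `{%endif%}` / `{% endif%}` spellings would read better as `{% endif %}` to match their opening tags. The object's opening `{` and the credential keys above it are outside the hunk.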