Azure cloud provider: expose services on non-default subnets

[itowlson]

What this PR does / why we need it: The Azure cloud provider allows users to specify that a service should be exposed on an internal load balancer instead of the default external load balancer. However, in a VNet environment, such services are currently always exposed on the master subnet. Where there are multiple subnets in the VNet, it's desirable to be able to expose an internal service on any subnet. This PR allows this via a new annotation, service.beta.kubernetes.io/azure-load-balancer-internal-subnet.

Which issue this PR fixes: fixes Azure/acs-engine#1296 (no corresponding issue has been raised in the k8s core repo)

Special notes for your reviewer: None

Release note:

A new service annotation has been added for services of type LoadBalancer on Azure, 
to specify the subnet on which the service's front end IP should be provisioned. The 
annotation is service.beta.kubernetes.io/azure-load-balancer-internal-subnet and its 
value is the subnet name (not the subnet ARM ID).  If omitted, the default is the 
master subnet.  It is ignored if the service is not on Azure, if the type is not 
LoadBalancer, or if the load balancer is not internal.

[k8s-ci-robot]

Hi @itowlson. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[itowlson]

/assign jdumars

[jdumars]

/ok-to-test

[itowlson]

/retest

[itowlson]

/retest

[itowlson]

/retest

[itowlson]

/retest

[jdumars]

/test pull-kubernetes-kubemark-e2e-gce

[itowlson]

/test pull-kubernetes-kubemark-e2e-gce

[karataliu]

Should use nil for subnet name.

Consider the case user switching from 'external loadbalancer (no subnet)' to 'internal loadbalancer with specified subnet'.
During external loadbalancer creating, it uses name where subnet is empty.

When switching to 'internal loadbalancer', it will first clean corresponding entry on the external loadblancer. But this time 'subnet' value is not empty.

The 'subnet-unset' value is compared with 'subnet-set' value, resulting a unmatch. Thus later the public IP for external loadbalancer will remain undeleted.

[karataliu]

Should only make use of 'ServiceAnnotationLoadBalancerInternalSubnet, when isInternal is true?

If user expects external loadbalancer, but also specifies ServiceAnnotationLoadBalancerInternalSubnet, we should ignore the annotation since it does not make sense, or just leave a warning.

[itowlson]

Fixed by making subnet check that the Internal annotation is also present.

[karataliu]

This is for 'if !wantLb {' section in 'https://github.com/kubernetes/kubernetes/pull/51757/files#diff-c901394068476b4ccb003a6c6efad57cR579', since github doesn't allow comment on unmodified code.

strings.EqualFold(*config.Name, lbFrontendIPConfigName) also needs update to 'serviceOwnsFrontEndIP'.

For a corner case:
Switching from 'internal LB with subnetA' to 'external LB with subnetB', the frontendIP won't get deleted.

Though this does not sound a good user input, but we need to ensure previous created frontendIP entry get deleted.

[karataliu]

Should only do this for internal LB

[karataliu]

Any reason to update this?

securityRuleName embeds information for service id, port, sourceAddrePrefix, which is part of security group rule. subnetName does not play a role here.

[itowlson]

You're right, this isn't needed. I thought it was needed so that old security rules got replaced with new ones during an edit that changed the subnet, but looking at the properties, you're correct that we can just keep the existing rule. Thanks!

[karataliu]

Why add port here?

[karataliu]

consider make use of getInternalTestService, and leave this func add subnet only.

[karataliu]

Frontend

[karataliu]

Also validate FrontendIPConfigurations before editing subnet

[karataliu]

This is logically incorrect, the property is for public IP case, though not validated in reconcileLoadBalancer.

[itowlson]

@karataliu Thanks for the detailed review - I appreciate your time. I think I've addressed the issues you've identified; please let me know if there are still outstanding problems.

[itowlson]

/retest

[karataliu]

LGTM

[karataliu]

"a new service", since no 'adding port' operation now.

[karataliu]

@itowlson Just added a note for one line in test comment. Others look good.

[itowlson]

/retest

[brendandburns]

/lgtm
/approve no-isssue

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: brendandburns, itowlson

No associated issue. Update pull-request body to add a reference to an issue, or get approval with /approve no-issue

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/cloudprovider/providers/azure/OWNERS [brendandburns]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 50294, 50422, 51757, 52379, 52014). If you want to cherry-pick this change to another branch, please follow the instructions here..