Feat: add external OCI cloud controller manager template & variable

Signed-off-by: tico88612 <17496418+tico88612@users.noreply.github.com>

inventory/sample/group_vars/all/oci.yml

@@ -1,3 +1,30 @@
+## When External Oracle Cloud Infrastructure is used, set these variables
+## External OCI Cloud Controller Manager
+## https://github.com/oracle/oci-cloud-controller-manager/blob/v1.29.0/manifests/provider-config-example.yaml
+# external_oci_auth_region: ""
+# external_oci_auth_tenancy: ""
+# external_oci_auth_user: ""
+# external_oci_auth_key: ""
+# external_oci_auth_passphrase: ""
+# external_oci_auth_fingerprint: ""
+# external_oci_auth_use_instance_principals: false
+
+# external_oci_compartment: ""
+# external_oci_vcn: ""
+# external_oci_load_balancer_subnet1: ""
+# external_oci_load_balancer_subnet2: ""
+# external_oci_load_balancer_security_list_management_mode: All
+# external_oci_load_balancer_security_lists: {}
+
+# external_oci_ratelimiter_qps_read: 20.0
+# external_oci_ratelimiter_bucket_read: 5
+# external_oci_ratelimiter_qps_write: 20.0
+# external_oci_ratelimiter_bucket_write: 5
+
+# external_oci_cloud_controller_image_repo: ghcr.io/oracle/cloud-provider-oci
+# external_oci_cloud_controller_image_tag: "v1.29.0"
+
+
 ## When Oracle Cloud Infrastructure is used, set these variables
 # oci_private_key:
 # oci_region_id:

roles/kubernetes-apps/external_cloud_controller/oci/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+external_oci_auth_use_instance_principals: false
+external_oci_load_balancer_security_list_management_mode: All
+external_oci_load_balancer_security_lists: {}
+
+external_oci_ratelimiter_qps_read: 20.0
+external_oci_ratelimiter_bucket_read: 5
+external_oci_ratelimiter_qps_write: 20.0
+external_oci_ratelimiter_bucket_write: 5
+
+external_oci_cloud_controller_image_repo: ghcr.io/oracle/cloud-provider-oci
+external_oci_cloud_controller_image_tag: "v1.29.0"

roles/kubernetes-apps/external_cloud_controller/oci/templates/external-oci-cloud-config-secret.yml.j2

@@ -0,0 +1,10 @@
+# This YAML file contains secret objects,
+# which are necessary to run external oci cloud controller.
+
+kind: Secret
+apiVersion: v1
+metadata:
+  name: oci-cloud-controller-manager
+  namespace: kube-system
+data:
+  cloud-provider.yaml: {{ external_oci_cloud_config_secret }}

roles/kubernetes-apps/external_cloud_controller/oci/templates/external-oci-cloud-config.yml.j2

@@ -0,0 +1,45 @@
+{% if external_oci_auth_use_instance_principals %}
+useInstancePrincipals: true
+{% endif %}
+
+auth:
+{% if external_oci_auth_use_instance_principals %}
+  useInstancePrincipals: true
+{% else %}
+  useInstancePrincipals: false
+  region: {{ external_oci_auth_region }}
+  tenancy: {{ external_oci_auth_tenancy }}
+  user: {{ external_oci_auth_user }}
+  key: |
+    {{ external_oci_auth_key }}
+  {% if external_oci_auth_passphrase is defined %}
+  # Omit if there is not a password for the key
+  passphrase: {{ external_oci_auth_passphrase }}
+  {% endif %}
+  fingerprint: {{ external_oci_auth_fingerprint }}
+{% endif %}
+
+compartment: {{ external_oci_compartment }}
+
+vcn: {{ external_oci_vcn }}
+
+loadBalancer:
+  subnet1: {{ external_oci_load_balancer_subnet1 }}
+  subnet2: {{ external_oci_load_balancer_subnet2 }}
+
+  securityListManagementMode: {{ external_oci_load_balancer_security_list_management_mode }}
+
+{% if oci_security_lists is defined and oci_security_lists | length > 0 %}
+  # Optional specification of which security lists to modify per subnet. This does not apply if security list management is off.
+  securityLists:
+  {% for subnet_ocid, list_ocid in external_oci_load_balancer_security_lists.items() %}
+    {{ subnet_ocid }}: {{ list_ocid }}
+  {% endfor %}
+{% endif %}
+
+# Optional rate limit controls for accessing OCI API
+rateLimiter:
+  rateLimitQPSRead: {{ external_oci_ratelimiter_qps_read }}
+  rateLimitBucketRead: {{ external_oci_ratelimiter_bucket_read }}
+  rateLimitQPSWrite: {{ external_oci_ratelimiter_qps_write }}
+  rateLimitBucketWrite: {{ external_oci_ratelimiter_bucket_write }}

roles/kubernetes-apps/external_cloud_controller/oci/templates/external-oci-cloud-controller-manager-rbac.yml.j2

@@ -0,0 +1,166 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-controller-manager
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:cloud-controller-manager
+  labels:
+    kubernetes.io/cluster-service: "true"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - '*'
+
+- apiGroups:
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - patch
+
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - list
+  - watch
+  - patch
+  - get
+
+- apiGroups:
+  - ""
+  resources:
+  - services/status
+  verbs:
+  - patch
+  - get
+  - update
+
+- apiGroups:
+    - ""
+  resources:
+    - configmaps
+  resourceNames:
+    - "extension-apiserver-authentication"
+  verbs:
+    - get
+
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - patch
+  - update
+
+# For leader election
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - create
+
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  resourceNames:
+  - "cloud-controller-manager"
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+
+- apiGroups:
+    - "coordination.k8s.io"
+  resources:
+    - leases
+  verbs:
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch
+
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  resourceNames:
+  - "cloud-controller-manager"
+  verbs:
+  - get
+  - update
+
+- apiGroups:
+    - ""
+  resources:
+    - configmaps
+  resourceNames:
+    - "extension-apiserver-authentication"
+  verbs:
+    - get
+    - list
+    - watch
+
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - list
+  - get
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+
+# For the PVL
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - list
+  - watch
+  - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: oci-cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:cloud-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: cloud-controller-manager
+  namespace: kube-system

roles/kubernetes-apps/external_cloud_controller/oci/templates/external-oci-cloud-controller-manager.yml.j2

@@ -0,0 +1,59 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: oci-cloud-controller-manager
+  namespace: kube-system
+  labels:
+    k8s-app: oci-cloud-controller-manager
+spec:
+  selector:
+    matchLabels:
+      component: oci-cloud-controller-manager
+      tier: control-plane
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        component: oci-cloud-controller-manager
+        tier: control-plane
+    spec:
+      serviceAccountName: cloud-controller-manager
+      hostNetwork: true
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      tolerations:
+      - key: node.cloudprovider.kubernetes.io/uninitialized
+        value: "true"
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+        - name: cfg
+          secret:
+            secretName: oci-cloud-controller-manager
+        - name: kubernetes
+          hostPath:
+            path: /etc/kubernetes
+      containers:
+        - name: oci-cloud-controller-manager
+          image: {{ external_oci_cloud_controller_image_repo }}:{{ external_oci_cloud_controller_image_tag }}
+          command: ["/usr/local/bin/oci-cloud-controller-manager"]
+          args:
+            - --cloud-config=/etc/oci/cloud-provider.yaml
+            - --cloud-provider=oci
+            - --leader-elect-resource-lock=leases
+            - --concurrent-service-syncs=3
+            - --v=2
+          volumeMounts:
+            - name: cfg
+              mountPath: /etc/oci
+              readOnly: true
+            - name: kubernetes
+              mountPath: /etc/kubernetes
+              readOnly: true