update

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/hcloud/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+external_hcloud_cloud:
+  hcloud_api_token: ""
+  token_secret_name: hcloud
+
+  service_account_name: cloud-controller-manager
+
+  controller_image_tag: "latest"
+  ## A dictionary of extra arguments to add to the openstack cloud controller manager daemonset
+  ## Format:
+  ##  external_hcloud_cloud.controller_extra_args:
+  ##    arg1: "value1"
+  ##    arg2: "value2"
+  controller_extra_args: {}

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/hcloud/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: External Hcloud Cloud Controller | Generate Manifests
+  template:
+    src: "{{ item.file }}.j2"
+    dest: "{{ kube_config_dir }}/{{ item.file }}"
+    group: "{{ kube_cert_group }}"
+    mode: 0640
+  with_items:
+    - {name: external-hcloud-cloud-secret, file: external-hcloud-cloud-secret.yml}
+    - {name: external-hcloud-cloud-service-account, file: external-hcloud-cloud-service-account.yml}
+    - {name: external-hcloud-cloud-role-bindings, file: external-hcloud-cloud-role-bindings.yml}
+    - {name: "{{ 'external-hcloud-cloud-controller-manager-ds-with-networks' if external_hcloud_cloud.with_networks  else 'external-hcloud-cloud-controller-manager-ds' }}", file: "{{ 'external-hcloud-cloud-controller-manager-ds-with-networks.yml' if external_hcloud_cloud.with_networks  else  'external-hcloud-cloud-controller-manager-ds.yml' }}"}
+
+  register: external_hcloud_manifests
+  when: inventory_hostname == groups['kube_control_plane'][0]
+  tags: external-hcloud
+
+- name: External Hcloud Cloud Controller | Apply Manifests
+  kube:
+    kubectl: "{{ bin_dir }}/kubectl"
+    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
+    state: "latest"
+  with_items:
+    - "{{ external_hcloud_manifests.results }}"
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+    - not item is skipped
+  loop_control:
+    label: "{{ item.item.file }}"
+  tags: external-hcloud

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/hcloud/templates/external-hcloud-cloud-controller-manager-ds-with-networks.yml.j2

@@ -0,0 +1,72 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: hcloud-cloud-controller-manager
+  namespace: kube-system
+  labels:
+    k8s-app: hcloud-cloud-controller-manger
+spec:
+  selector:
+    matchLabels:
+      app: hcloud-cloud-controller-manager
+  template:
+    metadata:
+      labels:
+        app: hcloud-cloud-controller-manager
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      serviceAccountName: {{ external_hcloud_cloud.service_account_name }}
+      dnsPolicy: Default
+      tolerations:
+        - key: "node.cloudprovider.kubernetes.io/uninitialized"
+          value: "true"
+          effect: "NoSchedule"
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+        - key: "node-role.kubernetes.io/master"
+          effect: NoSchedule
+          operator: Exists
+        - key: "node-role.kubernetes.io/control-plane"
+          effect: NoSchedule
+          operator: Exists
+        - key: "node.kubernetes.io/not-ready"
+          effect: "NoSchedule"
+      hostNetwork: true
+      containers:
+        - image: {{ docker_image_repo }}/hetznercloud/hcloud-cloud-controller-manager:{{ external_hcloud_cloud.controller_image_tag }}
+          name: hcloud-cloud-controller-manager
+          command:
+            - "/bin/hcloud-cloud-controller-manager"
+            - "--cloud-provider=hcloud"
+            - "--leader-elect=false"
+            - "--allow-untagged-cloud"
+            - "--allocate-node-cidrs=true"
+            - "--cluster-cidr={{ kube_pods_subnet }}"
+{% if external_hcloud_cloud.controller_extra_args is defined %}
+
+          args:
+{% for key, value in external_hcloud_cloud.controller_extra_args.items() %}
+            - "{{ '--' + key + '=' + value }}"
+{% endfor %}
+{% endif %}
+          resources:
+            requests:
+              cpu: 100m
+              memory: 50Mi
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: HCLOUD_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ external_hcloud_cloud.token_secret_name }}
+                  key: token
+            - name: HCLOUD_NETWORK
+              valueFrom:
+                secretKeyRef:
+                  name: {{ external_hcloud_cloud.token_secret_name }}
+                  key: network

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/hcloud/templates/external-hcloud-cloud-controller-manager-ds.yml.j2

@@ -0,0 +1,63 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: hcloud-cloud-controller-manager
+  namespace: kube-system
+  labels:
+    k8s-app: hcloud-cloud-controller-manger
+spec:
+  selector:
+    matchLabels:
+      app: hcloud-cloud-controller-manager
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: hcloud-cloud-controller-manager
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      serviceAccountName: {{ external_hcloud_cloud.service_account_name }}
+      dnsPolicy: Default
+      tolerations:
+        - key: "node.cloudprovider.kubernetes.io/uninitialized"
+          value: "true"
+          effect: "NoSchedule"
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+        - key: "node-role.kubernetes.io/master"
+          effect: NoSchedule
+        - key: "node-role.kubernetes.io/control-plane"
+          effect: NoSchedule
+        - key: "node.kubernetes.io/not-ready"
+          effect: "NoSchedule"
+      containers:
+        - image: {{ docker_image_repo }}/hetznercloud/hcloud-cloud-controller-manager:{{ external_hcloud_cloud.controller_image_tag }}
+          name: hcloud-cloud-controller-manager
+          command:
+            - "/bin/hcloud-cloud-controller-manager"
+            - "--cloud-provider=hcloud"
+            - "--leader-elect=false"
+            - "--allow-untagged-cloud"
+{% if external_hcloud_cloud.controller_extra_args is defined %}
+          args:
+{% for key, value in external_hcloud_cloud.controller_extra_args.items() %}
+            - "{{ '--' + key + '=' + value }}"
+{% endfor %}
+{% endif %}
+          resources:
+            requests:
+              cpu: 100m
+              memory: 50Mi
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: HCLOUD_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ external_hcloud_cloud.token_secret_name }}
+                  key: token

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/hcloud/templates/external-hcloud-cloud-role-bindings.yml.j2

@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: {{ external_hcloud_cloud.service_account_name }}
+    namespace: kube-system

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/hcloud/templates/external-hcloud-cloud-secret.yml.j2

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ external_hcloud_cloud.token_secret_name }}"
+  namespace: kube-system
+data:
+  token: "{{ external_hcloud_cloud.hcloud_api_token | b64encode }}"
+{% if external_hcloud_cloud.with_networks  %}
+  network: "{{ network_id|b64encode }}"
+{% endif %}

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/hcloud/templates/external-hcloud-cloud-service-account.yml.j2

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ external_hcloud_cloud.service_account_name }}
+  namespace: kube-system

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/meta/main.yml

@@ -0,0 +1,32 @@
+---
+dependencies:
+  - role: kubernetes-apps/external_cloud_controller/openstack
+    when:
+      - cloud_provider is defined
+      - cloud_provider == "external"
+      - external_cloud_provider is defined
+      - external_cloud_provider == "openstack"
+      - inventory_hostname == groups['kube_control_plane'][0]
+    tags:
+      - external-cloud-controller
+      - external-openstack
+  - role: kubernetes-apps/external_cloud_controller/vsphere
+    when:
+      - cloud_provider is defined
+      - cloud_provider == "external"
+      - external_cloud_provider is defined
+      - external_cloud_provider == "vsphere"
+      - inventory_hostname == groups['kube_control_plane'][0]
+    tags:
+      - external-cloud-controller
+      - external-vsphere
+  - role: kubernetes-apps/external_cloud_controller/hcloud
+    when:
+      - cloud_provider is defined
+      - cloud_provider == "external"
+      - external_cloud_provider is defined
+      - external_cloud_provider == "hcloud"
+      - inventory_hostname == groups['kube_control_plane'][0]
+    tags:
+      - external-cloud-controller
+      - external-hcloud

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/openstack/OWNERS

@@ -0,0 +1,6 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+reviewers:
+  - alijahnas
+  - luckySB

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml

@@ -0,0 +1,24 @@
+---
+# The external cloud controller will need credentials to access
+# openstack apis. Per default these values will be
+# read from the environment.
+external_openstack_auth_url: "{{ lookup('env','OS_AUTH_URL')  }}"
+external_openstack_username: "{{ lookup('env','OS_USERNAME')  }}"
+external_openstack_password: "{{ lookup('env','OS_PASSWORD')  }}"
+external_openstack_application_credential_id: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_ID')  }}"
+external_openstack_application_credential_name: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_NAME')  }}"
+external_openstack_application_credential_secret: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_SECRET')  }}"
+external_openstack_region: "{{ lookup('env','OS_REGION_NAME')  }}"
+external_openstack_tenant_id: "{{ lookup('env','OS_TENANT_ID')| default(lookup('env','OS_PROJECT_ID'),true) }}"
+external_openstack_tenant_name: "{{ lookup('env','OS_TENANT_NAME')| default(lookup('env','OS_PROJECT_NAME'),true) }}"
+external_openstack_domain_name: "{{ lookup('env','OS_USER_DOMAIN_NAME') }}"
+external_openstack_domain_id: "{{ lookup('env','OS_USER_DOMAIN_ID') }}"
+external_openstack_cacert: "{{ lookup('env','OS_CACERT') }}"
+
+## A dictionary of extra arguments to add to the openstack cloud controller manager daemonset
+## Format:
+##  external_openstack_cloud_controller_extra_args:
+##    arg1: "value1"
+##    arg2: "value2"
+external_openstack_cloud_controller_extra_args: {}
+external_openstack_cloud_controller_image_tag: "v1.25.3"

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml

@@ -0,0 +1,48 @@
+---
+- include_tasks: openstack-credential-check.yml
+  tags: external-openstack
+
+- name: External OpenStack Cloud Controller | Get base64 cacert
+  slurp:
+    src: "{{ external_openstack_cacert }}"
+  register: external_openstack_cacert_b64
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+    - external_openstack_cacert is defined
+    - external_openstack_cacert | length > 0
+  tags: external-openstack
+
+- name: External OpenStack Cloud Controller | Get base64 cloud-config
+  set_fact:
+    external_openstack_cloud_config_secret: "{{ lookup('template', 'external-openstack-cloud-config.j2') | b64encode }}"
+  when: inventory_hostname == groups['kube_control_plane'][0]
+  tags: external-openstack
+
+- name: External OpenStack Cloud Controller | Generate Manifests
+  template:
+    src: "{{ item.file }}.j2"
+    dest: "{{ kube_config_dir }}/{{ item.file }}"
+    group: "{{ kube_cert_group }}"
+    mode: 0640
+  with_items:
+    - {name: external-openstack-cloud-config-secret, file: external-openstack-cloud-config-secret.yml}
+    - {name: external-openstack-cloud-controller-manager-roles, file: external-openstack-cloud-controller-manager-roles.yml}
+    - {name: external-openstack-cloud-controller-manager-role-bindings, file: external-openstack-cloud-controller-manager-role-bindings.yml}
+    - {name: external-openstack-cloud-controller-manager-ds, file: external-openstack-cloud-controller-manager-ds.yml}
+  register: external_openstack_manifests
+  when: inventory_hostname == groups['kube_control_plane'][0]
+  tags: external-openstack
+
+- name: External OpenStack Cloud Controller | Apply Manifests
+  kube:
+    kubectl: "{{ bin_dir }}/kubectl"
+    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
+    state: "latest"
+  with_items:
+    - "{{ external_openstack_manifests.results }}"
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+    - not item is skipped
+  loop_control:
+    label: "{{ item.item.file }}"
+  tags: external-openstack

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml

@@ -0,0 +1,66 @@
+---
+- name: External OpenStack Cloud Controller | check external_openstack_auth_url value
+  fail:
+    msg: "external_openstack_auth_url is missing"
+  when: external_openstack_auth_url is not defined or not external_openstack_auth_url
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_username or external_openstack_application_credential_name value
+  fail:
+    msg: "you must either set external_openstack_username or external_openstack_application_credential_name"
+  when:
+    - external_openstack_username is not defined or not external_openstack_username
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_application_credential_id value
+  fail:
+    msg: "external_openstack_application_credential_id is missing"
+  when:
+    - external_openstack_application_credential_name is defined
+    - external_openstack_application_credential_name|length > 0
+    - external_openstack_application_credential_id is not defined or not external_openstack_application_credential_id
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_application_credential_secret value
+  fail:
+    msg: "external_openstack_application_credential_secret is missing"
+  when:
+    - external_openstack_application_credential_name is defined
+    - external_openstack_application_credential_name|length > 0
+    - external_openstack_application_credential_secret is not defined or not external_openstack_application_credential_secret
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_password value
+  fail:
+    msg: "external_openstack_password is missing"
+  when:
+    - external_openstack_username is defined
+    - external_openstack_username|length > 0
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+    - external_openstack_application_credential_secret is not defined or not external_openstack_application_credential_secret
+    - external_openstack_password is not defined or not external_openstack_password
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_region value
+  fail:
+    msg: "external_openstack_region is missing"
+  when: external_openstack_region is not defined or not external_openstack_region
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_tenant_id value
+  fail:
+    msg: "one of external_openstack_tenant_id or external_openstack_tenant_name must be specified"
+  when:
+    - external_openstack_tenant_id is not defined or not external_openstack_tenant_id
+    - external_openstack_tenant_name is not defined or not external_openstack_tenant_name
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_domain_id value
+  fail:
+    msg: "one of external_openstack_domain_id or external_openstack_domain_name must be specified"
+  when:
+    - external_openstack_domain_id is not defined or not external_openstack_domain_id
+    - external_openstack_domain_name is not defined or not external_openstack_domain_name
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config-secret.yml.j2

@@ -0,0 +1,13 @@
+# This YAML file contains secret objects,
+# which are necessary to run external openstack cloud controller.
+
+kind: Secret
+apiVersion: v1
+metadata:
+  name: external-openstack-cloud-config
+  namespace: kube-system
+data:
+  cloud.conf: {{ external_openstack_cloud_config_secret }}
+{% if external_openstack_cacert_b64.content is defined %}
+  ca.cert: {{ external_openstack_cacert_b64.content }}
+{% endif %}

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2

@@ -0,0 +1,87 @@
+[Global]
+auth-url="{{ external_openstack_auth_url }}"
+{% if external_openstack_application_credential_id == "" and external_openstack_application_credential_name == "" %}
+username="{{ external_openstack_username }}"
+password="{{ external_openstack_password }}"
+{% endif %}
+{% if external_openstack_application_credential_id is defined and external_openstack_application_credential_id != "" %}
+application-credential-id={{ external_openstack_application_credential_id }}
+{% endif %}
+{% if external_openstack_application_credential_name is defined and external_openstack_application_credential_name != "" %}
+application-credential-name={{ external_openstack_application_credential_name }}
+{% endif %}
+{% if external_openstack_application_credential_secret is defined and external_openstack_application_credential_secret != "" %}
+application-credential-secret={{ external_openstack_application_credential_secret }}
+{% endif %}
+region="{{ external_openstack_region }}"
+{% if external_openstack_tenant_id is defined and external_openstack_tenant_id != "" %}
+tenant-id="{{ external_openstack_tenant_id }}"
+{% endif %}
+{% if external_openstack_tenant_name is defined and external_openstack_tenant_name != "" %}
+tenant-name="{{ external_openstack_tenant_name }}"
+{% endif %}
+{% if external_openstack_domain_name is defined and external_openstack_domain_name != "" %}
+domain-name="{{ external_openstack_domain_name }}"
+{% elif external_openstack_domain_id is defined and external_openstack_domain_id != "" %}
+domain-id ="{{ external_openstack_domain_id }}"
+{% endif %}
+{% if external_openstack_cacert is defined and external_openstack_cacert != "" %}
+ca-file="{{ kube_config_dir }}/external-openstack-cacert.pem"
+{% endif %}
+
+[LoadBalancer]
+create-monitor={{ external_openstack_lbaas_create_monitor }}
+monitor-delay={{ external_openstack_lbaas_monitor_delay }}
+monitor-timeout={{ external_openstack_lbaas_monitor_timeout }}
+monitor-max-retries={{ external_openstack_lbaas_monitor_max_retries }}
+{% if external_openstack_lbaas_method is defined %}
+lb-method={{ external_openstack_lbaas_method }}
+{% endif %}
+{% if external_openstack_lbaas_network_id is defined %}
+network-id={{ external_openstack_lbaas_network_id }}
+{% endif %}
+{% if external_openstack_lbaas_subnet_id is defined %}
+subnet-id={{ external_openstack_lbaas_subnet_id }}
+{% endif %}
+{% if external_openstack_lbaas_floating_network_id is defined %}
+floating-network-id={{ external_openstack_lbaas_floating_network_id }}
+{% endif %}
+{% if external_openstack_lbaas_floating_subnet_id is defined %}
+floating-subnet-id={{ external_openstack_lbaas_floating_subnet_id }}
+{% endif %}
+{% if external_openstack_lbaas_manage_security_groups is defined %}
+manage-security-groups={{ external_openstack_lbaas_manage_security_groups }}
+{% endif %}
+{% if external_openstack_lbaas_internal_lb is defined %}
+internal-lb={{ external_openstack_lbaas_internal_lb }}
+{% endif %}
+{% if external_openstack_lbaas_provider is defined %}
+lb-provider={{ external_openstack_lbaas_provider }}
+use-octavia={{ external_openstack_lbaas_use_octavia }}
+{% else %}
+lb-provider=octavia
+use-octavia=true
+{% endif %}
+{% if external_openstack_enable_ingress_hostname is defined %}
+enable-ingress-hostname={{ external_openstack_enable_ingress_hostname | bool }}
+{% endif %}
+{% if external_openstack_ingress_hostname_suffix is defined %}
+ingress-hostname-suffix={{ external_openstack_ingress_hostname_suffix | string | lower }}
+{% endif %}
+{% if external_openstack_max_shared_lb is defined %}
+max-shared-lb={{ external_openstack_max_shared_lb }}
+{% endif %}
+
+[Networking]
+ipv6-support-disabled={{ external_openstack_network_ipv6_disabled | string | lower }}
+{% for network_name in external_openstack_network_internal_networks %}
+internal-network-name="{{ network_name }}"
+{% endfor %}
+{% for network_name in external_openstack_network_public_networks %}
+public-network-name="{{ network_name }}"
+{% endfor %}
+
+[Metadata]
+{% if external_openstack_metadata_search_order is defined %}
+search-order="{{ external_openstack_metadata_search_order }}"
+{% endif %}

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2

@@ -0,0 +1,96 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-controller-manager
+  namespace: kube-system
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: openstack-cloud-controller-manager
+  namespace: kube-system
+  labels:
+    k8s-app: openstack-cloud-controller-manager
+spec:
+  selector:
+    matchLabels:
+      k8s-app: openstack-cloud-controller-manager
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        k8s-app: openstack-cloud-controller-manager
+    spec:
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      securityContext:
+        runAsUser: 999
+      tolerations:
+      - key: node.cloudprovider.kubernetes.io/uninitialized
+        value: "true"
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/control-plane
+        effect: NoSchedule
+      serviceAccountName: cloud-controller-manager
+      containers:
+        - name: openstack-cloud-controller-manager
+          image: {{ docker_image_repo }}/k8scloudprovider/openstack-cloud-controller-manager:{{ external_openstack_cloud_controller_image_tag }}
+          args:
+            - /bin/openstack-cloud-controller-manager
+            - --v=1
+            - --cloud-config=$(CLOUD_CONFIG)
+            - --cloud-provider=openstack
+            - --cluster-name={{ cluster_name }}
+            - --use-service-account-credentials=true
+            - --bind-address=127.0.0.1
+{% for key, value in external_openstack_cloud_controller_extra_args.items() %}
+            - "{{ '--' + key + '=' + value }}"
+{% endfor %}
+          volumeMounts:
+            - mountPath: /etc/kubernetes/pki
+              name: k8s-certs
+              readOnly: true
+            - mountPath: /etc/ssl/certs
+              name: ca-certs
+              readOnly: true
+            - mountPath: /etc/config/cloud.conf
+              name: cloud-config-volume
+              readOnly: true
+              subPath: cloud.conf
+            - mountPath: {{ kube_config_dir }}/external-openstack-cacert.pem
+              name: cloud-config-volume
+              readOnly: true
+              subPath: ca.cert
+{% if kubelet_flexvolumes_plugins_dir is defined %}
+            - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
+              name: flexvolume-dir
+{% endif %}
+          resources:
+            requests:
+              cpu: 200m
+          env:
+            - name: CLOUD_CONFIG
+              value: /etc/config/cloud.conf
+      hostNetwork: true
+      volumes:
+{% if kubelet_flexvolumes_plugins_dir is defined %}
+      - hostPath:
+          path: "{{ kubelet_flexvolumes_plugins_dir }}"
+          type: DirectoryOrCreate
+        name: flexvolume-dir
+{% endif %}
+      - hostPath:
+          path: /etc/kubernetes/pki
+          type: DirectoryOrCreate
+        name: k8s-certs
+      - hostPath:
+          path: /etc/ssl/certs
+          type: DirectoryOrCreate
+        name: ca-certs
+      - name: cloud-config-volume
+        secret:
+          secretName: external-openstack-cloud-config

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-bindings.yml.j2

@@ -0,0 +1,16 @@
+apiVersion: v1
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: system:cloud-controller-manager
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: system:cloud-controller-manager
+  subjects:
+  - kind: ServiceAccount
+    name: cloud-controller-manager
+    namespace: kube-system
+kind: List
+metadata: {}

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-roles.yml.j2

@@ -0,0 +1,109 @@
+apiVersion: v1
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  metadata:
+    name: system:cloud-controller-manager
+  rules:
+  - apiGroups:
+    - coordination.k8s.io
+    resources:
+    - leases
+    verbs:
+    - get
+    - create
+    - update
+  - apiGroups:
+    - ""
+    resources:
+    - events
+    verbs:
+    - create
+    - patch
+    - update
+  - apiGroups:
+    - ""
+    resources:
+    - nodes
+    verbs:
+    - '*'
+  - apiGroups:
+    - ""
+    resources:
+    - nodes/status
+    verbs:
+    - patch
+  - apiGroups:
+    - ""
+    resources:
+    - services
+    verbs:
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - services/status
+    verbs:
+    - patch
+  - apiGroups:
+    - ""
+    resources:
+    - serviceaccounts/token
+    verbs:
+    - create
+  - apiGroups:
+    - ""
+    resources:
+    - serviceaccounts
+    verbs:
+    - create
+    - get
+  - apiGroups:
+    - ""
+    resources:
+    - persistentvolumes
+    verbs:
+    - '*'
+  - apiGroups:
+    - ""
+    resources:
+    - endpoints
+    verbs:
+    - create
+    - get
+    - list
+    - watch
+    - update
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - list
+    - get
+    - watch
+  - apiGroups:
+    - authentication.k8s.io
+    resources:
+    - tokenreviews
+    verbs:
+    - create
+  - apiGroups:
+    - authorization.k8s.io
+    resources:
+    - subjectaccessreviews
+    verbs:
+    - create
+kind: List
+metadata: {}

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/vsphere/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+external_vsphere_vcenter_port: "443"
+external_vsphere_insecure: "true"
+
+## A dictionary of extra arguments to add to the vsphere cloud controller manager daemonset
+## Format:
+##  external_vsphere_cloud_controller_extra_args:
+##    arg1: "value1"
+##    arg2: "value2"
+external_vsphere_cloud_controller_extra_args: {}
+external_vsphere_cloud_controller_image_tag: "latest"
+
+external_vsphere_user: "{{ lookup('env','VSPHERE_USER') }}"
+external_vsphere_password: "{{ lookup('env','VSPHERE_PASSWORD') }}"

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/vsphere/tasks/main.yml

@@ -0,0 +1,48 @@
+---
+- include_tasks: vsphere-credentials-check.yml
+
+- name: External vSphere Cloud Controller | Generate CPI cloud-config
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ kube_config_dir }}/{{ item }}"
+    mode: 0640
+  with_items:
+    - external-vsphere-cpi-cloud-config
+  when: inventory_hostname == groups['kube_control_plane'][0]
+
+- name: External vSphere Cloud Controller | Generate Manifests
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ kube_config_dir }}/{{ item }}"
+    mode: 0644
+  with_items:
+    - external-vsphere-cpi-cloud-config-secret.yml
+    - external-vsphere-cloud-controller-manager-roles.yml
+    - external-vsphere-cloud-controller-manager-role-bindings.yml
+    - external-vsphere-cloud-controller-manager-ds.yml
+  register: external_vsphere_manifests
+  when: inventory_hostname == groups['kube_control_plane'][0]
+
+- name: External vSphere Cloud Provider Interface | Create a CPI configMap manifest
+  command: "{{ bin_dir }}/kubectl create configmap cloud-config --from-file=vsphere.conf={{ kube_config_dir }}/external-vsphere-cpi-cloud-config -n kube-system --dry-run --save-config -o yaml"
+  register: external_vsphere_configmap_manifest
+  when: inventory_hostname == groups['kube_control_plane'][0]
+
+- name: External vSphere Cloud Provider Interface | Apply a CPI configMap manifest
+  command:
+    cmd: "{{ bin_dir }}/kubectl apply -f -"
+    stdin: "{{ external_vsphere_configmap_manifest.stdout }}"
+  when: inventory_hostname == groups['kube_control_plane'][0]
+
+- name: External vSphere Cloud Controller | Apply Manifests
+  kube:
+    kubectl: "{{ bin_dir }}/kubectl"
+    filename: "{{ kube_config_dir }}/{{ item.item }}"
+    state: "latest"
+  with_items:
+    - "{{ external_vsphere_manifests.results }}"
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+    - not item is skipped
+  loop_control:
+    label: "{{ item.item }}"

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/vsphere/tasks/vsphere-credentials-check.yml

@@ -0,0 +1,32 @@
+---
+- name: External vSphere Cloud Provider | check external_vsphere_vcenter_ip value
+  fail:
+    msg: "external_vsphere_vcenter_ip is missing"
+  when: external_vsphere_vcenter_ip is not defined or not external_vsphere_vcenter_ip
+
+- name: External vSphere Cloud Provider | check external_vsphere_vcenter_port value
+  fail:
+    msg: "external_vsphere_vcenter_port is missing"
+  when: external_vsphere_vcenter_port is not defined or not external_vsphere_vcenter_port
+
+- name: External vSphere Cloud Provider | check external_vsphere_insecure value
+  fail:
+    msg: "external_vsphere_insecure is missing"
+  when: external_vsphere_insecure is not defined or not external_vsphere_insecure
+
+- name: External vSphere Cloud Provider | check external_vsphere_user value
+  fail:
+    msg: "external_vsphere_user is missing"
+  when: external_vsphere_user is not defined or not external_vsphere_user
+
+- name: External vSphere Cloud Provider | check external_vsphere_password value
+  fail:
+    msg: "external_vsphere_password is missing"
+  when:
+    - external_vsphere_password is not defined or not external_vsphere_password
+
+- name: External vSphere Cloud Provider | check external_vsphere_datacenter value
+  fail:
+    msg: "external_vsphere_datacenter is missing"
+  when:
+    - external_vsphere_datacenter is not defined or not external_vsphere_datacenter

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/vsphere/templates/external-vsphere-cloud-controller-manager-ds.yml.j2

@@ -0,0 +1,76 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-controller-manager
+  namespace: kube-system
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: vsphere-cloud-controller-manager
+  namespace: kube-system
+  labels:
+    k8s-app: vsphere-cloud-controller-manager
+spec:
+  selector:
+    matchLabels:
+      k8s-app: vsphere-cloud-controller-manager
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        k8s-app: vsphere-cloud-controller-manager
+    spec:
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      securityContext:
+        runAsUser: 0
+      tolerations:
+      - key: node.cloudprovider.kubernetes.io/uninitialized
+        value: "true"
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/control-plane
+        effect: NoSchedule
+      serviceAccountName: cloud-controller-manager
+      containers:
+        - name: vsphere-cloud-controller-manager
+          image: {{ gcr_image_repo }}/cloud-provider-vsphere/cpi/release/manager:{{ external_vsphere_cloud_controller_image_tag }}
+          args:
+            - --v=2
+            - --cloud-provider=vsphere
+            - --cloud-config=/etc/cloud/vsphere.conf
+{% for key, value in external_vsphere_cloud_controller_extra_args.items() %}
+            - "{{ '--' + key + '=' + value }}"
+{% endfor %}
+          volumeMounts:
+            - mountPath: /etc/cloud
+              name: vsphere-config-volume
+              readOnly: true
+          resources:
+            requests:
+              cpu: 200m
+      hostNetwork: true
+      volumes:
+      - name: vsphere-config-volume
+        configMap:
+          name: cloud-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    component: cloud-controller-manager
+  name: vsphere-cloud-controller-manager
+  namespace: kube-system
+spec:
+  type: NodePort
+  ports:
+    - port: 43001
+      protocol: TCP
+      targetPort: 43001
+  selector:
+    component: cloud-controller-manager

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/vsphere/templates/external-vsphere-cloud-controller-manager-role-bindings.yml.j2

@@ -0,0 +1,35 @@
+apiVersion: v1
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    name: servicecatalog.k8s.io:apiserver-authentication-reader
+    namespace: kube-system
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: extension-apiserver-authentication-reader
+  subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cloud-controller-manager
+    namespace: kube-system
+  - apiGroup: ""
+    kind: User
+    name: cloud-controller-manager
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: system:cloud-controller-manager
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: system:cloud-controller-manager
+  subjects:
+  - kind: ServiceAccount
+    name: cloud-controller-manager
+    namespace: kube-system
+  - kind: User
+    name: cloud-controller-manager
+kind: List
+metadata: {}

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/vsphere/templates/external-vsphere-cloud-controller-manager-roles.yml.j2

@@ -0,0 +1,91 @@
+apiVersion: v1
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  metadata:
+    name: system:cloud-controller-manager
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - events
+    verbs:
+    - create
+    - patch
+    - update
+  - apiGroups:
+    - ""
+    resources:
+    - nodes
+    verbs:
+    - '*'
+  - apiGroups:
+    - ""
+    resources:
+    - nodes/status
+    verbs:
+    - patch
+  - apiGroups:
+    - ""
+    resources:
+    - services
+    verbs:
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - services/status
+    verbs:
+    - patch
+  - apiGroups:
+    - ""
+    resources:
+    - serviceaccounts
+    verbs:
+    - create
+    - get
+    - list
+    - watch
+    - update
+  - apiGroups:
+    - ""
+    resources:
+    - persistentvolumes
+    verbs:
+    - get
+    - list
+    - update
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - endpoints
+    verbs:
+    - create
+    - get
+    - list
+    - watch
+    - update
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - "coordination.k8s.io"
+    resources:
+    - leases
+    verbs:
+    - get
+    - list
+    - watch
+    - create
+    - update
+kind: List
+metadata: {}

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/vsphere/templates/external-vsphere-cpi-cloud-config-secret.yml.j2

@@ -0,0 +1,11 @@
+# This YAML file contains secret objects,
+# which are necessary to run external vsphere cloud controller.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cpi-global-secret
+  namespace: kube-system
+stringData:
+  {{ external_vsphere_vcenter_ip }}.username: "{{ external_vsphere_user }}"
+  {{ external_vsphere_vcenter_ip }}.password: "{{ external_vsphere_password }}"

kubespray/extra_playbooks/roles/kubernetes-apps/external_cloud_controller/vsphere/templates/external-vsphere-cpi-cloud-config.j2

@@ -0,0 +1,8 @@
+[Global]
+port = "{{ external_vsphere_vcenter_port }}"
+insecure-flag = "{{ external_vsphere_insecure }}"
+secret-name = "cpi-global-secret"
+secret-namespace = "kube-system"
+
+[VirtualCenter "{{ external_vsphere_vcenter_ip }}"]
+datacenters = "{{ external_vsphere_datacenter }}"