From 83838b7fbc435513af97a7c20b4d7cc64e2d3e79 Mon Sep 17 00:00:00 2001
From: Jeff Bornemann
Date: Fri, 24 Aug 2018 14:05:38 -0400
Subject: [PATCH] Add new OCI cloud controls
---
 inventory/sample/group_vars/all/oci.yml | 14 +++++++++--
 .../cloud_controller/oci/defaults/main.yml | 2 +-
 .../cloud_controller/oci/tasks/main.yml | 2 ++
 .../controller-manager-config.yml.j2 | 25 +++++++++++++++++++
 4 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/inventory/sample/group_vars/all/oci.yml b/inventory/sample/group_vars/all/oci.yml
index fd83080dd..d4f1a64aa 100644
--- a/inventory/sample/group_vars/all/oci.yml
+++ b/inventory/sample/group_vars/all/oci.yml
@@ -8,8 +8,18 @@
 #oci_vnc_id:
 #oci_subnet1_id:
 #oci_subnet2_id:
-## Overide these default behaviors if you wish
+## Overide these default/optional behaviors if you wish
 #oci_security_list_management: All
+# If you would like the controller to manage specific lists per subnet. This is a mapping of subnet ocids to security list ocids. Below are examples.
+#oci_security_lists:
+ #ocid1.subnet.oc1.phx.aaaaaaaasa53hlkzk6nzksqfccegk2qnkxmphkblst3riclzs4rhwg7rg57q: ocid1.securitylist.oc1.iad.aaaaaaaaqti5jsfvyw6ejahh7r4okb2xbtuiuguswhs746mtahn72r7adt7q
+ #ocid1.subnet.oc1.phx.aaaaaaaahuxrgvs65iwdz7ekwgg3l5gyah7ww5klkwjcso74u3e4i64hvtvq: ocid1.securitylist.oc1.iad.aaaaaaaaqti5jsfvyw6ejahh7r4okb2xbtuiuguswhs746mtahn72r7adt7q
 # If oci_use_instance_principals is true, you do not need to set the region, tenancy, user, key, passphrase, or fingerprint
 #oci_use_instance_principals: false
-#oci_cloud_controller_version: 0.5.0
+#oci_cloud_controller_version: 0.6.0
+# If you would like to control OCI query rate limits for the controller
+#oci_rate_limit:
+ #rate_limit_qps_read:
+ #rate_limit_qps_write:
+ #rate_limit_bucket_read:
+ #rate_limit_bucket_write:
diff --git a/roles/kubernetes-apps/cloud_controller/oci/defaults/main.yml b/roles/kubernetes-apps/cloud_controller/oci/defaults/main.yml
index ccfb70077..f128f741c 100644
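Review bot: The two example entries under `#oci_security_lists:` pair subnet OCIDs carrying the `phx` region code with a security list OCID carrying `iad`, so the sample does not show a mapping a user could actually have. Because this mapping decides which security list the controller edits, the examples should use placeholders from a single region and the comment should state the scope, for instance `# Keys are subnet OCIDs, values are the one security list the controller may modify for that subnet. Does not apply if security list management is off.` The four `#rate_limit_*` keys are left blank with no hint of the expected type; a one-line comment with a sample value marked as an example would help.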
--- a/roles/kubernetes-apps/cloud_controller/oci/defaults/main.yml
+++ b/roles/kubernetes-apps/cloud_controller/oci/defaults/main.yml
@@ -2,4 +2,4 @@
 oci_security_list_management: All
 oci_use_instance_principals: false
-oci_cloud_controller_version: 0.5.0
+oci_cloud_controller_version: 0.6.0
diff --git a/roles/kubernetes-apps/cloud_controller/oci/tasks/main.yml b/roles/kubernetes-apps/cloud_controller/oci/tasks/main.yml
index 37e5962d3..4907218cd 100644
--- a/roles/kubernetes-apps/cloud_controller/oci/tasks/main.yml
+++ b/roles/kubernetes-apps/cloud_controller/oci/tasks/main.yml
@@ -28,6 +28,7 @@
 kube:
 kubectl: "{{ bin_dir }}/kubectl"
 filename: "/tmp/cloud-provider.yml"
+ state: latest
 when: inventory_hostname == groups['kube-master'][0]
 tags: oci
@@ -47,5 +48,6 @@
 kube:
 kubectl: "{{ bin_dir }}/kubectl"
 filename: "/tmp/oci-cloud-controller-manager.yml"
+ state: latest
 when: inventory_hostname == groups['kube-master'][0]
 tags: oci
diff --git a/roles/kubernetes-apps/cloud_controller/oci/templates/controller-manager-config.yml.j2 b/roles/kubernetes-apps/cloud_controller/oci/templates/controller-manager-config.yml.j2
index 38c7ba86c..9726d3c5e 100644
--- a/roles/kubernetes-apps/cloud_controller/oci/templates/controller-manager-config.yml.j2
+++ b/roles/kubernetes-apps/cloud_controller/oci/templates/controller-manager-config.yml.j2
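Review bot: Both tasks in tasks/main.yml now push to the cluster, presumably on every run, whatever manifest sits at a fixed name under /tmp: `state: latest` is added next to `filename: "/tmp/cloud-provider.yml"` in the first hunk and next to `filename: "/tmp/oci-cloud-controller-manager.yml"` in the second. The step that writes these files is outside the hunks, so its owner and mode cannot be checked here; if the cloud-provider manifest carries the OCI key and passphrase that the sample variables mention, a predictable name in a shared temporary directory is a poor place for it. I would render both manifests into a root-owned directory with mode `0600` and point the tasks there, e.g. `filename: "<restricted_dir>/cloud-provider.yml"` (placeholder path). Both task bodies start above their hunks.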
@@ -54,3 +54,28 @@ loadBalancer:
 # inbound traffic to load balancers.
 securityListManagementMode: {{ oci_security_list_management }}
+{% if oci_security_lists is defined and oci_security_lists|length > 0 %}
+ # Optional specification of which security lists to modify per subnet. This does not apply if security list management is off.
+ securityLists:
+{% for subnet_ocid, list_ocid in oci_security_lists.iteritems() %}
+ {{ subnet_ocid }}: {{ list_ocid }}
+{% endfor %}
+{% endif %}
+
+{% if oci_rate_limit is defined and oci_rate_limit|length > 0 %}
+# Optional rate limit controls for accessing OCI API
+rateLimiter:
+{% if oci_rate_limit.rate_limit_qps_read %}
+ rateLimitQPSRead: {{ oci_rate_limit.rate_limit_qps_read }}
+{% endif %}
+{% if oci_rate_limit.rate_limit_qps_write %}
+ rateLimitQPSWrite: {{ oci_rate_limit.rate_limit_qps_write }}
+{% endif %}
+{% if oci_rate_limit.rate_limit_bucket_read %}
+ rateLimitBucketRead: {{ oci_rate_limit.rate_limit_bucket_read }}
+{% endif %}
+{% if oci_rate_limit.rate_limit_bucket_write %}
+ rateLimitBucketWrite: {{ oci_rate_limit.rate_limit_bucket_write }}
+{% endif %}
+{% endif %}
+
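Review bot: `oci_security_lists.iteritems()` in the `{% for %}` line exists only on Python 2 dicts, so the template will fail to render when Ansible runs under Python 3; `{% for subnet_ocid, list_ocid in oci_security_lists.items() %}` works on both. The four inner guards such as `{% if oci_rate_limit.rate_limit_qps_read %}` test a key that may be absent, which Ansible's strict undefined handling is likely to turn into a render error when a user sets only some of the limits; `{% if oci_rate_limit.rate_limit_qps_read | default(false) %}`, and likewise for the other three, keeps the current skip-when-empty behaviour without that failure. The OCIDs are interpolated into the YAML unquoted, so writing the entry as `{{ subnet_ocid }}: "{{ list_ocid }}"` would keep an unexpected character in an inventory value from changing the structure of the generated config.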