Move calico-policy-controller into separate role

By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.

K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.

This patch also fixes kube-api port in calico-policy-controller
yaml template.

Closes #1132

roles/kubernetes-apps/policy_controller/meta/main.yml

@@ -0,0 +1,14 @@
+---
+dependencies:
+  - role: download
+    file: "{{ downloads.calico_policy }}"
+    when: enable_network_policy and
+      kube_network_plugin in ['calico', 'canal']
+    tags: [download, canal, policy-controller]
+  - role: policy_controller/calico
+    when: kube_network_plugin == 'calico' and
+      enable_network_policy
+    tags: policy-controller
+  - role: policy_controller/calico
+    when: kube_network_plugin == 'canal'
+    tags: policy-controller