Add RBAC support for canal (#1604)

Refactored how rbac_enabled is set
Added RBAC to ubuntu-canal-ha CI job
Added rbac for calico policy controller

roles/network_plugin/canal/tasks/main.yml

@@ -32,16 +32,22 @@
   delegate_to: "{{groups['etcd'][0]}}"
   run_once: true
 
-- name: Canal | Write canal configmap
+- name: Canal | Create canal node manifests
   template:
-    src: canal-config.yml.j2
-    dest: "{{kube_config_dir}}/canal-config.yaml"
-
-- name: Canal | Write canal node configuration
-  template:
-    src: canal-node.yml.j2
-    dest: "{{kube_config_dir}}/canal-node.yaml"
-  register: canal_node_manifest
+    src: "{{item.file}}.j2"
+    dest: "{{kube_config_dir}}/{{item.file}}"
+  with_items:
+    - {name: canal-config, file: canal-config.yaml, type: cm}
+    - {name: canal-node, file: canal-node.yaml, type: ds}
+    - {name: canal, file: canal-node-sa.yml, type: sa}
+    - {name: calico, file: canal-cr-calico.yml, type: clusterrole}
+    - {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
+    - {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
+    - {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
+  register: canal_manifests
+  when:
+    - inventory_hostname in groups['kube-master']
+    - rbac_enabled or item.type not in rbac_resources
 
 - name: Canal | Copy cni plugins from hyperkube
   command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -ac /opt/cni/bin/ /cnibindir/"