terraform-talos/oracle/deployments/oci-cloud-controller-manager.yaml

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloud-controller-manager
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:cloud-controller-manager
  labels:
    kubernetes.io/cluster-service: "true"
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - '*'

- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch

- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - list
  - watch
  - patch

- apiGroups:
  - ""
  resources:
  - services/status
  verbs:
  - patch
  - get
  - update

- apiGroups:
    - ""
  resources:
    - configmaps
  resourceNames:
    - "extension-apiserver-authentication"
  verbs:
    - get

- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - patch
  - update

# For leader election
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create

- apiGroups:
  - ""
  resources:
  - endpoints
  resourceNames:
  - "cloud-controller-manager"
  verbs:
  - get
  - list
  - watch
  - update

- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create

- apiGroups:
    - "coordination.k8s.io"
  resources:
    - leases
  verbs:
    - get
    - create
    - update
    - delete
    - patch
    - watch

- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - "cloud-controller-manager"
  verbs:
  - get
  - update

- apiGroups:
    - ""
  resources:
    - configmaps
  resourceNames:
    - "extension-apiserver-authentication"
  verbs:
    - get
    - list
    - watch

- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list

# For the PVL
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - list
  - watch
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oci-cloud-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:cloud-controller-manager
subjects:
- kind: ServiceAccount
  name: cloud-controller-manager
  namespace: kube-system
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: oci-cloud-controller-manager
  namespace: kube-system
  labels:
    k8s-app: oci-cloud-controller-manager
spec:
  selector:
    matchLabels:
      component: oci-cloud-controller-manager
      tier: control-plane
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        component: oci-cloud-controller-manager
        tier: control-plane
    spec:
      serviceAccountName: cloud-controller-manager
      dnsPolicy: None
      dnsConfig:
        nameservers:
          - 169.254.169.254
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
        node.cloudprovider.kubernetes.io/platform: oracle
      tolerations:
        - key: "node.cloudprovider.kubernetes.io/uninitialized"
          value: "true"
          effect: "NoSchedule"
        - key: "node-role.kubernetes.io/control-plane"
          effect: NoSchedule
      volumes:
        - name: cfg
          secret:
            secretName: oci-cloud-controller-manager
      containers:
        - name: oci-cloud-controller-manager
          image: ghcr.io/oracle/cloud-provider-oci:v1.24.0
          command: ["/usr/local/bin/oci-cloud-controller-manager"]
          args:
            - -v=4
            - --cluster-name=$(CLUSTER_NAME)
            - --cloud-config=/etc/oci/cloud-provider.yaml
            - --cloud-provider=oci
            - --allocate-node-cidrs=false
            - --controllers=cloud-node-lifecycle
            - --leader-elect-resource-name=cloud-controller-manager-oci
            - --bind-address=127.0.0.1
          env:
            - name: CLUSTER_NAME
              value: kubernetes
          volumeMounts:
            - name: cfg
              mountPath: /etc/oci
              readOnly: true