
Add AWS cloud provider support.

Andrew Butcher %!s(int64=9) %!d(string=hai) anos
pai
achega
67fda43df0

+ 24 - 0
inventory/byo/hosts.aep.example

@@ -90,6 +90,30 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # LDAP auth
 #openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
 
+# Cloud Provider Configuration
+#
+# Note: You may make use of environment variables rather than store
+# sensitive configuration within the ansible inventory.
+# For example:
+#openshift_cloudprovider_aws_access_key="{{ lookup('env','AWS_ACCESS_KEY_ID') }}"
+#openshift_cloudprovider_aws_secret_key="{{ lookup('env','AWS_SECRET_ACCESS_KEY') }}"
+#
+# AWS
+#openshift_cloudprovider_kind=aws
+# Note: IAM profiles may be used instead of storing API credentials on disk.
+#openshift_cloudprovider_aws_access_key=aws_access_key_id
+#openshift_cloudprovider_aws_secret_key=aws_secret_access_key
+#
+# Openstack
+#openshift_cloudprovider_kind=openstack
+#openshift_cloudprovider_openstack_auth_url=http://openstack.example.com:35357/v2.0/
+#openshift_cloudprovider_openstack_username=username
+#openshift_cloudprovider_openstack_password=password
+#openshift_cloudprovider_openstack_tenand_id=tenant_id
+#openshift_cloudprovider_openstack_tenant_name=tenant_name
+#openshift_cloudprovider_openstack_region=region
+#openshift_cloudprovider_openstack_lb_subnet_id=subnet_id
+
 # Project Configuration
 #osm_project_request_message=''
 #osm_project_request_template=''
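Review bot: The OpenStack example spells the tenant variable `openshift_cloudprovider_openstack_tenand_id`, but the template and the `when` in tasks/openstack.yml look for `tenant_id`, so anyone uncommenting this line sets a fact the template never consumes. It should read `#openshift_cloudprovider_openstack_tenant_id=tenant_id`, and the same line needs fixing in hosts.origin.example and hosts.ose.example. The sample `auth_url` also uses `http://`, which would send the Keystone password in cleartext if copied as-is; an `https://` example would be a safer default to show.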

+ 24 - 0
inventory/byo/hosts.origin.example

@@ -95,6 +95,30 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # LDAP auth
 #openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
 
+# Cloud Provider Configuration
+#
+# Note: You may make use of environment variables rather than store
+# sensitive configuration within the ansible inventory.
+# For example:
+#openshift_cloudprovider_aws_access_key="{{ lookup('env','AWS_ACCESS_KEY_ID') }}"
+#openshift_cloudprovider_aws_secret_key="{{ lookup('env','AWS_SECRET_ACCESS_KEY') }}"
+#
+# AWS
+#openshift_cloudprovider_kind=aws
+# Note: IAM profiles may be used instead of storing API credentials on disk.
+#openshift_cloudprovider_aws_access_key=aws_access_key_id
+#openshift_cloudprovider_aws_secret_key=aws_secret_access_key
+#
+# Openstack
+#openshift_cloudprovider_kind=openstack
+#openshift_cloudprovider_openstack_auth_url=http://openstack.example.com:35357/v2.0/
+#openshift_cloudprovider_openstack_username=username
+#openshift_cloudprovider_openstack_password=password
+#openshift_cloudprovider_openstack_tenand_id=tenant_id
+#openshift_cloudprovider_openstack_tenant_name=tenant_name
+#openshift_cloudprovider_openstack_region=region
+#openshift_cloudprovider_openstack_lb_subnet_id=subnet_id
+
 # Project Configuration
 #osm_project_request_message=''
 #osm_project_request_template=''

+ 24 - 0
inventory/byo/hosts.ose.example

@@ -91,6 +91,30 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # LDAP auth
 #openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
 
+# Cloud Provider Configuration
+#
+# Note: You may make use of environment variables rather than store
+# sensitive configuration within the ansible inventory.
+# For example:
+#openshift_cloudprovider_aws_access_key="{{ lookup('env','AWS_ACCESS_KEY_ID') }}"
+#openshift_cloudprovider_aws_secret_key="{{ lookup('env','AWS_SECRET_ACCESS_KEY') }}"
+#
+# AWS
+#openshift_cloudprovider_kind=aws
+# Note: IAM profiles may be used instead of storing API credentials on disk.
+#openshift_cloudprovider_aws_access_key=aws_access_key_id
+#openshift_cloudprovider_aws_secret_key=aws_secret_access_key
+#
+# Openstack
+#openshift_cloudprovider_kind=openstack
+#openshift_cloudprovider_openstack_auth_url=http://openstack.example.com:35357/v2.0/
+#openshift_cloudprovider_openstack_username=username
+#openshift_cloudprovider_openstack_password=password
+#openshift_cloudprovider_openstack_tenand_id=tenant_id
+#openshift_cloudprovider_openstack_tenant_name=tenant_name
+#openshift_cloudprovider_openstack_region=region
+#openshift_cloudprovider_openstack_lb_subnet_id=subnet_id
+
 # Project Configuration
 #osm_project_request_message=''
 #osm_project_request_template=''

+ 0 - 7
roles/openshift_cloud_provider/defaults/main.yml

@@ -1,7 +0,0 @@
----
-ocp_os_auth_url: "{{ lookup('env', 'OS_AUTH_URL') }}"
-ocp_os_username: "{{ lookup('env', 'OS_USERNAME') }}"
-ocp_os_password: "{{ lookup('env', 'OS_PASSWORD') }}"
-ocp_os_tenant_id: "{{ lookup('env', 'OS_TENANT_ID') }}"
-ocp_os_tenant_name: "{{ lookup('env', 'OS_TENANT_NAME') }}"
-ocp_os_region: "{{ lookup('env', 'OS_REGION_NAME') }}"

+ 15 - 0
roles/openshift_cloud_provider/meta/main.yml

@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: Sylvain Baubeau, Andrew Butcher
+  description: OpenShift Cloud Provider
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.9
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- role: openshift_facts

+ 6 - 0
roles/openshift_cloud_provider/tasks/aws.yml

@@ -0,0 +1,6 @@
+- name: Create cloud config
+  ini_file:
+    dest: "{{ openshift.common.config_base }}/cloudprovider/aws.conf"
+    section: Global
+    option: Zone
+    value: "{{ openshift.provider.zone }}"
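Review bot: The `value` reads `openshift.provider.zone`, which presumably comes from host metadata detection, while the include in tasks/main.yml is gated only on the inventory-driven `openshift.cloudprovider.kind == 'aws'`. If kind is set to aws on a host whose provider facts carry no zone, the task would stop on an undefined variable rather than a clear message. A guard such as `when: "'provider' in openshift and 'zone' in openshift.provider"`, or a preceding `fail` task with an explanatory `msg`, would make the requirement explicit. The file also lacks the leading `---` that this commit adds to openstack.yml.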

+ 22 - 1
roles/openshift_cloud_provider/tasks/main.yml

@@ -1,3 +1,24 @@
 ---
+- name: Set cloud provider facts
+  openshift_facts:
+    role: cloudprovider
+    openshift_env: "{{ item | oo_openshift_env }}"
+    openshift_env_structures:
+    - 'openshift.cloudprovider.aws.*'
+    - 'openshift.cloudprovider.openstack.*'
+  no_log: true
+  with_items:
+  - "{{ hostvars[inventory_hostname] }}"
+  - "{{ hostvars }}"
+
+- name: Create cloudprovider config dir
+  file:
+    path: "{{ openshift.common.config_base }}/cloudprovider"
+    state: directory
+  when: has_cloudprovider | bool
+
 - include: openstack.yml
-  when: "openshift_cloud_provider is defined and openshift_cloud_provider == 'openstack' and 'provider' in openshift and openshift.provider.name == 'openstack'"
+  when: cloudprovider_is_openstack | bool
+
+- include: aws.yml
+  when: cloudprovider_is_aws | bool
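Review bot: The `file` task that creates `{{ openshift.common.config_base }}/cloudprovider` sets no `owner`, `group` or `mode`, and the `template` task in tasks/openstack.yml that writes `openstack.conf` into it (including the Keystone password) sets none either, so both fall back to whatever the remote umask yields. I would add `mode: "0700"` to the directory task and `mode: "0600"` to the template task, assuming the master and node services read these files as root; if they run as another user, set `owner` accordingly. The mode is quoted so YAML does not reinterpret the octal literal.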

+ 5 - 4
roles/openshift_cloud_provider/tasks/openstack.yml

@@ -1,9 +1,10 @@
+---
 - fail:
     msg: "The Openstack integration requires OpenShift Enterprise 3.2 or Origin 1.2."
   when: not openshift.common.version_gte_3_2_or_1_2 | bool
 
-- name: Create /etc/cloud.conf
+- name: Create cloud config
   template:
-    dest: /etc/cloud.conf
-    src: openstack/cloud.conf.j2
-  when: ocp_os_auth_url and ocp_os_username and ocp_os_password and (ocp_os_tenant_id or ocp_os_tenant_name)
+    dest: "{{ openshift.common.config_base }}/cloudprovider/openstack.conf"
+    src: openstack.conf.j2
+  when: "'auth_url' in openshift.cloudprovider.openstack and 'username' in openshift.cloudprovider.openstack and 'password' in openshift.cloudprovider.openstack and ('tenant_id' in openshift.cloudprovider.openstack or 'tenant_name' in openshift.cloudprovider.openstack)"
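Review bot: When the required OpenStack keys are missing, this `when` skips the template silently, yet `build_kubelet_args`, `build_controller_args` and `build_api_server_args` in openshift_facts.py set `cloud-config` to `.../cloudprovider/openstack.conf` whenever `kind` is `openstack`. The removed code only added those arguments if `/etc/cloud.conf` existed, so after this change the services can be pointed at a file that was never written. A preceding `fail` task with the inverse of this condition and a `msg` naming the missing variables would surface the misconfiguration at deploy time instead of at service start.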

+ 17 - 0
roles/openshift_cloud_provider/templates/openstack.conf.j2

@@ -0,0 +1,17 @@
+[Global]
+auth-url = {{ openshift.cloudprovider.openstack.auth_url }}
+username = {{ openshift.cloudprovider.openstack.username }}
+password = {{ openshift.cloudprovider.openstack.password }}
+{% if 'tenant_id' in openshift.cloudprovider.openstack %}
+tenant-id = {{ openshift.cloudprovider.openstack.tenant_id }}
+{% else %}
+tenant-name = {{ openshift.cloudprovider.openstack.tenant_name }}
+{% endif %}
+{% if 'region' in openshift.cloudprovider.openstack %}
+region = {{ openshift.cloudprovider.openstack.region }}
+{% endif %}
+{% if 'lb_subnet_id' in openshift.cloudprovider.openstack %}
++
++[LoadBalancer]
++subnet-id = {{ openshift.cloudprovider.openstack.lb_subnet_id }}
++{% endif %}
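Review bot: The last four lines of the new template begin with a literal `+` (they appear as `++` in the diff), apparently a merge artefact carried over from the deleted cloud.conf.j2, where the same lines show as `-+`. When `lb_subnet_id` is set the rendered file will contain `+[LoadBalancer]` and `+subnet-id = ...`, which is not a valid section header or key for the cloud config. The leading `+` should be dropped from all four lines so the block renders as a blank line, `[LoadBalancer]`, `subnet-id = {{ openshift.cloudprovider.openstack.lb_subnet_id }}` and `{% endif %}`.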

+ 0 - 17
roles/openshift_cloud_provider/templates/openstack/cloud.conf.j2

@@ -1,17 +0,0 @@
-[Global]
-auth-url = {{ ocp_os_auth_url }}
-username = {{ ocp_os_username }}
-password = {{ ocp_os_password }}
-{% if ocp_os_tenant_id %}
-tenant-id = {{ ocp_os_tenant_id }}
-{% else %}
-tenant-name = {{ ocp_os_tenant_name }}
-{% endif %}
-{% if ocp_os_region %}
-region = {{ ocp_os_region }}
-{% endif %}
-{% if ocp_os_lb_subnet_id is defined %}
-+
-+[LoadBalancer]
-+subnet-id = {{ ocp_os_lb_subnet_id }}
-+{% endif %}

+ 4 - 0
roles/openshift_cloud_provider/vars/main.yml

@@ -0,0 +1,4 @@
+---
+has_cloudprovider: "{{ 'cloudprovider' in openshift and 'kind' in openshift.cloudprovider and openshift.cloudprovider.kind != None }}"
+cloudprovider_is_aws: "{{ has_cloudprovider | bool and openshift.cloudprovider.kind == 'aws' }}"
+cloudprovider_is_openstack: "{{ has_cloudprovider | bool and openshift.cloudprovider.kind == 'openstack' }}"

+ 3 - 4
roles/openshift_common/meta/main.yml

@@ -12,7 +12,6 @@ galaxy_info:
   categories:
   - cloud
 dependencies:
-- { role: os_firewall }
-- { role: openshift_facts }
-- { role: openshift_repos }
-- { role: openshift_cloud_provider }
+- role: os_firewall
+- role: openshift_facts
+- role: openshift_repos

+ 119 - 38
roles/openshift_facts/library/openshift_facts.py

@@ -332,14 +332,10 @@ def normalize_provider_facts(provider, metadata):
 
     facts = dict(name=provider, metadata=metadata,
                  network=dict(interfaces=[], ipv6_enabled=False))
-    if os.path.exists('/etc/cloud.conf'):
-        for arg in ('api_server_args', 'controller_args', 'kubelet_args'):
-            facts[arg] = {'cloud-provider': [provider],
-                          'cloud-config': ['/etc/cloud.conf']}
 
     if provider == 'gce':
         facts = normalize_gce_facts(metadata, facts)
-    elif provider == 'ec2':
+    elif provider == 'aws':
         facts = normalize_aws_facts(metadata, facts)
     elif provider == 'openstack':
         facts = normalize_openstack_facts(metadata, facts)
@@ -918,6 +914,57 @@ def get_current_config(facts):
 
     return current_config
 
+def build_kubelet_args(facts):
+    """ Build node kubelet_args """
+    cloud_cfg_path = os.path.join(facts['common']['config_base'],
+                                  'cloudprovider')
+    if 'node' in facts:
+        kubelet_args = {}
+        if 'cloudprovider' in facts:
+            if facts['cloudprovider']['kind'] == 'aws':
+                kubelet_args['cloud-provider'] = ['aws']
+                kubelet_args['cloud-config'] = [cloud_cfg_path + '/aws.conf']
+            if facts['cloudprovider']['kind'] == 'openstack':
+                kubelet_args['cloud-provider'] = ['openstack']
+                kubelet_args['cloud-config'] = [cloud_cfg_path + '/openstack.conf']
+        if kubelet_args != {}:
+            facts = merge_facts({'node': {'kubelet_args': kubelet_args}}, facts, [], [])
+    return facts
+
+def build_controller_args(facts):
+    """ Build master controller_args """
+    cloud_cfg_path = os.path.join(facts['common']['config_base'],
+                                  'cloudprovider')
+    if 'master' in facts:
+        controller_args = {}
+        if 'cloudprovider' in facts:
+            if facts['cloudprovider']['kind'] == 'aws':
+                controller_args['cloud-provider'] = ['aws']
+                controller_args['cloud-config'] = [cloud_cfg_path + '/aws.conf']
+            if facts['cloudprovider']['kind'] == 'openstack':
+                controller_args['cloud-provider'] = ['openstack']
+                controller_args['cloud-config'] = [cloud_cfg_path + '/openstack.conf']
+        if controller_args != {}:
+            facts = merge_facts({'master': {'controller_args': controller_args}}, facts, [], [])
+    return facts
+
+def build_api_server_args(facts):
+    """ Build master api_server_args """
+    cloud_cfg_path = os.path.join(facts['common']['config_base'],
+                                  'cloudprovider')
+    if 'master' in facts:
+        api_server_args = {}
+        if 'cloudprovider' in facts:
+            if facts['cloudprovider']['kind'] == 'aws':
+                api_server_args['cloud-provider'] = ['aws']
+                api_server_args['cloud-config'] = [cloud_cfg_path + '/aws.conf']
+            if facts['cloudprovider']['kind'] == 'openstack':
+                api_server_args['cloud-provider'] = ['openstack']
+                api_server_args['cloud-config'] = [cloud_cfg_path + '/openstack.conf']
+        if api_server_args != {}:
+            facts = merge_facts({'master': {'api_server_args': api_server_args}}, facts, [], [])
+    return facts
+
 def get_openshift_version(facts, cli_image=None):
     """ Get current version of openshift on the host
 
@@ -1084,31 +1131,6 @@ def merge_facts(orig, new, additive_facts_to_overwrite, protected_facts_to_overw
         facts[key] = copy.deepcopy(new[key])
     return facts
 
-
-def merge_provider_facts(facts):
-    """ Recursively merge provider facts dicts
-
-        Args:
-            facts (dict): existing facts
-        Returns:
-            dict: the facts dict updated with the provider config
-    """
-    if 'provider' not in facts:
-        return facts
-    if 'master' in facts:
-        for arg in ('api_server_args', 'controller_args'):
-            facts['master'][arg] = merge_facts(
-                facts['provider'].get(arg, {}),
-                facts['master'].get(arg, {}),
-                [], [])
-    if 'node' in facts:
-        facts['node']['kubelet_args'] = merge_facts(
-            facts['provider'].get('kubelet_args', {}),
-            facts['node'].get('kubelet_args', {}),
-            [], [])
-    return facts
-
-
 def save_local_facts(filename, facts):
     """ Save local facts
 
@@ -1302,13 +1324,20 @@ class OpenShiftFacts(object):
         Raises:
             OpenShiftFactsUnsupportedRoleError:
     """
-    known_roles = ['common', 'master', 'node', 'etcd', 'hosted', 'docker']
+    known_roles = ['cloudprovider',
+                   'common',
+                   'docker',
+                   'etcd',
+                   'hosted',
+                   'master',
+                   'node']
 
     # Disabling too-many-arguments, this should be cleaned up as a TODO item.
     # pylint: disable=too-many-arguments
     def __init__(self, role, filename, local_facts,
                  additive_facts_to_overwrite=None,
                  openshift_env=None,
+                 openshift_env_structures=None,
                  protected_facts_to_overwrite=None):
         self.changed = False
         self.filename = filename
@@ -1321,12 +1350,14 @@ class OpenShiftFacts(object):
         self.facts = self.generate_facts(local_facts,
                                          additive_facts_to_overwrite,
                                          openshift_env,
+                                         openshift_env_structures,
                                          protected_facts_to_overwrite)
 
     def generate_facts(self,
                        local_facts,
                        additive_facts_to_overwrite,
                        openshift_env,
+                       openshift_env_structures,
                        protected_facts_to_overwrite):
         """ Generate facts
 
@@ -1343,6 +1374,7 @@ class OpenShiftFacts(object):
         local_facts = self.init_local_facts(local_facts,
                                             additive_facts_to_overwrite,
                                             openshift_env,
+                                            openshift_env_structures,
                                             protected_facts_to_overwrite)
         roles = local_facts.keys()
 
@@ -1359,7 +1391,6 @@ class OpenShiftFacts(object):
                             local_facts,
                             additive_facts_to_overwrite,
                             protected_facts_to_overwrite)
-        facts = merge_provider_facts(facts)
         facts['current_config'] = get_current_config(facts)
         facts = set_url_facts_if_unset(facts)
         facts = set_project_cfg_facts_if_unset(facts)
@@ -1372,6 +1403,9 @@ class OpenShiftFacts(object):
         facts = set_sdn_facts_if_unset(facts, self.system_facts)
         facts = set_deployment_facts_if_unset(facts)
         facts = set_container_facts_if_unset(facts)
+        facts = build_kubelet_args(facts)
+        facts = build_controller_args(facts)
+        facts = build_api_server_args(facts)
         facts = set_version_facts_if_unset(facts)
         facts = set_manageiq_facts_if_unset(facts)
         facts = set_aggregate_facts(facts)
@@ -1434,6 +1468,9 @@ class OpenShiftFacts(object):
         if 'docker' in roles:
             defaults['docker'] = dict(disable_push_dockerhub=False)
 
+        if 'cloudprovider' in roles:
+            defaults['cloudprovider'] = dict(kind=None)
+
         defaults['hosted'] = dict(
             registry=dict(
                 storage=dict(
@@ -1452,7 +1489,6 @@ class OpenShiftFacts(object):
             )
         )
 
-
         return defaults
 
     def guess_host_provider(self):
@@ -1488,7 +1524,7 @@ class OpenShiftFacts(object):
                 metadata['instance'].pop('serviceAccounts', None)
         elif (virt_type == 'xen' and virt_role == 'guest'
               and re.match(r'.*\.amazon$', product_version)):
-            provider = 'ec2'
+            provider = 'aws'
             metadata_url = 'http://169.254.169.254/latest/meta-data/'
             metadata = get_provider_metadata(metadata_url)
         elif re.search(r'OpenStack', product_name):
@@ -1530,11 +1566,53 @@ class OpenShiftFacts(object):
         )
         return provider_facts
 
-    # Disabling too-many-branches. This should be cleaned up as a TODO item.
-    #pylint: disable=too-many-branches
+    @staticmethod
+    def split_openshift_env_fact_keys(openshift_env_fact, openshift_env_structures):
+        """ Split openshift_env facts based on openshift_env structures.
+
+            Args:
+                openshift_env_fact (string): the openshift_env fact to split
+                                             ex: 'openshift_cloudprovider_openstack_auth_url'
+                openshift_env_structures (list): a list of structures to determine fact keys
+                                                 ex: ['openshift.cloudprovider.openstack.*']
+            Returns:
+                list: a list of keys that represent the fact
+                      ex: ['openshift', 'cloudprovider', 'openstack', 'auth_url']
+        """
+        # By default, we'll split an openshift_env fact by underscores.
+        fact_keys = openshift_env_fact.split('_')
+
+        # Determine if any of the provided variable structures match the fact.
+        matching_structure = None
+        if openshift_env_structures != None:
+            for structure in openshift_env_structures:
+                if re.match(structure, openshift_env_fact):
+                    matching_structure = structure
+        # Fact didn't match any variable structures so return the default fact keys.
+        if matching_structure is None:
+            return fact_keys
+
+        final_keys = []
+        structure_keys = matching_structure.split('.')
+        for structure_key in structure_keys:
+            # Matched current key. Add to final keys.
+            if structure_key == fact_keys[structure_keys.index(structure_key)]:
+                final_keys.append(structure_key)
+            # Wildcard means we will be taking everything from here to the end of the fact.
+            elif structure_key == '*':
+                final_keys.append('_'.join(fact_keys[structure_keys.index(structure_key):]))
+            # Shouldn't have gotten here, return the fact keys.
+            else:
+                return fact_keys
+        return final_keys
+
+    # Disabling too-many-branches and too-many-locals.
+    # This should be cleaned up as a TODO item.
+    #pylint: disable=too-many-branches, too-many-locals
     def init_local_facts(self, facts=None,
                          additive_facts_to_overwrite=None,
                          openshift_env=None,
+                         openshift_env_structures=None,
                          protected_facts_to_overwrite=None):
         """ Initialize the local facts
 
@@ -1562,8 +1640,8 @@ class OpenShiftFacts(object):
             for fact, value in openshift_env.iteritems():
                 oo_env_facts = dict()
                 current_level = oo_env_facts
-                keys = fact.split('_')[1:]
-                if keys[0] != self.role:
+                keys = self.split_openshift_env_fact_keys(fact, openshift_env_structures)[1:]
+                if len(keys) > 0 and keys[0] != self.role:
                     continue
                 for key in keys:
                     if key == keys[-1]:
@@ -1691,6 +1769,7 @@ def main():
             local_facts=dict(default=None, type='dict', required=False),
             additive_facts_to_overwrite=dict(default=[], type='list', required=False),
             openshift_env=dict(default={}, type='dict', required=False),
+            openshift_env_structures=dict(default=[], type='list', required=False),
             protected_facts_to_overwrite=dict(default=[], type='list', required=False),
         ),
         supports_check_mode=True,
@@ -1701,6 +1780,7 @@ def main():
     local_facts = module.params['local_facts']
     additive_facts_to_overwrite = module.params['additive_facts_to_overwrite']
     openshift_env = module.params['openshift_env']
+    openshift_env_structures = module.params['openshift_env_structures']
     protected_facts_to_overwrite = module.params['protected_facts_to_overwrite']
 
     fact_file = '/etc/ansible/facts.d/openshift.fact'
@@ -1710,6 +1790,7 @@ def main():
                                      local_facts,
                                      additive_facts_to_overwrite,
                                      openshift_env,
+                                     openshift_env_structures,
                                      protected_facts_to_overwrite)
 
     file_params = module.params.copy()
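Review bot: With `cloudprovider` added to `known_roles`, the `openshift_cloudprovider_*` values parsed in `init_local_facts`, including the AWS secret key and the OpenStack password, appear to become ordinary local facts, and `main()` sets the fact file to `/etc/ansible/facts.d/openshift.fact`. The body of `save_local_facts` is outside these hunks, so the mode that file is written with cannot be confirmed here. That is worth checking before credentials flow through this path, because a fact file readable by every local account would expose the cloud API credentials to all of them. I would add a comment above `known_roles` such as `# cloudprovider facts carry credentials; the local fact file must not be world-readable`, and verify the mode applied in `save_local_facts`.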

+ 1 - 0
roles/openshift_master/meta/main.yml

@@ -13,3 +13,4 @@ galaxy_info:
   - cloud
 dependencies:
 - role: openshift_cli
+- role: openshift_cloud_provider

+ 5 - 0
roles/openshift_master/templates/atomic-openshift-master.j2

@@ -4,6 +4,11 @@ CONFIG_FILE={{ openshift_master_config_file }}
 IMAGE_VERSION={{ openshift_version }}
 {% endif %}
 
+{% if 'cloudprovider' in openshift and 'aws' in openshift.cloudprovider and openshift.cloudprovider.kind == 'aws' and 'access_key' in openshift.cloudprovider.aws and 'secret_key' in openshift.cloudprovider.aws %}
+AWS_ACCESS_KEY_ID={{ openshift.cloudprovider.aws.access_key }}
+AWS_SECRET_ACCESS_KEY={{ openshift.cloudprovider.aws.secret_key }}
+{% endif %}
+
 # Proxy configuration
 # Origin uses standard HTTP_PROXY environment variables. Be sure to set
 # NO_PROXY for your master
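Review bot: These lines put `AWS_SECRET_ACCESS_KEY` into the master's sysconfig environment file, and the task that renders this template is not part of the diff, so the resulting file mode cannot be checked here. If that task does not already set a restrictive mode it should get `mode: "0600"` with a root owner, and the same applies to the two native-cluster templates changed below (atomic-openshift-master-api.j2 and atomic-openshift-master-controllers.j2). A comment line above the block such as `# AWS credentials for the cloud provider; prefer an IAM instance profile where possible` would also tell operators why the keys are there.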

+ 5 - 0
roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2

@@ -4,6 +4,11 @@ CONFIG_FILE={{ openshift_master_config_file }}
 IMAGE_VERSION={{ openshift_version }}
 {% endif %}
 
+{% if 'cloudprovider' in openshift and 'aws' in openshift.cloudprovider and openshift.cloudprovider.kind == 'aws' and 'access_key' in openshift.cloudprovider.aws and 'secret_key' in openshift.cloudprovider.aws %}
+AWS_ACCESS_KEY_ID={{ openshift.cloudprovider.aws.access_key }}
+AWS_SECRET_ACCESS_KEY={{ openshift.cloudprovider.aws.secret_key }}
+{% endif %}
+
 # Proxy configuration
 # Origin uses standard HTTP_PROXY environment variables. Be sure to set
 # NO_PROXY for your master

+ 5 - 0
roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2

@@ -4,6 +4,11 @@ CONFIG_FILE={{ openshift_master_config_file }}
 IMAGE_VERSION={{ openshift_version }}
 {% endif %}
 
+{% if 'cloudprovider' in openshift and 'aws' in openshift.cloudprovider and openshift.cloudprovider.kind == 'aws' and 'access_key' in openshift.cloudprovider.aws and 'secret_key' in openshift.cloudprovider.aws %}
+AWS_ACCESS_KEY_ID={{ openshift.cloudprovider.aws.access_key }}
+AWS_SECRET_ACCESS_KEY={{ openshift.cloudprovider.aws.secret_key }}
+{% endif %}
+
 # Proxy configuration
 # Origin uses standard HTTP_PROXY environment variables. Be sure to set
 # NO_PROXY for your master

+ 1 - 0
roles/openshift_node/meta/main.yml

@@ -14,3 +14,4 @@ galaxy_info:
 dependencies:
 - role: openshift_common
 - role: openshift_docker
+- role: openshift_cloud_provider

+ 15 - 0
roles/openshift_node/tasks/main.yml

@@ -81,6 +81,21 @@
   notify:
   - restart node
 
+- name: Configure AWS Cloud Provider Settings
+  lineinfile:
+    dest: /etc/sysconfig/{{ openshift.common.service_type }}-node
+    regexp: "{{ item.regex }}"
+    line: "{{ item.line }}"
+    create: true
+  with_items:
+    - regex: '^AWS_ACCESS_KEY_ID='
+      line: "AWS_ACCESS_KEY_ID={{ openshift.cloudprovider.aws.access_key }}"
+    - regex: '^AWS_SECRET_ACCESS_KEY='
+      line: "AWS_SECRET_ACCESS_KEY={{ openshift.cloudprovider.aws.secret_key }}"
+  when: "'cloudprovider' in openshift and 'aws' in openshift.cloudprovider and openshift.cloudprovider.kind == 'aws' and 'access_key' in openshift.cloudprovider.aws and 'secret_key' in openshift.cloudprovider.aws"
+  notify:
+  - restart node
+
 - name: Additional storage plugin configuration
   include: storage_plugins/main.yml
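Review bot: The new `lineinfile` task loops over items whose `line` contains the AWS secret key but has no `no_log`, so the per-item task output would include the credential in Ansible's console and log output; the facts task in roles/openshift_cloud_provider/tasks/main.yml already sets `no_log: true` for the same data. The task also uses `create: true` without a `mode`, so a newly created sysconfig file gets default permissions. I would add `no_log: true` and `mode: "0600"` to the task. The hunk starts mid-file, so any earlier task that manages this file's permissions is not visible here.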