diff --git a/roles/rke2/tasks/config_ccm.yml b/roles/rke2/tasks/config_ccm.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8f45d6df69f6eb507619c5c5f5ba6d63a3849da0
--- /dev/null
+++ b/roles/rke2/tasks/config_ccm.yml
@@ -0,0 +1,27 @@
+- name: wait for k8s to come up till 403 forbidden
+  delegate_to: localhost
+  uri:
+    url: "https://{{ LB_IP_MGMT }}:6443"
+    status_code: [403]
+    validate_certs: no
+  register: result
+  until: result.status == 403
+  retries: 10 # retry X times
+  delay: 10 # pause for X sec b/w each call
+
+- name: add cloud.conf template for CCM
+  template:
+    src: cloud.conf.j2
+    dest: /tmp/cloud.conf
+
+- name: apply secrets for CCM
+  ansible.builtin.shell:
+    executable: /var/lib/rancher/rke2/bin/kubectl
+    cmd: create secret generic --namespace kube-system cloud-config --from-file=cloud.conf=/tmp/cloud.conf \
+  environment:
+    KUBECONFIG: /etc/rancher/rke2/rke2.yaml
+
+- name: remove /tmp/cloud.conf on remote
+  ansible.builtin.file:
+    path: /tmp/cloud.conf
+    state: absent
\ No newline at end of file
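Review bot: The `add cloud.conf template for CCM` task writes the OpenStack application credential secret to the predictable path `/tmp/cloud.conf` without a `mode`, so the file gets umask-default permissions, and the closing `remove /tmp/cloud.conf on remote` task never runs if `apply secrets for CCM` fails. Set `mode: "0600"` and `no_log: true` on the template task, and wrap the tasks in a `block` with the removal under `always`, as sketched below. The failure path is likely rather than theoretical: `kubectl create secret` returns an error when `cloud-config` already exists, so a second run of the role would stop there and leave the file behind. It is also worth checking that the task runs as intended, since `executable:` on `ansible.builtin.shell` selects the shell that interprets `cmd` rather than the program to run, and `cmd` ends in a dangling `\`; `ansible.builtin.command` with the full kubectl path would be the usual form.

```yaml
- name: create cloud-config secret for CCM
  block:
    - name: add cloud.conf template for CCM
      template:
        src: cloud.conf.j2
        dest: /tmp/cloud.conf
        mode: "0600"
      no_log: true
    # … unchanged: "apply secrets for CCM" task, nested under block …
  always:
    - name: remove /tmp/cloud.conf on remote
      ansible.builtin.file:
        path: /tmp/cloud.conf
        state: absent
```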
diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml
index ea9d2985cc2cf26f1f9326e931c774ca5c773e01..1abc6c3976588e014c744fc2ce7c846ac67085dd 100644
--- a/roles/rke2/tasks/main.yml
+++ b/roles/rke2/tasks/main.yml
@@ -8,7 +8,8 @@
   - include_tasks: install_rke2.yml
   when: ( not rke2_installed.stat.exists and state != 'absent' ) or (upgrade and state != 'absent' )
 
-- include_tasks: templates.yml
+- name: copy k8s yaml templates to master node
+  include_tasks: templates.yml
   when: state != 'absent' and 'master' in group_names
 
 - block:
@@ -16,10 +17,12 @@
     - include_tasks: config_rke2.yml
   when: state != 'absent'
 
-- include_tasks: save_kubeconfig.yml
+- name: save kubeconfig in keyvault
+  include_tasks: save_kubeconfig.yml
   when: state != 'absent' and 'master' in group_names
 
-- include_tasks: rotate_encryption.yml
+- name: rotate etcd secrets encryption key
+  include_tasks: rotate_encryption.yml
   when: state != 'absent' and 'control-plane' in group_names and rotate 
 
 - name: uninstall rke2
@@ -28,20 +31,8 @@
 
 - name: Flush handlers
   meta: flush_handlers
+  when: state != 'absent'
 
-- name: wait for k8s to come up till 403 forbidden
-  delegate_to: localhost
-  uri:
-    url: "https://{{ LB_IP_MGMT }}:6443"
-    status_code: [403]
-    validate_certs: no
-  register: result
-  until: result.status == 403
-  retries: 10 # retry X times
-  delay: 10 # pause for X sec b/w each call
-  when: state != 'absent' and 'master' in group_names
-
-- name: add secrets for CCM
-  ansible.builtin.debug:
-    var: result
-    verbosity: 2
\ No newline at end of file
+- name: configure Openstack Cloud Controller Manager
+  include_tasks: config_ccm.yml
+  when: state != 'absent' and 'master' in group_names
\ No newline at end of file
diff --git a/roles/rke2/templates/cloud.conf.j2 b/roles/rke2/templates/cloud.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a3865726409c81f8128ca42c07d89516e38553ad
--- /dev/null
+++ b/roles/rke2/templates/cloud.conf.j2
@@ -0,0 +1,20 @@
+[Global]
+application-credential-id = {{ openstack_auth.application_credential_id }}
+application-credential-secret = {{ openstack_auth.application_credential_secret }}
+auth-url = {{ openstack_auth.auth_url }}
+region = {{ openstack_region_name }}
+
+[Networking]
+
+[LoadBalancer]
+enable-ingress-hostname = true
+floating-network-id = {{ floating_network_id }}
+subnet-id = {{ subnet_id }}
+use-octavia = true
+{% if item.value.ingressHostnameSuffix is defined %}
+ingress-hostname-suffix: {{ item.value.ingressHostnameSuffix }}
+{% endif %}
+
+[BlockStorage]
+
+[Metadata]
\ No newline at end of file
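Review bot: The line `ingress-hostname-suffix: {{ item.value.ingressHostnameSuffix }}` uses `:` where every other key in this file uses `=`, and it reads `item`, which the `template` task in config_ccm.yml never supplies because it has no `loop`. As written the `{% if %}` branch looks unreachable, and if it did render, the line would probably not parse as a key/value pair. Use `ingress-hostname-suffix = {{ … }}` and take the value from a role variable instead of `item`. The credential values in `[Global]` are also rendered unquoted; if the secret can contain characters the config parser treats specially (`#`, `;`, leading or trailing spaces), quoting the value would avoid silent truncation. That depends on the parser, so it needs confirming.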
diff --git a/roles/rke2/templates/manifests/deploy-openstack-ccm.j2 b/roles/rke2/templates/manifests/deploy-openstack-ccm.j2
index 9b8cecb21d4442d02e1eeeaf79f2bc99a6717926..cf78f3e09233e51d41a72890fbead80a54b82e27 100644
--- a/roles/rke2/templates/manifests/deploy-openstack-ccm.j2
+++ b/roles/rke2/templates/manifests/deploy-openstack-ccm.j2
@@ -20,6 +20,9 @@ spec:
   bootstrap: True
   targetNamespace: kube-system
   valuesContent: |-
+    secret:
+      create: false
+      name: cloud-config
     cloudConfig:
       global:
         auth-url: {{ openstack_auth.auth_url }}
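Review bot: The `cloudConfig:` block stays in `valuesContent` directly below the added `secret.create: false` / `name: cloud-config` lines, even though the chart now reads the externally created Secret. Only `auth-url` is visible in this hunk; the rest of the block lies outside it. If the block still carries `application-credential-secret`, the credential remains in the HelmChart manifest on the node and in the cluster object, which defeats the move to a Secret. Either drop the `cloudConfig:` block or strip the credential keys from it and add a comment such as `# credentials are supplied by the pre-created cloud-config Secret (see config_ccm.yml)`.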