[upgrade] Create/configure service signer cert when missing.

1 files changed, 23 insertions, 1 deletions

diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
index e8bf133e6..ba4fc63be 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade.yml
@@ -34,7 +34,7 @@
 ###############################################################################
 # Upgrade Masters
 ###############################################################################
-- name: Upgrade master
+- name: Upgrade master packages
   hosts: oo_masters_to_config
   handlers:
   - include: ../../../../roles/openshift_master/handlers/main.yml
@@ -45,6 +45,28 @@
   - include: rpm_upgrade.yml component=master
     when: not openshift.common.is_containerized | bool
 
+- name: Determine if service signer cert must be created
+  hosts: oo_first_master
+  tasks:
+  - name: Determine if service signer certificate must be created
+    stat:
+      path: "{{ openshift.common.config_base }}/master/service-signer.crt"
+    register: service_signer_cert_stat
+    changed_when: false
+
+# Create service signer cert when missing. Service signer certificate
+# is added to master config in the master config hook for v3_3.
+- include: create_service_signer_cert.yml
+  when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool)
+
+- name: Upgrade master config and systemd units
+  hosts: oo_masters_to_config
+  handlers:
+  - include: ../../../../roles/openshift_master/handlers/main.yml
+    static: yes
+  roles:
+  - openshift_facts
+  tasks:
   - include: "{{ master_config_hook }}"
     when: master_config_hook is defined