-rw-r--r--.tito/packages/openshift-ansible2
-rw-r--r--inventory/byo/hosts.origin.example4
-rw-r--r--inventory/byo/hosts.ose.example4
-rw-r--r--openshift-ansible.spec196
-rw-r--r--playbooks/byo/openshift-master/scaleup.yml14
-rw-r--r--playbooks/byo/openshift-node/scaleup.yml13
-rw-r--r--roles/openshift_hosted/tasks/registry/registry.yml3
-rw-r--r--roles/openshift_hosted/tasks/registry/secure.yml101
-rw-r--r--roles/openshift_hosted/tasks/registry/secure/passthrough.yml45
-rw-r--r--roles/openshift_hosted/tasks/registry/secure/reencrypt.yml38
-rw-r--r--roles/openshift_node_dnsmasq/meta/main.yml1
-rw-r--r--utils/src/ooinstall/variants.py2
12 files changed, 366 insertions, 57 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index a667c3f2d..942c51f27 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.7.1-1 ./
+3.7.0-0.104.0 ./
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index 239727c6e..385278f3b 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -798,9 +798,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
#openshift_builddefaults_nodeselectors={'nodelabel1':'nodelabelvalue1'}
#openshift_builddefaults_annotations={'annotationkey1':'annotationvalue1'}
#openshift_builddefaults_resources_requests_cpu=100m
-#openshift_builddefaults_resources_requests_memory=256m
+#openshift_builddefaults_resources_requests_memory=256Mi
#openshift_builddefaults_resources_limits_cpu=1000m
-#openshift_builddefaults_resources_limits_memory=512m
+#openshift_builddefaults_resources_limits_memory=512Mi
# Or you may optionally define your own build defaults configuration serialized as json
#openshift_builddefaults_json='{"BuildDefaults":{"configuration":{"apiVersion":"v1","env":[{"name":"HTTP_PROXY","value":"http://proxy.example.com.redhat.com:3128"},{"name":"NO_PROXY","value":"ose3-master.example.com"}],"gitHTTPProxy":"http://proxy.example.com:3128","gitNoProxy":"ose3-master.example.com","kind":"BuildDefaultsConfig"}}}'
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index 837c54f27..87fdee904 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -798,9 +798,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
#openshift_builddefaults_nodeselectors={'nodelabel1':'nodelabelvalue1'}
#openshift_builddefaults_annotations={'annotationkey1':'annotationvalue1'}
#openshift_builddefaults_resources_requests_cpu=100m
-#openshift_builddefaults_resources_requests_memory=256m
+#openshift_builddefaults_resources_requests_memory=256Mi
#openshift_builddefaults_resources_limits_cpu=1000m
-#openshift_builddefaults_resources_limits_memory=512m
+#openshift_builddefaults_resources_limits_memory=512Mi
# Or you may optionally define your own build defaults configuration serialized as json
#openshift_builddefaults_json='{"BuildDefaults":{"configuration":{"apiVersion":"v1","env":[{"name":"HTTP_PROXY","value":"http://proxy.example.com.redhat.com:3128"},{"name":"NO_PROXY","value":"ose3-master.example.com"}],"gitHTTPProxy":"http://proxy.example.com:3128","gitNoProxy":"ose3-master.example.com","kind":"BuildDefaultsConfig"}}}'
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 9cadf5947..1c3b1757c 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -9,8 +9,8 @@
%global __requires_exclude ^/usr/bin/ansible-playbook$
Name: openshift-ansible
-Version: 3.7.1
-Release: 1%{?dist}
+Version: 3.7.0
+Release: 0.104.0%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
URL: https://github.com/openshift/openshift-ansible
@@ -280,6 +280,198 @@ Atomic OpenShift Utilities includes
%changelog
+* Sun Aug 20 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.104.0
+- Ensure that openshift_node_facts has been called for dns_ip
+ (sdodson@redhat.com)
+
+* Sat Aug 19 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.103.0
+-
+
+* Fri Aug 18 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.102.0
+-
+
+* Fri Aug 18 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.101.0
+-
+
+* Fri Aug 18 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.100.0
+- Change memory requests and limits units (mak@redhat.com)
+- Display "origin 3.6" as in previous installer 3.5 (brunovern.a@gmail.com)
+- Use sdn_cluster_network_cidr as default calico pool (djosborne10@gmail.com)
+- fix missing console appending in logging (jcantril@redhat.com)
+- Enable version 3.6 for OSE (bacek@bacek.com)
+- Adding std_include to the metrics playbook. (kwoodson@redhat.com)
+- Don't include noop (rteague@redhat.com)
+- Remove openshift_repos dependencies (rteague@redhat.com)
+- polish openshift-master role (jchaloup@redhat.com)
+- etc_traffic check: factor away short_version (lmeyer@redhat.com)
+- openshift-checks: have playbooks invoke std_include (lmeyer@redhat.com)
+- bug: container_binary_sync no longer moves upon symlinks (smilner@redhat.com)
+- Remove orphan files (rteague@redhat.com)
+- Additional os_firewall role refactoring (rteague@redhat.com)
+- Standardize usage of std_include in byo (rteague@redhat.com)
+- Cleanup validate_hostnames (rteague@redhat.com)
+- Use openshift.node.dns_ip as listening address (sdodson@redhat.com)
+- Remove obsolete yum check (rteague@redhat.com)
+- Clean up Calico readme (djosborne10@gmail.com)
+- Change vsd user nodes parameter name (rohan.s.parulekar@nuagenetworks.net)
+- Removing dependencies for openshift_repos and setting them up early in the
+ cluster build. (kwoodson@redhat.com)
+- Default values for CFME container images are invalid (jkaur@redhat.com)
+- Fix duplicate evaluate_groups.yml call during install (rteague@redhat.com)
+- Minor update to correct firewall play name (rteague@redhat.com)
+- Moving firewall rules under the role to work with refactor.
+ (kwoodson@redhat.com)
+- Fix Restore Master AWS Options (michael.fraenkel@gmail.com)
+- Update etcd scaleup entrypoint includes and use etcd_{hostname,ip} facts for
+ new member registration. (abutcher@redhat.com)
+- openshift_checks: allow OVS 2.7 on OCP 3.5 and 3.6 (miciah.masters@gmail.com)
+- Refactor group initialization (rteague@redhat.com)
+- Updated README to reflect refactor. Moved firewall initialize into separate
+ file. (kwoodson@redhat.com)
+- system_container.yml: fix braces (lmeyer@redhat.com)
+- Error check project creation. (kwoodson@redhat.com)
+- Update README.md (sdodson@redhat.com)
+- Fix syntax for when statement (rhcarvalho@gmail.com)
+- configure kibana index mode (jcantril@redhat.com)
+- Change default CFME namespace to use reserved openshift- prefix
+ (tbielawa@redhat.com)
+- Start iptables on each master in serial (denverjanke@gmail.com)
+- Remove additional 'restart master' handler references. (abutcher@redhat.com)
+- Adding a default condition and removing unneeded defaults.
+ (kwoodson@redhat.com)
+- adding check to a yaml dump to work properly with new ruamel lib
+ (ihorvath@redhat.com)
+- Bump calico to v2.4.1 (djosborne10@gmail.com)
+- openshift_checks: refactor find_ansible_mount (lmeyer@redhat.com)
+- More complete discovery of entry point playbooks (rteague@redhat.com)
+- Add missing byo v3_7 playbooks (sdodson@redhat.com)
+- Add v3_7 upgrades (sdodson@redhat.com)
+- Remove remaining references to openshift-master.service (ccoleman@redhat.com)
+- Disable old openshift-master.service on upgrade (ccoleman@redhat.com)
+- Use the new election mode (client based) instead of direct etcd access
+ (ccoleman@redhat.com)
+- Remove the origin-master.service and associated files (ccoleman@redhat.com)
+- Make native clustering the default everywhere (ccoleman@redhat.com)
+- Warn when user has no etcd group member nodes (ccoleman@redhat.com)
+- First attempt at refactor of os_firewall (kwoodson@redhat.com)
+- Refactor of openshift_version. (kwoodson@redhat.com)
+- Fix lint errors (sdodson@redhat.com)
+- integration tests: keep openshift_version happy (lmeyer@redhat.com)
+- New pattern involves startup and initializing through the std_include.yml
+ (kwoodson@redhat.com)
+- adding readme for openshift_manageiq (efreiber@redhat.com)
+- papr: Update to use v3.6.0 images (smilner@redhat.com)
+- Removing tasks from module openshift_facts. (kwoodson@redhat.com)
+- Updating PVC generation to only be done if the pvc does not already exist to
+ avoid idempotent issues (ewolinet@redhat.com)
+- Origin image build: add oc client (lmeyer@redhat.com)
+- Add v3.7 hosted templates (sdodson@redhat.com)
+- GlusterFS: Don't use /dev/null for empty file. (jarrpa@redhat.com)
+- Quick Installer should specify which config file to edit. (jkaur@redhat.com)
+- cri-o: configure the CNI network (gscrivan@redhat.com)
+- nfs only run if cloud_provider not defined (sdw35@cornell.edu)
+- Default gte_3_7 to false (sdodson@redhat.com)
+- Add v3.7 content (sdodson@redhat.com)
+- Update version checks to tolerate 3.7 (skuznets@redhat.com)
+- cri-o: Restart cri-o after openshift sdn installation (smilner@redhat.com)
+- cri-o: Continue node without SELinux check (smilner@redhat.com)
+- examples: use the correct variable name (gscrivan@redhat.com)
+- cri-o: allow to override CRI-O image indipendently from Docker
+ (gscrivan@redhat.com)
+- docker: introduce use_crio_only (gscrivan@redhat.com)
+- docker: skip Docker setup when using CRI-O (gscrivan@redhat.com)
+- openvswitch: system container depends on the cri-o service
+ (gscrivan@redhat.com)
+- cli_image: do not require Docker when using CRI-O (gscrivan@redhat.com)
+- cri-o: skip Set precise containerized version check (gscrivan@redhat.com)
+- cri-o: skip Docker version test (gscrivan@redhat.com)
+- cri-o: use only images from Docker Hub (gscrivan@redhat.com)
+- cri-o: Enable systemd-modules-load if required (smilner@redhat.com)
+- openshift_node: fix typo for experimental-cri (smilner@redhat.com)
+- cri-o: Fix node template to use full variable (smilner@redhat.com)
+- cri-o: Ensure overlay is available (smilner@redhat.com)
+- cri-o: Default insecure registries to "" (smilner@redhat.com)
+- crio: use a template for the configuration (gscrivan@redhat.com)
+- openshift_docker_facts: Add use_crio (smilner@redhat.com)
+- cri-o: Minor fixes for tasks (smilner@redhat.com)
+- cri-o: Hardcode image name to cri-o (smilner@redhat.com)
+- cri-o: Add cri-o as a Wants in node units (smilner@redhat.com)
+- cri-o: configure storage and insecure registries (gscrivan@redhat.com)
+- node.yaml: configure node to use cri-o when openshift.common.use_crio
+ (gscrivan@redhat.com)
+- inventory: Add use_crio example (smilner@redhat.com)
+- cri-o: Allow cri-o usage. (smilner@redhat.com)
+- adding pods/logs to manageiq role (efreiber@redhat.com)
+- openshift_checks: refactor logging checks (lmeyer@redhat.com)
+- GlusterFS: Copy SSH private key to master node. (jarrpa@redhat.com)
+- openshift_checks: add property to track 'changed' (lmeyer@redhat.com)
+- Fixing SA and clusterrole namespaces (ewolinet@redhat.com)
+- package_version check: tolerate release version 3.7 (lmeyer@redhat.com)
+- Missing space (kp@tigera.io)
+- add pre-flight checks to ugrade path (jvallejo@redhat.com)
+- add fluentd logging driver config check (jvallejo@redhat.com)
+- Paren wrap integration print(). (abutcher@redhat.com)
+- Update openshift_cert_expiry for py3 support. (abutcher@redhat.com)
+- Use enterprise images for CFME enterprise deployments (sdodson@redhat.com)
+- use mux_client_mode instead of use_mux_client (rmeggins@redhat.com)
+- openshift_checks: enable variable conversion (lmeyer@redhat.com)
+- GlusterFS: Check for namespace if deploying a StorageClass
+ (jarrpa@redhat.com)
+- Switch logging and metrics OCP image tag from 3.6.0 to v3.6
+ (sdodson@redhat.com)
+- Fixing storageclass doc variable. (kwoodson@redhat.com)
+- GlusterFS: Fix variable names in defaults. (jarrpa@redhat.com)
+- Fix aws_secret_key check (carlpett@users.noreply.github.com)
+- Impl fluentd file buffer (nhosoi@redhat.com)
+- Use existing OPENSHIFT_DEFAULT_REGISTRY setting during masters scaleup
+ (tbielawa@redhat.com)
+- GlusterFS: Default glusterfs_name in loop items. (jarrpa@redhat.com)
+- Remove cluster in favor of rolebindings. (kwoodson@redhat.com)
+- Updating metrics role to create serviceaccounts and roles immediately
+ (ewolinet@redhat.com)
+- GlusterFS: Use default namespace when not native. (jarrpa@redhat.com)
+- Set the openshift_version from the openshift.common.version in case it is
+ empty (jchaloup@redhat.com)
+- Revert "Add health checks to upgrade playbook" (rhcarvalho@gmail.com)
+- move common tasks to a single file included by both systemd_units.yml
+ (jchaloup@redhat.com)
+- Fixes for auth_proxy, vxlan mode (srampal@cisco.com)
+- Tolerate non existence of /etc/sysconfig/atomic-openshift-master
+ (sdodson@redhat.com)
+- Block etcdv3 migration for supported configurations (sdodson@redhat.com)
+- Shut down masters before taking an etcd backup (sdodson@redhat.com)
+- Move node facts to new openshift_node_facts role. (abutcher@redhat.com)
+- Add glusterfs_registry hosts to oo_all_hosts. (jarrpa@redhat.com)
+- Updating template parameter replica to be more unique to avoid var scope
+ creeping (ewolinet@redhat.com)
+- Add 3.7 releaser (sdodson@redhat.com)
+- add selector and storage class name to oc_pvc module (jcantril@redhat.com)
+- backport 'Add systemctl daemon-reload handler to openshift_node' #4403 to
+ openshift_node_upgrade (jchaloup@redhat.com)
+- Normalize list of checks passed to action plugin (rhcarvalho@gmail.com)
+- Clean up unnecessary quotes (rhcarvalho@gmail.com)
+- Make LoggingCheck.run return the correct type (rhcarvalho@gmail.com)
+- Clean up openshift-checks playbooks (rhcarvalho@gmail.com)
+- fixes after rebasing with #4485 (jvallejo@redhat.com)
+- add pre-flight checks to ugrade path (jvallejo@redhat.com)
+- Refactor openshift_facts BIOS vendor discovery (rteague@redhat.com)
+- Normalize logging entry. (kwoodson@redhat.com)
+- Nuage changes to support IPTables kube-proxy in OpenShift
+ (siva_teja.areti@nokia.com)
+- Remove default provisioner. (kwoodson@redhat.com)
+- Fix for : https://bugzilla.redhat.com/show_bug.cgi?id=1467423
+ (jkaur@redhat.com)
+- allow to specify docker registry for system containers (jchaloup@redhat.com)
+- Fail within scaleup playbooks when new_{nodes,masters} host groups are empty.
+ (abutcher@redhat.com)
+- Add rate limit configurability (sdodson@redhat.com)
+- Resolve deprecation warnings in Contiv roles (rteague@redhat.com)
+- add etcd scaleup playbook (jawed.khelil@amadeus.com)
+- Spacing and moving deleget_to to bottom. (kwoodson@redhat.com)
+- Updated to use modules instead of command for user permissions.
+ (kwoodson@redhat.com)
+- fix BZ1422541 on master branch (weshi@redhat.com)
+
* Thu Jul 27 2017 Scott Dodson <sdodson@redhat.com> 3.7.1-1
- Fix incorrect delegate_to in control plane upgrade (sdodson@redhat.com)
- Follow the new naming conventions. (zhang.wanmin@zte.com.cn)
diff --git a/playbooks/byo/openshift-master/scaleup.yml b/playbooks/byo/openshift-master/scaleup.yml
index 8aa07a664..64811e80d 100644
--- a/playbooks/byo/openshift-master/scaleup.yml
+++ b/playbooks/byo/openshift-master/scaleup.yml
@@ -1,6 +1,20 @@
---
- include: ../openshift-cluster/initialize_groups.yml
+- name: Ensure there are new_masters
+ hosts: localhost
+ connection: local
+ become: no
+ gather_facts: no
+ tasks:
+ - fail:
+ msg: >
+ Detected no new_masters or no new_nodes in inventory. Please
+ add hosts to the new_masters and new_nodes host groups to add
+ masters.
+ when:
+ - (g_new_master_hosts | default([]) | length == 0) or (g_new_node_hosts | default([]) | length == 0)
+
- include: ../../common/openshift-master/scaleup.yml
vars:
openshift_cluster_id: "{{ cluster_id | default('default') }}"
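Review bot: `become: no` and `gather_facts: no` in the new guard play use the YAML 1.1 boolean spellings; Ansible accepts them, but yamllint's truthy rule flags them and they read differently under a 1.2 parser, so prefer `become: false` and `gather_facts: false`. The same spellings appear in the new play in playbooks/byo/openshift-node/scaleup.yml. The `msg: >` folded scalar keeps a trailing newline in the failure text; `msg: >-` gives the same one-line message without it.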
diff --git a/playbooks/byo/openshift-node/scaleup.yml b/playbooks/byo/openshift-node/scaleup.yml
index c6965fd6f..fda89b1ea 100644
--- a/playbooks/byo/openshift-node/scaleup.yml
+++ b/playbooks/byo/openshift-node/scaleup.yml
@@ -1,6 +1,19 @@
---
- include: ../openshift-cluster/initialize_groups.yml
+- name: Ensure there are new_nodes
+ hosts: localhost
+ connection: local
+ become: no
+ gather_facts: no
+ tasks:
+ - fail:
+ msg: >
+ Detected no new_nodes in inventory. Please add hosts to the
+ new_nodes host group to add nodes.
+ when:
+ - g_new_node_hosts | default([]) | length == 0
+
- include: ../../common/openshift-node/scaleup.yml
vars:
openshift_cluster_id: "{{ cluster_id | default('default') }}"
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index dcd9c87fc..6f012aed1 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -43,9 +43,6 @@
openshift_hosted_registry_images: "{{ openshift.hosted.registry.registryurl | default('openshift3/ose-${component}:${version}')}}"
openshift_hosted_registry_volumes: []
openshift_hosted_registry_env_vars: {}
- openshift_hosted_registry_routecertificates: "{{ ('routecertificates' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routecertificates, {}) }}"
- openshift_hosted_registry_routehost: "{{ ('routehost' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routehost, False) }}"
- openshift_hosted_registry_routetermination: "{{ ('routetermination' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routetermination, 'passthrough') }}"
openshift_hosted_registry_edits:
# These edits are being specified only to prevent 'changed' on rerun
- key: spec.strategy.rollingParams
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index 29c164f52..a18e6eea9 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
@@ -1,65 +1,68 @@
---
-- name: Set fact docker_registry_route_hostname
+- name: Configure facts for docker-registry
set_fact:
- docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"
+ openshift_hosted_registry_routecertificates: "{{ ('routecertificates' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routecertificates, {}) }}"
+ openshift_hosted_registry_routehost: "{{ ('routehost' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routehost, False) }}"
+ openshift_hosted_registry_routetermination: "{{ ('routetermination' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routetermination, 'passthrough') }}"
-- name: Get the certificate contents for registry
- copy:
- backup: True
- dest: "/etc/origin/master/named_certificates/{{ item.value | basename }}"
- src: "{{ item.value }}"
- when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value
- with_dict: "{{ openshift_hosted_registry_routecertificates }}"
+- name: Include reencrypt route configuration
+ include: secure/reencrypt.yml
+ static: no
+ when: openshift_hosted_registry_routetermination == 'reencrypt'
-# When certificates are defined we will create the reencrypt
-# docker-registry route
-- name: Create a reencrypt route for docker-registry
- oc_route:
- name: docker-registry
- namespace: "{{ openshift_hosted_registry_namespace }}"
- service_name: docker-registry
- tls_termination: "{{ openshift_hosted_registry_routetermination }}"
- host: "{{ openshift_hosted_registry_routehost | default(docker_registry_route_hostname) }}"
- cert_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}"
- key_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}"
- cacert_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}"
- dest_cacert_path: /etc/origin/master/ca.crt
- when:
- - "'cafile' in openshift_hosted_registry_routecertificates"
- - "'certfile' in openshift_hosted_registry_routecertificates"
- - "'keyfile' in openshift_hosted_registry_routecertificates"
+- name: Include passthrough route configuration
+ include: secure/passthrough.yml
+ static: no
+ when: openshift_hosted_registry_routetermination == 'passthrough'
-# When routetermination is passthrough we will create the route
-- name: Create passthrough route for docker-registry
+- name: Fetch the docker-registry route
oc_route:
name: docker-registry
- namespace: "{{ openshift_hosted_registry_namespace }}"
- service_name: docker-registry
- tls_termination: "{{ openshift_hosted_registry_routetermination }}"
- host: "{{ openshift_hosted_registry_routehost | ternary(openshift_hosted_registry_routehost, docker_registry_route_hostname) }}"
- when: openshift_hosted_registry_routetermination == 'passthrough'
+ namespace: default
+ state: list
+ register: docker_registry_route
-- name: Retrieve registry service IP
+- name: Retrieve registry service for the clusterip
oc_service:
namespace: "{{ openshift_hosted_registry_namespace }}"
name: docker-registry
state: list
- register: docker_registry_service_ip
+ register: docker_registry_service
-- name: Create registry certificates
+- name: Generate self-signed docker-registry certificates
oc_adm_ca_server_cert:
signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
signer_key: "{{ openshift_master_config_dir }}/ca.key"
signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
hostnames:
- - "{{ docker_registry_service_ip.results.clusterip }}"
- - "{{ openshift_hosted_registry_name }}.default.svc"
- - "{{ openshift_hosted_registry_name }}.default.svc.{{ openshift.common.dns_domain }}"
- - "{{ docker_registry_route_hostname }}"
- cert: "{{ openshift_master_config_dir }}/registry.crt"
- key: "{{ openshift_master_config_dir }}/registry.key"
+ - "{{ docker_registry_service.results.clusterip }}"
+ - "{{ docker_registry_route.results[0].spec.host }}"
+ cert: "{{ docker_registry_cert_path }}"
+ key: "{{ docker_registry_key_path }}"
expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool else omit }}"
- register: server_cert_out
+ register: registry_self_cert
+ when: docker_registry_self_signed
+
+# Setting up REGISTRY_HTTP_TLS_CLIENTCAS as the cacert doesn't seem to work.
+# If we need to set up a cacert, bundle it with the cert.
+- when: docker_registry_cacert_path is defined
+ block:
+ - name: Retrieve certificate files to generate certificate bundle
+ slurp:
+ src: "{{ item }}"
+ with_items:
+ - "{{ docker_registry_cert_path }}"
+ - "{{ docker_registry_cacert_path }}"
+ register: certificate_files
+
+ - name: Generate certificate bundle
+ copy:
+ content: "{{ certificate_files.results | map(attribute='content') | map('b64decode') | join('') }}"
+ dest: "{{ openshift_master_config_dir }}/named_certificates/docker-registry.pem"
+
+ - name: Reset the certificate path to use the bundle
+ set_fact:
+ docker_registry_cert_path: "{{ openshift_master_config_dir }}/named_certificates/docker-registry.pem"
- name: Create the secret for the registry certificates
oc_secret:
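Review bot: The new `Fetch the docker-registry route` task lists the route in `namespace: default`, while the route is created (secure/passthrough.yml, secure/reencrypt.yml) and the service is looked up a few lines below in `{{ openshift_hosted_registry_namespace }}`; when the registry is deployed elsewhere the list returns nothing and `docker_registry_route.results[0].spec.host` fails on a missing element, so use `namespace: "{{ openshift_hosted_registry_namespace }}"` here as well. A second gap: both includes are conditional on the termination being `reencrypt` or `passthrough`, so any other `openshift_hosted_registry_routetermination` value leaves `docker_registry_self_signed`, `docker_registry_cert_path` and `docker_registry_key_path` unset and the self-signed task's `when: docker_registry_self_signed` would error on an undefined variable rather than report the unsupported value; a `fail:` task before the includes with `when: openshift_hosted_registry_routetermination not in ['passthrough', 'reencrypt']` makes that explicit. The `Create the secret for the registry certificates` task at the end of the hunk continues outside it.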
@@ -67,9 +70,9 @@
namespace: "{{ openshift_hosted_registry_namespace }}"
files:
- name: registry.crt
- path: "{{ openshift_master_config_dir }}/registry.crt"
+ path: "{{ docker_registry_cert_path }}"
- name: registry.key
- path: "{{ openshift_master_config_dir }}/registry.key"
+ path: "{{ docker_registry_key_path }}"
register: create_registry_certificates_secret_out
- name: Add the secret to the registry's pod service accounts
@@ -99,9 +102,15 @@
value: HTTPS
action: put
+- name: Detect if there has been certificate changes
+ set_fact:
+ registry_cert_changed: true
+ when: ( registry_self_cert is defined and registry_self_cert.changed ) or
+ create_registry_certificates_secret_out.changed
+
- name: Update openshift_hosted facts with secure registry variables
set_fact:
openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}"
openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}"
openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}"
- openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([server_cert_out.changed]) | union([create_registry_certificates_secret_out.changed]) }}"
+ openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([registry_cert_changed | default(false)]) }}"
diff --git a/roles/openshift_hosted/tasks/registry/secure/passthrough.yml b/roles/openshift_hosted/tasks/registry/secure/passthrough.yml
new file mode 100644
index 000000000..5b44fda10
--- /dev/null
+++ b/roles/openshift_hosted/tasks/registry/secure/passthrough.yml
@@ -0,0 +1,45 @@
+---
+# Generate a self-signed certificate when there is no user-supplied certificate
+- name: Configure self-signed certificate file paths
+ set_fact:
+ docker_registry_cert_path: "{{ openshift_master_config_dir }}/registry.crt"
+ docker_registry_key_path: "{{ openshift_master_config_dir }}/registry.key"
+ docker_registry_cacert_path: "{{ openshift_master_config_dir }}/ca.crt"
+ docker_registry_self_signed: true
+ when:
+ - "'certfile' not in openshift_hosted_registry_routecertificates"
+ - "'keyfile' not in openshift_hosted_registry_routecertificates"
+
+# Retrieve user supplied certificate files if they are provided
+- when:
+ - "'certfile' in openshift_hosted_registry_routecertificates"
+ - "'keyfile' in openshift_hosted_registry_routecertificates"
+ block:
+ - name: Configure provided certificate file paths
+ set_fact:
+ docker_registry_cert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}"
+ docker_registry_key_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}"
+ docker_registry_self_signed: false
+
+ # Since we end up bundling the cert, cacert and key in a .pem file, the 'cafile'
+ # is optional
+ - name: Configure provided ca certificate file path
+ set_fact:
+ docker_registry_cacert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}"
+ when: "'cafile' in openshift_hosted_registry_routecertificates"
+
+ - name: Retrieve provided certificate files
+ copy:
+ backup: True
+ dest: "{{ openshift_master_config_dir }}/named_certificates/{{ item.value | basename }}"
+ src: "{{ item.value }}"
+ when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value
+ with_dict: "{{ openshift_hosted_registry_routecertificates }}"
+
+- name: Configure a passthrough route for docker-registry
+ oc_route:
+ name: docker-registry
+ namespace: "{{ openshift_hosted_registry_namespace }}"
+ service_name: docker-registry
+ tls_termination: "{{ openshift_hosted_registry_routetermination }}"
+ host: "{{ openshift_hosted_registry_routehost | default(omit, true) }}"
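Review bot: `Retrieve provided certificate files` copies the user's `keyfile` into named_certificates/ with no `mode:`, so a newly created private key file gets whatever the remote umask yields (commonly world-readable) unless the directory permissions already restrict access; add `mode: "{{ '0600' if item.key == 'keyfile' else '0644' }}"` to the copy task. The identical copy task in secure/reencrypt.yml has the same gap. The comment above `Configure provided ca certificate file path` says the cert, cacert and key are bundled into a .pem, but the bundle built in secure.yml concatenates only the cert and cacert and the key is added to the secret on its own, so reword it to `# secure.yml bundles the cert with the cacert (when given) into one .pem, so 'cafile' is optional`.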
diff --git a/roles/openshift_hosted/tasks/registry/secure/reencrypt.yml b/roles/openshift_hosted/tasks/registry/secure/reencrypt.yml
new file mode 100644
index 000000000..48e5b0fba
--- /dev/null
+++ b/roles/openshift_hosted/tasks/registry/secure/reencrypt.yml
@@ -0,0 +1,38 @@
+---
+- name: Validate route termination configuration
+ fail:
+ msg: >
+ When 'openshift_hosted_registry_routetermination' is 'reencrypt', you must
+ provide certificate files with 'openshift_hosted_registry_routecertificates'
+ when: ('certfile' not in openshift_hosted_registry_routecertificates) or
+ ('keyfile' not in openshift_hosted_registry_routecertificates) or
+ ('cafile' not in openshift_hosted_registry_routecertificates)
+
+- name: Configure self-signed certificate file paths
+ set_fact:
+ docker_registry_cert_path: "{{ openshift_master_config_dir }}/registry.crt"
+ docker_registry_key_path: "{{ openshift_master_config_dir }}/registry.key"
+ docker_registry_cacert_path: "{{ openshift_master_config_dir }}/ca.crt"
+ docker_registry_self_signed: true
+
+- name: Retrieve provided certificate files
+ copy:
+ backup: True
+ dest: "{{ openshift_master_config_dir }}/named_certificates/{{ item.value | basename }}"
+ src: "{{ item.value }}"
+ when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value
+ with_dict: "{{ openshift_hosted_registry_routecertificates }}"
+
+# Encrypt with the provided certificate and provide the dest_cacert for the
+# self-signed certificate at the endpoint
+- name: Configure a reencrypt route for docker-registry
+ oc_route:
+ name: docker-registry
+ namespace: "{{ openshift_hosted_registry_namespace }}"
+ service_name: docker-registry
+ tls_termination: "{{ openshift_hosted_registry_routetermination }}"
+ host: "{{ openshift_hosted_registry_routehost | default(omit, true) }}"
+ cert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}"
+ key_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}"
+ cacert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}"
+ dest_cacert_path: "{{ openshift_master_config_dir }}/ca.crt"
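Review bot: `Validate route termination configuration` only checks that the `certfile`/`keyfile`/`cafile` keys are present, while `Retrieve provided certificate files` skips any entry whose value is empty (`and item.value`), so an empty value passes validation, is never copied, and the route task then points `cert_path`/`key_path`/`cacert_path` at named_certificates/ with an empty basename. Check the values instead, e.g. `when: not (openshift_hosted_registry_routecertificates['certfile'] | default('')) or` / `not (openshift_hosted_registry_routecertificates['keyfile'] | default('')) or` / `not (openshift_hosted_registry_routecertificates['cafile'] | default(''))`. The `msg: >` folded scalar keeps a trailing newline; `>-` drops it.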
diff --git a/roles/openshift_node_dnsmasq/meta/main.yml b/roles/openshift_node_dnsmasq/meta/main.yml
index 18e04e06d..84035b88c 100644
--- a/roles/openshift_node_dnsmasq/meta/main.yml
+++ b/roles/openshift_node_dnsmasq/meta/main.yml
@@ -13,3 +13,4 @@ galaxy_info:
- cloud
dependencies:
- role: openshift_common
+- role: openshift_node_facts
diff --git a/utils/src/ooinstall/variants.py b/utils/src/ooinstall/variants.py
index 1574d447a..546bf91f8 100644
--- a/utils/src/ooinstall/variants.py
+++ b/utils/src/ooinstall/variants.py
@@ -61,7 +61,7 @@ LEGACY = Variant('openshift-enterprise', 'OpenShift Container Platform', [
# Ordered list of variants we can install, first is the default.
SUPPORTED_VARIANTS = (OSE, REG, origin, LEGACY)
-DISPLAY_VARIANTS = (OSE, REG,)
+DISPLAY_VARIANTS = (OSE, REG, origin)
def find_variant(name, version=None):