Diffstat (limited to 'roles/openshift_master_certificates/tasks/main.yml')
-rw-r--r--roles/openshift_master_certificates/tasks/main.yml65
1 files changed, 42 insertions, 23 deletions
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index e9b7de330..4620dd877 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -30,7 +30,6 @@
| oo_collect(attribute='stat.exists')
| list)) }}"
-
- name: Ensure the generated_configs directory present
file:
path: "{{ openshift_master_generated_config_dir }}"
@@ -39,30 +38,50 @@
when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
delegate_to: "{{ openshift_ca_host }}"
-- file:
- src: "{{ openshift_master_config_dir }}/{{ item }}"
- dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
- state: hard
- with_items:
- - ca.crt
- - ca.key
- - ca.serial.txt
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
- delegate_to: "{{ openshift_ca_host }}"
-
-- name: Create the master certificates if they do not already exist
+- name: Create the master server certificate
command: >
- {{ openshift.common.client_binary }} adm create-master-certs
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
{% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
- --hostnames={{ openshift.common.all_hostnames | join(',') }}
- --master={{ openshift.master.api_url }}
- --public-master={{ openshift.master.public_api_url }}
- --cert-dir={{ openshift_master_generated_config_dir }}
+ --hostnames={{ hostvars[item].openshift.common.all_hostnames | join(',') }}
+ --cert={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt
+ --key={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.key
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
--overwrite=false
- when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+ | difference([openshift_ca_host])}}"
+ delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
+
+- name: Generate the master client config
+ command: >
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
+ {% for named_ca_certificate in openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
+ --certificate-authority {{ named_ca_certificate }}
+ {% endfor %}
+ --certificate-authority={{ openshift_ca_cert }}
+ --client-dir={{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}
+ --groups=system:masters,system:openshift-master
+ --master={{ openshift.master.api_url }}
+ --public-master={{ openshift.master.public_api_url }}
+ --signer-cert={{ openshift_ca_cert }}
+ --signer-key={{ openshift_ca_key }}
+ --signer-serial={{ openshift_ca_serial }}
+ --user=system:openshift-master
+ --basename=openshift-master
+ args:
+ creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig"
+ with_items: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True})
+ | difference([openshift_ca_host])}}"
delegate_to: "{{ openshift_ca_host }}"
+ run_once: true
- file:
src: "{{ openshift_master_config_dir }}/{{ item }}"
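Review bot: The new `Create the master server certificate` task has no `creates:` guard, while the sibling `Generate the master client config` task added right below it does, so `adm ca create-server-cert` is executed and reported changed on every run even when `--overwrite=false` leaves the existing cert and key untouched; mirror the second task with `args:` / `creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/master.server.crt"`. Both new tasks mix per-item lookups (`hostvars[item].openshift.common.all_hostnames`, the `--cert`/`--key`/`--client-dir` paths) with plain `openshift.master.named_certificates`, `openshift.master.api_url` and `openshift.master.public_api_url`; under `run_once: true` those plain references resolve against the single host the task runs for rather than `item`, which is only correct if the values are identical on every master, so either confirm that or switch them to `hostvars[item]`. The `--certificate-authority {{ named_ca_certificate }}` loop was carried over from the removed `create-master-certs` invocation; confirm that `adm ca create-server-cert` accepts that flag, since an unrecognised flag would fail the task at the first item and leave no server certs generated. The trailing `- file:` task at the end of the hunk continues outside it.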
@@ -86,7 +105,7 @@
- name: Create local temp directory for syncing certs
local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
- register: g_master_mktemp
+ register: g_master_certs_mktemp
changed_when: False
when: master_certs_missing | bool
delegate_to: localhost
@@ -104,7 +123,7 @@
- name: Retrieve the master cert tarball from the master
fetch:
src: "{{ openshift_master_generated_config_dir }}.tgz"
- dest: "{{ g_master_mktemp.stdout }}/"
+ dest: "{{ g_master_certs_mktemp.stdout }}/"
flat: yes
fail_on_missing: yes
validate_checksum: yes
@@ -119,11 +138,11 @@
- name: Unarchive the tarball on the master
unarchive:
- src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
+ src: "{{ g_master_certs_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
dest: "{{ openshift_master_config_dir }}"
when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-- file: name={{ g_master_mktemp.stdout }} state=absent
+- file: name={{ g_master_certs_mktemp.stdout }} state=absent
changed_when: False
when: master_certs_missing | bool
delegate_to: localhost