52 files changed, 1324 insertions, 84 deletions
diff --git a/roles/docker/tasks/udev_workaround.yml b/roles/docker/tasks/udev_workaround.yml
index 3c236f698..aa7af0cb3 100644
--- a/roles/docker/tasks/udev_workaround.yml
+++ b/roles/docker/tasks/udev_workaround.yml
@@ -14,7 +14,7 @@
   copy:
     content: |
       [Service]
-      #Need blank ExecStart to "clear" pre-exising one
+      #Need blank ExecStart to "clear" pre-existing one
       ExecStart=
       {{ udevw_udev_start_cmd.stdout }} --event-timeout=300
     dest: "{{ udevw_udevd_dir }}/override.conf"
diff --git a/roles/kube_nfs_volumes/library/partitionpool.py b/roles/kube_nfs_volumes/library/partitionpool.py
index 1ac8eed4d..9bd3228c1 100644
--- a/roles/kube_nfs_volumes/library/partitionpool.py
+++ b/roles/kube_nfs_volumes/library/partitionpool.py
@@ -60,7 +60,7 @@ options:
       - Example 3: size=200G:1,100G:2 says that the ratio of space occupied by 200 GiB
         partitions and 100GiB partition is 1:2. Therefore, on 1 TiB disk, 1/3
         (300 GiB) should be occupied by 200 GiB partitions. Only one fits there,
-        so only one is created (we always round nr. of partitions *down*). Teh rest
+        so only one is created (we always round nr. of partitions *down*). The rest
         (800 GiB) is split into eight 100 GiB partitions, even though it's more
         than 2/3 of total space - free space is always allocated as much as possible.
       - size=200G:1,100G:2 = 1x 200 GiB and 8x 100 GiB partitions (on 1 TiB disk).
diff --git a/roles/nuage_common/defaults/main.yaml b/roles/nuage_common/defaults/main.yaml
index 9b777213e..16dac8720 100644
--- a/roles/nuage_common/defaults/main.yaml
+++ b/roles/nuage_common/defaults/main.yaml
@@ -10,4 +10,4 @@ nuage_master_mon_dir: /usr/share/nuage-openshift-monitor
 nuage_node_plugin_dir: /usr/share/vsp-openshift
 
 nuage_mon_rest_server_port: "{{ nuage_openshift_monitor_rest_server_port | default('9443') }}"
-
+nuage_mon_cert_validity_period: "{{ nuage_cert_validity_period | default('3650') }}"
diff --git a/roles/nuage_master/tasks/certificates.yml b/roles/nuage_master/tasks/certificates.yml
index 32b024487..0a2f375cd 100644
--- a/roles/nuage_master/tasks/certificates.yml
+++ b/roles/nuage_master/tasks/certificates.yml
@@ -15,7 +15,7 @@
 
 - name: Generate the crt file
   command: >
-     openssl x509 -req -in "{{ nuage_mon_rest_server_crt_dir }}/restServer.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}"  -out "{{ nuage_ca_master_rest_server_crt }}"
+    openssl x509 -req -in "{{ nuage_mon_rest_server_crt_dir }}/restServer.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}"  -out "{{ nuage_ca_master_rest_server_crt }}" -days "{{ nuage_mon_cert_validity_period }}"
   delegate_to: "{{ nuage_ca_master }}"
 
 - name: Remove the req file
diff --git a/roles/nuage_master/templates/nuage-openshift-monitor.j2 b/roles/nuage_master/templates/nuage-openshift-monitor.j2
index 63117adc0..de2a97e37 100644
--- a/roles/nuage_master/templates/nuage-openshift-monitor.j2
+++ b/roles/nuage_master/templates/nuage-openshift-monitor.j2
@@ -23,7 +23,7 @@ enterpriseAdminUser: {{ nuage_master_adminusername }}
 enterpriseAdminPassword: {{ nuage_master_adminuserpasswd }}
 # Location where logs should be saved
 log_dir: {{ nuage_mon_rest_server_logdir }}
-# Monitor rest server paramters
+# Monitor rest server parameters
 # Logging level for the nuage openshift monitor
 # allowed options are: 0 => INFO, 1 => WARNING, 2 => ERROR, 3 => FATAL
 logLevel: {{ nuage_mon_log_level }}
diff --git a/roles/nuage_node/tasks/certificates.yml b/roles/nuage_node/tasks/certificates.yml
index 0fe6f7bac..7fcd4274d 100644
--- a/roles/nuage_node/tasks/certificates.yml
+++ b/roles/nuage_node/tasks/certificates.yml
@@ -15,7 +15,7 @@
 
 - name: Generate the crt file
   command: >
-     openssl x509 -req -in "{{ nuage_plugin_rest_client_crt_dir }}/restClient.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}"  -out "{{ nuage_ca_master_plugin_crt }}" -extensions clientauth -extfile "{{ nuage_ca_dir }}"/openssl.cnf 
+    openssl x509 -req -in "{{ nuage_plugin_rest_client_crt_dir }}/restClient.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}"  -out "{{ nuage_ca_master_plugin_crt }}" -extensions clientauth -extfile "{{ nuage_ca_dir }}"/openssl.cnf -days {{ nuage_mon_cert_validity_period }}
   delegate_to: "{{ nuage_ca_master }}"
 
 - name: Remove the req file
diff --git a/roles/openshift_certificate_expiry/README.md b/roles/openshift_certificate_expiry/README.md
new file mode 100644
index 000000000..d44438332
--- /dev/null
+++ b/roles/openshift_certificate_expiry/README.md
@@ -0,0 +1,250 @@
+OpenShift Certificate Expiration Checker
+========================================
+
+OpenShift certificate expiration checking. Be warned of certificates
+expiring within a configurable window of days, and notified of
+certificates which have already expired. Certificates examined
+include:
+
+* Master/Node Service Certificates
+* Router/Registry Service Certificates from etcd secrets
+* Master/Node/Router/Registry/Admin `kubeconfig`s
+* Etcd certificates
+
+This role pairs well with the redeploy certificates playbook:
+
+* [Redeploying Certificates Documentation](https://docs.openshift.com/container-platform/latest/install_config/redeploying_certificates.html)
+
+Just like the redeploying certificates playbook, this role is intended
+to be used with an inventory that is representative of the
+cluster. For best results run `ansible-playbook` with the `-v` option.
+
+
+
+Role Variables
+--------------
+
+Core variables in this role:
+
+| Name                                                  | Default value                  | Description                                                           |
+|-------------------------------------------------------|--------------------------------|-----------------------------------------------------------------------|
+| `openshift_certificate_expiry_config_base`            | `/etc/origin`                  | Base openshift config directory                                       |
+| `openshift_certificate_expiry_warning_days`           | `30`                           | Flag certificates which will expire in this many days from now        |
+| `openshift_certificate_expiry_show_all`               | `no`                           | Include healthy (non-expired and non-warning) certificates in results |
+
+Optional report/result saving variables in this role:
+
+| Name                                                  | Default value                  | Description                                                           |
+|-------------------------------------------------------|--------------------------------|-----------------------------------------------------------------------|
+| `openshift_certificate_expiry_generate_html_report`   | `no`                           | Generate an HTML report of the expiry check results                   |
+| `openshift_certificate_expiry_html_report_path`       | `/tmp/cert-expiry-report.html` | The full path to save the HTML report as                              |
+| `openshift_certificate_expiry_save_json_results`      | `no`                           | Save expiry check results as a json file                              |
+| `openshift_certificate_expiry_json_results_path`      | `/tmp/cert-expiry-report.json` | The full path to save the json report as                              |
+
+
+Example Playbook
+----------------
+
+Default behavior:
+
+```yaml
+---
+- name: Check cert expirys
+  hosts: nodes:masters:etcd
+  become: yes
+  gather_facts: no
+  roles:
+    - role: openshift_certificate_expiry
+```
+
+Generate HTML and JSON artifacts in their default paths:
+
+```yaml
+---
+- name: Check cert expirys
+  hosts: nodes:masters:etcd
+  become: yes
+  gather_facts: no
+  vars:
+    openshift_certificate_expiry_generate_html_report: yes
+    openshift_certificate_expiry_save_json_results: yes
+  roles:
+    - role: openshift_certificate_expiry
+```
+
+Change the expiration warning window to 1500 days (good for testing
+the module out):
+
+```yaml
+---
+- name: Check cert expirys
+  hosts: nodes:masters:etcd
+  become: yes
+  gather_facts: no
+  vars:
+    openshift_certificate_expiry_warning_days: 1500
+  roles:
+    - role: openshift_certificate_expiry
+```
+
+Change the expiration warning window to 1500 days (good for testing
+the module out) and save the results as a JSON file:
+
+```yaml
+---
+- name: Check cert expirys
+  hosts: nodes:masters:etcd
+  become: yes
+  gather_facts: no
+  vars:
+    openshift_certificate_expiry_warning_days: 1500
+    openshift_certificate_expiry_save_json_results: yes
+  roles:
+    - role: openshift_certificate_expiry
+```
+
+
+JSON Output
+-----------
+
+There are two top-level keys in the saved JSON results, `data` and
+`summary`.
+
+The `data` key is a hash where the keys are the names of each host
+examined and the values are the check results for each respective
+host.
+
+The `summary` key is a hash that summarizes the number of certificates
+expiring within the configured warning window and the number of
+already expired certificates.
+
+The example below is abbreviated to save space:
+
+```json
+{
+    "data": {
+        "192.168.124.148": {
+            "etcd": [
+                {
+                    "cert_cn": "CN:etcd-signer@1474563722",
+                    "days_remaining": 350,
+                    "expiry": "2017-09-22 17:02:25",
+                    "health": "warning",
+                    "path": "/etc/etcd/ca.crt"
+                },
+            ],
+            "kubeconfigs": [
+                {
+                    "cert_cn": "O:system:nodes, CN:system:node:m01.example.com",
+                    "days_remaining": 715,
+                    "expiry": "2018-09-22 17:08:57",
+                    "health": "warning",
+                    "path": "/etc/origin/node/system:node:m01.example.com.kubeconfig"
+                },
+                {
+                    "cert_cn": "O:system:cluster-admins, CN:system:admin",
+                    "days_remaining": 715,
+                    "expiry": "2018-09-22 17:04:40",
+                    "health": "warning",
+                    "path": "/etc/origin/master/admin.kubeconfig"
+                }
+            ],
+            "meta": {
+                "checked_at_time": "2016-10-07 15:26:47.608192",
+                "show_all": "True",
+                "warn_before_date": "2020-11-15 15:26:47.608192",
+                "warning_days": 1500
+            },
+            "ocp_certs": [
+                {
+                    "cert_cn": "CN:172.30.0.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:m01.example.com, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, DNS:172.30.0.1, DNS:192.168.124.148, IP Address:172.30.0.1, IP Address:192.168.124.148",
+                    "days_remaining": 715,
+                    "expiry": "2018-09-22 17:04:39",
+                    "health": "warning",
+                    "path": "/etc/origin/master/master.server.crt"
+                },
+                {
+                    "cert_cn": "CN:openshift-signer@1474563878",
+                    "days_remaining": 1810,
+                    "expiry": "2021-09-21 17:04:38",
+                    "health": "ok",
+                    "path": "/etc/origin/node/ca.crt"
+                }
+            ],
+            "registry": [
+                {
+                    "cert_cn": "CN:172.30.101.81, DNS:docker-registry-default.router.default.svc.cluster.local, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.101.81, IP Address:172.30.101.81",
+                    "days_remaining": 728,
+                    "expiry": "2018-10-05 18:54:29",
+                    "health": "warning",
+                    "path": "/api/v1/namespaces/default/secrets/registry-certificates"
+                }
+            ],
+            "router": [
+                {
+                    "cert_cn": "CN:router.default.svc, DNS:router.default.svc, DNS:router.default.svc.cluster.local",
+                    "days_remaining": 715,
+                    "expiry": "2018-09-22 17:48:23",
+                    "health": "warning",
+                    "path": "/api/v1/namespaces/default/secrets/router-certs"
+                }
+            ]
+        }
+    },
+    "summary": {
+        "warning": 6,
+        "expired": 0
+    }
+}
+```
+
+The `summary` from the json data can be easily checked for
+warnings/expirations using a variety of command-line tools.
+
+For exampe, using `grep` we can look for the word `summary` and print
+out the 2 lines **after** the match (`-A2`):
+
+```
+$ grep -A2 summary /tmp/cert-expiry-report.json
+    "summary": {
+        "warning": 16,
+        "expired": 0
+```
+
+If available, the [jq](https://stedolan.github.io/jq/) tool can also
+be used to pick out specific values. Example 1 and 2 below show how to
+select just one value, either `warning` or `expired`. Example 3 shows
+how to select both values at once:
+
+```
+$ jq '.summary.warning' /tmp/cert-expiry-report.json
+16
+$ jq '.summary.expired' /tmp/cert-expiry-report.json
+0
+$ jq '.summary.warning,.summary.expired' /tmp/cert-expiry-report.json
+16
+0
+```
+
+
+Requirements
+------------
+
+* None
+
+
+Dependencies
+------------
+
+* None
+
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Tim Bielawa (tbielawa@redhat.com)
diff --git a/roles/openshift_certificate_expiry/defaults/main.yml b/roles/openshift_certificate_expiry/defaults/main.yml
new file mode 100644
index 000000000..6d7b19298
--- /dev/null
+++ b/roles/openshift_certificate_expiry/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+openshift_certificate_expiry_config_base: "/etc/origin"
+openshift_certificate_expiry_warning_days: 30
+openshift_certificate_expiry_show_all: no
+openshift_certificate_expiry_generate_html_report: no
+openshift_certificate_expiry_html_report_path: "/tmp/cert-expiry-report.html"
+openshift_certificate_expiry_save_json_results: no
+openshift_certificate_expiry_json_results_path: "/tmp/cert-expiry-report.json"
diff --git a/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py b/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py
new file mode 100644
index 000000000..2e2430ee6
--- /dev/null
+++ b/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py
@@ -0,0 +1,88 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# vim: expandtab:tabstop=4:shiftwidth=4
+"""
+Custom filters for use in openshift-ansible
+"""
+
+from ansible import errors
+from collections import Mapping
+from distutils.util import strtobool
+from distutils.version import LooseVersion
+from operator import itemgetter
+import OpenSSL.crypto
+import os
+import pdb
+import pkg_resources
+import re
+import json
+import yaml
+from ansible.parsing.yaml.dumper import AnsibleDumper
+from urlparse import urlparse
+
+try:
+    # ansible-2.2
+    # ansible.utils.unicode.to_unicode is deprecated in ansible-2.2,
+    # ansible.module_utils._text.to_text should be used instead.
+    from ansible.module_utils._text import to_text
+except ImportError:
+    # ansible-2.1
+    from ansible.utils.unicode import to_unicode as to_text
+
+# Disabling too-many-public-methods, since filter methods are necessarily
+# public
+# pylint: disable=too-many-public-methods
+class FilterModule(object):
+    """ Custom ansible filters """
+
+    @staticmethod
+    def oo_cert_expiry_results_to_json(hostvars, play_hosts):
+        """Takes results (`hostvars`) from the openshift_cert_expiry role
+check and serializes them into proper machine-readable JSON
+output. This filter parameter **MUST** be the playbook `hostvars`
+variable. The `play_hosts` parameter is so we know what to loop over
+when we're extrating the values.
+
+Returns:
+
+Results are collected into two top-level keys under the `json_results`
+dict:
+
+* `json_results.data` [dict] - Each individual host check result, keys are hostnames
+* `json_results.summary` [dict] - Summary of number of `warning` and `expired`
+certificates
+
+Example playbook usage:
+
+  - name: Generate expiration results JSON
+    become: no
+    run_once: yes
+    delegate_to: localhost
+    when: "{{ openshift_certificate_expiry_save_json_results|bool }}"
+    copy:
+      content: "{{ hostvars|oo_cert_expiry_results_to_json() }}"
+      dest: "{{ openshift_certificate_expiry_json_results_path }}"
+
+        """
+        json_result = {
+            'data': {},
+            'summary': {},
+        }
+
+        for host in play_hosts:
+            json_result['data'][host] = hostvars[host]['check_results']['check_results']
+
+        total_warnings = sum([hostvars[h]['check_results']['summary']['warning'] for h in play_hosts])
+        total_expired = sum([hostvars[h]['check_results']['summary']['expired'] for h in play_hosts])
+
+        json_result['summary']['warning'] = total_warnings
+        json_result['summary']['expired'] = total_expired
+
+        return json_result
+
+
+    def filters(self):
+        """ returns a mapping of filters to methods """
+        return {
+            "oo_cert_expiry_results_to_json": self.oo_cert_expiry_results_to_json,
+        }
diff --git a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
new file mode 100644
index 000000000..2cdb87dc1
--- /dev/null
+++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
@@ -0,0 +1,637 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# pylint: disable=line-too-long,invalid-name
+
+"""For details on this module see DOCUMENTATION (below)"""
+
+# router/registry cert grabbing
+import subprocess
+# etcd config file
+import ConfigParser
+# Expiration parsing
+import datetime
+# File path stuff
+import os
+# Config file parsing
+import yaml
+# Certificate loading
+import OpenSSL.crypto
+
+DOCUMENTATION = '''
+---
+module: openshift_cert_expiry
+short_description: Check OpenShift Container Platform (OCP) and Kube certificate expirations on a cluster
+description:
+  - The M(openshift_cert_expiry) module has two basic functions: to flag certificates which will expire in a set window of time from now, and to notify you about certificates which have already expired.
+  - When the module finishes, a summary of the examination is returned. Each certificate in the summary has a C(health) key with a value of one of the following:
+  - C(ok) - not expired, and outside of the expiration C(warning_days) window.
+  - C(warning) - not expired, but will expire between now and the C(warning_days) window.
+  - C(expired) - an expired certificate.
+  - Certificate flagging follow this logic:
+  - If the expiration date is before now then the certificate is classified as C(expired).
+  - The certificates time to live (expiration date - now) is calculated, if that time window is less than C(warning_days) the certificate is classified as C(warning).
+  - All other conditions are classified as C(ok).
+  - The following keys are ALSO present in the certificate summary:
+  - C(cert_cn) - The common name of the certificate (additional CNs present in SAN extensions are omitted)
+  - C(days_remaining) - The number of days until the certificate expires.
+  - C(expiry) - The date the certificate expires on.
+  - C(path) - The full path to the certificate on the examined host.
+version_added: "1.0"
+options:
+  config_base:
+    description:
+      - Base path to OCP system settings.
+    required: false
+    default: /etc/origin
+  warning_days:
+    description:
+      - Flag certificates which will expire in C(warning_days) days from now.
+    required: false
+    default: 30
+  show_all:
+    description:
+      - Enable this option to show analysis of ALL certificates examined by this module.
+      - By default only certificates which have expired, or will expire within the C(warning_days) window will be reported.
+    required: false
+    default: false
+
+author: "Tim Bielawa (@tbielawa) <tbielawa@redhat.com>"
+'''
+
+EXAMPLES = '''
+# Default invocation, only notify about expired certificates or certificates which will expire within 30 days from now
+- openshift_cert_expiry:
+
+# Expand the warning window to show certificates expiring within a year from now
+- openshift_cert_expiry: warning_days=365
+
+# Show expired, soon to expire (now + 30 days), and all other certificates examined
+- openshift_cert_expiry: show_all=true
+'''
+
+
+# We only need this for one thing, we don't care if it doesn't have
+# that many public methods
+#
+# pylint: disable=too-few-public-methods
+class FakeSecHead(object):
+    """etcd does not begin their config file with an opening [section] as
+required by the Python ConfigParser module. We hack around it by
+slipping one in ourselves prior to parsing.
+
+Source: Alex Martelli - http://stackoverflow.com/a/2819788/6490583
+    """
+    def __init__(self, fp):
+        self.fp = fp
+        self.sechead = '[ETCD]\n'
+
+    def readline(self):
+        """Make this look like a file-type object"""
+        if self.sechead:
+            try:
+                return self.sechead
+            finally:
+                self.sechead = None
+        else:
+            return self.fp.readline()
+
+
+######################################################################
+def filter_paths(path_list):
+    """`path_list` - A list of file paths to check. Only files which exist
+will be returned
+    """
+    return [p for p in path_list if os.path.exists(os.path.realpath(p))]
+
+
+def load_and_handle_cert(cert_string, now, base64decode=False):
+    """Load a certificate, split off the good parts, and return some
+useful data
+
+Params:
+
+- `cert_string` (string) - a certificate loaded into a string object
+- `now` (datetime) - a datetime object of the time to calculate the certificate 'time_remaining' against
+- `base64decode` (bool) - run .decode('base64') on the input?
+
+Returns:
+A 3-tuple of the form: (certificate_common_name, certificate_expiry_date, certificate_time_remaining)
+
+    """
+    if base64decode:
+        _cert_string = cert_string.decode('base-64')
+    else:
+        _cert_string = cert_string
+
+    cert_loaded = OpenSSL.crypto.load_certificate(
+        OpenSSL.crypto.FILETYPE_PEM, _cert_string)
+
+    ######################################################################
+    # Read all possible names from the cert
+    cert_subjects = []
+    for name, value in cert_loaded.get_subject().get_components():
+        cert_subjects.append('{}:{}'.format(name, value))
+
+    # To read SANs from a cert we must read the subjectAltName
+    # extension from the X509 Object. What makes this more difficult
+    # is that pyOpenSSL does not give extensions as a list, nor does
+    # it provide a count of all loaded extensions.
+    #
+    # Rather, extensions are REQUESTED by index. We must iterate over
+    # all extensions until we find the one called 'subjectAltName'. If
+    # we don't find that extension we'll eventually request an
+    # extension at an index where no extension exists (IndexError is
+    # raised). When that happens we know that the cert has no SANs so
+    # we break out of the loop.
+    i = 0
+    checked_all_extensions = False
+    while not checked_all_extensions:
+        try:
+            # Read the extension at index 'i'
+            ext = cert_loaded.get_extension(i)
+        except IndexError:
+            # We tried to read an extension but it isn't there, that
+            # means we ran out of extensions to check. Abort
+            san = None
+            checked_all_extensions = True
+        else:
+            # We were able to load the extension at index 'i'
+            if ext.get_short_name() == 'subjectAltName':
+                san = ext
+                checked_all_extensions = True
+            else:
+                # Try reading the next extension
+                i += 1
+
+    if san is not None:
+        # The X509Extension object for subjectAltName prints as a
+        # string with the alt names separated by a comma and a
+        # space. Split the string by ', ' and then add our new names
+        # to the list of existing names
+        cert_subjects.extend(str(san).split(', '))
+
+    cert_subject = ', '.join(cert_subjects)
+    ######################################################################
+
+    # Grab the expiration date
+    cert_expiry = cert_loaded.get_notAfter()
+    cert_expiry_date = datetime.datetime.strptime(
+        cert_expiry,
+        # example get_notAfter() => 20180922170439Z
+        '%Y%m%d%H%M%SZ')
+
+    time_remaining = cert_expiry_date - now
+
+    return (cert_subject, cert_expiry_date, time_remaining)
+
+
+def classify_cert(cert_meta, now, time_remaining, expire_window, cert_list):
+    """Given metadata about a certificate under examination, classify it
+    into one of three categories, 'ok', 'warning', and 'expired'.
+
+Params:
+
+- `cert_meta` dict - A dict with certificate metadata. Required fields
+  include: 'cert_cn', 'path', 'expiry', 'days_remaining', 'health'.
+- `now` (datetime) - a datetime object of the time to calculate the certificate 'time_remaining' against
+- `time_remaining` (datetime.timedelta) - a timedelta for how long until the cert expires
+- `expire_window` (datetime.timedelta) - a timedelta for how long the warning window is
+- `cert_list` list - A list to shove the classified cert into
+
+Return:
+- `cert_list` - The updated list of classified certificates
+    """
+    expiry_str = str(cert_meta['expiry'])
+    # Categorization
+    if cert_meta['expiry'] < now:
+        # This already expired, must NOTIFY
+        cert_meta['health'] = 'expired'
+    elif time_remaining < expire_window:
+        # WARN about this upcoming expirations
+        cert_meta['health'] = 'warning'
+    else:
+        # Not expired or about to expire
+        cert_meta['health'] = 'ok'
+
+    cert_meta['expiry'] = expiry_str
+    cert_list.append(cert_meta)
+    return cert_list
+
+
+def tabulate_summary(certificates, kubeconfigs, etcd_certs, router_certs, registry_certs):
+    """Calculate the summary text for when the module finishes
+running. This includes counts of each classification and what have
+you.
+
+Params:
+
+- `certificates` (list of dicts) - Processed `expire_check_result`
+  dicts with filled in `health` keys for system certificates.
+- `kubeconfigs` - as above for kubeconfigs
+- `etcd_certs` - as above for etcd certs
+
+Return:
+
+- `summary_results` (dict) - Counts of each cert type classification
+  and total items examined.
+    """
+    items = certificates + kubeconfigs + etcd_certs + router_certs + registry_certs
+
+    summary_results = {
+        'system_certificates': len(certificates),
+        'kubeconfig_certificates': len(kubeconfigs),
+        'etcd_certificates': len(etcd_certs),
+        'router_certs': len(router_certs),
+        'registry_certs': len(registry_certs),
+        'total': len(items),
+        'ok': 0,
+        'warning': 0,
+        'expired': 0
+    }
+
+    summary_results['expired'] = len([c for c in items if c['health'] == 'expired'])
+    summary_results['warning'] = len([c for c in items if c['health'] == 'warning'])
+    summary_results['ok'] = len([c for c in items if c['health'] == 'ok'])
+
+    return summary_results
+
+
+######################################################################
+# This is our module MAIN function after all, so there's bound to be a
+# lot of code bundled up into one block
+#
+# pylint: disable=too-many-locals,too-many-locals,too-many-statements,too-many-branches
+def main():
+    """This module examines certificates (in various forms) which compose
+an OpenShift Container Platform cluster
+    """
+
+    module = AnsibleModule(
+        argument_spec=dict(
+            config_base=dict(
+                required=False,
+                default="/etc/origin",
+                type='str'),
+            warning_days=dict(
+                required=False,
+                default=30,
+                type='int'),
+            show_all=dict(
+                required=False,
+                default=False,
+                type='bool')
+        ),
+        supports_check_mode=True,
+    )
+
+    # Basic scaffolding for OpenShift specific certs
+    openshift_base_config_path = module.params['config_base']
+    openshift_master_config_path = os.path.normpath(
+        os.path.join(openshift_base_config_path, "master/master-config.yaml")
+    )
+    openshift_node_config_path = os.path.normpath(
+        os.path.join(openshift_base_config_path, "node/node-config.yaml")
+    )
+    openshift_cert_check_paths = [
+        openshift_master_config_path,
+        openshift_node_config_path,
+    ]
+
+    # Paths for Kubeconfigs. Additional kubeconfigs are conditionally
+    # checked later in the code
+    master_kube_configs = ['admin', 'openshift-master',
+                           'openshift-node', 'openshift-router',
+                           'openshift-registry']
+
+    kubeconfig_paths = []
+    for m_kube_config in master_kube_configs:
+        kubeconfig_paths.append(
+            os.path.normpath(
+                os.path.join(openshift_base_config_path, "master/%s.kubeconfig" % m_kube_config)
+            )
+        )
+
+    # Validate some paths we have the ability to do ahead of time
+    openshift_cert_check_paths = filter_paths(openshift_cert_check_paths)
+    kubeconfig_paths = filter_paths(kubeconfig_paths)
+
+    # etcd, where do you hide your certs? Used when parsing etcd.conf
+    etcd_cert_params = [
+        "ETCD_CA_FILE",
+        "ETCD_CERT_FILE",
+        "ETCD_PEER_CA_FILE",
+        "ETCD_PEER_CERT_FILE",
+    ]
+
+    # Expiry checking stuff
+    now = datetime.datetime.now()
+    # todo, catch exception for invalid input and return a fail_json
+    warning_days = int(module.params['warning_days'])
+    expire_window = datetime.timedelta(days=warning_days)
+
+    # Module stuff
+    #
+    # The results of our cert checking to return from the task call
+    check_results = {}
+    check_results['meta'] = {}
+    check_results['meta']['warning_days'] = warning_days
+    check_results['meta']['checked_at_time'] = str(now)
+    check_results['meta']['warn_before_date'] = str(now + expire_window)
+    check_results['meta']['show_all'] = str(module.params['show_all'])
+    # All the analyzed certs accumulate here
+    ocp_certs = []
+
+    ######################################################################
+    # Sure, why not? Let's enable check mode.
+    if module.check_mode:
+        check_results['ocp_certs'] = []
+        module.exit_json(
+            check_results=check_results,
+            msg="Checked 0 total certificates. Expired/Warning/OK: 0/0/0. Warning window: %s days" % module.params['warning_days'],
+            rc=0,
+            changed=False
+        )
+
+    ######################################################################
+    # Check for OpenShift Container Platform specific certs
+    ######################################################################
+    for os_cert in filter_paths(openshift_cert_check_paths):
+        # Open up that config file and locate the cert and CA
+        with open(os_cert, 'r') as fp:
+            cert_meta = {}
+            cfg = yaml.load(fp)
+            # cert files are specified in parsed `fp` as relative to the path
+            # of the original config file. 'master-config.yaml' with certFile
+            # = 'foo.crt' implies that 'foo.crt' is in the same
+            # directory. certFile = '../foo.crt' is in the parent directory.
+            cfg_path = os.path.dirname(fp.name)
+            cert_meta['certFile'] = os.path.join(cfg_path, cfg['servingInfo']['certFile'])
+            cert_meta['clientCA'] = os.path.join(cfg_path, cfg['servingInfo']['clientCA'])
+
+        ######################################################################
+        # Load the certificate and the CA, parse their expiration dates into
+        # datetime objects so we can manipulate them later
+        for _, v in cert_meta.iteritems():
+            with open(v, 'r') as fp:
+                cert = fp.read()
+                cert_subject, cert_expiry_date, time_remaining = load_and_handle_cert(cert, now)
+
+                expire_check_result = {
+                    'cert_cn': cert_subject,
+                    'path': fp.name,
+                    'expiry': cert_expiry_date,
+                    'days_remaining': time_remaining.days,
+                    'health': None,
+                }
+
+                classify_cert(expire_check_result, now, time_remaining, expire_window, ocp_certs)
+
+    ######################################################################
+    # /Check for OpenShift Container Platform specific certs
+    ######################################################################
+
+    ######################################################################
+    # Check service Kubeconfigs
+    ######################################################################
+    kubeconfigs = []
+
+    # There may be additional kubeconfigs to check, but their naming
+    # is less predictable than the ones we've already assembled.
+
+    try:
+        # Try to read the standard 'node-config.yaml' file to check if
+        # this host is a node.
+        with open(openshift_node_config_path, 'r') as fp:
+            cfg = yaml.load(fp)
+
+        # OK, the config file exists, therefore this is a
+        # node. Nodes have their own kubeconfig files to
+        # communicate with the master API. Let's read the relative
+        # path to that file from the node config.
+        node_masterKubeConfig = cfg['masterKubeConfig']
+        # As before, the path to the 'masterKubeConfig' file is
+        # relative to `fp`
+        cfg_path = os.path.dirname(fp.name)
+        node_kubeconfig = os.path.join(cfg_path, node_masterKubeConfig)
+
+        with open(node_kubeconfig, 'r') as fp:
+            # Read in the nodes kubeconfig file and grab the good stuff
+            cfg = yaml.load(fp)
+
+        c = cfg['users'][0]['user']['client-certificate-data']
+        (cert_subject,
+         cert_expiry_date,
+         time_remaining) = load_and_handle_cert(c, now, base64decode=True)
+
+        expire_check_result = {
+            'cert_cn': cert_subject,
+            'path': fp.name,
+            'expiry': cert_expiry_date,
+            'days_remaining': time_remaining.days,
+            'health': None,
+        }
+
+        classify_cert(expire_check_result, now, time_remaining, expire_window, kubeconfigs)
+    except IOError:
+        # This is not a node
+        pass
+
+    for kube in filter_paths(kubeconfig_paths):
+        with open(kube, 'r') as fp:
+            # TODO: Maybe consider catching exceptions here?
+            cfg = yaml.load(fp)
+
+        # Per conversation, "the kubeconfigs you care about:
+        # admin, router, registry should all be single
+        # value". Following that advice we only grab the data for
+        # the user at index 0 in the 'users' list. There should
+        # not be more than one user.
+        c = cfg['users'][0]['user']['client-certificate-data']
+        (cert_subject,
+         cert_expiry_date,
+         time_remaining) = load_and_handle_cert(c, now, base64decode=True)
+
+        expire_check_result = {
+            'cert_cn': cert_subject,
+            'path': fp.name,
+            'expiry': cert_expiry_date,
+            'days_remaining': time_remaining.days,
+            'health': None,
+        }
+
+        classify_cert(expire_check_result, now, time_remaining, expire_window, kubeconfigs)
+
+    ######################################################################
+    # /Check service Kubeconfigs
+    ######################################################################
+
+    ######################################################################
+    # Check etcd certs
+    ######################################################################
+    # Some values may be duplicated, make this a set for now so we
+    # unique them all
+    etcd_certs_to_check = set([])
+    etcd_certs = []
+    etcd_cert_params.append('dne')
+    try:
+        with open('/etc/etcd/etcd.conf', 'r') as fp:
+            etcd_config = ConfigParser.ConfigParser()
+            etcd_config.readfp(FakeSecHead(fp))
+
+        for param in etcd_cert_params:
+            try:
+                etcd_certs_to_check.add(etcd_config.get('ETCD', param))
+            except ConfigParser.NoOptionError:
+                # That parameter does not exist, oh well...
+                pass
+    except IOError:
+        # No etcd to see here, move along
+        pass
+
+    for etcd_cert in filter_paths(etcd_certs_to_check):
+        with open(etcd_cert, 'r') as fp:
+            c = fp.read()
+            (cert_subject,
+             cert_expiry_date,
+             time_remaining) = load_and_handle_cert(c, now)
+
+            expire_check_result = {
+                'cert_cn': cert_subject,
+                'path': fp.name,
+                'expiry': cert_expiry_date,
+                'days_remaining': time_remaining.days,
+                'health': None,
+            }
+
+            classify_cert(expire_check_result, now, time_remaining, expire_window, etcd_certs)
+
+    ######################################################################
+    # /Check etcd certs
+    ######################################################################
+
+    ######################################################################
+    # Check router/registry certs
+    #
+    # These are saved as secrets in etcd. That means that we can not
+    # simply read a file to grab the data. Instead we're going to
+    # subprocess out to the 'oc get' command. On non-masters this
+    # command will fail, that is expected so we catch that exception.
+    ######################################################################
+    router_certs = []
+    registry_certs = []
+
+    ######################################################################
+    # First the router certs
+    try:
+        router_secrets_raw = subprocess.Popen('oc get secret router-certs -o yaml'.split(),
+                                              stdout=subprocess.PIPE)
+        router_ds = yaml.load(router_secrets_raw.communicate()[0])
+        router_c = router_ds['data']['tls.crt']
+        router_path = router_ds['metadata']['selfLink']
+    except TypeError:
+        # YAML couldn't load the result, this is not a master
+        pass
+    except OSError:
+        # The OC command doesn't exist here. Move along.
+        pass
+    else:
+        (cert_subject,
+         cert_expiry_date,
+         time_remaining) = load_and_handle_cert(router_c, now, base64decode=True)
+
+        expire_check_result = {
+            'cert_cn': cert_subject,
+            'path': router_path,
+            'expiry': cert_expiry_date,
+            'days_remaining': time_remaining.days,
+            'health': None,
+        }
+
+        classify_cert(expire_check_result, now, time_remaining, expire_window, router_certs)
+
+    ######################################################################
+    # Now for registry
+    try:
+        registry_secrets_raw = subprocess.Popen('oc get secret registry-certificates -o yaml'.split(),
+                                                stdout=subprocess.PIPE)
+        registry_ds = yaml.load(registry_secrets_raw.communicate()[0])
+        registry_c = registry_ds['data']['registry.crt']
+        registry_path = registry_ds['metadata']['selfLink']
+    except TypeError:
+        # YAML couldn't load the result, this is not a master
+        pass
+    except OSError:
+        # The OC command doesn't exist here. Move along.
+        pass
+    else:
+        (cert_subject,
+         cert_expiry_date,
+         time_remaining) = load_and_handle_cert(registry_c, now, base64decode=True)
+
+        expire_check_result = {
+            'cert_cn': cert_subject,
+            'path': registry_path,
+            'expiry': cert_expiry_date,
+            'days_remaining': time_remaining.days,
+            'health': None,
+        }
+
+        classify_cert(expire_check_result, now, time_remaining, expire_window, registry_certs)
+
+    ######################################################################
+    # /Check router/registry certs
+    ######################################################################
+
+    res = tabulate_summary(ocp_certs, kubeconfigs, etcd_certs, router_certs, registry_certs)
+
+    msg = "Checked {count} total certificates. Expired/Warning/OK: {exp}/{warn}/{ok}. Warning window: {window} days".format(
+        count=res['total'],
+        exp=res['expired'],
+        warn=res['warning'],
+        ok=res['ok'],
+        window=int(module.params['warning_days']),
+    )
+
+    # By default we only return detailed information about expired or
+    # warning certificates. If show_all is true then we will print all
+    # the certificates examined.
+    if not module.params['show_all']:
+        check_results['ocp_certs'] = [crt for crt in ocp_certs if crt['health'] in ['expired', 'warning']]
+        check_results['kubeconfigs'] = [crt for crt in kubeconfigs if crt['health'] in ['expired', 'warning']]
+        check_results['etcd'] = [crt for crt in etcd_certs if crt['health'] in ['expired', 'warning']]
+        check_results['registry'] = [crt for crt in registry_certs if crt['health'] in ['expired', 'warning']]
+        check_results['router'] = [crt for crt in router_certs if crt['health'] in ['expired', 'warning']]
+    else:
+        check_results['ocp_certs'] = ocp_certs
+        check_results['kubeconfigs'] = kubeconfigs
+        check_results['etcd'] = etcd_certs
+        check_results['registry'] = registry_certs
+        check_results['router'] = router_certs
+
+    # Sort the final results to report in order of ascending safety
+    # time. That is to say, the certificates which will expire sooner
+    # will be at the front of the list and certificates which will
+    # expire later are at the end. Router and registry certs should be
+    # limited to just 1 result, so don't bother sorting those.
+    check_results['ocp_certs'] = sorted(check_results['ocp_certs'], cmp=lambda x, y: cmp(x['days_remaining'], y['days_remaining']))
+    check_results['kubeconfigs'] = sorted(check_results['kubeconfigs'], cmp=lambda x, y: cmp(x['days_remaining'], y['days_remaining']))
+    check_results['etcd'] = sorted(check_results['etcd'], cmp=lambda x, y: cmp(x['days_remaining'], y['days_remaining']))
+
+    # This module will never change anything, but we might want to
+    # change the return code parameter if there is some catastrophic
+    # error we noticed earlier
+    module.exit_json(
+        check_results=check_results,
+        summary=res,
+        msg=msg,
+        rc=0,
+        changed=False
+    )
+
+######################################################################
+# It's just the way we do things in Ansible. So disable this warning
+#
+# pylint: disable=wrong-import-position,import-error
+from ansible.module_utils.basic import AnsibleModule
+if __name__ == '__main__':
+    main()
diff --git a/roles/openshift_certificate_expiry/meta/main.yml b/roles/openshift_certificate_expiry/meta/main.yml
new file mode 100644
index 000000000..c13b29ba5
--- /dev/null
+++ b/roles/openshift_certificate_expiry/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Tim Bielawa
+  description: OpenShift Certificate Expiry Checker
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.1
+  version: 1.0
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+  - system
+dependencies: []
diff --git a/roles/openshift_certificate_expiry/tasks/main.yml b/roles/openshift_certificate_expiry/tasks/main.yml
new file mode 100644
index 000000000..139d5de6e
--- /dev/null
+++ b/roles/openshift_certificate_expiry/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Check cert expirys on host
+  openshift_cert_expiry:
+    warning_days: "{{ openshift_certificate_expiry_warning_days|int }}"
+    config_base: "{{ openshift_certificate_expiry_config_base }}"
+    show_all: "{{ openshift_certificate_expiry_show_all|bool }}"
+  register: check_results
+
+- name: Generate expiration report HTML
+  become: no
+  run_once: yes
+  template:
+    src: cert-expiry-table.html.j2
+    dest: "{{ openshift_certificate_expiry_html_report_path }}"
+  delegate_to: localhost
+  when: "{{ openshift_certificate_expiry_generate_html_report|bool }}"
+
+- name: Generate the result JSON string
+  run_once: yes
+  set_fact: json_result_string="{{ hostvars|oo_cert_expiry_results_to_json(play_hosts) }}"
+  when: "{{ openshift_certificate_expiry_save_json_results|bool }}"
+
+- name: Generate results JSON file
+  become: no
+  run_once: yes
+  template:
+    src: save_json_results.j2
+    dest: "{{ openshift_certificate_expiry_json_results_path }}"
+  delegate_to: localhost
+  when: "{{ openshift_certificate_expiry_save_json_results|bool }}"
diff --git a/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2
new file mode 100644
index 000000000..b05110336
--- /dev/null
+++ b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2
@@ -0,0 +1,124 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8" />
+    <title>OCP Certificate Expiry Report</title>
+    {# For fancy icons and a pleasing font #}
+    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" />
+    <link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,700" rel="stylesheet" />
+    <style type="text/css">
+      body {
+      font-family: 'Source Sans Pro', sans-serif;
+      margin-left: 50px;
+      margin-right: 50px;
+      margin-bottom: 20px;
+      padding-top: 70px;
+      }
+      table {
+      border-collapse: collapse;
+      margin-bottom: 20px;
+      }
+      table, th, td {
+      border: 1px solid black;
+      }
+      th, td {
+      padding: 5px;
+      }
+      .cert-kind {
+      margin-top: 5px;
+      margin-bottom: 5px;
+      }
+      footer {
+      font-size: small;
+      text-align: center;
+      }
+      tr.odd {
+      background-color: #f2f2f2;
+      }
+    </style>
+  </head>
+  <body>
+    <nav class="navbar navbar-default navbar-fixed-top">
+      <div class="container-fluid">
+        <div class="navbar-header">
+          <a class="navbar-brand" href="#">OCP Certificate Expiry Report</a>
+        </div>
+        <div class="collapse navbar-collapse">
+          <p class="navbar-text navbar-right">
+	    <a href="https://docs.openshift.com/container-platform/latest/install_config/redeploying_certificates.html"
+	       target="_blank"
+	       class="navbar-link">
+	       <i class="glyphicon glyphicon-book"></i> Redeploying Certificates
+	    </a>
+	  </p>
+        </div>
+      </div>
+    </nav>
+
+    {# Each host has a header and table to itself #}
+    {% for host in play_hosts %}
+      <h1>{{ host }}</h1>
+
+      <p>
+        {{ hostvars[host].check_results.msg }}
+      </p>
+      <ul>
+        <li><b>Expirations checked at:</b> {{ hostvars[host].check_results.check_results.meta.checked_at_time }}</li>
+        <li><b>Warn after date:</b> {{ hostvars[host].check_results.check_results.meta.warn_before_date }}</li>
+      </ul>
+
+      <table border="1" width="100%">
+        {# These are hard-coded right now, but should be grabbed dynamically from the registered results #}
+        {%- for kind in ['ocp_certs', 'etcd', 'kubeconfigs', 'router', 'registry'] -%}
+          <tr>
+            <th colspan="6" style="text-align:center"><h2 class="cert-kind">{{ kind }}</h2></th>
+          </tr>
+
+          <tr>
+            <th>&nbsp;</th>
+            <th style="width:33%">Certificate Common/Alt Name(s)</th>
+            <th>Health</th>
+            <th>Days Remaining</th>
+            <th>Expiration Date</th>
+            <th>Path</th>
+          </tr>
+
+          {# A row for each certificate examined #}
+          {%- for v in hostvars[host].check_results.check_results[kind] -%}
+
+            {# Let's add some flair and show status visually with fancy icons #}
+            {% if v.health == 'ok' %}
+              {% set health_icon = 'glyphicon glyphicon-ok' %}
+            {% elif v.health == 'warning' %}
+              {% set health_icon = 'glyphicon glyphicon-alert' %}
+            {% else %}
+              {% set health_icon = 'glyphicon glyphicon-remove' %}
+            {% endif %}
+
+            <tr class="{{ loop.cycle('odd', 'even') }}">
+              <td style="text-align:center"><i class="{{ health_icon }}"></i></td>
+              <td style="width:33%">{{ v.cert_cn }}</td>
+              <td>{{ v.health }}</td>
+              <td>{{ v.days_remaining }}</td>
+              <td>{{ v.expiry }}</td>
+              <td>{{ v.path }}</td>
+            </tr>
+          {% endfor %}
+          {# end row generation per cert of this type #}
+        {% endfor %}
+        {# end generation for each kind of cert block #}
+      </table>
+      <hr />
+    {% endfor %}
+    {# end section generation for each host #}
+
+    <footer>
+      <p>
+        Expiration report generated by <a href="https://github.com/openshift/openshift-ansible" target="_blank">openshift-ansible</a>
+      </p>
+      <p>
+        Status icons from bootstrap/glyphicon
+      </p>
+    </footer>
+  </body>
+</html>
diff --git a/roles/openshift_certificate_expiry/templates/save_json_results.j2 b/roles/openshift_certificate_expiry/templates/save_json_results.j2
new file mode 100644
index 000000000..c1173d9ea
--- /dev/null
+++ b/roles/openshift_certificate_expiry/templates/save_json_results.j2
@@ -0,0 +1 @@
+{{ json_result_string | to_nice_json(indent=2)}}
diff --git a/roles/openshift_examples/tasks/main.yml b/roles/openshift_examples/tasks/main.yml
index 82536e8af..551e21e72 100644
--- a/roles/openshift_examples/tasks/main.yml
+++ b/roles/openshift_examples/tasks/main.yml
@@ -106,22 +106,6 @@
   failed_when: "'already exists' not in oex_import_quickstarts.stderr and oex_import_quickstarts.rc != 0"
   changed_when: false
 
-- name: Import origin infrastructure-templates
-  command: >
-    {{ openshift.common.client_binary }} {{ openshift_examples_import_command }} -n openshift -f {{ infrastructure_origin_base }}
-  when: openshift_examples_load_centos | bool
-  register: oex_import_infrastructure
-  failed_when: "'already exists' not in oex_import_infrastructure.stderr and oex_import_infrastructure.rc != 0"
-  changed_when: false
-
-- name: Import enterprise infrastructure-templates
-  command: >
-    {{ openshift.common.client_binary }} {{ openshift_examples_import_command }} -n openshift -f {{ infrastructure_enterprise_base }}
-  when: openshift_examples_load_rhel | bool
-  register: oex_import_infrastructure
-  failed_when: "'already exists' not in oex_import_infrastructure.stderr and oex_import_infrastructure.rc != 0"
-  changed_when: false
-
 - name: Remove old xPaas template files
   file:
     path: "{{ item }}"
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index d9b065d8a..61ce55b7f 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -59,7 +59,7 @@ def migrate_docker_facts(facts):
         facts['docker']['hosted_registry_network'] = facts['node'].pop('portal_net')
 
     # log_options was originally meant to be a comma separated string, but
-    # we now prefer an actual list, with backward compatability:
+    # we now prefer an actual list, with backward compatibility:
     if 'log_options' in facts['docker'] and \
             isinstance(facts['docker']['log_options'], basestring):
         facts['docker']['log_options'] = facts['docker']['log_options'].split(",")
diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2
index 75d8f7fa6..557fd03af 100644
--- a/roles/openshift_hosted/templates/registry_config.j2
+++ b/roles/openshift_hosted/templates/registry_config.j2
@@ -8,55 +8,55 @@ storage:
     enabled: true
   cache:
     blobdescriptor: inmemory
-{% if openshift.hosted.registry.storage.provider == 's3' %}
+{% if openshift_hosted_registry_storage_provider | default('') == 's3' %}
   s3:
-    accesskey: {{ openshift.hosted.registry.storage.s3.accesskey }}
-    secretkey: {{ openshift.hosted.registry.storage.s3.secretkey }}
-    region: {{ openshift.hosted.registry.storage.s3.region }}
-{%   if 'regionendpoint' in openshift.hosted.registry.storage.s3 %}
-    regionendpoint: {{ openshift.hosted.registry.storage.s3.regionendpoint }}
+    accesskey: {{ openshift_hosted_registry_storage_s3_accesskey }}
+    secretkey: {{ openshift_hosted_registry_storage_s3_secretkey }}
+    region: {{ openshift_hosted_registry_storage_s3_region }}
+{%   if openshift_hosted_registry_storage_s3_regionendpoint is defined %}
+    regionendpoint: {{ openshift_hosted_registry_storage_s3_regionendpoint }}
 {%   endif %}
-    bucket: {{ openshift.hosted.registry.storage.s3.bucket }}
+    bucket: {{ openshift_hosted_registry_storage_s3_bucket }}
     encrypt: false
     secure: true
     v4auth: true
-    rootdirectory: {{ openshift.hosted.registry.storage.s3.rootdirectory | default('/registry') }}
-    chunksize: "{{ openshift.hosted.registry.storage.s3.chunksize | default(26214400) }}"
-{% elif openshift.hosted.registry.storage.provider == 'azure_blob' %}
+    rootdirectory: {{ openshift_hosted_registry_storage_s3_rootdirectory | default('/registry') }}
+    chunksize: "{{ openshift_hosted_registry_storage_s3_chunksize | default(26214400) }}"
+{% elif openshift_hosted_registry_storage_provider | default('') == 'azure_blob' %}
   azure:
-    accountname: {{ openshift.hosted.registry.storage.azure_blob.accountname }}
-    accountkey: {{ openshift.hosted.registry.storage.azure_blob.accountkey }}
-    container: {{ openshift.hosted.registry.storage.azure_blob.container }}
-    realm: {{ openshift.hosted.registry.storage.azure_blob.realm }}
-{% elif openshift.hosted.registry.storage.provider == 'swift' %}
+    accountname: {{ openshift_hosted_registry_storage_azure_blob_accountname }}
+    accountkey: {{ openshift_hosted_registry_storage_azure_blob_accountkey }}
+    container: {{ openshift_hosted_registry_storage_azure_blob_container }}
+    realm: {{ openshift_hosted_registry_storage_azure_blob_realm }}
+{% elif openshift_hosted_registry_storage_provider | default('') == 'swift' %}
   swift:
-    authurl: {{ openshift.hosted.registry.storage.swift.authurl }}
-    username: {{ openshift.hosted.registry.storage.swift.username }}
-    password: {{ openshift.hosted.registry.storage.swift.password }}
-    container: {{ openshift.hosted.registry.storage.swift.container }}
-{%   if 'region' in openshift.hosted.registry.storage.swift %}
-    region: {{ openshift.hosted.registry.storage.swift.region }}
+    authurl: {{ openshift_hosted_registry_storage_swift_authurl }}
+    username: {{ openshift_hosted_registry_storage_swift_username }}
+    password: {{ openshift_hosted_registry_storage_swift_password }}
+    container: {{ openshift_hosted_registry_storage_swift_container }}
+{%   if openshift_hosted_registry_storage_swift_region is defined %}
+    region: {{ openshift_hosted_registry_storage_swift_region }}
 {%   endif -%}
-{%   if 'tenant' in openshift.hosted.registry.storage.swift %}
-    tenant: {{ openshift.hosted.registry.storage.swift.tenant }}
+{%   if openshift_hosted_registry_storage_swift_tenant is defined %}
+    tenant: {{ openshift_hosted_registry_storage_swift_tenant }}
 {%   endif -%}
-{%   if 'tenantid' in openshift.hosted.registry.storage.swift %}
-    tenantid: {{ openshift.hosted.registry.storage.swift.tenantid }}
+{%   if openshift_hosted_registry_storage_swift_tenantid is defined %}
+    tenantid: {{ openshift_hosted_registry_storage_swift_tenantid }}
 {%   endif -%}
-{%   if 'domain' in openshift.hosted.registry.storage.swift %}
-    domain: {{ openshift.hosted.registry.storage.swift.domain }}
+{%   if openshift_hosted_registry_storage_swift_domain is defined %}
+    domain: {{ openshift_hosted_registry_storage_swift_domain }}
 {%   endif -%}
-{%   if 'domainid' in openshift.hosted.registry.storage.swift %}
-    domainid: {{ openshift.hosted.registry.storage.swift.domainid }}
+{%   if openshift_hosted_registry_storage_swift_domainid %}
+    domainid: {{ openshift_hosted_registry_storage_swift_domainid }}
 {%   endif -%}
-{% elif openshift.hosted.registry.storage.provider == 'gcs' %}
+{% elif openshift_hosted_registry_storage_provider | default('') == 'gcs' %}
   gcs:
-    bucket: {{ openshift.hosted.registry.storage.gcs.bucket }}
-{%   if 'keyfile' in openshift.hosted.registry.storage.gcs %}
-    keyfile: {{ openshift.hosted.registry.storage.gcs.keyfile }}
+    bucket: {{ openshift_hosted_registry_storage_gcs_bucket }}
+{%   if openshift_hosted_registry_storage_gcs_keyfile is defined %}
+    keyfile: {{ openshift_hosted_registry_storage_gcs_keyfile }}
 {%   endif -%}
-{%   if 'rootdirectory' in openshift.hosted.registry.storage.gcs %}
-    rootdirectory: {{ openshift.hosted.registry.storage.gcs.rootdirectory }}
+{%   if openshift_hosted_registry_storage_gcs_rootdirectory is defined %}
+    rootdirectory: {{ openshift_hosted_registry_storage_gcs_rootdirectory }}
 {%   endif -%}
 {% endif -%}
 auth:
@@ -70,16 +70,16 @@ middleware:
   repository:
   - name: openshift
     options:
-      pullthrough: {{ openshift.hosted.registry.pullthrough | default(true) }}
-      acceptschema2: {{ openshift.hosted.registry.acceptschema2 | default(false) }}
-      enforcequota: {{ openshift.hosted.registry.enforcequota | default(false) }}
-{% if openshift.hosted.registry.storage.provider == 's3' and 'cloudfront' in openshift.hosted.registry.storage.s3 %}
+      pullthrough: {{ openshift_hosted_registry_pullthrough | default(true) }}
+      acceptschema2: {{ openshift_hosted_registry_acceptschema2 | default(false) }}
+      enforcequota: {{ openshift_hosted_registry_enforcequota | default(false) }}
+{% if openshift_hosted_registry_storage_provider | default('') == 's3' and openshift_hosted_registry_storage_s3_cloudfront_baseurl is defined %}
   storage:
   - name: cloudfront
     options:
-      baseurl: {{ openshift.hosted.registry.storage.s3.cloudfront.baseurl }}
-      privatekey: {{ openshift.hosted.registry.storage.s3.cloudfront.privatekeyfile }}
-      keypairid: {{ openshift.hosted.registry.storage.s3.cloudfront.keypairid }}
+      baseurl: {{ openshift_hosted_registry_storage_s3_cloudfront_baseurl }}
+      privatekey: {{ openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile }}
+      keypairid: {{ openshift_hosted_registry_storage_s3_cloudfront_keypairid }}
 {% elif openshift.common.version_gte_3_3_or_1_3 | bool %}
   storage:
   - name: openshift
diff --git a/roles/openshift_hosted_logging/defaults/main.yml b/roles/openshift_hosted_logging/defaults/main.yml
index e357899e5..a01f24df8 100644
--- a/roles/openshift_hosted_logging/defaults/main.yml
+++ b/roles/openshift_hosted_logging/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-examples_base: "{{ openshift.common.config_base if openshift.common.is_containerized | bool else '/usr/share/openshift' }}/examples"
+hosted_base: "{{ openshift.common.config_base if openshift.common.is_containerized | bool else '/usr/share/openshift' }}/hosted"
diff --git a/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml b/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml
index 8331f0389..8754616d9 100644
--- a/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml
+++ b/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml
@@ -46,8 +46,8 @@
 
   - name: "Remove deployer template"
     command: "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig delete template logging-deployer-template -n openshift"
-    register: delete_ouput
-    failed_when: delete_ouput.rc == 1 and 'exists' not in delete_ouput.stderr
+    register: delete_output
+    failed_when: delete_output.rc == 1 and 'exists' not in delete_output.stderr
 
 
   - name: Delete temp directory
diff --git a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml
index c8d376194..0162d1fb0 100644
--- a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml
+++ b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml
@@ -17,7 +17,7 @@
       cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
     changed_when: False
 
-  - name: Check for logging project already exists
+  - name: "Check for logging project already exists"
     command: >
       {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get project logging -o jsonpath='{.metadata.name}'
     register: logging_project_result
@@ -40,9 +40,13 @@
 
   - name: "Create templates for logging accounts and the deployer"
     command: >
-      {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{ examples_base }}/infrastructure-templates/{{ 'enterprise' if openshift_deployment_type == 'openshift-enterprise' else 'origin' }}/logging-deployer.yaml
-    register: template_output
-    failed_when: "template_output.rc == 1 and 'exists' not in template_output.stderr"
+      {{ openshift.common.client_binary }} create
+      -f {{ hosted_base }}/logging-deployer.yaml
+      --config={{ mktemp.stdout }}/admin.kubeconfig
+      -n logging
+    register: logging_import_template
+    failed_when: "'already exists' not in logging_import_template.stderr and logging_import_template.rc != 0"
+    changed_when: "'created' in logging_import_template.stdout"
 
   - name: "Process the logging accounts template"
     shell:  "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig process logging-deployer-account-template |  {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f -"
diff --git a/roles/openshift_hosted_templates/defaults/main.yml b/roles/openshift_hosted_templates/defaults/main.yml
new file mode 100644
index 000000000..f4fd15089
--- /dev/null
+++ b/roles/openshift_hosted_templates/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+hosted_base: "{{ openshift.common.config_base if openshift.common.is_containerized | bool else '/usr/share/openshift' }}/hosted"
+hosted_deployment_type: "{{ 'origin' if openshift_deployment_type == 'origin' else 'enterprise' }}"
+
+content_version: "{{ openshift.common.examples_content_version }}"
+
+registry_url: ""
+registry_host: "{{ registry_url.split('/')[0] if '.' in registry_url.split('/')[0] else '' }}"
+
+openshift_hosted_templates_import_command: 'create'
diff --git a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/enterprise/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.0/enterprise/logging-deployer.yaml
index b3b60bf9b..b3b60bf9b 100644
--- a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/enterprise/logging-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.0/enterprise/logging-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/enterprise/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.0/enterprise/metrics-deployer.yaml
index ddd9f2f75..ddd9f2f75 100644
--- a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/enterprise/metrics-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.0/enterprise/metrics-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/origin/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.0/origin/logging-deployer.yaml
index 4c798e148..4c798e148 100644
--- a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/origin/logging-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.0/origin/logging-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/origin/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.0/origin/metrics-deployer.yaml
index 3e9bcde5b..3e9bcde5b 100644
--- a/roles/openshift_examples/files/examples/v1.0/infrastructure-templates/origin/metrics-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.0/origin/metrics-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.1/enterprise/logging-deployer.yaml
index 9c8f1071a..9c8f1071a 100644
--- a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/logging-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.1/enterprise/logging-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.1/enterprise/metrics-deployer.yaml
index 99f2df4fa..99f2df4fa 100644
--- a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/enterprise/metrics-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.1/enterprise/metrics-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/origin/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.1/origin/logging-deployer.yaml
index 9257b1f28..9257b1f28 100644
--- a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/origin/logging-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.1/origin/logging-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/origin/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.1/origin/metrics-deployer.yaml
index 30d79acee..30d79acee 100644
--- a/roles/openshift_examples/files/examples/v1.1/infrastructure-templates/origin/metrics-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.1/origin/metrics-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/enterprise/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.2/enterprise/logging-deployer.yaml
index b6975eead..b6975eead 100644
--- a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/enterprise/logging-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.2/enterprise/logging-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/enterprise/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.2/enterprise/metrics-deployer.yaml
index 032f94a18..032f94a18 100644
--- a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/enterprise/metrics-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.2/enterprise/metrics-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/origin/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.2/origin/logging-deployer.yaml
index 8b28f872f..8b28f872f 100644
--- a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/origin/logging-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.2/origin/logging-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/origin/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.2/origin/metrics-deployer.yaml
index ab62ae76f..ab62ae76f 100644
--- a/roles/openshift_examples/files/examples/v1.2/infrastructure-templates/origin/metrics-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.2/origin/metrics-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.3/enterprise/logging-deployer.yaml
index a8d4b1cbb..13cef2d66 100644
--- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/logging-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.3/enterprise/logging-deployer.yaml
@@ -200,13 +200,13 @@ items:
     name: MODE
     value: "install"
   -
-    description: 'Specify prefix for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.0", set prefix "registry.access.redhat.com/openshift3/"'
+    description: 'Specify prefix for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.1", set prefix "registry.access.redhat.com/openshift3/"'
     name: IMAGE_PREFIX
     value: "registry.access.redhat.com/openshift3/"
   -
-    description: 'Specify version for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.0", set version "3.3.0"'
+    description: 'Specify version for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.1", set version "3.3.1"'
     name: IMAGE_VERSION
-    value: "3.3.0"
+    value: "3.3.1"
   -
     description: "(Deprecated) Specify the name of an existing pull secret to be used for pulling component images from an authenticated registry."
     name: IMAGE_PULL_SECRET
diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.3/enterprise/metrics-deployer.yaml
index afd47ec7c..5e21e3a7a 100644
--- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/metrics-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.3/enterprise/metrics-deployer.yaml
@@ -101,7 +101,7 @@ parameters:
 -
   description: 'Specify version for metrics components; e.g. for "openshift/origin-metrics-deployer:latest", set version "latest"'
   name: IMAGE_VERSION
-  value: "3.3.0"
+  value: "3.3.1"
 -
   description: "Internal URL for the master, for authentication retrieval"
   name: MASTER_URL
diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/registry-console.yaml b/roles/openshift_hosted_templates/files/v1.3/enterprise/registry-console.yaml
index 11478263c..11478263c 100644
--- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/enterprise/registry-console.yaml
+++ b/roles/openshift_hosted_templates/files/v1.3/enterprise/registry-console.yaml
diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.3/origin/logging-deployer.yaml
index 8b28f872f..8b28f872f 100644
--- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/logging-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.3/origin/logging-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.3/origin/metrics-deployer.yaml
index 5f2290419..5f2290419 100644
--- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/metrics-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.3/origin/metrics-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/registry-console.yaml b/roles/openshift_hosted_templates/files/v1.3/origin/registry-console.yaml
index 80cc4233b..80cc4233b 100644
--- a/roles/openshift_examples/files/examples/v1.3/infrastructure-templates/origin/registry-console.yaml
+++ b/roles/openshift_hosted_templates/files/v1.3/origin/registry-console.yaml
diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.4/enterprise/logging-deployer.yaml
index a8d4b1cbb..9cff9daca 100644
--- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/logging-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.4/enterprise/logging-deployer.yaml
@@ -200,13 +200,13 @@ items:
     name: MODE
     value: "install"
   -
-    description: 'Specify prefix for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.0", set prefix "registry.access.redhat.com/openshift3/"'
+    description: 'Specify prefix for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.4.0", set prefix "registry.access.redhat.com/openshift3/"'
     name: IMAGE_PREFIX
     value: "registry.access.redhat.com/openshift3/"
   -
-    description: 'Specify version for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.3.0", set version "3.3.0"'
+    description: 'Specify version for logging components; e.g. for "registry.access.redhat.com/openshift3/logging-deployer:3.4.0", set version "3.4.0"'
     name: IMAGE_VERSION
-    value: "3.3.0"
+    value: "3.4.0"
   -
     description: "(Deprecated) Specify the name of an existing pull secret to be used for pulling component images from an authenticated registry."
     name: IMAGE_PULL_SECRET
diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.4/enterprise/metrics-deployer.yaml
index afd47ec7c..1b46d6ac7 100644
--- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/metrics-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.4/enterprise/metrics-deployer.yaml
@@ -101,7 +101,7 @@ parameters:
 -
   description: 'Specify version for metrics components; e.g. for "openshift/origin-metrics-deployer:latest", set version "latest"'
   name: IMAGE_VERSION
-  value: "3.3.0"
+  value: "3.4.0"
 -
   description: "Internal URL for the master, for authentication retrieval"
   name: MASTER_URL
diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/registry-console.yaml b/roles/openshift_hosted_templates/files/v1.4/enterprise/registry-console.yaml
index 11478263c..11478263c 100644
--- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/enterprise/registry-console.yaml
+++ b/roles/openshift_hosted_templates/files/v1.4/enterprise/registry-console.yaml
diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.4/origin/logging-deployer.yaml
index 8b28f872f..8b28f872f 100644
--- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/logging-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.4/origin/logging-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.4/origin/metrics-deployer.yaml
index 5f2290419..5f2290419 100644
--- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/metrics-deployer.yaml
+++ b/roles/openshift_hosted_templates/files/v1.4/origin/metrics-deployer.yaml
diff --git a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/registry-console.yaml b/roles/openshift_hosted_templates/files/v1.4/origin/registry-console.yaml
index 80cc4233b..80cc4233b 100644
--- a/roles/openshift_examples/files/examples/v1.4/infrastructure-templates/origin/registry-console.yaml
+++ b/roles/openshift_hosted_templates/files/v1.4/origin/registry-console.yaml
diff --git a/roles/openshift_hosted_templates/meta/main.yml b/roles/openshift_hosted_templates/meta/main.yml
new file mode 100644
index 000000000..9c12865bf
--- /dev/null
+++ b/roles/openshift_hosted_templates/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: Andrew Butcher
+  description: OpenShift Hosted Templates
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.1
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- role: openshift_common
diff --git a/roles/openshift_hosted_templates/tasks/main.yml b/roles/openshift_hosted_templates/tasks/main.yml
new file mode 100644
index 000000000..7d176bce3
--- /dev/null
+++ b/roles/openshift_hosted_templates/tasks/main.yml
@@ -0,0 +1,65 @@
+---
+- name: Create local temp dir for OpenShift hosted templates copy
+  local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
+  become: False
+  register: copy_hosted_templates_mktemp
+  run_once: True
+
+- name: Create tar of OpenShift examples
+  local_action: command tar -C "{{ role_path }}/files/{{ content_version }}/{{ hosted_deployment_type }}" -cvf "{{ copy_hosted_templates_mktemp.stdout }}/openshift-hosted-templates.tar" .
+  args:
+    # Disables the following warning:
+    # Consider using unarchive module rather than running tar
+    warn: no
+  become: False
+  register: copy_hosted_templates_tar
+
+- name: Create remote OpenShift hosted templates directory
+  file:
+    dest: "{{ hosted_base }}"
+    state: directory
+    mode: 0755
+
+- name: Unarchive the OpenShift hosted templates on the remote
+  unarchive:
+    src: "{{ copy_hosted_templates_mktemp.stdout }}/openshift-hosted-templates.tar"
+    dest: "{{ hosted_base }}/"
+
+- name: Cleanup the OpenShift hosted templates temp dir
+  become: False
+  local_action: file dest="{{ copy_hosted_templates_mktemp.stdout }}" state=absent
+
+- name: Modify registry paths if registry_url is not registry.access.redhat.com
+  shell: >
+    find {{ hosted_base }} -type f | xargs -n 1 sed -i 's|registry.access.redhat.com|{{ registry_host | quote }}|g'
+  when: registry_host != '' and openshift_hosted_modify_imagestreams | default(openshift_examples_modify_imagestreams | default(False)) | bool
+
+- name: Create temp directory for kubeconfig
+  command: mktemp -d /tmp/openshift-ansible-XXXXXX
+  register: mktemp
+  changed_when: False
+
+- name: Record kubeconfig tmp dir
+  set_fact:
+    openshift_hosted_templates_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+
+- name: Copy the admin client config(s)
+  command: >
+    cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_templates_kubeconfig }}
+  changed_when: False
+
+- name: Create or update hosted templates
+  command: >
+    {{ openshift.common.client_binary }} {{ openshift_hosted_templates_import_command }}
+    -f {{ hosted_base }}
+    --config={{ openshift_hosted_templates_kubeconfig }}
+    -n openshift
+  register: oht_import_templates
+  failed_when: "'already exists' not in oht_import_templates.stderr and oht_import_templates.rc != 0"
+  changed_when: "'created' in oht_import_templates.stdout"
+
+- name: Delete temp directory
+  file:
+    name: "{{ mktemp.stdout }}"
+    state: absent
+  changed_when: False
diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml
index ea4fb525d..bdaf64b3f 100644
--- a/roles/openshift_manageiq/tasks/main.yaml
+++ b/roles/openshift_manageiq/tasks/main.yaml
@@ -8,7 +8,7 @@
     cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{manage_iq_tmp_conf}}
   changed_when: false
 
-- name: Add Managment Infrastructure project
+- name: Add Management Infrastructure project
   command: >
     {{ openshift.common.client_binary }} adm new-project
     management-infra
diff --git a/roles/openshift_metrics/defaults/main.yml b/roles/openshift_metrics/defaults/main.yml
new file mode 100644
index 000000000..a01f24df8
--- /dev/null
+++ b/roles/openshift_metrics/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+hosted_base: "{{ openshift.common.config_base if openshift.common.is_containerized | bool else '/usr/share/openshift' }}/hosted"
diff --git a/roles/openshift_metrics/tasks/install.yml b/roles/openshift_metrics/tasks/install.yml
index 4dabd314f..4976c7153 100644
--- a/roles/openshift_metrics/tasks/install.yml
+++ b/roles/openshift_metrics/tasks/install.yml
@@ -70,7 +70,7 @@
 - name: Build metrics deployer command
   set_fact:
     deployer_cmd: "{{ openshift.common.client_binary }} process -f \
-      {{ metrics_template_dir }}/metrics-deployer.yaml -v \
+      {{ hosted_base }}/metrics-deployer.yaml -v \
       HAWKULAR_METRICS_HOSTNAME={{ metrics_hostname }},USE_PERSISTENT_STORAGE={{metrics_persistence | string | lower }},DYNAMICALLY_PROVISION_STORAGE={{metrics_dynamic_vol | string | lower }},METRIC_DURATION={{ openshift.hosted.metrics.duration }},METRIC_RESOLUTION={{ openshift.hosted.metrics.resolution }}{{ image_prefix }}{{ image_version }},MODE={{ deployment_mode }} \
         | {{ openshift.common.client_binary }} --namespace openshift-infra \
         --config={{ openshift_metrics_kubeconfig }} \
diff --git a/roles/openshift_node_dnsmasq/tasks/main.yml b/roles/openshift_node_dnsmasq/tasks/main.yml
index bd9a0ffb6..396c27295 100644
--- a/roles/openshift_node_dnsmasq/tasks/main.yml
+++ b/roles/openshift_node_dnsmasq/tasks/main.yml
@@ -29,6 +29,12 @@
   when: openshift_node_dnsmasq_additional_config_file is defined
   notify: restart dnsmasq
 
+- name: Enable dnsmasq
+  service:
+    name: dnsmasq
+    enabled: yes
+    state: started
+
 # Dynamic NetworkManager based dispatcher
 - include: ./network-manager.yml
   when: network_manager_active | bool
diff --git a/roles/os_firewall/library/os_firewall_manage_iptables.py b/roles/os_firewall/library/os_firewall_manage_iptables.py
index 190016c14..bd638b69b 100755
--- a/roles/os_firewall/library/os_firewall_manage_iptables.py
+++ b/roles/os_firewall/library/os_firewall_manage_iptables.py
@@ -50,8 +50,8 @@ class IpTablesCreateJumpRuleError(IpTablesError):
         self.chain = chain
 
 
-# TODO: impliment rollbacks for any events that where successful and an
-# exception was thrown later. for example, when the chain is created
+# TODO: implement rollbacks for any events that were successful and an
+# exception was thrown later. For example, when the chain is created
 # successfully, but the add/remove rule fails.
 class IpTablesManager(object): # pylint: disable=too-many-instance-attributes
     def __init__(self, module):