
Generate each master's certificates separately.

Andrew Butcher 9 years ago
parent
commit
02cf4ef8e2

+ 3 - 7
playbooks/common/openshift-master/config.yml

@@ -1,6 +1,6 @@
 ---
 - name: Set master facts and determine if external etcd certs need to be generated
-  hosts: oo_first_master:oo_masters_to_config
+  hosts: oo_masters_to_config
   pre_tasks:
   - name: Check for RPM generated config marker file .config_managed
     stat:
@@ -186,10 +186,6 @@
     masters_needing_certs: "{{ hostvars
                                | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master']))
                                | oo_filter_list(filter_attr='master_certs_missing') }}"
-    master_hostnames: "{{ hostvars
-                               | oo_select_keys(groups['oo_masters_to_config'])
-                               | oo_collect('openshift.common.all_hostnames')
-                               | oo_flatten | unique }}"
     sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
   roles:
   - openshift_master_certificates
@@ -343,12 +339,12 @@
     file:
       path: "{{ openshift.common.config_base }}/master"
       state: directory
-    when: master_certs_missing and 'oo_first_master' not in group_names
+    when: master_certs_missing | bool and 'oo_first_master' not in group_names
   - name: Unarchive the tarball on the master
     unarchive:
       src: "{{ sync_tmpdir }}/{{ master_cert_subdir }}.tgz"
       dest: "{{ master_cert_config_dir }}"
-    when: master_certs_missing and 'oo_first_master' not in group_names
+    when: master_certs_missing | bool and 'oo_first_master' not in group_names
   roles:
   - openshift_master
   - role: nickhammond.logrotate
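Review bot: With `hosts: oo_masters_to_config` replacing `oo_first_master:oo_masters_to_config` on the play header, the later `groups['oo_first_master']` lookup and the two `'oo_first_master' not in group_names` guards only behave as intended if the first master is also a member of oo_masters_to_config, and that assumption is stated nowhere in the play. I would record it next to the new hosts line: `# oo_first_master must be a member of oo_masters_to_config; the group is only used to exclude it from the unarchive below`. The `file: state: directory` task just above the guarded unarchive still creates `{{ openshift.common.config_base }}/master` without a `mode`, although the tarball unpacked into it carries private keys; presumably the umask is relied on here, worth confirming. The play's remaining tasks continue outside the hunk.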

+ 1 - 1
roles/openshift_master_ca/tasks/main.yml

@@ -25,4 +25,4 @@
       --master={{ openshift.master.api_url }}
       --public-master={{ openshift.master.public_api_url }}
       --cert-dir={{ openshift_master_config_dir }} --overwrite=false
-  when: master_certs_missing
+  when: master_certs_missing | bool

+ 5 - 29
roles/openshift_master_certificates/tasks/main.yml

@@ -6,40 +6,16 @@
     mode: 0700
   with_items: masters_needing_certs
 
-- set_fact:
-    master_certificates:
-    - ca.crt
-    - ca.key
-    - ca.serial.txt
-    - admin.crt
-    - admin.key
-    - admin.kubeconfig
-    - master.kubelet-client.crt
-    - master.kubelet-client.key
-    - master.server.crt
-    - master.server.key
-    - openshift-master.crt
-    - openshift-master.key
-    - openshift-master.kubeconfig
-    - openshift-registry.crt
-    - openshift-registry.key
-    - openshift-registry.kubeconfig
-    - openshift-router.crt
-    - openshift-router.key
-    - openshift-router.kubeconfig
-    - serviceaccounts.private.key
-    - serviceaccounts.public.key
-    master_31_certificates:
-    - master.proxy-client.crt
-    - master.proxy-client.key
-
 - file:
     src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
     dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
     state: hard
   with_nested:
   - masters_needing_certs
-  - "{{ master_certificates | union(master_31_certificates) if openshift.common.version_gte_3_1_or_1_1 | bool else master_certificates }}"
+  -
+    - ca.crt
+    - ca.key
+    - ca.serial.txt
 
 - name: Create the master certificates if they do not already exist
   command: >
@@ -49,5 +25,5 @@
       --public-master={{ item.openshift.master.public_api_url }}
       --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}
       --overwrite=false
-  when: master_certs_missing
+  when: item.master_certs_missing | bool
   with_items: masters_needing_certs
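Review bot: The hard-link task now places `ca.key` and `ca.serial.txt` into every per-master subdir, and because `state: hard` shares the inode, the create-certs commands that follow all advance the single CA serial file; once those subdirs are packaged and unarchived on the other masters (the playbooks/common/openshift-master/config.yml change in this commit), each master holds a snapshot of the serial together with the CA signing key, so any later issuance from a master-local copy could yield colliding serials — that is inferred from the task order rather than visible here. A comment on the nested list would make the intent explicit: `# only the CA material is shared; each master generates its own serving certs from it`. The `when: item.master_certs_missing | bool` added on the create-certs task looks redundant, since `masters_needing_certs` is already filtered on that attribute in the playbook, though it is harmless. The command's opening lines start outside the hunk.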