Enable push to registry via dns only on clean 3.6 installs

We cannot assume that 3.5 to 3.6 upgrades were signed with the correct
certs

roles/openshift_master/tasks/main.yml

@@ -128,6 +128,9 @@
   when: openshift.master.request_header_ca is defined and item.kind == 'RequestHeaderIdentityProvider' and item.clientCA | default('') != ''
   with_items: "{{ openshift.master.identity_providers }}"
 
+- set_fact:
+    openshift_push_via_dns: "{{ openshift_use_dnsmasq | default(true) and openshift.common.version_gte_3_6 and r_openshift_master_clean_install }}"
+
 - name: Install the systemd units
   include: systemd_units.yml
 

roles/openshift_master/templates/atomic-openshift-master.j2

@@ -1,6 +1,6 @@
 OPTIONS=--loglevel={{ openshift.master.debug_level | default(2) }}
 CONFIG_FILE={{ openshift_master_config_file }}
-{% if openshift_use_dnsmasq | default(true) and openshift_push_via_dns | default(false) %}
+{% if openshift_push_via_dns %}
 OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
 {% endif %}
 {% if openshift.common.is_containerized | bool %}