
Separate certificate playbooks.

Andrew Butcher 7 years ago
parent
commit
d8d0e6d7de
34 changed files with 232 additions and 186 deletions
  1. 15 3
      playbooks/byo/openshift-cluster/redeploy-certificates.yml
  2. 5 1
      playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml
  3. 5 1
      playbooks/byo/openshift-cluster/redeploy-master-certificates.yml
  4. 5 1
      playbooks/byo/openshift-cluster/redeploy-node-certificates.yml
  5. 8 0
      playbooks/byo/openshift-etcd/certificates.yml
  6. 8 0
      playbooks/byo/openshift-master/certificates.yml
  7. 6 0
      playbooks/byo/openshift-node/certificates.yml
  8. 2 0
      playbooks/byo/openshift-node/scaleup.yml
  9. 10 0
      playbooks/common/openshift-cluster/config.yml
  10. 19 0
      playbooks/common/openshift-cluster/redeploy-certificates/etcd-backup.yml
  11. 2 15
      playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml
  12. 0 54
      playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml
  13. 38 0
      playbooks/common/openshift-cluster/redeploy-certificates/masters-backup.yml
  14. 0 63
      playbooks/common/openshift-cluster/redeploy-certificates/masters.yml
  15. 0 5
      playbooks/common/openshift-cluster/redeploy-certificates/nodes.yml
  16. 6 10
      playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml
  17. 15 0
      playbooks/common/openshift-etcd/ca.yml
  18. 29 0
      playbooks/common/openshift-etcd/certificates.yml
  19. 7 0
      playbooks/common/openshift-etcd/scaleup.yml
  20. 8 0
      playbooks/common/openshift-master/ca.yml
  21. 14 0
      playbooks/common/openshift-master/certificates.yml
  22. 0 9
      playbooks/common/openshift-master/config.yml
  23. 6 0
      playbooks/common/openshift-master/scaleup.yml
  24. 8 0
      playbooks/common/openshift-node/certificates.yml
  25. 0 1
      playbooks/common/openshift-node/configure_nodes.yml
  26. 0 2
      roles/etcd/tasks/main.yml
  27. 8 0
      roles/openshift_ca/defaults/main.yml
  28. 0 1
      roles/openshift_ca/meta/main.yml
  29. 0 7
      roles/openshift_ca/vars/main.yml
  30. 1 3
      roles/openshift_master_certificates/meta/main.yml
  31. 6 0
      roles/openshift_named_certificates/defaults/main.yml
  32. 0 6
      roles/openshift_named_certificates/vars/main.yml
  33. 0 2
      roles/openshift_node/meta/main.yml
  34. 1 2
      roles/openshift_node_certificates/meta/main.yml

+ 15 - 3
playbooks/byo/openshift-cluster/redeploy-certificates.yml

@@ -11,11 +11,23 @@
   vars:
     g_check_expiry_hosts: 'oo_etcd_to_config'
 
-- include: ../../common/openshift-cluster/redeploy-certificates/etcd.yml
+- include: ../../common/openshift-cluster/redeploy-certificates/etcd-backup.yml
 
-- include: ../../common/openshift-cluster/redeploy-certificates/masters.yml
+- include: ../../common/openshift-etcd/certificates.yml
+  vars:
+    etcd_certificates_redeploy: true
+
+- include: ../../common/openshift-cluster/redeploy-certificates/masters-backup.yml
+
+- include: ../../common/openshift-master/certificates.yml
+  vars:
+    openshift_certificates_redeploy: true
+
+- include: ../../common/openshift-cluster/redeploy-certificates/nodes-backup.yml
 
-- include: ../../common/openshift-cluster/redeploy-certificates/nodes.yml
+- include: ../../common/openshift-node/certificates.yml
+  vars:
+    openshift_certificates_redeploy: true
 
 - include: ../../common/openshift-etcd/restart.yml
   vars:
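Review bot: The added include of `redeploy-certificates/nodes-backup.yml` points at a file this commit does not appear to create. The changed-file list shows `redeploy-certificates/nodes.yml` only losing five lines, with no rename and no `nodes-backup.yml` entry, whereas `etcd-backup.yml` and `masters-backup.yml` are both added. Unless that file already exists in the tree, the playbook would fail when the include is resolved, and `redeploy-node-certificates.yml` has the same include. Either rename `nodes.yml` in this commit or keep `- include: ../../common/openshift-cluster/redeploy-certificates/nodes.yml` in both files. The play list continues past the end of this hunk.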

+ 5 - 1
playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml

@@ -11,7 +11,11 @@
   vars:
     g_check_expiry_hosts: 'oo_etcd_to_config'
 
-- include: ../../common/openshift-cluster/redeploy-certificates/etcd.yml
+- include: ../../common/openshift-cluster/redeploy-certificates/etcd-backup.yml
+
+- include: ../../common/openshift-etcd/certificates.yml
+  vars:
+    etcd_certificates_redeploy: true
 
 - include: ../../common/openshift-etcd/restart.yml
   vars:

+ 5 - 1
playbooks/byo/openshift-cluster/redeploy-master-certificates.yml

@@ -7,6 +7,10 @@
   tags:
   - always
 
-- include: ../../common/openshift-cluster/redeploy-certificates/masters.yml
+- include: ../../common/openshift-cluster/redeploy-certificates/masters-backup.yml
+
+- include: ../../common/openshift-master/certificates.yml
+  vars:
+    openshift_certificates_redeploy: true
 
 - include: ../../common/openshift-master/restart.yml

+ 5 - 1
playbooks/byo/openshift-cluster/redeploy-node-certificates.yml

@@ -7,6 +7,10 @@
   tags:
   - always
 
-- include: ../../common/openshift-cluster/redeploy-certificates/nodes.yml
+- include: ../../common/openshift-cluster/redeploy-certificates/nodes-backup.yml
+
+- include: ../../common/openshift-node/certificates.yml
+  vars:
+    openshift_certificates_redeploy: true
 
 - include: ../../common/openshift-node/restart.yml

+ 8 - 0
playbooks/byo/openshift-etcd/certificates.yml

@@ -0,0 +1,8 @@
+---
+- include: ../openshift-cluster/initialize_groups.yml
+
+- include: ../../common/openshift-cluster/std_include.yml
+
+- include: ../../common/openshift-etcd/ca.yml
+
+- include: ../../common/openshift-etcd/certificates.yml

+ 8 - 0
playbooks/byo/openshift-master/certificates.yml

@@ -0,0 +1,8 @@
+---
+- include: ../openshift-cluster/initialize_groups.yml
+
+- include: ../../common/openshift-cluster/std_include.yml
+
+- include: ../../common/openshift-master/ca.yml
+
+- include: ../../common/openshift-master/certificates.yml

+ 6 - 0
playbooks/byo/openshift-node/certificates.yml

@@ -0,0 +1,6 @@
+---
+- include: ../openshift-cluster/initialize_groups.yml
+
+- include: ../../common/openshift-cluster/std_include.yml
+
+- include: ../../common/openshift-node/certificates.yml

+ 2 - 0
playbooks/byo/openshift-node/scaleup.yml

@@ -16,4 +16,6 @@
 
 - include: ../../common/openshift-cluster/std_include.yml
 
+- include: ../../common/openshift-node/certificates.yml
+
 - include: ../../common/openshift-node/config.yml

+ 10 - 0
playbooks/common/openshift-cluster/config.yml

@@ -18,6 +18,10 @@
       - docker_image_availability
       - docker_storage
 
+- include: ../openshift-etcd/ca.yml
+
+- include: ../openshift-etcd/certificates.yml
+
 - include: ../openshift-etcd/config.yml
 
 - include: ../openshift-nfs/config.yml
@@ -26,10 +30,16 @@
 - include: ../openshift-loadbalancer/config.yml
   when: groups.oo_lb_to_config | default([]) | count > 0
 
+- include: ../openshift-master/ca.yml
+
+- include: ../openshift-master/certificates.yml
+
 - include: ../openshift-master/config.yml
 
 - include: ../openshift-master/additional_config.yml
 
+- include: ../openshift-node/certificates.yml
+
 - include: ../openshift-node/config.yml
 
 - include: ../openshift-glusterfs/config.yml

+ 19 - 0
playbooks/common/openshift-cluster/redeploy-certificates/etcd-backup.yml

@@ -0,0 +1,19 @@
+---
+- name: Backup and remove generated etcd certificates
+  hosts: oo_first_etcd
+  any_errors_fatal: true
+  tasks:
+  - include_role:
+      name: etcd
+      tasks_from: backup_generated_certificates
+  - include_role:
+      name: etcd
+      tasks_from: remove_generated_certificates
+
+- name: Backup deployed etcd certificates
+  hosts: oo_etcd_to_config
+  any_errors_fatal: true
+  tasks:
+  - include_role:
+      name: etcd
+      tasks_from: backup_server_certificates
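Review bot: The `backup_server_certificates` include in the second play no longer passes `r_etcd_common_etcd_runtime`, which the play it replaces in `redeploy-certificates/etcd.yml` set to `{{ openshift.common.etcd_runtime }}`. If the backup tasks read that variable (the task file is not shown here), they now get the role default rather than the cluster's actual runtime, and the backup taken just before certificates are regenerated may not cover the files in use. I would restore `vars:` with `r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"` on that include, as the new `openshift-etcd/certificates.yml` does for `server_certificates`.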

+ 2 - 15
playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml

@@ -21,20 +21,7 @@
       name: etcd
       tasks_from: remove_ca_certificates
 
-- name: Generate new etcd CA
-  hosts: oo_first_etcd
-  roles:
-  - role: openshift_etcd_facts
-  tasks:
-  - include_role:
-      name: etcd
-      tasks_from: ca
-    vars:
-      etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
-      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
-      etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
-    when:
-    - etcd_ca_setup | default(True) | bool
+- include: ../../openshift-etcd/ca.yml
 
 - name: Create temp directory for syncing certs
   hosts: localhost
@@ -72,7 +59,7 @@
       name: etcd
       tasks_from: retrieve_ca_certificates
     vars:
-      etcd_sync_cert_dir: hostvars['localhost'].g_etcd_mktemp.stdout
+      etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}"
       r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
 
 - name: Distribute etcd CA to masters

+ 0 - 54
playbooks/common/openshift-cluster/redeploy-certificates/etcd.yml

@@ -1,54 +0,0 @@
----
-- name: Backup and remove generated etcd certificates
-  hosts: oo_first_etcd
-  any_errors_fatal: true
-  tasks:
-  - include_role:
-      name: etcd
-      tasks_from: backup_generated_certificates
-  - include_role:
-      name: etcd
-      tasks_from: remove_generated_certificates
-
-- name: Backup and removed deployed etcd certificates
-  hosts: oo_etcd_to_config
-  any_errors_fatal: true
-  tasks:
-  - include_role:
-      name: etcd
-      tasks_from: backup_server_certificates
-    vars:
-      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
-
-- name: Redeploy etcd certificates
-  hosts: oo_etcd_to_config
-  any_errors_fatal: true
-  roles:
-  - role: openshift_etcd_facts
-  tasks:
-  - include_role:
-      name: etcd
-      tasks_from: server_certificates
-    vars:
-      etcd_certificates_redeploy: true
-      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
-      etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
-      etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
-      openshift_ca_host: "{{ groups.oo_first_master.0 }}"
-      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
-
-- name: Redeploy etcd client certificates for masters
-  hosts: oo_masters_to_config
-  any_errors_fatal: true
-  roles:
-  - role: openshift_etcd_facts
-  - role: openshift_etcd_client_certificates
-    etcd_certificates_redeploy: true
-    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
-    etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
-    etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
-    etcd_cert_prefix: "master.etcd-"
-    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
-    openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
-    r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
-    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config

+ 38 - 0
playbooks/common/openshift-cluster/redeploy-certificates/masters-backup.yml

@@ -0,0 +1,38 @@
+---
+- name: Backup and remove master cerftificates
+  hosts: oo_masters_to_config
+  any_errors_fatal: true
+  vars:
+    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+    openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
+  pre_tasks:
+  - stat:
+      path: "{{ openshift.common.config_base }}/generated-configs"
+    register: openshift_generated_configs_dir_stat
+  - name: Backup generated certificate and config directories
+    command: >
+      tar -czvf /etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz
+      {{ openshift.common.config_base }}/generated-configs
+      {{ openshift.common.config_base }}/master
+    when: openshift_generated_configs_dir_stat.stat.exists
+    delegate_to: "{{ openshift_ca_host }}"
+    run_once: true
+  - name: Remove generated certificate directories
+    file:
+      path: "{{ item }}"
+      state: absent
+    with_items:
+    - "{{ openshift.common.config_base }}/generated-configs"
+  - name: Remove generated certificates
+    file:
+      path: "{{ openshift.common.config_base }}/master/{{ item }}"
+      state: absent
+    with_items:
+    - "{{ hostvars[inventory_hostname] | certificates_to_synchronize(include_keys=false, include_ca=false) }}"
+    - "etcd.server.crt"
+    - "etcd.server.key"
+    - "master.server.crt"
+    - "master.server.key"
+    - "openshift-master.crt"
+    - "openshift-master.key"
+    - "openshift-master.kubeconfig"
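Review bot: The backup task creates `/etc/origin/master-node-cert-config-backup-<epoch>.tgz` through `command: tar`, so the archive's mode is whatever the remote user's umask yields. It contains `{{ openshift.common.config_base }}/master`, which by the `openshift_ca` defaults in this commit holds `ca.key` alongside the server keys that the next tasks delete. A follow-up `file` task that pins the archive to mode 0600 keeps the only remaining copy of the old private keys from being left group- or world-readable. Running tar under a restrictive umask would close the short window before that task runs, but needs `shell` instead of `command`. The play name also carries a typo, `cerftificates`.

```yaml
  # … unchanged: stat task and "Backup generated certificate and config directories" …
  - name: Restrict permissions on the certificate backup archive
    file:
      path: "/etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz"
      mode: "0600"
    when: openshift_generated_configs_dir_stat.stat.exists
    delegate_to: "{{ openshift_ca_host }}"
    run_once: true
  # … unchanged: removal tasks …
```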

+ 0 - 63
playbooks/common/openshift-cluster/redeploy-certificates/masters.yml

@@ -1,63 +0,0 @@
----
-- name: Redeploy master certificates
-  hosts: oo_masters_to_config
-  any_errors_fatal: true
-  vars:
-    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
-    openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
-  pre_tasks:
-  - stat:
-      path: "{{ openshift_generated_configs_dir }}"
-    register: openshift_generated_configs_dir_stat
-  - name: Backup generated certificate and config directories
-    command: >
-      tar -czvf /etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz
-      {{ openshift_generated_configs_dir }}
-      {{ openshift.common.config_base }}/master
-    when: openshift_generated_configs_dir_stat.stat.exists
-    delegate_to: "{{ openshift_ca_host }}"
-    run_once: true
-  - name: Remove generated certificate directories
-    file:
-      path: "{{ item }}"
-      state: absent
-    with_items:
-    - "{{ openshift_generated_configs_dir }}"
-  - name: Remove generated certificates
-    file:
-      path: "{{ openshift.common.config_base }}/master/{{ item }}"
-      state: absent
-    with_items:
-    - "{{ hostvars[inventory_hostname] | certificates_to_synchronize(include_keys=false, include_ca=false) }}"
-    - "etcd.server.crt"
-    - "etcd.server.key"
-    - "master.server.crt"
-    - "master.server.key"
-    - "openshift-master.crt"
-    - "openshift-master.key"
-    - "openshift-master.kubeconfig"
-  - name: Remove generated etcd client certificates
-    file:
-      path: "{{ openshift.common.config_base }}/master/{{ item }}"
-      state: absent
-    with_items:
-    - "master.etcd-client.crt"
-    - "master.etcd-client.key"
-    when: groups.oo_etcd_to_config | default([]) | length == 0
-  roles:
-  - role: openshift_master_certificates
-    openshift_master_etcd_hosts: "{{ hostvars
-                                     | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
-                                     | oo_collect('openshift.common.hostname')
-                                     | default(none, true) }}"
-    openshift_certificates_redeploy: true
-  - role: lib_utils
-  post_tasks:
-  - yedit:
-      src: "{{ openshift.common.config_base }}/master/master-config.yaml"
-      key: servingInfo.namedCertificates
-      value: "{{ openshift.master.named_certificates | default([]) | oo_named_certificates_list }}"
-    when:
-    - ('named_certificates' in openshift.master)
-    - openshift.master.named_certificates | default([]) | length > 0
-    - openshift_master_overwrite_named_certificates | default(false) | bool

+ 0 - 5
playbooks/common/openshift-cluster/redeploy-certificates/nodes.yml

@@ -22,8 +22,3 @@
       state: absent
     with_items:
     - "{{ openshift.common.config_base }}/node/ca.crt"
-  roles:
-  - role: openshift_node_certificates
-    openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
-    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
-    openshift_certificates_redeploy: true

+ 6 - 10
playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml

@@ -105,25 +105,21 @@
     - "ca.serial.txt"
     - "ca-bundle.crt"
 
-- name: Generate new OpenShift CA certificate
+- name: Create temporary directory for creating new CA certificate
   hosts: oo_first_master
-  pre_tasks:
+  tasks:
   - name: Create temporary directory for creating new CA certificate
     command: >
       mktemp -d /tmp/openshift-ansible-XXXXXXX
     register: g_new_openshift_ca_mktemp
     changed_when: false
-  roles:
-  - role: openshift_ca
+
+- include: ../../openshift-master/ca.yml
+  vars:
     # Set openshift_ca_config_dir to a temporary directory where CA
     # will be created. We'll replace the existing CA with the CA
     # created in the temporary directory.
-    openshift_ca_config_dir: "{{ g_new_openshift_ca_mktemp.stdout }}"
-    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
-    openshift_master_hostnames: "{{ hostvars
-                                    | oo_select_keys(groups['oo_masters_to_config'] | default([]))
-                                    | oo_collect('openshift.common.all_hostnames')
-                                    | oo_flatten | unique }}"
+    openshift_ca_config_dir: "{{ hostvars[groups.oo_first_master.0].g_new_openshift_ca_mktemp.stdout }}"
 
 - name: Create temp directory for syncing certs
   hosts: localhost
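Review bot: Including `openshift-master/ca.yml` here widens CA generation from `oo_first_master` to `oo_masters_to_config`, while `openshift_ca_config_dir` is set to a temporary directory that the preceding play creates only on the first master. `openshift_named_certificates` and `openshift_ca` now run on every master with a CA path that exists on one host. Whether that is harmless depends on how much of those roles is delegated to `openshift_ca_host`, which is not visible in this diff. The explicit `openshift_master_hostnames` value is also gone, so the role relies on whatever default it has for that variable. At minimum I would extend the existing comment with `# ca.yml targets oo_masters_to_config; this directory exists only on oo_first_master` and confirm the non-first masters skip the CA-writing tasks.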

+ 15 - 0
playbooks/common/openshift-etcd/ca.yml

@@ -0,0 +1,15 @@
+---
+- name: Generate new etcd CA
+  hosts: oo_first_etcd
+  roles:
+  - role: openshift_etcd_facts
+  tasks:
+  - include_role:
+      name: etcd
+      tasks_from: ca
+    vars:
+      etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
+      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+      etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
+    when:
+    - etcd_ca_setup | default(True) | bool

+ 29 - 0
playbooks/common/openshift-etcd/certificates.yml

@@ -0,0 +1,29 @@
+---
+- name: Create etcd server certificates for etcd hosts
+  hosts: oo_etcd_to_config
+  any_errors_fatal: true
+  roles:
+    - role: openshift_etcd_facts
+  post_tasks:
+    - include_role:
+        name: etcd
+        tasks_from: server_certificates
+      vars:
+        etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+        etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}"
+        etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}"
+        r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
+
+- name: Create etcd client certificates for master hosts
+  hosts: oo_masters_to_config
+  any_errors_fatal: true
+  roles:
+    - role: openshift_etcd_facts
+    - role: openshift_etcd_client_certificates
+      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+      etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
+      etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
+      etcd_cert_prefix: "master.etcd-"
+      openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
+      when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config

+ 7 - 0
playbooks/common/openshift-etcd/scaleup.yml

@@ -30,6 +30,13 @@
     retries: 3
     delay: 10
     until: etcd_add_check.rc == 0
+  - include_role:
+      name: etcd
+      tasks_from: server_certificates
+    vars:
+      etcd_peers: "{{ groups.oo_new_etcd_to_config | default([], true) }}"
+      etcd_certificates_etcd_hosts: "{{ groups.oo_new_etcd_to_config | default([], true) }}"
+      r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
   roles:
   - role: os_firewall
     when: etcd_add_check.rc == 0
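Review bot: The added `server_certificates` include is not conditioned on the member-add result, unlike the `os_firewall` role just below it, which carries `when: etcd_add_check.rc == 0`. If the add check can finish non-zero without failing the play (its error handling is above the hunk), certificates would still be issued for a host that did not join the cluster. Adding `when: etcd_add_check.rc == 0` to the include keeps the two consistent. The include also omits `etcd_ca_host`, which `openshift-etcd/certificates.yml` passes as `groups.oo_etcd_to_config.0`; confirm it is set at play level, which this hunk does not show.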

+ 8 - 0
playbooks/common/openshift-master/ca.yml

@@ -0,0 +1,8 @@
+---
+- name: Create OpenShift CA
+  hosts: oo_masters_to_config
+  roles:
+  - role: openshift_master_facts
+  - role: openshift_named_certificates
+  - role: openshift_ca
+    openshift_ca_host: "{{ groups.oo_first_master.0 }}"

+ 14 - 0
playbooks/common/openshift-master/certificates.yml

@@ -0,0 +1,14 @@
+---
+- name: Create OpenShift certificates for master hosts
+  hosts: oo_masters_to_config
+  vars:
+    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+  roles:
+  - role: openshift_master_facts
+  - role: openshift_named_certificates
+  - role: openshift_ca
+  - role: openshift_master_certificates
+    openshift_master_etcd_hosts: "{{ hostvars
+                                     | oo_select_keys(groups['oo_etcd_to_config'] | default([]))
+                                     | oo_collect('openshift.common.hostname')
+                                     | default(none, true) }}"
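Review bot: This play drops `any_errors_fatal: true`, which the `Redeploy master certificates` play it replaces had and which the new etcd certificate plays keep. Without it a failure on one master lets the remaining masters continue with new certificates and the later restart plays run against a partial set. Add `any_errors_fatal: true` under `hosts:` here, and likewise in `openshift-master/ca.yml` and `openshift-node/certificates.yml`. The `yedit` post-task that rewrote `servingInfo.namedCertificates` in `master-config.yaml` has no counterpart in the new play either; confirm the `openshift_named_certificates` role covers that case when `openshift_master_overwrite_named_certificates` is set.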

+ 0 - 9
playbooks/common/openshift-master/config.yml

@@ -180,15 +180,6 @@
   - role: os_firewall
   - role: openshift_master_facts
   - role: openshift_hosted_facts
-  - role: openshift_master_certificates
-  - role: openshift_etcd_facts
-  - role: openshift_etcd_client_certificates
-    etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
-    etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
-    etcd_cert_prefix: "master.etcd-"
-    r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}"
-    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
-    when: groups.oo_etcd_to_config | default([]) | length != 0
   - role: openshift_clock
   - role: openshift_cloud_provider
   - role: openshift_builddefaults

+ 6 - 0
playbooks/common/openshift-master/scaleup.yml

@@ -45,8 +45,14 @@
 
 - include: ../openshift-master/set_network_facts.yml
 
+- include: ../openshift-etcd/certificates.yml
+
+- include: ../openshift-master/certificates.yml
+
 - include: ../openshift-master/config.yml
 
 - include: ../openshift-loadbalancer/config.yml
 
+- include: ../openshift-node/certificates.yml
+
 - include: ../openshift-node/config.yml

+ 8 - 0
playbooks/common/openshift-node/certificates.yml

@@ -0,0 +1,8 @@
+---
+- name: Create OpenShift certificates for node hosts
+  hosts: oo_nodes_to_config
+  gather_facts: no
+  roles:
+  - role: openshift_node_certificates
+    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
+    when: not openshift_node_bootstrap | default(false) | bool

+ 0 - 1
playbooks/common/openshift-node/configure_nodes.yml

@@ -13,5 +13,4 @@
   roles:
   - role: os_firewall
   - role: openshift_node
-    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
   - role: nickhammond.logrotate

+ 0 - 2
roles/etcd/tasks/main.yml

@@ -1,6 +1,4 @@
 ---
-- include: server_certificates.yml
-
 - name: Set hostname and ip facts
   set_fact:
     # Store etcd_hostname and etcd_ip such that they will be available

+ 8 - 0
roles/openshift_ca/defaults/main.yml

@@ -1,3 +1,11 @@
 ---
 openshift_ca_cert_expire_days: 1825
 openshift_master_cert_expire_days: 730
+
+openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
+openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
+openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
+openshift_master_loopback_config: "{{ openshift_ca_config_dir }}/openshift-master.kubeconfig"
+
+openshift_version: "{{ openshift_pkg_version | default('') }}"
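Review bot: The CA path variables and `openshift_version` are now defined twice as role defaults, here and in `roles/openshift_named_certificates/defaults/main.yml`, with nothing tying the two copies together. Moving them from `vars/` to `defaults/` also lowers their precedence, so inventory or include-level values for `openshift_ca_config_dir`, `openshift_ca_key` and the others now override them, which `redeploy-certificates/openshift-ca.yml` relies on. A comment above the block such as `# Defaults (not vars) so playbooks can redirect CA output; keep in sync with openshift_named_certificates/defaults` would record both facts for the next maintainer.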

+ 0 - 1
roles/openshift_ca/meta/main.yml

@@ -14,4 +14,3 @@ galaxy_info:
   - system
 dependencies:
 - role: openshift_cli
-- role: openshift_named_certificates

+ 0 - 7
roles/openshift_ca/vars/main.yml

@@ -1,9 +1,2 @@
 ---
-openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
-openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
-openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
-openshift_version: "{{ openshift_pkg_version | default('') }}"
-
-openshift_master_loopback_config: "{{ openshift_ca_config_dir }}/openshift-master.kubeconfig"
 loopback_context_string: "current-context: {{ openshift.master.loopback_context_name }}"

+ 1 - 3
roles/openshift_master_certificates/meta/main.yml

@@ -12,6 +12,4 @@ galaxy_info:
   categories:
   - cloud
   - system
-dependencies:
-- role: openshift_master_facts
-- role: openshift_ca
+dependencies: []
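Review bot: With `dependencies: []` this role no longer guarantees that `openshift_master_facts` and `openshift_ca` have run, so it is only correct when a play lists them first, as `playbooks/common/openshift-master/certificates.yml` does. That ordering requirement is not written down anywhere in the hunk. I would add a comment above the line, for example `# Requires openshift_master_facts and openshift_ca earlier in the same play`. The same applies to `roles/openshift_node_certificates/meta/main.yml`, which drops `openshift_facts` while the new node certificates play sets `gather_facts: no` and lists no facts role.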

+ 6 - 0
roles/openshift_named_certificates/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
+openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
+openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
+openshift_version: "{{ openshift_pkg_version | default('') }}"

+ 0 - 6
roles/openshift_named_certificates/vars/main.yml

@@ -1,10 +1,4 @@
 ---
-openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
-openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
-openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
-openshift_version: "{{ openshift_pkg_version | default('') }}"
-
 overwrite_named_certs: "{{ openshift_master_overwrite_named_certificates | default(false) }}"
 named_certs_dir: "{{ openshift.common.config_base }}/master/named_certificates/"
 internal_hostnames: "{{ openshift.common.internal_hostnames }}"

+ 0 - 2
roles/openshift_node/meta/main.yml

@@ -17,7 +17,5 @@ dependencies:
 - role: lib_os_firewall
 - role: openshift_clock
 - role: openshift_docker
-- role: openshift_node_certificates
-  when: not openshift_node_bootstrap
 - role: openshift_cloud_provider
 - role: openshift_node_dnsmasq

+ 1 - 2
roles/openshift_node_certificates/meta/main.yml

@@ -12,5 +12,4 @@ galaxy_info:
   categories:
   - cloud
   - system
-dependencies:
-- role: openshift_facts
+dependencies: []