okd/roles/openshift_master_certificates/tasks/main.yml

---
- name: Ensure the generated_configs directory present
  file:
    path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}"
    state: directory
    mode: 0700
  with_items: masters_needing_certs

- file:
    src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
    dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
    state: hard
  with_nested:
  - masters_needing_certs
  -
    - ca.crt
    - ca.key
    - ca.serial.txt

- name: Create the master certificates if they do not already exist
  command: >
    {{ openshift.common.admin_binary }} create-master-certs
      --hostnames={{ item.openshift.common.all_hostnames | join(',') }}
      --master={{ item.openshift.master.api_url }}
      --public-master={{ item.openshift.master.public_api_url }}
      --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}
      --overwrite=false
  when: item.master_certs_missing | bool
  with_items: masters_needing_certs

- file:
    src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
    dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
    state: hard
    force: true
  with_nested:
  - masters_needing_certs
  - "{{ hostvars[openshift.common.hostname] | certificates_to_synchronize }}"