okd/roles/openshift_control_plane/tasks/generate_session_secrets.yml

---
# This should be run on the first master so we can set_fact some items
# to ensure values are consistent across cluster

- name: Determine if sessions secrets already in place
  stat:
    path: "{{ openshift.master.session_secrets_file }}"
  register: l_osm_session_secrets_stat

- name: setup session secrets if not defined
  set_fact:
    l_osm_session_auth_secrets: "{{ [ 24 | lib_utils_oo_generate_secret ] }}"
    l_osm_session_encryption_secrets: "{{ [ 24 | lib_utils_oo_generate_secret ] }}"
  when: not l_osm_session_secrets_stat.stat.exists

# lib_utils_oo_collect is a custom filter in
# roles/lib_utils/filter_plugins/oo_filters.py
- name: Gather existing session secrets from first master
  set_fact:
    l_osm_session_auth_secrets: "{{ l_existing_osm_session.secrets | lib_utils_oo_collect('authentication') }}"
    l_osm_session_encryption_secrets: "{{ l_existing_osm_session.secrets | lib_utils_oo_collect('encryption') }}"
  vars:
    l_existing_osm_session: "{{ (osm_session_secrets_stat.content | b64decode | from_yaml) }}"
  when:
  - l_osm_session_secrets_stat.stat.exists
  - l_existing_osm_session.secrets is defined
  - l_existing_osm_session.secrets != ''
  - l_existing_osm_session.secrets != []