okd/playbooks/openshift-master/private/certificates-backup.yml

---
- name: Backup and remove master cerftificates
  hosts: oo_masters_to_config
  any_errors_fatal: true
  vars:
    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
    openshift_master_count: "{{ openshift.master.master_count | default(groups.oo_masters | length) }}"
  pre_tasks:
  - stat:
      path: "{{ openshift.common.config_base }}/generated-configs"
    register: openshift_generated_configs_dir_stat
  - name: Backup generated certificate and config directories
    command: >
      tar -czvf /etc/origin/master-node-cert-config-backup-{{ ansible_date_time.epoch }}.tgz
      {{ openshift.common.config_base }}/generated-configs
      {{ openshift.common.config_base }}/master
    when: openshift_generated_configs_dir_stat.stat.exists
    delegate_to: "{{ openshift_ca_host }}"
    run_once: true
  - name: Remove generated certificate directories
    file:
      path: "{{ item }}"
      state: absent
    with_items:
    - "{{ openshift.common.config_base }}/generated-configs"
  - name: Remove generated certificates
    file:
      path: "{{ openshift.common.config_base }}/master/{{ item }}"
      state: absent
    with_items:
    # certificates_to_synchronize is a custom filter in lib_utils
    - "{{ hostvars[inventory_hostname] | certificates_to_synchronize(include_keys=false, include_ca=false) }}"
    - "etcd.server.crt"
    - "etcd.server.key"
    - "master.server.crt"
    - "master.server.key"
    - "openshift-master.crt"
    - "openshift-master.key"
    - "openshift-master.kubeconfig"