okd/playbooks/openshift-hosted/private/upgrade_poll_and_check_certs.yml

---
# This playbook is called during upgrade_control_plane via post_control_plane.yml

# Need to poll to ensure the pods are deployed.
- import_playbook: openshift_hosted_wait_for_pods.yml

- name: Upgrade default router and default registry
  hosts: oo_first_master
  roles:
  - lib_utils
  - openshift_facts
  tasks:
  # Do not perform these tasks when the registry is insecure.  The default registry is insecure in openshift_hosted/defaults/main.yml
  - when:
    - openshift_hosted_manage_registry | default(True) | bool
    - not (openshift_docker_hosted_registry_insecure | default(False)) | bool
    block:
    # we need to migrate customers to the new pattern of pushing to the registry via dns
    # Step 1: verify the certificates have the docker registry service name
    - name: shell command to determine if the docker-registry.default.svc is found in the registry certificate
      shell: >
        echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000  | openssl x509 -text |  grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)'
      register: cert_output
      changed_when: false
      failed_when:
      - cert_output.rc not in [0, 1]

    # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs
    - name: set a fact to include the registry certs playbook if needed
      set_fact:
        openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc != 0  }}"

- when:
  - openshift_hosted_manage_registry | default(True) | bool
  - (hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry | default(False)) | bool
  import_playbook: redeploy-registry-certificates.yml