From 098d0c24bb2d08e2107b6c4a55d350ae751458f7 Mon Sep 17 00:00:00 2001
From: Andrew Butcher <abutcher@redhat.com>
Date: Mon, 30 May 2016 14:34:19 -0400
Subject: Revert openshift-certificates changes.

---
 roles/openshift_ca/README.md                       |  48 --------
 roles/openshift_ca/meta/main.yml                   |  17 ---
 roles/openshift_ca/tasks/main.yml                  |  56 ----------
 roles/openshift_ca/vars/main.yml                   |   6 -
 roles/openshift_master/meta/main.yml               |   1 -
 roles/openshift_master_ca/README.md                |  34 ++++++
 roles/openshift_master_ca/meta/main.yml            |  17 +++
 roles/openshift_master_ca/tasks/main.yml           |  23 ++++
 roles/openshift_master_ca/vars/main.yml            |   6 +
 roles/openshift_master_certificates/README.md      |  29 +----
 roles/openshift_master_certificates/meta/main.yml  |   6 +-
 roles/openshift_master_certificates/tasks/main.yml | 123 ++++-----------------
 roles/openshift_master_certificates/vars/main.yml  |   2 -
 roles/openshift_node/meta/main.yml                 |   2 +-
 roles/openshift_node_certificates/README.md        |  33 ++----
 roles/openshift_node_certificates/meta/main.yml    |   6 +-
 roles/openshift_node_certificates/tasks/main.yml   |  97 ++++------------
 roles/openshift_node_certificates/vars/main.yml    |   9 +-
 18 files changed, 145 insertions(+), 370 deletions(-)
 delete mode 100644 roles/openshift_ca/README.md
 delete mode 100644 roles/openshift_ca/meta/main.yml
 delete mode 100644 roles/openshift_ca/tasks/main.yml
 delete mode 100644 roles/openshift_ca/vars/main.yml
 create mode 100644 roles/openshift_master_ca/README.md
 create mode 100644 roles/openshift_master_ca/meta/main.yml
 create mode 100644 roles/openshift_master_ca/tasks/main.yml
 create mode 100644 roles/openshift_master_ca/vars/main.yml

(limited to 'roles')

diff --git a/roles/openshift_ca/README.md b/roles/openshift_ca/README.md
deleted file mode 100644
index 96c9cd5f2..000000000
--- a/roles/openshift_ca/README.md
+++ /dev/null
@@ -1,48 +0,0 @@
-OpenShift CA
-============
-
-This role delegates all tasks to the `openshift_ca_host` such that this role can be depended on by other OpenShift certificate roles.
-
-Requirements
-------------
-
-Role Variables
---------------
-
-From this role:
-
-| Name                    | Default value                                 | Description                                                                 |
-|-------------------------|-----------------------------------------------|-----------------------------------------------------------------------------|
-| openshift_ca_host       | None (Required)                               | The hostname of the system where the OpenShift CA will be created.          |
-| openshift_ca_config_dir | `{{ openshift.common.config_base }}/master`   | CA certificate directory.                                                   |
-| openshift_ca_cert       | `{{ openshift_ca_config_dir }}/ca.crt`        | CA certificate path including CA certificate filename.                      |
-| openshift_ca_key        | `{{ openshift_ca_config_dir }}/ca.key`        | CA key path including CA key filename.                                      |
-| openshift_ca_serial     | `{{ openshift_ca_config_dir }}/ca.serial.txt` | CA serial path including CA serial filename.                                |
-| openshift_version       | `{{ openshift_pkg_version }}`                 | OpenShift package version.                                                  |
-
-Dependencies
-------------
-
-* openshift_repos
-* openshift_cli
-
-Example Playbook
-----------------
-
-```
-- name: Create OpenShift CA
-  hosts: localhost
-  roles:
-  - role: openshift_ca
-    openshift_ca_host: master1.example.com
-```
-
-License
--------
-
-Apache License Version 2.0
-
-Author Information
-------------------
-
-Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml
deleted file mode 100644
index 0089f4209..000000000
--- a/roles/openshift_ca/meta/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-galaxy_info:
-  author: Jason DeTiberus
-  description: OpenShift CA
-  company: Red Hat, Inc.
-  license: Apache License, Version 2.0
-  min_ansible_version: 1.9.4
-  platforms:
-  - name: EL
-    versions:
-    - 7
-  categories:
-  - cloud
-  - system
-dependencies:
-- role: openshift_repos
-- role: openshift_cli
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
deleted file mode 100644
index 497473f22..000000000
--- a/roles/openshift_ca/tasks/main.yml
+++ /dev/null
@@ -1,56 +0,0 @@
----
-- fail:
-    msg: "openshift_ca_host variable must be defined for this role"
-  when: openshift_ca_host is not defined
-
-- name: Install the base package for admin tooling
-  action: >
-    {{ ansible_pkg_mgr }}
-    name={{ openshift.common.service_type }}{{ openshift_version  }}
-    state=present
-  when: not openshift.common.is_containerized | bool
-  register: install_result
-  delegate_to: "{{ openshift_ca_host }}"
-  run_once: true
-
-- name: Reload generated facts
-  openshift_facts:
-  when: install_result | changed
-  delegate_to: "{{ openshift_ca_host }}"
-  run_once: true
-
-- name: Create openshift_ca_config_dir if it does not exist
-  file:
-    path: "{{ openshift_ca_config_dir }}"
-    state: directory
-  delegate_to: "{{ openshift_ca_host }}"
-  run_once: true
-
-- name: Determine if CA must be created
-  stat:
-    path: "{{ openshift_ca_config_dir }}/{{ item }}"
-  register: g_master_ca_stat_result
-  with_items:
-  - ca.crt
-  - ca.key
-  delegate_to: "{{ openshift_ca_host }}"
-  run_once: true
-
-- set_fact:
-    master_ca_missing: "{{ False in (g_master_ca_stat_result.results
-                           | oo_collect(attribute='stat.exists')
-                           | list) }}"
-  delegate_to: "{{ openshift_ca_host }}"
-  run_once: true
-
-- name: Create the master certificates if they do not already exist
-  command: >
-    {{ openshift.common.admin_binary }} create-master-certs
-      --hostnames={{ openshift_master_hostnames | join(',') }}
-      --master={{ openshift.master.api_url }}
-      --public-master={{ openshift.master.public_api_url }}
-      --cert-dir={{ openshift_ca_config_dir }}
-      --overwrite=false
-  when: hostvars[openshift_ca_host].master_ca_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
-  run_once: true
diff --git a/roles/openshift_ca/vars/main.yml b/roles/openshift_ca/vars/main.yml
deleted file mode 100644
index a32e385ec..000000000
--- a/roles/openshift_ca/vars/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-openshift_ca_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_ca_cert: "{{ openshift_ca_config_dir }}/ca.crt"
-openshift_ca_key: "{{ openshift_ca_config_dir }}/ca.key"
-openshift_ca_serial: "{{ openshift_ca_config_dir }}/ca.serial.txt"
-openshift_version: "{{ openshift_pkg_version | default('') }}"
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index f6b926d74..0a69b3eef 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -15,7 +15,6 @@ dependencies:
 - role: openshift_clock
 - role: openshift_docker
 - role: openshift_cli
-- role: openshift_master_certificates
 - role: openshift_cloud_provider
 - role: openshift_builddefaults
 - role: openshift_master_facts
diff --git a/roles/openshift_master_ca/README.md b/roles/openshift_master_ca/README.md
new file mode 100644
index 000000000..5b2d3601b
--- /dev/null
+++ b/roles/openshift_master_ca/README.md
@@ -0,0 +1,34 @@
+OpenShift Master CA
+========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Jason DeTiberus (jdetiber@redhat.com)
diff --git a/roles/openshift_master_ca/meta/main.yml b/roles/openshift_master_ca/meta/main.yml
new file mode 100644
index 000000000..b5dd466c9
--- /dev/null
+++ b/roles/openshift_master_ca/meta/main.yml
@@ -0,0 +1,17 @@
+---
+galaxy_info:
+  author: Jason DeTiberus
+  description:
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.8
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+  - system
+dependencies:
+- { role: openshift_repos }
+- { role: openshift_cli }
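Review bot: `description:` is left as a bare key, which YAML loads as null rather than an empty string, and `min_ansible_version: 1.8` is an unquoted scalar that loads as a float. Writing `description: OpenShift Master CA` and `min_ansible_version: '1.8'` keeps both values as strings. The same two lines are introduced in roles/openshift_master_certificates/meta/main.yml and roles/openshift_node_certificates/meta/main.yml.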
diff --git a/roles/openshift_master_ca/tasks/main.yml b/roles/openshift_master_ca/tasks/main.yml
new file mode 100644
index 000000000..4b7ef1d84
--- /dev/null
+++ b/roles/openshift_master_ca/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Install the base package for admin tooling
+  action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_version  }} state=present"
+  when: not openshift.common.is_containerized | bool
+  register: install_result
+
+- name: Reload generated facts
+  openshift_facts:
+  when: install_result | changed
+
+- name: Create openshift_master_config_dir if it doesn't exist
+  file:
+    path: "{{ openshift_master_config_dir }}"
+    state: directory
+
+- name: Create the master certificates if they do not already exist
+  command: >
+    {{ openshift.common.admin_binary }} create-master-certs
+      --hostnames={{ master_hostnames | join(',') }}
+      --master={{ openshift.master.api_url }}
+      --public-master={{ openshift.master.public_api_url }}
+      --cert-dir={{ openshift_master_config_dir }} --overwrite=false
+  when: master_certs_missing | bool
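Review bot: The `file` task that creates `openshift_master_config_dir` sets no `mode`, although `create-master-certs` writes into that directory through `--cert-dir` and the role's vars place `ca.key` there, so the directory permissions depend on the umask of the managed host. The generated-configs directories in the certificate roles are created with `mode: 0700`; adding `mode: '0700'` here would be consistent, provided nothing else has to read the directory (not visible from this hunk). `master_certs_missing` and `master_hostnames` are not set anywhere in this role, so a comment such as `# master_certs_missing and master_hostnames must be set by the calling playbook` would document that requirement.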
diff --git a/roles/openshift_master_ca/vars/main.yml b/roles/openshift_master_ca/vars/main.yml
new file mode 100644
index 000000000..b35339b18
--- /dev/null
+++ b/roles/openshift_master_ca/vars/main.yml
@@ -0,0 +1,6 @@
+---
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+openshift_version: "{{ openshift_pkg_version | default('') }}"
diff --git a/roles/openshift_master_certificates/README.md b/roles/openshift_master_certificates/README.md
index a80d47040..ba3d5f28c 100644
--- a/roles/openshift_master_certificates/README.md
+++ b/roles/openshift_master_certificates/README.md
@@ -1,44 +1,27 @@
 OpenShift Master Certificates
 ========================
 
-This role determines if OpenShift master certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to master hosts which this role is being applied to. If this role is applied to the `openshift_ca_host`, certificate deployment will be skipped.
+TODO
 
 Requirements
 ------------
 
+TODO
+
 Role Variables
 --------------
 
-From `openshift_ca`:
-
-| Name                                  | Default value                                                             | Description                                                                                                                   |
-|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
-| openshift_ca_host                     | None (Required)                                                           | The hostname of the system where the OpenShift CA will be (or has been) created.                                              |
-
-From this role:
-
-| Name                                  | Default value                                                             | Description                                                                                                                   |
-|---------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
-| openshift_generated_configs_dir       | `{{ openshift.common.config_base }}/generated-configs`                    | Directory in which per-master generated config directories will be created on the `openshift_ca_host`.                        |
-| openshift_master_cert_subdir          | `master-{{ openshift.common.hostname }}`                                  | Directory within `openshift_generated_configs_dir` where per-master configurations will be placed on the `openshift_ca_host`. |
-| openshift_master_config_dir           | `{{ openshift.common.config_base }}/master`                               | Master configuration directory in which certificates will be deployed on masters.                                             |
-| openshift_master_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }` | Full path to the per-master generated config directory.                                                                       |
+TODO
 
 Dependencies
 ------------
 
-* openshift_ca
+TODO
 
 Example Playbook
 ----------------
 
-```
-- name: Create OpenShift Master Certificates
-  hosts: masters
-  roles:
-  - role: openshift_master_certificates
-    openshift_ca_host: master1.example.com
-```
+TODO
 
 License
 -------
diff --git a/roles/openshift_master_certificates/meta/main.yml b/roles/openshift_master_certificates/meta/main.yml
index 90fc0fb10..fd7b73b0f 100644
--- a/roles/openshift_master_certificates/meta/main.yml
+++ b/roles/openshift_master_certificates/meta/main.yml
@@ -1,10 +1,10 @@
 ---
 galaxy_info:
   author: Jason DeTiberus
-  description: OpenShift Master Certificates
+  description:
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.9.4
+  min_ansible_version: 1.8
   platforms:
   - name: EL
     versions:
@@ -13,4 +13,4 @@ galaxy_info:
   - cloud
   - system
 dependencies:
-- role: openshift_ca
+- { role: openshift_master_ca }
diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml
index dd105652b..394f9d381 100644
--- a/roles/openshift_master_certificates/tasks/main.yml
+++ b/roles/openshift_master_certificates/tasks/main.yml
@@ -1,121 +1,38 @@
 ---
-- set_fact:
-    openshift_master_certs_no_etcd:
-    - admin.crt
-    - master.kubelet-client.crt
-    - "{{ 'master.proxy-client.crt' if openshift.common.version_gte_3_1_or_1_1 else omit }}"
-    - master.server.crt
-    - openshift-master.crt
-    - openshift-registry.crt
-    - openshift-router.crt
-    - etcd.server.crt
-    openshift_master_certs_etcd:
-    - master.etcd-client.crt
-
-- set_fact:
-    openshift_master_certs: "{{ (openshift_master_certs_no_etcd | union(openshift_master_certs_etcd )) if openshift_master_etcd_hosts | length > 0 else openshift_master_certs_no_etcd }}"
-
-- name: Check status of master certificates
-  stat:
-    path: "{{ openshift_master_config_dir }}/{{ item }}"
-  with_items:
-  - "{{ openshift_master_certs }}"
-  register: g_master_cert_stat_result
-
-- set_fact:
-    master_certs_missing: "{{ False in (g_master_cert_stat_result.results
-                              | oo_collect(attribute='stat.exists')
-                              | list) }}"
-
 - name: Ensure the generated_configs directory present
   file:
-    path: "{{ openshift_master_generated_config_dir }}"
+    path: "{{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}"
     state: directory
     mode: 0700
-  when: master_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
+  with_items: "{{ masters_needing_certs | default([]) }}"
 
 - file:
-    src: "{{ openshift_master_config_dir }}/{{ item }}"
-    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+    src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
+    dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
     state: hard
-  with_items:
-  - ca.crt
-  - ca.key
-  - ca.serial.txt
-  when: master_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
+  with_nested:
+  - "{{ masters_needing_certs | default([]) }}"
+  -
+    - ca.crt
+    - ca.key
+    - ca.serial.txt
 
 - name: Create the master certificates if they do not already exist
   command: >
     {{ openshift.common.admin_binary }} create-master-certs
-      --hostnames={{ openshift.common.all_hostnames | join(',') }}
-      --master={{ openshift.master.api_url }}
-      --public-master={{ openshift.master.public_api_url }}
-      --cert-dir={{ openshift_master_generated_config_dir }}
+      --hostnames={{ item.openshift.common.all_hostnames | join(',') }}
+      --master={{ item.openshift.master.api_url }}
+      --public-master={{ item.openshift.master.public_api_url }}
+      --cert-dir={{ openshift_generated_configs_dir }}/{{ item.master_cert_subdir }}
       --overwrite=false
-  when: master_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
+  when: item.master_certs_missing | bool
+  with_items: "{{ masters_needing_certs | default([]) }}"
 
 - file:
-    src: "{{ openshift_master_config_dir }}/{{ item }}"
-    dest: "{{ openshift_master_generated_config_dir }}/{{ item }}"
+    src: "{{ openshift_master_config_dir }}/{{ item.1 }}"
+    dest: "{{ openshift_generated_configs_dir }}/{{ item.0.master_cert_subdir }}/{{ item.1 }}"
     state: hard
     force: true
-  with_items:
+  with_nested:
+  - "{{ masters_needing_certs | default([]) }}"
   - "{{ hostvars[inventory_hostname] | certificates_to_synchronize }}"
-  when: master_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Remove generated etcd client certs when using external etcd
-  file:
-    path: "{{ openshift_master_generated_config_dir }}/{{ item }}"
-    state: absent
-  when: openshift_master_etcd_hosts | length > 0
-  with_items:
-  - master.etcd-client.crt
-  - master.etcd-client.key
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Create local temp directory for syncing certs
-  local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
-  register: g_master_mktemp
-  changed_when: False
-  when: master_certs_missing | bool
-  delegate_to: localhost
-
-- name: Create a tarball of the master certs
-  command: >
-    tar -czvf {{ openshift_master_generated_config_dir }}.tgz
-      -C {{ openshift_master_generated_config_dir }} .
-  args:
-    creates: "{{ openshift_master_generated_config_dir }}.tgz"
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Retrieve the master cert tarball from the master
-  fetch:
-    src: "{{ openshift_master_generated_config_dir }}.tgz"
-    dest: "{{ g_master_mktemp.stdout }}/"
-    flat: yes
-    fail_on_missing: yes
-    validate_checksum: yes
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Ensure certificate directory exists
-  file:
-    path: "{{ openshift_master_config_dir }}"
-    state: directory
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-
-- name: Unarchive the tarball on the master
-  unarchive:
-    src: "{{ g_master_mktemp.stdout }}/{{ openshift_master_cert_subdir }}.tgz"
-    dest: "{{ openshift_master_config_dir }}"
-  when: master_certs_missing | bool and inventory_hostname != openshift_ca_host
-
-- file: name={{ g_master_mktemp.stdout }} state=absent
-  changed_when: False
-  when: master_certs_missing | bool
-  delegate_to: localhost
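Review bot: The two unnamed `file` tasks hard-link `ca.key` together with `ca.crt` and `ca.serial.txt`, and then the synchronized certificates with `force: true`, into the directory of every `masters_needing_certs` entry, but unlike the `create-master-certs` task they carry no `when: item.0.master_certs_missing | bool` guard. If the list can hold masters whose certificates already exist (the list is built outside this role, so this is an assumption), the forced links replace the files in that master's directory on every run. Naming the tasks, for example `- name: Link the CA certificate, key and serial into each per-master directory`, would also make it visible that these directories hold a copy of the CA signing key and need the same protection as the CA directory itself.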
diff --git a/roles/openshift_master_certificates/vars/main.yml b/roles/openshift_master_certificates/vars/main.yml
index 66f2e5162..3f18ddc79 100644
--- a/roles/openshift_master_certificates/vars/main.yml
+++ b/roles/openshift_master_certificates/vars/main.yml
@@ -1,5 +1,3 @@
 ---
 openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_master_cert_subdir: "master-{{ openshift.common.hostname }}"
 openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-openshift_master_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_master_cert_subdir }}"
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml
index ea52bbb99..31547b846 100644
--- a/roles/openshift_node/meta/main.yml
+++ b/roles/openshift_node/meta/main.yml
@@ -14,9 +14,9 @@ galaxy_info:
 dependencies:
 - role: openshift_clock
 - role: openshift_docker
-- role: openshift_node_certificates
 - role: openshift_cloud_provider
 - role: openshift_common
 - role: openshift_node_dnsmasq
   when: openshift.common.use_dnsmasq
 - role: os_firewall
+
diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md
index f56066b29..6264d253a 100644
--- a/roles/openshift_node_certificates/README.md
+++ b/roles/openshift_node_certificates/README.md
@@ -1,44 +1,27 @@
-OpenShift Node Certificates
-===========================
+OpenShift/Atomic Enterprise Node Certificates
+=============================================
 
-This role determines if OpenShift node certificates must be created, delegates certificate creation to the `openshift_ca_host` and then deploys those certificates to node hosts which this role is being applied to.
+TODO
 
 Requirements
 ------------
 
+TODO
+
 Role Variables
 --------------
 
-From `openshift_ca`:
-
-| Name                                | Default value                                                           | Description                                                                                                               |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-| openshift_ca_host                   | None (Required)                                                         | The hostname of the system where the OpenShift CA will be (or has been) created.                                          |
-
-From this role:
-
-| Name                                | Default value                                                           | Description                                                                                                               |
-|-------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
-| openshift_generated_configs_dir     | `{{ openshift.common.config_base }}/generated-configs`                  | Directory in which per-node generated config directories will be created on the `openshift_ca_host`.                      |
-| openshift_node_cert_subdir          | `node-{{ openshift.common.hostname }}`                                  | Directory within `openshift_generated_configs_dir` where per-node certificates will be placed on the `openshift_ca_host`. |
-| openshift_node_config_dir           | `{{ openshift.common.config_base }}/node`                               | Node configuration directory in which certificates will be deployed on nodes.                                             |
-| openshift_node_generated_config_dir | `{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }` | Full path to the per-node generated config directory.                                                                     |
+TODO
 
 Dependencies
 ------------
 
-* openshift_ca
+TODO
 
 Example Playbook
 ----------------
 
-```
-- name: Create OpenShift Node Certificates
-  hosts: nodes
-  roles:
-  - role: openshift_node_certificates
-    openshift_ca_host: master1.example.com
-```
+TODO
 
 License
 -------
diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml
index 3caa1cdf1..f3236e850 100644
--- a/roles/openshift_node_certificates/meta/main.yml
+++ b/roles/openshift_node_certificates/meta/main.yml
@@ -1,10 +1,10 @@
 ---
 galaxy_info:
   author: Jason DeTiberus
-  description: OpenShift Node Certificates
+  description:
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.9.4
+  min_ansible_version: 1.8
   platforms:
   - name: EL
     versions:
@@ -13,4 +13,4 @@ galaxy_info:
   - cloud
   - system
 dependencies:
-- role: openshift_ca
+- { role: openshift_facts }
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 147a432a4..216c11093 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -1,95 +1,36 @@
 ---
-- name: Check status of node certificates
-  stat:
-    path: "{{ openshift.common.config_base }}/node/{{ item }}"
-  with_items:
-  - "system:node:{{ openshift.common.hostname }}.crt"
-  - "system:node:{{ openshift.common.hostname }}.key"
-  - "system:node:{{ openshift.common.hostname }}.kubeconfig"
-  - ca.crt
-  - server.key
-  - server.crt
-  register: g_node_cert_stat_result
-
-- set_fact:
-    node_certs_missing: "{{ False in (g_node_cert_stat_result.results
-                            | oo_collect(attribute='stat.exists')
-                            | list) }}"
-
-- name: Create openshift_generated_configs_dir if it does not exist
+- name: Create openshift_generated_configs_dir if it doesn\'t exist
   file:
     path: "{{ openshift_generated_configs_dir }}"
     state: directory
     mode: 0700
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
+  when: nodes_needing_certs | length > 0
 
 - name: Generate the node client config
   command: >
     {{ openshift.common.admin_binary }} create-api-client-config
-      --certificate-authority={{ openshift_ca_cert }}
-      --client-dir={{ openshift_node_generated_config_dir }}
+      --certificate-authority={{ openshift_master_ca_cert }}
+      --client-dir={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}
       --groups=system:nodes
-      --master={{ hostvars[openshift_ca_host].openshift.master.api_url }}
-      --signer-cert={{ openshift_ca_cert }}
-      --signer-key={{ openshift_ca_key }}
-      --signer-serial={{ openshift_ca_serial }}
-      --user=system:node:{{ openshift.common.hostname }}
+      --master={{ openshift.master.api_url }}
+      --signer-cert={{ openshift_master_ca_cert }}
+      --signer-key={{ openshift_master_ca_key }}
+      --signer-serial={{ openshift_master_ca_serial }}
+      --user=system:node:{{ item.openshift.common.hostname }}
   args:
-    creates: "{{ openshift_node_generated_config_dir }}"
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
+    creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
+  with_items: "{{ nodes_needing_certs | default([]) }}"
 
 - name: Generate the node server certificate
   command: >
     {{ openshift.common.admin_binary }} ca create-server-cert
-      --cert={{ openshift_node_generated_config_dir }}/server.crt
-      --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
+      --cert={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt
+      --key={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.key
       --overwrite=true
-      --hostnames={{ openshift.common.all_hostnames |join(",") }}
-      --signer-cert={{ openshift_ca_cert }}
-      --signer-key={{ openshift_ca_key }}
-      --signer-serial={{ openshift_ca_serial }}
-  args:
-    creates: "{{ openshift_node_generated_config_dir }}/server.crt"
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host}}"
-
-- name: Create local temp directory for syncing certs
-  local_action: command mktemp -d /tmp/openshift-ansible-XXXXXXX
-  register: node_cert_mktemp
-  changed_when: False
-  when: node_certs_missing | bool
-  delegate_to: localhost
-
-- name: Create a tarball of the node config directories
-  command: >
-    tar -czvf {{ openshift_node_generated_config_dir }}.tgz
-    --transform 's|system:{{ openshift_node_cert_subdir }}|node|'
-    -C {{ openshift_node_generated_config_dir }} .
+      --hostnames={{ item.openshift.common.all_hostnames |join(",") }}
+      --signer-cert={{ openshift_master_ca_cert }}
+      --signer-key={{ openshift_master_ca_key }}
+      --signer-serial={{ openshift_master_ca_serial }}
   args:
-    creates: "{{ openshift_node_generated_config_dir }}.tgz"
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Retrieve the node config tarballs from the master
-  fetch:
-    src: "{{ openshift_node_generated_config_dir }}.tgz"
-    dest: "{{ node_cert_mktemp.stdout }}/"
-    flat: yes
-    fail_on_missing: yes
-    validate_checksum: yes
-  when: node_certs_missing | bool
-  delegate_to: "{{ openshift_ca_host }}"
-
-- name: Ensure certificate directory exists
-  file:
-    path: "{{ openshift_node_cert_dir }}"
-    state: directory
-  when: node_certs_missing | bool
-
-- name: Unarchive the tarball on the node
-  unarchive:
-    src: "{{ node_cert_mktemp.stdout }}/{{ openshift_node_cert_subdir }}.tgz"
-    dest: "{{ openshift_node_cert_dir }}"
-  when: node_certs_missing | bool
+    creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt"
+  with_items: "{{ nodes_needing_certs | default([]) }}"
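Review bot: `when: nodes_needing_certs | length > 0` on the directory task has no default, while both `with_items` loops below it use `nodes_needing_certs | default([])`, so an undefined variable fails the first task instead of skipping the work; `when: nodes_needing_certs | default([]) | length > 0` would match the loops. In the same task the name reads `doesn\'t`: the backslash is literal in a plain YAML scalar and shows up in the task output, and `doesn't` needs no escaping there. The tasks no longer use `delegate_to`, so the role has to run on the host that holds `openshift_master_ca_key`; a comment at the top of the file saying so would help while the README is still TODO.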
diff --git a/roles/openshift_node_certificates/vars/main.yml b/roles/openshift_node_certificates/vars/main.yml
index 2fafc7387..61fbb1e51 100644
--- a/roles/openshift_node_certificates/vars/main.yml
+++ b/roles/openshift_node_certificates/vars/main.yml
@@ -1,6 +1,7 @@
 ---
-openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
-openshift_node_cert_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_cert_subdir: "node-{{ openshift.common.hostname }}"
 openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
-openshift_node_generated_config_dir: "{{ openshift_generated_configs_dir }}/{{ openshift_node_cert_subdir }}"
+openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_generated_configs_dir: "{{ openshift.common.config_base }}/generated-configs"
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
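Review bot: `openshift_master_config_dir` and the three `openshift_master_ca_*` paths are defined here a second time, with the same values as in roles/openshift_master_ca/vars/main.yml, and this role's meta depends only on `openshift_facts`. If one copy is changed later, the node certificate tasks would point `--signer-key` and `--signer-cert` at a path that differs from the one the CA role writes to. A comment above them, e.g. `# Must match roles/openshift_master_ca/vars/main.yml`, would flag the coupling.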
-- 
cgit v1.2.3