10 files changed, 61 insertions, 64 deletions
diff --git a/playbooks/openshift-master/private/additional_config.yml b/playbooks/openshift-master/private/additional_config.yml
index 81bb8cc5c..ca514ed26 100644
--- a/playbooks/openshift-master/private/additional_config.yml
+++ b/playbooks/openshift-master/private/additional_config.yml
@@ -16,7 +16,6 @@
   vars:
     cockpit_plugins: "{{ osm_cockpit_plugins | default(['cockpit-kubernetes']) }}"
     etcd_urls: "{{ openshift.master.etcd_urls }}"
-    openshift_master_ha: "{{ groups.oo_masters | length > 1 }}"
     omc_cluster_hosts: "{{ groups.oo_masters | join(' ')}}"
   roles:
   - role: openshift_project_request_template
@@ -31,7 +30,7 @@
   - role: cockpit
     when:
     - not openshift_is_atomic | bool
-    - deployment_type == 'openshift-enterprise'
+    - openshift_deployment_type == 'openshift-enterprise'
     - osm_use_cockpit is undefined or osm_use_cockpit | bool
     - openshift.common.deployment_subtype != 'registry'
   - role: flannel_register
diff --git a/playbooks/openshift-master/private/certificates-backup.yml b/playbooks/openshift-master/private/certificates-backup.yml
index 4dbc041b0..56af18ca7 100644
--- a/playbooks/openshift-master/private/certificates-backup.yml
+++ b/playbooks/openshift-master/private/certificates-backup.yml
@@ -28,6 +28,7 @@
       path: "{{ openshift.common.config_base }}/master/{{ item }}"
       state: absent
     with_items:
+    # certificates_to_synchronize is a custom filter in lib_utils
     - "{{ hostvars[inventory_hostname] | certificates_to_synchronize(include_keys=false, include_ca=false) }}"
     - "etcd.server.crt"
     - "etcd.server.key"
diff --git a/playbooks/openshift-master/private/config.yml b/playbooks/openshift-master/private/config.yml
index 3093444b4..d2fc2eed8 100644
--- a/playbooks/openshift-master/private/config.yml
+++ b/playbooks/openshift-master/private/config.yml
@@ -47,7 +47,7 @@
       state: absent
     when:
     - rpmgenerated_config.stat.exists == true
-    - deployment_type == 'openshift-enterprise'
+    - openshift_deployment_type == 'openshift-enterprise'
     with_items:
     - master
     - node
@@ -78,7 +78,6 @@
         console_url: "{{ openshift_master_console_url | default(None) }}"
         console_use_ssl: "{{ openshift_master_console_use_ssl | default(None) }}"
         public_console_url: "{{ openshift_master_public_console_url | default(None) }}"
-        ha: "{{ openshift_master_ha | default(groups.oo_masters | length > 1) }}"
         master_count: "{{ openshift_master_count | default(groups.oo_masters | length) }}"
 
 - name: Inspect state of first master config settings
@@ -166,7 +165,6 @@
   hosts: oo_masters_to_config
   any_errors_fatal: true
   vars:
-    openshift_master_ha: "{{ openshift.master.ha }}"
     openshift_master_count: "{{ openshift.master.master_count }}"
     openshift_master_session_auth_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_auth_secrets }}"
     openshift_master_session_encryption_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_encryption_secrets }}"
@@ -185,10 +183,8 @@
   - role: openshift_builddefaults
   - role: openshift_buildoverrides
   - role: nickhammond.logrotate
-  - role: contiv
-    contiv_role: netmaster
-    when: openshift_use_contiv | default(False) | bool
   - role: openshift_master
+    openshift_master_ha: "{{ (groups.oo_masters | length > 1) | bool }}"
     openshift_master_hosts: "{{ groups.oo_masters_to_config }}"
     r_openshift_master_clean_install: "{{ hostvars[groups.oo_first_master.0].l_clean_install }}"
     r_openshift_master_etcd3_storage: "{{ hostvars[groups.oo_first_master.0].l_etcd3_enabled }}"
@@ -206,13 +202,13 @@
   - role: calico_master
     when: openshift_use_calico | default(false) | bool
   tasks:
-  - include_role:
+  - import_role:
       name: kuryr
       tasks_from: master
     when: openshift_use_kuryr | default(false) | bool
 
   - name: Setup the node group config maps
-    include_role:
+    import_role:
       name: openshift_node_group
     when: openshift_master_bootstrap_enabled | default(false) | bool
     run_once: True
diff --git a/playbooks/openshift-master/private/redeploy-openshift-ca.yml b/playbooks/openshift-master/private/redeploy-openshift-ca.yml
index 9d3c12ba1..663c39868 100644
--- a/playbooks/openshift-master/private/redeploy-openshift-ca.yml
+++ b/playbooks/openshift-master/private/redeploy-openshift-ca.yml
@@ -125,7 +125,6 @@
 - name: Create temp directory for syncing certs
   hosts: localhost
   connection: local
-  become: no
   gather_facts: no
   tasks:
   - name: Create local temp directory for syncing certs
@@ -133,6 +132,10 @@
     register: g_master_mktemp
     changed_when: false
 
+  - name: Chmod local temp directory for syncing certs
+    local_action: command chmod 777 "{{ g_master_mktemp.stdout }}"
+    changed_when: false
+
 - name: Retrieve OpenShift CA
   hosts: oo_first_master
   vars:
@@ -264,7 +267,6 @@
 - name: Delete temporary directory on localhost
   hosts: localhost
   connection: local
-  become: no
   gather_facts: no
   tasks:
   - file:
diff --git a/playbooks/openshift-master/private/restart.yml b/playbooks/openshift-master/private/restart.yml
index 5cb284935..17d90533c 100644
--- a/playbooks/openshift-master/private/restart.yml
+++ b/playbooks/openshift-master/private/restart.yml
@@ -3,16 +3,13 @@
 
 - name: Restart masters
   hosts: oo_masters_to_config
-  vars:
-    openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
   serial: 1
-  handlers:
-  - import_tasks: ../../../roles/openshift_master/handlers/main.yml
   roles:
   - openshift_facts
   post_tasks:
   - include_tasks: tasks/restart_hosts.yml
     when: openshift_rolling_restart_mode | default('services') == 'system'
-
-  - include_tasks: tasks/restart_services.yml
+  - import_role:
+      name: openshift_master
+      tasks_from: restart.yml
     when: openshift_rolling_restart_mode | default('services') == 'services'
diff --git a/playbooks/openshift-master/private/scaleup.yml b/playbooks/openshift-master/private/scaleup.yml
index 007b23ea3..5aaa0b156 100644
--- a/playbooks/openshift-master/private/scaleup.yml
+++ b/playbooks/openshift-master/private/scaleup.yml
@@ -8,7 +8,6 @@
   - openshift_facts:
       role: master
       local_facts:
-        ha: "{{ openshift_master_ha | default(groups.oo_masters | length > 1) }}"
         master_count: "{{ openshift_master_count | default(groups.oo_masters | length) }}"
   - name: Update master count
     modify_yaml:
@@ -46,7 +45,7 @@
 
 - import_playbook: set_network_facts.yml
 
-- import_playbook: ../../openshift-etcd/private/certificates.yml
+- import_playbook: ../../openshift-etcd/private/master_etcd_certificates.yml
 
 - import_playbook: config.yml
 
diff --git a/playbooks/openshift-master/private/tasks/restart_hosts.yml b/playbooks/openshift-master/private/tasks/restart_hosts.yml
index a5dbe0590..76e1ea5f3 100644
--- a/playbooks/openshift-master/private/tasks/restart_hosts.yml
+++ b/playbooks/openshift-master/private/tasks/restart_hosts.yml
@@ -27,7 +27,6 @@
       delay=10
       timeout=600
       port="{{ ansible_port | default(ansible_ssh_port | default(22,boolean=True),boolean=True) }}"
-  become: no
 
 # Now that ssh is back up we can wait for API on the remote system,
 # avoiding some potential connection issues from local system:
diff --git a/playbooks/openshift-master/private/tasks/restart_services.yml b/playbooks/openshift-master/private/tasks/restart_services.yml
index 4e1b3a3be..cf2c282e3 100644
--- a/playbooks/openshift-master/private/tasks/restart_services.yml
+++ b/playbooks/openshift-master/private/tasks/restart_services.yml
@@ -1,4 +1,4 @@
 ---
-- include_role:
+- import_role:
     name: openshift_master
     tasks_from: restart.yml
diff --git a/playbooks/openshift-master/private/tasks/wire_aggregator.yml b/playbooks/openshift-master/private/tasks/wire_aggregator.yml
index 59e2b515c..cc812c300 100644
--- a/playbooks/openshift-master/private/tasks/wire_aggregator.yml
+++ b/playbooks/openshift-master/private/tasks/wire_aggregator.yml
@@ -142,11 +142,6 @@
     state: absent
   changed_when: False
 
-- name: Setup extension file for service console UI
-  template:
-    src: ../templates/openshift-ansible-catalog-console.js
-    dest: /etc/origin/master/openshift-ansible-catalog-console.js
-
 - name: Update master config
   yedit:
     state: present
@@ -166,8 +161,6 @@
       value: [X-Remote-Group]
     - key: authConfig.requestHeader.extraHeaderPrefixes
       value: [X-Remote-Extra-]
-    - key: assetConfig.extensionScripts
-      value: [/etc/origin/master/openshift-ansible-catalog-console.js]
     - key: kubernetesMasterConfig.apiServerArguments.runtime-config
       value: [apis/settings.k8s.io/v1alpha1=true]
     - key: admissionConfig.pluginConfig.PodPreset.configuration.kind
@@ -178,37 +171,50 @@
       value: false
   register: yedit_output
 
-#restart master serially here
-- name: restart master api
-  systemd: name={{ openshift_service_type }}-master-api state=restarted
-  when:
-  - yedit_output.changed
-
-# We retry the controllers because the API may not be 100% initialized yet.
-- name: restart master controllers
-  command: "systemctl restart {{ openshift_service_type }}-master-controllers"
-  retries: 3
-  delay: 5
-  register: result
-  until: result.rc == 0
-  when:
-  - yedit_output.changed
+# Only add the catalog extension script if not 3.9. From 3.9 on, the console
+# can discover if template service broker is running.
+- when: not openshift.common.version_gte_3_9
+  block:
+  - name: Setup extension file for service console UI
+    template:
+      src: ../templates/openshift-ansible-catalog-console.js
+      dest: /etc/origin/master/openshift-ansible-catalog-console.js
+
+  - name: Update master config
+    yedit:
+      state: present
+      src: /etc/origin/master/master-config.yaml
+      key: assetConfig.extensionScripts
+      value: [/etc/origin/master/openshift-ansible-catalog-console.js]
+    register: yedit_asset_config_output
 
-- name: Verify API Server
-  # Using curl here since the uri module requires python-httplib2 and
-  # wait_for port doesn't provide health information.
-  command: >
-    curl --silent --tlsv1.2
-    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
-    {{ openshift.master.api_url }}/healthz/ready
-  args:
-    # Disables the following warning:
-    # Consider using get_url or uri module rather than running curl
-    warn: no
-  register: api_available_output
-  until: api_available_output.stdout == 'ok'
-  retries: 120
-  delay: 1
-  changed_when: false
-  when:
-  - yedit_output.changed
+#restart master serially here
+- when: yedit_output.changed or (yedit_asset_config_output is defined and yedit_asset_config_output.changed)
+  block:
+  - name: restart master api
+    systemd: name={{ openshift_service_type }}-master-api state=restarted
+
+  # We retry the controllers because the API may not be 100% initialized yet.
+  - name: restart master controllers
+    command: "systemctl restart {{ openshift_service_type }}-master-controllers"
+    retries: 3
+    delay: 5
+    register: result
+    until: result.rc == 0
+
+  - name: Verify API Server
+    # Using curl here since the uri module requires python-httplib2 and
+    # wait_for port doesn't provide health information.
+    command: >
+      curl --silent --tlsv1.2
+      --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
+      {{ openshift.master.api_url }}/healthz/ready
+    args:
+      # Disables the following warning:
+      # Consider using get_url or uri module rather than running curl
+      warn: no
+    register: api_available_output
+    until: api_available_output.stdout == 'ok'
+    retries: 120
+    delay: 1
+    changed_when: false
diff --git a/playbooks/openshift-master/private/validate_restart.yml b/playbooks/openshift-master/private/validate_restart.yml
index 1077d0b9c..60b0e5bb6 100644
--- a/playbooks/openshift-master/private/validate_restart.yml
+++ b/playbooks/openshift-master/private/validate_restart.yml
@@ -21,7 +21,6 @@
 - name: Create temp file on localhost
   hosts: localhost
   connection: local
-  become: no
   gather_facts: no
   tasks:
   - local_action: command mktemp
@@ -38,7 +37,6 @@
 - name: Cleanup temp file on localhost
   hosts: localhost
   connection: local
-  become: no
   gather_facts: no
   tasks:
   - file: path="{{ hostvars.localhost.mktemp.stdout }}" state=absent