Enable push to registry via dns only on clean 3.6 installs

We cannot assume that 3.5 to 3.6 upgrades were signed with the correct
certs

2 files changed, 4 insertions, 1 deletions

diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 035c15fef..630d70a7e 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -128,6 +128,9 @@
   when: openshift.master.request_header_ca is defined and item.kind == 'RequestHeaderIdentityProvider' and item.clientCA | default('') != ''
   with_items: "{{ openshift.master.identity_providers }}"
 
+- set_fact:
+    openshift_push_via_dns: "{{ openshift_use_dnsmasq | default(true) and openshift.common.version_gte_3_6 and r_openshift_master_clean_install }}"
+
 - name: Install the systemd units
   include: systemd_units.yml
 
diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2
index 6c9e1336a..156bb49d6 100644
--- a/roles/openshift_master/templates/atomic-openshift-master.j2
+++ b/roles/openshift_master/templates/atomic-openshift-master.j2
@@ -1,6 +1,6 @@
 OPTIONS=--loglevel={{ openshift.master.debug_level | default(2) }}
 CONFIG_FILE={{ openshift_master_config_file }}
-{% if openshift_use_dnsmasq | default(true) and openshift_push_via_dns | default(false) %}
+{% if openshift_push_via_dns %}
 OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
 {% endif %}
 {% if openshift.common.is_containerized | bool %}