2 files changed, 20 insertions, 38 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
index 9c927c0a1..fafbd8d1c 100644
--- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
@@ -114,22 +114,26 @@
     openshift_hosted_templates_import_command: replace
 
   post_tasks:
-  # we need to migrate customers to the new pattern of pushing to the registry via dns
-  # Step 1: verify the certificates have the docker registry service name
-  - shell: >
-      echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000  | openssl x509 -text |  grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)'
-    register: cert_output
-    changed_when: false
-    failed_when:
-    - cert_output.rc not in [0, 1]
-
-  # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs
-  - name: set a fact to include the registry certs playbook if needed
-    set_fact:
-      openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0  }}"
-
-# Run the redeploy certs based upon the certificates
-- when: hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry
+  # Do not perform these tasks when the registry is insecure.  The default registry is insecure in openshift_hosted/defaults/main.yml
+  - when: not (openshift_docker_hosted_registry_insecure | default(True))
+    block:
+    # we need to migrate customers to the new pattern of pushing to the registry via dns
+    # Step 1: verify the certificates have the docker registry service name
+    - name: shell command to determine if the docker-registry.default.svc is found in the registry certificate
+      shell: >
+        echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000  | openssl x509 -text |  grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)'
+      register: cert_output
+      changed_when: false
+      failed_when:
+      - cert_output.rc not in [0, 1]
+
+    # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs
+    - name: set a fact to include the registry certs playbook if needed
+      set_fact:
+        openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0  }}"
+
+# Run the redeploy certs based upon the certificates. Defaults to False for insecure registries
+- when: (hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry | default(False)) | bool
   import_playbook: ../../../openshift-hosted/redeploy-registry-certificates.yml
 
 # Check for warnings to be printed at the end of the upgrade:
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
index 463a05688..4902b9ecd 100644
--- a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
+++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
@@ -94,25 +94,3 @@
         state: started
         enabled: yes
       with_items: "{{ master_services }}"
-
-# Until openshift-ansible is determining which host is the CA host we
-# must (unfortunately) ensure that the first host in the etcd group is
-# the etcd CA host.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1469358
-- name: Verify we can proceed on first etcd
-  hosts: oo_first_etcd
-  gather_facts: no
-  tasks:
-  - name: Ensure CA exists on first etcd
-    stat:
-      path: /etc/etcd/generated_certs
-    register: __etcd_ca_stat
-
-  - fail:
-      msg: >
-        In order to correct an etcd certificate signing problem
-        upgrading may require re-generating etcd certificates. Please
-        ensure that the /etc/etcd/generated_certs directory exists on
-        the first host defined in your [etcd] group.
-    when:
-    - not __etcd_ca_stat.stat.exists | bool