add custom ssl cert for roles/osbs-master, deploy it for osbs-dev host

playbooks/hosts/osbs-dev.fedorainfracloud.org.yml

@@ -50,6 +50,21 @@
         src: "{{private}}/files/httpd/osbs.htpasswd"
         dest: /etc/origin/htpasswd
 
+    - name: create cert dir for openshift public facing REST API SSL
+      file:
+        path: "/etc/origin/master/named_certificates"
+        state: "directory"
+
+    - name: install cert for openshift public facing REST API SSL
+      copy:
+        src: "{{private}}/files/osbs/osbs-dev.certs/osbs-dev.fedorainfracloud.org.crt",
+        dest: "/etc/origin/master/named_certificates/osbs-dev.fedorainfracloud.org.crt",
+
+    - name: install key for openshift public facing REST API SSL
+      copy:
+        src: "{{private}}/files/osbs/osbs-dev.certs/osbs-dev.fedorainfracloud.org.key",
+        dest: "/etc/origin/master/named_certificates/osbs-dev.fedorainfracloud.org.key",
+
 - name: setup osbs
   hosts: osbs-dev.fedorainfracloud.org
   vars_files:
@@ -86,7 +101,14 @@
             challenge: true,
             login: true,
             provider_file: "/etc/origin/htpasswd"
-          }
+          },
+          osbs_named_certificates: {
+            enabled: true,
+            cert_file: "named_certificates/osbs-dev.fedorainfracloud.org.crt",
+            key_file: "named_certificates/osbs-dev.fedorainfracloud.org.key",
+            names: [ "osbs-dev.fedorainfracloud.org" ],
+          },
+          osbs_public_api_url: "osbs-dev.fedorainfracloud.org",
       }
     - {
       role: osbs-client,

roles/osbs-master/defaults/main.yml

@@ -92,3 +92,20 @@ osbs_identity_htpasswd:
   challenge: true
   login: true
   provider_file: /etc/openshift/htpasswd
+
+# This correlates to the section of OpenShift master-config.yaml for custom
+# certificate configuration for the public facing API endpoint
+#
+# https://docs.openshift.org/latest/install_config/certificate_customization.html
+#
+# Following values:
+#   enabled: boolean - used for checking in the config template
+#   certfile: path to cert (.crt) file
+#   keyfile: path to key (.key) file
+#   names: list of names
+osbs_named_certificates:
+  enabled: false
+  cert_file:
+  key_file:
+  names:
+osbs_public_api_url:

roles/osbs-master/templates/master-config.yaml.j2

@@ -10,7 +10,11 @@ assetConfig:
   extensions: null
   loggingPublicURL: ""
   logoutURL: ""
+{% if osbs_public_api_url %}
+  masterPublicURL: https://{{ osbs_public_api_url }}:8443
+{% else %}
   masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
+{% endif %}
   metricsPublicURL: ""
   publicURL: https://{{ ansible_default_ipv4.address }}:8443/console/
   servingInfo:
@@ -170,5 +174,15 @@ servingInfo:
   clientCA: ca.crt
   keyFile: master.server.key
   maxRequestsInFlight: 500
-  namedCertificates: null
   requestTimeoutSeconds: 3600
+{%if osbs_named_certificates.enabled %}
+  namedCertificates:
+  - certFile: {{ osbs_named_certificates.cert_file }}
+    keyFile: {{ osbs_named_certificates.key_file }}
+    names:
+{% for name in osbs_named_certificates.names %}
+    - {{ name }}
+{% endfor %}
+{% else %}
+  namedCertificates: null
+{% endif %}