[stable/zed] Mount CA into Keystone + Magnum (#1299)

Closes #1274
diff --git a/playbooks/infrastructure.yml b/playbooks/infrastructure.yml
index db62f05..d1c8ea6 100644
--- a/playbooks/infrastructure.yml
+++ b/playbooks/infrastructure.yml
@@ -13,7 +13,7 @@
 # under the License.
 
 - name: Deploy Infrastructure
-  hosts: controllers[0]
+  hosts: controllers
   become: true
   roles:
     - role: cert_manager
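Review bot: Changing `hosts: controllers[0]` to `hosts: controllers` makes every role in this play execute once per controller, and the role list continues past the end of the hunk, so only the tasks this commit explicitly marks `run_once: true` are deduplicated; any remaining task in cert_manager or the later roles that mutates the shared cluster will now run N times. That is probably harmless for idempotent `kubernetes.core.k8s` calls but not for one-shot operations, so the contract is worth stating at the play header, e.g. `# Runs on every controller; tasks that must touch the cluster exactly once need run_once: true`. If the intent was only to evaluate per-host facts for `defaults_ca_certificates_path`, a comment saying so would also help future readers understand why the single-host target was dropped.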
diff --git a/roles/cluster_issuer/tasks/main.yml b/roles/cluster_issuer/tasks/main.yml
index 8516771..72e9ac4 100644
--- a/roles/cluster_issuer/tasks/main.yml
+++ b/roles/cluster_issuer/tasks/main.yml
@@ -13,6 +13,7 @@
 # under the License.
 
 - name: Create self-signed cluster issuer
+  run_once: true
   kubernetes.core.k8s:
     state: present
     definition:
@@ -30,6 +31,7 @@
   when: cluster_issuer_type in ("self-signed", "ca")
   block:
     - name: Wait till the secret is created
+      run_once: true
       kubernetes.core.k8s_info:
         api_version: v1
         kind: Secret
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml b/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml
index 431b08e..c7cd8df 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml
@@ -13,6 +13,7 @@
 # under the License.
 
 - name: Create ClusterIssuer
+  run_once: true
   kubernetes.core.k8s:
     state: present
     definition:
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/http01.yml b/roles/cluster_issuer/tasks/type/acme/solver/http01.yml
index 363dc64..ac93dc5 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/http01.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/http01.yml
@@ -13,6 +13,7 @@
 # under the License.
 
 - name: Create ClusterIssuer
+  run_once: true
   kubernetes.core.k8s:
     state: present
     definition:
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml b/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml
index 60306ea..d706cb2 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml
@@ -13,6 +13,7 @@
 # under the License.
 
 - name: Create ClusterIssuer
+  run_once: true
   kubernetes.core.k8s:
     state: present
     definition:
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/route53.yml b/roles/cluster_issuer/tasks/type/acme/solver/route53.yml
index fa805d6..2f056ed 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/route53.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/route53.yml
@@ -13,6 +13,7 @@
 # under the License.
 
 - name: Create ClusterIssuer
+  run_once: true
   kubernetes.core.k8s:
     state: present
     definition:
diff --git a/roles/cluster_issuer/tasks/type/ca/main.yml b/roles/cluster_issuer/tasks/type/ca/main.yml
index a52b70a..d7a34a0 100644
--- a/roles/cluster_issuer/tasks/type/ca/main.yml
+++ b/roles/cluster_issuer/tasks/type/ca/main.yml
@@ -13,6 +13,7 @@
 # under the License.
 
 - name: Create ClusterIssuer
+  run_once: true
   kubernetes.core.k8s:
     state: present
     definition:
diff --git a/roles/cluster_issuer/tasks/type/self-signed/main.yml b/roles/cluster_issuer/tasks/type/self-signed/main.yml
index dd23773..a9bb496 100644
--- a/roles/cluster_issuer/tasks/type/self-signed/main.yml
+++ b/roles/cluster_issuer/tasks/type/self-signed/main.yml
@@ -13,6 +13,7 @@
 # under the License.
 
 - name: Create ClusterIssuer
+  run_once: true
   kubernetes.core.k8s:
     state: present
     definition:
diff --git a/roles/cluster_issuer/tasks/type/venafi/main.yml b/roles/cluster_issuer/tasks/type/venafi/main.yml
index 9baffca..f054951 100644
--- a/roles/cluster_issuer/tasks/type/venafi/main.yml
+++ b/roles/cluster_issuer/tasks/type/venafi/main.yml
@@ -13,6 +13,7 @@
 # under the License.
 
 - name: Create secret (username/password)
+  run_once: true
   when:
     - cluster_issuer_venafi_username is defined
     - cluster_issuer_venafi_password is defined
@@ -30,6 +31,7 @@
           password: "{{ cluster_issuer_venafi_password }}"
 
 - name: Create secret (access token)
+  run_once: true
   when:
     - cluster_issuer_venafi_username is not defined
     - cluster_issuer_venafi_password is not defined
@@ -46,6 +48,7 @@
           access-token: "{{ cluster_issuer_venafi_access_token }}"
 
 - name: Create ClusterIssuer
+  run_once: true
   kubernetes.core.k8s:
     state: present
     definition:
diff --git a/roles/defaults/defaults/main.yml b/roles/defaults/defaults/main.yml
index 1019593..58b1173 100644
--- a/roles/defaults/defaults/main.yml
+++ b/roles/defaults/defaults/main.yml
@@ -23,3 +23,6 @@
 
 # This is for override values in atmosphere_images
 atmosphere_image_overrides: {}
+
+defaults_ca_certificates_path: >-
+  {{ '/etc/ssl/certs/ca-certificates.crt' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' }}"
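Review bot: The folded scalar on the last added line ends with a stray `"` after `}}`; inside a `>-` block scalar that quote is literal text, so the rendered value becomes `/etc/ssl/certs/ca-certificates.crt"` (or the RHEL equivalent) and every hostPath that consumes `defaults_ca_certificates_path` points at a file that does not exist. Drop the trailing character: `  {{ '/etc/ssl/certs/ca-certificates.crt' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' }}`. Separately, this expression is resolved from the facts of the Ansible host rendering the Helm values, whereas a Kubernetes hostPath is resolved on whichever node the pod is scheduled to, so it silently assumes all nodes share one os_family; a comment such as `# Host CA bundle location; assumes a homogeneous os_family across nodes` would record that assumption.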
diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml
index 4eff179..ceaa88a 100644
--- a/roles/keepalived/tasks/main.yml
+++ b/roles/keepalived/tasks/main.yml
@@ -13,6 +13,7 @@
 # under the License.
 
 - name: Deploy service
+  run_once: true
   when: keepalived_enabled | bool
   kubernetes.core.k8s:
     state: present
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index 609f3c8..ed85ea6 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -25,6 +25,7 @@
     name: PyMySQL
 
 - name: Check MySQL ready
+  run_once: true
   community.mysql.mysql_info:
     login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
     login_user: root
@@ -56,6 +57,7 @@
     priv: "{{ keycloak_database_name }}.*:ALL"
 
 - name: Disable pxc strict mode
+  run_once: true
   community.mysql.mysql_query:
     login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
     login_user: root
@@ -89,6 +91,7 @@
       cert-manager.io/cluster-issuer: atmosphere
 
 - name: Enable pxc strict mode
+  run_once: true
   community.mysql.mysql_query:
     login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
     login_user: root
diff --git a/roles/keystone/vars/main.yml b/roles/keystone/vars/main.yml
index 625ff2f..1b67f80 100644
--- a/roles/keystone/vars/main.yml
+++ b/roles/keystone/vars/main.yml
@@ -22,11 +22,14 @@
     mounts:
       keystone_api:
         keystone_api:
-          volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts }}"
+          volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts + [{'name': 'etc-ssl-certs', 'mountPath': '/etc/ssl/certs', 'readOnly': true}] }}"
           volumes:
             - name: keystone-openid-metadata
               configMap:
                 name: keystone-openid-metadata
+            - name: etc-ssl-certs
+              hostPath:
+                path: "{{ defaults_ca_certificates_path }}"
   conf:
     keystone:
       DEFAULT:
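Review bot: The added `etc-ssl-certs` volume points `hostPath.path` at `defaults_ca_certificates_path`, which on its Debian default is a single bundle file, while the matching mount in the `volumeMounts` expression uses `mountPath: /etc/ssl/certs`, a directory in the image; mounting a file over a directory is rejected by the container runtime, and if the host path happens not to exist the kubelet's default untyped hostPath creates an empty directory there and the container then sees an empty `/etc/ssl/certs`, hiding every trusted CA rather than adding one. The same file-vs-directory mismatch appears in roles/magnum/vars/main.yml. Mount the bundle at a file path and let the kubelet validate it: `'mountPath': '/etc/ssl/certs/ca-certificates.crt'` in the filter expression and `type: File` under `hostPath`. Keeping `readOnly: true` as the hunk already does is the right call for host-sourced trust material.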
diff --git a/roles/magnum/vars/main.yml b/roles/magnum/vars/main.yml
index eeee431..358d145 100644
--- a/roles/magnum/vars/main.yml
+++ b/roles/magnum/vars/main.yml
@@ -25,6 +25,8 @@
       barbican_client:
         endpoint_type: internalURL
         region_name: "{{ openstack_helm_endpoints_barbican_region_name }}"
+      capi_client:
+        ca_file: /etc/ssl/certs/ca-certificates.crt
       cinder_client:
         endpoint_type: internalURL
         region_name: "{{ openstack_helm_endpoints_cinder_region_name }}"
@@ -74,6 +76,17 @@
     replicas:
       api: 3
       conductor: 3
+    mounts:
+      magnum_conductor:
+        magnum_conductor:
+          volumeMounts:
+            - name: etc-ssl-certs
+              mountPath: /etc/ssl/certs
+              readOnly: true
+          volumes:
+            - name: etc-ssl-certs
+              hostPath:
+                path: "{{ defaults_ca_certificates_path }}"
   manifests:
     ingress_api: false
     service_ingress_api: false
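Review bot: `capi_client.ca_file` in the first hunk is fixed to `/etc/ssl/certs/ca-certificates.crt`, but the conductor mount added here exposes `defaults_ca_certificates_path` at the directory `/etc/ssl/certs`, so on a non-Debian host the bundle is mounted under a different file name than the client reads, and on a Debian host a file is being mounted over a directory path. Pinning the mount to the path the client actually opens makes the two agree regardless of host os_family: `mountPath: /etc/ssl/certs/ca-certificates.crt` in the volumeMount and `type: File` under `hostPath`, which also makes the kubelet fail the pod early if the bundle is missing instead of silently creating an empty placeholder. Only `magnum_conductor` receives the mount; if the API pods also reach the CAPI management cluster that should be confirmed against the role, but the hunk gives no indication either way.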