Improve fernet_token_expiry precheck

The pre-check was broken, see bug report for details.

Change-Id: I089f1e288bae6c093be66181c81a4373a6ef3de4
Closes-Bug: #1856021
(cherry picked from commit 810acea6b1)

ansible/roles/keystone/tasks/precheck.yml

@@ -43,9 +43,23 @@
     - keystone_ssh.enabled | bool
     - inventory_hostname in groups['keystone']
 
-- name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
+- name: Checking fernet_token_expiry
   run_once: true
-  local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml"
-  register: result
-  changed_when: false
-  failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '')  is search(".+")
+  assert:
+    that:
+      - fernet_token_expiry is number
+      # Check that it is not a floating point number
+      - fernet_token_expiry | int == fernet_token_expiry
+      - fernet_token_expiry >= 0
+      # NOTE(wszumski): fernet_rotate_cron_generator.py doesn't support a span
+      # greater than a week.
+      - fernet_token_expiry <= 604800
+    msg: >-
+      fernet_token_expiry must be an integer up to and including 604800. You can
+      set this in `globals.yml`. The value represents the time period, in
+      seconds, at which to rotate the fernet keys. Suggested values are: 60,
+      120, 240, 480, 720, 1440, 3600, 7200, 10800, 14400, 21600, 43200, 60480,
+      120960, 151200, 201600, 302400, 604800. These values ensure an evenly-spaced
+      run schedule as they divide 7 days without remainder.
+  when:
+    - keystone_token_provider == 'fernet'

releasenotes/notes/fix-fernet-pre-check-5efbdfe43a2776e3.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes an issue where ``fernet_token_expiry`` would fail the pre-checks
+    despite being set to a valid value. Please see `bug 1856021
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1856021>`_ for more details.