Implement LDAP domains using last keystone host

To ensure that the domains can be created, we only execute
the tasks on the last member of the keystone_all group so
that the load balancer has at least one other host to work
against.

We also replace the OSA keystone module in the task with
the standard Ansible module, and delegate the task to the
service setup host.

Change-Id: I66ed21cdcf42d0c2012062c8cf74305fecbec312

tasks/keystone_ldap_setup.yml

@@ -13,19 +13,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
-- name: Create Keystone LDAP domains
-  keystone:
-    command: ensure_domain
-    domain_name: "{{ item.key }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
+- name: Add LDAP domains
+  os_keystone_domain:
+    cloud: default
+    state: present
+    name: "{{ item.key }}"
+    endpoint_type: admin
+    verify: "{{ not keystone_service_adminuri_insecure }}"
+  register: add_ldap_domain
+  until: add_ldap_domain is success
+  retries: 5
+  delay: 10
   with_dict: "{{ keystone_ldap }}"
-  no_log: true
-  run_once: true
+  delegate_to: "{{ keystone_service_setup_host }}"
+  vars:
+    ansible_python_interpreter: >-
+      {{ (keystone_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
 
 - name: Create Keystone LDAP domain configs
   template:

tasks/main.yml

@@ -164,7 +164,9 @@
     - keystone-config
 
 - include_tasks: keystone_ldap_setup.yml
-  when: keystone_service_setup | bool
+  when:
+    - "inventory_hostname == ((groups['keystone_all'] | intersect(ansible_play_hosts)) | list)[-1]"
+    - "keystone_service_setup | bool"
   tags:
     - keystone-config