Move ipa check to external_deploy_tasks

The ipa dns acl validation needs to occur on the undercloud
rather than on the node, because in a new environment, the node
is not yet set up as an ipa client.  That only happens in the
deploy_steps tasks.

I also removed the validation tags so that this check could be
done even if validations are not requested.  The check itself
is not expensive, and troubleshooting the issue we're trying to
prevent is somewhat tricky.  Much better to fail fast.

Change-Id: I021a2aa173f58e0e7cb37022b73ef17782033f70
(cherry picked from commit 81087b49c2)

deployment/etcd/etcd-container-puppet.yaml

@@ -205,25 +205,21 @@ outputs:
             - /var/lib/config-data/etcd/etc/etcd/:/etc/etcd:ro
             - /var/lib/etcd:/var/lib/etcd:ro
       host_prep_tasks:
-        list_concat:
+          - name: create /var/lib/etcd
+            file:
+              path: /var/lib/etcd
+              state: directory
+              setype: container_file_t
+      external_deploy_tasks:
+        if:
+          - internal_tls_enabled
           -
-            - name: create /var/lib/etcd
-              file:
-                path: /var/lib/etcd
-                state: directory
-                setype: container_file_t
-          -
-            if:
-              - internal_tls_enabled
-              -
-                - name: check if ipa server has required permissions
-                  import_role:
-                    name: tls_everywhere
-                    tasks_from: ipa-server-check
-                  tags:
-                    - opendev-validation
-                    - opendev-validation-tls-everywhere
-              - null
+            - name: check if ipa server has required permissions
+              when: step|int == 1
+              import_role:
+                name: tls_everywhere
+                tasks_from: ipa-server-check
+          - null
       upgrade_tasks: []
       metadata_settings:
         if: