Fix SSL cert mismatch when re-running install_stack

When install_stack is re-run on an already-deployed system, the simpleca
role generates a new CA in a temp directory (always fresh), and the new
CA cert overwrites /etc/pki/ca-trust/source/anchors/simpleca.crt. But
the TripleO deploy is skipped (clouds.yaml already exists), so the
running services still serve the old server cert signed by the old CA.
This breaks all openstack CLI calls with CERTIFICATE_VERIFY_FAILED.

Fix by moving the tripleo_deployed check before the SSL generation
blocks and guarding them with 'not tripleo_deployed.stat.exists', so
we only generate and install new certs when actually deploying.

Author: mandre

playbooks/install_stack.yaml

@@ -62,6 +62,13 @@
               - /opt/exported-data/extra-host-file-entries.json
               - /opt/exported-data/all-nodes-extra-map-data.json
 
+    - name: Check if TripleO has already been deployed
+      ansible.builtin.stat:
+        path: /etc/openstack/clouds.yaml
+      register: tripleo_deployed
+      become: true
+      become_user: root
+
     - name: Enable SSL
       when: ssl_enabled
       block:
@@ -75,7 +82,9 @@
               - /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor.yaml
 
     - name: Generate SSL self-signed certificate on localhost
-      when: ssl_enabled
+      when:
+        - ssl_enabled
+        - not tripleo_deployed.stat.exists
       become: false
       # We run this block on localhost because we don't want to put the CA key on the remote
       # server, which could lead to security problems.
@@ -96,7 +105,9 @@
             cert_name: standalone
 
     - name: Prepare the host for SSL
-      when: ssl_enabled
+      when:
+        - ssl_enabled
+        - not tripleo_deployed.stat.exists
       no_log: true
       block:
         - name: Read and clean SSL files
@@ -307,6 +318,7 @@
             neutron_bridge_mappings: "{{ base_bridge_mappings }}"
 
     - name: Create standalone_parameters.yaml
+      when: not tripleo_deployed.stat.exists
       no_log: true
       ansible.builtin.template:
         mode: '644'
@@ -506,13 +518,6 @@
       when:
         - ceph_enabled
 
-    - name: Check if TripleO has already been deployed
-      ansible.builtin.stat:
-        path: /etc/openstack/clouds.yaml
-      register: tripleo_deployed
-      become: true
-      become_user: root
-
     - name: Clean up stale heat processes from previous deploy
       become: true
       become_user: root
@@ -530,6 +535,7 @@
           # causes API requests to be randomly routed to the wrong instance,
           # resulting in 'Stack create failed'.
           ansible.builtin.command: pkill -9 -f heat-all
+          changed_when: true
           when: heat_running.rc == 0
 
         - name: Wait for heat processes to terminate