Fix unrestricted copying of backend TLS certs

With the change
https://review.opendev.org/c/openstack/kolla-ansible/+/915901
K-A copies backend TLS certificates to all containers of projects
when backend TLS for the project is enabled because of less strict
conditional check.

However, this causes K-A to attempt copying non-existent certificates
from hosts that is not part of backend TLS to containers that are
also not part of backend TLS.

This change makes service-copy-certs task check if a host is part of
``tls-backend`` group when copying backend TLS certificate and key.

Cloeses-Bug: #2105505
Change-Id: I799dc6e6fdccc483784fc3c2088ada69f24412e9
Signed-off-by: Seunghun Lee <[email protected]>
(cherry picked from commit e092d33)

Author: seunghun1ee

ansible/roles/service-cert-copy/tasks/main.yml

@@ -24,6 +24,7 @@
   become: true
   when:
     - kolla_copy_backend_tls_files | bool
+    - inventory_hostname is in groups["tls-backend"]
   with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
 
 - name: "{{ project_name }} | Copying over backend internal TLS key"
@@ -41,4 +42,5 @@
   become: true
   when:
     - kolla_copy_backend_tls_files | bool
+    - inventory_hostname is in groups["tls-backend"]
   with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"

releasenotes/notes/fix-unrestricted-copying-of-backend-tls-2bade63581b84c80.yaml

@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Fixes a bug where K-A can fail service deployment because it
+    tries to copy backend TLS certificates of some hosts to
+    containers when both hosts and containers are not part of backend
+    TLS and do not have certificates to copy.
+    `LP#2105505 <https://bugs.launchpad.net/kolla-ansible/+bug/2105505>`__