Comment 1 for bug 1993575

Dmitriy Rabotyagov (noonedeadpunk) wrote :

Hey Adrien,

I believe you're right about the root cause of the issue. However, I believe we already do have a workaround in place.

All PKI role stanzas do contain a `condition` field. So while you indeed need to use user_variables or group_vars/all, you can still limit deployment of the CA to specific hosts, for example:

pki_install_ca_keystone_only:
  - src: /opt/my-ca/MyRoot.crt
    filename: /etc/ssl/certs/MyRoot.crt
    condition: "{{ inventory_hostname in groups['keystone_all'] }}"

Please, let us know if this solution works for you.

PS: It's worth mentioning that you can use any name after `pki_search_install_ca_pattern`, which is `pki_install_ca_.*`. So `pki_install_ca_keystone_only` is a real variable you can use.