Damian Dabrowski e02e56fc93 Add TLS support to nova API backends
By overriding the variable `nova_backend_ssl: True`, HTTPS will
be enabled, disabling HTTP support on the nova backend API.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

`nova_pki_console_certificates` are used to encrypt:
- traffic between console proxy and compute hosts

`nova_pki_certificates` are used to encrypt:
- traffic between haproxy and its backends (including console proxy)

It would be complex to use nova_pki_console_certificates to encrypt
traffic between haproxy and console proxy because they don't have valid
key_usage for that and changing key_usage would require manually setting
`pki_regen_cert` for existing environments.

Certs securing traffic between haproxy and console proxy are provided in
execstarts because otherwise they would have to be defined in nova.conf
that may be shared with nova-api (which stands behind uwsgi and should
not use TLS).

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ibff3bf0b5eedc87c221bbb1b5976b12972fda608
2023-04-29 18:49:39 +02:00