Only run token_flush on 1 host

The token_flush should only run on 1 host, not all keystone hosts.
Unclean backport - for Ocata and before, we need to clean up the old
cron entries.

Change-Id: Ibb689431f288190f3a8451b52cd77a4167d6945c
Closes-Bug: #1663297
(cherry picked from commit a956a14b566964330ea8681dd22b55c1bf62e01e)

tasks/keystone_token_cleanup.yml

@@ -13,9 +13,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Add keystone token_flush cron job
+- name: Add keystone token_flush cron job to one keystone_host
   cron:
     name: "Clear out stale keystone tokens"
     minute: 0
     job: "{{ keystone_bin }}/keystone-manage token_flush"
     user: "{{ keystone_system_user_name }}"
+    state: present
+  when: inventory_hostname == groups['keystone_all'][0]
+
+# This job is removed in Pike
+- name: Remove keystone token_flush cron job from other keystone_host
+  cron:
+    name: "Clear out stale keystone tokens"
+    minute: 0
+    job: "{{ keystone_bin }}/keystone-manage token_flush"
+    user: "{{ keystone_system_user_name }}"
+    state: absent
+  when: inventory_hostname != groups['keystone_all'][0]