New ipaclient_allow_repair switch

When allow_repair is enabled, then the playbook will continue for an
already joined host. The remaining steps ipaconf, ipasssd, krb5, ipaapi,
ipanss and ipaextras will be redone.

If allow_repair is disabled, then the meta module will be
used with the end_play option to stop the processing of the playbook
without an error.

roles/ipaclient/defaults/main.yml

@@ -6,3 +6,4 @@ ipaclient_ntp: no
 ipaclient_mkhomedir: no
 ipaclient_kinit_attempts: 5
 ipaclient_use_otp: "false"
+ipaclient_allow_repair: "false"

roles/ipaclient/tasks/install.yml

@@ -100,6 +100,13 @@
   register: ipajoin
   when: not ipatest.krb5_keytab_ok
 
+- block:
+  - file:
+      path: "/etc/ipa/.dns_ccache"
+      state: absent
+  - meta: end_play
+  when: not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined)
+
 - name: Install - Configure IPA default.conf
   include_role:
     name: ipaconf