kubespray/roles/vault/tasks/shared/config_ca.yml

---
- name: config_ca | Read root CA cert for Vault
  command: "cat {{ config_ca_ca_pem }}"
  register: vault_ca_cert_cat

- name: config_ca | Pull current CA cert from Vault
  hashivault_read:
    url: "{{ vault_leader_url }}"
    token: "{{ vault_root_token }}"
    ca_cert: "{{ vault_cert_dir }}/ca.pem"
    secret: "{{ config_ca_mount_path }}/ca"
    key: "pem"
  register: vault_pull_current_ca
  failed_when: false

- name: config_ca | Read root CA key for Vault
  command: "cat {{ config_ca_ca_key }}"
  register: vault_ca_key_cat
  when: vault_ca_cert_cat.stdout.strip() != vault_pull_current_ca.get("data","").strip()

- name: config_ca | Configure pki mount to use the found root CA cert and key
  hashivault_write:
    url: "{{ vault_leader_url }}"
    token: "{{ vault_root_token }}"
    ca_cert: "{{ vault_cert_dir }}/ca.pem"
    secret: "{{ config_ca_mount_path }}/config/ca"
    data:
      pem_bundle: "{{ vault_ca_cert_cat.stdout + '\n' + vault_ca_key_cat.stdout }}"
  when: vault_ca_cert_cat.stdout.strip() != vault_pull_current_ca.get("data","").strip()