kubespray/roles/vault/tasks/bootstrap/gen_ca.yml

---

- name: bootstrap/gen_ca | Ensure vault_cert_dir exists
  file:
    mode: 0755
    path: "{{ vault_cert_dir }}"
    state: directory

- name: bootstrap/gen_ca | Generate Root CA in vault-temp
  uri:
    url: "{{ vault_leader_url }}/v1/pki/root/generate/exported"
    headers: "{{ vault_headers }}"
    method: POST
    body_format: json
    body: "{{ vault_ca_options }}"
  register: vault_ca_gen
  when: inventory_hostname == groups.vault|first and vault_ca_cert_needed

- name: bootstrap/gen_ca | Copy root CA cert locally
  copy:
    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['certificate'] }}"
    dest: "{{ vault_cert_dir }}/ca.pem"
    mode: 0644
  when: vault_ca_cert_needed

- name: bootstrap/gen_ca | Copy root CA key locally
  copy:
    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['private_key'] }}"
    dest: "{{ vault_cert_dir }}/ca-key.pem"
    mode: 0640
  when: vault_ca_cert_needed