Merge pull request #2617 from bradbeam/savaultcert

Adding missing service-account certificate for vault

roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml

@@ -32,7 +32,7 @@
     sync_file_hosts: "{{ groups['kube-master'] }}"
     sync_file_is_cert: true
     sync_file_owner: kube
-  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem"]
+  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "service-account.pem"]
 
 - name: sync_kube_master_certs | Set facts for kube master components sync_file results
   set_fact:

roles/vault/tasks/bootstrap/main.yml

@@ -57,6 +57,7 @@
     gen_ca_mount_path: "{{ vault_pki_mounts.etcd.name }}"
     gen_ca_vault_headers: "{{ vault_headers }}"
     gen_ca_vault_options: "{{ vault_ca_options.etcd }}"
+    gen_ca_copy_group: "etcd"
   when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
 
 - import_tasks: gen_vault_certs.yml

roles/vault/tasks/cluster/main.yml

@@ -32,6 +32,7 @@
     gen_ca_mount_path: "{{ vault_pki_mounts.kube.name }}"
     gen_ca_vault_headers: "{{ vault_headers }}"
     gen_ca_vault_options: "{{ vault_ca_options.kube }}"
+    gen_ca_copy_group: "kube-master"
   when: inventory_hostname in groups.vault
 
 - include_tasks: ../shared/auth_backend.yml

roles/vault/tasks/shared/gen_ca.yml

@@ -24,9 +24,12 @@
     mode: 0644
   when: vault_ca_gen.status == 200
 
-- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA key locally"
+
+- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA key to necessary hosts"
   copy:
     content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['private_key'] }}"
     dest: "{{ gen_ca_cert_dir }}/ca-key.pem"
     mode: 0640
   when: vault_ca_gen.status == 200
+  delegate_to: "{{ item }}"
+  with_items: "{{ (groups[gen_ca_copy_group|default('vault')]) | union(groups['vault']) }}"