Vault role updates:

* using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago · bf0af1cd3d
18 changed files with 280 additions and 278 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -366,6 +366,7 @@ before_script:
 .ubuntu_vault_sep_variables: &ubuntu_vault_sep_variables
 # stage: deploy-gce-part1
  AUTHORIZATION_MODES: "{ 'authorization_modes':  [ 'RBAC' ] }"
  KUBE_NETWORK_PLUGIN: canal
  CERT_MGMT: vault
  CLOUD_IMAGE: ubuntu-1604-xenial
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@ -7,51 +7,14 @@
  when: inventory_hostname in etcd_node_cert_hosts
  tags: etcd-secrets
 - name: gen_certs_vault | Read in the local credentials
  command: cat /etc/vault/roles/etcd/userpass
  register: etcd_vault_creds_cat
  delegate_to: "{{ groups['vault'][0] }}"
 - name: gen_certs_vault | Set facts for read Vault Creds
  set_fact:
    etcd_vault_creds: "{{ etcd_vault_creds_cat.stdout|from_json }}"
  delegate_to: "{{ groups['vault'][0] }}"
 - name: gen_certs_vault | Log into Vault and obtain an token
  uri:
    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/login/{{ etcd_vault_creds.username }}"
    headers:
      Accept: application/json
      Content-Type: application/json
    method: POST
    body_format: json
    body:
      password: "{{ etcd_vault_creds.password }}"
  register: etcd_vault_login_result
  delegate_to: "{{ groups['vault'][0] }}"
 - name: gen_certs_vault | Set fact for vault_client_token
  set_fact:
    vault_client_token: "{{ etcd_vault_login_result.get('json', {}).get('auth', {}).get('client_token') }}"
  run_once: true
 - name: gen_certs_vault | Set fact for Vault API token
  set_fact:
    etcd_vault_headers:
      Accept: application/json
      Content-Type: application/json
      X-Vault-Token: "{{ vault_client_token }}"
  run_once: true
  when: vault_client_token != ""
 # Issue master certs to Etcd nodes
 - include: ../../vault/tasks/shared/issue_cert.yml
  vars:
    issue_cert_common_name: "etcd:master:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
    issue_cert_alt_names: "{{ groups.etcd + ['localhost'] }}"
    issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}"
    issue_cert_file_group: "{{ etcd_cert_group }}"
    issue_cert_file_owner: kube
    issue_cert_headers: "{{ etcd_vault_headers }}"
    issue_cert_hosts: "{{ groups.etcd }}"
    issue_cert_ip_sans: >-
        [
@ -74,11 +37,11 @@
 # Issue node certs to everyone else
 - include: ../../vault/tasks/shared/issue_cert.yml
  vars:
    issue_cert_common_name: "etcd:node:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
    issue_cert_alt_names: "{{ etcd_node_cert_hosts }}"
    issue_cert_copy_ca: "{{ item == etcd_node_certs_needed|first }}"
    issue_cert_file_group: "{{ etcd_cert_group }}"
    issue_cert_file_owner: kube
    issue_cert_headers: "{{ etcd_vault_headers }}"
    issue_cert_hosts: "{{ etcd_node_cert_hosts }}"
    issue_cert_ip_sans: >-
        [
--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
@ -1,56 +1,23 @@
 ---
 - include: sync_kube_master_certs.yml
  when: inventory_hostname in groups['kube-master']
  tags: k8s-secrets
 - include: sync_kube_node_certs.yml
  when: inventory_hostname in groups['k8s-cluster']
  tags: k8s-secrets
 - name: gen_certs_vault | Read in the local credentials
  command: cat /etc/vault/roles/kube/userpass
  register: kube_vault_creds_cat
  delegate_to: "{{ groups['k8s-cluster'][0] }}"
 - name: gen_certs_vault | Set facts for read Vault Creds
  set_fact:
    kube_vault_creds: "{{ kube_vault_creds_cat.stdout|from_json }}"
  delegate_to: "{{ groups['k8s-cluster'][0] }}"
 - name: gen_certs_vault | Log into Vault and obtain an token
  uri:
    url: "{{ hostvars[groups['vault'][0]]['vault_leader_url'] }}/v1/auth/userpass/login/{{ kube_vault_creds.username }}"
    headers:
      Accept: application/json
      Content-Type: application/json
    method: POST
    body_format: json
    body:
      password: "{{ kube_vault_creds.password }}"
  register: kube_vault_login_result
  delegate_to: "{{ groups['k8s-cluster'][0] }}"
 - name: gen_certs_vault | Set fact for Vault API token
  set_fact:
    kube_vault_headers:
      Accept: application/json
      Content-Type: application/json
      X-Vault-Token: "{{ kube_vault_login_result.get('json',{}).get('auth', {}).get('client_token') }}"
  run_once: true
 # Issue certs to kube-master nodes
 # Issue admin certs to kube-master hosts
 - include: ../../../vault/tasks/shared/issue_cert.yml
  vars:
    issue_cert_copy_ca: "{{ item == kube_master_certs_needed|first }}"
    issue_cert_common_name: "admin:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
    issue_cert_copy_ca: "{{ item == kube_admin_certs_needed|first }}"
    issue_cert_file_group: "{{ kube_cert_group }}"
    issue_cert_file_owner: kube
    issue_cert_headers: "{{ kube_vault_headers }}"
    issue_cert_hosts: "{{ groups['kube-master'] }}"
    issue_cert_path: "{{ item }}"
    issue_cert_role: kube
    issue_cert_role: kube-master
    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
    issue_cert_mount_path: "{{ kube_vault_mount_path }}"
  with_items: "{{ kube_master_certs_needed|d([]) }}"
  with_items: "{{ kube_admin_certs_needed|d([]) }}"
  when: inventory_hostname in groups['kube-master']
 - name: gen_certs_vault | Set fact about certificate alt names
@ -69,12 +36,13 @@
  when: loadbalancer_apiserver is defined and apiserver_loadbalancer_domain_name is defined
  run_once: true
 # Issue master components certs to kube-master hosts
 - include: ../../../vault/tasks/shared/issue_cert.yml
  vars:
    issue_cert_common_name: "kubernetes"
    issue_cert_alt_names: "{{ kube_cert_alt_names }}"
    issue_cert_file_group: "{{ kube_cert_group }}"
    issue_cert_file_owner: kube
    issue_cert_headers: "{{ kube_vault_headers }}"
    issue_cert_hosts: "{{ groups['kube-master'] }}"
    issue_cert_ip_sans: >-
        [
@ -87,7 +55,7 @@
        "127.0.0.1","::1","{{ kube_apiserver_ip }}"
        ]
    issue_cert_path: "{{ item }}"
    issue_cert_role: kube
    issue_cert_role: kube-master
    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
    issue_cert_mount_path: "{{ kube_vault_mount_path }}"
  with_items: "{{ kube_master_components_certs_needed|d([]) }}"
@ -97,27 +65,28 @@
 # Issue node certs to k8s-cluster nodes
 - include: ../../../vault/tasks/shared/issue_cert.yml
  vars:
    issue_cert_common_name: "system:node:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
    issue_cert_copy_ca: "{{ item == kube_node_certs_needed|first }}"
    issue_cert_file_group: "{{ kube_cert_group }}"
    issue_cert_file_owner: kube
    issue_cert_headers: "{{ kube_vault_headers }}"
    issue_cert_hosts: "{{ groups['k8s-cluster'] }}"
    issue_cert_path: "{{ item }}"
    issue_cert_role: kube
    issue_cert_role: kube-node
    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
    issue_cert_mount_path: "{{ kube_vault_mount_path }}"
  with_items: "{{ kube_node_certs_needed|d([]) }}"
  when: inventory_hostname in groups['k8s-cluster']
 # Issue proxy certs to k8s-cluster nodes
 - include: ../../../vault/tasks/shared/issue_cert.yml
  vars:
    issue_cert_common_name: "system:kube-proxy:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
    issue_cert_copy_ca: "{{ item == kube_proxy_certs_needed|first }}"
    issue_cert_file_group: "{{ kube_cert_group }}"
    issue_cert_file_owner: kube
    issue_cert_headers: "{{ kube_vault_headers }}"
    issue_cert_hosts: "{{ groups['k8s-cluster'] }}"
    issue_cert_path: "{{ item }}"
    issue_cert_role: kube
    issue_cert_role: kube-proxy
    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
    issue_cert_mount_path: "{{ kube_vault_mount_path }}"
  with_items: "{{ kube_proxy_certs_needed|d([]) }}"
--- a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
@ -2,7 +2,7 @@
 - name: sync_kube_master_certs | Create list of needed kube admin certs
  set_fact:
    kube_master_cert_list: "{{ kube_master_cert_list|d([]) + ['admin-' + item + '.pem'] }}"
    kube_admin_cert_list: "{{ kube_admin_cert_list|d([]) + ['admin-' + item + '.pem'] }}"
  with_items: "{{ groups['kube-master'] }}"
 - include: ../../../vault/tasks/shared/sync_file.yml
@ -13,11 +13,11 @@
    sync_file_hosts: "{{ groups['kube-master'] }}"
    sync_file_is_cert: true
    sync_file_owner: kube
  with_items: "{{ kube_master_cert_list|d([]) }}"
  with_items: "{{ kube_admin_cert_list|d([]) }}"
 - name: sync_kube_master_certs | Set facts for kube admin sync_file results
  set_fact:
    kube_master_certs_needed: "{{ kube_master_certs_needed|default([]) + [item.path] }}"
    kube_admin_certs_needed: "{{ kube_admin_certs_needed|default([]) + [item.path] }}"
  with_items: "{{ sync_file_results|d([]) }}"
  when: item.no_srcs|bool
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@ -135,3 +135,10 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
 ## List of key=value pairs that describe feature gates for
 ## the k8s cluster.
 kube_feature_gates: []
 # Vault data dirs.
 vault_base_dir: /etc/vault
 vault_cert_dir: "{{ vault_base_dir }}/ssl"
 vault_config_dir: "{{ vault_base_dir }}/config"
 vault_roles_dir: "{{ vault_base_dir }}/roles"
 vault_secrets_dir: "{{ vault_base_dir }}/secrets"
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@ -1,4 +1,6 @@
 ---
 vault_bootstrap: false
 vault_deployment_type: docker
 vault_adduser_vars:
  comment: "Hashicorp Vault User"
@ -6,41 +8,18 @@ vault_adduser_vars:
  name: vault
  shell: /sbin/nologin
  system: yes
 # This variables redefined in kubespray-defaults for using shared tasks
 # in etcd and kubernetes/secrets roles
 vault_base_dir: /etc/vault
 # https://releases.hashicorp.com/vault/0.6.4/vault_0.6.4_SHA256SUMS
 vault_version: 0.6.4
 vault_binary_checksum: 04d87dd553aed59f3fe316222217a8d8777f40115a115dac4d88fac1611c51a6
 vault_bootstrap: false
 vault_ca_options:
  common_name: vault
  format: pem
  ttl: 87600h
 vault_cert_dir: "{{ vault_base_dir }}/ssl"
 vault_client_headers:
  Accept: "application/json"
  Content-Type: "application/json"
 vault_config:
  backend:
    etcd:
      address: "{{ vault_etcd_url }}"
      ha_enabled: "true"
      redirect_addr: "https://{{ ansible_default_ipv4.address }}:{{ vault_port }}"
      tls_ca_file: "{{ vault_etcd_cert_dir }}/ca.pem"
  cluster_name: "kubernetes-vault"
  default_lease_ttl: "{{ vault_default_lease_ttl }}"
  listener:
    tcp:
      address: "0.0.0.0:{{ vault_port }}"
      tls_cert_file: "{{ vault_cert_dir }}/api.pem"
      tls_key_file: "{{ vault_cert_dir }}/api-key.pem"
  max_lease_ttl: "{{ vault_max_lease_ttl }}"
 vault_config_dir: "{{ vault_base_dir }}/config"
 vault_container_name: kube-hashicorp-vault
 # This variable is meant to match the GID of vault inside Hashicorp's official Vault Container
 vault_default_lease_ttl: 720h
 vault_default_role_permissions:
  allow_any_name: true
 vault_deployment_type: docker
 vault_roles_dir: "{{ vault_base_dir }}/roles"
 vault_secrets_dir: "{{ vault_base_dir }}/secrets"
 vault_log_dir: "/var/log/vault"
 vault_version: 0.8.1
 vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
 vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
 vault_download_vars:
  container: "{{ vault_deployment_type != 'host' }}"
@ -55,17 +34,19 @@ vault_download_vars:
  unarchive: true
  url: "{{ vault_download_url }}"
  version: "{{ vault_version }}"
 vault_etcd_url: "https://{{ hostvars[groups.etcd[0]]['ip']|d(hostvars[groups.etcd[0]]['ansible_default_ipv4']['address']) }}:2379"
 vault_container_name: kube-hashicorp-vault
 vault_temp_container_name: vault-temp
 vault_image_repo: "vault"
 vault_image_tag: "{{ vault_version }}"
 vault_log_dir: "/var/log/vault"
 vault_max_lease_ttl: 87600h
 vault_needs_gen: false
 vault_address: 0.0.0.0
 vault_port: 8200
 vault_roles_dir: "{{ vault_base_dir }}/roles"
 vault_secret_shares: 1
 vault_secret_threshold: 1
 vault_secrets_dir: "{{ vault_base_dir }}/secrets"
 vault_etcd_url: "https://{{ hostvars[groups.etcd[0]]['ip']|d(hostvars[groups.etcd[0]]['ansible_default_ipv4']['address']) }}:2379"
 vault_default_lease_ttl: 720h
 vault_max_lease_ttl: 87600h
 vault_temp_config:
  backend:
    file:
@ -73,29 +54,109 @@ vault_temp_config:
  default_lease_ttl: "{{ vault_default_lease_ttl }}"
  listener:
    tcp:
      address: "0.0.0.0:{{ vault_port }}"
      address: "{{ vault_address }}:{{ vault_port }}"
      tls_disable: "true"
  max_lease_ttl: "{{ vault_max_lease_ttl }}"
 vault_temp_container_name: vault-temp
 # etcd pki mount options
 vault_config:
  backend:
    etcd:
      address: "{{ vault_etcd_url }}"
      ha_enabled: "true"
      redirect_addr: "https://{{ ansible_default_ipv4.address }}:{{ vault_port }}"
      tls_ca_file: "{{ vault_etcd_cert_dir }}/ca.pem"
  cluster_name: "kubernetes-vault"
  default_lease_ttl: "{{ vault_default_lease_ttl }}"
  max_lease_ttl: "{{ vault_max_lease_ttl }}"
  listener:
    tcp:
      address: "{{ vault_address }}:{{ vault_port }}"
      tls_cert_file: "{{ vault_cert_dir }}/api.pem"
      tls_key_file: "{{ vault_cert_dir }}/api-key.pem"
 vault_secret_shares: 1
 vault_secret_threshold: 1
 vault_ca_options:
  vault:
    common_name: vault
    format: pem
    ttl: "{{ vault_max_lease_ttl }}"
    exclude_cn_from_sans: true
  etcd:
    common_name: etcd
    format: pem
    ttl: "{{ vault_max_lease_ttl }}"
    exclude_cn_from_sans: true
  kube:
    common_name: kube
    format: pem
    ttl: "{{ vault_max_lease_ttl }}"
    exclude_cn_from_sans: true
 vault_client_headers:
  Accept: "application/json"
  Content-Type: "application/json"
 vault_etcd_cert_dir: /etc/ssl/etcd/ssl
 vault_etcd_mount_path: etcd
 vault_etcd_default_lease_ttl: 720h
 vault_etcd_max_lease_ttl: 87600h
 vault_etcd_role:
  name: etcd
  group: etcd
  policy_rules: default
  role_options: default
  mount_path: "{{ vault_etcd_mount_path }}"
 # kubernetes pki mount options
 vault_kube_cert_dir: "{{ kube_cert_dir }}"
 vault_kube_mount_path: kube
 vault_kube_default_lease_ttl: 720h
 vault_kube_max_lease_ttl: 87600h
 vault_kube_role:
  name: kube
  group: k8s-cluster
  policy_rules: default
  role_options: default
  mount_path: "{{ vault_kube_mount_path }}"
 vault_kube_cert_dir: /etc/kubernetes/ssl
 vault_pki_mounts:
  vault:
    name: vault
    default_lease_ttl: "{{ vault_default_lease_ttl }}"
    max_lease_ttl: "{{ vault_max_lease_ttl }}"
    description: "Vault Root CA"
    cert_dir: "{{ vault_cert_dir }}"
    roles:
      - name: vault
        group: vault
        password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'vault') | to_uuid }}"
        policy_rules: default
        role_options: default
  etcd:
    name: etcd
    default_lease_ttl: "{{ vault_default_lease_ttl }}"
    max_lease_ttl: "{{ vault_max_lease_ttl }}"
    description: "Etcd Root CA"
    cert_dir: "{{ vault_etcd_cert_dir }}"
    roles:
      - name: etcd
        group: etcd
        password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'etcd') | to_uuid }}"
        policy_rules: default
        role_options:
          allow_any_name: true
          enforce_hostnames: false
          organization: "kube:etcd"
  kube:
    name: kube
    default_lease_ttl: "{{ vault_default_lease_ttl }}"
    max_lease_ttl: "{{ vault_max_lease_ttl }}"
    description: "Kubernetes Root CA"
    cert_dir: "{{ vault_kube_cert_dir }}"
    roles:
      - name: kube-master
        group: kube-master
        password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'kube-master') | to_uuid }}"
        policy_rules: default
        role_options:
          allow_any_name: true
          enforce_hostnames: false
          organization: "system:masters"
      - name: kube-node
        group: k8s-cluster
        password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'kube-node') | to_uuid }}"
        policy_rules: default
        role_options:
          allow_any_name: true
          enforce_hostnames: false
          organization: "system:nodes"
      - name: kube-proxy
        group: k8s-cluster
        password: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S' + cluster_name + 'kube-proxy') | to_uuid }}"
        policy_rules: default
        role_options:
          allow_any_name: true
          enforce_hostnames: false
          organization: "system:node-proxier"
--- a/roles/vault/tasks/bootstrap/create_etcd_role.yml
+++ b/roles/vault/tasks/bootstrap/create_etcd_role.yml
@ -1,17 +0,0 @@
 ---
 - include: ../shared/auth_backend.yml
  vars:
    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
    auth_backend_path: userpass
    auth_backend_type: userpass
  delegate_to: "{{ groups.vault|first }}"
  run_once: true
 - include: ../shared/create_role.yml
  vars:
    create_role_name: "{{ vault_etcd_role.name }}"
    create_role_group: "{{ vault_etcd_role.group }}"
    create_role_policy_rules: "{{ vault_etcd_role.policy_rules }}"
    create_role_options: "{{ vault_etcd_role.role_options }}"
    create_role_mount_path: "{{ vault_etcd_role.mount_path }}"
  when: inventory_hostname in groups.etcd
--- a/roles/vault/tasks/bootstrap/create_mounts.yml
+++ b/roles/vault/tasks/bootstrap/create_mounts.yml
@ -0,0 +1,12 @@
 ---
 - include: ../shared/create_mount.yml
  vars:
    create_mount_path: "{{ item.name }}"
    create_mount_default_lease_ttl: "{{ item.default_lease_ttl }}"
    create_mount_max_lease_ttl: "{{ item.max_lease_ttl }}"
    create_mount_description: "{{ item.description }}"
    create_mount_cert_dir: "{{ item.cert_dir }}"
    create_mount_config_ca_needed: "{{ item.config_ca }}"
  with_items:
    - "{{ vault_pki_mounts.vault|combine({'config_ca': not vault_ca_cert_needed}) }}"
    - "{{ vault_pki_mounts.etcd|combine({'config_ca': not vault_etcd_ca_cert_needed}) }}"
--- a/roles/vault/tasks/bootstrap/create_roles.yml
+++ b/roles/vault/tasks/bootstrap/create_roles.yml
@ -0,0 +1,10 @@
 ---
 - include: ../shared/create_role.yml
  vars:
    create_role_name: "{{ item.name }}"
    create_role_group: "{{ item.group }}"
    create_role_policy_rules: "{{ item.policy_rules }}"
    create_role_password: "{{ item.password }}"
    create_role_options: "{{ item.role_options }}"
    create_role_mount_path: "{{ mount.name }}"
  with_items: "{{ mount.roles }}"
--- a/roles/vault/tasks/bootstrap/gen_vault_certs.yml
+++ b/roles/vault/tasks/bootstrap/gen_vault_certs.yml
@ -1,29 +1,21 @@
 ---
 - name: boostrap/gen_vault_certs | Add the vault role
  uri:
    url: "{{ vault_leader_url }}/v1/{{ vault_ca_options.common_name }}/roles/vault"
    headers: "{{ vault_headers }}"
    method: POST
    body_format: json
    body: "{{ vault_default_role_permissions }}"
    status_code: 204
  when: inventory_hostname == groups.vault|first and vault_api_cert_needed
 - include: ../shared/issue_cert.yml
  vars:
    issue_cert_common_name: "{{ vault_pki_mounts.vault.roles[0].name }}"
    issue_cert_alt_names: "{{ groups.vault + ['localhost'] }}"
    issue_cert_hosts: "{{ groups.vault }}"
    issue_cert_ip_sans: >-
        [
        {%- for host in groups.vault -%}
        "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
        {%- if hostvars[host]['ip'] is defined -%}
        "{{ hostvars[host]['ip'] }}",
        {%- endif -%}
        {%- endfor -%}
        "127.0.0.1","::1"
        ]
    issue_cert_mount_path: "{{ vault_ca_options.common_name }}"
    issue_cert_mount_path: "{{ vault_pki_mounts.vault.name }}"
    issue_cert_path: "{{ vault_cert_dir }}/api.pem"
    issue_cert_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
    issue_cert_role: vault
    issue_cert_role: "{{ vault_pki_mounts.vault.roles[0].name }}"
    issue_cert_url: "{{ vault_leader_url }}"
  when: vault_api_cert_needed
--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
@ -1,5 +1,4 @@
 ---
 - include: ../shared/check_vault.yml
  when: inventory_hostname in groups.vault
@ -9,72 +8,57 @@
 - include: ../shared/find_leader.yml
  when: inventory_hostname in groups.vault and vault_cluster_is_initialized|d()
 ## Sync Certs
 - include: sync_vault_certs.yml
  when: inventory_hostname in groups.vault
 - include: sync_etcd_certs.yml
  when: inventory_hostname in groups.etcd
 ## Generate Certs
 # Start a temporary instance of Vault
 - include: start_vault_temp.yml
  when: >-
        inventory_hostname == groups.vault|first and
        not vault_cluster_is_initialized
  when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized
 # Set vault_leader_url for all nodes based on above
 - name: vault | bootstrap
 - name: vault | Set fact about vault leader url
  set_fact:
    vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
  when: not vault_cluster_is_initialized
 # Ensure vault PKI mounts exists
 - include: ../shared/create_mount.yml
  vars:
    create_mount_path: "{{ vault_ca_options.common_name }}"
    create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
    create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
    create_mount_description: "Vault Root CA"
    create_mount_cert_dir: "{{ vault_cert_dir }}"
    create_mount_config_ca_needed: "{{ not vault_ca_cert_needed }}"
 - include: create_mounts.yml
  when: inventory_hostname == groups.vault|first
 # Generate root CA certs for Vault if none exist
 - include: ../shared/gen_ca.yml
 - include: ../shared/auth_backend.yml
  vars:
    gen_ca_cert_dir: "{{ vault_cert_dir }}"
    gen_ca_mount_path: "{{ vault_ca_options.common_name }}"
  when: >-
        inventory_hostname in groups.vault and
        not vault_cluster_is_initialized and
        vault_ca_cert_needed
    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
    auth_backend_path: userpass
    auth_backend_type: userpass
  when: inventory_hostname == groups.vault|first
 # Generate Vault API certs
 - include: gen_vault_certs.yml
  when: inventory_hostname in groups.vault and vault_api_cert_needed
 - include: create_roles.yml
  with_items:
    - "{{ vault_pki_mounts.vault }}"
    - "{{ vault_pki_mounts.etcd }}"
  loop_control:
    loop_var: mount
 # Ensure etcd PKI mounts exists
 - include: ../shared/create_mount.yml
 - include: ../shared/gen_ca.yml
  vars:
    create_mount_path: "{{ vault_etcd_mount_path }}"
    create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
    create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
    create_mount_description: "Etcd Root CA"
    create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
    create_mount_config_ca_needed: "{{ not vault_etcd_ca_cert_needed }}"
  when: inventory_hostname == groups.vault|first
    gen_ca_cert_dir: "{{ vault_pki_mounts.vault.cert_dir }}"
    gen_ca_mount_path: "{{ vault_pki_mounts.vault.name }}"
    gen_ca_vault_headers: "{{ vault_headers }}"
    gen_ca_vault_options: "{{ vault_ca_options.vault }}"
  when: >-
        inventory_hostname in groups.vault
        and not vault_cluster_is_initialized
        and vault_ca_cert_needed
 # Generate root CA certs for etcd if none exist
 - include: ../shared/gen_ca.yml
  vars:
    gen_ca_cert_dir: "{{ vault_etcd_cert_dir }}"
    gen_ca_mount_path: "{{ vault_etcd_mount_path }}"
    gen_ca_cert_dir: "{{ vault_pki_mounts.etcd.cert_dir }}"
    gen_ca_mount_path: "{{ vault_pki_mounts.etcd.name }}"
    gen_ca_vault_headers: "{{ vault_headers }}"
    gen_ca_vault_options: "{{ vault_ca_options.etcd }}"
  when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
 - include: create_etcd_role.yml
 - include: gen_vault_certs.yml
  when: inventory_hostname in groups.vault and vault_api_cert_needed
 # Update all host's CA bundle, etcd CA will be added in etcd role
 - include: ca_trust.yml
--- a/roles/vault/tasks/cluster/create_mounts.yml
+++ b/roles/vault/tasks/cluster/create_mounts.yml
@ -0,0 +1,13 @@
 ---
 - include: ../shared/create_mount.yml
  vars:
    create_mount_path: "{{ item.name }}"
    create_mount_default_lease_ttl: "{{ item.default_lease_ttl }}"
    create_mount_max_lease_ttl: "{{ item.max_lease_ttl }}"
    create_mount_description: "{{ item.description }}"
    create_mount_cert_dir: "{{ item.cert_dir }}"
    create_mount_config_ca_needed: "{{ item.name != vault_pki_mounts.kube.name }}"
  with_items:
    - "{{ vault_pki_mounts.vault }}"
    - "{{ vault_pki_mounts.etcd }}"
    - "{{ vault_pki_mounts.kube }}"
--- a/roles/vault/tasks/cluster/create_roles.yml
+++ b/roles/vault/tasks/cluster/create_roles.yml
@ -1,18 +1,10 @@
 ---
 - include: ../shared/auth_backend.yml
  vars:
    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
    auth_backend_path: userpass
    auth_backend_type: userpass
  when: inventory_hostname == groups.vault|first
 - include: ../shared/create_role.yml
  vars:
    create_role_name: "{{ item.name }}"
    create_role_group: "{{ item.group }}"
    create_role_password: "{{ item.password }}"
    create_role_policy_rules: "{{ item.policy_rules }}"
    create_role_options: "{{ item.role_options }}"
    create_role_mount_path: "{{ item.mount_path }}"
  with_items:
    - "{{ vault_etcd_role }}"
    - "{{ vault_kube_role }}"
    create_role_mount_path: "{{ vault_pki_mounts.kube.name }}"
  with_items: "{{ vault_pki_mounts.kube.roles }}"
--- a/roles/vault/tasks/cluster/main.yml
+++ b/roles/vault/tasks/cluster/main.yml
@ -5,8 +5,6 @@
 - include: ../shared/check_etcd.yml
  when: inventory_hostname in groups.vault
 ## Vault Cluster Setup
 - include: configure.yml
  when: inventory_hostname in groups.vault
@ -25,42 +23,22 @@
 - include: ../shared/find_leader.yml
  when: inventory_hostname in groups.vault
 - include: ../shared/create_mount.yml
  vars:
    create_mount_path: "{{ vault_ca_options.common_name }}"
    create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
    create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
    create_mount_description: "Vault Root CA"
    create_mount_cert_dir: "{{ vault_cert_dir }}"
    create_mount_config_ca_needed: true
  when: inventory_hostname == groups.vault|first
 - include: ../shared/create_mount.yml
  vars:
    create_mount_path: "{{ vault_etcd_mount_path }}"
    create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
    create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
    create_mount_description: "Etcd Root CA"
    create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
    create_mount_config_ca_needed: true
  when: inventory_hostname == groups.vault|first
 - include: ../shared/create_mount.yml
  vars:
    create_mount_path: "{{ vault_kube_mount_path }}"
    create_mount_default_lease_ttl: "{{ vault_kube_default_lease_ttl }}"
    create_mount_max_lease_ttl: "{{ vault_kube_max_lease_ttl }}"
    create_mount_description: "Kubernetes Root CA"
    create_mount_cert_dir: "{{ vault_kube_cert_dir }}"
    create_mount_config_ca_needed: false
 - include: create_mounts.yml
  when: inventory_hostname == groups.vault|first
 - include: ../shared/gen_ca.yml
  vars:
    gen_ca_cert_dir: "{{ vault_kube_cert_dir }}"
    gen_ca_mount_path: "{{ vault_kube_mount_path }}"
    gen_ca_cert_dir: "{{ vault_pki_mounts.kube.cert_dir }}"
    gen_ca_mount_path: "{{ vault_pki_mounts.kube.name }}"
    gen_ca_vault_headers: "{{ vault_headers }}"
    gen_ca_vault_options: "{{ vault_ca_options.kube }}"
  when: inventory_hostname in groups.vault
 ## Vault Policies, Roles, and Auth Backends
 - include: ../shared/auth_backend.yml
  vars:
    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
    auth_backend_path: userpass
    auth_backend_type: userpass
  when: inventory_hostname == groups.vault|first
 - include: create_roles.yml
--- a/roles/vault/tasks/shared/create_role.yml
+++ b/roles/vault/tasks/shared/create_role.yml
@ -1,5 +1,4 @@
 ---
 # The JSON inside JSON here is intentional (Vault API wants it)
 - name: create_role | Create a policy for the new role allowing issuing
  uri:
@ -22,7 +21,7 @@
    status_code: 204
  when: inventory_hostname == groups[create_role_group]|first
 - name: create_role | Create the new role in the {{ create_role_mount_path }} pki mount
 - name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
  uri:
    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
    headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
@ -42,7 +41,7 @@
 - include: gen_userpass.yml
  vars:
    gen_userpass_group: "{{ create_role_group }}"
    gen_userpass_password: "{{ create_role_password|d(''|to_uuid) }}"
    gen_userpass_password: "{{ create_role_password }}"
    gen_userpass_policies: "{{ create_role_name }}"
    gen_userpass_role: "{{ create_role_name }}"
    gen_userpass_username: "{{ create_role_name }}"
--- a/roles/vault/tasks/shared/gen_ca.yml
+++ b/roles/vault/tasks/shared/gen_ca.yml
@ -8,10 +8,10 @@
 - name: "bootstrap/gen_ca | Generate {{ gen_ca_mount_path }} root CA"
  uri:
    url: "{{ vault_leader_url }}/v1/{{ gen_ca_mount_path }}/root/generate/exported"
    headers: "{{ vault_headers }}"
    headers: "{{ gen_ca_vault_headers }}"
    method: POST
    body_format: json
    body: "{{ vault_ca_options }}"
    body: "{{ gen_ca_vault_options }}"
  register: vault_ca_gen
  delegate_to: "{{ groups.vault|first }}"
  run_once: true
--- a/roles/vault/tasks/shared/gen_userpass.yml
+++ b/roles/vault/tasks/shared/gen_userpass.yml
@ -1,5 +1,4 @@
 ---
 - name: shared/gen_userpass | Create the Username/Password combo for the role
  uri:
    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/users/{{ gen_userpass_username }}"
--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@ -11,7 +11,6 @@
 #   issue_cert_file_mode:   Mode of the placed cert file
 #   issue_cert_file_owner:  Owner of the placed cert file and directory
 #   issue_cert_format:      Format for returned data. Can be pem, der, or pem_bundle
 #   issue_cert_headers:     Headers passed into the issue request
 #   issue_cert_hosts:       List of hosts to distribute the cert to
 #   issue_cert_ip_sans:     Requested IP Subject Alternative Names, in a list
 #   issue_cert_mount_path:  Mount point in Vault to make the request to
@ -27,7 +26,47 @@
    mode: "{{ issue_cert_dir_mode | d('0755') }}"
    owner: "{{ issue_cert_file_owner | d('root') }}"
 - name: "issue_cert | Generate the cert for {{ issue_cert_role }}"
 - name: "issue_cert | Read in the local credentials"
  command: cat {{ vault_roles_dir }}/{{ issue_cert_role }}/userpass
  register: vault_creds_cat
  delegate_to: "{{ issue_cert_hosts|first }}"
  run_once: true
 - name: gen_certs_vault | Set facts for read Vault Creds
  set_fact:
    user_vault_creds: "{{ vault_creds_cat.stdout|from_json }}"
  delegate_to: "{{ issue_cert_hosts|first }}"
  run_once: true
 - name: gen_certs_vault | Log into Vault and obtain an token
  uri:
    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/login/{{ user_vault_creds.username }}"
    headers:
      Accept: application/json
      Content-Type: application/json
    method: POST
    body_format: json
    body:
      password: "{{ user_vault_creds.password }}"
  register: vault_login_result
  delegate_to: "{{ issue_cert_hosts|first }}"
  run_once: true
 - name: gen_certs_vault | Set fact for vault_client_token
  set_fact:
    vault_client_token: "{{ vault_login_result.get('json', {}).get('auth', {}).get('client_token') }}"
  run_once: true
 - name: gen_certs_vault | Set fact for Vault API token
  set_fact:
    issue_cert_headers:
      Accept: application/json
      Content-Type: application/json
      X-Vault-Token: "{{ vault_client_token }}"
  run_once: true
  when: vault_client_token != ""
 - name: "issue_cert | Generate {{ issue_cert_path }} for {{ issue_cert_role }} role"
  uri:
    url: "{{ issue_cert_url }}/v1/{{ issue_cert_mount_path|d('pki') }}/issue/{{ issue_cert_role }}"
    headers: "{{ issue_cert_headers }}"
@ -70,7 +109,7 @@
 - name: issue_cert | Copy certificate serial to all hosts
  copy:
    content: "{{ hostvars[issue_cert_hosts|first]['issue_cert_result']['json']['data']['serial_number'] }}"
    dest: "{{ issue_cert_path.rsplit('.', 1)|first }}.serial }}"
    dest: "{{ issue_cert_path.rsplit('.', 1)|first }}.serial"
    group: "{{ issue_cert_file_group | d('root' )}}"
    mode: "{{ issue_cert_file_mode | d('0640') }}"
    owner: "{{ issue_cert_file_owner | d('root') }}"