Vault security hardening and role isolation

roles/vault/tasks/bootstrap/ca_trust.yml

@@ -1,12 +1,12 @@
 ---
 
-- name: trust_ca | pull CA from cert from groups.vault|first
+- name: bootstrap/ca_trust | pull CA from cert from groups.vault|first
   command: "cat {{ vault_cert_dir }}/ca.pem"
   register: vault_cert_file_cat
   when: inventory_hostname == groups.vault|first
 
 # This part is mostly stolen from the etcd role
-- name: trust_ca | target ca-certificate store file
+- name: bootstrap/ca_trust | target ca-certificate store file
   set_fact:
     ca_cert_path: >-
       {% if ansible_os_family == "Debian" -%}
@@ -17,16 +17,16 @@
       /etc/ssl/certs/kube-cluster-ca.pem
       {%- endif %}
 
-- name: trust_ca | add CA to trusted CA dir
+- name: bootstrap/ca_trust | add CA to trusted CA dir
   copy:
     content: "{{ hostvars[groups.vault|first]['vault_cert_file_cat']['stdout'] }}"
     dest: "{{ ca_cert_path }}"
   register: vault_ca_cert
 
-- name: trust_ca | update ca-certificates (Debian/Ubuntu/CoreOS)
+- name: bootstrap/ca_trust | update ca-certificates (Debian/Ubuntu/CoreOS)
   command: update-ca-certificates
   when: vault_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS"]
 
-- name: trust_ca | update ca-certificates (RedHat)
+- name: bootstrap/ca_trust | update ca-certificates (RedHat)
   command: update-ca-trust extract
   when: vault_ca_cert.changed and ansible_os_family == "RedHat"

roles/vault/tasks/bootstrap/create_etcd_role.yml

@@ -0,0 +1,10 @@
+---
+
+- include: ../shared/create_role.yml
+  vars:
+    create_role_name: "{{ item.name }}" 
+    create_role_group: "{{ item.group }}"
+    create_role_policy_rules: "{{ item.policy_rules }}"
+    create_role_options: "{{ item.role_options }}"
+  with_items: "{{ vault_roles }}"
+  when: item.name == "etcd"

roles/vault/tasks/bootstrap/gen_auth_ca.yml

@@ -0,0 +1,21 @@
+---
+
+- name: bootstrap/gen_auth_ca | Generate Root CA
+  uri:
+    url: "{{ vault_leader_url }}/v1/auth-pki/root/generate/exported"
+    headers: "{{ vault_headers }}"
+    method: POST
+    body_format: json
+    body: "{{ vault_ca_options }}"
+  register: vault_auth_ca_gen
+  when: inventory_hostname == groups.vault|first
+
+- name: bootstrap/gen_auth_ca | Copy auth CA cert to Vault nodes
+  copy:
+    content: "{{ hostvars[groups.vault|first]['vault_auth_ca_gen']['json']['data']['certificate'] }}"
+    dest: "{{ vault_cert_dir }}/auth-ca.pem"
+
+- name: bootstrap/gen_auth_ca | Copy auth CA key to Vault nodes
+  copy:
+    content: "{{ hostvars[groups.vault|first]['vault_auth_ca_gen']['json']['data']['private_key'] }}"
+    dest: "{{ vault_cert_dir }}/auth-ca-key.pem"

roles/vault/tasks/bootstrap/gen_ca.yml

@@ -0,0 +1,31 @@
+---
+
+- name: bootstrap/gen_ca | Ensure vault_cert_dir exists
+  file:
+    mode: 0755
+    path: "{{ vault_cert_dir }}"
+    state: directory
+
+- name: bootstrap/gen_ca | Generate Root CA in vault-temp
+  uri:
+    url: "{{ vault_leader_url }}/v1/pki/root/generate/exported"
+    headers: "{{ vault_headers }}"
+    method: POST
+    body_format: json
+    body: "{{ vault_ca_options }}"
+  register: vault_ca_gen
+  when: inventory_hostname == groups.vault|first and vault_ca_cert_needed
+
+- name: bootstrap/gen_ca | Copy root CA cert locally
+  copy:
+    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['certificate'] }}"
+    dest: "{{ vault_cert_dir }}/ca.pem"
+    mode: 0644
+  when: vault_ca_cert_needed
+
+- name: bootstrap/gen_ca | Copy root CA key locally
+  copy:
+    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['private_key'] }}"
+    dest: "{{ vault_cert_dir }}/ca-key.pem"
+    mode: 0640
+  when: vault_ca_cert_needed

roles/vault/tasks/bootstrap/gen_etcd_certs.yml

@@ -1,29 +0,0 @@
----
-
-- name: bootstrap/gen_etcd_certs | Add the etcd role
-  uri:
-    url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}/v1/pki/roles/etcd"
-    headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    method: POST
-    body_format: json
-    body:
-      allow_any_name: true
-    status_code: 204
-  when: inventory_hostname == groups.etcd|first
-
-- include: ../gen_cert.yml
-  vars:
-    gen_cert_alt_names: "{{ groups.etcd | join(',') }},localhost"
-    gen_cert_copy_ca: "{{ true if item == vault_etcd_certs_needed|first else false }}"
-    gen_cert_hosts: "{{ groups.etcd }}"
-    gen_cert_ip_sans: >-
-        {%- for host in groups.etcd  -%}
-        {{ hostvars[host]["ansible_default_ipv4"]["address"] }}
-        {%- if not loop.last -%},{%- endif -%}
-        {%- endfor -%}
-        ,127.0.0.1,::1
-    gen_cert_path: "{{ item }}"
-    gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    gen_cert_vault_role: etcd
-    gen_cert_vault_url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}"
-  with_items: "{{ vault_etcd_certs_needed|default([]) }}"

roles/vault/tasks/bootstrap/gen_etcd_node_certs.yml

@@ -1,29 +0,0 @@
----
-
-- name: bootstrap/gen_etcd_node_certs | Add the etcd role
-  uri:
-    url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}/v1/pki/roles/etcd"
-    headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    method: POST
-    body_format: json
-    body:
-      allow_any_name: true
-    status_code: 204
-  when: inventory_hostname == groups["k8s-cluster"]|first
-
-- include: ../gen_cert.yml
-  vars:
-    gen_cert_alt_names: "{{ groups['k8s-cluster'] | union(groups.etcd) | join(',') }},localhost"
-    gen_cert_copy_ca: "{{ true if item == vault_etcd_node_certs_needed|first else false }}"
-    gen_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.etcd) }}"
-    gen_cert_ip_sans: >-
-        {%- for host in groups["k8s-cluster"] | union(groups.etcd) -%}
-        {{ hostvars[host]["ansible_default_ipv4"]["address"] }}
-        {%- if not loop.last -%},{%- endif -%}
-        {%- endfor -%}
-        ,127.0.0.1,::1
-    gen_cert_path: "{{ item }}"
-    gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    gen_cert_vault_role: etcd
-    gen_cert_vault_url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}"
-  with_items: "{{ vault_etcd_node_certs_needed|default([]) }}"

roles/vault/tasks/bootstrap/gen_vault_certs.yml

@@ -1,47 +1,8 @@
 ---
 
-- name: bootstrap/gen_vault_certs | Ensure vault_cert_dir exists
-  file:
-    path: "{{ vault_cert_dir }}"
-    state: directory
-
-- name: bootstrap/gen_vault_certs | Generate Root CA in vault-temp
-  uri:
-    url: "http://localhost:{{ vault_temp_port }}/v1/pki/root/generate/exported"
-    headers: "{{ vault_headers }}"
-    method: POST
-    body_format: json
-    body: "{{ vault_ca_options }}"
-  register: vault_ca_gen
-  when: inventory_hostname == groups.vault|first and vault_ca_cert_needed
-
-- name: bootstrap/gen_vault_certs | Set facts for ca cert and key
-  set_fact:
-    vault_ca_cert: "{{ vault_ca_gen.json.data.certificate }}"
-    vault_ca_key: "{{ vault_ca_gen.json.data.private_key }}"
-  when: inventory_hostname == groups.vault|first and vault_ca_cert_needed
-
-- name: bootstrap/gen_vault_certs | Set cert and key facts for all hosts other than groups.vault|first
-  set_fact:
-    vault_ca_cert: "{{ hostvars[groups.vault|first]['vault_ca_cert'] }}"
-    vault_ca_key: "{{ hostvars[groups.vault|first]['vault_ca_key'] }}"
-  when: inventory_hostname != groups.vault|first and vault_ca_cert_needed
-
-- name: bootstrap/gen_vault_certs | Copy root CA cert locally
-  copy:
-    content: "{{ vault_ca_cert }}"
-    dest: "{{ vault_cert_dir }}/ca.pem"
-  when: vault_ca_cert_needed
-
-- name: bootstrap/gen_vault_certs | Copy root CA key locally
-  copy:
-    content: "{{vault_ca_key}}"
-    dest: "{{vault_cert_dir}}/ca-key.pem"
-  when: vault_ca_cert_needed
-
 - name: boostrap/gen_vault_certs | Add the vault role
   uri:
-    url: "http://localhost:{{ vault_temp_port }}/v1/pki/roles/vault"
+    url: "{{ vault_leader_url }}/v1/pki/roles/vault"
     headers: "{{ vault_headers }}"
     method: POST
     body_format: json
@@ -49,18 +10,19 @@
     status_code: 204
   when: inventory_hostname == groups.vault|first and vault_api_cert_needed
 
-- include: ../gen_cert.yml
+- include: ../shared/issue_cert.yml
   vars:
-    gen_cert_alt_names: "{{ groups.vault | join(',') }},localhost"
-    gen_cert_hosts: "{{ groups.vault }}"
-    gen_cert_ip_sans: >-
+    issue_cert_alt_names: "{{ groups.vault + ['localhost'] }}"
+    issue_cert_hosts: "{{ groups.vault }}"
+    issue_cert_ip_sans: >-
+        [
         {%- for host in groups.vault -%}
-        {{ hostvars[host]["ansible_default_ipv4"]["address"] }}
-        {%- if not loop.last -%},{%- endif -%}
+        "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
         {%- endfor -%}
-        ,127.0.0.1,::1
-    gen_cert_path: "{{ vault_cert_dir }}/api.pem"
-    gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    gen_cert_vault_role: vault
-    gen_cert_vault_url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}"
+        "127.0.0.1","::1"
+        ]
+    issue_cert_path: "{{ vault_cert_dir }}/api.pem"
+    issue_cert_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
+    issue_cert_role: vault
+    issue_cert_url: "{{ vault_leader_url }}"
   when: vault_api_cert_needed

roles/vault/tasks/bootstrap/main.yml

@@ -1,60 +1,58 @@
 ---
 
+- include: ../shared/check_vault.yml
+  when: inventory_hostname in groups.vault
+- include: sync_secrets.yml
+  when: inventory_hostname in groups.vault
+- include: ../shared/find_leader.yml
+  when: inventory_hostname in groups.vault and vault_cluster_is_initialized|d()
+
 ## Sync Certs
 
-- include: bootstrap/sync_vault_certs.yml
+- include: sync_vault_certs.yml
   when: inventory_hostname in groups.vault
 
-- include: bootstrap/sync_etcd_certs.yml
-  when: inventory_hostname in groups.etcd
-
-- include: bootstrap/sync_etcd_node_certs.yml
-  when: inventory_hostname in groups["k8s-cluster"] | union(groups.etcd)
-
 ## Generate Certs
 
 # Start a temporary instance of Vault
-- include: bootstrap/start_vault_temp.yml
-  when: >-
-        ( hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 or
-        hostvars[groups.etcd|first].get("vault_etcd_node_certs_needed", [])|length > 0 or
-        hostvars[groups.vault|first]["vault_ca_cert_needed"] ) and
-        inventory_hostname == groups.vault|first
-
-# Generate root CA certs for Vault if none exist
-- include: bootstrap/gen_vault_certs.yml
-  when: >-
-        ( hostvars[groups.vault|first]["vault_ca_cert_needed"] or
-        hostvars[groups.vault|first]["vault_api_cert_needed"] ) and
-        inventory_hostname in groups.vault
-
-# Change vault-temp's issuing CA to use existing ca.pem/ca-key.pem
-- include: config_ca.yml
-  vars:
-    vault_url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}"
-  when: >-
-        ( hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 or
-        hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0 or
-        hostvars[groups.vault|first]["vault_api_cert_needed"] ) and
-        not hostvars[groups.vault|first]["vault_ca_cert_needed"] and
-        inventory_hostname == groups.vault|first
-
-# Generate etcd certs for etcd cluster members
-- include: bootstrap/gen_etcd_certs.yml
-  when: >- 
-        hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 and
-        inventory_hostname in groups.etcd
-
-# Generate etcd node certs for all k8s-cluster
-- include: bootstrap/gen_etcd_node_certs.yml
-  when: >-
-        hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0 and
-        inventory_hostname in groups["k8s-cluster"] | union(groups.etcd)
-
-# Stop temporary vault
-- include: bootstrap/stop_vault_temp.yml
+- include: start_vault_temp.yml
   when: >-
         inventory_hostname == groups.vault|first and
-        hostvars[groups.vault|first]["vault_temp_start"]|succeeded
+        not vault_cluster_is_initialized
 
+# NOTE: The next 2 steps run against temp Vault and long-term Vault
+
+# Ensure PKI mount exists
+- include: ../shared/pki_mount.yml
+  when: >-
+        inventory_hostname == groups.vault|first
+
+# If the Root CA already exists, ensure Vault's PKI is using it
+- include: ../shared/config_ca.yml
+  vars:
+    ca_name: ca
+    mount_name: pki
+  when: >-
+        inventory_hostname == groups.vault|first and
+        not vault_ca_cert_needed
+
+# Generate root CA certs for Vault if none exist
+- include: gen_ca.yml
+  when: >-
+        inventory_hostname in groups.vault and
+        not vault_cluster_is_initialized and
+        vault_ca_cert_needed
+
+# Generate Vault API certs
+- include: gen_vault_certs.yml
+  when: inventory_hostname in groups.vault and vault_api_cert_needed
+
+# Update all host's CA bundle
 - include: ca_trust.yml
+
+## Add Etcd Role to Vault (if needed)
+
+- include: role_auth_cert.yml
+  when: vault_role_auth_method == "cert"
+- include: role_auth_userpass.yml
+  when: vault_role_auth_method == "userpass"

roles/vault/tasks/bootstrap/role_auth_cert.yml

@@ -0,0 +1,25 @@
+---
+
+- include: ../shared/sync_auth_certs.yml
+  when: inventory_hostname in groups.vault
+
+- include: ../shared/cert_auth_mount.yml
+  when: inventory_hostname == groups.vault|first
+
+- include: ../shared/auth_backend.yml
+  vars:
+    auth_backend_description: A Cert-based Auth primarily for services needing to issue certificates
+    auth_backend_name: cert
+    auth_backend_type: cert
+  when: inventory_hostname == groups.vault|first
+
+- include: gen_auth_ca.yml
+  when: inventory_hostname in groups.vault and vault_auth_ca_cert_needed
+
+- include: ../shared/config_ca.yml
+  vars:
+    ca_name: auth-ca
+    mount_name: auth-pki
+  when: inventory_hostname == groups.vault|first and not vault_auth_ca_cert_needed
+- include: create_etcd_role.yml
+  when: inventory_hostname in groups.etcd

roles/vault/tasks/bootstrap/role_auth_userpass.yml

@@ -0,0 +1,10 @@
+---
+
+- include: ../shared/auth_backend.yml
+  vars:
+    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
+    auth_backend_path: userpass
+    auth_backend_type: userpass
+  when: inventory_hostname == groups.vault|first
+- include: create_etcd_role.yml
+  when: inventory_hostname in groups.etcd

roles/vault/tasks/bootstrap/start_vault_temp.yml

@@ -1,21 +1,21 @@
 ---
 
-- name: boostrap/start_vault_temp | Ensure vault-temp isn't already running
-  shell: if docker rm -f vault-temp 2>&1 1>/dev/null;then echo true;else echo false;fi
+- name: bootstrap/start_vault_temp | Ensure vault-temp isn't already running
+  shell: if docker rm -f {{ vault_temp_container_name }} 2>&1 1>/dev/null;then echo true;else echo false;fi
   register: vault_temp_stop_check
   changed_when: "{{ 'true' in vault_temp_stop_check.stdout }}"
 
 - name: bootstrap/start_vault_temp | Start single node Vault with file backend
   command: >
-           docker run -d --cap-add=IPC_LOCK --name vault-temp -p {{ vault_temp_port }}:{{ vault_temp_port }}
+           docker run -d --cap-add=IPC_LOCK --name {{ vault_temp_container_name }}
+           -p {{ vault_port }}:{{ vault_port }}
            -e 'VAULT_LOCAL_CONFIG={{ vault_temp_config|to_json }}'
            -v /etc/vault:/etc/vault
            {{ vault_image_repo }}:{{ vault_version }} server
-  register: vault_temp_start
 
 - name: bootstrap/start_vault_temp | Initialize vault-temp
   uri:
-    url: "http://localhost:{{ vault_temp_port }}/v1/sys/init"
+    url: "http://localhost:{{ vault_port }}/v1/sys/init"
     headers: "{{ vault_client_headers }}"
     method: PUT
     body_format: json
@@ -24,32 +24,20 @@
       secret_threshold: 1
   register: vault_temp_init
 
-# NOTE: vault_headers and vault_url are used by subsequent gen_cert calls
+# NOTE: vault_headers and vault_url are used by subsequent issue calls
 - name: bootstrap/start_vault_temp | Set needed vault facts
   set_fact:
+    vault_leader_url: "http://{{ inventory_hostname }}:{{ vault_port }}"
     vault_temp_unseal_keys: "{{ vault_temp_init.json['keys'] }}"
     vault_temp_root_token: "{{ vault_temp_init.json.root_token }}"
     vault_headers: "{{ vault_client_headers|combine({'X-Vault-Token': vault_temp_init.json.root_token}) }}"
 
 - name: bootstrap/start_vault_temp | Unseal vault-temp
   uri:
-    url: "http://localhost:{{ vault_temp_port }}/v1/sys/unseal"
+    url: "http://localhost:{{ vault_port }}/v1/sys/unseal"
     headers: "{{ vault_headers }}"
     method: POST
     body_format: json
     body:
       key: "{{ item }}"
   with_items: "{{ vault_temp_unseal_keys|default([]) }}"
-
-- name: bootstrap/start_vault_temp | Create new PKI mount
-  uri:
-    url: "http://localhost:{{ vault_temp_port }}/v1/sys/mounts/pki"
-    headers: "{{ vault_headers }}"
-    method: POST
-    body_format: json
-    body:
-      config:
-        default_lease_ttl: "{{ vault_default_lease_ttl }}"
-        max_lease_ttl: "{{ vault_max_lease_ttl }}"
-      type: pki
-    status_code: 204

roles/vault/tasks/bootstrap/stop_vault_temp.yml

@@ -1,4 +0,0 @@
----
-
-- name: stop vault-temp container
-  command: docker stop vault-temp

roles/vault/tasks/bootstrap/sync_etcd_certs.yml

@@ -1,38 +0,0 @@
----
-
-- name: bootstrap/sync_etcd_certs | Create list of certs needing creation
-  set_fact: 
-    vault_etcd_cert_list: >-
-        {{ vault_etcd_cert_list|default([]) +  [
-        "admin-" + item + ".pem",
-        "member-" + item + ".pem"
-        ] }}
-  with_items: "{{ groups.etcd }}"
-
-- include: ../sync_file.yml
-  vars: 
-    sync_file: "{{ item }}"
-    sync_file_dir: "{{ etcd_cert_dir }}"
-    sync_file_hosts: "{{ groups.etcd }}"
-    sync_file_is_cert: true
-  with_items: "{{ vault_etcd_cert_list|default([]) }}"
-
-- name: bootstrap/sync_etcd_certs | Set facts for etcd sync_file results
-  set_fact:
-    vault_etcd_certs_needed: "{{ vault_etcd_certs_needed|default([]) + [item.path] }}"
-  with_items: "{{ sync_file_results }}"
-  when: item.no_srcs|bool
-
-- name: bootstrap/sync_etcd_certs | Unset sync_file_results after etcd certs sync
-  set_fact:
-    sync_file_results: []
-
-- include: ../sync_file.yml
-  vars:
-    sync_file: ca.pem
-    sync_file_dir: "{{ etcd_cert_dir }}"
-    sync_file_hosts: "{{ groups.etcd }}"
-
-- name: bootstrap/sync_etcd_certs | Unset sync_file_results after ca.pem sync
-  set_fact:
-    sync_file_results: []

roles/vault/tasks/bootstrap/sync_etcd_node_certs.yml

@@ -1,34 +0,0 @@
----
-
-- name: bootstrap/sync_etcd_node_certs | Create list of certs needing creation
-  set_fact: 
-    vault_etcd_node_cert_list: "{{ vault_etcd_node_cert_list|default([]) +  ['node-' + item + '.pem'] }}"
-  with_items: "{{ groups['k8s-cluster'] | union(groups.etcd) }}"
-
-- include: ../sync_file.yml
-  vars: 
-    sync_file: "{{ item }}"
-    sync_file_dir: "{{ etcd_cert_dir }}"
-    sync_file_hosts: "{{ groups['k8s-cluster'] | union(groups.etcd) }}"
-    sync_file_is_cert: true
-  with_items: "{{ vault_etcd_node_cert_list|default([]) }}"
-
-- name: bootstrap/sync_etcd_node_certs | Set facts for etcd sync_file results
-  set_fact:
-    vault_etcd_node_certs_needed: "{{ vault_etcd_node_certs_needed|default([]) + [item.path] }}"
-  with_items: "{{ sync_file_results }}"
-  when: item.no_srcs|bool
-
-- name: bootstrap/sync_etcd_node_certs | Unset sync_file_results after etcd node certs
-  set_fact:
-    sync_file_results: []
-
-- include: ../sync_file.yml
-  vars: 
-    sync_file: ca.pem
-    sync_file_dir: "{{ etcd_cert_dir }}"
-    sync_file_hosts: "{{ groups['k8s-cluster']| union(groups.etcd) }}"
-
-- name: bootstrap/sync_etcd_node_certs | Unset sync_file_results after ca.pem
-  set_fact:
-    sync_file_results: []

roles/vault/tasks/bootstrap/sync_secrets.yml

@@ -0,0 +1,48 @@
+---
+
+- include: ../shared/sync_file.yml
+  vars:
+    sync_file: "{{ item }}"
+    sync_file_dir: "{{ vault_secrets_dir }}"
+    sync_file_hosts: "{{ groups.vault }}"
+  with_items:
+    - root_token
+    - unseal_keys
+
+- name: bootstrap/sync_secrets | Set fact based on sync_file_results
+  set_fact:
+    vault_secrets_available: "{{ vault_secrets_available|default(true) and not item.no_srcs }}"
+  with_items: "{{ sync_file_results|d([]) }}"
+
+- name: bootstrap/sync_secrets | Reset sync_file_results to avoid variable bleed
+  set_fact:
+    sync_file_results: []
+
+- name: bootstrap/sync_secrets | Print out warning message if secrets are not available and vault is initialized
+  pause:
+    prompt: >
+         Vault orchestration may not be able to proceed. The Vault cluster is initialzed, but
+         'root_token' or 'unseal_keys' were not found in {{ vault_secrets_dir }}. These are
+         needed for many vault orchestration steps.
+  when: vault_cluster_is_initialized and not vault_secrets_available
+
+- name: bootstrap/sync_secrets | Cat root_token from a vault host
+  command: "cat {{ vault_secrets_dir }}/root_token"
+  register: vault_root_token_cat
+  when: vault_secrets_available and inventory_hostname == groups.vault|first
+
+- name: bootstrap/sync_secrets | Cat unseal_keys from a vault host
+  command: "cat {{ vault_secrets_dir }}/unseal_keys"
+  register: vault_unseal_keys_cat
+  when: vault_secrets_available and inventory_hostname == groups.vault|first
+
+- name: bootstrap/sync_secrets | Set needed facts for Vault API interaction when Vault is already running
+  set_fact:
+    vault_root_token: "{{ hostvars[groups.vault|first]['vault_root_token_cat']['stdout'] }}"
+    vault_unseal_keys: "{{ hostvars[groups.vault|first]['vault_unseal_keys_cat']['stdout_lines'] }}"
+  when: vault_secrets_available
+
+- name: bootstrap/sync_secrets | Update vault_headers if we have the root_token
+  set_fact:
+    vault_headers: "{{ vault_client_headers | combine({'X-Vault-Token': vault_root_token}) }}"
+  when: vault_secrets_available

roles/vault/tasks/bootstrap/sync_vault_certs.yml

@@ -1,21 +1,21 @@
 ---
 
-- include: ../sync_file.yml
+- include: ../shared/sync_file.yml
   vars:
     sync_file: "ca.pem"
     sync_file_dir: "{{ vault_cert_dir }}"
     sync_file_hosts: "{{ groups.vault }}"
     sync_file_is_cert: true
 
-- name: "bootstrap/sync_vault_certs | Set facts for vault sync_file results"
+- name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
   set_fact:
-    vault_ca_cert_needed: "{{ true if sync_file_results|length > 0 else false }}"
+    vault_ca_cert_needed: "{{ sync_file_results[0]['no_srcs'] }}"
 
 - name: bootstrap/sync_vault_certs | Unset sync_file_results after ca.pem sync
   set_fact:
     sync_file_results: []
 
-- include: ../sync_file.yml
+- include: ../shared/sync_file.yml
   vars:
     sync_file: "api.pem"
     sync_file_dir: "{{ vault_cert_dir }}"
@@ -24,7 +24,7 @@
 
 - name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed
   set_fact:
-    vault_api_cert_needed: "{{ true if sync_file_results|length > 0 else false }}"
+    vault_api_cert_needed: "{{ sync_file_results[0]['no_srcs'] }}"
 
 - name: bootstrap/sync_vault_certs | Unset sync_file_results after api.pem sync
   set_fact: