Vault security hardening and role isolation

roles/vault/tasks/cluster/main.yml

@@ -1,30 +1,35 @@
 ---
 
+- include: ../shared/check_vault.yml
+  when: inventory_hostname in groups.vault
+- include: ../shared/check_etcd.yml
+  when: inventory_hostname in groups.vault
+
 ## Vault Cluster Setup
 
-- include: docker.yml
-  when: inventory_hostname in groups.vault and vault_deployment_type == "docker"
+- include: configure.yml
+  when: inventory_hostname in groups.vault
+- include: binary.yml
+  when: inventory_hostname in groups.vault and vault_deployment_type == "host"
+- include: systemd.yml
+  when: inventory_hostname in groups.vault
 - include: init.yml
   when: inventory_hostname in groups.vault
 - include: unseal.yml
   when: inventory_hostname in groups.vault
-- include: pki_mount.yml
-  when: 'inventory_hostname == hostvars[groups.vault|first]["vault_leader"]'
-- include: config_ca.yml
+- include: ../shared/find_leader.yml
+  when: inventory_hostname in groups.vault
+- include: ../shared/pki_mount.yml 
+  when: inventory_hostname == groups.vault|first
+- include: ../shared/config_ca.yml
   vars:
-    vault_url: "https://{{ vault_leader }}:{{ vault_port }}"
-  when: 'inventory_hostname == hostvars[groups.vault|first]["vault_leader"]'
+    ca_name: ca
+    mount_name: pki
+  when: inventory_hostname == groups.vault|first
 
-## Sync Kubernetes Certs
+## Vault Policies, Roles, and Auth Backends
 
-- include: sync_kube_master_certs.yml
-  when: inventory_hostname in groups["kube-master"]
-- include: sync_kube_node_certs.yml
-  when: inventory_hostname in groups["k8s-cluster"]
-
-## Generate Kubernetes Certs
-
-- include: gen_kube_master_certs.yml
-  when: inventory_hostname in groups["kube-master"]
-- include: gen_kube_node_certs.yml
-  when: inventory_hostname in groups["k8s-cluster"]
+- include: role_auth_cert.yml
+  when: vault_role_auth_method == "cert"
+- include: role_auth_userpass.yml
+  when: vault_role_auth_method == "userpass"