Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552)

* Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
2026-02-03 10:38:19 -03:30 · 2017-08-30 16:03:22 +03:00
parent 72a0d78b3c
commit 6eb22c5db2
36 changed files with 337 additions and 329 deletions
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -26,3 +26,5 @@ etcd_memory_limit: 512M
 etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr', [])) }}"

 etcd_compaction_retention: "8"
+
+etcd_vault_mount_path: etcd
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -161,30 +161,3 @@
    owner: kube
    mode: "u=rwX,g-rwx,o-rwx"
    recurse: yes
-
- name: Gen_certs | target ca-certificate store file
-  set_fact:
-    ca_cert_path: |-
-      {% if ansible_os_family == "Debian" -%}
-      /usr/local/share/ca-certificates/etcd-ca.crt
-      {%- elif ansible_os_family == "RedHat" -%}
-      /etc/pki/ca-trust/source/anchors/etcd-ca.crt
-      {%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
-      /etc/ssl/certs/etcd-ca.pem
-      {%- endif %}
-  tags: facts
-
- name: Gen_certs | add CA to trusted CA dir
-  copy:
-    src: "{{ etcd_cert_dir }}/ca.pem"
-    dest: "{{ ca_cert_path }}"
-    remote_src: true
-  register: etcd_ca_cert
-
- name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS)
-  command: update-ca-certificates
-  when: etcd_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Container Linux by CoreOS"]
-
- name: Gen_certs | update ca-certificates (RedHat)
-  command: update-ca-trust extract
-  when: etcd_ca_cert.changed and ansible_os_family == "RedHat"
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@@ -66,6 +66,7 @@
    issue_cert_path: "{{ item }}"
    issue_cert_role: etcd
    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
+    issue_cert_mount_path: "{{ etcd_vault_mount_path }}"
  with_items: "{{ etcd_master_certs_needed|d([]) }}"
  when: inventory_hostname in groups.etcd
  notify: set etcd_secret_changed
@@ -92,6 +93,7 @@
    issue_cert_path: "{{ item }}"
    issue_cert_role: etcd
    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
+    issue_cert_mount_path: "{{ etcd_vault_mount_path }}"
  with_items: "{{ etcd_node_certs_needed|d([]) }}"
  when: inventory_hostname in etcd_node_cert_hosts
  notify: set etcd_secret_changed
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -10,6 +10,9 @@
 - include: "gen_certs_{{ cert_management }}.yml"
  tags: etcd-secrets

+- include: upd_ca_trust.yml
+  tags: etcd-secrets
+
 - include: "install_{{ etcd_deployment_type }}.yml"
  when: is_etcd_master
  tags: upgrade
--- a/roles/etcd/tasks/upd_ca_trust.yml
+++ b/roles/etcd/tasks/upd_ca_trust.yml
@@ -0,0 +1,27 @@
+---
+- name: Gen_certs | target ca-certificate store file
+  set_fact:
+    ca_cert_path: |-
+      {% if ansible_os_family == "Debian" -%}
+      /usr/local/share/ca-certificates/etcd-ca.crt
+      {%- elif ansible_os_family == "RedHat" -%}
+      /etc/pki/ca-trust/source/anchors/etcd-ca.crt
+      {%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
+      /etc/ssl/certs/etcd-ca.pem
+      {%- endif %}
+  tags: facts
+
+- name: Gen_certs | add CA to trusted CA dir
+  copy:
+    src: "{{ etcd_cert_dir }}/ca.pem"
+    dest: "{{ ca_cert_path }}"
+    remote_src: true
+  register: etcd_ca_cert
+
+- name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS)
+  command: update-ca-certificates
+  when: etcd_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Container Linux by CoreOS"]
+
+- name: Gen_certs | update ca-certificates (RedHat)
+  command: update-ca-trust extract
+  when: etcd_ca_cert.changed and ansible_os_family == "RedHat"
--- a/roles/kubernetes/secrets/defaults/main.yml
+++ b/roles/kubernetes/secrets/defaults/main.yml
@@ -1,2 +1,3 @@
 ---
 kube_cert_group: kube-cert
+kube_vault_mount_path: kube
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -166,30 +166,3 @@
    owner: kube
    mode: "u=rwX,g-rwx,o-rwx"
    recurse: yes
-
- name: Gen_certs | target ca-certificates path
-  set_fact:
-    ca_cert_path: |-
-      {% if ansible_os_family == "Debian" -%}
-      /usr/local/share/ca-certificates/kube-ca.crt
-      {%- elif ansible_os_family == "RedHat" -%}
-      /etc/pki/ca-trust/source/anchors/kube-ca.crt
-      {%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
-      /etc/ssl/certs/kube-ca.pem
-      {%- endif %}
-  tags: facts
-
- name: Gen_certs | add CA to trusted CA dir
-  copy:
-    src: "{{ kube_cert_dir }}/ca.pem"
-    dest: "{{ ca_cert_path }}"
-    remote_src: true
-  register: kube_ca_cert
-
- name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS)
-  command: update-ca-certificates
-  when: kube_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Container Linux by CoreOS"]
-
- name: Gen_certs | update ca-certificates (RedHat)
-  command: update-ca-trust extract
-  when: kube_ca_cert.changed and ansible_os_family == "RedHat"
--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
@@ -49,17 +49,29 @@
    issue_cert_path: "{{ item }}"
    issue_cert_role: kube
    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
+    issue_cert_mount_path: "{{ kube_vault_mount_path }}"
  with_items: "{{ kube_master_certs_needed|d([]) }}"
  when: inventory_hostname in groups['kube-master']

+- name: gen_certs_vault | Set fact about certificate alt names
+  set_fact:
+    kube_cert_alt_names: >-
+      {{
+      groups['kube-master'] +
+      ['kubernetes.default.svc.cluster.local', 'kubernetes.default.svc', 'kubernetes.default', 'kubernetes'] +
+      ['localhost']
+      }}
+  run_once: true
+
+- name: gen_certs_vault | Add external load balancer domain name to certificate alt names
+  set_fact:
+    kube_cert_alt_names: "{{ kube_cert_alt_names + [apiserver_loadbalancer_domain_name] }}"
+  when: loadbalancer_apiserver is defined and apiserver_loadbalancer_domain_name is defined
+  run_once: true
+
 - include: ../../../vault/tasks/shared/issue_cert.yml
  vars:
-    issue_cert_alt_names: >-
-        {{
-        groups['kube-master'] +
-        ['kubernetes.default.svc.cluster.local', 'kubernetes.default.svc', 'kubernetes.default', 'kubernetes'] +
-        ['localhost']
-        }}
+    issue_cert_alt_names: "{{ kube_cert_alt_names }}"
    issue_cert_file_group: "{{ kube_cert_group }}"
    issue_cert_file_owner: kube
    issue_cert_headers: "{{ kube_vault_headers }}"
@@ -77,8 +89,10 @@
    issue_cert_path: "{{ item }}"
    issue_cert_role: kube
    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
+    issue_cert_mount_path: "{{ kube_vault_mount_path }}"
  with_items: "{{ kube_master_components_certs_needed|d([]) }}"
  when: inventory_hostname in groups['kube-master']
+  notify: set secret_changed

 # Issue node certs to k8s-cluster nodes
 - include: ../../../vault/tasks/shared/issue_cert.yml
@@ -91,6 +105,7 @@
    issue_cert_path: "{{ item }}"
    issue_cert_role: kube
    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
+    issue_cert_mount_path: "{{ kube_vault_mount_path }}"
  with_items: "{{ kube_node_certs_needed|d([]) }}"
  when: inventory_hostname in groups['k8s-cluster']

@@ -104,5 +119,6 @@
    issue_cert_path: "{{ item }}"
    issue_cert_role: kube
    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
+    issue_cert_mount_path: "{{ kube_vault_mount_path }}"
  with_items: "{{ kube_proxy_certs_needed|d([]) }}"
  when: inventory_hostname in groups['k8s-cluster']
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -72,5 +72,8 @@
 - include: "gen_certs_{{ cert_management }}.yml"
  tags: k8s-secrets

+- include: upd_ca_trust.yml
+  tags: k8s-secrets
+
 - include: gen_tokens.yml
  tags: k8s-secrets
--- a/roles/kubernetes/secrets/tasks/upd_ca_trust.yml
+++ b/roles/kubernetes/secrets/tasks/upd_ca_trust.yml
@@ -0,0 +1,27 @@
+---
+- name: Gen_certs | target ca-certificates path
+  set_fact:
+    ca_cert_path: |-
+      {% if ansible_os_family == "Debian" -%}
+      /usr/local/share/ca-certificates/kube-ca.crt
+      {%- elif ansible_os_family == "RedHat" -%}
+      /etc/pki/ca-trust/source/anchors/kube-ca.crt
+      {%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
+      /etc/ssl/certs/kube-ca.pem
+      {%- endif %}
+  tags: facts
+
+- name: Gen_certs | add CA to trusted CA dir
+  copy:
+    src: "{{ kube_cert_dir }}/ca.pem"
+    dest: "{{ ca_cert_path }}"
+    remote_src: true
+  register: kube_ca_cert
+
+- name: Gen_certs | update ca-certificates (Debian/Ubuntu/Container Linux by CoreOS)
+  command: update-ca-certificates
+  when: kube_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Container Linux by CoreOS"]
+
+- name: Gen_certs | update ca-certificates (RedHat)
+  command: update-ca-trust extract
+  when: kube_ca_cert.changed and ansible_os_family == "RedHat"
--- a/roles/reset/tasks/main.yml
+++ b/roles/reset/tasks/main.yml
@@ -17,6 +17,7 @@
  with_items:
    - kubelet
    - etcd
+    - vault
  register: services_removed
  tags: ['services']

@@ -86,10 +87,15 @@
    - /run/flannel
    - /etc/flannel
    - /run/kubernetes
-    - /usr/local/share/ca-certificates/kube-ca.crt
    - /usr/local/share/ca-certificates/etcd-ca.crt
-    - /etc/ssl/certs/kube-ca.pem
+    - /usr/local/share/ca-certificates/kube-ca.crt
+    - /usr/local/share/ca-certificates/vault-ca.crt
    - /etc/ssl/certs/etcd-ca.pem
+    - /etc/ssl/certs/kube-ca.pem
+    - /etc/ssl/certs/vault-ca.crt
+    - /etc/pki/ca-trust/source/anchors/etcd-ca.crt
+    - /etc/pki/ca-trust/source/anchors/kube-ca.crt
+    - /etc/pki/ca-trust/source/anchors/vault-ca.crt
    - /etc/vault
    - /var/log/pods/
    - "{{ bin_dir }}/kubelet"
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -8,10 +8,11 @@ vault_adduser_vars:
  system: yes
 vault_base_dir: /etc/vault
 # https://releases.hashicorp.com/vault/0.6.4/vault_0.6.4_SHA256SUMS
+vault_version: 0.6.4
 vault_binary_checksum: 04d87dd553aed59f3fe316222217a8d8777f40115a115dac4d88fac1611c51a6
 vault_bootstrap: false
 vault_ca_options:
-  common_name: kube-cluster-ca
+  common_name: vault
  format: pem
  ttl: 87600h
 vault_cert_dir: "{{ vault_base_dir }}/ssl"
@@ -24,7 +25,7 @@ vault_config:
      address: "{{ vault_etcd_url }}"
      ha_enabled: "true"
      redirect_addr: "https://{{ ansible_default_ipv4.address }}:{{ vault_port }}"
-      tls_ca_file: "{{ vault_cert_dir }}/ca.pem"
+      tls_ca_file: "{{ vault_etcd_cert_dir }}/ca.pem"
  cluster_name: "kubernetes-vault"
  default_lease_ttl: "{{ vault_default_lease_ttl }}"
  listener:
@@ -61,18 +62,6 @@ vault_log_dir: "/var/log/vault"
 vault_max_lease_ttl: 87600h
 vault_needs_gen: false
 vault_port: 8200
-# Although "cert" is an option, ansible has no way to auth via cert until
-# upstream merges: https://github.com/ansible/ansible/pull/18141
-vault_role_auth_method: userpass
-vault_roles:
-  - name: etcd
-    group: etcd
-    policy_rules: default
-    role_options: default
-  - name: kube
-    group: k8s-cluster
-    policy_rules: default
-    role_options: default
 vault_roles_dir: "{{ vault_base_dir }}/roles"
 vault_secret_shares: 1
 vault_secret_threshold: 1
@@ -88,4 +77,25 @@ vault_temp_config:
      tls_disable: "true"
  max_lease_ttl: "{{ vault_max_lease_ttl }}"
 vault_temp_container_name: vault-temp
-vault_version: 0.6.4
+# etcd pki mount options
+vault_etcd_cert_dir: /etc/ssl/etcd/ssl
+vault_etcd_mount_path: etcd
+vault_etcd_default_lease_ttl: 720h
+vault_etcd_max_lease_ttl: 87600h
+vault_etcd_role:
+  name: etcd
+  group: etcd
+  policy_rules: default
+  role_options: default
+  mount_path: "{{ vault_etcd_mount_path }}"
+# kubernetes pki mount options
+vault_kube_cert_dir: "{{ kube_cert_dir }}"
+vault_kube_mount_path: kube
+vault_kube_default_lease_ttl: 720h
+vault_kube_max_lease_ttl: 87600h
+vault_kube_role:
+  name: kube
+  group: k8s-cluster
+  policy_rules: default
+  role_options: default
+  mount_path: "{{ vault_kube_mount_path }}"
--- a/roles/vault/tasks/bootstrap/ca_trust.yml
+++ b/roles/vault/tasks/bootstrap/ca_trust.yml
@@ -10,11 +10,11 @@
  set_fact:
    ca_cert_path: >-
      {% if ansible_os_family == "Debian" -%}
-      /usr/local/share/ca-certificates/kube-cluster-ca.crt
+      /usr/local/share/ca-certificates/vault-ca.crt
      {%- elif ansible_os_family == "RedHat" -%}
-      /etc/pki/ca-trust/source/anchors/kube-cluster-ca.crt
+      /etc/pki/ca-trust/source/anchors/vault-ca.crt
      {%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
-      /etc/ssl/certs/kube-cluster-ca.pem
+      /etc/ssl/certs/vault-ca.pem
      {%- endif %}

 - name: bootstrap/ca_trust | add CA to trusted CA dir
--- a/roles/vault/tasks/bootstrap/create_etcd_role.yml
+++ b/roles/vault/tasks/bootstrap/create_etcd_role.yml
@@ -1,9 +1,17 @@
 ---
+- include: ../shared/auth_backend.yml
+  vars:
+    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
+    auth_backend_path: userpass
+    auth_backend_type: userpass
+  delegate_to: "{{ groups.vault|first }}"
+  run_once: true
+
 - include: ../shared/create_role.yml
  vars:
-    create_role_name: "{{ item.name }}"
-    create_role_group: "{{ item.group }}"
-    create_role_policy_rules: "{{ item.policy_rules }}"
-    create_role_options: "{{ item.role_options }}"
-  with_items: "{{ vault_roles }}"
-  when: item.name == "etcd"
+    create_role_name: "{{ vault_etcd_role.name }}"
+    create_role_group: "{{ vault_etcd_role.group }}"
+    create_role_policy_rules: "{{ vault_etcd_role.policy_rules }}"
+    create_role_options: "{{ vault_etcd_role.role_options }}"
+    create_role_mount_path: "{{ vault_etcd_role.mount_path }}"
+  when: inventory_hostname in groups.etcd
--- a/roles/vault/tasks/bootstrap/gen_auth_ca.yml
+++ b/roles/vault/tasks/bootstrap/gen_auth_ca.yml
@@ -1,21 +0,0 @@
---
-
- name: bootstrap/gen_auth_ca | Generate Root CA
-  uri:
-    url: "{{ vault_leader_url }}/v1/auth-pki/root/generate/exported"
-    headers: "{{ vault_headers }}"
-    method: POST
-    body_format: json
-    body: "{{ vault_ca_options }}"
-  register: vault_auth_ca_gen
-  when: inventory_hostname == groups.vault|first
-
- name: bootstrap/gen_auth_ca | Copy auth CA cert to Vault nodes
-  copy:
-    content: "{{ hostvars[groups.vault|first]['vault_auth_ca_gen']['json']['data']['certificate'] }}"
-    dest: "{{ vault_cert_dir }}/auth-ca.pem"
-
- name: bootstrap/gen_auth_ca | Copy auth CA key to Vault nodes
-  copy:
-    content: "{{ hostvars[groups.vault|first]['vault_auth_ca_gen']['json']['data']['private_key'] }}"
-    dest: "{{ vault_cert_dir }}/auth-ca-key.pem"
--- a/roles/vault/tasks/bootstrap/gen_ca.yml
+++ b/roles/vault/tasks/bootstrap/gen_ca.yml
@@ -1,31 +0,0 @@
---
-
- name: bootstrap/gen_ca | Ensure vault_cert_dir exists
-  file:
-    mode: 0755
-    path: "{{ vault_cert_dir }}"
-    state: directory
-
- name: bootstrap/gen_ca | Generate Root CA in vault-temp
-  uri:
-    url: "{{ vault_leader_url }}/v1/pki/root/generate/exported"
-    headers: "{{ vault_headers }}"
-    method: POST
-    body_format: json
-    body: "{{ vault_ca_options }}"
-  register: vault_ca_gen
-  when: inventory_hostname == groups.vault|first and vault_ca_cert_needed
-
- name: bootstrap/gen_ca | Copy root CA cert locally
-  copy:
-    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['certificate'] }}"
-    dest: "{{ vault_cert_dir }}/ca.pem"
-    mode: 0644
-  when: vault_ca_cert_needed
-
- name: bootstrap/gen_ca | Copy root CA key locally
-  copy:
-    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['private_key'] }}"
-    dest: "{{ vault_cert_dir }}/ca-key.pem"
-    mode: 0640
-  when: vault_ca_cert_needed
--- a/roles/vault/tasks/bootstrap/gen_vault_certs.yml
+++ b/roles/vault/tasks/bootstrap/gen_vault_certs.yml
@@ -2,7 +2,7 @@

 - name: boostrap/gen_vault_certs | Add the vault role
  uri:
-    url: "{{ vault_leader_url }}/v1/pki/roles/vault"
+    url: "{{ vault_leader_url }}/v1/{{ vault_ca_options.common_name }}/roles/vault"
    headers: "{{ vault_headers }}"
    method: POST
    body_format: json
@@ -21,6 +21,7 @@
        {%- endfor -%}
        "127.0.0.1","::1"
        ]
+    issue_cert_mount_path: "{{ vault_ca_options.common_name }}"
    issue_cert_path: "{{ vault_cert_dir }}/api.pem"
    issue_cert_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
    issue_cert_role: vault
--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
@@ -14,6 +14,9 @@
 - include: sync_vault_certs.yml
  when: inventory_hostname in groups.vault

+- include: sync_etcd_certs.yml
+  when: inventory_hostname in groups.etcd
+
 ## Generate Certs

 # Start a temporary instance of Vault
@@ -28,24 +31,22 @@
    vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
  when: not vault_cluster_is_initialized

-# NOTE: The next 2 steps run against temp Vault and long-term Vault
-
-# Ensure PKI mount exists
- include: ../shared/pki_mount.yml
-  when: >-
-        inventory_hostname == groups.vault|first
-
-# If the Root CA already exists, ensure Vault's PKI is using it
- include: ../shared/config_ca.yml
+# Ensure vault PKI mounts exists
+- include: ../shared/create_mount.yml
  vars:
-    ca_name: ca
-    mount_name: pki
-  when: >-
-        inventory_hostname == groups.vault|first and
-        not vault_ca_cert_needed
+    create_mount_path: "{{ vault_ca_options.common_name }}"
+    create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
+    create_mount_description: "Vault Root CA"
+    create_mount_cert_dir: "{{ vault_cert_dir }}"
+    create_mount_config_ca_needed: "{{ not vault_ca_cert_needed }}"
+  when: inventory_hostname == groups.vault|first

 # Generate root CA certs for Vault if none exist
- include: gen_ca.yml
+- include: ../shared/gen_ca.yml
+  vars:
+    gen_ca_cert_dir: "{{ vault_cert_dir }}"
+    gen_ca_mount_path: "{{ vault_ca_options.common_name }}"
  when: >-
        inventory_hostname in groups.vault and
        not vault_cluster_is_initialized and
@@ -55,13 +56,25 @@
 - include: gen_vault_certs.yml
  when: inventory_hostname in groups.vault and vault_api_cert_needed

-# Update all host's CA bundle
+# Ensure etcd PKI mounts exists
+- include: ../shared/create_mount.yml
+  vars:
+    create_mount_path: "{{ vault_etcd_mount_path }}"
+    create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
+    create_mount_description: "Etcd Root CA"
+    create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
+    create_mount_config_ca_needed: "{{ not vault_etcd_ca_cert_needed }}"
+  when: inventory_hostname == groups.vault|first
+
+# Generate root CA certs for etcd if none exist
+- include: ../shared/gen_ca.yml
+  vars:
+    gen_ca_cert_dir: "{{ vault_etcd_cert_dir }}"
+    gen_ca_mount_path: "{{ vault_etcd_mount_path }}"
+  when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
+
+- include: create_etcd_role.yml
+
+# Update all host's CA bundle, etcd CA will be added in etcd role
 - include: ca_trust.yml
-
-## Add Etcd Role to Vault (if needed)
-
- include: role_auth_cert.yml
-  when: vault_role_auth_method == "cert"
-
- include: role_auth_userpass.yml
-  when: vault_role_auth_method == "userpass"
--- a/roles/vault/tasks/bootstrap/role_auth_cert.yml
+++ b/roles/vault/tasks/bootstrap/role_auth_cert.yml
@@ -1,26 +0,0 @@
---
-
- include: ../shared/sync_auth_certs.yml
-  when: inventory_hostname in groups.vault
-
- include: ../shared/cert_auth_mount.yml
-  when: inventory_hostname == groups.vault|first
-
- include: ../shared/auth_backend.yml
-  vars:
-    auth_backend_description: A Cert-based Auth primarily for services needing to issue certificates
-    auth_backend_name: cert
-    auth_backend_type: cert
-  when: inventory_hostname == groups.vault|first
-
- include: gen_auth_ca.yml
-  when: inventory_hostname in groups.vault and vault_auth_ca_cert_needed
-
- include: ../shared/config_ca.yml
-  vars:
-    ca_name: auth-ca
-    mount_name: auth-pki
-  when: inventory_hostname == groups.vault|first and not vault_auth_ca_cert_needed
-
- include: create_etcd_role.yml
-  when: inventory_hostname in groups.etcd
--- a/roles/vault/tasks/bootstrap/role_auth_userpass.yml
+++ b/roles/vault/tasks/bootstrap/role_auth_userpass.yml
@@ -1,11 +0,0 @@
---
-
- include: ../shared/auth_backend.yml
-  vars:
-    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
-    auth_backend_path: userpass
-    auth_backend_type: userpass
-  when: inventory_hostname == groups.vault|first
-
- include: create_etcd_role.yml
-  when: inventory_hostname in groups.etcd
--- a/roles/vault/tasks/bootstrap/sync_etcd_certs.yml
+++ b/roles/vault/tasks/bootstrap/sync_etcd_certs.yml
@@ -0,0 +1,16 @@
+---
+
+- include: ../shared/sync_file.yml
+  vars:
+    sync_file: "ca.pem"
+    sync_file_dir: "{{ vault_etcd_cert_dir }}"
+    sync_file_hosts: "{{ groups.etcd }}"
+    sync_file_is_cert: true
+
+- name: bootstrap/sync_etcd_certs | Set facts for etcd sync_file results
+  set_fact:
+    vault_etcd_ca_cert_needed: "{{ sync_file_results[0]['no_srcs'] }}"
+
+- name: bootstrap/sync_etcd_certs | Unset sync_file_results after ca.pem sync
+  set_fact:
+    sync_file_results: []
--- a/roles/vault/tasks/cluster/create_roles.yml
+++ b/roles/vault/tasks/cluster/create_roles.yml
@@ -1,4 +1,10 @@
 ---
+- include: ../shared/auth_backend.yml
+  vars:
+    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
+    auth_backend_path: userpass
+    auth_backend_type: userpass
+  when: inventory_hostname == groups.vault|first

 - include: ../shared/create_role.yml
  vars:
@@ -6,4 +12,7 @@
    create_role_group: "{{ item.group }}"
    create_role_policy_rules: "{{ item.policy_rules }}"
    create_role_options: "{{ item.role_options }}"
-  with_items: "{{ vault_roles|d([]) }}"
+    create_role_mount_path: "{{ item.mount_path }}"
+  with_items:
+    - "{{ vault_etcd_role }}"
+    - "{{ vault_kube_role }}"
--- a/roles/vault/tasks/cluster/main.yml
+++ b/roles/vault/tasks/cluster/main.yml
@@ -25,19 +25,42 @@
 - include: ../shared/find_leader.yml
  when: inventory_hostname in groups.vault

- include: ../shared/pki_mount.yml
+- include: ../shared/create_mount.yml
+  vars:
+    create_mount_path: "{{ vault_ca_options.common_name }}"
+    create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
+    create_mount_description: "Vault Root CA"
+    create_mount_cert_dir: "{{ vault_cert_dir }}"
+    create_mount_config_ca_needed: true
  when: inventory_hostname == groups.vault|first

- include: ../shared/config_ca.yml
+- include: ../shared/create_mount.yml
  vars:
-    ca_name: ca
-    mount_name: pki
+    create_mount_path: "{{ vault_etcd_mount_path }}"
+    create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
+    create_mount_description: "Etcd Root CA"
+    create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
+    create_mount_config_ca_needed: true
  when: inventory_hostname == groups.vault|first

+- include: ../shared/create_mount.yml
+  vars:
+    create_mount_path: "{{ vault_kube_mount_path }}"
+    create_mount_default_lease_ttl: "{{ vault_kube_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_kube_max_lease_ttl }}"
+    create_mount_description: "Kubernetes Root CA"
+    create_mount_cert_dir: "{{ vault_kube_cert_dir }}"
+    create_mount_config_ca_needed: false
+  when: inventory_hostname == groups.vault|first
+
+- include: ../shared/gen_ca.yml
+  vars:
+    gen_ca_cert_dir: "{{ vault_kube_cert_dir }}"
+    gen_ca_mount_path: "{{ vault_kube_mount_path }}"
+  when: inventory_hostname in groups.vault
+
 ## Vault Policies, Roles, and Auth Backends

- include: role_auth_cert.yml
-  when: vault_role_auth_method == "cert"
-
- include: role_auth_userpass.yml
-  when: vault_role_auth_method == "userpass"
+- include: create_roles.yml
--- a/roles/vault/tasks/cluster/role_auth_cert.yml
+++ b/roles/vault/tasks/cluster/role_auth_cert.yml
@@ -1,19 +0,0 @@
---
-
- include: ../shared/cert_auth_mount.yml
-  when: inventory_hostname == groups.vault|first
-
- include: ../shared/auth_backend.yml
-  vars:
-    auth_backend_description: A Cert-based Auth primarily for services needing to issue certificates
-    auth_backend_name: cert
-    auth_backend_type: cert
-  when: inventory_hostname == groups.vault|first
-
- include: ../shared/config_ca.yml
-  vars:
-    ca_name: auth-ca
-    mount_name: auth-pki
-  when: inventory_hostname == groups.vault|first
-
- include: create_roles.yml
--- a/roles/vault/tasks/cluster/role_auth_userpass.yml
+++ b/roles/vault/tasks/cluster/role_auth_userpass.yml
@@ -1,10 +0,0 @@
---
-
- include: ../shared/auth_backend.yml
-  vars:
-    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
-    auth_backend_path: userpass
-    auth_backend_type: userpass
-  when: inventory_hostname == groups.vault|first
-
- include: create_roles.yml
--- a/roles/vault/tasks/shared/cert_auth_mount.yml
+++ b/roles/vault/tasks/shared/cert_auth_mount.yml
@@ -1,14 +1,13 @@
 ---

- include: ../shared/mount.yml
+- include: ../shared/pki_mount.yml
  vars:
-    mount_name: auth-pki
-    mount_options:
+    pki_mount_path: auth-pki
+    pki_mount_options:
      description: PKI mount to generate certs for the Cert Auth Backend
      config:
        default_lease_ttl: "{{ vault_default_lease_ttl }}"
        max_lease_ttl: "{{ vault_max_lease_ttl }}"
-      type: pki

 - name: shared/auth_mount | Create a dummy role for issuing certs from auth-pki
  uri:
--- a/roles/vault/tasks/shared/config_ca.yml
+++ b/roles/vault/tasks/shared/config_ca.yml
@@ -1,12 +1,11 @@
 ---
-
 - name: config_ca | Read root CA cert for Vault
-  command: "cat /etc/vault/ssl/{{ ca_name }}.pem"
+  command: "cat {{ config_ca_ca_pem }}"
  register: vault_ca_cert_cat

 - name: config_ca | Pull current CA cert from Vault
  uri:
-    url: "{{ vault_leader_url }}/v1/{{ mount_name }}/ca/pem"
+    url: "{{ vault_leader_url }}/v1/{{ config_ca_mount_path }}/ca/pem"
    headers: "{{ vault_headers }}"
    return_content: true
    status_code: 200,204
@@ -14,13 +13,13 @@
  register: vault_pull_current_ca

 - name: config_ca | Read root CA key for Vault
-  command: "cat /etc/vault/ssl/{{ ca_name }}-key.pem"
+  command: "cat {{ config_ca_ca_key }}"
  register: vault_ca_key_cat
  when: vault_ca_cert_cat.stdout.strip() != vault_pull_current_ca.content.strip()

 - name: config_ca | Configure pki mount to use the found root CA cert and key
  uri:
-    url: "{{ vault_leader_url }}/v1/{{ mount_name }}/config/ca"
+    url: "{{ vault_leader_url }}/v1/{{ config_ca_mount_path }}/config/ca"
    headers: "{{ vault_headers }}"
    method: POST
    body_format: json
--- a/roles/vault/tasks/shared/create_mount.yml
+++ b/roles/vault/tasks/shared/create_mount.yml
@@ -0,0 +1,16 @@
+---
+- include: ../shared/pki_mount.yml
+  vars:
+    pki_mount_path: "{{ create_mount_path }}"
+    pki_mount_options:
+      config:
+        default_lease_ttl: "{{ create_mount_default_lease_ttl }}"
+        max_lease_ttl: "{{ create_mount_max_lease_ttl }}"
+      description: "{{ create_mount_description }}"
+
+- include: ../shared/config_ca.yml
+  vars:
+    config_ca_ca_pem: "{{ create_mount_cert_dir }}/ca.pem"
+    config_ca_ca_key: "{{ create_mount_cert_dir }}/ca-key.pem"
+    config_ca_mount_path: "{{ create_mount_path }}"
+  when: create_mount_config_ca_needed
--- a/roles/vault/tasks/shared/create_role.yml
+++ b/roles/vault/tasks/shared/create_role.yml
@@ -12,8 +12,8 @@
             {%- if create_role_policy_rules|d("default") == "default" -%}
             {{
             { 'path': {
-                 'pki/issue/' + create_role_name: {'policy': 'write'},
-                 'pki/roles/' + create_role_name: {'policy': 'read'}
+                 create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},
+                 create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}
             }} | to_json + '\n'
             }}
             {%- else -%}
@@ -22,9 +22,9 @@
    status_code: 204
  when: inventory_hostname == groups[create_role_group]|first

- name: create_role | Create the new role in the pki mount
+- name: create_role | Create the new role in the {{ create_role_mount_path }} pki mount
  uri:
-    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/pki/roles/{{ create_role_name }}"
+    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
    headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
    method: POST
    body_format: json
@@ -37,31 +37,6 @@
    status_code: 204
  when: inventory_hostname == groups[create_role_group]|first

-## Cert based auth method
-
- include: gen_cert.yml
-  vars:
-    gen_cert_copy_ca: true
-    gen_cert_hosts: "{{ groups[create_role_group] }}"
-    gen_cert_mount: "auth-pki"
-    gen_cert_path: "{{ vault_roles_dir }}/{{ create_role_name }}/issuer.pem"
-    gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    gen_cert_vault_role: "dummy"
-    gen_cert_vault_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
-  when: vault_role_auth_method == "cert" and inventory_hostname in groups[create_role_group]
-
- name: create_role | Insert the auth-pki CA as the authenticating CA for that role
-  uri:
-    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/cert/certs/{{ create_role_name }}"
-    headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    method: POST
-    body_format: json
-    body:
-      certificate: "{{ hostvars[groups[create_role_group]|first]['gen_cert_result']['json']['data']['issuing_ca'] }}"
-      policies: "{{ create_role_name }}"
-    status_code: 204
-  when: vault_role_auth_method == "cert" and inventory_hostname == groups[create_role_group]|first
-
 ## Userpass based auth method

 - include: gen_userpass.yml
@@ -71,4 +46,4 @@
    gen_userpass_policies: "{{ create_role_name }}"
    gen_userpass_role: "{{ create_role_name }}"
    gen_userpass_username: "{{ create_role_name }}"
-  when: vault_role_auth_method == "userpass" and inventory_hostname in groups[create_role_group]
+  when: inventory_hostname in groups[create_role_group]
--- a/roles/vault/tasks/shared/gen_ca.yml
+++ b/roles/vault/tasks/shared/gen_ca.yml
@@ -0,0 +1,29 @@
+---
+- name: "bootstrap/gen_ca | Ensure cert_dir {{ gen_ca_cert_dir }} exists"
+  file:
+    mode: 0755
+    path: "{{ gen_ca_cert_dir }}"
+    state: directory
+
+- name: "bootstrap/gen_ca | Generate {{ gen_ca_mount_path }} root CA"
+  uri:
+    url: "{{ vault_leader_url }}/v1/{{ gen_ca_mount_path }}/root/generate/exported"
+    headers: "{{ vault_headers }}"
+    method: POST
+    body_format: json
+    body: "{{ vault_ca_options }}"
+  register: vault_ca_gen
+  delegate_to: "{{ groups.vault|first }}"
+  run_once: true
+
+- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA cert locally"
+  copy:
+    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['certificate'] }}"
+    dest: "{{ gen_ca_cert_dir }}/ca.pem"
+    mode: 0644
+
+- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA key locally"
+  copy:
+    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['private_key'] }}"
+    dest: "{{ gen_ca_cert_dir }}/ca-key.pem"
+    mode: 0640
--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@@ -14,16 +14,11 @@
 #   issue_cert_headers:     Headers passed into the issue request
 #   issue_cert_hosts:       List of hosts to distribute the cert to
 #   issue_cert_ip_sans:     Requested IP Subject Alternative Names, in a list
-#   issue_cert_mount:       Mount point in Vault to make the request to
+#   issue_cert_mount_path:  Mount point in Vault to make the request to
 #   issue_cert_path:        Full path to the cert, include its name
 #   issue_cert_role:        The Vault role to issue the cert with
 #   issue_cert_url:         Url to reach Vault, including protocol and port

- name: issue_cert | debug who issues certs
-  debug:
-    msg: "{{ issue_cert_hosts }} issues certs"
-
-
 - name: issue_cert | Ensure target directory exists
  file:
    path: "{{ issue_cert_path | dirname }}"
@@ -34,7 +29,7 @@

 - name: "issue_cert | Generate the cert for {{ issue_cert_role }}"
  uri:
-    url: "{{ issue_cert_url }}/v1/{{ issue_cert_mount|d('pki') }}/issue/{{ issue_cert_role }}"
+    url: "{{ issue_cert_url }}/v1/{{ issue_cert_mount_path|d('pki') }}/issue/{{ issue_cert_role }}"
    headers: "{{ issue_cert_headers }}"
    method: POST
    body_format: json
@@ -45,11 +40,7 @@
      ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
  register: issue_cert_result
  delegate_to: "{{ issue_cert_hosts|first }}"
-
- name: issue_cert | results
-  debug:
-    msg: "{{ issue_cert_result }}"
-
+  run_once: true

 - name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
  copy:
--- a/roles/vault/tasks/shared/mount.yml
+++ b/roles/vault/tasks/shared/mount.yml
@@ -1,18 +0,0 @@
---
-
- name: shared/mount | Test if PKI mount exists
-  uri:
-    url: "{{ vault_leader_url }}/v1/sys/mounts/{{ mount_name }}/tune"
-    headers: "{{ vault_headers }}"
-  ignore_errors: true
-  register: vault_pki_mount_check
-
- name: shared/mount | Mount PKI mount if needed
-  uri:
-    url: "{{ vault_leader_url }}/v1/sys/mounts/{{ mount_name }}"
-    headers: "{{ vault_headers }}"
-    method: POST
-    body_format: json
-    body: "{{ mount_options|d() }}"
-    status_code: 204
-  when: vault_pki_mount_check|failed
--- a/roles/vault/tasks/shared/pki_mount.yml
+++ b/roles/vault/tasks/shared/pki_mount.yml
@@ -1,11 +1,27 @@
 ---
+- name: "shared/mount | Test if {{ pki_mount_path }} PKI mount exists"
+  uri:
+    url: "{{ vault_leader_url }}/v1/sys/mounts/{{ pki_mount_path }}/tune"
+    headers: "{{ vault_headers }}"
+  ignore_errors: true
+  register: vault_pki_mount_check

- include: mount.yml
-  vars:
-    mount_name: pki
-    mount_options:
-      config:
-        default_lease_ttl: "{{ vault_default_lease_ttl }}"
-        max_lease_ttl: "{{ vault_max_lease_ttl }}"
-      description: The default PKI mount for Kubernetes
-      type: pki
+- name: shared/mount | Set pki mount type
+  set_fact:
+    mount_options: "{{ pki_mount_options | combine({'type': 'pki'}) }}"
+  when: vault_pki_mount_check|failed
+
+- name: shared/mount | Mount {{ pki_mount_path }} PKI mount if needed
+  uri:
+    url: "{{ vault_leader_url }}/v1/sys/mounts/{{ pki_mount_path }}"
+    headers: "{{ vault_headers }}"
+    method: POST
+    body_format: json
+    body: "{{ mount_options|d() }}"
+    status_code: 204
+  when: vault_pki_mount_check|failed
+
+- name: shared/mount | Unset mount options
+  set_fact:
+    mount_options: {}
+  when: vault_pki_mount_check|failed
--- a/roles/vault/templates/docker.service.j2
+++ b/roles/vault/templates/docker.service.j2
@@ -21,6 +21,7 @@ ExecStart={{ docker_bin_dir }}/docker run \
 --cap-add=IPC_LOCK \
 -v {{ vault_cert_dir }}:{{ vault_cert_dir }} \
 -v {{ vault_config_dir }}:{{ vault_config_dir }} \
+-v {{ vault_etcd_cert_dir }}:{{ vault_etcd_cert_dir }} \
 -v {{ vault_log_dir }}:/vault/logs \
 -v {{ vault_roles_dir }}:{{ vault_roles_dir }} \
 -v {{ vault_secrets_dir }}:{{ vault_secrets_dir }} \
--- a/roles/vault/templates/rkt.service.j2
+++ b/roles/vault/templates/rkt.service.j2
@@ -24,6 +24,8 @@ ExecStart=/usr/bin/rkt run \
 --mount=volume=vault-secrets-dir,target={{ vault_secrets_dir }} \
 --volume=vault-roles-dir,kind=host,source={{ vault_roles_dir }} \
 --mount=volume=vault-roles-dir,target={{ vault_roles_dir }} \
+--volume=vault-etcd-cert-dir,kind=host,source={{ vault_etcd_cert_dir }} \
+--mount=volume=vault-etcd-cert-dir,target={{ vault_etcd_cert_dir }} \
 docker://{{ vault_image_repo }}:{{ vault_image_tag }} \
 --name={{ vault_container_name }} --net=host \
 --caps-retain=CAP_IPC_LOCK \