Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552)

* Added update CA trust step for etcd and kube/secrets roles

* Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os.

* Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube.

* Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd.

* Fixed different certificates set for vault cert_managment

* Update doc/vault.md

* Fixed condition create vault CA, wrong group

* Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts

* Removed wrong when condition in create etcd role vault tasks.

roles/vault/tasks/bootstrap/ca_trust.yml

@@ -10,11 +10,11 @@
   set_fact:
     ca_cert_path: >-
       {% if ansible_os_family == "Debian" -%}
-      /usr/local/share/ca-certificates/kube-cluster-ca.crt
+      /usr/local/share/ca-certificates/vault-ca.crt
       {%- elif ansible_os_family == "RedHat" -%}
-      /etc/pki/ca-trust/source/anchors/kube-cluster-ca.crt
+      /etc/pki/ca-trust/source/anchors/vault-ca.crt
       {%- elif ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] -%}
-      /etc/ssl/certs/kube-cluster-ca.pem
+      /etc/ssl/certs/vault-ca.pem
       {%- endif %}
 
 - name: bootstrap/ca_trust | add CA to trusted CA dir

roles/vault/tasks/bootstrap/create_etcd_role.yml

@@ -1,9 +1,17 @@
 ---
+- include: ../shared/auth_backend.yml
+  vars:
+    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
+    auth_backend_path: userpass
+    auth_backend_type: userpass
+  delegate_to: "{{ groups.vault|first }}"
+  run_once: true
+
 - include: ../shared/create_role.yml
   vars:
-    create_role_name: "{{ item.name }}"
-    create_role_group: "{{ item.group }}"
-    create_role_policy_rules: "{{ item.policy_rules }}"
-    create_role_options: "{{ item.role_options }}"
-  with_items: "{{ vault_roles }}"
-  when: item.name == "etcd"
+    create_role_name: "{{ vault_etcd_role.name }}"
+    create_role_group: "{{ vault_etcd_role.group }}"
+    create_role_policy_rules: "{{ vault_etcd_role.policy_rules }}"
+    create_role_options: "{{ vault_etcd_role.role_options }}"
+    create_role_mount_path: "{{ vault_etcd_role.mount_path }}"
+  when: inventory_hostname in groups.etcd

roles/vault/tasks/bootstrap/gen_auth_ca.yml

@@ -1,21 +0,0 @@
----
-
-- name: bootstrap/gen_auth_ca | Generate Root CA
-  uri:
-    url: "{{ vault_leader_url }}/v1/auth-pki/root/generate/exported"
-    headers: "{{ vault_headers }}"
-    method: POST
-    body_format: json
-    body: "{{ vault_ca_options }}"
-  register: vault_auth_ca_gen
-  when: inventory_hostname == groups.vault|first
-
-- name: bootstrap/gen_auth_ca | Copy auth CA cert to Vault nodes
-  copy:
-    content: "{{ hostvars[groups.vault|first]['vault_auth_ca_gen']['json']['data']['certificate'] }}"
-    dest: "{{ vault_cert_dir }}/auth-ca.pem"
-
-- name: bootstrap/gen_auth_ca | Copy auth CA key to Vault nodes
-  copy:
-    content: "{{ hostvars[groups.vault|first]['vault_auth_ca_gen']['json']['data']['private_key'] }}"
-    dest: "{{ vault_cert_dir }}/auth-ca-key.pem"

roles/vault/tasks/bootstrap/gen_ca.yml

@@ -1,31 +0,0 @@
----
-
-- name: bootstrap/gen_ca | Ensure vault_cert_dir exists
-  file:
-    mode: 0755
-    path: "{{ vault_cert_dir }}"
-    state: directory
-
-- name: bootstrap/gen_ca | Generate Root CA in vault-temp
-  uri:
-    url: "{{ vault_leader_url }}/v1/pki/root/generate/exported"
-    headers: "{{ vault_headers }}"
-    method: POST
-    body_format: json
-    body: "{{ vault_ca_options }}"
-  register: vault_ca_gen
-  when: inventory_hostname == groups.vault|first and vault_ca_cert_needed
-
-- name: bootstrap/gen_ca | Copy root CA cert locally
-  copy:
-    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['certificate'] }}"
-    dest: "{{ vault_cert_dir }}/ca.pem"
-    mode: 0644
-  when: vault_ca_cert_needed
-
-- name: bootstrap/gen_ca | Copy root CA key locally
-  copy:
-    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['private_key'] }}"
-    dest: "{{ vault_cert_dir }}/ca-key.pem"
-    mode: 0640
-  when: vault_ca_cert_needed

roles/vault/tasks/bootstrap/gen_vault_certs.yml

@@ -2,7 +2,7 @@
 
 - name: boostrap/gen_vault_certs | Add the vault role
   uri:
-    url: "{{ vault_leader_url }}/v1/pki/roles/vault"
+    url: "{{ vault_leader_url }}/v1/{{ vault_ca_options.common_name }}/roles/vault"
     headers: "{{ vault_headers }}"
     method: POST
     body_format: json
@@ -21,6 +21,7 @@
         {%- endfor -%}
         "127.0.0.1","::1"
         ]
+    issue_cert_mount_path: "{{ vault_ca_options.common_name }}"
     issue_cert_path: "{{ vault_cert_dir }}/api.pem"
     issue_cert_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
     issue_cert_role: vault

roles/vault/tasks/bootstrap/main.yml

@@ -14,6 +14,9 @@
 - include: sync_vault_certs.yml
   when: inventory_hostname in groups.vault
 
+- include: sync_etcd_certs.yml
+  when: inventory_hostname in groups.etcd
+
 ## Generate Certs
 
 # Start a temporary instance of Vault
@@ -28,24 +31,22 @@
     vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
   when: not vault_cluster_is_initialized
 
-# NOTE: The next 2 steps run against temp Vault and long-term Vault
-
-# Ensure PKI mount exists
-- include: ../shared/pki_mount.yml
-  when: >-
-        inventory_hostname == groups.vault|first
-
-# If the Root CA already exists, ensure Vault's PKI is using it
-- include: ../shared/config_ca.yml
+# Ensure vault PKI mounts exists
+- include: ../shared/create_mount.yml
   vars:
-    ca_name: ca
-    mount_name: pki
-  when: >-
-        inventory_hostname == groups.vault|first and
-        not vault_ca_cert_needed
+    create_mount_path: "{{ vault_ca_options.common_name }}"
+    create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
+    create_mount_description: "Vault Root CA"
+    create_mount_cert_dir: "{{ vault_cert_dir }}"
+    create_mount_config_ca_needed: "{{ not vault_ca_cert_needed }}"
+  when: inventory_hostname == groups.vault|first
 
 # Generate root CA certs for Vault if none exist
-- include: gen_ca.yml
+- include: ../shared/gen_ca.yml
+  vars:
+    gen_ca_cert_dir: "{{ vault_cert_dir }}"
+    gen_ca_mount_path: "{{ vault_ca_options.common_name }}"
   when: >-
         inventory_hostname in groups.vault and
         not vault_cluster_is_initialized and
@@ -55,13 +56,25 @@
 - include: gen_vault_certs.yml
   when: inventory_hostname in groups.vault and vault_api_cert_needed
 
-# Update all host's CA bundle
+# Ensure etcd PKI mounts exists
+- include: ../shared/create_mount.yml
+  vars:
+    create_mount_path: "{{ vault_etcd_mount_path }}"
+    create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
+    create_mount_description: "Etcd Root CA"
+    create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
+    create_mount_config_ca_needed: "{{ not vault_etcd_ca_cert_needed }}"
+  when: inventory_hostname == groups.vault|first
+
+# Generate root CA certs for etcd if none exist
+- include: ../shared/gen_ca.yml
+  vars:
+    gen_ca_cert_dir: "{{ vault_etcd_cert_dir }}"
+    gen_ca_mount_path: "{{ vault_etcd_mount_path }}"
+  when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
+
+- include: create_etcd_role.yml
+
+# Update all host's CA bundle, etcd CA will be added in etcd role
 - include: ca_trust.yml
-
-## Add Etcd Role to Vault (if needed)
-
-- include: role_auth_cert.yml
-  when: vault_role_auth_method == "cert"
-
-- include: role_auth_userpass.yml
-  when: vault_role_auth_method == "userpass"

roles/vault/tasks/bootstrap/role_auth_cert.yml

@@ -1,26 +0,0 @@
----
-
-- include: ../shared/sync_auth_certs.yml
-  when: inventory_hostname in groups.vault
-
-- include: ../shared/cert_auth_mount.yml
-  when: inventory_hostname == groups.vault|first
-
-- include: ../shared/auth_backend.yml
-  vars:
-    auth_backend_description: A Cert-based Auth primarily for services needing to issue certificates
-    auth_backend_name: cert
-    auth_backend_type: cert
-  when: inventory_hostname == groups.vault|first
-
-- include: gen_auth_ca.yml
-  when: inventory_hostname in groups.vault and vault_auth_ca_cert_needed
-
-- include: ../shared/config_ca.yml
-  vars:
-    ca_name: auth-ca
-    mount_name: auth-pki
-  when: inventory_hostname == groups.vault|first and not vault_auth_ca_cert_needed
-
-- include: create_etcd_role.yml
-  when: inventory_hostname in groups.etcd

roles/vault/tasks/bootstrap/role_auth_userpass.yml

@@ -1,11 +0,0 @@
----
-
-- include: ../shared/auth_backend.yml
-  vars:
-    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
-    auth_backend_path: userpass
-    auth_backend_type: userpass
-  when: inventory_hostname == groups.vault|first
-
-- include: create_etcd_role.yml
-  when: inventory_hostname in groups.etcd

roles/vault/tasks/bootstrap/sync_etcd_certs.yml

@@ -0,0 +1,16 @@
+---
+
+- include: ../shared/sync_file.yml
+  vars:
+    sync_file: "ca.pem"
+    sync_file_dir: "{{ vault_etcd_cert_dir }}"
+    sync_file_hosts: "{{ groups.etcd }}"
+    sync_file_is_cert: true
+
+- name: bootstrap/sync_etcd_certs | Set facts for etcd sync_file results
+  set_fact:
+    vault_etcd_ca_cert_needed: "{{ sync_file_results[0]['no_srcs'] }}"
+
+- name: bootstrap/sync_etcd_certs | Unset sync_file_results after ca.pem sync
+  set_fact:
+    sync_file_results: []