Fix vault file owner issues and k8s apiserver cert creation (#2985)

apiserver cert should be created only once

roles/vault/tasks/shared/issue_cert.yml

@@ -45,7 +45,7 @@
     state: directory
     recurse: yes
     owner: "vault"
-    group: "vault"
+    group: "root"
     mode: 0755
 
 - name: gen_certs_vault | install hvac
@@ -87,6 +87,7 @@
       format: "{{ issue_cert_format | d('pem') }}"
       ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
   register: issue_cert_result
+  run_once: "{{ issue_cert_run_once | d(false) }}"
 
 - name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
   copy: