Vault role updates:

* using separated vault roles for generate certs with different `O` (Organization) subject field;
  * configure vault roles for issuing certificates with different `CN` (Common name) subject field;
  * set `CN` and `O` to `kubernetes` and `etcd` certificates;
  * vault/defaults vars definition was simplified;
  * vault dirs variables defined in kubernetes-defaults foles for using
  shared tasks in etcd and kubernetes/secrets roles;
  * upgrade vault to 0.8.1;
  * generate random vault user password for each role by default;
  * fix `serial` file name for vault certs;
  * move vault auth request to issue_cert tasks;
  * enable `RBAC` in vault CI;

roles/vault/tasks/bootstrap/create_etcd_role.yml

@@ -1,17 +0,0 @@
----
-- include: ../shared/auth_backend.yml
-  vars:
-    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
-    auth_backend_path: userpass
-    auth_backend_type: userpass
-  delegate_to: "{{ groups.vault|first }}"
-  run_once: true
-
-- include: ../shared/create_role.yml
-  vars:
-    create_role_name: "{{ vault_etcd_role.name }}"
-    create_role_group: "{{ vault_etcd_role.group }}"
-    create_role_policy_rules: "{{ vault_etcd_role.policy_rules }}"
-    create_role_options: "{{ vault_etcd_role.role_options }}"
-    create_role_mount_path: "{{ vault_etcd_role.mount_path }}"
-  when: inventory_hostname in groups.etcd

roles/vault/tasks/bootstrap/create_mounts.yml

@@ -0,0 +1,12 @@
+---
+- include: ../shared/create_mount.yml
+  vars:
+    create_mount_path: "{{ item.name }}"
+    create_mount_default_lease_ttl: "{{ item.default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ item.max_lease_ttl }}"
+    create_mount_description: "{{ item.description }}"
+    create_mount_cert_dir: "{{ item.cert_dir }}"
+    create_mount_config_ca_needed: "{{ item.config_ca }}"
+  with_items:
+    - "{{ vault_pki_mounts.vault|combine({'config_ca': not vault_ca_cert_needed}) }}"
+    - "{{ vault_pki_mounts.etcd|combine({'config_ca': not vault_etcd_ca_cert_needed}) }}"

roles/vault/tasks/bootstrap/create_roles.yml

@@ -0,0 +1,10 @@
+---
+- include: ../shared/create_role.yml
+  vars:
+    create_role_name: "{{ item.name }}"
+    create_role_group: "{{ item.group }}"
+    create_role_policy_rules: "{{ item.policy_rules }}"
+    create_role_password: "{{ item.password }}"
+    create_role_options: "{{ item.role_options }}"
+    create_role_mount_path: "{{ mount.name }}"
+  with_items: "{{ mount.roles }}"

roles/vault/tasks/bootstrap/gen_vault_certs.yml

@@ -1,29 +1,21 @@
 ---
-
-- name: boostrap/gen_vault_certs | Add the vault role
-  uri:
-    url: "{{ vault_leader_url }}/v1/{{ vault_ca_options.common_name }}/roles/vault"
-    headers: "{{ vault_headers }}"
-    method: POST
-    body_format: json
-    body: "{{ vault_default_role_permissions }}"
-    status_code: 204
-  when: inventory_hostname == groups.vault|first and vault_api_cert_needed
-
 - include: ../shared/issue_cert.yml
   vars:
+    issue_cert_common_name: "{{ vault_pki_mounts.vault.roles[0].name }}"
     issue_cert_alt_names: "{{ groups.vault + ['localhost'] }}"
     issue_cert_hosts: "{{ groups.vault }}"
     issue_cert_ip_sans: >-
         [
         {%- for host in groups.vault -%}
         "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
+        {%- if hostvars[host]['ip'] is defined -%}
+        "{{ hostvars[host]['ip'] }}",
+        {%- endif -%}
         {%- endfor -%}
         "127.0.0.1","::1"
         ]
-    issue_cert_mount_path: "{{ vault_ca_options.common_name }}"
+    issue_cert_mount_path: "{{ vault_pki_mounts.vault.name }}"
     issue_cert_path: "{{ vault_cert_dir }}/api.pem"
-    issue_cert_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    issue_cert_role: vault
+    issue_cert_role: "{{ vault_pki_mounts.vault.roles[0].name }}"
     issue_cert_url: "{{ vault_leader_url }}"
   when: vault_api_cert_needed

roles/vault/tasks/bootstrap/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - include: ../shared/check_vault.yml
   when: inventory_hostname in groups.vault
 
@@ -9,72 +8,57 @@
 - include: ../shared/find_leader.yml
   when: inventory_hostname in groups.vault and vault_cluster_is_initialized|d()
 
-## Sync Certs
-
 - include: sync_vault_certs.yml
   when: inventory_hostname in groups.vault
 
 - include: sync_etcd_certs.yml
   when: inventory_hostname in groups.etcd
 
-## Generate Certs
-
-# Start a temporary instance of Vault
 - include: start_vault_temp.yml
-  when: >-
-        inventory_hostname == groups.vault|first and
-        not vault_cluster_is_initialized
+  when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized
 
-# Set vault_leader_url for all nodes based on above
-- name: vault | bootstrap
+- name: vault | Set fact about vault leader url
   set_fact:
     vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
   when: not vault_cluster_is_initialized
 
-# Ensure vault PKI mounts exists
-- include: ../shared/create_mount.yml
-  vars:
-    create_mount_path: "{{ vault_ca_options.common_name }}"
-    create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
-    create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
-    create_mount_description: "Vault Root CA"
-    create_mount_cert_dir: "{{ vault_cert_dir }}"
-    create_mount_config_ca_needed: "{{ not vault_ca_cert_needed }}"
+- include: create_mounts.yml
   when: inventory_hostname == groups.vault|first
 
-# Generate root CA certs for Vault if none exist
+- include: ../shared/auth_backend.yml
+  vars:
+    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
+    auth_backend_path: userpass
+    auth_backend_type: userpass
+  when: inventory_hostname == groups.vault|first
+
+- include: create_roles.yml
+  with_items:
+    - "{{ vault_pki_mounts.vault }}"
+    - "{{ vault_pki_mounts.etcd }}"
+  loop_control:
+    loop_var: mount
+
 - include: ../shared/gen_ca.yml
   vars:
-    gen_ca_cert_dir: "{{ vault_cert_dir }}"
-    gen_ca_mount_path: "{{ vault_ca_options.common_name }}"
+    gen_ca_cert_dir: "{{ vault_pki_mounts.vault.cert_dir }}"
+    gen_ca_mount_path: "{{ vault_pki_mounts.vault.name }}"
+    gen_ca_vault_headers: "{{ vault_headers }}"
+    gen_ca_vault_options: "{{ vault_ca_options.vault }}"
   when: >-
-        inventory_hostname in groups.vault and
-        not vault_cluster_is_initialized and
-        vault_ca_cert_needed
+        inventory_hostname in groups.vault
+        and not vault_cluster_is_initialized
+        and vault_ca_cert_needed
+
+- include: ../shared/gen_ca.yml
+  vars:
+    gen_ca_cert_dir: "{{ vault_pki_mounts.etcd.cert_dir }}"
+    gen_ca_mount_path: "{{ vault_pki_mounts.etcd.name }}"
+    gen_ca_vault_headers: "{{ vault_headers }}"
+    gen_ca_vault_options: "{{ vault_ca_options.etcd }}"
+  when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
 
-# Generate Vault API certs
 - include: gen_vault_certs.yml
   when: inventory_hostname in groups.vault and vault_api_cert_needed
 
-# Ensure etcd PKI mounts exists
-- include: ../shared/create_mount.yml
-  vars:
-    create_mount_path: "{{ vault_etcd_mount_path }}"
-    create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
-    create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
-    create_mount_description: "Etcd Root CA"
-    create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
-    create_mount_config_ca_needed: "{{ not vault_etcd_ca_cert_needed }}"
-  when: inventory_hostname == groups.vault|first
-
-# Generate root CA certs for etcd if none exist
-- include: ../shared/gen_ca.yml
-  vars:
-    gen_ca_cert_dir: "{{ vault_etcd_cert_dir }}"
-    gen_ca_mount_path: "{{ vault_etcd_mount_path }}"
-  when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
-
-- include: create_etcd_role.yml
-
-# Update all host's CA bundle, etcd CA will be added in etcd role
 - include: ca_trust.yml