Vault role updates:

* using separated vault roles for generate certs with different `O` (Organization) subject field;
  * configure vault roles for issuing certificates with different `CN` (Common name) subject field;
  * set `CN` and `O` to `kubernetes` and `etcd` certificates;
  * vault/defaults vars definition was simplified;
  * vault dirs variables defined in kubernetes-defaults foles for using
  shared tasks in etcd and kubernetes/secrets roles;
  * upgrade vault to 0.8.1;
  * generate random vault user password for each role by default;
  * fix `serial` file name for vault certs;
  * move vault auth request to issue_cert tasks;
  * enable `RBAC` in vault CI;

roles/vault/tasks/shared/create_role.yml

@@ -1,5 +1,4 @@
 ---
-
 # The JSON inside JSON here is intentional (Vault API wants it)
 - name: create_role | Create a policy for the new role allowing issuing
   uri:
@@ -22,7 +21,7 @@
     status_code: 204
   when: inventory_hostname == groups[create_role_group]|first
 
-- name: create_role | Create the new role in the {{ create_role_mount_path }} pki mount
+- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
   uri:
     url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
     headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
@@ -42,7 +41,7 @@
 - include: gen_userpass.yml
   vars:
     gen_userpass_group: "{{ create_role_group }}"
-    gen_userpass_password: "{{ create_role_password|d(''|to_uuid) }}"
+    gen_userpass_password: "{{ create_role_password }}"
     gen_userpass_policies: "{{ create_role_name }}"
     gen_userpass_role: "{{ create_role_name }}"
     gen_userpass_username: "{{ create_role_name }}"

roles/vault/tasks/shared/gen_ca.yml

@@ -8,10 +8,10 @@
 - name: "bootstrap/gen_ca | Generate {{ gen_ca_mount_path }} root CA"
   uri:
     url: "{{ vault_leader_url }}/v1/{{ gen_ca_mount_path }}/root/generate/exported"
-    headers: "{{ vault_headers }}"
+    headers: "{{ gen_ca_vault_headers }}"
     method: POST
     body_format: json
-    body: "{{ vault_ca_options }}"
+    body: "{{ gen_ca_vault_options }}"
   register: vault_ca_gen
   delegate_to: "{{ groups.vault|first }}"
   run_once: true

roles/vault/tasks/shared/gen_userpass.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: shared/gen_userpass | Create the Username/Password combo for the role
   uri:
     url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/users/{{ gen_userpass_username }}"

roles/vault/tasks/shared/issue_cert.yml

@@ -11,7 +11,6 @@
 #   issue_cert_file_mode:   Mode of the placed cert file
 #   issue_cert_file_owner:  Owner of the placed cert file and directory
 #   issue_cert_format:      Format for returned data. Can be pem, der, or pem_bundle
-#   issue_cert_headers:     Headers passed into the issue request
 #   issue_cert_hosts:       List of hosts to distribute the cert to
 #   issue_cert_ip_sans:     Requested IP Subject Alternative Names, in a list
 #   issue_cert_mount_path:  Mount point in Vault to make the request to
@@ -27,7 +26,47 @@
     mode: "{{ issue_cert_dir_mode | d('0755') }}"
     owner: "{{ issue_cert_file_owner | d('root') }}"
 
-- name: "issue_cert | Generate the cert for {{ issue_cert_role }}"
+- name: "issue_cert | Read in the local credentials"
+  command: cat {{ vault_roles_dir }}/{{ issue_cert_role }}/userpass
+  register: vault_creds_cat
+  delegate_to: "{{ issue_cert_hosts|first }}"
+  run_once: true
+
+- name: gen_certs_vault | Set facts for read Vault Creds
+  set_fact:
+    user_vault_creds: "{{ vault_creds_cat.stdout|from_json }}"
+  delegate_to: "{{ issue_cert_hosts|first }}"
+  run_once: true
+
+- name: gen_certs_vault | Log into Vault and obtain an token
+  uri:
+    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/login/{{ user_vault_creds.username }}"
+    headers:
+      Accept: application/json
+      Content-Type: application/json
+    method: POST
+    body_format: json
+    body:
+      password: "{{ user_vault_creds.password }}"
+  register: vault_login_result
+  delegate_to: "{{ issue_cert_hosts|first }}"
+  run_once: true
+
+- name: gen_certs_vault | Set fact for vault_client_token
+  set_fact:
+    vault_client_token: "{{ vault_login_result.get('json', {}).get('auth', {}).get('client_token') }}"
+  run_once: true
+
+- name: gen_certs_vault | Set fact for Vault API token
+  set_fact:
+    issue_cert_headers:
+      Accept: application/json
+      Content-Type: application/json
+      X-Vault-Token: "{{ vault_client_token }}"
+  run_once: true
+  when: vault_client_token != ""
+
+- name: "issue_cert | Generate {{ issue_cert_path }} for {{ issue_cert_role }} role"
   uri:
     url: "{{ issue_cert_url }}/v1/{{ issue_cert_mount_path|d('pki') }}/issue/{{ issue_cert_role }}"
     headers: "{{ issue_cert_headers }}"
@@ -70,7 +109,7 @@
 - name: issue_cert | Copy certificate serial to all hosts
   copy:
     content: "{{ hostvars[issue_cert_hosts|first]['issue_cert_result']['json']['data']['serial_number'] }}"
-    dest: "{{ issue_cert_path.rsplit('.', 1)|first }}.serial }}"
+    dest: "{{ issue_cert_path.rsplit('.', 1)|first }}.serial"
     group: "{{ issue_cert_file_group | d('root' )}}"
     mode: "{{ issue_cert_file_mode | d('0640') }}"
     owner: "{{ issue_cert_file_owner | d('root') }}"