Vault role updates:

* using separated vault roles for generate certs with different `O` (Organization) subject field;
  * configure vault roles for issuing certificates with different `CN` (Common name) subject field;
  * set `CN` and `O` to `kubernetes` and `etcd` certificates;
  * vault/defaults vars definition was simplified;
  * vault dirs variables defined in kubernetes-defaults foles for using
  shared tasks in etcd and kubernetes/secrets roles;
  * upgrade vault to 0.8.1;
  * generate random vault user password for each role by default;
  * fix `serial` file name for vault certs;
  * move vault auth request to issue_cert tasks;
  * enable `RBAC` in vault CI;

roles/vault/tasks/shared/create_role.yml

@@ -1,5 +1,4 @@
 ---
-
 # The JSON inside JSON here is intentional (Vault API wants it)
 - name: create_role | Create a policy for the new role allowing issuing
   uri:
@@ -22,7 +21,7 @@
     status_code: 204
   when: inventory_hostname == groups[create_role_group]|first
 
-- name: create_role | Create the new role in the {{ create_role_mount_path }} pki mount
+- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
   uri:
     url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
     headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
@@ -42,7 +41,7 @@
 - include: gen_userpass.yml
   vars:
     gen_userpass_group: "{{ create_role_group }}"
-    gen_userpass_password: "{{ create_role_password|d(''|to_uuid) }}"
+    gen_userpass_password: "{{ create_role_password }}"
     gen_userpass_policies: "{{ create_role_name }}"
     gen_userpass_role: "{{ create_role_name }}"
     gen_userpass_username: "{{ create_role_name }}"