Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552)

* Added update CA trust step for etcd and kube/secrets roles

* Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os.

* Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube.

* Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd.

* Fixed different certificates set for vault cert_managment

* Update doc/vault.md

* Fixed condition create vault CA, wrong group

* Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts

* Removed wrong when condition in create etcd role vault tasks.

roles/vault/tasks/bootstrap/sync_etcd_certs.yml

+---
+
+- include: ../shared/sync_file.yml
+  vars:
+    sync_file: "ca.pem"
+    sync_file_dir: "{{ vault_etcd_cert_dir }}"
+    sync_file_hosts: "{{ groups.etcd }}"
+    sync_file_is_cert: true
+
+- name: bootstrap/sync_etcd_certs | Set facts for etcd sync_file results
+  set_fact:
+    vault_etcd_ca_cert_needed: "{{ sync_file_results[0]['no_srcs'] }}"
+
+- name: bootstrap/sync_etcd_certs | Unset sync_file_results after ca.pem sync
+  set_fact:
+    sync_file_results: []

roles/vault/tasks/cluster/create_roles.yml

 ---
+- include: ../shared/auth_backend.yml
+  vars:
+    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
+    auth_backend_path: userpass
+    auth_backend_type: userpass
+  when: inventory_hostname == groups.vault|first
 
 - include: ../shared/create_role.yml
   vars:
@@ -6,4 +12,7 @@
     create_role_group: "{{ item.group }}"
     create_role_policy_rules: "{{ item.policy_rules }}"
     create_role_options: "{{ item.role_options }}"
-  with_items: "{{ vault_roles|d([]) }}"
+    create_role_mount_path: "{{ item.mount_path }}"
+  with_items:
+    - "{{ vault_etcd_role }}"
+    - "{{ vault_kube_role }}"

roles/vault/tasks/cluster/main.yml

@@ -25,19 +25,42 @@
 - include: ../shared/find_leader.yml
   when: inventory_hostname in groups.vault
 
-- include: ../shared/pki_mount.yml
+- include: ../shared/create_mount.yml
+  vars:
+    create_mount_path: "{{ vault_ca_options.common_name }}"
+    create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
+    create_mount_description: "Vault Root CA"
+    create_mount_cert_dir: "{{ vault_cert_dir }}"
+    create_mount_config_ca_needed: true
   when: inventory_hostname == groups.vault|first
 
-- include: ../shared/config_ca.yml
+- include: ../shared/create_mount.yml
   vars:
-    ca_name: ca
-    mount_name: pki
+    create_mount_path: "{{ vault_etcd_mount_path }}"
+    create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
+    create_mount_description: "Etcd Root CA"
+    create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
+    create_mount_config_ca_needed: true
   when: inventory_hostname == groups.vault|first
 
-## Vault Policies, Roles, and Auth Backends
+- include: ../shared/create_mount.yml
+  vars:
+    create_mount_path: "{{ vault_kube_mount_path }}"
+    create_mount_default_lease_ttl: "{{ vault_kube_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_kube_max_lease_ttl }}"
+    create_mount_description: "Kubernetes Root CA"
+    create_mount_cert_dir: "{{ vault_kube_cert_dir }}"
+    create_mount_config_ca_needed: false
+  when: inventory_hostname == groups.vault|first
 
-- include: role_auth_cert.yml
-  when: vault_role_auth_method == "cert"
+- include: ../shared/gen_ca.yml
+  vars:
+    gen_ca_cert_dir: "{{ vault_kube_cert_dir }}"
+    gen_ca_mount_path: "{{ vault_kube_mount_path }}"
+  when: inventory_hostname in groups.vault
+
+## Vault Policies, Roles, and Auth Backends
 
-- include: role_auth_userpass.yml
-  when: vault_role_auth_method == "userpass"
+- include: create_roles.yml

roles/vault/tasks/cluster/role_auth_cert.yml

----
-
-- include: ../shared/cert_auth_mount.yml
-  when: inventory_hostname == groups.vault|first
-
-- include: ../shared/auth_backend.yml
-  vars:
-    auth_backend_description: A Cert-based Auth primarily for services needing to issue certificates
-    auth_backend_name: cert
-    auth_backend_type: cert
-  when: inventory_hostname == groups.vault|first
-
-- include: ../shared/config_ca.yml
-  vars:
-    ca_name: auth-ca
-    mount_name: auth-pki
-  when: inventory_hostname == groups.vault|first
-
-- include: create_roles.yml

roles/vault/tasks/cluster/role_auth_userpass.yml

----
-
-- include: ../shared/auth_backend.yml
-  vars:
-    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
-    auth_backend_path: userpass
-    auth_backend_type: userpass
-  when: inventory_hostname == groups.vault|first
-
-- include: create_roles.yml

roles/vault/tasks/shared/cert_auth_mount.yml

 ---
 
-- include: ../shared/mount.yml
+- include: ../shared/pki_mount.yml
   vars:
-    mount_name: auth-pki
-    mount_options:
+    pki_mount_path: auth-pki
+    pki_mount_options:
       description: PKI mount to generate certs for the Cert Auth Backend
       config:
         default_lease_ttl: "{{ vault_default_lease_ttl }}"
         max_lease_ttl: "{{ vault_max_lease_ttl }}"
-      type: pki
 
 - name: shared/auth_mount | Create a dummy role for issuing certs from auth-pki
   uri:

roles/vault/tasks/shared/config_ca.yml

 ---
-
 - name: config_ca | Read root CA cert for Vault
-  command: "cat /etc/vault/ssl/{{ ca_name }}.pem"
+  command: "cat {{ config_ca_ca_pem }}"
   register: vault_ca_cert_cat
 
 - name: config_ca | Pull current CA cert from Vault
   uri:
-    url: "{{ vault_leader_url }}/v1/{{ mount_name }}/ca/pem"
+    url: "{{ vault_leader_url }}/v1/{{ config_ca_mount_path }}/ca/pem"
     headers: "{{ vault_headers }}"
     return_content: true
     status_code: 200,204
@@ -14,13 +13,13 @@
   register: vault_pull_current_ca
 
 - name: config_ca | Read root CA key for Vault
-  command: "cat /etc/vault/ssl/{{ ca_name }}-key.pem"
+  command: "cat {{ config_ca_ca_key }}"
   register: vault_ca_key_cat
   when: vault_ca_cert_cat.stdout.strip() != vault_pull_current_ca.content.strip()
 
 - name: config_ca | Configure pki mount to use the found root CA cert and key
   uri:
-    url: "{{ vault_leader_url }}/v1/{{ mount_name }}/config/ca"
+    url: "{{ vault_leader_url }}/v1/{{ config_ca_mount_path }}/config/ca"
     headers: "{{ vault_headers }}"
     method: POST
     body_format: json

roles/vault/tasks/shared/create_mount.yml

+---
+- include: ../shared/pki_mount.yml
+  vars:
+    pki_mount_path: "{{ create_mount_path }}"
+    pki_mount_options:
+      config:
+        default_lease_ttl: "{{ create_mount_default_lease_ttl }}"
+        max_lease_ttl: "{{ create_mount_max_lease_ttl }}"
+      description: "{{ create_mount_description }}"
+
+- include: ../shared/config_ca.yml
+  vars:
+    config_ca_ca_pem: "{{ create_mount_cert_dir }}/ca.pem"
+    config_ca_ca_key: "{{ create_mount_cert_dir }}/ca-key.pem"
+    config_ca_mount_path: "{{ create_mount_path }}"
+  when: create_mount_config_ca_needed

roles/vault/tasks/shared/create_role.yml

@@ -12,8 +12,8 @@
              {%- if create_role_policy_rules|d("default") == "default" -%}
              {{
              { 'path': {
-                 'pki/issue/' + create_role_name: {'policy': 'write'},
-                 'pki/roles/' + create_role_name: {'policy': 'read'}
+                 create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},
+                 create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}
              }} | to_json + '\n'
              }}
              {%- else -%}
@@ -22,9 +22,9 @@
     status_code: 204
   when: inventory_hostname == groups[create_role_group]|first
 
-- name: create_role | Create the new role in the pki mount
+- name: create_role | Create the new role in the {{ create_role_mount_path }} pki mount
   uri:
-    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/pki/roles/{{ create_role_name }}"
+    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
     headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
     method: POST
     body_format: json
@@ -37,31 +37,6 @@
     status_code: 204
   when: inventory_hostname == groups[create_role_group]|first
 
-## Cert based auth method
-
-- include: gen_cert.yml
-  vars:
-    gen_cert_copy_ca: true
-    gen_cert_hosts: "{{ groups[create_role_group] }}"
-    gen_cert_mount: "auth-pki"
-    gen_cert_path: "{{ vault_roles_dir }}/{{ create_role_name }}/issuer.pem"
-    gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    gen_cert_vault_role: "dummy"
-    gen_cert_vault_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
-  when: vault_role_auth_method == "cert" and inventory_hostname in groups[create_role_group]
-
-- name: create_role | Insert the auth-pki CA as the authenticating CA for that role
-  uri:
-    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/cert/certs/{{ create_role_name }}"
-    headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    method: POST
-    body_format: json
-    body:
-      certificate: "{{ hostvars[groups[create_role_group]|first]['gen_cert_result']['json']['data']['issuing_ca'] }}"
-      policies: "{{ create_role_name }}"
-    status_code: 204
-  when: vault_role_auth_method == "cert" and inventory_hostname == groups[create_role_group]|first
-
 ## Userpass based auth method
 
 - include: gen_userpass.yml
@@ -71,4 +46,4 @@
     gen_userpass_policies: "{{ create_role_name }}"
     gen_userpass_role: "{{ create_role_name }}"
     gen_userpass_username: "{{ create_role_name }}"
-  when: vault_role_auth_method == "userpass" and inventory_hostname in groups[create_role_group]
+  when: inventory_hostname in groups[create_role_group]

roles/vault/tasks/bootstrap/gen_ca.yml → roles/vault/tasks/shared/gen_ca.yml

 ---
-
-- name: bootstrap/gen_ca | Ensure vault_cert_dir exists
+- name: "bootstrap/gen_ca | Ensure cert_dir {{ gen_ca_cert_dir }} exists"
   file:
     mode: 0755
-    path: "{{ vault_cert_dir }}"
+    path: "{{ gen_ca_cert_dir }}"
     state: directory
 
-- name: bootstrap/gen_ca | Generate Root CA in vault-temp
+- name: "bootstrap/gen_ca | Generate {{ gen_ca_mount_path }} root CA"
   uri:
-    url: "{{ vault_leader_url }}/v1/pki/root/generate/exported"
+    url: "{{ vault_leader_url }}/v1/{{ gen_ca_mount_path }}/root/generate/exported"
     headers: "{{ vault_headers }}"
     method: POST
     body_format: json
     body: "{{ vault_ca_options }}"
   register: vault_ca_gen
-  when: inventory_hostname == groups.vault|first and vault_ca_cert_needed
+  delegate_to: "{{ groups.vault|first }}"
+  run_once: true
 
-- name: bootstrap/gen_ca | Copy root CA cert locally
+- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA cert locally"
   copy:
     content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['certificate'] }}"
-    dest: "{{ vault_cert_dir }}/ca.pem"
+    dest: "{{ gen_ca_cert_dir }}/ca.pem"
     mode: 0644
-  when: vault_ca_cert_needed
 
-- name: bootstrap/gen_ca | Copy root CA key locally
+- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA key locally"
   copy:
     content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['private_key'] }}"
-    dest: "{{ vault_cert_dir }}/ca-key.pem"
+    dest: "{{ gen_ca_cert_dir }}/ca-key.pem"
     mode: 0640
-  when: vault_ca_cert_needed

roles/vault/tasks/shared/issue_cert.yml

@@ -14,16 +14,11 @@
 #   issue_cert_headers:     Headers passed into the issue request
 #   issue_cert_hosts:       List of hosts to distribute the cert to
 #   issue_cert_ip_sans:     Requested IP Subject Alternative Names, in a list
-#   issue_cert_mount:       Mount point in Vault to make the request to
+#   issue_cert_mount_path:  Mount point in Vault to make the request to
 #   issue_cert_path:        Full path to the cert, include its name
 #   issue_cert_role:        The Vault role to issue the cert with
 #   issue_cert_url:         Url to reach Vault, including protocol and port
 
-- name: issue_cert | debug who issues certs
-  debug:
-    msg: "{{ issue_cert_hosts }} issues certs"
-
-
 - name: issue_cert | Ensure target directory exists
   file:
     path: "{{ issue_cert_path | dirname }}"
@@ -34,7 +29,7 @@
 
 - name: "issue_cert | Generate the cert for {{ issue_cert_role }}"
   uri:
-    url: "{{ issue_cert_url }}/v1/{{ issue_cert_mount|d('pki') }}/issue/{{ issue_cert_role }}"
+    url: "{{ issue_cert_url }}/v1/{{ issue_cert_mount_path|d('pki') }}/issue/{{ issue_cert_role }}"
     headers: "{{ issue_cert_headers }}"
     method: POST
     body_format: json
@@ -45,11 +40,7 @@
       ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
   register: issue_cert_result
   delegate_to: "{{ issue_cert_hosts|first }}"
-
-- name: issue_cert | results
-  debug:
-    msg: "{{ issue_cert_result }}"
-
+  run_once: true
 
 - name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
   copy:

roles/vault/tasks/shared/mount.yml

----
-
-- name: shared/mount | Test if PKI mount exists
-  uri:
-    url: "{{ vault_leader_url }}/v1/sys/mounts/{{ mount_name }}/tune"
-    headers: "{{ vault_headers }}"
-  ignore_errors: true
-  register: vault_pki_mount_check
-
-- name: shared/mount | Mount PKI mount if needed
-  uri:
-    url: "{{ vault_leader_url }}/v1/sys/mounts/{{ mount_name }}"
-    headers: "{{ vault_headers }}"
-    method: POST
-    body_format: json
-    body: "{{ mount_options|d() }}"
-    status_code: 204
-  when: vault_pki_mount_check|failed

roles/vault/tasks/shared/pki_mount.yml

 ---
+- name: "shared/mount | Test if {{ pki_mount_path }} PKI mount exists"
+  uri:
+    url: "{{ vault_leader_url }}/v1/sys/mounts/{{ pki_mount_path }}/tune"
+    headers: "{{ vault_headers }}"
+  ignore_errors: true
+  register: vault_pki_mount_check
 
-- include: mount.yml
-  vars:
-    mount_name: pki
-    mount_options:
-      config:
-        default_lease_ttl: "{{ vault_default_lease_ttl }}"
-        max_lease_ttl: "{{ vault_max_lease_ttl }}"
-      description: The default PKI mount for Kubernetes
-      type: pki
+- name: shared/mount | Set pki mount type
+  set_fact:
+    mount_options: "{{ pki_mount_options | combine({'type': 'pki'}) }}"
+  when: vault_pki_mount_check|failed
+
+- name: shared/mount | Mount {{ pki_mount_path }} PKI mount if needed
+  uri:
+    url: "{{ vault_leader_url }}/v1/sys/mounts/{{ pki_mount_path }}"
+    headers: "{{ vault_headers }}"
+    method: POST
+    body_format: json
+    body: "{{ mount_options|d() }}"
+    status_code: 204
+  when: vault_pki_mount_check|failed
+
+- name: shared/mount | Unset mount options
+  set_fact:
+    mount_options: {}
+  when: vault_pki_mount_check|failed

roles/vault/templates/docker.service.j2

@@ -21,6 +21,7 @@ ExecStart={{ docker_bin_dir }}/docker run \
 --cap-add=IPC_LOCK \
 -v {{ vault_cert_dir }}:{{ vault_cert_dir }} \
 -v {{ vault_config_dir }}:{{ vault_config_dir }} \
+-v {{ vault_etcd_cert_dir }}:{{ vault_etcd_cert_dir }} \
 -v {{ vault_log_dir }}:/vault/logs \
 -v {{ vault_roles_dir }}:{{ vault_roles_dir }} \
 -v {{ vault_secrets_dir }}:{{ vault_secrets_dir }} \

roles/vault/templates/rkt.service.j2

@@ -24,6 +24,8 @@ ExecStart=/usr/bin/rkt run \
 --mount=volume=vault-secrets-dir,target={{ vault_secrets_dir }} \
 --volume=vault-roles-dir,kind=host,source={{ vault_roles_dir }} \
 --mount=volume=vault-roles-dir,target={{ vault_roles_dir }} \
+--volume=vault-etcd-cert-dir,kind=host,source={{ vault_etcd_cert_dir }} \
+--mount=volume=vault-etcd-cert-dir,target={{ vault_etcd_cert_dir }} \
 docker://{{ vault_image_repo }}:{{ vault_image_tag }} \
 --name={{ vault_container_name }} --net=host \
 --caps-retain=CAP_IPC_LOCK \