diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index f394e41aab672f64f7b2443d833d9403be59287d..4e122e719b5349f4387cd5a6c81f5e879cd7623b 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -32,7 +32,7 @@ etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %
 
 etcd_blkio_weight: 1000
 
-etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr', [])) }}"
+etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr', [])) | union(groups.get('vault', [])) }}"
 
 etcd_compaction_retention: "8"
 
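Review bot: The added `union(groups.get('vault', []))` on `etcd_node_cert_hosts` is unconditional, so every host in the `vault` group joins the etcd node certificate host list whether or not Vault talks to this etcd cluster in a given deployment. How the list is consumed is outside this hunk, but if each entry is issued an etcd node client certificate, this widens the set of machines holding etcd credentials. Consider limiting the extra group to deployments that need it. At minimum, record the reason above the line, for example `# vault hosts get etcd node certs because Vault uses this etcd as its storage backend`, if that is indeed the reason.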
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
index 5b3b46edcb85d8b49328349201d433a72461989a..cc16b749bed5ff3ea060c48ac0faa86e4d81f10f 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
@@ -116,6 +116,6 @@
     issue_cert_role: front-proxy-client
     issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
     issue_cert_mount_path: "{{ kube_vault_mount_path }}"
-  with_items: "{{ kube_master_components_certs_needed|d([]) }}"
+  with_items: "{{ kube_front_proxy_clients_certs_needed|d([]) }}"
   when: inventory_hostname in groups['kube-master']
   notify: set secret_changed
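Review bot: The loop on `kube_front_proxy_clients_certs_needed|d([])` silently issues nothing when the fact is undefined, and the fact is only set in `sync_kube_master_certs.yml`, so this task depends on that file having run first on the same host. A mistyped or unset list name is what this commit is correcting, and the `d([])` default would hide the same mistake again. A comment on the task would make the dependency visible, for example `# list is built in sync_kube_master_certs.yml; empty means no master is missing front-proxy-client.pem`. The task itself starts above the hunk, so its name and module are not visible here.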
diff --git a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
index f675f6eca0c0ea05871870aeac8b89ce89e859be..d747044484b9d89ed9829031003a8aa41bcc612c 100644
--- a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
@@ -32,7 +32,7 @@
     sync_file_hosts: "{{ groups['kube-master'] }}"
     sync_file_is_cert: true
     sync_file_owner: kube
-  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "front-proxy-client.pem"]
+  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem"]
 
 - name: sync_kube_master_certs | Set facts for kube master components sync_file results
   set_fact:
@@ -44,6 +44,26 @@
   set_fact:
     sync_file_results: []
 
+- include_tasks: ../../../vault/tasks/shared/sync_file.yml
+  vars:
+    sync_file: "{{ item }}"
+    sync_file_dir: "{{ kube_cert_dir }}"
+    sync_file_group: "{{ kube_cert_group }}"
+    sync_file_hosts: "{{ groups['kube-master'] }}"
+    sync_file_is_cert: true
+    sync_file_owner: kube
+  with_items: ["front-proxy-client.pem"]
+
+- name: sync_kube_master_certs | Set facts for front-proxy-client certs sync_file results
+  set_fact:
+    kube_front_proxy_clients_certs_needed: "{{ kube_front_proxy_clients_certs_needed|d([]) + [item.path] }}"
+  with_items: "{{ sync_file_results|d([]) }}"
+  when: item.no_srcs|bool
+
+- name: sync_kube_master_certs | Unset sync_file_results after front-proxy-client sync
+  set_fact:
+    sync_file_results: []
+
 - include_tasks: ../../../vault/tasks/shared/sync_file.yml
   vars:
     sync_file: ca.pem
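Review bot: `kube_front_proxy_clients_certs_needed` is only ever appended to with `|d([]) + [item.path]` and is never reset before the loop. If this task file is included more than once for a host in one run, the list will hold duplicate paths and the issuing task would presumably request the same certificate again. Writing `{{ kube_front_proxy_clients_certs_needed|d([]) | union([item.path]) }}` keeps the fact idempotent. As a style point, the new include loops over a one-element list, whereas the `ca.pem` include right after it passes `sync_file: ca.pem` directly; `sync_file: front-proxy-client.pem` without `with_items` would match that form. The `ca.pem` include continues past the end of the hunk.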
diff --git a/tests/files/gce_ubuntu-vault-sep.yml b/tests/files/gce_ubuntu-vault-sep.yml
index 2e4926f2125cf35d6dcb433c239f9cc833ce4c87..60ce0c37ff83e1250ed59a67da4b3060d1f70e79 100644
--- a/tests/files/gce_ubuntu-vault-sep.yml
+++ b/tests/files/gce_ubuntu-vault-sep.yml
@@ -6,7 +6,7 @@ mode: separate
 
 # Instance settings
 bootstrap_os: ubuntu
-cert_mgmt: vault
+cert_management: vault
 kube_network_plugin: canal
 deploy_netchecker: true
 kubedns_min_replicas: 1
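Review bot: The old key `cert_mgmt` was not a variable the roles read, so this scenario presumably ran with the default certificate backend and the Vault code paths touched elsewhere in this commit were not exercised by CI. It is worth checking the other files under `tests/files/` for the same misspelled key. A short comment here would also help, for example `# cert_management selects the cert backend; unknown keys are ignored silently`, since nothing in the test setup rejects an unrecognised variable name.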