This repository has been archived by the owner on Jan 8, 2024. It is now read-only.

Enhancement request: Create tokens using roles #35

Closed
psfblair opened this issue Apr 5, 2017 · 1 comment
Closed


Comments

@psfblair

psfblair commented Apr 5, 2017

Currently VGM creates tokens by making requests to Vault at auth/token/create. This means the VGM token needs to have a policy that gives it access to auth/token/create, and with that it can create tokens for any subset of policies that it has.

This has two issues:

  1. The VGM token has a lot of power: It can create another token allowing the creation of tokens.
  2. Depending on how secrets are organized in Vault, when a new application/service is added, VGM may need to be restarted with a new token that lets it create tokens having access to the new secrets.

This could be more locked down if VGM requested tokens from Vault at auth/token/create/<role_id>. Its token could then have a policy giving it access to auth/token/create/*. This means that the VGM token could create tokens only for named roles (but for any named role).

When new applications were added, a role would be created to allow access to their secrets. Because of the way Vault handles creating tokens with roles, the VGM token would automatically be able to create tokens for the new role; there would be no need to generate a new token for VGM.
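The two policy shapes described in this request, side by side, as an added example that is not code from this repository: a Vault token policy granting the unscoped `auth/token/create` endpoint next to one scoped to `auth/token/create/*`, together with the operator-side token role definition the scoped form relies on. The policy and role names (`billing-svc`, `billing-secrets`) are illustrative placeholders; the endpoint segment after `auth/token/create/` is the token role's name.

```hcl
# Added example, not the VGM/Gatekeeper project's own configuration.
# Role and policy names below are placeholders.

# --- Current approach: broad token-creation rights --------------------------
# A token holding this policy calls auth/token/create directly and can mint
# tokens carrying any subset of its own policies, this one included, so it can
# hand out the power to create further tokens.
path "auth/token/create" {
  capabilities = ["create", "update"]
}

# --- Proposed approach: token creation scoped to named token roles ----------
# The glob matches auth/token/create/<role name> for any role, but not the
# bare auth/token/create path. Roles defined later by an operator are covered
# automatically, so a new application does not require re-issuing VGM's token.
path "auth/token/create/*" {
  capabilities = ["create", "update"]
}

# Neither policy grants auth/token/roles/*, so the holder cannot define or
# widen roles itself. An operator creates one token role per application:
#
#   vault write auth/token/roles/billing-svc \
#       allowed_policies="billing-secrets" \
#       orphan=true
#
# and the role-scoped caller then requests a token with:
#
#   vault write auth/token/create/billing-svc
#
# The issued token may carry only policies listed in that role's
# allowed_policies, whatever policies the caller's own token holds.
```

The role's `allowed_policies` list is the ceiling for everything issued through it, so the check an operator wants is that the token-creating service holds access to `auth/token/create/*` and nothing under `auth/token/roles/`; otherwise the separation between "can mint tokens for a role" and "can decide what a role grants" collapses.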

@nemosupremo
Owner

Gatekeeper now uses AppRoles
