k8s: deploy k8s certs
diff --git a/env.sh b/env.sh
index 8efe1b8..bc2a6e2 100644
--- a/env.sh
+++ b/env.sh
@@ -25,29 +25,33 @@
     )
 }
 
-hscloud-node-push-certs() {
+# Generate a per-node certificate remotely on the node.
+hscloud-node-remote-cert() {
     (
         set -e
-
-        if [ -z "$1" ]; then
-            echo >&2 "Usage: hscloud-node-push-certs node.fqdn.com"
+        if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
+            echo >&2 "Usage: hscloud-node-remote-cert node.fqdn.com certname subj"
             exit 1
         fi
         fqdn="$1"
+        certname="$2"
+        subj="$3"
+
+        echo "Node: ${fqdn}; Cert: ${certname}"
 
         echo "Checking node livenes..."
         ssh root@$fqdn uname -a
 
         echo "Checking if node already has key..."
-        ssh root@$fqdn stat /opt/hscloud/node.key || (
+        ssh root@$fqdn stat /opt/hscloud/${certname}.key || (
             echo "Generating key..."
             ssh root@$fqdn -- mkdir -p /opt/hscloud
-            ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/node.key 4096\"" 
-            ssh root@$fqdn -- chmod 400 /opt/hscloud/node.key
+            ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/${certname}.key 4096\"" 
+            ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
         )
 
         echo "Checking if node already has cert..."
-        ssh root@$fqdn stat /opt/hscloud/node.crt && exit 0
+        ssh root@$fqdn stat /opt/hscloud/${certname}.crt && exit 0
         echo "No cert, will generate..."
 
         cd "$hscloud_root"
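Review bot: The new argument check `if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then` tests whether `$3` names an executable file, not whether it is empty, so a call with no subject passes the usage guard and only fails later at the remote `openssl req ... -subj ''`; the test should be `[ -z "$3" ]`, and the same condition is repeated in hscloud-node-shared-cert in the second hunk. The subject is now caller-supplied and spliced verbatim into the single-quoted `-subj '${subj}'` of the remote command in the second hunk, so a `'` in it would terminate that argument on the node and any other quote character lands in the certificate; rejecting `'` in `$subj` next to the usage check would make that explicit. In the callers added in the second hunk the subject strings use `CN=\"$fqdn\"` inside a double-quoted string, which puts literal `"` characters into the CN (the removed line's `CN="$fqdn"` did not), and for `system:node:\"$fqdn\"` that presumably no longer matches the node name the API server expects — `CN=${fqdn}` is enough. The body of hscloud-node-remote-cert continues past the end of this hunk.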
@@ -55,14 +59,79 @@
         ca="$secrets/plain/ca.key"
         [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
 
-        ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/node.key -out /opt/hscloud/node.csr -subj '/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN="$fqdn"'\""
-        scp root@$fqdn:/opt/hscloud/node.csr .
-        openssl x509 -req -in node.csr -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "data/${fqdn}.crt"
+        ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}'\""
+        scp root@$fqdn:/opt/hscloud/${certname}.csr ${fqdn}-${certname}.csr
+        openssl x509 -req -in ${fqdn}-${certname}.csr -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "data/${fqdn}-${certname}.crt"
 
-        scp "data/${fqdn}.crt" root@$fqdn:/opt/hscloud/node.crt
+        scp "data/${fqdn}-${certname}.crt" root@$fqdn:/opt/hscloud/${certname}.crt
         scp "data/ca.crt" root@$fqdn:/opt/hscloud/ca.crt
-        ssh root@$fqdn -- chmod 444 /opt/hscloud/node.crt /opt/hscloud/ca.crt
-        rm node.csr
+        ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt /opt/hscloud/ca.crt
+        rm ${fqdn}-${certname}.csr
+    )
+}
+
+# Generate locally (if not present) a shared certificate, and upload it to the node
+hscloud-node-shared-cert() {
+    (
+        set -e
+        if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
+            echo >&2 "Usage: hscloud-node-shared-cert node.fqdn.com certname subj"
+            exit 1
+        fi
+        fqdn="$1"
+        certname="$2"
+        subj="$3"
+
+        cd "$hscloud_root"
+        secrets="$hscloud_root/secrets"
+        keyfile="$secrets/$certname.key"
+        cert="$hscloud_root/data/$certname.crt"
+        csr="$hscloud_root/data/$certname.csr"
+        ca="$secrets/plain/ca.key"
+        [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
+
+        echo "Checking if key exists..."
+        if [ ! -f "$keyfile" ]; then
+            echo "No key, trying to decrypt..."
+            if ! scripts/secretstore decrypt "$secrets/cipher/$certname.key" > "$keyfile" ; then
+                echo "No encrypted key, generating..."
+                openssl genrsa -out $keyfile 4096
+                echo "Encrypting..."
+                scripts/secretstore encrypt "$keyfile" > "$secrets/cipher/$certname.key"
+            fi
+        fi
+
+        echo "Checking if cert exists..."
+        if [ ! -f "$cert" ]; then
+            echo "No cert, generating..."
+            rm -f "${csr}"
+            openssl req -new -key "${keyfile}" -out "${csr}" -subj "${subj}"
+            openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
+        fi
+
+        echo "Copying certificate to node..."
+        scp "${cert}" root@$fqdn:/opt/hscloud/${certname}.crt
+        scp "${keyfile}" root@$fqdn:/opt/hscloud/${certname}.key
+        ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt
+        ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
+    )
+}
+
+hscloud-node-certs() {
+    (
+        set -e
+            
+        if [ -z "$1" ]; then
+            echo >&2 "Usage: hscloud-node-certs node.fqdn.com"
+            exit 1
+        fi
+        fqdn="$1"
+
+        hscloud-node-remote-cert ${fqdn} node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=\"$fqdn\""
+        hscloud-node-remote-cert ${fqdn} kube-node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:nodes/OU=Kubernetes Node Certificate/CN=system:node:\"$fqdn\""
+        for component in controller-manager proxy scheduler; do
+            hscloud-node-shared-cert ${fqdn} kube-${component} "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:kube-${component}/OU=Kubernetes Component ${component}/CN=system:kube-${component}"
+        done
     )
 }