*: rejigger tls certs and more
This pretty large change does the following:
- moves nix from bootstrap.hswaw.net to nix/
- changes clustercfg to use cfssl and moves it to cluster/clustercfg
- changes clustercfg to source information about target location of
certs from nix
- changes clustercfg to push nix config
- changes tls certs to have more than one CA
- recalculates all TLS certs
(it keeps the old serviceaccounts key, otherwise we end up with
invalid serviceaccounts - the cert doesn't match, but who cares,
it's not used anyway)
diff --git a/cluster/README b/cluster/README
index 034a28c..4eeb6b7 100644
--- a/cluster/README
+++ b/cluster/README
@@ -8,14 +8,14 @@
There isn't yet a service for getting short-term user certificates. Instead, you'll have to get admin certificates:
- clustercfg admincreds $(whoami)-admin
+ bazel run //cluster/clustercfg:clustercfg admincreds $(whoami)-admin
kubectl get nodes
Provisioning nodes
------------------
- bring up a new node with nixos, running the configuration.nix from bootstrap (to be documented)
- - `clustercfg nodestrap bc01nXX.hswaw.net`
+ - `bazel run //cluster/clustercfg:clustercfg nodestrap bc01nXX.hswaw.net`
That's it!
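Review bot: the unchanged provisioning step just above the nodestrap line still reads "running the configuration.nix from bootstrap (to be documented)", but the commit message says nix moves from bootstrap.hswaw.net to nix/ and that clustercfg now pushes nix config. Update that step to point at nix/ and state whether the operator still applies configuration.nix by hand or whether nodestrap does it, so the README matches the new layout. Since the message also says all TLS certs are recalculated under more than one CA, a line in the admincreds paragraph telling users to re-run admincreds after this change would save people from debugging stale credentials.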