*: rejigger tls certs and more
This pretty large change does the following:
- moves nix from bootstrap.hswaw.net to nix/
- changes clustercfg to use cfssl and moves it to cluster/clustercfg
- changes clustercfg to source information about target location of
certs from nix
- changes clustercfg to push nix config
- changes tls certs to have more than one CA
- recalculates all TLS certs
(it keeps the old serviceaccoutns key, otherwise we end up with
invalid serviceaccounts - the cert doesn't match, but who cares,
it's not used anyway)
diff --git a/cluster/certs/kube-proxy.cert b/cluster/certs/kube-proxy.cert
new file mode 100644
index 0000000..fe99d01
--- /dev/null
+++ b/cluster/certs/kube-proxy.cert
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFQzCCBCugAwIBAgIUZlYtttc6/gOrhyj8uQTG7hFz3powDQYJKoZIhvcNAQEL
+BQAwgYMxCzAJBgNVBAYTAlBMMRQwEgYDVQQIEwtNYXpvd2llY2tpZTEPMA0GA1UE
+BxMGV2Fyc2F3MRswGQYDVQQKExJXYXJzYXcgSGFja2Vyc3BhY2UxEzARBgNVBAsT
+CmNsdXN0ZXJjZmcxGzAZBgNVBAMTEmt1YmVybmV0ZXMgbWFpbiBDQTAeFw0xOTA0
+MDYyMDMwMDBaFw0yMDA0MDUyMDMwMDBaMIGRMQswCQYDVQQGEwJQTDEUMBIGA1UE
+CBMLTWF6b3dpZWNraWUxDzANBgNVBAcTBldhcnNhdzEaMBgGA1UEChMRc3lzdGVt
+Omt1YmUtcHJveHkxIzAhBgNVBAsTGkt1YmVybmV0ZXMgQ29tcG9uZW50IHByb3h5
+MRowGAYDVQQDExFzeXN0ZW06a3ViZS1wcm94eTCCAiIwDQYJKoZIhvcNAQEBBQAD
+ggIPADCCAgoCggIBAMeIGf/vIR7lkgd6Wz9vrllQiyhOIKT1IaZlTd4deG72V/eg
+XXVI/iRkn3fIyxPgtLICZldT/75uMolYYWn50/Y32HGrQJT4uvfpV4Bt1YVdRzPO
+81DTKnkKuvhD7BERPSfEhYdCXMp5f7pjurJnixU/CaIKtUoLMV33N6pEeCS5ctcV
+vK8WC6/34guIXbgdjDZmo1k5HIYAJwWxJEfgqLCcKpnZHk2A3ytWgTLuGzCLE+3w
+Bu6zcvTwdXaEgq7RC1bYUAe32l21whWrmVVLPcXjoNj4Mzh+kKQ38+FNJqSGRhDd
+96SpVId1Ii7H+Ydyim3lHbRwxjpJAS6DAzP3hFqGVQ8RO1Pns9kajRicywbf35YO
+qtowSJZPJx9uk05uKKn7tzHayBX+LPr9H272AvSkgnzS5kU0obLTCnJ9UgKUp4Pb
+13M/7iMoEOsKiSLiFroGSzMn7QGIFe9QewRCPKhYzmg2KEru2nJG4wdcYb5XwGwP
+HEZRGln33rJTttpysbTuvcb0/TcYZCwSaV2l5fp5gNPfy8erF8x2kSRO2/Gfqc1m
+dEtaBA0KzyIVsYFF1shDw+Fr/L/SbXI/HYL2kpPr6CuW3Bnl2yEbjhGROCHumwRQ
+dOltUzeRJ3RKImAI34ll+TJeOcsD3EMD/FwMssfgAAVtXl6PhRZB4t2NDyWXAgMB
+AAGjgZ4wgZswDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
+BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTn0MVsvuVE2ZiSJNZfEp6Q
+pb8u9jAfBgNVHSMEGDAWgBSYMl0OTzMe+wnpiSQTFkJqgNGZ0DAcBgNVHREEFTAT
+ghFzeXN0ZW06a3ViZS1wcm94eTANBgkqhkiG9w0BAQsFAAOCAQEAEsBVXPHfGVdL
+s2BDmbhArb98byrWGbSWyz008OaDt6LLrneUDIyiwJgBOxgyY5vPR9fz5qSJb3Ua
+/7NngHE4k3afKU8/OI/mrDHIwnHrKuKWNpYcpotzKbHhTBn0erptl+KJIGhiUgOW
+LTSvEG/0k5Kxrs737Eq9R0DsOe2vNiw+IerNUAyG0wwD+HbT6pEkE6gsD6k8Fkwc
+kO+JT2hs/e0bcaCb4PUMV8CMqe5sZKGOcr1foUP72GOpE7oZ4Madq2AuNZnm4RIo
+xJGAVfejo3JG5qWglk8Kl1qGl0Wn2yUqRp3ErMUY/7UFJSKazucfnZ3zic1Z4pB4
+3svHQJ+pdA==
+-----END CERTIFICATE-----