*: rejigger tls certs and more
This pretty large change does the following:
- moves nix from bootstrap.hswaw.net to nix/
- changes clustercfg to use cfssl and moves it to cluster/clustercfg
- changes clustercfg to source information about target location of
certs from nix
- changes clustercfg to push nix config
- changes tls certs to have more than one CA
- recalculates all TLS certs
(it keeps the old serviceaccounts key, otherwise we end up with
invalid serviceaccounts - the cert doesn't match, but who cares,
it's not used anyway)
diff --git a/cluster/kube/lib/calico.libsonnet b/cluster/kube/lib/calico.libsonnet
index 8a12b0e..0e00ff7 100644
--- a/cluster/kube/lib/calico.libsonnet
+++ b/cluster/kube/lib/calico.libsonnet
@@ -30,9 +30,9 @@
// TODO(q3k): Separate etcd for calico
etcd: {
endpoints: ["https://bc01n%02d.hswaw.net:2379" % n for n in std.range(1, 3)],
- ca: importstr "../../certs/ca.crt",
- cert: importstr "../../certs/kube-calico.crt",
- key: importstr "../../secrets/plain/kube-calico.key",
+ ca: importstr "../../certs/ca-etcd.crt",
+ cert: importstr "../../certs/etcd-calico.cert",
+ key: importstr "../../secrets/plain/etcd-calico.key",
},
},
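Review bot: the new `cert:` line imports `etcd-calico.cert`, while the CA beside it is `ca-etcd.crt` and the line it replaces used `kube-calico.crt`, so the client certificate is now the only file in this block with a `.cert` extension. If that is what the new clustercfg emits, a short comment saying so would help; if not, `importstr` will fail at evaluation on the missing path, and the name should be aligned with the `.crt` convention. Since the CA changes from `ca.crt` to `ca-etcd.crt` in the same hunk, it is also worth confirming that `etcd-calico.cert` is issued by that etcd CA and not by one of the other CAs this commit introduces. The `key:` line still reads from `secrets/plain/` via `importstr`, which inlines the private key into the evaluated output; a comment stating where that value ends up would make the handling easier to audit.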