*: rejigger tls certs and more This pretty large change does the following: - moves nix from bootstrap.hswaw.net to nix/ - changes clustercfg to use cfssl and moves it to cluster/clustercfg - changes clustercfg to source information about target location of certs from nix - changes clustercfg to push nix config - changes tls certs to have more than one CA - recalculates all TLS certs (it keeps the old serviceaccoutns key, otherwise we end up with invalid serviceaccounts - the cert doesn't match, but who cares, it's not used anyway)

commit: 73cef11c8534edeaab7763df1018c55b8afdd157 [log] [tgz]
author: Sergiusz Bazanski <q3k@q3k.org> Sun Apr 07 00:06:23 2019 +0200
committer: Sergiusz Bazanski <q3k@q3k.org> Sun Apr 07 00:06:23 2019 +0200
tree: 8d483998903ae47cf7e9467829071bbb8c5329a0
parent: 208f0058304f5c7a01d239d5bc58a78363982d6d [diff] [blame]
diff --git a/cluster/kube/lib/calico.libsonnet b/cluster/kube/lib/calico.libsonnet
index 8a12b0e..0e00ff7 100644
--- a/cluster/kube/lib/calico.libsonnet
+++ b/cluster/kube/lib/calico.libsonnet

@@ -30,9 +30,9 @@
             // TODO(q3k): Separate etcd for calico
             etcd: {
                 endpoints: ["https://bc01n%02d.hswaw.net:2379" % n for n in std.range(1, 3)],
-                ca: importstr "../../certs/ca.crt",
-                cert: importstr "../../certs/kube-calico.crt",
-                key: importstr "../../secrets/plain/kube-calico.key",
+                ca: importstr "../../certs/ca-etcd.crt",
+                cert: importstr "../../certs/etcd-calico.cert",
+                key: importstr "../../secrets/plain/etcd-calico.key",
             },
         },
commit	73cef11c8534edeaab7763df1018c55b8afdd157	[log] [tgz]
author	Sergiusz Bazanski <q3k@q3k.org>	Sun Apr 07 00:06:23 2019 +0200
committer	Sergiusz Bazanski <q3k@q3k.org>	Sun Apr 07 00:06:23 2019 +0200
tree	8d483998903ae47cf7e9467829071bbb8c5329a0
parent	208f0058304f5c7a01d239d5bc58a78363982d6d [diff] [blame]