diff --git a/ops/exports.nix b/ops/exports.nix
new file mode 100644
index 0000000..3356607
--- /dev/null
+++ b/ops/exports.nix
@@ -0,0 +1,14 @@
+{ hscloud, pkgs, hscloudForPkgs, ... }:
+
+{
+  # Used by clustercfg to figure out which machines need kube certs.
+  kubeMachineNames = let
+    isKubeMachine = n: value:
+      n != "__readTree" &&
+      (builtins.hasAttr "hscloud" value.options) &&
+      (builtins.hasAttr "kube" value.options.hscloud) &&
+      value.options.hscloud.kube.control.enable.value;
+    machines = pkgs.lib.filterAttrs isKubeMachine hscloud.ops.machines;
+    names = pkgs.lib.mapAttrsToList (name: _: name) machines;
+  in names;
+}
diff --git a/ops/monitoring/lib/cluster.libsonnet b/ops/monitoring/lib/cluster.libsonnet
index 00aa792..c742df0 100644
--- a/ops/monitoring/lib/cluster.libsonnet
+++ b/ops/monitoring/lib/cluster.libsonnet
@@ -75,7 +75,7 @@
                 //
                 // When contacting the API server, we hardcode the 'hswaw.net' DNS suffix as
                 // our API server's TLS certificate only has a CN/SAN for its full FQDN, not
-                // the .svc.cluster.local shorthand (see //cluster/clustercfg:clustercfg.py).
+                // the .svc.cluster.local shorthand (see //cluster/clustercfg).
                 local kubeScrapeNodeMetrics = function(name, path) kubeScrapeConfig(name, "node") {
                     relabel_configs: [
                         {