cluster/certs: remove old kube CA

This completes the migration away from the old CA/cert infrastructure. The tool which was used to generate all these certs will come next. It's effectively a reimplementation of clustercfg in Go. We also removed the unused kube-serviceaccounts cert, which was generated by the old tooling for no good reason (we only need a key for service accounts, not an actual cert...). Change-Id: Ied9e5d8fc90c64a6b4b9fdd20c33981410c884b4 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1501 Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 13:50:02 +00:00 · 2023-04-01 13:50:02 +00:00 · 9251121fa9
parent bdf2fa326f
commit 9251121fa9
9 changed files with 52 additions and 218 deletions
--- a/cluster/certs/ca-kube-new-and-old.crt
+++ b/cluster/certs/ca-kube-new-and-old.crt
@ -1,33 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIBZTCCARegAwIBAgIQH2KNL4wIPawUN1HO9EPCejAFBgMrZXAwHTEbMBkGA1UE
-AxMSa3ViZXJuZXRlcyBtYWluIENBMCAXDTIzMDMzMTEyNTI0M1oYDzk5OTkxMjMx
-MjM1OTU5WjAdMRswGQYDVQQDExJrdWJlcm5ldGVzIG1haW4gQ0EwKjAFBgMrZXAD
-IQAqZ7QDUNbcC3XL6jiyL4yEb2CpZJKq4qEPXSNnZ+HdaqNrMGkwDgYDVR0PAQH/
-BAQDAgGGMCcGA1UdJQQgMB4GCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYBBQUHAwkw
-DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUycQ+wTWsc0lNe+5ixgJAxIOccw8w
-BQYDK2VwA0EAFTrB2XCpWLOAFbwNzHXM8suamZweWX3YNPyEYeRKJO2f/tEuqcq3
-+S29scjKwxjnnX0eLephWLyFrbIxzh3bAA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIID2DCCAsCgAwIBAgIUfa+oMG9sYHFeuhBgb8wSWHJ7ozUwDQYJKoZIhvcNAQEL
-BQAwgYMxCzAJBgNVBAYTAlBMMRQwEgYDVQQIEwtNYXpvd2llY2tpZTEPMA0GA1UE
-BxMGV2Fyc2F3MRswGQYDVQQKExJXYXJzYXcgSGFja2Vyc3BhY2UxEzARBgNVBAsT
-CmNsdXN0ZXJjZmcxGzAZBgNVBAMTEmt1YmVybmV0ZXMgbWFpbiBDQTAeFw0xOTA0
-MDYxNzU5MDBaFw0yNDA0MDQxNzU5MDBaMIGDMQswCQYDVQQGEwJQTDEUMBIGA1UE
-CBMLTWF6b3dpZWNraWUxDzANBgNVBAcTBldhcnNhdzEbMBkGA1UEChMSV2Fyc2F3
-IEhhY2tlcnNwYWNlMRMwEQYDVQQLEwpjbHVzdGVyY2ZnMRswGQYDVQQDExJrdWJl
-cm5ldGVzIG1haW4gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7
-YfhSQTCObcBQrKrb7lhmSKUDqkcBlMxrC1Xx9IUWKpAj8+5evRA/vA1dVss8x75+
-g+6BWCPDJDm51b5KScvRdKZ8ARZOCwiXEDdw/BJUAO/uan3US9Qj6jpV/m3bsMz4
-adGDthA74y5//tD6CVBtMrVjRtpYkO0p4fzPOwNXTCXzDEVFApxoSF3MMmYDViFh
-X/qM/brgK3mh4ZouyPXx6QaL+DCYBu/YKg049Ev3z3NiK1P/t0VeBkvImKurf2Fa
-A27yZ+RsoI8OepN6EL6WsYhQhCSwD+oxB1mMlJkaB/zkVyM+YOro37ugkKgoHhhh
-nCOVyDXJpHa0EGTMMbQDAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
-Af8EBTADAQH/MB0GA1UdDgQWBBSYMl0OTzMe+wnpiSQTFkJqgNGZ0DANBgkqhkiG
-9w0BAQsFAAOCAQEAIhXBmcWgf/5cO+FAPnYoEi3QoG+EhB5j4wSyKJE+qedV4ogP
-YjztG1BbNAn7Zm6zarJ2JVRjfS56noRj5pvRDBTysLBjirpmsw/v/+/GMSfy1yJA
-0x2OLa8SDh01+hjchaxsjfDCmB11X/HZrGu7QvqQQa7KBFyGriWqXMNMaHXk9gfJ
-Wmz7aVEP0xhksVIml4ShuQqf1C1y1ut7FXfJUPppnvrfjSvR7p6zQgJ+5VAh+k9p
-NBnIrkplq0gGUSgeTu+BMMRS2/AxmSnfvsqvx52mnypWn7fUG+b6IASOesVv1hry
-TgHlXjl3Dv5hQ6//pWi+rgD8wT7OLkLf/ekVvQ==
-----END CERTIFICATE-----
--- a/cluster/certs/ca-kube-new.crt
+++ b/cluster/certs/ca-kube-new.crt
@ -1,10 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIBZTCCARegAwIBAgIQH2KNL4wIPawUN1HO9EPCejAFBgMrZXAwHTEbMBkGA1UE
-AxMSa3ViZXJuZXRlcyBtYWluIENBMCAXDTIzMDMzMTEyNTI0M1oYDzk5OTkxMjMx
-MjM1OTU5WjAdMRswGQYDVQQDExJrdWJlcm5ldGVzIG1haW4gQ0EwKjAFBgMrZXAD
-IQAqZ7QDUNbcC3XL6jiyL4yEb2CpZJKq4qEPXSNnZ+HdaqNrMGkwDgYDVR0PAQH/
-BAQDAgGGMCcGA1UdJQQgMB4GCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYBBQUHAwkw
-DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUycQ+wTWsc0lNe+5ixgJAxIOccw8w
-BQYDK2VwA0EAFTrB2XCpWLOAFbwNzHXM8suamZweWX3YNPyEYeRKJO2f/tEuqcq3
-+S29scjKwxjnnX0eLephWLyFrbIxzh3bAA==
-----END CERTIFICATE-----
--- a/cluster/certs/ca-kube.crt
+++ b/cluster/certs/ca-kube.crt
@ -1,23 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIID2DCCAsCgAwIBAgIUfa+oMG9sYHFeuhBgb8wSWHJ7ozUwDQYJKoZIhvcNAQEL
-BQAwgYMxCzAJBgNVBAYTAlBMMRQwEgYDVQQIEwtNYXpvd2llY2tpZTEPMA0GA1UE
-BxMGV2Fyc2F3MRswGQYDVQQKExJXYXJzYXcgSGFja2Vyc3BhY2UxEzARBgNVBAsT
-CmNsdXN0ZXJjZmcxGzAZBgNVBAMTEmt1YmVybmV0ZXMgbWFpbiBDQTAeFw0xOTA0
-MDYxNzU5MDBaFw0yNDA0MDQxNzU5MDBaMIGDMQswCQYDVQQGEwJQTDEUMBIGA1UE
-CBMLTWF6b3dpZWNraWUxDzANBgNVBAcTBldhcnNhdzEbMBkGA1UEChMSV2Fyc2F3
-IEhhY2tlcnNwYWNlMRMwEQYDVQQLEwpjbHVzdGVyY2ZnMRswGQYDVQQDExJrdWJl
-cm5ldGVzIG1haW4gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7
-YfhSQTCObcBQrKrb7lhmSKUDqkcBlMxrC1Xx9IUWKpAj8+5evRA/vA1dVss8x75+
-g+6BWCPDJDm51b5KScvRdKZ8ARZOCwiXEDdw/BJUAO/uan3US9Qj6jpV/m3bsMz4
-adGDthA74y5//tD6CVBtMrVjRtpYkO0p4fzPOwNXTCXzDEVFApxoSF3MMmYDViFh
-X/qM/brgK3mh4ZouyPXx6QaL+DCYBu/YKg049Ev3z3NiK1P/t0VeBkvImKurf2Fa
-A27yZ+RsoI8OepN6EL6WsYhQhCSwD+oxB1mMlJkaB/zkVyM+YOro37ugkKgoHhhh
-nCOVyDXJpHa0EGTMMbQDAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
-Af8EBTADAQH/MB0GA1UdDgQWBBSYMl0OTzMe+wnpiSQTFkJqgNGZ0DANBgkqhkiG
-9w0BAQsFAAOCAQEAIhXBmcWgf/5cO+FAPnYoEi3QoG+EhB5j4wSyKJE+qedV4ogP
-YjztG1BbNAn7Zm6zarJ2JVRjfS56noRj5pvRDBTysLBjirpmsw/v/+/GMSfy1yJA
-0x2OLa8SDh01+hjchaxsjfDCmB11X/HZrGu7QvqQQa7KBFyGriWqXMNMaHXk9gfJ
-Wmz7aVEP0xhksVIml4ShuQqf1C1y1ut7FXfJUPppnvrfjSvR7p6zQgJ+5VAh+k9p
-NBnIrkplq0gGUSgeTu+BMMRS2/AxmSnfvsqvx52mnypWn7fUG+b6IASOesVv1hry
-TgHlXjl3Dv5hQ6//pWi+rgD8wT7OLkLf/ekVvQ==
+MIIBZTCCARegAwIBAgIQH2KNL4wIPawUN1HO9EPCejAFBgMrZXAwHTEbMBkGA1UE
+AxMSa3ViZXJuZXRlcyBtYWluIENBMCAXDTIzMDMzMTEyNTI0M1oYDzk5OTkxMjMx
+MjM1OTU5WjAdMRswGQYDVQQDExJrdWJlcm5ldGVzIG1haW4gQ0EwKjAFBgMrZXAD
+IQAqZ7QDUNbcC3XL6jiyL4yEb2CpZJKq4qEPXSNnZ+HdaqNrMGkwDgYDVR0PAQH/
+BAQDAgGGMCcGA1UdJQQgMB4GCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYBBQUHAwkw
+DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUycQ+wTWsc0lNe+5ixgJAxIOccw8w
+BQYDK2VwA0EAFTrB2XCpWLOAFbwNzHXM8suamZweWX3YNPyEYeRKJO2f/tEuqcq3
+S29scjKwxjnnX0eLephWLyFrbIxzh3bAA==
 -----END CERTIFICATE-----
--- a/cluster/certs/kube-serviceaccounts.cert
+++ b/cluster/certs/kube-serviceaccounts.cert
@ -1,30 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIFKjCCBBKgAwIBAgIUKG3oH/n3UTBj+Wu2ojqjcvx5PIEwDQYJKoZIhvcNAQEL
-BQAwgYMxCzAJBgNVBAYTAlBMMRQwEgYDVQQIEwtNYXpvd2llY2tpZTEPMA0GA1UE
-BxMGV2Fyc2F3MRswGQYDVQQKExJXYXJzYXcgSGFja2Vyc3BhY2UxEzARBgNVBAsT
-CmNsdXN0ZXJjZmcxGzAZBgNVBAMTEmt1YmVybmV0ZXMgbWFpbiBDQTAeFw0yMjA0
-MDQxNjQ4MDBaFw0yMzA0MDQxNjQ4MDBaMHsxCzAJBgNVBAYTAlBMMRQwEgYDVQQI
-EwtNYXpvd2llY2tpZTEPMA0GA1UEBxMGV2Fyc2F3MSswKQYDVQQLEyJLdWJlcm5l
-dGVzIFNlcnZpY2UgQWNjb3VudHMgU2lnbmVyMRgwFgYDVQQDEw9zZXJ2aWNlYWNj
-b3VudHMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDFSCquXVjQANUN
-IIkGFgsgrCKxqF4gT1sxIcDnsoyncEXnsdqfYAn3yvi0iEZq0JwMkAhWI9k9oAV4
-DOW3hMBrqWZUjRnHPwUwoewvUwqCZyjOzhFSyy2E2iEq7yfrZkgxVVHIdUMoq179
-/jRRa8fk/oUmqiiQNWy//q6VX1ASX7elh4oKfwRMFwnf6vQO7WUm2wqlbYNHaGji
-XDMVuGUyx8XG/F0c1YrAQPIPx5vU6GVV+Qpdl38E/wDIUCS/RPml8M2Q5eBljo2P
-Xhr26tO2OQuOu5UBvzg4e7k1rEKsMlwQSATB2PIVyLNQrWN6zUuI2pV2OUE6Oreh
-ZI6qpZ3eo+QJi496QriZeZ6tLnzoPPaw9QIJG03Si25PjT7p1ULEx7EQ2OOcBBXj
-UoQF1KDkqoqJ5GEqA2ie/U9FhobFUaQpqiZsOWYG08u9oERzNnK+h057XjLsblod
-Bi4d2x+oLFi0q2V/zb6yts3jHicTEyAXCkOq3q6pFd7N8YUbSU5Og8Bgk6KzPoSb
-Klg6L8ttDwXXQRNl4/1CR6+17hFCECoKRVKvTeOX0O7Rl/raWpL5WmBZohpaDfQf
-VpRBONC4p9K73bnlK7P1E38DrrWO4kO7xrmGF0KuRXVCzBZngG+8dpHJMBg7CyH0
-Wv3ZmrcEgb0rRwWYj8LY71EQzO2D2QIDAQABo4GcMIGZMA4GA1UdDwEB/wQEAwIF
-oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd
-BgNVHQ4EFgQUliCshdOww6BLgNw1Cu+0XiqCpg8wHwYDVR0jBBgwFoAUmDJdDk8z
-HvsJ6YkkExZCaoDRmdAwGgYDVR0RBBMwEYIPc2VydmljZWFjY291bnRzMA0GCSqG
-SIb3DQEBCwUAA4IBAQB0TgFEGt81zI2+XyWta2qR3PiDdwEaQ6OxIqfNqhEmu7M0
-+wcg6NQG9/X1KBlb/5/hOsqXLG0GIh9bd2e6owvI09iraZt3LaHopP7YuvNyh2g/
-ZrPKyGxz9WAOknqeyO3fqqw8ILAKQSX89XWD4USJDFS+i6vEAnJLvezp0Z2A3k2B
-bG/pROkAceJDZd70X0wsZwv5waRK9lYp4zusx19sQFBhQg1YWBzZwXbS8ix4oxsh
-vDaECT4dldtFIt+JaYX3ZKjIpqnDD2byNKiKuECZX9D3CISEQJ7LE/jxgXGrw3vt
-uOrngO061LXvLBOn/L39KmX2Yx0iJayDLKsHvqAR
-----END CERTIFICATE-----
--- a/cluster/machines/modules/kube-common.nix
+++ b/cluster/machines/modules/kube-common.nix
@ -86,9 +86,7 @@ in {
      # We do not use any nixpkgs predefined roles for k8s. Instead, we enable
      # k8s components manually.
      roles = [];
-      # TODO(q3k): undo after CA migration done
-      #caFile = cfg.pki.kube.apiserver.ca;
-      caFile = ../../certs/ca-kube-new-and-old.crt;
+      caFile = cfg.pki.kube.apiserver.ca;
      clusterCidr = "10.10.16.0/20";
      addons.dns.enable = false;
    };
--- a/cluster/machines/modules/kube-controlplane.nix
+++ b/cluster/machines/modules/kube-controlplane.nix
@ -82,8 +82,7 @@ in {
      # k8s components manually.
      roles = [];
      addons.dns.enable = false;
-      # TODO(q3k): undo after CA migration done
-      #caFile = pki.kube.apiserver.ca;
+      caFile = pki.kube.apiserver.ca;
      clusterCidr = "10.10.16.0/20";

      apiserver = rec {
@ -103,15 +102,11 @@ in {

        tlsCertFile = pki.kube.apiserver.cert;
        tlsKeyFile = pki.kube.apiserver.key;
-        # TODO(q3k): undo after CA migration done
-        #clientCaFile = pki.kube.apiserver.ca;
-        clientCaFile = ../../certs/ca-kube-new-and-old.crt;
+        clientCaFile = pki.kube.apiserver.ca;

        kubeletHttps = true;
        # Same CA as main APIServer CA.
-        # TODO(q3k): undo after CA migration done
-        #kubeletClientCaFile = pki.kube.apiserver.ca;
-        kubeletClientCaFile = ../../certs/ca-kube-new-and-old.crt;
+        kubeletClientCaFile = pki.kube.apiserver.ca;
        kubeletClientCertFile = pki.kube.apiserver.cert;
        kubeletClientKeyFile = pki.kube.apiserver.key;

@ -150,24 +145,19 @@ in {
        leaderElect = true;
        serviceAccountKeyFile = pki.kube.serviceaccounts.key;
        rootCaFile = pki.kube.ca;
-        # TODO(q3k): undo after CA migration done 
        extraOpts = ''
          --service-cluster-ip-range=10.10.12.0/24 \
          --use-service-account-credentials=true \
          --secure-port=${toString cfg.portControllerManagerSecure}\
          --authentication-kubeconfig=${kubeconfig}\
          --authorization-kubeconfig=${kubeconfig}\
-          --root-ca-file=${../../certs/ca-kube-new-and-old.crt}\
        '';
        kubeconfig = pki.kube.controllermanager.config;
      };

      scheduler = let
        top = config.services.kubernetes;
-        # TODO(q3k): undo after CA migration done 
-        kubeconfig = top.lib.mkKubeConfig "scheduler" (pki.kube.scheduler.config //  {
-          ca = ../../certs/ca-kube-new-and-old.crt;
-        });
+        kubeconfig = top.lib.mkKubeConfig "scheduler" pki.kube.scheduler.config;
      in {
        enable = true;
        address = "0.0.0.0";
--- a/cluster/machines/modules/kube-dataplane.nix
+++ b/cluster/machines/modules/kube-dataplane.nix
@ -72,9 +72,7 @@ in {
        hostname = fqdn;
        tlsCertFile = pki.kube.kubelet.cert;
        tlsKeyFile = pki.kube.kubelet.key;
-        # TODO(q3k): undo after CA migration done
-        #clientCaFile = pki.kube.kubelet.ca;
-        clientCaFile = ../../certs/ca-kube-new-and-old.crt;
+        clientCaFile = pki.kube.kubelet.ca;
        nodeIp = config.hscloud.base.ipAddr;
        networkPlugin = "cni";
        clusterDns = "10.10.12.254";
--- a/cluster/secrets/cipher/ca-kube-new.key
+++ b/cluster/secrets/cipher/ca-kube-new.key
@ -1,41 +0,0 @@
-----BEGIN PGP MESSAGE-----
-
-hQEMAzhuiT4RC8VbAQgAsZHQ4swKPDSXEpnsvc1xrNI73LnD5gtey6Nf3WJ6bk60
-VYpaaX0s79oLmJZe8p64LOJvQO/MIm6kLXLrCQmEKGXbukh0ehVbvMcUtZplWu9T
-GqYsbSrGre/QR0HcvIGsid9Mh+R5/87YsBz4n8YW/jy0Q3DczmhKbiEYnvx4/tg3
-qiUgInjCuxblsn0AjgA1sq8Im8IFgaUQ7tCZoAuPbqxJ3KiW+MlmvARjH8WTKDQU
-+RJSvJVESSqBdOjwQX0TKkAhUJaaoDXDvgOBYsv3FTd4P2NpJZM2hjQ2VYCNsaQi
-HF0maBDfeWs7Hdq57XTolJxQfHKE87hRCTkYPF5ufYUBDANcG2tp6fXqvgEH/i6u
-qwKYtT2mNbDUSj2bySDXJERE1qPKlz+F7rO0aXqo/0q60vQ2RjfBVDxtlTBDBbYf
-cKuIOIQSslPLQjRxYSKzSDvKxNox5pY8wI/3DttZEYzMAEui/U/ch/sCKE7hGBrh
-HPDv9t0zgm605+gRNlJE3oZTFB5fDg2kxWOmhIXT70wdXP1jLM2MR8RC8y5N3s2D
-1BgpclfpA+3lrCx9W0AS7w1uPCQT781diNH7zF8GLPqcmD21FIaelxsKl2PLeoVU
-mZHYYb4S3NIgkBO8MGQcKnFeCJpH0gRtSlKnhLuWfDV4Fxnbs8WjXD5bm6OEv62t
-BIBTS3Q1hKkfdQXDjoSFAgwDodoT8VqRl4UBEAC0bsxhdfMcxLu5LVEsmAxxRTaB
-jWcow08Oghq6LdQElhFMlfGLioaaAWKaTdutYl1XHGOjKcrLmX1HQqLgGt1s+YI3
-Fj9UpgGpuGYx1GuJKNSuGVOxeGPma0bxrDDnDxqXUEXZysSKLi/Tiy6Q2gQpczwt
-ApN0Pcvv9sg6oF1OX6WrlknxRnc9BGulDQ5a2rAybc+YxhrZr8ynpkAzYZ0a3ZlC
-oE/3cH7NOiJY/xPaWxodkYz5Yo94OPKbVtWhRA3BoM5BPnOeKXk3VqxEsSv4r/K+
-kbY/Yt1hZSt5RVbqP+2PpOwgcI1IHV08aI1Dk1IgSVLaIgerfPqyxSD1z/pMJSLW
-fKCiLsxB2MQ4HLFAfe3xOm4eTdDtJerLGEKonaJHwlgITy14iPF7t9fZXu5ixbIZ
-snv21Bf3Iu/H3PdC3uq4hklAL7slb/GAdPA4b3My0kIyhBghGV8JcUeOsBg76iLE
-HWKJQhwlRf/eZP/POwCUu+aalPQQ5DiK1KvfS6Ed1k+sjrHzoXHlmBl0keRmSDMz
-/taAzQmgKLTel7nBFrCll/T8Z+A9/DKsnh6BsH4aXNDB+khM4iCkjVQ+iMnRMQyU
-969hvVUZ5AA0h3nUq4OhKUrtPayiSodmMh+oZybQ26N0TEmL9osSPQR3z6m/R275
-q27IGQUkUSZ2X+H5V4UCDAPiA8lOXOuz7wEP/0z3g6hJ2VGUV3071ZT3Yv91Xksy
-bZpkQBYOIY79A623CbxtUMq23Ddq2Gk4QzutSjNO/cxtm90bmVqMkR6nmkfNW5UJ
-eh/Tn+qC4sWnHEKBoi+Sldurwnhg4egA5gcxMXyuh8uzboMcuVhXySPLbEKPAmVB
-IYZHsyyl4Mjv30Y80NICoIuXQxdQQcliVP4EgVv7UTfI6ENNQWtVwwTF0pcjssOG
-5EvBN/hINsYDB+jQxqQykfp7h3jfYPqv9VcH4a0JXTD6gXIlEdbNYMverU+cXAqO
-S+9oVCgXb4a9z3tV44fJ4NCEfk2ifIo65D80WEqPfvgsLMgdcU5l+CARG+XQ68HN
-//XnaVhANVoxSlOIW/1kmWGGQSDgcaFXeG+gkeC8ZqMhA/MnkQQ6FJmdI5AXhy6R
-P3AIq63OWW0wjvDYsbt85anK0n1LQOpH8UWjoQuCOIlAswOU7td3aPi1UaYofoDD
-m4tAzHAzuLIuRu4SdmV+m18GYKvN1bxf/xCdaG7RROgQ5y6asr5UMpwQBhJOGH/b
-+y0JOeGDGMCOAxzNtTI8ehIcw+dWK4Yw8WNpbvaii7/r+9YA6arIrdPMoIsJRlUc
-GeFZTHCMQi+ZRO+BjF8Rk2X4CIdQ5+DgZp4OY5SR4ssYvUEcJrBOCVHU9l+FA+hS
-V7JKcpgk7R/9adWo0qkBcD4R3suCEZX2TsjdIql96LQ9DvodF9zImoHoPjxF/bq2
-bws2vxSuBTYZkhJP04mHtFaZ1LyUYcUZHd5WLqLdHRv+bb1QqoGI/zgX+TY9OiAX
-r5KDY1V3nyz3vzsufa4qRq+llOj6xyIT+4T0Qxj9SxTYVTWuwuXHWOHwElRe9gOU
-x7LvRgwV7skQU64ASXhmj2ktQAU7IqxeUij15jDjxIMuT+S5Y5xG
-=iO70
-----END PGP MESSAGE-----
--- a/cluster/secrets/cipher/ca-kube.key
+++ b/cluster/secrets/cipher/ca-kube.key
@ -1,66 +1,41 @@
 -----BEGIN PGP MESSAGE-----

-hQEMAzhuiT4RC8VbAQf/TfFp59dCH1CMzBfcHVE2O6TGsFcT+PSxXfi6Z+0yXhLq
-WgVgg45T7C/LmHJrTLJ2W+xkN0TRjs+xNu5icgNqnISU/xcTqx78PZKWi+ueY1GU
-EFN5utl3o4nh8wXHBXOGf7FwxCHJMKCL6+B0+7vF/Uz1oViiEsVKpW2vc1uvmzg5
-sfoLzFwAne1J6PPc8VSAuoKVEdZNDwB9iR1MkBjD5KMeKd6bx7xZR+1J4Q8EzGKr
-MDuihWn+DxsFGnKSGnD45iCC5v2+6Fa1OqXfoElVrZCHRIWIyuVSCxxomRxKGwET
-eFUi2881Mta6Tr7ivpW2/oztFGnGBg50hetCfUPV/oUBDANcG2tp6fXqvgEH/0d6
-1H6R6PmaRIhvvbsDHpfbdTfKhPaiSjEogm8riarevG8O27sIlA/ADM6Xl8tSKrsj
-wgK5NwI1yj0SnTCB5Qw8OsWP1k3TK0j03zPIbl5I2l/RwVWNGUYxQhS6V7fiwHwG
-M/TYxLW4bHhgh5jHwuHftkWjqVKwd5eHS94xGcM6eaaecFIB0hWHLpZAl/bmznBg
-HGMXWFlNEGjn6zsiO7pjjCSO4owyCuKL66nTO//ZQfzqY41FM4M3CQ/Y1ONEo4EO
-ltWk5IX3v/H4sceRct5L2OC1jMNms02YkSNv7tx+RL67FMX/2Kt7LZXhWBow7skO
-QlbHERvH8cEGK42CuQKFAgwDodoT8VqRl4UBD/9bLewyuE9USPiDGfyVIs9bfo9A
-DKNwHYL68TeX+y4Jcb8HhmJGzBHjL7M7pedS7efbCizH1ifHqRXfdoeU1zETt6wv
-OZ4xKo19NZxoYTht5BfOBbP6FloVikWxrW0Cs4S+ejCnofYcBugSuqaIHJTzIq2P
-XBi6B1vqrm4M8lr2tJM1oGOnv6QIG8YUYMpvFU/SsX5bGXToq+R+lfwQJ6Oc3uZx
-ILPvKOTnNtrwl7/oyZNqs1k9jlDtiaLTC/0ADZxBcktWD0xxZVoUP9iTUEjqHB4j
-kEhHmq57qksFOnSmCv6Qee+ctIdegtlojMRiX/neP04qOR8uLXhVogw/wlQtScp0
-hP8ekCBaTj+mU1U6N6JCyiGt3u0INMUp2nAHhEoAeDZsYHGfZO1gTjimNcelG8lb
-wjkZcYV02m+s6ybczgB9p7n9F6dgNyVrWEjNoaoUYrlLoGauzIQOqESF+M5wMHKL
-4DDTs255+YnsfeNXCkNiC/b/r7vpHQlQBfs3l3yMIeGSxsdHmsOppR+Ub3ukZADq
-uPMoKKWgGObBCFQ9Myk6ccAfSl0/AcCGo5JwEj2B3F1LbeKP4GKMKLzBPhawo0dX
-KjtvD4bYAzBOZpgJHygUJYE3X5LjkSFZnQQ1CI1bro2iuMojoVzMMQomHAUzv8Wn
-Tlap8tJS6S6Fc7qhSIUCDAPiA8lOXOuz7wEP/0JHntyM6EfDWkbNfMeGiVrAzHtA
-mmzE8sgSPn1ysLXzIvaejhUnzG1yZ2FrK7xXVI++64L14bTEWArTts9YEb+eLCqe
-IpbSVGCQhOtux0WlaCQElYA7sSgmesAvpojjvo/J0cZE6mWhjScDh6+O9FOsGbxU
-f597Nhk/aJlZhFicn3XP6Pqpo6PT1FkOQPKnjHj1w2z9OMdPA/CuTkcVGcxPKAFe
-/mL8TYJBvOqPvj0MGOWH8U6AiJ9ziywgaMl732/lf0/KoK76tc2V0Gf7Qh9TOWAH
-MdWK2SiY7R7NP3UKWoQX1ZYANfUfMsOJX2lDdq4xJ7KOpPQGvh5c05jHkGhouYTt
-M3AA7ek59OGIyOH/oeawfY8KZHrWpEwOD2+tBjhG9bwWnC7vmULtnPQxpe9mw3fU
-qShNrjl6FmuahGA79MjJnahJZH9+j08Kv+Ho4fqN+EPAtNas1xc85njpw9gH6NnK
-O9jfYKrH8dLmUI9HZyg1Zf2CDarI0KJvlPyZ/iiXvXZ5lK1XWxsiVBBDyyL3R59D
-TxM/DjIqZ+zV9V4uwJUEeTGmVfMGLEsPyaLmzBNHaFVLtxnk/sFFPyNWdhCgxk2o
-Qnd8TMoe8xtWX9RIj5UmS5lgjWeigSthrCBMoTIi4o248uE8mX8JxQVgbkd2iima
-eQXgNHF5EFhjlGu30uoBEIPl7rh9m2uoXgCUoPFaiYVWlDW3PRDfzLWXkIL5DhZ0
-AKvDtILdAghTRXG+lUlf/52jsSwt+cKW6kd26SfGAx+NNoU9zMw3yg59QlL6b0Mj
-MP29EC4ZJOsMzWpBQVEKkyl7KBfpUIyeqjzgqeXyOkKfCf+oRMsGQ9uQUHBU8gV1
-lm4hXz7QnY8rdtuerI8RVl+T54HKGCvF9J50PUmEH/uP5vi9W1vnnUy6zq6II5eN
-gLRpPXO0e79YkA+058DRhagr1HKhHjRU/jnb2S2X5jyAwdJvH3y8B55jocGtb+MY
-qWU+ApVUaQRC0T5vfdsvrdmLSma1+hFA5a++moppZ4IjlX9++wr4iCvuXyb4j03U
-TlYuswv5r91xR8bcVJ7gOVeYSBa8/x9B6Eac5xnMRrseVcU8H7nr4HMd+K1p6ZuV
-ysU/jNjlLlFebaPZiCibwAimOccM1GfDDM5IuHcebUV4YwTySLB9fniA9TIbSOTX
-BeepXKqsKdUsWGALb9lGNYwfFF74e/no9uPbFBFyHpS1cbHVE6SoXMu12D/Audft
-AYd9vep3XNH0nbJQhyUsVvyHGxgvzNNmfzSIEkMbbpjhbm2Gw7InAcmaqe/gTfLZ
-G8rJaCjl0bShjnQq+3w/Tj8kap0VbPK2m2LESvT8m7C7c9KD/BCuhNyl9wHbmgMf
-aiyifLx5le/UIpgwZBZYM8eoUVJBsTpHGPoj/XTO7MONuh6vxFqs9PnxuPqaOOWm
-cNbMj0jukTnB7zGvLkKmGR/P+aDZyZJ8cadul+WSeXoMTRlH1pofeBUyYeC2sTLI
-mUbSfJR04CSMr+CWDorZ5AOqi8bTNQrepDcED6RhMPo53NF9xQdpZvcGTXIWG5ZI
-MO+z08YpH7gkKGAa0J1VCeGdAW5533n61TlD793Xk1NVvuvy3RpNpkiQtdcwmGGK
-JMfEtTtMVoaWxWB21TCUqTL0YZRCuJY4NPA1gF6w3bdxRhRpiudA2u7wVQ4WO8h7
-tTjcTNcOs+FKoZCqauupSDGyCIDQySLpjLB0+FlVJ7sK6x7ozpGQAHUfbSA/+fnZ
-lVzznDmda7MlLm+87oAQS4fQKx9RwQeoFJ9kQHyEvEYbIQuI23nmkLAZdDmII70q
-2+zTKDmTXD1cMQ6HuUtn7nUdjFCoMtpuMHU0m3fjrHlhJRfKIEJTPgc6wx1SuYft
-khkii1nRYTxnCL+BeVWGfWJZtylzK2bVEQy1S//2EclCMnoYCde5A0n+o85YfHp4
-KYHMKYGHbnWgKSGtlKP3C5tN9q1dDq2i+QtTJL3UIEfHsV+qQvHAqaOqvLnxJuYI
-LIkr/vspDKtdUdEmVIiytLTJ+8XrmdLoe1ANCDIowJeicOiSloLtCbS4v+/9IcmG
-szrbef3Lg0UvA+4oK1pmWGZKlnwE1pojOCoUm0Al7DvEV62pp3yy032EEMTdYJK0
-A5/9hOX0jw8eAm2ebdT3A7V6KkWL1IEgDC4B8ZFAHPQgTpBe/gj2gO0lslj3WOyh
-cnUsIKd8wwZbw5zutRuxrAf5MujbS+Jra6J3em0wbx0sho2E110WntB6h77WxJ44
-FGPt3Yp78ORIvM59UCu9xL0VdJgj4UptG9mYn9fJ+BGuvDejeSD+EfDZvIE98hVL
-a2/MmiGKD0gFQRcTHCAROLnTvJikcsdAXXxzAip7Lo/0eKq1e3gZPWhMfnoohBeH
-SaktcJAfsh7eIsjV01iOC6lfDEmtPUBYrv8k4a8TGE3BPfsmJ5juIEWw/CRhd2ys
-zAP3sqFBMxvZEiEdKOgvgpqxJR5AMFyhguk3LcchOXz81joaLPVw
-=rrIB
+hQEMAzhuiT4RC8VbAQgAsZHQ4swKPDSXEpnsvc1xrNI73LnD5gtey6Nf3WJ6bk60
+VYpaaX0s79oLmJZe8p64LOJvQO/MIm6kLXLrCQmEKGXbukh0ehVbvMcUtZplWu9T
+GqYsbSrGre/QR0HcvIGsid9Mh+R5/87YsBz4n8YW/jy0Q3DczmhKbiEYnvx4/tg3
+qiUgInjCuxblsn0AjgA1sq8Im8IFgaUQ7tCZoAuPbqxJ3KiW+MlmvARjH8WTKDQU
+RJSvJVESSqBdOjwQX0TKkAhUJaaoDXDvgOBYsv3FTd4P2NpJZM2hjQ2VYCNsaQi
+HF0maBDfeWs7Hdq57XTolJxQfHKE87hRCTkYPF5ufYUBDANcG2tp6fXqvgEH/i6u
+qwKYtT2mNbDUSj2bySDXJERE1qPKlz+F7rO0aXqo/0q60vQ2RjfBVDxtlTBDBbYf
+cKuIOIQSslPLQjRxYSKzSDvKxNox5pY8wI/3DttZEYzMAEui/U/ch/sCKE7hGBrh
+HPDv9t0zgm605+gRNlJE3oZTFB5fDg2kxWOmhIXT70wdXP1jLM2MR8RC8y5N3s2D
+1BgpclfpA+3lrCx9W0AS7w1uPCQT781diNH7zF8GLPqcmD21FIaelxsKl2PLeoVU
+mZHYYb4S3NIgkBO8MGQcKnFeCJpH0gRtSlKnhLuWfDV4Fxnbs8WjXD5bm6OEv62t
+BIBTS3Q1hKkfdQXDjoSFAgwDodoT8VqRl4UBEAC0bsxhdfMcxLu5LVEsmAxxRTaB
+jWcow08Oghq6LdQElhFMlfGLioaaAWKaTdutYl1XHGOjKcrLmX1HQqLgGt1s+YI3
+Fj9UpgGpuGYx1GuJKNSuGVOxeGPma0bxrDDnDxqXUEXZysSKLi/Tiy6Q2gQpczwt
+ApN0Pcvv9sg6oF1OX6WrlknxRnc9BGulDQ5a2rAybc+YxhrZr8ynpkAzYZ0a3ZlC
+oE/3cH7NOiJY/xPaWxodkYz5Yo94OPKbVtWhRA3BoM5BPnOeKXk3VqxEsSv4r/K+
+kbY/Yt1hZSt5RVbqP+2PpOwgcI1IHV08aI1Dk1IgSVLaIgerfPqyxSD1z/pMJSLW
+fKCiLsxB2MQ4HLFAfe3xOm4eTdDtJerLGEKonaJHwlgITy14iPF7t9fZXu5ixbIZ
+snv21Bf3Iu/H3PdC3uq4hklAL7slb/GAdPA4b3My0kIyhBghGV8JcUeOsBg76iLE
+HWKJQhwlRf/eZP/POwCUu+aalPQQ5DiK1KvfS6Ed1k+sjrHzoXHlmBl0keRmSDMz
+/taAzQmgKLTel7nBFrCll/T8Z+A9/DKsnh6BsH4aXNDB+khM4iCkjVQ+iMnRMQyU
+969hvVUZ5AA0h3nUq4OhKUrtPayiSodmMh+oZybQ26N0TEmL9osSPQR3z6m/R275
+q27IGQUkUSZ2X+H5V4UCDAPiA8lOXOuz7wEP/0z3g6hJ2VGUV3071ZT3Yv91Xksy
+bZpkQBYOIY79A623CbxtUMq23Ddq2Gk4QzutSjNO/cxtm90bmVqMkR6nmkfNW5UJ
+eh/Tn+qC4sWnHEKBoi+Sldurwnhg4egA5gcxMXyuh8uzboMcuVhXySPLbEKPAmVB
+IYZHsyyl4Mjv30Y80NICoIuXQxdQQcliVP4EgVv7UTfI6ENNQWtVwwTF0pcjssOG
+5EvBN/hINsYDB+jQxqQykfp7h3jfYPqv9VcH4a0JXTD6gXIlEdbNYMverU+cXAqO
+S+9oVCgXb4a9z3tV44fJ4NCEfk2ifIo65D80WEqPfvgsLMgdcU5l+CARG+XQ68HN
+//XnaVhANVoxSlOIW/1kmWGGQSDgcaFXeG+gkeC8ZqMhA/MnkQQ6FJmdI5AXhy6R
+P3AIq63OWW0wjvDYsbt85anK0n1LQOpH8UWjoQuCOIlAswOU7td3aPi1UaYofoDD
+m4tAzHAzuLIuRu4SdmV+m18GYKvN1bxf/xCdaG7RROgQ5y6asr5UMpwQBhJOGH/b
+y0JOeGDGMCOAxzNtTI8ehIcw+dWK4Yw8WNpbvaii7/r+9YA6arIrdPMoIsJRlUc
+GeFZTHCMQi+ZRO+BjF8Rk2X4CIdQ5+DgZp4OY5SR4ssYvUEcJrBOCVHU9l+FA+hS
+V7JKcpgk7R/9adWo0qkBcD4R3suCEZX2TsjdIql96LQ9DvodF9zImoHoPjxF/bq2
+bws2vxSuBTYZkhJP04mHtFaZ1LyUYcUZHd5WLqLdHRv+bb1QqoGI/zgX+TY9OiAX
+r5KDY1V3nyz3vzsufa4qRq+llOj6xyIT+4T0Qxj9SxTYVTWuwuXHWOHwElRe9gOU
+x7LvRgwV7skQU64ASXhmj2ktQAU7IqxeUij15jDjxIMuT+S5Y5xG
+=iO70
 -----END PGP MESSAGE-----