We also set --trust-model=always, as we explicitly ship GPG
fingerprints, so there's no need to rely on GPG's web of trust
shenanigans.

Change-Id: If2976130315c044f1d1727c61a6f6d489c876a52

This kills two birds with one stone:
- update the secretstore tool to be slightly smarter about secrets, to
  the point where we can now just point it at a secret directory and
  ask it to 'sync' all secrets in there
- runs the new fancy sync command on all keys to update them, which
  is a follow-up to gerrit/328.

Change-Id: I0eec4a3e8afcd9481b0b248154983aac25657c40

cz2's key has expired. Removing it for now as there's no easy way to
force gpg to encrypt content for expired keys.

Change-Id: Ib27b9a09385fcead1ba2d48ebf45426038d8b647

This pretty large change does the following:
- moves nix from bootstrap.hswaw.net to nix/
- changes clustercfg to use cfssl and moves it to cluster/clustercfg
- changes clustercfg to source information about target location of
  certs from nix
- changes clustercfg to push nix config
- changes tls certs to have more than one CA
- recalculates all TLS certs
  (it keeps the old serviceaccounts key, otherwise we end up with
  invalid serviceaccounts - the cert doesn't match, but who cares,
  it's not used anyway)