*: k0.hswaw.net somewhat working

README

@@ -0,0 +1,13 @@
+HSCloud
+=======
+
+This is a monorepo. You'll need bash and Bazel 0.20.0+ to use it.
+
+Getting started
+---------------
+
+    cd hscloud
+    . env.sh # setup PATH and hscloud_root
+    tools/install.sh # build tools
+
+    kubectl version

WORKSPACE

@@ -1,3 +1,25 @@
+# Python rules
+
+load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")
+
+git_repository(
+    name = "io_bazel_rules_python",
+    remote = "https://github.com/bazelbuild/rules_python.git",
+    commit = "ebd7adcbcafcc8abe3fd8e5b0e42e10ced1bfe27",
+)
+
+# Python dependencies
+
+load("@io_bazel_rules_python//python:pip.bzl", "pip_import")
+
+pip_import(
+   name = "py_deps",
+   requirements = "//:requirements.txt",
+)
+
+load("@py_deps//:requirements.bzl", "pip_install")
+pip_install()
+
 # Go rules
 
 http_archive(

cluster/README

@@ -0,0 +1,20 @@
+HSCloud Clusters
+================
+
+Current cluster: `k0.hswaw.net`
+
+Accessing via kubectl
+---------------------
+
+There isn't yet a service for getting short-term user certificates. Instead, you'll have to get admin certificates:
+
+    clustercfg admincreds $(whoami)-admin
+    kubectl get nodes
+
+Provisioning nodes
+------------------
+
+ - bring up a new node with nixos, running the configuration.nix from bootstrap (to be documented)
+ - `clustercfg nodestrap bc01nXX.hswaw.net`
+
+That's it!

cluster/certs/bc01n01.hswaw.net-kube-node.crt

@@ -1,34 +1,34 @@
 -----BEGIN CERTIFICATE-----
-MIIF+jCCA+KgAwIBAgIJAIDxP85du/ccMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+MIIF7zCCA9egAwIBAgIJAIDxP85du/cjMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
 VQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUxETAPBgNVBAcMCFdhcnN6YXdh
 MS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5pZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNl
 MRAwDgYDVQQLDAdoc2Nsb3VkMRowGAYDVQQDDBFCb290c3RyYXAgTm9kZSBDQTEh
-MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzAzMzA1
-OFoXDTE5MDIxMjAzMzA1OFowgZ4xCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
-d2llY2tpZTEUMBIGA1UEBwwLTWF6b3dpZWNraWUxFTATBgNVBAoMDHN5c3RlbTpu
-b2RlczEkMCIGA1UECwwbS3ViZXJuZXRlcyBOb2RlIENlcnRpZmljYXRlMSYwJAYD
-VQQDDB1zeXN0ZW06bm9kZTpiYzAxbjAxLmhzd2F3Lm5ldDCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAMmgCuw8NEbYDPAYxT+3RXKnr8tpKFam0UTIPEO5
-PZ63gEJHm5pdhlDbojKfNzWiSliUQ3qtxeFZfA5NLkdhwJesBPXOUcZkzNGIBces
-nmetfN2sakbUwTucCTjVDq5gAXQ5wlHGjMI7G9iddjF1DmvE+s2ewtCOa6nR1v7b
-Ltx7gmuxorq5FtWTnzeTLz+35savmz+5gQ4hTgEDVyne/BCJ+DeVynawgJ8LGGbg
-zpiyoQE3Fl0Aqy96J1uUOhpJ1r4XVv4H1vzmJclRJjx/m6QsJy9VPKUX382dQVgD
-98eVokg+BusblxW4+mY/WNv5a7N2L7h4ek4s2ocyVjUKBo67vipd0EbES0mHSOJe
-zwYU8lQ5QIRsnJkUocGcwGDZ4eLijdYDz++SqBsqwbziprpSw+m3Wyl0F6BCYLvH
-5l9tsMC569jEhQUZ64+NoN4dls6URO4IdtX4ZSONeydaxIfd51CVPyIviT0jlCto
-Ii3AkSbsNBZDR16T7e6b6zPaPEBnk1g1SbcVbGi1gIPyrU788m+QbDUo/E8m2WzQ
-ou9DlMgMEXJg3QMHJwqUiazNxL3OTSiw0p5d6cXzRA1+21l8TdGfzgnefSDapbBG
-RN5WjzW6Vx2lrEcG2Novf3Hlk4/rrHTc8/Sh4pdnGO2R3JWqG/UqbMForp8emuMk
-l6MBAgMBAAGjIDAeMBwGA1UdEQQVMBOCEWJjMDFuMDEuaHN3YXcubmV0MA0GCSqG
-SIb3DQEBCwUAA4ICAQA/ASwzUfjy0rQKbt2a3aheYLwF6ZUpuI6GSTElXiNfPSyh
-XpN6hWkrAetk2ReCxMHuvbNA2Bt6poKUURKOtfJGf1//a2qWeJTMwx3ALSJOrzfF
-18RIJK8zOkgr3LjjbqFQbeT/yAxyhTx5nOfbQA/dOfo2vOBb+4lrhGFheO4VvOQq
-1bcWWTE7rdQBhcIh3dYawKAE4UHHUPCOAPjbLyrAnvZCQXZXgAitExhue+l13rFZ
-ko0T8Il6rAf7eUWjJPfnBJHKGh2YXL2O3YgcJnPQs9EzmJKCjsaTEjA70sB/A4yY
-lc6ZeATT0iwnKcJYkRsu4gX8VwG9yYDk3vNUGorStdiqKFCGwHuTqmj0ArITNMLe
-Mo8FBeB3YzCd354roHATfWwRGMmu1xzZmOC/Yi8XGQwDYBmkKguEAayuqJnYiAVd
-H3tf5Xytj0LVWcWy2kb5Xl131JQe1cMb4Do9fvYM5H2e39bZorq7z6QjKK8IKdWU
-Q48ExHJ0HBclu34DE1orljxkD3seE7xziWgO2WfEYShaQgrl9U0VJBWQqnGvFj3c
-lCx8ZbDGZAhhvfYM5E+R16LPDZ3L9vt0ea/Lmhzg23GFQmfsD6fsw3CJPHOir5UC
-tSzRY23cl2Fc1FDnH9CXgBwEFIAjm4oJSkbEcXUvkDwqlWghvFue+uv/TvtkUg==
+MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzE5MzMx
+N1oXDTIwMDExMzE5MzMxN1owgZMxCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
+d2llY2tpZTERMA8GA1UEBwwIV2Fyc3phd2ExFTATBgNVBAoMDHN5c3RlbTpub2Rl
+czEcMBoGA1UECwwTS3ViZWxldCBDZXJ0aWZpY2F0ZTEmMCQGA1UEAwwdc3lzdGVt
+Om5vZGU6YmMwMW4wMS5oc3dhdy5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQDJoArsPDRG2AzwGMU/t0Vyp6/LaShWptFEyDxDuT2et4BCR5uaXYZQ
+26Iynzc1okpYlEN6rcXhWXwOTS5HYcCXrAT1zlHGZMzRiAXHrJ5nrXzdrGpG1ME7
+nAk41Q6uYAF0OcJRxozCOxvYnXYxdQ5rxPrNnsLQjmup0db+2y7ce4JrsaK6uRbV
+k583ky8/t+bGr5s/uYEOIU4BA1cp3vwQifg3lcp2sICfCxhm4M6YsqEBNxZdAKsv
+eidblDoaSda+F1b+B9b85iXJUSY8f5ukLCcvVTylF9/NnUFYA/fHlaJIPgbrG5cV
+uPpmP1jb+Wuzdi+4eHpOLNqHMlY1CgaOu74qXdBGxEtJh0jiXs8GFPJUOUCEbJyZ
+FKHBnMBg2eHi4o3WA8/vkqgbKsG84qa6UsPpt1spdBegQmC7x+ZfbbDAuevYxIUF
+GeuPjaDeHZbOlETuCHbV+GUjjXsnWsSH3edQlT8iL4k9I5QraCItwJEm7DQWQ0de
+k+3um+sz2jxAZ5NYNUm3FWxotYCD8q1O/PJvkGw1KPxPJtls0KLvQ5TIDBFyYN0D
+BycKlImszcS9zk0osNKeXenF80QNfttZfE3Rn84J3n0g2qWwRkTeVo81ulcdpaxH
+BtjaL39x5ZOP66x03PP0oeKXZxjtkdyVqhv1KmzBaK6fHprjJJejAQIDAQABoyAw
+HjAcBgNVHREEFTATghFiYzAxbjAxLmhzd2F3Lm5ldDANBgkqhkiG9w0BAQsFAAOC
+AgEAKwZ2WM69J2U/fnzTlxEs9kULkxYXgHnw6WZmY/RXyIX3tCjgUSisH+binuDB
+5GplGOhXg2NjlcBio7Lkwb6jJobs6kr1f1OR0EbEHo52JUbjH7m/33R7+6QuR/ps
+IW9zd+VnXvYtJ7lrI3/mlzXOMCiXfNI7sQAXob04T8WVsVrDLpg5wDUKwtLLJSf1
+MzUCFyFZOtCqB+5MKsl2jBiCXWUj9vFgpx5dS2/cMjw0cXZcbcbz9ZP68PXdwvoW
+Vt+wBQEhmbIhx5Z1jZsH/fnor4rsK7CS9jp4zGCWHiphk/rzL5VsJvVCuIbuuoek
+4lMNYZnpeccUkGFJtizMiiAcrN9xeNm3s75qmBah6ZGjSWZXgwESA3+5+pzE2ptR
+Q6MP1IjzMauyGacUBDU9HfBqc2cAeKyq+CoabuA0lrxt1jYHlnFhkPN6kDS1TQgv
+eMeFkuPhfFnAeWB3SPbXfJthCDqv66ApTKAMMb51HvbqZCAR8qUJkOz+ZkvxhIxv
+1SmZOxrQn1lejLGvDox8Sp7b7+h0ZWxc9n3hTnHMd/tT8ZptzsVH+7DCZH1oHPzn
+0dhhr2ZaQ3vN5L/MEK1L2uF4FggYFKEJWohG1rZH/hlBQhUEudLIeZOSFbyXaCES
+fgeaGmZ/gC1mLuCw+Hfc8VrWXhkq/QaP9dzyHBnih8bfdIw=
 -----END CERTIFICATE-----

cluster/certs/bc01n01.hswaw.net-node.crt

@@ -1,34 +1,34 @@
 -----BEGIN CERTIFICATE-----
-MIIF3zCCA8cCCQCA8T/OXbv3GDANBgkqhkiG9w0BAQsFADCBtzELMAkGA1UEBhMC
-UEwxFDASBgNVBAgMC01hem93aWVja2llMREwDwYDVQQHDAhXYXJzemF3YTEuMCwG
-A1UECgwlU3Rvd2FyenlzemVuaWUgV2Fyc3phd3NraSBIYWNrZXJzcGFjZTEQMA4G
-A1UECwwHaHNjbG91ZDEaMBgGA1UEAwwRQm9vdHN0cmFwIE5vZGUgQ0ExITAfBgkq
-hkiG9w0BCQEWEnEza0BoYWNrZXJzcGFjZS5wbDAeFw0xOTAxMTMwMzIxNDNaFw0x
-OTAyMTIwMzIxNDNaMIGqMQswCQYDVQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNr
-aWUxFDASBgNVBAcMC01hem93aWVja2llMS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5p
-ZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNlMSMwIQYDVQQLDBpOb2RlIEJvb3RzdHJh
-cCBDZXJ0aWZpY2F0ZTEaMBgGA1UEAwwRYmMwMW4wMS5oc3dhdy5uZXQwggIiMA0G
-CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCu96QoKSTxlA1mlckkXR5DhANlACOG
-aE/z/6Wxi/2pGYV0jBeml6OCKscuA4dVOuCnpgb3NDtN1q5pYyRw6v7vm2SVjwZI
-3i6jF2KHYT/2AShohjvQCiCCxVlejBYIZGt1cFL1r7pTm9DAGCcV2rVJOtbtrUpt
-10UMGHRw3IRZWjbYdjxuq08AzyRVXiEUGD72OogXW2FGoltY8VXeItlPdib43UTy
-81UrYLzVuV3WzfuUSuE8bFi8FA8SHDtcVqwq3xbwH1KCk9C9Z0XroErhjq00Iu6O
-Jp6sVBUH7FL81w9feffZtX79i8MbyDFRvItEePBInaxxq5oi7BbRsuvZmSbK7Cou
-hOKhFeyyxj6HJChvp23DSsR7uhX3XLLlIokCA23bYo2MK+gHkxTfLdAbNfdeF12n
-8tM7ZFMQ6WY35mVl9wSixpTNxqUtfFhJ88GUYiN5vgVPf/fr2mtJ8X5LQpweTfAL
-RCRUFHU16sOJsWqBgztR8JXixfRrVoPQ1+0HftagyMmbjTe++b4wHhgBEeHn/m7e
-vm6YqUTDgCFXCoMxiQ0hyvieqoqZbGaD7jjPGCbQwtyiEmqmkc+9wIMa+aFJFOTH
-uylIN9mmbAgD10QWRnGXl0ebY3deRc1a168tLGxq92Qwev4FLb+efP04HM3au5Ar
-WvrBXI1+0t9HCwIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQBRHblAlrD0nJQf3pHO
-H/HmEf2Io6CWx83+hvtsLy7W0VT639JA2DvsIe3qfk4XSMpfLJwszRWbEcxqsqH8
-Tb5599KLFQ4LuFkfYb2qh6Aqg9Rra4tOLkHGb/RZz2kYzJfNr5fNFMhloXDI4qKw
-Ztc5ZO/jq5CUh4taspx/Z1oeHCP4/3Olg+mPtcTMmj835CcoffbKaTKHTuNWIT95
-dWwOMeZ3gMaggDolfSBdZWxUUXJZkwxIcM0VHasgb6OdBldpS3JsbSUV5oIYoD6I
-HBNN30Uqj+L4XhblhN6wEdCBgkkx5jMgBl3bfAyTz22Od9dKFU9omDb/Hg7+Cbqg
-b53LgR+jACecVz9DNfTu4eHRuKKF7jFMi0DVLLUd7EcsGRj8zXPd+hrTTRjPcZZ3
-I5KokoZDhpctU/eapE7tTHjrKgdtvp6EDgfzaC0rbt1ut7vokGWNWhQ0IFCBIQZv
-xtTqyhVpV2cS3H47fm/vPXJhoiLs2DfxVa2n2LSx75aC24HXDCVCDtT+Rf6+QH3h
-7sZ7OI80aAlXUa3TiZocOGCvOKr4GAVJ68Kpim8Rn4qgIA4wPqUXcdtVjy633BoK
-txAaM4LN3SSb1RwmgZx3hm5mLvJ194LSEUPsVe60N65jcSkKAbKOkSyScRODu7Pb
-gy6l4a49WUmiJlse+3SRGodNww==
+MIIF1zCCA7+gAwIBAgIJAIDxP85du/ciMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+VQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUxETAPBgNVBAcMCFdhcnN6YXdh
+MS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5pZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNl
+MRAwDgYDVQQLDAdoc2Nsb3VkMRowGAYDVQQDDBFCb290c3RyYXAgTm9kZSBDQTEh
+MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzE5MzMx
+NFoXDTIwMDExMzE5MzMxNFowgZ0xCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
+d2llY2tpZTERMA8GA1UEBwwIV2Fyc3phd2ExLjAsBgNVBAoMJVN0b3dhcnp5c3pl
+bmllIFdhcnN6YXdza2kgSGFja2Vyc3BhY2UxGTAXBgNVBAsMEE5vZGUgQ2VydGlm
+aWNhdGUxGjAYBgNVBAMMEWJjMDFuMDEuaHN3YXcubmV0MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEArvekKCkk8ZQNZpXJJF0eQ4QDZQAjhmhP8/+lsYv9
+qRmFdIwXppejgirHLgOHVTrgp6YG9zQ7TdauaWMkcOr+75tklY8GSN4uoxdih2E/
+9gEoaIY70AoggsVZXowWCGRrdXBS9a+6U5vQwBgnFdq1STrW7a1KbddFDBh0cNyE
+WVo22HY8bqtPAM8kVV4hFBg+9jqIF1thRqJbWPFV3iLZT3Ym+N1E8vNVK2C81bld
+1s37lErhPGxYvBQPEhw7XFasKt8W8B9SgpPQvWdF66BK4Y6tNCLujiaerFQVB+xS
+/NcPX3n32bV+/YvDG8gxUbyLRHjwSJ2scauaIuwW0bLr2ZkmyuwqLoTioRXsssY+
+hyQob6dtw0rEe7oV91yy5SKJAgNt22KNjCvoB5MU3y3QGzX3Xhddp/LTO2RTEOlm
+N+ZlZfcEosaUzcalLXxYSfPBlGIjeb4FT3/369prSfF+S0KcHk3wC0QkVBR1NerD
+ibFqgYM7UfCV4sX0a1aD0NftB37WoMjJm403vvm+MB4YARHh5/5u3r5umKlEw4Ah
+VwqDMYkNIcr4nqqKmWxmg+44zxgm0MLcohJqppHPvcCDGvmhSRTkx7spSDfZpmwI
+A9dEFkZxl5dHm2N3XkXNWtevLSxsavdkMHr+BS2/nnz9OBzN2ruQK1r6wVyNftLf
+RwsCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAQ/3C8fhbgAI6Kd3qh1GNJHC8aEdf
+x4iAvuVk9xN5C2UeFK3aHPXNAM0INJiTBhgA38fCra/dzw4cS3P9X5eWrt6uQk4x
+mHFty2cNcxGdu8VyGheRFxosTlciwBe+2WjrPHlCaqssaskzocCXpXVNxB4y5Bax
+aeb2mruB2IpleAWQeUUvqg56cu8i8Uu9nVwCVB+2VmShWYb2Wx8Yh1mpX+w325Lk
+2autcjhHjuv5OqKvACgcNf7sokhgyJs7VlUJ2eg1yswZGxHeKVjEMSidpZyESNLg
+0rz18/M1tQt2LAQIFCsN3DFJInwyZty79CvE1MYM6kDILgNVhAovlowjy0P2MGV4
+WUrfa4JxIwQ4RXjSJqUsGF9XT6QOTW/yp3VgsIOHR5K8fGdcqjL3mweuU/zxClpL
+k6dkS+/DLxM4j8rsAa16xTnFG17cenpVqMsST9fjsQSRUV3HLWOOrVQ4P5ax390T
+cXoU8Ptdn70F3LG3rXaQaMryn+T6qZYO/FSLwMjWYfYcFM1RHldxuaBcfl8kCyd1
+dSqc8zU/kYj6QH3Y1nXJFdluj3UUhkQvkeAd3JRqF+zug+KskWKu2l0w7o19f4rw
+bOBwfxFoQXns4K2rQ+u1wR+EZdNMWDETD/F7R3ZvNmEIbpMAwWx1t1AIm7rT5fQT
+wxsWLBWehpRMa5o=
 -----END CERTIFICATE-----

cluster/certs/bc01n02.hswaw.net-kube-node.crt

@@ -1,34 +1,34 @@
 -----BEGIN CERTIFICATE-----
-MIIF+jCCA+KgAwIBAgIJAIDxP85du/cdMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+MIIF7zCCA9egAwIBAgIJAIDxP85du/cqMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
 VQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUxETAPBgNVBAcMCFdhcnN6YXdh
 MS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5pZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNl
 MRAwDgYDVQQLDAdoc2Nsb3VkMRowGAYDVQQDDBFCb290c3RyYXAgTm9kZSBDQTEh
-MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzAzMzIw
-M1oXDTE5MDIxMjAzMzIwM1owgZ4xCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
-d2llY2tpZTEUMBIGA1UEBwwLTWF6b3dpZWNraWUxFTATBgNVBAoMDHN5c3RlbTpu
-b2RlczEkMCIGA1UECwwbS3ViZXJuZXRlcyBOb2RlIENlcnRpZmljYXRlMSYwJAYD
-VQQDDB1zeXN0ZW06bm9kZTpiYzAxbjAyLmhzd2F3Lm5ldDCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAOGSPDwayWrojo+PwSKnz7gMfX72Ht3mKh6MQpvi
-rbR4A2hwE6XaJLenH13vtnvsNE2otCLQn/o59e0sQmHlVFqXks5+mmSYpSacLLPj
-kwON+fjFeVma8NDPTZqHVnbIAau4mXz5KAEraw6gvcxjQG6mDfQZjvZBWtNZiLPj
-rXTZVTKYiT64Vp6GRm/pXWmDaAHVTWfp7atqZ7uAgL8Y2J4FLe4zJxD8odqaP1QK
-ouARpLdhPbvbg6SzLcBBlSLKst8uB+tjKSkor6uZplz9ZycBqQUwXD2Yu6lPwNr4
-eeaHc22rqsYNh6kbRIA2HViohy/1HgyyXzR1zsVIiAiOaLpcTMqRrlDALj7CPiS1
-+iGDEkIUaHJGtpmeqlvWvQgkBlclnn34I+XJoKgfh5N8CueawWoRYlh59pX5XK/b
-5eRQPem38vxdDAkhuI/FrxBNNSAslZTL2/vxl15NMUDCfHUJzwq7urpQe3KJWjgR
-lS/nyhipHH1nGfg/IONbmsTVjabVcueTwIxbGZxichc55kNrrZRZiLnQawqKnZCV
-CIaoBGh527Q/JmRk5ietaMOYAh+jJxPTdSAJIq/ZjF/GX5mn+Ssd8POgXHkhrVL+
-2XV7dBDS7k+2nKj59z1x8tfo6T6V7Vdsop/AmLlv3gENPB93Cm23xDV64hjg5lGg
-dkt3AgMBAAGjIDAeMBwGA1UdEQQVMBOCEWJjMDFuMDIuaHN3YXcubmV0MA0GCSqG
-SIb3DQEBCwUAA4ICAQCfzQoxBJDC4H7ibYcE/b5tV01XNYQHWctd/9Kmu5nCP3EV
-J10+neSxClp9OsDFlow32GL5TKZVrmEAiGw0Oy2HTawG0Nd781T9L0py2Gd7R7tE
-40qBIHh8Xdpn5mGWtevXMWbN2phrV2sS2qn7lO1HhLbjgAJefXApiiQZbWv1oh/1
-flwIi+fZxWZ01GRnJEtkU5bGoHqLhDRh+9bGS2Fi4NqrZkxpfDTZYDe0r1IVODAs
-/C+OFWbsfYsQLWtNFbgl7y0CqfgFz2cmtT21XE27PWuA5USQ8gqwPUfA0OaEMWDx
-wM/D2RPB+LsQDpNk3lKBSgXNY7GVJNDmgFXFQhdlcE3KjX9kFbmXtLrEqUQMqGQY
-f4J44QWZXc2oWDDqs9O3B71suW9xfBhzAutjNe54yC/XFvz3Mqz+5OLXQTvVzoLO
-49F4871z6hqrWmqgXdWBTS9kW6PzEGiVKxB+tKzweq0aTK7cghVHh8ie5DsK6oFz
-mhrFsKjSEZuPr53umJDzV/X7roECGU6YW/3n7QGhZRjk5SgTwaB6gl6r8liEEP0H
-KH72le415hp1qWvBCfVmUFGOB58Rotv5w2E5mWkQ0qW/jLCX1CYCOU/fck2r2+vm
-oPX/hbt7a7iECsryrF9/XIF+Knon5FIenm/NtLIZEy4uIG/P6RHFAInEazU2aw==
+MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzE5NTE1
+NloXDTIwMDExMzE5NTE1NlowgZMxCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
+d2llY2tpZTERMA8GA1UEBwwIV2Fyc3phd2ExFTATBgNVBAoMDHN5c3RlbTpub2Rl
+czEcMBoGA1UECwwTS3ViZWxldCBDZXJ0aWZpY2F0ZTEmMCQGA1UEAwwdc3lzdGVt
+Om5vZGU6YmMwMW4wMi5oc3dhdy5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQDhkjw8Gslq6I6Pj8Eip8+4DH1+9h7d5ioejEKb4q20eANocBOl2iS3
+px9d77Z77DRNqLQi0J/6OfXtLEJh5VRal5LOfppkmKUmnCyz45MDjfn4xXlZmvDQ
+z02ah1Z2yAGruJl8+SgBK2sOoL3MY0Bupg30GY72QVrTWYiz46102VUymIk+uFae
+hkZv6V1pg2gB1U1n6e2rame7gIC/GNieBS3uMycQ/KHamj9UCqLgEaS3YT2724Ok
+sy3AQZUiyrLfLgfrYykpKK+rmaZc/WcnAakFMFw9mLupT8Da+Hnmh3Ntq6rGDYep
+G0SANh1YqIcv9R4Msl80dc7FSIgIjmi6XEzKka5QwC4+wj4ktfohgxJCFGhyRraZ
+nqpb1r0IJAZXJZ59+CPlyaCoH4eTfArnmsFqEWJYefaV+Vyv2+XkUD3pt/L8XQwJ
+IbiPxa8QTTUgLJWUy9v78ZdeTTFAwnx1Cc8Ku7q6UHtyiVo4EZUv58oYqRx9Zxn4
+PyDjW5rE1Y2m1XLnk8CMWxmcYnIXOeZDa62UWYi50GsKip2QlQiGqARoedu0PyZk
+ZOYnrWjDmAIfoycT03UgCSKv2Yxfxl+Zp/krHfDzoFx5Ia1S/tl1e3QQ0u5Ptpyo
++fc9cfLX6Ok+le1XbKKfwJi5b94BDTwfdwptt8Q1euIY4OZRoHZLdwIDAQABoyAw
+HjAcBgNVHREEFTATghFiYzAxbjAyLmhzd2F3Lm5ldDANBgkqhkiG9w0BAQsFAAOC
+AgEALdUQsaYYC/Aj1Y1Wa3XiPO8vxBvNbCJnJKdQqemijxWgI/IVfvLJJqbfpb0/
+p/83y2myYUNfAFyL0YVG+13naMqSLUbUW2S+Ctbi3gMs/WIj2/zdnIYJXtF1J3ou
+2nlT/NT/4SFXGNr3ANKSFTEdm4tlW/hpBZb2xuf1/A/oH9GGE8wyJoBErYYS17mM
+UPC7+Xxm3ZfQxjERSuv4OjUTOTxyVVy+e/HV+wdIQZPx8Ul+KYHQFsuJIISy2kqj
+o87gvjwFomhcicefVOxQL7uL/YWuEHevdHfN80gY1i2MUNIHlfVQiUQH7APoI8GM
+GS/onOOzGUV9+AkVrWanxBPxuU5K8poSq20bJIA5FTHYXCanCnyD5jNvgfPI9uMg
+T1PSc8WmoW64EiSZMiBn+TZeVgmJ7M5eQS9WyUtwPbwW7mxVMFEtnXSRA/zsaWFK
+ZVSjl1EjNpNfTjQTx+fEjf185DzE7wjOCiQhxmLte09vJPbiDWy31tLBQ2kEcGc+
+/nofWK6AWe9vv5nqrpCuekcy8r2ZBUxrfrHgDaNdErUDIz1BiT045RvDejXse6oo
+88Wb19acjkesJbO+cUHa8wzTRo2293hztEycXmOaKtHiogrD5C+0vSSrPJ/676x1
+QQTK5568NBFUKuevdNHxh7MERcHImxk0UpIVUexe6UXmptM=
 -----END CERTIFICATE-----

cluster/certs/bc01n02.hswaw.net-node.crt

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF1zCCA7+gAwIBAgIJAIDxP85du/cpMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+VQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUxETAPBgNVBAcMCFdhcnN6YXdh
+MS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5pZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNl
+MRAwDgYDVQQLDAdoc2Nsb3VkMRowGAYDVQQDDBFCb290c3RyYXAgTm9kZSBDQTEh
+MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzE5NTE1
+M1oXDTIwMDExMzE5NTE1M1owgZ0xCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
+d2llY2tpZTERMA8GA1UEBwwIV2Fyc3phd2ExLjAsBgNVBAoMJVN0b3dhcnp5c3pl
+bmllIFdhcnN6YXdza2kgSGFja2Vyc3BhY2UxGTAXBgNVBAsMEE5vZGUgQ2VydGlm
+aWNhdGUxGjAYBgNVBAMMEWJjMDFuMDIuaHN3YXcubmV0MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAy4rQNKn1wqavIg4fEyPSxpC3ZQ8TULE/3VSo38rd
+vSwb9c1AfNQXYCg2wm2iRk5Zt0EQgE/HHZ/NUvrymH1I/2JNPvlkLY2WlXhtWSiX
+B44xynS2UHvRC5wYfPUCCFjSylYOhh6N85CZZhv+mJVLWOzbA7jLEa+1THevRUzF
+MBznkCW9QS3ZCzfZs0Tlb0yVOPKjjYqNsTdfbBhV9m31FUbseg2g7+oaCPFXrxBf
+Aj+MDo8G2xP0M6QUZ/VXkPDFq0VE2CQBCDr3dbncLZD0hEp6ruuzM6yNzKSXl6G1
+mfkiupiqHZ784lyrdSyc+yv4TFoJPVi6n/u34k+B3SQXfA6BBsLzqyhJi+dDxP2l
+Em2HVg5u1hmqV7ZU1BQ7p+ricgJv3xdpzAbVQ2ukw4Hipb8Z8ZKSIsZ0jLPQ6OVh
+5cambMp3mD7pBDHf6zDehiwhYzIBEXUSVcF7+c+chKnHuav35jw6WJzozCCRilW0
+W3avCeyqtpIpeT80kt/s6/KxapNt70vZKe7RbRjxGRVBHk5tn5fHO6XRGDGqQ+Jd
+nHhzaAm8GIoFnNEkJp2BjMywzJTQnY4ZEn+Iut7vpU2F3zgR1KaaACTbc2oe4TrS
+SXV4zZRlq8HNSdnhxBr9cZIxaqlQG9d3jURQrNZ2d18u2a2nCDJZOYQTRzWqqWhM
+KBkCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAAHmclBSa+MkJ6pOCWoBSWu8chMlh
+QCJZqzmhfsrxSnATtfBoa+kyi0qjrXbCUhxmsKCeZjH4zCznd1MwcjL5wwQbS6Lb
+slH16NqmrCRZF8A9Cy6noFCdl/EuHqoe9kl7cFZ3jyRQ7CXhMxsWDQ+07I5M3cTn
+1hT1WyLCDU88t677MYeuNGdVIXkhX7lc1glpItX2PEpUrg6cF7ifY774MmwYUoy1
+2kP1uIZO6TJtuNQPsuWmOxFZjVQ0lBSSSegVquOkE7g7UKMxbooPXPgAL1u7KLbf
+tlzu/FU3LqiKkn+J8mvDoMm+6wsbPqXgOepnHcEHlWXhEys+Jzbz506qki9uzufE
+2mdW5b3s72TcgMp03wi6gAZtjsGAaT5v9jmfUBkPkn1aP169BBl8gCnI3yNNiext
+Zrl/28CL38vekBa/87u2BPy5xPQx+D+Nj6w5amhgAZg1FIyJbmfjup/VwZUpQ7Ac
+D6h1B0exveRAD1uCPC5pTRO39TqapA07JsfTT5QVxVqpKIZUzIc7+HnaCcpy4dGN
+4cZXZDPVkrhL8NWqwOeoL6mP9/CG+a6O2LcwiIaSfxSYBvXGCY1A57wATfpd3h8D
+n9qAX4a54eHMD97CgQqRqGiQEBGMR5B4ipo10Tkz5/95dnso4UKoZdNYmEJ5RV+u
+woES+ejgN3Q9YX8=
+-----END CERTIFICATE-----

cluster/certs/bc01n03.hswaw.net-kube-node.crt

@@ -1,34 +1,34 @@
 -----BEGIN CERTIFICATE-----
-MIIF+jCCA+KgAwIBAgIJAIDxP85du/ceMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+MIIF7zCCA9egAwIBAgIJAIDxP85du/csMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
 VQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUxETAPBgNVBAcMCFdhcnN6YXdh
 MS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5pZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNl
 MRAwDgYDVQQLDAdoc2Nsb3VkMRowGAYDVQQDDBFCb290c3RyYXAgTm9kZSBDQTEh
-MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzAzMzIz
-MloXDTE5MDIxMjAzMzIzMlowgZ4xCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
-d2llY2tpZTEUMBIGA1UEBwwLTWF6b3dpZWNraWUxFTATBgNVBAoMDHN5c3RlbTpu
-b2RlczEkMCIGA1UECwwbS3ViZXJuZXRlcyBOb2RlIENlcnRpZmljYXRlMSYwJAYD
-VQQDDB1zeXN0ZW06bm9kZTpiYzAxbjAzLmhzd2F3Lm5ldDCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAMR3GDwt2biypJBbrmuIpZmNa9I/jpnjVZ3MLDoK
-9oho2KEzugfdQIONE9gJtu74J5NVXhfhAzd3ek46w8BKjbA/cCE9Zs8hpxhpBc64
-5RBsCv5QM9gKqOfLC13l/cAIGfWrgFQBcQ0pv2U4AwhERa/6jayZ0hi5QqRA2YMc
-H7GDuBg3WQmzjKz1pLS9VHqoja8Jua4QBLj4LP5JRiaLkDfhUavuB4Rj0P5VOxjB
-Pa4yQfNCjQe/hWPN50RRhR4E2w2PYiRDz/7O/xn+6myCXIsD62U2OqeLyYBnuLKA
-hV9SAKXLxYs4IiMEVZEDogH8ben0zAtsN9N7ImXQopWZmLny5HJrHkgMHeegGhIG
-d9eSZbZCMMKgyqW9KLpM8G/ca97a8fdLfAxoVqQiW++3kANpwATatpldsbwuA1H+
-2BGt4t702WprtnvM9CxiCTXGm0nxAwA4onMVSc1hmWj00b0WGYmTArEiYgAPIlgF
-ubJH1COkxwHTOvNjpVOcanObPvba3hEKfy8q2bgW/IG7fZRj3kEvY9HnQ5Zhw0kA
-CJMZoPq0UE1z0gePv9vCbs1RgAtqhUD0+RPvs2A4giKYIogNLfHjKQdl79G/OTQM
-FLn0rdVmG6eqAyIv6RFD2EKH3euadGaZD7XMtRmXITgsfj2qnpxYfddFyNuLbpoG
-t0mLAgMBAAGjIDAeMBwGA1UdEQQVMBOCEWJjMDFuMDMuaHN3YXcubmV0MA0GCSqG
-SIb3DQEBCwUAA4ICAQBI1haT3MZehODqbPhhKAPErpu2AgoKlDMAFEztSWfH3uW6
-uaX07rlcPMvI13dzkducpL0ha+qVCodL3oAd3Jf7r738uD0nFaiamaGVoepkIfZE
-8wfAHS/c9T+iXiG8FArfE+dOBHYt5LFwq+BSyw0uRjRTquF6AeZr5SHrzsCDkFQk
-75z2PhciGUHYCk2vv2VGQvg0SkowqegrywWb/yTbAPgBsjZwQ4hmGXDfbJUa7Kga
-G2CuI6gRWA2bakfdDnNUqz4Qqn3jis1Qv05NCGCQlfJNVMmIZlrGpG3GUgVBbyMi
-Z8ELMKAIhSNSAYo4eZqyDIztRyGD2wEpxE2A+K9RgvNs+ocFgLTOQVji50NWS6t/
-opDVjZ5tbNUsVuEXdmNcis1yq5hniFwxrWUIxDwGaEAwyCRZbV0WuqgUwEGIOzHo
-6Yzv6EyHXqJCOubET42Gr5Ujc10zJpZ7oizBNQhuQvaahTKqPgew2QE8MDKmRzZm
-F3xgXNQj0jnoJJi1QUmjXANtN7/elz6hxu4HkXDkTCMtqjzGzrdZjLss+gBNLLhe
-1xBr3MD9R7XoFxyZFGCEHWiQ1Zdzw+ULai205/kZUFyNpxTK7Yt1I63oHj8HrVB6
-wLM/ibtK/TOtB5cbyYRCETYXeSe21m2hvc2RvZUKgxZ0gS28oYM7OET5s2J8ew==
+MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzE5NTIx
+MFoXDTIwMDExMzE5NTIxMFowgZMxCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
+d2llY2tpZTERMA8GA1UEBwwIV2Fyc3phd2ExFTATBgNVBAoMDHN5c3RlbTpub2Rl
+czEcMBoGA1UECwwTS3ViZWxldCBDZXJ0aWZpY2F0ZTEmMCQGA1UEAwwdc3lzdGVt
+Om5vZGU6YmMwMW4wMy5oc3dhdy5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQDEdxg8Ldm4sqSQW65riKWZjWvSP46Z41WdzCw6CvaIaNihM7oH3UCD
+jRPYCbbu+CeTVV4X4QM3d3pOOsPASo2wP3AhPWbPIacYaQXOuOUQbAr+UDPYCqjn
+ywtd5f3ACBn1q4BUAXENKb9lOAMIREWv+o2smdIYuUKkQNmDHB+xg7gYN1kJs4ys
+9aS0vVR6qI2vCbmuEAS4+Cz+SUYmi5A34VGr7geEY9D+VTsYwT2uMkHzQo0Hv4Vj
+zedEUYUeBNsNj2IkQ8/+zv8Z/upsglyLA+tlNjqni8mAZ7iygIVfUgCly8WLOCIj
+BFWRA6IB/G3p9MwLbDfTeyJl0KKVmZi58uRyax5IDB3noBoSBnfXkmW2QjDCoMql
+vSi6TPBv3Gve2vH3S3wMaFakIlvvt5ADacAE2raZXbG8LgNR/tgRreLe9Nlqa7Z7
+zPQsYgk1xptJ8QMAOKJzFUnNYZlo9NG9FhmJkwKxImIADyJYBbmyR9QjpMcB0zrz
+Y6VTnGpzmz722t4RCn8vKtm4FvyBu32UY95BL2PR50OWYcNJAAiTGaD6tFBNc9IH
+j7/bwm7NUYALaoVA9PkT77NgOIIimCKIDS3x4ykHZe/Rvzk0DBS59K3VZhunqgMi
+L+kRQ9hCh93rmnRmmQ+1zLUZlyE4LH49qp6cWH3XRcjbi26aBrdJiwIDAQABoyAw
+HjAcBgNVHREEFTATghFiYzAxbjAzLmhzd2F3Lm5ldDANBgkqhkiG9w0BAQsFAAOC
+AgEAWJ0Jdxnn0sOAJHi2AS1eTuiG188rOTt1BCFsYhWzPu+TUVBVz65EmIOF2uWP
+ZdNRgxBEePwJAzlw3SfCN6WErb3t3MxIiIwGP7MrQROCm6jOwoV+i9MuLHlVhTHD
+hgwNLneg8WmAKYhKCKqEz9izFJfQe67kTgGEgc+bC9uHlq0/qyu3DchT64HLl68k
++McpjnGH2NCeKy1/jdZBhVs9B946eCniDxIuY+5PkJH8JEjPCVaUXYSrr9LW3e3I
+VzOHLd3YiguH04UNA3b1g2FCtUMwYHmsImofoLfOF87pHRazbt2gdLbd1ZS9n2Fa
+sZD2eu42mlAtyUdIsGQlFdE96vmP/fZOYH/bfFG0manaN4oVjDyhmTRF5q59R79n
+y0FNCFFCt75FC72GYQWmTAyI6MEvk37SzYK6dvPnCRcYI/hyBQIo/ukNZfI7BIwc
+UOUydcoW9QzVL2uaabRrtYOOEKrJo2Q19CTpcyxbDrwF665JCYKli9gRjB4PZz85
+kmcXcDVeXqPI2VS0RWnVPhevCZn4fiO6o3/Gq/kWo18koAEWZYf4NRDm55T01kqj
+ISZAzRqJenGqnX/ZcnGQygSRbJoatZyIVPI4ENk4BdZEJIcCD914iFRl20Xccs/k
+I2Hj4ETGN/FVL/kXfiCyx7sx13DvhOPKSyqbk402vrTnfjM=
 -----END CERTIFICATE-----

cluster/certs/bc01n03.hswaw.net-node.crt

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF1zCCA7+gAwIBAgIJAIDxP85du/crMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+VQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUxETAPBgNVBAcMCFdhcnN6YXdh
+MS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5pZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNl
+MRAwDgYDVQQLDAdoc2Nsb3VkMRowGAYDVQQDDBFCb290c3RyYXAgTm9kZSBDQTEh
+MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzE5NTIw
+N1oXDTIwMDExMzE5NTIwN1owgZ0xCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
+d2llY2tpZTERMA8GA1UEBwwIV2Fyc3phd2ExLjAsBgNVBAoMJVN0b3dhcnp5c3pl
+bmllIFdhcnN6YXdza2kgSGFja2Vyc3BhY2UxGTAXBgNVBAsMEE5vZGUgQ2VydGlm
+aWNhdGUxGjAYBgNVBAMMEWJjMDFuMDMuaHN3YXcubmV0MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAxiuSdlKbh4zsIL3/vJnDX3QE4769lon+N4zxEU6K
+9N9MjOctys8H9eeeqSvbPW2QD74f3E3CePIndKukalSutZYvKzsW6aivBXIZR7Yq
+ODjFhfIezN3uFN2rlvCrKrMRIEMvURm1mgDYfU+6kETYodRxbzy5h5vVGkYfFmO3
+aV8iZExKpwoOtGCp2K8k6ViS7SWgMddUjnfptB/Ge/Huujkejj/kSXIcIFb/9yXB
+F1eYNGzajPVpP8ervTJFetyULfskGxwsWjFixI3oJVzhstYp2C1uNOuNZdNS11wo
+pV+RcQdmlIAPe14VxIu2IAXjJ6tgXQEaXx7Veq4HoN7drc5XcKLODL6y65JleXgY
+MbRuKdCYbKomCRMWXL5ps0vZGHuuBWk9OITobDBYln1z4iO7MeDuXNwea56gsZYa
+3q37Se7Sj2RqV6hIpYyJqWr/6HbZ4Mb/0wOrm18gpfUdDXGtPG8zFNPFiZhS1VpQ
+0/UQs63CKu6eBBbJOVme1SjgRN5lyrtnm55nwsquPKDFkT6M7oIrxutFNisX0faQ
+G8xBYsIICuhZLzBQLilvd9IBnpMw9JgBygircJEOPXlYJ0L9EVLbn6oi+1o/iCjJ
+YpC0Epm/3skNhCUXgxODJMRP+2jgpxJa3T7ggv7ykgP5zVsFKDTqktX+XYaq7diF
+MRECAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAMpJiqOvJXOVbdl/fAWfXyNToRTBD
+nJyRKv9pDa9u9ZiswtwkkKihMD+on6CaKsRQt+1WaYqm9uHZs4D8TEitIdRUjj+d
+v7j9XHx6uMc9XmWxlDwm1b2Ci2/mqNZVWsDutRfPM5UhnIH+SlpjDqQEN+XaUQGf
+f5JwtDzAvCPb+ktW51oUqZCjLawAx3mQ/cl3GigZC1CxdfSg1HHC8mN7vIKKkM6q
+3o9eE3zO4o4UVKENoo7+B4IyhmQu9Qzh1fBO+5k14T/aRIds08skR+wR+SCuG/R4
+FmBUpXw0qkhLDVEbeMA8BTndFBPHv/nvv6ZjIaaQQ7R+4iKprpriW2ZA4/eegHwI
+OStwhe8XTHoAkSsIgrlaYH3md20Zmq1YwdxCKDyxPhqBXj6AV65hrwlzLY1H/9IC
+KMWjKu0s/E7BWGiaegqw47gcPGEKdDc0jdJXmGgfFtTmKBAhphYj/dSirJuJ8q53
+v/PgkGVb2jntYcBhDhOfbCJANd0ODpoxpnrWiDsNibDrREP0nHWqxuJy3NecNDsi
+zANRZtlT+TcJ+CRFOW70SA3uwci7RoOEgERdG2VrjinyL3w8r/Q5826ozM89G9I/
+PiV9N0ALN4y0NHxP/mJoHkfPsR1SkRdQgroFzfBBxTasb88WoD5luz+0ZMoahLIr
+9lmjupwIX7aPU9g=
+-----END CERTIFICATE-----

cluster/certs/ca.srl

@@ -1 +1 @@
-80F13FCE5DBBF71E
+80F13FCE5DBBF72E

cluster/certs/kube-apiserver.crt

@@ -1,33 +1,34 @@
 -----BEGIN CERTIFICATE-----
-MIIFnTCCA4UCCQCA8T/OXbv3FDANBgkqhkiG9w0BAQsFADCBtzELMAkGA1UEBhMC
-UEwxFDASBgNVBAgMC01hem93aWVja2llMREwDwYDVQQHDAhXYXJzemF3YTEuMCwG
-A1UECgwlU3Rvd2FyenlzemVuaWUgV2Fyc3phd3NraSBIYWNrZXJzcGFjZTEQMA4G
-A1UECwwHaHNjbG91ZDEaMBgGA1UEAwwRQm9vdHN0cmFwIE5vZGUgQ0ExITAfBgkq
-hkiG9w0BCQEWEnEza0BoYWNrZXJzcGFjZS5wbDAeFw0xOTAxMTIyMjA2MjJaFw0x
-OTAyMTEyMjA2MjJaMGkxCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpvd2llY2tp
-ZTEUMBIGA1UEBwwLTWF6b3dpZWNraWUxFzAVBgNVBAoMDkt1YmVybmV0ZXMgQVBJ
-MRUwEwYDVQQDDAxrMC5oc3dhdy5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
-ggIKAoICAQCkM3INHpc2gliSsI3BWlHZLMoYc7UGIDvi2rw+t6vygeXMFCVOowL/
-rxfIprGBdtjKenxuMADKjVl1NzRib9BT26grBY2tvLuZbOhLnFdFZBrWvNt6V/sP
-P33IGs5lolkdI5aWKNHwk4Umobhny5AEia7iIMjdLZP6kKGYNRb5nxcTXEwGKr+z
-ug9CGSZ5bQrmG8r+nCKgPb9QWNSTmg8AAG6TyoWyImpaMInOwLz2g6KCFd2yEEbW
-we6yUv+4iqPYmUjUbnECVqLuAUxMCO0RRtQHk9FUD+i2NB1wW5ixG/5+WrkfXLII
-O+oXmC37RZKIFUJks5VmGB2M46b0IzZsgguMXJosjieML5broh7SRIOp6FRoOLzA
-2QfiWV9maF/Ue/GUcurSwnsPNtsDy0sqffYjNpsdxHB25OH7abqDmbayNx/x68HZ
-2Rs3BaLJM5R0PZVkbYMYTAKzRGUbA2vrpiSnhIDtD3rPTLWcNbZVrDoHGpF+wWs8
-7E5VPZ7LuM5QJNg6ZBLJ7B81rvw3BYTar0H2YfLGeTjhktJ9fJVjx7gvAagBRnip
-gSOLN4fiB68wTe8lyLLH+7+ZtfZl8myRzkoDvHc0iBeZa0Pr2iGCLfR5FkqohU7n
-VRremTfIodygtTMdSozpOWRMaLJV1WJfMiB91rs+mwMBhncqa3Hp6QIDAQABMA0G
-CSqGSIb3DQEBCwUAA4ICAQA0SmB4sBITbNTPc20jhZwdmGOCEYg/o/MIpeKqnBnE
-G0SL+lUWxgB7WA7tsojS8gUSq8HaKc7kAtaDiF+in+xCuhzZAXfPRtUNIx5QIZ0G
-9wUglSuI37EfM7opmNkh2tyfgHtPvcHIhXWEIyXRmRUWSNd+/J60duECh/G0fOuN
-8cToI8KCYPxpnyYLUfI7r4xZ0wVYsu9kHK0AzWsU+i4/3h0DgXJzI9mqdVHzNYaK
-0GZWsko9Jqr28Cq8NPp2wxeAldPBc+oiegCNBSXJC/i0N4Zrl+oj3bZ09lnG4WHT
-sNbRq42p9wihanoTRaHosIjSKpB85gUXHjQIMhkI7vhQCkgxZ2sbJFKofnrjdIz8
-Oo4Aq12MdoJJye2q5YI41Y6ndxts4aYufc6Iq2JHwd12LWGYDWWGDW2lCJJurHVC
-CdWYcYUozguPExUPmkDyTRozIS+J8ovN76cDdNW4tPuf2GRJhfgR97V8Yq9LuVR2
-Hr3IksF3WKv5PUmTjb03Hdw273GleKUyyiH6fY4FnW3zDPijDX5NLRTvYord/4zg
-4x7SxGVmaggoHoqkujHQ+P8IejGqdUHIprL/NKFC/tytAAkKaKxLrX3/U7ljqqA1
-M6LLdTJCQGMeu/TO+0pCKzqmR4Xisf1eqsq7t69QO08Cd69nHGEn/JG+T2h78kRb
-sg==
+MIIF0DCCA7igAwIBAgIJAIDxP85du/cnMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+VQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUxETAPBgNVBAcMCFdhcnN6YXdh
+MS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5pZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNl
+MRAwDgYDVQQLDAdoc2Nsb3VkMRowGAYDVQQDDBFCb290c3RyYXAgTm9kZSBDQTEh
+MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzE5NDU0
+NVoXDTIwMDExMzE5NDU0NVowgZYxCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
+d2llY2tpZTERMA8GA1UEBwwIV2Fyc3phd2ExLjAsBgNVBAoMJVN0b3dhcnp5c3pl
+bmllIFdhcnN6YXdza2kgSGFja2Vyc3BhY2UxFzAVBgNVBAsMDkt1YmVybmV0ZXMg
+QVBJMRUwEwYDVQQDDAxrMC5oc3dhdy5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQCkM3INHpc2gliSsI3BWlHZLMoYc7UGIDvi2rw+t6vygeXMFCVO
+owL/rxfIprGBdtjKenxuMADKjVl1NzRib9BT26grBY2tvLuZbOhLnFdFZBrWvNt6
+V/sPP33IGs5lolkdI5aWKNHwk4Umobhny5AEia7iIMjdLZP6kKGYNRb5nxcTXEwG
+Kr+zug9CGSZ5bQrmG8r+nCKgPb9QWNSTmg8AAG6TyoWyImpaMInOwLz2g6KCFd2y
+EEbWwe6yUv+4iqPYmUjUbnECVqLuAUxMCO0RRtQHk9FUD+i2NB1wW5ixG/5+Wrkf
+XLIIO+oXmC37RZKIFUJks5VmGB2M46b0IzZsgguMXJosjieML5broh7SRIOp6FRo
+OLzA2QfiWV9maF/Ue/GUcurSwnsPNtsDy0sqffYjNpsdxHB25OH7abqDmbayNx/x
+68HZ2Rs3BaLJM5R0PZVkbYMYTAKzRGUbA2vrpiSnhIDtD3rPTLWcNbZVrDoHGpF+
+wWs87E5VPZ7LuM5QJNg6ZBLJ7B81rvw3BYTar0H2YfLGeTjhktJ9fJVjx7gvAagB
+RnipgSOLN4fiB68wTe8lyLLH+7+ZtfZl8myRzkoDvHc0iBeZa0Pr2iGCLfR5Fkqo
+hU7nVRremTfIodygtTMdSozpOWRMaLJV1WJfMiB91rs+mwMBhncqa3Hp6QIDAQAB
+MA0GCSqGSIb3DQEBCwUAA4ICAQBMkv4dG3gybWdggc5aCZqyanp+CU506ejVpAd2
+oPgJnvcAR1DVnHer2hMFlRk4lt1rSPsRv1bqOQLgBkOEbUJhknaSD6CknmfriX1/
+ZdBwB9JHy7E/S4QDrm/8s6HiWcKYW6eK35aP4bF8ebDp+PBmYOrHRl85vNqtjeMJ
+iyXznQFL1kiuT2hBcMiQeVbEz4o0u/yAlNIxL3PXKXn0AVyW0LjLI+EAd8lCfGKy
+SkJf2gw/UWx3s+rEctA6qrB29PBR03PTHvXfb53ILh8KuIh3hU3+EED7puNhNvrS
+qWthIe5hAVOEaE9GfHCqdelQELrrYhAVMuO+PqtsGwZruEY6dpI493Aq+lfd+2TT
+pRG/isoGvGh+Lg+pwV3DLuGnnMH47iUHnPPXbYRBvSpnhC80vx8Bnbn4l7TpuZYo
+KLo5heP+Mb4sueG7KjuoOHRXcI3vHgKD2XjXFokdLBAy+75Ik0YNUWbvK76PiajE
+znic15ws1lTJiY16z+JPdjpLh+ddXf2DDnFhkWNy/Fxt+dIm0Bhdgin0rPKpE8Sv
+BIKiagL0VpDlVW5DUQe9ZVNW3zvyb3fvis+4+SmPcHDEq6ULgQQD6NjuPTKa7Suo
+pm7SxeMmP1c0B28S1wqZAh0mxrD/yUhKA/ZagRktAhCr+CXAgePEqeCZCx0XGqUw
+d/ZySw==
 -----END CERTIFICATE-----

cluster/certs/kube-controller-manager.crt

@@ -1,13 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIF9DCCA9wCCQCA8T/OXbv3DjANBgkqhkiG9w0BAQsFADCBtzELMAkGA1UEBhMC
-UEwxFDASBgNVBAgMC01hem93aWVja2llMREwDwYDVQQHDAhXYXJzemF3YTEuMCwG
-A1UECgwlU3Rvd2FyenlzemVuaWUgV2Fyc3phd3NraSBIYWNrZXJzcGFjZTEQMA4G
-A1UECwwHaHNjbG91ZDEaMBgGA1UEAwwRQm9vdHN0cmFwIE5vZGUgQ0ExITAfBgkq
-hkiG9w0BCQEWEnEza0BoYWNrZXJzcGFjZS5wbDAeFw0xOTAxMTIyMTI0MTlaFw0x
-OTAyMTEyMTI0MTlaMIG/MQswCQYDVQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNr
-aWUxFDASBgNVBAcMC01hem93aWVja2llMScwJQYDVQQKDB5zeXN0ZW06a3ViZS1j
-b250cm9sbGVyLW1hbmFnZXIxMjAwBgNVBAsMKUt1YmVybmV0ZXMgQ29udHJvbGxl
-ciBNYW5hZ2VyIENlcnRpZmljYXRlMScwJQYDVQQDDB5zeXN0ZW06a3ViZS1jb250
+MIIF9DCCA9ygAwIBAgIJAIDxP85du/ckMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+VQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUxETAPBgNVBAcMCFdhcnN6YXdh
+MS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5pZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNl
+MRAwDgYDVQQLDAdoc2Nsb3VkMRowGAYDVQQDDBFCb290c3RyYXAgTm9kZSBDQTEh
+MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzE5NDU0
+M1oXDTIwMDExMzE5NDU0M1owgboxCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
+d2llY2tpZTERMA8GA1UEBwwIV2Fyc3phd2ExJzAlBgNVBAoMHnN5c3RlbTprdWJl
+LWNvbnRyb2xsZXItbWFuYWdlcjEwMC4GA1UECwwnS3ViZXJuZXRlciBDb21wb25l
+bnQgY29udHJvbGxlci1tYW5hZ2VyMScwJQYDVQQDDB5zeXN0ZW06a3ViZS1jb250
 cm9sbGVyLW1hbmFnZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDH
 NdThV//g0VWj5VX+i/Z0iLjmoxwIJYVcuzLNJwiC3jyhjKfXwo7GjkI03PB0oHmj
 I/OS15NqCpSbOzLNKfnBk1WjfGfbyiyJbIFWPPWnD/i4mdiKZ5ZS45nYAUqBADs6
@@ -20,15 +20,15 @@ zpd1lw8LvnVmzLHuhIr/8HLm5hnbSwcdOqX1MEFRHO7mmc6fKJ7jce3mEKdMMowV
 7ue187+3rcZFc0p7Si+onAh3EpkNjkdsBOQQuOpJ+FALEP+7Bm8rivyFiBf4RyqP
 kMjazR4VLo9xce5p65mJBHreTwCMbgCYb4yzAXOt3KSoYuaHAFDyknaL0oCi0XAB
 H4g92Hrd9AY+ogKHER6aRG9rO+3zFM8LHiaOIrciBwIDAQABMA0GCSqGSIb3DQEB
-CwUAA4ICAQBkN9yuv/dc10NqUYsqaTT0+1H0EhbGFAasFdqTjIqwg79PBgxeJa6L
-9MjcMvPyUGkOQqGISrY5W2ZnLViSXPaSufCzSaBS8LG56yWjhkJAaWYEWrE0Or7Y
-RN13Z6lXaZCcXDxg43OUo8bI/Jw1V/bMkHaqDh4ndM2wdDnWv0pbYv10EOwtXQaK
-+Xfwzhn2lVIx6GtF6BbGcSdX7FCc7BIjIO9xc5E4TbdRk/97jKFnQAq4XUgLdmPi
-M2z5DWgAgDn1AaBe9OTX4FFebDaMwvNrO28H1x1bFj70gClUWzTQaCeHjO9EwD/6
-cg4ze9TbBlE9qdRWV6UcFjKvxCpZ/TyCszJfVBHdagCTfl3gkNqRTCqKyY+D62u7
-w2BIa6FzxfAz2yTJ2ZbtxwephyVE693qPV/UEJ1qz80m4QKC02ee7TH+I4pcyDaX
-srH7NULJ2hEIv8zAwIFJCTBAAkhLvqJ/mYh3Q2WPDJFO7UMWdsLBZ7E6zrOq00wU
-6CkHQImIcBrOanIM32ylSsJve1zT1+h5b6NmhxIECFz6aoGtHbPPuCMWAkdBce+M
-p9ZCvIzW5LR3iVizpKPwL53Z4u0RMNfl7LD1uMw78v63+A2n0aUO6oo9spF+rMPB
-SKrCyPZ5GA/4N/NZ/WRMYQ67mkRZqofYgKzRkKlq8FS2YLTDgAbsdA==
+CwUAA4ICAQAY/Kz0nL4fA7TvDcCRc4CErVbXb5q2OHWivrwOJbll7yJVt4ksh9bd
+g83kmdk/Z/vUpCQcJFEdEOFu/oiQ6eLIi59pM4zTjar5KVv1vtv5zkuWJ0lKtoxe
+40oV62kEgTWb4H4z3ADImgq60wRpU+Mwb0vmWF5Bto/M7Ul/+hpNudsWwY2KZzZo
+cPPEkW5Yics5mVgFY9KPyEpnWoAxBBOEcmBjzwr5FTgjRLlz9723dVpj37N88lur
+A2+Ezx2kRw5/KIznbeeZMBVGCLYZ+3RFJKlPaoxcoQ7Qd6isq0bkzJpeo/Dbl+NG
+AgT6MX21O9sOuFwBVfpzFov1eGLNFORsDLs7zZa8mcgtEpYOn0UC4D5q17B6tmp7
+JeEvx4zdkEp8lRJkBKCJpZ86yb47a59SoV2IC4I9laUEzDyWKNn94rhJ8rN7AQke
+z92xvdR4jOcOYznt/iFDI1uA2dtiIdfw8H2IMLxHyfcbzh/mm07gugrmZAZENI6/
+DZrJp6e1h505OEu0/PGzLfQnYpkEd7xdvxLODkxkqUd5BM9jCG7soYC2p3Hr69kA
+BjUv/0IGagMT/TxqdoUUzjcJp7N6VbJW+z+5Ze3hUFuN86SXW2na01iq2olOy+c/
+sPY21NPreeag3NDVFxuz/+XI4cFZ5pg8wLgKGJvLeYmgNkr+1U9DGg==
 -----END CERTIFICATE-----

cluster/certs/kube-proxy.crt

@@ -1,33 +1,34 @@
 -----BEGIN CERTIFICATE-----
-MIIFyzCCA7MCCQCA8T/OXbv3DzANBgkqhkiG9w0BAQsFADCBtzELMAkGA1UEBhMC
-UEwxFDASBgNVBAgMC01hem93aWVja2llMREwDwYDVQQHDAhXYXJzemF3YTEuMCwG
-A1UECgwlU3Rvd2FyenlzemVuaWUgV2Fyc3phd3NraSBIYWNrZXJzcGFjZTEQMA4G
-A1UECwwHaHNjbG91ZDEaMBgGA1UEAwwRQm9vdHN0cmFwIE5vZGUgQ0ExITAfBgkq
-hkiG9w0BCQEWEnEza0BoYWNrZXJzcGFjZS5wbDAeFw0xOTAxMTIyMTMwMDFaFw0x
-OTAyMTEyMTMwMDFaMIGWMQswCQYDVQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNr
-aWUxFDASBgNVBAcMC01hem93aWVja2llMRowGAYDVQQKDBFzeXN0ZW06a3ViZS1w
-cm94eTEjMCEGA1UECwwaS3ViZXJuZXRlcyBDb21wb25lbnQgcHJveHkxGjAYBgNV
-BAMMEXN5c3RlbTprdWJlLXByb3h5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAy6IJdYnjgNnmFr+uWcmn7MYpK/ucfle8ySsOWxuGbmFVUfJCR6vKuIii
-IisgPJVP2qdxnBDsyvHtgVUz3P8zTBqpqZdYvGgyUiQasd4DH4xypDVLdt+fmud/
-TyTqsK0/b95ugFKqbkJ09NL77/h3WjbRqPJGCTvSubSejn8vZqlIvV3O5Hj5g7gh
-O+Y3iDe37Jyv6J1/ViikvroxzZ6HvaNoGNL/r6/pF6j2s1i/Q0XITawVcgu6TAHY
-gY5XQj/zxNQMFr/jWcaTKDq8HLy2TVF9bCcHDDRufzcTwqZMwoY3N1jzX5Kvh4d0
-kgnj/u7BX3/fyFrIOGoqgxCYuvaQC2NGpILxSIAReaaFSSaSdR5jNQjj+7q+nNsm
-RjYsswnkK5fazXnDm9C1kD2VMwnXXgkX2M6vfmSWT4FRIFQPWhekWIvJZrVrNCRo
-38GiETu9oSfnZLHMemUm4SEC/pkntOFHN9ABeflkgtzGI500arQm7QN9ZT01E0e1
-iPsBC6t2Qpcc/PQy3yR3v6XkRyBzmtp7Oxx0K6REfKMCJWqwlft8FY0X1L1P+hDI
-3Ek4SOKhhxYUnUUwsGex+3NujsAyqF5LI2VFzU893rXG6+ZQYqOgarH2gk/WDHgL
-i7LtF2CDyOPLzurhebS6KObk/MBon2vQhSYjRR+3F5RnU8NJAX0CAwEAATANBgkq
-hkiG9w0BAQsFAAOCAgEAmSZE2LS5I3kWRUVUxKQ1UT6t6GMCSfILcEGW1Q03cI6T
-LbTygbOh7khIQSqlCZgKzWtmpUcc1pWGC1TwGIWcwvd/ZYJp3jPBRM3x7xs6Wnee
-1t88qaqB3ZO8cOEWcSxz+WU+DNf4iZVyWkUNqKptmTX450tyVSZpT38cHB8idRrT
-EwGg0sF7FGc3kGD9eIVi9L/MON218P6gOfrG24Ce8pxnGDwxXs9gC32s5Aa4mLam
-1S48Sun01w47M599D14OeRh6r0OpDhFdGlQUHWMlBkLsLEZkqdknNCYDWFELHIIK
-vyu28FFt8UFT0wAQRbqhYrgDqbNNJOrf4V18hrFK8XyKNivGJ9lCbhdiV4dkDEai
-y/Lz3CXbW98xT+MiiRKhsPjaTU01+NcczvM330iV4gIrtt+ROosalqo4I+N+JSs5
-PIHmIQKQ+2HAiGHIzQWiM8bz4JX4iMpxkKp7hEMiedonfw1ZMBYUuGp/6GTOQDhI
-s55qlDKk7PYLJfF4hLtNbfCHisczVQF7rwrZc216mlCOSoae3ySimUDtkO9Qfjmw
-/qr1xy3K5hkB3FoyUikRodWPdepdDILWVHGUH7++C4hBUlNh+8PpRUiSjDsURXE9
-5vsrf1vrp64JuJuc1YPzxPyZATX7lHZcv9R7l5VZCBlKuu4MvjX50rKBeEsHh5k=
+MIIFzTCCA7WgAwIBAgIJAIDxP85du/clMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+VQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUxETAPBgNVBAcMCFdhcnN6YXdh
+MS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5pZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNl
+MRAwDgYDVQQLDAdoc2Nsb3VkMRowGAYDVQQDDBFCb290c3RyYXAgTm9kZSBDQTEh
+MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzE5NDU0
+M1oXDTIwMDExMzE5NDU0M1owgZMxCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
+d2llY2tpZTERMA8GA1UEBwwIV2Fyc3phd2ExGjAYBgNVBAoMEXN5c3RlbTprdWJl
+LXByb3h5MSMwIQYDVQQLDBpLdWJlcm5ldGVyIENvbXBvbmVudCBwcm94eTEaMBgG
+A1UEAwwRc3lzdGVtOmt1YmUtcHJveHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQDLogl1ieOA2eYWv65Zyafsxikr+5x+V7zJKw5bG4ZuYVVR8kJHq8q4
+iKIiKyA8lU/ap3GcEOzK8e2BVTPc/zNMGqmpl1i8aDJSJBqx3gMfjHKkNUt235+a
+539PJOqwrT9v3m6AUqpuQnT00vvv+HdaNtGo8kYJO9K5tJ6Ofy9mqUi9Xc7kePmD
+uCE75jeIN7fsnK/onX9WKKS+ujHNnoe9o2gY0v+vr+kXqPazWL9DRchNrBVyC7pM
+AdiBjldCP/PE1AwWv+NZxpMoOrwcvLZNUX1sJwcMNG5/NxPCpkzChjc3WPNfkq+H
+h3SSCeP+7sFff9/IWsg4aiqDEJi69pALY0akgvFIgBF5poVJJpJ1HmM1COP7ur6c
+2yZGNiyzCeQrl9rNecOb0LWQPZUzCddeCRfYzq9+ZJZPgVEgVA9aF6RYi8lmtWs0
+JGjfwaIRO72hJ+dkscx6ZSbhIQL+mSe04Uc30AF5+WSC3MYjnTRqtCbtA31lPTUT
+R7WI+wELq3ZClxz89DLfJHe/peRHIHOa2ns7HHQrpER8owIlarCV+3wVjRfUvU/6
+EMjcSThI4qGHFhSdRTCwZ7H7c26OwDKoXksjZUXNTz3etcbr5lBio6BqsfaCT9YM
+eAuLsu0XYIPI48vO6uF5tLoo5uT8wGifa9CFJiNFH7cXlGdTw0kBfQIDAQABMA0G
+CSqGSIb3DQEBCwUAA4ICAQBrL4zXc5T41CUlvJS84/fXy15nCcXEGKRKMuJJYuRb
+GnAlmhcFHaqtGFZrKNVq8Ois1WVtp7yV3OFRDXVf2NQZVmZRjbTKTOMrISxdnxkz
+OTitZhgm8/dIssyM9QI6uVn/AZnI4tV2tUCrbt48F40RKQH2GZJz2yQAfoXA/MVG
+2cPzi03BglEgM4kV3F7o78DDOiXfY5RZNR3mXSOTMjqjHQ4W6c4QM15DYp+ZH20k
+lEYSINAO6Es5ng570OJYrpsED1l1qkjpw0hsdmIHmGIzCx+pLcHT9yBYYAVNzOPy
+lfta0c4F5kuUGGnZlkfov4veczXoXTcTjcBbUehnUHo5fzhzpWaN2H2MD+b6r7Q4
+EPqfZLY34p39Gcm9/SczlB0p4httnW/0VpxgskcDA1NIc0S6ZoBQvlphaIIyFhG1
+J0Ep1fzaKQXkqgAG0opq1k8pVK5ZPHCUWRqoMkiQUf3d0XdXQ7WYpyDVJGvaOyiw
+RVrR0yRZKV320H4v2kTP6wiG2zgq/4aVAXLpkFDesoE8HNna/pWPtoi/ssVGnLGE
+u4dLH6RoA3Z+BumUXKWfuFH26EgRGRvNf866bWCMCzSETrUoh7ky56IPVCMkwZft
+MTwdvR5re+KFq89iK6E2SjUPHPCG3L2q4fsxRHD/zMgSKvZ70ZqH0q8cnLBgoQ87
+AQ==
 -----END CERTIFICATE-----

cluster/certs/kube-scheduler.crt

@@ -1,34 +1,34 @@
 -----BEGIN CERTIFICATE-----
-MIIF1zCCA78CCQCA8T/OXbv3EDANBgkqhkiG9w0BAQsFADCBtzELMAkGA1UEBhMC
-UEwxFDASBgNVBAgMC01hem93aWVja2llMREwDwYDVQQHDAhXYXJzemF3YTEuMCwG
-A1UECgwlU3Rvd2FyenlzemVuaWUgV2Fyc3phd3NraSBIYWNrZXJzcGFjZTEQMA4G
-A1UECwwHaHNjbG91ZDEaMBgGA1UEAwwRQm9vdHN0cmFwIE5vZGUgQ0ExITAfBgkq
-hkiG9w0BCQEWEnEza0BoYWNrZXJzcGFjZS5wbDAeFw0xOTAxMTIyMTMwMDZaFw0x
-OTAyMTEyMTMwMDZaMIGiMQswCQYDVQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNr
-aWUxFDASBgNVBAcMC01hem93aWVja2llMR4wHAYDVQQKDBVzeXN0ZW06a3ViZS1z
-Y2hlZHVsZXIxJzAlBgNVBAsMHkt1YmVybmV0ZXMgQ29tcG9uZW50IHNjaGVkdWxl
-cjEeMBwGA1UEAwwVc3lzdGVtOmt1YmUtc2NoZWR1bGVyMIICIjANBgkqhkiG9w0B
-AQEFAAOCAg8AMIICCgKCAgEAnnIWVbnVbV2s7QDs/VSKPApWCYxQo2Px69DAfqbT
-qOkZRdMoydA9ogbaIFOcwKu5s4ipQug8tj4Fmq7ONAszAcvyNzvGXeS6t0eHFwwN
-jJVMwSV3yKH/gVPwAcG3pSfMlijf8ZFlg3hA/i2jSmnlec9S+9Y1egnP7r00/WRl
-NsmX4zE50WECOgAauPYbnQRih7psfMF+CTPUEbsgdrrpmHeRh1j8hr/AkrRQ7EHa
-r7gMxaDV2LpVNRGeCnvO/z+r9pEPF/6dWdTCGTDL5x8Zzohn70u0wjtjMxPo34ij
-2WRtBpMOYW8PnDbuv9bEOrqRzpc9CMzA223mhgRFPRHVVyqgXPOGxfqnEdWV2/3a
-F3BIUUTJ1Tn+VE83Uv6vEjs1N2UNngrsLQyrg/bWpAu+gM57b09t90JmpcdHOia9
-EbRfS43ADy2LaLElpULNWYRcbFUznAuGIsUfluf9Ujl6OM3fneZq254YxOp+g5ss
-tsY3XFqoQdkwO7mkBQvDPVD4lKw3EEFx2WsjT0lLXX8G1Lcvo6T8ParKkiscZ1eQ
-UkdUhEGiI3hOk+xBkcq5xOnDNqGiz9t98eMLF6oZ3Y5oFkyxU/le7x2z70YJiKI7
-G+qaQ3azd0nCcpph6z09g0Quh6otIHZMBLvXELB0+sO6Quxg8vWCjCaReXuuHnWr
-ThUCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAPTxRtV38O3JIMc+S079MdiUVOv5D
-XOp92Uea1IURjg9oPVAkaiFsyr4DNdoMa+J3qaTPoHX4D1DobDzWteUOkJuMqNBg
-SD/v5AZrkVvzH9jycfk7Qoqks5rlB7e0Hxj8/yyuJMzfiQBLnaJYf9sJ0jVixnxb
-nzS2/V6FRMPIpaRZkp46IxfIVtXsFGleapWTIDm5iPBR2JDO3iDhe4wsEK140mHm
-tTR/DLcbTXE5A/kG/JVOoKp980UUz6y0dkN7IZb2dDLMGlAynduzy9gFGmjMzsDu
-m5Tt8tFfq1ur3Ppl7rWKGuiYVaN2tE18xhyx/hnfrGuWat5P+cGAAKi4aD+NEiIQ
-dL5oO8vrQjCZ15gojbRS20TDy4jXeTj5xqhimezBK3I92IJt86kslqPZAWLrHVxy
-OzI6yQryTvAQvfCQPvVsCt5nPIMOSOeYEXZ+PnV4XQDTKLu8pK0VyMqZQTQXcUtz
-87emAel3nuVRpazqJXCPElE1Afq4iFNpRsjbPc+1cW/iG0mMAS/0LzlnkZop+t6I
-5N7EvjOUSUldq9lECmBMQV3mIkG/joOOM0KdI1h3zogtoblpwmp77SJZ2vUFR89q
-+rwwIkElLFzfh55uytQnZXjIqBOXcOSBC8kMEleMLa9IPNms6gkP7Co4wwHbMSTQ
-g1RPicE/VHOS/rQ=
+MIIF2TCCA8GgAwIBAgIJAIDxP85du/cmMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+VQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUxETAPBgNVBAcMCFdhcnN6YXdh
+MS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5pZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNl
+MRAwDgYDVQQLDAdoc2Nsb3VkMRowGAYDVQQDDBFCb290c3RyYXAgTm9kZSBDQTEh
+MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzE5NDU0
+NFoXDTIwMDExMzE5NDU0NFowgZ8xCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
+d2llY2tpZTERMA8GA1UEBwwIV2Fyc3phd2ExHjAcBgNVBAoMFXN5c3RlbTprdWJl
+LXNjaGVkdWxlcjEnMCUGA1UECwweS3ViZXJuZXRlciBDb21wb25lbnQgc2NoZWR1
+bGVyMR4wHAYDVQQDDBVzeXN0ZW06a3ViZS1zY2hlZHVsZXIwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQCechZVudVtXaztAOz9VIo8ClYJjFCjY/Hr0MB+
+ptOo6RlF0yjJ0D2iBtogU5zAq7mziKlC6Dy2PgWars40CzMBy/I3O8Zd5Lq3R4cX
+DA2MlUzBJXfIof+BU/ABwbelJ8yWKN/xkWWDeED+LaNKaeV5z1L71jV6Cc/uvTT9
+ZGU2yZfjMTnRYQI6ABq49hudBGKHumx8wX4JM9QRuyB2uumYd5GHWPyGv8CStFDs
+QdqvuAzFoNXYulU1EZ4Ke87/P6v2kQ8X/p1Z1MIZMMvnHxnOiGfvS7TCO2MzE+jf
+iKPZZG0Gkw5hbw+cNu6/1sQ6upHOlz0IzMDbbeaGBEU9EdVXKqBc84bF+qcR1ZXb
+/doXcEhRRMnVOf5UTzdS/q8SOzU3ZQ2eCuwtDKuD9takC76AzntvT233Qmalx0c6
+Jr0RtF9LjcAPLYtosSWlQs1ZhFxsVTOcC4YixR+W5/1SOXo4zd+d5mrbnhjE6n6D
+myy2xjdcWqhB2TA7uaQFC8M9UPiUrDcQQXHZayNPSUtdfwbUty+jpPw9qsqSKxxn
+V5BSR1SEQaIjeE6T7EGRyrnE6cM2oaLP233x4wsXqhndjmgWTLFT+V7vHbPvRgmI
+ojsb6ppDdrN3ScJymmHrPT2DRC6Hqi0gdkwEu9cQsHT6w7pC7GDy9YKMJpF5e64e
+datOFQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQC4VNkClOS7qFz6JKSkCWsPNGYl
+SZHihD/O4Nrd6pNhYgAeOJgRuEzbud7W214SjxIbhaZGIdRDiaYrSfaVrL0DiWso
+5NVIyG0h0e9DBojSEG8CjzGNjzbe2JfsqdwwbKVwbNw1WnfiUd+JvLuefTgUXhAH
+K2MZbqw11JUJQw+JNS8TXYRwBrii7Fb9mf1/mG6x1iiL+LYTur2WqD0X/d2VXoY5
+r2kGlnZetjWjG0Bo4QmTws1FzbzPv/+GYycG3WFRuK3q8h0COZOfUPT3Q/prbXmT
+hgRtxRecVj7jAm2Xh3eHJyXhPbDnnbTnV2DTDqQ4ADGckRAur3rYwHK0sp4fSkDV
+rz8mRg7AWW+MCn7D4hRh/XVKE4+kAB8kfl1sstZhMIEUITvJBHeFDAu+w9PfrMxm
+Z2R7ulGVgexKHLqfjufGQMZlYgeqFr+ZJgl+4xFZvnz/x9vKuDYnHubmr99gAyJY
+hx6PFrERiymUbDqsP60KzL0Weez6VDKME5SxJwhy9ZFXWq+PkK7urVNvk3fpf3vt
+plCq3Z0dV35hcE51PPEO2W5DV+8gofDtfjwn1njqtohBrArSwtbZGzzWlmbBqF4W
+kjEPdf1xib1wJHy6FW/jWnELFqsUzpWpLtTHOXJdoliH8KFdcQVqxf/uBi7riYas
+gBStDZ7N+bB3HknHew==
 -----END CERTIFICATE-----

cluster/certs/kube-serviceaccounts.crt

@@ -1,33 +1,34 @@
 -----BEGIN CERTIFICATE-----
-MIIFrjCCA5YCCQCA8T/OXbv3FTANBgkqhkiG9w0BAQsFADCBtzELMAkGA1UEBhMC
-UEwxFDASBgNVBAgMC01hem93aWVja2llMREwDwYDVQQHDAhXYXJzemF3YTEuMCwG
-A1UECgwlU3Rvd2FyenlzemVuaWUgV2Fyc3phd3NraSBIYWNrZXJzcGFjZTEQMA4G
-A1UECwwHaHNjbG91ZDEaMBgGA1UEAwwRQm9vdHN0cmFwIE5vZGUgQ0ExITAfBgkq
-hkiG9w0BCQEWEnEza0BoYWNrZXJzcGFjZS5wbDAeFw0xOTAxMTIyMjA4MTBaFw0x
-OTAyMTEyMjA4MTBaMHoxCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpvd2llY2tp
-ZTEUMBIGA1UEBwwLTWF6b3dpZWNraWUxJDAiBgNVBAoMG0t1YmVybmV0ZXMgU2Vy
-dmljZSBBY2NvdW50czEZMBcGA1UEAwwQc2VydmljZS1hY2NvdW50czCCAiIwDQYJ
-KoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVIKq5dWNAA1Q0giQYWCyCsIrGoXiBP
-WzEhwOeyjKdwReex2p9gCffK+LSIRmrQnAyQCFYj2T2gBXgM5beEwGupZlSNGcc/
-BTCh7C9TCoJnKM7OEVLLLYTaISrvJ+tmSDFVUch1QyirXv3+NFFrx+T+hSaqKJA1
-bL/+rpVfUBJft6WHigp/BEwXCd/q9A7tZSbbCqVtg0doaOJcMxW4ZTLHxcb8XRzV
-isBA8g/Hm9ToZVX5Cl2XfwT/AMhQJL9E+aXwzZDl4GWOjY9eGvbq07Y5C467lQG/
-ODh7uTWsQqwyXBBIBMHY8hXIs1CtY3rNS4jalXY5QTo6t6Fkjqqlnd6j5AmLj3pC
-uJl5nq0ufOg89rD1AgkbTdKLbk+NPunVQsTHsRDY45wEFeNShAXUoOSqionkYSoD
-aJ79T0WGhsVRpCmqJmw5ZgbTy72gRHM2cr6HTnteMuxuWh0GLh3bH6gsWLSrZX/N
-vrK2zeMeJxMTIBcKQ6rerqkV3s3xhRtJTk6DwGCTorM+hJsqWDovy20PBddBE2Xj
-/UJHr7XuEUIQKgpFUq9N45fQ7tGX+tpakvlaYFmiGloN9B9WlEE40Lin0rvdueUr
-s/UTfwOutY7iQ7vGuYYXQq5FdULMFmeAb7x2kckwGDsLIfRa/dmatwSBvStHBZiP
-wtjvURDM7YPZAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAAwmZd6/Z6uOcrswDZbx
-IK3M+l8e+xJUP+4ARZK9Of98tI4yCFQko3qWapi6pSDpMU/kvLxrj606e6NzoNoQ
-VFnnrZSeq7a5nPDBoid1OzPViI64xcfSdnVmE9uGhmLKaZY2GLtD3v8Qy7jBeJOZ
-xff83E5d2NWbbraXVe9PdFvUd4k6cNKeAUpyV+yr4P58MyNLD/kS3f2WNqz9sduN
-ZouZ/MRkS8vG/nam/G8v9FXSVXekXUHU0I+Ar2jrhEfWdA9viCTCJZRHL8jasIpz
-KBDHLa2Ywv8oGe4yxgEiGlSOM697tQUwV9MPT8H8O46Lm4/ZbkxRlsHRvjd5qCKA
-tPmnGlAK7m2fXDQLHhXVy5dKuuZplsVn6+ieymQ31v86sMaSGYE+Zg9ynWlbwRnI
-TbutwuONEEaucAkICf3gNV87kSL4BICpNmyRGuUnSNQscHnn3+0Px5qRLggl0zOc
-N5JfyY+oPPoFfop7TE/pDPEhpLyojXtcAebNGxfja6w2VpG7xO7KFIKIEZ/jrmcY
-D7XDoXPxn8KtoHNQkjayken75867J67yEftYELHHkD1kM+5V3ZxiiyNC2KDGwjHD
-SMgCI1QacFCLz0+aCyvhhdsCYUYO9T2DZXzTpXcBGbod2LkTRI92kyIPKldLLwSx
-7kgCUIUpS2PS4gElXF0QAPJp
+MIIF5zCCA8+gAwIBAgIJAIDxP85du/coMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+VQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUxETAPBgNVBAcMCFdhcnN6YXdh
+MS4wLAYDVQQKDCVTdG93YXJ6eXN6ZW5pZSBXYXJzemF3c2tpIEhhY2tlcnNwYWNl
+MRAwDgYDVQQLDAdoc2Nsb3VkMRowGAYDVQQDDBFCb290c3RyYXAgTm9kZSBDQTEh
+MB8GCSqGSIb3DQEJARYScTNrQGhhY2tlcnNwYWNlLnBsMB4XDTE5MDExMzE5NDU0
+NVoXDTIwMDExMzE5NDU0NVowga0xCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpv
+d2llY2tpZTERMA8GA1UEBwwIV2Fyc3phd2ExLjAsBgNVBAoMJVN0b3dhcnp5c3pl
+bmllIFdhcnN6YXdza2kgSGFja2Vyc3BhY2UxKjAoBgNVBAsMIUt1YmVybmV0ZXMg
+U2VydmljZSBBY2NvdW50IFNpZ25lcjEZMBcGA1UEAwwQc2VydmljZS1hY2NvdW50
+czCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVIKq5dWNAA1Q0giQYW
+CyCsIrGoXiBPWzEhwOeyjKdwReex2p9gCffK+LSIRmrQnAyQCFYj2T2gBXgM5beE
+wGupZlSNGcc/BTCh7C9TCoJnKM7OEVLLLYTaISrvJ+tmSDFVUch1QyirXv3+NFFr
+x+T+hSaqKJA1bL/+rpVfUBJft6WHigp/BEwXCd/q9A7tZSbbCqVtg0doaOJcMxW4
+ZTLHxcb8XRzVisBA8g/Hm9ToZVX5Cl2XfwT/AMhQJL9E+aXwzZDl4GWOjY9eGvbq
+07Y5C467lQG/ODh7uTWsQqwyXBBIBMHY8hXIs1CtY3rNS4jalXY5QTo6t6Fkjqql
+nd6j5AmLj3pCuJl5nq0ufOg89rD1AgkbTdKLbk+NPunVQsTHsRDY45wEFeNShAXU
+oOSqionkYSoDaJ79T0WGhsVRpCmqJmw5ZgbTy72gRHM2cr6HTnteMuxuWh0GLh3b
+H6gsWLSrZX/NvrK2zeMeJxMTIBcKQ6rerqkV3s3xhRtJTk6DwGCTorM+hJsqWDov
+y20PBddBE2Xj/UJHr7XuEUIQKgpFUq9N45fQ7tGX+tpakvlaYFmiGloN9B9WlEE4
+0Lin0rvdueUrs/UTfwOutY7iQ7vGuYYXQq5FdULMFmeAb7x2kckwGDsLIfRa/dma
+twSBvStHBZiPwtjvURDM7YPZAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAFm01HCY
+EEbzh4zAENHSdqDmwkbt58f8KpLLmS03nl1S3E0CiujnuR+exkOx5Kgb9TB9KbBK
+/sa9ewNRFvIDMZp3rmIcW1iruQta6KgSBOJeWP1SCgLXQPWHhZ9gak3gaCUZEztD
+UMwdnHD0pcAfghw5BTvVpc1t3DKFZ4HeLaBIXPgLQEzEuBDKfNwHc/2QLmFKIcLB
+nQNtz4gGGAgR51Wzpju4fj5qCG+nj2q8dL3mkUiXj1E0eVTkVqFx7vYz0c7kUbjQ
+fh4nBCva1hnHF38lb9nAQe1nraR3Yi52rbJrtcI0avDeIhPJo3dulU29zen/uk5O
+6JLTCidYuHFD2025VEv9eeAegZVq3FigghBtMT6nv4Lgg5HGcZGKJ27zDzfOYwkP
+NqjDCUOzBjRp6p6yIErr2w1k43mX+UABu8M7cQ5jvHeOgRAvLe3HmdYoKz75Ii1k
+Zsj2Zwfy5rSJavIhzoJFGWkyYskJZmzUD7bQIMizWIx09mrwwXcisHuFxNTej1J0
+ZhY32/kAlXnBvyqEtxQfr0VtN3UYurjSXgWzWiqiM/TvsGt05RQ9jEebCSZf99f4
+nFGBYrQhbtKjchdebRbpZ17aVa6J3xYO2pu3/YIy3h+HPsWgv/velvBBafNknWt6
+0vrLPy6Q8MtE6cC6JAEiIGHJU+PjMBVr3P0b
 -----END CERTIFICATE-----

cluster/secrets/.gitignore

@@ -0,0 +1 @@
+plain

data/secrets/.gitignore

@@ -1,3 +0,0 @@
-*
-!.gitignore
-!cipher/

env.sh

@@ -5,7 +5,7 @@ if [ "$0" == "$BASH_SOURCE" ]; then
     exit 1
 fi
 
-hscloud_root="$( cd "$(dirname "$BASH_SOURCE")"; pwd -P )"
+export hscloud_root="$( cd "$(dirname "$BASH_SOURCE")"; pwd -P )"
 
 if [ ! -f "$hscloud_root/WORKSPACE" ]; then
     echo "Could not find WORKSPACE"
@@ -16,200 +16,6 @@ hscloud_path="$hscloud_root/bazel-bin/tools"
 
 [[ ":$PATH:" != *":$hscloud_path:"* ]] && PATH="$hscloud_path:${PATH}"
 
-# legacy crap follows
-
-hscloud-dc() {
-    ( cd "$hscloud_root" && docker-compose -f "docker/docker-compose.yml" "$@" )
-}
-
-hscloud-pki-dev() {
-    (
-        set -e
-
-        cd "$hscloud_root"
-        rm -rf docker/pki
-
-        cp -rv go/pki/dev-certs docker/pki
-        cd docker/pki
-        bash gen.sh m6220-proxy arista-proxy cmc-proxy topo client
-        ls *pem
-    )
-}
-
-# Generate a per-node certificate remotely on the node.
-hscloud-node-remote-cert() {
-    (
-        set -e
-        if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
-            echo >&2 "Usage: hscloud-node-remote-cert node.fqdn.com certname subj"
-            exit 1
-        fi
-        fqdn="$1"
-        certname="$2"
-        subj="$3"
-
-        echo "Node: ${fqdn}; Cert: ${certname}"
-
-        echo "Checking node livenes..."
-        ssh root@$fqdn uname -a
-
-        echo "Checking if node already has key..."
-        ssh root@$fqdn stat /opt/hscloud/${certname}.key || (
-            echo "Generating key..."
-            ssh root@$fqdn -- mkdir -p /opt/hscloud
-            ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/${certname}.key 4096\"" 
-            ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
-        )
-
-        echo "Checking if node already has cert..."
-        ssh root@$fqdn stat /opt/hscloud/${certname}.crt && exit 0
-        echo "No cert, will generate..."
-
-        cd "$hscloud_root"
-        secrets="$hscloud_root/secrets"
-        ca="$secrets/ca.key"
-        [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
-
-        cp data/openssl.cnf san.cnf
-        echo -ne "\n[SAN]\nsubjectAltName=DNS:${fqdn}" >> san.cnf
-        scp san.cnf root@$fqdn:/opt/hscloud/san.cnf
-
-        ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}' -config /opt/hscloud/san.cnf -reqexts SAN\""
-        scp root@$fqdn:/opt/hscloud/${certname}.csr ${fqdn}-${certname}.csr
-        openssl x509 -req \
-                -in ${fqdn}-${certname}.csr \
-                -CA data/ca.crt \
-                -CAkey "$ca" -CAcreateserial \
-                -out "data/${fqdn}-${certname}.crt" \
-                -extensions SAN -extfile san.cnf
-
-        scp "data/${fqdn}-${certname}.crt" root@$fqdn:/opt/hscloud/${certname}.crt
-        scp "data/ca.crt" root@$fqdn:/opt/hscloud/ca.crt
-        ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt /opt/hscloud/ca.crt
-        rm ${fqdn}-${certname}.csr
-        rm san.cnf
-    )
-}
-
-# Generate locally (if not present) a shared certificate, and upload it to the node
-hscloud-node-shared-cert() {
-    (
-        set -e
-        if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
-            echo >&2 "Usage: hscloud-node-shared-cert node.fqdn.com certname subj"
-            exit 1
-        fi
-        fqdn="$1"
-        certname="$2"
-        subj="$3"
-
-        cd "$hscloud_root"
-        secrets="$hscloud_root/secrets"
-        keyfile="$secrets/$certname.key"
-        cert="$hscloud_root/data/$certname.crt"
-        csr="$hscloud_root/data/$certname.csr"
-        ca="$secrets/ca.key"
-        [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
-
-        echo "Checking if key exists..."
-        if [ ! -f "$keyfile" ]; then
-            echo "No key, trying to decrypt..."
-            if ! scripts/secretstore decrypt "$secrets/cipher/$certname.key" > "$keyfile" ; then
-                echo "No encrypted key, generating..."
-                openssl genrsa -out $keyfile 4096
-                echo "Encrypting..."
-                scripts/secretstore encrypt "$keyfile" > "$secrets/cipher/$certname.key"
-            fi
-        fi
-
-        echo "Checking if cert exists..."
-        if [ ! -f "$cert" ]; then
-            echo "No cert, generating..."
-            rm -f "${csr}"
-            openssl req -new -key "${keyfile}" -out "${csr}" -subj "${subj}"
-            openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
-        fi
-
-        echo "Copying certificate to node..."
-        scp "${cert}" root@$fqdn:/opt/hscloud/${certname}.crt
-        scp "${keyfile}" root@$fqdn:/opt/hscloud/${certname}.key
-        ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt
-        ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
-    )
-}
-
-hscloud-node-certs() {
-    (
-        set -e
-            
-        if [ -z "$1" ]; then
-            echo >&2 "Usage: hscloud-node-certs node.fqdn.com"
-            exit 1
-        fi
-        fqdn="$1"
-
-        hscloud-node-remote-cert ${fqdn} node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=\"$fqdn\""
-        hscloud-node-remote-cert ${fqdn} kube-node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:nodes/OU=Kubernetes Node Certificate/CN=system:node:\"$fqdn\""
-        for component in controller-manager proxy scheduler; do
-            hscloud-node-shared-cert ${fqdn} kube-${component} "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:kube-${component}/OU=Kubernetes Component ${component}/CN=system:kube-${component}"
-        done
-        hscloud-node-shared-cert ${fqdn} kube-apiserver "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes API/CN=k0.hswaw.net"
-        hscloud-node-shared-cert ${fqdn} kube-serviceaccounts "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes Service Accounts/CN=service-accounts"
-    )
-}
-
-hscloud-k8s-config() {
-    (
-        set -e
-
-        if [ -z "$1" ]; then
-            echo >&2 "Usage: hscloud-k8s-config username"
-            exit 1
-        fi
-        username="$1"
-
-        cd "$hscloud_root"
-        mkdir -p .kubectl
-
-        cert="$hscloud_root/.kubectl/client.crt"
-        csr="$hscloud_root/.kubectl/client.csr"
-        keyfile="$hscloud_root/.kubectl/client.key"
-        secrets="$hscloud_root/secrets"
-        ca="$secrets/ca.key"
-
-        if [ ! -f "$keyfile" ]; then
-            echo "Generating ${keyfile}..."
-            openssl genrsa -out $keyfile 4096
-            rm -f "$cert"
-        fi
-        if [ ! -f "$cert" ]; then
-            echo "Signing ${cert}..."
-            [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
-            openssl req -new -key "${keyfile}" -out "${csr}" -subj "/C=PL/ST=Mazowieckie/O=system:masters/OU=Kubernetes Admin Account for ${username}/CN=${username}"
-            openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
-        fi
-
-        kubeconfig="$hscloud_root/.kubectl/client.kubeconfig"
-        echo "Generating ${kubeconfig}..."
-        rm -rf ${kubeconfig}
-
-        kubectl config set-cluster k0.hswaw.net \
-          --certificate-authority=${hscloud_root}/data/ca.crt \
-          --embed-certs=true \
-          --server=https://k0.hswaw.net:4001 \
-          --kubeconfig=${kubeconfig}
-
-        kubectl config set-credentials ${username} \
-          --client-certificate=${cert} \
-          --client-key=${keyfile} \
-          --embed-certs=true \
-          --kubeconfig=${kubeconfig}
-
-        kubectl config set-context default \
-          --cluster=k0.hswaw.net \
-          --user=${username} \
-          --kubeconfig=${kubeconfig}
-
-        kubectl config use-context default --kubeconfig=${kubeconfig}
-    )
+gpg-unlock() {
+    echo "test" | gpg2 --sign --batch --no-tty -o /dev/null
 }

requirements.txt

@@ -0,0 +1,12 @@
+asn1crypto==0.24.0
+bcrypt==3.1.5
+cffi==1.11.5
+cryptography==2.4.2
+fabric==2.4.0
+idna==2.8
+invoke==1.2.0
+paramiko==2.4.2
+pyasn1==0.4.5
+pycparser==2.19
+PyNaCl==1.3.0
+six==1.12.0

tools/BUILD

@@ -1,25 +1,36 @@
+load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar", "pkg_deb")
+load("@py_deps//:requirements.bzl", "requirement")
 load("//bzl:rules.bzl", "copy_go_binary")
 
 py_binary(
     name = "secretstore",
     srcs = ["secretstore.py"],
+    visibility = ["//visibility:public"],
+)
+
+py_binary(
+    name = "clustercfg",
+    srcs = ["clustercfg.py"],
+    visibility = ["//visibility:public"],
+    deps = [
+        requirement("fabric"),
+    ],
+)
+
+py_binary(
+    name = "pass",
+    srcs = ["pass.py"],
+    visibility = ["//visibility:public"],
 )
 
 copy_go_binary(
     name = "kubectl",
     src = "@io_k8s_kubernetes//cmd/kubectl:kubectl",
+    visibility = ["//visibility:public"],
 )
 
 copy_go_binary(
     name = "kubecfg",
     src = "@com_github_ksonnet_kubecfg//:kubecfg",
-)
-
-filegroup(
-    name = "tools",
-    srcs = [
-        ":secretstore",
-        ":kubectl",
-        ":kubecfg",
-    ],
+    visibility = ["//visibility:public"],
 )

tools/clustercfg.py

@@ -0,0 +1,352 @@
+#!/usr/bin/env python
+
+from builtins import object
+
+import datetime
+from io import BytesIO
+import logging
+import os
+import tempfile
+import subprocess
+import sys
+
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+import fabric
+
+import secretstore
+
+
+cluster = 'k0.hswaw.net'
+remote_root = '/opt/hscloud'
+local_root = os.getenv('hscloud_root')
+
+if local_root is None:
+    raise Exception("Please source env.sh")
+
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.DEBUG)
+logger.addHandler(logging.StreamHandler())
+
+
+def decrypt(base):
+    src = os.path.join(local_root, 'cluster/secrets/cipher', base)
+    dst = os.path.join(local_root, 'cluster/secrets/plain', base)
+    secretstore.decrypt(src, dst)
+
+
+class PKI(object):
+    def __init__(self):
+        self.cacert = os.path.join(local_root, 'cluster/certs/ca.crt')
+        self.cakey = os.path.join(local_root, 'cluster/secrets/plain/ca.key')
+
+        if not os.path.exists(self.cakey):
+            decrypt('ca.key')
+
+    def sign(self, csr, crt, conf, days=365):
+        logger.info('pki: signing {} for {} days'.format(csr, days))
+        subprocess.check_call([
+            'openssl', 'x509', '-req',
+            '-in', csr,
+            '-CA', self.cacert,
+            '-CAkey', self.cakey,
+            '-out', crt,
+            '-extensions', 'SAN', '-extfile', conf,
+            '-days', str(days),
+        ])
+
+
+class Subject(object):
+    hswaw = "Stowarzyszenie Warszawski Hackerspace"
+    def __init__(self, o, ou, cn):
+        self.c = 'PL'
+        self.st = 'Mazowieckie'
+        self.l = 'Warszawa'
+        self.o = o
+        self.ou = ou
+        self.cn = cn
+
+    @property
+    def parts(self):
+        return {
+            'C': self.c,
+            'ST': self.st,
+            'L': self.l,
+            'O': self.o,
+            'OU': self.ou,
+            'CN': self.cn,
+        }
+
+    def __str__(self):
+        parts = self.parts
+        res = []
+        for p in ['C', 'ST', 'L', 'O', 'OU', 'CN']:
+            res.append('/{}={}'.format(p, parts[p]))
+        return ''.join(res)
+
+def _file_exists(c, filename):
+    res = c.run('stat "{}"'.format(filename), warn=True, hide=True)
+    return res.exited == 0
+
+def openssl_config(san):
+    with open(os.path.join(local_root, 'cluster/openssl.cnf'), 'rb') as f:
+        config = BytesIO(f.read())
+
+    config.seek(0, 2)
+    config.write(b'\n[SAN]\n')
+    for s in san:
+        config.write('subjectAltName=DNS:{}\n'.format(s).encode())
+
+    f = tempfile.NamedTemporaryFile(delete=False)
+    path = f.name
+    f.write(config.getvalue())
+    f.close()
+
+    return path
+
+def remote_cert(pki, c, fqdn, cert_name, subj, san=[], days=365):
+    logger.info("{}/{}: remote cert".format(fqdn, cert_name))
+
+    remote_key = os.path.join(remote_root, '{}.key'.format(cert_name))
+    remote_cert = os.path.join(remote_root, '{}.crt'.format(cert_name))
+    remote_csr = os.path.join(remote_root, '{}.csr'.format(cert_name))
+    remote_config = os.path.join(remote_root, 'openssl.cnf')
+
+    generate_cert = False
+    if not _file_exists(c, remote_key):
+        logger.info("{}/{}: generating key".format(fqdn, cert_name))
+        c.run('openssl genrsa -out "{}" 4096'.format(remote_key), hide=True)
+        genereate_cert = True
+
+    b = BytesIO()
+    try:
+        c.get(local=b, remote=remote_cert)
+        cert = x509.load_pem_x509_certificate(b.getvalue(), default_backend())
+        delta = cert.not_valid_after - datetime.datetime.now()
+        logger.info("{}/{}: existing cert expiry: {}".format(fqdn, cert_name, delta))
+        if delta.total_seconds() < 3600 * 24 * 60:
+            logger.info("{}/{}: expires soon, regenerating".format(fqdn, cert_name))
+            generate_cert = True
+    except (FileNotFoundError, ValueError):
+        generate_cert = True
+
+    if not generate_cert:
+        return False
+
+
+    local_config = openssl_config(san)
+    c.put(local=local_config, remote=remote_config)
+
+    c.run("""
+        nix-shell -p openssl --command "openssl req -new -key {remote_key} -out {remote_csr} -subj '{subj}' -config {remote_config} -reqexts SAN"
+    """.format(remote_key=remote_key, remote_csr=remote_csr, subj=str(subj), remote_config=remote_config))
+
+    local_csr_f = tempfile.NamedTemporaryFile(delete=False)
+    local_csr = local_csr_f.name
+    local_csr_f.close()
+
+    local_cert = os.path.join(local_root, 'cluster/certs', '{}-{}.crt'.format(fqdn, cert_name))
+
+    c.get(local=local_csr, remote=remote_csr)
+
+    pki.sign(local_csr, local_cert, local_config, days)
+
+    c.put(local=local_cert, remote=remote_cert)
+
+    os.remove(local_csr)
+    os.remove(local_config)
+
+    return True
+
+
+def shared_cert(pki, c, fqdn, cert_name, subj, san=[], days=365):
+    logger.info("{}/{}: shared cert".format(fqdn, cert_name))
+
+    local_key = os.path.join(local_root, 'cluster/secrets/plain', '{}.key'.format(cert_name))
+    local_cert = os.path.join(local_root, 'cluster/certs', '{}.crt'.format(cert_name))
+    remote_key = os.path.join(remote_root, '{}.key'.format(cert_name))
+    remote_cert = os.path.join(remote_root, '{}.crt'.format(cert_name))
+
+    generate_cert = False
+    if not os.path.exists(local_key):
+        try:
+            decrypt('{}.key'.format(cert_name))
+        except subprocess.CalledProcessError:
+            logger.info("{}/{}: generating key".format(fqdn, cert_name))
+            subprocess.check_call([
+                'openssl', 'genrsa', '-out', local_key, '4096',
+            ])
+            generate_cert = True
+
+    if os.path.exists(local_cert):
+        with open(local_cert, 'rb') as f:
+            b = f.read()
+            cert = x509.load_pem_x509_certificate(b, default_backend())
+            delta = cert.not_valid_after - datetime.datetime.now()
+            logger.info("{}/{}: existing cert expiry: {}".format(fqdn, cert_name, delta))
+            if delta.total_seconds() < 3600 * 24 * 60:
+                logger.info("{}/{}: expires soon, regenerating".format(fqdn, cert_name))
+                generate_cert = True
+    else:
+        generate_cert = True
+
+    if not generate_cert:
+        return False
+
+    local_csr_f = tempfile.NamedTemporaryFile(delete=False)
+    local_csr = local_csr_f.name
+    local_csr_f.close()
+
+    local_config = openssl_config(san)
+
+    subprocess.check_call([
+        'openssl', 'req', '-new',
+        '-key', local_key,
+        '-out', local_csr,
+        '-subj', str(subj),
+        '-config', local_config,
+        '-reqexts', 'SAN',
+    ])
+
+    pki.sign(local_csr, local_cert, local_config, days)
+
+    c.put(local=local_key, remote=remote_key)
+    c.put(local=local_cert, remote=remote_cert)
+
+    os.remove(local_csr)
+    os.remove(local_config)
+    return True
+
+
+def configure_k8s(username, ca, cert, key):
+    subprocess.check_call([
+        'kubectl', 'config',
+        'set-cluster', cluster,
+        '--certificate-authority=' + ca,
+        '--embed-certs=true',
+        '--server=https://' + cluster + ':4001',
+    ])
+    subprocess.check_call([
+        'kubectl', 'config',
+        'set-credentials', username,
+        '--client-certificate=' + cert,
+        '--client-key=' + key,
+        '--embed-certs=true',
+    ])
+    subprocess.check_call([
+        'kubectl', 'config',
+        'set-context', cluster,
+        '--cluster=' + cluster,
+        '--user=' + username,
+    ])
+    subprocess.check_call([
+        'kubectl', 'config',
+        'use-context', cluster,
+    ])
+
+def admincreds(args):
+    if len(args) != 1:
+        sys.stderr.write("Usage: admincreds q3k\n")
+        return 1
+    username = args[0]
+
+    pki = PKI()
+
+    local_key = os.path.join(local_root, '.kubectl/admin.key')
+    local_cert = os.path.join(local_root, '.kubectl/admin.crt')
+    local_csr = os.path.join(local_root, '.kubectl/admin.csr')
+
+    generate_cert = False
+    if not os.path.exists(local_key):
+        subprocess.check_call([
+            'openssl', 'genrsa', '-out', local_key, '4096',
+        ])
+        generate_cert = True
+
+    if os.path.exists(local_cert):
+        with open(local_cert, 'rb') as f:
+            b = f.read()
+            cert = x509.load_pem_x509_certificate(b, default_backend())
+            delta = cert.not_valid_after - datetime.datetime.now()
+            logger.info("admin: existing cert expiry: {}".format(delta))
+            if delta.total_seconds() < 3600 * 24:
+                logger.info("admin: expires soon, regenerating")
+                generate_cert = True
+    else:
+        generate_cert = True
+
+    if not generate_cert:
+        return configure_k8s(username, pki.cacert, local_cert, local_key)
+
+    local_config = openssl_config([])
+    subj = Subject('system:masters', "Kubernetes Admin Account for {}".format(username), username)
+
+    subprocess.check_call([
+        'openssl', 'req', '-new',
+        '-key', local_key,
+        '-out', local_csr,
+        '-subj', str(subj),
+        '-config', local_config,
+        '-reqexts', 'SAN',
+    ])
+
+    pki.sign(local_csr, local_cert, local_config, 5)
+    os.remove(local_config)
+
+    configure_k8s(username, pki.cacert, local_cert, local_key)
+
+
+def nodestrap(args):
+    if len(args) != 1:
+        sys.stderr.write("Usage: nodestrap bc01n01.hswaw.net\n")
+        return 1
+    fqdn = args[0]
+
+    logger.info("Nodestrapping {}...".format(fqdn))
+
+    c = fabric.Connection('root@{}'.format(fqdn))
+    p = PKI()
+
+    modified = False
+    modified |= remote_cert(p, c, fqdn, "node", Subject(Subject.hswaw, 'Node Certificate', fqdn))
+    modified |= remote_cert(p, c, fqdn, "kube-node", Subject('system:nodes', 'Kubelet Certificate', 'system:node:' + fqdn), san=[fqdn,])
+    for component in ['controller-manager', 'proxy', 'scheduler']:
+        o = 'system:kube-{}'.format(component)
+        ou = 'Kuberneter Component {}'.format(component)
+        modified |= shared_cert(p, c, fqdn, 'kube-{}'.format(component), Subject(o, ou, o))
+    modified |= shared_cert(p, c, fqdn, 'kube-apiserver', Subject(Subject.hswaw, 'Kubernetes API', cluster))
+    modified |= shared_cert(p, c, fqdn, 'kube-serviceaccounts', Subject(Subject.hswaw, 'Kubernetes Service Account Signer', 'service-accounts'))
+
+    if modified:
+        logger.info('{}: cert(s) modified, restarting services...'.format(fqdn))
+
+        services = [
+            'kubelet', 'kube-proxy',
+            'kube-apiserver', 'kube-controller-manager', 'kube-scheduler',
+            'etcd'
+        ]
+
+        for s in services:
+            c.run('systemctl stop {}'.format(s))
+        for s in services[::-1]:
+            c.run('systemctl start {}'.format(s))
+
+def usage():
+    sys.stderr.write("Usage: {} <nodestrap|admincreds>\n".format(sys.argv[0]))
+
+def main():
+    if len(sys.argv) < 2:
+        usage()
+        return 1
+
+    mode = sys.argv[1]
+    if mode == "nodestrap":
+        return nodestrap(sys.argv[2:])
+    elif mode == "admincreds":
+        return admincreds(sys.argv[2:])
+    else:
+        usage()
+        return 1
+
+if __name__ == '__main__':
+    sys.exit(main() or 0)

tools/install.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+if [ -z "$hscloud_root" ]; then
+    echo 2>&1 "Please first source env.sh"
+    exit 1
+fi
+
+cd "${hscloud_root}"
+
+bazel build \
+        //tools:kubectl //tools:kubecfg //tools:clustercfg //tools:secretstore \
+        //tools:pass

tools/pass.py

@@ -0,0 +1,6 @@
+#!/usr/bin/env python
+
+# This is a fake `pass` to make docker-credential-helpers shut up.
+
+import sys
+sys.exit(1)

tools/secretstore.py

@@ -10,6 +10,18 @@ keys = [
     "482FF104C29294AD1CAF827BA43890A3DE74ECC7", # inf
 ]
 
+def encrypt(src, dst):
+    cmd = ['gpg' , '--encrypt', '--armor', '--batch', '--yes', '--output', dst]
+    for k in keys:
+        cmd.append('--recipient')
+        cmd.append(k)
+    cmd.append(src)
+    subprocess.check_call(cmd)
+
+def decrypt(src, dst):
+    cmd = ['gpg', '--decrypt', '--output', dst, src]
+    subprocess.check_call(cmd)
+
 def main():
     if len(sys.argv) < 3 or sys.argv[1] not in ('encrypt', 'decrypt'):
         sys.stderr.write("Usage: {} encrypt/decrypt file\n".format(sys.argv[0]))
@@ -20,15 +32,9 @@ def main():
     src = sys.argv[2]
 
     if action == 'encrypt':
-        cmd = ['gpg' , '--encrypt', '--armor', '--batch', '--yes', '--output', '-']
-        for k in keys:
-            cmd.append('--recipient')
-            cmd.append(k)
-        cmd.append(src)
-        subprocess.check_call(cmd)
+        encrypt(src, '-')
     else:
-        cmd = ['gpg', '--decrypt', '--output', '-', src]
-        subprocess.check_call(cmd)
+        decrypt(src, '-')
 
 if __name__ == '__main__':
     sys.exit(main() or 0)