cluster: move prodvider to kubernetes.default.svc.k0.hswaw.net

In https://gerrit.hackerspace.pl/c/hscloud/+/70 we accidentally
introduced a split-horizon DNS situation:

 - k0.hswaw.net from the Internet resolves to nodes running the k8s API
   servers, and as such can serve API server traffic
 - k0.hswaw.net from the cluster returned no results

This broke prodvider in two ways:
 - it dialed the API servers at k0.hswaw.net
 - even after the endpoint was moved to
   kubernetes.default.svc.k0.hswaw.net, the apiserver cert didn't cover
   that

Thus, not only we had to change the prodvider endpoint but also change
the APIserver certs to cover this new name.

I'm not sure this should be the target fix. I think at some point we
should only start referring to in-cluster services via their full (or
cluster.local) names, but right now k0.hswaw.net is an exception and as
such a split, and we have no way to access the internal services from
the outside just yet.

However, getting prodvider to work is important enough that this fix is
IMO good enough for now.

Change-Id: I13d0681208c66f4060acecc78b7ae14b8f8d7125

cluster/certs/kube-apiserver.cert

@@ -1,30 +1,30 @@
 -----BEGIN CERTIFICATE-----
-MIIFFjCCA/6gAwIBAgIUOh9rwpJmes6m22slPOE/o3P6qYMwDQYJKoZIhvcNAQEL
+MIIFOzCCBCOgAwIBAgIUOTp3sQjMouriHKrbOlv/F2vNXaMwDQYJKoZIhvcNAQEL
 BQAwgYMxCzAJBgNVBAYTAlBMMRQwEgYDVQQIEwtNYXpvd2llY2tpZTEPMA0GA1UE
 BxMGV2Fyc2F3MRswGQYDVQQKExJXYXJzYXcgSGFja2Vyc3BhY2UxEzARBgNVBAsT
-CmNsdXN0ZXJjZmcxGzAZBgNVBAMTEmt1YmVybmV0ZXMgbWFpbiBDQTAeFw0xOTA0
-MDYyMTIwMDBaFw0yMDA0MDUyMTIwMDBaMGQxCzAJBgNVBAYTAlBMMRQwEgYDVQQI
+CmNsdXN0ZXJjZmcxGzAZBgNVBAMTEmt1YmVybmV0ZXMgbWFpbiBDQTAeFw0xOTEw
+MDQxMTM5MDBaFw0yMDEwMDMxMTM5MDBaMGQxCzAJBgNVBAYTAlBMMRQwEgYDVQQI
 EwtNYXpvd2llY2tpZTEPMA0GA1UEBxMGV2Fyc2F3MRcwFQYDVQQLEw5LdWJlcm5l
 dGVzIEFQSTEVMBMGA1UEAxMMazAuaHN3YXcubmV0MIICIjANBgkqhkiG9w0BAQEF
-AAOCAg8AMIICCgKCAgEAs9DdG6lb0weWTLCH1Z8ETCy+RasjGTkubPWEkrL8JU/o
-69aC873wIlVkL6DiqVyiBaXvcIfwKK8b4uLsPuNlThcnhl3rZIr2/y7FDnp5E2ci
-5bAWKwguv4/zKD3CiK/wTBXVlhkTuA1eLvB0UynUK5ILn7Z2YBpKr0iH8YQ/bkPy
-WkZlwBXuE/UuaeDBIOrMnTUQ5BLsnnQeDw2vkI9Fv+WNMaK5R8Drku3+yHvdWptw
-Xv7evOIQiLADazRrRSxyErjjhYTClV/Zlg5wbkfKoyfwDn8dvOiJHrK3qGFdAn81
-P2W2nNlpn5SCzlIx7IvKzlTDCb1qsF6iHK5FDPac3sD5HW8V5o9GWEJuFmcP1291
-j4gQgugTYHX/sS4yDyAInWY8YDXaFVZRKS7FWxJ1H/5s4uL7xJqerwKURDrAazI/
-IIeTvZ58KDgG0HEdgAk4E+/FlVrZqkHySL2npQtMgXfSdk2WqUUayT7DTRyDZdU9
-nj0OAhju7HuUF31/3nu+nPuCZlW3xcrlbB5ZSXr/M/VUsiZEB3KyPoy7kqLRtRbl
-TYAyfco/ZosLym4qMhzP5trkU/5kr84plDS0iUJ9psbqkW/ZapPeemPGbbPxPByR
-6w6OvR0jo+/Sbd+gXjaNlwNlBDOObmTv9LViUJaCTvpx6oSjDAKO2hG2X4HbcOUC
-AwEAAaOBnzCBnDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
-CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMLkejxh9VHSK9XJcvFs
-i3sP9ZVTMB8GA1UdIwQYMBaAFJgyXQ5PMx77CemJJBMWQmqA0ZnQMB0GA1UdEQQW
-MBSCDGswLmhzd2F3Lm5ldIcECgoMATANBgkqhkiG9w0BAQsFAAOCAQEAmme9CGeu
-Nl1rQOB9d4xVey2k6aUD+mlta0FIOPJyvgbkC99Uj95KN/pD/2Ptasqi8QFOFTax
-CKYOb3HcT3NDE8KIuqwsaJqraTMKFJhFpNvhw9nnQ6OuGBAhDCmoAZuCLyv0t+PH
-fN7J9MBvVvTLUE8ZGEuzIu1/3owYfEp9SJ+5xJ0G+OcOOfvYqm8Px52h8/nMAClQ
-hf3Me37UA1o5ADsdfzSTjnPvEwnvkkWFgi0EpeUAZnDn9BnD3dCMNhJYSAgh9b9+
-fgk5vAYLmG8VhQNFRx1GdaEoBNd3aoUyCVFzkN1jCiTcu/BcaaJW0Rz/MCCTLVEa
-a50kj4xSfVQR7A==
+AAOCAg8AMIICCgKCAgEA060kw0Os4CAbsdmWqIuoeoKeTl0j0hAtxpDAJZIG2Cam
+2SST4AKAxrk6neNQXqmrUpJYzfDrQuUlDhr47+7Gdhllp0wkG0gobErkbo+yUDRs
+hPCcRlRktodXlvEb3jAe8OXF1LgX6sYj6Pe7d+TuMcQlUuW6qcheWUl/JJfYCFhf
+Vd5qk7BGXCZBFo6wBr08ctRKDFLFzmA+TyUADVXlVRd+M7jAo/EAZ9y30HmWRNae
+jhdsazW3mUdO2nCvMCxBhCemHPP/V/3Jg70Ueo6AD5m1+ynJ0CxN1XRgq20ETPlQ
+CT0Rk7IaHJ1e9XNMYeV1OxL3TlxMmalsARO2gl0D88X0kpIniIfbwUM4HZU4jx8B
+1FwMtJxbCSWVPE5pGE5wCbiM//dybIQelorCqLvIFuy617KhdCPs2CAsXUE2TD6h
+P80bzNiC/vNUwH1SqX6B0tvAfwwEqSIK4zAVISDYgrNH8LbcEXs9xmltowt4qG7x
+Cyxl8ihhf6BlNrGvA3F0foZCfaPKlT7+rH1cbFWqlF95/zOI8mZSJn0YNZgb8OV8
+KG1VvQOPriGE8Ha3xGZXOyUPcXAyd+ZrCGY/nntS+WRxG7EvejtSWlAkcy8G3ZK3
+FaDxYEbtpaSZZ9LYLvf6qFs32jtxd3OpUceVKmJOAZMUSSsF2zt/ytxTk5jlmesC
+AwEAAaOBxDCBwTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
+CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFNbiIjC8M04dzKXqBJpi
+NcTtkVA4MB8GA1UdIwQYMBaAFJgyXQ5PMx77CemJJBMWQmqA0ZnQMEIGA1UdEQQ7
+MDmCDGswLmhzd2F3Lm5ldIIja3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5rMC5oc3dh
+dy5uZXSHBAoKDAEwDQYJKoZIhvcNAQELBQADggEBAHXeJL3zo+MSn8Bg8cn+PmW3
+BVINkb9jxdcD45fbp1sqSuFysKx8jBVVrcxWP8ALm7J9gk1Q4Es7gOO7mISywtEI
+IcGzrQwmlM5lKMOaLMOMPJlGOI6rhlbdixuEiL7eNAKyxW9tvmtG32sRf3EiKxro
+AE/+jHN3FB5z6OAucGWcYFIPYlUOaTEAVHjMuks+8YlvB4MoEisR9J0IKyM/Ziw8
+SOQAh1gsP0Ogrsw+AxqB4m/y0V0E4xhVoJ62aOPHqVaT2VX9wQpypnNmFCMBYEkA
+89ZwprVBaH+DTBpGccYlPNK+BpFVdKnvI5zzq8Vnx0zoaK2lcYgNpbcKp0ar4D8=
 -----END CERTIFICATE-----

cluster/clustercfg/clustercfg.py

@@ -190,7 +190,7 @@ def nodestrap(args, nocerts=False):
         c.upload_pki(r, pki_config('kube.kubelet'))
 
         # Make apiserver certificate.
-        c = ca_kube.make_cert('kube-apiserver', ou='Kubernetes API', hosts=[cluster, '10.10.12.1'])
+        c = ca_kube.make_cert('kube-apiserver', ou='Kubernetes API', hosts=[cluster, 'kubernetes.default.svc.'+cluster, '10.10.12.1'])
         c.upload_pki(r, pki_config('kube.apiserver'), concat_ca=True)
 
         # Make service accounts decryption key (as cert for consistency).

cluster/kube/cluster.jsonnet

@@ -210,7 +210,11 @@ local Cluster(fqdn) = {
     },
 
     // Prodvider
-    prodvider: prodvider.Environment {},
+    prodvider: prodvider.Environment {
+        cfg+: {
+            apiEndpoint: "kubernetes.default.svc.%s" % [cluster.fqdn],
+        },
+    },
 };
 
 

cluster/kube/lib/prodvider.libsonnet

@@ -11,6 +11,8 @@ local kube = import "../../../kube/kube.libsonnet";
             namespace: "prodvider",
             image: "registry.k0.hswaw.net/cluster/prodvider:1567256363-71a21c769369d013972d8dd0a71b83bee3e6848e",
 
+            apiEndpoint: error "API endpoint must be set",
+
             pki: {
                 intermediate: {
                     cert: importstr "../../certs/ca-kube-prodvider.cert",
@@ -60,6 +62,7 @@ local kube = import "../../../kube/kube.libsonnet";
                                     "-ca_key_path", "/opt/ca/intermediate-ca.key",
                                     "-ca_certificate_path", "/opt/ca/intermediate-ca.crt",
                                     "-kube_ca_certificate_path", "/opt/ca/ca.crt",
+                                    "-kubernetes_host", cfg.apiEndpoint,
                                 ],
                                 volumeMounts_: {
                                     ca: { mountPath: "/opt/ca" },