Problem: Kubernetes master use ssl, with puppet certs. The name it has is the fqdn, so tools-k8s-master-01.tools.eqiad.wmflabs.
- Kubernetes things should use service / DNS names to access this, so it ends up being kubernetes.default.svc rather than tools-k8s-master-01
- It requires that we put our CA cert inside all containers, which sucks.
- Lots of tools (like kube2sky) won't operate without TLS.