Fix missing ca.crt/pem in secrets/serviceaccount.

Add helm.

k8s.nix

@@ -1,5 +1,7 @@
 with import ./certs.nix;
 let
+  pkgs = import <nixpkgs> {};
+
   etcdServers = [ "etcd0" "etcd1" "etcd2" ];
   # etcdServers = [ "k8s0-0" "k8s0-1" "k8s0-2" ];
   etcdEndpoints = builtins.map (x: "https://${x}:2379") etcdServers;
@@ -97,11 +99,12 @@ let
         kubeletClientCaFile   = ca_pem;
         kubeletClientKeyFile  = worker_key;
         kubeletClientCertFile = worker_cert;
-        # serviceAccountKeyFile = apiserver_key;
+        serviceAccountKeyFile = apiserver_key;
       };
       scheduler.leaderElect = true;
       controllerManager.leaderElect = true;
       controllerManager.serviceAccountKeyFile = apiserver_key;
+      controllerManager.rootCaFile = ca_pem;
       dns.enable = true;
       dns.port = 4053;
     };
@@ -109,6 +112,7 @@ let
       allowedTCPPorts = [ 5000 8080 4443 4053 ];
       allowedUDPPorts = [ 4053 ];
     };
+    environment.systemPackages = [ pkgs.kubernetes-helm ];
   };
 
   baseConfig = node: {