(CommandList
  children: [
    (Assignment
      keyword: Assign_None
      pairs: [
        (assign_pair
          lhs: (LhsName name:cert_dir)
          op: Equal
          rhs: 
            {
              (BracedVarSub
                token: <VSub_Name CERT_DIR>
                suffix_op: 
                  (StringUnary
                    op_id: VTest_ColonHyphen
                    arg_word: {(Lit_Slash /) (srv) (Lit_Slash /) (kubernetes)}
                  )
                spids: [45 52]
              )
            }
          spids: [44]
        )
      ]
      spids: [44]
    )
    (Assignment
      keyword: Assign_None
      pairs: [
        (assign_pair
          lhs: (LhsName name:cert_group)
          op: Equal
          rhs: 
            {
              (BracedVarSub
                token: <VSub_Name CERT_GROUP>
                suffix_op: (StringUnary op_id:VTest_ColonHyphen arg_word:{(kube-cert)})
                spids: [55 59]
              )
            }
          spids: [54]
        )
      ]
      spids: [54]
    )
    (C {(mkdir)} {(-p)} {(DQ ($ VSub_Name "$cert_dir"))})
    (C {(openssl)} {(req)} {(-new)} {(-newkey)} {(rsa) (Lit_Other ":") (4096)} {(-days)} {(365)} {(-nodes)} 
      {(-x509)} {(-subj)} {(DQ ("/CN=kubernetes.invalid/O=Kubernetes"))} {(-keyout)} 
      {(DQ (${ VSub_Name cert_dir) (/server.key))} {(-out)} {(DQ (${ VSub_Name cert_dir) (/server.cert))}
    )
    (C {(chgrp)} {($ VSub_Name "$cert_group")} {(DQ (${ VSub_Name cert_dir) (/server.key))} 
      {(DQ (${ VSub_Name cert_dir) (/server.cert))}
    )
    (C {(chmod)} {(660)} {(DQ (${ VSub_Name cert_dir) (/server.key))} 
      {(DQ (${ VSub_Name cert_dir) (/server.cert))}
    )
  ]
)