hack/cluster: download cfssl if not present

hack/local-up-cluster.sh uses cfssl to generate certificates and
will exit it cfssl is not already installed.  But other cluster-up
mechanisms (GCE) that generate certs just download cfssl if not
present.  Make local-up-cluster.sh do that too.

cluster/gce/upgrade.sh

@@ -28,6 +28,7 @@ if [[ "${KUBERNETES_PROVIDER:-gce}" != "gce" ]]; then
 fi
 
 KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
+source "${KUBE_ROOT}/hack/lib/util.sh"
 source "${KUBE_ROOT}/cluster/kube-util.sh"
 
 function usage() {
@@ -130,7 +131,7 @@ function backfile-kubeletauth-certs() {
   echo "${CA_KEY_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.key"
   echo "${CA_CERT_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.crt"
   (cd "${KUBE_TEMP}/pki"
-    download-cfssl "${KUBE_TEMP}/cfssl"
+    kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
     cat <<EOF > ca-config.json
 {
   "signing": {
@@ -149,13 +150,13 @@ EOF
     # subpaths required for the apiserver to hit proxy
     # endpoints on the kubelet's handler.
     cat <<EOF \
-      | "${KUBE_TEMP}/cfssl/cfssl" gencert \
+      | "${CFSSL_BIN}" gencert \
         -ca=ca.crt \
         -ca-key=ca.key \
         -config=ca-config.json \
         -profile=client \
         - \
-      | "${KUBE_TEMP}/cfssl/cfssljson" -bare kube-apiserver
+      | "${CFSSLJSON_BIN}" -bare kube-apiserver
 {
   "CN": "kube-apiserver"
 }