Allow pods to directly speak to the public internet on their own public IPv6 addresses.

2025-12-29 18:35:20 -05:00 · 2025-12-29 18:35:20 -05:00 · 6551fee05b
commit 6551fee05b
parent f62e36b5af
5 changed files with 15 additions and 12 deletions
--- a/nix/kubernetes/README.org
+++ b/nix/kubernetes/README.org
@ -23,8 +23,8 @@
       --set k8sServiceHost="2620:11f:7001:7:ffff:ffff:ad7:1dd" \
       --set k8sServicePort=6443 \
       --set ipv6.enabled=true \
-       --set ipv4.enabled=true
-       # --set enableIPv6Masquerade=false
+       --set ipv4.enabled=true \
+       --set enableIPv6Masquerade=false
       # --set enableIPv4BIGTCP=true \
       # --set enableIPv6BIGTCP=true
       # --set routingMode=native \
--- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/cilium.yaml
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/cilium.yaml
@ -36,8 +36,8 @@ metadata:
  name: cilium-ca
  namespace: kube-system
 data:
-  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQVBMcVRXajlHdHFqRXNMRTgxemtUUkl3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTVRJeU9USXlNVGt6TkZvWERUSTRNVEl5T0RJeQpNVGt6TkZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUE0UVIvSy9WOUEvNnNPdzU3N3ZodTVTcEw4anJHMFFWR1VPeXVqM2V5LytVRno5MWYKZlBiVDhzK3FCY1BreFZ4YVV4d05McVJGcFkrLzhKUm5NWi9Hb21jdEpiY2VQLzBuRnhMekRUdFhqWHFWTmMrSgpZSUx2cWFEYVhyOStBZFhmdUNuVFRtenlWVTBCekRGSFU3VTYyMldOL05FbEhZK3YvaTY2L3RWWFh5VWNpcXNzCit5Rjh0Vkd5cVNFTG5Wd0lDKzVvL1BhV29ybzEwZ0xCLzNBSGdNRlBDTG14QnF0Z3RKTzVaSWF5Mzc5VHJhamgKMytpQ2s0UGNIT2RhbFVDMGFiMHlUYjlvS0xjTHZoVFBMUjFpdGphVmRhaU9VYUtONDUyWUQ4UnJ1NFlyZ05rUwphMmtlcnNlbjZKNTRDZHFQL3VHcXJwaDV5TTFtSFNoa1dLaEdsd0lEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGREIvYzlIRnFSY0prREpHeVV3aWlQZ0k2TDhmTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQlZSc3NtVlFIWkphVi9uNk8ydFJNQ2ZOckcwR01xRkpRNFlBRjg4ZW0wT0hNWWszRjNocGZmCkhUZHVrbTJ4OS9DZlNHNkdra3pCbFVhK1cxOVJNUFhJcXdybmwrOHEzVk4ySDA3THZFajVzZHhOK1hnSVR4dG4Kb3B0MndidXpJZWNjR2FnNEd1aHJOcHBXVndHODZURTVMelU0MXE0dlNUS01CUWtIVG5aVnhaTVV3RkxIUzNEVQpPalA0b3prYjc0OEZZNkJvbjR2dGJVYjk2U0I2V2FBRnhGZW8vanRSN0RUSjVxNjZzOFp1c05tMHBKZURzVFQ2Ck9xdzUvWDhJeVRPN2tZUmV4RTIvUEZwRWZOUXVyRTBlNGlvTG9rSC9acmtNZmtncTdISU84RDRUUFJVL0s0YXIKMTdwZmhBWDVieVlScy9FZTRrV0dQclByb3EzcGpFZ1kKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
-  ca.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBNFFSL0svVjlBLzZzT3c1Nzd2aHU1U3BMOGpyRzBRVkdVT3l1ajNleS8rVUZ6OTFmCmZQYlQ4cytxQmNQa3hWeGFVeHdOTHFSRnBZKy84SlJuTVovR29tY3RKYmNlUC8wbkZ4THpEVHRYalhxVk5jK0oKWUlMdnFhRGFYcjkrQWRYZnVDblRUbXp5VlUwQnpERkhVN1U2MjJXTi9ORWxIWSt2L2k2Ni90VlhYeVVjaXFzcworeUY4dFZHeXFTRUxuVndJQys1by9QYVdvcm8xMGdMQi8zQUhnTUZQQ0xteEJxdGd0Sk81WklheTM3OVRyYWpoCjMraUNrNFBjSE9kYWxVQzBhYjB5VGI5b0tMY0x2aFRQTFIxaXRqYVZkYWlPVWFLTjQ1MllEOFJydTRZcmdOa1MKYTJrZXJzZW42SjU0Q2RxUC91R3FycGg1eU0xbUhTaGtXS2hHbHdJREFRQUJBb0lCQUE5Zi9VaUZwNXNrUmFScgpZdkI3TFNpZmNUMEY0eHZaSG1yZElUaFFWM3pBcTFyK3AwMmtsK3JaWWFhdk1leUNXUEdnMHczQ3o3ZDJVUWtoCk9zUGJSUGxIejMvcU9UanFGVWV3VmNjcnJOblA3RzRXMWk0d0JDdzAvM2JGNHRoQlF0NFVqWW1vVEE2a0NtRm4KWkpaRnBkWGo1SVhIeko5dWQvb0lPMks2TlJRZEZpL01YaDdxdDhpaWtSUWllcVZQTEZlZExYSlBVSHk3ZEw5eApMaHpzSTNWak9Ed1VYZGJtSXlMYXhpUkpwY3NWb3RqcitGWEdEaVFvdnFJYnk0SWlId2ZZeFMzR3RkUUI1M2J3Cm5FOW9Ga1o1WHFCRys0dmxtQ0N2cVQvaFZkN3ZRU3U4S3p4dVd1MFh3WWJUelppZTBMd0hESndxTDRNdDVUbEEKVDlXQ2I5RUNnWUVBL3pCR3Y2cEFCUUZuL1l5VDRIRzNxcXNXKzhDUjFHZEhDUHI1YVZxYXpXSldOc3VwNjExKwpsUnZqT2RyVThtUkRFS2pGRzJMS2J4QmNlRkFIb2hkZGtoNnkyK1NsMFM0VnBKc3dPMGtXMkhtOWtzeFFYNGVRCmM4Ui8xVWFpVmNENC9KYnl5d012NjlQU3lSM3p6MEl2QTJZa2p5aGh0U0tVell5NlEramlZbE1DZ1lFQTRidXAKUXlxazhZSW9DWkQ0dHdRMHlzRHBibWlaTVpmem11VWFvdlQzOXEvdUpXMWtSWWdFeG9KSTJpVnUzRGx1YmxJaQplWEMvTG52SklZenZhQjM2MlhaaXFVWUJRamJtdUp3eks0QVNrRU9VOWNMNmI4dnpBRVB4Mi9kS3NJdnNhM1NnCnRPaE4wT1ozTGNQWVFXVXo0Q0R0RjY2SGdpUkJDS201cENtclNpMENnWUJES1JGMW4vajVXRVZtRlhsVnVKZjkKOHNrNXVKU29zZ1dmOTIxc3JNdlJBZkJ1dTJzYzVwNUozKzBOYk9wZVlNVEZ2YVVpYi8yVy9WZFkwcmN2a2JhdQpuaVcwZVppcVZOYWRXN3AxMythRFVvYngrNU9ya0tJVDFjTk8vaWY3S2E1ZHk5eGFVWnhyRkhTRk9ielE3em93ClN0R1VXNnhiWDU2SitsK0xQOTlVd1FLQmdCYVdqc04zMnZXSHpyWFdXZTBHY0xueFArcWFjT256aUo3eFdnOEEKY0dleEJ5V2Jvck1LZjEvVjNiQm1tb2RTLytmdU5DRHUxVkt6ZEZiMUlXZkx5RFJHa216WjRucGJ3QTZ0SXJteApvU25xZVZkMllWVWFsWUJyVENKMHhuYVFLZUkrMDI0RzZQS0VmVnlKQW5UWXlhNGQzVnZIVFN3S3NLOUxQSlplCnpSTXBBb0dBYk84NnRRMjNIWnB1Q1Z1eWprTkdoSklrTSsyZ0xoZURFVnBxVmsxU1kvL1RLYzNQSDJQY1lHNjcKM3pmTTJkTE01d2ZNenBVOVNsamNnQXZ3TjZBalJvdm1kOGJDZzl2RzEwZmRjSXFiRko1WU4xellRM0JPTDZudgpuNjBXVWQ5V2FXeDdDSGxSWjN6N1NBOFZuMlJ6NHFkdGRXdnlDblZtTnN0VmM1WnIwWk09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQU53OW1DamlKdysveDFOQTJ6Sm5zc0F3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTVRJeU9USXlOVEF3TVZvWERUSTRNVEl5T0RJeQpOVEF3TVZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUF6SGM0aThFL2JUMmlrOVB6Z0ZQeWVoTHIvUVZEbXl4SU41ZVBIUVFDSjVudXRZOHAKRTFjSGdlVzI4SGJhclZ3U3ZSQXFObUdsV2FmZDVtckgyN1E2YThpVm1DcDZYeGVsNFMrYVlRWHkrZFgyVXdOeApLZTlRNVA4WXhUMWNGWkV0QW5tclBzS0dyTm9YdDdQNC8wdHBSVTVvWktnMEJQK3RnamxiUHd3TUtueFROWjMvClBrZzI0M0Z2bEVDWHV2VXNENy9wcFhkUzRsNEVzWGpkbW1IaXpGelQ2S3A1VWJicUtsaWh5aHhkSzhlZXB4emMKM3dyUEE1ZVZXNjdCUlc4dTU1ZWFSMnVpOGRDZkgwZ2dYbXVHL0hiSTJMREtOQ09RanRFRk5XVWhUM08zb0ZuVAovWS9ON2lJc1VobE9IcnZJNUNKYWhKV2NuMVRHd1FuWWthcStxd0lEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGRFc0WXJXYkN4c0ZlQU9nT1Vsb1A1bUllVVgrTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ0VOdnBiblI4TUtaMWpBVWRlMU55elJueUhjemR2T0Jla1F1YVFkS01hOWhFMk12Y0hTQ05qClBwNUNOenNXWk5FMW5RekF6RFNDcEV5Z0lpRm5mNitYaTBBZlZncXdpcDQ2SytkbUd1d1B5dnBRNWorU1YxNHoKSmlFOElJYTdYMzQrWnlrM2ZZUjd0elpobllqQ21UcXJYbnZSbzBGZHNuU0ZvRUU4T3RRMjU5dllJeXNuRXVPVwpOTEwvSTVQeGpNQlQ1WWNkaXdtbGR2RGxwZzk5YkRUQ0w0UFJ1MldKV2VFUmhzdGIzbWdRSk9Mb0RSM1VWWmowCjBFOGxQTjJiTjZMbVZjYjB1QlVyVjJQOHR6ZmxhVnF4SzQ5SlZFQmpFVHFaSzY3TTVYY3R4WG55SHdPVEpRckIKRGhVbWpkSGNZWCtYL0t5MDNOa1dhc2ZJeWdnV3IvR3gKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  ca.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBekhjNGk4RS9iVDJpazlQemdGUHllaExyL1FWRG15eElONWVQSFFRQ0o1bnV0WThwCkUxY0hnZVcyOEhiYXJWd1N2UkFxTm1HbFdhZmQ1bXJIMjdRNmE4aVZtQ3A2WHhlbDRTK2FZUVh5K2RYMlV3TngKS2U5UTVQOFl4VDFjRlpFdEFubXJQc0tHck5vWHQ3UDQvMHRwUlU1b1pLZzBCUCt0Z2psYlB3d01LbnhUTlozLwpQa2cyNDNGdmxFQ1h1dlVzRDcvcHBYZFM0bDRFc1hqZG1tSGl6RnpUNktwNVViYnFLbGloeWh4ZEs4ZWVweHpjCjN3clBBNWVWVzY3QlJXOHU1NWVhUjJ1aThkQ2ZIMGdnWG11Ry9IYkkyTERLTkNPUWp0RUZOV1VoVDNPM29GblQKL1kvTjdpSXNVaGxPSHJ2STVDSmFoSldjbjFUR3dRbllrYXErcXdJREFRQUJBb0lCQUEySWtYNEVWWVRZUU5VQwpwYnhzQ09ZL1U4NlVrSG00TGFFODcxSTZmQjhyTXNBWmNMZ2xhNHRjMGM4dlhzVTBNZlF1aUNndENZMSs3V1Q0CjB2amVBRmRiYyt5SHhxMStFVndCN3NIV3ROTXMzZTdrL3JkQWt1WUZZL1dmN3RDT0VDREI5UzJiUmJ1ZmZIbUwKblF3REpJYkpiRDRReTRaZ215bVpUeVlmVDVkb3hTSEJVMU9GMkFPTlg1VkYya1oySDI5dVNsMlgydm9jMlZidQowUlMvZFp6VExkcTRocUFPQ1VsbER6Nzk1U29aVU4zdmsranBSOGdxN1J2WTV4MzFDdmZQTENKNFNGQ25WSWtEClZvcnNCRW51V3ZaN0tBc051Tms3ZGMvYys0STk3d3cxNEt2NWVXV3p2ak05c1RFZWF1M3liRlluTmFTMUwzbjUKR3ZzeERERUNnWUVBMGJWNEJwS0xhM2g1c3BpbHZ0UlpSMVV3WndpZG13REMxZVB6dEZHSmx0SUg1b1I0T1BaVApzWjR2ak9WU21MUndFQ1VGdkNIaWZpV0ljTjd0NG5oQ1VCNmpJQXh5aS8wU1BSU1pkN2dtMXdYNGZyWVRVTkJtCk1DZ1krZlNLbjN2R3o2ODNlbUlFbDYyOFl5amt0aWYzQXdjeHVwdk9lSjVqQVBaekNoTG8ycE1DZ1lFQStabDIKMVp1Ym10RUI5T3pJZmlhRUV3R1k5TXdkKzNKL3daUU9LUWd6SGZBRU1DQnpGcnZZMWNvWkFpeWt3NWtoSTEwWQpZRlpFQlVhdFF3L3JpRFYvR1pDRkJyRHBYTFVjeFdMcTZoTGRtYmVZZHdXVXUvakdsSTUrYnhpNkVhUnlDcys4ClpUZVFNSDNLWVFJZ2RmQ3J3N0VTSEp1OU5ualFpMmhOZkt5STRva0NnWUVBaExrN2U3MW42OTdWOXdqUmJkTnIKcGMvdTBHY05pTHFVbFZhdU9TT1oxeENhMjNSZnVuMThQdUFFN0VGL1l4SmdFbmU4QjNQU3ExQUo2SlhQTFJRNwp0QVdQN0lxMFBKRXc1K09QdGN1aEdWbTRDa29tTTNHU0cweGxjbDBwRndMNXN4d01HckxLZ1V6OS9DdzNoR29LCjFhbkorWGIrMkN3Mk1MZkoyMGhZZzIwQ2dZRUE3VWhlZDMyQjlURGpPbE5yMnJtRTc0aWlQMzVZdG5WSVRPQVMKZ2lHQWJ1S0JLTHVBamNrd3Z6VnNodXVvQ3libElQaGN0eURyYzFTWVhGdWpIdzgwY0RvNnJIeThyTnlrcUdWOApTK0I1ZUt2WUxyWklpbFpiZWxqb2kzY25WS1JQb2tXUXBXeW9EK0ZWNXRrZHdPRjJlUWc1M3FhVHYxZ2xjWkpMCnI4MWFLSGtDZ1lBSXVxaDZzOU9RRGpjckVMeklJZENiZUxxLzhEdWUzcEZjbmFIWjgxemcwY0oxNnM1MU53aHQKaUQxWC9oRS9sdkp1VTFjTEFpNlJLZEk3UXIwL0x2SkFDSTlCakp6VVVYS1hQZ3JJZU44UUxCOWNhK2lka2FheApIWmNzdnBSN1g1b2cvTVpldWVTUk1OaU9wdVJSZ0xlYlh5R29lMkhmbE05STUvazJERUU5bmc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
 ---
 # Source: cilium/templates/hubble/tls-helm/server-secret.yaml
 apiVersion: v1
@ -47,9 +47,9 @@ metadata:
  namespace: kube-system
 type: kubernetes.io/tls
 data:
-  ca.crt:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQVBMcVRXajlHdHFqRXNMRTgxemtUUkl3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTVRJeU9USXlNVGt6TkZvWERUSTRNVEl5T0RJeQpNVGt6TkZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUE0UVIvSy9WOUEvNnNPdzU3N3ZodTVTcEw4anJHMFFWR1VPeXVqM2V5LytVRno5MWYKZlBiVDhzK3FCY1BreFZ4YVV4d05McVJGcFkrLzhKUm5NWi9Hb21jdEpiY2VQLzBuRnhMekRUdFhqWHFWTmMrSgpZSUx2cWFEYVhyOStBZFhmdUNuVFRtenlWVTBCekRGSFU3VTYyMldOL05FbEhZK3YvaTY2L3RWWFh5VWNpcXNzCit5Rjh0Vkd5cVNFTG5Wd0lDKzVvL1BhV29ybzEwZ0xCLzNBSGdNRlBDTG14QnF0Z3RKTzVaSWF5Mzc5VHJhamgKMytpQ2s0UGNIT2RhbFVDMGFiMHlUYjlvS0xjTHZoVFBMUjFpdGphVmRhaU9VYUtONDUyWUQ4UnJ1NFlyZ05rUwphMmtlcnNlbjZKNTRDZHFQL3VHcXJwaDV5TTFtSFNoa1dLaEdsd0lEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGREIvYzlIRnFSY0prREpHeVV3aWlQZ0k2TDhmTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQlZSc3NtVlFIWkphVi9uNk8ydFJNQ2ZOckcwR01xRkpRNFlBRjg4ZW0wT0hNWWszRjNocGZmCkhUZHVrbTJ4OS9DZlNHNkdra3pCbFVhK1cxOVJNUFhJcXdybmwrOHEzVk4ySDA3THZFajVzZHhOK1hnSVR4dG4Kb3B0MndidXpJZWNjR2FnNEd1aHJOcHBXVndHODZURTVMelU0MXE0dlNUS01CUWtIVG5aVnhaTVV3RkxIUzNEVQpPalA0b3prYjc0OEZZNkJvbjR2dGJVYjk2U0I2V2FBRnhGZW8vanRSN0RUSjVxNjZzOFp1c05tMHBKZURzVFQ2Ck9xdzUvWDhJeVRPN2tZUmV4RTIvUEZwRWZOUXVyRTBlNGlvTG9rSC9acmtNZmtncTdISU84RDRUUFJVL0s0YXIKMTdwZmhBWDVieVlScy9FZTRrV0dQclByb3EzcGpFZ1kKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
-  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURWekNDQWorZ0F3SUJBZ0lSQVB0VkxoVHZtMkFJbEFVYTRwaFB6Ykl3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTVRJeU9USXlNVGt6TkZvWERUSTJNVEl5T1RJeQpNVGt6TkZvd0tqRW9NQ1lHQTFVRUF3d2ZLaTVrWldaaGRXeDBMbWgxWW1Kc1pTMW5jbkJqTG1OcGJHbDFiUzVwCmJ6Q0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwyaWI2V0E4bUNZcitjWlZKTEIKbXBZd0VwQlo0bEpZYU1tbHZTMnlPQ09HbEE3bEh6c1QyZkVLT2dFVFZoNnZkSkJwVkVRdk5pb0VGejZ3YUd1OApuL1dmVVV4STZldUhkZmNjdXNwK1pLRld6dGJ5R0JnK01DUG42OEE5eFN1WWorMXpEWTA3WGVEem0xYU1jTGZGClFleER1OFQ5UnJ4UUJoTDBkWEVraWpFdFJYN1BSUTB1ODYrbnROVmVrRk4wa3lSTzZQMVhLcmpKWjFLeFJYZFMKOGRQaU1peFg5OXZZREwrbDR1a2hqQXJFUFYwK0d5OXo1cklobzMzYktRMFJBV1NtQi9SNU5aUllHNTR2U2VZZwplQzJsM2JQZmFMVGhuSU5NajIrb1JnRzErK21FMWxDMkZJTU4xaTFWUmN6cVdYZGlOZUxGMVdNNnBlaWkrSkZVCnVhOENBd0VBQWFPQmpUQ0JpakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdIUVlEVlIwbEJCWXdGQVlJS3dZQkJRVUgKQXdFR0NDc0dBUVVGQndNQ01Bd0dBMVVkRXdFQi93UUNNQUF3SHdZRFZSMGpCQmd3Rm9BVU1IOXowY1dwRndtUQpNa2JKVENLSStBam92eDh3S2dZRFZSMFJCQ013SVlJZktpNWtaV1poZFd4MExtaDFZbUpzWlMxbmNuQmpMbU5wCmJHbDFiUzVwYnpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQVpHNk9zMng2ZmdKQ01qSUNEUS9UaDFQSWhVakwKQ3FJQzlzWVZRRHM0dWpRMXJkK0pMMHBLQWVVa04ySmMxWktwanVSb2YwSGE2cmpzZVArTVZLMithemx6Qm9xTApDWVh1ZHJRb0h4U1RjVU9na01oWmtqM2dnUkthODBraEh1UjJOY21KbnZOTnVGdU4vVFBTd0JBUXpVczFLQkFpClJ0eUlOWjdERU9OVWd5Y0dwRGg5NkFKK2JUWlBGT1U1d28xS1hKajRCaVV0c1dxaFd3T3ozTWhkd1NsVC9yVTIKR1hmbXdibDY1THpneEZGaWt0TUpoUTdRdkRzdDVyM3prSXVVZWRPZ0U0RnRUMTRoZVgvMnlveitSWkxqaWFJQgowMWJFVEtGc1B6bFVQMnVLUzFaUnFqWlN0SjFZMXEycDYzRHJkM0hMNllWMytwa3lONG8waWhYM1NBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
-  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdmFKdnBZRHlZSml2NXhsVWtzR2FsakFTa0ZuaVVsaG95YVc5TGJJNEk0YVVEdVVmCk94UFo4UW82QVJOV0hxOTBrR2xVUkM4MktnUVhQckJvYTd5ZjlaOVJURWpwNjRkMTl4eTZ5bjVrb1ZiTzF2SVkKR0Q0d0krZnJ3RDNGSzVpUDdYTU5qVHRkNFBPYlZveHd0OFZCN0VPN3hQMUd2RkFHRXZSMWNTU0tNUzFGZnM5RgpEUzd6cjZlMDFWNlFVM1NUSkU3by9WY3F1TWxuVXJGRmQxTHgwK0l5TEZmMzI5Z012NlhpNlNHTUNzUTlYVDRiCkwzUG1zaUdqZmRzcERSRUJaS1lIOUhrMWxGZ2JuaTlKNWlCNExhWGRzOTlvdE9HY2cweVBiNmhHQWJYNzZZVFcKVUxZVWd3M1dMVlZGek9wWmQySTE0c1hWWXpxbDZLTDRrVlM1cndJREFRQUJBb0lCQUFVaVZiVjhaVDR2bVd1VQpxRkV2aEFPVzc1bTY1VUZuZXJGNFFabEZkRXhQUTNPWHlSMnNydW96WmEzMmNRN0puMHFkbjJ0dEtuYVVGUnV4CnVQeXZFYXhHWmtsb3hwOHdLVnNmQ3dEdno4SlNld0oweHRRNU1zMGd1cVdYY1RRa29FT1oxQ25EdHJTZ0dTVGgKdVN6Yk5BQUtqQlhobEQyd1NQUjdGb2JtcWdYUGNQQWtjK1JWR014bXpGUTBMOXg5bGZsZE1pSzNBR096UUJtMQpsNC9WSnBYUTEzaEkyU1dybGx0NEtYTUpTWnRnWllDdXgrS0FHUE1PK3BqbnFCZExUMllnbFRIc1VMN2pIU3FBCk91d3VFVCt3b3N6RVZiZFRwQkw3VVB0Z25FNFdibW1hOTR5M05xcGlVcXg3WXlkVWRQbHgrbGNkd0U5RmNRZG4KMVM5QzNWRUNnWUVBd2ZjamhQQkhHcGJldC85Q2liUVY2NHl2NmF3eENIVlNWWHVzekNwVlhRNy9zaEJmckZVZgpGUzQvenZhUkYyMVE3Sy9OT3ZTUWpJVUFSYnYySi9NY0VBamMwVThaWUplVFJyN1BjbkwrZ0FqT1ZGby9meHFqCkpWS0NQUHdiVkpSYUl2UTJERm8rdlQrdkwvRUg0VjdITDltRUZpMHFCS3VhcWUwaktDK1RSM2tDZ1lFQStraTEKYVljeGRiWmxoWkNpOTBkOHNhYW1WT004ZTJ4Wkl1czJmK3luUGQ2WjR2aDZ0YVFsVVNoSno1UVpZVlIrR3Y1OApNUzJxUDdQWmhEK3JiL2FaT2F6NFRGdjFac2JVSGhQdVlIVEU4WDUweDFVSlQ2Z3dCeVBNQXJWL08vZVJpeU5mCjF2SVRaWFhxMVNlUXVpeE9UbXdNemlFNlhYdVhxMEdLKzQ1VXVHY0NnWUJ2UUtlWTJwQ09DYmNaWmtudDNlTXMKeGZjb1dtR05ibTJaSm1USWZnZVVac1AyaURtNENPTFpMVHZnSThDNDVUU2piWHFUdEM4c3lpU0wydkdubkdPZQpOdGNoSHZONVdiZFp2cHdTRXk4eWxOcHp1NGZzQ1lWR0pQc2FxNmVwYmFYOW9vRlZ1SFYvNndVNnhFODJ6endFCmtBaVpCN0t3RnhXUkhia3FsWTh1VVFLQmdHNzlwVzJaNVlZbEQ5cHViTWFxTGhMK0swOER3b09kWmQ0Rlh4TFYKMk1pb0dhZzh0dllzUjl3NHVKclVPM2tkSmh0RWRjQzlWbjJQZlV1WGpLaEhQR1lHWGNwSEVZbTFiTVcxNHdWbApZeDBSRGlxRGZIQ1Z6azZzUWtHRlNWcEhqSVNlZUZieTNVVW1TTENrTGh0Um9KeEljRmxOQlB3RjNobTFKRFF3ClIwUExBb0dCQUpaclVxUDR4QkNSUEE2Tm41aFN6VklZcTJac1kxMnB0Y0F2WG8zTjY3MnVEZjh4QmRMTndac2YKMW1jOGVERmxqelZ0a2o2aWd2UzFFTkJMdTJkcnBRSmJOdDdHNS9tUGJHMnVBL21yOENuSFBFaGwreHVObVFrMQpoeEhoblZxekV2VkZPOHh3Tmh1TUx0YU1OSTYrQWNyS1c5WFE2UFVWbm1oUHZjamRzN3lYCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
+  ca.crt:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQU53OW1DamlKdysveDFOQTJ6Sm5zc0F3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTVRJeU9USXlOVEF3TVZvWERUSTRNVEl5T0RJeQpOVEF3TVZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUF6SGM0aThFL2JUMmlrOVB6Z0ZQeWVoTHIvUVZEbXl4SU41ZVBIUVFDSjVudXRZOHAKRTFjSGdlVzI4SGJhclZ3U3ZSQXFObUdsV2FmZDVtckgyN1E2YThpVm1DcDZYeGVsNFMrYVlRWHkrZFgyVXdOeApLZTlRNVA4WXhUMWNGWkV0QW5tclBzS0dyTm9YdDdQNC8wdHBSVTVvWktnMEJQK3RnamxiUHd3TUtueFROWjMvClBrZzI0M0Z2bEVDWHV2VXNENy9wcFhkUzRsNEVzWGpkbW1IaXpGelQ2S3A1VWJicUtsaWh5aHhkSzhlZXB4emMKM3dyUEE1ZVZXNjdCUlc4dTU1ZWFSMnVpOGRDZkgwZ2dYbXVHL0hiSTJMREtOQ09RanRFRk5XVWhUM08zb0ZuVAovWS9ON2lJc1VobE9IcnZJNUNKYWhKV2NuMVRHd1FuWWthcStxd0lEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGRFc0WXJXYkN4c0ZlQU9nT1Vsb1A1bUllVVgrTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ0VOdnBiblI4TUtaMWpBVWRlMU55elJueUhjemR2T0Jla1F1YVFkS01hOWhFMk12Y0hTQ05qClBwNUNOenNXWk5FMW5RekF6RFNDcEV5Z0lpRm5mNitYaTBBZlZncXdpcDQ2SytkbUd1d1B5dnBRNWorU1YxNHoKSmlFOElJYTdYMzQrWnlrM2ZZUjd0elpobllqQ21UcXJYbnZSbzBGZHNuU0ZvRUU4T3RRMjU5dllJeXNuRXVPVwpOTEwvSTVQeGpNQlQ1WWNkaXdtbGR2RGxwZzk5YkRUQ0w0UFJ1MldKV2VFUmhzdGIzbWdRSk9Mb0RSM1VWWmowCjBFOGxQTjJiTjZMbVZjYjB1QlVyVjJQOHR6ZmxhVnF4SzQ5SlZFQmpFVHFaSzY3TTVYY3R4WG55SHdPVEpRckIKRGhVbWpkSGNZWCtYL0t5MDNOa1dhc2ZJeWdnV3IvR3gKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURWekNDQWorZ0F3SUJBZ0lSQVBsUTMyUWVldjRpclVZaXJMRmVSU0l3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTVRJeU9USXlOVEF3TVZvWERUSTJNVEl5T1RJeQpOVEF3TVZvd0tqRW9NQ1lHQTFVRUF3d2ZLaTVrWldaaGRXeDBMbWgxWW1Kc1pTMW5jbkJqTG1OcGJHbDFiUzVwCmJ6Q0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU5IMWI3VXQ0eDdaSitUUUxBWjAKdXg0VlY4V2Z5RXRGY0hUbHdxeGZGcmMzZHBrNTQzWnpwN0NSbUg3Mkw2NlQ3VW1iRElydHZsdHcxdmh5MSs2eQpaY0FqNlZIcUVDdHhEVzd0MlNjTlRzdzFkME1aV3hiVm5QeVdiWm13aW0xV1Z4ODJ4THJMUWkrY3Y4RFhaUGpBCkZldm9rV21lNURMeTBJVmIwc0thbng0cGtQdTJsZlN0U0lveVpqOXBCYWFST2NwYXlVemNCZFU2RHBGdDlMRDIKdTIyTnVzbm00ZUh2bm9wRm5FMVI2UnprbVRGNHh4R2IyeTVweHdMTTV6RzhkZERJL3hhd3hNcHdENVVFYlRXWQorUjhaVGh5a242RHpmaitwcGI5dWZocmNOalZXRzNhY0o1elg4cElKU25ya1VTQmpLdm1ieVh3WEt4T0c4eGYzClltMENBd0VBQWFPQmpUQ0JpakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdIUVlEVlIwbEJCWXdGQVlJS3dZQkJRVUgKQXdFR0NDc0dBUVVGQndNQ01Bd0dBMVVkRXdFQi93UUNNQUF3SHdZRFZSMGpCQmd3Rm9BVU5iaGl0WnNMR3dWNApBNkE1U1dnL21ZaDVSZjR3S2dZRFZSMFJCQ013SVlJZktpNWtaV1poZFd4MExtaDFZbUpzWlMxbmNuQmpMbU5wCmJHbDFiUzVwYnpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQVRrb24wcTVDdzJPT2JCcy9Nb0g2a041WXJidTAKeTR1c1hVc0x4V3oyNDFadisvY3JZQ0x4d092bGZNTGNnU0crL0xtTkIrMGpGc0RnMnRhQk9zejNHbzRtUzRrQwprV1QxUENSQ2o5MFdZU2hzRHNMdUV5MlI1bndTYmZCL3NHc3MxZnNwcDNhTldXSUNjRjJlZmh1TXRsREdMcEtRClFKQytlbHNYSFNoNkpWMWROTXhFYkhQVk9kQzBobUswNHRJMjJ0Tytsc0Iwd090S3VCbUJUb2VtR1ZScUtRbmEKem81NUtLc2cyQ1FwODhSTUJ4OUk2aXJjMThqSmFJeFhaRTE5RGMzWkRiNk42ZzVGc2hNeHhUK3F5cEt3VUVWego1SGRQNks5NjhyS3RjZnZXSXpieDVsYnIvY3hrZWZ0ZTE5SThXbmlxTzl4SlkxN0duVXV1aU5DREx3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBMGZWdnRTM2pIdGtuNU5Bc0JuUzdIaFZYeFovSVMwVndkT1hDckY4V3R6ZDJtVG5qCmRuT25zSkdZZnZZdnJwUHRTWnNNaXUyK1czRFcrSExYN3JKbHdDUHBVZW9RSzNFTmJ1M1pKdzFPekRWM1F4bGIKRnRXYy9KWnRtYkNLYlZaWEh6YkV1c3RDTDV5L3dOZGsrTUFWNitpUmFaN2tNdkxRaFZ2U3dwcWZIaW1RKzdhVgo5SzFJaWpKbVAya0ZwcEU1eWxySlROd0YxVG9Pa1czMHNQYTdiWTI2eWViaDRlK2Vpa1djVFZIcEhPU1pNWGpICkVadmJMbW5IQXN6bk1ieDEwTWovRnJERXluQVBsUVJ0TlpqNUh4bE9IS1Nmb1BOK1A2bWx2MjUrR3R3Mk5WWWIKZHB3bm5OZnlrZ2xLZXVSUklHTXErWnZKZkJjckU0YnpGL2RpYlFJREFRQUJBb0lCQUROMzhKbmY5VkN2R0IzNQp3QWtYSFhXYThzakJ5Z1pWcitNZ0hiQkdvUmxwMGJ0dkd1a0RJZ1RoTkJwUGZGSFY5bkc0UGdOaWsycjBCdWFoCnRIaFJxQ3JKUXQxdlBPYUJVTE0wUUNyWUVzeHhnTnBrZ1ZWZ0tSc3NQeExSV2FYQzZCbUJRZ211WVB1dDk3MnMKcjVaZzlCN0FCTUY1RDJURDdFVDh4UFlxbEQzK3JjTUpIelZmWkhyWXhkSzZsaldHelBkYkhrQ251VUdpS0lHWgp6VTI4cVNJLzBzeld6SEU0K2NrZFplc2dTUXovMVV2WUJ3Qk1DM0k3V3dvSVlZbXV1RVhreHdiTy9iMjltSVJHClhyaWY1M1FBNDA4a0YvODFic3piUmFuT01YRUhrN2NnSlFKUzVwaXV2UVV1KzA4bzJWZEhuZUJoQ1VqK1JWWDcKZElxWEhuRUNnWUVBOGpJaGdjMGtxTlA2Z3dldjJxSkszbGd3UzhqR3pWQVlJZDIzQkNuQWtQRGp5czROdVY2QQpZaEVGejNGWkpLV0J4a3pXeDVlNXZpeHJOR0RMUnNGVDgxR1ZTZUtnZGljR3NxYTZNL0Q2d2FRZXh6T2RTRFJNCk15cjBKeWs3dmRVTjdEVHovbTl4UjNzdkluM0dpMGhXaU1ELzFJUWpJOEhyLzkraVc1UkMwQ2tDZ1lFQTNlenYKZXhHM3BsUXhDbmNJbUlyaU5SS1NiRTljODluNGQ5VVJzcEs3cFVZVWQvSFExZmlTZ2ZpL2twZnBQb0dXREtOTAppOTA4WFN3MWNxTTZCTXVWTnlmT2xEKzRQaTZXb3phU1pHOTI4Ym8zNFBzbjhSeEZqSjJ3NTZyVC9iU2p5WUllClR3NUNpQzJmQUhGQmlUTkV0TEwzY09EMzlxcmF1NWR3MVZjMGVLVUNnWUFQd1JFSzUzUTJBeXZ0Y0FlUldqTXkKaVZ3QzRmbUVpMncyYjd5aTZiQmIvVDlrQnNrL3dKVHJUQjRyb3p6Z05GL2ZyVW5mUzlCS1BZdHZxY2d2UHc0ZAo2cldpUzdxU1ZQR0xsMnJQVENLVGpBQndocnY1WVdWL2dwREZKMXA2ZTZ4ZkxBYWZDMUs4Q3BoRFR4a21JRHQ0Cnc4MGdYc1FHWkd2Y2hnaUNtbjlLR1FLQmdGRUVMMFQ1YWRieHcxbHpyUktyR1B1UkJSMC9OOHJaMXdoQUk0N1MKWEdod2xnWlhwQXFKRFVzZmVTaFdCdE5IMFhSWnBMbXhrVmplUzhERzcrWlNQKzM3dlVHSHBZWWwwZDVSak0zWApsMCtWME5KMFBkZWFuNVUrK0JjSzJRczBoOXFIZ3ZNUFhLQ0VMeGlsUCt5TFo5aWp3UXRYUlk2cVB1SGUzbFV6CjJiYjFBb0dBWUhNazlYV29rOU5MRS81c1N1c2QyWFJqVjJVN1dGZnV5K21lKzJGVU1PdGliUUMrNHgwNnBLMlUKanRMc2VZU0thcURTQ1F5bG15SXlLVG5VNlZ0YnY1Z0FvRWhQZ2tYV2p2SWhPbDduamhHWXlyOFpLcWFvaTdOZwpNa29BQUg3KzBsL2VzeVkzSmZ3UlVyNUhoNGhmaDg1bHFFaDZjejlkTGhOa0U0VTV0TkU9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
 ---
 # Source: cilium/templates/cilium-configmap.yaml
 apiVersion: v1
@ -188,7 +188,7 @@ data:
  enable-ipv4-masquerade: "true"
  enable-ipv4-big-tcp: "false"
  enable-ipv6-big-tcp: "false"
-  enable-ipv6-masquerade: "true"
+  enable-ipv6-masquerade: "false"
  enable-tcx: "true"
  datapath-mode: "veth"
  enable-masquerade-to-route-source: "false"
--- a/nix/kubernetes/keys/package/k8s-ca/files/ca.conf
+++ b/nix/kubernetes/keys/package/k8s-ca/files/ca.conf
@ -280,6 +280,7 @@ IP.11  = 2620:11f:7001:7:ffff:ffff:0ad7:01e1
 IP.12  = 10.215.1.226
 IP.13  = 2620:11f:7001:7:ffff:ffff:0ad7:01e2
 IP.14  = fd00:3e42:e349::1
+IP.15  = 2620:11f:7001:7:ffff:eeee::1
 DNS.0 = kubernetes
 DNS.1 = kubernetes.default
 DNS.2 = kubernetes.default.svc
--- a/nix/kubernetes/roles/kube_controller_manager/default.nix
+++ b/nix/kubernetes/roles/kube_controller_manager/default.nix
@ -38,9 +38,11 @@ in
            "${pkgs.kubernetes}/bin/kube-controller-manager"
            "--bind-address=0.0.0.0"
            # "--cluster-cidr=10.200.0.0/16"
-            # "--cluster-cidr=2620:11f:7001:7:ffff:ffff:0ac8:0000/16"
+            # "--cluster-cidr=2620:11f:7001:7:ffff:ffff:0ac8:0000/96"
            "--allocate-node-cidrs=true"
-            "--cluster-cidr=10.200.0.0/16,fd49:0595:2bba::/48"
+            "--cluster-cidr=10.200.0.0/16,2620:11f:7001:7:ffff:eeee::/96"
+            "--node-cidr-mask-size-ipv4=20" # default is 24
+            "--node-cidr-mask-size-ipv6=112" # default is 64, must be smaller than cluster-cidr mask
            "--cluster-name=kubernetes"
            "--cluster-signing-cert-file=/.persist/keys/kube/ca.crt"
            "--cluster-signing-key-file=/.persist/keys/kube/ca.key"
--- a/nix/kubernetes/roles/kube_proxy/default.nix
+++ b/nix/kubernetes/roles/kube_proxy/default.nix
@ -33,7 +33,7 @@ in
        mode = "iptables";
        # clusterCIDR = "10.200.0.0/16";
        # clusterCIDR = "2620:11f:7001:7:ffff:ffff:0ac8:0000/16";
-        clusterCIDR = "10.200.0.0/16,fd49:0595:2bba::/48";
+        clusterCIDR = "10.200.0.0/16,2620:11f:7001:7:ffff:eeee::/96";
      };
      description = ''
        kubelet-config.yaml
@ -57,7 +57,7 @@ in
            "${pkgs.kubernetes}/bin/kube-proxy"
            "--config=${config_file}"
            "--nodeport-addresses=primary"
-            "--cluster-cidr=10.200.0.0/16,fd49:0595:2bba::/48"
+            "--cluster-cidr=10.200.0.0/16,2620:11f:7001:7:ffff:eeee::/96"
          ]
        );
        Restart = "on-failure";