Update packages in kubernetes/keys.

nix/kubernetes/keys/flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1767892417,
-        "narHash": "sha256-dhhvQY67aboBk8b0/u0XB6vwHdgbROZT3fJAjyNh5Ww=",
+        "lastModified": 1772773019,
+        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
+        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
         "type": "github"
       },
       "original": {

nix/kubernetes/keys/flake.nix

@@ -14,13 +14,15 @@
       packages = forAllSystems (
         system:
         let
-          pkgs = nixpkgs.legacyPackages.${system};
-          appliedOverlay = self.overlays.default pkgs pkgs;
+          pkgs = import nixpkgs {
+            inherit system;
+            overlays = [ self.overlays.default ];
+          };
         in
         {
-          deploy_script = appliedOverlay.k8s.deploy_script;
-          default = appliedOverlay.k8s.all_keys;
-          bootstrap_script = appliedOverlay.k8s.bootstrap_script;
+          deploy_script = pkgs.k8s.deploy_script;
+          default = pkgs.k8s.all_keys;
+          bootstrap_script = pkgs.k8s.bootstrap_script;
         }
       );
       overlays.default = (
@@ -35,7 +37,6 @@
         system:
         let
           pkgs = nixpkgs.legacyPackages.${system};
-          appliedOverlay = self.overlays.default pkgs pkgs;
         in
         {
           default = pkgs.mkShell {

nix/kubernetes/keys/package/bootstrap-script/package.nix

@@ -48,28 +48,40 @@ let
   apply_manifests = "kubectl --kubeconfig=${k8s.client-configs.admin}/admin.kubeconfig apply --server-side --force-conflicts -f ${manifests}";
   gateway_crds = [
     (builtins.fetchurl {
-      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml";
-      sha256 = "0vf8c3kzlf7p6bf92gmdrzjc22fr2dwkrzvvbnxlsb43knv1nbzl";
+      url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_backendtlspolicies.yaml";
+      sha256 = "0wbrylglinba48ibqnrzs5vp4raa1azb0b83hjf2zmsk44bii24v";
     })
     (builtins.fetchurl {
-      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gateways.yaml";
-      sha256 = "1dqwlsypcb5f37y7x48rrv27yfgkizcx2alqd2nngijl1qzir3wa";
+      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml";
+      sha256 = "1x5yws3q7grd5xlnz071v6ymn707vycbp1s1d9cv7qbyfnrd8ji3";
     })
     (builtins.fetchurl {
-      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml";
-      sha256 = "05llfw6y66438r8kqy7krhyymyalkzxsaxjpa2zxzjk6z5mggbzq";
+      url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_gateways.yaml";
+      sha256 = "0cbwwzmy3kqrn224a440pklcpfjv0w4mci133akw1n5l1qqfh5kl";
     })
     (builtins.fetchurl {
-      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml";
-      sha256 = "0a9q0vhqcazfrni3ajcq8vm2b254vcjbgmkchsdq9l6cbpvx79jd";
+      url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml";
+      sha256 = "1pr7g06q3m9dx2mfi4ri892nrrzq9z8d205sb53g4gadshjl37wp";
     })
     (builtins.fetchurl {
-      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml";
-      sha256 = "19hwvdwdj0sc5fihdskw492g52ail3kjjzm6vpflvp2vlqam629p";
+      url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml";
+      sha256 = "0w632khanl080fzjf34vzqi7vhf2gf7mffh7726v3v5s16qh68k8";
     })
     (builtins.fetchurl {
-      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml";
-      sha256 = "0b5pjihyzyyi4inz3avlkzvvccsynj9wsmx6znld04jmmvwpgxc9";
+      url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_listenersets.yaml";
+      sha256 = "1fz0y0w8n6rn20jgynlp0xvg4r5cmdjfzc8kc41b1yzx366lc8cj";
+    })
+    (builtins.fetchurl {
+      url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml";
+      sha256 = "0ldv1ydvdjq1vhml0j400gmih2dsr9n4g2mvylwp62zddr42r458";
+    })
+    (builtins.fetchurl {
+      url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_tlsroutes.yaml";
+      sha256 = "0ickl2fj23ch5j0l9pd8zr82qy2nws8ib1d24wjhx939qhkli3l1";
+    })
+    (builtins.fetchurl {
+      url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml";
+      sha256 = "18aqz4abwyi9kiqx035rakq4g6a257r6y00y0my5djq64ylls6lq";
     })
   ];
 in

nix/kubernetes/keys/scope.nix

@@ -234,7 +234,7 @@ makeScope newScope (
     encryption_config = (callPackage ./package/k8s-encryption-key/package.nix additional_vars);
     cilium-manifest =
       let
-        version = "1.18.5";
+        version = "1.19.1";
       in
       (callPackage ./package/helm-manifest/package.nix (
         additional_vars
@@ -243,7 +243,7 @@ makeScope newScope (
             owner = "cilium";
             repo = "cilium";
             tag = "v${version}";
-            hash = "sha256-348inOOQ/fgwTYnaSHrQ363xGYnx2UPts3D4ycDRsWE=";
+            hash = "sha256-wswY4u2Z7Z8hvGVnLONxSD1Mu1RV1AglC4ijUHsCCW4=";
           };
           helm_name = "cilium";
           helm_namespace = "kube-system";
@@ -262,13 +262,18 @@ makeScope newScope (
             "ipv4" = {
               "enabled" = true;
             };
+            "externalIPs" = {
+              "enabled" = true;
+            };
             "enableIPv6Masquerade" = false;
             "enableIPv4BIGTCP" = true;
             "enableIPv6BIGTCP" = true;
             "routingMode" = "native";
             "autoDirectNodeRoutes" = true;
             "ipv4NativeRoutingCIDR" = "10.200.0.0/16";
-            "ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/80";
+            "ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff:eeee::/96";
+            # "ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/80";
+            # "l7Proxy" = true; # Needed for cilium gateway controller
 
             "hubble" = {
               "relay" = {
@@ -283,7 +288,7 @@ makeScope newScope (
               };
             };
 
-            "policyEnforcementMode" = "never";
+            "policyEnforcementMode" = "never"; # This is temporary for debugging
 
             # TODO: Read and maybe apply https://docs.cilium.io/en/stable/operations/performance/tuning/