From b8ee14752b1ba853aeffe9d002fc48c85af58ea5 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sat, 7 Mar 2026 20:14:07 -0500
Subject: [PATCH] Update packages in kubernetes/keys.
---
 nix/kubernetes/keys/flake.lock | 6 ++--
 nix/kubernetes/keys/flake.nix | 13 +++----
 .../keys/package/bootstrap-script/package.nix | 36 ++++++++++++-------
 nix/kubernetes/keys/scope.nix | 13 ++++---
 4 files changed, 43 insertions(+), 25 deletions(-)
diff --git a/nix/kubernetes/keys/flake.lock b/nix/kubernetes/keys/flake.lock
index 42c9926c..a6e534e2 100644
--- a/nix/kubernetes/keys/flake.lock
+++ b/nix/kubernetes/keys/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1767892417,
- "narHash": "sha256-dhhvQY67aboBk8b0/u0XB6vwHdgbROZT3fJAjyNh5Ww=",
+ "lastModified": 1772773019,
+ "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
+ "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
 "type": "github"
 },
 "original": {
diff --git a/nix/kubernetes/keys/flake.nix b/nix/kubernetes/keys/flake.nix
index 3bdd04b7..5bc06a6b 100644
--- a/nix/kubernetes/keys/flake.nix
+++ b/nix/kubernetes/keys/flake.nix
@@ -14,13 +14,15 @@
 packages = forAllSystems (
 system:
 let
- pkgs = nixpkgs.legacyPackages.${system};
- appliedOverlay = self.overlays.default pkgs pkgs;
+ pkgs = import nixpkgs {
+ inherit system;
+ overlays = [ self.overlays.default ];
+ };
 in
 {
- deploy_script = appliedOverlay.k8s.deploy_script;
- default = appliedOverlay.k8s.all_keys;
- bootstrap_script = appliedOverlay.k8s.bootstrap_script;
+ deploy_script = pkgs.k8s.deploy_script;
+ default = pkgs.k8s.all_keys;
+ bootstrap_script = pkgs.k8s.bootstrap_script;
 }
 );
 overlays.default = (
@@ -35,7 +37,6 @@
 system:
 let
 pkgs = nixpkgs.legacyPackages.${system};
- appliedOverlay = self.overlays.default pkgs pkgs;
 in
 {
 default = pkgs.mkShell {
diff --git a/nix/kubernetes/keys/package/bootstrap-script/package.nix b/nix/kubernetes/keys/package/bootstrap-script/package.nix
index 2ae16d0f..37bf3a62 100644
--- a/nix/kubernetes/keys/package/bootstrap-script/package.nix
+++ b/nix/kubernetes/keys/package/bootstrap-script/package.nix
@@ -48,28 +48,40 @@ let
 apply_manifests = "kubectl --kubeconfig=${k8s.client-configs.admin}/admin.kubeconfig apply --server-side --force-conflicts -f ${manifests}";
 gateway_crds = [
 (builtins.fetchurl {
- url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml";
- sha256 = "0vf8c3kzlf7p6bf92gmdrzjc22fr2dwkrzvvbnxlsb43knv1nbzl";
+ url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_backendtlspolicies.yaml";
+ sha256 = "0wbrylglinba48ibqnrzs5vp4raa1azb0b83hjf2zmsk44bii24v";
 })
 (builtins.fetchurl {
- url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gateways.yaml";
- sha256 = "1dqwlsypcb5f37y7x48rrv27yfgkizcx2alqd2nngijl1qzir3wa";
+ url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml";
+ sha256 = "1x5yws3q7grd5xlnz071v6ymn707vycbp1s1d9cv7qbyfnrd8ji3";
 })
 (builtins.fetchurl {
- url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml";
- sha256 = "05llfw6y66438r8kqy7krhyymyalkzxsaxjpa2zxzjk6z5mggbzq";
+ url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_gateways.yaml";
+ sha256 = "0cbwwzmy3kqrn224a440pklcpfjv0w4mci133akw1n5l1qqfh5kl";
 })
 (builtins.fetchurl {
- url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml";
- sha256 = "0a9q0vhqcazfrni3ajcq8vm2b254vcjbgmkchsdq9l6cbpvx79jd";
+ url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml";
+ sha256 = "1pr7g06q3m9dx2mfi4ri892nrrzq9z8d205sb53g4gadshjl37wp";
 })
 (builtins.fetchurl {
- url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml";
- sha256 = "19hwvdwdj0sc5fihdskw492g52ail3kjjzm6vpflvp2vlqam629p";
+ url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml";
+ sha256 = "0w632khanl080fzjf34vzqi7vhf2gf7mffh7726v3v5s16qh68k8";
 })
 (builtins.fetchurl {
- url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml";
- sha256 = "0b5pjihyzyyi4inz3avlkzvvccsynj9wsmx6znld04jmmvwpgxc9";
+ url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_listenersets.yaml";
+ sha256 = "1fz0y0w8n6rn20jgynlp0xvg4r5cmdjfzc8kc41b1yzx366lc8cj";
+ })
+ (builtins.fetchurl {
+ url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml";
+ sha256 = "0ldv1ydvdjq1vhml0j400gmih2dsr9n4g2mvylwp62zddr42r458";
+ })
+ (builtins.fetchurl {
+ url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_tlsroutes.yaml";
+ sha256 = "0ickl2fj23ch5j0l9pd8zr82qy2nws8ib1d24wjhx939qhkli3l1";
+ })
+ (builtins.fetchurl {
+ url = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard/gateway.networking.k8s.io_vap_safeupgrades.yaml";
+ sha256 = "18aqz4abwyi9kiqx035rakq4g6a257r6y00y0my5djq64ylls6lq";
 })
 ];
 in
diff --git a/nix/kubernetes/keys/scope.nix b/nix/kubernetes/keys/scope.nix
index d5b970ce..09af1be4 100644
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
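Review bot: In the `gateway_crds` list of package.nix, the new gatewayclasses entry still fetches from `raw.githubusercontent.com` while the other eight use `github.com/.../raw/refs/tags/v1.5.1/...`, so a version bump has to edit two URL shapes and nine hand-copied hashes. The per-file `sha256` is what makes a moved tag fail the build instead of changing what `apply --server-side --force-conflicts` pushes with the admin kubeconfig, so a comment recording the upstream commit behind `v1.5.1` would make that pin auditable. I would bind the release once, e.g. `gateway_api_base = "https://github.com/kubernetes-sigs/gateway-api/raw/refs/tags/v1.5.1/config/crd/standard";`, and build each `url` from it. `gateway.networking.k8s.io_vap_safeupgrades.yaml` looks like an admission policy rather than a CRD (inferred from the file name only), so a one-line comment on why it belongs in `gateway_crds` would help. The enclosing `let` block starts before this hunk.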
@@ -234,7 +234,7 @@ makeScope newScope ( encryption_config = (callPackage ./package/k8s-encryption-key/package.nix additional_vars); cilium-manifest = let - version = "1.18.5"; + version = "1.19.1"; in (callPackage ./package/helm-manifest/package.nix ( additional_vars @@ -243,7 +243,7 @@ makeScope newScope ( owner = "cilium"; repo = "cilium"; tag = "v${version}"; - hash = "sha256-348inOOQ/fgwTYnaSHrQ363xGYnx2UPts3D4ycDRsWE="; + hash = "sha256-wswY4u2Z7Z8hvGVnLONxSD1Mu1RV1AglC4ijUHsCCW4="; }; helm_name = "cilium"; helm_namespace = "kube-system"; @@ -262,13 +262,18 @@ makeScope newScope ( "ipv4" = { "enabled" = true; }; + "externalIPs" = { + "enabled" = true; + }; "enableIPv6Masquerade" = false; "enableIPv4BIGTCP" = true; "enableIPv6BIGTCP" = true; "routingMode" = "native"; "autoDirectNodeRoutes" = true; "ipv4NativeRoutingCIDR" = "10.200.0.0/16"; - "ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/80"; + "ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff:eeee::/96"; + # "ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/80"; + # "l7Proxy" = true; # Needed for cilium gateway controller "hubble" = { "relay" = { @@ -283,7 +288,7 @@ makeScope newScope ( }; }; - "policyEnforcementMode" = "never"; + "policyEnforcementMode" = "never"; # This is temporary for debugging # TODO: Read and maybe apply https://docs.cilium.io/en/stable/operations/performance/tuning/
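Review bot: `"externalIPs" = { "enabled" = true; };` in the third scope.nix hunk turns on ExternalIPs service handling with no note on who may set `spec.externalIPs`, and the later hunk of this file keeps `"policyEnforcementMode" = "never"`, so network policy is not available as a compensating control. With this enabled, any principal allowed to create or update Services can claim an address and have traffic for it steered to their own backends, so I would pair it with an admission rule that allow-lists the permitted addresses and record that here, e.g. `# externalIPs: addresses are allow-listed by admission policy <policy name>`. The two commented-out lines added next to `ipv6NativeRoutingCIDR` (the old `/80` value and `l7Proxy`) read as leftovers; either drop them or state in a comment why the prefix narrowed to `/96`. The Helm values attrset starts and ends outside the hunk.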