kubernetes: fix breakage introduced by upgrade to 1.22

          to use wildcards in the <literal>source</literal> argument.

        </para>

      </listitem>

    </itemizedlist>

    <para>

      <<<<<<< HEAD

    </para>

    <itemizedlist>

      <listitem>

        <para>

          The <literal>openrazer</literal> and

          release is also still available.

        </para>

      </listitem>

      <listitem>

        <para>

          The <literal>kubernetes</literal> package was upgraded to

          1.22. The <literal>kubernetes.apiserver.kubeletHttps</literal>

          option was removed and HTTPS is always used.

        </para>

      </listitem>

    </itemizedlist>

  </section>

  <section xml:id="sec-release-21.11-notable-changes">

- `programs.neovim.runtime` switched to a `linkFarm` internally, making it impossible to use wildcards in the `source` argument.

<<<<<<< HEAD

- The `openrazer` and `openrazer-daemon` packages as well as the `hardware.openrazer` module now require users to be members of the `openrazer` group instead of `plugdev`. With this change, users no longer need be granted the entire set of `plugdev` group permissions, which can include permissions other than those required by `openrazer`. This is desirable from a security point of view. The setting [`harware.openrazer.users`](options.html#opt-services.hardware.openrazer.users) can be used to add users to the `openrazer` group.

- The `yambar` package has been split into `yambar` and `yambar-wayland`, corresponding to the xorg and wayland backend respectively. Please switch to `yambar-wayland` if you are on wayland.

- The `varnish` package was upgraded from 6.3.x to 6.5.x. `varnish60` for the last LTS release is also still available.

- The `kubernetes` package was upgraded to 1.22.  The `kubernetes.apiserver.kubeletHttps` option was removed and HTTPS is always used.

## Other Notable Changes {#sec-release-21.11-notable-changes}

- The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.

      type = nullOr path;

    };

    kubeletHttps = mkOption {

      description = "Whether to use https for connections to kubelet.";

      default = true;

      type = bool;

    };

    preferredAddressTypes = mkOption {

      description = "List of the preferred NodeAddressTypes to use for kubelet connections.";

      type = nullOr str;

                "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \

              ${optionalString (cfg.basicAuthFile != null)

                "--basic-auth-file=${cfg.basicAuthFile}"} \

              --kubelet-https=${boolToString cfg.kubeletHttps} \

              ${optionalString (cfg.kubeletClientCaFile != null)

                "--kubelet-certificate-authority=${cfg.kubeletClientCaFile}"} \

              ${optionalString (cfg.kubeletClientCertFile != null)

    services.kubernetes.addonManager.bootstrapAddons = mkIf ((storageBackend == "kubernetes") && (elem "RBAC" top.apiserver.authorizationMode)) {

      flannel-cr = {

        apiVersion = "rbac.authorization.k8s.io/v1beta1";

        apiVersion = "rbac.authorization.k8s.io/v1";

        kind = "ClusterRole";

        metadata = { name = "flannel"; };

        rules = [{

      };

      flannel-crb = {

        apiVersion = "rbac.authorization.k8s.io/v1beta1";

        apiVersion = "rbac.authorization.k8s.io/v1";

        kind = "ClusterRoleBinding";

        metadata = { name = "flannel"; };

        roleRef = {