v0.37.0

Highlights

Flux v0.37.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Breaking changes

Deprecation of gitImplementation

The interpretation of the gitImplementation field of GitRepository by source-controller and image-automation-controller has been deprecated, and will effectively always use go-git. This now supports all Git servers, including Azure DevOps and AWS CodeCommit, which previously were only supported by libgit2.

To opt-out from this behaviour, and get the controller to honour the field .spec.gitImplementation, start the controller with: --feature-gates=ForceGoGitImplementation=false.

For more information on this change, refer to the controllers's respective changelogs listed below.

Automatic force-push of ImageUpdateAutomation

Starting from this version, ImageUpdateAutomation objects with a .spec.PushBranch specified will have the push branch refreshed automatically via force push. To opt-out from this behaviour, start the controller with: --feature-gates=GitForcePushBranch=false.

Features and improvements

• Support for bootstrapping Azure DevOps and AWS CodeCommit repositories using flux bootstrap git.
• Support cloning of Git v2 protocol (Azure DevOps and AWS CodeCommit) for go-git Git provider.
• Support force-pushing ImageUpdateAutomation repositories.
• Allow a dry-run of flux build kustomization with --dry-run and --kustomization-file ./path/to/local/my-app.yaml. Using these flags, variable substitutions from Secrets and ConfigMaps are skipped, and no connection to the cluster is made.
• Use signed OCI Helm chart for kube-prometheus-stack.

New documentation

• Guide: AWS CodeCommit bootstrap
• Guide: Azure DevOps bootstrap

Components changelog

• source-controller v0.32.1
• kustomize-controller v0.31.0
• helm-controller v0.27.0
• notification-controller v0.29.0
• image-reflector-controller v0.23.0
• image-automation-controller v0.27.0

CLI Changelog

• PR #3339 - @hiddeco - Update dependencies
• PR #3326 - @fluxcdbot - Update toolkit components
• PR #3324 - @stefanprodan - Update kubectl and remove nsswitch.conf in flux-cli image
• PR #3323 - @pjbgf - build: Pin GitHub Actions
• PR #3317 - @souleb - Add a dry-run mode to flux build kustomization
• PR #3303 - @stefanprodan - monitoring: Use kube-prometheus-stack signed OCI Helm chart
• PR #3299 - @aryan9600 - Refactor bootstrap process to use fluxcd/pkg/git
• PR #3294 - @phillebaba - Aggregate errors in uninstall functions
• PR #3288 - @dependabot[bot] - Bump hashicorp/setup-terraform from 2.0.2 to 2.0.3
• PR #3281 - @stefanprodan - Refactor ARM64 e2e test suite
• PR #3269 - @dependabot[bot] - Bump actions/setup-go from 2 to 3
• PR #3249 - @phillebaba - Remove file reading from bootstrap package

v0.36.0

Highlights

Flux v0.36.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Features and improvements

• Verify OCI Helm charts signed by Cosign (including keyless) with HelmChart.spec.verify.
• Allow publishing a single YAML file to OCI with flux push artifact <URL> --path=deploy/install.yaml.
• Detect changes to local files before pushing to OCI with flux diff artifact <URL> --path=<local files>.
• New Alert Provider type named generic-hmac for authenticating the webhook requests coming from notification-controller.
• The Kustomization.status.conditions have been aligned with Kubernetes standard conditions and kstatus.
• The kustomize-controller memory usage was reduced by 90% when performing artifact operations.

New documentation

• Guide: How to deploy Flagger with Flux using signed Helm charts and OCI artifacts
• FAQ: Should I be using Kustomize remote bases?
• FAQ: Should I be using Kustomize Helm chart plugin?

Components changelog

• source-controller v0.31.0
• kustomize-controller v0.30.0
• helm-controller v0.26.0
• notification-controller v0.28.0
• image-reflector-controller v0.22.1
• image-automation-controller v0.26.1

CLI Changelog

• PR #3242 - @stefanprodan - Update dependencies
• PR #3237 - @phillebaba - Move bootstrap package from internal to pkg
• PR #3236 - @stefanprodan - ci: Refactor GitHub workflows
• PR #3232 - @eddie-knight - Additional workflow permissions tweaks
• PR #3231 - @eddie-knight - Adjusted workflow permissions
• PR #3229 - @stefanprodan - RFC-0002: Add Cosign verification for Helm OCI charts
• PR #3224 - @developer-guy - Add diff artifact command
• PR #3220 - @stefanprodan - Only run e2e tests for Dependabot PRs
• PR #3219 - @dependabot[bot] - Bump github/codeql-action from 1 to 2
• PR #3218 - @dependabot[bot] - Bump peter-evans/create-pull-request from 3 to 4
• PR #3217 - @dependabot[bot] - Bump hashicorp/setup-terraform from 1 to 2.0.2
• PR #3216 - @stefanprodan - Enable Dependabot for GitHub Actions
• PR #3214 - @eddie-knight - Added ArtifactHub badge
• PR #3213 - @stefanprodan - Add FOSSA license scanning badge
• PR #3198 - @phillebaba - Add nop logger
• PR #3197 - @phillebaba - Move uninstall code to pkg
• PR #3190 - @developer-guy - Accept a file path as input for flux build|push artifact
• PR #3187 - @fluxcdbot - Update toolkit components
• PR #3174 - @phillebaba - Update libgit2 version in Azure e2e tests
• PR #3162 - @somtochiama - Update golden file for get source oci
• PR #3161 - @stefanprodan - Update RFC-0003 implementation history

v0.35.0

Highlights

Flux v0.35.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Breaking changes

Strict validation rules have been put in place for API fields which define a time duration, such as .spec.interval. Effectively, this means values without a time unit (e.g. ms, s, m, h) will now be rejected by the API server.

Features and improvements

• Verify OCI artifacts signed by Cosign (including keyless) with OCIRepository.spec.verify.
• Allow pulling Helm charts dependencies from HTTPS repositories with mixed self-signed TLS and public CAs.
• Allow pulling Helm charts from OCI artifacts stored at the root of AWS ECR.
• Allow running bootstrap for insecure HTTP Git servers with flux bootstrap git --allow-insecure-http --token-auth.
• Improve health checking for global objects such as ClusterClass, GatewayClass, StorageClass, etc.
• The controllers and the Flux CLI are now built with Go 1.19.

For more information on OCI and Cosign support please see the Flux documentation.

Components changelog

• source-controller v0.30.0
• kustomize-controller v0.29.0
• helm-controller v0.25.0
• notification-controller v0.27.0
• image-reflector-controller v0.22.0
• image-automation-controller v0.26.0

CLI Changelog

• PR #3154 - @stefanprodan - [RFC-0003] Add Cosign keyless specification
• PR #3153 - @stefanprodan - Build with Go 1.19
• PR #3149 - @fluxcdbot - Update toolkit components
• PR #3145 - @stefanprodan - Add component label for controllers and their CRDs
• PR #3117 - @carlosonunez-vmw - Maintain original scheme when using --token-auth
• PR #3098 - @Santosh1176 - [Grafana] Use container_memory_working_set_bytes to report memory consumption

v0.34.0

Highlights

Flux v0.34.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Breaking changes

The Flux controller logs have been aligned with the Kubernetes structured logging.
For more details on the new logging structure please see: fluxcd/flux2#3051.

Features and improvements

• OCIRepository.spec.insecure Allow pulling artifacts from an in-cluster Docker Registry over plain HTTP.
• Allow defining OCI sources for non-TLS container registries with flux create source oci --insecure.
• Enable contextual login when publishing OCI artifacts from a Cloud VM using flux push artifact --provider=aws|azure|gcp.
• Prioritise static credentials over OIDC providers when pulling OCI artifacts from container registries on multi-tenant cluster.
• Reconcile Kubernetes Class types (ClusterClass, GatewayClass, StorageClass, etc) in a dedicated stage before any other custom resources like Clusters, Gateways, Volumes, etc.
• When multiple SOPS providers are available, run the offline decryption methods first to avoid failures due to KMS unavailability.
• Add finalizers to the notification API to properly record the reconciliation metrics for deleted resources.
• Publish the Flux install manifests as OCI artifacts on GitHub and DockerHub container registries under fluxcd/flux-manifests.

Components Changelog

• source-controller v0.29.0
• kustomize-controller v0.28.0
• helm-controller v0.24.0
• notification-controller v0.26.0
• image-reflector-controller v0.21.0
• image-automation-controller v0.25.0

CLI Changelog

• PR #3097 - @stefanprodan - Add --insecure flag to flux create source oci
• PR #3091 - @fluxcdbot - Update toolkit components
• PR #3088 - @stefanprodan - Publish the install manifests to GHCR and DockerHub as OCI artifacts
• PR #3087 - @somtochiama - Remove finalizers for notification CRs on uninstall
• PR #3085 - @souleb - [bootstrap] Make sure we reconcile with the right reconciliation method
• PR #3082 - @stefanprodan - Remove finalizers for OCI repositories on uninstall
• PR #3079 - @adrien-f - Support autologin when pushing OCI artifacts
• PR #3073 - @acondrat - Filter out non-running pods in Prometheus
• PR #3063 - @somtochiama - Update flux logs to accomodate the new format
• PR #3053 - @dholbach - Revert "Fix broken "edit this page" links in Flux CLI section"
• PR #3052 - @dholbach - update to new doc links structure
• PR #3050 - @stefanprodan - Status update for RFC-0002 and RFC-0003

v0.33.0

Highlights

Flux v0.33.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Features and improvements

• HelmRepository.spec.provider Enable contextual login to container registries when pulling Helm charts from Amazon Elastic Container Registry, Azure Container Registry and Google Artifact Registry.
• OCIRepository.spec.layerSelector Select which layer contains the Kubernetes configs by specifying a matching OCI media type.
• Bucket.spec.secretRef Authenticate to Azure Blob storage using SAS tokens.
• Allow filtering OCI artifacts by semver and regex when listing artifact with flux list artifacts.
• Allow excluding local files and directories when building and publishing artifacts with flux push artifact.
• Mitigate denial-of-service on multi-tenant clusters by automatically recovering from panics encountered during reconciliation.
• Update controllers to Kubernetes v1.25.0, Kustomize v4.5.7 and Helm v3.9.4.

New documentation

• Secrets Management
• Contextual Authorization

Components changelog

• source-controller v0.27.0 v0.28.0
• kustomize-controller v0.27.1
• helm-controller v0.23.1
• notification-controller v0.25.2
• image-reflector-controller v0.20.1
• image-automation-controller v0.24.2

CLI Changelog

• PR #3049 - @stefanprodan - Update Kubernetes dependencies to v1.25.0
• PR #3034 - @snebel29 - Fix broken "edit this page" links in Flux CLI section
• PR #3028 - @snebel29 - Update tests/azure github.com/hashicorp/terraform-exec to v0.16.1
• PR #3025 - @stefanprodan - [RFC-0002] Add auth specification for Helm OCI
• PR #3024 - @stefanprodan - Add version validation to install commands
• PR #3019 - @somtochiama - Improve error message in get cmd
• PR #3014 - @stefanprodan - [RFC-0003] Select layer by OCI media type
• PR #2999 - @fluxcdbot - Update toolkit components
• PR #2998 - @somtochiama - Add --filter-semver and --filter-regex flags to list artifacts
• PR #2997 - @stefanprodan - Use ghcr.io in the static manifests
• PR #2996 - @stefanprodan - Update dependencies
• PR #2995 - @stefanprodan - Add --ignore-paths arg to flux build|push artifact
• PR #2979 - @stefanprodan - Status update for RFC-0002 and RFC-0003

v0.32.0

Highlights

Flux v0.32.0 comes with support for distributing Kubernetes manifests, Kustomize overlays and Terraform code as OCI artifacts.
For more information please see the Flux OCI documentation.

New features

• New Flux CLI commands flux push|pull|tag artifact for publishing OCI Artifacts to container registries.
• New source type OCIRepository for fetching OCI artifacts from container registries.
• Resolve Helm dependencies from OCI for charts defined in Git.

Components changelog

• source-controller v0.26.0 v0.26.1
• kustomize-controller v0.27.0
• notification-controller v0.25.0 v0.25.1
• image-reflector-controller v0.20.0
• image-automation-controller v0.24.1

CLI Changelog

• PR #2966 - @fluxcdbot - Update toolkit components
• PR #2964 - @pjbgf - Add validation to namespace flag
• PR #2955 - @somtochiama - fix log filter and add tests for flux logs
• PR #2951 - @stefanprodan - [RFC-0003] Add the provider field for OIDC auth
• PR #2940 - @hiddeco - AUR: further solve .SRCINFO issues
• PR #2937 - @hiddeco - AUR: ensure pkgname is bottom entry in .SRCINFO

v0.31.5

Highlights

Flux v0.31.5 is a patch release that comes with fixes. Users are encouraged to upgrade for the best experience.

Fixes

• Fix ImageRepository public repository scan for unconfigured provider registries

Improvements

• Improve Helm OCI Chart to work with registries that don't support listing tags

Component changelog

• source-controller v0.25.11
• image-reflector-controller v0.19.4

CLI Changelog

• PR #2932 - @fluxcdbot - Update toolkit components
• PR #2917 - @morancj - SRCINFO: fix path

v0.31.4

Highlights

Flux v0.31.4 is a patch release that comes with fixes. Users are encouraged to upgrade for the best experience.

Fixes

• Fix SIGSEGV when resolving charts dependencies.
• Fix Panic when no artifact in source.
• decryptor: recover from SOPS store panic.
• Fix spelling mistake in azure/exchanger.go.

Improvements

• Retry downloading artifacts on not found errors.

Components changelog

• source-controller v0.25.10
• kustomize-controller v0.26.3
• notification-controller v0.24.1
• helm-controller v0.22.2
• image-automation-controller v0.23.5
• image-reflector-controller v0.19.3

CLI Changelog

• PR #2905 - @fluxcdbot - Update toolkit components

v0.31.3

Highlights

Flux v0.31.3 is a patch release that comes with fixes. Users are encouraged to upgrade for the best experience.

Fixes

• Fix for Helm OCI authentication where the credentials were cached instead of being reloaded at each reconciliation
• Fix for health checking Kubernetes Jobs when impersonating a service account

Components changelog

• source-controller v0.25.9
• kustomize-controller v0.26.2

CLI Changelog

• PR #2881 - @fluxcdbot - Update toolkit components
• PR #2877 - @sympatheticmoose - Add the --branch arg to the basic auth example

v0.31.2

Highlights

Flux v0.31.2 is a patch release that comes with fixes and small improvements. Users are encouraged to upgrade for the best experience.

Fixes and improvements

• Fix SSH connection leaks when using libgit2 managed transport
• Improve the libgit2 error messages when the known hosts check fails
• Fix authentication for BitBucket server when using libgit2 managed transport
• Fix flux logs when running Flux inside a service mesh
• Fix flux reconcile source helm when using Helm OCI
• Accept multiple values for flux create hr --values-from
• List the Flux CRDs and assert their statuses when running flux check
• Add finalizers to ImageRepository, ImagePolicy and ImageUpdateAutomation resources to properly record the metrics for deleted resources

Components changelog

• source-controller v0.25.8 v0.25.7 v0.25.6
• image-reflector-controller v0.19.2
• image-automation-controller v0.23.4 v0.23.3

CLI Changelog

• PR #2867 - @stefanprodan - Remove image finalizers on uninstall
• PR #2862 - @bplasmeijer - Put the dashboard configmap in the right namespace for monitoring
• PR #2859 - @somtochiama - Return different success message for oci type - reconcile_source_helm
• PR #2844 - @hiddeco - logs: select manager container when multiple exist
• PR #2839 - @fluxcdbot - Update toolkit components
• PR #2829 - @somtochiama - Accept multiple values for flux create hr --values-from
• PR #2823 - @stefanprodan - Add CRDs to flux check command