v0.40.1

Flux v0.40.1 is a patch release which includes an update of the source-controller to prevent excessive memory usage while reconciling HelmRepository objects. Users are encouraged to upgrade for the best experience.

⚠️ Note that v0.40.0 contained breaking changes, please refer to the changelog for more information.

Components changelog

• source-controller v0.35.2

CLI Changelog

• PR #3626 - @hiddeco - Update dependencies
• PR #3624 - @fluxcdbot - Update toolkit components
• PR #3615 - @stefanprodan - Update implementation history of RFC-0003 and RFC-0005

v0.40.0

Highlights

Flux v0.40.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Breaking changes

Image Automation

The image-reflector-controller autologin flags have been deprecated and are no longer used.
Please see the new API specification and migration instructions in the controller changelog.

Notifications

The source revision format reported by the Flux controllers has changed according to RFC-0005.
The events referring to Git repositories, will report the revision in the format <branch|tag>@sha1:<commit> instead of <branch|tag>/<commit>.
For more details please see the source-controller changelog.

OCI artifacts

The OCI artifacts produced with flux push artifact have now custom media types:

• artifact media type application/vnd.oci.image.manifest.v1+json
• config media type application/vnd.cncf.flux.config.v1+json
• content media type application/vnd.cncf.flux.content.v1.tar+gzip

Features and improvements

• The GitRepository API has a new optional field .spec.ref.name for specifying a Git Reference.
  This allows Flux to reconcile resources from GitHub Pull Requests (refs/pull/<id>/head) and GitLab Merge Requests (refs/merge-requests/<id>/head).
• The ImageRepository and ImagePolicy APIs have been promoted to v1beta2.
• Allow specifying the cloud provider contextual login for container registries with ImageRepository.spec.provider.
• Improve observability of ImageRepository by showing the latest scanned tags under .status.lastScanResult.latestTags.
• Improve observability of ImagePolicy by reporting the current and previous image tag in status and events.
• The Kubernetes builtin cluster roles: view, edit and admin have been extended to allow access to Flux custom resources.
• Print a report of Flux custom resources and the amount of cumulative storage used for each source type with flux stats -A.

New Documentation

• API: ImageRepository v1beta2
• API: ImagePolicy v1beta2
• Security: Aggregated cluster roles
• Bootstrap: Disable Kubernetes cluster role aggregations
• Blog: How Flux and Pulumi give each other superpowers

Components changelog

• source-controller v0.35.1 v0.35.0
• kustomize-controller v0.34.0
• helm-controller v0.30.0
• notification-controller v0.32.0
• image-reflector-controller v0.25.0
• image-automation-controller v0.30.0

CLI Changelog

• PR #3612 - @dependabot[bot] - build(deps): bump fossa-contrib/fossa-action from 1.2.0 to 2.0.0
• PR #3610 - @hiddeco - Update dependencies
• PR #3606 - @hiddeco - build: further solve issue release workflow
• PR #3605 - @hiddeco - build: ensure newlines work with $GITHUB_OUTPUT
• PR #3604 - @hiddeco - build: convert ::set-output to $GITHUB_OUTPUT
• PR #3603 - @stefanprodan - Remove deprecated flags
• PR #3602 - @hiddeco - Update source-controller to v0.35.1
• PR #3601 - @stefanprodan - ci: Fix Snyk Go build VCS stamping error
• PR #3598 - @fluxcdbot - Update toolkit components
• PR #3592 - @hiddeco - tests: only provide template values when used
• PR #3587 - @hiddeco - Support shortening of revision with digest
• PR #3585 - @darkowlzz - Update image-reflector API to v1beta2
• PR #3584 - @dependabot[bot] - build(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1
• PR #3583 - @dependabot[bot] - build(deps): bump snyk/actions from e25b2e6f5658d1bb7a6671b113260f13134cc3af to 806182742461562b67788a64410098c9d9b96adb
• PR #3582 - @dependabot[bot] - build(deps): bump actions/cache from 3.2.4 to 3.2.5
• PR #3581 - @dependabot[bot] - build(deps): bump github/codeql-action from 2.2.1 to 2.2.4
• PR #3578 - @stefanprodan - Add flux stats command to print the reconcilers status
• PR #3575 - @stefanprodan - RFC-0003: Introduce Flux OCI media type
• PR #3566 - @stefanprodan - rbac: Add view and edit aggregated cluster roles
• PR #3563 - @dependabot[bot] - build(deps): bump actions/cache from 3.2.3 to 3.2.4
• PR #3562 - @dependabot[bot] - build(deps): bump goreleaser/goreleaser-action from 4.1.1 to 4.2.0
• PR #3560 - @stefanprodan - docs: Add permissions to update workflow

v0.39.0

Highlights

Flux v0.39.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Starting with this version, the Flux controllers come with SBOMs and SLSA Provenance Attestations embedded in their container images.

The Flux Terraform Provider has a new resource for bootstrapping Flux, without depending on third-party Terraform providers, that allows customising the controllers at install time. Users are encouraged to migrate to this new resources and provide feedback.

The Flux CLI is now included in Wolfi OS, the Linux (Un)distro designed for securing the software supply chain. The Chainguard team and Wolfi maintainers are shipping updates for the Flux package on a regular basis.

Features and improvements

• Recreate immutable resources (e.g. Kubernetes Jobs) by annotating or labeling them with kustomize.toolkit.fluxcd.io/force: enabled.
• Support for HTTPS bearer token authentication for Git repositories.
• Improve memory usage by disabling the caching of Secret and ConfigMap resources in all controllers.
• Better observability with progressive status updates for Sources (Git, OCI, Helm, S3 Buckets).
• Allow extracting the OCI artifact SHA256 digest for Cosign with flux push artifact -o json.
• Track CRDs managed by Flux, flux trace and flux tree will show which HelmRelease deployed which CRDs.
• Allow the Flux GitHub Action to use a GitHub token when checking for updates to avoid rate limiting.

New documentation

• Security: Software Bill of Materials
• Security: SLSA Provenance Attestations
• Security: Scanning Flux images for CVEs

Components changelog

• source-controller v0.34.0
• kustomize-controller v0.33.0
• helm-controller v0.29.0
• notification-controller v0.31.0
• image-reflector-controller v0.24.0
• image-automation-controller v0.29.0

CLI Changelog

• PR #3550 - @stefanprodan - flux tree: Set CRDs GroupKind in output
• PR #3549 - @stefanprodan - flux tree: Track CRDs managed by HelmReleases
• PR #3545 - @fluxcdbot - Update toolkit components
• PR #3542 - @stefanprodan - flux tree: Add namespaces to objects reconciled from HRs
• PR #3540 - @stefanprodan - Add json/yaml output to flux push artifact
• PR #3537 - @stefanprodan - Update dependencies to Kubernetes v1.26.1
• PR #3532 - @stefanprodan - Update Alpine to v3.17 and kubectl to v1.26.1 in flux-cli image
• PR #3531 - @makkes - fix misleading messaging when using -A flag
• PR #3529 - @dependabot[bot] - build(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0
• PR #3526 - @dependabot[bot] - Bump anchore/sbom-action from 0.13.1 to 0.13.3
• PR #3525 - @dependabot[bot] - Bump github/codeql-action from 2.1.38 to 2.2.1
• PR #3524 - @dependabot[bot] - Bump goreleaser/goreleaser-action from 4.1.0 to 4.1.1
• PR #3517 - @jooooel - Fix broken GitHub Action and handle case where VERSION is provided as an input
• PR #3507 - @thezanke - Update prometheus-community helm repo due to the suspension of OCI builds
• PR #3501 - @kingdonb - Add GITHUB_TOKEN to Flux GitHub Action
• PR #3488 - @dependabot[bot] - Bump snyk/actions from 1cc9026f51d822442cb4b872d8d7ead8cc69a018 to e25b2e6f5658d1bb7a6671b113260f13134cc3af
• PR #3487 - @dependabot[bot] - Bump actions/cache from 3.2.2 to 3.2.3
• PR #3486 - @dependabot[bot] - Bump github/codeql-action from 2.1.37 to 2.1.38
• PR #3477 - @raffis - fix(install-script): support $GITHUB_TOKEN

v0.38.3

Highlights

Flux v0.38.3 is a patch release that comes with fixes and small improvements to the CLI.
Users are encouraged to upgrade for the best experience.

CLI Changelog

• PR #3476 - @aryan9600 - Update git/gogit to v0.4.1
• PR #3469 - @dependabot[bot] - Bump actions/checkout from 3.2.0 to 3.3.0
• PR #3465 - @kingdonb - Fix fluxcd/website#1347
• PR #3457 - @dependabot[bot] - Bump actions/cache from 3.0.11 to 3.2.2
• PR #3441 - @stefanprodan - check: Show the latest stored version of CRDs

v0.38.2

Flux v0.38.2 is a patch release that comes with fixes for the Notification API v1beta1 to v1beta2 upgrade.
In addition, this release improves the handling of the graceful shutdown for helm-controller.
Users are encouraged to update Flux directly to v0.38.2 for the best experience.

Components changelog

• notification-controller v0.30.2
• helm-controller v0.28.1

CLI Changelog

• PR #3437 - @fluxcdbot - Update toolkit components

v0.38.1

Flux v0.38.1 is a patch release that comes with fixes for the Notification API v1beta1 to v1beta2 upgrade.
Users are encouraged to update Flux directly to v0.38.1 for the best experience.

Changelog

• PR #3429 - @stefanprodan - Update CLI commands to Notification API v1beta2
• PR #3428 - @fluxcdbot - Update notification-controller to v0.30.1

v0.38.0

Highlights

Flux v0.38.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Notification API v1beta2

This release graduates the Notification APIs to v1beta2. After upgrading the controllers on your clusters, you need to update the notification Custom Resources in Git by replacing notification.toolkit.fluxcd.io/v1beta1 with notification.toolkit.fluxcd.io/v1beta2 in all YAML manifests.

Breaking changes

• The Alert.spec.summary has a max length of 255 characters.
• The Provider.spec.address and Provider.spec.proxy have a max length of 2048 characters.
• The Receiver.status.url was deprecated in favour of Receiver.status.webhookPath.

For more details about v1beta2 please see the notification-controller chagelog and the API spec documentation.

Features and improvements

• Support for defining Kustomize components with Kustomization.spec.components.
• Support for piping multi-doc YAMLs when publishing OCI artifacts with kustomize build . | flux push artifact --path=-.
• Support for Gitea commit status updates with Provider.spec.type set to gitea.
• Improve the memory usage of helm-controller by disabling the caching of Secret and ConfigMap resources.
• Update the Helm SDK to v3.10.3 (fix for Helm CVEs).
• All code references to libgit2 were removed, and the GitRepository.spec.gitImplementation field is no longer being honored.

Documentation improvements

The official example repository was refactored. The new version comes with the following improvements:

• Make the example compatible with ARM64 Kubernetes clusters.
• Add Weave GitOps Helm release to showcase the Flux UI.
• Replace the ingress-nginx Bitnami chart with the official one that contains multi-arch container images.
• Add cert-manager Helm release to showcase how to install CRDs and custom resources using dependsOn.
• Add Let's Encrypt ClusterIssuer to showcase how to patch resources in production with Flux Kustomization.
• Add the flux-system overlay to showcase how to configure Flux at bootstrap time.

Components changelog

• source-controller v0.33.0
• kustomize-controller v0.32.0
• helm-controller v0.28.0
• notification-controller v0.30.0
• image-reflector-controller v0.23.1
• image-automation-controller v0.28.0

CLI Changelog

• PR #3427 - @hiddeco - Update dependencies
• PR #3424 - @pjbgf - build: Revert sigstore/cosign-installer to v2.8.1
• PR #3423 - @dependabot[bot] - Bump github/codeql-action from 2.1.36 to 2.1.37
• PR #3422 - @dependabot[bot] - Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0
• PR #3421 - @dependabot[bot] - Bump actions/setup-go from 3.4.0 to 3.5.0
• PR #3420 - @dependabot[bot] - Bump actions/checkout from 3.1.0 to 3.2.0
• PR #3418 - @somtochiama - Fix path on flux push
• PR #3415 - @souleb - Fix dry-run still loading kubeconfig issue
• PR #3413 - @aryan9600 - Update dependencies
• PR #3408 - @souleb - Update fluxcd/pkg/kustomize dependency
• PR #3404 - @stefanprodan - e2e: Fix Azure test suite
• PR #3394 - @dependabot[bot] - Update sigstore/cosign-installer requirement to b6757d8360bb6b9803c38b68e8cb7442baaf7eb5
• PR #3393 - @dependabot[bot] - Bump github/codeql-action from 2.1.35 to 2.1.36
• PR #3389 - @somtochiama - Push/Build artifacts from stdin
• PR #3377 - @aryan9600 - bootstrap: fallback to default known_hosts
• PR #3372 - @dependabot[bot] - Bump peter-evans/create-pull-request from 4.2.2 to 4.2.3
• PR #3371 - @dependabot[bot] - Bump snyk/actions from a8dd587d8a94f5663fa3d67d51abd0cc66aff244 to 1cc9026f51d822442cb4b872d8d7ead8cc69a018
• PR #3370 - @dependabot[bot] - Bump actions/setup-go from 3.3.1 to 3.4.0
• PR #3369 - @dependabot[bot] - Bump github/codeql-action from 2.1.33 to 2.1.35
• PR #3360 - @fluxcdbot - Update toolkit components
• PR #3352 - @dependabot[bot] - Bump peter-evans/create-pull-request from 4.2.0 to 4.2.2
• PR #3350 - @stefanprodan - Set notification-controller container image to GHCR
• PR #3345 - @stefanprodan - e2e: Refactor Azure test suite to use go-git

v0.37.0

Highlights

Flux v0.37.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Breaking changes

Deprecation of gitImplementation

The interpretation of the gitImplementation field of GitRepository by source-controller and image-automation-controller has been deprecated, and will effectively always use go-git. This now supports all Git servers, including Azure DevOps and AWS CodeCommit, which previously were only supported by libgit2.

To opt-out from this behaviour, and get the controller to honour the field .spec.gitImplementation, start the controller with: --feature-gates=ForceGoGitImplementation=false.

For more information on this change, refer to the controllers's respective changelogs listed below.

Automatic force-push of ImageUpdateAutomation

Starting from this version, ImageUpdateAutomation objects with a .spec.PushBranch specified will have the push branch refreshed automatically via force push. To opt-out from this behaviour, start the controller with: --feature-gates=GitForcePushBranch=false.

Features and improvements

• Support for bootstrapping Azure DevOps and AWS CodeCommit repositories using flux bootstrap git.
• Support cloning of Git v2 protocol (Azure DevOps and AWS CodeCommit) for go-git Git provider.
• Support force-pushing ImageUpdateAutomation repositories.
• Allow a dry-run of flux build kustomization with --dry-run and --kustomization-file ./path/to/local/my-app.yaml. Using these flags, variable substitutions from Secrets and ConfigMaps are skipped, and no connection to the cluster is made.
• Use signed OCI Helm chart for kube-prometheus-stack.

New documentation

• Guide: AWS CodeCommit bootstrap
• Guide: Azure DevOps bootstrap

Components changelog

• source-controller v0.32.1
• kustomize-controller v0.31.0
• helm-controller v0.27.0
• notification-controller v0.29.0
• image-reflector-controller v0.23.0
• image-automation-controller v0.27.0

CLI Changelog

• PR #3339 - @hiddeco - Update dependencies
• PR #3326 - @fluxcdbot - Update toolkit components
• PR #3324 - @stefanprodan - Update kubectl and remove nsswitch.conf in flux-cli image
• PR #3323 - @pjbgf - build: Pin GitHub Actions
• PR #3317 - @souleb - Add a dry-run mode to flux build kustomization
• PR #3303 - @stefanprodan - monitoring: Use kube-prometheus-stack signed OCI Helm chart
• PR #3299 - @aryan9600 - Refactor bootstrap process to use fluxcd/pkg/git
• PR #3294 - @phillebaba - Aggregate errors in uninstall functions
• PR #3288 - @dependabot[bot] - Bump hashicorp/setup-terraform from 2.0.2 to 2.0.3
• PR #3281 - @stefanprodan - Refactor ARM64 e2e test suite
• PR #3269 - @dependabot[bot] - Bump actions/setup-go from 2 to 3
• PR #3249 - @phillebaba - Remove file reading from bootstrap package

v0.36.0

Highlights

Flux v0.36.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Features and improvements

• Verify OCI Helm charts signed by Cosign (including keyless) with HelmChart.spec.verify.
• Allow publishing a single YAML file to OCI with flux push artifact <URL> --path=deploy/install.yaml.
• Detect changes to local files before pushing to OCI with flux diff artifact <URL> --path=<local files>.
• New Alert Provider type named generic-hmac for authenticating the webhook requests coming from notification-controller.
• The Kustomization.status.conditions have been aligned with Kubernetes standard conditions and kstatus.
• The kustomize-controller memory usage was reduced by 90% when performing artifact operations.

New documentation

• Guide: How to deploy Flagger with Flux using signed Helm charts and OCI artifacts
• FAQ: Should I be using Kustomize remote bases?
• FAQ: Should I be using Kustomize Helm chart plugin?

Components changelog

• source-controller v0.31.0
• kustomize-controller v0.30.0
• helm-controller v0.26.0
• notification-controller v0.28.0
• image-reflector-controller v0.22.1
• image-automation-controller v0.26.1

CLI Changelog

• PR #3242 - @stefanprodan - Update dependencies
• PR #3237 - @phillebaba - Move bootstrap package from internal to pkg
• PR #3236 - @stefanprodan - ci: Refactor GitHub workflows
• PR #3232 - @eddie-knight - Additional workflow permissions tweaks
• PR #3231 - @eddie-knight - Adjusted workflow permissions
• PR #3229 - @stefanprodan - RFC-0002: Add Cosign verification for Helm OCI charts
• PR #3224 - @developer-guy - Add diff artifact command
• PR #3220 - @stefanprodan - Only run e2e tests for Dependabot PRs
• PR #3219 - @dependabot[bot] - Bump github/codeql-action from 1 to 2
• PR #3218 - @dependabot[bot] - Bump peter-evans/create-pull-request from 3 to 4
• PR #3217 - @dependabot[bot] - Bump hashicorp/setup-terraform from 1 to 2.0.2
• PR #3216 - @stefanprodan - Enable Dependabot for GitHub Actions
• PR #3214 - @eddie-knight - Added ArtifactHub badge
• PR #3213 - @stefanprodan - Add FOSSA license scanning badge
• PR #3198 - @phillebaba - Add nop logger
• PR #3197 - @phillebaba - Move uninstall code to pkg
• PR #3190 - @developer-guy - Accept a file path as input for flux build|push artifact
• PR #3187 - @fluxcdbot - Update toolkit components
• PR #3174 - @phillebaba - Update libgit2 version in Azure e2e tests
• PR #3162 - @somtochiama - Update golden file for get source oci
• PR #3161 - @stefanprodan - Update RFC-0003 implementation history

v0.35.0

Highlights

Flux v0.35.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Breaking changes

Strict validation rules have been put in place for API fields which define a time duration, such as .spec.interval. Effectively, this means values without a time unit (e.g. ms, s, m, h) will now be rejected by the API server.

Features and improvements

• Verify OCI artifacts signed by Cosign (including keyless) with OCIRepository.spec.verify.
• Allow pulling Helm charts dependencies from HTTPS repositories with mixed self-signed TLS and public CAs.
• Allow pulling Helm charts from OCI artifacts stored at the root of AWS ECR.
• Allow running bootstrap for insecure HTTP Git servers with flux bootstrap git --allow-insecure-http --token-auth.
• Improve health checking for global objects such as ClusterClass, GatewayClass, StorageClass, etc.
• The controllers and the Flux CLI are now built with Go 1.19.

For more information on OCI and Cosign support please see the Flux documentation.

Components changelog

• source-controller v0.30.0
• kustomize-controller v0.29.0
• helm-controller v0.25.0
• notification-controller v0.27.0
• image-reflector-controller v0.22.0
• image-automation-controller v0.26.0

CLI Changelog

• PR #3154 - @stefanprodan - [RFC-0003] Add Cosign keyless specification
• PR #3153 - @stefanprodan - Build with Go 1.19
• PR #3149 - @fluxcdbot - Update toolkit components
• PR #3145 - @stefanprodan - Add component label for controllers and their CRDs
• PR #3117 - @carlosonunez-vmw - Maintain original scheme when using --token-auth
• PR #3098 - @Santosh1176 - [Grafana] Use container_memory_working_set_bytes to report memory consumption