Releases: fluxcd/flux2
v0.31.0
Highlights
Flux v0.31.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.
Breaking changes
Flux is no longer compatible with kubeconfigs using client.authentication.k8s.io/v1alpha1; this API version was deprecated and removed in Kubernetes 1.24. Please follow these instructions on how to update kubeconfig to client.authentication.k8s.io/v1beta1.
New features
- Pull Helm charts from container registries by configuring Helm repositories with type: oci. For more information please see the Helm OCI documentation.
- Trigger GitHub Actions workflows from Flux by configuring alerting providers with type: githubdispatch. For more information please see the GitHub dispatch provider documentation.
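The two features above wired together as manifests. This is an added example, not code from the Flux project or from these release notes; the registry path ghcr.io/example-org/charts, the chart name podinfo, the Secret names ghcr-pull and github-token, and the repository example-org/gitops are assumptions.

```yaml
# Added example (not Flux project code). Assumed names: ghcr.io/example-org/charts,
# chart "podinfo", Secrets "ghcr-pull" and "github-token", repo example-org/gitops.
#
# Registry credentials are expected in a kubernetes.io/dockerconfigjson Secret,
# e.g. created with:
#   kubectl -n flux-system create secret docker-registry ghcr-pull \
#     --docker-server=ghcr.io --docker-username=<user> --docker-password=<token>
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: charts
  namespace: flux-system
spec:
  type: oci                              # new in this release
  interval: 5m
  url: oci://ghcr.io/example-org/charts  # OCI repositories must use the oci:// scheme
  secretRef:
    name: ghcr-pull                      # only needed for private registries
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: podinfo
  namespace: default
spec:
  interval: 10m
  chart:
    spec:
      chart: podinfo                     # chart is resolved as <url>/<chart>
      version: "6.x"                     # semver range; pin exactly in production
      sourceRef:
        kind: HelmRepository
        name: charts
        namespace: flux-system
---
# Provider of the new githubdispatch type: every event it receives becomes a
# repository_dispatch event on the referenced GitHub repository.
apiVersion: notification.toolkit.fluxcd.io/v1beta1
kind: Provider
metadata:
  name: github-dispatch
  namespace: flux-system
spec:
  type: githubdispatch
  address: https://github.com/example-org/gitops
  secretRef:
    name: github-token                   # Secret with a "token" key holding a GitHub token
---
apiVersion: notification.toolkit.fluxcd.io/v1beta1
kind: Alert
metadata:
  name: podinfo-dispatch
  namespace: flux-system
spec:
  providerRef:
    name: github-dispatch
  eventSeverity: info                    # info is required to forward successful upgrades, not only errors
  eventSources:
    - kind: HelmRelease
      name: podinfo
      namespace: default
```

The GitHub token used by the dispatch provider can trigger any workflow in the target repository that listens for repository_dispatch, so scope it to that single repository, keep the Secret in flux-system only, and have the receiving workflow validate the event payload before acting on it. The pull secret likewise only needs read access to the chart repository.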
New guides
- Promote Flux Helm Releases with GitHub Actions.
- Using Flux on GKE with Google Cloud Source Repositories.
- Monitoring Flux logs with Loki and Grafana.
New improvements and fixes
- Starting with this version, all Flux controllers conform to the Kubernetes API Priority and Fairness.
- Add support for configuring the authentication to AWS KMS, Azure Key Vault and Google Cloud KMS on multi-tenant clusters.
- The Git reconciliation has been made more efficient by adding support for no-op clones that should reduce the outbound traffic substantially.
- The libgit2 managed transport feature has been enabled by default to improve the Azure DevOps and AWS CodeCommit Git operations.
- Fix an issue where the token used for Helm operations would go stale if it was provided using a Bound Service Account Token Volume.
- Update the controllers and CLI dependencies to Kubernetes v1.24, Kustomize v4.5.5 and Helm v3.9.0.
Components changelog
- source-controller v0.25.0, v0.25.1, v0.25.3
- kustomize-controller v0.26.0
- helm-controller v0.22.0
- notification-controller v0.24.0
- image-reflector-controller v0.19.0
- image-automation-controller v0.23.0
CLI Changelog
- PR #2809 - @fluxcdbot - Update source-controller to v0.25.3
- PR #2807 - @stefanprodan - Update dependencies
- PR #2806 - @stefanprodan - monitoring: Add Grafana Loki HR and Flux logs dashboard
- PR #2802 - @stefanprodan - Add --kubeconfig-secret-ref to flux create ks|hr
- PR #2801 - @stefanprodan - e2e: Update ARM64 runners to Kubernetes 1.24
- PR #2796 - @fluxcdbot - Update toolkit components
- PR #2792 - @somtochiama - Handle multi-doc yaml for flux build
- PR #2787 - @vipulnewaskar7 - Add --allow-insecure-http to bootstrap git
- PR #2782 - @stefanprodan - Refactor Flux Prometheus monitoring stack
- PR #2781 - @makkes - Add OCI support to create source helm
- PR #2778 - @stefanprodan - Update go-git-providers to v0.6.0
- PR #2775 - @fluxcdbot - Update toolkit components
- PR #2773 - @stefanprodan - Update dependencies
- PR #2769 - @stefanprodan - Update Go to 1.18 in CI
- PR #2767 - @takirala - Add --ignore-paths flag to flux create source (git|bucket)
- PR #2764 - @hiddeco - Ensure proper FS root is set while bootstrapping
- PR #2748 - @makkes - fix e2e tests
- PR #2747 - @dholbach - Move MAINTAINERS to f/community
- PR #2727 - @cr1cr1 - grafana: display exported ns, slight resizing, default sorting by state
v0.30.2
Flux v0.30.2 is a patch release with further patches around working with the macOS file-system.
Note that v0.29.0 included breaking changes, and v0.30.0 new features.
CLI Changelog
- PR #2703 - @aryan9600 - Modify tmp dir generation to be absolute on all OSes
- PR #2701 - @stefanprodan - Grant service account read-only access to controllers
v0.30.1
Flux v0.30.1 is a patch release fixing a regression bug introduced in v0.30.0, which prevented macOS users from upgrading Flux using bootstrap due to FS security constraints.
Note that v0.29.0 included breaking changes, and v0.30.0 new features.
CLI Changelog
- PR #2700 - @stefanprodan - MacOS: fix bootstrap manifest generation
v0.30.0
Flux v0.30.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.
Note that v0.29.0 included breaking changes.
Features and improvements
Support for disabling remote bases in Kustomize overlays
This release adds support to the kustomize-controller for disallowing remote bases in Kustomize overlays using --no-remote-bases=true (default: false). When this flag is enabled on the controller, all resources must refer to local files included in the Source Artifact, meaning only the Flux Sources can affect the cluster state. Users are advised to enable it on production systems for security and performance reasons.
Support for defining a KubeConfig Secret data key
Both Kustomization and HelmRelease resources now accept a .spec.kubeConfig.secretRef.key definition. When the value is specified, the KubeConfig is retrieved from this data key in the referred Secret, instead of the defaults (value or value.yaml).
Support for defining a ServiceAccountName in ImageRepository objects
The ImageRepository object now accepts a .spec.serviceAccountName definition. When specified, the image pull secrets attached to the ServiceAccount are used to authenticate towards the registry.
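An ImageRepository that authenticates through a ServiceAccount's pull secrets rather than a direct secretRef, as an added example (not Flux project code). The ServiceAccount name image-scanner, the Secret name registry-pull and the image registry.example.com/team/app are assumptions.

```yaml
# Added example (not Flux project code). Assumed names: ServiceAccount "image-scanner",
# pull Secret "registry-pull" (kubernetes.io/dockerconfigjson, assumed to exist),
# image registry.example.com/team/app.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: image-scanner
  namespace: flux-system
imagePullSecrets:
  - name: registry-pull          # the reflector reads the pull secrets listed here
---
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageRepository
metadata:
  name: app
  namespace: flux-system
spec:
  image: registry.example.com/team/app
  interval: 10m
  serviceAccountName: image-scanner   # new in this release; replaces a direct secretRef
```

This lets the same pull secret that workloads already use for imagePullSecrets also serve tag scanning, so registry credentials live in one place. The ServiceAccount and the ImageRepository must be in the same namespace, since the controller resolves the ServiceAccount relative to the object.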
Components Changelog
- kustomize-controller to v0.25.0
- helm-controller to v0.21.0
- image-reflector-controller to v0.18.0
- source-controller to v0.24.4
- notification-controller to v0.23.5
- image-automation-controller to v0.22.1
CLI Changelog
v0.29.5
Flux v0.29.5 is a patch release which improves the Condition handling of HelmRepository resources, and the handling of file formats while decrypting Secret generator entries with SOPS, to ensure encrypted files in format A can be decrypted to target format B.
In addition, we now recover from Kustomize build panics to guarantee continuity of operations when running into invalid object data.
Note that v0.29.0 includes breaking changes.
Components Changelog
CLI Changelog
- PR #2686 - @fluxcdbot - Update toolkit components
v0.29.4
Flux v0.29.4 is a patch release with memory consumption improvements for the reconciliation of HelmRepository resources.
Note that v0.29.0 includes breaking changes.
Components Changelog
- source-controller to v0.24.2
CLI Changelog
- PR #2679 - @fluxcdbot - Update toolkit components
v0.29.3
Flux v0.29.3 is a patch release which fixes a regression bug where the source-controller would panic in edge-case scenarios, still to be identified, in which a HelmRepository Artifact would not have a Size.
In addition, the flags for configuring the exponential back-off retry have been made available in the kustomize-controller.
Note that v0.29.0 includes breaking changes.
Components Changelog
CLI Changelog
- PR #2668 - @fluxcdbot - Update toolkit components
v0.29.2
Flux v0.29.2 is a patch release that comes with dependency updates to please static security analyzers.
Note that v0.29.0 includes breaking changes.
Components Changelog
CLI Changelog
- PR #2662 - @fluxcdbot - Update toolkit components
v0.29.1
v0.29.0
Flux v0.29.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.
Breaking changes
source-controller
- From this release on, the RUNTIME_NAMESPACE environment variable is no longer taken into account to configure the advertised HTTP/S address of the storage. Instead, variable substitution must be used, as described in the changelog entry for v0.5.2.
- Use of file-based KubeConfig options is now permanently disabled (e.g. TLSClientConfig.CAFile, TLSClientConfig.KeyFile, TLSClientConfig.CertFile and BearerTokenFile). The driver behind the change was to discourage the insecure practice of mounting Kubernetes tokens inside the controller's container file system.
- Use of TLSClientConfig.Insecure in a KubeConfig file is disabled by default, but can be enabled at controller level with the flag --insecure-kubeconfig-tls.
- Use of ExecProvider in a KubeConfig file is now disabled by default, but can be enabled at controller level with the flag --insecure-kubeconfig-exec.
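A KubeConfig Secret that satisfies the restrictions above, referenced from a Kustomization through the custom data key introduced in v0.30.0. This is an added example, not code from the Flux project or these release notes; the Secret name prod-kubeconfig, the data key prod.kubeconfig, the API server address and the Kustomization name prod-apps are assumptions, and the angle-bracket placeholders stand for real base64 CA data and a real token.

```yaml
# Added example (not Flux project code). Assumed names: Secret "prod-kubeconfig",
# data key "prod.kubeconfig", Kustomization "prod-apps", server prod.example.internal.
---
apiVersion: v1
kind: Secret
metadata:
  name: prod-kubeconfig
  namespace: flux-system
stringData:
  # Custom key; selected via .spec.kubeConfig.secretRef.key below.
  # Without "key", the controller looks for "value" or "value.yaml".
  prod.kubeconfig: |
    apiVersion: v1
    kind: Config
    current-context: prod
    clusters:
      - name: prod
        cluster:
          server: https://prod.example.internal:6443
          # Inline CA bundle. "certificate-authority: <path>" (CAFile) is now rejected,
          # and "insecure-skip-tls-verify: true" is rejected unless the controller
          # runs with --insecure-kubeconfig-tls.
          certificate-authority-data: <base64 PEM>
    users:
      - name: flux
        user:
          # Inline bearer token. "tokenFile", "client-certificate"/"client-key" paths
          # and "exec" plugins are rejected (exec can be re-enabled with
          # --insecure-kubeconfig-exec, at the cost of running arbitrary binaries
          # inside the controller).
          token: <service-account token of a least-privilege account on the prod cluster>
    contexts:
      - name: prod
        context:
          cluster: prod
          user: flux
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: prod-apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./clusters/prod
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  kubeConfig:
    secretRef:
      name: prod-kubeconfig
      key: prod.kubeconfig        # v0.30.0: pick the data key explicitly
```

If any path-based or exec-based entry remains in the embedded kubeconfig, the Kustomization or HelmRelease fails to reconcile and reports the rejection in its Ready condition rather than silently falling back to the in-cluster credentials, which is the intended behaviour. The same kubeConfig block applies to a HelmRelease.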
Features and improvements
Notification Improvements
A new notification is now emitted to identify recovery from failures. It is triggered when a failed reconciliation is followed by a successful one, and the notification message is the same that's sent in usual successful source reconciliation message about the stored artifact.
In-memory cache for HelmRepository
The opt-in in-memory cache for HelmRepository addresses issues where the index file is loaded and unmarshalled in concurrent reconciliations, resulting in a heavy memory footprint. It can be configured using the flags --helm-cache-max-size, --helm-cache-ttl and --helm-cache-purge-interval.
Configurable retention of Source Artifacts
Garbage Collection is enabled by default, and its retention options are now configurable with the flags --artifact-retention-ttl (default: 60s) and --artifact-retention-records (default: 2). They define the minimum time to live and the maximum number of artifacts to survive a collection.
Configurable Key Exchange Algorithms for SSH connections
The Key Exchange Algorithms used when establishing SSH connections are based on the defaults configured upstream in go-git and golang.org/x/crypto. They can now be overridden with the flag --ssh-kex-algos. Note this applies to the go-git gitImplementation, and to the libgit2 gitImplementation only when Managed Transport is being used.
Configurable Exponential Back-off retry settings
The exponential back-off retry can be configured with the new flags --min-retry-delay (default: 750ms) and --max-retry-delay (default: 15min). Previously the defaults were set to 5ms and 1000s, which in some cases impaired the controller's ability to self-heal (e.g. retrying failing SSH connections).
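How these controller flags are set in a bootstrapped cluster, covering the source-controller flags introduced here (Helm cache, artifact retention, retry delays, SSH key exchange) as well as the kustomize-controller --no-remote-bases flag from v0.30.0. This is an added example, not code from the Flux project or these release notes: it is the flux-system/kustomization.yaml that flux bootstrap generates, extended with JSON patches on the controller Deployments. The flag values, the curve25519 key exchange list and the 30-day artifact retention are assumptions chosen for illustration, not recommended defaults.

```yaml
# Added example (not Flux project code): clusters/<name>/flux-system/kustomization.yaml
# as generated by "flux bootstrap", plus patches that append controller flags.
# The flag values below are illustrative assumptions.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patches:
  # kustomize-controller (v0.30.0): refuse remote bases so only Flux Sources
  # can introduce manifests into the cluster.
  - target:
      kind: Deployment
      name: kustomize-controller
    patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --no-remote-bases=true
  # source-controller (v0.29.0): cache, retention, retry and SSH KEX tuning.
  - target:
      kind: Deployment
      name: source-controller
    patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --helm-cache-max-size=20
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --helm-cache-ttl=15m
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --helm-cache-purge-interval=5m
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --artifact-retention-ttl=5m
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --artifact-retention-records=5
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --min-retry-delay=1s
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --max-retry-delay=5m
      # Restrict SSH key exchange to modern algorithms; the server must offer one of them,
      # otherwise every SSH-based GitRepository fails to reconcile.
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --ssh-kex-algos=curve25519-sha256,curve25519-sha256@libssh.org
```

Because the file lives in the Git repository Flux itself reconciles, the patches are applied on the next sync and survive future flux bootstrap runs. Check the result with kubectl -n flux-system get deploy source-controller -o jsonpath='{.spec.template.spec.containers[0].args}' before relying on the new behaviour, and keep --ssh-kex-algos in line with what the Git servers actually support.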
Experimental managed transport for libgit2 Git implementation
Managed Transport for libgit2 now introduces self-healing capabilities, to recover from failure when long-running connections become stale.
SOPS refactored and optimized
SOPS implementation was refactored to include various improvements and extended code coverage. Age identities are now imported once and reused multiple times, optimizing CPU and memory usage between decryption operations.
Helm chart directory loader improvements
Introduction of a secure directory loader which improves the handling of Helm charts paths.
Components Changelog
- helm-controller to v0.20.1
- kustomize-controller to v0.24.0
- source-controller to v0.24.0
- notification-controller to v0.23.3
- image-reflector-controller to v0.17.2
- image-automation-controller to v0.22.0
Other changes since last minor release:
CLI Changelog
- PR #2652 - @fluxcdbot - Update toolkit components
- PR #2649 - @hiddeco - Update dependencies
- PR #2646 - @aryan9600 - Handle secret types properly while masking sops data
- PR #2631 - @canidam - bootstrap git: Allow the password to be specified with GIT_PASSWORD env var
- PR #2624 - @kingdonb - Add detail to delete docs
- PR #2617 - @fluxcdbot - Update toolkit components
- PR #2616 - @somtochiama - Add cli flags for chart interval and reconcile strategy
- PR #2611 - @souleb - Add an option to diff with a local Flux Kustomization file
- PR #2609 - @darkowlzz - monitoring-config: set grafana dashboards labelValues
- PR #2607 - @souleb - [Diff] Update pkg/kustomize to v0.1.0
- PR #2597 - @stefanprodan - [RFC-0002] Flux OCI support for Helm