v0.30.0

Flux v0.30.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Note that v0.29.0 included breaking changes.

Features and improvements

Support for disabling remote bases in Kustomize overlays

This release adds support to the kustomize-controller for disallowing remote bases in Kustomize overlays using --no-remote-bases=true (default: false). When this flag is enabled on the controller, all resources must refer to local files included in the Source Artifact, meaning only the Flux Sources can affect the cluster-state. Users are advised to enable it on production systems for security and performance reasons.

Support for defining a KubeConfig Secret data key

Both Kustomization and HelmRelease resources do now accept a .spec.kubeConfig.SecretRef.key definition. When the value is specified, the KubeConfig JSON is retrieved from this data key in the referred Secret, instead of the defaults (value or value.yaml).

Support for defining a ServiceAccountName in ImageRepository objects

The ImageRepository object does now accept a .spec.serviceAccountName definition. When specified, the image pull secrets attached to the ServiceAccount are used to authenticate towards the registry.

Components Changelog

• kustomize-controller to v0.25.0
• helm-controller to v0.21.0
• image-reflector-controller to v0.18.0
• source-controller to v0.24.4
• notification-controller to v0.23.5
• image-automation-controller to v0.22.1

CLI Changelog

• PR #2651 - @hiddeco - kustomize: use FS from fluxcd/pkg
• PR #2698 - @hiddeco - Update dependencies
• PR #2695 - @fluxcdbot - Update toolkit components

v0.29.5

Flux v0.29.5 is patch release which improves the Condition handling of HelmRepository resources, and handling of file formats while decrypting Secret generator entries with SOPS to ensure encrypted files in format A can be decrypted to target format B.

In addition, we now recover from Kustomize build panics to guarantee continuity of operations when running into invalid object data.

Note that v0.29.0 includes breaking changes.

Components Changelog

• source-controller to v0.24.3
• kustomize-controller to v0.24.4

CLI Changelog

• PR #2686 - @fluxcdbot - Update toolkit components

v0.29.4

Flux v0.29.4 is patch release with memory consumption improvements for the reconciliation of HelmRepository resources.

Note that v0.29.0 includes breaking changes.

Components Changelog

• source-controller to v0.24.2

CLI Changelog

• PR #2679 - @fluxcdbot - Update toolkit components

v0.29.3

Flux v0.29.3 is patch release which fixes a regression bug where the source-controller would panic in further to be identified edge-case scenarios in which a HelmRepository Artifact would not have a Size.

In addition, the flags for configuring the exponential back-off retry have been made available in the kustomize-controller.

Note that v0.29.0 includes breaking changes.

Components Changelog

• source-controller to v0.24.1
• kustomize-controller to v0.24.3

CLI Changelog

• PR #2668 - @fluxcdbot - Update toolkit components

v0.29.2

Flux v0.29.2 is patch release that comes with dependency updates to please static security analyzers.

Note that v0.29.0 includes breaking changes.

Components Changelog

• kustomize-controller to v0.24.2
• notification-controller to v0.23.4

CLI Changelog

• PR #2662 - @fluxcdbot - Update toolkit components

v0.29.1

Flux v0.29.1 is patch release that comes with a regression bug fix for Kustomizations files that contain remote references.

Note that v0.29.0 includes breaking changes.

Components Changelog

• kustomize-controller to v0.24.1

CLI Changelog

• PR #2657 - @hiddeco - Update kustomize-controller to v0.24.1

v0.29.0

Flux v0.29.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Breaking changes

source-controller

• From this release on, the RUNTIME_NAMESPACE environment variable is no longer taken into account to configure the advertised HTTP/S
  address of the storage. Instead, variable substitution must be used, as described in the changelog entry for v0.5.2.
• Use of file-based KubeConfig options are now permanently disabled (e.g. TLSClientConfig.CAFile, TLSClientConfig.KeyFile, TLSClientConfig.CertFile and BearerTokenFile). The drive behind the change was to discourage insecure practices of mounting Kubernetes tokens inside the controller's container file system.
• Use of TLSClientConfig.Insecure in KubeConfig file is disabled by default, but can be enabled at controller level with the flag --insecure-kubeconfig-tls.
• Use of ExecProvider in KubeConfig file is now disabled by default, but can be enabled at controller level with the flag --insecure-kubeconfig-exec.

Features and improvements

Notification Improvements

A new notification is now emitted to identify recovery from failures. It is triggered when a failed reconciliation is followed by a successful one, and the notification message is the same that's sent in usual successful source reconciliation message about the stored artifact.

In-memory cache for HelmRepository

The opt-in in-memory cache for HelmRepository addresses issues where the index file is loaded and unmarshalled in concurrent reconciliation resulting in a heavy memory footprint. It can be configured using the flags: --helm-cache-max-size, --helm-cache-ttl, --helm-cache-purge-interval.

Configurable retention of Source Artifacts

Garbage Collection is enabled by default, and now its retention options are configurable with the flags: --artifact-retention-ttl (default: 60s) and --artifact-retention-records (default: 2). They define the minimum time to live and the maximum amount of artifacts to survive a collection.

Configurable Key Exchange Algorithms for SSH connections

The Key Exchange Algorithms used when establishing SSH connections are based on the defaults configured upstream in go-git and golang.org/x/crypto. Now this can be overriden with the flag --ssh-kex-algos. Note this applies to the go-git gitImplementation or the libgit2 gitImplementation but only when Managed Transport is being used.

Configurable Exponential Back-off retry settings

The exponential back-off retry can be configured with the new flags: --min-retry-delay (default: 750ms) and --max-retry-delay (default: 15min). Previously the defaults were set to 5ms and 1000s, which in some cases impaired the controller's ability to self-heal (e.g. retrying failing SSH connections).

Experimental managed transport for libgit2 Git implementation

Managed Transport for libgit2 now introduces self-healing capabilities, to recover from failure when long-running connections become stale.

SOPS refactored and optimized

SOPS implementation was refactored to include various improvements and extended code coverage. Age identities are now imported once and reused multiple times, optimizing CPU and memory usage between decryption operations.

Helm chart directory loader improvements

Introduction of a secure directory loader which improves the handling of Helm charts paths.

Components Changelog

• helm-controller to v0.20.1
• kustomize-controller to v0.24.0
• source-controller to v0.24.0
• notification-controller to v0.23.3
• image-reflector-controller to v0.17.2
• image-automation-controller to v0.22.0

Other changes since last minor release:

• helm-controller to v0.19.0
• kustomize-controller to v0.23.0
• source-controller to v0.23.0

CLI Changelog

• PR #2652 - @fluxcdbot - Update toolkit components
• PR #2649 - @hiddeco - Update dependencies
• PR #2646 - @aryan9600 - Handle secret types properly while masking sops data
• PR #2631 - @canidam - bootstrap git: Allow the password to be specified with GIT_PASSWORD env var
• PR #2624 - @kingdonb - Add detail to delete docs
• PR #2617 - @fluxcdbot - Update toolkit components
• PR #2616 - @somtochiama - Add cli flags for chart interval and reconcile strategy
• PR #2611 - @souleb - Add an option to diff with a local Flux Kustomization file
• PR #2609 - @darkowlzz - monitoring-config: set grafana dashboards labelValues
• PR #2607 - @souleb - [Diff] Update pkg/kustomize to v0.1.0
• PR #2597 - @stefanprodan - [RFC-0002] Flux OCI support for Helm

v0.28.5

Flux v0.28.5 is a patch release that comes with various improvements and dependency updates to the controller components. Please consult the changelogs from the list below for a precise overview of changes. Users are (as always) encouraged to upgrade for the best experience.

Note that if you are upgrading from v0.27 you need to follow the Upgrade Flux to the Source v1beta2 API guide.

Components Changelog

• kustomize-controller to v0.22.3
• source-controller to v0.22.5
• image-automation-controller to v0.21.3
• notification-controller to v0.23.2

CLI Changelog

• PR #2594 - @fluxcdbot - Update toolkit components
• PR #2584 - @souleb - Diff: Update homeport/Dyff to v1.5.2

v0.28.4

Flux v0.28.4 is a patch release that comes with improvements to the experimental managed transport's overall stability. Users are encouraged to upgrade for the best experience.

Note that if you are upgrading from v0.27 you need to follow the Upgrade Flux to the Source v1beta2 API guide.

Components Changelog

• source-controller to v0.22.4
• image-automation-controller to v0.21.2

CLI Changelog

• PR #2583 - @fluxcdbot - Update toolkit components

v0.28.3

Flux v0.28.3 is patch release that comes with a regression bug fix for SOPS Azure Key Vault decryption. In addition, Kustomize has been updated to v4.5.3 to address an issue with YAML anchors. Users are encouraged to upgrade for the best experience.

Note that if you are upgrading from v0.27 you need to follow the Upgrade Flux to the Source v1beta2 API guide.

Components Changelog

• source-controller to v0.22.3
• kustomize-controller to v0.22.2
• helm-controller to v0.18.2

CLI Changelog

• PR #2577 - @fluxcdbot - Update toolkit components
• PR #2572 - @stefanprodan - Add the kube client qps and burst to the global args