Skip to content

feat(github-release): update release fluxcd/flux2 ( v2.8.8 → v2.9.1 )#4017

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/fluxcd-flux2-2.x
Open

feat(github-release): update release fluxcd/flux2 ( v2.8.8 → v2.9.1 )#4017
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/fluxcd-flux2-2.x

Conversation

@renovate

@renovate renovate Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Update Change
fluxcd/flux2 minor v2.8.8v2.9.1

Release Notes

fluxcd/flux2 (fluxcd/flux2)

v2.9.1

Compare Source

v2.9.0

Compare Source

Highlights

Flux v2.9.0 is a feature release. Users are encouraged to upgrade for the best experience.

For a compressive overview of new features and API changes included in this release, please refer to the Announcing Flux 2.9 GA blog post.

Overview of the new features:

  • Flux CLI Plugin System with the Mirror and Schema plugins (flux plugin)
  • Server-Side Apply field ignore rules for fine-grained drift control (Kustomization)
  • SOPS decryption with the Age post-quantum cipher (Kustomization)
  • Kubernetes Workload Identity authentication for OpenBao and Vault (Kustomization)
  • Helm post-render strategies, including chart hooks support (HelmRelease)
  • Literal mode for Helm values references mirroring helm --set-literal (HelmRelease)
  • Allow empty kind in CEL health check expressions (Kustomization, HelmRelease)
  • Git commit signing and verification with SSH keys (GitRepository, ImageUpdateAutomation)
  • AWS CodeCommit authentication using Workload Identity (GitRepository)
  • Custom Sigstore trusted root for keyless verification in air-gapped environments (OCIRepository)
  • Path pattern directory discovery for monorepos (ArtifactGenerator)
  • Secret-less, OIDC-secured webhook Receivers (Receiver)

❤️ Big thanks to all the Flux contributors that helped us with this release!

Kubernetes compatibility

This release is compatible with the following Kubernetes versions:

Kubernetes version Minimum required
v1.34 >= 1.34.1
v1.35 >= 1.35.0
v1.36 >= 1.36.0

[!NOTE]
Note that the Flux project offers support only for the latest three minor versions of Kubernetes.
Backwards compatibility with older versions of Kubernetes and OpenShift is offered by vendors such as
ControlPlane that provide enterprise support for Flux.

OpenShift compatibility

Flux can be installed on Red Hat OpenShift cluster directly from OperatorHub using Flux Operator. The operator allows the configuration of Flux multi-tenancy lockdown, network policies, persistent storage, sharding, vertical scaling and the synchronization of the cluster state from Git repositories, OCI artifacts, and S3-compatible storage.

Upgrade procedure

⚠️ The Flux APIs image.toolkit.fluxcd.io/v1beta2 and notification.toolkit.fluxcd.io/v1beta2
have reached end-of-life and have been removed from the CRDs.

Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from older versions of Flux to v2.9.

Components changelog

CLI changelog

New Contributors

Full Changelog: fluxcd/flux2@v2.8.0...v2.9.0


Configuration

📅 Schedule: (in timezone America/Chicago)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

claude[bot]
claude Bot previously approved these changes Jun 30, 2026

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

flux2 (gotk-components.yaml): v2.8.8 → v2.9.0

Verdict: Safe to merge

This bumps the Flux GitOps runtime manifests (CRDs + RBAC + controller Deployments) from v2.8.8 to v2.9.0, a feature release. Sub-component images move: source-controller v1.9.0→v1.9.1, kustomize-controller v1.9.0→v1.9.1, helm-controller v1.6.0→v1.6.1, notification-controller v1.9.0→v1.9.1 (all four are patch releases dated 2026-06-30, adding kubectl categories to their CRDs and documenting CLI options — no functional changes). The CRD schema changes in the diff (new optional fields, dropped kind requirement in a couple of validations) come from the v1.9.0/v1.6.0 minor releases that this PR's CRD manifests are catching up to.

Breaking changes (researched, not applicable to this repo):

  • notification-controller v1.9.0 removed the deprecated notification.toolkit.fluxcd.io/v1beta2 API (Alert/Provider/Receiver). Checked all 4 Alert/Provider manifests in flux-system-extra/github-alerts/ and flux-system-extra/discord-alerts/ — all already use v1beta3. No Receiver resources exist in the repo. Not actionable.
  • notification-controller v1.9.0 also enforces CVE-2026-40109 by requiring email/audience fields on GCR Receiver secrets — repo has no Receiver resources at all, not applicable.
  • kustomize-controller v1.9.0 enables the StrictPostBuildSubstitutions feature gate by default: reconciliation now fails if a ${VAR} referenced in manifests has no default and is missing from postBuild.substituteFrom. The repo's single root Kustomization (flux-system/gotk-sync.yaml) sources cluster-settings ConfigMap and cluster-secrets Secret. I cross-checked every ${VAR} reference found across the tree (SECRET_DOMAIN, SECRET_VOLSYNC_*, SECRET_AUTH_*, SVC_NGINX_*, etc.) against the keys defined in flux-system-extra/cluster/cluster-settings.yaml and cluster-secrets.sops.yaml — all referenced variables are defined. Not actionable.
  • helm-controller v1.6.0 changed the default Helm post-render strategy to combined (Helm v4.2 alignment) via the new .spec.postRenderStrategy field — this is a real behavioral change, but the repo is already running the helm-controller:v1.6.0 image (visible as the pre-PR value in the diff), so this behavior is already in effect on the cluster today and is not newly introduced by this PR. No HelmRelease in the repo sets postRenderers, which is the feature this mainly affects.

New features worth adopting (optional, no action required):

  • .spec.ignore on Kustomization — JSON-pointer-scoped drift-detection ignore rules, could simplify any future need to ignore mutated fields (e.g. webhook-injected fields) without disabling drift detection entirely.
  • .spec.postBuild.substituteStrategy: Always — only useful if a Kustomization's substitutions are all default-valued; not relevant to the current single root Kustomization.
  • Provider.spec.certSecretRef now supports full mTLS (ca.crt + tls.crt + tls.key), not just CA-only — not currently used by the github/discord Providers in this repo.

Sources consulted:

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown

Claude Review Usage

When (UTC) Version Model Turns Cost
2026-06-30 16:52 2.8.8 -> 2.9.0 claude-sonnet-4-6 27 $1.0087
2026-07-07 14:54 2.8.8 -> 2.9.1 claude-sonnet-4-6 19 $0.6166

| datasource      | package      | from   | to     |
| --------------- | ------------ | ------ | ------ |
| github-releases | fluxcd/flux2 | v2.8.8 | v2.9.1 |


Signed-off-by: Winston R. Milling <wrmilling@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/fluxcd-flux2-2.x branch from ffa7f07 to 9f5b5c9 Compare July 7, 2026 14:52
@renovate renovate Bot changed the title feat(github-release): update release fluxcd/flux2 ( v2.8.8 → v2.9.0 ) feat(github-release): update release fluxcd/flux2 ( v2.8.8 → v2.9.1 ) Jul 7, 2026
@claude claude Bot dismissed their stale review July 7, 2026 14:54

Superseded by updated review

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fluxcd/flux2: v2.8.8 → v2.9.1

Verdict: Safe to merge

This PR upgrades the Flux GitOps runtime manifests (flux-system/gotk-components.yaml) from v2.8.8 to v2.9.1. Compared to the prior review (which covered v2.9.0), the key difference is the v2.9.1 patch release — a same-day bugfix drop that is directly relevant to this repo.

What changed since v2.9.0 (the incremental delta)

Sub-component images updated: source-controller v1.9.0→v1.9.2, kustomize-controller v1.9.0→v1.9.2, helm-controller v1.6.0→v1.6.2, notification-controller v1.9.0→v1.9.2.

v2.9.1 fixes (all four controllers):

  • All Flux CRDs are now annotated with kustomize.toolkit.fluxcd.io/substitute: disabled, preventing Kustomizations with post-build substitution from corrupting CRD schemas containing ${...} sequences. This is directly relevant to this repo: flux-system/gotk-sync.yaml uses postBuild.substituteFrom (sourcing cluster-settings and cluster-secrets), and flux-system/gotk-components.yaml lives under the root path ./ that the Kustomization applies. Without this annotation, the CRD schemas with embedded ${...} patterns could be mangled during reconciliation.
  • kustomize-controller: SOPS dependency updated to fix .ini file decryption (no .ini SOPS files in this repo — not applicable, but harmless).
  • kustomize-controller: Dry-run error fixed where applying a resource with a strategic merge patch could fail with <resource> is invalid (general reliability improvement).
  • CLI: Fix for a breaking change in the in-memory Kustomization build (not used by this repo).

Breaking changes from v2.9.0 (re-confirmed not applicable)

  • notification/v1beta2 API removal: All four Alert/Provider resources in flux-system-extra/github-alerts/ and flux-system-extra/discord-alerts/ already use notification.toolkit.fluxcd.io/v1beta3. No Receiver resources exist in the repo.
  • GCR Receiver email/audience enforcement (CVE-2026-40109): No Receiver resources in this repo.
  • StrictPostBuildSubstitutions enabled by default (kustomize-controller v1.9.0): The root Kustomization references cluster-settings and cluster-secrets; all ${VAR} references in the tree are covered by those sources (verified in the prior review — no change in this PR).
  • Helm post-render strategy default changed to combined (helm-controller v1.6.0): Already in effect on the cluster since v1.6.0 was the pre-PR image version. No HelmRelease in this repo sets postRenderers.

Not applicable to this repo:

  • source-controller v1.9.2: Registry auth token caching during Notation verification — performance improvement only, no behavior change for this repo's OCI sources.

Sources consulted:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants