Update dependency fluxcd/flux2 to v0.30.2

This MR contains the following updates:

Package	Update	Change
fluxcd/flux2	minor	v0.25.3 -> v0.30.2
fluxcd/flux2	minor	v0.29.3 -> v0.30.2
fluxcd/flux2	minor	v0.24.1 -> v0.30.2

---

Release Notes

fluxcd/flux2

v0.30.2

Compare Source

Flux v0.30.2 is a patch release with further patches around working with the macOS file-system.

Note that v0.29.0 included breaking changes, and v0.30.0 new features.

CLI Changelog

• MR #​2703 - @​aryan9600 - Modify tmp dir generation to be absolute on all OSes
• MR #​2701 - @​stefanprodan - Grant service account read-only access to controllers

v0.30.1

Compare Source

Flux v0.30.1 is a patch release fixing a regression bug introduced in v0.30.0, which prevented macOS users from upgrading Flux using bootstrap due to FS security constraints.

Note that v0.29.0 included breaking changes, and v0.30.0 new features.

CLI Changelog

• MR #​2700 - @​stefanprodan - MacOS: fix bootstrap manifest generation

v0.30.0

Compare Source

Flux v0.30.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Note that v0.29.0 included breaking changes.

Features and improvements

Support for disabling remote bases in Kustomize overlays

This release adds support to the kustomize-controller for disallowing remote bases in Kustomize overlays using --no-remote-bases=true (default: false). When this flag is enabled on the controller, all resources must refer to local files included in the Source Artifact, meaning only the Flux Sources can affect the cluster-state. Users are advised to enable it on production systems for security and performance reasons.

Support for defining a KubeConfig Secret data key

Both Kustomization and HelmRelease resources do now accept a .spec.kubeConfig.SecretRef.key definition. When the value is specified, the KubeConfig JSON is retrieved from this data key in the referred Secret, instead of the defaults (value or value.yaml).

Support for defining a ServiceAccountName in ImageRepository objects

The ImageRepository object does now accept a .spec.serviceAccountName definition. When specified, the image pull secrets attached to the ServiceAccount are used to authenticate towards the registry.

Components Changelog

• kustomize-controller to v0.25.0
• helm-controller to v0.21.0
• image-reflector-controller to v0.18.0
• source-controller to v0.24.4
• notification-controller to v0.23.5
• image-automation-controller to v0.22.1

CLI Changelog

• MR #​2651 - @​hiddeco - kustomize: use FS from fluxcd/pkg
• MR #​2698 - @​hiddeco - Update dependencies
• MR #​2695 - @​fluxcdbot - Update toolkit components

v0.29.5

Compare Source

Flux v0.29.5 is patch release which improves the Condition handling of HelmRepository resources, and handling of file formats while decrypting Secret generator entries with SOPS to ensure encrypted files in format A can be decrypted to target format B.

In addition, we now recover from Kustomize build panics to guarantee continuity of operations when running into invalid object data.

Note that v0.29.0 includes breaking changes.

Components Changelog

• source-controller to v0.24.3
• kustomize-controller to v0.24.4

CLI Changelog

• MR #​2686 - @​fluxcdbot - Update toolkit components

v0.29.4

Compare Source

Flux v0.29.4 is patch release with memory consumption improvements for the reconciliation of HelmRepository resources.

Note that v0.29.0 includes breaking changes.

Components Changelog

• source-controller to v0.24.2

CLI Changelog

• MR #​2679 - @​fluxcdbot - Update toolkit components

v0.29.3

Compare Source

Flux v0.29.3 is patch release which fixes a regression bug where the source-controller would panic in further to be identified edge-case scenarios in which a HelmRepository Artifact would not have a Size.

In addition, the flags for configuring the exponential back-off retry have been made available in the kustomize-controller.

Note that v0.29.0 includes breaking changes.

Components Changelog

• source-controller to v0.24.1
• kustomize-controller to v0.24.3

CLI Changelog

• MR #​2668 - @​fluxcdbot - Update toolkit components

v0.29.2

Compare Source

Flux v0.29.2 is patch release that comes with dependency updates to please static security analyzers.

Note that v0.29.0 includes breaking changes.

Components Changelog

• kustomize-controller to v0.24.2
• notification-controller to v0.23.4

CLI Changelog

• MR #​2662 - @​fluxcdbot - Update toolkit components

v0.29.1

Compare Source

Flux v0.29.1 is patch release that comes with a regression bug fix for Kustomizations files that contain remote references.

Note that v0.29.0 includes breaking changes.

Components Changelog

• kustomize-controller to v0.24.1

CLI Changelog

• MR #​2657 - @​hiddeco - Update kustomize-controller to v0.24.1

v0.29.0

Compare Source

Flux v0.29.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Breaking changes

source-controller

• From this release on, the RUNTIME_NAMESPACE environment variable is no longer taken into account to configure the advertised HTTP/S address of the storage. Instead, variable substitution must be used, as described in the changelog entry for v0.5.2.
• Use of file-based KubeConfig options are now permanently disabled (e.g. TLSClientConfig.CAFile, TLSClientConfig.KeyFile, TLSClientConfig.CertFile and BearerTokenFile). The drive behind the change was to discourage insecure practices of mounting Kubernetes tokens inside the controller's container file system.
• Use of TLSClientConfig.Insecure in KubeConfig file is disabled by default, but can be enabled at controller level with the flag --insecure-kubeconfig-tls.
• Use of ExecProvider in KubeConfig file is now disabled by default, but can be enabled at controller level with the flag --insecure-kubeconfig-exec.

Features and improvements

Notification Improvements

A new notification is now emitted to identify recovery from failures. It is triggered when a failed reconciliation is followed by a successful one, and the notification message is the same that's sent in usual successful source reconciliation message about the stored artifact.

In-memory cache for HelmRepository

The opt-in in-memory cache for HelmRepository addresses issues where the index file is loaded and unmarshalled in concurrent reconciliation resulting in a heavy memory footprint. It can be configured using the flags: --helm-cache-max-size, --helm-cache-ttl, --helm-cache-purge-interval.

Configurable retention of Source Artifacts

Garbage Collection is enabled by default, and now its retention options are configurable with the flags: --artifact-retention-ttl (default: 60s) and --artifact-retention-records (default: 2). They define the minimum time to live and the maximum amount of artifacts to survive a collection.

Configurable Key Exchange Algorithms for SSH connections

The Key Exchange Algorithms used when establishing SSH connections are based on the defaults configured upstream in go-git and golang.org/x/crypto. Now this can be overriden with the flag --ssh-kex-algos. Note this applies to the go-git gitImplementation or the libgit2 gitImplementation but only when Managed Transport is being used.

Configurable Exponential Back-off retry settings

The exponential back-off retry can be configured with the new flags: --min-retry-delay (default: 750ms) and --max-retry-delay (default: 15min). Previously the defaults were set to 5ms and 1000s, which in some cases impaired the controller's ability to self-heal (e.g. retrying failing SSH connections).

Experimental managed transport for libgit2 Git implementation

Managed Transport for libgit2 now introduces self-healing capabilities, to recover from failure when long-running connections become stale.

SOPS refactored and optimized

SOPS implementation was refactored to include various improvements and extended code coverage. Age identities are now imported once and reused multiple times, optimizing CPU and memory usage between decryption operations.

Helm chart directory loader improvements

Introduction of a secure directory loader which improves the handling of Helm charts paths.

Components Changelog

• helm-controller to v0.20.1
• kustomize-controller to v0.24.0
• source-controller to v0.24.0
• notification-controller to v0.23.3
• image-reflector-controller to v0.17.2
• image-automation-controller to v0.22.0

Other changes since last minor release:

• helm-controller to v0.19.0
• kustomize-controller to v0.23.0
• source-controller to v0.23.0

CLI Changelog

• MR #​2652 - @​fluxcdbot - Update toolkit components
• MR #​2649 - @​hiddeco - Update dependencies
• MR #​2646 - @​aryan9600 - Handle secret types properly while masking sops data
• MR #​2631 - @​canidam - bootstrap git: Allow the password to be specified with GIT_PASSWORD env var
• MR #​2624 - @​kingdonb - Add detail to delete docs
• MR #​2617 - @​fluxcdbot - Update toolkit components
• MR #​2616 - @​SomtochiAma - Add cli flags for chart interval and reconcile strategy
• MR #​2611 - @​souleb - Add an option to diff with a local Flux Kustomization file
• MR #​2609 - @​darkowlzz - monitoring-config: set grafana dashboards labelValues
• MR #​2607 - @​souleb - [Diff] Update pkg/kustomize to v0.1.0
• MR #​2597 - @​stefanprodan - [RFC-0002] Flux OCI support for Helm

v0.28.5

Compare Source

Flux v0.28.5 is a patch release that comes with various improvements and dependency updates to the controller components. Please consult the changelogs from the list below for a precise overview of changes. Users are (as always) encouraged to upgrade for the best experience.

Note that if you are upgrading from v0.27 you need to follow the Upgrade Flux to the Source v1beta2 API guide.

Components Changelog

• kustomize-controller to v0.22.3
• source-controller to v0.22.5
• image-automation-controller to v0.21.3
• notification-controller to v0.23.2

CLI Changelog

• MR #​2594 - @​fluxcdbot - Update toolkit components
• MR #​2584 - @​souleb - Diff: Update homeport/Dyff to v1.5.2

v0.28.4

Compare Source

Flux v0.28.4 is a patch release that comes with improvements to the experimental managed transport's overall stability. Users are encouraged to upgrade for the best experience.

Note that if you are upgrading from v0.27 you need to follow the Upgrade Flux to the Source v1beta2 API guide.

Components Changelog

• source-controller to v0.22.4
• image-automation-controller to v0.21.2

CLI Changelog

• MR #​2583 - @​fluxcdbot - Update toolkit components

v0.28.3

Compare Source

Flux v0.28.3 is patch release that comes with a regression bug fix for SOPS Azure Key Vault decryption. In addition, Kustomize has been updated to v4.5.3 to address an issue with YAML anchors. Users are encouraged to upgrade for the best experience.

Note that if you are upgrading from v0.27 you need to follow the Upgrade Flux to the Source v1beta2 API guide.

Components Changelog

• source-controller to v0.22.3
• kustomize-controller to v0.22.2
• helm-controller to v0.18.2

CLI Changelog

• MR #​2577 - @​fluxcdbot - Update toolkit components
• MR #​2572 - @​stefanprodan - Add the kube client qps and burst to the global args

v0.28.2

Compare Source

Flux v0.28.2 is patch release that comes with a regression bug fix for notification spam. Users are encouraged to upgrade for the best experience.

Note that if you are upgrading from v0.27 you need to follow the Upgrade Flux to the Source v1beta2 API guide.

Components Changelog

• kustomize-controller to v0.22.1

CLI Changelog

• MR #​2570 - @​fluxcdbot - Update toolkit components

v0.28.1

Compare Source

Flux v0.28.1 is patch release that comes with a regression bug fix for image update automation. Users are encouraged to upgrade for the best experience.

Note that if you are upgrading from v0.27 you need to follow the Upgrade Flux to the Source v1beta2 API guide.

Components Changelog

• helm-controller to v0.18.1
• source-controller to v0.22.2
• notification-controller to v0.23.1
• image-reflector-controller to v0.17.1
• image-automation-controller to v0.21.1

CLI Changelog

• MR #​2569 - @​fluxcdbot - Update toolkit components

v0.28.0

Compare Source

Flux v0.28.0 comes with new reconcilers for Source kinds and graduates the Flux Source API to v1beta2.

Breaking changes

• From this version on, controllers depending on Source kinds (kustomize-controller, helm-controller and image-automation-controller) do now require the Source v1beta2 Custom Resource Definition to be present on the cluster.

Features and improvements

API specifications in a user-friendly format

The new specifications for the v1beta2 API have been written in a new format with the aim to be more valuable to a user. Featuring separate sections with examples, and information on how to write and work with them.

Artifact now advertises size

The size (in bytes) of a tarball Artifact is now advertised in the Size (.size) field of the Artifact. This can be utilized by users to e.g. quickly see if .sourceignore rules have an effect, or be displayed in a UI.

Azure Blob Storage support for Bucket resources

The .spec.provider of a Bucket resource can now be set to azure to instruct the source-controller to use the Azure Blob Storage SDK while fetching objects. This allows for authenticating using Service Principals, Managed Identities and Shared Keys.

For more information, see the Bucket spec about the Azure provider.

Azure Key Vault multi-tenancy

Kustomization resources making use of SOPS with Azure Key Vault as the backing KMS are now allowed to refer to Azure credentials in the tenant's namespace.

For more information, see the Kustomization spec about Azure Key Vault Secret entries.

Enhanced Kubernetes Conditions

Source API resources will now advertise more explicit Condition types (more about the types in API changes), provide Reconciling and Stalled Conditions where applicable for better integration with kstatus, and record the Observed Generation on the Condition.

For a detailed overview per Source type, refer to the spec:

• GitRepository
• HelmRepository
• HelmChart
• Bucket

Enhanced Kubernetes Events (and notifications)

The Kubernetes Events the source-controller emits have been reworked to provide a proper reason, and more informative messages. Users making use of the notification-controller will notice this as well, as this same information is used to compose notifications.

Experimental managed transport for libgit2 Git implementation

The libgit2 Git implementation supports a new experimental transport to improve reliability, adding timeout enforcement for Git network operations. Opt-in by setting the environment variable EXPERIMENTAL_GIT_TRANSPORT to true in the source-controller and/or image-automation-controller their Deployment.

This will result in the low-level transport being handled by the controller, instead of libgit2. It may result in an increased number of timeout messages in the logs, however it will remove the ability of Git operations to make the controllers hang indefinitely.

Manage cluster addons

A new annotation (kustomize.toolkit.fluxcd.io/ssa: merge) is available for allowing Flux to patch cluster addons such as CoreDNS without the kustomize-controller removing the kubectl managed fields.

For more information, see the Kustomization spec about reconciliation.

Reuse of HTTP/S transport for Helm repository index and chart downloads

The Helm dependency has been updated to v3.8.1, with a patch applied from https://github.com/helm/helm/pull/10568. Using this patch, the HTTP transports are now managed by the source-controller, to prevent the clogging of thousands of open TCP connections on some instances.

Update of libgit2 Git implementation to v1.3.x

The libgit2 Git implementation has been updated to v1.3.x, allowing us to provide better error signals for authentication, certificate and transport failures. Effectively, this means that instead of a unable to clone: User error string, a descriptive one is now given.

In addition, NO_MROXY settings are now properly taken into account.

Preparation of support for rsa-ssh2-256/512

The dependency on golang.org/x/crypto has been updated to v0.0.0-20220315160706-3147a52a75dd, as preparation of support for rsa-ssh2-256/512. This should theoretically work out of the box for known_hosts entries and go-git Git provider credentials, but has not been widely tested.

API changes

The source.toolkit.fluxcd.io/v1beta2 API is backwards compatible with v1beta1.

• Introduction of Reconciling and Stalled Condition types for better integration with kstatus.
• Introduction of new Condition types to provide better signals and failure indications:
  • ArtifactOutdated: indicates the current Artifact of the Source is outdated.
  • SourceVerified: indicates the integrity of the Source has been verified.
  • FetchFailed: indicates a transient or persistent fetch failure of the upstream Source.
  • BuildFailed: indicates a transient or persistent build failure of a Source's Artifact.
  • StorageOperationFailed: indicates a transient or persistent failure related to storage.
  • IncludeUnavailable: indicates an include is not available. For example, because it does not exist, or does not have an Artifact.
• Introduction of a Size (in bytes) field (.status.artifact.size) in the Artifact object.
• Introduction of ObservedChartName (.status.observedChartName) and ObservedSourceArtifactRevision (.status.observedSourceArtifactRevision) fields in the HelmChart Status.
• Introduction of azure provider implementation for Bucket.

Upgrade procedure

To upgrade your cluster, download the Flux CLI binary from the release page and rerun the flux bootstrap command. This will upgrade the Flux components on your cluster to the latest version. Other upgrade options can be found on the docs website.

ℹ️ Note that updating the manifests in Git from source.toolkit.fluxcd.io/v1beta1 to source.toolkit.fluxcd.io/v1beta2 can be done at any time after the Flux components upgrade. All users are encouraged to update the manifests as any deprecated fields will be removed when the next API version will be released. For more information, see post upgrade.

Terrafrom upgrade

When using the Terraform provider for Flux, you have to manually remove the v1beta2 GitRepository from the TF state:

terraform state rm 'kubectl_manifest.sync["source.toolkit.fluxcd.io/v1beta1/gitrepository/flux-system/flux-system"]'

Other upgrade methods

When upgrading without the CLI or Terraform (using e.g. GitHub Actions or RenovateBot), we recommend to bump the GitRepository API version in gotk-sync.yaml to v1beta2.

Post upgrade

After rolling out the upgrade, and when you have confirmed things to be working as expected. Resources in Git which refer to source.toolkit.fluxcd.io/v1beta1 can be updated to refer to source.toolkit.fluxcd.io/v1beta2:

@​@​ -1,4 +1,4 @​@​
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: gitrepository-sample

Components Changelog

• helm-controller to v0.18.0
• kustomize-controller to v0.22.0
• source-controller to v0.22.1
• notification-controller to v0.23.0
• image-reflector-controller to v0.17.0
• image-automation-controller to v0.21.0

CLI Changelog

• MR #​2566 - @​stefanprodan - Fix resume source bucket panic
• MR #​2565 - @​hiddeco - fix: wait for Source objects observed generation
• MR #​2564 - @​stefanprodan - Use absolute domain name for the events address
• MR #​2561 - @​hiddeco - Update toolkit components
• MR #​2559 - @​stefanprodan - Retry bootstrap operations on Git conflict errors
• MR #​2542 - @​fluxcdbot - Update toolkit components
• MR #​2530 - @​stefanprodan - Add components-extra example usage to CLI help
• MR #​2512 - @​souleb - Introduce a printer interface for flux resources
• MR #​2484 - @​cuishuang - all: fix some typos
• MR #​2483 - @​fluxcdbot - Update toolkit components
• MR #​2467 - @​darkowlzz - Update get subcommand column order

v0.27.4

Compare Source

Flux v0.27.4 is a patch release that comes with patches to the Deployment manifest of helm-controller and the-notification controller, to set the .spec.securityContext.fsGroup, which may be required for some EKS setups as reported in https://github.com/fluxcd/flux2/issues/2537. Users are encouraged to upgrade for the best experience.

Components changelog

• helm-controller v0.17.2
• notification-controller v0.22.3

v0.27.3

Compare Source

Flux v0.27.3 is a patch release that comes with improvements to the libgit2 OpenSSL build dependency in image-automation-controller, which fixes some issues related to git server connection leaks. Users are encouraged to upgrade for the best experience.

Components changelog

• image-automation-controller v0.20.1

v0.27.2

Compare Source

Flux v0.27.2 is a patch release that comes with altering improvements. Users are encouraged to upgrade for the best experience.

Improvements:

• Add support for using basic auth when sending alerts to Grafana annotations API
• Allow the proxy address to specified in the Kubernetes Secret referenced in Flux Alerts

Components changelog

• notification-controller v0.22.1 v0.22.2

v0.27.1

Compare Source

Highlights

Flux v0.27.1 is a patch release that comes with fixes and no breaking changes. Users are encouraged to upgrade for the best experience.

Fixes:

• Convert stringData to data before diffing and applying Secrets (workaround for upstream Kubernetes bug)
• Set QPS and Burst when impersonating service account in helm-controller (avoid client-side throttling when upgrading Helm releases containing hundreds of resources)

Components changelog

• kustomize-controller v0.21.1
• helm-controller v0.17.1

CLI changelog

• MR #​2460 - @​fluxcdbot - Update toolkit components
• MR #​2452 - @​souleb - Diff: fix stringData Secret issue
• MR #​2450 - @​SomtochiAma - Add --wait flag to flux resume cmd
• MR #​2448 - @​SomtochiAma - Use metadata.Client for reconcile operations

v0.27.0

Compare Source

Highlights

Flux v0.27.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Breaking changes

• Flux custom resources require their names to follow the DNS label standard as defined in RFC 1123. The metadata.name can only contain lowercase alphanumeric characters or - and must contain at most 63 characters.
• This version introduces a breaking change to the Helm uninstall behavior, as the --wait flag is now enabled by default. Resulting in helm-controller to wait for resources to be deleted while uninstalling a release. Disabling this behavior is possible by setting spec.uninstall.disableWait: true in HelmRelease manifests.

New features and improvements

• Add support to notification-controller for sending events to Grafana annotations API.
• Allow selecting event sources based on labels using the Alert API spec.eventSources[].matchLabels field.
• Add support to kustomize-controller for making the Kubernetes Secrets and ConfigMaps referenced in postBuild.substituteFrom optional.
• Allow dot-prefixed paths to be used for bootstrap e.g. flux bootstrap --path=".flux/clusters/my-cluster".
• All Flux controllers and libraries are now tested by Google's continuous fuzzing for open source software.

Components changelog

• kustomize-controller v0.21.0
• helm-controller v0.17.0
• notification-controller v0.22.0

CLI Changelog

• MR #​2444 - @​fluxcdbot - Update toolkit components
• MR #​2443 - @​SomtochiAma - Validate that object name adheres to RFC 1123 for flux create commands
• MR #​2439 - @​SomtochiAma - Use text/template library instead of html/template for logs
• MR #​2427 - @​souleb - Bootstrap bitbucket-server: Make sure we retrieve the right project
• MR #​2426 - @​foot - Add support for Kustomizations with dot-prefixed paths
• MR #​2425 - @​souleb - Add a simple spinner when running flux diff kustomization

v0.26.3

Compare Source

Highlights

Flux v0.26.3 is a patch release that comes with fixes to bootstrap. Users are encouraged to upgrade for the best experience.

In addition, kustomize-controller was update to be on par with Kustomize v4.5.2 release.

Components changelog

• kustomize-controller v0.20.2

CLI changelog

• MR #​2418 - @​stefanprodan - Fix bootstrap: Reset schema cache after applying CRDs
• MR #​2416 - @​fluxcdbot - Update kustomize-controller to v0.20.2
• MR #​2415 - @​stefanprodan - Add GitRepository namespace arg to flux create image update

v0.26.2

Compare Source

Highlights

Flux v0.26.2 is a patch release that comes with various fixes. Users are encouraged to upgrade for the best experience.

Fixes:

• Fix flux bootstrap race condition
• Fix flux diff kustomization when comparing Kubernetes secrets
• Fix for libgit2 SSH cloning intermittent timeouts
• Fix some edge cases when overriding manual changes made with kubectl apply

In addition, kustomize-controller was updated to be on par with the Kustomize v4.5.1 release.

Components changelog

• source-controller v0.21.2
• kustomize-controller v0.20.1

CLI changelog

• MR #​2398 - @​fluxcdbot - Update toolkit components
• MR #​2397 - @​stefanprodan - Fix bootstrap CRD wait race condition
• MR #​2392 - @​souleb - Mask dockerconfigjson secret types and support StringData secrets
• MR #​2389 - @​souleb - Fix wrong deletion message on flux diff

v0.26.1

Compare Source

Flux v0.26.1 is a patch release that comes with fixes for the flux diff and flux bootstrap commands. Users are encouraged to upgrade for the best experience.

CLI Changelog

• MR #​2382 - @​SomtochiAma - Use client.Patch for suspend/resume operations
• MR #​2380 - @​souleb - Fix panic on bootstrap when orgRef is not retrieved
• MR #​2377 - @​souleb - Fix flux build/diff when parsing SOPS encrypted secrets
• MR #​2376 - @​stefanprodan - e2e: Fix Azure image update automation test
• MR #​2375 - @​souleb - Return exit code 1 when flux diff detects changes
• MR #​2368 - @​stefanprodan - Update dependencies
• MR #​2364 - @​robwittman - Add GPG signing to Github/Gitlab/Bitbucket bootstrap

v0.26.0

Compare Source

Highlights

Flux v0.26.0 comes with new features and improvements. Users are encouraged to upgrade for the best experience.

Breaking changes

• The minimum supported version of Kubernetes is now v1.20.6. Note that Flux may work on Kubernetes 1.19, but we don’t recommend running EOL versions in production.
• On multi-tenant clusters, Flux controllers are now using the native Kubernetes impersonation feature. When both spec.kubeConfig and spec.ServiceAccountName are specified in Flux custom resources, the controllers will impersonate the service account on the target cluster, previously the controllers ignored the service account.

Security enhancements

• Platform admins have the option to lock down Flux on multi-tenant clusters and enforce tenant isolation at namespace level without having to use a 3rd party admission controller.
• The Flux installation conforms to the Kubernetes restricted pod security standard and the Seccomp runtime default security profile was enabled for all controllers.
• The container images of all Flux's components are signed with Cosign and GitHub OIDC.
• Flux releases include a Software Bill of Materials (SBOM) that is available for download on the GitHub release page.

New features and improvements

• Preview local changes against live clusters with the flux diff kustomization command.
• Undo changes made directly on clusters (with kubectl server-side apply) to Flux managed objects.
• Native support for Hashicorp Vault token-based authentication when decrypting SOPS encrypted secrets.
• Auto-login to AWS ECR, Azure ACR and Google Cloud GCR for image update automation on EKS, AKS or GKE.
• On single-tenant clusters, image automation can now refer to Git repositories in other namespaces than the ImageImageUpdateAutomation object.

Components changelog

• source-controller v0.21.1 v0.21.0
• kustomize-controller v0.20.0
• helm-controller v0.16.0
• notification-controller v0.21.0
• image-reflector-controller v0.16.0
• image-automation-controller v0.20.0

CLI Changelog

• MR #​2167 - @​souleb - Preview local changes with flux build/diff kustomization
• MR #​2356 - @​stefanprodan - Adapt diff test to match Kubernetes 1.23.3 API response
• MR #​2348 - @​pjbgf - Add pkg-config to arm runners
• MR #​2347 - @​stealthybox - Fix output usage for flux get <sources|images>
• MR #​2345 - @​fluxcdbot - Update toolkit components
• MR #​2343 - @​stefanprodan - Set minimum supported version to Kubernetes 1.20.6
• MR #​2342 - @​stefanprodan - Run the CLI as non-root
• MR #​2336 - @​souleb - Upgrade go-git-providers to v0.5.3
• MR #​2317 - @​souleb - Add license Header to internal/build files
• MR #​2316 - @​pjbgf - [security] Enable pod security warnings for flux-system

---

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this MR, click this checkbox.

---

This MR has been generated by Renovate Bot.