All notable changes to this project are documented in this file.
Release date: 2023-12-11
This minor release comes with performance improvements, bug fixes and several new features.
The controller has been updated from Kustomize v5.0 to v5.3; please see the kubernetes-sigs/kustomize changelog for more details.
Starting with this version, the controller will automatically perform a cleanup of the Pods belonging to stale Kubernetes Jobs after a force apply.
A new controller flag `--override-manager` has been added to extend the Field Managers disallow list. Using this flag, cluster administrators can configure the controller to undo changes made with Lens and other UI tools that directly modify Kubernetes objects on clusters.
In addition, the controller dependencies have been updated, including an update to Kubernetes v1.28. The container base image has been updated to Alpine 3.19.
Improvements:
- Update source-controller to v1.2.2 #1024
- build: update Alpine to 3.19 #1023
- Update Kustomize to v5.3.0 #1021
- Support additional Field Managers in the disallow list #1017
- Add test for Namespace custom resource #1016
- Update controller to Kubernetes v1.28.4 #1014
- Disable status poller cache by default #1012
- Tweak permissions on various created files #1005
- Cleanup pods when recreating Kubernetes Jobs #997
- Update SOPS to v3.8.1 #995
Release date: 2023-10-11
This patch release contains an improvement to retry the reconciliation of a Kustomization as soon as the source artifact is available in storage, which is particularly useful when the source-controller has just been upgraded.
In addition, the controller can now detect immutable field errors returned by the Google Cloud k8s-config-connector admission controller and recreate the GCP custom resources annotated with `kustomize.toolkit.fluxcd.io/force: Enabled`.
Improvements:
- Update `fluxcd/pkg` dependencies #983
- Bump `github.com/cyphar/filepath-securejoin` from 0.2.3 to 0.2.4 #962
Fixes:
- fix: Retry when artifacts are available in storage #980
- fix: Consistent artifact fetching retry timing #978
Release date: 2023-08-23
This minor release comes with performance improvements, bug fixes and several new features.
The apply behaviour has been extended with two policies: `IfNotPresent` and `Ignore`.
To change the apply behaviour for specific Kubernetes resources, you can annotate them with:
| Annotation | Default | Values | Role |
|---|---|---|---|
| `kustomize.toolkit.fluxcd.io/ssa` | `Override` | `Override`, `Merge`, `IfNotPresent`, `Ignore` | Apply policy |
| `kustomize.toolkit.fluxcd.io/force` | `Disabled` | `Enabled`, `Disabled` | Recreate policy |
| `kustomize.toolkit.fluxcd.io/prune` | `Enabled` | `Enabled`, `Disabled` | Delete policy |
The `IfNotPresent` policy instructs the controller to only apply the Kubernetes resources if they are not present on the cluster. This policy can be used for Kubernetes Secrets and ValidatingWebhookConfigurations managed by cert-manager, where Flux creates the resources with fields that are later on mutated by other controllers.
This version improves the health checking with fail-fast behaviour by detecting stalled Kubernetes rollouts.
In addition, the controller now stops exporting an object's metrics as soon as the object has been deleted.
Lastly, this release introduces two controller flags:
- The `--concurrent-ssa` flag sets the number of concurrent server-side apply operations performed by the controller. Defaults to 4 concurrent operations per reconciliation.
- The `--interval-jitter-percentage` flag makes the controller distribute the load more evenly when multiple objects are set up with the same interval. The default of this flag is set to `5`, which means that the interval will be jittered by a +/- 5% random value (e.g. if the interval is 10 minutes, the actual reconciliation interval will be between 9.5 and 10.5 minutes).
Improvements:
- Add `--concurrent-ssa` flag #948
- Add `IfNotPresent` and `Ignore` SSA policies #943
- controller: jitter requeue interval #940
- Enable fail-fast behavior for health checks #933
- Bump `fluxcd/pkg/ssa` to improve immutable error detection #932
- Update dependencies #939
- Update Source API to v1.1.0 #952
Fixes:
Release date: 2023-07-10
This is a patch release that fixes spurious events emitted for skipped resources.
Fixes:
- Exclude skipped resources from apply events #920
Release date: 2023-07-04
This is the first stable release of the controller. From now on, this controller follows the Flux 2 release cadence and support pledge.
Starting with this version, the build, release and provenance portions of the Flux project supply chain provisionally meet SLSA Build Level 3.
This release includes several bug fixes. In addition, dependencies have been updated to their latest version, including an update of Kubernetes to v1.27.3.
For a comprehensive list of changes since v0.35.x, please refer to the changelog for v1.0.0-rc.1, v1.0.0-rc.2, v1.0.0-rc.3 and v1.0.0-rc.4.
Improvements:
Fixes:
- Use kustomization namespace for empty dependency source namespace #897
- docs: Clarify that targetNamespace namespace can be part of resources #896
Release date: 2023-05-29
This release candidate comes with support for Kustomize v5.0.3.
In addition, the controller dependencies have been updated to Kubernetes v1.27.2 and controller-runtime v0.15.0.
Improvements:
- Update Kubernetes to v1.27 and Kustomize to v5 #850
- Update controller-runtime to v0.15.0 #869
- Update CA certificates #872
- Update source-controller to v1.0.0-rc.4 #873
Release date: 2023-05-12
This release candidate comes with improved error reporting for when the controller fails to fetch an artifact due to a checksum mismatch.
In addition, the controller dependencies have been updated to patch CVE-2023-1732 and the base image has been updated to Alpine 3.18.
Improvements:
- Update Alpine to 3.18 #855
- Update dependencies #862
- build(deps): bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 #860
- docs: Clarify the Kustomize components relative paths requirement #861
Release date: 2023-05-09
This release candidate fixes secrets decryption when using Azure Key Vault.
In addition, the controller dependencies have been updated to their latest versions.
Improvements:
Release date: 2023-04-03
This release candidate promotes the `Kustomization` API from `v1beta2` to `v1`.
The controller now supports horizontal scaling using sharding based on a label selector.
In addition, the controller now supports Workload Identity when decrypting secrets with SOPS and Azure Vault.
This release candidate requires the `GitRepository` API version `v1`, first shipped with source-controller v1.0.0-rc.1.
The `Kustomization` kind was promoted from v1beta2 to v1 (GA) and deprecated fields were removed.
A new optional field called `CommonMetadata` was added to the API for setting labels and/or annotations to all resources part of a Kustomization.
The main difference to the Kustomize `commonLabels` and `commonAnnotations` is that the controller sets the labels and annotations only on the top level `metadata` field, without patching the Kubernetes Deployment `spec.template` or the Service `spec.selector`.
The `kustomizations.kustomize.toolkit.fluxcd.io` CRD contains the following versions:
- v1 (storage version)
- v1beta2 (deprecated)
- v1beta1 (deprecated)
The `Kustomization` v1 API is backwards compatible with v1beta2, except for the following:
- the deprecated field `.spec.validation` was removed
- the deprecated field `.spec.patchesStrategicMerge` was removed (replaced by `.spec.patches`)
- the deprecated field `.spec.patchesJson6902` was removed (replaced by `.spec.patches`)
To upgrade from v1beta2, after deploying the new CRD and controller, set `apiVersion: kustomize.toolkit.fluxcd.io/v1` in the YAML files that contain `Kustomization` definitions and remove the deprecated fields, if any.
Bumping the API version in manifests can be done gradually. It is advised not to delay this procedure, as the beta versions will be removed after 6 months.
Starting with this release, the controller can be configured with `--watch-label-selector`, after which only objects with this label will be reconciled by the controller.
This allows for horizontal scaling, where kustomize-controller can be deployed multiple times, each with a unique label selector which is used as the sharding key.
Improvements:
- GA: Promote Kustomization API to `kustomize.toolkit.fluxcd.io/v1` #822
- Add common labels and annotations patching capabilities #817
- Add reconciler sharding capability based on label selector #821
- Support Workload Identity for Azure Vault #813
- Verify Digest of Artifact #818
- Move `controllers` to `internal/controllers` #820
- build(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5 #824
Release date: 2023-03-20
This prerelease comes with a fix to error reporting. The controller will now reveal validation errors when force applying resources with immutable field changes.
In addition, the controller dependencies have been updated to their latest versions.
Improvements:
- Update dependencies #814
Release date: 2023-03-08
This prerelease adds support for disabling the cache of the kstatus status poller, which is used to determine the health of the resources applied by the controller. To disable the cache, configure the Deployment of the controller with `--feature-gates=DisableStatusPollerCache=true`.
This may have a positive impact on memory usage on large clusters with many objects, at the cost of an increased number of API calls.
In addition, `klog` has been configured to log using the same logger as the rest of the controller (providing a consistent log format).
Lastly, the controller is now built using Go 1.20, and the dependencies have been updated to their latest versions.
Improvements:
- api: update description LastAppliedRevision #798
- Update Go to 1.20 #806
- Update dependencies #807 #811
- Use `logger.SetLogger` to also configure `klog` #809
Release date: 2023-02-17
This prerelease adds support for parsing the RFC-0005 revision format produced by source-controller >=v0.35.0.
In addition, the controller dependencies have been updated to their latest versions.
Improvements:
Release date: 2023-02-01
This prerelease comes with support for recreating immutable resources (e.g. Kubernetes Jobs) by annotating or labeling them with `kustomize.toolkit.fluxcd.io/force: enabled`.
The caching of Secret and ConfigMap resources has been disabled to improve memory usage. To opt out of this behavior, start the controller with `--feature-gates=CacheSecretsAndConfigMaps=true`.
In addition, the controller dependencies have been updated to Kubernetes v1.26.1 and controller-runtime v0.14.2. The controller base image has been updated to Alpine 3.17 (which contains CVE fixes for OS packages).
Improvements:
- Allow force apply to be configured in metadata #787
- Disable caching of Secrets and ConfigMaps #789
- build: Enable SBOM and SLSA Provenance #787
- build: Update Alpine to 3.17 #786
- build: Update source-controller/api to v0.34.0 #790
- build: Download CRD deps only when necessary #783
- test: Enable kstatus checks #784
Release date: 2022-12-20
This prerelease comes with experimental support for Kustomize components.
In addition, the AWS and Google Cloud KMS dependencies have been updated to match the latest stable release from upstream.
Improvements:
- Add support for Kustomize components #754
- Update dependencies #780
- Document the behaviour of atomic fields with server-side apply #774
- fuzz: Use build script from upstream and fix fuzzers #777
- build: Fix cifuzz tests and improve fuzz tests' reliability #771
- build: update dockertest to Go Mod compatible v3 #776
Release date: 2022-11-18
This prerelease comes with improvements to the manifests generation component. The Kustomize overlay build logic has been factored out into `github.com/fluxcd/pkg/kustomize` so that both the controller and the Flux CLI (`flux build kustomization`) share the same code base.
In addition, the controller dependencies have been updated to Kubernetes v1.25.4 and controller-runtime v0.13.1. The Azure Vault SDK used for secrets decryption has been updated to match the latest stable release from upstream.
Improvements:
- Refactor: Generate manifests with `flux/pkg/kustomize` #763
- Update `keyvault/azkeys` Azure SDK to v0.9.0 #759
- Update Source API to v0.32.1 #768
- Update dependencies #767
- Use Flux Event API v1beta1 #758
- build: Bump gpg to alpine's edge #760
- build: Remove nsswitch.conf creation #765
Fixes:
- Don't override the reconcile error on status patching #761
Release date: 2022-10-21
This prerelease comes with a new status condition named `Reconciling`, which improves the observability of the actions performed by the controller during a reconciliation run.
The `Kustomization.status.conditions` have been aligned with Kubernetes standard conditions and kstatus.
In addition, the controller memory usage was reduced by 90% when performing artifact operations and can now better handle the reconciliation of large sources in-parallel.
Improvements:
- Optimise the memory usage of artifact operations #747
- Refactor: Adopt Flux runtime conditions and status standards #745
- Refactor: Remove docs which overlap with Flux website #746
- Refactor: Move inventory helpers to internal package #744
- Refactor: Acquire artifacts with `fluxcd/pkg/http/fetch` #743
- Refactor: Use impersonation from `fluxcd/pkg/runtime/client` #742
- Refactor: Extract generator to internal package #740
- Refactor: Extract decryptor to internal package #739
- Support alternative kustomization file names #738
- API: allow configuration of `h` unit for timeouts #749
- Update dependencies #750
Release date: 2022-09-29
This prerelease comes with strict validation rules for API fields which define a (time) duration. Effectively, this means values without a time unit (the accepted units being `ms`, `s`, `m` and `h`) will now be rejected by the API server. To encourage sane configurations, the units `ns`, `us` and `µs` can no longer be configured, nor can `h` be set for fields defining a timeout value.
In addition, the controller dependencies have been updated to Kubernetes controller-runtime v0.13.
- `.spec.interval` new validation pattern is `"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"`
- `.spec.retryInterval` new validation pattern is `"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"`
- `.spec.timeout` new validation pattern is `"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"`
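As an added illustration (not the controller's own code), the Go program below applies the three patterns listed above to candidate field values and reports which settings the API server would now reject. The field names and patterns are taken from this release note (the `\\.` in the CRD schema is a single escaped dot in Go); the sample values are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// DurationFieldPatterns maps each Kustomization duration field to the
// validation pattern the API server enforces for it, as listed in the
// release note. Timeouts deliberately have no "h" unit.
var DurationFieldPatterns = map[string]*regexp.Regexp{
	".spec.interval":      regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$`),
	".spec.retryInterval": regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$`),
	".spec.timeout":       regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(ms|s|m))+$`),
}

// ValidateDuration reports whether value would be accepted for field.
// A field without a known pattern is treated as a validation failure.
func ValidateDuration(field, value string) bool {
	pattern, ok := DurationFieldPatterns[field]
	if !ok {
		return false
	}
	return pattern.MatchString(value)
}

// ValidateSpec checks the duration fields present in a spec and returns the
// names of those the API server would reject, in a stable order.
func ValidateSpec(fields map[string]string) []string {
	order := []string{".spec.interval", ".spec.retryInterval", ".spec.timeout"}
	var rejected []string
	for _, f := range order {
		v, present := fields[f]
		if !present {
			continue
		}
		if !ValidateDuration(f, v) {
			rejected = append(rejected, f)
		}
	}
	return rejected
}

func main() {
	// Constructed sample: a pre-upgrade spec using a bare number and a timeout
	// in hours, both of which this release now rejects.
	spec := map[string]string{
		".spec.interval":      "10m",
		".spec.retryInterval": "30", // no unit: rejected
		".spec.timeout":       "1h", // hours are not allowed for timeouts: rejected
	}
	for _, f := range ValidateSpec(spec) {
		fmt.Printf("%s=%q would be rejected by the API server\n", f, spec[f])
	}
}
```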
Improvements:
- api: add custom validation for v1.Duration types #731
- Build with Go 1.19 #733
- Update dependencies #735
Fixes:
- Fix health checking for global objects #730
Release date: 2022-09-12
This prerelease comes with improvements to reconciling Kubernetes class type objects, SOPS decryption and fuzzing. In addition, the controller dependencies have been updated to Kubernetes controller-runtime v0.12.
Improvements:
- Align controller logs to Kubernetes structured logging #718
- Reconcile Kubernetes class type objects in a dedicated stage #720
- Sort SOPS masterkeys so offline decrypt methods are tried first #726
- SOPS: Update the AWS SDK for KMS #721
- Refactor Fuzzers based on Go native fuzzing #723
- Fuzz optimisations #722
- Update dependencies #724
Release date: 2022-08-29
This prerelease comes with panic recovery, to protect the controller from crashing when a reconciliation panics.
In addition, the controller dependencies have been updated to Kubernetes v1.25.0.
Improvements:
- Enable RecoverPanic option on reconciler #708
- Update Kubernetes packages to v1.25.0 #714
- Add file path to sops decryption errors #706
- Update doc on target namespace #712
Release date: 2022-08-08
This prerelease comes with support for the `OCIRepository` source type.
In addition, the controller has been updated to Kubernetes v1.24.3 and Kustomize v4.5.7.
Features:
- Add support for OCIRepository sources #684
Improvements:
- Update dependencies #704
Release date: 2022-07-13
This prerelease adds a retry mechanism for "not found" errors when downloading artifacts and recovers from SOPS store panics. Some dependencies have also been updated to patch upstream CVEs.
Fixes:
- decryptor: recover from SOPS store panic #691
Improvements:
- Retry downloading artifacts on not found errors #689
- Update dependencies #692 #696
- build: Upgrade to Go 1.18 #694
Release date: 2022-06-29
This prerelease adds support for health checking Kubernetes Jobs when impersonating a service account.
Fixes:
- Fix job wait by adding polling options to impersonation client #687
Release date: 2022-06-08
This prerelease comes with documentation improvements on how to generate image pull secrets from SOPS encrypted `.dockerconfigjson` files.
In addition, the controller has been updated to Kubernetes v1.24.1.
Improvements:
- docs: Add example section and dockerconfigjson encryption #675
- Update dependencies #676
- Update fluxcd/pkg dependencies #677
Release date: 2022-06-01
This prerelease comes with support for configuring the authentication to AWS KMS, Azure Key Vault and GCP KMS on multi-tenant clusters.
A tenant can create a secret in their namespace with their KMS credentials and supply it to Flux using `Kustomization.spec.decryption.secretRef`.
For more details on how to configure SOPS decryption with KMS, see the docs.
Starting with this version, the controller conforms to the Kubernetes API Priority and Fairness.
The controller detects if server-side throttling is enabled and uses the advertised rate limits. When server-side throttling is enabled, the controller ignores the `--kube-api-qps` and `--kube-api-burst` flags.
In addition, Kustomize has been updated to v4.5.5, which comes with significant performance improvements for OpenAPI parsing.
Improvements:
- Support AWS KMS credentials using decryption secretRef #641 #667
- Support GCP KMS credentials using decryption secretRef #635
- Update SOPS to v3.7.3 #647
- Update controller to kustomize v4.5.5 #660
- Update dependencies #650
- Update Alpine to v3.16 #661
- Update go-yaml to v3.0.0 #665
- Update source-controller/api to v0.25.0 #671
Fixes:
- Set digests in image override #655
Release date: 2022-05-03
This prerelease adds support for disallowing remote bases in Kustomize overlays using `--no-remote-bases=true` (default: `false`). When this flag is enabled on the controller, all resources must refer to local files included in the Source Artifact, meaning only the Flux Sources can affect the cluster state. Users are encouraged to enable it on production systems for security and performance reasons.
In addition, support has been introduced for defining a KubeConfig Secret data key in `.spec.kubeConfig.SecretRef.key` (default: `value` or `value.yaml`), and dependencies have been updated.
Improvements:
- Support defining a KubeConfig Secret data key #615 #645
- Disallow remote bases usage in Kustomize overlays #638
- decryptor: improve detection of in and out formats for Secret data fields #644
Release date: 2022-04-28
This prerelease ensures we recover from Kustomize build panics to guarantee continuity of operations when running into invalid object data.
In addition, handling of file formats while decrypting Secret generator entries with SOPS has been improved to ensure encrypted files in format A can be decrypted to target format B.
Fixes:
- Use Secret generator keys for SOPS format hint #636
Improvements:
- generator: recover from kustomize build panics #637
Release date: 2022-04-22
This prerelease allows for configuring the exponential back-off retry, already introduced in other Flux controllers. It can be configured with the new flags: `--min-retry-delay` (default: `750ms`) and `--max-retry-delay` (default: `15min`). Previously the defaults were set to `5ms` and `1000s`.
Fixes:
- Ensure generated temp dir is absolute on all OSes #630
Improvements:
Release date: 2022-04-21
This prerelease updates the Go `golang.org/x/crypto` dependency to the latest version to please static security analysers (CVE-2022-27191).
Fixes:
- Update golang.org/x/crypto #628
Release date: 2022-04-20
This prerelease fixes a regression bug introduced in #620, which prevented remote build directories from being reachable within the FS.
Fixes:
- generator: ensure remote build dirs can be reached #626
Release date: 2022-04-19
This prerelease matures the Kustomize decryptor service, which handles the actual decryption of SOPS' encrypted Secrets, and now allows decrypting file sources referenced in Kustomization files.
In addition, Kustomize now operates using our own file system implementation, and dependencies have been updated to their latest versions.
Improvements:
- controllers: improve decryptor and add tests #619
- controllers: use own Kustomize FS implementation #620
- Update dependencies #621 #622
Release date: 2022-04-05
This prerelease adds some breaking changes around the use and handling of kubeconfig files for remote reconciliations, implements health checks for Kubernetes Jobs and updates documentation.
SOPS implementation was refactored to include various improvements and extended code coverage. Age identities are now imported once and reused multiple times, optimising CPU and memory usage between decryption operations.
Breaking changes:
- Use of file-based KubeConfig options is now permanently disabled (e.g. `TLSClientConfig.CAFile`, `TLSClientConfig.KeyFile`, `TLSClientConfig.CertFile` and `BearerTokenFile`). The motivation behind the change was to discourage the insecure practice of mounting Kubernetes tokens inside the controller's container file system.
- Use of `TLSClientConfig.Insecure` in a KubeConfig file is disabled by default, but can be enabled at controller level with the flag `--insecure-kubeconfig-tls`.
- Use of `ExecProvider` in a KubeConfig file is now disabled by default, but can be enabled at controller level with the flag `--insecure-kubeconfig-exec`.
Improvements:
- Add kubeconfig flags #593
- sops: various improvements and tests #607
- docs/spec/v1beta2: fix recommended settings typo #609
- Implement health check for Kubernetes jobs #608
- Update KubeConfig documentation #611
Release date: 2022-03-29
This prerelease fixes a compatibility issue between SOPS' Azure Key Vault integration and the controller's. In addition, Kustomize has been updated to v4.5.4 to address an issue with ConfigMap and Secret generators.
Fixes:
Release date: 2022-03-25
This prerelease fixes a regression bug where the SOPS keyservice would not properly fall back to the default server for Azure Key Vault decryption requests.
In addition, Kustomize has been updated to v4.5.3 to address an issue with YAML anchors.
Improvements:
Fixes:
- sops/keyservice: properly fallback to default #597
Release date: 2022-03-24
This prerelease fixes a regression bug where alerts are sent for every reconciliation run.
Fixes:
- Ensure event annotations are prefixed with Group FQDN #591
Release date: 2022-03-21
This prerelease introduces a new annotation `kustomize.toolkit.fluxcd.io/ssa: merge` for allowing kustomize-controller to patch cluster addons such as CoreDNS without removing the kubectl managed fields.
The source-controller dependency was updated to version v0.22, which introduces API `v1beta2` and deprecates `v1beta1`.
In addition, various dependencies were updated to their latest versions, and the code base was refactored to align with the `fluxcd/pkg/runtime` v0.13 release.
Improvements:
- Allow shared ownership of in-cluster objects applied with kubectl #581
- Update `pkg/runtime` and `apis/meta` #575
- Update dependencies #584
- SOPS: Add support for Azure Key Vault credentials #495
Release date: 2022-02-23
This prerelease comes with a workaround for an upstream bug in Kubernetes, where the keys set in a Secret with `stringData` are not removed from the cluster when the keys are deleted from the manifest.
Improvements:
Release date: 2022-02-16
This prerelease comes with support for making the Kubernetes Secrets and ConfigMaps referenced in `postBuild.substituteFrom` optional.
When `substituteFrom.optional` is set to `true`, the controller will ignore not found errors and will substitute the variables with their default values.
Features:
- Tolerate absence of resources in post-build substitution #570
Release date: 2022-02-10
This prerelease comes with an update to the `sigs.k8s.io/kustomize/api` package, bringing the controller on par with the Kustomize v4.5.2 release.
Kustomize v4.5.2 contains a regression bug fix for pseudo git HTTP URLs.
Improvements:
- Update controller to kustomize v4.5.2 #567
- Clarify `spec.path` in API docs #566
- Fix typo in API docs #564
Release date: 2022-02-07
This prerelease comes with an update to the `sigs.k8s.io/kustomize` packages, bringing the controller on par with the Kustomize v4.5.1 release.
Improvements:
- Update controller to kustomize v4.5.1 #559
Fixes:
- Transfer ownership of the kubectl managed fields #562
Release date: 2022-02-01
This prerelease comes with security improvements for multi-tenant clusters:
- Platform admins can enforce impersonation across the cluster using the `--default-service-account` flag. When the flag is set, all `Kustomizations` which don't have `spec.serviceAccountName` specified use the service account name provided by `--default-service-account=<SA Name>` in the namespace of the object.
- Platform admins can disable cross-namespace references with the `--no-cross-namespace-refs=true` flag. When this flag is set, `Kustomizations` can only refer to sources (`GitRepositories` and `Buckets`) in the same namespace as the `Kustomization` object, preventing tenants from accessing another tenant's repositories.
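An added example, not the controller's own code, of the two decisions these flags introduce: which service account gets impersonated, and whether a source reference is allowed. The `TenancyFlags` and `KustomizationRef` types and the sample namespaces are assumptions constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// TenancyFlags holds the two controller flags described in the release note.
// Assumed, simplified type for illustration only.
type TenancyFlags struct {
	DefaultServiceAccount string // --default-service-account ("" means unset)
	NoCrossNamespaceRefs  bool   // --no-cross-namespace-refs
}

// KustomizationRef is the subset of a Kustomization object the checks need
// (assumed type; not the controller's API type).
type KustomizationRef struct {
	Name               string
	Namespace          string
	ServiceAccountName string // spec.serviceAccountName ("" means not specified)
	SourceKind         string // spec.sourceRef.kind, e.g. GitRepository or Bucket
	SourceName         string // spec.sourceRef.name
	SourceNamespace    string // spec.sourceRef.namespace ("" means same as the object)
}

// ErrCrossNamespaceRef is returned when a source in another namespace is
// referenced while cross-namespace references are disabled.
var ErrCrossNamespaceRef = errors.New("cross-namespace references are disallowed")

// ImpersonationAccount returns the service account the controller impersonates
// as "namespace/name". The object's own spec.serviceAccountName wins; otherwise
// the --default-service-account value is used. Either way the account lives in
// the Kustomization's own namespace, so a tenant cannot pick another
// namespace's account. An empty result means no impersonation is configured.
func ImpersonationAccount(k KustomizationRef, f TenancyFlags) string {
	name := k.ServiceAccountName
	if name == "" {
		name = f.DefaultServiceAccount
	}
	if name == "" {
		return ""
	}
	return k.Namespace + "/" + name
}

// ResolveSourceNamespace returns the namespace the source is looked up in, or
// ErrCrossNamespaceRef when the flag forbids a reference outside the object's
// namespace.
func ResolveSourceNamespace(k KustomizationRef, f TenancyFlags) (string, error) {
	ns := k.SourceNamespace
	if ns == "" {
		ns = k.Namespace
	}
	if f.NoCrossNamespaceRefs && ns != k.Namespace {
		return "", fmt.Errorf("%w: Kustomization %s/%s references %s %s/%s",
			ErrCrossNamespaceRef, k.Namespace, k.Name, k.SourceKind, ns, k.SourceName)
	}
	return ns, nil
}

func main() {
	// Constructed sample: a hardened multi-tenant controller configuration and a
	// tenant Kustomization that points at the platform team's repository.
	flags := TenancyFlags{DefaultServiceAccount: "tenant", NoCrossNamespaceRefs: true}
	ks := KustomizationRef{
		Name: "apps", Namespace: "tenant-a",
		SourceKind: "GitRepository", SourceName: "platform", SourceNamespace: "flux-system",
	}
	fmt.Println("impersonating:", ImpersonationAccount(ks, flags))
	if _, err := ResolveSourceNamespace(ks, flags); err != nil {
		fmt.Println("rejected:", err)
	}
}
```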
The controller container images are signed with Cosign and GitHub OIDC, and a Software Bill of Materials in SPDX format has been published on the release page.
Starting with this version, the controller deployment conforms to the Kubernetes restricted pod security standard:
- all Linux capabilities were dropped
- the root filesystem was set to read-only
- the seccomp profile was set to the runtime default
- run as non-root was enabled
- the user and group ID was set to 65534
Breaking changes:
- The use of new seccomp API requires Kubernetes 1.19.
- The controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user ID of 'controller' in their PodSecurityPolicy.
- When both `spec.kubeConfig` and `spec.ServiceAccountName` are specified, the controller will impersonate the service account on the target cluster; previously the controller ignored the service account.
Features:
- Allow setting a default service account for impersonation #550
- Allow disabling cross-namespace references #549
- SOPS: Add support for HashiCorp Vault token-based authentication #538
Improvements:
- Publish SBOM and sign release artifacts #541
- Drop capabilities, enable seccomp and enforce runAsNonRoot #539
- docs: Add var substitution operator escape syntax #537
- Update development documentation #540
- Refactor Fuzz implementation #536
Fixes:
- Revoke kubectl managed fields ownership #527
- Ensure object are finalized under impersonation #552
- Use patch instead of update when adding finalizers #535
- Fix preflight validation #544
- Fix the missing protocol for the first port in manager config #547
Release date: 2022-01-13
This prerelease fixes a regression bug introduced in v0.19.0 that prevented `StatefulSets` from being reconciled on Kubernetes <= 1.21.
Fixes:
- Update `fluxcd/pkg/ssa` to exclude the status field from apply #533
Release date: 2022-01-10
This prerelease comes with an update to the Kubernetes and controller-runtime dependencies to align them with the Kubernetes 1.23 release.
In addition, the controller is now built with Go 1.17 and Alpine 3.15.
Improvements:
- Update Go to v1.17 and controller-runtime to v0.11 #478
- Add condition to checkDependencies when SourceRef is the same #521
Fixes:
Release date: 2021-12-09
This prerelease comes with improvements to force applying objects with immutable fields changes.
Improvements:
- Update dependencies (fix CVE-2021-43784) #509
- Update golang.org/x/text to v0.3.7 (fix CVE-2021-38561) #512
- Add test for replacing variables in secrets #505
- Document behaviour when changes are made to fields not stored in git #501
- SOPS: ensure proper wiring to default server #513
Release date: 2021-11-23
This prerelease replaces deprecated dependencies, most notably the OpenPGP package, where `golang.org/x/crypto/openpgp` was replaced with `github.com/ProtonMail/go-crypto/openpgp`.
Improvements:
- Update `source-controller/api` to v0.19.0 #499
- Replace deprecated dependencies #498
- Update `opencontainers/{image-spec, runc}` #497
Release date: 2021-11-12
This prerelease comes with artifact integrity verification.
During the acquisition of an artifact, kustomize-controller computes its checksum using SHA-2 and verifies that it matches the checksum advertised in the `Status` of the Source.
The controller dependencies have been updated to match kustomize v4.4.1.
Improvements:
Release date: 2021-11-09
This prerelease comes with support for ignoring changes made to in-cluster resources by annotating them with `kustomize.toolkit.fluxcd.io/reconcile: disabled`.
When the `kustomize.toolkit.fluxcd.io/reconcile` annotation is set to `disabled`, the controller will no longer apply changes from source, nor will it prune the resource.
To resume reconciliation, set the annotation to `enabled` or remove it.
Features:
- Allow disabling the reconciliation of in-cluster resources #484
Fixes:
- Set delete propagation policy to background #482
- Warn when secrets are not decrypted before apply #483
- Remove gopass dependency #480
- Remove deprecated io/ioutil dependency #479
Release date: 2021-10-19
This prerelease comes with support for SOPS encrypted `.env` files used in the kustomize secret generator.
Improvements:
- SOPS: Decrypt dotenv files used in kustomize secret generator #463
- SOPS: Document dotenv secret generator #469
Fixes:
- Fix cluster scope detection of applied objects #465
Release date: 2021-10-13
This prerelease comes with improvements to drift detection of Kubernetes custom resources.
Improvements:
- Improve drift detection #459
Release date: 2021-10-12
This prerelease comes with fixes to HPA and Service objects validation.
Fixes:
- Fix Service and HPA v2beta1 validation #455
Release date: 2021-10-11
This prerelease comes with fixes for drift detection in Secrets and ConfigMaps.
Fixes:
- Fix drift detection in Secrets and ConfigMaps #451
Release date: 2021-10-10
This prerelease comes with fixes for server-side apply upstream bugs affecting Kubernetes < 1.22.
Fixes:
- Fix SSA upstream bugs for Kubernetes < 1.22 #448
Release date: 2021-10-08
This prerelease comes with fixes to backwards compatibility with Flux CLI 0.17 and older.
Fixes:
- Fix inventory panic for v1beta1 objects #445
Release date: 2021-10-08
This prerelease comes with a new reconciler based on Kubernetes server-side apply and graduates the API to `v1beta2`.
The controller dependencies have been updated to match kustomize v4.4.0, which restores the usage of YAML anchors.
Breaking changes
- Namespaced objects must contain `metadata.namespace`; defaulting to the `default` namespace is no longer supported. Setting a namespace for all objects reconciled by a Kustomization can be done with `spec.targetNamespace`.
- The logs, events and alerts that report Kubernetes namespaced object changes are now using the `Kind/Namespace/Name` format instead of `Kind/Name`.
- The minimum required version of Kubernetes has changed to:

| Kubernetes version | Minimum required |
|---|---|
| v1.16 | >= 1.16.11 |
| v1.17 | >= 1.17.7 |
| v1.18 | >= 1.18.4 |
| v1.19 and later | >= 1.19.0 |
Features and Improvements
- Being able to validate and reconcile sources that contain both CRDs and CRs.
- Being able to wait for all the applied resources to become ready without requiring users to fill-in the health check list.
- Improve performance (CPU, memory, network, FD usage) and reduce the number of calls to Kubernetes API by replacing kubectl execs with a specialized applier written in Go.
- Detect and report drift between the desired state (git, s3, etc) and cluster state reliably.
- Improve the overall observability of the reconciliation process by reporting in real-time the garbage collection and health assessment actions.
- Reconcile empty sources including pruning of all the resources previously applied.
- Mask secrets data in logs, events and alerts.
API changes
The `kustomize.toolkit.fluxcd.io/v1beta2` API is backwards compatible with `v1beta1`.
Additions, deprecations and removals:
- `.spec.patchesStrategicMerge` deprecated in favour of `.spec.patches`
- `.spec.patchesJson6902` deprecated in favour of `.spec.patches`
- `.spec.validation` deprecated and no longer used (server-side validation is implicit)
- `.spec.wait` added (when enabled, the controller waits for all the reconciled resources to become ready)
- `.status.snapshot` replaced by `.status.inventory`
Updating the manifests in Git to `v1beta2` can be done at any time after the kustomize-controller upgrade.
All users are encouraged to update the manifests, as the deprecated fields will be removed when the next API version is released.
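The following manifest is an added example (not taken from the project's own docs) of a `v1beta2` Kustomization that uses the fields introduced above in place of the deprecated ones: `spec.patches` carries both a strategic-merge patch and a JSON 6902 patch, `spec.wait` replaces a hand-written health check list, and `spec.targetNamespace` supplies the namespace that the reconciler no longer defaults. The `podinfo` source and Deployment names are assumptions for illustration.

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: podinfo
  namespace: flux-system
spec:
  interval: 10m
  path: ./kustomize
  prune: true
  sourceRef:
    kind: GitRepository
    name: podinfo          # assumed GitRepository in flux-system
  # v1beta2 no longer defaults namespaced objects to "default";
  # set the namespace once here instead of in every manifest.
  targetNamespace: podinfo
  # Replaces spec.healthChecks: wait for every applied object to become Ready.
  wait: true
  timeout: 2m
  # Replaces spec.patchesStrategicMerge and spec.patchesJson6902.
  patches:
    # Strategic-merge patch: harden the pod security context.
    - patch: |
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: podinfo
        spec:
          template:
            spec:
              securityContext:
                runAsNonRoot: true
                seccompProfile:
                  type: RuntimeDefault
      target:
        kind: Deployment
        name: podinfo
    # JSON 6902 patch on the same object: pin the replica count.
    - patch: |
        - op: replace
          path: /spec/replicas
          value: 2
      target:
        kind: Deployment
        name: podinfo
```

Because validation is now server-side and implicit, a patch that produces an object the API server rejects surfaces as a failed reconciliation with the dry-run error in the Kustomization status, rather than as a client-side validation failure.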
Release date: 2021-09-09
This prerelease comes with improvements to logging. When Kubernetes Secrets can't be reconciled due to validation errors, the controller will mask the secret data from logs and events to prevent disclosing sensitive information.
Improvements:
- Mask the Kubernetes Secrets data from dry-run and apply logs #420
Release date: 2021-08-26
This prerelease comes with improvements to garbage collection. When pruning is enabled, the controller will skip the deletion of objects with ownerReference.BlockOwnerDeletion=true, as they are subject to Kubernetes GC.
The controller dependencies have been updated to match kustomize v4.3.0.
Improvements:
- Update controller to kustomize v4.3.0 #416
- Skip garbage collection of objects with owner references #411
- Add tests for various kustomize transformers #408
Release date: 2021-08-05
This prerelease comes with support for SOPS encrypted kubeconfigs.
Improvements:
- Make the kubeconfig secrets compatible with SOPS #400
- Remove old util ObjectKey #397
- Var substitution opt-in docs #389
- Update dependencies #401
Fixes:
- Prevent nil pointer dereference in health checks #394
Release date: 2021-07-05
This prerelease comes with improvements to health assessment error reporting.
The controller dependencies have been updated to match kustomize v4.2.0.
Improvements:
- Make it easier to reason about health check failures #374
- Update Alpine v3.14 and kubectl v1.21.2 #385
- Update controller to kustomize v4.2.0 #383
Fixes:
- Fix typo in dependency ready log #384
Release date: 2021-06-30
This prerelease comes with kubectl v1.21.1.
Improvements:
- Update kubectl to v1.21.1 #381
- e2e: Update Kubernetes to v1.21.1 #380
- Improve test coverage of the `dependsOn` feature #380
Release date: 2021-06-14
This prerelease brings the controller on a par with Kustomize v4. The Kubernetes and controller-runtime dependencies have been updated to match the Kubernetes 1.21 release.
The Kustomization API has been extended with support for generic in-line patches.
Starting with this version, the controller uses an annotation instead of a label to keep track of manifests removed from source. Please consult the garbage collection docs for more details.
Breaking changes:
- Due to the removal of `hashicorp/go-getter` from Kustomize v4, the set of URLs accepted by Kustomize in the `resources` field is reduced to only file system paths or values compatible with `git clone`. This means you can no longer use resources from archives (zip, tgz, etc).
- YAML anchors are no longer supported in Kustomize v4, see kustomize/issues/3675 for more details.
- Due to a bug in Kustomize v4, if you have non-string keys in your manifests, the controller will fail with a `json: unsupported type` error.
Features:
- Add support for in-line generic patches to Flux Kustomization API #364
Improvements:
Release date: 2021-06-02
This prerelease comes with support for decrypting any file format used with Kustomize `secretGenerator`.
Improvements:
- Support decrypting any file format in secret generator #353
Release date: 2021-05-26
This prerelease comes with a fix to the reconciliation timeout handling.
Improvements:
Fixes:
- Fix validation and application timeout handling #346
Release date: 2021-04-29
This prerelease comes with support for decrypting Kubernetes secrets generated with SOPS and Kustomize `secretGenerator`.
Features:
- SOPS: Decrypt Kubernetes secrets generated by kustomize #329
Improvements:
- Extract validation error from apply server dry run output #333
Release date: 2021-04-22
This prerelease comes with a bug fix where the rate limited events were delaying the reconciliation.
Improvements:
Fixes:
- Avoid retrying rate limited events #326
- Make log level info for 'Dependencies do not meet ready condition' #317
Release date: 2021-04-06
This prerelease extends the Mozilla SOPS integration with support for the age encryption format.
This prerelease comes with a breaking change to the SOPS integration: the OpenPGP private keys stored in Kubernetes secrets must have the `.asc` file extension. For age, the private key file extension must be `.agekey`.
Features:
- Support SOPS age encryption #309
Improvements:
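As an added example (not the project's own manifests), this is how the key-extension rule above plays out in practice: the controller selects the decryption backend by the data key's suffix, so an age key must be stored under a key ending in `.agekey` and an OpenPGP key under one ending in `.asc`. The secret and Kustomization names, the namespace, and the key material placeholders are assumptions; the placeholders stand in for a real `age-keygen` output and a real ASCII-armored private key.

```yaml
# Secret holding the decryption keys. Both entries are shown for illustration;
# a real installation normally carries only one. Restrict RBAC on this object:
# anyone who can read it can decrypt every SOPS file the Kustomization consumes.
apiVersion: v1
kind: Secret
metadata:
  name: sops-keys
  namespace: flux-system
type: Opaque
stringData:
  # age: the ".agekey" suffix is what the controller matches on.
  age.agekey: |
    # placeholder, not a real key
    AGE-SECRET-KEY-1PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER
  # OpenPGP: the ".asc" suffix is required for PGP keys.
  sops.asc: |
    -----BEGIN PGP PRIVATE KEY BLOCK-----
    placeholder, not a real key
    -----END PGP PRIVATE KEY BLOCK-----
---
# Kustomization that decrypts SOPS-encrypted manifests with the keys above.
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./apps
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-keys
```

A key stored under a name without the expected suffix is silently not imported, and the symptom is a decryption failure on the Kustomization rather than an error about the secret, so the suffix is the first thing to check when decryption stops working after this upgrade.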
Release date: 2021-03-26
This prerelease comes with a breaking change to the leader election ID from `7593cc5d.fluxcd.io` to `kustomize-controller-leader-election` to be more descriptive. This change should not have an impact on most installations, as the default replica count is 1. If you are running a setup with multiple replicas, it is however advised to scale down before upgrading.
Improvements:
Release date: 2021-03-17
This prerelease comes with updates to the runtime packages.
The controller exposes a gauge metric to track the suspended status of Kustomization objects: `gotk_suspend_status{kind,name,namespace}`.
Improvements:
Release date: 2021-03-05
This prerelease comes with improvements to the notification system. The controller retries with exponential backoff when fetching artifacts, preventing spamming events when source-controller becomes unavailable for a short period of time.
Improvements:
- Retry with exponential backoff when fetching artifacts #289
- Validate the var names before substitution #291
Release date: 2021-02-25
This prerelease comes with an update to the `sigs.k8s.io/cli-utils` dependency, to guard against a potential bug with health assessments that was discovered in the flux CLI.
Improvements:
- Update sigs.k8s.io/cli-utils to v0.22.2 #287
Release date: 2021-02-24
This is the ninth MINOR prerelease.
This prerelease comes with support for recreating Kubernetes objects (e.g. Jobs) when immutable fields are changed in Git.
Features:
- Add support for recreating objects when immutable fields are updated #271
Improvements:
Fixes:
- Avoid prompts on SOPS key import by adding batch flag to gpg #281
Release date: 2021-02-18
This prerelease adds an array field called `substituteFrom` to the post build API. `SubstituteFrom` holds references to ConfigMaps and Secrets containing the variables (data keys) and their values (data values) to be substituted in the YAML manifests.
You can disable the variable substitution for certain resources by either labeling or annotating them with:
`kustomize.toolkit.fluxcd.io/substitute: disabled`
Features:
- Implement var substitution from ConfigMaps and Secrets #275
Release date: 2021-02-12
This is the eighth MINOR prerelease.
This prerelease comes with support for bash-style variable substitutions.
The Kustomization API was extended with in-line support for Kustomize Strategic Merge and JSON 6902 patches.
Pruning can be disabled for certain resources by either labeling or annotating them with:
`kustomize.toolkit.fluxcd.io/prune: disabled`
Golang `pprof` endpoints have been enabled on the metrics server, making it easier to collect runtime information to debug performance issues.
Features:
- Add support for variable substitutions #253
- Support Strategic Merge and JSON 6902 patches #264
- Allow disabling of prune on certain resources #267
Improvements:
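The following manifests are an added example (not from the project's docs) covering both the bash-style substitution introduced here and the `substituteFrom` references from the release above, together with the two opt-out annotations: `substitute: disabled` on a resource that carries literal `${...}` text the controller must not touch, and `prune: disabled` on a resource that must survive being removed from Git. Names, namespaces and values are constructed for illustration.

```yaml
# Variables supplied from the cluster side (flux-system namespace).
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-vars
  namespace: flux-system
data:
  cluster_region: eu-central-1
  ingress_class: nginx
---
apiVersion: v1
kind: Secret
metadata:
  name: cluster-secrets
  namespace: flux-system
stringData:
  db_host: db.internal.example   # constructed placeholder
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./apps
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  postBuild:
    # Inline variables; names must match ^[_[:alpha:]][_[:alpha:][:digit:]]*$
    substitute:
      cluster_env: production
    # Variables read from the ConfigMap and Secret data keys above.
    substituteFrom:
      - kind: ConfigMap
        name: cluster-vars
      - kind: Secret
        name: cluster-secrets
---
# ./apps/config.yaml: consumed by substitution after kustomize build.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: apps
data:
  region: ${cluster_region}
  env: ${cluster_env:=staging}     # bash-style default when unset
  ingress: ${ingress_class}
---
# ./apps/db-secret.yaml: a Secret-sourced variable should only ever land in a Secret,
# otherwise its value is written in clear into a ConfigMap or pod spec.
apiVersion: v1
kind: Secret
metadata:
  name: app-db
  namespace: apps
stringData:
  host: ${db_host}
---
# ./apps/alert-templates.yaml: literal ${instance} belongs to Alertmanager,
# so substitution is switched off for this object.
apiVersion: v1
kind: ConfigMap
metadata:
  name: alert-templates
  namespace: apps
  annotations:
    kustomize.toolkit.fluxcd.io/substitute: disabled
data:
  down.tmpl: 'Instance ${instance} is down'
---
# ./apps/data.yaml: keep the volume claim if the manifest is deleted from Git.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
  namespace: apps
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 10Gi
```

Substitution runs over the whole rendered output, so a variable loaded from a Secret is expanded wherever it is referenced; keeping such references inside Secret objects is what preserves the confidentiality boundary the Secret kind implies.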
Release date: 2021-02-02
This prerelease comes with a change to the Kustomization status so that the controller can keep track of the last health assessment result and avoid issuing redundant health check events.
Improvements:
- Add Healthy status condition #262
Release date: 2021-02-01
This prerelease comes with support for running the Kustomization validation using service account impersonation.
Improvements:
- Support impersonation for validation #260
Release date: 2021-01-26
This prerelease comes with a fix to the service account impersonation when running health checks and garbage collection.
Fixes:
- Clear `config.BearerTokenFile` when setting `BearerToken` #258
Release date: 2021-01-25
This prerelease fixes a regression bug introduced in v0.7.0 that caused failed reconciliations to be immediately retried instead of being scheduled at the specified interval.
Fixes:
- Fix reconciliation retry scheduler #256
Release date: 2021-01-22
This is the seventh MINOR prerelease.
An optional field `spec.retryInterval` was added that allows users to requeue a failed reconciliation at a different interval than `spec.interval`.
The `LocalObjectReference` from the Kubernetes core has been replaced with our own, making `Name` a required field. The impact of this should be limited to direct API consumers only, as the field was already required by controller logic.
Improvements:
- Allow failed reconciliations to be scheduled at a different interval #250
- Update fluxcd/pkg/runtime to v0.8.0 #247
Release date: 2021-01-19
This prerelease comes with fixes to the kustomize build procedure by disabling kyaml. The Kubernetes packages were updated to v1.20.2 and kustomize/api to v0.7.2.
Improvements:
Release date: 2021-01-15
This prerelease adds support for `kustomization.yml` and `Kustomization` files at the root of the configured path.
Improvements:
- Look for all accepted Kustomization filenames #238
Release date: 2021-01-14
This prerelease fixes a regression bug introduced in v0.6.0 that caused reconciliation request annotations to be ignored in certain scenarios.
Two new argument flags are introduced to support configuring the QPS (`--kube-api-qps`) and burst (`--kube-api-burst`) while communicating with the Kubernetes API server.
Improvements:
Fixes:
- Upgrade runtime package to v0.6.2 for regression bug fix #234
Release date: 2021-01-12
This is the sixth MINOR prerelease, upgrading the controller-runtime dependencies to v0.7.0.
The container image for ARMv7 and ARM64 that used to be published separately as `kustomize-controller:*-arm64` has been merged with the AMD64 image.
Improvements:
- Update kubectl to v1.20.1 #231
- Update kustomize/api to v0.7.1 #229
- Run GC and health checks using service account impersonation #221
Fixes:
- No longer treat dirs as kustomization files #224
Release date: 2020-12-18
This prerelease comes with improvements to health reporting.
Improvements:
- Emit healthcheck event when Kustomization was not ready #219
- Add debug logs to garbage collection #218
- Add SOPS user error to logs #220
Release date: 2020-12-16
This prerelease comes with improvements to garbage collection and adds safe guards for relative paths.
The `Path` field was marked as optional; when not specified, it defaults to the root path of the `SourceRef`.
Health checking and garbage collection for `HelmReleases` and other custom resources were fixed by downgrading to controller-runtime v0.6.3.
Improvements:
- Refactor garbage collection #210
- Make Path field optional and add safe guards for relative paths #211
Release date: 2020-12-14
This prerelease comes with improvements to error reporting.
Improvements:
- Refactor apply error reporting #205
Release date: 2020-12-11
This is the fifth MINOR prerelease. It comes with support for overriding container images with `spec.images`.
Improvements:
Release date: 2020-11-26
This is the fourth MINOR prerelease. Suspended Kustomizations are no longer marked as not ready, the status sub-resource is left untouched.
Improvements:
- Do not mark suspended resource as not ready #183
- Set field manager to `kustomize-controller` instead of `kubectl` #184
Fixes:
- Requeue after interval on source not found errors #182
Release date: 2020-11-20
This is the third MINOR prerelease. It introduces two breaking changes:
- the `ServiceAccount` field has been removed and replaced by `ServiceAccountName`; it is no longer possible to specify a namespace for a service account, the namespace is inferred from the Kustomization namespace
- the status condition type has changed to the type introduced in Kubernetes API machinery v1.19.0
Improvements:
- Use ServiceAccountName for impersonation #180
- Adopt Kubernetes condition type #174
- Add docs for excluding non-k8 YAML files in kustomization generation #176
- Use DeletionTimestamp for prune and readiness #177
Fixes:
- Add fsGroup to security context (fix for AWS KMS IAM Role bindings) #178
Release date: 2020-11-12
This prerelease comes with improvements to status reporting.
The Kustomization dry-run can now be explicitly disabled by setting `spec.validation` to `none`.
Improvements:
Release date: 2020-11-04
This prerelease comes with improvements to garbage collection. The Kubernetes packages have been updated to v1.19.
Improvements:
- Update k8s to 1.19 + kustomize 0.6.4 #161
- Add openssh client to support git+ssh Kustomize resources #159
Fixes:
Release date: 2020-10-29
This is the second MINOR prerelease, it comes with breaking changes:
- the histogram metric `gotk_reconcile_duration` was renamed to `gotk_reconcile_duration_seconds`
- the annotation `fluxcd.io/reconcileAt` was renamed to `reconcile.fluxcd.io/requestedAt`
Improvements:
- Refactor predicates and enqueuers #156 #155 #153
- Use annotation helpers #152
- Suppress health check events when no changes made #151
- Use controller-runtime utils for finalizer and health checks #150
- Improve remote cluster documentation #148
Release date: 2020-10-16
This prerelease comes with support for targeting remote clusters created with Cluster-API.
Improvements:
- Implement non-caching, per-kustomization GC-client/statusPoller for cross-cluster kubeconfigs #135
Fixes:
- Fix status reporting when the source is not found #141
- Validate manifests when generating kustomization.yaml #143
- Set correct status on failure events #145
Release date: 2020-10-13
This prerelease comes with Prometheus instrumentation for the controller's resources.
For each kind, the controller exposes a gauge metric to track the `Ready` condition status, and a histogram with the reconciliation duration in seconds:
`gotk_reconcile_condition{kind, name, namespace, status, type="Ready"}`
`gotk_reconcile_duration{kind, name, namespace}`
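As an added example (not shipped by the project), the alerting rules below consume the metrics introduced here, using the `gotk_reconcile_duration_seconds` name the histogram was given in the later rename and the `gotk_suspend_status` gauge added in the 2021-03-17 release. They assume a Prometheus Operator installation that reads `PrometheusRule` objects from `flux-system`; the thresholds and severities are illustrative choices.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: flux-kustomize-controller
  namespace: flux-system   # assumed to be selected by the Prometheus ruleSelector
spec:
  groups:
    - name: flux.kustomize
      rules:
        # The gauge is 1 for the current condition status, so select the
        # Ready=False series rather than comparing the value to the status.
        - alert: KustomizationNotReady
          expr: gotk_reconcile_condition{kind="Kustomization", type="Ready", status="False"} == 1
          for: 15m
          labels:
            severity: warning
          annotations:
            summary: 'Kustomization {{ $labels.namespace }}/{{ $labels.name }} not ready for 15m'
        # A suspended Kustomization silently stops enforcing desired state;
        # treat a long suspension as drift that someone must own.
        - alert: KustomizationSuspended
          expr: gotk_suspend_status{kind="Kustomization"} == 1
          for: 24h
          labels:
            severity: info
          annotations:
            summary: 'Kustomization {{ $labels.namespace }}/{{ $labels.name }} suspended for over 24h'
        # p99 reconciliation time from the histogram buckets.
        - alert: KustomizationReconcileSlow
          expr: |
            histogram_quantile(0.99,
              sum(rate(gotk_reconcile_duration_seconds_bucket{kind="Kustomization"}[10m]))
              by (le, name, namespace)) > 120
          for: 30m
          labels:
            severity: warning
          annotations:
            summary: 'Kustomization {{ $labels.namespace }}/{{ $labels.name }} p99 reconcile time above 120s'
```

The suspension alert is the one with a security angle: a Kustomization left suspended is a window in which manual changes to the cluster are no longer reverted, which is exactly what the controller's drift detection is meant to prevent.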
Release date: 2020-09-30
This is the first MINOR prerelease, it promotes the `kustomize.toolkit.fluxcd.io` API to `v1beta1` and removes support for `v1alpha1`.
Going forward, changes to the API will be accompanied by a conversion mechanism. With this release the API becomes more stable, but while in beta phase there are no guarantees about backwards compatibility between beta releases.
Release date: 2020-09-22
This prerelease comes with support for S3 bucket sources and cross-namespace dependencies.
Container images for ARMv7 and ARMv8 are published to `ghcr.io/fluxcd/kustomize-controller-arm64`.
Release date: 2020-09-14
This prerelease comes with improvements to health assessment. The health checks leverage the kstatus library to support custom resources such as HelmReleases that implement the Ready condition.
Release date: 2020-09-12
This prerelease comes with the option to watch for resources in the runtime namespace of the controller or at cluster level.
Release date: 2020-09-05
This prerelease comes with a bug fix to garbage collection.
Release date: 2020-09-04
This prerelease comes with support for decrypting Kubernetes secrets with Mozilla SOPS. Container images for linux/amd64 and linux/arm64 are published to GHCR.
Release date: 2020-08-18
This prerelease upgrades the `github.com/fluxcd/pkg/*` dependencies to dedicated versioned modules, and makes the `api` package available as a dedicated versioned module.
Release date: 2020-07-31
This prerelease comes with a breaking change: the CRDs group has been renamed to `kustomize.toolkit.fluxcd.io`. The dependency on source-controller has been updated to v0.0.7 to be able to work with `source.toolkit.fluxcd.io` resources.
Release date: 2020-07-25
This prerelease comes with improvements to the dependency management and service account impersonation.
Release date: 2020-07-20
This prerelease drops support for Kubernetes <1.16.
The CRDs have been updated to `apiextensions.k8s.io/v1`.
Release date: 2020-07-16
This prerelease comes with improvements to the alerting system and allows sources to be referenced across namespaces. The kustomize/api has been updated to v0.5.1.
Release date: 2020-07-13
This prerelease comes with improvements to logging.
The default logging format is JSON and the timestamp format is ISO8601.
Introduce the `fluxcd.io/reconcileAt` annotation for on-demand reconciliation of kustomization objects.
Release date: 2020-07-02
This prerelease comes with improvements to the alerting system. The reconciliation events can be forwarded to notification controller and alerting can be configured for Slack, MS Teams, Discord and Rocket chat using the notification.fluxcd.io API.
Release date: 2020-06-24
This is the first prerelease ready for public testing. To get started testing, see the GitOps Toolkit guide.
Release date: 2020-06-10
This beta release allows configuring the number of concurrent reconciles. Starting with this version, the controller watches for resources only in the namespace where it's deployed.
Release date: 2020-05-29
This is the first beta release of kustomize controller. This release comes with improvements to the reconciliation engine when dealing with CRDs/CRs. The kustomize/api has been updated to v0.4.1.
Release date: 2020-05-11
This alpha release includes a bug fix for the source event handler and sets the current context to the default namespace.
Release date: 2020-05-09
This alpha release comes with improvements to health assessment and dependency management. When a source revision changes, the Kustomizations are executed based on the depends-on graph.
Release date: 2020-05-05
This alpha release comes with improvements to the garbage collector. The new GC doesn't require label selectors to be set in the kustomization and can prune resources safely without hitting Kubernetes API rate limits.
Release date: 2020-05-03
This alpha release comes with role-based access control for restricting the execution of a kustomization apply to a specific service account.
Release date: 2020-04-27
This alpha release introduces an intermediate state to the status ready condition to signal that a reconciliation is underway. This allows waiting for an on-demand sync to complete.
Release date: 2020-04-24
This alpha release introduces a new status field for recording the last applied source revision.
Feature comparison with Flux has been added to docs/spec.
Release date: 2020-04-23
This alpha release introduces the option to tell the controller to automatically generate the `kustomization.yaml` for repositories that contain plain Kubernetes manifests.
The controller design and motivation can be found at docs/spec.
Release date: 2020-04-21
This alpha release introduces the Profile CRD that allows grouping Kustomization objects and defining a common behavior for them. The v1alpha1 profiles can be used for configuring Slack and Discord alerting.
Release date: 2020-04-20
This is the first alpha release of kustomize controller. The controller is an implementation of the kustomize.fluxcd.io/v1alpha1 API.