feat(oci/flux-manifests): update v2.2.3 ➼ v2.4.0 - biohazard - autoclosed

[tinfoild]

This PR contains the following updates:

Package	Update	Change	OpenSSF
ghcr.io/fluxcd/flux-manifests	minor	v2.2.3 -> v2.4.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

fluxcd/flux2 (ghcr.io/fluxcd/flux-manifests)

v2.4.0

Compare Source

Highlights

Flux v2.4.0 is a feature release. Users are encouraged to upgrade for the best experience.

For a comprehensive overview of new features and API changes included in this release, please refer to the Announcing Flux 2.4 GA blog post.

This release marks the General Availability (GA) of Flux Bucket API. The Bucket v1 API comes with new features including: proxy support, mTLS and custom STS configuration for AWS S3 and MinIO LDAP authentication.

The GitRepository v1 API gains support for OIDC authentication. Starting with this version, you can authenticate against Azure DevOps repositories using AKS Workload Identity.

The OCIRepository v1beta2 API gains support for proxy configuration thus allowing dedicated HTTP/S Proxy authentication on multi-tenant Kubernetes clusters.

The HelmRelease v2 API gains support for disabling JSON schema validation of the Helm release values during installation and upgrade. And allows adopting existing Kubernetes resources during Helm release installation.

The Flux controllers are now built with Go 1.23 and their dependencies have been updated to Kubernetes 1.31, Helm 3.16, SOPS 3.9 Cosign 2.4 and Notation 1.2.

❤️ Big thanks to all the Flux contributors that helped us with this release!

Kubernetes compatibility

This release is compatible with the following Kubernetes versions:

Kubernetes version	Minimum required
v1.29	>= 1.29.0
v1.30	>= 1.30.0
v1.31	>= 1.31.0

[!NOTE]
Note that the Flux project offers support only for the latest three minor versions of Kubernetes.
Backwards compatibility with older versions of Kubernetes and OpenShift is offered by vendors such as
ControlPlane that provide enterprise support for Flux.

OpenShift compatibility

Flux can be installed on Red Hat OpenShift cluster directly from OperatorHub using Flux Operator.
The operator allows the configuration of Flux multi-tenancy lockdown, network policies, persistent storage, sharding, vertical scaling and the synchronization of the cluster state from Git repositories, OCI artifacts and S3-compatible storage.

API changes

Bucket v1

The Bucket kind was promoted from v1beta2 to v1 (GA).

The v1 API is backwards compatible with v1beta2.

New fields:

• .spec.proxySecretRef allows configuring HTTP/S Proxy authentication for the S3-compatible storage service.
• .spec.certSecretRef allows custom TLS client certificate and CA for secure communication with the S3-compatible storage service.
• .spec.sts allows custom STS configuration for AWS S3 and MinIO LDAP authentication.

GitRepository v1

The GitRepository kind gains new optional fields with no breaking changes.

New fields:

• .spec.provider allows specifying an OIDC provider used for authentication purposes. Currently, only the azure provider is supported.

OCIRepository v1beta2

The OCIRepository kind gains new optional fields with no breaking changes.

New fields:

• .spec.proxySecretRef allows configuring HTTP/S Proxy authentication for the container registry service.

HelmRelease v2

The HelmRelease kind gains new optional fields with no breaking changes.

New fields:

• .spec.install.disableSchemaValidation allows disabling the JSON schema validation of the Helm release values during installation.
• .spec.upgrade.disableSchemaValidation allows disabling the JSON schema validation of the Helm release values during upgrade.

Upgrade procedure

Upgrade Flux from v2.3.0 to v2.4.0 either by rerunning bootstrap or by using the Flux GitHub Action.

To upgrade the APIs, make sure the new CRDs and controllers are deployed, and then change the manifests in Git:

1. Set apiVersion: source.toolkit.fluxcd.io/v1 in the YAML files that contain Bucket definitions.
2. Commit, push and reconcile the API version changes.

Bumping the APIs version in manifests can be done gradually.
It is advised to not delay this procedure as the deprecated versions will be removed after 6 months.

Components changelog

• source-controller v1.4.0 v1.4.1
• kustomize-controller v1.4.0
• notification-controller v1.4.0
• helm-controller v1.1.0
• image-reflector-controller v0.33.0
• image-automation-controller v0.39.0

New Documentation

• Bucket v1 specification
• Azure DevOps OIDC auth configuration

CLI Changelog

• PR #​5014 - @​stefanprodan - Update Kubernetes dependencies to v1.31.1
• PR #​5011 - @​stefanprodan - Remove TLS deprecated flags from flux create secret
• PR #​5010 - @​stefanprodan - Add flux create secret proxy command
• PR #​5009 - @​stefanprodan - Add --proxy-secret-ref to flux create source commands
• PR #​5008 - @​stefanprodan - Promote bucket commands to GA
• PR #​5007 - @​stefanprodan - Run conformance tests for Kubernetes 1.29-1.31
• PR #​5005 - @​fluxcdbot - Update toolkit components
• PR #​5004 - @​fluxcdbot - Update source-controller to v1.4.1
• PR #​4986 - @​dipti-pai - [RFC-0007] Add --provider flag to flux create source git
• PR #​4970 - @​JasonTheDeveloper - Update notaryproject/notation-go to 1.2.1
• PR #​4967 - @​mxtw - tests: use tempdir to avoid manual gc
• PR #​4959 - @​stefanprodan - Fix GitHub bootstrap for repositories with custom properties
• PR #​4948 - @​harshitasao - fix: fixed GHA token-permission and pinned dependencies issue
• PR #​4939 - @​bkreitch - Recursively diff Kustomizations
• PR #​4936 - @​stefanprodan - Build with Go 1.23
• PR #​4934 - @​stefanprodan - Update dependencies to Kubernetes v1.31.0
• PR #​4922 - @​bkreitch - Stop spinner on cancel of flux diff kustomization
• PR #​4918 - @​matheuscscp - Fix reconcile helmrelease command description
• PR #​4892 - @​stefanprodan - Run conformance tests for Kubernetes v1.31
• PR #​4871 - @​harshitasao - changed the scorecard badge link to the standard format
• PR #​4866 - @​nagyv - Introduce visibility flag for bootstrap gitlab
• PR #​4863 - @​stefanprodan - Update conformance tests to Kubernetes v1.30.2
• PR #​4845 - @​stefanprodan - Run ARM64 e2e tests on GitHub runners
• PR #​4842 - @​stefanprodan - Add part-of label to controllers base
• PR #​4835 - @​stefanprodan - ci: Adapt config to GoRelease v2
• PR #​4806 - @​dipti-pai - [RFC] Passwordless authentication for Git repositories

v2.3.0

Compare Source

Highlights

Flux v2.3.0 is a feature release. Users are encouraged to upgrade for the best experience.

For a comprehensive overview of new features and API changes included in this release, please refer to the Announcing Flux 2.3 GA blog post.

This release marks the General Availability (GA) of Flux Helm features and APIs, including helm-controller, the HelmRelease, HelmChart, and HelmRepository APIs.

The HelmRepository v2 API comes with new features, such as the ability to reference Helm charts from OCIRepository sources, reuse existing HelmChart resources, and verify the integrity of Helm chart artifacts signed with Notary Notation.

❤️ Big thanks to all the Flux contributors that helped us with this release!

Kubernetes compatibility

This release is compatible with the following Kubernetes versions:

Kubernetes version	Minimum required
v1.28	>= 1.28.0
v1.29	>= 1.29.0
v1.30	>= 1.30.0

[!NOTE]
Note that the Flux project offers support only for the latest three minor versions of Kubernetes.
Backwards compatibility with older versions of Kubernetes and OpenShift is offered by vendors such as
ControlPlane that provide enterprise support for Flux.

API changes

HelmRelease v2

The HelmRelease kind was promoted from v2beta2 to v2 (GA).

The v2 API is backwards compatible with v2beta2, with the exception of the deprecated fields which have been removed.

Removed fields:

• .spec.chart.spec.valuesFile replaced by .spec.chart.spec.valuesFiles.
• .spec.postRenderers.kustomize.patchesJson6902 replaced by .spec.postRenderers.kustomize.patches.
• .spec.postRenderers.kustomize.patchesStrategicMerge replaced by .spec.postRenderers.kustomize.patches.
• .status.lastAppliedRevision replaced by .status.history.chartVersion.

New fields:

• .spec.chartRef allows referencing chart artifacts from OCIRepository and HelmChart objects.
• .spec.chart.spec.ignoreMissingValuesFiles allows ignoring missing values files instead of failing to reconcile.

HelmChart v1

The HelmChart kind was promoted from v1beta2 to v1 (GA).

The v1 API is backwards compatible with v1beta2, with the exception of the deprecated fields which have been removed.

Removed fields:

• .spec.valuesFile replaced by .spec.chart.valuesFiles.

New fields:

• .spec.ignoreMissingValuesFiles allows ignoring missing values files instead of failing to reconcile.
• .spec.verify.provider: notation verify the signature of a Helm OCI artifacts using Notation trust policy and CA certificate.

HelmRepository v1

The HelmRepository kind was promoted from v1beta2 to v1 (GA).

The v1 API is backwards compatible with v1beta2.

OCIRepository v1beta2

The OCIRepository kind gains new optional fields with no breaking changes.

New fields:

• .spec.ref.semverFilter allows filtering the tags based on regular expressions before applying the semver range.
• .spec.verify.provider: notation verify the signature of OCI artifacts using Notation trust policy and CA certificate.

Kustomization v1

The Flux Kustomization kind gains new optional fields with no breaking changes.

New fields:

• .spec.namePrefix allows setting a name prefix for the generated resources.
• .spec.nameSuffix allows setting a name suffix for the generated resources.

ImageUpdateAutomation v1beta2

The ImageUpdateAutomation kind was promoted from v1beta1 to v1beta2.

The v1beta2 API is backwards compatible with v1beta1.

Deprecated fields:

• Updated template data has been deprecated in favour of Changed that is designed to accommodate for all the types of updates made.

New fields:

• .spec.policySelector allows filtering ImagePolicy based on labels.

Receiver v1

The Receiver kind gains new optional fields with no breaking changes.

New fields:

• .spec.type: cdevents allows receiving, validating and filtering of CDEvents.

Upgrade procedure

Upgrade Flux from v2.x to v2.3.0 either by rerunning bootstrap or by using the Flux GitHub Action.

For more details, please refer to the upgrade guide from the Announcing Flux 2.3 GA blog post.

Components changelog

• source-controller v1.3.0
• kustomize-controller v1.3.0
• notification-controller v1.3.0
• helm-controller v1.0.0 v1.0.1
• image-reflector-controller v0.32.0
• image-automation-controller v0.38.0

New Documentation

• HelmRelease v2 specification
• ImageUpdateAutomation v1beta2 specification
• Oracle VBS bootstrap guide
• Azure DevOps bootstrap guide for SSH RSA SHA-2
• OpenShift installation guide and SCC configuration
• Air-gapped installation guide for private container registries
• Bootstrap with Terraform examples
• Flux hub-and-spoke example repository
• Flux CD Architecture Overview blog post

CLI Changelog

• PR #​4783 - @​stefanprodan - ci: Consolidate conformance tests
• PR #​4781 - @​stefanprodan - Set Kubernetes 1.28 as min required version
• PR #​4780 - @​stefanprodan - Update helm-controller to v1.0.1
• PR #​4779 - @​fluxcdbot - Update toolkit components
• PR #​4778 - @​darkowlzz - tests/integration: Run flux check after installation
• PR #​4777 - @​stefanprodan - Add k3s to the conformance test suite
• PR #​4775 - @​stefanprodan - Update HelmRelease API to v2 (GA)
• PR #​4773 - @​makkes - Add (create|delete|export) source chart commands
• PR #​4771 - @​matheuscscp - Add 2.3.x release label
• PR #​4770 - @​stefanprodan - Update Flux architecture diagram
• PR #​4769 - @​frekw - Add --reproducible flag to flux push artifact
• PR #​4768 - @​stefanprodan - Improve end-to-end test workflow
• PR #​4766 - @​souleb - Add support for HelmRelease v2 in flux reconcile and flux create
• PR #​4764 - @​stefanprodan - ci: Adapt image automation test to v1beta2
• PR #​4759 - @​stefanprodan - Update Helm Source APIs to v1 (GA)
• PR #​4754 - @​stefanprodan - Add --ssh-hostkey-algos flag to bootstrap command
• PR #​4747 - @​stefanprodan - Update dependencies to Kubernetes 1.30
• PR #​4746 - @​swade1987 - Specifying go version in setup-go github action.
• PR #​4736 - @​dependabot[bot] - build(deps): bump the ci group with 4 updates
• PR #​4735 - @​JasonTheDeveloper - feat(secret): add create notation secret handler
• PR #​4734 - @​stefanprodan - Run conformance tests for Kubernetes 1.30.0
• PR #​4729 - @​stefanprodan - Add OpenShift to the conformance test suite
• PR #​4728 - @​toomaj - bootstrap: Add support for Git HTTP/S authorization header
• PR #​4727 - @​makkes - Add flags for issuer/subject OCI signature verification
• PR #​4717 - @​hawwwdi - Set GOMAXPROCS and GOMEMLIMIT to all Flux controllers
• PR #​4710 - @​stefanprodan - Add flux envsubst command
• PR #​4709 - @​stefanprodan - Add --strict-substitute flag to flux build ks and flux diff ks
• PR #​4706 - @​stefanprodan - Add --registry-creds flag to bootstrap and install commands
• PR #​4705 - @​stefanprodan - Update dependencies to Kustomize v5.4.0
• PR #​4701 - @​fluxcdbot - Update toolkit components
• PR #​4699 - @​stefanprodan - Update dependencies to Go 1.22 and Kubernetes 1.29.3
• PR #​4689 - @​makkes - Pin envtest version
• PR #​4687 - @​carlpett - Add permissions required for flow control
• PR #​4678 - @​darkowlzz - Update ImageUpdateAutomation API to v1beta2
• PR #​4666 - @​stefanprodan - Mark RFC-0006 as implementable
• PR #​4657 - @​stefanprodan - ci: Include all go modules in snyk testing
• PR #​4654 - @​stefanprodan - Remove deprecated e2e tests
• PR #​4629 - @​rishinair11 - Fix a typo in --force flag description
• PR #​4620 - @​stefanprodan - Update Equinix ARM64 GitHub runners
• PR #​4610 - @​takp - Fix typo in build.go
• PR #​4589 - @​stefanprodan - Update dependencies
• PR #​4583 - @​fluxcdbot - Update toolkit components
• PR #​4575 - @​stefanprodan - Update dependencies to Kubernetes v1.28.6
• PR #​4558 - @​twinguy - flux check should error on unrecognised args
• PR #​4557 - @​twinguy - flux stats should error on unrecognised args
• PR #​4553 - @​twinguy - Properly detect unexpected arguments during uninstall
• PR #​4534 - @​adamkenihan - [RFC-0006] Flux-CDEvent Receiver

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[cloudflare-workers-and-pages]

Deploying jjgadgets-biohazard with    Cloudflare Pages

Latest commit:	c413a2d
Status:	✅  Deploy successful!
Preview URL:	https://036af65f.jjgadgets-biohazard.pages.dev
Branch Preview URL:	https://renovate-biohazard-flux.jjgadgets-biohazard.pages.dev

View logs

[tinfoild]

--- kube/clusters/biohazard/flux Kustomization: flux-system/0-biohazard-config OCIRepository: flux-system/flux-manifests

+++ kube/clusters/biohazard/flux Kustomization: flux-system/0-biohazard-config OCIRepository: flux-system/flux-manifests

@@ -7,9 +7,9 @@

     kustomize.toolkit.fluxcd.io/namespace: flux-system
   name: flux-manifests
   namespace: flux-system
 spec:
   interval: 10m
   ref:
-    tag: v2.2.3
+    tag: v2.4.0
   url: oci://ghcr.io/fluxcd/flux-manifests
 
--- kube/clusters/biohazard/flux Kustomization: flux-system/0-biohazard-config Kustomization: flux-system/0-biohazard-config

+++ kube/clusters/biohazard/flux Kustomization: flux-system/0-biohazard-config Kustomization: flux-system/0-biohazard-config

@@ -341,13 +341,13 @@

       labelSelector: kustomization.flux.home.arpa/helmpatches notin (false)
       version: v1
   path: ./kube/clusters/biohazard/flux
   postBuild:
     substitute:
       CLUSTER_NAME: biohazard
-      FLUXCD_VERSION: v2.2.3
+      FLUXCD_VERSION: v2.4.0
     substituteFrom:
     - kind: Secret
       name: biohazard-vars
       optional: false
     - kind: Secret
       name: biohazard-secrets

[tinfoild]

--- HelmRelease: home-assistant/home-assistant Deployment: home-assistant/home-assistant

+++ HelmRelease: home-assistant/home-assistant Deployment: home-assistant/home-assistant

@@ -67,13 +67,13 @@

         topologyKey: kubernetes.io/hostname
         whenUnsatisfiable: DoNotSchedule
       containers:
       - env:
         - name: TZ
           value: null
-        image: ghcr.io/onedr0p/home-assistant:2024.11.3@sha256:f45f502b1738e46eb435fbc8947cdcc2574f3713b156c6738129ea2ea9b49018
+        image: ghcr.io/onedr0p/home-assistant:2024.12.0@sha256:5086e1dd11d3cfbb7f3c991645c1551be14ed778de649ae1c0a99d13bbbd4f37
         livenessProbe:
           failureThreshold: 3
           initialDelaySeconds: 0
           periodSeconds: 10
           tcpSocket:
             port: 8123