Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package flux2-cli for openSUSE:Factory checked in at 2026-07-01 16:54:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/flux2-cli (Old)
 and      /work/SRC/openSUSE:Factory/.flux2-cli.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "flux2-cli" Wed Jul 1 16:54:58 2026 rev:34 rq:1362909 version:2.9.0 Changes: -------- --- /work/SRC/openSUSE:Factory/flux2-cli/flux2-cli.changes 2026-05-21 18:28:50.854278881 +0200 +++ /work/SRC/openSUSE:Factory/.flux2-cli.new.11887/flux2-cli.changes 2026-07-01 16:55:46.944926996 +0200 
@@ -1,0 +2,138 @@ +Wed Jul 01 07:58:18 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 2.9.0: + Flux v2.9.0 is a feature release. Users are encouraged to upgrade + for the best experience. + For a compressive overview of new features and API changes + included in this release, please refer to the Announcing Flux 2.9 + GA blog post. + https://fluxcd.io/blog/2026/06/flux-v2.9.0/ + * Overview of the new features: + - Flux CLI Plugin System with the Mirror and Schema plugins + (flux plugin) + - Server-Side Apply field ignore rules for fine-grained drift + control (Kustomization) + - SOPS decryption with the Age post-quantum cipher + (Kustomization) + - Kubernetes Workload Identity authentication for OpenBao and + Vault (Kustomization) + - Helm post-render strategies, including chart hooks support + (HelmRelease) + - Literal mode for Helm values references mirroring helm + --set-literal (HelmRelease) + - Allow empty kind in CEL health check expressions + (Kustomization, HelmRelease) + - Git commit signing and verification with SSH keys + (GitRepository, ImageUpdateAutomation) + - AWS CodeCommit authentication using Workload Identity + (GitRepository) + - Custom Sigstore trusted root for keyless verification in + air-gapped environments (OCIRepository) + - Path pattern directory discovery for monorepos + (ArtifactGenerator) + - Secret-less, OIDC-secured webhook Receivers (Receiver) + * Components changelog + - source-controller v1.9.1 + - kustomize-controller v1.9.1 + - notification-controller v1.9.1 + - helm-controller v1.6.1 + - image-reflector-controller v1.2.1 + - image-automation-controller v1.2.1 + - source-watcher v2.2.1 + * CLI changelog + - Add backport label for Flux 2.8 by @matheuscscp in #5732 + - Remove no longer needed workaround for Flux 2.8 by + @matheuscscp in #5733 + - Update toolkit components by @fluxcdbot in #5740 + - Add missing things to release notes template by @matheuscscp + in #5743 + - ci: add top-level permissions to 
upgrade-fluxcd-pkg workflow + by @gaganhr94 in #5763 + - build(deps): bump the ci group across 1 directory with 11 + updates by @dependabot[bot] in #5764 + - Update fluxcd/pkg dependencies by @fluxcdbot in #5766 + - Update toolkit components by @fluxcdbot in #5769 + - Add target branch name to update branch by @matheuscscp in + #5773 + - Fix/resume exit code by @Aman-Cool in #5701 + - Mark RFC 0010, 0011 and 0012 as implemented by @stefanprodan + in #5776 + - Update toolkit components by @fluxcdbot in #5780 + - Add --resolve-symlinks flag to build and push artifact + commands by @rohansood10 in #5724 + - fix: validate --source flag in create kustomization command + by @gma1k in #5798 + - Update toolkit components by @fluxcdbot in #5821 + - Add --show-source to flux get ks and flux get hr by + @rafaelperoco in #5828 + - Add flux create secret receiver command by @stefanprodan in + #5835 + - fix: handle multiple symlinks to same target in build + artifact by @Iam-Karan-Suresh in #5833 + - Add --in-memory-build to flux build ks and flux diff ks by + @rycli in #5794 + - Migrate end-to-end test to latest cloud SDKs by @stefanprodan + in #5840 + - docs: Add AI Coding Assistants Guidance by @stefanprodan in + #5841 + - Add AI Agents guidance by @stefanprodan in #5847 + - [RFC-0013] Flux CLI Plugin System by @stefanprodan in #5795 + - Add --ignore-not-found to flux diff ks by @rycli in #5845 + - [RFC-0013] Implement plugin system by @stefanprodan in #5849 + - build(deps): bump github.com/go-git/go-git/v5 from 5.17.1 to + 5.18.0 by @dependabot[bot] in #5853 + - Update toolkit components by @fluxcdbot in #5856 + - Add digest pinning support to flux plugin install by + @Iam-Karan-Suresh in #5872 + - Add --ns-follows-kube-context global flag for using the + kubeconfig context namespace by @jtyr in #5831 + - include source-watcher in install.yaml manifests by @tmmorin + in #5881 + - Update toolkit components by @fluxcdbot in #5890 + - Update toolkit components by @fluxcdbot in 
#5903 + - Update fluxcd/pkg dependencies by @fluxcdbot in #5907 + - Validate Helm source URL schemes by @immanuwell in #5909 + - Introduce flux trigger receiver by @matheuscscp in #5908 + - refactor(api): migrate MakeDependsOn to shared apis/meta func + by @vecil in #5912 + - Update to Kubernetes 1.36 and Go 1.26 by @stefanprodan in + #5924 + - build(deps): bump the ci group across 1 directory with 19 + updates by @dependabot[bot] in #5925 + - Run conformance tests for Kubernetes 1.36 by @stefanprodan in + #5926 + - Add support for AWS CodeCommit to flux bootstrap git by + @taraspos in #5868 + - Validate plugin binary path by @stefanprodan in #5927 + - Update fluxcd/pkg dependencies by @fluxcdbot in #5928 + - fix: preserve invalid metadata.labels in flux build ks by + @raffis in #5906 + - build: target host arch for local builds/envtest by + @stealthybox in #5932 + - build(deps): bump the ci group with 6 updates by + @dependabot[bot] in #5938 + - Support specifing sparseCheckout in flux bootstrap by + @piny940 in #5918 + - Update toolkit components by @fluxcdbot in #5944 + - Honor ks.spec.postBuild.substituteStrategy by @matheuscscp in + #5945 + - Add DriftIgnoreRules support to flux diff kustomization by + @dipti-pai in #5923 + - Allow signing commits using SSH key by @hiddeco in #5920 + - Update toolkit components by @fluxcdbot in #5950 + - Update fluxcd/pkg dependencies by @fluxcdbot in #5937 + - cmd: support type!=status in get --status-selector by + @3uzbcqje in #5952 + - Fix flux get all --status-selector for empty results and + notification resources by @matheuscscp in #5954 + - Upgrade go-git-providers to v0.27.0 by @matheuscscp in #5956 + - Fix using Receiver adapter for ArtifactGenerator by + @matheuscscp in #5957 + - feat: Install Plugins alongside Flux setup in gh actions by + @gat786 in #5955 + - Update fluxcd/pkg dependencies by @fluxcdbot in #5960 + - Add CLI support for OCIRepository.spec.layerSelector in flux + create source oci by @dme86 in #5892 
+ - Update toolkit components by @fluxcdbot in #5963 + +------------------------------------------------------------------- Old: ---- flux2-cli-2.8.8.obscpio New: ---- flux2-cli-2.9.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ flux2-cli.spec ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:58.197308528 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:58.197308528 +0200 @@ -20,16 +20,16 @@ # check these versions on updates # see flux2/manifests/bases/*/kustomization.yaml -%define helm_controller_version v1.5.5 -%define image_automation_controller_version v1.1.4 -%define image_reflector_controller_version v1.1.2 -%define kustomize_controller_version v1.8.5 -%define notification_controller_version v1.8.4 -%define source_controller_version v1.8.5 -%define source_watcher_version v2.1.1 +%define helm_controller_version v1.6.1 +%define image_automation_controller_version v1.2.1 +%define image_reflector_controller_version v1.2.1 +%define kustomize_controller_version v1.9.1 +%define notification_controller_version v1.9.1 +%define source_controller_version v1.9.1 +%define source_watcher_version v2.2.1 Name: flux2-cli -Version: 2.8.8 +Version: 2.9.0 Release: 0 Summary: CLI for Flux2CD License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:58.301312052 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:58.309312323 +0200 
@@ -1,9 +1,9 @@ <services> <service name="obs_scm" mode="manual"> - <param name="url">https://github.com/fluxcd/flux2</param> + <param name="url">https://github.com/fluxcd/flux2.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v2.8.8</param> + <param name="revision">refs/tags/v2.9.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:58.333313137 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:58.337313272 +0200 @@ -1,6 +1,8 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/fluxcd/flux2</param> - <param name="changesrevision">1fd61a06264d71cf445ed55c4f14d401d26a1c64</param></service></servicedata> + <param name="changesrevision">1fd61a06264d71cf445ed55c4f14d401d26a1c64</param></service><service name="tar_scm"> + <param name="url">https://github.com/fluxcd/flux2.git</param> + <param name="changesrevision">dcc7def046cba2fe8d15d9737a4c250100f62fe0</param></service></servicedata> (No newline at EOF) ++++++ flux2-cli-2.8.8.obscpio -> flux2-cli-2.9.0.obscpio ++++++ ++++ 12611 lines of diff (skipped) ++++++ flux2-cli.obsinfo ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:59.325346753 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:59.333347025 +0200 @@ -1,5 +1,5 @@ name: flux2-cli -version: 2.8.8 -mtime: 1779274700 -commit: 1fd61a06264d71cf445ed55c4f14d401d26a1c64 +version: 2.9.0 +mtime: 1782824451 +commit: dcc7def046cba2fe8d15d9737a4c250100f62fe0 ++++++ helm-controller.crds.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:59.381348651 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:59.393349058 +0200 
@@ -2,11 +2,15 @@ kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.21.0 name: helmreleases.helm.toolkit.fluxcd.io spec: group: helm.toolkit.fluxcd.io names: + categories: + - all + - fluxcd + - fluxcd-appliers kind: HelmRelease listKind: HelmReleaseList plural: helmreleases @@ -243,16 +247,17 @@ references to HelmRelease resources that must be ready before this HelmRelease can be reconciled. items: - description: DependencyReference defines a HelmRelease dependency - on another HelmRelease resource. + description: |- + DependencyReference contains enough information to locate the referenced Kubernetes resource object + and optional CEL expression to assess its readiness. properties: name: description: Name of the referent. type: string namespace: description: |- - Namespace of the referent, defaults to the namespace of the HelmRelease - resource object that contains the reference. + Namespace of the referent, defaults to the namespace of the resource + object that contains the reference. type: string readyExpr: description: |- @@ -383,7 +388,6 @@ required: - apiVersion - current - - kind type: object type: array install: @@ -621,6 +625,18 @@ If not set, it defaults to true. type: boolean + postRenderStrategy: + description: |- + PostRenderStrategy defines the strategy for sending hooks to post-renderers. + Valid values are 'nohooks' (hooks not sent to post-renderers, Helm 3 behavior), + 'combined' (hooks and templates sent together, Helm 4 default), and 'separate' + (hooks and templates sent in separate streams, Helm 4.2 opt-in). + Defaults to 'combined', or 'nohooks' when the UseHelm3Defaults feature gate is enabled. + enum: + - nohooks + - combined + - separate + type: string postRenderers: description: |- PostRenderers holds an array of Helm PostRenderers, which will be applied in order 
@@ -906,6 +922,18 @@ description: Upgrade holds the configuration for Helm upgrade actions for this HelmRelease. properties: + chartNameChangeStrategy: + description: |- + ChartNameChangeStrategy defines the strategy to use when a Helm chart name changes. + Valid values are 'Reinstall' or 'InPlaceUpdate'. Defaults to 'Reinstall' if omitted. + + Reinstall: Reinstall the Helm release, uninstalling the existing Helm release. + + InPlaceUpdate: Update the Helm release in place. + enum: + - InPlaceUpdate + - Reinstall + type: string cleanupOnFail: description: |- CleanupOnFail allows deletion of new resources created during the Helm @@ -1068,6 +1096,17 @@ - Secret - ConfigMap type: string + literal: + description: |- + Literal marks this ValuesReference as a literal value. When set in + combination with TargetPath, the referenced value is merged at the target + path without interpreting Helm's `--set` syntax (commas, brackets, dots, + equal signs, etc.), mirroring the behavior of `helm --set-literal`. This + is the only safe way to inject arbitrary file content (config files, JSON + blobs, multi-line strings containing special characters) through + `valuesFrom`. Has no effect when TargetPath is empty: in that mode the + referenced value is always YAML-merged at the root. + type: boolean name: description: |- Name of the values referent. Should reside in the same namespace as the ++++++ helm-controller.deployment.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:59.421350007 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:59.425350142 +0200 @@ -28,7 +28,7 @@ valueFrom: fieldRef: fieldPath: metadata.namespace - image: fluxcd/helm-controller:v1.5.5 + image: fluxcd/helm-controller:v1.6.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: ++++++ image-automation-controller.crds.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:59.477351905 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:59.485352176 +0200 
@@ -2,11 +2,15 @@ kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.21.0 name: imageupdateautomations.image.toolkit.fluxcd.io spec: group: image.toolkit.fluxcd.io names: + categories: + - all + - fluxcd + - fluxcd-images kind: ImageUpdateAutomation listKind: ImageUpdateAutomationList plural: imageupdateautomations @@ -136,15 +140,28 @@ templating rendering. type: object signingKey: - description: SigningKey provides the option to sign commits - with a GPG key + description: |- + SigningKey provides the option to sign commits with an OpenPGP or + SSH signing key, referenced from a Secret. See SigningKey. properties: secretRef: description: |- - SecretRef holds the name to a secret that contains a 'git.asc' key - corresponding to the ASCII Armored file containing the GPG signing - keypair as the value. It must be in the same namespace as the + SecretRef references a Secret containing the signing key. For type + 'gpg', the Secret must contain a 'git.asc' (ASCII-armored OpenPGP + keypair) and may contain a 'passphrase'. For type 'ssh', the Secret + must contain an 'identity' (an SSH private key in any format + golang.org/x/crypto/ssh.ParsePrivateKey accepts; typically the + OpenSSH format produced by 'ssh-keygen') and may contain a 'password' + (the key's passphrase). The SSH conventions match the GitRepository + SSH transport-auth Secret format, allowing a single Secret to serve + both transport and signing when the ImageUpdateAutomation lives in + the same namespace as the GitRepository. + + The Secret itself must live in the same namespace as the ImageUpdateAutomation. + + Supported SSH key algorithms: ed25519, ecdsa-sha2-nistp256/384/521, + and rsa (>= 2048-bit). properties: name: description: Name of the referent. 
@@ -152,411 +169,15 @@ required: - name type: object - required: - - secretRef - type: object - required: - - author - type: object - push: - description: |- - Push specifies how and where to push commits made by the - automation. If missing, commits are pushed (back) to - `.spec.checkout.branch` or its default. - properties: - branch: - description: |- - Branch specifies that commits should be pushed to the branch - named. The branch is created using `.spec.checkout.branch` as the - starting point, if it doesn't already exist. - type: string - options: - additionalProperties: - type: string - description: |- - Options specifies the push options that are sent to the Git - server when performing a push operation. For details, see: - https://git-scm.com/docs/git-push#Documentation/git-push.txt---push-optionltoptiongt - type: object - refspec: - description: |- - Refspec specifies the Git Refspec to use for a push operation. - If both Branch and Refspec are provided, then the commit is pushed - to the branch and also using the specified refspec. - For more details about Git Refspecs, see: - https://git-scm.com/book/en/v2/Git-Internals-The-Refspec - type: string - type: object - required: - - commit - type: object - interval: - description: |- - Interval gives an lower bound for how often the automation - run should be attempted. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - policySelector: - description: |- - PolicySelector allows to filter applied policies based on labels. - By default includes all policies in namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. 
- type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - sourceRef: - description: |- - SourceRef refers to the resource giving access details - to a git repository. - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - default: GitRepository - description: Kind of the referent. - enum: - - GitRepository - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: |- - Suspend tells the controller to not run this automation, until - it is unset (or set to false). Defaults to false. - type: boolean - update: - default: - strategy: Setters - description: |- - Update gives the specification for how to update the files in - the repository. This can be left empty, to use the default - value. 
- properties: - path: - description: |- - Path to the directory containing the manifests to be updated. - Defaults to 'None', which translates to the root path - of the GitRepositoryRef. - type: string - strategy: - default: Setters - description: Strategy names the strategy to be used. - enum: - - Setters - type: string - type: object - required: - - interval - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: ImageUpdateAutomationStatus defines the observed state of - ImageUpdateAutomation - properties: - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastAutomationRunTime: - description: |- - LastAutomationRunTime records the last time the controller ran - this automation through to completion (even if no updates were - made). - format: date-time - type: string - lastHandledReconcileAt: - description: |- - LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value - can be detected. - type: string - lastPushCommit: - description: |- - LastPushCommit records the SHA1 of the last commit made by the - controller, for this automation object - type: string - lastPushTime: - description: LastPushTime records the time of the last pushed change. - format: date-time - type: string - observedGeneration: - format: int64 - type: integer - observedPolicies: - additionalProperties: - description: ImageRef represents an image reference. - properties: - digest: - description: Digest is the image's digest. - type: string - name: - description: Name is the bare image's name. - type: string - tag: - description: Tag is the image's tag. - type: string - required: - - name - - tag - type: object - description: |- - ObservedPolicies is the list of observed ImagePolicies that were - considered by the ImageUpdateAutomation update process. 
- type: object - observedSourceRevision: - description: |- - ObservedPolicies []ObservedPolicy `json:"observedPolicies,omitempty"` - ObservedSourceRevision is the last observed source revision. This can be - used to determine if the source has been updated since last observation. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .status.lastAutomationRunTime - name: Last run - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: v1beta2 ImageUpdateAutomation is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: ImageUpdateAutomation is the Schema for the imageupdateautomations - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ImageUpdateAutomationSpec defines the desired state of ImageUpdateAutomation - properties: - git: - description: |- - GitSpec contains all the git-specific definitions. 
This is - technically optional, but in practice mandatory until there are - other kinds of source allowed. - properties: - checkout: - description: |- - Checkout gives the parameters for cloning the git repository, - ready to make changes. If not present, the `spec.ref` field from the - referenced `GitRepository` or its default will be used. - properties: - ref: - description: |- - Reference gives a branch, tag or commit to clone from the Git - repository. - properties: - branch: - description: Branch to check out, defaults to 'master' - if no other field is defined. - type: string - commit: + type: description: |- - Commit SHA to check out, takes precedence over all reference fields. - - This can be combined with Branch to shallow clone the branch, in which - the commit is expected to exist. - type: string - name: - description: |- - Name of the reference to check out; takes precedence over Branch, Tag and SemVer. - - It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description - Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head" - type: string - semver: - description: SemVer tag expression to check out, takes - precedence over Tag. - type: string - tag: - description: Tag to check out, takes precedence over Branch. - type: string - type: object - required: - - ref - type: object - commit: - description: Commit specifies how to commit to the git repository. - properties: - author: - description: |- - Author gives the email and optionally the name to use as the - author of commits. - properties: - email: - description: Email gives the email to provide when making - a commit. - type: string - name: - description: Name gives the name to provide when making - a commit. + Type selects the signing-key format expected in the referenced + Secret. When empty, the controller defaults to 'gpg'. 
+ enum: + - gpg + - ssh type: string required: - - email - type: object - messageTemplate: - description: |- - MessageTemplate provides a template for the commit message, - into which will be interpolated the details of the change made. - Note: The `Updated` template field has been removed. Use `Changed` instead. - type: string - messageTemplateValues: - additionalProperties: - type: string - description: |- - MessageTemplateValues provides additional values to be available to the - templating rendering. - type: object - signingKey: - description: SigningKey provides the option to sign commits - with a GPG key - properties: - secretRef: - description: |- - SecretRef holds the name to a secret that contains a 'git.asc' key - corresponding to the ASCII Armored file containing the GPG signing - keypair as the value. It must be in the same namespace as the - ImageUpdateAutomation. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - secretRef type: object required: @@ -820,7 +441,7 @@ type: object type: object served: true - storage: false + storage: true subresources: status: {} ++++++ image-automation-controller.deployment.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:59.517353260 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:59.521353396 +0200 
@@ -28,7 +28,7 @@ valueFrom: fieldRef: fieldPath: metadata.namespace - image: fluxcd/image-automation-controller:v1.1.4 + image: fluxcd/image-automation-controller:v1.2.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: ++++++ image-reflector-controller.crds.yaml ++++++ ++++ 626 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/flux2-cli/image-reflector-controller.crds.yaml ++++ and /work/SRC/openSUSE:Factory/.flux2-cli.new.11887/image-reflector-controller.crds.yaml ++++++ image-reflector-controller.deployment.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:59.585355564 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:59.593355835 +0200 @@ -28,7 +28,7 @@ valueFrom: fieldRef: fieldPath: metadata.namespace - image: fluxcd/image-reflector-controller:v1.1.2 + image: fluxcd/image-reflector-controller:v1.2.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: ++++++ kustomize-controller.crds.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:59.637357326 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:59.653357869 +0200 @@ -2,11 +2,15 @@ kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.21.0 name: kustomizations.kustomize.toolkit.fluxcd.io spec: group: kustomize.toolkit.fluxcd.io names: + categories: + - all + - fluxcd + - fluxcd-appliers kind: Kustomization listKind: KustomizationList plural: kustomizations 
@@ -52,6 +56,20 @@ KustomizationSpec defines the configuration to calculate the desired state from a Source using Kustomize. properties: + buildMetadata: + description: |- + BuildMetadata specifies which kustomize build metadata should be added + to the built resources. The allowed values are 'originAnnotations' to + annotate resources with their source origin, and 'transformerAnnotations' + to annotate resources with the transformers that produced them. + items: + description: BuildMetadataOption defines the supported buildMetadata + options. + enum: + - originAnnotations + - transformerAnnotations + type: string + type: array commonMetadata: description: |- CommonMetadata specifies the common labels and annotations that are @@ -125,16 +143,17 @@ with references to Kustomization resources that must be ready before this Kustomization can be reconciled. items: - description: DependencyReference defines a Kustomization dependency - on another Kustomization resource. + description: |- + DependencyReference contains enough information to locate the referenced Kubernetes resource object + and optional CEL expression to assess its readiness. properties: name: description: Name of the referent. type: string namespace: description: |- - Namespace of the referent, defaults to the namespace of the Kustomization - resource object that contains the reference. + Namespace of the referent, defaults to the namespace of the resource + object that contains the reference. type: string readyExpr: description: |- @@ -187,7 +206,6 @@ required: - apiVersion - current - - kind type: object type: array healthChecks: 
@@ -216,6 +234,73 @@ - name type: object type: array + ignore: + description: |- + Ignore is a list of rules for specifying which changes to ignore + during drift detection. These rules are applied to the resources managed + by the Kustomization and are used to exclude specific JSON pointer paths + from the drift detection and apply process. + items: + description: |- + IgnoreRule defines a rule to selectively disregard specific changes during + the drift detection process. + properties: + paths: + description: |- + Paths is a list of JSON Pointer (RFC 6901) paths to be excluded from + consideration in a Kubernetes object. + items: + type: string + type: array + target: + description: |- + Target is a selector for specifying Kubernetes objects to which this + rule applies. + If Target is not set, the Paths will be ignored for all Kubernetes + objects within the manifest of the Kustomization. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - paths + type: object + type: array ignoreMissingComponents: description: |- IgnoreMissingComponents instructs the controller to ignore Components paths @@ -464,6 +549,19 @@ - name type: object type: array + substituteStrategy: + description: |- + SubstituteStrategy defines the strategy for substituting variables in the YAML manifests. + Valid values are: + + - WithVariables (the default): require at least one variable to be defined, + either through the inline map or through the resolved references to ConfigMaps + and Secrets. + - Always: perform the substitution even if no variables are defined. + enum: + - WithVariables + - Always + type: string type: object prune: description: Prune enables garbage collection. ++++++ kustomize-controller.deployment.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:59.733360580 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:59.757361393 +0200 
@@ -28,7 +28,7 @@ valueFrom: fieldRef: fieldPath: metadata.namespace - image: fluxcd/kustomize-controller:v1.8.5 + image: fluxcd/kustomize-controller:v1.9.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: ++++++ notification-controller.crds.yaml ++++++ ++++ 905 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/flux2-cli/notification-controller.crds.yaml ++++ and /work/SRC/openSUSE:Factory/.flux2-cli.new.11887/notification-controller.crds.yaml ++++++ notification-controller.deployment.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:59.845364375 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:59.849364511 +0200 @@ -60,7 +60,7 @@ valueFrom: fieldRef: fieldPath: metadata.namespace - image: fluxcd/notification-controller:v1.8.4 + image: fluxcd/notification-controller:v1.9.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: ++++++ source-controller.crds.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:55:59.913366679 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:55:59.961368306 +0200 @@ -2,11 +2,15 @@ kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.21.0 name: buckets.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io names: + categories: + - all + - fluxcd + - fluxcd-sources kind: Bucket listKind: BucketList plural: buckets @@ -384,14 +388,20 @@ kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.21.0 name: externalartifacts.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io names: + categories: + - all + - fluxcd + - fluxcd-sources kind: ExternalArtifact listKind: ExternalArtifactList plural: externalartifacts + shortNames: + - ea singular: externalartifact scope: Namespaced versions: 
@@ -575,11 +585,15 @@ kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.21.0 name: gitrepositories.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io names: + categories: + - all + - fluxcd + - fluxcd-sources kind: GitRepository listKind: GitRepositoryList plural: gitrepositories @@ -677,10 +691,11 @@ type: string provider: description: |- - Provider used for authentication, can be 'azure', 'github', 'generic'. + Provider used for authentication, can be 'aws', 'azure', 'github', 'generic'. When not specified, defaults to 'generic'. enum: - generic + - aws - azure - github type: string @@ -749,7 +764,7 @@ serviceAccountName: description: |- ServiceAccountName is the name of the Kubernetes ServiceAccount used to - authenticate to the GitRepository. This field is only supported for 'azure' provider. + authenticate to the GitRepository. This field is only supported for 'azure' and 'aws' providers. type: string sparseCheckout: description: |- @@ -797,7 +812,8 @@ secretRef: description: |- SecretRef specifies the Secret containing the public keys of trusted Git - authors. + authors. PGP public keys must be stored under keys with the .asc suffix, + and SSH public keys must be stored under keys with the .sshpub suffix. properties: name: description: Name of the referent. @@ -814,8 +830,9 @@ type: object x-kubernetes-validations: - message: serviceAccountName can only be set when provider is 'azure' - rule: '!has(self.serviceAccountName) || (has(self.provider) && self.provider - == ''azure'')' + or 'aws' + rule: '!has(self.serviceAccountName) || (has(self.provider) && (self.provider + == ''azure'' || self.provider == ''aws''))' status: default: observedGeneration: -1 
@@ -1057,11 +1074,15 @@ kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.21.0 name: helmcharts.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io names: + categories: + - all + - fluxcd + - fluxcd-sources kind: HelmChart listKind: HelmChartList plural: helmcharts @@ -1411,11 +1432,15 @@ kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.21.0 name: helmrepositories.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io names: + categories: + - all + - fluxcd + - fluxcd-sources kind: HelmRepository listKind: HelmRepositoryList plural: helmrepositories @@ -1732,11 +1757,15 @@ kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.21.0 name: ocirepositories.source.toolkit.fluxcd.io spec: group: source.toolkit.fluxcd.io names: + categories: + - all + - fluxcd + - fluxcd-sources kind: OCIRepository listKind: OCIRepositoryList plural: ocirepositories @@ -1971,6 +2000,19 @@ properties: name: description: Name of the referent. + type: string + required: + - name + type: object + trustedRootSecretRef: + description: |- + TrustedRootSecretRef specifies the Kubernetes Secret containing a + Sigstore trusted_root.json file. This enables verification against + self-hosted Sigstore infrastructure (custom Fulcio CA, self-hosted + Rekor instance). The Secret must contain a key named "trusted_root.json". + properties: + name: + description: Name of the referent. type: string required: - name ++++++ source-controller.deployment.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:56:00.061371695 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:56:00.093372779 +0200 
@@ -50,7 +50,7 @@ fieldPath: metadata.namespace - name: TUF_ROOT value: /tmp/.sigstore - image: fluxcd/source-controller:v1.8.5 + image: fluxcd/source-controller:v1.9.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: ++++++ source-watcher.crds.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:56:00.161375084 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:56:00.205376575 +0200 @@ -2,11 +2,15 @@ kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.19.0 + controller-gen.kubebuilder.io/version: v0.21.0 name: artifactgenerators.source.extensions.fluxcd.io spec: group: source.extensions.fluxcd.io names: + categories: + - all + - fluxcd + - fluxcd-sources kind: ArtifactGenerator listKind: ArtifactGeneratorList plural: artifactgenerators @@ -67,7 +71,10 @@ exclude: description: |- Exclude specifies a list of glob patterns to exclude - files and dirs matched by the 'From' field. + files and dirs matched by the 'From' field. Patterns are matched + against paths relative to the source alias root or to the non-glob + prefix of 'From'. Patterns without a separator (e.g. "*.md") match + the file name at any depth. items: type: string maxItems: 100 @@ -75,8 +82,10 @@ from: description: |- From specifies the source (by alias) and the glob pattern to match files. - The format is "@<alias>/<glob-pattern>". + The format is "@<alias>/<glob-pattern>". When pathPattern is set, + the path may use capture placeholders such as "{app}". maxLength: 1024 + minLength: 1 pattern: ^@([a-z0-9]([a-z0-9_-]*[a-z0-9])?)/(.*)$ type: string strategy: 
@@ -97,8 +106,10 @@ description: |- To specifies the destination path within the artifact. The format is "@artifact/path", the alias "artifact" - refers to the root path of the generated artifact. + refers to the root path of the generated artifact. When pathPattern + is set, the path may use capture placeholders such as "{app}". maxLength: 1024 + minLength: 1 pattern: ^@(artifact)/(.*)$ type: string required: @@ -108,9 +119,11 @@ minItems: 1 type: array name: - description: Name is the name of the generated artifact. + description: |- + Name is the name of the generated artifact. + When pathPattern is set, this field may use capture placeholders such as "{app}". maxLength: 253 - pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + minLength: 1 type: string originRevision: description: |- @@ -138,6 +151,31 @@ maxItems: 1000 minItems: 1 type: array + commonMetadata: + description: |- + CommonMetadata specifies the common labels and annotations that are + applied to all resources. Any existing label or annotation will be + overridden if its key matches a common one. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to be added to the object's metadata. + type: object + labels: + additionalProperties: + type: string + description: Labels to be added to the object's metadata. + type: object + type: object + pathPattern: + description: |- + PathPattern specifies a directory traversal pattern to match within the sources. + The format is "@<alias>/<pattern>". Named captures in the pattern (e.g. "{app}") + can be used as placeholders in OutputArtifacts fields. + maxLength: 1024 + pattern: ^@([a-z0-9]([a-z0-9_-]*[a-z0-9])?)/(.*)$ + type: string sources: description: |- Sources is a list of references to the Flux source-controller 
@@ -189,6 +227,11 @@ - artifacts - sources type: object + x-kubernetes-validations: + - message: artifact names must be valid Kubernetes object names when pathPattern + is not set + rule: has(self.pathPattern) && size(self.pathPattern) > 0 || self.artifacts.all(a, + a.name.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$')) status: description: ArtifactGeneratorStatus defines the observed state of ArtifactGenerator. properties: ++++++ source-watcher.deployment.yaml ++++++ --- /var/tmp/diff_new_pack.wjiEoR/_old 2026-07-01 16:56:00.277379015 +0200 +++ /var/tmp/diff_new_pack.wjiEoR/_new 2026-07-01 16:56:00.297379692 +0200 @@ -48,7 +48,7 @@ valueFrom: fieldRef: fieldPath: metadata.namespace - image: fluxcd/source-watcher:v2.1.1 + image: fluxcd/source-watcher:v2.2.1 imagePullPolicy: IfNotPresent livenessProbe: httpGet: ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/flux2-cli/vendor.tar.gz /work/SRC/openSUSE:Factory/.flux2-cli.new.11887/vendor.tar.gz differ: char 14, line 1
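Review bot: in the Kustomization `ignore` hunk (`@@ -216,6 +234,73 @@`), `paths` is required but the array has no `minItems` and its items are unconstrained strings, so `paths: []` and strings that are not RFC 6901 pointers both pass schema validation. A rule without `target` applies to every object in the Kustomization and removes the listed paths from both drift detection and apply, so a malformed rule should be rejected at admission. Suggest `minItems: 1` on `paths` and an item `pattern` that requires a leading `/`, which also rules out the empty pointer that would address the whole object.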
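Review bot: the `substituteStrategy` description in `@@ -464,6 +549,19 @@` does not say what `Always` does with a variable reference in the manifests that has no defined value. Because `Always` runs the substitution "even if no variables are defined", every reference is undefined in that case, and the reader cannot tell whether the build fails or the reference is replaced with an empty string. Suggest adding one sentence to the `Always` bullet that states the outcome.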
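Review bot: the `image:` line in the kustomize-controller.deployment.yaml hunk (`@@ -28,7 +28,7 @@`) references `fluxcd/kustomize-controller:v1.9.1` by tag only, next to `imagePullPolicy: IfNotPresent`; the notification-controller, source-controller and source-watcher deployment hunks have the same form. A tag can be re-pointed at the registry and a node that already holds the tag will not pull again, so the manifest does not fix which image content runs. Suggest pinning each image as `v1.9.1@sha256:<digest>` with the digest taken from the upstream release.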
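Review bot: the `secretRef` description in the GitRepository hunk `@@ -797,7 +812,8 @@` now requires the `.asc` suffix for PGP keys and `.sshpub` for SSH keys, but does not say how Secret entries with any other key name are treated. For a field that holds the public keys of trusted Git authors, the difference between "ignored", "rejected" and "parsed as PGP" decides whether an existing Secret keeps verifying commits after the upgrade. Suggest stating the behaviour for unsuffixed keys in the description.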
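Review bot: the `trustedRootSecretRef` description in the OCIRepository hunk `@@ -1971,6 +2000,19 @@` does not state whether the supplied `trusted_root.json` replaces the default trust root or is used in addition to it, nor what happens when the Secret lacks the `trusted_root.json` key. This Secret defines which Fulcio CA and Rekor instance are accepted during verification, so write access to it is equivalent to control over the verification result. Suggest documenting the replace-or-merge semantics and the failure mode for a missing key.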
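Review bot: in the ArtifactGenerator `name` hunk (`@@ -108,9 +119,11 @@`), the `pattern` is removed and only `minLength: 1` is added, so once `pathPattern` is set nothing in the schema constrains the characters of `name`. The description allows placeholders such as `{app}`, which explains why the old pattern had to go, but uppercase letters, slashes and whitespace are now accepted as well. Suggest a relaxed `pattern` that permits lowercase alphanumerics, `-`, `.` and `{...}` placeholders, and validating the expanded name as a Kubernetes object name before it is used.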
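Review bot: the new `pathPattern` field in `@@ -138,6 +151,31 @@` is validated only by `^@([a-z0-9]([a-z0-9_-]*[a-z0-9])?)/(.*)$`, where `(.*)` accepts any remainder, including an empty one and `..` segments. The description also does not say which characters a named capture such as `{app}` can match, although the captured value is substituted into `name`, `from` and `to`. Suggest documenting that the pattern is resolved inside the source alias root and that a capture matches a single path segment, or tightening the regex to express that.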
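Review bot: the CEL rule added in `@@ -189,6 +227,11 @@` mixes `&&` and `||` without parentheses and depends on operator precedence to read as "pathPattern is set, or all names are valid"; suggest `(has(self.pathPattern) && size(self.pathPattern) > 0) || self.artifacts.all(...)`. The regex in the rule also accepts dot-separated names, while the `pattern` removed from `name` earlier in this file accepted a single label only, so names with dots now pass even when `pathPattern` is not set. If that widening is intended, the `name` description should mention it.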
