Release date: 2026-03-16
This patch release fixes templating errors for charts that include
--- in the content, e.g. YAML separators, embedded scripts, CAs
inside ConfigMaps, etc. Some of the errors that could be encountered
due to this issue are:
- invalid document separator: ---apiVersion: v1
- wrong node kind
Fixes:
- Fix multi-doc parser of --- for post renderers #1442
Release date: 2026-03-12
This patch release fixes reconciliation queue behavior for source watch events
while a HelmRelease is already reconciling the watched revision. It also comes
with Helm 4.1.3, which fixes a Go templates bug where the YAML document separator
--- could be concatenated to apiVersion as ---apiVersion, and introduces
the DefaultToRetryOnFailure feature gate to improve the experience when
CancelHealthCheckOnNewRevision is enabled by ensuring canceled HelmReleases
do not get stuck when no retry strategy is configured.
Fixes:
- Fix enqueuing the same revision while reconciling #1430
Improvements:
Release date: 2026-02-27
This patch release fixes health check logic for StatefulSets during rolling updates when the Pods are Pending/Unschedulable.
Fixes:
- Fix health check logic for StatefulSets during rolling updates #1424
Improvements:
Release date: 2026-02-20
This minor release comes with Helm v4 support, server-side apply for Helm releases, and various bug fixes and improvements.
v2beta2 APIs were removed. Before upgrading the CRDs, Flux users
must run flux migrate to
migrate the cluster storage off v2beta2.
The controller now uses Helm v4, and, with this change, new default behaviors are being introduced (breaking changes) to keep Flux and Helm aligned:
- Apply method is now defaulting to server-side apply for new HelmReleases.
- Health checks now default to using kstatus for assessing readiness and failures of applied resources.
Those defaults can be changed back to Helm v3's defaults by setting the
feature gate UseHelm3Defaults. Alternatively, fine-tuning the apply
and health check methods is also possible on a per-HelmRelease basis by
using the following fields:
- .spec.install.serverSideApply (boolean, default defined by UseHelm3Defaults)
- .spec.upgrade.serverSideApply (enabled, disabled or auto, defaults to auto)
- .spec.rollback.serverSideApply (enabled, disabled or auto, defaults to auto)
- .spec.waitStrategy.name (poller or legacy, default defined by UseHelm3Defaults)
Note that Helm persists the apply method in the release storage, hence
why the auto value is an option for upgrade and rollback actions. When
set to auto, the controller will reuse the apply method used in the last
successful release revision as recorded in the Helm storage, defaulting
to client-side apply. This means that existing HelmReleases will continue
to use client-side apply until their .spec is updated with
.spec.{upgrade|rollback}.serverSideApply: enabled.
The poller health check strategy uses kstatus to check the status
of applied resources, while the legacy strategy uses Helm v3's
built-in health checking behavior.
The controller now can be configured to cancel in-progress health checks when a new
reconciliation request is received, reducing the mean time to recovery (MTTR) in case
of failed deployments. This feature is enabled by the CancelHealthCheckOnNewRevision
feature gate. Note that enabling this feature gate will not cancel apply operations,
and will only cancel health checks for managed resources. Waiting for Helm hooks and
tests will not be cancelled. Note also that this feature is only available with the
poller health check strategy.
Still on the health check subject, custom health checks via CEL expressions
are now supported for HelmRelease via the .spec.healthCheckExprs field,
similar to the Kustomization API. Please see the
CEL cheatsheet
for more information.
The --override-manager=<manager> flag has been added for server-side apply drift
detection and correction. This flag can be passed multiple times. Note that drift
detection and correction in helm-controller is completely unrelated to Helm v4's
server-side apply support, and was implemented long before Helm v4 was released.
The DirectSourceFetch feature gate has been introduced for bypassing the cache
when fetching source objects on reconciliations.
For improved observability, inventory tracking has been added via
.status.inventory. Hooks and tests are not tracked in this field.
Only resources present in the Helm storage and CRDs are tracked.
Also for improved observability, the controller now tracks the action (install,
upgrade, rollback, uninstall, uninstall-remediation) in snapshots:
.status.history[].action.
In addition, the Kubernetes dependencies have been updated to v1.35.0, Kustomize has been updated to v5.8.1 and the controller is now built with Go 1.26.
Fixes:
- Fix state when configuration set back to current state following upgrade failure #1369
- Fix waiting and erroring out on garbage-collected Jobs #1402
- Fix controller not reconciling conditions for in-sync release #1411
- Fix postRenderers not causing new upgrade when applied during ongoing upgrade #1412
Improvements:
- Upgrade Helm to v4 #1383 #1403
- Add ServerSideApply field to HelmRelease API #1384
- Add .status.inventory to track managed objects #1385
- Add support for custom health checks via CEL expressions #1389
- Add --override-manager flag for server-side apply drift detection #1365
- Reduce the mean time to recovery (MTTR) in case of failed deployments #1392
- Track action in snapshots #1399
- Add DirectSourceFetch feature gate to bypass cache for source objects #1407
- Remove deprecated APIs in group helm.toolkit.fluxcd.io/v2beta2 #1404
- Remove adoption of resources in old API versions #1396
- Remove duplicated struct json tag #1377
- Various dependency updates #1395 #1406 #1408 #1410
Release date: 2025-11-27
This patch release fixes the HelmRelease .status.history
filling up etcd when the RetryOnFailure strategy is used.
Fixes:
- Fix history truncation logic for RetryOnFailure #1360
Release date: 2025-11-19
This patch release fixes the error no URLLoader registered and
Azure Workload Identity in Azure China Cloud. It also adds a
feature gate to disable the ConfigMap and Secret watchers,
DisableConfigWatchers.
Improvements:
- Add feature gate for disabling config watchers #1353
- Upgrade k8s to 1.34.2, c-r to 0.22.4 and helm to 3.19.2 #1350
- Upgrade Helm to 3.19.1 #1346
Release date: 2025-10-28
This patch release comes with various fixes and improvements.
Fixes:
- Fix status reporting for RetryOnFailure strategy #1338
Improvements:
- Allow fetching charts from a local source-watcher #1341
Release date: 2025-10-08
This patch release comes with various dependency updates.
The controller is now built with Go 1.25.2 which includes fixes for vulnerabilities in the Go stdlib: CVE-2025-58183, CVE-2025-58188 and many others. The full list of security fixes can be found here.
Improvements:
- Update dependencies to Kubernetes v1.34.1 and Go 1.25.2 #1329
Release date: 2025-10-06
This patch release fixes the controller setting the Ready
condition to Unknown redundantly during reconciliation.
Fixes:
- Remove redundant Ready condition setter #1323
- Fix docs example for kubeconfig workload identity #1315
Release date: 2025-09-25
This minor release comes with various bug fixes and improvements.
v2beta1 APIs were removed. Before upgrading the CRDs, Flux users
must run flux migrate to
migrate the cluster storage off v2beta1.
The controller now supports ExternalArtifact Helm chart sources
under the feature gate ExternalArtifact.
A new RetryOnFailure strategy has been added for automatic
retries on Helm release failures.
Dependencies can now be evaluated using CEL expressions via the new
readyExpr field, providing more flexible and powerful dependency
readiness checks.
Support for workload identity authentication has been added for remote clusters.
This is supported both at the controller and object levels. For object-level,
enable the feature gate ObjectLevelWorkloadIdentity.
In addition, the Kubernetes dependencies have been updated to v1.34, Helm has been updated to v3.19 and various other controller dependencies have been updated to their latest version. The controller is now built with Go 1.25.
Fixes:
- Fix continuous drift due to unstable hashing of values #1267
- Fix watch index conflict between HelmChart and OCIRepository kinds #1266
- Fix requeue interval for SourceNotReady #1276
Improvements:
- [RFC-0010] Add workload identity auth for remote clusters #1249
- [RFC-0010] Support all Azure clouds for remote clusters #1262
- [RFC-0010] Add multi-tenancy lockdown for kubeconfig #1284
- [RFC-0010] Add object-level configuration validation #1286
- [RFC-0012] Add ExternalArtifact feature gate and reconciliation support #1293
- [RFC-0012] Add support for ExternalArtifact revision with digest #1296
- Remove deprecated helm.toolkit.fluxcd.io/v2beta1 API group #1280
- Add RetryOnFailure lifecycle management strategy #1281
- Add CEL expressions for dependency readiness checks with readyExpr field #1271
- Add label selector for watching ConfigMaps and Secrets #1258
- Add common labels and annotations support with Kustomize post-renderer #1223
- Record last Helm release action duration in status #1282
- CI improvements with fluxcd/gha-workflows #1305 #1307
- Various dependency updates #1304 #1247 #1297
Release date: 2025-05-28
This minor release comes with various bug fixes and improvements.
The controller now supports the DisableChartDigestTracking feature gate,
which allows disabling appending the digest of OCI Helm charts to the
chart version. This is useful for charts that do not follow Helm's
recommendation of using the app version instead of the chart version
as a label in the manifests.
In addition, the Kubernetes dependencies have been updated to v1.33, Helm has been updated to v3.17.3 and various other controller dependencies have been updated to their latest version. The controller is now built with Go 1.24.
Fixes:
- Fix returning wrong error value in Kubernetes HTTP client #1188
Improvements:
- Add DisableChartDigestTracking feature gate #1212
- Various dependency updates #1227 #1221 #1220 #1218 #1206 #1209 #1204
Release date: 2025-02-19
This minor release comes with various bug fixes and improvements.
In addition, the Kubernetes dependencies have been updated to v1.32.1, Helm has been updated to v3.17.1 and various other controller dependencies have been updated to their latest version.
Fixes:
- Replace _ with + when verifying the chart version matches the OCI artifact tag #1102
- fix: handle "leader changed" errors #1084
- Make ValuesReference an alias for backwards compat #1126
- Fix install and upgrade applying subchart CRDs when condition is false #1123
- fix: use HelmRelease max history for rollback remediation #1169
Improvements:
- Refactor values composition to use pkg/chartutil #1122
- docs: Rendering the final Values locally #1127
- Add disableTakeOwnership to Helm install/upgrade actions #1140
- Various dependency updates #1103 #1121 #1129 #1142 #1160 #1158 #1165 #1168 #1171 #1167 #1173 #1170
Release date: 2024-09-26
This minor release comes with various bug fixes and improvements.
The chart values schema
validation can now be disabled for install and upgrade actions by setting
disableSchemaValidation under .spec.install and .spec.upgrade of a
HelmRelease object.
HelmReleases that result in failure during uninstall will now be retried until the uninstall succeeds without any error. See handling failed uninstall docs for various remediations based on the cause of the failure.
helm-controller in sharded deployment configuration now supports cross-shard dependency check. This allows a HelmRelease to depend on other HelmReleases managed by different controller shards.
In addition, the Kubernetes dependencies have been updated to v1.31.1, Helm has been updated to v3.16.1 and various other controller dependencies have been updated to their latest version. The controller is now built with Go 1.23.
Fixes:
- fix: remove digest check to never ignore helm uninstall errors #1024
- Allow overwriting inline values with targetPath #1060
- Fix incorrect use of format strings with the conditions package #1025
- Re-enable logging json patch on StatusDrifted #1010
- Ignore 'v' version prefix in OCI artifact and Helm chart #990
- doc: fix HelmRelease default value for .spec.upgrade.crds #986
Improvements:
- Allow cross-shard dependency check #1070
- Add disableSchemaValidation to Helm install/upgrade actions #1068
- Update Helm to v3.16.1 and enable the adoption of existing resources #1062
- Build with Go 1.23 #1049
- Various dependency updates #987 #991 #994 #1004 #1046 #1048 #1052 #1064 #1072 #1073
Release date: 2024-05-10
This patch release fixes a backwards compatibility issue that could occur when trying
to move from the v2beta1 to v2 API while specifying .spec.chartRef.
Fixes:
- Fix: Allow upgrading from v2beta1 to v2 (GA) #982
- Fix: Make HelmChartTemplate a pointer in .spec.chart #980
Release date: 2024-05-08
This is the general availability release of helm-controller. From now on, this controller follows the Flux release cadence and support pledge.
This release promotes the HelmRelease API from v2beta2 to v2 (GA), and
comes with new features, improvements and bug fixes.
In addition, the controller has been updated to Kubernetes v1.30.0, Helm v3.14.4, and various other dependencies to their latest version to patch upstream CVEs.
The helm.toolkit.fluxcd.io/v2 API comes with a new field
.spec.chartRef
that adds support for referencing OCIRepository and HelmChart objects in a HelmRelease.
When using .spec.chartRef instead of .spec.chart, the controller allows the reuse
of a Helm chart version across multiple HelmRelease resources.
The notification mechanism has been improved to provide more detailed metadata
in the notification payload. The controller now annotates the Kubernetes events with
the appVersion and version of the Helm chart, and the oci digest of the
chart artifact when available.
Starting with this version, the recommended way of referencing Helm charts stored in container registries is through OCIRepository.
The OCIRepository provides more flexibility in managing Helm charts,
as it allows targeting a Helm chart version by tag, semver or OCI digest.
It also provides a way to
filter semver tags,
allowing targeting a specific version range e.g. pre-releases only, patch versions, etc.
Using OCIRepository objects instead of HelmRepository and HelmChart objects
improves the controller's performance and simplifies the debugging process.
If a chart version gets overwritten in the container registry, the controller
will detect the change in the upstream OCI digest and reconcile the HelmRelease
resources accordingly.
Promoting
a Helm chart version to production can be done by pinning the OCIRepository
to an immutable digest, ensuring that the chart version is not changed unintentionally.
Helm OCI example:
```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: podinfo
  namespace: default
spec:
  interval: 10m
  layerSelector:
    mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
    operation: copy
  url: oci://ghcr.io/stefanprodan/charts/podinfo
  ref:
    semver: "*"
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: podinfo
  namespace: default
spec:
  interval: 10m
  chartRef:
    kind: OCIRepository
    name: podinfo
```
The helm.toolkit.fluxcd.io CRD contains the following versions:
- v2 (storage version)
- v2beta2 (deprecated)
- v2beta1 (deprecated)
New optional fields have been added to the HelmRelease API:
- .spec.chartRef allows referencing chart artifacts from OCIRepository and HelmChart objects.
- .spec.chart.spec.ignoreMissingValuesFiles allows ignoring missing values files instead of failing to reconcile.
Deprecated fields have been removed from the HelmRelease API:
- .spec.chart.spec.valuesFile replaced by .spec.chart.spec.valuesFiles
- .spec.postRenderers.kustomize.patchesJson6902 replaced by .spec.postRenderers.kustomize.patches
- .spec.postRenderers.kustomize.patchesStrategicMerge replaced by .spec.postRenderers.kustomize.patches
- .status.lastAppliedRevision replaced by .status.history.chartVersion

- Before upgrading the controller, ensure that the HelmRelease v2beta2 manifests stored in Git are not using the deprecated fields. Search for valuesFile and replace it with valuesFiles, replace patchesJson6902 and patchesStrategicMerge with patches. Commit and push the changes to the Git repository, then wait for Flux to reconcile the changes.
- Upgrade the controller and CRDs to v1.0.0 on the cluster using Flux v2.3 release. Note that helm-controller v1.0.0 requires source-controller v1.3.0.
- Update the apiVersion field of the HelmRelease resources to helm.toolkit.fluxcd.io/v2, commit and push the changes to the Git repository.
Bumping the API version in manifests can be done gradually. It is advised to not delay this procedure as the beta versions will be removed after 6 months.
Improvements:
- Add the chart app version to status and events metadata #968
- Promote HelmRelease API to v2 (GA) #963
- Add .spec.ignoreMissingValuesFiles to HelmChartTemplate API #942
- Update HelmChart API to v1 (GA) #962
- Update dependencies to Kubernetes 1.30.0 #944
- Add support for HelmChart to .spec.chartRef #945
- Add support for OCIRepository to .spec.chartRef #905
- Update dependencies to Kustomize v5.4.0 #932
- Add notation verification provider to API #930
- Update controller to Helm v3.14.3 and Kubernetes v1.29.0 #879
- Update controller-gen to v0.14.0 #910
Fixes:
- Track changes in .spec.postRenderers #965
- Update Ready condition during drift correction #885
- Fix patching on drift detection #935
- Use corev1 event type for sending events #908
- Reintroduce missing events for helmChart reconciliation failures #907
- Remove genclient:Namespaced tag #901
Release date: 2024-02-05
This prerelease comes with improvements in the HelmRelease status reporting. After recovering from a reconciliation failure, sometimes the status may show stale conditions which could be misleading. This has been fixed by ensuring that the stale failure conditions get updated after failure recovery.
Improvements:
Release date: 2024-02-01
This prerelease comes with an update to the Kubernetes dependencies to v1.28.6 and various other dependencies have been updated to their latest version to patch upstream CVEs.
In addition, the controller is now built with Go 1.21.
Improvements:
- ci: Enable dependabot gomod updates #874
- Update Go to 1.21 #872
- Various dependency updates #882 #877 #876 #871 #867 #865 #862 #860
This prerelease fixes a bug that resulted in the controller not being able to properly watch HelmRelease resources with specific labels.
Fixes:
- Properly configure namespace selector #858
Improvements:
- build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 #856
This prerelease fixes a backwards compatibility issue that could occur when
trying to move from the v2beta1 to v2beta2 API while enabling drift
detection.
In addition, logging has been improved to provide faster feedback on any
HTTP errors encountered while fetching HelmChart artifacts, and the controller
will now set the Stalled condition as soon as it detects that it is out of retries
without having to wait for the next reconciliation.
Lastly, Helm has been updated to v3.13.3.
Fixes:
Improvements:
- loader: log HTTP errors to provide faster feedback #845
- Update runtime to v0.43.3 #846
- Early stall condition detection after remediation #848
- Update Helm to v3.13.3 #849
Release date: 2023-12-12
This prerelease promotes the HelmRelease API from v2beta1 to v2beta2.
The promotion of the API is accompanied by a number of new features and bug
fixes. Refer to the highlights section below for more information.
In addition to the API promotion, this prerelease updates the controller dependencies to their latest versions, making the controller compatible with Kubernetes v1.28.x, while updating the Helm library to v3.13.2, and the builtin version of Kustomize used for post-rendering to v5.3.0.
Lastly, the base controller image has been updated to Alpine v3.19.
The upgrade is backwards compatible, and the controller will continue to
reconcile HelmRelease resources of the v2beta1 API without requiring any
changes. However, making use of the new features requires upgrading the API
version.
- Drift detection and correction is now enabled on a per-release basis using the .spec.driftDetection.mode field. Refer to the drift detection section in the v2beta2 specification for more information.
- Ignoring specific fields during drift detection and correction is now supported using the .spec.driftDetection.ignore field. Refer to the ignore rules section in the v2beta2 specification to learn more.
- Helm tests can now be selectively run using the .spec.test.filters field. Refer to the test filters section in the v2beta2 specification for more details.
- The controller now offers proper integration with kstatus and sets Reconciling and Stalled conditions. See the Conditions section in the v2beta2 specification to read more about the conditions.
- The .spec.maxHistory default value has been lowered from 10 to 5 to increase the controller's performance.
- A history of metadata from Helm releases up to the previous successful release is now available in the .status.history field. This includes any Helm test results when enabled.
- The .patchesStrategicMerge and .patchesJson6902 Kustomize post-rendering fields have been deprecated in favor of .patches.
- A .status.lastAttemptedConfigDigest field has been introduced to track the last attempted configuration digest using a hash of the composed values.
- A .status.lastAttemptedReleaseAction field has been introduced to accurately determine the active remediation strategy.
- The .status.lastHandledForceAt and .status.lastHandledResetAt fields have been introduced to track the last time a force upgrade or reset was handled. This is to accommodate newly introduced annotations to force upgrades and resets.
- The .status.lastAppliedRevision and .status.lastReleaseRevision fields have been deprecated in favor of .status.history.
- The .status.lastAttemptedValuesChecksum has been deprecated in favor of .status.lastAttemptedConfigDigest.
Although the v2beta1 API is still supported, it is recommended to upgrade to
the v2beta2 API as soon as possible. The v2beta1 API will be removed after
6 months.
To upgrade to the v2beta2 API, update the apiVersion field of your
HelmRelease resources to helm.toolkit.fluxcd.io/v2beta2 after updating the
controller and Custom Resource Definitions.
- The reconciliation model of the controller has been improved to be able to better determine the state a Helm release is in. An example of this is that enabling Helm tests will not require a Helm upgrade to be run, but instead will run immediately if the release is in a deployed state already.
- The controller will detect Helm releases in a pending-install, pending-upgrade or pending-rollback state, and will forcefully unlock the release (to a failed state) to allow the controller to reattempt the release.
- When drift correction is enabled, the controller will now attempt to correct drift it detects by creating and patching Kubernetes resources instead of running a Helm upgrade.
- The controller emits more detailed Kubernetes Events after running a Helm action. In addition, the controller will now emit a Kubernetes Event when a Helm release is uninstalled.
- The controller provides richer Condition messages before and after running a Helm action.
- Changes to a HelmRelease .spec which require a Helm uninstall for the changes to be successfully applied are now detected. For example, a change in .spec.targetNamespace or .spec.releaseName.
- When the release name exceeds the maximum length of 53 characters, the controller will now truncate the release name to 40 characters and append a short SHA256 hash of the release name prefixed with a - to ensure the release name is unique.
- New annotations have been introduced to force a Helm upgrade or to reset the number of retries for a release. Refer to the forcing a release and resetting remediation retries sections in the v2beta2 specification for more information.
- The digest algorithm used to calculate the digest of the composed values and hash of the release object can now be configured using the --snapshot-digest-algo controller flag. The default value is sha256.
- When the HelmChart resource for a HelmRelease is not Ready, the Conditions of the HelmRelease will now contain more detailed information about the reason.
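The release-name shortening rule from the list above, as an added Go sketch that is not the controller's own code, compared with plain truncation to show why the hash is needed to keep two long names from mapping to the same Helm release. It assumes the short hash is the 12 hex characters that fill the space left by the 40-character prefix and the - separator; the function names and sample names are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const (
	maxNameLen = 53 // maximum release name length stated in the notes
	prefixLen  = 40 // characters of the original name that are kept
	// Assumption: the "short" hash fills what is left after the prefix
	// and the "-" separator (53 - 40 - 1 = 12 hex characters).
	shortHashLen = maxNameLen - prefixLen - 1
)

// ShortenName returns name unchanged when it fits. Otherwise it returns the
// first 40 bytes, a "-", and a short SHA-256 hash of the full original name.
// Release names are ASCII, so slicing by byte is safe here.
func ShortenName(name string) string {
	if len(name) <= maxNameLen {
		return name
	}
	sum := sha256.Sum256([]byte(name))
	return name[:prefixLen] + "-" + hex.EncodeToString(sum[:])[:shortHashLen]
}

// PlainTruncate is the naive alternative: cut at the limit, no hash.
func PlainTruncate(name string) string {
	if len(name) <= maxNameLen {
		return name
	}
	return name[:maxNameLen]
}

// Collisions applies shorten to every name and returns only the shortened
// names that two or more distinct inputs map to.
func Collisions(names []string, shorten func(string) string) map[string][]string {
	seen := map[string][]string{}
	for _, n := range names {
		s := shorten(n)
		seen[s] = append(seen[s], n)
	}
	for s, inputs := range seen {
		if len(inputs) < 2 {
			delete(seen, s)
		}
	}
	return seen
}

// sampleNames returns constructed release names: two long ones that differ
// only after character 60, and one short name.
func sampleNames() []string {
	base := "platform-observability-prometheus-stack-eu-west-1-production"
	return []string{base + "-blue", base + "-green", "podinfo"}
}

func main() {
	names := sampleNames()
	for _, n := range names {
		fmt.Printf("%-68s -> %s\n", n, ShortenName(n))
	}
	fmt.Println("collisions with plain truncation:", len(Collisions(names, PlainTruncate)))
	fmt.Println("collisions with prefix + hash:   ", len(Collisions(names, ShortenName)))
}
```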
To get a full overview of all changes and see examples of the new features, please refer to the v2beta2 specification.
Improvements:
- Update dependencies #791 #792 #799 #812
- Update source-controller dependency to v1.2.1 #793 #835
- Rework HelmRelease reconciliation logic #738 #816 #825 #829 #830 #833 #836
- Update Kubernetes 1.28.x, Helm v3.13.2 and Kustomize v5.3.0 #817 #839
- Allow configuration of drift detection on HelmRelease #815
- Allow configuration of snapshot digest algorithm #818
- Remove obsolete code and tidy things #819
- Add deprecation warning to v2beta1 API #821
- Correct cluster drift using patches #822
- Introduce forceAt and resetAt annotations #823
- doc/spec: document v2beta2 API #828
- api: deprecate strategic merge and JSON 6902 patches #832
- controller: enrich "HelmChart not ready" messages #834
- build: update Alpine to 3.19 #838
Release date: 2023-10-11
This prerelease contains an improvement to retry the reconciliation of a
HelmRelease as soon as the chart is available in storage, instead of waiting
for the next reconciliation interval, which is particularly useful when the
source-controller has just been upgraded.
In addition, it fixes a bug in which the controller would not properly label Custom Resource Definitions.
Fixes:
- runner: ensure CRDs are properly labeled #781
- fix: retry failed releases when charts are available in storage #785
Improvements:
- Address typo in documentation #777
- Update CI dependencies #783 #786
- Address miscellaneous issues throughout code base #788
Release date: 2023-09-18
This prerelease addresses a regression in which the captured Helm logs used in a failure event would not include Helm's Kubernetes client logs, making it more difficult to reason about e.g. timeout errors.
In addition, it contains a fix for the default service account used for the (experimental) differ, and dependency updates of several dependencies.
Fixes:
- runner: address regression in captured Helm logs #767
- Check source for nil artifact before loading chart #768
- controller: use DefaultServiceAccount in differ #774
Improvements:
- build(deps): bump the ci group dependencies #761 #762 #766 #773
- build(deps): bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 #764
- Update source-controller to v1.1.1 #775
Release date: 2023-08-23
This prerelease introduces a --interval-jitter-percentage flag to the
controller to distribute the load more evenly when multiple objects are set up
with the same interval. The default of this flag is set to 5, which means
that the interval will be jittered by a +/- 5% random value (e.g. if the
interval is 10 minutes, the actual reconciliation interval will be between 9.5
and 10.5 minutes).
In addition, the controller now stops exporting an object's metrics as soon as it has been deleted.
Lastly, dependencies have been updated, such as an update of Helm to v3.12.3
and Kubernetes related dependencies to v0.27.4.
Improvements:
- Update dependencies #748
- controller: jitter requeue interval #751
- Delete stale metrics on delete #753
- Update Helm to v3.12.3 #754
- Update Source API to v1.1.0 #758
Fixes:
- chore: fix typo reconciliation #736
Release date: 2023-07-04
This prerelease adds support for configuring the deletion propagation policy to
use when a Helm uninstall is performed using .spec.uninstall.deletionPropagation,
which was added as a feature to Helm in v3.12.0.
Supported values are background, foreground and orphan (defaults to
background). See the Helm documentation
In addition, it offers support for Kubernetes v1.27.3 and includes updates to
the controller's dependencies, such as an upgrade of Helm to v3.12.1.
Starting with this version, the build, release and provenance portions of the Flux project supply chain provisionally meet SLSA Build Level 3.
Improvements:
- Set deletion propagation for helm uninstall #698
- Align go.mod version with Kubernetes (Go 1.20) #715
- Update Go dependencies #726
- Update source-controller to v1.0.0 #729
Release date: 2023-06-22
This prerelease fixes a regression bug for long-running reconciliations introduced in v0.34.0.
In addition, the controller release workflow was enhanced with SLSA level 3 generators. Starting with this version, provenance attestations are generated for the controller release assets and for the multi-arch container images.
Fixes:
- Fix HelmRelease reconciliation loop #703
Improvements:
- Add SLSA3 generators to release workflow #705
Release date: 2023-06-01
This prerelease comes with a bug fix for the event metadata revision, which was not included when a token was already present.
In addition, the source-controller dependency has been updated to v1.0.0-rc.5.
Fixes:
- Include revision and token in event metadata #695
Improvements:
- Update source-controller to v1.0.0-rc.5 #696
Release date: 2023-05-29
This prerelease comes with support for Helm 3.12.0 and Kustomize v5.0.3.
In addition, the controller dependencies have been updated to Kubernetes v1.27.2 and controller-runtime v0.15.0.
Lastly, the logic to forward events to notification-controller has been modified
to use .status.lastAttemptedValuesChecksum as an event metadata token to
prevent incorrect rate limiting.
Improvements:
- Update Kubernetes, controller-runtime and Helm #690
- Remove the tini supervisor, and other nits #691
- Use last attempted values checksum as event metadata token #692
- Update source-controller to v1.0.0-rc.4 #693
Release date: 2023-05-12
This prerelease comes with a change to the calculation of the release values checksum. Previously, the checksum was calculated based on the values as provided by the user, which could lead to an upgrade when the values changed order, but not content. This has been changed to calculate the checksum based on the values after stable sorting them by key. This means that the checksum will only change when the values actually change.
In addition, the dependencies have been updated including a mitigation for CVE-2023-2253, and the controller base image has been updated to Alpine 3.18.
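An added Go illustration of the values checksum change described above, not the controller's implementation: a checksum over values in the order the user wrote them changes when keys are merely reordered, while a checksum taken after stable sorting by key changes only with content. The KV and Ordered types, the serialization and the use of SHA-256 are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// KV and Ordered are hypothetical types for this example: a values document
// that remembers the order in which the user wrote its keys.
type KV struct {
	Key   string
	Value any
}
type Ordered []KV

// encode serializes v exactly in the order it is given.
func encode(v any) string {
	switch t := v.(type) {
	case Ordered:
		s := "{"
		for _, kv := range t {
			s += fmt.Sprintf("%q:%s,", kv.Key, encode(kv.Value))
		}
		return s + "}"
	case []any:
		s := "["
		for _, e := range t {
			s += encode(e) + ","
		}
		return s + "]"
	default:
		return fmt.Sprintf("%T(%q)", t, fmt.Sprint(t))
	}
}

// SortByKey returns a copy of v with every mapping level stably sorted by
// key. List element order is kept, because it is part of the content.
func SortByKey(v any) any {
	switch t := v.(type) {
	case Ordered:
		out := make(Ordered, len(t))
		for i, kv := range t {
			out[i] = KV{kv.Key, SortByKey(kv.Value)}
		}
		sort.SliceStable(out, func(i, j int) bool { return out[i].Key < out[j].Key })
		return out
	case []any:
		out := make([]any, len(t))
		for i, e := range t {
			out[i] = SortByKey(e)
		}
		return out
	default:
		return v
	}
}

func checksum(v any) string {
	sum := sha256.Sum256([]byte(encode(v)))
	return hex.EncodeToString(sum[:])
}

// NaiveChecksum hashes the values as provided by the user.
func NaiveChecksum(v Ordered) string { return checksum(v) }

// StableChecksum hashes the values after sorting every level by key.
func StableChecksum(v Ordered) string { return checksum(SortByKey(v)) }

// Constructed sample: the same values written in two different key orders.
func asWritten() Ordered {
	return Ordered{
		{"replicaCount", 2},
		{"image", Ordered{{"repository", "ghcr.io/example/app"}, {"tag", "1.2.3"}}},
		{"args", []any{"--a", "--b"}},
	}
}

func reordered() Ordered {
	return Ordered{
		{"args", []any{"--a", "--b"}},
		{"image", Ordered{{"tag", "1.2.3"}, {"repository", "ghcr.io/example/app"}}},
		{"replicaCount", 2},
	}
}

func main() {
	a, b := asWritten(), reordered()
	fmt.Println("naive checksums equal: ", NaiveChecksum(a) == NaiveChecksum(b))
	fmt.Println("stable checksums equal:", StableChecksum(a) == StableChecksum(b))
}
```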
Improvements:
- Stable sort release values by key #684
- Update Alpine to 3.18 #685
- build(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible #686
- Update dependencies #687
Release date: 2023-04-13
This prerelease comes with a bug fix for a nil pointer deref that could occur when drift detection was enabled.
In addition, it updates Helm to v3.11.3, which includes two fixes for Go
routine leaks.
Fixes:
Release date: 2023-04-03
This prerelease comes with a bug fix in HelmRelease related to the
.spec.chart.metadata field which wasn't truly optional, leading to empty value
assignment even when it wasn't set.
Fixes:
- Fix chart metadata by making it truly optional #665
Release date: 2023-03-31
This prerelease comes with a number of new features and improvements, and solves a long-standing issue with the patching of the HelmRelease status.
The HelmRelease now supports the definition of a set of labels and annotations
using .spec.chart.metadata.labels and .spec.chart.metadata.annotations,
which will be applied to the HelmChart created by the controller.
The controller can now be configured with --watch-label-selector, after
which only HelmRelease objects with this label will be reconciled by the
controller.
This allows for horizontal scaling, where the controller can be deployed multiple times with a unique label selector which is used as the sharding key.
Note that if you want to ensure a HelmChart gets created for a specific
source-controller instance, you have to provide the labels for this controller
in .spec.chart.metadata.labels of the HelmRelease.
In addition, the source referenced (i.e. HelmRepository) in the HelmChart must be available to this same controller instance.
The HelmRelease now supports opting out of the persistent Kubernetes client
introduced in v0.31.0 by defining .spec.persistentClient: false (default
true).
This can be useful when a HelmRelease is used to manage a Helm chart that itself manages Custom Resource Definitions outside the Helm chart's CRD lifecycle (like OPA Gatekeeper), as the persistent client will not observe the creation of these resources.
Disabling this increases memory consumption, and should only be used when necessary.
The controller will now verify the Digest of the Artifact as advertised by
the HelmChart, introduced in source-controller v0.35.0.
Due to this, the controller will now require source-controller v0.35.0 or
higher (and ships with v1.0.0-rc.1 by default, which includes v1 of the
Artifact API).
Improvements:
- Manage labels and annotations for a HelmChart #631
- Verify Digest of Artifact #651
- Move controllers to internal/controllers #653
- Update dependencies #654
- Add reconciler sharding capability based on label selector #658
- Add PersistentClient flag to allow control over Kubernetes client behavior #659
- Update source-controller to v1.0.0-rc.1 #661
- config/*: update API versions and file names #662
Fixes:
- Update status patch logic #660
Release date: 2023-03-20
This prerelease extends the drift detection feature introduced in v0.31.0
with support for disabling the correction of drift using the CorrectDrift
feature gate.
When disabled while DetectDrift is enabled (using --feature-gates=DetectDrift=true,CorrectDrift=false),
the controller will only emit events and log messages when drift is detected,
but will not attempt to correct it. This allows transitioning to drift
detection and correction in a controlled manner.
In addition, the controller dependencies have been updated to their latest versions.
Fixes:
- Allow opt-out of drift correction #647
Improvements:
- Update dependencies #649
Release date: 2023-03-10
This prerelease extends the OOM watch feature introduced in v0.31.0 with
support for automatic detection of cgroup v1 paths, and flags to configure
alternative paths using --oom-watch-max-memory-path and
--oom-watch-current-memory-path.
Fixes:
- oomwatch: auto-detect well known cgroup paths #641
Release date: 2023-03-08
This prerelease comes with a number of new features and improvements after a long period of non-substantial changes.
The controller now supports experimental drift detection, which can be enabled
by configuring the Deployment with --feature-gates=DetectDrift=true. This
feature is still in its early stages, and lacks certain UX features. Diff
output is currently available in the controller logs when the --log-level=debug
flag is set.
The feature itself makes use of the same approach as kustomize-controller to detect drift using a dry-run Server Side Apply of the rendered manifests of a release. When drift is detected, the controller will emit an event and trigger a Helm upgrade.
When a specific object from a release causes spurious upgrades, it can be
excluded by annotating or labeling the object with
helm.toolkit.fluxcd.io/driftDetection: disabled. Refer to the drift detection
documentation
for more information.
When a SIGTERM signal is received by the controller, it will now propagate
this to any running Helm action, which will mark the release as failed. This
should prevent the controller from getting stuck in a pending state when
receiving a SIGTERM signal.
The controller can now be configured to detect when it is nearing an OOM kill.
This is enabled by configuring the Deployment with
--feature-gates=OOMWatch=true.
When enabled, the controller will monitor its memory usage as reported by
cgroups, and when it is nearing OOM, attempt to gracefully shutdown. Releases
that are currently being upgraded will be cancelled (resulting in a failed
release as opposed to a pending deadlock), and no new releases will be
started.
This is best combined with a thoughtful configuration of remediation strategies
on the HelmRelease resources, to ensure that the controller can recover from
the failed release.
To control the threshold at which the controller will attempt to shut down, use
the --oom-watch-memory-threshold (default 95) and --oom-watch-interval
(default 500ms) flags.
In a future release, we will add support for unlocking releases that are in a pending state as a different approach to handling OOM situations. But this is waiting for architectural changes to happen first.
We have made a number of improvements to the Kubernetes client used by the controller for Helm actions, which should reduce the memory usage of the controller and the number of API requests it makes when creating or replacing Custom Resource Definitions.
klog is now configured to log using the same logger as the rest of the
controller (providing a consistent log format).
In addition, the controller is now built with Go 1.20, and the dependencies have been updated.
Improvements:
- Enable experimental drift detection #617
- helm: propagate context to install and upgrade #620
- Check if Service Account exists before uninstalling release #623
- runner: configure Helm action cfg log levels #625
- Update dependencies #626 #627 #635
- Add OOM watcher to allow graceful shutdown #628
- kube: unify clients into single RESTClientGetter #630
- Use logger.SetLogger to also configure klog #633
Release date: 2023-02-17
This prerelease adds support for parsing the
RFC-0005
revision format produced by source-controller >=v0.35.0.
In addition, the controller dependencies have been updated to their latest
versions, including a security patch of Helm to v3.11.1.
Improvements:
- Support RFC-0005 revision format #606
- Update dependencies #610
- Update source-controller to v0.35.1 #612
Release date: 2023-02-01
This prerelease comes with an update of Kubernetes dependencies to v1.26, Helm to v3.11.0, and a general update of other dependencies to their latest versions.
Starting with this release, Custom Resource Definitions installed by the
controller as part of a Create or CreateReplace
policy
are now labeled with helm.toolkit.fluxcd.io/name and
helm.toolkit.fluxcd.io/namespace to allow tracking the HelmRelease origin
of the resource. Note that these labels are only added to new and/or changed
resources, existing resources will not be updated.
Improvements:
- build: Enable SBOM and SLSA Provenance #594
- Update dependencies #595
- Patch CRDs with origin labels #596
- Update source-controller to v0.34.0 #597
Release date: 2022-12-22
This prerelease sets the default value for the --graceful-shutdown-timeout to
match the default value we set in the Deployment for
terminationGracePeriodSeconds which is 600s. This should fix handling graceful
shutdown correctly.
Fixes:
- Align graceful-shutdown-timeout with terminationGracePeriodSeconds #584
Release date: 2022-12-20
This prerelease disables the caching of Secret and ConfigMap resources to
improve memory usage. To opt-out from this behaviour, start the controller
with: --feature-gates=CacheSecretsAndConfigMaps=true.
In addition, a new flag --graceful-shutdown-timeout has been added to
control the duration of the graceful shutdown period. The default value is
-1 (disabled), to help prevent releases from being stuck due to the
controller being terminated before the Helm action has completed.
Helm has been updated to v3.10.3, which includes security fixes.
Fixes:
- Assign the value of DisableOpenApiValidation during upgrade #564
- build: Fix cifuzz and improve fuzz tests' reliability #565
- Minor typo in doc #566
- fuzz: Use build script from upstream and fix fuzzers #578
Improvements:
- Disable caching of Secrets and ConfigMaps #513
- Allow overriding ctrl manager graceful shutdown timeout #570 #582
- helm: Update SDK to v3.10.3 #577
- Update source-controller and dependencies #581
Release date: 2022-11-22
This prerelease comes with re-added support for h in the HelmRelease
spec.timeout field, so that users can use hours to set reconciliation
timeouts.
Improvements:
- Allow 'h' in HelmRelease timeout field #559
- Use Flux Event API v1beta1 #557
- Update dependencies #561
Release date: 2022-10-21
This prerelease comes with support for Cosign verification of Helm OCI charts.
Signature verification can be configured by setting HelmRelease.spec.chart.spec.verify with
provider as cosign and a secretRef to a secret containing the public key.
Cosign keyless verification is also supported, please see the
HelmChart API documentation
for more details.
In addition, the controller dependencies have been updated to Kubernetes v1.25.3 and Helm v3.10.1.
Improvements:
- Enable Cosign verification of Helm charts stored as OCI artifacts in container registries #545
- API: allow configuration of h unit for timeouts #549
- Update dependencies #550
Release date: 2022-09-29
This prerelease comes with strict validation rules for API fields which define a
(time) duration. Effectively, this means values without a time unit (e.g. ms,
s, m, h) will now be rejected by the API server. To stimulate sane
configurations, the units ns, us and µs can no longer be configured, nor
can h be set for fields defining a timeout value.
In addition, the controller dependencies have been updated to Kubernetes controller-runtime v0.13.
- .spec.interval new validation pattern is "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
- .spec.timeout new validation pattern is "^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
Improvements:
- api: add custom validation for v1.Duration types #533
- Build with Go 1.19 #537
- Update dependencies #538
Release date: 2022-09-12
This prerelease comes with improvements to fuzzing. In addition, the controller dependencies have been updated to Kubernetes controller-runtime v0.12.
Improvements:
- Align controller logs to Kubernetes structured logging #528
- fuzz: Fix upstream build and optimise execution #529
Release date: 2022-08-29
This prerelease comes with updates to the controller dependencies including Kubernetes v1.25.0, Helm v3.9.4 and Kustomize v4.5.7.
Improvements:
- Update Kubernetes packages to v1.25.0 #524
Release date: 2022-08-19
This prerelease comes with panic recovery, to protect the controller from crashing when reconciliations lead to a crash.
The API now enforces validation on the Spec.ValuesFrom subfields
TargetPath and ValuesKey.
The new image contains updates to patch alpine CVEs.
Improvements:
- Enable RecoverPanic option on reconciler #516
- Add validation to TargetPath and ValuesKey #520
- Update dependencies #521
Release date: 2022-07-13
This prerelease updates dependencies to patch upstream CVEs.
Improvements:
- Fix github.com/emicklei/go-restful (CVE-2022-1996) #507
- Update dependencies #501
- Update gopkg.in/yaml.v3 to v3.0.1 #502
- build: Upgrade to Go 1.18 #505
Release date: 2022-06-07
This prerelease fixes a regression bug introduced in #480
which would cause the impersonation config to pick the incorrect
TargetNamespace for the account name if it was set.
In addition, Kubernetes dependencies have been updated to v0.24.1, and
github.com/containerd/containerd was updated to v1.6.6 to mitigate
CVE-2022-31030.
Fixes:
Improvements:
- Update dependencies #493
Release date: 2022-06-01
This prerelease fixes an issue where the token used for Helm operations would go stale if it was provided using a Bound Service Account Token Volume.
Starting with this version, the controller conforms to the Kubernetes
API Priority and Fairness.
The controller detects if the server-side throttling is enabled and uses the
advertised rate limits. When server-side throttling is enabled, the controller
ignores the --kube-api-qps and --kube-api-burst flags.
Fixes:
- kube: load KubeConfig (token) from FS on every reconcile #480
- Updating API group name to helm.toolkit.fluxcd.io in docs #484
Improvements:
Release date: 2022-05-03
This prerelease introduces support for defining a KubeConfig Secret data key in
the .spec.kubeConfig.SecretRef.key (default: value or value.yaml).
In addition, dependencies have been updated.
Improvements:
Release date: 2022-04-20
This prerelease is equal to v0.20.0, but is tagged at the right
revision.
Release date: 2022-04-19
This prerelease adds support for configuring the exponential back-off retry
using newly introduced flags: --min-retry-delay (default: 750ms) and
--max-retry-delay (default: 15min). Previously the defaults were set to
5ms and 1000s.
In addition, all dependencies have been updated to their latest versions,
including an update of Helm to v3.8.2.
Improvements:
Release date: 2022-04-05
This prerelease adds some breaking changes around the use and handling of kubeconfig files for remote reconciliations. It also updates documentation and progresses other housekeeping tasks.
Breaking changes:
- Use of file-based KubeConfig options is now permanently disabled (e.g. TLSClientConfig.CAFile, TLSClientConfig.KeyFile, TLSClientConfig.CertFile and BearerTokenFile). The driver behind the change was to discourage insecure practices of mounting Kubernetes tokens inside the controller's container file system.
- Use of TLSClientConfig.Insecure in KubeConfig file is disabled by default, but can be enabled at controller level with the flag --insecure-kubeconfig-tls.
- Use of ExecProvider in KubeConfig file is now disabled by default, but can be enabled at controller level with the flag --insecure-kubeconfig-exec.
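A pre-flight check for kubeconfig Secrets against the three breaking changes above, as an added Go example (not the controller's code). It assumes the kubeconfig is supplied in JSON form and maps the standard kubeconfig keys to the option names used above; the type names, function names and sample are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Policy holds the two controller-level opt-ins named in the release notes.
type Policy struct {
	AllowInsecureTLS bool // controller runs with --insecure-kubeconfig-tls
	AllowExec        bool // controller runs with --insecure-kubeconfig-exec
}

// Finding is one kubeconfig setting covered by the breaking changes.
type Finding struct {
	Entry    string // "cluster/<name>" or "user/<name>"
	Key      string // key as written in the kubeconfig
	Option   string // option name used in the release notes
	Disabled bool   // true when the setting is disabled under the Policy
}

// kubeconfig models only the keys this check looks at.
type kubeconfig struct {
	Clusters []struct {
		Name    string `json:"name"`
		Cluster struct {
			CAFile   string `json:"certificate-authority"`
			Insecure bool   `json:"insecure-skip-tls-verify"`
		} `json:"cluster"`
	} `json:"clusters"`
	Users []struct {
		Name string `json:"name"`
		User struct {
			CertFile  string          `json:"client-certificate"`
			KeyFile   string          `json:"client-key"`
			TokenFile string          `json:"tokenFile"`
			Exec      json.RawMessage `json:"exec"`
		} `json:"user"`
	} `json:"users"`
}

// Audit lists every setting in a JSON-encoded kubeconfig that the breaking
// changes cover, and whether it is disabled under policy p.
func Audit(raw []byte, p Policy) ([]Finding, error) {
	var kc kubeconfig
	if err := json.Unmarshal(raw, &kc); err != nil {
		return nil, fmt.Errorf("parsing kubeconfig: %w", err)
	}
	var out []Finding
	add := func(present bool, entry, key, option string, disabled bool) {
		if present {
			out = append(out, Finding{Entry: entry, Key: key, Option: option, Disabled: disabled})
		}
	}
	for _, c := range kc.Clusters {
		entry := "cluster/" + c.Name
		add(c.Cluster.CAFile != "", entry, "certificate-authority", "TLSClientConfig.CAFile", true)
		add(c.Cluster.Insecure, entry, "insecure-skip-tls-verify", "TLSClientConfig.Insecure", !p.AllowInsecureTLS)
	}
	for _, u := range kc.Users {
		entry := "user/" + u.Name
		hasExec := len(u.User.Exec) > 0 && string(u.User.Exec) != "null"
		add(u.User.CertFile != "", entry, "client-certificate", "TLSClientConfig.CertFile", true)
		add(u.User.KeyFile != "", entry, "client-key", "TLSClientConfig.KeyFile", true)
		add(u.User.TokenFile != "", entry, "tokenFile", "BearerTokenFile", true)
		add(hasExec, entry, "exec", "ExecProvider", !p.AllowExec)
	}
	return out, nil
}

// CountDisabled reports how many findings are disabled.
func CountDisabled(fs []Finding) (n int) {
	for _, f := range fs {
		if f.Disabled {
			n++
		}
	}
	return n
}

// SampleKubeconfig is constructed for this example; hosts and paths are not real.
const SampleKubeconfig = `{"clusters": [
  {"name": "staging", "cluster": {"server": "https://staging.example.invalid:6443", "certificate-authority": "/etc/ssl/ca.crt"}},
  {"name": "lab", "cluster": {"server": "https://lab.example.invalid:6443", "insecure-skip-tls-verify": true}}],
 "users": [
  {"name": "deployer", "user": {"tokenFile": "/var/run/secrets/example/token"}},
  {"name": "cloud", "user": {"exec": {"command": "example-credential-helper"}}},
  {"name": "inline", "user": {"client-certificate-data": "Q09OU1RSVUNURUQ=", "client-key-data": "Q09OU1RSVUNURUQ="}}]}`

func main() {
	findings, err := Audit([]byte(SampleKubeconfig), Policy{})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s %-26s -> %-26s disabled=%v\n", f.Entry, f.Key, f.Option, f.Disabled)
	}
}
```

Inline `*-data` fields, as used by the `inline` user in the sample, produce no finding because they do not reference the controller's file system.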
Improvements:
- Update KubeConfig documentation #457
- Update docs links to toolkit.fluxcd.io #456
- Add kubeconfig flags #455
- Align version of dependencies when Fuzzing #452
Release date: 2022-03-25
This prerelease updates the source-controller and Kustomize dependencies to their latest versions.
Improvements:
Release date: 2022-03-23
This prerelease ensures the API objects fully adhere to newly introduced
interfaces, allowing them to work in combination with e.g. the
conditions
package.
In addition, it ensures (Kubernetes) Event annotations are prefixed with the
FQDN of the Helm API Group. For example, revision is now
helm.toolkit.fluxcd.io/revision.
This is to facilitate improvements to the notification-controller, where annotations prefixed with the FQDN of the Group of the Involved Object will be transformed into "fields".
Improvements:
Fixes:
- Prefix revision annotation with API Group FQDN #447
Release date: 2022-03-21
This prerelease adds support to the Helm post renderer for Kustomize patches
capable of targeting objects based on kind, label and annotation selectors
using .spec.postRenderers[].kustomize.patches.
In addition, various dependencies were updated to their latest versions, and
the code base was refactored to align with the fluxcd/pkg/runtime v0.13
release.
The source-controller dependency was updated to version v0.22 which
introduces API v1beta2 and deprecates v1beta1.
Improvements:
- Update pkg/runtime and apis/meta #421
- api: Move Status in CRD printcolumn to the end #425
- Support targeted Patches in the PostRenderer specification #432
- Update dependencies #440 #441
Release date: 2022-03-15
This prerelease comes with an update for github.com/containerd/containerd to
v1.5.10 to please static security analysers and fix any warnings for
CVE-2022-23648.
In addition, it updates Helm from a forked and patched v3.8.0, to the
official v3.8.1 release, and updates minor dependencies.
The Deployment manifest contains a patch to set the
.spec.securityContext.fsGroup, which may be required for some EKS setups
as reported in fluxcd/flux2#2537.
Improvements:
- Update Helm to v3.8.1 #434
- add fsgroup for securityContext #435
- Update containerd to v1.5.10 and tidy go.mod #436
Release date: 2022-02-22
This prerelease ensures the QPS and Burst configuration is properly propagated to the Kubernetes client used by Helm actions, and updates multiple dependencies to pull in CVE fixes.
Improvements:
Release date: 2022-02-16
This prerelease introduces a breaking change to the Helm uninstall behavior, as
the --wait flag is now enabled by default, resulting in Helm waiting for
resources to be deleted while uninstalling a release. Disabling this behavior
is possible by declaring spec.uninstall.disableWait: true in a HelmRelease.
Improvements:
- Add uninstall disableWait flag #416
Release date: 2022-02-01
This prerelease comes with security improvements for multi-tenant clusters:
- Platform admins can enforce impersonation across the cluster using the --default-service-account flag. When the flag is set, all HelmReleases, which don't have spec.serviceAccountName specified, use the service account name provided by --default-service-account=<SA Name> in the namespace of the object.
- Platform admins can disable cross-namespace references with the --no-cross-namespace-refs=true flag. When this flag is set, HelmReleases can only refer to sources (HelmRepositories, GitRepositories and Buckets) in the same namespace as the HelmRelease object, preventing tenants from accessing another tenant's repositories.
In addition, the controller comes with a temporary fork of Helm v3.8.0 with a patch applied from helm/pull/10486 to solve a memory leak.
The controller container images are signed with Cosign and GitHub OIDC, and a Software Bill of Materials in SPDX format has been published on the release page.
Starting with this version, the controller deployment conforms to the Kubernetes restricted pod security standard:
- all Linux capabilities were dropped
- the root filesystem was set to read-only
- the seccomp profile was set to the runtime default
- run as non-root was enabled
- the user and group ID was set to 65534
Breaking changes:
- The use of new seccomp API requires Kubernetes 1.19.
- The controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user ID of 'controller' in their PodSecurityPolicy.
- When both spec.kubeConfig and spec.ServiceAccountName are specified, the controller will impersonate the service account on the target cluster; previously the controller ignored the service account.
Features:
- Allow setting a default service account for impersonation #406
- Allow disabling cross-namespace references #408
Improvements:
- Update Helm to patched 3.8.0 #409
- Publish SBOM and sign release artifacts #401
- Drop capabilities, set userid and enable seccomp #385
- Update development documentation #397
- Refactor Fuzz implementation #396
Fixes:
- Use patch instead of update when adding finalizers #395
- Fix the missing protocol for the first port in manager config #405
- Use go-install-tool for gen-crd-api-reference-docs #392
- Use go install instead of go get in Makefile #391
Release date: 2022-01-10
This prerelease comes with an update to the Kubernetes and controller-runtime dependencies
to align them with the Kubernetes 1.23 release, including an update of Helm to v3.7.2.
In addition, the controller is now built with Go 1.17 and Alpine 3.15.
Improvements:
Fixes:
- Fix inconsistent code-style raised at security audit #386
Release date: 2021-12-09
This prerelease updates the dependency on the source-controller to v0.19.2,
which includes the fixes from source-controller v0.19.1, and changes the
length of the SHA hex added to the SemVer metadata of a HelmChart. Refer to
the source-controller changelog
for more information.
+ character in the label:
metadata.labels: Invalid value: "1.2.3+a4303ff0f6fb560ea032f9981c6bd7c7f146d083.1": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')
Given the Helm chart best practices mention to replace this character with a _,
we encourage you to patch this in your (upstream) chart.
Pseudo example using template functions:
{{- replace "+" "_" .Chart.Version | trunc 63 }}
In addition, the dependency on github.com/opencontainers/runc is updated to
v1.0.3 to please static security analysers and fix any warnings for
CVE-2021-43784.
Improvements:
- Update kustomize packages to Kustomize v4.4.1 #374
- Update dependencies (fix CVE-2021-43784) #376
- Update source-controller to v0.19.2 #377
Fixes:
- docs/spec: Fix reconcile annotation key in example #371
Release date: 2021-11-23
This prerelease updates the dependency on the source-controller to v0.19.0, which
includes breaking behavioral changes, including one beneficial to users making
use of ValuesFiles references. Refer to the changelog
for more information.
In addition, it updates Alpine to v3.14, and several dependencies to their latest
version, solving an issue with rest_client_request_latency_seconds_.* high
cardinality metrics.
Improvements:
- Update Alpine to v3.14 #360
- Update various dependencies to mitigate CVE warnings #361
- Update opencontainers/image-spec to v1.0.2 #362
- Update controller-runtime to v0.10.2 #363
- Update source-controller to v0.19.0 #364
Release date: 2021-11-12
This prerelease comes with artifact integrity verification.
During the acquisition of an artifact, helm-controller computes its checksum using SHA-2
and verifies that it matches the checksum advertised in the Status of the Source.
Improvements:
- Verify artifacts integrity #358
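The checksum check in this entry and the Digest verification in the 2023-03-31 entry both come down to hashing the fetched bytes and comparing them with the advertised value before the artifact is used. The following is an added Go example, not the controller's code; the `<algorithm>:<hex>` digest format, the size cap and all function names are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"io"
	"strings"
)

var (
	// ErrDigestMismatch: the bytes received are not the bytes advertised.
	ErrDigestMismatch = errors.New("artifact digest mismatch")
	// ErrTooLarge: the artifact exceeded the caller's size cap.
	ErrTooLarge = errors.New("artifact exceeds size limit")
)

// newHash maps a digest prefix to its SHA-2 hash. Unknown or weak algorithms
// are refused instead of being skipped.
func newHash(algo string) (hash.Hash, error) {
	switch algo {
	case "sha256":
		return sha256.New(), nil
	case "sha384":
		return sha512.New384(), nil
	case "sha512":
		return sha512.New(), nil
	}
	return nil, fmt.Errorf("unsupported digest algorithm %q", algo)
}

// Digest returns the digest of data formatted as "<algorithm>:<hex>".
func Digest(algo string, data []byte) (string, error) {
	h, err := newHash(algo)
	if err != nil {
		return "", err
	}
	h.Write(data)
	return algo + ":" + hex.EncodeToString(h.Sum(nil)), nil
}

// VerifyArtifact hashes at most maxBytes of the artifact and compares the
// result with the advertised digest. The artifact must not be unpacked or
// loaded unless this returns nil.
func VerifyArtifact(artifact io.Reader, advertised string, maxBytes int64) error {
	algo, wantHex, ok := strings.Cut(advertised, ":")
	if !ok {
		return fmt.Errorf("malformed digest %q, want <algorithm>:<hex>", advertised)
	}
	h, err := newHash(algo)
	if err != nil {
		return err
	}
	want, err := hex.DecodeString(wantHex)
	if err != nil || len(want) != h.Size() {
		return fmt.Errorf("malformed %s digest value", algo)
	}
	// Read one byte past the cap so an oversized artifact is detected.
	n, err := io.Copy(h, io.LimitReader(artifact, maxBytes+1))
	if err != nil {
		return fmt.Errorf("reading artifact: %w", err)
	}
	if n > maxBytes {
		return ErrTooLarge
	}
	if subtle.ConstantTimeCompare(h.Sum(nil), want) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	chart := "constructed chart archive bytes" // constructed sample, not a real chart
	advertised, _ := Digest("sha256", []byte(chart))
	fmt.Println("intact:  ", VerifyArtifact(strings.NewReader(chart), advertised, 1<<20))
	fmt.Println("tampered:", VerifyArtifact(strings.NewReader(chart+"!"), advertised, 1<<20))
}
```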
Release date: 2021-11-11
This prerelease downgrades Helm to v3.6.3 due to high memory usage issues
inherited from upstream dependency changes. For technical details about the
issue, see this comment.
As Helm v3.7.0 did not introduce any new features from the perspective of
the controller, we consider this to be a patch which reverts the unwanted
behavior introduced in v0.12.0.
Fixes:
- Set the managed fields owner to helm-controller #346
- Downgrade Helm to v3.6.3 due to OOM issues #352
- Replace containerd with version that patches CVEs #356
Release date: 2021-10-14
This prerelease updates Helm to v3.7.1, and ensures ReconcileStrategy
changes are applied to the underlying HelmChart of a HelmRelease.
Improvements:
Fixes:
- Update the release if ReconcileStrategy changes #333
Release date: 2021-10-08
This prerelease updates Helm to v3.7.0, this Helm version should include
improvements to the locking mechanism of releases, which should result in
a reduction of deadlocked releases that have been reported in the past.
In addition, it is now possible to define a ReconcileStrategy in the
HelmChartTemplateSpec. By setting the value of this field to Revision,
a new artifact will be made available for charts from Bucket and
GitRepository sources whenever a new revision is available.
The default value of the field is ChartVersion, which looks for version
changes in the Chart.yaml file.
Improvements:
- Update fluxcd/source-controller to v0.16.0 #329
- Introduce ReconcileStrategy in HelmChartTemplateSpec #329
- Update sigs.k8s.io/kustomize/api to v0.10.0 #330
- Update Helm to v3.7.0 #330
Fixes:
- Fix indentation for PostRenderers example #314
Release date: 2021-08-05
This prerelease comes with support for SOPS encrypted kubeconfig loaded from the
value of the value.yaml key in the object, and ensures quoted values are treated
as strings when a targetPath is set for a valuesFrom item.
To enhance the experience of consumers observing the HelmRelease object using
kstatus, a default of -1 is now configured for the observedGeneration to
ensure it does not report a false positive in the time the controller has not
marked the resource with a Ready condition yet.
In addition, it updates Helm to v3.6.3 and aligns the Kubernetes dependencies
with v1.21.3.
Improvements:
- Set default observedGeneration to -1 on HelmReleases #294
- Treat quoted values as string when targetPath is set #298
- Make the kubeconfig secrets compatible with SOPS #305
- Update dependencies #307
Fixes:
- Remove old util ObjectKey #305
Release date: 2021-06-18
This prerelease updates Helm to v3.6.1, this is a security update which has
no impact as transport is handled by the source-controller. For more details
please see the source-controller v0.15.1
changelog.
Improvements:
Release date: 2021-06-09
This prerelease comes with an update to the Kubernetes and controller-runtime
dependencies to align them with the Kubernetes 1.21 release, including an update
of Helm to v3.6.0.
It introduces breaking changes to the Helm behavior as the --wait-for-jobs
flag that was introduced in Helm v3.5.0 is now enabled by default. Disabling
this behavior is possible by declaring spec.<install|upgrade|rollback>.disableWaitForJobs: true
in a HelmRelease.
Improvements:
- Add support for Helm --wait-for-jobs flag #271
- Update dependencies #273
- Add nightly builds workflow and allow RC releases #274
Fixes:
- Fix HelmChartTemplateSpec Doc missing valuesFiles info #266
Release date: 2021-05-10
This prerelease fixes a bug where a "skipCRDs is set to false and crds is set to Skip" error would be thrown if the deprecated skipCRDs
field was omitted, by giving the CRD policy field precedence over the
deprecated one.
Improvements:
- Update source-controller dependencies to v0.12.2 #262
Fixes:
- Give CRD policy precedence over skipCRDs field #261
Release date: 2021-04-21
This prerelease introduces support for defining a CRDsPolicy in the
HelmReleaseSpec, Install and Upgrade objects, while deprecating
the SkipCRDs fields.
Supported policies:
- Skip: Do neither install nor replace (update) any CRDs.
- Create: New CRDs are created, existing CRDs are neither updated nor deleted.
- CreateReplace: New CRDs are created, existing CRDs are updated (replaced) but not deleted.
In case CreateReplace is used as an Upgrade policy, Custom Resource
Definitions are applied by the controller before a Helm upgrade is
performed. On rollbacks, the Custom Resource Definitions are left
untouched and not rolled back.
The ValuesFile field in the HelmChart template has been deprecated
in favour of the new ValuesFiles field.
Features:
Improvements:
Fixes:
- docs: minor createNamespace placement fix #246
Release date: 2021-03-26
This prerelease comes with a breaking change to the leader election ID
from 5b6ca942.fluxcd.io to helm-controller-leader-election
to be more descriptive. This change should not have an impact on most
installations, as the default replica count is 1. If you are running
a setup with multiple replicas, it is however advised to scale down
before upgrading.
To ease debugging wait timeout errors, the last 5 deduplicated log lines
from Helm are now recorded in the status conditions and events of the
HelmRelease.
To track the origin of resources that are created by a Helm operation
performed by the controllers, they are now labeled with
helm.toolkit.fluxcd.io/name and helm.toolkit.fluxcd.io/namespace
using a builtin post render.
The suspended status of resources is now recorded to a
gotk_suspend_status Prometheus gauge metric.
Improvements:
- Capture and expose debug (log) information on release failure #219
- Record suspension metrics #236
- Label release resources with HelmRelease origin #238
- Set leader election deadline to 30s #239
- Update source-controller API to v0.10.0 #240
Release date: 2021-03-15
This prerelease comes with patch updates to Helm and controller-runtime dependencies.
Improvements:
- Update dependencies #232
Release date: 2021-03-05
This prerelease comes with improvements to the notification system. The controller retries with exponential backoff when fetching artifacts, preventing spamming events when source-controller becomes unavailable for a short period of time.
Improvements:
- Retry with exponential backoff when fetching artifacts #216
Fixes:
- fix: log messages contain '%s' #229
Release date: 2021-02-24
This is the eighth MINOR prerelease.
Due to changes in Helm v3.5.2,
charts not versioned using strict semver are no longer compatible with
source-controller (and the embedded HelmChart template in the HelmRelease).
When using charts from Git, make sure that the version
field is set in Chart.yaml.
Improvements:
- Allow the controller to be run locally #216
- Add a release deployment event when reconciling a release #217
- Use MergeMaps from pkg/runtime v0.8.2 #220
- Refactor release workflow #223
- Update dependencies #225
- Use source-controller manifest from GitHub release #226
Release date: 2021-02-12
This is the seventh MINOR prerelease.
Support has been added for Kustomize based post renderer, making it possible
to define images, strategic merge and JSON 6902 patches within the
HelmRelease.
pprof endpoints have been enabled on the metrics server, making it easier to
collect runtime information to, for example, debug performance issues.
Features:
Improvements:
Release date: 2021-01-25
This prerelease adds support for configuring the namespace of the
Helm storage by defining a StorageNamespace in the HelmRelease
resource (defaults to the namespace of the resource).
Release date: 2021-01-22
This is the sixth MINOR prerelease.
Two new argument flags are introduced to support configuring the QPS
(--kube-api-qps) and burst (--kube-api-burst) while communicating
with the Kubernetes API server.
The LocalObjectReference from the Kubernetes core has been replaced
with our own, making Name a required field. The impact of this should
be limited to direct API consumers only, as the field was already
required by controller logic.
Release date: 2021-01-18
This prerelease comes with updates to Kubernetes and Helm dependencies.
The Kubernetes packages were updated to v1.20.2 and Helm to v3.5.0.
Release date: 2021-01-14
This prerelease fixes a regression bug introduced in v0.5.0 that caused
reconciliation request annotations to be ignored in certain scenarios.
Release date: 2021-01-12
This is the fifth MINOR prerelease, upgrading the controller-runtime
dependencies to v0.7.0.
The container image for ARMv7 and ARM64 that used to be published
separately as helm-controller:*-arm64 has been merged with the AMD64
image.
Release date: 2020-12-16
This prerelease increases the terminationGracePeriodSeconds of the
controller Deployment from 10 to 600, to allow release processes
that make use of the default timeout (5m0s) to finish, and upgrades
the source-controller API dependency to v0.5.5.
Release date: 2020-12-10
This prerelease upgrades various dependencies.
- Kubernetes dependency upgrades to v1.19.4
- Helm upgrade to v3.4.2
Release date: 2020-12-04
This prerelease fixes a bug in the merging of values.
Release date: 2020-11-30
This prerelease introduces support for Helm's namespace creation
feature by defining CreateNamespace in the Install configuration
of the HelmRelease. Take note that deleting the HelmRelease does
not remove the created namespace, and managing namespaces outside of
the HelmRelease is advised.
In addition, it includes a fix for a bug that caused the finalizer to never be removed if a release no longer existed in the Helm storage.
Release date: 2020-11-26
This is the fourth MINOR prerelease. It adds support for impersonating a
Service Account during Helm actions by defining a ServiceAccountName
in the HelmRelease, and includes various bug fixes.
Release date: 2020-11-20
This is the third MINOR prerelease. It introduces a breaking change to
the API package; the status condition type has changed to the type
introduced in Kubernetes API machinery v1.19.0.
Release date: 2020-11-18
This prerelease comes with a bugfix for chart divergence detections.
Release date: 2020-11-17
This prerelease comes with improvements to status reporting, and a bugfix for the (temporary) dead lock that would occur on some transient values composition and chart loading errors.
Release date: 2020-10-29
This is the second MINOR prerelease, it comes with a breaking change:
- The histogram metric gotk_reconcile_duration was renamed to gotk_reconcile_duration_seconds
Other notable changes:
- Added support for cross-cluster Helm releases by defining a KubeConfig reference in the HelmReleaseSpec.
- The annotation fluxcd.io/reconcileAt was renamed to reconcile.fluxcd.io/requestedAt, the former will be removed in a next release but is backwards compatible for now.
Release date: 2020-10-16
This prerelease fixes two bugs:
- HelmRelease resources with a spec.valuesFrom reference making use of a targetPath defined as the first item will now compose without failing.
- The chart reconciliation and readiness logic has been rewritten to
better work with no-op chart updates and guarantee readiness state
observation accuracy. This prevents HelmReleases from getting stuck
in a "HelmChart is not ready" state.
Release date: 2020-10-13
This prerelease comes with Prometheus instrumentation for the controller's resources.
For each kind, the controller exposes a gauge metric to track the Ready condition status,
and a histogram with the reconciliation duration in seconds:
- gotk_reconcile_condition{kind, name, namespace, status, type="Ready"}
- gotk_reconcile_duration{kind, name, namespace}
Release date: 2020-10-02
This prerelease fixes a regression bug introduced in v0.1.0
resulting in the spec.targetNamespace not being taken into
account.
Release date: 2020-09-30
This is the first MINOR prerelease, it promotes the
helm.toolkit.fluxcd.io API to v2beta1 and removes support for
v2alpha1.
Going forward, changes to the API will be accompanied by a conversion mechanism. With this release the API becomes more stable, but while in beta phase there are no guarantees about backwards compatibility between beta releases.
A breaking change was introduced to the Status object, as the
LastObservedTime field has been removed in favour of the newly
introduced LastHandledReconcileAt. This field records the value
of the fluxcd.io/reconcileAt annotation, which makes it possible
for e.g. the gotk CLI to observe if the controller has handled
the resource since the manual reconciliation request was made.
Release date: 2020-09-23
This prerelease adds support for Helm charts from Bucket sources,
support for optional ValuesFrom references, and a Helm upgrade from
3.3.3 to 3.3.4.
Release date: 2020-09-22
This prerelease adds support for DependsOn references to namespaces other
than the one the HelmRelease resource resides in, container images for ARMv7 and
ARMv8 published to ghcr.io/fluxcd/helm-controller-arm64, a Helm upgrade
from 3.3.1 to 3.3.3, and a refactor of the Status object.
The latter introduces the following breaking changes to the Status object:
- The Installed, Upgraded, RolledBack, and Uninstalled conditions have been removed, since they did not represent current state, but rather actions taken, which are already recorded by events.
- The ObservedStateReconciled field has been removed, since it solved the problem of remembering past release successes, but not past release failures, after other subsequent failures such as dependency failures, Kubernetes API failures, etc.
- The Tested condition has been renamed to TestSuccess, for forward compatibility with interval based Helm tests.
While introducing the following new Status conditions:
- Remediated which records whether the release is currently in a remediated state. It is used to prevent release retries after remediation failures. We were previously not doing this for rollback failures.
- Released which records whether the current state has been successfully released. This is used to remember the last release attempt status, regardless of any subsequent other failures such as dependency failures, Kubernetes API failures, etc.
Release date: 2020-09-11
This prerelease adds support for defining a ValuesFile in the
HelmChartTemplateSpec to overwrite the default chart values with another
values file, as supported by >=0.0.15 of the source-controller, and a
--watch-all-namespaces flag (defaults to true) to provide the option
to only watch the runtime namespace of the controller for resources.
Release date: 2020-09-04
This prerelease comes with documentation fixes. Container images for linux/amd64 and linux/arm64 are published to GHCR.
Release date: 2020-09-02
This prerelease adds support for Helm charts from GitRepository sources,
improvements for a more graceful failure recovery, and an upgrade of Helm
from v3.0.0 to v3.0.1. It includes several (breaking) changes to the
API.
The spec of the HelmRelease has a multitude of breaking changes:
- spec.chart (which contained the template for the HelmChart template) has moved one level down to spec.chart.spec. This matches the pod template defined in the Kubernetes Deployment kind, and allows for adding e.g. a spec.chart.metadata field in a future iteration to be able to define annotations and/or labels.
- The spec.chart.name field has been renamed to spec.chart.spec.chart, and now accepts a chart name (for charts from HelmRepository sources) or a path (for charts from GitRepository sources), to follow changes made to the HelmChart API.
- The spec.chart.spec.sourceRef.kind is now mandatory, and accepts both HelmRepository and GitRepository values.
The status object has two new fields to help end-users and automation
(tools) with observing state:
- observedStateReconciled represents whether the observed state of the HelmRelease has been successfully reconciled. This field is marked as true on a Ready==True condition, and only reset on generation, values, and/or chart changes.
- lastObservedTime reflects the last time at which the HelmRelease was observed. This can for example be used to observe if the HelmRelease is running on the configured spec.interval and/or reacting to ReconcileAt annotations.
Release date: 2020-08-26
This prerelease adds support for conditional remediation on failed Helm actions, and includes several (breaking) changes to the API:
- The maxRetries value should now be set on the respective install.remediation.retries and upgrade.remediation.retries fields.
- The rollback.enable field has been removed in favour of upgrade.remediateLastFailure.
- Failing Helm tests will now result in a False Ready condition by default; ignoring test failures can be re-enabled by configuring test.ignoreFailures to true.
Release date: 2020-08-20
This prerelease adds support for merging a flat single value from
a ValueReference at the defined TargetPath, and fixes a bug in
the merging of values where overwrites of a map with a flat single
value were not allowed.
Release date: 2020-08-18
This prerelease upgrades the github.com/fluxcd/pkg/* dependencies to
dedicated versioned modules, and makes the api package available as
a dedicated versioned module.
Release date: 2020-08-12
In this prerelease the Helm package was upgraded to v3.3.0.
Release date: 2020-07-31
This prerelease comes with a breaking change, the CRDs group has been
renamed to helm.toolkit.fluxcd.io. The dependency on source-controller
has been updated to v0.0.7 to be able to work with source.toolkit.fluxcd.io
resources.
Release date: 2020-07-22
This beta release fixes a bug affecting helm release status reevaluation.
Release date: 2020-07-21
This beta release fixes a bug affecting helm charts reconciliation.
Release date: 2020-07-21
This beta release comes with various bug fixes and minor improvements.
Release date: 2020-07-20
This beta release drops support for Kubernetes <1.16.
The CRDs have been updated to apiextensions.k8s.io/v1.
Release date: 2020-07-16
This alpha release comes with improvements to alert delivery and logging, and fixes a bug in the lookup of HelmReleases when a HelmChart revision had changed.
Release date: 2020-07-13
This is the first alpha release of helm-controller. The controller is an implementation of the helm.fluxcd.io/v2alpha1 API.