
feat(flux): enrich KSail with Flux v2.9.0 capabilities (distribution bump + new features) #5606

Description

@devantler

🤖 Generated by the Daily AI Assistant

Problem / opportunity

Flux v2.9.0 is out with a substantial feature set. KSail installs Flux via the flux-operator (FluxInstance CR, pkg/svc/installer/flux/), and its distribution artifact was just pinned to flux-operator-manifests v0.52.0 (Flux 2.8.x) in #5596 to dodge the v0.53.0 / Flux-2.9.0 Receiver CRD restructure (#5595). So KSail is currently a Flux 2.8.x distributor and does not yet surface any 2.9.0 capability.

This roadmap epic tracks (a) safely adopting Flux 2.9.0 as KSail's distribution and (b) enriching KSail with the new Flux 2.9.0 capabilities where they add operator/user value. Several of these features overlap directly with KSail's own in-flight roadmaps, so part of the work is positioning (converge vs complement), not just plumbing.

What's new in Flux 2.9.0 (source: the release blog)

  • Flux CLI Plugin System — first-class plugins that ship/version independently of the flux CLI, with two official plugins:
    • mirror — mirrors Helm charts, OCI artifacts, and container images between registries, declaratively.
    • schema — validates Kubernetes manifests against JSON schemas + CEL rules.
  • kustomize-controller: Kustomization.spec.ignore SSA field-ignore rules (fine-grained drift control); SOPS Age post-quantum cipher; Workload Identity auth for OpenBao/Vault; SSH-key Git commit signing/verification.
  • helm-controller: post-render strategies with chart hooks (⚠️ breaking: the default changes from nohooks to combined); literal valuesFrom (--set-literal semantics); CEL health checks with empty-kind cross-resource expressions.
  • source-controller: custom Sigstore trusted root (air-gapped); ArtifactGenerator path-pattern discovery with named captures ({app}/{env}); AWS CodeCommit Workload Identity; SSH commit verification.
  • notification-controller: OIDC-secured / secret-less generic Receivers; per-resource Receiver filtering; new flux trigger receiver command.
  • Removed APIs (EOL): image.toolkit.fluxcd.io/v1beta2, notification.toolkit.fluxcd.io/v1beta2. ✅ KSail references neither (verified) — no migration needed, but generated scaffolds/templates should be re-confirmed.
  • Kubernetes compatibility: 1.34–1.36 + OpenShift 4.21. (⚠️ confirm against KSail's supported/tested k8s matrix.)
  • Breaking: Helm post-render default → combined; GCR Receivers now require email + audience.

Proposed direction (candidate children — decompose oldest-first)

  1. Bump the Flux distribution to 2.9.0 (foundation). Move the manifests/operator pin v0.52.0 → v0.53.0 (matched pair) once the #5595 Receiver-CRD restructure (bug(flux): FluxInstance BuildFailed — floating flux-operator-manifests:latest + distribution 2.x breaks Flux bootstrap) is handled: the operator's bundled eventSources[].kind enum patch must apply to the new CRD shape, and that mismatch is exactly what #5595 / #5596 (fix(flux): pin flux-operator-manifests distribution artifact, no floating :latest) worked around. Gate: every --gitops-engine Flux System Test leg green on 2.9.0. Size: M.
  2. Position vs the new mirror & schema Flux plugins (design/ADR). These overlap KSail's native #4521 ([Repo Assist] [feature]: add local-remote service mirroring, Telepresence/mirrord-style dev bridge) and #5344 (extend workload validate and workload scan to validate/scan all GitOps layers in-process, i.e. schema validation). Decide: delegate to / wrap / complement / stay native. Size: M (design-first).
  3. Kustomization.spec.ignore drift control — surface in KSail's reconcile/drift detection so users declare SSA field-ignore rules (ties into workload reconcile). Size: S–M.
  4. CEL-based Helm health checks — leverage in KSail's revision-aware reconcile readiness (workload reconcile readiness is revision-unaware → false pass/fail on a freshly pushed artifact #5576) for richer readiness gating. Size: S–M.
  5. OIDC/secret-less Receivers + per-resource filtering + flux trigger receiver — surface in KSail's GitOps webhook/notification UX. Size: M.
  6. SOPS decryption enhancements — Age post-quantum cipher + Workload-Identity OpenBao/Vault backends; relates to KSail cipher tooling (#5443, feat(cipher): rotate SOPS Age recipients, re-seal all encrypted files to a new key set). Size: S–M.
  7. SSH-key Git commit signing/verification — source/kustomize-controller now verify SSH-signed commits; relates to KSail supply-chain verify (#1570, chore(deps): Bump devantler-tech/reusable-workflows/.github/workflows/todos.yaml from 1.23.0 to 1.25.0). Size: S–M.
  8. Track the Helm combined post-render default (breaking) + literal valuesFrom — ensure KSail's Helm handling/docs track the new default and expose set-literal semantics. Size: S.
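For child #1, this is what the matched-pair pin on the FluxInstance looks like, shown as an added example rather than KSail's own pkg/svc/installer/flux/ code: the field names are the flux-operator's FluxInstance API, the v0.52.0/v0.53.0 tags are the ones named in this issue, and the exact tag naming of the manifests OCI artifact is assumed.

```yaml
# Added example, not the KSail installer's generated manifest.
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
  name: flux
  namespace: flux-system
spec:
  distribution:
    # Floating pair (the #5595 failure mode): a semver range for the Flux
    # distribution combined with a floating :latest manifests artifact, so the
    # operator's bundled CRD patches can silently stop matching the CRD shape.
    #   version: "2.x"
    #   artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest"
    #
    # Pinned pair (what #5596 landed): distribution range and manifests artifact
    # move together, so a Flux minor bump is an explicit, reviewable change.
    version: "2.8.x"
    registry: "ghcr.io/fluxcd"
    artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:v0.52.0"
    # Child #1 bumps both lines at once (assumed tag naming):
    #   version: "2.9.x"
    #   artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:v0.53.0"
  components:
    - source-controller
    - kustomize-controller
    - helm-controller
    - notification-controller
```

The gate from child #1 applies unchanged: after flipping the pinned pair, the Flux System Test legs are what prove the operator's eventSources[].kind patch still applies to the restructured Receiver CRD.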

Acceptance criteria (epic)

  • KSail distributes Flux 2.9.0 with all Flux System Test legs green (child #1).
  • A documented positioning decision for mirror/schema vs KSail's native features (child #2).
  • The highest-value 2.9.0 capabilities are surfaced in KSail config/commands/docs via the decomposed children, each shipped under the normal draft-PR + validate discipline.
  • KSail's supported-Kubernetes matrix and generated scaffolds are confirmed against 2.9.0's compatibility + removed-API set.
