Flux v2.9.0 is out with a substantial feature set. KSail installs Flux via the flux-operator (FluxInstance CR, pkg/svc/installer/flux/), and its distribution artifact was just pinned to flux-operator-manifests v0.52.0 (Flux 2.8.x) in #5596 to dodge the v0.53.0 / Flux-2.9.0 Receiver CRD restructure (#5595). So KSail is currently a Flux 2.8.x distributor and does not yet surface any 2.9.0 capability.
This roadmap epic tracks (a) safely adopting Flux 2.9.0 as KSail's distribution and (b) enriching KSail with the new Flux 2.9.0 capabilities where they add operator/user value. Several of these features overlap directly with KSail's own in-flight roadmaps, so part of the work is positioning (converge vs complement), not just plumbing.
What's new in Flux 2.9.0 (source: the release blog)
Flux CLI Plugin System — first-class plugins that ship/version independently of the flux CLI, with two official plugins:
mirror — mirrors Helm charts, OCI artifacts, and container images between registries, declaratively.
schema — validates Kubernetes manifests against JSON schemas + CEL rules.
kustomize-controller: Kustomization.spec.ignore SSA field-ignore rules (fine-grained drift control); SOPS Age post-quantum cipher; Workload Identity auth for OpenBao/Vault; SSH-key Git commit signing/verification.
helm-controller: post-render strategies with chart hooks (⚠️ breaking: default nohooks → combined); literal valuesFrom (--set-literal semantics); CEL health checks with empty-kind cross-resource expressions.
source-controller: custom Sigstore trusted root (air-gapped); ArtifactGenerator path-pattern discovery with named captures ({app}/{env}); AWS CodeCommit Workload Identity; SSH commit verification.
Removed APIs (EOL): image.toolkit.fluxcd.io/v1beta2, notification.toolkit.fluxcd.io/v1beta2. ✅ KSail references neither (verified) — no migration needed, but generated scaffolds/templates should be re-confirmed.
Track the Helm combined post-render default (breaking) + literal valuesFrom — ensure KSail's Helm handling/docs track the new default and expose set-literal semantics. Size: S.
Acceptance criteria (epic)
KSail distributes Flux 2.9.0 with all Flux System Test legs green (child Talos implementation #1).
The highest-value 2.9.0 capabilities are surfaced in KSail config/commands/docs via the decomposed children, each shipped under the normal draft-PR + validate discipline.
KSail's supported-Kubernetes matrix and generated scaffolds are confirmed against 2.9.0's compatibility + removed-API set.
What's new in Flux 2.9.0 (source: the release blog)
Receivers; per-resource Receiver filtering; new flux trigger receiver command.
combined; GCR Receivers now require email + audience.
Proposed direction (candidate children — decompose oldest-first)
Receiver-CRD restructure is handled (the operator's bundled eventSources[].kind enum patch must apply to the new CRD shape — that mismatch is exactly what bug(flux): FluxInstance BuildFailed — floating flux-operator-manifests:latest + distribution 2.x breaks Flux bootstrap #5595 / fix(flux): pin flux-operator-manifests distribution artifact (no floating :latest) #5596 worked around). Gate: every --gitops-engine Flux System Test leg green on 2.9.0. Size: M.
mirror & schema Flux plugins (design/ADR). These overlap KSail's native [Repo Assist] [feature]: add local-remote service mirroring (Telepresence/mirrord-style dev bridge) #4521 (local-remote mirroring) and Extend workload validate and workload scan to validate/scan all GitOps layers in-process #5344 (workload validate/scan schema validation). Decide: delegate to / wrap / complement / stay native. Size: M (design-first).
Kustomization.spec.ignore drift control — surface in KSail's reconcile/drift detection so users declare SSA field-ignore rules (ties into workload reconcile). Size: S–M.
flux trigger receiver — surface in KSail's GitOps webhook/notification UX. Size: M.
Acceptance criteria (epic)
mirror/schema vs KSail's native features (child feature/talos-optimizations #2).