feat(github-release): update fluxcd/flux2 to v2.8.5

[roybatty-bot]

This PR contains the following updates:

Package	Type	Update	Change
fluxcd/flux2	Kustomization	minor	v2.7.5 → v2.8.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

fluxcd/flux2 (fluxcd/flux2)

v2.8.5

Compare Source

Highlights

Flux v2.8.5 is a patch release that includes bug fixes and improvements across kustomize-controller, source-controller, and notification-controller. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

• Fix a race condition where a cancelled reconciliation could leave stale data in the cache, causing Kustomizations to get stuck (kustomize-controller)
• Fix Azure Blob prefix option not being passed to the storage client (source-controller)

Improvements:

• Improve error message for encrypted SSH keys without password (source-controller)
• Add optional email and audience fields to the GCR Receiver for tighter verification (notification-controller)
• Add provider manifest example for Azure Event Hub managed identity authentication (notification-controller)

Components changelog

• kustomize-controller v1.8.3
• source-controller v1.8.2
• notification-controller v1.8.3

CLI changelog

• Update toolkit components by @​fluxcdbot in #​5822

Full Changelog: fluxcd/flux2@v2.8.4...v2.8.5

v2.8.4

Compare Source

Highlights

Flux v2.8.4 is a patch release that includes fixes for the Flux CLI. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

• Fix flux build ks and flux diff ks on Windows
• Fix --source flag validation in create kustomization command

CLI changelog

• Update fluxcd/pkg dependencies by @​fluxcdbot in #​5796
• [release/v2.8.x] fix: validate --source flag in create kustomization command by @​fluxcdbot in #​5799

Full Changelog: fluxcd/flux2@v2.8.3...v2.8.4

v2.8.3

Compare Source

Highlights

Flux v2.8.3 is a patch release that fixes a regression in helm-controller. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

• Fix templating errors for charts that include --- in the content, e.g. YAML separators, embedded scripts, CAs inside ConfigMaps (helm-controller)

Components changelog

• helm-controller v1.5.3

CLI changelog

• [release/v2.8.x] Add target branch name to update branch by @​fluxcdbot in #​5774
• Update toolkit components by @​fluxcdbot in #​5779

Full Changelog: fluxcd/flux2@v2.8.2...v2.8.3

v2.8.2

Compare Source

Highlights

Flux v2.8.2 is a patch release that comes with various fixes. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

• Fix enqueuing new reconciliation requests for events on source Flux objects when they are already reconciling the revision present in the watch event (kustomize-controller, helm-controller)
• Fix the Go templates bug of YAML separator --- getting concatenated to apiVersion: by updating to Helm 4.1.3 (helm-controller)
• Fix canceled HelmReleases getting stuck when they don't have a retry strategy configured by introducing a new feature gate DefaultToRetryOnFailure that improves the experience when the CancelHealthCheckOnNewRevision is enabled (helm-controller)
• Fix the auth scope for Azure Container Registry to use the ACR-specific scope (source-controller, image-reflector-controller)
• Fix potential Denial of Service (DoS) during TLS handshakes (CVE-2026-27138) by building all controllers with Go 1.26.1

Components changelog

• source-controller v1.8.1
• kustomize-controller v1.8.2
• notification-controller v1.8.2
• helm-controller v1.5.2
• image-reflector-controller v1.1.1
• image-automation-controller v1.1.1
• source-watcher v2.1.1

CLI changelog

• [release/v2.8.x] build(deps): bump the ci group across 1 directory with 11 updates by @​fluxcdbot in #​5765
• Update fluxcd/pkg dependencies by @​fluxcdbot in #​5767
• Update toolkit components by @​matheuscscp in #​5770
• Update fluxcd/pkg dependencies by @​fluxcdbot in #​5771

Full Changelog: fluxcd/flux2@v2.8.1...v2.8.2

v2.8.1

Compare Source

Highlights

Flux v2.8.1 is a patch release that comes with various fixes. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

• Fix Git commit status events being dropped for Kustomizations (notification-controller)
• Fix health check for StatefulSets when the Pods are Pending/Unschedulable during rollout (helm-controller, kustomize-controller)

Components changelog

• kustomize-controller v1.8.1
• notification-controller v1.8.1
• helm-controller v1.5.1

CLI changelog

• [release/v2.8.x] Remove no longer needed workaround for Flux 2.8 by @​fluxcdbot in #​5735
• Update fluxcd/pkg dependencies by @​fluxcdbot in #​5739
• [release/v2.8.x] Update toolkit components by @​fluxcdbot in #​5741

Full Changelog: fluxcd/flux2@v2.8.0...v2.8.1

v2.8.0

Compare Source

Highlights

Flux v2.8.0 is a feature release. Users are encouraged to upgrade for the best experience.

For a compressive overview of new features and API changes included in this release, please refer to the Announcing Flux 2.8 GA blog post.

Overview of the new features:

• Helm v4 support, including server-side apply and kstatus-based health checking (HelmRelease)
• Readiness evaluation of Helm-managed objects with CEL expressions (HelmRelease)
• Improved observability of Helm releases with inventory tracking in .status.inventory (HelmRelease)
• Reduced the mean time to recovery of Flux-managed applications via CancelHealthCheckOnNewRevision feature gate (Kustomization, HelmRelease)
• Support for commenting on Pull Requests directly from Flux notifications (Provider)
• Custom SSA apply stages for ordering resource application in kustomize-controller (Kustomization)
• Automatic GitHub App installation ID lookup from the repository owner (GitRepository, ImageUpdateAutomation, Provider)
• Support for Cosign v3 for verifying OCI artifacts and container images (OCIRepository)
• ArtifactGenerator support for extracting and modifying Helm charts (ArtifactGenerator)
• Bypass cache when fetching source objects via DirectSourceFetch feature gate (Kustomization, HelmRelease, ArtifactGenerator)

❤️ Big thanks to all the Flux contributors that helped us with this release!

Kubernetes compatibility

This release is compatible with the following Kubernetes versions:

Kubernetes version	Minimum required
v1.33	>= 1.32.0
v1.34	>= 1.34.1
v1.35	>= 1.35.0

[!NOTE]
Note that the Flux project offers support only for the latest three minor versions of Kubernetes.
Backwards compatibility with older versions of Kubernetes and OpenShift is offered by vendors such as
ControlPlane that provide enterprise support for Flux.

OpenShift compatibility

Flux can be installed on Red Hat OpenShift cluster directly from OperatorHub using Flux Operator. The operator allows the configuration of Flux multi-tenancy lockdown, network policies, persistent storage, sharding, vertical scaling and the synchronization of the cluster state from Git repositories, OCI artifacts, and S3-compatible storage.

Upgrade procedure

⚠️ The Flux APIs v1beta2 and v2beta2 (deprecated in 2024) have reached end-of-life and have been removed from the CRDs.

Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from older versions of Flux to v2.8.

Components changelog

• source-controller v1.8.0
• kustomize-controller v1.8.0
• notification-controller v1.8.0
• helm-controller v1.5.0
• image-reflector-controller v1.1.0
• image-automation-controller v1.1.0
• source-watcher v2.1.0

CLI changelog

• ci: Set GITHUB_TOKEN in the release-flux-manifests workflow by @​stefanprodan in #​5547
• Add backport label for Flux 2.7 by @​matheuscscp in #​5550
• build(deps): bump the ci group across 1 directory with 3 updates by @​dependabot[bot] in #​5548
• Fix flux push artifact not working with --provider by @​matheuscscp in #​5551
• Extend flux migrate to work with local files by @​matheuscscp in #​5554
• Improve flux migrate for live cluster migrations by @​stefanprodan in #​5558
• Fix flux migrate -f command to work with comments by @​matheuscscp in #​5560
• Add source-watcher to docs by @​stefanprodan in #​5562
• Fix flux migrate -f not considering kind comments by @​matheuscscp in #​5563
• refactor: convert Kustomization resource into unstructured map only once during variable substitution by @​ramasai1 in #​5566
• Update toolkit components by @​fluxcdbot in #​5568
• Disable AUR publishing by @​stefanprodan in #​5570
• Fix manifest generation for --storage-adv-addr and --events-addr flags by @​stefanprodan in #​5574
• Update dependencies to Kubernetes v1.34.1 and Go 1.25.2 by @​stefanprodan in #​5576
• Update toolkit components by @​fluxcdbot in #​5578
• Restore GitHub PAT for backports by @​matheuscscp in #​5581
• [RFC-0012] Add command flux get source external by @​dgunzy in #​5555
• fix: handle error when writing password prompt to stdout by @​akshatsinha0 in #​5589
• Pin cosign to v2.6.1 by @​matheuscscp in #​5594
• [RFC-0012] Add command flux export source external by @​dgunzy in #​5583
• Fix bootstrap e2e test for image policy by @​matheuscscp in #​5604
• Update toolkit components by @​fluxcdbot in #​5603
• fix: return accepted values for flags when calling Values.Type() by @​jaxels10 in #​5602
• ci: Include source-watcher in the e2e test suite by @​stefanprodan in #​5614
• Add source.extensions.fluxcd.io group to aggregated RBAC roles by @​matheuscscp in #​5627
• Fix panic on reconcile with source of ExternalArtifact kind by @​matheuscscp in #​5630
• Upgrade k8s to 1.34.2, c-r to 0.22.4 and helm to 3.19.2 by @​matheuscscp in #​5633
• diff: report if object is skipped by @​hown3d in #​5625
• Update toolkit components by @​fluxcdbot in #​5639
• Allow option to skip tenant namespace creation by @​anshuishere in #​5597
• Update toolkit components by @​fluxcdbot in #​5648
• fix: #​5654 by checking if both --chart and --chart-ref are set by @​jaxels10 in #​5656
• Added retry logic with delays to the Flux CLI download by @​ivan-munteanu in #​5659
• Run conformance tests for Kubernetes 1.35.0 by @​stefanprodan in #​5663
• fix: normalize path for Windows compatibility by @​sibasispadhi in #​5674
• Introduce support for looking up GH app installation ID by @​matheuscscp in #​5682
• Update dependencies to Kubernetes v1.35.0 by @​stefanprodan in #​5688
• Fix resume command logging success after reconciliation failure by @​Aman-Cool in #​5690
• Add 2.8 to supported versions for flux migrate -f by @​matheuscscp in #​5713
• Introduce workflow for bumping fluxcd/pkg deps by @​matheuscscp in #​5717
• Update fluxcd/pkg dependencies by @​fluxcdbot in #​5719
• Fix event listing ignoring pagination token by @​matheuscscp in #​5721
• Build with Go 1.26 by @​stefanprodan in #​5723
• Update toolkit components by @​fluxcdbot in #​5722
• Update helm-controller to v1.5.0 by @​fluxcdbot in #​5725
• build(deps): bump the ci group across 1 directory with 12 updates by @​dependabot[bot] in #​5720
• Fix bootstrap failure on Windows cross-drive paths by @​veeceey in #​5726
• Dump debug info on e2e tests by @​matheuscscp in #​5729
• Set Kubernetes 1.33 as min supported version by @​matheuscscp in #​5730
• Update conformance tests to min Kubernetes 1.33 by @​stefanprodan in #​5731

New Contributors

• @​ramasai1 made their first contribution in #​5566
• @​akshatsinha0 made their first contribution in #​5589
• @​jaxels10 made their first contribution in #​5602
• @​hown3d made their first contribution in #​5625
• @​anshuishere made their first contribution in #​5597
• @​ivan-munteanu made their first contribution in #​5659
• @​sibasispadhi made their first contribution in #​5674
• @​Aman-Cool made their first contribution in #​5690
• @​veeceey made their first contribution in #​5726

Full Changelog: fluxcd/flux2@v2.7.0...v2.8.0

---

Configuration

📅 Schedule: (in timezone Europe/Madrid)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

KICS version: v2.1.20

Category Results CRITICAL 0 HIGH 52 MEDIUM 91 LOW 146 INFO 21 TRACE 0 TOTAL 310	Metric Values Files scanned 190 Files parsed 190 Files failed to scan 0 Total executed queries 142 Queries failed to execute 0 Execution time 8

[roybatty-bot]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ REPOSITORY	git_diff	yes		no	no	0.26s
✅ REPOSITORY	secretlint	yes		no	no	1.26s
✅ YAML	prettier	1		0	0	0.44s
✅ YAML	yamllint	1		0	0	0.68s

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

Show us your support by starring ⭐ the repository