Flux Operator v0.15

[kingdonb]

A new release of the Flux Operator (v0.15.0) - to go with the newly created Flux v2.5.0 release

(And to go with that, a new version of the flux-instance chart.)

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Introduced enhanced operator capabilities by adding new resource types, including ResourceSetInputProvider and ResourceSet.
  • Expanded configuration options for deployments, including settings for artifact pull secrets and customizable synchronization intervals.
  • Added support for multitenancy and role-based access control configurations.

• Documentation

  • Updated version information and badges to reflect the upgrade to version 0.15.0.

[coderabbitai]

Walkthrough

This update increments version fields in the Helm chart metadata for both the Flux Operator and Flux Instance, changing the app and chart versions from 0.13.0 to 0.15.0. The version badges in the corresponding README files have been updated accordingly. New Custom Resource Definitions for ResourceSetInputProvider and ResourceSet have been introduced in the Flux Operator chart. Additionally, the Flux Instance chart has been enhanced with new configuration options—an artifactPullSecret for distribution and a default sync interval set to "1m"—as reflected in its template, JSON schema, and default values.

Changes

File(s)	Change Summary
packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml packages/system/fluxcd/charts/flux-instance/Chart.yaml	Updated appVersion (v0.13.0 → v0.15.0) and version (0.13.0 → 0.15.0).
packages/system/fluxcd-operator/charts/flux-operator/README.md	Revised version badges for Version and AppVersion (0.13.0 → 0.15.0). Added new entries for multitenancy, rbac.create, and rbac.createAggregation.
packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml	Added new CRDs: ResourceSetInputProvider and ResourceSet with additional printer columns.
packages/system/fluxcd/charts/flux-instance/README.md	Updated version badges and documentation to reflect new fields in instance.distribution (artifactPullSecret) and instance.sync (interval set to "1m").
packages/system/fluxcd/charts/flux-instance/templates/instance.yaml packages/system/fluxcd/charts/flux-instance/values.schema.json packages/system/fluxcd/charts/flux-instance/values.yaml	Introduced new configuration options: added artifactPullSecret under distribution and interval under sync in the resource definition, schema, and default values.
packages/system/fluxcd-operator/charts/flux-operator/templates/admin-clusterrole.yaml	Introduced a conditional ClusterRoleBinding resource for the Flux operator.
packages/system/fluxcd-operator/charts/flux-operator/templates/aggregate-clusterrole.yaml	Added conditional creation of two ClusterRole resources for edit and view permissions.
packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml	Added a new command-line argument for the container to specify default service account based on multitenancy.
packages/system/fluxcd-operator/charts/flux-operator/values.schema.json	Added multitenancy and rbac properties to the JSON schema.
packages/system/fluxcd-operator/charts/flux-operator/values.yaml	Introduced new configuration options for multitenancy and rbac.
packages/system/fluxcd/values.yaml	Updated version field under distribution from 2.4.x to 2.5.x.

Possibly related PRs

• Upgrade flux-operator to 0.9.0 #362 – The changes in the main PR and this PR are related as both involve updates to the appVersion and version fields in the Chart.yaml file for the Flux Operator Helm chart, indicating version increments.
• Upgrade Flux operator to 0.10 #387 – The changes in the main PR are related to those in this PR as both involve updates to the appVersion and version fields in the Chart.yaml file for the Flux Operator Helm chart.
• Update fluxcd-operator to 0.13.0 #586 – The changes in the main PR, which update the appVersion and version fields in the Chart.yaml file for the Flux Operator, are related to the changes in this PR that also update the same fields in the Chart.yaml file for the Flux Operator.

Suggested reviewers

• kvaps

Poem

Oh, how I hop with glee,
New versions in the code tree.
A secret here, an interval there,
CRDs added with utmost care.
Version bumps and updates so bright,
A rabbit's cheer in the moonlight!
🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[kingdonb]

This flux-operator release adds the new ResourceSet or rset API

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/system/fluxcd/charts/flux-instance/values.schema.json (1)

134-136: Add pattern validation for interval field

Consider adding a pattern validation for the interval field to ensure valid time duration format (e.g., "1m", "5m", "1h").

 "interval": {
     "type": "string"
+    "pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
 }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 65036e8 and a650b03.

📒 Files selected for processing (8)

• packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml (2 hunks)
• packages/system/fluxcd-operator/charts/flux-operator/README.md (1 hunks)
• packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (2 hunks)
• packages/system/fluxcd/charts/flux-instance/Chart.yaml (2 hunks)
• packages/system/fluxcd/charts/flux-instance/README.md (2 hunks)
• packages/system/fluxcd/charts/flux-instance/templates/instance.yaml (2 hunks)
• packages/system/fluxcd/charts/flux-instance/values.schema.json (2 hunks)
• packages/system/fluxcd/charts/flux-instance/values.yaml (2 hunks)

✅ Files skipped from review due to trivial changes (3)

• packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml
• packages/system/fluxcd/charts/flux-instance/Chart.yaml
• packages/system/fluxcd-operator/charts/flux-operator/README.md

🔇 Additional comments (6)

packages/system/fluxcd/charts/flux-instance/templates/instance.yaml (2)

20-22: LGTM: Artifact pull secret support added

The conditional inclusion of artifactPullSecret is well implemented, allowing for optional authentication when pulling artifacts.

---

43-43: LGTM: Sync interval configuration added

The sync interval field is properly integrated into the sync configuration block.

packages/system/fluxcd/charts/flux-instance/values.yaml (2)

12-12: LGTM: Empty default for artifactPullSecret

Empty string default is appropriate for an optional authentication configuration.

---

41-41: LGTM: Default sync interval of 1m

The 1-minute default interval provides a good balance between responsiveness and resource usage.

packages/system/fluxcd/charts/flux-instance/README.md (1)

3-3: LGTM: Documentation updated for v0.14.0

Version badges and values documentation are properly updated to reflect the new fields and version.

Also applies to: 43-43, 47-47

packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (1)

743-1250: LGTM: Well-structured ResourceSet CRDs

The new ResourceSetInputProvider and ResourceSet CRDs are well-defined with:

• Comprehensive schema validation
• Informative printer columns
• Thorough documentation
• Proper status subresources

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (2)

743-974: New CRD: ResourceSetInputProvider
This entire CRD definition for ResourceSetInputProvider (with short name rsip) is a solid addition. It correctly defines both the desired state (in spec) and the observed state (in status). The use of additional printer columns and detailed nested properties (such as for certSecretRef, defaultValues, filter, secretRef, type, and url) adheres to Kubernetes API conventions. One minor suggestion would be to review the URL pattern and consider if any further validation (or examples in documentation) might be useful for users.

---

975-1251: New CRD: ResourceSet
The CRD for ResourceSet is well structured and consistent with Kubernetes API standards. All key fields—including commonMetadata, dependsOn, inputs, inputsFrom, resources, resourcesTemplate, serviceAccountName, and wait—are clearly defined. The inclusion of a short name (rset) simplifies CLI usage, and the status section (including conditions, inventory, lastAppliedRevision, and lastHandledReconcileAt) provides a comprehensive view of the resource’s state. Consider adding an example or additional documentation regarding the intended use of resourcesTemplate for users who might need guidance on constructing multi-document YAML templates.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e403b31 and 92b5b54.

📒 Files selected for processing (8)

• packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml (2 hunks)
• packages/system/fluxcd-operator/charts/flux-operator/README.md (1 hunks)
• packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (2 hunks)
• packages/system/fluxcd/charts/flux-instance/Chart.yaml (2 hunks)
• packages/system/fluxcd/charts/flux-instance/README.md (2 hunks)
• packages/system/fluxcd/charts/flux-instance/templates/instance.yaml (2 hunks)
• packages/system/fluxcd/charts/flux-instance/values.schema.json (2 hunks)
• packages/system/fluxcd/charts/flux-instance/values.yaml (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (7)

• packages/system/fluxcd/charts/flux-instance/Chart.yaml
• packages/system/fluxcd/charts/flux-instance/values.schema.json
• packages/system/fluxcd/charts/flux-instance/values.yaml
• packages/system/fluxcd/charts/flux-instance/README.md
• packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml
• packages/system/fluxcd/charts/flux-instance/templates/instance.yaml
• packages/system/fluxcd-operator/charts/flux-operator/README.md

🔇 Additional comments (1)

packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (1)

145-150: ArtifactPullSecret Field Addition
A new field artifactPullSecret has been added under the distribution properties. The description clearly states that it specifies the Kubernetes secret for pulling the manifests. Verify whether this field is meant to be optional or if it should also be included in the required list based on your deployment needs.

[themoriarti]

LGTM

[kingdonb]

Let's merge this together with #640 and target Flux Operator 0.15.0, which just released

[kingdonb]

This one should get a new review, because it has added some minor changes to the way that RBAC is defined.

(I don't think there's anything new in here except for some chart parameters that we aren't using, but please feel free to double-check me!)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (5)

packages/system/fluxcd/charts/flux-instance/README.md (1)

43-47: Improve Markdown URL formatting.

Several bare URLs are used within the table descriptions (e.g. in the "Distribution" and "Sync" columns). Converting these into proper Markdown links (e.g., [Documentation](https://fluxcd.control-plane.io/operator/fluxinstance/#distribution-configuration)) will resolve MD034 warnings and enhance readability.

🧰 Tools

🪛 markdownlint-cli2 (0.17.2)

43-43: Bare URL used
null

(MD034, no-bare-urls)

---

44-44: Bare URL used
null

(MD034, no-bare-urls)

---

45-45: Bare URL used
null

(MD034, no-bare-urls)

---

46-46: Bare URL used
null

(MD034, no-bare-urls)

---

47-47: Bare URL used
null

(MD034, no-bare-urls)

packages/system/fluxcd-operator/charts/flux-operator/templates/admin-clusterrole.yaml (1)

1-23: Templating and YAML Lint Consideration in Admin ClusterRoleBinding
The conditional block using {{- if .Values.rbac.create }} cleanly wraps the ClusterRoleBinding resource definition. Note that YAML linters may flag the templating syntax as a syntax error (as reported by YAMLlint), but this is a known false positive when processing Helm charts. Please ensure your linting configuration ignores templating markers.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

---

[warning] 9-9: wrong indentation: expected 2 but found 4

(indentation)

---

[warning] 10-10: wrong indentation: expected 2 but found 4

(indentation)

packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (2)

743-974: New CRD: ResourceSetInputProvider Definition
This new CRD is well structured with clear properties defined in the spec section. The following points are noteworthy:

• Required Fields: The spec requires only type and url, which is appropriate given that other properties (like certSecretRef, defaultValues, filter, and secretRef) are optional.
• Validation and Documentation: The descriptions for each field (e.g., for certSecretRef and filter) are detailed and explain the expected formats. The regex for the URL field ensures proper HTTP/S endpoints.
• Short Names: The inclusion of shortNames: [rsip] will help with CLI usability.

Overall, the CRD adheres to Kubernetes API conventions. You might consider (as a future enhancement) including an example in the documentation to illustrate how the optional fields may be used in practice.

---

975-1251: New CRD: ResourceSet Definition
The new ResourceSet CRD appears to be implemented correctly with an extensive set of properties in both the spec and status sections. Key observations:

• Spec Structure: The fields like commonMetadata, dependsOn, inputs, inputsFrom, resources, resourcesTemplate, serviceAccountName, and wait are defined with appropriate types and detailed descriptions. The use of a Go template string for resourcesTemplate is clearly documented.
• Short Names & Naming Conventions: The shortNames: [rset] is a useful addition for usability. Naming conventions are consistent throughout.
• Status Section: The status block, which includes conditions, inventory, lastAppliedRevision, and lastHandledReconcileAt, is comprehensive and follows common Kubernetes patterns.

A minor suggestion would be to ensure that any complex fields (for instance, the CEL-ready expression in dependsOn.readyExpr) have examples in the external documentation to aid users in understanding the expected input.

packages/system/fluxcd-operator/charts/flux-operator/values.schema.json (1)

172-184: Validate Multitenancy Schema Definition
The schema for multitenancy correctly requires the defaultServiceAccount while defining an optional enabled boolean. Consider adding a default value of false for enabled in the schema to align with the values provided in values.yaml for improved consistency.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 92b5b54 and 403addb.

📒 Files selected for processing (14)

• packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml (2 hunks)
• packages/system/fluxcd-operator/charts/flux-operator/README.md (2 hunks)
• packages/system/fluxcd-operator/charts/flux-operator/templates/admin-clusterrole.yaml (2 hunks)
• packages/system/fluxcd-operator/charts/flux-operator/templates/aggregate-clusterrole.yaml (1 hunks)
• packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (2 hunks)
• packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml (1 hunks)
• packages/system/fluxcd-operator/charts/flux-operator/values.schema.json (2 hunks)
• packages/system/fluxcd-operator/charts/flux-operator/values.yaml (2 hunks)
• packages/system/fluxcd/charts/flux-instance/Chart.yaml (2 hunks)
• packages/system/fluxcd/charts/flux-instance/README.md (2 hunks)
• packages/system/fluxcd/charts/flux-instance/templates/instance.yaml (2 hunks)
• packages/system/fluxcd/charts/flux-instance/values.schema.json (2 hunks)
• packages/system/fluxcd/charts/flux-instance/values.yaml (2 hunks)
• packages/system/fluxcd/values.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (6)

• packages/system/fluxcd/charts/flux-instance/values.yaml
• packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml
• packages/system/fluxcd/charts/flux-instance/Chart.yaml
• packages/system/fluxcd/charts/flux-instance/values.schema.json
• packages/system/fluxcd/charts/flux-instance/templates/instance.yaml
• packages/system/fluxcd-operator/charts/flux-operator/README.md

🧰 Additional context used

🪛 YAMLlint (1.35.1)

packages/system/fluxcd-operator/charts/flux-operator/templates/admin-clusterrole.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/fluxcd-operator/charts/flux-operator/templates/aggregate-clusterrole.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

🪛 markdownlint-cli2 (0.17.2)

packages/system/fluxcd/charts/flux-instance/README.md

43-43: Bare URL used
null

(MD034, no-bare-urls)

---

44-44: Bare URL used
null

(MD034, no-bare-urls)

---

45-45: Bare URL used
null

(MD034, no-bare-urls)

---

46-46: Bare URL used
null

(MD034, no-bare-urls)

---

47-47: Bare URL used
null

(MD034, no-bare-urls)

🔇 Additional comments (9)

packages/system/fluxcd/values.yaml (1)

7-7: Update Flux instance distribution version.

The distribution version has been updated to 2.5.x, which reflects the new Flux release. Please ensure that this update remains consistent with related files (e.g. Chart.yaml) and upstream documentation.

packages/system/fluxcd/charts/flux-instance/README.md (2)

3-3: Version badges updated to 0.15.0.

The badge images now indicate version 0.15.0 for the Flux Operator, ensuring that users see the current release information at a glance.

---

43-47: Enhanced distribution and sync configuration details.

The table row for instance.distribution now includes the new artifactPullSecret field, and the instance.sync entry shows a default "interval": "1m". Please verify that the "version" field in the distribution JSON (currently set to "2.x") is intentionally left different from the 2.5.x value in values.yaml. Ensuring this consistency (or documenting the intentional difference) would help avoid confusion.

🧰 Tools

🪛 markdownlint-cli2 (0.17.2)

43-43: Bare URL used
null

(MD034, no-bare-urls)

---

44-44: Bare URL used
null

(MD034, no-bare-urls)

---

45-45: Bare URL used
null

(MD034, no-bare-urls)

---

46-46: Bare URL used
null

(MD034, no-bare-urls)

---

47-47: Bare URL used
null

(MD034, no-bare-urls)

packages/system/fluxcd-operator/charts/flux-operator/templates/aggregate-clusterrole.yaml (1)

1-57: Conditional Aggregated ClusterRoles Implementation
The introduction of the two ClusterRole resources (for “-edit” and “-view”) under the conditional {{- if .Values.rbac.createAggregation }} is well implemented. The use of the document separator (---) to distinguish the two resources is appropriate. Similar to the previous file, YAML linters might misinterpret the templating syntax; ensure your linter is configured to handle these cases. Overall, the new RBAC aggregation resources appear aligned with the release objectives.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml (1)

53-55: Addition of Multitenancy Argument in Deployment
The new conditional block that appends

{{- if .Values.multitenancy.enabled }}
- --default-service-account={{ .Values.multitenancy.defaultServiceAccount }}
{{- end }}

to the container arguments is clear and properly tied to the multitenancy configuration. This change enhances deployment flexibility by allowing a default service account to be specified when multitenancy is enabled. Please verify that the referenced value in Values.multitenancy.defaultServiceAccount is correctly set in the values.yaml file.

packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (1)

145-149: New Distribution Field: artifactPullSecret Addition
The new artifactPullSecret field under the distribution property is added correctly with a clear description and string type. Ensure that downstream consumers of this CRD support this new field and that it is documented in the chart’s README and values file.

packages/system/fluxcd-operator/charts/flux-operator/values.yaml (2)

6-10: Assess Multitenancy Configuration
The new multitenancy section is clearly documented and includes a helpful reference link to the ResourceSet API RBAC guidelines. Verify that the chosen default service account ("flux-operator") is correct for your deployment scenarios.

---

63-68: Review RBAC Settings
The introduced RBAC section properly defines two key settings: create for cluster-admin privileges and createAggregation for granting access to ResourceSet APIs. Confirm that these RBAC flags match the intended security model and that the chart templates appropriately condition their creation based on these values.

packages/system/fluxcd-operator/charts/flux-operator/values.schema.json (1)

200-210: Review RBAC Schema Properties
The schema segment for rbac is straightforward, specifying boolean types for both create and createAggregation. Ensure that downstream chart templates are prepared to handle cases when these keys are omitted and that the intended default behaviors from values.yaml are maintained.