2 changes: 1 addition & 1 deletion .mise.toml
Expand Up @@ -14,7 +14,7 @@ TALOSCONFIG = "{{config_root}}/talos/clusterconfig/talosconfig"
"aqua:cloudflare/cloudflared" = "2025.10.0"
"aqua:cue-lang/cue" = "0.14.2"
"aqua:FiloSottile/age" = "1.2.1"
"aqua:fluxcd/flux2" = "2.7.3"
"aqua:fluxcd/flux2" = "2.7.5"
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Flux v2.7.5 release notes upgrade procedure breaking changes

💡 Result:

Summary — what changed (breaking) in Flux v2.7.5 and how to upgrade

Key breaking / EOL items

  • The deprecated toolkit APIs v1beta1 / v2beta1 were removed from the CRDs (source/kustomize/helm/image/notification v1beta1/v2beta1). You must migrate resources to the stable APIs before/when upgrading. [1][2]
  • Signature verification for OCI artifacts in source-controller is not compatible with Cosign v3 (use Cosign v2.6 until v2.8 adds support). [1]
  • (From the v2.7.0 minor release) some previously deprecated flags/features were removed (example: image-reflector-controller autologin flags removed — set ImageRepository.spec.provider instead). Review the v2.7 changelog for other API/flag removals and behavioral changes (Kustomization/HelmRelease readiness, new fields and feature-gates). [2]

Upgrade procedure (short)

  • Read the Flux v2.7 upgrade guide and follow the "Upgrade Procedure for Flux v2.7+" step‑by‑step. [3]
  • Unless you deploy controllers via Flux Operator, run flux migrate on each cluster to migrate CRs to the stable APIs before upgrading the controllers. [1][3]
  • Update the flux CLI first, then upgrade controllers via your install method:
    • bootstrap Git: regenerate manifests with flux bootstrap and push;
    • bootstrap via flux CLI: rerun the same bootstrap command for each cluster;
    • Terraform: update provider and terraform apply;
    • kubectl: apply the latest install.yaml from the releases page. [3]
  • After upgrade, run flux check and verify controller versions and health. [3]

Important links (read before upgrading)

  • GitHub release notes v2.7.5 (includes upgrade note and fixes). [1]
  • Flux v2.7 blog / changelog with breaking changes and feature list. [2]
  • Flux upgrade docs / step-by-step procedure. [3]

Sources
[1] Flux v2.7.5 GitHub release (fluxcd/flux2).
[2] Flux blog — Announcing Flux 2.7 (release/changelog).
[3] Flux documentation — Upgrade procedure / Flux upgrade page.


🌐 Web query:

Flux 2.7 cosign OCI signature verification compatibility

💡 Result:

Short answer: Yes — Flux (including the 2.x source-controller used in Flux 2.7) supports verifying OCI artifact signatures produced by Sigstore cosign. You can verify both key-based and keyless (OIDC/Fulcio) cosign signatures for OCIRepository artifacts and for Helm charts stored as OCI artifacts. Configure spec.verify.provider: cosign and either point to a Secret with .pub keys (secretRef) or omit secretRef and use matchOIDCIdentity for keyless validation. Flux will set SourceVerified on success and refuse to fetch the artifact on verification failure. Examples and config fields are documented in the Flux docs. [1][2][3]

Sources:

  • Flux OCIRepository / verification docs (cosign, secretRef, matchOIDCIdentity). [1]
  • Flux cheatsheet & blog on signing/verifying OCI artifacts and Helm charts with cosign. [2][3]

References:
[1] https://fluxcd.io/flux/components/source/ocirepositories/
[2] https://fluxcd.io/flux/cheatsheets/oci-artifacts/
[3] https://fluxcd.io/blog/2022/10/prove-the-authenticity-of-oci-artifacts/


Do not bump Flux to v2.7.5 without explicit pre-upgrade migration and compatibility checks.

v2.7.5 is NOT a safe patch bump—it removes deprecated CRD APIs (v1beta1/v2beta1 across source/kustomize/helm/image/notification controllers). You must run flux migrate on each cluster to migrate all resources to stable APIs before upgrading controllers. Additionally, source-controller's OCI artifact signature verification is incompatible with Cosign v3; you must either downgrade to Cosign v2.6 or wait for v2.8. Review your current API versions, Cosign version, and follow the Flux v2.7 upgrade guide step-by-step before rollout.

🤖 Prompt for AI Agents
In @.mise.toml at line 17, do not change the "aqua:fluxcd/flux2" entry to "2.7.5" yet; instead revert or hold the version and perform pre-upgrade migration and compatibility checks: run `flux migrate` on each cluster to convert deprecated CRD APIs (v1beta1/v2beta1) before upgrading controllers, verify source-controller OCI signature compatibility with your cosign version (downgrade to cosign v2.6 or wait for flux v2.8 if you use cosign v3), and follow the Flux v2.7 upgrade guide step-by-step to confirm API versions and controller compatibility prior to updating the "aqua:fluxcd/flux2" version.
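A pre-flight check for the migration step the comment above describes, added here as an example and not code from the PR, from the review bot or from the Flux project: it scans a manifest tree for toolkit resources still declaring the removed v1beta1/v2beta1 API versions, using constructed sample manifests. The regex, the directory layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR or from the Flux project.
# Pre-flight check before bumping Flux: list every manifest line that still
# declares a removed toolkit API version (v1beta1/v2beta1 of the source,
# kustomize, helm, image and notification groups named in the review
# comment). Assumes plain YAML with "apiVersion:" at column 0.

DEPRECATED_RE='^apiVersion:[[:space:]]*(source|kustomize|helm|image|notification)\.toolkit\.fluxcd\.io/v[12]beta1[[:space:]]*$'

# Print "path:line:apiVersion" for each deprecated API usage under $1.
list_deprecated_flux_apis() {
  grep -rEn "$DEPRECATED_RE" "$1" 2>/dev/null || true
}

# Return 0 when the tree is clean, 1 when any deprecated API remains
# (a CI job can gate the version bump on this exit status).
check_flux_apis() {
  hits=$(list_deprecated_flux_apis "$1")
  if [ -n "$hits" ]; then
    printf 'Deprecated Flux APIs still in use:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Constructed sample manifests (hypothetical) so the check runs offline:
# one file on the removed APIs, one already on the stable v1 API.
make_sample_tree() {
  tmp=$(mktemp -d)
  cat > "$tmp/old.yaml" <<'EOF'
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
EOF
  cat > "$tmp/new.yaml" <<'EOF'
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
EOF
  printf '%s' "$tmp"
}

# Stand-alone run: build the sample tree, report, and clean up.
tree=$(make_sample_tree)
check_flux_apis "$tree" || echo "run 'flux migrate' before bumping flux2"
rm -rf "$tree"
```

Point the functions at the repository's manifest directory instead of the sample tree to gate a real bump.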

"aqua:getsops/sops" = "3.11.0"
"aqua:go-task/task" = "3.45.5"
"aqua:hashicorp/terraform" = "1.14.0" # Managed by Renovate (matches cattle workflow)
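Review bot: the Critical rating in the inline comment looks overstated for what this hunk changes: it moves `aqua:fluxcd/flux2` from 2.7.3 to 2.7.5, a patch bump within the same minor, and the comment's own analysis chain cites the v2.7 changelog for the API and flag removals it warns about, which a file already pinned to 2.7.3 has been subject to since that minor. The gap worth raising instead is that `.mise.toml` pins only the developer CLI, so this line does not by itself upgrade the controllers in the cluster; the PR should state where the controller manifests are bumped (not in this diff) and record the `flux check` result against the cluster after rollout, as the comment's own upgrade procedure suggests. Minor: `"aqua:hashicorp/terraform"` carries a `# Managed by Renovate` note while `"aqua:fluxcd/flux2"` does not; if this bump is manual, mark it in the same style so readers know which pins Renovate owns.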