Merge pull request #5663 from fluxcd/conform-k8s-1.35

Run conformance tests for Kubernetes 1.35.0

.github/labels.yaml

@@ -44,12 +44,12 @@
   description: Feature request proposals in the RFC format
   color: '#D621C3'
   aliases: ['area/RFC']
-- name: backport:release/v2.4.x
-  description: To be backported to release/v2.4.x
-  color: '#ffd700'
 - name: backport:release/v2.5.x
   description: To be backported to release/v2.5.x
   color: '#ffd700'
 - name: backport:release/v2.6.x
   description: To be backported to release/v2.6.x
   color: '#ffd700'
+- name: backport:release/v2.7.x
+  description: To be backported to release/v2.7.x
+  color: '#ffd700'

.github/workflows/backport.yaml

@@ -10,4 +10,4 @@ jobs:
       pull-requests: write # for creating pull requests against release branches.
     uses: fluxcd/gha-workflows/.github/workflows/backport.yaml@v0.4.0
     secrets:
-      github-token: ${{ secrets.GITHUB_TOKEN }}
+      github-token: ${{ secrets.BOT_GITHUB_TOKEN }}

.github/workflows/conformance.yaml

@@ -19,7 +19,7 @@ jobs:
       matrix:
         # Keep this list up-to-date with https://endoflife.date/kubernetes
         # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
-        KUBERNETES_VERSION: [1.32.1, 1.33.0, 1.34.1]
+        KUBERNETES_VERSION: [1.33.0, 1.34.1, 1.35.0]
       fail-fast: false
     steps:
       - name: Checkout

.github/workflows/release.yaml

@@ -13,7 +13,9 @@ jobs:
       hashes: ${{ steps.slsa.outputs.hashes }}
       image_url: ${{ steps.slsa.outputs.image_url }}
       image_digest: ${{ steps.slsa.outputs.image_digest }}
-    runs-on: ubuntu-latest
+    runs-on:
+      group: "Default Larger Runners"
+      labels: ubuntu-latest-16-cores
     permissions:
       contents: write # needed to write releases
       id-token: write # needed for keyless signing

CONTRIBUTING.md

@@ -49,7 +49,8 @@ you might want to take a look at the [introductory talk and demo](https://www.yo
 This project is composed of:
 
 - [flux2](https://github.com/fluxcd/flux2): The Flux CLI
-- [source-manager](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git and Helm repositories, S3-compatible Buckets)
+- [source-controller](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git, OCI and Helm repositories, S3-compatible Buckets)
+- [source-watcher](https://github.com/fluxcd/source-watcher): Kubernetes operator for advanced source composition and decomposition patterns
 - [kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
 - [helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for building GitOps pipelines with Helm
 - [notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events
@@ -67,10 +68,9 @@ for source changes.
 
 Prerequisites:
 
-* go >= 1.24
+* go >= 1.25
 * kubectl >= 1.30
 * kustomize >= 5.0
-* coreutils (on Mac OS)
 
 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
 

README.md

@@ -52,12 +52,14 @@ guides](https://fluxcd.io/flux/gitops-toolkit/source-watcher/).
 
 ### Components
 
-- [Source Controller](https://fluxcd.io/flux/components/source/)
+- [Source Controllers](https://fluxcd.io/flux/components/source/)
     - [GitRepository CRD](https://fluxcd.io/flux/components/source/gitrepositories/)
     - [OCIRepository CRD](https://fluxcd.io/flux/components/source/ocirepositories/)
     - [HelmRepository CRD](https://fluxcd.io/flux/components/source/helmrepositories/)
     - [HelmChart CRD](https://fluxcd.io/flux/components/source/helmcharts/)
     - [Bucket CRD](https://fluxcd.io/flux/components/source/buckets/)
+    - [ExternalArtifact CRD](https://fluxcd.io/flux/components/source/externalartifacts/)
+    - [ArtifactGenerator CRD](https://fluxcd.io/flux/components/source/artifactgenerators/)
 - [Kustomize Controller](https://fluxcd.io/flux/components/kustomize/)
     - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomizations/)
 - [Helm Controller](https://fluxcd.io/flux/components/helm/)

action/action.yml

@@ -77,8 +77,36 @@ runs:
 
           FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"
 
-          curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
-          curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
+          MAX_RETRIES=5
+          RETRY_DELAY=5
+          
+          for i in $(seq 1 $MAX_RETRIES); do
+            echo "Downloading flux binary (attempt $i/$MAX_RETRIES)"
+            if curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"; then
+              break
+            fi
+            if [ $i -lt $MAX_RETRIES ]; then
+              echo "Download failed, retrying in ${RETRY_DELAY} seconds..."
+              sleep $RETRY_DELAY
+            else
+              echo "Failed to download flux binary after $MAX_RETRIES attempts"
+              exit 1
+            fi
+          done
+          
+          for i in $(seq 1 $MAX_RETRIES); do
+            echo "Downloading checksums file (attempt $i/$MAX_RETRIES)"
+            if curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"; then
+              break
+            fi
+            if [ $i -lt $MAX_RETRIES ]; then
+              echo "Download failed, retrying in ${RETRY_DELAY} seconds..."
+              sleep $RETRY_DELAY
+            else
+              echo "Failed to download checksums file after $MAX_RETRIES attempts"
+              exit 1
+            fi
+          done
         
           echo "Verifying checksum"
           sum=""

cmd/flux/create_helmrelease.go

@@ -182,6 +182,10 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("chart or chart-ref is required")
 	}
 
+	if helmReleaseArgs.chart != "" && helmReleaseArgs.chartRef != "" {
+		return fmt.Errorf("cannot use --chart in combination with --chart-ref")
+	}
+
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err

cmd/flux/create_helmrelease_test.go

@@ -42,6 +42,11 @@ func TestCreateHelmRelease(t *testing.T) {
 			args:   "create helmrelease podinfo --export",
 			assert: assertError("chart or chart-ref is required"),
 		},
+		{
+			name:   "chart and chartRef used in combination",
+			args:   "create helmrelease podinfo --chart podinfo --chart-ref foobar/podinfo --export",
+			assert: assertError("cannot use --chart in combination with --chart-ref"),
+		},
 		{
 			name:   "unknown source kind",
 			args:   "create helmrelease podinfo --source foobar/podinfo --chart podinfo --export",

cmd/flux/export_source_external.go

@@ -0,0 +1,84 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+)
+
+var exportSourceExternalCmd = &cobra.Command{
+	Use:   "external [name]",
+	Short: "Export ExternalArtifact sources in YAML format",
+	Long:  "The export source external command exports one or all ExternalArtifact sources in YAML format.",
+	Example: `  # Export all ExternalArtifact sources
+  flux export source external --all > sources.yaml
+
+  # Export a specific ExternalArtifact
+  flux export source external my-artifact > source.yaml`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)),
+	RunE: exportWithSecretCommand{
+		list:   externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+		object: externalArtifactAdapter{&sourcev1.ExternalArtifact{}},
+	}.run,
+}
+
+func init() {
+	exportSourceCmd.AddCommand(exportSourceExternalCmd)
+}
+
+func exportExternalArtifact(source *sourcev1.ExternalArtifact) any {
+	gvk := sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)
+	export := sourcev1.ExternalArtifact{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        source.Name,
+			Namespace:   source.Namespace,
+			Labels:      source.Labels,
+			Annotations: source.Annotations,
+		},
+		Spec: source.Spec,
+	}
+	return export
+}
+
+func getExternalArtifactSecret(source *sourcev1.ExternalArtifact) *types.NamespacedName {
+	// ExternalArtifact does not have a secretRef in its spec, this satisfies the interface
+	return nil
+}
+
+func (ex externalArtifactAdapter) secret() *types.NamespacedName {
+	return getExternalArtifactSecret(ex.ExternalArtifact)
+}
+
+func (ex externalArtifactListAdapter) secretItem(i int) *types.NamespacedName {
+	return getExternalArtifactSecret(&ex.ExternalArtifactList.Items[i])
+}
+
+func (ex externalArtifactAdapter) export() any {
+	return exportExternalArtifact(ex.ExternalArtifact)
+}
+
+func (ex externalArtifactListAdapter) exportItem(i int) any {
+	return exportExternalArtifact(&ex.ExternalArtifactList.Items[i])
+}

cmd/flux/export_test.go

@@ -110,6 +110,12 @@ func TestExport(t *testing.T) {
 			"testdata/export/bucket.yaml",
 			tmpl,
 		},
+		{
+			"source external",
+			"export source external flux-system",
+			"testdata/export/external-artifact.yaml",
+			tmpl,
+		},
 	}
 
 	for _, tt := range cases {

cmd/flux/get_source_all.go

@@ -59,6 +59,10 @@ var getSourceAllCmd = &cobra.Command{
 				apiType: helmChartType,
 				list:    &helmChartListAdapter{&sourcev1.HelmChartList{}},
 			},
+			{
+				apiType: externalArtifactType,
+				list:    &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+			},
 		}
 
 		for _, c := range allSourceCmd {

cmd/flux/get_source_external.go

@@ -0,0 +1,108 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var getSourceExternalCmd = &cobra.Command{
+	Use:   "external",
+	Short: "Get ExternalArtifact source statuses",
+	Long:  `The get sources external command prints the status of the ExternalArtifact sources.`,
+	Example: `  # List all ExternalArtifacts and their status
+  flux get sources external
+
+  # List ExternalArtifacts from all namespaces
+  flux get sources external --all-namespaces`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		get := getCommand{
+			apiType: externalArtifactType,
+			list:    &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+			funcMap: make(typeMap),
+		}
+
+		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
+			o, ok := obj.(*sourcev1.ExternalArtifact)
+			if !ok {
+				return nil, fmt.Errorf("impossible to cast type %#v to ExternalArtifact", obj)
+			}
+
+			sink := &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{
+				Items: []sourcev1.ExternalArtifact{
+					*o,
+				}}}
+			return sink, nil
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if err := get.run(cmd, args); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	getSourceCmd.AddCommand(getSourceExternalCmd)
+}
+
+func (a *externalArtifactListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
+	item := a.Items[i]
+	var revision string
+	if item.Status.Artifact != nil {
+		revision = item.Status.Artifact.Revision
+	}
+	status, msg := statusAndMessage(item.Status.Conditions)
+	revision = utils.TruncateHex(revision)
+	msg = utils.TruncateHex(msg)
+
+	var source string
+	if item.Spec.SourceRef != nil {
+		source = fmt.Sprintf("%s/%s/%s",
+			item.Spec.SourceRef.Kind,
+			item.Spec.SourceRef.Namespace,
+			item.Spec.SourceRef.Name)
+	}
+	return append(nameColumns(&item, includeNamespace, includeKind),
+		revision, source, status, msg)
+}
+
+func (a externalArtifactListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Revision", "Source", "Ready", "Message"}
+	if includeNamespace {
+		headers = append([]string{"Namespace"}, headers...)
+	}
+	return headers
+}
+
+func (a externalArtifactListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/main.go

@@ -180,7 +180,7 @@ func main() {
 
 	// This is required because controller-runtime expects its consumers to
 	// set a logger through log.SetLogger within 30 seconds of the program's
-	// initalization. If not set, the entire debug stack is printed as an
+	// initialization. If not set, the entire debug stack is printed as an
 	// error, see: https://github.com/kubernetes-sigs/controller-runtime/blob/ed8be90/pkg/log/log.go#L59
 	// Since we have our own logging and don't care about controller-runtime's
 	// logger, we configure it's logger to do nothing.
@@ -225,7 +225,9 @@ func configureDefaultNamespace() {
 func readPasswordFromStdin(prompt string) (string, error) {
 	var out string
 	var err error
-	fmt.Fprint(os.Stdout, prompt)
+	if _, err := fmt.Fprint(os.Stdout, prompt); err != nil {
+		return "", fmt.Errorf("failed to write prompt: %w", err)
+	}
 	stdinFD := int(os.Stdin.Fd())
 	if term.IsTerminal(stdinFD) {
 		var inBytes []byte

cmd/flux/source.go

@@ -195,3 +195,37 @@ func (a helmRepositoryListAdapter) asClientList() client.ObjectList {
 func (a helmRepositoryListAdapter) len() int {
 	return len(a.HelmRepositoryList.Items)
 }
+
+// sourcev1.ExternalArtifact
+
+var externalArtifactType = apiType{
+	kind:         sourcev1.ExternalArtifactKind,
+	humanKind:    "source external-artifact",
+	groupVersion: sourcev1.GroupVersion,
+}
+
+type externalArtifactAdapter struct {
+	*sourcev1.ExternalArtifact
+}
+
+func (a externalArtifactAdapter) asClientObject() client.Object {
+	return a.ExternalArtifact
+}
+
+func (a externalArtifactAdapter) deepCopyClientObject() client.Object {
+	return a.ExternalArtifact.DeepCopy()
+}
+
+// sourcev1.ExternalArtifactList
+
+type externalArtifactListAdapter struct {
+	*sourcev1.ExternalArtifactList
+}
+
+func (a externalArtifactListAdapter) asClientList() client.ObjectList {
+	return a.ExternalArtifactList
+}
+
+func (a externalArtifactListAdapter) len() int {
+	return len(a.ExternalArtifactList.Items)
+}

cmd/flux/testdata/export/external-artifact.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: ExternalArtifact
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  sourceRef:
+    apiVersion: source.example.com/v1alpha1
+    kind: GitHubRelease
+    name: flux-system
+    namespace: {{ .fluxns }}

cmd/flux/testdata/export/objects.yaml

@@ -165,3 +165,15 @@ spec:
   endpoint: s3.amazonaws.com
   region: us-east-1
   timeout: 30s
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: ExternalArtifact
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  sourceRef:
+    apiVersion: source.example.com/v1alpha1
+    kind: GitHubRelease
+    name: flux-system
+    namespace: {{ .fluxns }}

internal/build/build.go

@@ -520,30 +520,32 @@ func (b *Builder) do(ctx context.Context, kustomization kustomizev1.Kustomizatio
 		return nil, fmt.Errorf("kustomize build failed: %w", err)
 	}
 
+	if kustomization.Spec.PostBuild == nil {
+		return m, nil
+	}
+
+	data, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&kustomization)
+	if err != nil {
+		return nil, err
+	}
 	for _, res := range m.Resources() {
 		// run variable substitutions
-		if kustomization.Spec.PostBuild != nil {
-			data, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&kustomization)
+		outRes, err := kustomize.SubstituteVariables(ctx,
+			b.client,
+			unstructured.Unstructured{Object: data},
+			res,
+			kustomize.SubstituteWithDryRun(b.dryRun),
+			kustomize.SubstituteWithStrict(b.strictSubst),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("var substitution failed for '%s': %w", res.GetName(), err)
+		}
+
+		if outRes != nil {
+			_, err = m.Replace(res)
 			if err != nil {
 				return nil, err
 			}
-			outRes, err := kustomize.SubstituteVariables(ctx,
-				b.client,
-				unstructured.Unstructured{Object: data},
-				res,
-				kustomize.SubstituteWithDryRun(b.dryRun),
-				kustomize.SubstituteWithStrict(b.strictSubst),
-			)
-			if err != nil {
-				return nil, fmt.Errorf("var substitution failed for '%s': %w", res.GetName(), err)
-			}
-
-			if outRes != nil {
-				_, err = m.Replace(res)
-				if err != nil {
-					return nil, err
-				}
-			}
 		}
 	}