Merge pull request #273787 from JnHs/jh-arck8-flux191

prmerger-automator[bot] · web-flow · commit 86d5b9f3e534 · 2024-04-30T19:28:28.000Z
Flux 1.9.1 and related updates
diff --git a/articles/azure-arc/kubernetes/extensions-release.md b/articles/azure-arc/kubernetes/extensions-release.md
@@ -1,6 +1,6 @@
 ---
 title: "Available extensions for Azure Arc-enabled Kubernetes clusters"
-ms.date: 04/25/2024
+ms.date: 04/30/2024
 ms.topic: how-to
 description: "See which extensions are currently available for Azure Arc-enabled Kubernetes clusters and view release notes."
 ---
@@ -121,7 +121,7 @@ The most recent version of the Flux v2 extension and the two previous versions (
 > [!NOTE]
 > When a new version of the `microsoft.flux` extension is released, it may take several days for the new version to become available in all regions.
 
-### 1.8.4 (April 2024)
+### 1.9.1 (April 2024)
 
 Flux version: [Release v2.1.2](https://github.com/fluxcd/flux2/releases/tag/v2.1.2)
 
@@ -134,13 +134,14 @@ Flux version: [Release v2.1.2](https://github.com/fluxcd/flux2/releases/tag/v2.1
 
 Changes made for this version:
 
-- Updated source-controller to v1.2.5
+- The log-level parameters for controllers (including `fluxconfig-agent` and `fluxconfig-controller`) are now customizable. For more information, see [Configurable log-level parameters](tutorial-use-gitops-flux2.md#configurable-log-level-parameters).
+- Helm chart changes to expose new SSH host key algorithm to connect to Azure DevOps. For more information, see [Azure DevOps SSH-RSA deprecation](tutorial-use-gitops-flux2.md#azure-devops-ssh-rsa-deprecation).
 
-### 1.8.3 (March 2024)
+### 1.8.4 (April 2024)
 
 Flux version: [Release v2.1.2](https://github.com/fluxcd/flux2/releases/tag/v2.1.2)
 
-- source-controller: v1.1.2
+- source-controller: v1.2.5
 - kustomize-controller: v1.1.1
 - helm-controller: v0.36.2
 - notification-controller: v1.1.0
@@ -149,9 +150,9 @@ Flux version: [Release v2.1.2](https://github.com/fluxcd/flux2/releases/tag/v2.1
 
 Changes made for this version:
 
-- The log-level parameters for controllers are now customizable. For more information, see [Configurable log-level parameters](tutorial-use-gitops-flux2.md#configurable-log-level-parameters).
+- Updated source-controller to v1.2.5
 
-### 1.8.2 (February 2024)
+### 1.8.3 (March 2024)
 
 Flux version: [Release v2.1.2](https://github.com/fluxcd/flux2/releases/tag/v2.1.2)
 
@@ -164,7 +165,7 @@ Flux version: [Release v2.1.2](https://github.com/fluxcd/flux2/releases/tag/v2.1
 
 Changes made for this version:
 
-- Improve the identity token generation logic to handle token generation failures
+- The log-level parameters for controllers are now customizable. For more information, see [Configurable log-level parameters](tutorial-use-gitops-flux2.md#configurable-log-level-parameters).
 
 ## Dapr extension for Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes
 
diff --git a/articles/azure-arc/kubernetes/gitops-flux2-parameters.md b/articles/azure-arc/kubernetes/gitops-flux2-parameters.md
@@ -1,7 +1,7 @@
 ---
 title: "GitOps (Flux v2) supported parameters"
 description: "Understand the supported parameters for GitOps (Flux v2) in Azure for use in Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters."
-ms.date: 02/08/2024
+ms.date: 04/30/2024
 ms.topic: conceptual
 ---
 
@@ -55,15 +55,20 @@ For more information, see the [Flux documentation on Git repository checkout str
 | ------------- | ------------- | ------------- |
 | `--url` `-u` | `http[s]://server/repo[.git]` | URL of the Git repository source to reconcile with the cluster. |
 
-### Private Git repository with SSH and Flux-created keys
+### Private Git repository with SSH
+
+> [!IMPORTANT]
+> Azure DevOps [announced the deprecation of SSH-RSA](https://aka.ms/ado-ssh-rsa-deprecation) as a supported encryption method for connecting to Azure repositories using SSH. If you use SSH keys to connect to Azure repositories in Flux configurations, we recommend moving to more secure RSA-SHA2-256 or RSA-SHA2-512 keys. For more information, see [Azure DevOps SSH-RSA deprecation](tutorial-use-gitops-flux2.md#azure-devops-ssh-rsa-deprecation).
+
+#### Private Git repository with SSH and Flux-created keys
 
 Add the public key generated by Flux to the user account in your Git service provider.
 
 | Parameter | Format | Notes |
 | ------------- | ------------- | ------------- |
 | `--url` `-u` | `ssh://user@server/repo[.git]` | `git@` should replace `user@` if the public key is associated with the repository instead of the user account. |
 
-### Private Git repository with SSH and user-provided keys
+#### Private Git repository with SSH and user-provided keys
 
 Use your own private key directly or from a file. The key must be in [PEM format](https://aka.ms/PEMformat) and end with a newline (`\n`).
 
@@ -75,7 +80,7 @@ Add the associated public key to the user account in your Git service provider.
 | `--ssh-private-key` | Base64 key in [PEM format](https://aka.ms/PEMformat) | Provide the key directly. |
 | `--ssh-private-key-file` | Full path to local file | Provide the full path to the local file that contains the PEM-format key.
 
-### Private Git host with SSH and user-provided known hosts
+#### Private Git host with SSH and user-provided known hosts
 
 The Flux operator maintains a list of common Git hosts in its `known_hosts` file. Flux uses this information to authenticate the Git repository before establishing the SSH connection. If you're using an uncommon Git repository or your own Git host, you can supply the host key so that Flux can identify your repository.
 
@@ -158,6 +163,9 @@ kubectl create ns flux-config
 kubectl create secret generic -n flux-config my-custom-secret --from-file=identity=./id_rsa --from-file=known_hosts=./known_hosts
 ```
 
+> [!IMPORTANT]
+> Azure DevOps [announced the deprecation of SSH-RSA](https://aka.ms/ado-ssh-rsa-deprecation) as a supported encryption method for connecting to Azure repositories using SSH. If you use SSH keys to connect to Azure repositories in Flux configurations, we recommend moving to more secure RSA-SHA2-256 or RSA-SHA2-512 keys. For more information, see [Azure DevOps SSH-RSA deprecation](tutorial-use-gitops-flux2.md#azure-devops-ssh-rsa-deprecation).
+
 For both cases, when you create the Flux configuration, use `--local-auth-ref my-custom-secret` in place of the other authentication parameters:
 
 ```azurecli
diff --git a/articles/azure-arc/kubernetes/tutorial-use-gitops-flux2.md b/articles/azure-arc/kubernetes/tutorial-use-gitops-flux2.md
@@ -1,7 +1,7 @@
 ---
 title: "Tutorial: Deploy applications using GitOps with Flux v2"
 description: "This tutorial shows how to use GitOps with Flux v2 to manage configuration and application deployment in Azure Arc and AKS clusters."
-ms.date: 03/22/2024
+ms.date: 04/30/2024
 ms.topic: tutorial
 ms.custom: template-tutorial, devx-track-azurecli, references_regions
 ---
@@ -568,7 +568,7 @@ If you don't specify values for `memoryThreshold` and `outOfMemoryWatch`, the de
 
 ## Configurable log-level parameters
 
-By default, the `log-level` for Flux controllers is set to `info`. Starting with [`microsoft.flux` v1.8.3](extensions-release.md#flux-gitops), you can modify these default settings using the `k8s-extension` command as follows:
+By default, the `log-level` for Flux controllers is set to `info`. Starting with `microsoft.flux` v1.8.3, you can modify these default settings using the `k8s-extension` command as follows:
 
 ```azurecli
 --config helm-controller.log-level=<info/error/debug>
@@ -579,14 +579,39 @@ By default, the `log-level` for Flux controllers is set to `info`. Starting with
 --config image-reflector-controller.log-level=<info/error/debug>
 ```
 
-Valid values are `debug`, `info`, or `error`. These values are only configurable for the controllers listed above; they don't apply to the `fluxconfig-agent` and `fluxconfig-controller`.
-
-For instance, to change the `log-level` for the `source-controller` and `kustomize-controller`, use the following command:
+Valid values are `debug`, `info`, or `error`. For instance, to change the `log-level` for the `source-controller` and `kustomize-controller`, use the following command:
 
 ```azurecli
 az k8s-extension update --resource-group <resource-group> --cluster-name <cluster-name> --cluster-type <cluster-type> --name flux --config source-controller.log-level=error kustomize-controller.log-level=error
 ```
 
+Starting with [`microsoft.flux` v1.9.1](extensions-release.md#flux-gitops), `fluxconfig-agent` and `fluxconfig-controller` support `info` and `error` log levels (but not `debug`). These can be modified by using the k8s-extension command as follows:
+
+```azurecli
+--config fluxconfig-agent.log-level=<info/error>
+--config fluxconfig-controller.log-level=<info/error>
+```
+
+For example, the following command changes `log-level` to `error`:
+
+```azurecli
+az k8s-extension update --resource-group <resource-group> --cluster-name <cluster-name> --cluster-type <cluster-type> --name flux --config fluxconfig-agent.log-level=error fluxconfig-controller.log-level=error
+```
+
+### Azure DevOps SSH-RSA deprecation
+
+Azure DevOps [announced the deprecation of SSH-RSA](https://aka.ms/ado-ssh-rsa-deprecation) as a supported encryption method for connecting to Azure repositories using SSH. If you use SSH keys to connect to Azure repositories in Flux configurations, we recommend moving to more secure RSA-SHA2-256 or RSA-SHA2-512 keys.
+
+When reconciling Flux configurations, you might see an error message indicating ssh-rsa is about to be deprecated or is unsupported. If so, update the host key algorithm used to establish SSH connections to Azure DevOps repositories from the Flux `source-controller` and `image-automation-controller` (if enabled) by using the `az k8s-extension update` command. For example:
+
+```azurecli
+az k8s-extension update --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type <cluster-type> --name flux --config source-controller.ssh-host-key-args="--ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256"
+
+az k8s-extension update --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type <cluster-type> --name flux --config image-automation-controller.ssh-host-key-args="--ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256"
+```
+
+For more information on Azure DevOps SSH-RSA deprecation,  see [End of SSH-RSA support for Azure Repos](https://aka.ms/ado-ssh-rsa-deprecation).
+
 ### Workload identity in AKS clusters
 
 Starting with [`microsoft.flux` v1.8.0](extensions-release.md#flux-gitops), you can create Flux configurations in [AKS clusters with workload identity enabled](/azure/aks/workload-identity-deploy-cluster). To do so, modify the flux extension as shown in the following steps.
