feat: major 2.7.0 fluxcd updates

Signed-off-by: Michael Fornaro <[email protected]>

Author: xunholy

.renovate/customManagers.json5

@@ -7,7 +7,7 @@
       managerFilePatterns: [
         "/(^|/).+\\.env$/",
         "/(^|/).+\\.sh$/",
-        "/(^|/).+\\.ya?ml(?:\\.j2)?$/"
+        "/(^|/).+\\.ya?ml(?:\\.j2)?$/",
       ],
       matchStrings: [
         // # renovate: datasource=github-releases depName=k3s-io/k3s
@@ -23,5 +23,12 @@
       ],
       datasourceTemplate: "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}",
     },
+    {
+      customType: "regex",
+      description: "Process OCI dependencies",
+      managerFilePatterns: ["/\\.yaml(?:\\.j2)?$/"],
+      matchStrings: ["oci://(?<depName>[^:]+):(?<currentValue>\\S+)"],
+      datasourceTemplate: "docker",
+    },
   ],
 }

.renovate/groups.json5

@@ -5,28 +5,34 @@
       description: "Actions Runner Controller Group",
       groupName: "Actions Runner Controller",
       matchDatasources: ["docker"],
-      matchPackageNames: ["/gha-runner-scale-set-controller/", "/gha-runner-scale-set/"],
+      matchPackageNames: [
+        "/gha-runner-scale-set-controller/",
+        "/gha-runner-scale-set/",
+      ],
       group: {
         commitMessageTopic: "{{{groupName}}} group",
       },
+      minimumGroupSize: 2,
     },
     {
       description: ["Talos Group"],
       groupName: "Talos",
       matchPackagePatterns: ["siderolabs/talosctl", "siderolabs/installer"],
       matchDatasources: ["docker"],
       group: {
-        commitMessageTopic: "{{{groupName}}} group"
+        commitMessageTopic: "{{{groupName}}} group",
       },
+      minimumGroupSize: 2,
     },
     {
       description: "Istio Group",
       groupName: "istio",
       matchDatasources: ["helm"],
       matchPackagePatterns: ["gateway", "istio-base", "istio-cni", "istiod"],
       group: {
-        commitMessageTopic: "{{{groupName}}} group"
+        commitMessageTopic: "{{{groupName}}} group",
       },
+      minimumGroupSize: 4,
     },
     {
       description: "Cilium Group",
@@ -41,10 +47,15 @@
       description: "Flux Operator Group",
       groupName: "Flux Operator",
       matchDatasources: ["docker"],
-      matchPackageNames: ["/flux-operator/", "/flux-instance/"],
+      matchPackageNames: [
+        "/flux-operator/",
+        "/flux-instance/",
+        "/flux-operator-manifests/",
+      ],
       group: {
         commitMessageTopic: "{{{groupName}}} group",
       },
+      minimumGroupSize: 3,
     },
     {
       description: "Cert-Manager Group",
@@ -63,6 +74,7 @@
       group: {
         commitMessageTopic: "{{{groupName}}} group",
       },
+      minimumGroupSize: 2,
     },
-  ]
+  ],
 }

.sops.yaml

@@ -26,6 +26,11 @@ creation_rules:
   - path_regex: terraform/.*/*.enc.ya?ml
     pgp: 0635B8D34037A9453003FB7B93CAA682FF4C9014
     mac_only_encrypted: true
+  # AGE encrypted Kubernetes secret files
+  - path_regex: kubernetes/.*/*.enc.age.ya?ml
+    encrypted_regex: ^(data|stringData)$
+    mac_only_encrypted: true
+    age: age19gj66fq5v2veu940ftyj4pkw0w5tgxgddlyqnd00pnjzyndevurqx70g4t
 
 stores:
   yaml:

.taskfiles/bootstrap/Taskfile.yaml

@@ -62,11 +62,13 @@ tasks:
     cmds:
       - kubectl create namespace flux-system --dry-run=client -oyaml | kubectl apply -f -
       - sops --decrypt "{{.ROOT_DIR}}/kubernetes/clusters/{{.CLUSTER_ID}}/secrets/sops-gpg.encrypted.yaml" | kubectl apply -f -
+      - sops --decrypt "{{.ROOT_DIR}}/kubernetes/clusters/{{.CLUSTER_ID}}/secrets/sops-age.encrypted.yaml" | kubectl apply -f -
       - sops --decrypt "{{.ROOT_DIR}}/kubernetes/clusters/{{.CLUSTER_ID}}/secrets/cluster-secrets.enc.yaml" | kubectl apply -f -
       - sops --decrypt "{{.ROOT_DIR}}/kubernetes/clusters/{{.CLUSTER_ID}}/secrets/github-auth.enc.yaml" | kubectl apply -f -
       - kubectl apply -f {{.ROOT_DIR}}/kubernetes/clusters/{{.CLUSTER_ID}}/secrets/cluster-config.yaml
     preconditions:
       - test -f {{.ROOT_DIR}}/kubernetes/clusters/{{.CLUSTER_ID}}/secrets/sops-gpg.encrypted.yaml
+      - test -f {{.ROOT_DIR}}/kubernetes/clusters/{{.CLUSTER_ID}}/secrets/sops-age.encrypted.yaml
       - test -f {{.ROOT_DIR}}/kubernetes/clusters/{{.CLUSTER_ID}}/secrets/github-auth.enc.yaml
       - test -f {{.ROOT_DIR}}/kubernetes/clusters/{{.CLUSTER_ID}}/secrets/cluster-secrets.enc.yaml
       - test -f {{.ROOT_DIR}}/kubernetes/clusters/{{.CLUSTER_ID}}/secrets/cluster-config.yaml

kubernetes/clusters/cluster-0/flux-system/flux-instance/app/values.yaml

@@ -9,6 +9,7 @@ instance:
     - kustomize-controller
     - helm-controller
     - notification-controller
+    - source-watcher
   commonAnnotations:
     fluxcd.controlplane.io/reconcile: "enabled"
     fluxcd.controlplane.io/reconcileEvery: "1h"
@@ -27,6 +28,7 @@ instance:
     path: ./clusters/cluster-0
   kustomize:
     patches:
+      # OPTIONAL: Allow cluster-autoscaler to evict flux controllers if needed
       - patch: |
           apiVersion: apps/v1
           kind: Deployment
@@ -46,6 +48,7 @@ instance:
                         memory: 2Gi
         target:
           kind: Deployment
+      # REQUIRED: Increase concurrency and requeue time for helm-controller
       - patch: |
           - op: add
             path: /spec/template/spec/containers/0/args/-
@@ -59,6 +62,7 @@ instance:
         target:
           kind: Deployment
           name: helm-controller
+      # REQUIRED: Increase concurrency and requeue time for kustomize-controller
       - patch: |
           - op: replace
             path: /spec/template/spec/volumes/0
@@ -78,6 +82,7 @@ instance:
         target:
           kind: Deployment
           name: kustomize-controller
+      # REQUIRED: Increase concurrency and requeue time for source-controller
       - patch: |
           - op: add
             path: /spec/template/spec/containers/0/args/-
@@ -88,6 +93,7 @@ instance:
         target:
           kind: Deployment
           name: source-controller
+      # REQUIRED: KustomizeController SOPS decryption for all Kustomizations
       - patch: |
           apiVersion: kustomize.toolkit.fluxcd.io/v1
           kind: Kustomization
@@ -109,8 +115,33 @@ instance:
         target:
           kind: Kustomization
           name: flux-system
+      # OPTIONAL: Remove CPU limits from all controllers to avoid OOMKills
       - patch: |
           - op: remove
             path: /spec/template/spec/containers/0/resources/limits/cpu
         target:
           kind: Deployment
+      # REQUIRED: Controller-level SOPS decryption
+      - patch: |
+          - op: add
+            path: /spec/template/spec/containers/0/args/-
+            value: --sops-age-secret=sops-age-secret
+        target:
+          kind: Deployment
+          name: kustomize-controller
+      - # REQUIRED: Watch configmaps and secrets attached to HelmReleases and Kustomizations
+      - patch: |
+          - op: add
+            path: /spec/template/spec/containers/0/args/-
+            value: --watch-configs-label-selector=owner!=helm
+        target:
+          kind: Deployment
+          name: (helm-controller|kustomize-controller)
+      # REQUIRED: Cancel health checks on new Kustomizations revisions
+      - patch: |
+          - op: add
+            path: /spec/template/spec/containers/0/args/-
+            value: --feature-gates=CancelHealthCheckOnNewRevision=true
+        target:
+          kind: Deployment
+          name: kustomize-controller

kubernetes/clusters/cluster-0/ks.yaml

@@ -40,3 +40,45 @@ spec:
               name: sops-gpg
       target:
         labelSelector: substitution.flux/enabled=true
+    # Add HelmRelease defaults to all Kustomizations
+    - patch: |-
+        apiVersion: kustomize.toolkit.fluxcd.io/v1
+        kind: Kustomization
+        metadata:
+          name: not-used
+        spec:
+          patches:
+            - patch: |-
+                apiVersion: helm.toolkit.fluxcd.io/v2
+                kind: HelmRelease
+                metadata:
+                  name: not-used
+                spec:
+                  driftDetection:
+                    mode: enabled
+                  install:
+                    crds: CreateReplace
+                    createNamespace: true
+                    replace: true
+                    strategy:
+                      name: RetryOnFailure
+                    timeout: 10m
+                  rollback:
+                    recreate: true
+                    force: true
+                    cleanupOnFail: true
+                  test:
+                    enable: true
+                  upgrade:
+                    cleanupOnFail: true
+                    crds: CreateReplace
+                    remediation:
+                      remediateLastFailure: true
+                      retries: 3
+                      strategy: rollback
+              target:
+                group: helm.toolkit.fluxcd.io
+                kind: HelmRelease
+      target:
+        group: kustomize.toolkit.fluxcd.io
+        kind: Kustomization

kubernetes/clusters/cluster-0/secrets/sops-age.encrypted.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+data:
+    age.agekey: ENC[AES256_GCM,data:T0SIW1jH/L+sBx9x4iBFLtxSuiw5h47LfgHa+qNwXzw85n4RCq0qztEN/HGon7RhDFwkkcJuNTeGim3z4SYeoh3wmdoqwmWLVSyVHaiKvvOOM1cjKXK4wcY7ixy9Qd0bIAZR2fYdGKY+baIBfWiEgajv8a2SpmE6vHfCTVf0N5vl4DXoXKdAQnWrPvqkaur+NhAkLGLpWKMny3BLPnJWlcdRD6YGcfQxyX9JtgpMIvDFuLMVdBL4KM9nWiyjP05ofFIvSa6abzmyP+TIelVUc/eC9T+zBc2loTrnS2de8609H0xSADqKcQFF3KHY3C85Mn3JI3lw8V1RNuF3,iv:Nz7dlXcJi8kR4AfVQAsNvtjB2Gsd7er+e0HvUzxvueI=,tag:dNDKN06P3B89u1f6KGYCyQ==,type:str]
+kind: Secret
+metadata:
+    name: sops-age-secret
+    namespace: flux-system
+    annotations:
+        reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+        reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+type: Opaque
+sops:
+    gcp_kms:
+        - resource_id: projects/raspbernetes/locations/global/keyRings/sops/cryptoKeys/sops-key
+          created_at: "2021-04-14T09:56:06Z"
+          enc: CiQAesqCOZISRRQTtLQ+hwyFXhAxPjfddIigwq/psm2fijO9cY0SSQA2cmGUMUZt4TJGNgqSOPLWe7w0nfFekhINR3Q45P6KEsWlr22cZZf0KygEOufqGOnmuFZyCqlSJmmbAgiqGgx5sUgu9rIwUWw=
+    lastmodified: "2025-09-30T22:16:28Z"
+    mac: ENC[AES256_GCM,data:CFLqmVBffFJ0VcQQj42cVmEScTXVX078oDviNl9CSUbLLuadVZ0jXOot3iVYO3qQwUoSfh7N4S1/EIipgOcwsnADMSbMp59DlCXofkye+n1JDebOUUOd49lrI4a7krNZgk7YTVOXHZXN9IszoQZrYilqIgdmTwogRGWjd6wMdr0=,iv:sySsvWKhbZua1wkhXoy7fIqSloUOayEWmNfsJuFnmZI=,tag:W06zQglZY0ulxy1dyVtVJw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

kubernetes/clusters/cluster-0/secrets/sops-gpg.encrypted.yaml

@@ -10,16 +10,11 @@ metadata:
         reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
 type: Opaque
 sops:
-    kms: []
     gcp_kms:
         - resource_id: projects/raspbernetes/locations/global/keyRings/sops/cryptoKeys/sops-key
           created_at: "2021-04-14T09:56:06Z"
           enc: CiQAesqCOZISRRQTtLQ+hwyFXhAxPjfddIigwq/psm2fijO9cY0SSQA2cmGUMUZt4TJGNgqSOPLWe7w0nfFekhINR3Q45P6KEsWlr22cZZf0KygEOufqGOnmuFZyCqlSJmmbAgiqGgx5sUgu9rIwUWw=
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2025-02-27T03:51:14Z"
-    mac: ENC[AES256_GCM,data:pHoTerdt43LoZ2kmUn3J0Itk/QzM8aBWPGrlGMwbwxE0hq57TK7ZAA1Qg10oK7m3ngKnG5RbVbjBQaja7MiUZ1qPhsy/ce3ls/RwLYAj2OBwSC2kMz3Q1byupwJia5/Zl4DdG6tdHi4Lh2zfrPR5d0Kqn1959t+Hr7yFxaIAY2o=,iv:zu2QBC5FJ/S1fxFiQpmbY+hKs0MmvMibBrzRbmgJmoA=,tag:uQfTfQJYzxMunL35lR3Jxw==,type:str]
-    pgp: []
+    lastmodified: "2025-09-30T22:07:37Z"
+    mac: ENC[AES256_GCM,data:4xtynWTJ0lz22v/+cHwl5P+KydEExa3exgAPjhNhI4qn1RSoGHr8XiUCrBdfcruxtoITb9d5DubUoCNSj0rSpFO3gVZ8BMOF7pckCI1bgwCsi3+MhYTyieAW5x6Qiw0k+DqcMLbYsyqhWFa+rmCHgc5rlTB3apJJS6i0TKxm7Kw=,iv:o5o5BY/dTrdmbTn4/s9taZSvo3KKo55GOGzIQm63438=,tag:Fs4cadWAyC9jJB9S9E3E0A==,type:str]
     encrypted_regex: ^(data|stringData)$
-    version: 3.9.1
+    version: 3.10.2