Update Flux Operator (v0.33.0)

Open kingdonb opened this issue 1 month ago • 7 comments

https://github.com/fluxcd/flux2/discussions/5572

There are some upgrade instructions for Flux 2.7, but I don't think that they apply to Cozystack.

They might be relevant for some users though, depending on how they are using Flux in their clusters. Cozystack only uses HelmReleases AFAIK (and now GitRepository and HelmRelease for external apps), so there is no problem with the Flux 2.7 upgrade, which brings the Image APIs to GA (v1).

That change has no impact on Cozystack because we don't depend on the Flux Image APIs yet.

I haven't tested the upgrade to Flux 2.7, but I will include the bump in the FluxInstance definition since Flux 2.7 has been out for a while already, has had several patch releases, and is probably stable for the next CozyStack release now!

Summary by CodeRabbit

  • New Features

    • Added distribution variant option for FluxInstance (upstream-alpine, enterprise-alpine, enterprise-distroless)
    • Added status fields to improve tracking of force and reconcile annotation handling across resources
  • Chores

    • Bumped Flux Operator and Flux Instance charts to 0.33.0 (appVersion v0.33.0)
    • Upgraded Flux distribution to 2.7.x
    • Added/cleaned up network policy templates and README badges


kingdonb avatar Nov 23 '25 19:11 kingdonb

Walkthrough

Bump Flux Operator and Flux Instance chart versions to 0.33.0 (appVersion v0.33.0), update distribution.version to 2.7.x, extend CRD schemas with distribution.variant and lastHandled* status fields, and add/adjust network-policy Helm template and README badges.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Chart metadata bumps | packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml, packages/system/fluxcd/charts/flux-instance/Chart.yaml | Updated version from 0.30.0 → 0.33.0 and appVersion from v0.30.0 → v0.33.0 |
| Values update | packages/system/fluxcd/values.yaml | flux-instance.distribution.version updated from 2.6.x → 2.7.x |
| CRD schema extensions | packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml | Added FluxInstance.spec.distribution.variant (enum: upstream-alpine, enterprise-alpine, enterprise-distroless) and added lastHandledForceAt / lastHandledReconcileAt status fields to FluxInstance, FluxReport, ResourceSet, and ResourceSetInputProvider |
| Network policy template | packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml, packages/system/fluxcd-operator/patches/networkPolicy.diff | Added/moved Helm template for a conditional CiliumClusterwideNetworkPolicy; removed an extraneous separator line and adjusted template placement/path |
| Documentation updates | packages/system/fluxcd-operator/charts/flux-operator/README.md, packages/system/fluxcd/charts/flux-instance/README.md | Version and AppVersion badges updated to 0.33.0/v0.33.0; flux-instance README text expanded (install/configure/upgrade wording) |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Pay extra attention to CRD schema additions in templates/crds.yaml for alignment with operator code and backward compatibility.
  • Validate the Cilium network policy template conditions and ports in network-policy.yaml.
  • Ensure chart/version consistency across flux-operator, flux-instance, and values.yaml.

Possibly related PRs

  • cozystack/cozystack#1581 — modifies the Flux Operator network-policy template (overlapping file changes).
  • cozystack/cozystack#1482 — updates flux-operator chart metadata and CRD templates (related schema/version edits).
  • cozystack/cozystack#1344 — concurrent CRD schema updates to FluxInstance/FluxReport/ResourceSet (overlapping resource definitions).

Suggested labels

ok-to-test

Suggested reviewers

  • kvaps
  • lllamnyp
  • nbykov0

Poem

🐰 I hopped through charts with tiny feet,
Pushed versions up — a tidy feat.
Variants sprout and timestamps keep pace,
Network rules settled in their place.
A carrot-coded cheer for Flux's new grace! 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: updating Flux Operator from v0.30.0 to v0.33.0 across multiple chart files and related configurations. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5ad953f0bf1f7864001f1c1bb3a4be87edb32e5a and 8e351f18270f47ac2dd63b9c2ef3607e3710afb4.

📒 Files selected for processing (8)
  • packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml (2 hunks)
  • packages/system/fluxcd-operator/charts/flux-operator/README.md (1 hunks)
  • packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (2 hunks)
  • packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml (0 hunks)
  • packages/system/fluxcd-operator/patches/networkPolicy.diff (1 hunks)
  • packages/system/fluxcd/charts/flux-instance/Chart.yaml (2 hunks)
  • packages/system/fluxcd/charts/flux-instance/README.md (1 hunks)
  • packages/system/fluxcd/values.yaml (1 hunks)
💤 Files with no reviewable changes (1)
  • packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
🚧 Files skipped from review as they are similar to previous changes (5)
  • packages/system/fluxcd-operator/charts/flux-operator/README.md
  • packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml
  • packages/system/fluxcd/charts/flux-instance/Chart.yaml
  • packages/system/fluxcd/charts/flux-instance/README.md
  • packages/system/fluxcd/values.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build
🔇 Additional comments (4)
packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (3)

206-214: LGTM. The new variant field in FluxInstance.spec.distribution is properly scoped, constrained to valid enum values, and non-breaking (optional).

Confirm that the enum values (upstream-alpine, enterprise-alpine, enterprise-distroless) align with the Flux Operator v0.33.0 specification. If you have access to the upstream Flux Operator repository, please verify these variant names against the corresponding version's documentation.


595-600: LGTM. The new lastHandledForceAt field in FluxInstance.status follows Flux operator conventions and complements the existing lastHandledReconcileAt field, enabling annotation-driven force reconciliation tracking.


1242-1247: LGTM. The new lastHandledForceAt field in ResourceSetInputProvider.status mirrors the FluxInstance addition and maintains consistency across CRD status schemas.

packages/system/fluxcd-operator/patches/networkPolicy.diff (1)

12-12: Verify that empty nodeSelector is intentional.

The empty nodeSelector: {} means this policy applies to all nodes. Confirm this is the intended scope—if the Flux Operator pods run on specific nodes, you may want to tighten the selector.



coderabbitai[bot] avatar Nov 23 '25 19:11 coderabbitai[bot]

Summary of Changes

Hello @kingdonb, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on upgrading the Flux Operator and Flux Instance Helm charts to version v0.33.0. This update introduces new capabilities to the FluxInstance Custom Resource Definition, allowing for more granular control over Flux distribution variants and enhancing the tracking of reconciliation states. Additionally, minor structural cleanups were applied to the network policy configuration. The author notes that while this update aligns with Flux 2.7, it does not leverage the new Image APIs, which are not currently used by Cozystack.

Highlights

  • Flux Operator Version Bump: The Flux Operator and Flux Instance Helm charts have been updated from v0.30.0 to v0.33.0, reflecting the latest stable release.
  • CRD Enhancements: The FluxInstance Custom Resource Definition (CRD) now includes a variant field to specify Flux distribution flavors (e.g., upstream-alpine, enterprise-alpine, enterprise-distroless) and a lastHandledForceAt field for improved status tracking of force requests.
  • Network Policy Refinement: Minor adjustments were made to the CiliumClusterwideNetworkPolicy definition, including the removal of a redundant YAML separator and a specific fromEntities entry, streamlining the policy configuration.

gemini-code-assist[bot] avatar Nov 23 '25 19:11 gemini-code-assist[bot]

Interesting.

```yaml
ingress:
  - fromEntities:
      - cluster
    toPorts:
      - ports:
          - port: "8080"
            protocol: TCP
          - port: "8081"
            protocol: TCP
```

The robot commented about this.

The actual cluster policy in our template is:

```yaml
{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumClusterwideNetworkPolicy" }}
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: {{ include "flux-operator.fullname" . }}-restrict
spec:
  nodeSelector: {}
  ingressDeny:
    - fromEntities:
        - world
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
            - port: "8081"
              protocol: TCP
  ingress:
    - fromEntities:
```

I think this is OK. I don't understand Cilium network policies, though, and the update might not be correct.

kingdonb avatar Nov 23 '25 20:11 kingdonb
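The two review points above (the empty `nodeSelector: {}` flagged by CodeRabbit, and whether the `ingress`/`ingressDeny` pair actually keeps the operator's 8080/8081 ports off the `world` entity) can be checked mechanically on the rendered manifest. The following is an added example, not code from the Cozystack repository or the Flux Operator chart: it audits a CiliumClusterwideNetworkPolicy for exactly those invariants. The policy dict is constructed by combining the two snippets in the comment, with the `{{ include "flux-operator.fullname" . }}` expression replaced by a placeholder name; the second, weakened policy is likewise constructed to show what a finding looks like.

```python
"""Audit a rendered CiliumClusterwideNetworkPolicy for the review points above:
  * an empty nodeSelector selects every node (surface it, as the bot did);
  * allow rules must not admit off-cluster entities directly;
  * every port allowed from 'cluster' must also be denied from 'world'.
"""
from typing import Iterator

# Constructed sample: the operator's policy from the comment, rendered to a dict.
# The metadata name stands in for {{ include "flux-operator.fullname" . }}-restrict.
FLUX_OPERATOR_POLICY = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumClusterwideNetworkPolicy",
    "metadata": {"name": "flux-operator-restrict"},
    "spec": {
        "nodeSelector": {},
        "ingressDeny": [
            {"fromEntities": ["world"],
             "toPorts": [{"ports": [{"port": "8080", "protocol": "TCP"},
                                    {"port": "8081", "protocol": "TCP"}]}]},
        ],
        "ingress": [
            {"fromEntities": ["cluster"],
             "toPorts": [{"ports": [{"port": "8080", "protocol": "TCP"},
                                    {"port": "8081", "protocol": "TCP"}]}]},
        ],
    },
}

# Constructed sample of a broken edit: deny list lost port 8081, nodeSelector pinned.
WEAKENED_POLICY = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumClusterwideNetworkPolicy",
    "metadata": {"name": "flux-operator-restrict"},
    "spec": {
        "nodeSelector": {"matchLabels": {"node-role": "infra"}},
        "ingressDeny": [
            {"fromEntities": ["world"],
             "toPorts": [{"ports": [{"port": "8080", "protocol": "TCP"}]}]},
        ],
        "ingress": [
            {"fromEntities": ["cluster"],
             "toPorts": [{"ports": [{"port": "8080", "protocol": "TCP"},
                                    {"port": "8081", "protocol": "TCP"}]}]},
        ],
    },
}

# Cilium entities that include peers outside the cluster.
UNTRUSTED_ENTITIES = {"world", "all"}


def _rule_ports(rule: dict) -> Iterator[tuple[str, str]]:
    """Yield (port, protocol) pairs named by a rule; protocol defaults to ANY."""
    for to_port in rule.get("toPorts", []):
        for entry in to_port.get("ports", []):
            yield (str(entry["port"]), entry.get("protocol", "ANY"))


def _ports_by_entity(rules: list[dict]) -> dict[str, set[tuple[str, str]]]:
    """Map each fromEntities value to the set of (port, protocol) it covers."""
    out: dict[str, set[tuple[str, str]]] = {}
    for rule in rules:
        ports = set(_rule_ports(rule))
        for entity in rule.get("fromEntities", []):
            out.setdefault(entity, set()).update(ports)
    return out


def audit_policy(policy: dict) -> list[str]:
    """Return findings in a stable order; an empty list means all checks passed."""
    findings: list[str] = []
    spec = policy.get("spec", {})
    if spec.get("nodeSelector") == {}:
        findings.append("nodeSelector is empty: policy is enforced on every node")
    allowed = _ports_by_entity(spec.get("ingress", []))
    denied = _ports_by_entity(spec.get("ingressDeny", []))
    for entity in sorted(UNTRUSTED_ENTITIES & set(allowed)):
        findings.append(f"ingress allows traffic from entity '{entity}'")
    world_denied = denied.get("world", set())
    for port, proto in sorted(allowed.get("cluster", set())):
        if (port, proto) not in world_denied:
            findings.append(
                f"port {port}/{proto} is allowed from 'cluster' but not denied from 'world'")
    return findings


if __name__ == "__main__":
    for name, policy in (("operator", FLUX_OPERATOR_POLICY), ("weakened", WEAKENED_POLICY)):
        print(f"{name}: {audit_policy(policy) or ['no findings']}")
```

On the policy from the comment the only finding is the empty `nodeSelector`, which matches the bot's note: the deny rule covers both ports the allow rule opens, so nothing reaches them from `world`. The weakened copy shows the case the reviewer was worried about, where a port is opened to the cluster without a matching `world` deny.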

OK, I can see that the CI failed! I'll recheck my patch and try again.

kingdonb avatar Nov 24 '25 00:11 kingdonb

That was it 🎉

kingdonb avatar Nov 24 '25 00:11 kingdonb

Hi @kingdonb thank you!

We have already started work on refactoring the whole installation process, and are going to migrate to the flux-aio distribution.

Here is draft PR https://github.com/cozystack/cozystack/pull/1641

I'm going to merge this for v0.39 release!

kvaps avatar Nov 25 '25 15:11 kvaps

That will make some things simpler, no need to contend with the Flux controllers' dependencies on CNI 👍

kingdonb avatar Nov 25 '25 17:11 kingdonb