flux2

Highlights

Flux v2.8.8 is a patch release that includes CVE fixes via go-git v5.19.1 (source-controller, image-automation-controller), reliability fixes in helm-controller and source-controller, the move of Helm back to upstream v4.2.0, support for GCP sovereign cloud artifact registries, and dependency updates. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

• Add a configurable HTTP timeout for artifact fetching, preventing fetches that could block indefinitely and stall reconciliations (helm-controller)
• Fix unbounded memory growth caused by a Kubernetes client transport retry wrapper accumulating on every reconcile (helm-controller)
• Stop force-applying non-CRD objects placed under a chart's crds/ directory (helm-controller)
• Fix the Helm test action failing to find releases with names longer than 53 characters (helm-controller)
• Improve path handling in the source reconcilers (source-controller)
• Support Helm semver build-metadata encoding in OCIRepository tags (source-controller)

Improvements:

• Update go-git to v5.19.1 which fixes CVE-2026-45571 and CVE-2026-45570 (source-controller, image-automation-controller)
• Move Helm back to upstream v4.2.0 (source-controller, helm-controller)
• Add support for GCP sovereign cloud artifact registries (source-controller, image-reflector-controller)
• Upgrade Kubernetes to 1.36.1 (source-controller, helm-controller)
• Update fluxcd/pkg dependencies

Components changelog

• helm-controller v1.5.5
• image-automation-controller v1.1.4
• image-reflector-controller v1.1.2
• source-controller v1.8.5

CLI changelog

• Update toolkit components by @fluxcdbot in https://github.com/fluxcd/flux2/pull/5904

Full Changelog: https://github.com/fluxcd/flux2/compare/v2.8.7...v2.8.8