Update Flux Operator to 0.27.0 #1315
Conversation
Signed-off-by: Kingdon B <kingdon@urmanac.com>
WalkthroughThis change updates the Flux Operator and Flux Instance Helm charts to version 0.27.0, introduces a new Changes
Sequence Diagram(s)sequenceDiagram
participant User
participant Helm
participant Kubernetes
participant HealthcheckJob
participant FluxInstance
User->>Helm: Install/Upgrade flux-instance chart
Helm->>Kubernetes: Apply manifests (FluxInstance, CRDs, ServiceAccount, Healthcheck Job)
Note over Helm,Kubernetes: If .Values.healthcheck.enabled is true
Kubernetes->>HealthcheckJob: Create Job (post-install/post-upgrade hook)
HealthcheckJob->>FluxInstance: Wait for readiness (with timeout)
HealthcheckJob->>Kubernetes: Report success/failure
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~15–25 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
Note ⚡️ Unit Test Generation is now available in beta!Learn more here, or try it out under "Finishing Touches" below. ✨ Finishing Touches🧪 Generate unit tests
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Summary of Changes
Hello @kingdonb, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
I've updated the Flux Operator and Flux Instance Helm charts to version 0.27.0. This update brings the latest features and fixes from the upstream Flux Operator project, including an increased default CPU limit for the operator and the introduction of a new size field for FluxInstance CRDs to define scaling profiles. Additionally, the Flux Instance chart now includes optional post-install/upgrade health checks.
Highlights
- Flux Operator Version Bump: The
flux-operatorHelm chart has been updated fromv0.24.1tov0.27.0, aligning with the latest upstream releases. - Increased CPU Resource Limits: The default CPU limit for the Flux Operator has been increased from
1000mto2000mto accommodate potentially higher resource demands. - FluxInstance CRD Enhancements: A new
sizefield has been added to theFluxInstanceCustom Resource Definition, allowing for the definition of vertical scaling profiles (small, medium, large) for Flux controllers. - New Health Check Feature for Flux Instance: The
flux-instanceHelm chart now includes an optional post-install and post-upgrade health check job, improving deployment reliability. - Schema and Configuration Updates: Various schema definitions (
values.schema.json) and default values (values.yaml) have been refined across both charts to reflect the new features and improved configurations.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request updates the Flux Operator to version 0.27.0. The changes include version bumps in Chart.yaml files, documentation updates in README.md files, and significant updates to values.schema.json files to improve correctness and add new features. A new healthcheck feature is also introduced for flux-instance. While most changes are correct, the implementation of the new healthcheck feature has a critical flaw related to RBAC permissions. The default configuration will cause the healthcheck job to fail. I have provided detailed comments and suggestions to fix this by creating a dedicated, properly permissioned service account for the healthcheck job.
| {{- if .Values.healthcheck.serviceAccount.create }} | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: {{ .Values.healthcheck.serviceAccount.name }} | ||
| namespace: {{ .Release.Namespace }} | ||
| labels: | ||
| {{- include "flux-instance.labels" . | nindent 4 }} | ||
| {{- with .Values.commonLabels }} | ||
| {{- toYaml . | nindent 4 }} | ||
| {{- end }} | ||
| {{- with .Values.commonAnnotations }} | ||
| annotations: | ||
| {{- toYaml . | nindent 4 }} | ||
| {{- end }} | ||
| automountServiceAccountToken: {{ .Values.healthcheck.serviceAccount.automount }} | ||
| {{- end }} |
There was a problem hiding this comment.
The newly created service account for the healthcheck job is missing the necessary RBAC permissions to read FluxInstance resources, and it doesn't handle the case where a name is not provided. This will cause the healthcheck job to fail when healthcheck.serviceAccount.create is true. A Role and RoleBinding should be created to grant these permissions, and a default name should be generated if one is not provided.
{{- if .Values.healthcheck.serviceAccount.create -}}
{{- $saName := .Values.healthcheck.serviceAccount.name | default (printf "%s-healthcheck" (include "flux-instance.fullname" .)) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $saName }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "flux-instance.labels" . | nindent 4 }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.healthcheck.serviceAccount.automount }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $saName }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "flux-instance.labels" . | nindent 4 }}
rules:
- apiGroups: ["fluxcd.controlplane.io"]
resources: ["fluxinstances"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $saName }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "flux-instance.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ $saName }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ $saName }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
| imagePullSecrets: | ||
| {{- toYaml . | nindent 8 }} | ||
| {{- end }} | ||
| serviceAccountName: {{ .Values.healthcheck.serviceAccount.name }} |
There was a problem hiding this comment.
To align with the recommended changes for creating a dedicated service account for healthchecks, the serviceAccountName should also use the generated default name if one is not provided in values.yaml. This makes the healthcheck feature more robust and work out-of-the-box.
serviceAccountName: {{ .Values.healthcheck.serviceAccount.name | default (printf "%s-healthcheck" (include "flux-instance.fullname" .)) }}
| serviceAccount: # @schema default: {"create":false,"automount":true,"name":"flux-operator"} | ||
| create: false | ||
| automount: true | ||
| name: "flux-operator" |
There was a problem hiding this comment.
The default values for the healthcheck service account are problematic. With create: false, the chart relies on a flux-operator service account being present in the release namespace, which is not guaranteed and can lead to deployment failures. It's better and more secure to create a dedicated service account for the healthcheck by default. This change, along with the suggested changes to serviceaccount.yaml and healthcheck.yaml, will make the feature work correctly by default.
serviceAccount: # @schema default: {"create":true,"automount":true,"name":""}
create: true
automount: true
name: ""
There was a problem hiding this comment.
Actionable comments posted: 4
♻️ Duplicate comments (1)
packages/system/fluxcd/charts/flux-instance/values.schema.json (1)
219-223: Hard-coded ServiceAccount name leaks into schema defaultsThe default block still pins
name: "flux-operator", conflicting with the description that it defaults to the release name.
This should be left empty ("") or removed so that chart logic, not the schema, decides the actual default.Aligning the schema with the proposed change in
values.yamlwill keep validation and rendered output consistent.
🧹 Nitpick comments (3)
packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (1)
88-97: Consider adding a defensive validation rule for empty strings
sizeis optional, but if a user sets it explicitly to an empty string the CRD will reject the object because the empty value is not part of the enum. In practice, Helm often injects""when values are left unset. The accompanyinginstance.yamltemplate strips empty strings, but a user creating the CR directly (kubectl-apply) could hit this trap.A tiny CEL validation such as
rule: self == '' || ['small','medium','large'].contains(self)would allow the empty string while still constraining values, giving a smoother UX.packages/system/fluxcd/charts/flux-instance/templates/instance.yaml (1)
27-32:cluster:block – safer indentation & less aggressive trimmingUsing
{{-on bothrangeandifremoves all leading whitespace and the newline aftercluster:.
When at least one key is rendered the YAML is still valid, but if the list is empty the output becomescluster:without a trailing space or newline – technically valid but untidy and easy to miss during reviews.
A more idiomatic Helm pattern is to leave the newline in place and indent the rendered keys withnindent.- {{- range $key, $value := .Values.instance.cluster }} - {{- if not (and (kindIs "string" $value) (eq $value "")) }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} + {{- range $key, $value := .Values.instance.cluster }} + {{- if not (and (kindIs "string" $value) (eq $value "")) }} +{{ printf "%s: %v" $key $value | nindent 4 }} + {{- end }} + {{- end }}This keeps the template readable, avoids blank-line trimming surprises and guarantees correct indentation.
packages/system/fluxcd/charts/flux-instance/README.md (1)
40-42: Table rows contain bare URLs – markdown-lint MD034
markdownlintflagged a bare URL in this block.
Wrapping URLs in angle brackets or link syntax suppresses the warning and renders consistently.-| instance.cluster | object | `{"domain":"cluster.local", ... }` | Cluster https://fluxcd.control-plane.io/operator/fluxinstance/#cluster-configuration | +| instance.cluster | object | `{"domain":"cluster.local", ... }` | Cluster <https://fluxcd.control-plane.io/operator/fluxinstance/#cluster-configuration> |Minor, but it keeps docs lint-clean.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (12)
packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml(2 hunks)packages/system/fluxcd-operator/charts/flux-operator/README.md(2 hunks)packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml(1 hunks)packages/system/fluxcd-operator/charts/flux-operator/values.schema.json(12 hunks)packages/system/fluxcd-operator/charts/flux-operator/values.yaml(1 hunks)packages/system/fluxcd/charts/flux-instance/Chart.yaml(2 hunks)packages/system/fluxcd/charts/flux-instance/README.md(2 hunks)packages/system/fluxcd/charts/flux-instance/templates/healthcheck.yaml(1 hunks)packages/system/fluxcd/charts/flux-instance/templates/instance.yaml(1 hunks)packages/system/fluxcd/charts/flux-instance/templates/serviceaccount.yaml(1 hunks)packages/system/fluxcd/charts/flux-instance/values.schema.json(4 hunks)packages/system/fluxcd/charts/flux-instance/values.yaml(3 hunks)
🧰 Additional context used
🧠 Learnings (4)
📚 Learning: the `./charts/robotlb/` directory in the hetzner-robotlb package contains vendored code, and the tea...
Learnt from: lllamnyp
PR: cozystack/cozystack#1233
File: packages/system/hetzner-robotlb/charts/robotlb/templates/deployment.yaml:33-35
Timestamp: 2025-07-23T09:15:09.658Z
Learning: The `./charts/robotlb/` directory in the hetzner-robotlb package contains vendored code, and the team generally avoids modifying vendored code to maintain clean separation from upstream dependencies.
Applied to files:
packages/system/fluxcd/charts/flux-instance/Chart.yamlpackages/system/fluxcd-operator/charts/flux-operator/Chart.yaml
📚 Learning: in helm templates, the `{{-` directive chomps all leading whitespace including newlines back to the ...
Learnt from: lllamnyp
PR: cozystack/cozystack#1160
File: packages/system/hetzner-robotlb/charts/robotlb/templates/role.yaml:6-8
Timestamp: 2025-07-11T06:28:13.696Z
Learning: In Helm templates, the `{{-` directive chomps all leading whitespace including newlines back to the previous content, so `{{- toYaml .Values.something | nindent 2 }}` will render correctly even with apparent indentation issues. However, for better style, it's cleaner to put the template directive on the same line as the parent key (e.g., `rules: {{- toYaml .Values.serviceAccount.permissions | nindent 2 }}`).
Applied to files:
packages/system/fluxcd/charts/flux-instance/templates/instance.yaml
📚 Learning: in cosi (container object storage interface), bucketaccessclass resources have fields like drivernam...
Learnt from: lllamnyp
PR: cozystack/cozystack#1239
File: packages/extra/seaweedfs/templates/external/cosi-bucket-class.yaml:3-15
Timestamp: 2025-07-24T13:21:17.388Z
Learning: In COSI (Container Object Storage Interface), BucketAccessClass resources have fields like driverName and authenticationType at the top level, not under a spec block. Only BucketClass resources require a spec block for fields like driverName and deletionPolicy.
Applied to files:
packages/system/fluxcd/charts/flux-instance/values.schema.json
📚 Learning: in the cozystack repository, the `readme-generator` tool removes enum contents from values.schema.js...
Learnt from: NickVolynkin
PR: cozystack/cozystack#1196
File: packages/apps/http-cache/Makefile:24-27
Timestamp: 2025-07-14T16:23:12.803Z
Learning: In the cozystack repository, the `readme-generator` tool removes enum contents from values.schema.json files during its operation. Therefore, when using readme-generator in Makefiles, any enum values need to be injected back into the schema using yq commands after readme-generator has run, not before.
Applied to files:
packages/system/fluxcd-operator/charts/flux-operator/values.schema.json
🪛 markdownlint-cli2 (0.17.2)
packages/system/fluxcd/charts/flux-instance/README.md
42-42: Bare URL used
(MD034, no-bare-urls)
🪛 YAMLlint (1.37.1)
packages/system/fluxcd/charts/flux-instance/templates/serviceaccount.yaml
[error] 1-1: syntax error: expected the node content, but found '-'
(syntax)
[warning] 10-10: wrong indentation: expected 2 but found 4
(indentation)
[warning] 11-11: wrong indentation: expected 2 but found 4
(indentation)
packages/system/fluxcd/charts/flux-instance/templates/healthcheck.yaml
[error] 1-1: syntax error: expected the node content, but found '-'
(syntax)
🔇 Additional comments (10)
packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml (1)
88-97: LGTM on schema addition
Thesizefield is clearly documented, strongly typed with an enum, and does not alter existing required sets. Nice, non-breaking enhancement.packages/system/fluxcd-operator/charts/flux-operator/values.yaml (1)
48-50: Double-check cluster capacity before raising CPU limits
Raising the default limit from1000mto2000mis fine for most production clusters but may evict existing deployments on small dev clusters. Please verify that your target environments can tolerate a 2-CPU limit, or consider exposing the change more prominently in the release notes.packages/system/fluxcd-operator/charts/flux-operator/README.md (2)
3-3: README version badge updated correctly
The badge matches the chart and app versions (0.27.0).
59-60: Resource table stays in sync withvalues.yaml
CPU limit reflects the new2000mdefault. Good catch keeping docs and code aligned.packages/system/fluxcd/charts/flux-instance/Chart.yaml (1)
11-12: Version bump looks consistent across charts
Chart and appVersion are updated to0.27.0, mirroring the operator chart. No other metadata drift detected.Also applies to: 28-28
packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml (1)
11-12: Consistent version alignment
appVersionand chartversionnow point to0.27.0, matching the packaged binaries and README.Also applies to: 28-28
packages/system/fluxcd/charts/flux-instance/templates/serviceaccount.yaml (1)
1-17: ServiceAccount name may be empty – double-check default value
metadata.namerelies solely on.Values.healthcheck.serviceAccount.name.
If users enablecreate: truebut omit a name the template will render an empty string, yielding an invalid manifest.Consider falling back to a deterministic name:
- name: {{ .Values.healthcheck.serviceAccount.name }} + name: {{ default (printf "%s-healthcheck" .Release.Name) .Values.healthcheck.serviceAccount.name }}This guarantees a valid object and remains override-able.
packages/system/fluxcd/charts/flux-instance/templates/healthcheck.yaml (1)
25-33:podSecurityContextblock – nil-safe rendering
withrenders nothing when the map is empty, but.Values.healthcheck.podSecurityContextdefaults to{}which is truthy, resulting in an emptysecurityContext:stanza (invalid YAML).Guard with
ifinstead:- {{- with .Values.healthcheck.podSecurityContext }} + {{- if .Values.healthcheck.podSecurityContext }} + {{- with .Values.healthcheck.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} + {{- end }}Prevents empty keys when users do not set fields.
⛔ Skipped due to learnings
Learnt from: lllamnyp PR: cozystack/cozystack#1160 File: packages/system/hetzner-robotlb/charts/robotlb/templates/role.yaml:6-8 Timestamp: 2025-07-11T06:28:13.696Z Learning: In Helm templates, the `{{-` directive chomps all leading whitespace including newlines back to the previous content, so `{{- toYaml .Values.something | nindent 2 }}` will render correctly even with apparent indentation issues. However, for better style, it's cleaner to put the template directive on the same line as the parent key (e.g., `rules: {{- toYaml .Values.serviceAccount.permissions | nindent 2 }}`).packages/system/fluxcd-operator/charts/flux-operator/values.schema.json (1)
3-7: New top-levelrequiredkeys – verify backward compatibilityDeclaring
resourcesandsecurityContextas required will break any existing consumer values files that relied on the chart defaults and omitted these keys. Please confirm that:
values.yamlstill defines both keys with sensible defaults, and- Downstream charts that override a subset continue to render successfully.
If not, consider dropping them from
requiredand rely on defaults instead.packages/system/fluxcd/charts/flux-instance/values.yaml (1)
71-75: Emptyimage.tagmay not resolve as intended
tagdefaults to the empty string; the templates need to explicitly fall back to.Chart.AppVersion(or similar) or the rendered Job will reference:<empty>and fail to pull.Please verify the template logic or provide a non-empty default here.
| serviceAccountName: {{ .Values.healthcheck.serviceAccount.name }} | ||
| {{- with .Values.healthcheck.podSecurityContext }} | ||
| securityContext: | ||
| {{- toYaml . | nindent 8 }} | ||
| {{- end }} |
There was a problem hiding this comment.
🛠️ Refactor suggestion
ServiceAccount coupling – ensure name mirrors SA template fallback
serviceAccountName is hard-wired to .Values.healthcheck.serviceAccount.name.
If the earlier advice to default the name is applied, mirror the same logic here to avoid dangling references.
- serviceAccountName: {{ .Values.healthcheck.serviceAccount.name }}
+ serviceAccountName: {{ default (printf "%s-healthcheck" .Release.Name) .Values.healthcheck.serviceAccount.name }}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| serviceAccountName: {{ .Values.healthcheck.serviceAccount.name }} | |
| {{- with .Values.healthcheck.podSecurityContext }} | |
| securityContext: | |
| {{- toYaml . | nindent 8 }} | |
| {{- end }} | |
| serviceAccountName: {{ default (printf "%s-healthcheck" .Release.Name) .Values.healthcheck.serviceAccount.name }} | |
| {{- with .Values.healthcheck.podSecurityContext }} | |
| securityContext: | |
| {{- toYaml . | nindent 8 }} | |
| {{- end }} |
🤖 Prompt for AI Agents
In packages/system/fluxcd/charts/flux-instance/templates/healthcheck.yaml around
lines 29 to 33, the serviceAccountName is directly set to
.Values.healthcheck.serviceAccount.name without fallback logic. Update this to
use the same defaulting logic as the service account template to ensure the name
always resolves correctly and avoid dangling references by applying a
conditional or default value expression.
| "pullSecrets": { | ||
| "type": "array", | ||
| "uniqueItems": true, | ||
| "items": { | ||
| "type": "object" | ||
| } | ||
| }, |
There was a problem hiding this comment.
🛠️ Refactor suggestion
pullSecrets item type is too vague
image.pullSecrets.items is declared as a generic object, but Kubernetes expects objects with a mandatory name field:
image:
pullSecrets:
- name: my-regcredTightening the schema helps catch user errors:
"pullSecrets": {
"type": "array",
"uniqueItems": true,
"items": {
- "type": "object"
+ "type": "object",
+ "required": ["name"],
+ "properties": {
+ "name": { "type": "string" }
+ },
+ "additionalProperties": false
}
}🤖 Prompt for AI Agents
In packages/system/fluxcd/charts/flux-instance/values.schema.json around lines
118 to 124, the pullSecrets array items are currently typed as generic objects,
but Kubernetes requires each item to have a mandatory name field. Update the
schema to specify that each item is an object with a required string property
"name" to enforce this constraint and improve validation accuracy.
| # Healthcheck job settings. | ||
| healthcheck: | ||
| # -- Enable post-install and post-upgrade health checks. | ||
| enabled: false | ||
| # -- Health check timeout in Go duration format. | ||
| timeout: 5m # @schema default: "5m" | ||
|
|
There was a problem hiding this comment.
🛠️ Refactor suggestion
Timeout value could benefit from stronger validation
timeout is documented as a Go duration but validated only as a free-form string.
A malformed value (e.g., "5" or "5minutes") would pass schema validation yet make the Job crash at runtime.
Consider adding a simple RegExp (e.g., ^([0-9]+(ns|us|ms|s|m|h))+$) to the JSON-schema to fail early:
timeout: 5m # @schema pattern: "^([0-9]+(ns|us|ms|s|m|h))+$"🤖 Prompt for AI Agents
In packages/system/fluxcd/charts/flux-instance/values.yaml around lines 60 to
66, the timeout field under healthcheck is currently validated only as a
free-form string, which can allow invalid Go duration formats that cause runtime
failures. To fix this, add a JSON-schema pattern annotation using a regular
expression like ^([0-9]+(ns|us|ms|s|m|h))+$ to the timeout field comment to
enforce proper Go duration format validation and catch errors early during
schema validation.
| # @ignore | ||
| serviceAccount: # @schema default: {"create":false,"automount":true,"name":"flux-operator"} | ||
| create: false | ||
| automount: true | ||
| name: "flux-operator" | ||
|
|
There was a problem hiding this comment.
ServiceAccount defaults are inconsistent with the documentation and may break the Job
The inline comment says the ServiceAccount name defaults to the release name, yet the default object hard-codes
name: "flux-operator" and create: false.
If the release is installed under a different name and no cluster-wide flux-operator ServiceAccount exists, the health-check Job will fail to start.
serviceAccount:
- create: false
- automount: true
- name: "flux-operator"
+# Either create one, or default to the Helm release name for backwards-compat
+ create: true # safer default
+ automount: true
+ # name will default to .Release.Name in the template when empty
+ name: ""Tagging create: true and leaving name empty delegates the actual name decision to the template logic while guaranteeing the SA is present.
Please align the defaults here with the template behaviour (or vice-versa) to avoid runtime failures.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # @ignore | |
| serviceAccount: # @schema default: {"create":false,"automount":true,"name":"flux-operator"} | |
| create: false | |
| automount: true | |
| name: "flux-operator" | |
| # @ignore | |
| serviceAccount: # @schema default: {"create":false,"automount":true,"name":"flux-operator"} | |
| # Either create one, or default to the Helm release name for backwards-compat | |
| create: true # safer default | |
| automount: true | |
| # name will default to .Release.Name in the template when empty | |
| name: "" |
🤖 Prompt for AI Agents
In packages/system/fluxcd/charts/flux-instance/values.yaml around lines 88 to
93, the serviceAccount defaults hard-code the name as "flux-operator" and set
create to false, which conflicts with the documentation stating the name
defaults to the release name. To fix this, set create to true and leave the name
field empty so the template logic can assign the correct ServiceAccount name
based on the release, ensuring the ServiceAccount is created and preventing
runtime failures of the health-check Job.
New Flux Operator from this morning
Changelogs:
Summary by CodeRabbit
New Features
sizefield to cluster configuration, allowing selection of vertical scaling profiles (small,medium,large).Enhancements
Documentation
Bug Fixes