RATATOSKRATATOSK
Sign in

Flux

v2.9.1CI/CD & App Delivery
Jul 7, 2026

v2.9.1 patches CRD schema corruption caused by post-build variable substitution on Flux CRDs, plus a SOPS .ini decryption fix and a kustomize-controller dry-run bug. Upgrade recommended for all users.

  • breakingCRD schema corruption from post-build substitution — upgrade now

    If you use Kustomizations with post-build variable substitution (`.spec.postBuild.substitute`), the old behavior could silently mangle CRD schemas that contain `${...}` sequences — making CRDs invalid or causing unexpected schema validation failures. The fix adds `kustomize.toolkit.fluxcd.io/substitute: disabled` to all Flux CRDs. Upgrade to v2.9.1 to get this annotation applied; the risk is ongoing schema corruption if you stay on an older version.

  • securitySOPS `.ini` decryption was broken — check your secrets

    The SOPS dependency update fixes `.ini` file decryption in kustomize-controller. If your Flux setup uses SOPS-encrypted `.ini` files, those would have silently failed to decrypt before this patch. Upgrade and re-sync any affected Kustomizations.

Key changes (5)

  • All Flux CRDs are now annotated with `kustomize.toolkit.fluxcd.io/substitute: disabled`, preventing post-build variable substitution from corrupting CRD schemas containing `${...}` sequences.
  • SOPS dependency updated to fix `.ini` file decryption in kustomize-controller.
  • Fixed a dry-run error in kustomize-controller where strategic merge patches caused a spurious `is invalid` error.
  • Fixed a breaking change in the Flux CLI's in-memory Kustomization build.
  • source-controller now caches the registry auth token during Notation verification, reducing redundant token fetches.