Slide 1

The evolution of Flux: From Inception to CNCF Graduation
December 12, 2022
Stefan Prodan, Principal Engineer at Weaveworks, core maintainer of Flux & Flagger

Slide 2

Flux v1
A DevOps tool that automatically ensures that the state of a cluster matches the config in Git.
2016 - 2021, 275 contributors, 6900 stars

Slide 3

CD - Before Flux & GitOps

Slide 4

CD - With Flux & GitOps

Slide 5

Flux v1 team over the years
● Alexis Richardson (coined GitOps and came up with the Flux name)
● Michael Bridgen
● Peter Bourgon
● Paul Bellamy
● Phil Winder
● Sam Broughton
● Alfonso Acosta
● Stefan Prodan
● Hidde Beydals
● Nick Cabatoff
● Justin Barrick
● Matthias Radestock
● Bryan Boreham
● Jordan Pellizzari
● Marc Carré
● Ilya Dmitrichenko
● Aaron Kirkbride
● Adam Harrison
● Elena Morozova
● And many more

Slide 6

Flux v1 Timeline
● 2016 Flux made OSS by Weaveworks
● 2016 Flux adds container image automation
● 2017 Generally available release
● 2018 Flux supports verifying commit signatures (OpenPGP)
● 2018 Flux adds native support for Helm (HelmRelease CRD)
● 2019 Weaveworks donates Flux to CNCF (sandbox)
● 2019 Flux adds support for Kustomize (manifest generation)
● 2019 Flux adds garbage collection
● 2020 Flux adds secret decryption (Mozilla SOPS)
● 2021 Deprecated in favour of Flux v2

Slide 7

Flux v1 - GitOps & Deploy Automation

Slide 8

Flux v2
A secure multi-tenant Continuous Delivery platform for Kubernetes and beyond.
2020 - present, 210 contributors, 4200 stars

Slide 9

Flux - Multi-Cluster Continuous Delivery

Slide 10

Flux - Kubernetes Controllers
● Source Controller: Fetch, verify and cache resources from Git, OCI and S3-compatible storage
● Kustomize Controller: Server-side apply, GC, decryption and dependency management for Kustomize overlays
● Helm Controller: Manage the life cycle of Helm Releases
● Notification Controller: Receive and dispatch events from/to external systems
● Image Reflector Controller: Fetch metadata of OCI artifacts from container registries
● Image Automation Controller: Update Kubernetes YAML in Git when new artifacts are available

Slide 11

Flux team (December 2022)
Maintainers
● Hidde Beydals
● Stefan Prodan
● Philip Laine
● Aurel Canciu
● Sunny Gogoi
● Somtochi Onyekwere
● Soule Ba
● Paulo Gomes
● Sanskar Jaiswal
● Max Jonas Werner
Community & DX
● Tamao Nakahara
● Daniel Holbach
● Stacey Potter
● Scott Rigby
● Kingdon Barrett
● Pinky Ravi
● Vanessa Abankwah
● Juozas Gaigalas

Slide 12

Flux v2 timeline
● 2020 Flux v2 development kicks off
● 2021 Flux adds bootstrap and auto-update capabilities
● 2021 Flux advances from CNCF sandbox to incubation
● 2021 Flux adds support for S3-compatible storage
● 2021 First Flux extension, tf-controller (Weaveworks OSS)
● 2022 Flux adopts server-side apply (drift detection & GC)
● 2022 Flux v2 powers GitOps for AWS, Azure, VMware, D2IQ, DoD
● 2022 Weaveworks releases Weave GitOps, an OSS Flux UI
● 2022 Flux adds support for OCI Artifacts & Cosign verification
● 2022 Flux becomes a CNCF graduated project

Slide 13

Flux v2 - Security audit
● 2021 First independent security audit (OSTIF & ADA Logics)
○ We’ve addressed all the security issues found in record time
○ We’ve put in place an RFC process for changes to the Flux security posture
○ Started continuous fuzzing for all Flux controllers and packages
● 2022 The Flux team focuses on security hardening
○ We’ve found and addressed a series of multi-tenancy vulnerabilities (locking down kustomize, helm & kubeconfig)
○ We’ve improved fuzzing and the test coverage of sensitive operations
○ Flux ships with signed releases/binaries/images and an SBOM
● 2023 Flux is scheduled for a 2nd security audit

Slide 14

Flux - Tooling
● Flux CLI is a fully-fledged solution for installing, upgrading, operating and debugging Flux
● Flux Terraform Provider offers an alternative to the Flux CLI install/upgrade features
● Flux comes with GitHub Actions for upgrading Flux and driving app promotions with PRs
● Flux Go client offers programmatic access to the Kubernetes API for operating and observing Flux
● Flux comes with Grafana dashboards for monitoring
● Weaveworks offers an OSS Web UI for Flux

Slide 15

Flux - Kustomize integration
● The Flux Kustomization CRD is the counterpart of the Kustomize config
● Flux builds Kustomize overlays in a secure manner
○ No remote bases (Flux sources are cached & subject to policy)
○ No plugins or KRM functions (shell-execing can’t be multi-tenant)
○ No Helm inflator (Flux has native Helm support)
● Garbage collection for stale Kustomize-generated manifests
● Encryption/decryption for the Kustomize secrets generator
● Flux native variable substitution instead of Kustomize vars
● Dependency management and health checking for overlays
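As an added example (not taken from the slides or from the Flux project), here is a Flux Kustomization that exercises the points above: the source is a cached GitRepository, `prune` provides the garbage collection, `decryption` covers SOPS-encrypted Secrets including those produced by the Kustomize secret generator, `postBuild` does the variable substitution, and `dependsOn` plus `healthChecks` order and verify the rollout. The podinfo repository is real; the `ingress-nginx`, `sops-age` and `cluster-vars` object names and the API versions (the ones current at the time of the talk) are assumptions.

```yaml
# Added example; the ingress-nginx, sops-age and cluster-vars objects are
# assumed to exist in flux-system. API versions are those of late 2022.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
  name: podinfo
  namespace: flux-system
spec:
  interval: 5m
  url: https://github.com/stefanprodan/podinfo
  ref:
    branch: master
  # Only the manifests under this path are fetched and cached; the
  # Kustomization below cannot pull remote bases at build time.
  ignore: |
    /*
    !/kustomize
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: podinfo
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: podinfo
  path: ./kustomize
  # Garbage collection: objects removed from Git are deleted from the cluster.
  prune: true
  # Apply only after the ingress-nginx Kustomization reports Ready.
  dependsOn:
    - name: ingress-nginx
  # Decrypt SOPS-encrypted Secrets (including secretGenerator output) with an
  # age key stored in the sops-age Secret.
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  # Flux variable substitution replaces Kustomize vars: ${replicas} is set
  # inline, anything else (e.g. ${cluster_env}) is read from a ConfigMap.
  postBuild:
    substitute:
      replicas: "2"
    substituteFrom:
      - kind: ConfigMap
        name: cluster-vars
        optional: false
  # Report Ready only once the Deployment has rolled out, within the timeout.
  timeout: 3m
  healthChecks:
    - apiVersion: apps/v1
      kind: Deployment
      name: podinfo
      namespace: default
```

The `ignore` rules use `.sourceignore` (gitignore) semantics, so the cached artifact contains only the `kustomize` directory; a `resources:` entry in that overlay pointing at a remote URL fails the build rather than fetching anything at apply time.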

Slide 16

Flux - Helm integration
● Declarative helming with the HelmRepository & HelmRelease CRDs
● Flux helm-controller is built on top of the Helm Go SDK
● Support for all Helm operations (including tests & pre/post hooks)
● Unlike Helm, Flux manages CRD upgrades
● Support for Kustomize patches as a Helm post-render action
● Automated Helm upgrades based on semver ranges
● Automated rollback based on health checks and test results
● Support for charts stored in container registries as OCI artifacts
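As an added example (not from the slides or the Flux project), a HelmRepository of type `oci` and a HelmRelease that together use the features listed: a semver range for automated upgrades, `crds: CreateReplace` so CRDs are upgraded rather than skipped as plain Helm does, `test.enable` so chart tests run, `remediation` so a failed upgrade or test triggers a rollback, and a Kustomize patch as post-renderer. The podinfo chart at `ghcr.io/stefanprodan/charts` is real; the release and namespace names are assumptions.

```yaml
# Added example; the release name and target namespace are assumptions.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: podinfo
  namespace: flux-system
spec:
  # Charts are pulled as OCI artifacts from a container registry.
  type: oci
  interval: 10m
  url: oci://ghcr.io/stefanprodan/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: podinfo
  namespace: default
spec:
  interval: 10m
  chart:
    spec:
      chart: podinfo
      # Semver range: each new 6.x release is upgraded to automatically.
      version: ">=6.0.0 <7.0.0"
      sourceRef:
        kind: HelmRepository
        name: podinfo
        namespace: flux-system
      interval: 5m
  install:
    # Flux creates and later replaces CRDs; Helm itself never upgrades them.
    crds: CreateReplace
    remediation:
      retries: 3
  upgrade:
    crds: CreateReplace
    cleanupOnFail: true
    remediation:
      retries: 3
      # Roll back to the last successful release when an upgrade or its
      # tests fail, instead of leaving the release in a failed state.
      remediateLastFailure: true
  # Run the chart's helm tests after install/upgrade; a failed test is a
  # release failure and feeds the remediation above.
  test:
    enable: true
    ignoreFailures: false
  rollback:
    cleanupOnFail: true
  # Kustomize patch applied as a Helm post-render action, here to harden the
  # pod security context without forking the chart.
  postRenderers:
    - kustomize:
        patches:
          - target:
              kind: Deployment
              name: podinfo
            patch: |
              apiVersion: apps/v1
              kind: Deployment
              metadata:
                name: podinfo
              spec:
                template:
                  spec:
                    securityContext:
                      runAsNonRoot: true
  values:
    replicaCount: 2
```

Because the HelmRepository lives in `flux-system` while the HelmRelease lives in `default`, this cross-namespace `sourceRef` is only allowed when helm-controller runs without `--no-cross-namespace-refs`; in a locked-down multi-tenant cluster the repository would be declared in the tenant's own namespace.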

Slide 17

Flux - Multi-tenancy Mode Flux enables multi-tenancy by allowing platform admins to assign restricted Kubernetes accounts to the tenants’ sources. When Flux reconciles the tenant’s Kubernetes resources, it does so by impersonating the tenant’s account, thus enforcing the isolation boundary as defined by platform admins in their Git repository.
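As an added example (not from the slides or the Flux project), the objects a platform admin commits to the cluster repository to onboard one tenant. The RoleBinding grants the tenant's ServiceAccount the built-in `admin` ClusterRole scoped to its own namespace only, and `serviceAccountName` on the Kustomization makes kustomize-controller impersonate that account when applying the tenant's repository, so any manifest in the tenant repo that reaches outside the namespace (a ClusterRoleBinding, a Deployment in `kube-system`) is rejected by RBAC. The tenant name, repository URL and Git credentials Secret are assumptions.

```yaml
# Added example; tenant name, repo URL and the team-a-git-auth Secret are
# assumptions. API versions are those of late 2022.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    toolkit.fluxcd.io/tenant: team-a
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: team-a
  namespace: team-a
---
# Namespace-scoped permissions only: a RoleBinding, never a
# ClusterRoleBinding, so the account cannot act outside team-a.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-reconciler
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: team-a
    namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
---
# The tenant's own repository; credentials are read from the tenant namespace.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
  name: team-a
  namespace: team-a
spec:
  interval: 5m
  url: https://github.com/org/team-a-config
  ref:
    branch: main
  secretRef:
    name: team-a-git-auth
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: team-a
  namespace: team-a
spec:
  interval: 10m
  path: ./
  prune: true
  sourceRef:
    kind: GitRepository
    name: team-a
  # Impersonation: kustomize-controller applies team-a's manifests with this
  # account's RBAC rather than with its own cluster-admin credentials.
  serviceAccountName: team-a
```

The isolation only holds if the controllers themselves are locked down. With `--default-service-account=default` set on kustomize-controller and helm-controller, a tenant Kustomization or HelmRelease that omits `serviceAccountName` falls back to the namespace `default` account instead of the controller's cluster-admin identity; with `--no-cross-namespace-refs=true` a tenant cannot point `sourceRef` at a source in another tenant's namespace; and `--no-remote-bases=true` on kustomize-controller closes the remote-base path noted on the Kustomize slide. `flux create tenant` generates an equivalent Namespace, ServiceAccount and RoleBinding set.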

Slide 18

Flux - OCI support for Kubernetes configs
$ flux push artifact oci://ghcr.io/org/my-app-config:1.0.0 --path ./deploy
$ cosign sign ghcr.io/org/my-app-config:1.0.0 --key cosign.key
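As an added example (not from the slides or the Flux project), the consuming side of the workflow shown above: an OCIRepository that pulls the pushed artifact and refuses any version whose cosign signature does not verify against the public key, and a Kustomization that applies it. The `cosign-pub` Secret is assumed to have been created from the key pair's public half with `kubectl create secret generic cosign-pub -n flux-system --from-file=cosign.pub`; the `ghcr-auth` Secret and the `my-app` namespace are also assumptions. Note that `flux push artifact` additionally requires `--source` and `--revision` flags (typically the Git remote URL and branch/commit), which the slide omits for brevity.

```yaml
# Added example; the cosign-pub and ghcr-auth Secrets and the my-app
# namespace are assumptions. API versions are those of late 2022.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: my-app-config
  namespace: flux-system
spec:
  interval: 10m
  url: oci://ghcr.io/org/my-app-config
  ref:
    # A semver range rather than a mutable tag such as "latest", so a
    # re-pushed tag cannot silently change what is applied.
    semver: ">=1.0.0 <2.0.0"
  # Registry credentials (image pull secret); omit for a public image.
  secretRef:
    name: ghcr-auth
  # Signature verification: the artifact is only cached and handed to the
  # Kustomization if cosign verifies it against the key stored under the
  # "cosign.pub" entry of this Secret. An unsigned or tampered push is
  # rejected and the OCIRepository reports a verification failure.
  verify:
    provider: cosign
    secretRef:
      name: cosign-pub
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: my-app
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: OCIRepository
    name: my-app-config
  path: ./
  prune: true
  targetNamespace: my-app
```

Verification happens in source-controller before the artifact reaches kustomize-controller, so the check cannot be bypassed by the applying side; removing the `verify` block turns the registry into a trusted source, which is the setting to audit when reviewing a cluster's OCI sources.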

Slide 19

Flux - GA Roadmap
● GitOps GA
○ Generally available release for the Flux GitOps APIs, and the Flux Git bootstrap & webhooks functionalities.
● Helm GA
○ Generally available release for the Flux Helm APIs and the Flux Helm functionalities.
● Notifications GA
○ Generally available release for the Flux Events & Alerting APIs and the Flux CLI notifications functionalities.
● Image Automation (TBA)
● OCI Artifacts (TBA)

Slide 20

Thank you
Confidential, do not distribute