Announcing Flux 2.9 GA | Flux
View page source<br>Edit this page<br>Create child page<br>Create documentation issue<br>Create project issue
Tags<br>announcement18<br>ecosystem8<br>enterprise1<br>event8<br>flagger1<br>fluxcon1<br>monthly-update29<br>oci4<br>scale1<br>security9<br>user-story1
Announcing Flux 2.9 GA<br>We are thrilled to announce the release of Flux v2.9.0! Here you will find highlights of new features and improvements in this release.<br>By Stefan Prodan |<br>2026-06-30<br>We are thrilled to announce the release of<br>Flux v2.9.0!<br>In this post, we highlight some of the new features and improvements included in this release.
Highlights<br>Flux v2.9 introduces the Flux CLI Plugin System , a new way to extend the Flux command-line<br>interface with first-class plugins. Alongside the plugin system, this release brings powerful<br>additions to server-side apply, secrets decryption, and Git integrations.<br>In this release, we have introduced several new features to the Flux CLI and controllers:<br>Flux CLI Plugin System with the Mirror and Schema plugins<br>Server-Side Apply field ignore rules for fine-grained drift control<br>SOPS decryption with the Age post-quantum cipher<br>Kubernetes Workload Identity authentication for OpenBao and Vault<br>Helm post-render strategies, including chart hooks support<br>Git commit signing and verification with SSH keys<br>Secret-less, OIDC-secured webhook Receivers<br>AWS CodeCommit authentication using Workload Identity<br>In ecosystem news, there is a new release of<br>Flux Operator<br>that extends the<br>Flux Web UI with a workload dashboard and a<br>powerful pod log viewer.<br>Flux CLI Plugin System<br>The headline feature of Flux v2.9 is the new<br>Flux CLI Plugin System,<br>specified in RFC-0013. Plugins let you extend the flux command with additional capabilities that<br>ship and version independently of the Flux CLI itself, while still feeling like a native part of the<br>tool.<br>The<br>Flux plugins catalog ships with two plugins maintained by<br>the Flux project:<br>Mirror — mirrors Helm charts, OCI artifacts, and<br>container images between registries using a declarative configuration. It supports<br>multi-architecture images, HTTP/S to OCI Helm chart conversion, signature verification, regex and<br>semver filtering, and multiple authentication methods including cloud Workload Identity.<br>Schema — validates Kubernetes manifests against JSON<br>schemas and CEL rules. It comes with built-in schemas for Kubernetes, OpenShift, Gateway API, and<br>the Flux CRDs, supports custom schema catalogs, and integrates with CI/CD via GitHub Actions or<br>Docker.<br>In addition, ControlPlane maintains the Operator<br>plugin for managing Flux Operator resources, tracing objects through the GitOps pipeline,<br>debugging ResourceSets, and installing AI agent skills.<br>Installing plugins<br>Plugins are managed through the new flux plugin subcommands. Binaries are downloaded<br>to ~/fluxcd/plugins and registered as Flux sub-commands, so once installed they are<br>invoked as flux :<br># Search the catalog of available plugins<br>flux plugin search
# Install a plugin<br>flux plugin install schema
# List installed plugins<br>flux plugin list
# Update and remove plugins<br>flux plugin update schema<br>flux plugin uninstall schema
By default, flux plugin install pulls the latest version of a plugin. For reproducible setups,<br>you can pin a plugin to a specific version with flux plugin install schema@0.5.0, or to an<br>immutable digest with flux plugin install schema@sha256:, which is recommended for CI<br>pipelines and production environments.<br>Server-Side Apply field ignore rules<br>Flux applies your resources with server-side apply, becoming the field manager for everything it<br>reconciles. However, certain fields are meant to be owned by other controllers, like<br>the replicas field managed by a Horizontal Pod Autoscaler, or certificates injected by an admission<br>webhook. Until now, Flux would continuously try to revert those fields to the desired state declared<br>in Git.<br>Flux v2.9 extends server-side apply with field ignore rules . Using the new<br>Kustomization.spec.ignore field, you can tell kustomize-controller to ignore specific managed<br>fields during drift detection and apply, leaving them under the ownership of other controllers:<br>apiVersion: kustomize.toolkit.fluxcd.io/v1<br>kind: Kustomization<br>metadata:<br>name: podinfo<br>namespace: flux-system<br>spec:<br># ...<br>ignore:<br>- target:<br>kind: Deployment<br>paths:<br>- "/spec/replicas"
This gives you fine-grained control over which parts of a resource Flux owns, making it much easier<br>to combine GitOps with autoscalers, service meshes, and other controllers that mutate live objects.<br>Enhanced secrets decryption<br>Age post-quantum cipher<br>Flux v2.9 adds support for decrypting SOPS-encrypted secrets sealed with the<br>Age post-quantum cipher. As the industry<br>prepares for post-quantum cryptography, this allows teams to protect their secrets at rest with<br>quantum-resistant encryption while keeping the same SOPS-based GitOps workflow.<br>Workload Identity for OpenBao and Vault<br>Starting with this release, kustomize-controller can now authenticate to<br>OpenBao and...