renovatebot / renovate

Home of the Renovate CLI: Cross-platform Dependency Automation by Mend.io
https://mend.io/renovate
GNU Affero General Public License v3.0

Let `flux` manager update tags and digests (`flux` currently ignores tags) #29768

Open HonkingGoose opened 1 week ago

HonkingGoose commented 1 week ago

Describe the proposed change(s).

Renovate's flux manager does not support updating tags and digests yet:

https://github.com/renovatebot/renovate/blob/8975c9bda67880fd4c91bdc32534e24f98a90e0e/lib/modules/manager/flux/extract.ts#L214

@viceice says Renovate should support updating tags and digests. @viceice will look next week if there's an easy way to add support.

Related Discussion:

onedr0p commented 4 days ago

@HonkingGoose @jfroy @viceice keep in mind that tag and digest are mutually exclusive, so I don't think there's really anything to do here.

https://fluxcd.io/flux/components/source/ocirepositories/#reference

> `.spec.ref` is an optional field to specify the OCI reference to resolve and watch for changes. References are specified in one or more subfields (`.tag`, `.semver`, `.digest`), with latter listed fields taking precedence over earlier ones. If not specified, it defaults to the `latest` tag.

https://fluxcd.io/flux/components/source/ocirepositories/#digest-example

> This field takes precedence over all other fields.

onedr0p commented 4 days ago

Maybe support could be added like how it's done for GHA, by having Renovate put the version beside the digest in a comment? Not sure if this is possible.

e.g.

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: kyverno
  namespace: flux-system
spec:
  interval: 1h
  layerSelector:
    mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
    operation: copy
  url: oci://ghcr.io/kyverno/charts/kyverno
  ref:
    digest: sha256:d363081e45627aa396d6c8cb2d4ee59fcb7a79c223a967ae601c8c8ba4e7b7f3 # 3.2.3
```
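
The precedence rule quoted from the Flux documentation and the version-comment idea from the last comment, as an added TypeScript example (not Renovate's code and not part of the thread): it reports which `.spec.ref` field Flux would honour, which fields are overridden, and the version written beside a digest. The function, type and constant names are hypothetical; it assumes a manifest with a single `ref:` block and a `sha256:` digest of 64 hex characters, and the `tag` line in the sample is constructed.

```typescript
// Added example (not Renovate's code); all names here are hypothetical.
type RefKind = "tag" | "semver" | "digest";
interface EffectiveRef {
  kind: RefKind | "default";
  value: string; // what Flux would resolve
  versionHint: string | undefined; // trailing "# x.y.z" beside a digest
  shadowed: RefKind[]; // fields present but overridden by a later one
}
// Flux documents the order .tag, .semver, .digest; later fields win.
const PRECEDENCE: RefKind[] = ["tag", "semver", "digest"];
const DIGEST_RE = /^sha256:[0-9a-f]{64}$/; // assumed digest shape
const FIELD_RE = /^\s*(tag|semver|digest):\s*(?:"([^"]*)"|'([^']*)'|([^\s#]+))\s*(?:#\s*(\S+))?\s*$/;

function effectiveRef(manifest: string): EffectiveRef {
  const found: Partial<Record<RefKind, { value: string; comment: string | undefined }>> = {};
  let refIndent = -1;
  for (const line of manifest.split(/\r?\n/)) {
    const indent = line.search(/\S/);
    if (indent < 0) continue; // blank line
    if (refIndent < 0) {
      if (/^\s*ref:\s*$/.test(line)) refIndent = indent;
      continue;
    }
    if (indent <= refIndent) break; // left the ref: block
    const m = FIELD_RE.exec(line);
    if (m) found[m[1] as RefKind] = { value: m[2] || m[3] || m[4], comment: m[5] };
  }
  const present = PRECEDENCE.filter((k) => found[k] !== undefined);
  if (present.length === 0) {
    return { kind: "default", value: "latest", versionHint: undefined, shadowed: [] };
  }
  const kind = present[present.length - 1];
  const entry = found[kind]!;
  if (kind === "digest" && !DIGEST_RE.test(entry.value)) {
    throw new Error("malformed digest: " + entry.value);
  }
  return {
    kind,
    value: entry.value,
    versionHint: kind === "digest" ? entry.comment : undefined,
    shadowed: present.slice(0, -1),
  };
}
// Sample: the ref from the manifest above plus a constructed tag line.
const SAMPLE = `
spec:
  url: oci://ghcr.io/kyverno/charts/kyverno
  ref:
    tag: 3.2.2
    digest: sha256:d363081e45627aa396d6c8cb2d4ee59fcb7a79c223a967ae601c8c8ba4e7b7f3 # 3.2.3
`;
```

A non-empty `shadowed` list on a digest result means the manifest carries a tag or semver range that Flux will not use, which is the case a reviewer would want flagged.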