[Bug]: Flux Terraform Provider Not Updating Annotations & Comments To The Desired Version When Upgrading

[satyamsareen007]

Describe the bug

Hi Team,

We are currently running 2.4.0 Flux version on EKS bootstrapped via GitLab. When we are trying to upgrade it to 2.5.1, we are seeing controller deployments, their images & CRDs getting updated in the terraform plan but the annotations app.kubernetes.io/version: v2.4.0 on all Flux resources are NOT getting updated to app.kubernetes.io/version: v2.5.1 & the comments which say the Flux version are also NOT getting updated.

                # This manifest was generated by flux. DO NOT EDIT.
                # Flux Version: v2.4.0

Can you please check if this is a bug and provide a fix for this.

Thankyou

Steps to reproduce

Install Flux 2.4.0 using the below config:

Flux version: 2.4.0
Flux Terraform provider: 1.4.0

provider "flux" {
  kubernetes = {
    config_path = "${path.root}/../config.yaml"
  }

  git = {
    url = gitlab_project.flux_bootstrap.web_url
    http = {
      username = var.gitlab_token
      password = var.gitlab_token
    }
  }
}


resource "flux_bootstrap_git" "bootstrap" {
  embedded_manifests   = true
  path                 = var.eks_cluster_name
  namespace            = "flux-cd"
  version              = var.flux_version
  watch_all_namespaces = true
  keep_namespace       = true
  depends_on           = [kubernetes_namespace.flux_cd]
}

Upgrade it in-place using the below config:

Flux version: 2.5.1
Flux Terraform provider: 1.5.1

provider "flux" {
  kubernetes = {
    config_path = "${path.root}/../config.yaml"
  }

  git = {
    url = gitlab_project.flux_bootstrap.web_url
    http = {
      username = var.gitlab_token
      password = var.gitlab_token
    }
  }
}


resource "flux_bootstrap_git" "bootstrap" {
  embedded_manifests   = true
  path                 = var.eks_cluster_name
  namespace            = "flux-cd"
  version              = var.flux_version
  watch_all_namespaces = true
  keep_namespace       = true
  depends_on           = [kubernetes_namespace.flux_cd]
}

Expected behavior

app.kubernetes.io/version annotations & Comments should get updated along with controller deployments, controller images & CRDs.

Screenshots and recordings

Terraform and provider versions

Current Versions:

Flux version: 2.4.0
Flux Terraform provider: 1.4.0
Terraform version: 1.11.2

Versions To Which we are trying to upgrade:

Flux version: 2.5.1
Flux Terraform provider: 1.5.1
Terraform version: 1.11.2

Terraform provider configurations

Current Config:

provider "flux" {
  kubernetes = {
    config_path = "${path.root}/../config.yaml"
  }

  git = {
    url = gitlab_project.flux_bootstrap.web_url
    http = {
      username = var.gitlab_token
      password = var.gitlab_token
    }
  }
}

Config to which we are trying to upgrade:

provider "flux" {
  kubernetes = {
    config_path = "${path.root}/../config.yaml"
  }

  git = {
    url = gitlab_project.flux_bootstrap.web_url
    http = {
      username = var.gitlab_token
      password = var.gitlab_token
    }
  }
}

flux_bootstrap_git resource

Current Config:

resource "flux_bootstrap_git" "bootstrap" {
  embedded_manifests   = true
  path                 = var.eks_cluster_name
  namespace            = "flux-cd"
  version              = 2.4.0
  watch_all_namespaces = true
  keep_namespace       = true
  depends_on           = [kubernetes_namespace.flux_cd]
}

Config to which we are trying to upgrade:

resource "flux_bootstrap_git" "bootstrap" {
  embedded_manifests   = true
  path                 = var.eks_cluster_name
  namespace            = "flux-cd"
  version              = 2.5.1
  watch_all_namespaces = true
  keep_namespace       = true
  depends_on           = [kubernetes_namespace.flux_cd]
}

Flux version

2.5.1

Additional context

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

Would you like to implement a fix?

None

[satyamsareen007]

@stefanprodan @swade1987 can you please look into this

[matheuscscp]

Hi @satyamsareen007

I recommend switching to flux-operator:

https://fluxcd.control-plane.io/operator/

[satyamsareen007]

Hi @matheuscscp, is this a known issue that the flux operator has a fix for?

What would be the quickest fix for the above issue? Is it to clean up Flux and install a fresh 2.5.1 version?
Is this a known issue that happens during in-place Flux upgrades?

[matheuscscp]

Flux Operator does not vendor the gotk-components.yaml file in your Git repo and fully manages Flux upgrades, providing you a seamless experience.

Is this a known issue that happens during in-place Flux upgrades?

Not that I'm aware of, maybe using the terraform provider it is. I just ran flux install --export to see the manifests and there's no 2.4.0 here, only 2.5.1

[satyamsareen007]

When I ran a fresh terraform bootstrap of 2.5.1, all annotations were as expected.
This issue appeared during in-place upgrades.

Can you tag someone from terraform flux provider team, who might have a better idea of how the terraform provider is handling this scenario bts?

[mloskot]

@satyamsareen007 I, a long-time user of this provider, see several issues in your Terraform code:

resource "flux_bootstrap_git" "bootstrap" {
  embedded_manifests   = true
  version              = 2.5.1
...
}

1. The version = 2.5.1 is not version number but float-point.
2. The version is string in format of vX.Y.X, see the docs

   terraform-provider-flux/docs/resources/bootstrap_git.md

   Line 52 in 6bc8a60

   - `version` (String) Flux version. Defaults to `v2.5.1`. Has no effect when `embedded_manifests` is enabled.

   and that convention is because of the 1. and why majority of K8s YAML-s use vX.Y.Z for versions.
3. The embedded_manifests = true makes any specification of your version ignored, see the docs (linked in 2.)

I have just upgraded to fluxcd/flux=1.5 and bumped my var.flux.version to 2.5.1 in my own Terraform code below and all worked fine, including update of the annotations as expected:

resource "flux_bootstrap_git" "flux" {
  version                 = "v${var.flux.version}"
  namespace               = kubernetes_namespace_v1.flux.metadata[0].name
  keep_namespace          = true
  disable_secret_creation = true
  secret_name             = var.flux.github_secret
  components_extra        = var.flux.components_extra
...
}

[satyamsareen007]

@mloskot i missed adding the v prefix in this GitHub issue, we do have it in our terraform code.

Looks like your config is not using embedded_manifest (which is the recommended by the Flux maintainers to use), can you try going from 2.4.0 --> 2.5.1 using embedded_manifest & see if annotations are getting updated.

[mloskot]

@satyamsareen007

Looks like your config is not using embedded_manifest

No, it is not indeed. I rely on the default which embedded_manifests=false.

(which is the recommended by the Flux maintainers to use),

No, it is not. I don't run air-gapped environment.

can you try going from 2.4.0 --> 2.5.1

Sorry, but I can't, I don't have any environment where I can try it out.

[mloskot]

@satyamsareen007 FYI, following #760, I've just upgraded my setup outlined in #759 (comment) in one of my AKS-based clusters changing

     flux = {
       source  = "fluxcd/flux"
-      version = "~> 1.5"
+      version = "~> 1.6"
     }

and var.flux.version variable from 2.5.1 to 2.6.0, then terraform init, plan, apply and all labels have been updated as expected, from this

Reminder: I use embedded_manifests=false.

[satyamsareen007]

thanks @mloskot for trying it out,
But probably it is an issue when embedded_manifests is set to true

[mladBlum]

Perhaps my observation will help with troubleshooting. I just had the same problem when attempting an update.
In my case, embedded_manifests = false, and I relied on not setting the version field, thus assuming that the "latest" version of fluxcd will be deployed.

However, Terraform didn't detect any changes and therefore didn't perform an update.

So it could be possible by setting embedded_manifests = true terraform detect no changes and therefore does not run the bootstrap command again.

[dhoppe]

I just did some testing with two of my K3s clusters.

dhoppe at macbook-air in ~
❯ flux check
► checking prerequisites
✔ Kubernetes 1.33.1+k3s1 >=1.31.0-0
► checking version in cluster
✔ distribution: flux-v2.5.1
✔ bootstrapped: true
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v1.2.0
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v1.5.1
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v1.5.0
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v1.5.0
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta3
✔ buckets.source.toolkit.fluxcd.io/v1
✔ gitrepositories.source.toolkit.fluxcd.io/v1
✔ helmcharts.source.toolkit.fluxcd.io/v1
✔ helmreleases.helm.toolkit.fluxcd.io/v2
✔ helmrepositories.source.toolkit.fluxcd.io/v1
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1
✔ ocirepositories.source.toolkit.fluxcd.io/v1beta2
✔ providers.notification.toolkit.fluxcd.io/v1beta3
✔ receivers.notification.toolkit.fluxcd.io/v1
✔ all checks passed

When embedded_manifests is set to true and version is set to v2.5.1 the controllers will be updated as expected, but the distribution has not changed flux-v2.5.1. According to the documentation the version will be ignored if embedded_manifests is set to true.

dhoppe at macbook-air in ~
❯ flux check
► checking prerequisites
✔ Kubernetes 1.33.1+k3s1 >=1.31.0-0
► checking version in cluster
✔ distribution: flux-v2.5.1
✔ bootstrapped: true
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v1.3.0
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v1.6.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v1.6.0
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v1.6.0
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta3
✔ buckets.source.toolkit.fluxcd.io/v1
✔ gitrepositories.source.toolkit.fluxcd.io/v1
✔ helmcharts.source.toolkit.fluxcd.io/v1
✔ helmreleases.helm.toolkit.fluxcd.io/v2
✔ helmrepositories.source.toolkit.fluxcd.io/v1
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1
✔ ocirepositories.source.toolkit.fluxcd.io/v1
✔ providers.notification.toolkit.fluxcd.io/v1beta3
✔ receivers.notification.toolkit.fluxcd.io/v1
✔ all checks passed

dhoppe at macbook-air in ~
❯ kubectl -n flux-system describe deployment.apps/helm-controller
name:                   helm-controller
Namespace:              flux-system
CreationTimestamp:      Fri, 21 Mar 2025 20:48:28 +0100
Labels:                 app.kubernetes.io/component=helm-controller
                        app.kubernetes.io/instance=flux-system
                        app.kubernetes.io/part-of=flux
                        app.kubernetes.io/version=v2.5.1
                        control-plane=controller
                        kustomize.toolkit.fluxcd.io/name=flux-system
                        kustomize.toolkit.fluxcd.io/namespace=flux-system
Annotations:            deployment.kubernetes.io/revision: 2
Selector:               app=helm-controller
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:           app=helm-controller
  Annotations:      prometheus.io/port: 8080
                    prometheus.io/scrape: true
  Service Account:  helm-controller
  Containers:
   manager:
    Image:           ghcr.io/fluxcd/helm-controller:v1.3.0
    Ports:           8080/TCP, 9440/TCP
    Host Ports:      0/TCP, 0/TCP
    SeccompProfile:  RuntimeDefault
    Args:
      --events-addr=http://notification-controller.flux-system.svc.cluster.local./
      --watch-all-namespaces=true
      --log-level=info
      --log-encoding=json
      --enable-leader-election
    Limits:
      cpu:     1
      memory:  1Gi
    Requests:
      cpu:      100m
      memory:   64Mi
    Liveness:   http-get http://:healthz/healthz delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:  http-get http://:healthz/readyz delay=0s timeout=1s period=10s #success=1 #failure=3
    Environment:
      RUNTIME_NAMESPACE:   (v1:metadata.namespace)
      GOMAXPROCS:         1 (limits.cpu)
      GOMEMLIMIT:         1073741824 (limits.memory)
    Mounts:
      /tmp from temp (rw)
  Volumes:
   temp:
    Type:               EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:          <unset>
  Priority Class Name:  system-cluster-critical
  Node-Selectors:       kubernetes.io/os=linux
  Tolerations:          <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Available      True    MinimumReplicasAvailable
  Progressing    True    NewReplicaSetAvailable
OldReplicaSets:  helm-controller-5c66d5b6fd (0/0 replicas created)
NewReplicaSet:   helm-controller-5c898f4887 (1/1 replicas created)
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  87s   deployment-controller  Scaled up replica set helm-controller-5c898f4887 from 0 to 1
  Normal  ScalingReplicaSet  80s   deployment-controller  Scaled down replica set helm-controller-5c66d5b6fd from 1 to 0

However, when I set embedded_version to false and version to v2.6.1 the labels will be updated and the distribution has changed to flux-v2.6.1.

dhoppe at macbook-air in ~
❯ flux check
► checking prerequisites
✔ Kubernetes 1.33.1+k3s1 >=1.31.0-0
► checking version in cluster
✔ distribution: flux-v2.6.1
✔ bootstrapped: true
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v1.3.0
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v1.6.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v1.6.0
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v1.6.0
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta3
✔ buckets.source.toolkit.fluxcd.io/v1
✔ gitrepositories.source.toolkit.fluxcd.io/v1
✔ helmcharts.source.toolkit.fluxcd.io/v1
✔ helmreleases.helm.toolkit.fluxcd.io/v2
✔ helmrepositories.source.toolkit.fluxcd.io/v1
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1
✔ ocirepositories.source.toolkit.fluxcd.io/v1
✔ providers.notification.toolkit.fluxcd.io/v1beta3
✔ receivers.notification.toolkit.fluxcd.io/v1
✔ all checks passed

dhoppe at macbook-air in ~
❯ kubectl -n flux-system describe deployment.apps/helm-controller
Name:                   helm-controller
Namespace:              flux-system
CreationTimestamp:      Fri, 21 Mar 2025 20:48:28 +0100
Labels:                 app.kubernetes.io/component=helm-controller
                        app.kubernetes.io/instance=flux-system
                        app.kubernetes.io/part-of=flux
                        app.kubernetes.io/version=v2.6.1
                        control-plane=controller
                        kustomize.toolkit.fluxcd.io/name=flux-system
                        kustomize.toolkit.fluxcd.io/namespace=flux-system
Annotations:            deployment.kubernetes.io/revision: 2
Selector:               app=helm-controller
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:           app=helm-controller
  Annotations:      prometheus.io/port: 8080
                    prometheus.io/scrape: true
  Service Account:  helm-controller
  Containers:
   manager:
    Image:           ghcr.io/fluxcd/helm-controller:v1.3.0
    Ports:           8080/TCP, 9440/TCP
    Host Ports:      0/TCP, 0/TCP
    SeccompProfile:  RuntimeDefault
    Args:
      --events-addr=http://notification-controller.flux-system.svc.cluster.local./
      --watch-all-namespaces=true
      --log-level=info
      --log-encoding=json
      --enable-leader-election
    Limits:
      cpu:     1
      memory:  1Gi
    Requests:
      cpu:      100m
      memory:   64Mi
    Liveness:   http-get http://:healthz/healthz delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:  http-get http://:healthz/readyz delay=0s timeout=1s period=10s #success=1 #failure=3
    Environment:
      RUNTIME_NAMESPACE:   (v1:metadata.namespace)
      GOMAXPROCS:         1 (limits.cpu)
      GOMEMLIMIT:         1073741824 (limits.memory)
    Mounts:
      /tmp from temp (rw)
  Volumes:
   temp:
    Type:               EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:          <unset>
  Priority Class Name:  system-cluster-critical
  Node-Selectors:       kubernetes.io/os=linux
  Tolerations:          <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Available      True    MinimumReplicasAvailable
  Progressing    True    NewReplicaSetAvailable
OldReplicaSets:  helm-controller-5c66d5b6fd (0/0 replicas created)
NewReplicaSet:   helm-controller-5c898f4887 (1/1 replicas created)
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  19m   deployment-controller  Scaled up replica set helm-controller-5c898f4887 from 0 to 1
  Normal  ScalingReplicaSet  19m   deployment-controller  Scaled down replica set helm-controller-5c66d5b6fd from 1 to 0

[satyamsareen007]

Thanks @dhoppe, for testing it out
Looks like it is indeed an issue when embedded_manifests = true

@mloskot, can we find a way to get this issue into the visibility of the contributors & hopefully prioritised?

@dhoppe, just out of my curiosity, what is this "Flux Distribution" that is not getting updated? How is it different from the controllers, CRDs that are getting installed along with it? Till now, I didn't know there were 2 parts to how Flux gets installed.

[mloskot]

My gut feeling tells me it is not strictly a bug, but some sort of a limitation specific to the Terraform provider.

@satyamsareen007

can we find a way to get this issue into the visibility of the contributors & hopefully prioritised?

I'm not member of Flux development team, so I cannot answer your question.
See https://fluxcd.io/support/ for your options like paid support request or Flux channel on CNCF Slack.

[dhoppe]

@dhoppe, just out of my curiosity, what is this "Flux Distribution" that is not getting updated? How is it different from the controllers, CRDs that are getting installed along with it? Till now, I didn't know there were 2 parts to how Flux gets installed.

I have no idea. I would assume that the labels are used by the CLI to display the distributed version of Flux since the controllers have their own version.