v0.13.0

Released on 2025-07-23 15:09:14 +0000 UTC by github-actions[bot].

Description

Notable changes

HelmOps and OCI storage are now fully supported and no longer experimental.
Improved traceability for built images.
More accurate and lightweight resource status updates.

Additions

Fleet supports a new, user-driven bundle scan method for greater flexibility. The previous scan method remains supported. See documentation ,contributed by @0xavi0, PR #3480.
When using SSH to point to a Git repository, Fleet checks host keys by default, rejecting connection attempts to unknown hosts xref: ../how-tos-for-users/gitrepo-add.adoc [Known hosts] by @weyfonk in PR#3523.
Replica counts are now configurable for both controllers and agents. See documentation. (Contributed by @p-se, PR #3457)
Fleet can now use a separate webhook secret for each GitRepo. See documentation. (Contributed by @0xavi0, PR #3490)
Fleet charts now support additional labels and annotations, which propagate to controller deployments. (Contributed by @0xavi0 and @p-se, PRs #3531 and #3664)
Agent leader election is now configurable. See the example. (Contributed by @p-se, PR #3463)
The old service account migration has been removed. (Contributed by @weyfonk, PR #3601)
Fleet no longer computes resource keys in bundle statuses. (Contributed by @manno, PR #3681)
Fleet adds new GitJob metrics. See documentation. (Contributed by @p-se, PR #3649)
Agents can now skip clusters using a label. (Contributed by @manno, PR #3744)

HelmOps

HelmOps is no longer experimental. HelmOp resources (renamed from HelmApp) now support:

Polling Helm repositories
Semantic versioning constraints (see this known issue for OCI charts)
Preventing bundle naming collisions between GitOps and HelmOps bundles
Installing Helm charts in strict TLS mode

Metrics and cluster statuses now include HelmOps data. For more information, refer to Fleet documentation.

OCI Storage

OCI storage is no longer experimental, and is enabled by default, although bundles will not use it by default. It can still be disabled by setting OCI_STORAGE=false in extraEnv` when installing Fleet.

It also supports garbage collection on a best-effort basis, as well as improved traceability of secrets used in OCI storage. This includes labeling the secrets that Fleet clones to downstream clusters and generating an event if deleting an OCI artifact results in an error.

See Fleet documentation for more details.

Traceability improvements

Fleet now attests provenance of Docker manifests. (Patch by @thardeck, PR #3846)

Bug fixes

Status updates and lifecycle handling received major improvements:

GitRepo statuses are now more stable when multiple bundles are not ready. (Contributed by @rbreddy, PR #3485)
GitRepo status updates are optimized. (PR #3604)
GitRepo reconciliations now delay updates to improve performance during rapid changes. (PR #3558)
BundleDeployment status updates are optimized. (PR #3887)
Drift detection no longer updates resources with empty diffs. (PR #3555)
Fleet uses the latest Wrangler readiness detection improvements. (PR #3853)
Downstream agents correctly report statuses upstream again. (PR #3702)

Lifecycle improvements

Cluster event filters reduce unnecessary bundle deployment creation. (PR #3796)
Fleet now deletes obsolete bundle deployments:
- No longer targeted.
- GitRepo or Bundle targets changed. (PRs #3509 and #3438)

CLI improvements

Fleet CLI now provides clearer error messages in git jobs. (PR #3559)
CLI uses the controller-runtime client. (PR #3670)

Configuration improvements

Config updates now trigger cluster imports selectively:
- Only when relevant fields change.
- Only when a valid apiServerURL exists. (PRs #3551 and #3837)
Fixed panic caused by options.Helm. (PR #3567)
Creating a GitRepo with an empty repo URL is no longer allowed. (PR #3582)
Empty ignore options in BundleDeployments and HelmOps are now omitted. (PR #3842)

Other improvements

More informative errors for failed chart downloads. (PR #3593)
SSH key authentication for Helm chart downloads works again. (PR #3670)