Bump github.com/fluxcd/kustomize-controller/api from 1.8.5 to 1.9.0

[dependabot]

Bumps github.com/fluxcd/kustomize-controller/api from 1.8.5 to 1.9.0.

Release notes

Sourced from github.com/fluxcd/kustomize-controller/api's releases.

v1.9.0

Changelog

v1.9.0 changelog

Container images

• docker.io/fluxcd/kustomize-controller:v1.9.0
• ghcr.io/fluxcd/kustomize-controller:v1.9.0

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/kustomize-controller/api's changelog.

1.9.0

Release date: 2026-06-17

This minor release comes with new features for post-build variable substitution, drift detection, SOPS decryption and Kustomize build metadata, along with various bug fixes and dependency updates.

Kustomization

Post-build substitutions are now stricter by default: the controller fails the reconciliation when a variable without a default value is referenced in the manifests but is missing from the input vars. This behavior is controlled by the StrictPostBuildSubstitutions feature gate, which is now enabled by default and can be opted out of. In addition, a new .spec.postBuild.substituteStrategy: Always option was introduced to always perform substitutions even when no variables are defined, which is useful when the substitution expressions all carry defaults (e.g. ${var:=default}).

Drift detection can now be fine-tuned with ignore rules. The new .spec.ignore field accepts a list of rules selecting JSON pointer paths (optionally scoped to specific targets) to exclude from both drift detection and the apply process.

A new .spec.buildMetadata field allows enabling Kustomize build metadata annotations per Kustomization, supporting the originAnnotations and transformerAnnotations options.

The controller now keeps resources that failed to be pruned in the .status.inventory, ensuring they remain tracked and can be retried on the next reconciliation instead of becoming untracked orphans.

SOPS decryption

SOPS decryption now supports generic Kubernetes workload identity for the OpenBao/Vault transit engine, allowing the controller to authenticate to OpenBao by exchanging a Kubernetes ServiceAccount token for a short-lived OpenBao token through a JWT-backed auth method, instead of using a static token. This is purely additive and non-breaking: the existing sops.vault-token Secret and VAULT_TOKEN environment variable paths are unchanged and take precedence.

Age and SOPS have also been updated to support Age hybrid post-quantum encryption.

General updates

In addition, the Kubernetes dependencies have been updated to v1.36, the controller is now built with Go 1.26 and the source-controller API has been upgraded to v1.9.0. The shared DependencyReference type was migrated to the apis/meta package, preserving backward compatibility through a type alias.

Fixes:

... (truncated)

Commits

• 5469138 Merge pull request #1675 from fluxcd/release-v1.9.0
• 1b885f3 Release v1.9.0
• 94d4688 Add changelog entry for v1.9.0
• 9dfc5b3 Merge pull request #1674 from fluxcd/source-controller-v1.9.0
• 7365c20 Upgrade source-controller API to v1.9.0
• 77e3d98 Merge pull request #1673 from yugstar/docs-sops-dotenv-type
• 2bdabb9 docs: fix SOPS store type for dotenv files (env -> dotenv)
• 5b3449c Merge pull request #1672 from fluxcd/varsub-always
• 6214269 Introduce substituteStrategy: Always
• 3e12665 Merge pull request #1671 from fluxcd/strict-varsub-default
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)