Flux Integration

Flux does not have a native pre-sync hook, so Valqore offers two patterns: an Alert + Provider webhook and a CronJob that evaluates on a schedule.

Approach 1: Alert + Provider (Webhook)

Provider

apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
  name: valqore
  namespace: flux-system
spec:
  type: generic
  address: https://api.valqore.io/v1/webhooks/flux
  secretRef:
    name: valqore-webhook-secret

Alert

apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
  name: valqore-gate
  namespace: flux-system
spec:
  providerRef:
    name: valqore
  eventSeverity: info
  eventSources:
    - kind: Kustomization
      name: "*"
    - kind: HelmRelease
      name: "*"

Approach 2: CronJob (Scheduled Evaluation)

A CronJob clones the GitOps repo, runs Valqore, and suspends the target Kustomization on BLOCK verdicts.

apiVersion: batch/v1
kind: CronJob
metadata:
  name: valqore-flux-gate
  namespace: flux-system
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      backoffLimit: 0
      template:
        spec:
          serviceAccountName: valqore-flux
          restartPolicy: Never
          containers:
            - name: valqore
              image: ghcr.io/valqore/valqore-engine:latest
              command: ["sh", "-c"]
              args:
                - |
                  git clone $GITOPS_REPO /workspace
                  valqore evaluate /workspace/$MANIFESTS_PATH \
                    --fail-on block --output json > /tmp/report.json
                  VERDICT=$(jq -r .verdict /tmp/report.json)
                  if [ "$VERDICT" = "BLOCK" ]; then
                    kubectl patch kustomization $KUSTOMIZATION_NAME \
                      -n flux-system --type merge \
                      -p '{"spec":{"suspend":true}}'
                    exit 1
                  else
                    kubectl patch kustomization $KUSTOMIZATION_NAME \
                      -n flux-system --type merge \
                      -p '{"spec":{"suspend":false}}'
                  fi
              env:
                - name: GITOPS_REPO
                  value: "https://github.com/your-org/gitops.git"
                - name: MANIFESTS_PATH
                  value: "clusters/production"
                - name: KUSTOMIZATION_NAME
                  value: "production"
                - name: VALQORE_API_KEY
                  valueFrom:
                    secretKeyRef:
                      name: valqore-secret
                      key: api-key

Choosing an Approach

Criteria	Alert + Provider	CronJob
Latency	Real-time	Up to schedule interval
Blocking	Advisory (notification only)	Hard block (suspends Kustomization)
Complexity	Low	Medium
Best for	Visibility and alerting	Enforcement and gating