CoursesFluxIntermediate

Notifications & alerts

Events out, webhooks in.

Advanced10 min · lesson 8 of 12

The notification-controller handles events in both directions. Outbound: it sends alerts about reconciliation events (a Kustomization failed, a HelmRelease succeeded) to Slack, Teams, Discord, or a generic webhook, filtered by source and severity — so your team hears about deploy failures without watching the CLI. You define a Provider (where to send) and an Alert (what events, at what level) as CRDs.

alert.yaml
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata: { name: on-call, namespace: flux-system }
spec:
providerRef: { name: slack }
eventSeverity: error
eventSources:
- { kind: Kustomization, name: "*" }
- { kind: HelmRelease, name: "*" }

Inbound webhooks for instant sync

Inbound: a Receiver exposes a webhook endpoint so your Git provider or registry can notify Flux the instant something changes, triggering an immediate reconcile instead of waiting for the poll interval. This makes deploys feel instant while keeping the pull model — Git still drives, the webhook just says “look now.” The webhook is authenticated with a secret token, so only your provider can trigger it.

receiver.yaml
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata: { name: github, namespace: flux-system }
spec:
type: github
secretRef: { name: webhook-token } # authenticates the incoming call
resources: [{ kind: GitRepository, name: fleet }]
# expose the receiver URL to your Git provider’s webhook config
Secure the inbound receiver token
A Receiver exposes an endpoint that triggers reconciliation, so its authenticating secret must be strong and protected — an attacker who can call an unauthenticated or weakly-secured receiver can force reconciles (a denial-of-service or timing lever). Use the secret token, restrict network exposure of the receiver, and rotate the token if leaked. It is a small surface, but it is an inbound trigger into your deploy loop.