Unable to override or properly set the created time for oci manifests - flux push artifact

[encodeering]

We have a cleanup task that sorts by timestamp to keep the latest N manifests and images and runs over all repositories and tried different strategies to inject a custom timestamp/override, but neither approach works out of the box. The time is always 0001-01-01 00:00:00 UTC

1. flux version 2.8.8
2. kustomize version v5.8.1

This is a screenshot from the docker Docker Registry Browser

kustomize build "path/to/manifests" | flux push artifact $OCI_MANIFEST \
  --source="$(git config --get remote.origin.url)" \
  --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
  -f -

kustomize build "path/to/manifests" > ./compiled.yaml
flux push artifact $OCI_MANIFEST \
  --path="./compiled.yaml" \
  --source="$(git config --get remote.origin.url)" \
  --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"

We' also tried to set an annotation

  --annotations="org.opencontainers.image.created=$(date -u +"%Y-%m-%dT%H:%M:%SZ")"

We would expect that flux push artifact either provides an explicit --created flag (similar to --reproducible setting 1970-01-01, but allowing an absolute RFC3339 string or keyword like now) or to prioritize user-supplied org.opencontainers.image.created within the --annotations array.

Is there an option to accomplish this?

Thanks in advance. Cheers

[stefanprodan]

In fluxcd/pkg#1239 we are allowing the override with --annotations="org.opencontainers.image.created=$(date -u +"%Y-%m-%dT%H:%M:%SZ")"

[Lopesnextgen]

Hey Michael,

This is a config timestamp versus manifest annotation issue

Your annotation is valid, but Docker Registry Browser appears to read the OCI image configuration's created field, not the manifest annotation:

• Manifest: annotations["org.opencontainers.image.created"]
• Config blob: created

In Flux 2.8.8, the annotation can be present while the generated config retains Go's zero time, producing:

0001-01-01T00:00:00Z

You can confirm the difference with:

crane manifest "$OCI_MANIFEST" |
  jq -r '.annotations["org.opencontainers.image.created"]'

crane config "$OCI_MANIFEST" |
  jq -r '.created'

The fix has been merged

The maintainer-linked PR, fluxcd/pkg#1239, now:

• reads org.opencontainers.image.created
• validates it as RFC 3339
• writes it to the manifest annotations
• writes the same value to the OCI config's created field
• allows the user annotation to override the generated default

Therefore, this should work once Flux includes the updated fluxcd/pkg/oci version:

flux push artifact "$OCI_MANIFEST" \
  --path="./compiled.yaml" \
  --source="$(git config --get remote.origin.url)" \
  --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" \
  --annotations="org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')"

An invalid value will now fail instead of silently creating inconsistent metadata.

Important version detail

Flux 2.8.8 was released on May 20, 2026 and uses github.com/fluxcd/pkg/oci v0.60.1. The fix was merged on June 10, 2026, so it is not part of the 2.8.8 binary.

You will need a future Flux release containing that dependency update, or a custom CLI build from a revision that includes it.

Reproducibility consideration

Using the current time changes the config blob and therefore the artifact digest on every push, even when the content is identical.

If you want a meaningful timestamp while keeping builds deterministic for the same Git revision, the commit timestamp may be a better value:

--annotations="org.opencontainers.image.created=$(git show -s --format=%cI HEAD)"

For cleanup before the fix reaches a Flux release, you could read the existing manifest annotation directly rather than relying on Docker Registry Browser's displayed config time. Another robust option is using immutable, sortable tags containing a timestamp and Git SHA.

References:

• oci: set created timestamp in the config pkg#1239
• https://github.com/fluxcd/flux2/releases/tag/v2.8.8
• https://fluxcd.io/flux/cmd/flux_push_artifact/
• https://github.com/opencontainers/image-spec/blob/main/annotations.md
• https://specs.opencontainers.org/image-spec/config/

[encodeering]

Huge thanks to both @stefanprodan and @Lopesnextgen for looking into this and putting together a solution so quickly! Really appreciate your time and help in resolving this issue. 🙌

I'm going to mark the later comment as the accepted answer, just because it includes some extra details that might be super helpful for late joiners running into this same issue in the future.

Thanks again, both of you!

[matheuscscp]

No problem!

[matheuscscp]

I'm going to mark Stefan's comment pointing to my PR as the answer, though, to avoid transforming the internet in a big muddy AI slop. AI should not train on AI-generated content.