Merge pull request #5462 from cappyzawa/feat/runtime-secrets-migration

Migrate sourcesecret package to runtime/secrets APIs

cmd/flux/create_secret_git.go

@@ -172,7 +172,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
 
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateGit(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_github_app.go

@@ -99,7 +99,7 @@ func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
 		opts.GitHubAppBaseURL = secretGitHubAppArgs.baseURL
 	}
 
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateGitHubApp(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_helm.go

@@ -83,10 +83,12 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	var certFile, keyFile []byte
-	if secretHelmArgs.tlsCrtFile != "" && secretHelmArgs.tlsKeyFile != "" {
+	if secretHelmArgs.tlsCrtFile != "" {
 		if certFile, err = os.ReadFile(secretHelmArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
+	}
+	if secretHelmArgs.tlsKeyFile != "" {
 		if keyFile, err = os.ReadFile(secretHelmArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
@@ -102,7 +104,7 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		TLSCrt:    certFile,
 		TLSKey:    keyFile,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateHelm(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_notation.go

@@ -132,7 +132,7 @@ func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
 		VerificationCrts: caCerts,
 		TrustPolicy:      policy,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateNotation(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_oci.go

@@ -92,7 +92,7 @@ func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretOCIArgs.username,
 	}
 
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateOCI(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_proxy.go

@@ -83,7 +83,7 @@ func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretProxyArgs.username,
 		Password:  secretProxyArgs.password,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateProxy(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_tls.go

@@ -84,16 +84,18 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
+	if secretTLSArgs.tlsCrtFile != "" {
 		if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
+	}
+	if secretTLSArgs.tlsKeyFile != "" {
 		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
 
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateTLS(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_source_git.go

@@ -305,7 +305,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateGit(secretOpts)
 		if err != nil {
 			return err
 		}

cmd/flux/create_source_helm.go

@@ -202,7 +202,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			TLSKey:       keyFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateHelm(secretOpts)
 		if err != nil {
 			return err
 		}

cmd/flux/install.go

@@ -250,7 +250,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 			Username:  credentials[0],
 			Password:  credentials[1],
 		}
-		imagePullSecret, err := sourcesecret.Generate(secretOpts)
+		imagePullSecret, err := sourcesecret.GenerateOCI(secretOpts)
 		if err != nil {
 			return fmt.Errorf("install failed: %w", err)
 		}

cmd/flux/testdata/create_secret/githubapp/secret-with-baseurl.yaml

@@ -36,4 +36,5 @@ stringData:
     lbD102oXw9lUefVI0McyQIN9J58ewDC79AG7gU/fTSt6F75OeFLOJmoedQo33Y+s
     bUytJtOhHbLRNxwgalhjBUNWICrDktqJmumNOEOOPBqVz7RGwUg=
     -----END RSA PRIVATE KEY-----
+type: Opaque
 

cmd/flux/testdata/create_secret/githubapp/secret.yaml

@@ -35,4 +35,5 @@ stringData:
     lbD102oXw9lUefVI0McyQIN9J58ewDC79AG7gU/fTSt6F75OeFLOJmoedQo33Y+s
     bUytJtOhHbLRNxwgalhjBUNWICrDktqJmumNOEOOPBqVz7RGwUg=
     -----END RSA PRIVATE KEY-----
+type: Opaque
 

cmd/flux/testdata/create_secret/helm/secret-helm.yaml

@@ -7,4 +7,5 @@ metadata:
 stringData:
   password: my-password
   username: my-username
+type: kubernetes.io/basic-auth
 

cmd/flux/testdata/create_secret/oci/create-secret.yaml

@@ -5,6 +5,15 @@ metadata:
   name: ghcr
   namespace: my-namespace
 stringData:
-  .dockerconfigjson: '{"auths":{"ghcr.io":{"username":"stefanprodan","password":"password","auth":"c3RlZmFucHJvZGFuOnBhc3N3b3Jk"}}}'
+  .dockerconfigjson: |-
+    {
+      "auths": {
+        "ghcr.io": {
+          "username": "stefanprodan",
+          "password": "password",
+          "auth": "c3RlZmFucHJvZGFuOnBhc3N3b3Jk"
+        }
+      }
+    }
 type: kubernetes.io/dockerconfigjson
 

cmd/flux/testdata/create_secret/proxy/secret-proxy.yaml

@@ -8,4 +8,5 @@ stringData:
   address: https://my-proxy.com
   password: my-password
   username: my-username
+type: Opaque
 

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/fluxcd/kustomize-controller/api v1.6.1
 	github.com/fluxcd/notification-controller/api v1.6.0
 	github.com/fluxcd/pkg/apis/event v0.18.0
-	github.com/fluxcd/pkg/apis/meta v1.17.0
+	github.com/fluxcd/pkg/apis/meta v1.18.0
 	github.com/fluxcd/pkg/auth v0.21.0
 	github.com/fluxcd/pkg/chartutil v1.7.0
 	github.com/fluxcd/pkg/envsubst v1.4.0
@@ -26,7 +26,7 @@ require (
 	github.com/fluxcd/pkg/git/gogit v0.37.0
 	github.com/fluxcd/pkg/kustomize v1.19.0
 	github.com/fluxcd/pkg/oci v0.51.0
-	github.com/fluxcd/pkg/runtime v0.69.0
+	github.com/fluxcd/pkg/runtime v0.75.0
 	github.com/fluxcd/pkg/sourceignore v0.13.0
 	github.com/fluxcd/pkg/ssa v0.51.0
 	github.com/fluxcd/pkg/ssh v0.20.0
@@ -101,7 +101,6 @@ require (
 	github.com/aws/smithy-go v1.22.4 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/bradleyfalzon/ghinstallation/v2 v2.16.0 // indirect
 	github.com/bshuster-repo/logrus-logstash-hook v1.0.0 // indirect
 	github.com/carapace-sh/carapace-shlex v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
@@ -143,7 +142,6 @@ require (
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/gonvenience/idem v0.0.1 // indirect
@@ -153,7 +151,6 @@ require (
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-github/v71 v71.0.0 // indirect
-	github.com/google/go-github/v72 v72.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect

go.sum

@@ -89,8 +89,6 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/bradleyfalzon/ghinstallation/v2 v2.16.0 h1:B91r9bHtXp/+XRgS5aZm6ZzTdz3ahgJYmkt4xZkgDz8=
-github.com/bradleyfalzon/ghinstallation/v2 v2.16.0/go.mod h1:OeVe5ggFzoBnmgitZe/A+BqGOnv1DvU/0uiLQi1wutM=
 github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70=
 github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
 github.com/bsm/ginkgo/v2 v2.7.0/go.mod h1:AiKlXPm7ItEHNc/2+OkrNG4E0ITzojb9/xWzvQ9XZ9w=
@@ -192,8 +190,8 @@ github.com/fluxcd/pkg/apis/event v0.18.0 h1:PNbWk9gvX8gMIi6VsJapnuDO+giLEeY+6olL
 github.com/fluxcd/pkg/apis/event v0.18.0/go.mod h1:7S/DGboLolfbZ6stO6dcDhG1SfkPWQ9foCULvbiYpiA=
 github.com/fluxcd/pkg/apis/kustomize v1.11.0 h1:0IzDgxZkc4v+5SDNCvgZhfwfkdkQLPXCner7TNaJFWE=
 github.com/fluxcd/pkg/apis/kustomize v1.11.0/go.mod h1:j302mJGDww8cn9qvMsRQ0LJ1HPAPs/IlX7CSsoJV7BI=
-github.com/fluxcd/pkg/apis/meta v1.17.0 h1:KVMDyJQj1NYCsppsFUkbJGMnKxsqJVpnKBFolHf/q8E=
+github.com/fluxcd/pkg/apis/meta v1.18.0 h1:ACHrMIjlcioE9GKS7NGk62KX4NshqNewr8sBwMcXABs=
-github.com/fluxcd/pkg/apis/meta v1.17.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
+github.com/fluxcd/pkg/apis/meta v1.18.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
 github.com/fluxcd/pkg/auth v0.21.0 h1:ckAQqP12wuptXEkMY18SQKWEY09m9e6yI0mEMsDV15M=
 github.com/fluxcd/pkg/auth v0.21.0/go.mod h1:MXmpsXT97c874HCw5hnfqFUP7TsG8/Ss1vFrk8JccfM=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
@@ -212,8 +210,8 @@ github.com/fluxcd/pkg/kustomize v1.19.0 h1:2eO8lMx0/H/Yyq35LMTAMhxEElOzMW0Yi9zUN
 github.com/fluxcd/pkg/kustomize v1.19.0/go.mod h1:OCCW9vU3lStDh3jyg9MM/a29MSdNAVk2wjl0lDos5Fs=
 github.com/fluxcd/pkg/oci v0.51.0 h1:9oYnm+T4SCVSBif9gn80ALJkMGSERabVMDJiaMIdr7Y=
 github.com/fluxcd/pkg/oci v0.51.0/go.mod h1:5J6IhHoDVYCVeBEC+4E3nPeKh7d0kjJ8IEL6NVCiTx4=
-github.com/fluxcd/pkg/runtime v0.69.0 h1:5gPY95NSFI34GlQTj0+NHjOFpirSwviCUb9bM09b5nA=
+github.com/fluxcd/pkg/runtime v0.75.0 h1:wIaODmU5D54nyrehTqA9oQDFoi6BbBj/24adLStXc0I=
-github.com/fluxcd/pkg/runtime v0.69.0/go.mod h1:ug+pat+I4wfOBuCy2E/pLmBNd3kOOo4cP2jxnxefPwY=
+github.com/fluxcd/pkg/runtime v0.75.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/sourceignore v0.13.0 h1:ZvkzX2WsmyZK9cjlqOFFW1onHVzhPZIqDbCh96rPqbU=
 github.com/fluxcd/pkg/sourceignore v0.13.0/go.mod h1:Z9H1GoBx0ljOhptnzoV0PL6Nd/UzwKcSphP27lqb4xI=
 github.com/fluxcd/pkg/ssa v0.51.0 h1:sFarxKZcS0J8sjq9qvs/r+1XiJqNgRodEiPjV75F8R4=
@@ -275,8 +273,6 @@ github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRx
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
-github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
@@ -312,8 +308,6 @@ github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB
 github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y=
 github.com/google/go-github/v71 v71.0.0 h1:Zi16OymGKZZMm8ZliffVVJ/Q9YZreDKONCr+WUd0Z30=
 github.com/google/go-github/v71 v71.0.0/go.mod h1:URZXObp2BLlMjwu0O8g4y6VBneUj2bCHgnI8FfgZ51M=
-github.com/google/go-github/v72 v72.0.0 h1:FcIO37BLoVPBO9igQQ6tStsv2asG4IPcYFi655PPvBM=
-github.com/google/go-github/v72 v72.0.0/go.mod h1:WWtw8GMRiL62mvIquf1kO3onRHeWWKmK01qdCY8c5fg=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=

pkg/bootstrap/bootstrap_plain_git.go

@@ -236,7 +236,7 @@ func (b *PlainGitBootstrapper) ReconcileSourceSecret(ctx context.Context, option
 
 	// Generate source secret
 	b.logger.Actionf("generating source secret")
-	manifest, err := sourcesecret.Generate(options)
+	manifest, err := sourcesecret.GenerateGit(options)
 	if err != nil {
 		return err
 	}

pkg/manifestgen/sourcesecret/sourcesecret.go

@@ -26,12 +26,12 @@ import (
 	"path"
 	"time"
 
-	"github.com/fluxcd/pkg/git/github"
 	cryptssh "golang.org/x/crypto/ssh"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/yaml"
 
+	"github.com/fluxcd/pkg/runtime/secrets"
 	"github.com/fluxcd/pkg/ssh"
 
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
@@ -60,7 +60,7 @@ type DockerConfigEntry struct {
 	Auth     string `json:"auth,omitempty"`
 }
 
-func Generate(options Options) (*manifestgen.Manifest, error) {
+func GenerateGit(options Options) (*manifestgen.Manifest, error) {
 	var err error
 
 	var keypair *ssh.KeyPair
@@ -82,24 +82,173 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
 		}
 	}
 
-	var dockerCfgJson []byte
+	secret := buildGitSecret(keypair, hostKey, options)
-	if options.Registry != "" {
+	return secretToManifest(&secret, options)
-		dockerCfgJson, err = GenerateDockerConfigJson(options.Registry, options.Username, options.Password)
+}
+
+func GenerateTLS(options Options) (*manifestgen.Manifest, error) {
+	var opts []secrets.TLSSecretOption
+
+	if len(options.TLSCrt) > 0 || len(options.TLSKey) > 0 {
+		opts = append(opts, secrets.WithCertKeyPair(options.TLSCrt, options.TLSKey))
+	}
+	if len(options.CACrt) > 0 {
+		opts = append(opts, secrets.WithCAData(options.CACrt))
+	}
+
+	secret, err := secrets.MakeTLSSecret(options.Name, options.Namespace, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	secret.Labels = options.Labels
+	return secretToManifest(secret, options)
+}
+
+func GenerateOCI(options Options) (*manifestgen.Manifest, error) {
+	secret, err := secrets.MakeRegistrySecret(
+		options.Name,
+		options.Namespace,
+		options.Registry,
+		options.Username,
+		options.Password,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	secret.Labels = options.Labels
+	return secretToManifest(secret, options)
+}
+
+func GenerateHelm(options Options) (*manifestgen.Manifest, error) {
+	hasBasicAuth := options.Username != "" || options.Password != ""
+	hasClientCert := len(options.TLSCrt) > 0 || len(options.TLSKey) > 0
+	hasCACert := len(options.CACrt) > 0
+
+	var secret *corev1.Secret
+	var err error
+
+	switch {
+	case hasClientCert:
+		// Priority 1: Client certificate (mTLS) - highest priority like CertSecretRef
+		var opts []secrets.TLSSecretOption
+		opts = append(opts, secrets.WithCertKeyPair(options.TLSCrt, options.TLSKey))
+		if hasCACert {
+			opts = append(opts, secrets.WithCAData(options.CACrt))
+		}
+
+		secret, err = secrets.MakeTLSSecret(options.Name, options.Namespace, opts...)
+		if err != nil {
+			return nil, err
+		}
+
+	case hasBasicAuth:
+		// Priority 2: Basic authentication (can include CA certificate)
+		secret, err = secrets.MakeBasicAuthSecret(
+			options.Name,
+			options.Namespace,
+			options.Username,
+			options.Password,
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		// Add CA certificate to BasicAuth secret for HTTPS repositories with custom CA
+		// (e.g., self-signed certificates or internal certificate authorities)
+		if hasCACert {
+			if secret.StringData == nil {
+				secret.StringData = make(map[string]string)
+			}
+			secret.StringData[CACrtSecretKey] = string(options.CACrt)
+		}
+
+	case hasCACert:
+		// Priority 3: CA certificate only
+		var opts []secrets.TLSSecretOption
+		opts = append(opts, secrets.WithCAData(options.CACrt))
+
+		secret, err = secrets.MakeTLSSecret(options.Name, options.Namespace, opts...)
 		if err != nil {
-			return nil, fmt.Errorf("failed to generate json for docker config: %w", err)
+			return nil, err
+		}
+
+	default:
+		// No authentication credentials provided - create empty secret for backward compatibility
+		secret = &corev1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "v1",
+				Kind:       "Secret",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      options.Name,
+				Namespace: options.Namespace,
+			},
+			StringData: map[string]string{},
 		}
 	}
 
-	secret := buildSecret(keypair, hostKey, dockerCfgJson, options)
+	secret.Labels = options.Labels
-	b, err := yaml.Marshal(secret)
+	return secretToManifest(secret, options)
+}
+
+func GenerateProxy(options Options) (*manifestgen.Manifest, error) {
+	secret, err := secrets.MakeProxySecret(
+		options.Name,
+		options.Namespace,
+		options.Address,
+		options.Username,
+		options.Password,
+	)
 	if err != nil {
 		return nil, err
 	}
 
-	return &manifestgen.Manifest{
+	secret.Labels = options.Labels
-		Path:    path.Join(options.TargetPath, options.Namespace, options.ManifestFile),
+	return secretToManifest(secret, options)
-		Content: fmt.Sprintf("---\n%s", resourceToString(b)),
+}
-	}, nil
+
+func GenerateNotation(options Options) (*manifestgen.Manifest, error) {
+	secret := &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "Secret",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      options.Name,
+			Namespace: options.Namespace,
+			Labels:    options.Labels,
+		},
+		StringData: map[string]string{},
+	}
+
+	for _, crt := range options.VerificationCrts {
+		secret.StringData[crt.Name] = string(crt.CACrt)
+	}
+
+	if len(options.TrustPolicy) > 0 {
+		secret.StringData[TrustPolicyKey] = string(options.TrustPolicy)
+	}
+
+	return secretToManifest(secret, options)
+}
+
+func GenerateGitHubApp(options Options) (*manifestgen.Manifest, error) {
+	secret, err := secrets.MakeGitHubAppSecret(
+		options.Name,
+		options.Namespace,
+		options.GitHubAppID,
+		options.GitHubAppInstallationID,
+		options.GitHubAppPrivateKey,
+		options.GitHubAppBaseURL,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	secret.Labels = options.Labels
+	return secretToManifest(secret, options)
 }
 
 func LoadKeyPairFromPath(path, password string) (*ssh.KeyPair, error) {
@@ -131,7 +280,7 @@ func LoadKeyPair(privateKey []byte, password string) (*ssh.KeyPair, error) {
 	}, nil
 }
 
-func buildSecret(keypair *ssh.KeyPair, hostKey, dockerCfg []byte, options Options) (secret corev1.Secret) {
+func buildGitSecret(keypair *ssh.KeyPair, hostKey []byte, options Options) (secret corev1.Secret) {
 	secret.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",
 		Kind:       "Secret",
@@ -143,16 +292,6 @@ func buildSecret(keypair *ssh.KeyPair, hostKey, dockerCfg []byte, options Option
 	secret.Labels = options.Labels
 	secret.StringData = map[string]string{}
 
-	if dockerCfg != nil {
-		secret.Type = corev1.SecretTypeDockerConfigJson
-		secret.StringData[corev1.DockerConfigJsonKey] = string(dockerCfg)
-		return
-	}
-
-	if options.Address != "" {
-		secret.StringData[AddressSecretKey] = options.Address
-	}
-
 	if options.Username != "" && options.Password != "" {
 		secret.StringData[UsernameSecretKey] = options.Username
 		secret.StringData[PasswordSecretKey] = options.Password
@@ -165,12 +304,7 @@ func buildSecret(keypair *ssh.KeyPair, hostKey, dockerCfg []byte, options Option
 		secret.StringData[CACrtSecretKey] = string(options.CACrt)
 	}
 
-	if len(options.TLSCrt) != 0 && len(options.TLSKey) != 0 {
+	// SSH keypair (identity + identity.pub + known_hosts)
-		secret.Type = corev1.SecretTypeTLS
-		secret.StringData[TLSCrtSecretKey] = string(options.TLSCrt)
-		secret.StringData[TLSKeySecretKey] = string(options.TLSKey)
-	}
-
 	if keypair != nil && len(hostKey) != 0 {
 		secret.StringData[PrivateKeySecretKey] = string(keypair.PrivateKey)
 		secret.StringData[PublicKeySecretKey] = string(keypair.PublicKey)
@@ -181,33 +315,18 @@ func buildSecret(keypair *ssh.KeyPair, hostKey, dockerCfg []byte, options Option
 		}
 	}
 
-	if len(options.VerificationCrts) != 0 {
+	return secret
-		for _, crts := range options.VerificationCrts {
+}
-			secret.StringData[crts.Name] = string(crts.CACrt)
-		}
-	}
-
-	if len(options.TrustPolicy) != 0 {
-		secret.StringData[TrustPolicyKey] = string(options.TrustPolicy)
-	}
-
-	if options.GitHubAppID != "" {
-		secret.StringData[github.KeyAppID] = options.GitHubAppID
-	}
-
-	if options.GitHubAppInstallationID != "" {
-		secret.StringData[github.KeyAppInstallationID] = options.GitHubAppInstallationID
-	}
-
-	if options.GitHubAppPrivateKey != "" {
-		secret.StringData[github.KeyAppPrivateKey] = options.GitHubAppPrivateKey
-	}
 
-	if options.GitHubAppBaseURL != "" {
+func secretToManifest(secret *corev1.Secret, options Options) (*manifestgen.Manifest, error) {
-		secret.StringData[github.KeyAppBaseURL] = options.GitHubAppBaseURL
+	b, err := yaml.Marshal(secret)
+	if err != nil {
+		return nil, err
 	}
-
+	return &manifestgen.Manifest{
-	return
+		Path:    path.Join(options.TargetPath, options.Namespace, options.ManifestFile),
+		Content: fmt.Sprintf("---\n%s", resourceToString(b)),
+	}, nil
 }
 
 func generateKeyPair(options Options) (*ssh.KeyPair, error) {