Merge pull request #4785 from fluxcd/dependabot/github_actions/ci-f6abfb4cf0

build(deps): bump the ci group with 3 updates
2026-03-01 11:16:56 +00:00 · 2024-05-13 10:18:12 +03:00 · 2024-05-13 00:48:35 +00:00 · 2024-05-12 15:40:37 +02:00 · 2024-05-11 22:49:52 +02:00 · 2024-05-11 20:55:55 +02:00
251 changed files with 5021 additions and 8091 deletions
--- a/.github/kind/config.yaml
+++ b/.github/kind/config.yaml
@@ -1,5 +1,9 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+  - role: worker
+  - role: worker
 networking:
  disableDefaultCNI: true   # disable kindnet
  podSubnet: 192.168.0.0/16 # set to Calico's default subnet
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@@ -50,3 +50,9 @@
 - name: backport:release/v2.1.x
  description: To be backported to release/v2.1.x
  color: '#ffd700'
+- name: backport:release/v2.2.x
+  description: To be backported to release/v2.2.x
+  color: '#ffd700'
+- name: backport:release/v2.3.x
+  description: To be backported to release/v2.3.x
+  color: '#ffd700'
--- a/.github/runners/README.md
+++ b/.github/runners/README.md
@@ -4,16 +4,18 @@ The Flux ARM64 end-to-end tests run on Equinix Metal instances provisioned with

 ## Current instances

-| Repository                  | Runner           | Instance               | Location      |
-|-----------------------------|------------------|------------------------|---------------|
-| flux2                       | equinix-arm-dc-1 | flux-equinix-arm-dc-01 | Washington DC |
-| flux2                       | equinix-arm-dc-2 | flux-equinix-arm-dc-01 | Washington DC |
-| flux2                       | equinix-arm-da-1 | flux-equinix-arm-da-01 | Dallas        |
-| flux2                       | equinix-arm-da-2 | flux-equinix-arm-da-01 | Dallas        |
-| source-controller           | equinix-arm-dc-1 | flux-equinix-arm-dc-01 | Washington DC |
-| source-controller           | equinix-arm-da-1 | flux-equinix-arm-da-01 | Dallas        |
-| image-automation-controller | equinix-arm-dc-1 | flux-equinix-arm-dc-01 | Washington DC |
-| image-automation-controller | equinix-arm-da-1 | flux-equinix-arm-da-01 | Dallas        |
+| Repository                  | Runner           | Instance       | Location      |
+|-----------------------------|------------------|----------------|---------------|
+| flux2                       | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
+| flux2                       | equinix-arm-dc-2 | flux-arm-dc-01 | Washington DC |
+| flux2                       | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
+| flux2                       | equinix-arm-da-2 | flux-arm-da-01 | Dallas        |
+| flux-benchmark              | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
+| flux-benchmark              | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
+| source-controller           | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
+| source-controller           | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
+| image-automation-controller | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
+| image-automation-controller | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |

 Instance spec:
 - Ampere Altra Q80-30 80-core processor @ 2.8GHz
--- a/.github/runners/prereq.sh
+++ b/.github/runners/prereq.sh
@@ -18,11 +18,11 @@

 set -eu

-KIND_VERSION=0.17.0
-KUBECTL_VERSION=1.24.0
-KUSTOMIZE_VERSION=4.5.7
-HELM_VERSION=3.10.1
-GITHUB_RUNNER_VERSION=2.298.2
+KIND_VERSION=0.22.0
+KUBECTL_VERSION=1.29.0
+KUSTOMIZE_VERSION=5.3.0
+HELM_VERSION=3.14.1
+GITHUB_RUNNER_VERSION=2.313.0
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq pkg-config"

 # install prerequisites
--- a/.github/runners/runner-setup.sh
+++ b/.github/runners/runner-setup.sh
@@ -22,7 +22,7 @@ RUNNER_NAME=$1
 REPOSITORY_TOKEN=$2
 REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}

-GITHUB_RUNNER_VERSION=2.298.2
+GITHUB_RUNNER_VERSION=2.313.0

 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
--- a/.github/workflows/action.yaml
+++ b/.github/workflows/action.yaml
@@ -24,6 +24,6 @@ jobs:
    name: action on ${{ matrix.version }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Setup flux
        uses: ./action
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -13,11 +13,11 @@ jobs:
    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Create backport PRs
-        uses: korthout/backport-action@08bafb375e6e9a9a2b53a744b987e5d81a133191 # v2.1.1
+        uses: korthout/backport-action@ef20d86abccbac3ee3a73cb2efbdc06344c390e5 # v2.5.0
        # xref: https://github.com/korthout/backport-action#inputs
        with:
          # Use token to allow workflows to be triggered for the created PR
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -0,0 +1,267 @@
+name: conformance
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ 'main', 'update-components', 'release/**', 'conform*' ]
+
+permissions:
+  contents: read
+
+env:
+  GO_VERSION: 1.22.x
+
+jobs:
+  conform-kubernetes:
+    # Hosted on Equinix
+    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
+    runs-on: [self-hosted, Linux, ARM64, equinix]
+    strategy:
+      matrix:
+        # Keep this list up-to-date with https://endoflife.date/kubernetes
+        # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
+        KUBERNETES_VERSION: [ 1.28.9, 1.29.4, 1.30.0 ]
+      fail-fast: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - name: Setup Go
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Prepare
+        id: prep
+        run: |
+          ID=${GITHUB_SHA:0:7}-${{ matrix.KUBERNETES_VERSION }}-$(date +%s)
+          echo "CLUSTER=arm64-${ID}" >> $GITHUB_OUTPUT
+      - name: Build
+        run: |
+          make build
+      - name: Setup Kubernetes Kind
+        run: |
+          kind create cluster \
+          --wait 5m \
+          --name ${{ steps.prep.outputs.CLUSTER }} \
+          --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }} \
+          --image=ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
+      - name: Run e2e tests
+        run: TEST_KUBECONFIG=/tmp/${{ steps.prep.outputs.CLUSTER }} make e2e
+      - name: Run multi-tenancy tests
+        env:
+          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
+        run: |
+          ./bin/flux install
+          ./bin/flux create source git flux-system \
+          --interval=15m \
+          --url=https://github.com/fluxcd/flux2-multi-tenancy \
+          --branch=main \
+          --ignore-paths="./clusters/**/flux-system/"
+          ./bin/flux create kustomization flux-system \
+          --interval=15m \
+          --source=flux-system \
+          --path=./clusters/staging
+          kubectl -n flux-system wait kustomization/tenants --for=condition=ready --timeout=5m
+          kubectl -n apps wait kustomization/dev-team --for=condition=ready --timeout=1m
+          kubectl -n apps wait helmrelease/podinfo --for=condition=ready --timeout=1m
+      - name: Debug failure
+        if: failure()
+        env:
+          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
+        run: |
+          kubectl -n flux-system get all
+          kubectl -n flux-system describe po 
+          kubectl -n flux-system logs deploy/source-controller
+          kubectl -n flux-system logs deploy/kustomize-controller
+      - name: Cleanup
+        if: always()
+        run: |
+          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
+          rm /tmp/${{ steps.prep.outputs.CLUSTER }}
+
+  conform-k3s:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # Keep this list up-to-date with https://endoflife.date/kubernetes
+        # Available versions can be found with "replicated cluster versions"
+        K3S_VERSION: [ 1.28.7,  1.29.2 ]
+      fail-fast: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - name: Setup Go
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Prepare
+        id: prep
+        run: |
+          ID=${GITHUB_SHA:0:7}-${{ matrix.K3S_VERSION }}-$(date +%s)
+          PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
+          echo "cluster=flux2-k3s-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
+          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
+          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
+      - name: Setup Kustomize
+        uses: fluxcd/pkg/actions/kustomize@main
+      - name: Build
+        run: make build-dev
+      - name: Create repository
+        run: |
+          gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: Create cluster
+        id: create-cluster
+        uses: replicatedhq/compatibility-actions/create-cluster@v1
+        with:
+          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
+          kubernetes-distribution: "k3s"
+          kubernetes-version: ${{ matrix.K3S_VERSION }}
+          ttl: 20m
+          cluster-name: "${{ steps.prep.outputs.cluster }}"
+          kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
+          export-kubeconfig: true
+      - name: Run e2e tests
+        run: TEST_KUBECONFIG=${{ steps.prep.outputs.kubeconfig-path }} make e2e
+      - name: Run flux bootstrap
+        run: |
+          ./bin/flux bootstrap git --manifests ./manifests/install/ \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
+          --branch=main \
+          --path=clusters/k3s \
+          --token-auth
+        env:
+          GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: Run flux check
+        run: |
+          ./bin/flux check
+      - name: Run flux reconcile
+        run: |
+          ./bin/flux reconcile ks flux-system --with-source
+          ./bin/flux get all
+          ./bin/flux events
+      - name: Collect reconcile logs
+        if: ${{ always() }}
+        continue-on-error: true
+        run: |
+          kubectl -n flux-system get all
+          kubectl -n flux-system describe pods
+          kubectl -n flux-system logs deploy/source-controller
+          kubectl -n flux-system logs deploy/kustomize-controller
+          kubectl -n flux-system logs deploy/notification-controller
+      - name: Delete flux
+        run: |
+          ./bin/flux uninstall -s --keep-namespace
+          kubectl delete ns flux-system --wait
+      - name: Delete cluster
+        if: ${{ always() }}
+        uses: replicatedhq/replicated-actions/remove-cluster@v1
+        continue-on-error: true
+        with:
+          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
+          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
+      - name: Delete repository
+        if: ${{ always() }}
+        continue-on-error: true
+        run: |
+          gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+
+  conform-openshift:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # Keep this list up-to-date with https://endoflife.date/red-hat-openshift
+        OPENSHIFT_VERSION: [ 4.15.0-okd ]
+      fail-fast: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - name: Setup Go
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Prepare
+        id: prep
+        run: |
+          ID=${GITHUB_SHA:0:7}-${{ matrix.OPENSHIFT_VERSION }}-$(date +%s)
+          PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
+          echo "cluster=flux2-openshift-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
+          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
+          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
+      - name: Setup Kustomize
+        uses: fluxcd/pkg/actions/kustomize@main
+      - name: Build
+        run: make build-dev
+      - name: Create repository
+        run: |
+          gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: Create cluster
+        id: create-cluster
+        uses: replicatedhq/compatibility-actions/create-cluster@v1
+        with:
+          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
+          kubernetes-distribution: "openshift"
+          kubernetes-version: ${{ matrix.OPENSHIFT_VERSION }}
+          ttl: 20m
+          cluster-name: "${{ steps.prep.outputs.cluster }}"
+          kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
+          export-kubeconfig: true
+      - name: Run flux bootstrap
+        run: |
+          ./bin/flux bootstrap git --manifests ./manifests/openshift/ \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
+          --branch=main \
+          --path=clusters/openshift \
+          --token-auth
+        env:
+          GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: Run flux check
+        run: |
+          ./bin/flux check
+      - name: Run flux reconcile
+        run: |
+          ./bin/flux reconcile ks flux-system --with-source
+          ./bin/flux get all
+          ./bin/flux events
+      - name: Collect reconcile logs
+        if: ${{ always() }}
+        continue-on-error: true
+        run: |
+          kubectl -n flux-system get all
+          kubectl -n flux-system describe pods
+          kubectl -n flux-system logs deploy/source-controller
+          kubectl -n flux-system logs deploy/kustomize-controller
+          kubectl -n flux-system logs deploy/notification-controller
+      - name: Delete flux
+        run: |
+          ./bin/flux uninstall -s --keep-namespace
+          kubectl delete ns flux-system --wait
+      - name: Delete cluster
+        if: ${{ always() }}
+        uses: replicatedhq/replicated-actions/remove-cluster@v1
+        continue-on-error: true
+        with:
+          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
+          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
+      - name: Delete repository
+        if: ${{ always() }}
+        continue-on-error: true
+        run: |
+          gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@@ -1,106 +0,0 @@
-name: e2e-arm64
-
-on:
-  workflow_dispatch:
-  push:
-    branches: [ 'main', 'update-components', 'e2e-*', 'release/**' ]
-
-permissions:
-  contents: read
-
-jobs:
-  e2e-arm64-kubernetes:
-    # Hosted on Equinix
-    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
-    runs-on: [self-hosted, Linux, ARM64, equinix]
-    strategy:
-      matrix:
-        # Keep this list up-to-date with https://endoflife.date/kubernetes
-        # Check which versions are available on DockerHub with 'crane ls kindest/node'
-        KUBERNETES_VERSION: [ 1.25.11, 1.26.6, 1.27.3, 1.28.0 ]
-      fail-fast: false
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
-        with:
-          go-version: 1.20.x
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Prepare
-        id: prep
-        run: |
-          ID=${GITHUB_SHA:0:7}-${{ matrix.KUBERNETES_VERSION }}-$(date +%s)
-          echo "CLUSTER=arm64-${ID}" >> $GITHUB_OUTPUT
-      - name: Build
-        run: |
-          make build
-      - name: Setup Kubernetes Kind
-        run: |
-          kind create cluster \
-          --wait 5m \
-          --name ${{ steps.prep.outputs.CLUSTER }} \
-          --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }} \
-          --image=kindest/node:v${{ matrix.KUBERNETES_VERSION }}
-      - name: Run e2e tests
-        run: TEST_KUBECONFIG=/tmp/${{ steps.prep.outputs.CLUSTER }} make e2e
-      - name: Run multi-tenancy tests
-        env:
-          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
-        run: |
-          ./bin/flux install
-          ./bin/flux create source git flux-system \
-          --interval=15m \
-          --url=https://github.com/fluxcd/flux2-multi-tenancy \
-          --branch=main \
-          --ignore-paths="./clusters/**/flux-system/"
-          ./bin/flux create kustomization flux-system \
-          --interval=15m \
-          --source=flux-system \
-          --path=./clusters/staging
-          kubectl -n flux-system wait kustomization/tenants --for=condition=ready --timeout=5m
-          kubectl -n apps wait kustomization/dev-team --for=condition=ready --timeout=1m
-          kubectl -n apps wait helmrelease/podinfo --for=condition=ready --timeout=1m
-      - name: Run monitoring tests
-        # Keep this test in sync with https://fluxcd.io/flux/guides/monitoring/
-        env:
-          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
-        run: |
-          ./bin/flux create source git flux-monitoring \
-          --interval=30m \
-          --url=https://github.com/fluxcd/flux2 \
-          --branch=${GITHUB_REF#refs/heads/}
-          ./bin/flux create kustomization kube-prometheus-stack \
-          --interval=1h \
-          --prune \
-          --source=flux-monitoring \
-          --path="./manifests/monitoring/kube-prometheus-stack" \
-          --health-check-timeout=5m \
-          --wait
-          ./bin/flux create kustomization monitoring-config \
-          --depends-on=kube-prometheus-stack \
-          --interval=1h \
-          --prune=true \
-          --source=flux-monitoring \
-          --path="./manifests/monitoring/monitoring-config" \
-          --health-check-timeout=1m \
-          --wait
-          kubectl -n flux-system wait kustomization/kube-prometheus-stack --for=condition=ready --timeout=5m
-          kubectl -n flux-system wait kustomization/monitoring-config --for=condition=ready --timeout=5m
-          kubectl -n monitoring wait helmrelease/kube-prometheus-stack --for=condition=ready --timeout=1m
-      - name: Debug failure
-        if: failure()
-        env:
-          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
-        run: |
-          kubectl -n flux-system get all
-          kubectl -n flux-system describe po 
-          kubectl -n flux-system logs deploy/source-controller
-          kubectl -n flux-system logs deploy/kustomize-controller
-      - name: Cleanup
-        if: always()
-        run: |
-          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
-          rm /tmp/${{ steps.prep.outputs.CLUSTER }}
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -21,52 +21,7 @@ permissions:
  contents: read

 jobs:
-  e2e-amd64-aks:
-    runs-on: ubuntu-22.04
-    defaults:
-      run:
-        working-directory: ./tests/azure
-    # This job is currently disabled. Remove the false check when Azure subscription is enabled.
-    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
-        with:
-          go-version: 1.20.x
-          cache-dependency-path: tests/azure/go.sum
-      - name: Setup Flux CLI
-        run: |
-          make build
-          mkdir -p $HOME/.local/bin
-          mv ./bin/flux $HOME/.local/bin
-        working-directory: ./
-      - name: Setup SOPS
-        run: |
-          mkdir -p $HOME/.local/bin
-          wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux -O $HOME/.local/bin/sops
-          chmod +x $HOME/.local/bin/sops
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v2
-        with:
-          terraform_version: 1.2.8
-          terraform_wrapper: false
-      - name: Setup Azure CLI
-        run: |
-          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
-      - name: Run Azure e2e tests
-        env:
-          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
-        run: |
-          ls $HOME/.local/bin
-          az login --service-principal -u ${ARM_CLIENT_ID} -p ${ARM_CLIENT_SECRET} -t ${ARM_TENANT_ID}
-          go test -v -coverprofile cover.out -timeout 60m .
-
-  refactored-e2e-amd64-aks:
+  e2e-aks:
    runs-on: ubuntu-22.04
    defaults:
      run:
@@ -75,11 +30,11 @@ jobs:
    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: CheckoutD
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: 1.20.x
+          go-version: 1.22.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Flux CLI
        run: make build
@@ -92,7 +47,7 @@ jobs:
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Azure
-        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6
+        uses: Azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v1.4.6
        with:
          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
      - name: Set dynamic variables in .env
@@ -123,3 +78,14 @@ jobs:
          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-azure
+      - name: Ensure resource cleanup
+        if: ${{ always() }}
+        env:
+          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
+          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
+          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
+        run: source .env && make destroy-azure
--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@@ -17,29 +17,29 @@ jobs:
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: 1.20.x
+          go-version: 1.22.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
        with:
-          version: v0.20.0
+          version: v0.22.0
          cluster_name: kind
          # The versions below should target the newest Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: kindest/node:v1.28.0@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
-          kubectl_version: v1.28.0
+          node_image: ghcr.io/fluxcd/kindest/node:v1.30.0-amd64
+          kubectl_version: v1.30.0
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
+      - name: Setup yq
+        uses: fluxcd/pkg/actions/yq@main
      - name: Build
-        run: |
-          make cmd/flux/.manifests.done
-          go build -o /tmp/flux ./cmd/flux
+        run: make build-dev
      - name: Set outputs
        id: vars
        run: |
@@ -51,18 +51,24 @@ jobs:
          echo "test_repo_name=$TEST_REPO_NAME" >> $GITHUB_OUTPUT
      - name: bootstrap init
        run: |
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
+          --image-pull-secret=ghcr-auth \
+          --registry-creds=fluxcd:$GITHUB_TOKEN \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: verify image pull secret
+        run: |
+          kubectl -n flux-system get secret ghcr-auth | grep dockerconfigjson
      - name: bootstrap no-op
        run: |
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
+          --image-pull-secret=ghcr-auth \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
@@ -72,7 +78,7 @@ jobs:
      - name: bootstrap customize
        run: |
          make setup-bootstrap-patch
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
@@ -87,46 +93,31 @@ jobs:
          GITHUB_ORG_NAME: fluxcd-testing
      - name: uninstall
        run: |
-          /tmp/flux uninstall -s --keep-namespace
+          ./bin/flux uninstall -s --keep-namespace
          kubectl delete ns flux-system --timeout=10m --wait=true
      - name: test image automation
        run: |
          make setup-image-automation
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --read-write-key
-          /tmp/flux reconcile image repository podinfo
-          /tmp/flux get images all
-          
-          retries=10
-          count=0
-          ok=false
-          until ${ok}; do
-              /tmp/flux get image update flux-system | grep 'commit' && ok=true || ok=false
-              count=$(($count + 1))
-              if [[ ${count} -eq ${retries} ]]; then
-                  echo "No more retries left"
-                  exit 1
-              fi
-              sleep 6
-              /tmp/flux reconcile image update flux-system
-          done
+          ./bin/flux reconcile image repository podinfo
+          ./bin/flux reconcile image update flux-system
+          ./bin/flux get images all
+          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system | \
+           yq '.status.lastPushCommit | length > 1' | grep 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
          GITHUB_ORG_NAME: fluxcd-testing
      - name: delete repository
        if: ${{ always() }}
+        continue-on-error: true
        run: |
-          curl \
-            -X DELETE \
-            -H "Accept: application/vnd.github.v3+json" \
-            -H "Authorization: token ${GITHUB_TOKEN}" \
-            --fail --silent \
-            https://api.github.com/repos/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }}
+          gh repo delete fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} --yes
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Debug failure
--- a/.github/workflows/e2e-gcp.yaml
+++ b/.github/workflows/e2e-gcp.yaml
@@ -29,11 +29,11 @@ jobs:
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: 1.20.x
+          go-version: 1.22.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Flux CLI
        run: make build
@@ -46,19 +46,19 @@ jobs:
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
+        uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2
        id: 'auth'
        with:
          credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
          token_format: 'access_token'
      - name: Setup gcloud
-        uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
+        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
      - name: Setup QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
      - name: Log into us-central1-docker.pkg.dev
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
        with:
          registry: us-central1-docker.pkg.dev
          username: oauth2accesstoken
@@ -90,3 +90,13 @@ jobs:
          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-gcp
+      - name: Ensure resource cleanup
+        if: ${{ always() }}
+        env:
+          TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
+          TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
+          TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
+          TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
+          TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
+          TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
+        run: source .env && make destroy-gcp
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -13,7 +13,9 @@ permissions:

 jobs:
  e2e-amd64-kubernetes:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: "Default Larger Runners"
+      labels: ubuntu-latest-16-cores
    services:
      registry:
        image: registry:2
@@ -21,28 +23,28 @@ jobs:
          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: 1.20.x
+          go-version: 1.22.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
        with:
-          version: v0.20.0
+          version: v0.22.0
          cluster_name: kind
+          wait: 5s
          config: .github/kind/config.yaml # disable KIND-net
-          # The versions below should target the newest Kubernetes version
+          # The versions below should target the oldest supported Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: kindest/node:v1.28.0@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
-          kubectl_version: v1.28.0
+          node_image: ghcr.io/fluxcd/kindest/node:v1.28.9-amd64
+          kubectl_version: v1.28.9
      - name: Setup Calico for network policy
        run: |
-          kubectl apply -f https://docs.projectcalico.org/v3.25/manifests/calico.yaml
-          kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
+          kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.3/manifests/calico.yaml
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Run tests
@@ -57,44 +59,43 @@ jobs:
            exit 1
          fi
      - name: Build
-        run: |
-          go build -o /tmp/flux ./cmd/flux
+        run: make build-dev
      - name: flux check --pre
        run: |
-          /tmp/flux check --pre
+          ./bin/flux check --pre
      - name: flux install --manifests
        run: |
-          /tmp/flux install --manifests ./manifests/install/
+          ./bin/flux install --manifests ./manifests/install/
      - name: flux create secret
        run: |
-          /tmp/flux create secret git git-ssh-test \
+          ./bin/flux create secret git git-ssh-test \
            --url ssh://git@github.com/stefanprodan/podinfo
-          /tmp/flux create secret git git-https-test \
+          ./bin/flux create secret git git-https-test \
            --url https://github.com/stefanprodan/podinfo \
            --username=test --password=test
-          /tmp/flux create secret helm helm-test \
+          ./bin/flux create secret helm helm-test \
            --username=test --password=test
      - name: flux create source git
        run: |
-          /tmp/flux create source git podinfo \
+          ./bin/flux create source git podinfo \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=6.3.5"
      - name: flux create source git export apply
        run: |
-          /tmp/flux create source git podinfo-export \
+          ./bin/flux create source git podinfo-export \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=6.3.5" \
            --export | kubectl apply -f -
-          /tmp/flux delete source git podinfo-export --silent
+          ./bin/flux delete source git podinfo-export --silent
      - name: flux get sources git
        run: |
-          /tmp/flux get sources git
+          ./bin/flux get sources git
      - name: flux get sources git --all-namespaces
        run: |
-          /tmp/flux get sources git --all-namespaces
+          ./bin/flux get sources git --all-namespaces
      - name: flux create kustomization
        run: |
-          /tmp/flux create kustomization podinfo \
+          ./bin/flux create kustomization podinfo \
            --source=podinfo \
            --path="./deploy/overlays/dev" \
            --prune=true \
@@ -104,89 +105,89 @@ jobs:
            --health-check-timeout=3m
      - name: flux trace
        run: |
-          /tmp/flux trace frontend \
+          ./bin/flux trace frontend \
            --kind=deployment \
            --api-version=apps/v1 \
            --namespace=dev
      - name: flux reconcile kustomization --with-source
        run: |
-          /tmp/flux reconcile kustomization podinfo --with-source
+          ./bin/flux reconcile kustomization podinfo --with-source
      - name: flux get kustomizations
        run: |
-          /tmp/flux get kustomizations
+          ./bin/flux get kustomizations
      - name: flux get kustomizations --all-namespaces
        run: |
-          /tmp/flux get kustomizations --all-namespaces
+          ./bin/flux get kustomizations --all-namespaces
      - name: flux suspend kustomization
        run: |
-          /tmp/flux suspend kustomization podinfo
+          ./bin/flux suspend kustomization podinfo
      - name: flux resume kustomization
        run: |
-          /tmp/flux resume kustomization podinfo
+          ./bin/flux resume kustomization podinfo
      - name: flux export
        run: |
-          /tmp/flux export source git --all
-          /tmp/flux export kustomization --all
+          ./bin/flux export source git --all
+          ./bin/flux export kustomization --all
      - name: flux delete kustomization
        run: |
-          /tmp/flux delete kustomization podinfo --silent
+          ./bin/flux delete kustomization podinfo --silent
      - name: flux create source helm
        run: |
-          /tmp/flux create source helm podinfo \
+          ./bin/flux create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
      - name: flux create helmrelease --source=HelmRepository/podinfo
        run: |
-          /tmp/flux create hr podinfo-helm \
+          ./bin/flux create hr podinfo-helm \
            --target-namespace=default \
            --source=HelmRepository/podinfo.flux-system \
            --chart=podinfo \
            --chart-version=">6.0.0 <7.0.0"
      - name: flux create helmrelease --source=GitRepository/podinfo
        run: |
-          /tmp/flux create hr podinfo-git \
+          ./bin/flux create hr podinfo-git \
            --target-namespace=default \
            --source=GitRepository/podinfo \
            --chart=./charts/podinfo
      - name: flux reconcile helmrelease --with-source
        run: |
-          /tmp/flux reconcile helmrelease podinfo-git --with-source
+          ./bin/flux reconcile helmrelease podinfo-git --with-source
      - name: flux get helmreleases
        run: |
-          /tmp/flux get helmreleases
+          ./bin/flux get helmreleases
      - name: flux get helmreleases --all-namespaces
        run: |
-          /tmp/flux get helmreleases --all-namespaces
+          ./bin/flux get helmreleases --all-namespaces
      - name: flux export helmrelease
        run: |
-          /tmp/flux export hr --all
+          ./bin/flux export hr --all
      - name: flux delete helmrelease podinfo-helm
        run: |
-          /tmp/flux delete hr podinfo-helm --silent
+          ./bin/flux delete hr podinfo-helm --silent
      - name: flux delete helmrelease podinfo-git
        run: |
-          /tmp/flux delete hr podinfo-git --silent
+          ./bin/flux delete hr podinfo-git --silent
      - name: flux delete source helm
        run: |
-          /tmp/flux delete source helm podinfo --silent
+          ./bin/flux delete source helm podinfo --silent
      - name: flux delete source git
        run: |
-          /tmp/flux delete source git podinfo --silent
+          ./bin/flux delete source git podinfo --silent
      - name: flux oci artifacts
        run: |
-          /tmp/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+          ./bin/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
            --path="./manifests" \
            --source="${{ github.repositoryUrl }}" \
            --revision="${{ github.ref }}@sha1:${{ github.sha }}"
-          /tmp/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+          ./bin/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
            --tag latest
-          /tmp/flux list artifacts oci://localhost:5000/fluxcd/flux
+          ./bin/flux list artifacts oci://localhost:5000/fluxcd/flux
      - name: flux oci repositories
        run: |
-          /tmp/flux create source oci podinfo-oci \
+          ./bin/flux create source oci podinfo-oci \
            --url oci://ghcr.io/stefanprodan/manifests/podinfo \
            --tag-semver 6.3.x \
            --interval 10m
-          /tmp/flux create kustomization podinfo-oci \
+          ./bin/flux create kustomization podinfo-oci \
            --source=OCIRepository/podinfo-oci \
            --path="./" \
            --prune=true \
@@ -194,31 +195,31 @@ jobs:
            --target-namespace=default \
            --wait=true \
            --health-check-timeout=3m
-          /tmp/flux reconcile source oci podinfo-oci
-          /tmp/flux suspend source oci podinfo-oci
-          /tmp/flux get sources oci
-          /tmp/flux resume source oci podinfo-oci
-          /tmp/flux export source oci podinfo-oci
-          /tmp/flux delete ks podinfo-oci --silent
-          /tmp/flux delete source oci podinfo-oci --silent
+          ./bin/flux reconcile source oci podinfo-oci
+          ./bin/flux suspend source oci podinfo-oci
+          ./bin/flux get sources oci
+          ./bin/flux resume source oci podinfo-oci
+          ./bin/flux export source oci podinfo-oci
+          ./bin/flux delete ks podinfo-oci --silent
+          ./bin/flux delete source oci podinfo-oci --silent
      - name: flux create tenant
        run: |
-          /tmp/flux create tenant dev-team --with-namespace=apps
-          /tmp/flux -n apps create source helm podinfo \
+          ./bin/flux create tenant dev-team --with-namespace=apps
+          ./bin/flux -n apps create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
-          /tmp/flux -n apps create hr podinfo-helm \
+          ./bin/flux -n apps create hr podinfo-helm \
            --source=HelmRepository/podinfo \
            --chart=podinfo \
            --chart-version="6.3.x" \
            --service-account=dev-team
      - name: flux2-kustomize-helm-example
        run: |
-          /tmp/flux create source git flux-system \
+          ./bin/flux create source git flux-system \
          --url=https://github.com/fluxcd/flux2-kustomize-helm-example \
          --branch=main \
          --ignore-paths="./clusters/**/flux-system/" \
          --recurse-submodules
-          /tmp/flux create kustomization flux-system \
+          ./bin/flux create kustomization flux-system \
          --source=flux-system \
          --path=./clusters/staging
          kubectl -n flux-system wait kustomization/infra-controllers --for=condition=ready --timeout=5m
@@ -226,13 +227,23 @@ jobs:
          kubectl -n podinfo wait helmrelease/podinfo --for=condition=ready --timeout=5m
      - name: flux tree
        run: |
-          /tmp/flux tree kustomization flux-system | grep Service/podinfo
+          ./bin/flux tree kustomization flux-system | grep Service/podinfo
+      - name: flux events
+        run: |
+          ./bin/flux -n flux-system events --for Kustomization/apps | grep 'HelmRelease/podinfo'
+          ./bin/flux -n podinfo events --for HelmRelease/podinfo | grep 'podinfo.v1'
+      - name: flux stats
+        run: |
+          ./bin/flux stats -A
      - name: flux check
        run: |
-          /tmp/flux check
+          ./bin/flux check
+      - name: flux version
+        run: |
+          ./bin/flux version
      - name: flux uninstall
        run: |
-          /tmp/flux uninstall --silent
+          ./bin/flux uninstall --silent
      - name: Debug failure
        if: failure()
        run: |
--- a/.github/workflows/ossf.yaml
+++ b/.github/workflows/ossf.yaml
@@ -19,16 +19,16 @@ jobs:
      actions: read
      contents: read
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Run analysis
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          publish_results: true
      - name: Upload artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: SARIF file
          path: results.sarif
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -20,33 +20,33 @@ jobs:
      packages: write # needed for ghcr access
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: 1.20.x
+          go-version: 1.22.x
          cache: false
      - name: Setup QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226  # v3.0.0
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb  # v3.3.0
      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
+        uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
      - name: Setup Cosign
-        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d  # v3.0.0
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20  # v3.1.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -79,7 +79,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
        with:
          version: latest
          args: release --release-notes=output/notes.md --skip-validate
@@ -110,7 +110,7 @@ jobs:
      id-token: write
      packages: write
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Setup Flux CLI
@@ -121,13 +121,13 @@ jobs:
          VERSION=$(flux version --client | awk '{ print $NF }')
          echo "version=${VERSION}" >> $GITHUB_OUTPUT
      - name: Login to GHCR
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to DockerHub
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -155,7 +155,7 @@ jobs:
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
@@ -176,7 +176,7 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      contents: write # for uploading attestations to GitHub releases.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      provenance-name: "provenance.intoto.jsonl"
      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
@@ -188,7 +188,7 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
@@ -202,7 +202,7 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -17,9 +17,9 @@ jobs:
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v2.0.0
+        uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
@@ -31,13 +31,13 @@ jobs:
      security-events: write
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: 1.20.x
+          go-version-file: 'go.mod'
          cache-dependency-path: |
            **/go.sum
            **/go.mod
@@ -49,10 +49,11 @@ jobs:
      - name:  Run Snyk to check for vulnerabilities
        continue-on-error: true
        run: |
-          snyk test --sarif-file-output=snyk.sarif
+          snyk test --all-projects --sarif-file-output=snyk.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload result to GitHub Code Scanning
+        continue-on-error: true
        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
        with:
          sarif_file: snyk.sarif
@@ -64,11 +65,11 @@ jobs:
    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: 1.20.x
+          go-version-file: 'go.mod'
          cache-dependency-path: |
            **/go.sum
            **/go.mod
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -17,8 +17,8 @@ jobs:
    permissions:
      issues: write
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: EndBug/label-sync@da00f2c11fdb78e4fae44adac2fdd713778ea3e8 # v2.3.2
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
        with:
          # Configuration file
          config-file: |
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -18,11 +18,11 @@ jobs:
      pull-requests: write
    steps:
      - name: Check out code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
-          go-version: 1.20.x
+          go-version: 1.22.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
@@ -84,7 +84,7 @@ jobs:

      - name: Create Pull Request
        id: cpr
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
--- a/6
+++ b/6
@@ -1,15 +1,15 @@
-FROM alpine:3.18 as builder
+FROM alpine:3.19 as builder

 RUN apk add --no-cache ca-certificates curl

 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.27.3
+ARG KUBECTL_VER=1.30.0

 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
    kubectl version --client=true

-FROM alpine:3.18 as flux-cli
+FROM alpine:3.19 as flux-cli

 RUN apk add --no-cache ca-certificates

--- a/5
+++ b/5
@@ -17,9 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build

 tidy:
-	go mod tidy -compat=1.20
-	cd tests/azure && go mod tidy -compat=1.20
-	cd tests/integration && go mod tidy -compat=1.20
+	go mod tidy -compat=1.22
+	cd tests/integration && go mod tidy -compat=1.22

 fmt:
 	go fmt ./...
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ Flux v2 is constructed with the [GitOps Toolkit](#gitops-toolkit), a
 set of composable APIs and specialized tools for building Continuous
 Delivery on top of Kubernetes.

-Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) project, used in
+Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) graduated project, used in
 production by various [organisations](https://fluxcd.io/adopters) and [cloud providers](https://fluxcd.io/ecosystem).

 ## Quickstart and documentation
@@ -44,7 +44,7 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.

-![overview](https://fluxcd.io/img/diagrams/gitops-toolkit.png)
+![overview](https://raw.githubusercontent.com/fluxcd/flux2/main/docs/diagrams/fluxcd-controllers.png)

 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
--- a/cmd/flux/alert.go
+++ b/cmd/flux/alert.go
@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )

 // notificationv1.Alert
--- a/cmd/flux/alert_provider.go
+++ b/cmd/flux/alert_provider.go
@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )

 // notificationv1.Provider
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"strings"

+	"github.com/fluxcd/pkg/git"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -52,17 +53,19 @@ type bootstrapFlags struct {
 	extraComponents    []string
 	requiredComponents []string

-	registry        string
-	imagePullSecret string
+	registry           string
+	registryCredential string
+	imagePullSecret    string

-	secretName     string
-	tokenAuth      bool
-	keyAlgorithm   flags.PublicKeyAlgorithm
-	keyRSABits     flags.RSAKeyBits
-	keyECDSACurve  flags.ECDSACurve
-	sshHostname    string
-	caFile         string
-	privateKeyFile string
+	secretName           string
+	tokenAuth            bool
+	keyAlgorithm         flags.PublicKeyAlgorithm
+	keyRSABits           flags.RSAKeyBits
+	keyECDSACurve        flags.ECDSACurve
+	sshHostname          string
+	caFile               string
+	privateKeyFile       string
+	sshHostKeyAlgorithms []string

 	watchAllNamespaces bool
 	networkPolicy      bool
@@ -98,6 +101,8 @@ func init() {

 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
 		"container registry where the Flux controller images are published")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registryCredential, "registry-creds", "",
+		"container registry credentials in the format 'user:password', requires --image-pull-secret to be set")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.imagePullSecret, "image-pull-secret", "",
 		"Kubernetes secret name used for pulling the controller images from a private registry")

@@ -121,6 +126,7 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.secretName, "secret-name", rootArgs.defaults.Namespace, "name of the secret the sync credentials can be found in or stored to")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyAlgorithm, "ssh-key-algorithm", bootstrapArgs.keyAlgorithm.Description())
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyRSABits, "ssh-rsa-bits", bootstrapArgs.keyRSABits.Description())
+	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.sshHostKeyAlgorithms, "ssh-hostkey-algos", nil, "list of host key algorithms to be used by the CLI for SSH connections")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyECDSACurve, "ssh-ecdsa-curve", bootstrapArgs.keyECDSACurve.Description())
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.sshHostname, "ssh-hostname", "", "SSH hostname, to be used when the SSH host differs from the HTTPS one")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
@@ -135,7 +141,7 @@ func init() {

 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.commitMessageAppendix, "commit-message-appendix", "", "string to add to the commit messages, e.g. '[ci skip]'")

-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.force, "force", false, "override existing Flux installation if it's managed by a diffrent tool such as Helm")
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.force, "force", false, "override existing Flux installation if it's managed by a different tool such as Helm")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")

 	rootCmd.AddCommand(bootstrapCmd)
@@ -181,6 +187,18 @@ func bootstrapValidate() error {
 		return err
 	}

+	if bootstrapArgs.registryCredential != "" && bootstrapArgs.imagePullSecret == "" {
+		return fmt.Errorf("--registry-creds requires --image-pull-secret to be set")
+	}
+
+	if bootstrapArgs.registryCredential != "" && len(strings.Split(bootstrapArgs.registryCredential, ":")) != 2 {
+		return fmt.Errorf("invalid --registry-creds format, expected 'user:password'")
+	}
+
+	if len(bootstrapArgs.sshHostKeyAlgorithms) > 0 {
+		git.HostKeyAlgos = bootstrapArgs.sshHostKeyAlgorithms
+	}
+
 	return nil
 }

--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@@ -56,7 +56,7 @@ the bootstrap command will perform an upgrade if needed.`,
  # Run bootstrap for a public repository on a personal account
  flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth --path=clusters/my-cluster

-  # Run bootstrap for a an existing repository with a branch named main
+  # Run bootstrap for an existing repository with a branch named main
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth --path=clusters/my-cluster`,
 	RunE: bootstrapBServerCmdRun,
 }
@@ -196,6 +196,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
+		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -28,6 +28,9 @@ import (
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"

+	"github.com/fluxcd/pkg/git"
+	"github.com/fluxcd/pkg/git/gogit"
+
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
@@ -35,8 +38,6 @@ import (
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
-	"github.com/fluxcd/pkg/git"
-	"github.com/fluxcd/pkg/git/gogit"
 )

 var bootstrapGitCmd = &cobra.Command{
@@ -65,7 +66,10 @@ command will perform an upgrade if needed.`,
  flux bootstrap git --url=ssh://<SSH-Key-ID>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> --private-key-file=<path/to/private.key> --password=<SSH-passphrase> --path=clusters/my-cluster

  # Run bootstrap for a Git repository on Azure Devops
-  flux bootstrap git --url=ssh://git@ssh.dev.azure.com/v3/<org>/<project>/<repository> --ssh-key-algorithm=rsa --ssh-rsa-bits=4096 --path=clusters/my-cluster
+  flux bootstrap git --url=ssh://git@ssh.dev.azure.com/v3/<org>/<project>/<repository> --private-key-file=<path/to/rsa-sha2-private.key> --ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256 --path=clusters/my-cluster
+
+  # Run bootstrap for a Git repository on Oracle VBS
+  flux bootstrap git --url=https://repository_url.git --with-bearer-token=true --password=<PAT> --path=clusters/my-cluster
 `,
 	RunE: bootstrapGitCmdRun,
 }
@@ -78,6 +82,7 @@ type gitFlags struct {
 	password            string
 	silent              bool
 	insecureHttpAllowed bool
+	withBearerToken     bool
 }

 const (
@@ -94,11 +99,16 @@ func init() {
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
 	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	bootstrapGitCmd.Flags().BoolVar(&gitArgs.insecureHttpAllowed, "allow-insecure-http", false, "allows insecure HTTP connections")
+	bootstrapGitCmd.Flags().BoolVar(&gitArgs.withBearerToken, "with-bearer-token", false, "use password as bearer token for Authorization header")

 	bootstrapCmd.AddCommand(bootstrapGitCmd)
 }

 func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
+	if gitArgs.withBearerToken {
+		bootstrapArgs.tokenAuth = true
+	}
+
 	gitPassword := os.Getenv(gitPasswordEnvVar)
 	if gitPassword != "" && gitArgs.password == "" {
 		gitArgs.password = gitPassword
@@ -201,6 +211,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
+		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@@ -223,9 +234,15 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		TargetPath:   gitArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
+
 	if bootstrapArgs.tokenAuth {
-		secretOpts.Username = gitArgs.username
-		secretOpts.Password = gitArgs.password
+		if gitArgs.withBearerToken {
+			secretOpts.BearerToken = gitArgs.password
+		} else {
+			secretOpts.Username = gitArgs.username
+			secretOpts.Password = gitArgs.password
+		}
+
 		secretOpts.CAFile = caBundle

 		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
@@ -318,18 +335,28 @@ func getAuthOpts(u *url.URL, caBundle []byte) (*git.AuthOptions, error) {
 		if !gitArgs.insecureHttpAllowed {
 			return nil, fmt.Errorf("scheme http is insecure, pass --allow-insecure-http=true to allow it")
 		}
-		return &git.AuthOptions{
+		httpAuth := git.AuthOptions{
 			Transport: git.HTTP,
-			Username:  gitArgs.username,
-			Password:  gitArgs.password,
-		}, nil
+		}
+		if gitArgs.withBearerToken {
+			httpAuth.BearerToken = gitArgs.password
+		} else {
+			httpAuth.Username = gitArgs.username
+			httpAuth.Password = gitArgs.password
+		}
+		return &httpAuth, nil
 	case "https":
-		return &git.AuthOptions{
+		httpsAuth := git.AuthOptions{
 			Transport: git.HTTPS,
-			Username:  gitArgs.username,
-			Password:  gitArgs.password,
 			CAFile:    caBundle,
-		}, nil
+		}
+		if gitArgs.withBearerToken {
+			httpsAuth.BearerToken = gitArgs.password
+		} else {
+			httpsAuth.Username = gitArgs.username
+			httpsAuth.Password = gitArgs.password
+		}
+		return &httpsAuth, nil
 	case "ssh":
 		authOpts := &git.AuthOptions{
 			Transport: git.SSH,
--- a/cmd/flux/bootstrap_gitea.go
+++ b/cmd/flux/bootstrap_gitea.go
@@ -184,6 +184,7 @@ func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
+		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -191,6 +191,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
+		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -64,7 +64,7 @@ the bootstrap command will perform an upgrade if needed.`,
  # Run bootstrap for a private repository hosted on a GitLab server
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<domain> --token-auth

-  # Run bootstrap for a an existing repository with a branch named main
+  # Run bootstrap for an existing repository with a branch named main
  flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth

  # Run bootstrap for a private repository using Deploy Token authentication
@@ -216,6 +216,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
+		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
--- a/cmd/flux/build_kustomization.go
+++ b/cmd/flux/build_kustomization.go
@@ -21,10 +21,10 @@ import (
 	"os"
 	"os/signal"

-	"github.com/fluxcd/pkg/ssa"
 	"github.com/spf13/cobra"

 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	ssautil "github.com/fluxcd/pkg/ssa/utils"

 	"github.com/fluxcd/flux2/v2/internal/build"
 )
@@ -63,6 +63,7 @@ type buildKsFlags struct {
 	path              string
 	ignorePaths       []string
 	dryRun            bool
+	strictSubst       bool
 }

 var buildKsArgs buildKsFlags
@@ -72,6 +73,8 @@ func init() {
 	buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	buildKsCmd.Flags().StringSliceVar(&buildKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
 	buildKsCmd.Flags().BoolVar(&buildKsArgs.dryRun, "dry-run", false, "Dry run mode.")
+	buildKsCmd.Flags().BoolVar(&buildKsArgs.strictSubst, "strict-substitute", false,
+		"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
 	buildCmd.AddCommand(buildKsCmd)
 }

@@ -107,6 +110,7 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			build.WithDryRun(buildKsArgs.dryRun),
 			build.WithNamespace(*kubeconfigArgs.Namespace),
 			build.WithIgnore(buildKsArgs.ignorePaths),
+			build.WithStrictSubstitute(buildKsArgs.strictSubst),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, buildKsArgs.path,
@@ -114,6 +118,7 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
 			build.WithIgnore(buildKsArgs.ignorePaths),
+			build.WithStrictSubstitute(buildKsArgs.strictSubst),
 		)
 	}

@@ -132,7 +137,7 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			errChan <- err
 		}

-		manifests, err := ssa.ObjectsToYAML(objects)
+		manifests, err := ssautil.ObjectsToYAML(objects)
 		if err != nil {
 			errChan <- err
 		}
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -18,6 +18,7 @@ package main

 import (
 	"context"
+	"fmt"
 	"os"
 	"time"

@@ -26,6 +27,7 @@ import (
 	v1 "k8s.io/api/apps/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/fluxcd/pkg/version"
@@ -38,6 +40,7 @@ import (

 var checkCmd = &cobra.Command{
 	Use:   "check",
+	Args:  cobra.NoArgs,
 	Short: "Check requirements and installation",
 	Long: withPreviewNote(`The check command will perform a series of checks to validate that
 the local environment is configured correctly and if the installed components are healthy.`),
@@ -57,7 +60,7 @@ type checkFlags struct {
 }

 var kubernetesConstraints = []string{
-	">=1.25.0-0",
+	">=1.28.0-0",
 }

 var checkArgs checkFlags
@@ -80,7 +83,20 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {

 	fluxCheck()

-	if !kubernetesCheck(kubernetesConstraints) {
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return fmt.Errorf("Kubernetes client initialization failed: %s", err.Error())
+	}
+
+	kubeClient, err := client.New(cfg, client.Options{Scheme: utils.NewScheme()})
+	if err != nil {
+		return err
+	}
+
+	if !kubernetesCheck(cfg, kubernetesConstraints) {
 		checkFailed = true
 	}

@@ -92,13 +108,18 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 		return nil
 	}

+	logger.Actionf("checking version in cluster")
+	if !fluxClusterVersionCheck(ctx, kubeClient) {
+		checkFailed = true
+	}
+
 	logger.Actionf("checking controllers")
-	if !componentsCheck() {
+	if !componentsCheck(ctx, kubeClient) {
 		checkFailed = true
 	}

 	logger.Actionf("checking crds")
-	if !crdsCheck() {
+	if !crdsCheck(ctx, kubeClient) {
 		checkFailed = true
 	}

@@ -129,17 +150,11 @@ func fluxCheck() {
 		return
 	}
 	if latestSv.GreaterThan(curSv) {
-		logger.Failuref("flux %s <%s (new version is available, please upgrade)", curSv, latestSv)
+		logger.Failuref("flux %s <%s (new CLI version is available, please upgrade)", curSv, latestSv)
 	}
 }

-func kubernetesCheck(constraints []string) bool {
-	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
-		return false
-	}
-
+func kubernetesCheck(cfg *rest.Config, constraints []string) bool {
 	clientSet, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
@@ -178,21 +193,8 @@ func kubernetesCheck(constraints []string) bool {
 	return true
 }

-func componentsCheck() bool {
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeConfig, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return false
-	}
-
-	statusChecker, err := status.NewStatusChecker(kubeConfig, checkArgs.pollInterval, rootArgs.timeout, logger)
-	if err != nil {
-		return false
-	}
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+func componentsCheck(ctx context.Context, kubeClient client.Client) bool {
+	statusChecker, err := status.NewStatusCheckerWithClient(kubeClient, checkArgs.pollInterval, rootArgs.timeout, logger)
 	if err != nil {
 		return false
 	}
@@ -222,15 +224,7 @@ func componentsCheck() bool {
 	return ok
 }

-func crdsCheck() bool {
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return false
-	}
-
+func crdsCheck(ctx context.Context, kubeClient client.Client) bool {
 	ok := true
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list apiextensionsv1.CustomResourceDefinitionList
@@ -253,3 +247,17 @@ func crdsCheck() bool {
 	}
 	return ok
 }
+
+func fluxClusterVersionCheck(ctx context.Context, kubeClient client.Client) bool {
+	clusterInfo, err := getFluxClusterInfo(ctx, kubeClient)
+	if err != nil {
+		logger.Failuref("checking failed: %s", err.Error())
+		return false
+	}
+
+	if clusterInfo.distribution() != "" {
+		logger.Successf("distribution: %s", clusterInfo.distribution())
+	}
+	logger.Successf("bootstrapped: %t", clusterInfo.bootstrapped)
+	return true
+}
--- a/cmd/flux/cluster_info.go
+++ b/cmd/flux/cluster_info.go
@@ -27,6 +27,8 @@ import (

 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
 )

 // bootstrapLabels are labels put on a resource by kustomize-controller. These labels on the CRD indicates
@@ -42,6 +44,8 @@ type fluxClusterInfo struct {
 	bootstrapped bool
 	// managedBy is the name of the tool being used to manage the installation of Flux.
 	managedBy string
+	// partOf indicates which distribution the instance is a part of.
+	partOf string
 	// version is the Flux version number in semver format.
 	version string
 }
@@ -68,7 +72,7 @@ func getFluxClusterInfo(ctx context.Context, c client.Client) (fluxClusterInfo,
 		return info, err
 	}

-	info.version = crdMetadata.Labels["app.kubernetes.io/version"]
+	info.version = crdMetadata.Labels[manifestgen.VersionLabelKey]

 	var present bool
 	for _, l := range bootstrapLabels {
@@ -78,11 +82,15 @@ func getFluxClusterInfo(ctx context.Context, c client.Client) (fluxClusterInfo,
 		info.bootstrapped = true
 	}

-	// the `app.kubernetes.io` label is not set by flux but might be set by other
+	// the `app.kubernetes.io/managed-by` label is not set by flux but might be set by other
 	// tools used to install Flux e.g Helm.
 	if manager, ok := crdMetadata.Labels["app.kubernetes.io/managed-by"]; ok {
 		info.managedBy = manager
 	}
+
+	if partOf, ok := crdMetadata.Labels[manifestgen.PartOfLabelKey]; ok {
+		info.partOf = partOf
+	}
 	return info, nil
 }

@@ -105,6 +113,14 @@ func confirmFluxInstallOverride(info fluxClusterInfo) error {
 	return err
 }

+func (info fluxClusterInfo) distribution() string {
+	distribution := info.version
+	if info.partOf != "" {
+		distribution = fmt.Sprintf("%s-%s", info.partOf, info.version)
+	}
+	return distribution
+}
+
 func installManagedByFlux(manager string) bool {
 	return manager == "" || manager == "flux"
 }
--- a/cmd/flux/cluster_info_test.go
+++ b/cmd/flux/cluster_info_test.go
@@ -29,7 +29,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
-	"github.com/fluxcd/pkg/ssa"
+	ssautil "github.com/fluxcd/pkg/ssa/utils"
 )

 func Test_getFluxClusterInfo(t *testing.T) {
@@ -37,7 +37,7 @@ func Test_getFluxClusterInfo(t *testing.T) {
 	f, err := os.Open("./testdata/cluster_info/gitrepositories.yaml")
 	g.Expect(err).To(BeNil())

-	objs, err := ssa.ReadObjects(f)
+	objs, err := ssautil.ReadObjects(f)
 	g.Expect(err).To(Not(HaveOccurred()))
 	gitrepo := objs[0]

@@ -102,6 +102,17 @@ func Test_getFluxClusterInfo(t *testing.T) {
 				version: "v2.1.0",
 			},
 		},
+		{
+			name: "CRD with version and part-of labels",
+			labels: map[string]string{
+				"app.kubernetes.io/version": "v2.1.0",
+				"app.kubernetes.io/part-of": "flux",
+			},
+			wantInfo: fluxClusterInfo{
+				version: "v2.1.0",
+				partOf:  "flux",
+			},
+		},
 	}

 	for _, tt := range tests {
--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@@ -132,7 +132,7 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e

 	logger.Waitingf("waiting for %s reconciliation", names.kind)
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isReady(kubeClient, namespacedName, object)); err != nil {
+		isObjectReadyConditionFunc(kubeClient, namespacedName, object.asClientObject())); err != nil {
 		return err
 	}
 	logger.Successf("%s reconciliation completed", names.kind)
--- a/cmd/flux/create_alert.go
+++ b/cmd/flux/create_alert.go
@@ -22,14 +22,13 @@ import (

 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	"github.com/fluxcd/pkg/apis/meta"

 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -97,13 +96,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating Alert")
 	}

-	alert := notificationv1b2.Alert{
+	alert := notificationv1b3.Alert{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: notificationv1b2.AlertSpec{
+		Spec: notificationv1b3.AlertSpec{
 			ProviderRef: meta.LocalObjectReference{
 				Name: alertArgs.providerRef,
 			},
@@ -133,7 +132,7 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {

 	logger.Waitingf("waiting for Alert reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isAlertReady(kubeClient, namespacedName, &alert)); err != nil {
+		isStaticObjectReadyConditionFunc(kubeClient, namespacedName, &alert)); err != nil {
 		return err
 	}
 	logger.Successf("Alert %s is ready", name)
@@ -141,13 +140,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 }

 func upsertAlert(ctx context.Context, kubeClient client.Client,
-	alert *notificationv1b2.Alert) (types.NamespacedName, error) {
+	alert *notificationv1b3.Alert) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: alert.GetNamespace(),
 		Name:      alert.GetName(),
 	}

-	var existing notificationv1b2.Alert
+	var existing notificationv1b3.Alert
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -170,22 +169,3 @@ func upsertAlert(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Alert updated")
 	return namespacedName, nil
 }
-
-func isAlertReady(kubeClient client.Client, namespacedName types.NamespacedName, alert *notificationv1b2.Alert) wait.ConditionWithContextFunc {
-	return func(ctx context.Context) (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, alert)
-		if err != nil {
-			return false, err
-		}
-
-		if c := apimeta.FindStatusCondition(alert.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_alertprovider.go
+++ b/cmd/flux/create_alertprovider.go
@@ -22,13 +22,12 @@ import (

 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 	"github.com/fluxcd/pkg/apis/meta"

 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -128,7 +127,7 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {

 	logger.Waitingf("waiting for Provider reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isAlertProviderReady(kubeClient, namespacedName, &provider)); err != nil {
+		isStaticObjectReadyConditionFunc(kubeClient, namespacedName, &provider)); err != nil {
 		return err
 	}

@@ -167,22 +166,3 @@ func upsertAlertProvider(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Provider updated")
 	return namespacedName, nil
 }
-
-func isAlertProviderReady(kubeClient client.Client, namespacedName types.NamespacedName, provider *notificationv1.Provider) wait.ConditionWithContextFunc {
-	return func(ctx context.Context) (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, provider)
-		if err != nil {
-			return false, err
-		}
-
-		if c := apimeta.FindStatusCondition(provider.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2024 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -24,29 +24,30 @@ import (
 	"strings"
 	"time"

-	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/transform"
-
 	"github.com/spf13/cobra"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"

-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/transform"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
+
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Create or update a HelmRelease resource",
-	Long:    withPreviewNote(`The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.`),
+	Long:    `The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.`,
 	Example: `  # Create a HelmRelease with a chart from a HelmRepository source
  flux create hr podinfo \
    --interval=10m \
@@ -105,7 +106,17 @@ var createHelmReleaseCmd = &cobra.Command{
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --values=./values.yaml \
-    --export > podinfo-release.yaml`,
+    --export > podinfo-release.yaml
+		
+  # Create a HelmRelease using a chart from a HelmChart resource
+  flux create hr podinfo \
+    --namespace=default \
+    --chart-ref=HelmChart/podinfo.flux-system \
+
+  # Create a HelmRelease using a chart from an OCIRepository resource
+  flux create hr podinfo \
+    --namespace=default \
+    --chart-ref=OCIRepository/podinfo.flux-system`,
 	RunE: createHelmReleaseCmdRun,
 }

@@ -115,6 +126,7 @@ type helmReleaseFlags struct {
 	dependsOn           []string
 	chart               string
 	chartVersion        string
+	chartRef            string
 	targetNamespace     string
 	createNamespace     bool
 	valuesFiles         []string
@@ -130,6 +142,8 @@ var helmReleaseArgs helmReleaseFlags

 var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}

+var supportedHelmReleaseReferenceKinds = []string{sourcev1b2.OCIRepositoryKind, sourcev1.HelmChartKind}
+
 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.source, "source", helmReleaseArgs.source.Description())
@@ -145,14 +159,15 @@ func init() {
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFrom, "values-from", nil, "a Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>', where kind must be one of: (Secret,ConfigMap)")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.crds, "crds", helmReleaseArgs.crds.Description())
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartRef, "chart-ref", "", "the name of the HelmChart resource to use as source for the HelmRelease, in the format '<kind>/<name>.<namespace>', where kind must be one of: (OCIRepository,HelmChart)")
 	createCmd.AddCommand(createHelmReleaseCmd)
 }

 func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]

-	if helmReleaseArgs.chart == "" {
-		return fmt.Errorf("chart name or path is required")
+	if helmReleaseArgs.chart == "" && helmReleaseArgs.chartRef == "" {
+		return fmt.Errorf("chart or chart-ref is required")
 	}

 	sourceLabels, err := parseLabels()
@@ -182,23 +197,42 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 				Duration: createArgs.interval,
 			},
 			TargetNamespace: helmReleaseArgs.targetNamespace,
-
-			Chart: helmv2.HelmChartTemplate{
-				Spec: helmv2.HelmChartTemplateSpec{
-					Chart:   helmReleaseArgs.chart,
-					Version: helmReleaseArgs.chartVersion,
-					SourceRef: helmv2.CrossNamespaceObjectReference{
-						Kind:      helmReleaseArgs.source.Kind,
-						Name:      helmReleaseArgs.source.Name,
-						Namespace: helmReleaseArgs.source.Namespace,
-					},
-					ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
-				},
-			},
-			Suspend: false,
+			Suspend:         false,
 		},
 	}

+	switch {
+	case helmReleaseArgs.chart != "":
+		helmRelease.Spec.Chart = &helmv2.HelmChartTemplate{
+			Spec: helmv2.HelmChartTemplateSpec{
+				Chart:   helmReleaseArgs.chart,
+				Version: helmReleaseArgs.chartVersion,
+				SourceRef: helmv2.CrossNamespaceObjectReference{
+					Kind:      helmReleaseArgs.source.Kind,
+					Name:      helmReleaseArgs.source.Name,
+					Namespace: helmReleaseArgs.source.Namespace,
+				},
+				ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
+			},
+		}
+		if helmReleaseArgs.chartInterval != 0 {
+			helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
+				Duration: helmReleaseArgs.chartInterval,
+			}
+		}
+	case helmReleaseArgs.chartRef != "":
+		kind, name, ns := utils.ParseObjectKindNameNamespace(helmReleaseArgs.chartRef)
+		if kind != sourcev1.HelmChartKind && kind != sourcev1b2.OCIRepositoryKind {
+			return fmt.Errorf("chart reference kind '%s' is not supported, must be one of: %s",
+				kind, strings.Join(supportedHelmReleaseReferenceKinds, ", "))
+		}
+		helmRelease.Spec.ChartRef = &helmv2.CrossNamespaceSourceReference{
+			Kind:      kind,
+			Name:      name,
+			Namespace: ns,
+		}
+	}
+
 	if helmReleaseArgs.kubeConfigSecretRef != "" {
 		helmRelease.Spec.KubeConfig = &meta.KubeConfigReference{
 			SecretRef: meta.SecretKeyReference{
@@ -207,12 +241,6 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}

-	if helmReleaseArgs.chartInterval != 0 {
-		helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
-			Duration: helmReleaseArgs.chartInterval,
-		}
-	}
-
 	if helmReleaseArgs.createNamespace {
 		if helmRelease.Spec.Install == nil {
 			helmRelease.Spec.Install = &helmv2.Install{}
@@ -304,12 +332,12 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {

 	logger.Waitingf("waiting for HelmRelease reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isHelmReleaseReady(kubeClient, namespacedName, &helmRelease)); err != nil {
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &helmRelease)); err != nil {
 		return err
 	}
 	logger.Successf("HelmRelease %s is ready", name)

-	logger.Successf("applied revision %s", helmRelease.Status.LastAppliedRevision)
+	logger.Successf("applied revision %s", getHelmReleaseRevision(helmRelease))
 	return nil
 }

@@ -344,22 +372,6 @@ func upsertHelmRelease(ctx context.Context, kubeClient client.Client,
 	return namespacedName, nil
 }

-func isHelmReleaseReady(kubeClient client.Client, namespacedName types.NamespacedName, helmRelease *helmv2.HelmRelease) wait.ConditionWithContextFunc {
-	return func(ctx context.Context) (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, helmRelease)
-		if err != nil {
-			return false, err
-		}
-
-		// Confirm the state we are observing is for the current generation
-		if helmRelease.Generation != helmRelease.Status.ObservedGeneration {
-			return false, nil
-		}
-
-		return apimeta.IsStatusConditionTrue(helmRelease.Status.Conditions, meta.ReadyCondition), nil
-	}
-}
-
 func validateStrategy(input string) bool {
 	allowedStrategy := []string{"Revision", "ChartVersion"}

--- a/cmd/flux/create_helmrelease_test.go
+++ b/cmd/flux/create_helmrelease_test.go
@@ -0,0 +1,86 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import "testing"
+
+func TestCreateHelmRelease(t *testing.T) {
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setupHRSource(t, tmpl)
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "missing name",
+			args:   "create helmrelease --export",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "missing chart template and chartRef",
+			args:   "create helmrelease podinfo --export",
+			assert: assertError("chart or chart-ref is required"),
+		},
+		{
+			name:   "unknown source kind",
+			args:   "create helmrelease podinfo --source foobar/podinfo --chart podinfo --export",
+			assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
+		},
+		{
+			name:   "unknown chart reference kind",
+			args:   "create helmrelease podinfo --chart-ref foobar/podinfo --export",
+			assert: assertError(`chart reference kind 'foobar' is not supported, must be one of: OCIRepository, HelmChart`),
+		},
+		{
+			name:   "basic helmrelease",
+			args:   "create helmrelease podinfo --source Helmrepository/podinfo --chart podinfo --interval=1m0s --export",
+			assert: assertGoldenTemplateFile("testdata/create_hr/basic.yaml", tmpl),
+		},
+		{
+			name:   "chart with OCIRepository source",
+			args:   "create helmrelease podinfo --chart-ref OCIRepository/podinfo --interval=1m0s --export",
+			assert: assertGoldenTemplateFile("testdata/create_hr/or_basic.yaml", tmpl),
+		},
+		{
+			name:   "chart with HelmChart source",
+			args:   "create helmrelease podinfo --chart-ref HelmChart/podinfo --interval=1m0s --export",
+			assert: assertGoldenTemplateFile("testdata/create_hr/hc_basic.yaml", tmpl),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
+
+func setupHRSource(t *testing.T, tmpl map[string]string) {
+	t.Helper()
+	testEnv.CreateObjectFile("./testdata/create_hr/setup-source.yaml", tmpl, t)
+}
--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@@ -22,7 +22,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@@ -24,13 +24,12 @@ import (

 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"

@@ -264,7 +263,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {

 	logger.Waitingf("waiting for Kustomization reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isKustomizationReady(kubeClient, namespacedName, &kustomization)); err != nil {
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &kustomization)); err != nil {
 		return err
 	}
 	logger.Successf("Kustomization %s is ready", name)
@@ -303,27 +302,3 @@ func upsertKustomization(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Kustomization updated")
 	return namespacedName, nil
 }
-
-func isKustomizationReady(kubeClient client.Client, namespacedName types.NamespacedName, kustomization *kustomizev1.Kustomization) wait.ConditionWithContextFunc {
-	return func(ctx context.Context) (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, kustomization)
-		if err != nil {
-			return false, err
-		}
-
-		// Confirm the state we are observing is for the current generation
-		if kustomization.Generation != kustomization.Status.ObservedGeneration {
-			return false, nil
-		}
-
-		if c := apimeta.FindStatusCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_receiver.go
+++ b/cmd/flux/create_receiver.go
@@ -22,7 +22,6 @@ import (

 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -140,7 +139,7 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {

 	logger.Waitingf("waiting for Receiver reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isReceiverReady(kubeClient, namespacedName, &receiver)); err != nil {
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &receiver)); err != nil {
 		return err
 	}
 	logger.Successf("Receiver %s is ready", name)
@@ -179,22 +178,3 @@ func upsertReceiver(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Receiver updated")
 	return namespacedName, nil
 }
-
-func isReceiverReady(kubeClient client.Client, namespacedName types.NamespacedName, receiver *notificationv1.Receiver) wait.ConditionWithContextFunc {
-	return func(ctx context.Context) (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, receiver)
-		if err != nil {
-			return false, err
-		}
-
-		if c := apimeta.FindStatusCondition(receiver.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@@ -32,7 +32,7 @@ import (
 var createSecretHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a Kubernetes secret for Helm repository authentication",
-	Long:  withPreviewNote(`The create secret helm command generates a Kubernetes secret with basic authentication credentials.`),
+	Long:  `The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
 	Example: ` # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret helm repo-auth \
    --namespace=my-namespace \
--- a/cmd/flux/create_secret_notation.go
+++ b/cmd/flux/create_secret_notation.go
@@ -0,0 +1,161 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/notaryproject/notation-go/verifier/trustpolicy"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var createSecretNotationCmd = &cobra.Command{
+	Use:   "notation [name]",
+	Short: "Create or update a Kubernetes secret for verifications of artifacts signed by Notation",
+	Long:  withPreviewNote(`The create secret notation command generates a Kubernetes secret with root ca certificates and trust policy.`),
+	Example: ` # Create a Notation configuration secret on disk and encrypt it with Mozilla SOPS
+  flux create secret notation my-notation-cert \
+    --namespace=my-namespace \
+    --trust-policy-file=./my-trust-policy.json \
+    --ca-cert-file=./my-cert.crt \
+    --export > my-notation-cert.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place my-notation-cert.yaml`,
+
+	RunE: createSecretNotationCmdRun,
+}
+
+type secretNotationFlags struct {
+	trustPolicyFile string
+	caCrtFile       []string
+}
+
+var secretNotationArgs secretNotationFlags
+
+func init() {
+	createSecretNotationCmd.Flags().StringVar(&secretNotationArgs.trustPolicyFile, "trust-policy-file", "", "notation trust policy file path")
+	createSecretNotationCmd.Flags().StringSliceVar(&secretNotationArgs.caCrtFile, "ca-cert-file", []string{}, "root ca cert file path")
+
+	createSecretCmd.AddCommand(createSecretNotationCmd)
+}
+
+func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("name is required")
+	}
+
+	if secretNotationArgs.caCrtFile == nil || len(secretNotationArgs.caCrtFile) == 0 {
+		return fmt.Errorf("--ca-cert-file is required")
+	}
+
+	if secretNotationArgs.trustPolicyFile == "" {
+		return fmt.Errorf("--trust-policy-file is required")
+	}
+
+	name := args[0]
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	policy, err := os.ReadFile(secretNotationArgs.trustPolicyFile)
+	if err != nil {
+		return fmt.Errorf("unable to read trust policy file: %w", err)
+	}
+
+	var doc trustpolicy.Document
+
+	if err := json.Unmarshal(policy, &doc); err != nil {
+		return fmt.Errorf("failed to unmarshal trust policy %s: %w", secretNotationArgs.trustPolicyFile, err)
+	}
+
+	if err := doc.Validate(); err != nil {
+		return fmt.Errorf("invalid trust policy: %w", err)
+	}
+
+	var (
+		caCerts []sourcesecret.VerificationCrt
+		fileErr error
+	)
+	for _, caCrtFile := range secretNotationArgs.caCrtFile {
+		fileName := filepath.Base(caCrtFile)
+		if !strings.HasSuffix(fileName, ".crt") && !strings.HasSuffix(fileName, ".pem") {
+			fileErr = errors.Join(fileErr, fmt.Errorf("%s must end with either .crt or .pem", fileName))
+			continue
+		}
+		caBundle, err := os.ReadFile(caCrtFile)
+		if err != nil {
+			fileErr = errors.Join(fileErr, fmt.Errorf("unable to read TLS CA file: %w", err))
+			continue
+		}
+		caCerts = append(caCerts, sourcesecret.VerificationCrt{Name: fileName, CACrt: caBundle})
+	}
+
+	if fileErr != nil {
+		return fileErr
+	}
+
+	if len(caCerts) == 0 {
+		return fmt.Errorf("no CA certs found")
+	}
+
+	opts := sourcesecret.Options{
+		Name:             name,
+		Namespace:        *kubeconfigArgs.Namespace,
+		Labels:           labels,
+		VerificationCrts: caCerts,
+		TrustPolicy:      policy,
+	}
+	secret, err := sourcesecret.Generate(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("notation configuration secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
+	return nil
+}
--- a/cmd/flux/create_secret_notation_test.go
+++ b/cmd/flux/create_secret_notation_test.go
@@ -0,0 +1,124 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+const (
+	trustPolicy        = "./testdata/create_secret/notation/test-trust-policy.json"
+	invalidTrustPolicy = "./testdata/create_secret/notation/invalid-trust-policy.json"
+	invalidJson        = "./testdata/create_secret/notation/invalid.json"
+	testCertFolder     = "./testdata/create_secret/notation"
+)
+
+func TestCreateNotationSecret(t *testing.T) {
+	crt, err := os.Create(filepath.Join(t.TempDir(), "ca.crt"))
+	if err != nil {
+		t.Fatal("could not create ca.crt file")
+	}
+
+	pem, err := os.Create(filepath.Join(t.TempDir(), "ca.pem"))
+	if err != nil {
+		t.Fatal("could not create ca.pem file")
+	}
+
+	invalidCert, err := os.Create(filepath.Join(t.TempDir(), "ca.p12"))
+	if err != nil {
+		t.Fatal("could not create ca.p12 file")
+	}
+
+	_, err = crt.Write([]byte("ca-data-crt"))
+	if err != nil {
+		t.Fatal("could not write to crt certificate file")
+	}
+
+	_, err = pem.Write([]byte("ca-data-pem"))
+	if err != nil {
+		t.Fatal("could not write to pem certificate file")
+	}
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "no args",
+			args:   "create secret notation",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "no trust policy",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s", testCertFolder),
+			assert: assertError("--trust-policy-file is required"),
+		},
+		{
+			name:   "no cert",
+			args:   fmt.Sprintf("create secret notation notation-config --trust-policy-file=%s", trustPolicy),
+			assert: assertError("--ca-cert-file is required"),
+		},
+		{
+			name:   "non pem and crt cert",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", invalidCert.Name(), trustPolicy),
+			assert: assertError("ca.p12 must end with either .crt or .pem"),
+		},
+		{
+			name:   "invalid trust policy",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidTrustPolicy),
+			assert: assertError("invalid trust policy: a trust policy statement is missing a name, every statement requires a name"),
+		},
+		{
+			name:   "invalid trust policy json",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidJson),
+			assert: assertError(fmt.Sprintf("failed to unmarshal trust policy %s: json: cannot unmarshal string into Go value of type trustpolicy.Document", invalidJson)),
+		},
+		{
+			name:   "crt secret",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), trustPolicy),
+			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-crt.yaml"),
+		},
+		{
+			name:   "pem secret",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", pem.Name(), trustPolicy),
+			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-pem.yaml"),
+		},
+		{
+			name:   "multi secret",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), pem.Name(), trustPolicy),
+			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-multi.yaml"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			defer func() {
+				secretNotationArgs = secretNotationFlags{}
+			}()
+
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@@ -31,7 +31,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"

 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"

@@ -205,7 +204,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {

 	logger.Waitingf("waiting for Bucket source reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isBucketReady(kubeClient, namespacedName, bucket)); err != nil {
+		isObjectReadyConditionFunc(kubeClient, namespacedName, bucket)); err != nil {
 		return err
 	}
 	logger.Successf("Bucket source reconciliation completed")
@@ -247,29 +246,3 @@ func upsertBucket(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Bucket source updated")
 	return namespacedName, nil
 }
-
-func isBucketReady(kubeClient client.Client, namespacedName types.NamespacedName, bucket *sourcev1.Bucket) wait.ConditionWithContextFunc {
-	return func(ctx context.Context) (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, bucket)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(bucket, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != bucket.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_source_chart.go
+++ b/cmd/flux/create_source_chart.go
@@ -0,0 +1,217 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var createSourceChartCmd = &cobra.Command{
+	Use:   "chart [name]",
+	Short: "Create or update a HelmChart source",
+	Long:  `The create source chart command generates a HelmChart resource and waits for the chart to be available.`,
+	Example: `  # Create a source for a chart residing in a HelmRepository
+  flux create source chart podinfo \
+    --source=HelmRepository/podinfo \
+    --chart=podinfo \
+    --chart-version=6.x
+
+  # Create a source for a chart residing in a Git repository
+  flux create source chart podinfo \
+    --source=GitRepository/podinfo \
+    --chart=./charts/podinfo
+
+  # Create a source for a chart residing in a S3 Bucket
+  flux create source chart podinfo \
+    --source=Bucket/podinfo \
+    --chart=./charts/podinfo
+
+  # Create a source for a chart from OCI and verify its signature
+  flux create source chart podinfo \
+    --source HelmRepository/podinfo \
+    --chart podinfo \
+    --chart-version=6.6.2 \
+    --verify-provider=cosign \
+    --verify-issuer=https://token.actions.githubusercontent.com \
+    --verify-subject=https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2`,
+	RunE: createSourceChartCmdRun,
+}
+
+type sourceChartFlags struct {
+	chart             string
+	chartVersion      string
+	source            flags.LocalHelmChartSource
+	reconcileStrategy string
+	verifyProvider    flags.SourceOCIVerifyProvider
+	verifySecretRef   string
+	verifyOIDCIssuer  string
+	verifySubject     string
+}
+
+var sourceChartArgs sourceChartFlags
+
+func init() {
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chart, "chart", "", "Helm chart name or path")
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
+	createSourceChartCmd.Flags().Var(&sourceChartArgs.source, "source", sourceChartArgs.source.Description())
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart (accepted values: Revision and ChartRevision)")
+	createSourceChartCmd.Flags().Var(&sourceChartArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
+
+	createSourceCmd.AddCommand(createSourceChartCmd)
+}
+
+func createSourceChartCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	if sourceChartArgs.source.Kind == "" || sourceChartArgs.source.Name == "" {
+		return fmt.Errorf("chart source is required")
+	}
+
+	if sourceChartArgs.chart == "" {
+		return fmt.Errorf("chart name or path is required")
+	}
+
+	logger.Generatef("generating HelmChart source")
+
+	sourceLabels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	helmChart := &sourcev1.HelmChart{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: *kubeconfigArgs.Namespace,
+			Labels:    sourceLabels,
+		},
+		Spec: sourcev1.HelmChartSpec{
+			Chart:   sourceChartArgs.chart,
+			Version: sourceChartArgs.chartVersion,
+			Interval: metav1.Duration{
+				Duration: createArgs.interval,
+			},
+			ReconcileStrategy: sourceChartArgs.reconcileStrategy,
+			SourceRef: sourcev1.LocalHelmChartSourceReference{
+				Kind: sourceChartArgs.source.Kind,
+				Name: sourceChartArgs.source.Name,
+			},
+		},
+	}
+
+	if provider := sourceChartArgs.verifyProvider.String(); provider != "" {
+		helmChart.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+			Provider: provider,
+		}
+		if secretName := sourceChartArgs.verifySecretRef; secretName != "" {
+			helmChart.Spec.Verify.SecretRef = &meta.LocalObjectReference{
+				Name: secretName,
+			}
+		}
+		verifyIssuer := sourceChartArgs.verifyOIDCIssuer
+		verifySubject := sourceChartArgs.verifySubject
+		if verifyIssuer != "" || verifySubject != "" {
+			helmChart.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
+				Issuer:  verifyIssuer,
+				Subject: verifySubject,
+			}}
+		}
+	} else if sourceChartArgs.verifySecretRef != "" {
+		return fmt.Errorf("a verification provider must be specified when a secret is specified")
+	} else if sourceChartArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
+		return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
+	}
+
+	if createArgs.export {
+		return printExport(exportHelmChart(helmChart))
+	}
+
+	logger.Actionf("applying HelmChart source")
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	namespacedName, err := upsertHelmChart(ctx, kubeClient, helmChart)
+	if err != nil {
+		return err
+	}
+
+	logger.Waitingf("waiting for HelmChart source reconciliation")
+	readyConditionFunc := isObjectReadyConditionFunc(kubeClient, namespacedName, helmChart)
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true, readyConditionFunc); err != nil {
+		return err
+	}
+	logger.Successf("HelmChart source reconciliation completed")
+
+	if helmChart.Status.Artifact == nil {
+		return fmt.Errorf("HelmChart source reconciliation completed but no artifact was found")
+	}
+	logger.Successf("fetched revision: %s", helmChart.Status.Artifact.Revision)
+	return nil
+}
+
+func upsertHelmChart(ctx context.Context, kubeClient client.Client,
+	helmChart *sourcev1.HelmChart) (types.NamespacedName, error) {
+	namespacedName := types.NamespacedName{
+		Namespace: helmChart.GetNamespace(),
+		Name:      helmChart.GetName(),
+	}
+
+	var existing sourcev1.HelmChart
+	err := kubeClient.Get(ctx, namespacedName, &existing)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if err := kubeClient.Create(ctx, helmChart); err != nil {
+				return namespacedName, err
+			} else {
+				logger.Successf("source created")
+				return namespacedName, nil
+			}
+		}
+		return namespacedName, err
+	}
+
+	existing.Labels = helmChart.Labels
+	existing.Spec = helmChart.Spec
+	if err := kubeClient.Update(ctx, &existing); err != nil {
+		return namespacedName, err
+	}
+	helmChart = &existing
+	logger.Successf("source updated")
+	return namespacedName, nil
+}
--- a/cmd/flux/create_source_chart_test.go
+++ b/cmd/flux/create_source_chart_test.go
@@ -0,0 +1,91 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import "testing"
+
+func TestCreateSourceChart(t *testing.T) {
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setupSourceChart(t, tmpl)
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "missing name",
+			args:   "create source chart --export",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "missing source reference",
+			args:   "create source chart podinfo --export ",
+			assert: assertError("chart source is required"),
+		},
+		{
+			name:   "missing chart name",
+			args:   "create source chart podinfo --source helmrepository/podinfo --export",
+			assert: assertError("chart name or path is required"),
+		},
+		{
+			name:   "unknown source kind",
+			args:   "create source chart podinfo --source foobar/podinfo --export",
+			assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
+		},
+		{
+			name:   "basic chart",
+			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --export",
+			assert: assertGoldenTemplateFile("testdata/create_source_chart/basic.yaml", tmpl),
+		},
+		{
+			name:   "chart with basic signature verification",
+			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --export",
+			assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_basic.yaml", tmpl),
+		},
+		{
+			name:   "unknown signature verification provider",
+			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider foobar --export",
+			assert: assertError(`invalid argument "foobar" for "--verify-provider" flag: source OCI verify provider 'foobar' is not supported, must be one of: cosign`),
+		},
+		{
+			name:   "chart with complete signature verification",
+			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --verify-issuer foo --verify-subject bar --export",
+			assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_complete.yaml", tmpl),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
+
+func setupSourceChart(t *testing.T, tmpl map[string]string) {
+	t.Helper()
+	testEnv.CreateObjectFile("./testdata/create_source_chart/setup-source.yaml", tmpl, t)
+}
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@@ -35,7 +35,6 @@ import (
 	"sigs.k8s.io/yaml"

 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"

 	sourcev1 "github.com/fluxcd/source-controller/api/v1"

@@ -326,7 +325,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {

 	logger.Waitingf("waiting for GitRepository source reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isGitRepositoryReady(kubeClient, namespacedName, &gitRepository)); err != nil {
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &gitRepository)); err != nil {
 		return err
 	}
 	logger.Successf("GitRepository source reconciliation completed")
@@ -368,29 +367,3 @@ func upsertGitRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("GitRepository source updated")
 	return namespacedName, nil
 }
-
-func isGitRepositoryReady(kubeClient client.Client, namespacedName types.NamespacedName, gitRepository *sourcev1.GitRepository) wait.ConditionWithContextFunc {
-	return func(ctx context.Context) (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, gitRepository)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(gitRepository, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != gitRepository.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@@ -181,12 +181,21 @@ func TestCreateSourceGit(t *testing.T) {
 						Time: time.Now(),
 					},
 				}
+				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		}, {
 			"Failed",
 			command,
 			assertError("failed message"),
 			func(repo *sourcev1.GitRepository) {
+				stalledCondition := metav1.Condition{
+					Type:               meta.StalledCondition,
+					Status:             metav1.ConditionTrue,
+					Reason:             sourcev1.URLInvalidReason,
+					Message:            "failed message",
+					ObservedGeneration: repo.GetGeneration(),
+				}
+				apimeta.SetStatusCondition(&repo.Status.Conditions, stalledCondition)
 				newCondition := metav1.Condition{
 					Type:               meta.ReadyCondition,
 					Status:             metav1.ConditionFalse,
@@ -195,6 +204,7 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
+				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		}, {
 			"NoArtifact",
@@ -210,6 +220,7 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
+				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		},
 	}
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -22,8 +22,6 @@ import (
 	"net/url"
 	"os"

-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -33,7 +31,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"

 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
@@ -42,8 +41,8 @@ import (
 var createSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a HelmRepository source",
-	Long: withPreviewNote(`The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
-For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`),
+	Long: `The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
+For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
 	Example: `  # Create a source for an HTTPS public Helm repository
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
@@ -231,8 +230,12 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for HelmRepository source reconciliation")
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isHelmRepositoryReady(kubeClient, namespacedName, helmRepository)); err != nil {
+	readyConditionFunc := isObjectReadyConditionFunc(kubeClient, namespacedName, helmRepository)
+	if helmRepository.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		// HelmRepository type OCI is a static object.
+		readyConditionFunc = isStaticObjectReadyConditionFunc(kubeClient, namespacedName, helmRepository)
+	}
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true, readyConditionFunc); err != nil {
 		return err
 	}
 	logger.Successf("HelmRepository source reconciliation completed")
@@ -279,29 +282,3 @@ func upsertHelmRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("source updated")
 	return namespacedName, nil
 }
-
-func isHelmRepositoryReady(kubeClient client.Client, namespacedName types.NamespacedName, helmRepository *sourcev1.HelmRepository) wait.ConditionWithContextFunc {
-	return func(ctx context.Context) (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, helmRepository)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(helmRepository, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != helmRepository.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_source_oci.go
+++ b/cmd/flux/create_source_oci.go
@@ -29,9 +29,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"

 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -44,32 +44,43 @@ var createSourceOCIRepositoryCmd = &cobra.Command{
 	Example: `  # Create an OCIRepository for a public container image
  flux create source oci podinfo \
    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
-    --tag=6.1.6 \
+    --tag=6.6.2 \
    --interval=10m
+
+  # Create an OCIRepository with OIDC signature verification
+  flux create source oci podinfo \
+    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
+    --tag=6.6.2 \
+    --interval=10m \
+    --verify-provider=cosign \
+    --verify-subject="^https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2$" \
+    --verify-issuer="^https://token.actions.githubusercontent.com$"
 `,
 	RunE: createSourceOCIRepositoryCmdRun,
 }

 type sourceOCIRepositoryFlags struct {
-	url             string
-	tag             string
-	semver          string
-	digest          string
-	secretRef       string
-	serviceAccount  string
-	certSecretRef   string
-	verifyProvider  flags.SourceOCIVerifyProvider
-	verifySecretRef string
-	ignorePaths     []string
-	provider        flags.SourceOCIProvider
-	insecure        bool
+	url              string
+	tag              string
+	semver           string
+	digest           string
+	secretRef        string
+	serviceAccount   string
+	certSecretRef    string
+	verifyProvider   flags.SourceOCIVerifyProvider
+	verifySecretRef  string
+	verifyOIDCIssuer string
+	verifySubject    string
+	ignorePaths      []string
+	provider         flags.SourceOCIProvider
+	insecure         bool
 }

 var sourceOCIRepositoryArgs = newSourceOCIFlags()

 func newSourceOCIFlags() sourceOCIRepositoryFlags {
 	return sourceOCIRepositoryFlags{
-		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+		provider: flags.SourceOCIProvider(sourcev1b2.GenericOCIProvider),
 	}
 }

@@ -84,6 +95,8 @@ func init() {
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
 	createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
 	createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
 	createSourceOCIRepositoryCmd.Flags().BoolVar(&sourceOCIRepositoryArgs.insecure, "insecure", false, "for when connecting to a non-TLS registries over plain HTTP")

@@ -112,20 +125,20 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		ignorePaths = &ignorePathsStr
 	}

-	repository := &sourcev1.OCIRepository{
+	repository := &sourcev1b2.OCIRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: sourcev1.OCIRepositorySpec{
+		Spec: sourcev1b2.OCIRepositorySpec{
 			Provider: sourceOCIRepositoryArgs.provider.String(),
 			URL:      sourceOCIRepositoryArgs.url,
 			Insecure: sourceOCIRepositoryArgs.insecure,
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
-			Reference: &sourcev1.OCIRepositoryRef{},
+			Reference: &sourcev1b2.OCIRepositoryRef{},
 			Ignore:    ignorePaths,
 		},
 	}
@@ -169,8 +182,18 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 				Name: secretName,
 			}
 		}
+		verifyIssuer := sourceOCIRepositoryArgs.verifyOIDCIssuer
+		verifySubject := sourceOCIRepositoryArgs.verifySubject
+		if verifyIssuer != "" || verifySubject != "" {
+			repository.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
+				Issuer:  verifyIssuer,
+				Subject: verifySubject,
+			}}
+		}
 	} else if sourceOCIRepositoryArgs.verifySecretRef != "" {
 		return fmt.Errorf("a verification provider must be specified when a secret is specified")
+	} else if sourceOCIRepositoryArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
+		return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
 	}

 	if createArgs.export {
@@ -193,7 +216,7 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {

 	logger.Waitingf("waiting for OCIRepository reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isOCIRepositoryReady(kubeClient, namespacedName, repository)); err != nil {
+		isObjectReadyConditionFunc(kubeClient, namespacedName, repository)); err != nil {
 		return err
 	}
 	logger.Successf("OCIRepository reconciliation completed")
@@ -206,13 +229,13 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 }

 func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
-	ociRepository *sourcev1.OCIRepository) (types.NamespacedName, error) {
+	ociRepository *sourcev1b2.OCIRepository) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: ociRepository.GetNamespace(),
 		Name:      ociRepository.GetName(),
 	}

-	var existing sourcev1.OCIRepository
+	var existing sourcev1b2.OCIRepository
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -235,29 +258,3 @@ func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("OCIRepository updated")
 	return namespacedName, nil
 }
-
-func isOCIRepositoryReady(kubeClient client.Client, namespacedName types.NamespacedName, ociRepository *sourcev1.OCIRepository) wait.ConditionWithContextFunc {
-	return func(ctx context.Context) (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, ociRepository)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(ociRepository, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != ociRepository.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_source_oci_test.go
+++ b/cmd/flux/create_source_oci_test.go
@@ -37,10 +37,35 @@ func TestCreateSourceOCI(t *testing.T) {
 			assertFunc: assertError("url is required"),
 		},
 		{
-			name:       "verify provider not specified",
+			name:       "verify secret specified but provider missing",
 			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-secret-ref=cosign-pub",
 			assertFunc: assertError("a verification provider must be specified when a secret is specified"),
 		},
+		{
+			name:       "verify issuer specified but provider missing",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github.com",
+			assertFunc: assertError("a verification provider must be specified when OIDC issuer/subject is specified"),
+		},
+		{
+			name:       "verify identity specified but provider missing",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-subject=developer",
+			assertFunc: assertError("a verification provider must be specified when OIDC issuer/subject is specified"),
+		},
+		{
+			name:       "verify issuer specified but subject missing",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github --verify-provider=cosign --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export_with_issuer.golden"),
+		},
+		{
+			name:       "all verify fields set",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github verify-subject=stefanprodan --verify-provider=cosign --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export_with_issuer.golden"),
+		},
+		{
+			name:       "verify subject specified but issuer missing",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-subject=stefanprodan --verify-provider=cosign --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export_with_subject.golden"),
+		},
 		{
 			name:       "export manifest",
 			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --export",
--- a/cmd/flux/delete_alert.go
+++ b/cmd/flux/delete_alert.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )

 var deleteAlertCmd = &cobra.Command{
--- a/cmd/flux/delete_alertprovider.go
+++ b/cmd/flux/delete_alertprovider.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )

 var deleteAlertProviderCmd = &cobra.Command{
--- a/cmd/flux/delete_helmrelease.go
+++ b/cmd/flux/delete_helmrelease.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2024 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,14 +19,14 @@ package main
 import (
 	"github.com/spf13/cobra"

-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 )

 var deleteHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Delete a HelmRelease resource",
-	Long:    withPreviewNote("The delete helmrelease command removes the given HelmRelease from the cluster."),
+	Long:    "The delete helmrelease command removes the given HelmRelease from the cluster.",
 	Example: `  # Delete a Helm release and the Kubernetes resources created by it
  flux delete hr podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
--- a/cmd/flux/delete_image_update.go
+++ b/cmd/flux/delete_image_update.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 )

 var deleteImageUpdateCmd = &cobra.Command{
--- a/cmd/flux/delete_source_chart.go
+++ b/cmd/flux/delete_source_chart.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var deleteSourceChartCmd = &cobra.Command{
+	Use:   "chart [name]",
+	Short: "Delete a HelmChart source",
+	Long:  "The delete source chart command deletes the given HelmChart from the cluster.",
+	Example: `  # Delete a HelmChart
+  flux delete source chart podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmChartKind)),
+	RunE: deleteCommand{
+		apiType: helmChartType,
+		object:  universalAdapter{&sourcev1.HelmChart{}},
+	}.run,
+}
+
+func init() {
+	deleteSourceCmd.AddCommand(deleteSourceChartCmd)
+}
--- a/cmd/flux/delete_source_helm.go
+++ b/cmd/flux/delete_source_helm.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var deleteSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Delete a HelmRepository source",
-	Long:  withPreviewNote("The delete source helm command deletes the given HelmRepository from the cluster."),
+	Long:  "The delete source helm command deletes the given HelmRepository from the cluster.",
 	Example: `  # Delete a Helm repository
  flux delete source helm podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)),
--- a/cmd/flux/diff_kustomization.go
+++ b/cmd/flux/diff_kustomization.go
@@ -23,8 +23,9 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fluxcd/flux2/v2/internal/build"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/internal/build"
 )

 var diffKsCmd = &cobra.Command{
@@ -53,6 +54,7 @@ type diffKsFlags struct {
 	path              string
 	ignorePaths       []string
 	progressBar       bool
+	strictSubst       bool
 }

 var diffKsArgs diffKsFlags
@@ -62,6 +64,8 @@ func init() {
 	diffKsCmd.Flags().BoolVar(&diffKsArgs.progressBar, "progress-bar", true, "Boolean to set the progress bar. The default value is true.")
 	diffKsCmd.Flags().StringSliceVar(&diffKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
 	diffKsCmd.Flags().StringVar(&diffKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
+	diffKsCmd.Flags().BoolVar(&diffKsArgs.strictSubst, "strict-substitute", false,
+		"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
 	diffCmd.AddCommand(diffKsCmd)
 }

@@ -96,6 +100,7 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 			build.WithKustomizationFile(diffKsArgs.kustomizationFile),
 			build.WithProgressBar(),
 			build.WithIgnore(diffKsArgs.ignorePaths),
+			build.WithStrictSubstitute(diffKsArgs.strictSubst),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, diffKsArgs.path,
@@ -103,6 +108,7 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(diffKsArgs.kustomizationFile),
 			build.WithIgnore(diffKsArgs.ignorePaths),
+			build.WithStrictSubstitute(diffKsArgs.strictSubst),
 		)
 	}

--- a/cmd/flux/envsubst.go
+++ b/cmd/flux/envsubst.go
@@ -0,0 +1,74 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"bufio"
+	"fmt"
+
+	"github.com/fluxcd/pkg/envsubst"
+	"github.com/spf13/cobra"
+)
+
+var envsubstCmd = &cobra.Command{
+	Use:   "envsubst",
+	Args:  cobra.NoArgs,
+	Short: "envsubst substitutes the values of environment variables",
+	Long: withPreviewNote(`The envsubst command substitutes the values of environment variables
+in the string piped as standard input and writes the result to the standard output. This command can be used
+to replicate the behavior of the Flux Kustomization post-build substitutions.`),
+	Example: `  # Run env var substitutions on the kustomization build output
+  export cluster_region=eu-central-1
+  kustomize build . | flux envsubst
+
+  # Run env var substitutions and error out if a variable is not set
+  kustomize build . | flux envsubst --strict
+`,
+	RunE: runEnvsubstCmd,
+}
+
+type envsubstFlags struct {
+	strict bool
+}
+
+var envsubstArgs envsubstFlags
+
+func init() {
+	envsubstCmd.Flags().BoolVar(&envsubstArgs.strict, "strict", false,
+		"fail if a variable without a default value is declared in the input but is missing from the environment")
+	rootCmd.AddCommand(envsubstCmd)
+}
+
+func runEnvsubstCmd(cmd *cobra.Command, args []string) error {
+	stdin := bufio.NewScanner(rootCmd.InOrStdin())
+	stdout := bufio.NewWriter(rootCmd.OutOrStdout())
+	for stdin.Scan() {
+		line, err := envsubst.EvalEnv(stdin.Text(), envsubstArgs.strict)
+		if err != nil {
+			return err
+		}
+		_, err = fmt.Fprintln(stdout, line)
+		if err != nil {
+			return err
+		}
+		err = stdout.Flush()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/cmd/flux/envsubst_test.go
+++ b/cmd/flux/envsubst_test.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"bytes"
+	"os"
+	"testing"
+
+	. "github.com/onsi/gomega"
+)
+
+func TestEnvsubst(t *testing.T) {
+	g := NewWithT(t)
+	input, err := os.ReadFile("testdata/envsubst/file.yaml")
+	g.Expect(err).NotTo(HaveOccurred())
+
+	t.Setenv("REPO_NAME", "test")
+
+	output, err := executeCommandWithIn("envsubst", bytes.NewReader(input))
+	g.Expect(err).NotTo(HaveOccurred())
+
+	expected, err := os.ReadFile("testdata/envsubst/file.gold")
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(output).To(Equal(string(expected)))
+}
+
+func TestEnvsubst_Strinct(t *testing.T) {
+	g := NewWithT(t)
+	input, err := os.ReadFile("testdata/envsubst/file.yaml")
+	g.Expect(err).NotTo(HaveOccurred())
+
+	_, err = executeCommandWithIn("envsubst --strict", bytes.NewReader(input))
+	g.Expect(err).To(HaveOccurred())
+	g.Expect(err.Error()).To(ContainSubstring("variable not set (strict mode)"))
+}
--- a/cmd/flux/events.go
+++ b/cmd/flux/events.go
@@ -39,12 +39,12 @@ import (
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"

@@ -422,33 +422,33 @@ var fluxKindMap = refMap{
 		gvk:             helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind),
 		crossNamespaced: true,
 		otherRefs: func(namespace, name string) []string {
-			return []string{fmt.Sprintf("%s/%s-%s", sourcev1b2.HelmChartKind, namespace, name)}
+			return []string{fmt.Sprintf("%s/%s-%s", sourcev1.HelmChartKind, namespace, name)}
 		},
 		field: []string{"spec", "chart", "spec", "sourceRef"},
 	},
-	notificationv1b2.AlertKind: {
-		gvk:             notificationv1b2.GroupVersion.WithKind(notificationv1b2.AlertKind),
-		kind:            notificationv1b2.ProviderKind,
+	notificationv1b3.AlertKind: {
+		gvk:             notificationv1b3.GroupVersion.WithKind(notificationv1b3.AlertKind),
+		kind:            notificationv1b3.ProviderKind,
 		crossNamespaced: false,
 		field:           []string{"spec", "providerRef"},
 	},
 	notificationv1.ReceiverKind:   {gvk: notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)},
-	notificationv1b2.ProviderKind: {gvk: notificationv1b2.GroupVersion.WithKind(notificationv1b2.ProviderKind)},
+	notificationv1b3.ProviderKind: {gvk: notificationv1b3.GroupVersion.WithKind(notificationv1b3.ProviderKind)},
 	imagev1.ImagePolicyKind: {
 		gvk:             imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind),
 		kind:            imagev1.ImageRepositoryKind,
 		crossNamespaced: true,
 		field:           []string{"spec", "imageRepositoryRef"},
 	},
-	sourcev1b2.HelmChartKind: {
-		gvk:             sourcev1b2.GroupVersion.WithKind(sourcev1b2.HelmChartKind),
+	sourcev1.HelmChartKind: {
+		gvk:             sourcev1.GroupVersion.WithKind(sourcev1.HelmChartKind),
 		crossNamespaced: true,
 		field:           []string{"spec", "sourceRef"},
 	},
 	sourcev1.GitRepositoryKind:       {gvk: sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)},
 	sourcev1b2.OCIRepositoryKind:     {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.OCIRepositoryKind)},
 	sourcev1b2.BucketKind:            {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.BucketKind)},
-	sourcev1b2.HelmRepositoryKind:    {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.HelmRepositoryKind)},
+	sourcev1.HelmRepositoryKind:      {gvk: sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)},
 	autov1.ImageUpdateAutomationKind: {gvk: autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)},
 	imagev1.ImageRepositoryKind:      {gvk: imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)},
 }
--- a/cmd/flux/events_test.go
+++ b/cmd/flux/events_test.go
@@ -27,20 +27,11 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
-	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

-	helmv2beta1 "github.com/fluxcd/helm-controller/api/v2beta1"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
 	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
-	"github.com/fluxcd/pkg/ssa"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
+	ssautil "github.com/fluxcd/pkg/ssa/utils"

 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
@@ -87,7 +78,7 @@ spec:
  timeout: 1m0s
  url: ssh://git@github.com/example/repo
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: podinfo
@@ -104,7 +95,7 @@ spec:
      version: '*'
  interval: 5m0s
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: podinfo
@@ -113,7 +104,7 @@ spec:
  interval: 1m0s
  url: https://stefanprodan.github.io/podinfo
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
  name: default-podinfo
@@ -127,7 +118,7 @@ spec:
    name: podinfo-chart
  version: '*'
 ---
-apiVersion: notification.toolkit.fluxcd.io/v1beta2
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Alert
 metadata:
  name: webapp
@@ -140,7 +131,7 @@ spec:
  providerRef:
    name: slack
 ---
-apiVersion: notification.toolkit.fluxcd.io/v1beta2
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Provider
 metadata:
  name: slack
@@ -169,10 +160,10 @@ metadata:

 func Test_getObjectRef(t *testing.T) {
 	g := NewWithT(t)
-	objs, err := ssa.ReadObjects(strings.NewReader(objects))
+	objs, err := ssautil.ReadObjects(strings.NewReader(objects))
 	g.Expect(err).To(Not(HaveOccurred()))

-	builder := fake.NewClientBuilder().WithScheme(getScheme())
+	builder := fake.NewClientBuilder().WithScheme(utils.NewScheme())
 	for _, obj := range objs {
 		builder = builder.WithObjects(obj)
 	}
@@ -253,10 +244,10 @@ func Test_getObjectRef(t *testing.T) {

 func Test_getRows(t *testing.T) {
 	g := NewWithT(t)
-	objs, err := ssa.ReadObjects(strings.NewReader(objects))
+	objs, err := ssautil.ReadObjects(strings.NewReader(objects))
 	g.Expect(err).To(Not(HaveOccurred()))

-	builder := fake.NewClientBuilder().WithScheme(getScheme())
+	builder := fake.NewClientBuilder().WithScheme(utils.NewScheme())
 	for _, obj := range objs {
 		builder = builder.WithObjects(obj)
 	}
@@ -410,21 +401,6 @@ func getTestListOpt(kind, name string) client.ListOption {
 	return client.MatchingFieldsSelector{Selector: sel}
 }

-func getScheme() *runtime.Scheme {
-	newscheme := runtime.NewScheme()
-	corev1.AddToScheme(newscheme)
-	kustomizev1.AddToScheme(newscheme)
-	helmv2beta1.AddToScheme(newscheme)
-	notificationv1.AddToScheme(newscheme)
-	notificationv1b2.AddToScheme(newscheme)
-	imagev1.AddToScheme(newscheme)
-	autov1.AddToScheme(newscheme)
-	sourcev1.AddToScheme(newscheme)
-	sourcev1b2.AddToScheme(newscheme)
-
-	return newscheme
-}
-
 func createEvent(obj client.Object, eventType, msg, reason string) corev1.Event {
 	return corev1.Event{
 		ObjectMeta: metav1.ObjectMeta{
--- a/cmd/flux/export_alert.go
+++ b/cmd/flux/export_alert.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )

 var exportAlertCmd = &cobra.Command{
--- a/cmd/flux/export_alertprovider.go
+++ b/cmd/flux/export_alertprovider.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )

 var exportAlertProviderCmd = &cobra.Command{
--- a/cmd/flux/export_helmrelease.go
+++ b/cmd/flux/export_helmrelease.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2024 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,14 +20,14 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 )

 var exportHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Export HelmRelease resources in YAML format",
-	Long:    withPreviewNote("The export helmrelease command exports one or all HelmRelease resources in YAML format."),
+	Long:    "The export helmrelease command exports one or all HelmRelease resources in YAML format.",
 	Example: `  # Export all HelmRelease resources
  flux export helmrelease --all > kustomizations.yaml

--- a/cmd/flux/export_image_update.go
+++ b/cmd/flux/export_image_update.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 )

 var exportImageUpdateCmd = &cobra.Command{
--- a/cmd/flux/export_source_chart.go
+++ b/cmd/flux/export_source_chart.go
@@ -0,0 +1,67 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+)
+
+var exportSourceChartCmd = &cobra.Command{
+	Use:   "chart [name]",
+	Short: "Export HelmChart sources in YAML format",
+	Long:  withPreviewNote("The export source chart command exports one or all HelmChart sources in YAML format."),
+	Example: `  # Export all chart sources
+  flux export source chart --all > sources.yaml`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmChartKind)),
+	RunE: exportCommand{
+		list:   helmChartListAdapter{&sourcev1.HelmChartList{}},
+		object: helmChartAdapter{&sourcev1.HelmChart{}},
+	}.run,
+}
+
+func init() {
+	exportSourceCmd.AddCommand(exportSourceChartCmd)
+}
+
+func exportHelmChart(source *sourcev1.HelmChart) interface{} {
+	gvk := sourcev1.GroupVersion.WithKind(sourcev1.HelmChartKind)
+	export := sourcev1.HelmChart{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        source.Name,
+			Namespace:   source.Namespace,
+			Labels:      source.Labels,
+			Annotations: source.Annotations,
+		},
+		Spec: source.Spec,
+	}
+	return export
+}
+
+func (ex helmChartAdapter) export() interface{} {
+	return exportHelmChart(ex.HelmChart)
+}
+
+func (ex helmChartListAdapter) exportItem(i int) interface{} {
+	return exportHelmChart(&ex.HelmChartList.Items[i])
+}
--- a/cmd/flux/export_source_helm.go
+++ b/cmd/flux/export_source_helm.go
@@ -21,13 +21,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var exportSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Export HelmRepository sources in YAML format",
-	Long:  withPreviewNote("The export source git command exports one or all HelmRepository sources in YAML format."),
+	Long:  "The export source git command exports one or all HelmRepository sources in YAML format.",
 	Example: `  # Export all HelmRepository sources
  flux export source helm --all > sources.yaml

--- a/cmd/flux/export_test.go
+++ b/cmd/flux/export_test.go
@@ -58,6 +58,12 @@ func TestExport(t *testing.T) {
 			"testdata/export/git-repo.yaml",
 			tmpl,
 		},
+		{
+			"source chart",
+			"export source chart flux-system",
+			"testdata/export/helm-chart.yaml",
+			tmpl,
+		},
 		{
 			"source helm",
 			"export source helm flux-system",
--- a/cmd/flux/get.go
+++ b/cmd/flux/get.go
@@ -18,7 +18,6 @@ package main

 import (
 	"context"
-	"errors"
 	"fmt"
 	"os"
 	"strings"
@@ -28,7 +27,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
-	"k8s.io/client-go/discovery"
 	watchtools "k8s.io/client-go/tools/watch"
 	"sigs.k8s.io/controller-runtime/pkg/client"

@@ -178,8 +176,7 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {

 	err = kubeClient.List(ctx, get.list.asClientList(), listOpts...)
 	if err != nil {
-		var discErr *discovery.ErrGroupDiscoveryFailed
-		if getAll && (strings.Contains(err.Error(), "no matches for kind") || errors.As(err, &discErr)) {
+		if getAll && apimeta.IsNoMatchError(err) {
 			return nil
 		}
 		return err
--- a/cmd/flux/get_alert.go
+++ b/cmd/flux/get_alert.go
@@ -23,9 +23,10 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )

 var getAlertCmd = &cobra.Command{
@@ -77,7 +78,7 @@ func init() {

 func (s alertListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
-	status, msg := statusAndMessage(item.Status.Conditions)
+	status, msg := string(metav1.ConditionTrue), "Alert is Ready"
 	return append(nameColumns(&item, includeNamespace, includeKind),
 		cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
@@ -91,6 +92,5 @@ func (s alertListAdapter) headers(includeNamespace bool) []string {
 }

 func (s alertListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
-	item := s.Items[i]
-	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+	return false
 }
--- a/cmd/flux/get_alertprovider.go
+++ b/cmd/flux/get_alertprovider.go
@@ -20,9 +20,10 @@ import (
 	"fmt"

 	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )

 var getAlertProviderCmd = &cobra.Command{
@@ -74,7 +75,7 @@ func init() {

 func (s alertProviderListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
-	status, msg := statusAndMessage(item.Status.Conditions)
+	status, msg := string(metav1.ConditionTrue), "Provider is Ready"
 	return append(nameColumns(&item, includeNamespace, includeKind), status, msg)
 }

@@ -87,6 +88,5 @@ func (s alertProviderListAdapter) headers(includeNamespace bool) []string {
 }

 func (s alertProviderListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
-	item := s.Items[i]
-	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+	return false
 }
--- a/cmd/flux/get_all.go
+++ b/cmd/flux/get_all.go
@@ -17,14 +17,13 @@ limitations under the License.
 package main

 import (
-	"strings"
-
 	"github.com/spf13/cobra"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"

-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 )

 var getAllCmd = &cobra.Command{
@@ -63,11 +62,11 @@ var getAllCmd = &cobra.Command{
 			},
 			{
 				apiType: alertProviderType,
-				list:    alertProviderListAdapter{&notificationv1b2.ProviderList{}},
+				list:    alertProviderListAdapter{&notificationv1b3.ProviderList{}},
 			},
 			{
 				apiType: alertType,
-				list:    &alertListAdapter{&notificationv1b2.AlertList{}},
+				list:    &alertListAdapter{&notificationv1b3.AlertList{}},
 			},
 		}

@@ -87,7 +86,7 @@ var getAllCmd = &cobra.Command{
 }

 func logError(err error) {
-	if !strings.Contains(err.Error(), "no matches for kind") {
+	if !apimeta.IsNoMatchError(err) {
 		logger.Failuref(err.Error())
 	}
 }
--- a/cmd/flux/get_helmrelease.go
+++ b/cmd/flux/get_helmrelease.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2024 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -25,14 +25,14 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"

-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 )

 var getHelmReleaseCmd = &cobra.Command{
 	Use:     "helmreleases",
 	Aliases: []string{"hr", "helmrelease"},
 	Short:   "Get HelmRelease statuses",
-	Long:    withPreviewNote("The get helmreleases command prints the statuses of the resources."),
+	Long:    "The get helmreleases command prints the statuses of the resources.",
 	Example: `  # List all Helm releases and their status
  flux get helmreleases`,
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
@@ -72,9 +72,16 @@ func init() {
 	getCmd.AddCommand(getHelmReleaseCmd)
 }

+func getHelmReleaseRevision(helmRelease helmv2.HelmRelease) string {
+	if helmRelease.Status.History != nil && len(helmRelease.Status.History) > 0 {
+		return helmRelease.Status.History[0].ChartVersion
+	}
+	return helmRelease.Status.LastAttemptedRevision
+}
+
 func (a helmReleaseListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := a.Items[i]
-	revision := item.Status.LastAppliedRevision
+	revision := getHelmReleaseRevision(item)
 	status, msg := statusAndMessage(item.Status.Conditions)
 	return append(nameColumns(&item, includeNamespace, includeKind),
 		revision, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
--- a/cmd/flux/get_image_all.go
+++ b/cmd/flux/get_image_all.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 )

--- a/cmd/flux/get_image_update.go
+++ b/cmd/flux/get_image_update.go
@@ -26,7 +26,7 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 )

 var getImageUpdateCmd = &cobra.Command{
--- a/cmd/flux/get_source_all.go
+++ b/cmd/flux/get_source_all.go
@@ -17,9 +17,8 @@ limitations under the License.
 package main

 import (
-	"strings"
-
 	"github.com/spf13/cobra"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"

 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
@@ -55,17 +54,17 @@ var getSourceAllCmd = &cobra.Command{
 			},
 			{
 				apiType: helmRepositoryType,
-				list:    &helmRepositoryListAdapter{&sourcev1b2.HelmRepositoryList{}},
+				list:    &helmRepositoryListAdapter{&sourcev1.HelmRepositoryList{}},
 			},
 			{
 				apiType: helmChartType,
-				list:    &helmChartListAdapter{&sourcev1b2.HelmChartList{}},
+				list:    &helmChartListAdapter{&sourcev1.HelmChartList{}},
 			},
 		}

 		for _, c := range allSourceCmd {
 			if err := c.run(cmd, args); err != nil {
-				if !strings.Contains(err.Error(), "no matches for kind") {
+				if !apimeta.IsNoMatchError(err) {
 					logger.Failuref(err.Error())
 				}
 			}
--- a/cmd/flux/get_source_chart.go
+++ b/cmd/flux/get_source_chart.go
@@ -25,7 +25,7 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"

 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
@@ -33,7 +33,7 @@ import (
 var getSourceHelmChartCmd = &cobra.Command{
 	Use:   "chart",
 	Short: "Get HelmChart statuses",
-	Long:  withPreviewNote("The get sources chart command prints the status of the HelmCharts."),
+	Long:  "The get sources chart command prints the status of the HelmCharts.",
 	Example: `  # List all Helm charts and their status
  flux get sources chart

--- a/cmd/flux/get_source_helm.go
+++ b/cmd/flux/get_source_helm.go
@@ -23,9 +23,10 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"

 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
@@ -33,7 +34,7 @@ import (
 var getSourceHelmCmd = &cobra.Command{
 	Use:   "helm",
 	Short: "Get HelmRepository source statuses",
-	Long:  withPreviewNote("The get sources helm command prints the status of the HelmRepository sources."),
+	Long:  "The get sources helm command prints the status of the HelmRepository sources.",
 	Example: `  # List all Helm repositories and their status
  flux get sources helm

@@ -82,7 +83,12 @@ func (a *helmRepositoryListAdapter) summariseItem(i int, includeNamespace bool,
 	if item.GetArtifact() != nil {
 		revision = item.GetArtifact().Revision
 	}
-	status, msg := statusAndMessage(item.Status.Conditions)
+	var status, msg string
+	if item.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		status, msg = string(metav1.ConditionTrue), "Helm repository is Ready"
+	} else {
+		status, msg = statusAndMessage(item.Status.Conditions)
+	}
 	revision = utils.TruncateHex(revision)
 	msg = utils.TruncateHex(msg)
 	return append(nameColumns(&item, includeNamespace, includeKind),
--- a/cmd/flux/helmrelease.go
+++ b/cmd/flux/helmrelease.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2021 The Flux authors
+Copyright 2024 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 )

 // helmv2.HelmRelease
--- a/cmd/flux/image.go
+++ b/cmd/flux/image.go
@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 )

--- a/cmd/flux/install.go
+++ b/cmd/flux/install.go
@@ -21,16 +21,20 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"

 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	"sigs.k8s.io/yaml"

 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/v2/pkg/status"
 )

@@ -66,6 +70,7 @@ type installFlags struct {
 	defaultComponents  []string
 	extraComponents    []string
 	registry           string
+	registryCredential string
 	imagePullSecret    string
 	branch             string
 	watchAllNamespaces bool
@@ -92,6 +97,8 @@ func init() {
 	installCmd.Flags().StringVar(&installArgs.manifestsPath, "manifests", "", "path to the manifest directory")
 	installCmd.Flags().StringVar(&installArgs.registry, "registry", rootArgs.defaults.Registry,
 		"container registry where the toolkit images are published")
+	installCmd.Flags().StringVar(&installArgs.registryCredential, "registry-creds", "",
+		"container registry credentials in the format 'user:password', requires --image-pull-secret to be set")
 	installCmd.Flags().StringVar(&installArgs.imagePullSecret, "image-pull-secret", "",
 		"Kubernetes secret name used for pulling the toolkit images from a private registry")
 	installCmd.Flags().BoolVar(&installArgs.watchAllNamespaces, "watch-all-namespaces", rootArgs.defaults.WatchAllNamespaces,
@@ -102,7 +109,7 @@ func init() {
 	installCmd.Flags().StringVar(&installArgs.clusterDomain, "cluster-domain", rootArgs.defaults.ClusterDomain, "internal cluster domain")
 	installCmd.Flags().StringSliceVar(&installArgs.tolerationKeys, "toleration-keys", nil,
 		"list of toleration keys used to schedule the components pods onto nodes with matching taints")
-	installCmd.Flags().BoolVar(&installArgs.force, "force", false, "override existing Flux installation if it's managed by a diffrent tool such as Helm")
+	installCmd.Flags().BoolVar(&installArgs.force, "force", false, "override existing Flux installation if it's managed by a different tool such as Helm")
 	installCmd.Flags().MarkHidden("manifests")

 	rootCmd.AddCommand(installCmd)
@@ -124,6 +131,14 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if installArgs.registryCredential != "" && installArgs.imagePullSecret == "" {
+		return fmt.Errorf("--registry-creds requires --image-pull-secret to be set")
+	}
+
+	if installArgs.registryCredential != "" && len(strings.Split(installArgs.registryCredential, ":")) != 2 {
+		return fmt.Errorf("invalid --registry-creds format, expected 'user:password'")
+	}
+
 	if ver, err := getVersion(installArgs.version); err != nil {
 		return err
 	} else {
@@ -154,6 +169,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             components,
 		Registry:               installArgs.registry,
+		RegistryCredential:     installArgs.registryCredential,
 		ImagePullSecret:        installArgs.imagePullSecret,
 		WatchAllNamespaces:     installArgs.watchAllNamespaces,
 		NetworkPolicy:          installArgs.networkPolicy,
@@ -224,6 +240,29 @@ func installCmdRun(cmd *cobra.Command, args []string) error {

 	fmt.Fprintln(os.Stderr, applyOutput)

+	if opts.ImagePullSecret != "" && opts.RegistryCredential != "" {
+		logger.Actionf("generating image pull secret %s", opts.ImagePullSecret)
+		credentials := strings.SplitN(opts.RegistryCredential, ":", 2)
+		secretOpts := sourcesecret.Options{
+			Name:      opts.ImagePullSecret,
+			Namespace: opts.Namespace,
+			Registry:  opts.Registry,
+			Username:  credentials[0],
+			Password:  credentials[1],
+		}
+		imagePullSecret, err := sourcesecret.Generate(secretOpts)
+		if err != nil {
+			return fmt.Errorf("install failed: %w", err)
+		}
+		var s corev1.Secret
+		if err := yaml.Unmarshal([]byte(imagePullSecret.Content), &s); err != nil {
+			return fmt.Errorf("install failed: %w", err)
+		}
+		if err := upsertSecret(ctx, kubeClient, s); err != nil {
+			return fmt.Errorf("install failed: %w", err)
+		}
+	}
+
 	kubeConfig, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
--- a/cmd/flux/install_test.go
+++ b/cmd/flux/install_test.go
@@ -42,6 +42,11 @@ func TestInstall(t *testing.T) {
 			args:   "install unexpectedPosArg --namespace=example",
 			assert: assertError(`unknown command "unexpectedPosArg" for "flux install"`),
 		},
+		{
+			name:   "missing image pull secret",
+			args:   "install --registry-creds=fluxcd:test",
+			assert: assertError(`--registry-creds requires --image-pull-secret to be set`),
+		},
 	}

 	for _, tt := range tests {
--- a/cmd/flux/main_e2e_test.go
+++ b/cmd/flux/main_e2e_test.go
@@ -25,10 +25,15 @@ import (
 	"os"
 	"testing"

+	"github.com/go-logr/logr"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 func TestMain(m *testing.M) {
+	log.SetLogger(logr.New(log.NullLogSink{}))
+
 	// Ensure tests print consistent timestamps regardless of timezone
 	os.Setenv("TZ", "UTC")

--- a/cmd/flux/main_test.go
+++ b/cmd/flux/main_test.go
@@ -31,14 +31,16 @@ import (
 	"text/template"
 	"time"

-	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/google/go-cmp/cmp"
 	"github.com/mattn/go-shellwords"
+	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	k8syaml "k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/client-go/tools/clientcmd"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var nextNamespaceId int64
@@ -112,7 +114,8 @@ func (m *testEnvKubeManager) CreateObjects(clientObjects []*unstructured.Unstruc
 		}
 		obj.SetResourceVersion(createObj.GetResourceVersion())
 		err = m.client.Status().Update(context.Background(), obj)
-		if err != nil {
+		// Updating status of static objects results in not found error.
+		if err != nil && !errors.IsNotFound(err) {
 			return err
 		}
 	}
@@ -391,6 +394,29 @@ func executeCommand(cmd string) (string, error) {
 	return result, err
 }

+// Run the command while passing the string as input and return the captured output.
+func executeCommandWithIn(cmd string, in io.Reader) (string, error) {
+	defer resetCmdArgs()
+	args, err := shellwords.Parse(cmd)
+	if err != nil {
+		return "", err
+	}
+
+	buf := new(bytes.Buffer)
+
+	rootCmd.SetOut(buf)
+	rootCmd.SetErr(buf)
+	rootCmd.SetArgs(args)
+	if in != nil {
+		rootCmd.SetIn(in)
+	}
+
+	_, err = rootCmd.ExecuteC()
+	result := buf.String()
+
+	return result, err
+}
+
 // resetCmdArgs resets the flags for various cmd
 // Note: this will also clear default value of the flags set in init()
 func resetCmdArgs() {
@@ -439,7 +465,7 @@ func resetCmdArgs() {
 	versionArgs = versionFlags{
 		output: "yaml",
 	}
-
+	envsubstArgs = envsubstFlags{}
 }

 func isChangeError(err error) bool {
--- a/cmd/flux/main_unit_test.go
+++ b/cmd/flux/main_unit_test.go
@@ -22,10 +22,13 @@ package main
 import (
 	"context"
 	"fmt"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"os"
 	"testing"
+
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )

 // The test environment is long running process shared between tests, initialized
@@ -34,6 +37,8 @@ import (
 var testEnv *testEnvKubeManager

 func TestMain(m *testing.M) {
+	log.SetLogger(logr.New(log.NullLogSink{}))
+
 	// Ensure tests print consistent timestamps regardless of timezone
 	os.Setenv("TZ", "UTC")

--- a/cmd/flux/push_artifact.go
+++ b/cmd/flux/push_artifact.go
@@ -105,15 +105,16 @@ The command can read the credentials from '~/.docker/config.json' but they can a
 }

 type pushArtifactFlags struct {
-	path        string
-	source      string
-	revision    string
-	creds       string
-	provider    flags.SourceOCIProvider
-	ignorePaths []string
-	annotations []string
-	output      string
-	debug       bool
+	path         string
+	source       string
+	revision     string
+	creds        string
+	provider     flags.SourceOCIProvider
+	ignorePaths  []string
+	annotations  []string
+	output       string
+	debug        bool
+	reproducible bool
 }

 var pushArtifactArgs = newPushArtifactFlags()
@@ -135,6 +136,7 @@ func init() {
 	pushArtifactCmd.Flags().StringVarP(&pushArtifactArgs.output, "output", "o", "",
 		"the format in which the artifact digest should be printed, can be 'json' or 'yaml'")
 	pushArtifactCmd.Flags().BoolVarP(&pushArtifactArgs.debug, "debug", "", false, "display logs from underlying library")
+	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.reproducible, "reproducible", false, "ensure reproducible image digests by setting the created timestamp to '1970-01-01T00:00:00Z'")

 	pushCmd.AddCommand(pushArtifactCmd)
 }
@@ -202,6 +204,11 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		Annotations: annotations,
 	}

+	if pushArtifactArgs.reproducible {
+		zeroTime := time.Unix(0, 0)
+		meta.Created = zeroTime.Format(time.RFC3339)
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

--- a/cmd/flux/readiness.go
+++ b/cmd/flux/readiness.go
@@ -0,0 +1,149 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	kstatus "github.com/fluxcd/cli-utils/pkg/kstatus/status"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/object"
+	"github.com/fluxcd/pkg/runtime/patch"
+)
+
+// objectStatusType is the type of object in terms of status when computing the
+// readiness of an object. Readiness check method depends on the type of object.
+// For a dynamic object, Ready status condition is considered only for the
+// latest generation of the object. For a static object that don't have any
+// condition, the object generation is not considered.
+type objectStatusType int
+
+const (
+	objectStatusDynamic objectStatusType = iota
+	objectStatusStatic
+)
+
+// isObjectReady determines if an object is ready using the kstatus.Compute()
+// result. statusType helps differenciate between static and dynamic objects to
+// accurately check the object's readiness. A dynamic object may have some extra
+// considerations depending on the object.
+func isObjectReady(obj client.Object, statusType objectStatusType) (bool, error) {
+	observedGen, err := object.GetStatusObservedGeneration(obj)
+	if err != nil && err != object.ErrObservedGenerationNotFound {
+		return false, err
+	}
+
+	if statusType == objectStatusDynamic {
+		// Object not reconciled yet.
+		if observedGen < 1 {
+			return false, nil
+		}
+
+		cobj, ok := obj.(meta.ObjectWithConditions)
+		if !ok {
+			return false, fmt.Errorf("unable to get conditions from object")
+		}
+
+		if c := apimeta.FindStatusCondition(cobj.GetConditions(), meta.ReadyCondition); c != nil {
+			// Ensure that the ready condition is for the latest generation of
+			// the object.
+			// NOTE: Some APIs like ImageUpdateAutomation and HelmRelease don't
+			// support per condition observed generation yet. Per condition
+			// observed generation for them are always zero.
+			// There are two strategies used across different object kinds to
+			// check the latest ready condition:
+			//   - check that the ready condition's generation matches the
+			//     object's generation.
+			//   - check that the observed generation of the object in the
+			//     status matches the object's generation.
+			//
+			// TODO: Once ImageUpdateAutomation and HelmRelease APIs have per
+			// condition observed generation, remove the object's observed
+			// generation and object's generation check (the second condition
+			// below). Also, try replacing this readiness check function with
+			// fluxcd/pkg/ssa's ResourceManager.Wait(), which uses kstatus
+			// internally to check readiness of the objects.
+			if c.ObservedGeneration != 0 && c.ObservedGeneration != obj.GetGeneration() {
+				return false, nil
+			}
+			if c.ObservedGeneration == 0 && observedGen != obj.GetGeneration() {
+				return false, nil
+			}
+		} else {
+			return false, nil
+		}
+	}
+
+	u, err := patch.ToUnstructured(obj)
+	if err != nil {
+		return false, err
+	}
+	result, err := kstatus.Compute(u)
+	if err != nil {
+		return false, err
+	}
+	switch result.Status {
+	case kstatus.CurrentStatus:
+		return true, nil
+	case kstatus.InProgressStatus:
+		return false, nil
+	default:
+		return false, fmt.Errorf(result.Message)
+	}
+}
+
+// isObjectReadyConditionFunc returns a wait.ConditionFunc to be used with
+// wait.Poll* while polling for an object with dynamic status to be ready.
+func isObjectReadyConditionFunc(kubeClient client.Client, namespaceName types.NamespacedName, obj client.Object) wait.ConditionWithContextFunc {
+	return func(ctx context.Context) (bool, error) {
+		err := kubeClient.Get(ctx, namespaceName, obj)
+		if err != nil {
+			return false, err
+		}
+
+		return isObjectReady(obj, objectStatusDynamic)
+	}
+}
+
+// isStaticObjectReadyConditionFunc returns a wait.ConditionFunc to be used with
+// wait.Poll* while polling for an object with static or no status to be
+// ready.
+func isStaticObjectReadyConditionFunc(kubeClient client.Client, namespaceName types.NamespacedName, obj client.Object) wait.ConditionWithContextFunc {
+	return func(ctx context.Context) (bool, error) {
+		err := kubeClient.Get(ctx, namespaceName, obj)
+		if err != nil {
+			return false, err
+		}
+
+		return isObjectReady(obj, objectStatusStatic)
+	}
+}
+
+// kstatusCompute returns the kstatus computed result of a given object.
+func kstatusCompute(obj client.Object) (result *kstatus.Result, err error) {
+	u, err := patch.ToUnstructured(obj)
+	if err != nil {
+		return result, err
+	}
+	return kstatus.Compute(u)
+}
--- a/cmd/flux/readiness_test.go
+++ b/cmd/flux/readiness_test.go
@@ -0,0 +1,139 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+)
+
+func Test_isObjectReady(t *testing.T) {
+	// Ready object.
+	readyObj := &sourcev1.GitRepository{}
+	readyObj.Generation = 1
+	readyObj.Status.ObservedGeneration = 1
+	conditions.MarkTrue(readyObj, meta.ReadyCondition, "foo1", "bar1")
+
+	// Not ready object.
+	notReadyObj := readyObj.DeepCopy()
+	conditions.MarkFalse(notReadyObj, meta.ReadyCondition, "foo2", "bar2")
+
+	// Not reconciled object.
+	notReconciledObj := readyObj.DeepCopy()
+	notReconciledObj.Status = sourcev1.GitRepositoryStatus{ObservedGeneration: -1}
+
+	// No condition.
+	noConditionObj := readyObj.DeepCopy()
+	noConditionObj.Status = sourcev1.GitRepositoryStatus{ObservedGeneration: 1}
+
+	// Outdated condition.
+	readyObjOutdated := readyObj.DeepCopy()
+	readyObjOutdated.Generation = 2
+
+	// Object without per condition observed generation.
+	oldObj := readyObj.DeepCopy()
+	readyTrueCondn := conditions.TrueCondition(meta.ReadyCondition, "foo3", "bar3")
+	oldObj.Status.Conditions = []metav1.Condition{*readyTrueCondn}
+
+	// Outdated object without per condition observed generation.
+	oldObjOutdated := oldObj.DeepCopy()
+	oldObjOutdated.Generation = 2
+
+	// Empty status object.
+	staticObj := readyObj.DeepCopy()
+	staticObj.Status = sourcev1.GitRepositoryStatus{}
+
+	// No status object.
+	noStatusObj := &notificationv1.Provider{}
+	noStatusObj.Generation = 1
+
+	type args struct {
+		obj        client.Object
+		statusType objectStatusType
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    bool
+		wantErr bool
+	}{
+		{
+			name: "dynamic ready",
+			args: args{obj: readyObj, statusType: objectStatusDynamic},
+			want: true,
+		},
+		{
+			name: "dynamic not ready",
+			args: args{obj: notReadyObj, statusType: objectStatusDynamic},
+			want: false,
+		},
+		{
+			name: "dynamic not reconciled",
+			args: args{obj: notReconciledObj, statusType: objectStatusDynamic},
+			want: false,
+		},
+		{
+			name: "dynamic not condition",
+			args: args{obj: noConditionObj, statusType: objectStatusDynamic},
+			want: false,
+		},
+		{
+			name: "dynamic ready outdated",
+			args: args{obj: readyObjOutdated, statusType: objectStatusDynamic},
+			want: false,
+		},
+		{
+			name: "dynamic ready without per condition gen",
+			args: args{obj: oldObj, statusType: objectStatusDynamic},
+			want: true,
+		},
+		{
+			name: "dynamic outdated ready status without per condition gen",
+			args: args{obj: oldObjOutdated, statusType: objectStatusDynamic},
+			want: false,
+		},
+		{
+			name: "static empty status",
+			args: args{obj: staticObj, statusType: objectStatusStatic},
+			want: true,
+		},
+		{
+			name: "static no status",
+			args: args{obj: noStatusObj, statusType: objectStatusStatic},
+			want: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := isObjectReady(tt.args.obj, tt.args.statusType)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("isObjectReady() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("isObjectReady() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/cmd/flux/reconcile.go
+++ b/cmd/flux/reconcile.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"time"

+	kstatus "github.com/fluxcd/cli-utils/pkg/kstatus/status"
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -30,8 +31,7 @@ import (
 	"k8s.io/client-go/util/retry"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	"github.com/fluxcd/pkg/apis/meta"

 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -61,6 +61,7 @@ type reconcilable interface {
 	GetAnnotations() map[string]string
 	SetAnnotations(map[string]string)

+	isStatic() bool                      // is it a static object that does not have a reconciler?
 	lastHandledReconcileRequest() string // what was the last handled reconcile request?
 	successMessage() string              // what do you want to tell people when successfully reconciled?
 }
@@ -101,6 +102,11 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if reconcile.object.isStatic() {
+		logger.Successf("reconciliation not supported by the object")
+		return nil
+	}
+
 	if reconcile.object.isSuspended() {
 		return fmt.Errorf("resource is suspended")
 	}
@@ -112,16 +118,6 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 	}
 	logger.Successf("%s annotated", reconcile.kind)

-	if reconcile.kind == notificationv1b2.AlertKind || reconcile.kind == notificationv1.ReceiverKind {
-		if err = wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-			isReconcileReady(kubeClient, namespacedName, reconcile.object)); err != nil {
-			return err
-		}
-
-		logger.Successf(reconcile.object.successMessage())
-		return nil
-	}
-
 	lastHandledReconcileAt := reconcile.object.lastHandledReconcileRequest()
 	logger.Waitingf("waiting for %s reconciliation", reconcile.kind)
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
@@ -146,9 +142,17 @@ func reconciliationHandled(kubeClient client.Client, namespacedName types.Namesp
 		if err != nil {
 			return false, err
 		}
-		isProgressing := apimeta.IsStatusConditionPresentAndEqual(reconcilableConditions(obj),
-			meta.ReadyCondition, metav1.ConditionUnknown)
-		return obj.lastHandledReconcileRequest() != lastHandledReconcileAt && !isProgressing, nil
+
+		if obj.lastHandledReconcileRequest() == lastHandledReconcileAt {
+			return false, nil
+		}
+
+		result, err := kstatusCompute(obj.asClientObject())
+		if err != nil {
+			return false, err
+		}
+
+		return result.Status == kstatus.CurrentStatus, nil
 	}
 }

@@ -163,33 +167,26 @@ func requestReconciliation(ctx context.Context, kubeClient client.Client,
 			return err
 		}
 		patch := client.MergeFrom(object.DeepCopy())
-		if ann := object.GetAnnotations(); ann == nil {
-			object.SetAnnotations(map[string]string{
-				meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
-			})
-		} else {
-			ann[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
-			object.SetAnnotations(ann)
+
+		// Add a timestamp annotation to trigger a reconciliation.
+		ts := time.Now().Format(time.RFC3339Nano)
+		annotations := object.GetAnnotations()
+		if annotations == nil {
+			annotations = make(map[string]string, 1)
 		}
+		annotations[meta.ReconcileRequestAnnotation] = ts
+
+		// HelmRelease specific annotations to force or reset a release.
+		if gvk.Kind == helmv2.HelmReleaseKind {
+			if rhrArgs.syncForce {
+				annotations[helmv2.ForceRequestAnnotation] = ts
+			}
+			if rhrArgs.syncReset {
+				annotations[helmv2.ResetRequestAnnotation] = ts
+			}
+		}
+
+		object.SetAnnotations(annotations)
 		return kubeClient.Patch(ctx, object, patch)
 	})
 }
-
-func isReconcileReady(kubeClient client.Client, namespacedName types.NamespacedName, obj reconcilable) wait.ConditionWithContextFunc {
-	return func(ctx context.Context) (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, obj.asClientObject())
-		if err != nil {
-			return false, err
-		}
-
-		if c := apimeta.FindStatusCondition(reconcilableConditions(obj), meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/reconcile_alert.go
+++ b/cmd/flux/reconcile_alert.go
@@ -1,44 +0,0 @@
-/*
-Copyright 2020 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"github.com/spf13/cobra"
-
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
-)
-
-var reconcileAlertCmd = &cobra.Command{
-	Use:   "alert [name]",
-	Short: "Reconcile an Alert",
-	Long:  `The reconcile alert command triggers a reconciliation of an Alert resource and waits for it to finish.`,
-	Example: `  # Trigger a reconciliation for an existing alert
-  flux reconcile alert main`,
-	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.AlertKind)),
-	RunE: reconcileCommand{
-		apiType: alertType,
-		object:  alertAdapter{&notificationv1.Alert{}},
-	}.run,
-}
-
-func init() {
-	reconcileCmd.AddCommand(reconcileAlertCmd)
-}
-
-func (obj alertAdapter) lastHandledReconcileRequest() string {
-	return ""
-}
--- a/cmd/flux/reconcile_alertprovider.go
+++ b/cmd/flux/reconcile_alertprovider.go
@@ -1,93 +0,0 @@
-/*
-Copyright 2020 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
-
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
-	"github.com/fluxcd/pkg/apis/meta"
-
-	"github.com/fluxcd/flux2/v2/internal/utils"
-)
-
-var reconcileAlertProviderCmd = &cobra.Command{
-	Use:   "alert-provider [name]",
-	Short: "Reconcile a Provider",
-	Long:  `The reconcile alert-provider command triggers a reconciliation of a Provider resource and waits for it to finish.`,
-	Example: `  # Trigger a reconciliation for an existing provider
-  flux reconcile alert-provider slack`,
-	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ProviderKind)),
-	RunE:              reconcileAlertProviderCmdRun,
-}
-
-func init() {
-	reconcileCmd.AddCommand(reconcileAlertProviderCmd)
-}
-
-func reconcileAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Provider name is required")
-	}
-	name := args[0]
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-
-	namespacedName := types.NamespacedName{
-		Namespace: *kubeconfigArgs.Namespace,
-		Name:      name,
-	}
-
-	logger.Actionf("annotating Provider %s in %s namespace", name, *kubeconfigArgs.Namespace)
-	var alertProvider notificationv1.Provider
-	err = kubeClient.Get(ctx, namespacedName, &alertProvider)
-	if err != nil {
-		return err
-	}
-
-	if alertProvider.Annotations == nil {
-		alertProvider.Annotations = map[string]string{
-			meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
-		}
-	} else {
-		alertProvider.Annotations[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
-	}
-	if err := kubeClient.Update(ctx, &alertProvider); err != nil {
-		return err
-	}
-	logger.Successf("Provider annotated")
-
-	logger.Waitingf("waiting for reconciliation")
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isAlertProviderReady(kubeClient, namespacedName, &alertProvider)); err != nil {
-		return err
-	}
-	logger.Successf("Provider reconciliation completed")
-	return nil
-}
--- a/cmd/flux/reconcile_helmrelease.go
+++ b/cmd/flux/reconcile_helmrelease.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2024 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -22,7 +22,8 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"

-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 )

@@ -46,13 +47,16 @@ The reconcile kustomization command triggers a reconciliation of a HelmRelease r

 type reconcileHelmReleaseFlags struct {
 	syncHrWithSource bool
+	syncForce        bool
+	syncReset        bool
 }

 var rhrArgs reconcileHelmReleaseFlags

 func init() {
 	reconcileHrCmd.Flags().BoolVar(&rhrArgs.syncHrWithSource, "with-source", false, "reconcile HelmRelease source")
-
+	reconcileHrCmd.Flags().BoolVar(&rhrArgs.syncForce, "force", false, "force a one-off install or upgrade of the HelmRelease resource")
+	reconcileHrCmd.Flags().BoolVar(&rhrArgs.syncReset, "reset", false, "reset the failure count for this HelmRelease resource")
 	reconcileCmd.AddCommand(reconcileHrCmd)
 }

@@ -65,19 +69,49 @@ func (obj helmReleaseAdapter) reconcileSource() bool {
 }

 func (obj helmReleaseAdapter) getSource() (reconcileSource, types.NamespacedName) {
-	cmd := reconcileWithSourceCommand{
-		apiType: helmChartType,
-		object:  helmChartAdapter{&sourcev1b2.HelmChart{}},
-		force:   true,
-	}
-
-	ns := obj.Spec.Chart.Spec.SourceRef.Namespace
-	if ns == "" {
-		ns = obj.Namespace
-	}
-
-	return cmd, types.NamespacedName{
-		Name:      fmt.Sprintf("%s-%s", obj.Namespace, obj.Name),
-		Namespace: ns,
+	var (
+		name string
+		ns   string
+	)
+	switch {
+	case obj.Spec.ChartRef != nil:
+		name, ns = obj.Spec.ChartRef.Name, obj.Spec.ChartRef.Namespace
+		if ns == "" {
+			ns = obj.Namespace
+		}
+		namespacedName := types.NamespacedName{
+			Name:      name,
+			Namespace: ns,
+		}
+		if obj.Spec.ChartRef.Kind == sourcev1.HelmChartKind {
+			return reconcileWithSourceCommand{
+				apiType: helmChartType,
+				object:  helmChartAdapter{&sourcev1.HelmChart{}},
+				force:   true,
+			}, namespacedName
+		}
+		return reconcileCommand{
+			apiType: ociRepositoryType,
+			object:  ociRepositoryAdapter{&sourcev1b2.OCIRepository{}},
+		}, namespacedName
+	default:
+		// default case assumes the HelmRelease is using a HelmChartTemplate
+		ns = obj.Spec.Chart.Spec.SourceRef.Namespace
+		if ns == "" {
+			ns = obj.Namespace
+		}
+		name = fmt.Sprintf("%s-%s", obj.Namespace, obj.Name)
+		return reconcileWithSourceCommand{
+				apiType: helmChartType,
+				object:  helmChartAdapter{&sourcev1.HelmChart{}},
+				force:   true,
+			}, types.NamespacedName{
+				Name:      name,
+				Namespace: ns,
+			}
 	}
 }
+
+func (obj helmReleaseAdapter) isStatic() bool {
+	return false
+}
--- a/cmd/flux/reconcile_image_repository.go
+++ b/cmd/flux/reconcile_image_repository.go
@@ -48,3 +48,7 @@ func (obj imageRepositoryAdapter) lastHandledReconcileRequest() string {
 func (obj imageRepositoryAdapter) successMessage() string {
 	return fmt.Sprintf("scan fetched %d tags", obj.Status.LastScanResult.TagCount)
 }
+
+func (obj imageRepositoryAdapter) isStatic() bool {
+	return false
+}
--- a/cmd/flux/reconcile_image_updateauto.go
+++ b/cmd/flux/reconcile_image_updateauto.go
@@ -22,7 +22,7 @@ import (
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	meta "github.com/fluxcd/pkg/apis/meta"
 )

@@ -56,3 +56,7 @@ func (obj imageUpdateAutomationAdapter) successMessage() string {
 	}
 	return "automation not yet run"
 }
+
+func (obj imageUpdateAutomationAdapter) isStatic() bool {
+	return false
+}
--- a/cmd/flux/reconcile_kustomization.go
+++ b/cmd/flux/reconcile_kustomization.go
@@ -88,3 +88,7 @@ func (obj kustomizationAdapter) getSource() (reconcileSource, types.NamespacedNa
 		Namespace: obj.Spec.SourceRef.Namespace,
 	}
 }
+
+func (obj kustomizationAdapter) isStatic() bool {
+	return false
+}
--- a/cmd/flux/reconcile_receiver.go
+++ b/cmd/flux/reconcile_receiver.go
@@ -17,18 +17,9 @@ limitations under the License.
 package main

 import (
-	"context"
-	"fmt"
-	"time"
-
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"

 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	"github.com/fluxcd/pkg/apis/meta"
-
-	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var reconcileReceiverCmd = &cobra.Command{
@@ -38,62 +29,20 @@ var reconcileReceiverCmd = &cobra.Command{
 	Example: `  # Trigger a reconciliation for an existing receiver
  flux reconcile receiver main`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)),
-	RunE:              reconcileReceiverCmdRun,
+	RunE: reconcileCommand{
+		apiType: receiverType,
+		object:  receiverAdapter{&notificationv1.Receiver{}},
+	}.run,
 }

 func init() {
 	reconcileCmd.AddCommand(reconcileReceiverCmd)
 }

-func reconcileReceiverCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("receiver name is required")
-	}
-	name := args[0]
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-
-	namespacedName := types.NamespacedName{
-		Namespace: *kubeconfigArgs.Namespace,
-		Name:      name,
-	}
-
-	var receiver notificationv1.Receiver
-	err = kubeClient.Get(ctx, namespacedName, &receiver)
-	if err != nil {
-		return err
-	}
-
-	if receiver.Spec.Suspend {
-		return fmt.Errorf("resource is suspended")
-	}
-
-	logger.Actionf("annotating Receiver %s in %s namespace", name, *kubeconfigArgs.Namespace)
-	if receiver.Annotations == nil {
-		receiver.Annotations = map[string]string{
-			meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
-		}
-	} else {
-		receiver.Annotations[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
-	}
-	if err := kubeClient.Update(ctx, &receiver); err != nil {
-		return err
-	}
-	logger.Successf("Receiver annotated")
-
-	logger.Waitingf("waiting for Receiver reconciliation")
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isReceiverReady(kubeClient, namespacedName, &receiver)); err != nil {
-		return err
-	}
-
-	logger.Successf("Receiver reconciliation completed")
-
-	return nil
+func (obj receiverAdapter) lastHandledReconcileRequest() string {
+	return obj.Status.GetLastHandledReconcileRequest()
+}
+
+func (obj receiverAdapter) isStatic() bool {
+	return false
 }
--- a/cmd/flux/reconcile_source_bucket.go
+++ b/cmd/flux/reconcile_source_bucket.go
@@ -48,3 +48,7 @@ func (obj bucketAdapter) lastHandledReconcileRequest() string {
 func (obj bucketAdapter) successMessage() string {
 	return fmt.Sprintf("fetched revision %s", obj.Status.Artifact.Revision)
 }
+
+func (obj bucketAdapter) isStatic() bool {
+	return false
+}
--- a/cmd/flux/reconcile_source_chart.go
+++ b/cmd/flux/reconcile_source_chart.go
@@ -33,10 +33,10 @@ var reconcileSourceHelmChartCmd = &cobra.Command{
 
  # Trigger a reconciliation of the HelmCharts's source and apply changes
  flux reconcile helmchart podinfo --with-source`,
-	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1b2.GroupVersion.WithKind(sourcev1b2.HelmChartKind)),
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmChartKind)),
 	RunE: reconcileWithSourceCommand{
 		apiType: helmChartType,
-		object:  helmChartAdapter{&sourcev1b2.HelmChart{}},
+		object:  helmChartAdapter{&sourcev1.HelmChart{}},
 	}.run,
 }

@@ -62,10 +62,10 @@ func (obj helmChartAdapter) reconcileSource() bool {
 func (obj helmChartAdapter) getSource() (reconcileSource, types.NamespacedName) {
 	var cmd reconcileCommand
 	switch obj.Spec.SourceRef.Kind {
-	case sourcev1b2.HelmRepositoryKind:
+	case sourcev1.HelmRepositoryKind:
 		cmd = reconcileCommand{
 			apiType: helmRepositoryType,
-			object:  helmRepositoryAdapter{&sourcev1b2.HelmRepository{}},
+			object:  helmRepositoryAdapter{&sourcev1.HelmRepository{}},
 		}
 	case sourcev1.GitRepositoryKind:
 		cmd = reconcileCommand{
@@ -84,3 +84,7 @@ func (obj helmChartAdapter) getSource() (reconcileSource, types.NamespacedName)
 		Namespace: obj.Namespace,
 	}
 }
+
+func (obj helmChartAdapter) isStatic() bool {
+	return false
+}
--- a/Show More
+++ b/Show More