736 changed files with 4654 additions and 52139 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@ -1,84 +0,0 @@
 ---
 name: Bug report
 description: Create a report to help us improve Flux
 body:
 - type: markdown
  attributes:
    value: |
      ## Support
      Find out more about your support options and getting help at: https://fluxcd.io/support/
 - type: textarea
  validations:
    required: true
  attributes:
    label: Describe the bug
    description: A clear description of what the bug is.
 - type: textarea
  validations:
    required: true
  attributes:
    label: Steps to reproduce
    description: |
      Steps to reproduce the problem.
    placeholder: |
      For example:
      1. Install Flux with the additional image automation controllers
      2. Run command '...'
      3. See error
 - type: textarea
  validations:
    required: true
  attributes:
    label: Expected behavior
    description: A brief description of what you expected to happen.
 - type: textarea
  attributes:
    label: Screenshots and recordings
    description: |
      If applicable, add screenshots to help explain your problem. You can also record an asciinema session: https://asciinema.org/
 - type: input
  validations:
    required: true
  attributes:
    label: OS / Distro
    description: The OS / distro you are executing `flux` on. If not applicable, write `N/A`.
    placeholder: e.g. Windows 10, Ubuntu 20.04, Arch Linux, macOS 10.15...
 - type: input
  validations:
    required: true
  attributes:
    label: Flux version
    description: Run `flux version --client`. If not applicable, write `N/A`.
    placeholder: e.g. v0.20.1
 - type: textarea
  validations:
    required: true
  attributes:
    label: Flux check
    description: Run `flux check`. If not applicable, write `N/A`.
    placeholder: |
      For example:
      ► checking prerequisites
      ✔ Kubernetes 1.21.1 >=1.19.0-0
      ► checking controllers
      ✔ all checks passed
 - type: input
  attributes:
    label: Git provider
    description: If applicable, add the Git provider you are having problems with, e.g. GitHub (Enterprise), GitLab, etc.
 - type: input
  attributes:
    label: Container Registry provider
    description: If applicable, add the Container Registry provider you are having problems with, e.g. DockerHub, GitHub Packages, Quay.io, etc.
 - type: textarea
  attributes:
    label: Additional context
    description: Add any other context about the problem here. This can be logs (e.g. output from `flux logs`), environment specific caveats, etc.
 - type: checkboxes
  id: terms
  attributes:
    label: Code of Conduct
    description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/fluxcd/.github/blob/main/CODE_OF_CONDUCT.md)
    options:
    - label: I agree to follow this project's Code of Conduct
      required: true
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -1,5 +0,0 @@
 blank_issues_enabled: true
 contact_links:
  - name: Ask a question
    url: https://github.com/fluxcd/flux2/discussions
    about: Please ask and answer questions here.
--- a/.github/actions/kustomize/Dockerfile
+++ b/.github/actions/kustomize/Dockerfile
@ -0,0 +1,6 @@
 FROM giantswarm/tiny-tools
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
--- a/.github/actions/kustomize/action.yml
+++ b/.github/actions/kustomize/action.yml
@ -0,0 +1,9 @@
 name: 'kustomize'
 description: 'A GitHub Action to run kustomize commands'
 author: 'Stefan Prodan'
 branding:
  icon: 'command'
  color: 'blue'
 runs:
  using: 'docker'
  image: 'Dockerfile'
--- a/.github/actions/kustomize/entrypoint.sh
+++ b/.github/actions/kustomize/entrypoint.sh
@ -0,0 +1,12 @@
 #!/bin/sh -l
 VERSION=3.5.4
 curl -sL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${VERSION}/kustomize_v${VERSION}_linux_amd64.tar.gz | tar xz
 mkdir -p $GITHUB_WORKSPACE/bin
 cp ./kustomize $GITHUB_WORKSPACE/bin
 chmod +x $GITHUB_WORKSPACE/bin/kustomize
 ls -lh $GITHUB_WORKSPACE/bin
 echo "::add-path::$GITHUB_WORKSPACE/bin"
 echo "::add-path::$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin"
--- a/.github/aur/flux-bin/.SRCINFO.template
+++ b/.github/aur/flux-bin/.SRCINFO.template
@ -1,19 +0,0 @@
 pkgbase = flux-bin
 	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
 	pkgver = ${PKGVER}
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
 	optdepends = bash-completion: auto-completion for flux in Bash
 	optdepends = zsh-completions: auto-completion for flux in ZSH
 	source_x86_64 = flux-bin-${PKGVER}_linux_amd64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz
 	sha256sums_x86_64 = ${SHA256SUM_AMD64}
 	source_armv7h = flux-bin-${PKGVER}_linux_arm.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm.tar.gz
 	sha256sums_armv7h = ${SHA256SUM_ARM}
 	source_aarch64 = flux-bin-${PKGVER}_linux_arm64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm64.tar.gz
 	sha256sums_aarch64 = ${SHA256SUM_ARM64}
 pkgname = flux-bin
--- a/.github/aur/flux-bin/.gitignore
+++ b/.github/aur/flux-bin/.gitignore
@ -1 +0,0 @@
 .pkg
--- a/.github/aur/flux-bin/PKGBUILD.template
+++ b/.github/aur/flux-bin/PKGBUILD.template
@ -1,40 +0,0 @@
 # Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
 # Maintainer: Hidde Beydals <hello@hidde.co>
 pkgname=flux-bin
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
 _srcname=flux
 _srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
 arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 optdepends=('bash-completion: auto-completion for flux in Bash'
            'zsh-completions: auto-completion for flux in ZSH')
 source_x86_64=(
  "${pkgname}-${pkgver}_linux_amd64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_amd64.tar.gz"
 )
 source_armv7h=(
  "${pkgname}-${pkgver}_linux_arm.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm.tar.gz"
 )
 source_aarch64=(
  "${pkgname}-${pkgver}_linux_arm64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm64.tar.gz"
 )
 sha256sums_x86_64=(
  ${SHA256SUM_AMD64}
 )
 sha256sums_armv7h=(
  ${SHA256SUM_ARM}
 )
 sha256sums_aarch64=(
  ${SHA256SUM_ARM64}
 )
 package() {
 	install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
    "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
    "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
    "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
 }
--- a/.github/aur/flux-bin/publish.sh
+++ b/.github/aur/flux-bin/publish.sh
@ -1,56 +0,0 @@
 #!/usr/bin/env bash
 set -e
 WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
 PKGNAME=$(basename $WD)
 ROOT=${WD%/.github/aur/$PKGNAME}
 LOCKFILE=/tmp/aur-$PKGNAME.lock
 exec 100>$LOCKFILE || exit 0
 flock -n 100 || exit 0
 trap "rm -f $LOCKFILE" EXIT
 export VERSION=$1
 echo "Publishing to AUR as version ${VERSION}"
 cd $WD
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
 eval $(ssh-agent -s)
 ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
 GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
 trap "rm -rf $GITDIR" EXIT
 git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
 # Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}
 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
    export PKGREL=$((CURRENT_PKGREL+1))
 else
    export PKGREL=1
 fi
 export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_arm.tar.gz | awk '{ print $1 }')
 export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_arm64.tar.gz | awk '{ print $1 }')
 export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_amd64.tar.gz | awk '{ print $1 }')
 envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
 envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD
 cd $GITDIR
 git config user.name "fluxcdbot"
 git config user.email "fluxcdbot@users.noreply.github.com"
 git add -A
 if [ -z "$(git status --porcelain)" ]; then
  echo "No changes."
 else
  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
  git push origin master
 fi
--- a/.github/aur/flux-go/.SRCINFO.template
+++ b/.github/aur/flux-go/.SRCINFO.template
@ -1,17 +0,0 @@
 pkgbase = flux-go
 	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
 	pkgver = ${PKGVER}
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
 	makedepends = go
 	depends = glibc
 	provides = flux-bin
 	conflicts = flux-bin
  replaces = flux-cli
 	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${VERSION}.tar.gz
 pkgname = flux-go
--- a/.github/aur/flux-go/.gitignore
+++ b/.github/aur/flux-go/.gitignore
@ -1 +0,0 @@
 .pkg
--- a/.github/aur/flux-go/PKGBUILD.template
+++ b/.github/aur/flux-go/PKGBUILD.template
@ -1,59 +0,0 @@
 # Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
 # Maintainer: Hidde Beydals <hello@hidde.co>
 pkgname=flux-go
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
 _srcname=flux
 _srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
 arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 replaces=("flux-cli")
 depends=("glibc")
 makedepends=('go>=1.20', 'kustomize>=5.0')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${_srcver}.tar.gz"
 )
 sha256sums=(
  ${SHA256SUM}
 )
 build() {
  cd "flux2-${_srcver}"
  export CGO_LDFLAGS="$LDFLAGS"
  export CGO_CFLAGS="$CFLAGS"
  export CGO_CXXFLAGS="$CXXFLAGS"
  export CGO_CPPFLAGS="$CPPFLAGS"
  export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
  make cmd/flux/.manifests.done
  go build -ldflags "-linkmode=external -X main.VERSION=${_srcver}" -o ${_srcname} ./cmd/flux
 }
 check() {
  cd "flux2-${_srcver}"
  case $CARCH in
    aarch64)
      export ENVTEST_ARCH=arm64
      ;;
    armv7h)
      export ENVTEST_ARCH=arm
      ;;
  esac
  make test
 }
 package() {
  cd "flux2-${_srcver}"
  install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
  "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
  "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
  "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
 }
--- a/.github/aur/flux-go/publish.sh
+++ b/.github/aur/flux-go/publish.sh
@ -1,54 +0,0 @@
 #!/usr/bin/env bash
 set -e
 WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
 PKGNAME=$(basename $WD)
 ROOT=${WD%/.github/aur/$PKGNAME}
 LOCKFILE=/tmp/aur-$PKGNAME.lock
 exec 100>$LOCKFILE || exit 0
 flock -n 100 || exit 0
 trap "rm -f $LOCKFILE" EXIT
 export VERSION=$1
 echo "Publishing to AUR as version ${VERSION}"
 cd $WD
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
 eval $(ssh-agent -s)
 ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
 GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
 trap "rm -rf $GITDIR" EXIT
 git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
 # Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}
 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
    export PKGREL=$((CURRENT_PKGREL+1))
 else
    export PKGREL=1
 fi
 export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v${VERSION}.tar.gz | sha256sum | awk '{ print $1 }')
 envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
 envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD
 cd $GITDIR
 git config user.name "fluxcdbot"
 git config user.email "fluxcdbot@users.noreply.github.com"
 git add -A
 if [ -z "$(git status --porcelain)" ]; then
  echo "No changes."
 else
  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
  git push origin master
 fi
--- a/.github/aur/flux-scm/.SRCINFO.template
+++ b/.github/aur/flux-scm/.SRCINFO.template
@ -1,17 +0,0 @@
 pkgbase = flux-scm
 	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
 	pkgver = ${PKGVER}
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
 	makedepends = go
 	depends = glibc
 	provides = flux-bin
 	conflicts = flux-bin
 	source = git+https://github.com/fluxcd/flux2.git
 	md5sums = SKIP
 pkgname = flux-scm
--- a/.github/aur/flux-scm/.gitignore
+++ b/.github/aur/flux-scm/.gitignore
@ -1 +0,0 @@
 .pkg
--- a/.github/aur/flux-scm/PKGBUILD.template
+++ b/.github/aur/flux-scm/PKGBUILD.template
@ -1,60 +0,0 @@
 # Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
 # Maintainer: Hidde Beydals <hello@hidde.co>
 pkgname=flux-scm
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
 _srcname=flux
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
 arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 depends=("glibc")
 makedepends=('go>=1.20', 'kustomize>=5.0', 'git')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
  "git+https://github.com/fluxcd/flux2.git"
 )
 md5sums=('SKIP')
 pkgver() {
  cd "flux2"
  printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
 }
 build() {
  cd "flux2"
  export CGO_LDFLAGS="$LDFLAGS"
  export CGO_CFLAGS="$CFLAGS"
  export CGO_CXXFLAGS="$CXXFLAGS"
  export CGO_CPPFLAGS="$CPPFLAGS"
  export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
  make cmd/flux/.manifests.done
  go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
 }
 check() {
  cd "flux2"
  case $CARCH in
    aarch64)
      export ENVTEST_ARCH=arm64
      ;;
    armv7h)
      export ENVTEST_ARCH=arm
      ;;
  esac
  make test
 }
 package() {
  cd "flux2"
  install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
  "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
  "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
  "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
 }
--- a/.github/aur/flux-scm/publish.sh
+++ b/.github/aur/flux-scm/publish.sh
@ -1,52 +0,0 @@
 #!/usr/bin/env bash
 set -e
 WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
 PKGNAME=$(basename $WD)
 ROOT=${WD%/.github/aur/$PKGNAME}
 LOCKFILE=/tmp/aur-$PKGNAME.lock
 exec 100>$LOCKFILE || exit 0
 flock -n 100 || exit 0
 trap "rm -f $LOCKFILE" EXIT
 export VERSION=$1
 echo "Publishing to AUR as version ${VERSION}"
 cd $WD
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
 eval $(ssh-agent -s)
 ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
 GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
 trap "rm -rf $GITDIR" EXIT
 git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
 # Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}
 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
    export PKGREL=$((CURRENT_PKGREL+1))
 else
    export PKGREL=1
 fi
 envsubst '$PKGVER $PKGREL' < .SRCINFO.template > $GITDIR/.SRCINFO
 envsubst '$PKGVER $PKGREL' < PKGBUILD.template > $GITDIR/PKGBUILD
 cd $GITDIR
 git config user.name "fluxcdbot"
 git config user.email "fluxcdbot@users.noreply.github.com"
 git add -A
 if [ -z "$(git status --porcelain)" ]; then
  echo "No changes."
 else
  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
  git push origin master
 fi
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,16 +0,0 @@
 version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    labels: ["area/ci", "dependencies"]
    groups:
      # Group all updates together, so that they are all applied in a single PR.
      # Grouped updates are currently in beta and is subject to change.
      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
      ci:
        patterns:
          - "*"
    schedule:
      # By default, this will be on a monday.
      interval: "weekly"
--- a/.github/kind/config.yaml
+++ b/.github/kind/config.yaml
@ -1,9 +0,0 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
  - role: control-plane
  - role: worker
  - role: worker
 networking:
  disableDefaultCNI: true   # disable kindnet
  podSubnet: 192.168.0.0/16 # set to Calico's default subnet
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@ -1,55 +0,0 @@
 # Configuration file to declaratively configure labels
 # Ref: https://github.com/EndBug/label-sync#Config-files
 - name: area/bootstrap
  description: Bootstrap related issues and pull requests
  color: '#86efc9'
 - name: area/install
  description: Install and uninstall related issues and pull requests
  color: '#86efc9'
 - name: area/diff
  description: Diff related issues and pull requests
  color: '#BA4192'
 - name: area/bucket
  description: Bucket related issues and pull requests
  color: '#00b140'
 - name: area/git
  description: Git related issues and pull requests
  color: '#863faf'
 - name: area/oci
  description: OCI related issues and pull requests
  color: '#c739ff'
 - name: area/kustomization
  description: Kustomization related issues and pull requests
  color: '#00e54d'
 - name: area/helm
  description: Helm related issues and pull requests
  color: '#1673b6'
 - name: area/image-automation
  description: Automated image updates related issues and pull requests
  color: '#c5def5'
 - name: area/monitoring
  description: Monitoring related issues and pull requests
  color: '#dd75ae'
 - name: area/multi-tenancy
  description: Multi-tenancy related issues and pull requests
  color: '#72CDBD'
 - name: area/notification
  description: Notification API related issues and pull requests
  color: '#434ec1'
 - name: area/source
  description: Source API related issues and pull requests
  color: '#863faf'
 - name: area/rfc
  description: Feature request proposals in the RFC format
  color: '#D621C3'
  aliases: ['area/RFC']
 - name: backport:release/v2.3.x
  description: To be backported to release/v2.3.x
  color: '#ffd700'
 - name: backport:release/v2.4.x
  description: To be backported to release/v2.4.x
  color: '#ffd700'
 - name: backport:release/v2.5.x
  description: To be backported to release/v2.5.x
  color: '#ffd700'
--- a/.github/runners/README.md
+++ b/.github/runners/README.md
@ -1,82 +0,0 @@
 # Flux ARM64 GitHub runners
 The Flux ARM64 end-to-end tests run on Equinix Metal instances provisioned with Docker and GitHub self-hosted runners.
 ## Current instances
 | Repository                  | Runner           | Instance       | Location      |
 |-----------------------------|------------------|----------------|---------------|
 | flux2                       | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
 | flux2                       | equinix-arm-dc-2 | flux-arm-dc-01 | Washington DC |
 | flux2                       | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
 | flux2                       | equinix-arm-da-2 | flux-arm-da-01 | Dallas        |
 | flux-benchmark              | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
 | flux-benchmark              | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
 | source-controller           | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
 | source-controller           | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
 | image-automation-controller | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
 | image-automation-controller | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
 Instance spec:
 - Ampere Altra Q80-30 80-core processor @ 2.8GHz
 - 2 x 960GB NVME
 - 256GB RAM
 - 2 x 25Gbps
 ## Instance setup
 In order to add a new runner to the GitHub Actions pool,
 first create a server on Equinix with the following configuration:
 - Type: `c3.large.arm64`
 - OS: `Ubuntu 22.04 LTS`
 ### Install prerequisites
 - SSH into a newly created instance
 ```shell
 ssh root@<instance-public-IP>
 ``` 
 - Create the ubuntu user
 ```shell
 adduser ubuntu
 usermod -aG sudo ubuntu
 su - ubuntu
 ```
 - Create the prerequisites dir
 ```shell
 mkdir -p prereq && cd prereq
 ```
 - Download the prerequisites script
 ```shell
 curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/prereq.sh > prereq.sh \
  && chmod +x ./prereq.sh
 ```
 - Install the prerequisites
 ```shell
 sudo ./prereq.sh
 ```
 ### Install runners
 - Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)
 - Create two directories `flux2-01`, `flux2-02`
 - In each dir run:
 ```shell
 curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/runner-setup.sh > runner-setup.sh \
  && chmod +x ./runner-setup.sh
 ./runner-setup.sh equinix-arm-<NUMBER> <TOKEN> <REPO>
 ```
 - Reboot the instance
 ```shell
 sudo reboot
 ```
 - Navigate to the GitHub repository [runners page](https://github.com/fluxcd/flux2/settings/actions/runners) and check the runner status
--- a/.github/runners/prereq.sh
+++ b/.github/runners/prereq.sh
@ -1,72 +0,0 @@
 #!/usr/bin/env bash
 # Copyright 2021 The Flux authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # This script installs the prerequisites for running Flux end-to-end tests with Docker and GitHub self-hosted runners.
 set -eu
 KIND_VERSION=0.22.0
 KUBECTL_VERSION=1.29.0
 KUSTOMIZE_VERSION=5.3.0
 HELM_VERSION=3.14.1
 GITHUB_RUNNER_VERSION=2.313.0
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq pkg-config"
 # install prerequisites
 apt-get update \
  && apt-get install -y -q ${PACKAGES} \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 # fix Kubernetes DNS resolution
 rm /etc/resolv.conf
 cat "/run/systemd/resolve/stub-resolv.conf" | sed '/search/d' > /etc/resolv.conf
 # install docker
 curl -fsSL https://get.docker.com -o get-docker.sh \
  && chmod +x get-docker.sh
 ./get-docker.sh
 systemctl enable docker.service
 systemctl enable containerd.service
 usermod -aG docker ubuntu
 # install kind
 curl -Lo ./kind https://kind.sigs.k8s.io/dl/v${KIND_VERSION}/kind-linux-arm64
 install -o root -g root -m 0755 kind /usr/local/bin/kind
 # install kubectl
 curl -LO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/arm64/kubectl"
 install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
 # install kustomize
 curl -Lo ./kustomize.tar.gz https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_arm64.tar.gz \
  && tar -zxvf kustomize.tar.gz \
  && rm kustomize.tar.gz
 install -o root -g root -m 0755 kustomize /usr/local/bin/kustomize
 # install helm
 curl -Lo ./helm.tar.gz https://get.helm.sh/helm-v${HELM_VERSION}-linux-arm64.tar.gz \
  && tar -zxvf helm.tar.gz \
  && rm helm.tar.gz
 install -o root -g root -m 0755 linux-arm64/helm /usr/local/bin/helm
 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
  && tar xzf actions-runner-linux-arm64.tar.gz \
  && rm actions-runner-linux-arm64.tar.gz
 # install runner dependencies
 ./bin/installdependencies.sh
--- a/.github/runners/runner-setup.sh
+++ b/.github/runners/runner-setup.sh
@ -1,37 +0,0 @@
 #!/usr/bin/env bash
 # Copyright 2021 The Flux authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # This script installs a GitHub self-hosted ARM64 runner for running Flux end-to-end tests.
 set -eu
 RUNNER_NAME=$1
 REPOSITORY_TOKEN=$2
 REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}
 GITHUB_RUNNER_VERSION=2.313.0
 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
  && tar xzf actions-runner-linux-arm64.tar.gz \
  && rm actions-runner-linux-arm64.tar.gz
 # register runner with GitHub
 ./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN} --name ${RUNNER_NAME}
 # start runner
 sudo ./svc.sh install
 sudo ./svc.sh start
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@ -1,50 +0,0 @@
 # Flux GitHub Workflows
 ## End-to-end Testing
 The e2e workflows run a series of tests to ensure that the Flux CLI and
 the GitOps Toolkit controllers work well all together.
 The tests are written in Go, Bash, Make and Terraform.
 | Workflow           | Jobs                 | Runner         | Role                                          |
 |--------------------|----------------------|----------------|-----------------------------------------------|
 | e2e.yaml           | e2e-amd64-kubernetes | GitHub Ubuntu  | integration testing with Kubernetes Kind<br/> |
 | e2e-arm64.yaml     | e2e-arm64-kubernetes | Equinix Ubuntu | integration testing with Kubernetes Kind<br/> |
 | e2e-bootstrap.yaml | e2e-boostrap-github  | GitHub Ubuntu  | integration testing with GitHub API<br/>      |
 | e2e-azure.yaml     | e2e-amd64-aks        | GitHub Ubuntu  | integration testing with Azure API<br/>       |
 | scan.yaml          | scan-fossa           | GitHub Ubuntu  | license scanning<br/>                         |
 | scan.yaml          | scan-snyk            | GitHub Ubuntu  | vulnerability scanning<br/>                   |
 | scan.yaml          | scan-codeql          | GitHub Ubuntu  | vulnerability scanning<br/>                   |
 ## Components Update
 The components update workflow scans the GitOps Toolkit controller repositories for new releases,
 amd when it finds a new controller version, the workflow performs the following steps:
 - Updates the controller API package version in `go.mod`.
 - Patches the controller CRDs version in the `manifests/crds` overlay.
 - Patches the controller Deployment version in `manifests/bases` overlay.
 - Opens a Pull Request against the `main` branch.
 - Triggers the e2e test suite to run for the opened PR.
 | Workflow    | Jobs              | Runner        | Role                                                |
 |-------------|-------------------|---------------|-----------------------------------------------------|
 | update.yaml | update-components | GitHub Ubuntu | update the GitOps Toolkit APIs and controllers<br/> |
 ## Release
 The release workflow is triggered by a semver Git tag and performs the following steps:
 - Generates the Flux install manifests (YAML).
 - Generates the OpenAPI validation schemas for the GitOps Toolkit CRDs (JSON).
 - Generates a Software Bill of Materials (SPDX JSON).
 - Builds the Flux CLI binaries and the multi-arch container images.
 - Pushes the container images to GitHub Container Registry and DockerHub.
 - Signs the sbom, the binaries checksum and the container images with Cosign and GitHub OIDC.
 - Uploads the sbom, binaries, checksums and install manifests to GitHub Releases.
 - Pushes the install manifests as OCI artifacts to GitHub Container Registry and DockerHub.
 - Signs the OCI artifacts with Cosign and GitHub OIDC.
 | Workflow     | Jobs                   | Runner        | Role                                                 |
 |--------------|------------------------|---------------|------------------------------------------------------|
 | release.yaml | release-flux-cli       | GitHub Ubuntu | build, push and sign the CLI release artifacts<br/>  |
 | release.yaml | release-flux-manifests | GitHub Ubuntu | build, push and sign the Flux install manifests<br/> |
--- a/.github/workflows/action.yaml
+++ b/.github/workflows/action.yaml
@ -1,29 +0,0 @@
 name: test-gh-action
 on:
  pull_request:
    paths:
      - 'action/**'
  push:
    paths:
      - 'action/**'
    branches:
      - 'main'
      - 'release/**'
 permissions: read-all
 jobs:
  actions:
    strategy:
      fail-fast: false
      matrix:
        version: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.version }}
    name: action on ${{ matrix.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup flux
        uses: ./action
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@ -1,34 +0,0 @@
 name: backport
 on:
  pull_request_target:
    types: [closed, labeled]
 permissions: 
  contents: read
 jobs:
  pull-request:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Create backport PRs
        uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
        # xref: https://github.com/korthout/backport-action#inputs
        with:
          # Use token to allow workflows to be triggered for the created PR
          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
          # Match labels with a pattern `backport:<target-branch>`
          label_pattern: '^backport:([^ ]+)$'
          # A bit shorter pull-request title than the default
          pull_title: '[${target_branch}] ${pull_title}'
          # Simpler PR description than default
          pull_description: |-
            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@ -1,256 +0,0 @@
 name: conformance
 on:
  workflow_dispatch:
  push:
    branches: [ 'main', 'update-components', 'release/**', 'conform*' ]
 permissions:
  contents: read
 env:
  GO_VERSION: 1.23.x
 jobs:
  conform-kubernetes:
    runs-on:
      group: "ARM64"
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
        KUBERNETES_VERSION: [1.30.9, 1.31.5, 1.32.1 ]
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Prepare
        id: prep
        run: |
          ID=${GITHUB_SHA:0:7}-${{ matrix.KUBERNETES_VERSION }}-$(date +%s)
          echo "CLUSTER=arm64-${ID}" >> $GITHUB_OUTPUT
      - name: Build
        run: |
          make build
      - name: Setup Kubernetes
        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
          version: v0.22.0
          cluster_name: ${{ steps.prep.outputs.CLUSTER }}
          node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
      - name: Run e2e tests
        run: TEST_KUBECONFIG=$HOME/.kube/config make e2e
      - name: Run multi-tenancy tests
        run: |
          ./bin/flux install
          ./bin/flux create source git flux-system \
          --interval=15m \
          --url=https://github.com/fluxcd/flux2-multi-tenancy \
          --branch=main \
          --ignore-paths="./clusters/**/flux-system/"
          ./bin/flux create kustomization flux-system \
          --interval=15m \
          --source=flux-system \
          --path=./clusters/staging
          kubectl -n flux-system wait kustomization/tenants --for=condition=ready --timeout=5m
          kubectl -n apps wait kustomization/dev-team --for=condition=ready --timeout=1m
          kubectl -n apps wait helmrelease/podinfo --for=condition=ready --timeout=1m
      - name: Debug failure
        if: failure()
        run: |
          kubectl -n flux-system get all
          kubectl -n flux-system describe po 
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
  conform-k3s:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Available versions can be found with "replicated cluster versions"
        K3S_VERSION: [ 1.30.9, 1.31.5, 1.32.1 ]
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Prepare
        id: prep
        run: |
          ID=${GITHUB_SHA:0:7}-${{ matrix.K3S_VERSION }}-$(date +%s)
          PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
          echo "cluster=flux2-k3s-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Build
        run: make build-dev
      - name: Create repository
        run: |
          gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Create cluster
        id: create-cluster
        uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          kubernetes-distribution: "k3s"
          kubernetes-version: ${{ matrix.K3S_VERSION }}
          ttl: 20m
          cluster-name: "${{ steps.prep.outputs.cluster }}"
          kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
          export-kubeconfig: true
      - name: Run e2e tests
        run: TEST_KUBECONFIG=${{ steps.prep.outputs.kubeconfig-path }} make e2e
      - name: Run flux bootstrap
        run: |
          ./bin/flux bootstrap git --manifests ./manifests/install/ \
          --components-extra=image-reflector-controller,image-automation-controller \
          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
          --branch=main \
          --path=clusters/k3s \
          --token-auth
        env:
          GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Run flux check
        run: |
          ./bin/flux check
      - name: Run flux reconcile
        run: |
          ./bin/flux reconcile ks flux-system --with-source
          ./bin/flux get all
          ./bin/flux events
      - name: Collect reconcile logs
        if: ${{ always() }}
        continue-on-error: true
        run: |
          kubectl -n flux-system get all
          kubectl -n flux-system describe pods
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
          kubectl -n flux-system logs deploy/notification-controller
      - name: Delete flux
        run: |
          ./bin/flux uninstall -s --keep-namespace
          kubectl delete ns flux-system --wait
      - name: Delete cluster
        if: ${{ always() }}
        uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        continue-on-error: true
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
      - name: Delete repository
        if: ${{ always() }}
        continue-on-error: true
        run: |
          gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
  conform-openshift:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/red-hat-openshift
        OPENSHIFT_VERSION: [ 4.17.0-okd ]
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Prepare
        id: prep
        run: |
          ID=${GITHUB_SHA:0:7}-${{ matrix.OPENSHIFT_VERSION }}-$(date +%s)
          PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
          echo "cluster=flux2-openshift-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Build
        run: make build-dev
      - name: Create repository
        run: |
          gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Create cluster
        id: create-cluster
        uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          kubernetes-distribution: "openshift"
          kubernetes-version: ${{ matrix.OPENSHIFT_VERSION }}
          ttl: 20m
          cluster-name: "${{ steps.prep.outputs.cluster }}"
          kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
          export-kubeconfig: true
      - name: Run flux bootstrap
        run: |
          ./bin/flux bootstrap git --manifests ./manifests/openshift/ \
          --components-extra=image-reflector-controller,image-automation-controller \
          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
          --branch=main \
          --path=clusters/openshift \
          --token-auth
        env:
          GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Run flux check
        run: |
          ./bin/flux check
      - name: Run flux reconcile
        run: |
          ./bin/flux reconcile ks flux-system --with-source
          ./bin/flux get all
          ./bin/flux events
      - name: Collect reconcile logs
        if: ${{ always() }}
        continue-on-error: true
        run: |
          kubectl -n flux-system get all
          kubectl -n flux-system describe pods
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
          kubectl -n flux-system logs deploy/notification-controller
      - name: Delete flux
        run: |
          ./bin/flux uninstall -s --keep-namespace
          kubectl delete ns flux-system --wait
      - name: Delete cluster
        if: ${{ always() }}
        uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        continue-on-error: true
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
      - name: Delete repository
        if: ${{ always() }}
        continue-on-error: true
        run: |
          gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@ -1,93 +0,0 @@
 name: e2e-azure
 on:
  workflow_dispatch:
  schedule:
    - cron: '0 6 * * *'
  push:
    branches:
      - main
    paths:
      - 'tests/**'
      - '.github/workflows/e2e-azure.yaml'
  pull_request:
    branches:
      - main
    paths:
      - 'tests/**'
      - '.github/workflows/e2e-azure.yaml'
 permissions:
  contents: read
 jobs:
  e2e-aks:
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: ./tests/integration
    # This job is currently disabled. Remove the false check when Azure subscription is enabled.
    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: CheckoutD
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: 1.23.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      - name: Setup Flux CLI
        run: make build
        working-directory: ./
      - name: Setup SOPS
        run: |
          mkdir -p $HOME/.local/bin
          wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
          chmod +x $HOME/.local/bin/sops
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Azure
        uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v1.4.6
        with:
          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
      - name: Set dynamic variables in .env
        run: |
          cat > .env <<EOF
          export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
          EOF
      - name: Print .env for dynamic tag value reference
        run: cat .env
      - name: Run Azure e2e tests
        env:
          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
          GITREPO_SSH_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_CONTENTS }}
          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_PUB_CONTENTS }}
        run: |
          source .env
          mkdir -p ./build/ssh
          touch ./build/ssh/key
          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
          export GITREPO_SSH_PATH=build/ssh/key
          touch ./build/ssh/key.pub
          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-azure
      - name: Ensure resource cleanup
        if: ${{ always() }}
        env:
          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
        run: source .env && make destroy-azure
--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@ -1,128 +0,0 @@
 name: e2e-bootstrap
 on:
  workflow_dispatch:
  push:
    branches: [ 'main', 'release/**' ]
  pull_request:
    branches: [ 'main', 'release/**' ]
    paths-ignore: [ 'docs/**', 'rfcs/**' ]
 permissions:
  contents: read
 jobs:
  e2e-boostrap-github:
    runs-on: ubuntu-latest
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: 1.23.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
          version: v0.24.0
          cluster_name: kind
          # The versions below should target the newest Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
          node_image: ghcr.io/fluxcd/kindest/node:v1.31.0-amd64
          kubectl_version: v1.31.0
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Setup yq
        uses: fluxcd/pkg/actions/yq@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Build
        run: make build-dev
      - name: Set outputs
        id: vars
        run: |
          REPOSITORY_NAME=${{ github.event.repository.name }}
          BRANCH_NAME=${GITHUB_REF##*/}
          COMMIT_SHA=$(git rev-parse HEAD)
          PSEUDO_RAND_SUFFIX=$(echo "${BRANCH_NAME}-${COMMIT_SHA}" | shasum | awk '{print $1}')
          TEST_REPO_NAME="${REPOSITORY_NAME}-${PSEUDO_RAND_SUFFIX}"
          echo "test_repo_name=$TEST_REPO_NAME" >> $GITHUB_OUTPUT
      - name: bootstrap init
        run: |
          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --image-pull-secret=ghcr-auth \
          --registry-creds=fluxcd:$GITHUB_TOKEN \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: verify image pull secret
        run: |
          kubectl -n flux-system get secret ghcr-auth | grep dockerconfigjson
      - name: bootstrap no-op
        run: |
          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --image-pull-secret=ghcr-auth \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: bootstrap customize
        run: |
          make setup-bootstrap-patch
          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --team=team-z
          if [ $(kubectl get deployments.apps source-controller -o jsonpath='{.spec.template.spec.securityContext.runAsUser}') != "10000" ]; then
          echo "Bootstrap not customized as controller is not running as user 10000" && exit 1
          fi
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
          GITHUB_ORG_NAME: fluxcd-testing
      - name: uninstall
        run: |
          ./bin/flux uninstall -s --keep-namespace
          kubectl delete ns flux-system --timeout=10m --wait=true
      - name: test image automation
        run: |
          make setup-image-automation
          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --read-write-key
          ./bin/flux reconcile image repository podinfo
          ./bin/flux reconcile image update flux-system
          ./bin/flux get images all
          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system | \
           yq '.status.lastPushCommit | length > 1' | grep 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
          GITHUB_ORG_NAME: fluxcd-testing
      - name: delete repository
        if: ${{ always() }}
        continue-on-error: true
        run: |
          gh repo delete fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} --yes
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Debug failure
        if: failure()
        run: |
          kubectl -n flux-system get all
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
--- a/.github/workflows/e2e-gcp.yaml
+++ b/.github/workflows/e2e-gcp.yaml
@ -1,104 +0,0 @@
 name: e2e-gcp
 on:
  workflow_dispatch:
  schedule:
    - cron: '0 6 * * *'
  push:
    branches:
      - main
    paths:
      - 'tests/**'
      - '.github/workflows/e2e-gcp.yaml'
  pull_request:
    branches:
      - main
    paths:
      - 'tests/**'
      - '.github/workflows/e2e-gcp.yaml'
 permissions:
  contents: read
 jobs:
  e2e-gcp:
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: ./tests/integration
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: 1.23.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      - name: Setup Flux CLI
        run: make build
        working-directory: ./
      - name: Setup SOPS
        run: |
          mkdir -p $HOME/.local/bin
          wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
          chmod +x $HOME/.local/bin/sops
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
        id: 'auth'
        with:
          credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
          token_format: 'access_token'
      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
      - name: Setup QEMU
        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
      - name: Log into us-central1-docker.pkg.dev
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: us-central1-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      - name: Set dynamic variables in .env
        run: |
          cat > .env <<EOF
          export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
          EOF
      - name: Print .env for dynamic tag value reference
        run: cat .env
      - name: Run GCP e2e tests
        env:
          TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
          TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
          TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
          TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
          TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
          TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
          GITREPO_SSH_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_CONTENTS }}
          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_PUB_CONTENTS }}
        run: |
          source .env
          mkdir -p ./build/ssh
          touch ./build/ssh/key
          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
          export GITREPO_SSH_PATH=build/ssh/key
          touch ./build/ssh/key.pub
          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-gcp
      - name: Ensure resource cleanup
        if: ${{ always() }}
        env:
          TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
          TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
          TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
          TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
          TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
          TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
        run: source .env && make destroy-gcp
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@ -1,255 +1,104 @@
 name: e2e
 on:
  workflow_dispatch:
  push:
    branches: [ 'main', 'release/**' ]
  pull_request:
-    branches: [ 'main', 'release/**' ]
+  push:
-    paths-ignore: [ 'docs/**', 'rfcs/**' ]
+    branches:
-
+      - master
 permissions:
  contents: read
 jobs:
-  e2e-amd64-kubernetes:
+  kind:
-    runs-on:
+    runs-on: ubuntu-latest
      group: "Default Larger Runners"
      labels: ubuntu-latest-16-cores
    services:
      registry:
        image: registry:2
        ports:
          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v2
      - name: Restore Go cache
        uses: actions/cache@v1
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@v2-beta
        with:
-          go-version: 1.23.x
+          go-version: 1.14.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        uses: engineerd/setup-kind@v0.3.0
        with:
          version: v0.24.0
          cluster_name: kind
          wait: 5s
          config: .github/kind/config.yaml # disable KIND-net
          # The versions below should target the oldest supported Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
          node_image: ghcr.io/fluxcd/kindest/node:v1.30.9-amd64
          kubectl_version: v1.30.9
      - name: Setup Calico for network policy
        run: |
          kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.3/manifests/calico.yaml
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: ./.github/actions/kustomize
-      - name: Run tests
+      - name: Run test
        run: make test
      - name: Run e2e tests
        run: TEST_KUBECONFIG=$HOME/.kube/config make e2e
      - name: Check if working tree is dirty
        run: |
          if [[ $(git diff --stat) != '' ]]; then
            git diff
            echo 'run make test and commit changes'
            exit 1
          fi
      - name: Build
-        run: make build-dev
+        run: sudo go build -o ./bin/tk ./cmd/tk
-      - name: flux check --pre
+      - name: tk check --pre
        run: |
-          ./bin/flux check --pre
+          ./bin/tk check --pre
-      - name: flux install --manifests
+      - name: tk install --version
        run: |
-          ./bin/flux install --manifests ./manifests/install/
+          ./bin/tk install --version=master --namespace=test --verbose
-      - name: flux create secret
+      - name: tk uninstall
        run: |
-          ./bin/flux create secret git git-ssh-test \
+          ./bin/tk uninstall --namespace=test --crds --silent
-            --url ssh://git@github.com/stefanprodan/podinfo
+      - name: tk install --manifests
          ./bin/flux create secret git git-https-test \
            --url https://github.com/stefanprodan/podinfo \
            --username=test --password=test
          ./bin/flux create secret helm helm-test \
            --username=test --password=test
      - name: flux create source git
        run: |
-          ./bin/flux create source git podinfo \
+          ./bin/tk install --manifests ./manifests/install/ --version=""
-            --url https://github.com/stefanprodan/podinfo  \
+      - name: tk create source git
            --tag-semver=">=6.3.5"
      - name: flux create source git export apply
        run: |
-          ./bin/flux create source git podinfo-export \
+          ./bin/tk create source git podinfo \
            --url https://github.com/stefanprodan/podinfo  \
-            --tag-semver=">=6.3.5" \
+            --tag-semver=">=3.2.3"
-            --export | kubectl apply -f -
+      - name: tk get sources git
          ./bin/flux delete source git podinfo-export --silent
      - name: flux get sources git
        run: |
-          ./bin/flux get sources git
+          ./bin/tk get sources git
-      - name: flux get sources git --all-namespaces
+      - name: tk create kustomization
        run: |
-          ./bin/flux get sources git --all-namespaces
+          ./bin/tk create kustomization podinfo \
      - name: flux create kustomization
        run: |
          ./bin/flux create kustomization podinfo \
            --source=podinfo \
            --path="./deploy/overlays/dev" \
            --prune=true \
            --interval=5m \
            --validate=client \
            --health-check="Deployment/frontend.dev" \
            --health-check="Deployment/backend.dev" \
            --health-check-timeout=3m
-      - name: flux trace
+      - name: tk sync kustomization --with-source
        run: |
          ./bin/flux trace frontend \
            --kind=deployment \
            --api-version=apps/v1 \
            --namespace=dev
      - name: flux reconcile kustomization --with-source
        run: |
          ./bin/flux reconcile kustomization podinfo --with-source
      - name: flux get kustomizations
        run: |
          ./bin/flux get kustomizations
      - name: flux get kustomizations --all-namespaces
        run: |
          ./bin/flux get kustomizations --all-namespaces
      - name: flux suspend kustomization
        run: |
          ./bin/flux suspend kustomization podinfo
      - name: flux resume kustomization
        run: |
-          ./bin/flux resume kustomization podinfo
+          ./bin/tk sync kustomization podinfo --with-source
-      - name: flux export
+      - name: tk get kustomizations
        run: |
-          ./bin/flux export source git --all
+          ./bin/tk get kustomizations
-          ./bin/flux export kustomization --all
+      - name: tk suspend kustomization
      - name: flux delete kustomization
        run: |
-          ./bin/flux delete kustomization podinfo --silent
+          ./bin/tk suspend kustomization podinfo
-      - name: flux create source helm
+      - name: tk resume kustomization
        run: |
-          ./bin/flux create source helm podinfo \
+          ./bin/tk resume kustomization podinfo
-            --url https://stefanprodan.github.io/podinfo
+      - name: tk export
      - name: flux create helmrelease --source=HelmRepository/podinfo
        run: |
-          ./bin/flux create hr podinfo-helm \
+          ./bin/tk export source git --all
-            --target-namespace=default \
+          ./bin/tk export kustomization --all
-            --source=HelmRepository/podinfo.flux-system \
+      - name: tk delete kustomization
            --chart=podinfo \
            --chart-version=">6.0.0 <7.0.0"
      - name: flux create helmrelease --source=GitRepository/podinfo
        run: |
-          ./bin/flux create hr podinfo-git \
+          ./bin/tk delete kustomization podinfo --silent
-            --target-namespace=default \
+      - name: tk delete source git
            --source=GitRepository/podinfo \
            --chart=./charts/podinfo
      - name: flux reconcile helmrelease --with-source
        run: |
-          ./bin/flux reconcile helmrelease podinfo-git --with-source
+          ./bin/tk delete source git podinfo --silent
-      - name: flux get helmreleases
+      - name: tk check
        run: |
-          ./bin/flux get helmreleases
+          ./bin/tk check
      - name: flux get helmreleases --all-namespaces
        run: |
          ./bin/flux get helmreleases --all-namespaces
      - name: flux export helmrelease
        run: |
          ./bin/flux export hr --all
      - name: flux delete helmrelease podinfo-helm
        run: |
          ./bin/flux delete hr podinfo-helm --silent
      - name: flux delete helmrelease podinfo-git
        run: |
          ./bin/flux delete hr podinfo-git --silent
      - name: flux delete source helm
        run: |
          ./bin/flux delete source helm podinfo --silent
      - name: flux delete source git
        run: |
          ./bin/flux delete source git podinfo --silent
      - name: flux oci artifacts
        run: |
          ./bin/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
            --path="./manifests" \
            --source="${{ github.repositoryUrl }}" \
            --revision="${{ github.ref }}@sha1:${{ github.sha }}"
          ./bin/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
            --tag latest
          ./bin/flux list artifacts oci://localhost:5000/fluxcd/flux
      - name: flux oci repositories
        run: |
          ./bin/flux create source oci podinfo-oci \
            --url oci://ghcr.io/stefanprodan/manifests/podinfo \
            --tag-semver 6.3.x \
            --interval 10m
          ./bin/flux create kustomization podinfo-oci \
            --source=OCIRepository/podinfo-oci \
            --path="./" \
            --prune=true \
            --interval=5m \
            --target-namespace=default \
            --wait=true \
            --health-check-timeout=3m
          ./bin/flux reconcile source oci podinfo-oci
          ./bin/flux suspend source oci podinfo-oci
          ./bin/flux get sources oci
          ./bin/flux resume source oci podinfo-oci
          ./bin/flux export source oci podinfo-oci
          ./bin/flux delete ks podinfo-oci --silent
          ./bin/flux delete source oci podinfo-oci --silent
      - name: flux create tenant
        run: |
          ./bin/flux create tenant dev-team --with-namespace=apps
          ./bin/flux -n apps create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
          ./bin/flux -n apps create hr podinfo-helm \
            --source=HelmRepository/podinfo \
            --chart=podinfo \
            --chart-version="6.3.x" \
            --service-account=dev-team
      - name: flux2-kustomize-helm-example
        run: |
          ./bin/flux create source git flux-system \
          --url=https://github.com/fluxcd/flux2-kustomize-helm-example \
          --branch=main \
          --ignore-paths="./clusters/**/flux-system/" \
          --recurse-submodules
          ./bin/flux create kustomization flux-system \
          --source=flux-system \
          --path=./clusters/staging
          kubectl -n flux-system wait kustomization/infra-controllers --for=condition=ready --timeout=5m
          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=5m
          kubectl -n podinfo wait helmrelease/podinfo --for=condition=ready --timeout=5m
      - name: flux tree
        run: |
          ./bin/flux tree kustomization flux-system | grep Service/podinfo
      - name: flux events
        run: |
          ./bin/flux -n flux-system events --for Kustomization/apps | grep 'HelmRelease/podinfo'
          ./bin/flux -n podinfo events --for HelmRelease/podinfo | grep 'podinfo.v1'
      - name: flux stats
        run: |
          ./bin/flux stats -A
      - name: flux check
        run: |
          ./bin/flux check
      - name: flux version
        run: |
          ./bin/flux version
      - name: flux uninstall
        run: |
          ./bin/flux uninstall --silent
      - name: Debug failure
        if: failure()
        run: |
          kubectl version --client --short
-          kubectl -n flux-system get all
+          kustomize version --short
-          kubectl -n flux-system describe pods
+          kubectl -n gitops-system get all
-          kubectl -n flux-system get kustomizations -oyaml
+          kubectl -n gitops-system get kustomizations -oyaml
-          kubectl -n flux-system logs deploy/source-controller
+          kubectl -n gitops-system logs deploy/source-controller
-          kubectl -n flux-system logs deploy/kustomize-controller
+          kubectl -n gitops-system logs deploy/kustomize-controller
--- a/.github/workflows/ossf.yaml
+++ b/.github/workflows/ossf.yaml
@ -1,39 +0,0 @@
 name: ossf
 on:
  workflow_dispatch:
  push:
    branches:
      - main
  schedule:
    # Weekly on Saturdays.
    - cron:  '30 1 * * 6'
 permissions: read-all
 jobs:
  scorecard:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run analysis
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          publish_results: true
      - name: Upload artifact
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          sarif_file: results.sarif
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -2,199 +2,33 @@ name: release
 on:
  push:
-    tags: ["v*"]
+    tags:
-
+      - '*'
 permissions:
  contents: read
 jobs:
-  release-flux-cli:
+  goreleaser:
    outputs:
      hashes: ${{ steps.slsa.outputs.hashes }}
      image_url: ${{ steps.slsa.outputs.image_url }}
      image_digest: ${{ steps.slsa.outputs.image_digest }}
    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to write releases
      id-token: write # needed for keyless signing
      packages: write # needed for ghcr access
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v2
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@v2-beta
        with:
          go-version: 1.23.x
          cache: false
      - name: Setup QEMU
        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
      - name: Setup Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
      - name: Setup Syft
        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
      - name: Setup Cosign
        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
      - name: Generate manifests
        run: |
          make cmd/flux/.manifests.done
          ./manifests/scripts/bundle.sh "" ./output manifests.tar.gz
          kustomize build ./manifests/install > ./output/install.yaml
      - name: Build CRDs
        run: |
          kustomize build manifests/crds > all-crds.yaml
      - name: Generate OpenAPI JSON schemas from CRDs
        uses: fluxcd/pkg/actions/crdjsonschema@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
        with:
-          crd: all-crds.yaml
+          go-version: 1.14.x
-          output: schemas
+      - name: Download release notes utility
-      - name: Archive the OpenAPI JSON schemas
+        env:
          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
      - name: Generate release notes
        run: |
-          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
+          echo 'CHANGELOG' > /tmp/release.txt
          github-release-notes -org fluxcd -repo toolkit >> /tmp/release.txt
      - name: Run GoReleaser
-        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@v1
        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
        with:
          version: latest
-          args: release --skip=validate
+          args: release --release-notes=/tmp/release.txt
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
          AUR_BOT_SSH_PRIVATE_KEY: ${{ secrets.AUR_BOT_SSH_PRIVATE_KEY }}
      - name: Generate SLSA metadata
        id: slsa
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
          echo "hashes=$hashes" >> $GITHUB_OUTPUT
          image_url=fluxcd/flux-cli:$GITHUB_REF_NAME
          echo "image_url=$image_url" >> $GITHUB_OUTPUT
          image_digest=$(docker buildx imagetools inspect ${image_url}  --format '{{json .}}' | jq -r .manifest.digest)
          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
  release-flux-manifests:
    runs-on: ubuntu-latest
    needs: release-flux-cli
    permissions:
      id-token: write
      packages: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Setup Flux CLI
        uses: ./action/
      - name: Prepare
        id: prep
        run: |
          VERSION=$(flux version --client | awk '{ print $NF }')
          echo "version=${VERSION}" >> $GITHUB_OUTPUT
      - name: Login to GHCR
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
      - name: Push manifests to GHCR
        run: |
          mkdir -p ./ghcr.io/flux-system
          flux install --registry=ghcr.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./ghcr.io/flux-system/gotk-components.yaml
          cd ./ghcr.io && flux push artifact \
          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
      - name: Push manifests to DockerHub
        run: |
          mkdir -p ./docker.io/flux-system
          flux install --registry=docker.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./docker.io/flux-system/gotk-components.yaml
          cd ./docker.io && flux push artifact \
          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
      - uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
          cosign sign --yes ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }}
          cosign sign --yes docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }}
      - name: Tag manifests
        run: |
          flux tag artifact oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --tag latest
          flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --tag latest
  release-provenance:
    needs: [release-flux-cli]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      contents: write # for uploading attestations to GitHub releases.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      provenance-name: "provenance.intoto.jsonl"
      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
      upload-assets: true
  dockerhub-provenance:
    needs: [release-flux-cli]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
      registry-username: fluxcdbot
    secrets:
      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
  ghcr-provenance:
    needs: [release-flux-cli]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
      registry-username: fluxcdbot
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@ -1,86 +0,0 @@
 name: scan
 on:
  workflow_dispatch:
  push:
    branches: [ 'main', 'release/**' ]
  pull_request:
    branches: [ 'main', 'release/**' ]
  schedule:
    - cron: '18 10 * * 3'
 permissions:
  contents: read
 jobs:
  scan-fossa:
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run FOSSA scan and upload build data
        uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
          github-token: ${{ github.token }}
  scan-snyk:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version-file: 'go.mod'
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Download modules and build manifests
        run: |
          make tidy
          make cmd/flux/.manifests.done
      - uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf
      - name:  Run Snyk to check for vulnerabilities
        continue-on-error: true
        run: |
          snyk test --all-projects --sarif-file-output=snyk.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload result to GitHub Code Scanning
        continue-on-error: true
        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          sarif_file: snyk.sarif
  scan-codeql:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version-file: 'go.mod'
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Initialize CodeQL
        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          languages: go
          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # xref: https://codeql.github.com/codeql-query-help/go/
          queries: security-and-quality
      - name: Autobuild
        uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@ -1,28 +0,0 @@
 name: sync-labels
 on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - .github/labels.yaml
 permissions:
  contents: read
 jobs:
  labels:
    name: Run sync
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
        with:
          # Configuration file
          config-file: |
            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
            .github/labels.yaml
          # Strictly declarative
          delete-other-labels: true
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@ -1,108 +0,0 @@
 name: update
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 * * * *"
  push:
    branches: [main]
 permissions:
  contents: read
 jobs:
  update-components:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Check out code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: 1.23.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Update component versions
        id: update
        run: |
          PR_BODY=$(mktemp)
          bump_version() {
            local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
            local CTRL_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
            local CRD_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p" manifests/crds/kustomization.yaml)
            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "github.com/fluxcd/$1/api")
            local changed=false
            if [[ "${CTRL_VERSION}" != "${LATEST_VERSION}" ]]; then
              sed -i "s/\($1\/releases\/download\/\)v.*\(\/.*\)/\1${LATEST_VERSION}\2/g" "manifests/bases/$1/kustomization.yaml"
              changed=true
            fi
            if [[ "${CRD_VERSION}" != "${LATEST_VERSION}" ]]; then
              sed -i "s/\($1\/releases\/download\/\)v.*\(\/.*\)/\1${LATEST_VERSION}\2/g" "manifests/crds/kustomization.yaml"
              changed=true
            fi
            if [[ "${MOD_VERSION}" != "${LATEST_VERSION}" ]]; then
              go mod edit -require="github.com/fluxcd/$1/api@${LATEST_VERSION}"
              make tidy
              changed=true
            fi
            if [[ "$changed" == true ]]; then
              echo "- $1 to ${LATEST_VERSION}" >> $PR_BODY
              echo "  https://github.com/fluxcd/$1/blob/${LATEST_VERSION}/CHANGELOG.md" >> $PR_BODY
            fi
          }
          {
            # bump controller versions
            bump_version helm-controller
            bump_version kustomize-controller
            bump_version source-controller
            bump_version notification-controller
            bump_version image-reflector-controller
            bump_version image-automation-controller
            # diff change
            git diff
            # export PR_BODY for PR and commit
            # NB: this may look strange but it is the way it should be done to
            # maintain our precious newlines
            # Ref: https://github.com/github/docs/issues/21529
            echo 'pr_body<<EOF' >> $GITHUB_OUTPUT
            cat $PR_BODY >> $GITHUB_OUTPUT
            echo 'EOF' >> $GITHUB_OUTPUT
          }
      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
            Update toolkit components
            ${{ steps.update.outputs.pr_body }}
          committer: GitHub <noreply@github.com>
          author: fluxcdbot <fluxcdbot@users.noreply.github.com>
          signoff: true
          branch: update-components
          title: Update toolkit components
          body: |
            ${{ steps.update.outputs.pr_body }}
          labels: |
            dependencies
          reviewers: ${{ secrets.ASSIGNEES }}
      - name: Check output
        run: |
          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
--- a/.gitignore
+++ b/.gitignore
@ -11,16 +11,6 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 # Release
 dist/
 # Dependency directories (remove the comment below to include it)
 # vendor/
-bin/
+bin/
 output/
 cmd/flux/manifests/
 cmd/flux/.manifests.done
 testbin/
 # Docs
 site/
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -1,177 +1,14 @@
 project_name: flux
 changelog:
  use: github-native
 builds:
-  - <<: &build_defaults
+  - main: ./cmd/tk
-      binary: flux
+    binary: tk
      main: ./cmd/flux
      ldflags:
        - -s -w -X main.VERSION={{ .Version }}
      env:
        - CGO_ENABLED=0
    id: linux
    goos:
      - linux
    goarch:
      - amd64
      - arm64
      - arm
    goarm:
      - "7"
  - <<: *build_defaults
    id: darwin
    goos:
      - darwin
      - linux
    goarch:
      - amd64
-      - arm64
+    env:
-  - <<: *build_defaults
+      - CGO_ENABLED=0
    id: windows
    goos:
      - windows
 archives:
  - name_template: "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
    id: nix
    builds: [linux, darwin]
    format: tar.gz
    files:
      - none*
  - name_template: "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
    id: windows
    builds: [windows]
    format: zip
    files:
      - none*
 source:
  enabled: true
  name_template: '{{ .ProjectName }}_{{ .Version }}_source_code'
 sboms:
  - id: source
    artifacts: source
    documents:
      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
 release:
  extra_files:
    - glob: output/crd-schemas.tar.gz
    - glob: output/manifests.tar.gz
    - glob: output/install.yaml
 checksum:
  extra_files:
    - glob: output/crd-schemas.tar.gz
    - glob: output/manifests.tar.gz
    - glob: output/install.yaml
 signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    certificate: '${artifact}.pem'
    args:
      - sign-blob
      - "--yes"
      - '--output-certificate=${certificate}'
      - '--output-signature=${signature}'
      - '${artifact}'
    artifacts: checksum
    output: true
 brews:
  - name: flux
    repository:
      owner: fluxcd
      name: homebrew-tap
      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
    directory: Formula
    homepage: "https://fluxcd.io/"
    description: "Flux CLI"
    install: |
      bin.install "flux"
      generate_completions_from_executable(bin/"flux", "completion")
    test: |
      system "#{bin}/flux --version"
 publishers:
  - name: aur-pkg-bin
    env:
      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
    cmd: |
      .github/aur/flux-bin/publish.sh {{ .Version }}
  - name: aur-pkg-scm
    env:
      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
    cmd: |
      .github/aur/flux-scm/publish.sh {{ .Version }}
  - name: aur-pkg-go
    env:
      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
    cmd: |
      .github/aur/flux-go/publish.sh {{ .Version }}
 dockers:
 - image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-amd64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
  dockerfile: Dockerfile
  use: buildx
  goos: linux
  goarch: amd64
  build_flag_templates:
   - "--pull"
   - "--build-arg=ARCH=linux/amd64"
   - "--label=org.opencontainers.image.created={{ .Date }}"
   - "--label=org.opencontainers.image.name={{ .ProjectName }}"
   - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
   - "--label=org.opencontainers.image.version={{ .Version }}"
   - "--label=org.opencontainers.image.source={{ .GitURL }}"
   - "--platform=linux/amd64"
 - image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-arm64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
  dockerfile: Dockerfile
  use: buildx
  goos: linux
  goarch: arm64
  build_flag_templates:
    - "--pull"
    - "--build-arg=ARCH=linux/arm64"
    - "--label=org.opencontainers.image.created={{ .Date }}"
    - "--label=org.opencontainers.image.name={{ .ProjectName }}"
    - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
    - "--label=org.opencontainers.image.version={{ .Version }}"
    - "--label=org.opencontainers.image.source={{ .GitURL }}"
    - "--platform=linux/arm64"
 - image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-arm'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
  dockerfile: Dockerfile
  use: buildx
  goos: linux
  goarch: arm
  goarm: 7
  build_flag_templates:
    - "--pull"
    - "--build-arg=ARCH=linux/arm"
    - "--label=org.opencontainers.image.created={{ .Date }}"
    - "--label=org.opencontainers.image.name={{ .ProjectName }}"
    - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
    - "--label=org.opencontainers.image.version={{ .Version }}"
    - "--label=org.opencontainers.image.source={{ .GitURL }}"
    - "--platform=linux/arm/v7"
 docker_manifests:
 - name_template: 'fluxcd/flux-cli:{{ .Tag }}'
  image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-amd64'
    - 'fluxcd/flux-cli:{{ .Tag }}-arm64'
    - 'fluxcd/flux-cli:{{ .Tag }}-arm'
 - name_template: 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}'
  image_templates:
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
 docker_signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    args:
      - sign
      - "--yes"
      - '${artifact}'
    artifacts: all
    output: true
--- a/.scorecard.yml
+++ b/.scorecard.yml
@ -1,5 +0,0 @@
 annotations:
  - checks:
      - dangerous-workflow
    reasons:
      - reason: not-applicable # This workflow does not run untrusted code, the bot will only backport a code if the a PR was approved and merged into main.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,9 +1,8 @@
 # Contributing
-Flux is [Apache 2.0 licensed](https://github.com/fluxcd/flux2/blob/main/LICENSE) and
+FluxCD toolkit is [Apache 2.0 licensed](LICENSE) and accepts contributions
-accepts contributions via GitHub pull requests. This document outlines
+via GitHub pull requests. This document outlines some of the conventions on
-some of the conventions on to make it easier to get your contribution
+to make it easier to get your contribution accepted.
 accepted.
 We gratefully welcome improvements to issues and documentation as well as to
 code.
@ -13,115 +12,30 @@ code.
 By contributing to this project you agree to the Developer Certificate of
 Origin (DCO). This document was created by the Linux Kernel community and is a
 simple statement that you, as a contributor, have the legal right to make the
-contribution.
+contribution. No action from you is required, but it's a good idea to see the
-
+[DCO](DCO) file for details before you start contributing code to FluxCD
-We require all commits to be signed. By signing off with your signature, you
+toolkit.
 certify that you wrote the patch or otherwise have the right to contribute the
 material by the rules of the [DCO](DCO):
 `Signed-off-by: Jane Doe <jane.doe@example.com>`
 The signature must contain your real name
 (sorry, no pseudonyms or anonymous contributions)
 If your `user.name` and `user.email` are configured in your Git config,
 you can sign your commit automatically with `git commit -s`.
 ## Communications
-For realtime communications we use Slack: To join the conversation, simply
+The project uses Slack: To join the conversation, simply join the
-join the [CNCF](https://slack.cncf.io/) Slack workspace and use the
+[CNCF](https://slack.cncf.io/) Slack workspace and use the
-[#flux-contributors](https://cloud-native.slack.com/messages/flux-contributors/) channel.
+[#flux](https://cloud-native.slack.com/messages/flux/) channel.
 To discuss ideas and specifications we use [Github
 Discussions](https://github.com/fluxcd/flux2/discussions).
 For announcements we use a mailing list as well. Simply subscribe to
 [flux-dev on cncf.io](https://lists.cncf.io/g/cncf-flux-dev)
 to join the conversation (there you can also add calendar invites
 to your Google calendar for our [Flux
 meeting](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view)).
 ## Understanding Flux and the GitOps Toolkit
 If you are entirely new to Flux and the GitOps Toolkit,
 you might want to take a look at the [introductory talk and demo](https://www.youtube.com/watch?v=qQBtSkgl7tI).
 This project is composed of:
 - [flux2](https://github.com/fluxcd/flux2): The Flux CLI
 - [source-manager](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git and Helm repositories, S3-compatible Buckets)
 - [kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
 - [helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for building GitOps pipelines with Helm
 - [notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events
 - [image-reflector-controller](https://github.com/fluxcd/image-reflector-controller): Kubernetes operator for scanning container registries
 - [image-automation-controller](https://github.com/fluxcd/image-automation-controller): Kubernetes operator for patches container image tags in Git
-### Understanding the code
+The developers use a mailing list to discuss development as well.
 Simply subscribe to [flux-dev on cncf.io](https://lists.cncf.io/g/cncf-flux-dev)
 to join the conversation (this will also add an invitation to your
 Google calendar for our [Flux
 meeting](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/edit#)).
-To get started with developing controllers, you might want to review
+### How to run the test suite
 [our guide](https://fluxcd.io/flux/gitops-toolkit/source-watcher/) which
 walks you through writing a short and concise controller that watches out
 for source changes.
-## How to run the test suite
+You can run the unit tests by simply doing
 Prerequisites:
 * go >= 1.20
 * kubectl >= 1.24
 * kustomize >= 5.0
 * coreutils (on Mac OS)
 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
 ```bash
 make install-envtest
 ```
 Then you can run the unit tests with:
 ```bash
 make test
 ```
 After [installing Kubernetes kind](https://kind.sigs.k8s.io/docs/user/quick-start#installation) on your machine,
 create a cluster for testing with:
 ```bash
 make setup-kind
 ```
 Then you can run the end-to-end tests with:
 ```bash
 make e2e
 ```
 When the output of the Flux CLI changes, to automatically update the golden
 files used in the test, pass `-update` flag to the test as:
 ```bash
 make e2e TEST_ARGS="-update"
 ```
 Since not all packages use golden files for testing, `-update` argument must be
 passed only for the packages that use golden files. Use the variables
 `TEST_PKG_PATH` for unit tests and `E2E_TEST_PKG_PATH` for e2e tests, to set the
 path of the target test package:
 ```bash
 # Unit test
 make test TEST_PKG_PATH="./cmd/flux" TEST_ARGS="-update"
 # e2e test
 make e2e E2E_TEST_PKG_PATH="./cmd/flux" TEST_ARGS="-update"
 ```
 Teardown the e2e environment with:
 ```bash
 make cleanup-kind
 ```
 ## Acceptance policy
 These things will make a PR more likely to be accepted:
@ -143,7 +57,7 @@ get asked to resubmit the PR or divide the changes into more than one PR.
 ### Format of the Commit Message
-For the GitOps Toolkit controllers we prefer the following rules for good commit messages:
+For Source Controller we prefer the following rules for good commit messages:
 - Limit the subject to 50 characters and write as the continuation
  of the sentence "If applied, this commit will ..."
--- a/21
+++ b/21
@ -1,21 +0,0 @@
 FROM alpine:3.21 AS builder
 RUN apk add --no-cache ca-certificates curl
 ARG ARCH=linux/amd64
 ARG KUBECTL_VER=1.32.2
 RUN curl -sL https://dl.k8s.io/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
 RUN kubectl version --client=true
 FROM alpine:3.21 AS flux-cli
 RUN apk add --no-cache ca-certificates
 COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/
 COPY --chmod=755 flux /usr/local/bin/
 USER 65534:65534
 ENTRYPOINT [ "flux" ]
--- a/6
+++ b/6
@ -2,7 +2,7 @@ The maintainers are generally available in Slack at
 https://cloud-native.slack.com in #flux (https://cloud-native.slack.com/messages/CLAJ40HV3)
 (obtain an invitation at https://slack.cncf.io/).
-The Flux2 maintainers team is identical with the core maintainers of the project
+In alphabetical order:
 as listed in
-    https://github.com/fluxcd/community/blob/main/CORE-MAINTAINERS
+Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
 Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)
--- a/94
+++ b/94
@ -1,24 +1,9 @@
-VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | head -n 1 | tr -d '"')
+VERSION?=$(shell grep 'VERSION' cmd/tk/main.go | awk '{ print $$4 }' | tr -d '"')
 DEV_VERSION?=0.0.0-$(shell git rev-parse --abbrev-ref HEAD)-$(shell git rev-parse --short HEAD)-$(shell date +%s)
 EMBEDDED_MANIFESTS_TARGET=cmd/flux/.manifests.done
 TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
 # Architecture to use envtest with
 ENVTEST_ARCH ?= amd64
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
 else
 GOBIN=$(shell go env GOBIN)
 endif
 rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2)) $(filter $(subst *,%,$(2)),$(d)))
 all: test build
 tidy:
-	go mod tidy -compat=1.23
+	go mod tidy
 	cd tests/integration && go mod tidy -compat=1.23
 fmt:
 	go fmt ./...
@ -26,73 +11,18 @@ fmt:
 vet:
 	go vet ./...
-setup-kind:
+test: tidy fmt vet
-	kind create cluster --name=flux-e2e-test --kubeconfig=$(TEST_KUBECONFIG) --config=.github/kind/config.yaml
+	go test ./... -coverprofile cover.out
 	kubectl --kubeconfig=$(TEST_KUBECONFIG) apply -f https://docs.projectcalico.org/v3.16/manifests/calico.yaml
 	kubectl --kubeconfig=$(TEST_KUBECONFIG) -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
 cleanup-kind:
 	kind delete cluster --name=flux-e2e-test
 	rm $(TEST_KUBECONFIG)
 KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
 TEST_PKG_PATH="./..."
 test: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet install-envtest
 	KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test $(TEST_PKG_PATH) -coverprofile cover.out --tags=unit $(TEST_ARGS)
 E2E_TEST_PKG_PATH="./cmd/flux/..."
 e2e: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet
 	TEST_KUBECONFIG=$(TEST_KUBECONFIG) go test $(E2E_TEST_PKG_PATH) -coverprofile e2e.cover.out --tags=e2e -v -failfast $(TEST_ARGS)
 test-with-kind: install-envtest
 	make setup-kind
 	make e2e
 	make cleanup-kind
 $(EMBEDDED_MANIFESTS_TARGET): $(call rwildcard,manifests/,*.yaml *.json)
 	./manifests/scripts/bundle.sh
 	touch $@
-build: $(EMBEDDED_MANIFESTS_TARGET)
+build:
-	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(VERSION)" -o ./bin/flux ./cmd/flux
+	CGO_ENABLED=0 go build -o ./bin/tk ./cmd/tk
 build-dev: $(EMBEDDED_MANIFESTS_TARGET)
 	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(DEV_VERSION)" -o ./bin/flux ./cmd/flux
 .PHONY: install
 install:
-	CGO_ENABLED=0 go install ./cmd/flux
+	go install cmd/tk
 install-dev:
 	CGO_ENABLED=0 go build -o /usr/local/bin ./cmd/flux
 setup-bootstrap-patch:
 	go run ./tests/bootstrap/main.go
-setup-image-automation:
+.PHONY: docs
-	cd tests/image-automation && go run main.go
+docs:
 	mkdir -p ./docs/cmd && go run ./cmd/tk/ docgen
-ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
+install-dev:
-ENVTEST_KUBERNETES_VERSION?=latest
+	CGO_ENABLED=0 go build -o /usr/local/bin ./cmd/tk
 install-envtest: setup-envtest
 	mkdir -p ${ENVTEST_ASSETS_DIR}
 	$(ENVTEST) use $(ENVTEST_KUBERNETES_VERSION) --arch=$(ENVTEST_ARCH) --bin-dir=$(ENVTEST_ASSETS_DIR)
 ENVTEST = $(shell pwd)/bin/setup-envtest
 .PHONY: envtest
 setup-envtest: ## Download envtest-setup locally if necessary.
 	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
 # go-install-tool will 'go install' any package $2 and install it to $1.
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 define go-install-tool
@[ -f $(1) ] || { \
 set -e ;\
 TMP_DIR=$$(mktemp -d) ;\
 cd $$TMP_DIR ;\
 go mod init tmp ;\
 echo "Downloading $(2)" ;\
 GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
 rm -rf $$TMP_DIR ;\
 }
 endef
--- a/README.md
+++ b/README.md
@ -1,101 +1,17 @@
-# Flux version 2
+# toolkit
-[![release](https://img.shields.io/github/release/fluxcd/flux2/all.svg)](https://github.com/fluxcd/flux2/releases)
+[![e2e](https://github.com/fluxcd/toolkit/workflows/e2e/badge.svg)](https://github.com/fluxcd/toolkit/actions)
-[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
+[![report](https://goreportcard.com/badge/github.com/fluxcd/toolkit)](https://goreportcard.com/report/github.com/fluxcd/toolkit)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2/badge)](https://scorecard.dev/viewer/?uri=github.com/fluxcd/flux2)
+[![license](https://img.shields.io/github/license/fluxcd/toolkit.svg)](https://github.com/fluxcd/toolkit/blob/master/LICENSE)
-[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2?ref=badge_shield)
+[![release](https://img.shields.io/github/release/fluxcd/toolkit/all.svg)](https://github.com/fluxcd/toolkit/releases)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/flux2)](https://artifacthub.io/packages/helm/fluxcd-community/flux2)
 [![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://fluxcd.io/flux/security/slsa-assessment)
-Flux is a tool for keeping Kubernetes clusters in sync with sources of
+Experimental toolkit for assembling CD pipelines the GitOps way.
 configuration (like Git repositories and OCI artifacts),
 and automating updates to configuration when there is new code to deploy.
-Flux version 2 ("v2") is built from the ground up to use Kubernetes'
+![overview](docs/diagrams/tk-overview.png)
 API extension system, and to integrate with Prometheus and other core
 components of the Kubernetes ecosystem. In version 2, Flux supports
 multi-tenancy and support for syncing an arbitrary number of Git
 repositories, among other long-requested features.
-Flux v2 is constructed with the [GitOps Toolkit](#gitops-toolkit), a
+Components:
-set of composable APIs and specialized tools for building Continuous
+* [Toolkit CLI](docs/cmd/tk.md)
-Delivery on top of Kubernetes.
+* [Source Controller](https://github.com/fluxcd/source-controller)
 * [Kustomize Controller](https://github.com/fluxcd/kustomize-controller)
-Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) graduated project, used in
+To install the toolkit CLI, follow the [instructions](install/README.md).
 production by various [organisations](https://fluxcd.io/adopters) and [cloud providers](https://fluxcd.io/ecosystem).
 ## Quickstart and documentation
 To get started check out this [guide](https://fluxcd.io/flux/get-started/)
 on how to bootstrap Flux on Kubernetes and deploy a sample application in a GitOps manner.
 For more comprehensive documentation, see the following guides:
 - [Ways of structuring your repositories](https://fluxcd.io/flux/guides/repository-structure/)
 - [Manage Helm Releases](https://fluxcd.io/flux/guides/helmreleases/)
 - [Automate image updates to Git](https://fluxcd.io/flux/guides/image-update/)  
 - [Manage Kubernetes secrets with Flux and SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)  
 If you need help, please refer to our **[Support page](https://fluxcd.io/support/)**.
 ## GitOps Toolkit
 The GitOps Toolkit is the set of APIs and controllers that make up the
 runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.
 ![overview](https://raw.githubusercontent.com/fluxcd/flux2/main/docs/diagrams/fluxcd-controllers.png)
 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
 guides](https://fluxcd.io/flux/gitops-toolkit/source-watcher/).
 ### Components
 - [Source Controller](https://fluxcd.io/flux/components/source/)
    - [GitRepository CRD](https://fluxcd.io/flux/components/source/gitrepositories/)
    - [OCIRepository CRD](https://fluxcd.io/flux/components/source/ocirepositories/)
    - [HelmRepository CRD](https://fluxcd.io/flux/components/source/helmrepositories/)
    - [HelmChart CRD](https://fluxcd.io/flux/components/source/helmcharts/)
    - [Bucket CRD](https://fluxcd.io/flux/components/source/buckets/)
 - [Kustomize Controller](https://fluxcd.io/flux/components/kustomize/)
    - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomizations/)
 - [Helm Controller](https://fluxcd.io/flux/components/helm/)
    - [HelmRelease CRD](https://fluxcd.io/flux/components/helm/helmreleases/)
 - [Notification Controller](https://fluxcd.io/flux/components/notification/)
    - [Provider CRD](https://fluxcd.io/flux/components/notification/providers/)
    - [Alert CRD](https://fluxcd.io/flux/components/notification/alerts/)
    - [Receiver CRD](https://fluxcd.io/flux/components/notification/receivers/)
 - [Image Automation Controllers](https://fluxcd.io/flux/components/image/)
  - [ImageRepository CRD](https://fluxcd.io/flux/components/image/imagerepositories/)
  - [ImagePolicy CRD](https://fluxcd.io/flux/components/image/imagepolicies/)
  - [ImageUpdateAutomation CRD](https://fluxcd.io/flux/components/image/imageupdateautomations/)
 ## Community
 Need help or want to contribute? Please see the links below. The Flux project is always looking for
 new contributors and there are a multitude of ways to get involved.
 - Getting Started?
    - Look at our [Get Started guide](https://fluxcd.io/flux/get-started/) and give us feedback
 - Need help?
    - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions).
    - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/).
    - Please follow our [Support Guidelines](https://fluxcd.io/support/)
      (in short: be nice, be respectful of volunteers' time, understand that maintainers and
      contributors cannot respond to all DMs, and keep discussions in the public #flux channel as much as possible).
 - Have feature proposals or want to contribute?
    - Propose features on our [GitHub Discussions page](https://github.com/fluxcd/flux2/discussions).
    - Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view)).
    - [Join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
    - Check out [how to contribute](CONTRIBUTING.md) to the project.
    - Check out the [project roadmap](https://fluxcd.io/roadmap/).
 ### Events
 Check out our **[events calendar](https://fluxcd.io/#calendar)**,
 both with upcoming talks, events and meetings you can attend.
 Or view the **[resources section](https://fluxcd.io/resources)**
 with past events videos you can watch.
 We look forward to seeing you with us!
--- a/action/README.md
+++ b/action/README.md
@ -1,22 +0,0 @@
 # Flux GitHub Action
 To install the latest Flux CLI on Linux, macOS or Windows GitHub runners:
 ```yaml
 steps:
  - name: Setup Flux CLI
    uses: fluxcd/flux2/action@main
    with:
      version: 'latest'
  - name: Run Flux CLI
    run: flux version --client
 ```
 The Flux GitHub Action can be used to automate various tasks in CI, such as:
 - [Automate Flux upgrades on clusters via Pull Requests](https://fluxcd.io/flux/flux-gh-action/#automate-flux-updates)
 - [Push Kubernetes manifests to container registries](https://fluxcd.io/flux/flux-gh-action/#push-kubernetes-manifests-to-container-registries)
 - [Run end-to-end testing with Flux and Kubernetes Kind](https://fluxcd.io/flux/flux-gh-action/#end-to-end-testing)
 For more information, please see the [Flux GitHub Action documentation](https://fluxcd.io/flux/flux-gh-action/).
--- a/action/action.yml
+++ b/action/action.yml
@ -1,120 +0,0 @@
 name: Setup Flux CLI
 description: A GitHub Action for installing the Flux CLI
 author: Flux project
 branding:
  color: blue
  icon: command
 inputs:
  version:
    description: "Flux version e.g. 2.0.0 (defaults to latest stable release)"
    required: false
  arch:
    description: "arch can be amd64, arm64 or arm"
    required: false
    deprecationMessage: "No longer required, action will now detect runner arch."
  bindir:
    description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
    required: false
  token:
    description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
    required: false
 runs:
  using: composite
  steps:
    - name: "Download the binary to the runner's cache dir"
      shell: bash
      run: |
        VERSION=${{ inputs.version }}
        TOKEN=${{ inputs.token }}
        if [[ -z "$TOKEN" ]]; then
          TOKEN=${{ github.token }}
        fi
        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
          VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
        fi
        if [[ -z "$VERSION" ]]; then
          echo "Unable to determine Flux CLI version"
          exit 1
        fi
        if [[ $VERSION = v* ]]; then
          VERSION="${VERSION:1}"
        fi
        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
        if [[ "$OS" == "macos" ]]; then
          OS="darwin"
        fi
        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
        if [[ "$ARCH" == "x64" ]]; then
          ARCH="amd64"
        elif [[ "$ARCH" == "x86" ]]; then
          ARCH="386"
        fi
        FLUX_EXEC_FILE="flux"
        if [[ "$OS" == "windows" ]]; then
            FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
        fi
        FLUX_TOOL_DIR=${{ inputs.bindir }}
        if [[ -z "$FLUX_TOOL_DIR" ]]; then
          FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
        fi
        if [[ ! -x "$FLUX_TOOL_DIR/FLUX_EXEC_FILE" ]]; then
          DL_DIR="$(mktemp -dt flux2-XXXXXX)"
          trap 'rm -rf $DL_DIR' EXIT
          echo "Downloading flux ${VERSION} for ${OS}/${ARCH}"
          FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.tar.gz"
          if [[ "$OS" == "windows" ]]; then
            FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.zip"
          fi
          FLUX_CHECKSUMS_FILE="flux_${VERSION}_checksums.txt"
          FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"
          curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
          curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
          echo "Verifying checksum"
          sum=""
          if command -v openssl > /dev/null; then
            sum=$(openssl sha256 "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $2}')
          elif command -v sha256sum > /dev/null; then
            sum=$(sha256sum "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $1}')
          fi
          if [[ -z "$sum" ]]; then
            echo "Neither openssl nor sha256sum found. Cannot calculate checksum."
            exit 1
          fi
          expected_sum=$(grep " $FLUX_TARGET_FILE\$" "$DL_DIR/$FLUX_CHECKSUMS_FILE" | awk '{print $1}')
          if [ "$sum" != "$expected_sum" ]; then
            echo "SHA sum of ${FLUX_TARGET_FILE} does not match. Aborting."
            exit 1
          fi
          echo "Installing flux to ${FLUX_TOOL_DIR}"
          mkdir -p "$FLUX_TOOL_DIR"
          if [[ "$OS" == "windows" ]]; then
            unzip "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_EXEC_FILE" -d "$FLUX_TOOL_DIR"
          else
            tar xzf "$DL_DIR/$FLUX_TARGET_FILE" -C "$FLUX_TOOL_DIR" $FLUX_EXEC_FILE
          fi
          chmod +x "$FLUX_TOOL_DIR/$FLUX_EXEC_FILE"
        fi
        echo "Adding flux to path"
        echo "$FLUX_TOOL_DIR" >> "$GITHUB_PATH"
    - name: "Print installed flux version"
      shell: bash
      run: |
        flux -v
--- a/cmd/flux/alert.go
+++ b/cmd/flux/alert.go
@ -1,57 +0,0 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )
 // notificationv1.Alert
 var alertType = apiType{
 	kind:         notificationv1.AlertKind,
 	humanKind:    "alert",
 	groupVersion: notificationv1.GroupVersion,
 }
 type alertAdapter struct {
 	*notificationv1.Alert
 }
 func (a alertAdapter) asClientObject() client.Object {
 	return a.Alert
 }
 func (a alertAdapter) deepCopyClientObject() client.Object {
 	return a.Alert.DeepCopy()
 }
 // notificationv1.Alert
 type alertListAdapter struct {
 	*notificationv1.AlertList
 }
 func (a alertListAdapter) asClientList() client.ObjectList {
 	return a.AlertList
 }
 func (a alertListAdapter) len() int {
 	return len(a.AlertList.Items)
 }
--- a/cmd/flux/alert_provider.go
+++ b/cmd/flux/alert_provider.go
@ -1,57 +0,0 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )
 // notificationv1.Provider
 var alertProviderType = apiType{
 	kind:         notificationv1.ProviderKind,
 	humanKind:    "alert provider",
 	groupVersion: notificationv1.GroupVersion,
 }
 type alertProviderAdapter struct {
 	*notificationv1.Provider
 }
 func (a alertProviderAdapter) asClientObject() client.Object {
 	return a.Provider
 }
 func (a alertProviderAdapter) deepCopyClientObject() client.Object {
 	return a.Provider.DeepCopy()
 }
 // notificationv1.Provider
 type alertProviderListAdapter struct {
 	*notificationv1.ProviderList
 }
 func (a alertProviderListAdapter) asClientList() client.ObjectList {
 	return a.ProviderList
 }
 func (a alertProviderListAdapter) len() int {
 	return len(a.ProviderList.Items)
 }
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@ -1,239 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"crypto/elliptic"
 	"fmt"
 	"strings"
 	"github.com/fluxcd/pkg/git"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var bootstrapCmd = &cobra.Command{
 	Use:   "bootstrap",
 	Short: "Deploy Flux on a cluster the GitOps way.",
 	Long: `The bootstrap sub-commands push the Flux manifests to a Git repository
 and deploy Flux on the cluster.`,
 }
 type bootstrapFlags struct {
 	version  string
 	logLevel flags.LogLevel
 	branch            string
 	recurseSubmodules bool
 	manifestsPath     string
 	defaultComponents  []string
 	extraComponents    []string
 	requiredComponents []string
 	registry           string
 	registryCredential string
 	imagePullSecret    string
 	secretName           string
 	tokenAuth            bool
 	keyAlgorithm         flags.PublicKeyAlgorithm
 	keyRSABits           flags.RSAKeyBits
 	keyECDSACurve        flags.ECDSACurve
 	sshHostname          string
 	caFile               string
 	privateKeyFile       string
 	sshHostKeyAlgorithms []string
 	watchAllNamespaces bool
 	networkPolicy      bool
 	clusterDomain      string
 	tolerationKeys     []string
 	authorName  string
 	authorEmail string
 	gpgKeyRingPath string
 	gpgPassphrase  string
 	gpgKeyID       string
 	force bool
 	commitMessageAppendix string
 }
 const (
 	bootstrapDefaultBranch = "main"
 )
 var bootstrapArgs = NewBootstrapFlags()
 func init() {
 	bootstrapCmd.PersistentFlags().StringVarP(&bootstrapArgs.version, "version", "v", "",
 		"toolkit version, when specified the manifests are downloaded from https://github.com/fluxcd/flux2/releases")
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.extraComponents, "components-extra", nil,
 		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
 		"container registry where the Flux controller images are published")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registryCredential, "registry-creds", "",
 		"container registry credentials in the format 'user:password', requires --image-pull-secret to be set")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.imagePullSecret, "image-pull-secret", "",
 		"Kubernetes secret name used for pulling the controller images from a private registry")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.branch, "branch", bootstrapDefaultBranch, "Git branch")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.recurseSubmodules, "recurse-submodules", false,
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.manifestsPath, "manifests", "", "path to the manifest directory")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.watchAllNamespaces, "watch-all-namespaces", true,
 		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the Flux controllers are installed")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.networkPolicy, "network-policy", true,
 		"setup Kubernetes network policies to deny ingress access to the Flux controllers from other namespaces")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.tokenAuth, "token-auth", false,
 		"when enabled, the personal access token will be used instead of the SSH deploy key")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.logLevel, "log-level", bootstrapArgs.logLevel.Description())
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.clusterDomain, "cluster-domain", rootArgs.defaults.ClusterDomain, "internal cluster domain")
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.tolerationKeys, "toleration-keys", nil,
 		"list of toleration keys used to schedule the controller pods onto nodes with matching taints")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.secretName, "secret-name", rootArgs.defaults.Namespace, "name of the secret the sync credentials can be found in or stored to")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyAlgorithm, "ssh-key-algorithm", bootstrapArgs.keyAlgorithm.Description())
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyRSABits, "ssh-rsa-bits", bootstrapArgs.keyRSABits.Description())
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.sshHostKeyAlgorithms, "ssh-hostkey-algos", nil, "list of host key algorithms to be used by the CLI for SSH connections")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyECDSACurve, "ssh-ecdsa-curve", bootstrapArgs.keyECDSACurve.Description())
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.sshHostname, "ssh-hostname", "", "SSH hostname, to be used when the SSH host differs from the HTTPS one")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.privateKeyFile, "private-key-file", "", "path to a private key file used for authenticating to the Git SSH server")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.authorName, "author-name", "Flux", "author name for Git commits")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.authorEmail, "author-email", "", "author email for Git commits")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgKeyRingPath, "gpg-key-ring", "", "path to GPG key ring for signing commits")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgPassphrase, "gpg-passphrase", "", "passphrase for decrypting GPG private key")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgKeyID, "gpg-key-id", "", "key id for selecting a particular key")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.commitMessageAppendix, "commit-message-appendix", "", "string to add to the commit messages, e.g. '[ci skip]'")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.force, "force", false, "override existing Flux installation if it's managed by a different tool such as Helm")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")
 	rootCmd.AddCommand(bootstrapCmd)
 }
 func NewBootstrapFlags() bootstrapFlags {
 	return bootstrapFlags{
 		logLevel:           flags.LogLevel(rootArgs.defaults.LogLevel),
 		requiredComponents: []string{"source-controller", "kustomize-controller"},
 		keyAlgorithm:       flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		keyRSABits:         2048,
 		keyECDSACurve:      flags.ECDSACurve{Curve: elliptic.P384()},
 	}
 }
 func bootstrapComponents() []string {
 	return append(bootstrapArgs.defaultComponents, bootstrapArgs.extraComponents...)
 }
 func buildEmbeddedManifestBase() (string, error) {
 	if !isEmbeddedVersion(bootstrapArgs.version) {
 		return "", nil
 	}
 	tmpBaseDir, err := manifestgen.MkdirTempAbs("", "flux-manifests-")
 	if err != nil {
 		return "", err
 	}
 	if err := writeEmbeddedManifests(tmpBaseDir); err != nil {
 		return "", err
 	}
 	return tmpBaseDir, nil
 }
 func bootstrapValidate() error {
 	components := bootstrapComponents()
 	for _, component := range bootstrapArgs.requiredComponents {
 		if !utils.ContainsItemString(components, component) {
 			return fmt.Errorf("component %s is required", component)
 		}
 	}
 	if err := utils.ValidateComponents(components); err != nil {
 		return err
 	}
 	if bootstrapArgs.registryCredential != "" && bootstrapArgs.imagePullSecret == "" {
 		return fmt.Errorf("--registry-creds requires --image-pull-secret to be set")
 	}
 	if bootstrapArgs.registryCredential != "" && len(strings.Split(bootstrapArgs.registryCredential, ":")) != 2 {
 		return fmt.Errorf("invalid --registry-creds format, expected 'user:password'")
 	}
 	if len(bootstrapArgs.sshHostKeyAlgorithms) > 0 {
 		git.HostKeyAlgos = bootstrapArgs.sshHostKeyAlgorithms
 	}
 	return nil
 }
 func mapTeamSlice(s []string, defaultPermission string) map[string]string {
 	m := make(map[string]string, len(s))
 	for _, v := range s {
 		m[v] = defaultPermission
 		if s := strings.Split(v, ":"); len(s) == 2 {
 			m[s[0]] = s[1]
 		}
 	}
 	return m
 }
 // confirmBootstrap gets a confirmation for running bootstrap over an existing Flux installation.
 // It returns a nil error if Flux is not installed or the user confirms overriding an existing installation
 func confirmBootstrap(ctx context.Context, kubeClient client.Client) error {
 	installed := true
 	info, err := getFluxClusterInfo(ctx, kubeClient)
 	if err != nil {
 		if !errors.IsNotFound(err) {
 			return fmt.Errorf("cluster info unavailable: %w", err)
 		}
 		installed = false
 	}
 	if installed {
 		err = confirmFluxInstallOverride(info)
 		if err != nil {
 			if err == promptui.ErrAbort {
 				return fmt.Errorf("bootstrap cancelled")
 			}
 			return err
 		}
 	}
 	return nil
 }
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@ -1,298 +0,0 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"time"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
 	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )
 var bootstrapBServerCmd = &cobra.Command{
 	Use:   "bitbucket-server",
 	Short: "Deploy Flux on a cluster connected to a Bitbucket Server repository",
 	Long: `The bootstrap bitbucket-server command creates the Bitbucket Server repository if it doesn't exists and
 commits the Flux manifests to the master branch.
 Then it configures the target cluster to synchronize with the repository.
 If the Flux components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a Bitbucket Server API token and export it as an env var
  export BITBUCKET_TOKEN=<my-token>
  # Run bootstrap for a private repository using HTTPS token authentication
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
  # Run bootstrap for a private repository using SSH authentication
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --path=clusters/my-cluster
  # Run bootstrap for a public repository on a personal account
  flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth --path=clusters/my-cluster
  # Run bootstrap for an existing repository with a branch named main
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth --path=clusters/my-cluster`,
 	RunE: bootstrapBServerCmdRun,
 }
 const (
 	bServerDefaultPermission = "push"
 	bServerTokenEnvVar       = "BITBUCKET_TOKEN"
 )
 type bServerFlags struct {
 	owner        string
 	repository   string
 	interval     time.Duration
 	personal     bool
 	username     string
 	private      bool
 	hostname     string
 	path         flags.SafeRelativePath
 	teams        []string
 	readWriteKey bool
 	reconcile    bool
 }
 var bServerArgs bServerFlags
 func init() {
 	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.owner, "owner", "", "Bitbucket Server user or project name")
 	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.repository, "repository", "", "Bitbucket Server repository name")
 	bootstrapBServerCmd.Flags().StringSliceVar(&bServerArgs.teams, "group", []string{}, "Bitbucket Server groups to be given write access (also accepts comma-separated values)")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.personal, "personal", false, "if true, the owner is assumed to be a Bitbucket Server user; otherwise a group")
 	bootstrapBServerCmd.Flags().StringVarP(&bServerArgs.username, "username", "u", "git", "authentication username")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.private, "private", true, "if true, the repository is setup or configured as private")
 	bootstrapBServerCmd.Flags().DurationVar(&bServerArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.hostname, "hostname", "", "Bitbucket Server hostname")
 	bootstrapBServerCmd.Flags().Var(&bServerArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
 	bootstrapCmd.AddCommand(bootstrapBServerCmd)
 }
 func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 	bitbucketToken := os.Getenv(bServerTokenEnvVar)
 	if bitbucketToken == "" {
 		var err error
 		bitbucketToken, err = readPasswordFromStdin("Please enter your Bitbucket personal access token (PAT): ")
 		if err != nil {
 			return fmt.Errorf("could not read token: %w", err)
 		}
 	}
 	if bServerArgs.hostname == "" {
 		return fmt.Errorf("invalid hostname %q", bServerArgs.hostname)
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	if !bootstrapArgs.force {
 		err = confirmBootstrap(ctx, kubeClient)
 		if err != nil {
 			return err
 		}
 	}
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err
 	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
 	user := bServerArgs.username
 	if bServerArgs.personal {
 		user = bServerArgs.owner
 	}
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Build Bitbucket Server provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderStash,
 		Hostname: bServerArgs.hostname,
 		Username: user,
 		Token:    bitbucketToken,
 		CaBundle: caBundle,
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}
 	// Lazy go-git repository
 	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
 	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
 		Transport: git.HTTPS,
 		Username:  user,
 		Password:  bitbucketToken,
 		CAFile:    caBundle,
 	}, clientOpts...)
 	if err != nil {
 		return fmt.Errorf("failed to create a Git client: %w", err)
 	}
 	// Install manifest config
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             bServerArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
 		Namespace:    *kubeconfigArgs.Namespace,
 		TargetPath:   bServerArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
 	if bootstrapArgs.tokenAuth {
 		if bServerArgs.personal {
 			secretOpts.Username = bServerArgs.owner
 		} else {
 			secretOpts.Username = bServerArgs.username
 		}
 		secretOpts.Password = bitbucketToken
 		secretOpts.CACrt = caBundle
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
 			return err
 		}
 		secretOpts.Keypair = keypair
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		secretOpts.SSHHostname = bServerArgs.hostname
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
 	}
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          bServerArgs.interval,
 		Name:              *kubeconfigArgs.Namespace,
 		Namespace:         *kubeconfigArgs.Namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        bServerArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
 	if err != nil {
 		return err
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(bServerArgs.owner, bServerArgs.repository, bServerArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
 		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
 	if bootstrapArgs.tokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
 	if !bServerArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
 	if bServerArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
 	// Run
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@ -1,403 +0,0 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"net/url"
 	"os"
 	"strings"
 	"time"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )
 var bootstrapGitCmd = &cobra.Command{
 	Use:   "git",
 	Short: "Deploy Flux on a cluster connected to a Git repository",
 	Long: `The bootstrap git command commits the Flux manifests to the
 branch of a Git repository. And then it configures the target cluster to synchronize with
 that repository. If the Flux components are present on the cluster, the bootstrap
 command will perform an upgrade if needed.`,
 	Example: `  # Run bootstrap for a Git repository and authenticate with your SSH agent
  flux bootstrap git --url=ssh://git@example.com/repository.git --path=clusters/my-cluster
  # Run bootstrap for a Git repository and authenticate using a password
  flux bootstrap git --url=https://example.com/repository.git --password=<password> --path=clusters/my-cluster
  # Run bootstrap for a Git repository and authenticate using a password from environment variable
  GIT_PASSWORD=<password> && flux bootstrap git --url=https://example.com/repository.git --path=clusters/my-cluster
  # Run bootstrap for a Git repository with a passwordless private key
  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --path=clusters/my-cluster
  # Run bootstrap for a Git repository with a private key and password
  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --password=<password> --path=clusters/my-cluster
  # Run bootstrap for a Git repository on AWS CodeCommit
  flux bootstrap git --url=ssh://<SSH-Key-ID>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> --private-key-file=<path/to/private.key> --password=<SSH-passphrase> --path=clusters/my-cluster
  # Run bootstrap for a Git repository on Azure Devops
  flux bootstrap git --url=ssh://git@ssh.dev.azure.com/v3/<org>/<project>/<repository> --private-key-file=<path/to/rsa-sha2-private.key> --ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256 --path=clusters/my-cluster
  # Run bootstrap for a Git repository on Oracle VBS
  flux bootstrap git --url=https://repository_url.git --with-bearer-token=true --password=<PAT> --path=clusters/my-cluster
 `,
 	RunE: bootstrapGitCmdRun,
 }
 type gitFlags struct {
 	url                 string
 	interval            time.Duration
 	path                flags.SafeRelativePath
 	username            string
 	password            string
 	silent              bool
 	insecureHttpAllowed bool
 	withBearerToken     bool
 }
 const (
 	gitPasswordEnvVar = "GIT_PASSWORD"
 )
 var gitArgs gitFlags
 func init() {
 	bootstrapGitCmd.Flags().StringVar(&gitArgs.url, "url", "", "Git repository URL")
 	bootstrapGitCmd.Flags().DurationVar(&gitArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapGitCmd.Flags().Var(&gitArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
 	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	bootstrapGitCmd.Flags().BoolVar(&gitArgs.insecureHttpAllowed, "allow-insecure-http", false, "allows insecure HTTP connections")
 	bootstrapGitCmd.Flags().BoolVar(&gitArgs.withBearerToken, "with-bearer-token", false, "use password as bearer token for Authorization header")
 	bootstrapCmd.AddCommand(bootstrapGitCmd)
 }
 func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	if gitArgs.withBearerToken {
 		bootstrapArgs.tokenAuth = true
 	}
 	gitPassword := os.Getenv(gitPasswordEnvVar)
 	if gitPassword != "" && gitArgs.password == "" {
 		gitArgs.password = gitPassword
 	}
 	if bootstrapArgs.tokenAuth && gitArgs.password == "" {
 		var err error
 		gitPassword, err = readPasswordFromStdin("Please enter your Git repository password: ")
 		if err != nil {
 			return fmt.Errorf("could not read token: %w", err)
 		}
 		gitArgs.password = gitPassword
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
 	repositoryURL, err := url.Parse(gitArgs.url)
 	if err != nil {
 		return err
 	}
 	if strings.Contains(repositoryURL.Hostname(), "git-codecommit") && strings.Contains(repositoryURL.Hostname(), "amazonaws.com") {
 		if repositoryURL.Scheme == string(git.SSH) {
 			if repositoryURL.User == nil {
 				return fmt.Errorf("invalid AWS CodeCommit url: ssh username should be specified in the url")
 			}
 			if repositoryURL.User.Username() == git.DefaultPublicKeyAuthUser {
 				return fmt.Errorf("invalid AWS CodeCommit url: ssh username should be the SSH key ID for the provided private key")
 			}
 			if bootstrapArgs.privateKeyFile == "" {
 				return fmt.Errorf("private key file is required for bootstrapping against AWS CodeCommit using ssh")
 			}
 		}
 		if repositoryURL.Scheme == string(git.HTTPS) && !bootstrapArgs.tokenAuth {
 			return fmt.Errorf("--token-auth=true must be specified for using an HTTPS AWS CodeCommit url")
 		}
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	if !bootstrapArgs.force {
 		err = confirmBootstrap(ctx, kubeClient)
 		if err != nil {
 			return err
 		}
 	}
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err
 	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
 	// Lazy go-git repository
 	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	authOpts, err := getAuthOpts(repositoryURL, caBundle)
 	if err != nil {
 		return fmt.Errorf("failed to create authentication options for %s: %w", repositoryURL.String(), err)
 	}
 	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
 	if gitArgs.insecureHttpAllowed {
 		clientOpts = append(clientOpts, gogit.WithInsecureCredentialsOverHTTP())
 	}
 	gitClient, err := gogit.NewClient(tmpDir, authOpts, clientOpts...)
 	if err != nil {
 		return fmt.Errorf("failed to create a Git client: %w", err)
 	}
 	// Install manifest config
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             gitArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
 		Namespace:    *kubeconfigArgs.Namespace,
 		TargetPath:   gitArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
 	if bootstrapArgs.tokenAuth {
 		if gitArgs.withBearerToken {
 			secretOpts.BearerToken = gitArgs.password
 		} else {
 			secretOpts.Username = gitArgs.username
 			secretOpts.Password = gitArgs.password
 		}
 		secretOpts.CACrt = caBundle
 		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
 		// This _might_ be overwritten later on by e.g. --ssh-hostname
 		if repositoryURL.Scheme != "https" && repositoryURL.Scheme != "http" {
 			repositoryURL.Host = repositoryURL.Hostname()
 		}
 		// Configure repository URL to match auth config for sync.
 		repositoryURL.User = nil
 		if !gitArgs.insecureHttpAllowed {
 			repositoryURL.Scheme = "https"
 		}
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.Password = gitArgs.password
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		// Configure repository URL to match auth config for sync
 		// Override existing user when user is not already set
 		// or when a username was passed in
 		if repositoryURL.User == nil || gitArgs.username != "git" {
 			repositoryURL.User = url.User(gitArgs.username)
 		}
 		repositoryURL.Scheme = "ssh"
 		if bootstrapArgs.sshHostname != "" {
 			repositoryURL.Host = bootstrapArgs.sshHostname
 		}
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
 			return err
 		}
 		secretOpts.Keypair = keypair
 		// Configure last as it depends on the config above.
 		secretOpts.SSHHostname = repositoryURL.Host
 	}
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          gitArgs.interval,
 		Name:              *kubeconfigArgs.Namespace,
 		Namespace:         *kubeconfigArgs.Namespace,
 		URL:               repositoryURL.String(),
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        gitArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
 	if err != nil {
 		return err
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitOption{
 		bootstrap.WithRepositoryURL(gitArgs.url),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithPostGenerateSecretFunc(promptPublicKey),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewPlainGitProvider(gitClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
 	// Run
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
 // getAuthOpts retruns a AuthOptions based on the scheme
 // of the given URL and the configured flags. If the protocol equals
 // "ssh" but no private key is configured, authentication using the local
 // SSH-agent is attempted.
 func getAuthOpts(u *url.URL, caBundle []byte) (*git.AuthOptions, error) {
 	switch u.Scheme {
 	case "http":
 		if !gitArgs.insecureHttpAllowed {
 			return nil, fmt.Errorf("scheme http is insecure, pass --allow-insecure-http=true to allow it")
 		}
 		httpAuth := git.AuthOptions{
 			Transport: git.HTTP,
 		}
 		if gitArgs.withBearerToken {
 			httpAuth.BearerToken = gitArgs.password
 		} else {
 			httpAuth.Username = gitArgs.username
 			httpAuth.Password = gitArgs.password
 		}
 		return &httpAuth, nil
 	case "https":
 		httpsAuth := git.AuthOptions{
 			Transport: git.HTTPS,
 			CAFile:    caBundle,
 		}
 		if gitArgs.withBearerToken {
 			httpsAuth.BearerToken = gitArgs.password
 		} else {
 			httpsAuth.Username = gitArgs.username
 			httpsAuth.Password = gitArgs.password
 		}
 		return &httpsAuth, nil
 	case "ssh":
 		authOpts := &git.AuthOptions{
 			Transport: git.SSH,
 			Username:  u.User.Username(),
 			Password:  gitArgs.password,
 		}
 		if bootstrapArgs.privateKeyFile != "" {
 			pk, err := os.ReadFile(bootstrapArgs.privateKeyFile)
 			if err != nil {
 				return nil, err
 			}
 			kh, err := sourcesecret.ScanHostKey(u.Host)
 			if err != nil {
 				return nil, err
 			}
 			authOpts.Identity = pk
 			authOpts.KnownHosts = kh
 		}
 		return authOpts, nil
 	default:
 		return nil, fmt.Errorf("scheme %q is not supported", u.Scheme)
 	}
 }
 func promptPublicKey(ctx context.Context, secret corev1.Secret, _ sourcesecret.Options) error {
 	ppk, ok := secret.StringData[sourcesecret.PublicKeySecretKey]
 	if !ok {
 		return nil
 	}
 	logger.Successf("public key: %s", strings.TrimSpace(ppk))
 	if !gitArgs.silent {
 		prompt := promptui.Prompt{
 			Label:     "Please give the key access to your repository",
 			IsConfirm: true,
 		}
 		_, err := prompt.Run()
 		if err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	return nil
 }
--- a/cmd/flux/bootstrap_gitea.go
+++ b/cmd/flux/bootstrap_gitea.go
@ -1,276 +0,0 @@
 /*
 Copyright 2023 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"time"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
 	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )
 var bootstrapGiteaCmd = &cobra.Command{
 	Use:   "gitea",
 	Short: "Deploy Flux on a cluster connected to a Gitea repository",
 	Long: `The bootstrap gitea command creates the Gitea repository if it doesn't exists and
 commits the Flux manifests to the specified branch.
 Then it configures the target cluster to synchronize with that repository.
 If the Flux components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a Gitea personal access token and export it as an env var
  export GITEA_TOKEN=<my-token>
  # Run bootstrap for a private repository owned by a Gitea organization
  flux bootstrap gitea --owner=<organization> --repository=<repository name> --path=clusters/my-cluster
  # Run bootstrap for a private repository and assign organization teams to it
  flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug> --path=clusters/my-cluster
  # Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
  flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level> --path=clusters/my-cluster
  # Run bootstrap for a public repository on a personal account
  flux bootstrap gitea --owner=<user> --repository=<repository name> --private=false --personal=true --path=clusters/my-cluster
  # Run bootstrap for a private repository hosted on Gitea Enterprise using SSH auth
  flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain> --path=clusters/my-cluster
  # Run bootstrap for a private repository hosted on Gitea Enterprise using HTTPS auth
  flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
  # Run bootstrap for an existing repository with a branch named main
  flux bootstrap gitea --owner=<organization> --repository=<repository name> --branch=main --path=clusters/my-cluster`,
 	RunE: bootstrapGiteaCmdRun,
 }
 type giteaFlags struct {
 	owner        string
 	repository   string
 	interval     time.Duration
 	personal     bool
 	private      bool
 	hostname     string
 	path         flags.SafeRelativePath
 	teams        []string
 	readWriteKey bool
 	reconcile    bool
 }
 const (
 	gtDefaultPermission = "maintain"
 	gtDefaultDomain     = "gitea.com"
 	gtTokenEnvVar       = "GITEA_TOKEN"
 )
 var giteaArgs giteaFlags
 func init() {
 	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.owner, "owner", "", "Gitea user or organization name")
 	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.repository, "repository", "", "Gitea repository name")
 	bootstrapGiteaCmd.Flags().StringSliceVar(&giteaArgs.teams, "team", []string{}, "Gitea team and the access to be given to it(team:maintain). Defaults to maintainer access if no access level is specified (also accepts comma-separated values)")
 	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.personal, "personal", false, "if true, the owner is assumed to be a Gitea user; otherwise an org")
 	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.private, "private", true, "if true, the repository is setup or configured as private")
 	bootstrapGiteaCmd.Flags().DurationVar(&giteaArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.hostname, "hostname", gtDefaultDomain, "Gitea hostname")
 	bootstrapGiteaCmd.Flags().Var(&giteaArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
 	bootstrapCmd.AddCommand(bootstrapGiteaCmd)
 }
 func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error {
 	gtToken := os.Getenv(gtTokenEnvVar)
 	if gtToken == "" {
 		var err error
 		gtToken, err = readPasswordFromStdin("Please enter your Gitea personal access token (PAT): ")
 		if err != nil {
 			return fmt.Errorf("could not read token: %w", err)
 		}
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err
 	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Build Gitea provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitea,
 		Hostname: giteaArgs.hostname,
 		Token:    gtToken,
 		CaBundle: caBundle,
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}
 	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
 	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
 		Transport: git.HTTPS,
 		Username:  giteaArgs.owner,
 		Password:  gtToken,
 		CAFile:    caBundle,
 	}, clientOpts...)
 	if err != nil {
 		return fmt.Errorf("failed to create a Git client: %w", err)
 	}
 	// Install manifest config
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             giteaArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
 		Namespace:    *kubeconfigArgs.Namespace,
 		TargetPath:   giteaArgs.path.ToSlash(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = gtToken
 		secretOpts.CACrt = caBundle
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		secretOpts.SSHHostname = giteaArgs.hostname
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
 	}
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          giteaArgs.interval,
 		Name:              *kubeconfigArgs.Namespace,
 		Namespace:         *kubeconfigArgs.Namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        giteaArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
 	if err != nil {
 		return err
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(giteaArgs.owner, giteaArgs.repository, giteaArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
 		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(giteaArgs.teams, gtDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(giteaArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
 	if bootstrapArgs.tokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
 	if !giteaArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
 	if giteaArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
 	// Run
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@ -1,283 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"time"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
 	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )
 var bootstrapGitHubCmd = &cobra.Command{
 	Use:   "github",
 	Short: "Deploy Flux on a cluster connected to a GitHub repository",
 	Long: `The bootstrap github command creates the GitHub repository if it doesn't exists and
 commits the Flux manifests to the specified branch.
 Then it configures the target cluster to synchronize with that repository.
 If the Flux components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitHub personal access token and export it as an env var
  export GITHUB_TOKEN=<my-token>
  # Run bootstrap for a private repository owned by a GitHub organization
  flux bootstrap github --owner=<organization> --repository=<repository name> --path=clusters/my-cluster
  # Run bootstrap for a private repository and assign organization teams to it
  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug> --path=clusters/my-cluster
  # Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level> --path=clusters/my-cluster
  # Run bootstrap for a public repository on a personal account
  flux bootstrap github --owner=<user> --repository=<repository name> --private=false --personal=true --path=clusters/my-cluster
  # Run bootstrap for a private repository hosted on GitHub Enterprise using SSH auth
  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain> --path=clusters/my-cluster
  # Run bootstrap for a private repository hosted on GitHub Enterprise using HTTPS auth
  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
  # Run bootstrap for an existing repository with a branch named main
  flux bootstrap github --owner=<organization> --repository=<repository name> --branch=main --path=clusters/my-cluster`,
 	RunE: bootstrapGitHubCmdRun,
 }
 type githubFlags struct {
 	owner        string
 	repository   string
 	interval     time.Duration
 	personal     bool
 	private      bool
 	hostname     string
 	path         flags.SafeRelativePath
 	teams        []string
 	readWriteKey bool
 	reconcile    bool
 }
 const (
 	ghDefaultPermission = "maintain"
 	ghDefaultDomain     = "github.com"
 	ghTokenEnvVar       = "GITHUB_TOKEN"
 )
 var githubArgs githubFlags
 func init() {
 	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.owner, "owner", "", "GitHub user or organization name")
 	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.repository, "repository", "", "GitHub repository name")
 	bootstrapGitHubCmd.Flags().StringSliceVar(&githubArgs.teams, "team", []string{}, "GitHub team and the access to be given to it(team:maintain). Defaults to maintainer access if no access level is specified (also accepts comma-separated values)")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.personal, "personal", false, "if true, the owner is assumed to be a GitHub user; otherwise an org")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.private, "private", true, "if true, the repository is setup or configured as private")
 	bootstrapGitHubCmd.Flags().DurationVar(&githubArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.hostname, "hostname", ghDefaultDomain, "GitHub hostname")
 	bootstrapGitHubCmd.Flags().Var(&githubArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
 	bootstrapCmd.AddCommand(bootstrapGitHubCmd)
 }
 func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	ghToken := os.Getenv(ghTokenEnvVar)
 	if ghToken == "" {
 		var err error
 		ghToken, err = readPasswordFromStdin("Please enter your GitHub personal access token (PAT): ")
 		if err != nil {
 			return fmt.Errorf("could not read token: %w", err)
 		}
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	if !bootstrapArgs.force {
 		err = confirmBootstrap(ctx, kubeClient)
 		if err != nil {
 			return err
 		}
 	}
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err
 	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Build GitHub provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitHub,
 		Hostname: githubArgs.hostname,
 		Token:    ghToken,
 		CaBundle: caBundle,
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}
 	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
 	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
 		Transport: git.HTTPS,
 		Username:  githubArgs.owner,
 		Password:  ghToken,
 		CAFile:    caBundle,
 	}, clientOpts...)
 	if err != nil {
 		return fmt.Errorf("failed to create a Git client: %w", err)
 	}
 	// Install manifest config
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             githubArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
 		Namespace:    *kubeconfigArgs.Namespace,
 		TargetPath:   githubArgs.path.ToSlash(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = ghToken
 		secretOpts.CACrt = caBundle
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		secretOpts.SSHHostname = githubArgs.hostname
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
 	}
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          githubArgs.interval,
 		Name:              *kubeconfigArgs.Namespace,
 		Namespace:         *kubeconfigArgs.Namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        githubArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
 	if err != nil {
 		return err
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(githubArgs.owner, githubArgs.repository, githubArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
 		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(githubArgs.teams, ghDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(githubArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
 	if bootstrapArgs.tokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
 	if !githubArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
 	if githubArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
 	// Run
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@ -1,332 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"regexp"
 	"strings"
 	"time"
 	"github.com/fluxcd/go-git-providers/gitprovider"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
 	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )
 var bootstrapGitLabCmd = &cobra.Command{
 	Use:   "gitlab",
 	Short: "Deploy Flux on a cluster connected to a GitLab repository",
 	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exists and
 commits the Flux manifests to the specified branch.
 Then it configures the target cluster to synchronize with that repository.
 If the Flux components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitLab API token and export it as an env var
  export GITLAB_TOKEN=<my-token>
  # Run bootstrap for a private repository using HTTPS token authentication
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --token-auth
  # Run bootstrap for a private repository using SSH authentication
  flux bootstrap gitlab --owner=<group> --repository=<repository name>
  # Run bootstrap for a repository path
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --path=dev-cluster
  # Run bootstrap for a public repository
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --visibility=public  --token-auth
  # Run bootstrap for a private repository hosted on a GitLab server
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<gitlab_url> --token-auth
  # Run bootstrap for an existing repository with a branch named main
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --branch=main --token-auth
  # Run bootstrap for a private repository using Deploy Token authentication
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --deploy-token-auth
  `,
 	RunE: bootstrapGitLabCmdRun,
 }
 const (
 	glDefaultPermission = "maintain"
 	glDefaultDomain     = "gitlab.com"
 	glTokenEnvVar       = "GITLAB_TOKEN"
 	gitlabProjectRegex  = `\A[[:alnum:]\x{00A9}-\x{1f9ff}_][[:alnum:]\p{Pd}\x{00A9}-\x{1f9ff}_\.]*\z`
 )
 type gitlabFlags struct {
 	owner           string
 	repository      string
 	interval        time.Duration
 	personal        bool
 	visibility      flags.GitLabVisibility
 	private         bool
 	hostname        string
 	path            flags.SafeRelativePath
 	teams           []string
 	readWriteKey    bool
 	reconcile       bool
 	deployTokenAuth bool
 }
 func NewGitlabFlags() gitlabFlags {
 	return gitlabFlags{
 		visibility: flags.GitLabVisibility(gitprovider.RepositoryVisibilityPrivate),
 	}
 }
 var gitlabArgs = NewGitlabFlags()
 func init() {
 	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.owner, "owner", "", "GitLab user or group name")
 	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.repository, "repository", "", "GitLab repository name")
 	bootstrapGitLabCmd.Flags().StringSliceVar(&gitlabArgs.teams, "team", []string{}, "GitLab teams to be given maintainer access (also accepts comma-separated values)")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.personal, "personal", false, "if true, the owner is assumed to be a GitLab user; otherwise a group")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.private, "private", true, "if true, the repository is setup or configured as private")
 	bootstrapGitLabCmd.Flags().MarkDeprecated("private", "use --visibility instead")
 	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.visibility, "visibility", gitlabArgs.visibility.Description())
 	bootstrapGitLabCmd.Flags().DurationVar(&gitlabArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.hostname, "hostname", glDefaultDomain, "GitLab hostname")
 	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.deployTokenAuth, "deploy-token-auth", false, "when enabled, a Project Deploy Token is generated and will be used instead of the SSH deploy token")
 	bootstrapCmd.AddCommand(bootstrapGitLabCmd)
 }
 func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	glToken := os.Getenv(glTokenEnvVar)
 	if glToken == "" {
 		var err error
 		glToken, err = readPasswordFromStdin("Please enter your GitLab personal access token (PAT): ")
 		if err != nil {
 			return fmt.Errorf("could not read token: %w", err)
 		}
 	}
 	if projectNameIsValid, err := regexp.MatchString(gitlabProjectRegex, gitlabArgs.repository); err != nil || !projectNameIsValid {
 		if err == nil {
 			err = fmt.Errorf("%s is an invalid project name for gitlab.\nIt can contain only letters, digits, emojis, '_', '.', dash, space. It must start with letter, digit, emoji or '_'.", gitlabArgs.repository)
 		}
 		return err
 	}
 	if bootstrapArgs.tokenAuth && gitlabArgs.deployTokenAuth {
 		return fmt.Errorf("--token-auth and --deploy-token-auth cannot be set both.")
 	}
 	if !gitlabArgs.private {
 		gitlabArgs.visibility.Set(string(gitprovider.RepositoryVisibilityPublic))
 		cmd.Println("Using visibility public as --private=false")
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	if !bootstrapArgs.force {
 		err = confirmBootstrap(ctx, kubeClient)
 		if err != nil {
 			return err
 		}
 	}
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err
 	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Build GitLab provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitLab,
 		Hostname: gitlabArgs.hostname,
 		Token:    glToken,
 		CaBundle: caBundle,
 	}
 	// Workaround for: https://github.com/fluxcd/go-git-providers/issues/55
 	if hostname := providerCfg.Hostname; hostname != glDefaultDomain &&
 		!strings.HasPrefix(hostname, "https://") &&
 		!strings.HasPrefix(hostname, "http://") {
 		providerCfg.Hostname = "https://" + providerCfg.Hostname
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}
 	// Lazy go-git repository
 	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
 	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
 		Transport: git.HTTPS,
 		Username:  gitlabArgs.owner,
 		Password:  glToken,
 		CAFile:    caBundle,
 	}, clientOpts...)
 	if err != nil {
 		return fmt.Errorf("failed to create a Git client: %w", err)
 	}
 	// Install manifest config
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             gitlabArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
 		Namespace:    *kubeconfigArgs.Namespace,
 		TargetPath:   gitlabArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = glToken
 		secretOpts.CACrt = caBundle
 	} else if gitlabArgs.deployTokenAuth {
 		// the actual deploy token will be reconciled later
 		secretOpts.CACrt = caBundle
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
 			return err
 		}
 		secretOpts.Keypair = keypair
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		secretOpts.SSHHostname = gitlabArgs.hostname
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
 	}
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          gitlabArgs.interval,
 		Name:              *kubeconfigArgs.Namespace,
 		Namespace:         *kubeconfigArgs.Namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        gitlabArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
 	if err != nil {
 		return err
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(gitlabArgs.owner, gitlabArgs.repository, gitlabArgs.personal),
 		bootstrap.WithProviderVisibility(gitlabArgs.visibility.String()),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
 		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(gitlabArgs.teams, glDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(gitlabArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
 	if bootstrapArgs.tokenAuth || gitlabArgs.deployTokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
 	if gitlabArgs.deployTokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithDeployTokenAuth())
 	}
 	if gitlabArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
 	// Run
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
--- a/cmd/flux/build.go
+++ b/cmd/flux/build.go
@ -1,31 +0,0 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"github.com/spf13/cobra"
 )
 var buildCmd = &cobra.Command{
 	Use:   "build",
 	Short: "Build a flux resource",
 	Long:  `The build command is used to build flux resources.`,
 }
 func init() {
 	rootCmd.AddCommand(buildCmd)
 }
--- a/cmd/flux/build_artifact.go
+++ b/cmd/flux/build_artifact.go
@ -1,117 +0,0 @@
 /*
 Copyright 2022 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"bufio"
 	"bytes"
 	"fmt"
 	"io"
 	"os"
 	"strings"
 	"github.com/spf13/cobra"
 	oci "github.com/fluxcd/pkg/oci/client"
 	"github.com/fluxcd/pkg/sourceignore"
 )
 var buildArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Build artifact",
 	Long: withPreviewNote(`The build artifact command creates a tgz file with the manifests
 from the given directory or a single manifest file.`),
 	Example: `  # Build the given manifests directory into an artifact
  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
  # Build the given single manifest file into an artifact
  flux build artifact --path ./path/to/local/manifest.yaml --output ./path/to/artifact.tgz
  # List the files bundled in the artifact
  tar -ztvf ./path/to/artifact.tgz
 `,
 	RunE: buildArtifactCmdRun,
 }
 type buildArtifactFlags struct {
 	output      string
 	path        string
 	ignorePaths []string
 }
 var excludeOCI = append(strings.Split(sourceignore.ExcludeVCS, ","), strings.Split(sourceignore.ExcludeExt, ",")...)
 var buildArtifactArgs buildArtifactFlags
 func init() {
 	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.path, "path", "p", "", "Path to the directory where the Kubernetes manifests are located.")
 	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
 	buildArtifactCmd.Flags().StringSliceVar(&buildArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
 	buildCmd.AddCommand(buildArtifactCmd)
 }
 func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	if buildArtifactArgs.path == "" {
 		return fmt.Errorf("invalid path %q", buildArtifactArgs.path)
 	}
 	path := buildArtifactArgs.path
 	var err error
 	if buildArtifactArgs.path == "-" {
 		path, err = saveReaderToFile(os.Stdin)
 		if err != nil {
 			return err
 		}
 		defer os.Remove(path)
 	}
 	if _, err := os.Stat(path); err != nil {
 		return fmt.Errorf("invalid path '%s', must point to an existing directory or file", path)
 	}
 	logger.Actionf("building artifact from %s", path)
 	ociClient := oci.NewClient(oci.DefaultOptions())
 	if err := ociClient.Build(buildArtifactArgs.output, path, buildArtifactArgs.ignorePaths); err != nil {
 		return fmt.Errorf("building artifact failed, error: %w", err)
 	}
 	logger.Successf("artifact created at %s", buildArtifactArgs.output)
 	return nil
 }
 func saveReaderToFile(reader io.Reader) (string, error) {
 	b, err := io.ReadAll(bufio.NewReader(reader))
 	if err != nil {
 		return "", err
 	}
 	b = bytes.TrimRight(b, "\r\n")
 	f, err := os.CreateTemp("", "*.yaml")
 	if err != nil {
 		return "", fmt.Errorf("unable to create temp dir for stdin")
 	}
 	defer f.Close()
 	if _, err := f.Write(b); err != nil {
 		return "", fmt.Errorf("error writing stdin to file: %w", err)
 	}
 	return f.Name(), nil
 }
--- a/cmd/flux/build_artifact_test.go
+++ b/cmd/flux/build_artifact_test.go
@ -1,70 +0,0 @@
 /*
 Copyright 2022 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"os"
 	"strings"
 	"testing"
 	. "github.com/onsi/gomega"
 )
 func Test_saveReaderToFile(t *testing.T) {
 	g := NewWithT(t)
 	testString := `apiVersion: v1
 kind: ConfigMap
 metadata:
  name: myapp
 data:
  foo: bar`
 	tests := []struct {
 		name      string
 		string    string
 		expectErr bool
 	}{
 		{
 			name:   "yaml",
 			string: testString,
 		},
 		{
 			name:   "yaml with carriage return",
 			string: testString + "\r\n",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			tmpFile, err := saveReaderToFile(strings.NewReader(tt.string))
 			g.Expect(err).To(BeNil())
 			t.Cleanup(func() { _ = os.Remove(tmpFile) })
 			b, err := os.ReadFile(tmpFile)
 			if tt.expectErr {
 				g.Expect(err).To(Not(BeNil()))
 				return
 			}
 			g.Expect(err).To(BeNil())
 			g.Expect(string(b)).To(BeEquivalentTo(testString))
 		})
 	}
 }
--- a/cmd/flux/build_kustomization.go
+++ b/cmd/flux/build_kustomization.go
@ -1,174 +0,0 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"os"
 	"os/signal"
 	"github.com/spf13/cobra"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	ssautil "github.com/fluxcd/pkg/ssa/utils"
 	"github.com/fluxcd/flux2/v2/internal/build"
 )
 var buildKsCmd = &cobra.Command{
 	Use:     "kustomization",
 	Aliases: []string{"ks"},
 	Short:   "Build Kustomization",
 	Long: `The build command queries the Kubernetes API and fetches the specified Flux Kustomization. 
 It then uses the fetched in cluster flux kustomization to perform needed transformation on the local kustomization.yaml
 pointed at by --path. The local kustomization.yaml is generated if it does not exist. Finally it builds the overlays using the local kustomization.yaml, and write the resulting multi-doc YAML to stdout.
 It is possible to specify a Flux kustomization file using --kustomization-file.`,
 	Example: `# Build the local manifests as they were built on the cluster
 flux build kustomization my-app --path ./path/to/local/manifests
 # Build using a local flux kustomization file
 flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml
 # Build in dry-run mode without connecting to the cluster.
 # Note that variable substitutions from Secrets and ConfigMaps are skipped in dry-run mode.
 flux build kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml \
 	--dry-run
 # Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
 flux build kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml \
 	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"
 # Run recursively on all encountered Kustomizations
 flux build kustomization my-app --path ./path/to/local/manifests \
 	--recursive \
 	--local-sources GitRepository/flux-system/my-repo=./path/to/local/git`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              buildKsCmdRun,
 }
 type buildKsFlags struct {
 	kustomizationFile string
 	path              string
 	ignorePaths       []string
 	dryRun            bool
 	strictSubst       bool
 	recursive         bool
 	localSources      map[string]string
 }
 var buildKsArgs buildKsFlags
 func init() {
 	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.")
 	buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	buildKsCmd.Flags().StringSliceVar(&buildKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
 	buildKsCmd.Flags().BoolVar(&buildKsArgs.dryRun, "dry-run", false, "Dry run mode.")
 	buildKsCmd.Flags().BoolVar(&buildKsArgs.strictSubst, "strict-substitute", false,
 		"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
 	buildKsCmd.Flags().BoolVarP(&buildKsArgs.recursive, "recursive", "r", false, "Recursively build Kustomizations")
 	buildKsCmd.Flags().StringToStringVar(&buildKsArgs.localSources, "local-sources", nil, "Comma-separated list of repositories in format: Kind/namespace/name=path")
 	buildCmd.AddCommand(buildKsCmd)
 }
 func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 	if len(args) < 1 {
 		return fmt.Errorf("%s name is required", kustomizationType.humanKind)
 	}
 	name := args[0]
 	if buildKsArgs.path == "" {
 		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
 	}
 	if fs, err := os.Stat(buildKsArgs.path); err != nil || !fs.IsDir() {
 		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
 	}
 	if buildKsArgs.dryRun && buildKsArgs.kustomizationFile == "" {
 		return fmt.Errorf("dry-run mode requires a kustomization file")
 	}
 	if buildKsArgs.kustomizationFile != "" {
 		if fs, err := os.Stat(buildKsArgs.kustomizationFile); os.IsNotExist(err) || fs.IsDir() {
 			return fmt.Errorf("invalid kustomization file %q", buildKsArgs.kustomizationFile)
 		}
 	}
 	var builder *build.Builder
 	if buildKsArgs.dryRun {
 		builder, err = build.NewBuilder(name, buildKsArgs.path,
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
 			build.WithDryRun(buildKsArgs.dryRun),
 			build.WithNamespace(*kubeconfigArgs.Namespace),
 			build.WithIgnore(buildKsArgs.ignorePaths),
 			build.WithStrictSubstitute(buildKsArgs.strictSubst),
 			build.WithRecursive(buildKsArgs.recursive),
 			build.WithLocalSources(buildKsArgs.localSources),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, buildKsArgs.path,
 			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
 			build.WithIgnore(buildKsArgs.ignorePaths),
 			build.WithStrictSubstitute(buildKsArgs.strictSubst),
 			build.WithRecursive(buildKsArgs.recursive),
 			build.WithLocalSources(buildKsArgs.localSources),
 		)
 	}
 	if err != nil {
 		return err
 	}
 	// create a signal channel
 	sigc := make(chan os.Signal, 1)
 	signal.Notify(sigc, os.Interrupt)
 	errChan := make(chan error)
 	go func() {
 		objects, err := builder.Build()
 		if err != nil {
 			errChan <- err
 		}
 		manifests, err := ssautil.ObjectsToYAML(objects)
 		if err != nil {
 			errChan <- err
 		}
 		cmd.Print(manifests)
 		errChan <- nil
 	}()
 	select {
 	case <-sigc:
 		fmt.Println("Build cancelled... exiting.")
 		return builder.Cancel()
 	case err := <-errChan:
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/cmd/flux/build_kustomization_test.go
+++ b/cmd/flux/build_kustomization_test.go
@ -1,220 +0,0 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"bytes"
 	"os"
 	"path/filepath"
 	"testing"
 	"text/template"
 )
 func setup(t *testing.T, tmpl map[string]string) {
 	t.Helper()
 	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
 	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-kustomization.yaml", tmpl, t)
 }
 func TestBuildKustomization(t *testing.T) {
 	tests := []struct {
 		name       string
 		args       string
 		resultFile string
 		assertFunc string
 	}{
 		{
 			name:       "no args",
 			args:       "build kustomization podinfo",
 			resultFile: "invalid resource path \"\"",
 			assertFunc: "assertError",
 		},
 		{
 			name:       "build podinfo",
 			args:       "build kustomization podinfo --path ./testdata/build-kustomization/podinfo",
 			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build podinfo without service",
 			args:       "build kustomization podinfo --path ./testdata/build-kustomization/delete-service",
 			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build deployment and configmap with var substitution",
 			args:       "build kustomization podinfo --path ./testdata/build-kustomization/var-substitution",
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build ignore",
 			args:       "build kustomization podinfo --path ./testdata/build-kustomization/ignore --ignore-paths \"!configmap.yaml,!secret.yaml\"",
 			resultFile: "./testdata/build-kustomization/podinfo-with-ignore-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build with recursive",
 			args:       "build kustomization podinfo --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 	}
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	setup(t, tmpl)
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var assert assertFunc
 			switch tt.assertFunc {
 			case "assertGoldenTemplateFile":
 				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
 			case "assertError":
 				assert = assertError(tt.resultFile)
 			}
 			cmd := cmdTestCase{
 				args:   tt.args + " -n " + tmpl["fluxns"],
 				assert: assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
 func TestBuildLocalKustomization(t *testing.T) {
 	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: podinfo
  namespace: {{ .fluxns }}
 spec:
  interval: 5m0s
  path: ./kustomize
  force: true
  prune: true
  sourceRef:
    kind: GitRepository
    name: podinfo
  targetNamespace: default
  postBuild:
    substitute:
      cluster_env: "prod"
      cluster_region: "eu-central-1"
 `
 	tmpFile := filepath.Join(t.TempDir(), "podinfo.yaml")
 	tests := []struct {
 		name       string
 		args       string
 		resultFile string
 		assertFunc string
 	}{
 		{
 			name:       "no args",
 			args:       "build kustomization podinfo --kustomization-file ./wrongfile/ --path ./testdata/build-kustomization/podinfo",
 			resultFile: "invalid kustomization file \"./wrongfile/\"",
 			assertFunc: "assertError",
 		},
 		{
 			name:       "build podinfo",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo",
 			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build podinfo without service",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/delete-service",
 			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build deployment and configmap with var substitution",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution",
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build deployment and configmap with var substitution in dry-run mode",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution --dry-run",
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build with recursive",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build with recursive in dry-run mode",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --dry-run",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 	}
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	setup(t, tmpl)
 	temp, err := template.New("podinfo").Parse(podinfo)
 	if err != nil {
 		t.Fatal(err)
 	}
 	var b bytes.Buffer
 	err = temp.Execute(&b, tmpl)
 	if err != nil {
 		t.Fatal(err)
 	}
 	err = os.WriteFile(tmpFile, b.Bytes(), 0666)
 	if err != nil {
 		t.Fatal(err)
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var assert assertFunc
 			switch tt.assertFunc {
 			case "assertGoldenTemplateFile":
 				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
 			case "assertError":
 				assert = assertError(tt.resultFile)
 			}
 			cmd := cmdTestCase{
 				args:   tt.args + " -n " + tmpl["fluxns"],
 				assert: assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@ -1,263 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"time"
 	"github.com/Masterminds/semver/v3"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/api/apps/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/version"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/v2/pkg/status"
 )
 var checkCmd = &cobra.Command{
 	Use:   "check",
 	Args:  cobra.NoArgs,
 	Short: "Check requirements and installation",
 	Long: withPreviewNote(`The check command will perform a series of checks to validate that
 the local environment is configured correctly and if the installed components are healthy.`),
 	Example: `  # Run pre-installation checks
  flux check --pre
  # Run installation checks
  flux check`,
 	RunE: runCheckCmd,
 }
 type checkFlags struct {
 	pre             bool
 	components      []string
 	extraComponents []string
 	pollInterval    time.Duration
 }
 var kubernetesConstraints = []string{
 	">=1.30.0-0",
 }
 var checkArgs checkFlags
 func init() {
 	checkCmd.Flags().BoolVarP(&checkArgs.pre, "pre", "", false,
 		"only run pre-installation checks")
 	checkCmd.Flags().StringSliceVar(&checkArgs.components, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	checkCmd.Flags().StringSliceVar(&checkArgs.extraComponents, "components-extra", nil,
 		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
 	checkCmd.Flags().DurationVar(&checkArgs.pollInterval, "poll-interval", 5*time.Second,
 		"how often the health checker should poll the cluster for the latest state of the resources.")
 	rootCmd.AddCommand(checkCmd)
 }
 func runCheckCmd(cmd *cobra.Command, args []string) error {
 	logger.Actionf("checking prerequisites")
 	checkFailed := false
 	fluxCheck()
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return fmt.Errorf("Kubernetes client initialization failed: %s", err.Error())
 	}
 	kubeClient, err := client.New(cfg, client.Options{Scheme: utils.NewScheme()})
 	if err != nil {
 		return err
 	}
 	if !kubernetesCheck(cfg, kubernetesConstraints) {
 		checkFailed = true
 	}
 	if checkArgs.pre {
 		if checkFailed {
 			os.Exit(1)
 		}
 		logger.Successf("prerequisites checks passed")
 		return nil
 	}
 	logger.Actionf("checking version in cluster")
 	if !fluxClusterVersionCheck(ctx, kubeClient) {
 		checkFailed = true
 	}
 	logger.Actionf("checking controllers")
 	if !componentsCheck(ctx, kubeClient) {
 		checkFailed = true
 	}
 	logger.Actionf("checking crds")
 	if !crdsCheck(ctx, kubeClient) {
 		checkFailed = true
 	}
 	if checkFailed {
 		logger.Failuref("check failed")
 		os.Exit(1)
 	}
 	logger.Successf("all checks passed")
 	return nil
 }
 func fluxCheck() {
 	curSv, err := version.ParseVersion(VERSION)
 	if err != nil {
 		return
 	}
 	// Exclude development builds.
 	if curSv.Prerelease() != "" {
 		return
 	}
 	latest, err := install.GetLatestVersion()
 	if err != nil {
 		return
 	}
 	latestSv, err := version.ParseVersion(latest)
 	if err != nil {
 		return
 	}
 	if latestSv.GreaterThan(curSv) {
 		logger.Failuref("flux %s <%s (new CLI version is available, please upgrade)", curSv, latestSv)
 	}
 }
 func kubernetesCheck(cfg *rest.Config, constraints []string) bool {
 	clientSet, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
 		return false
 	}
 	kv, err := clientSet.Discovery().ServerVersion()
 	if err != nil {
 		logger.Failuref("Kubernetes API call failed: %s", err.Error())
 		return false
 	}
 	v, err := version.ParseVersion(kv.String())
 	if err != nil {
 		logger.Failuref("Kubernetes version can't be determined")
 		return false
 	}
 	var valid bool
 	var vrange string
 	for _, constraint := range constraints {
 		c, _ := semver.NewConstraint(constraint)
 		if c.Check(v) {
 			valid = true
 			vrange = constraint
 			break
 		}
 	}
 	if !valid {
 		logger.Failuref("Kubernetes version %s does not match %s", v.Original(), constraints[0])
 		return false
 	}
 	logger.Successf("Kubernetes %s %s", v.String(), vrange)
 	return true
 }
 func componentsCheck(ctx context.Context, kubeClient client.Client) bool {
 	statusChecker, err := status.NewStatusCheckerWithClient(kubeClient, checkArgs.pollInterval, rootArgs.timeout, logger)
 	if err != nil {
 		return false
 	}
 	ok := true
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list v1.DeploymentList
 	ns := *kubeconfigArgs.Namespace
 	if err := kubeClient.List(ctx, &list, client.InNamespace(ns), selector); err == nil {
 		if len(list.Items) == 0 {
 			logger.Failuref("no controllers found in the '%s' namespace with the label selector '%s=%s'",
 				ns, manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
 			return false
 		}
 		for _, d := range list.Items {
 			if ref, err := buildComponentObjectRefs(d.Name); err == nil {
 				if err := statusChecker.Assess(ref...); err != nil {
 					ok = false
 				}
 			}
 			for _, c := range d.Spec.Template.Spec.Containers {
 				logger.Actionf(c.Image)
 			}
 		}
 	}
 	return ok
 }
 func crdsCheck(ctx context.Context, kubeClient client.Client) bool {
 	ok := true
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list apiextensionsv1.CustomResourceDefinitionList
 	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
 		if len(list.Items) == 0 {
 			logger.Failuref("no crds found with the label selector '%s=%s'",
 				manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
 			return false
 		}
 		for _, crd := range list.Items {
 			versions := crd.Status.StoredVersions
 			if len(versions) > 0 {
 				logger.Successf(crd.Name + "/" + versions[len(versions)-1])
 			} else {
 				ok = false
 				logger.Failuref("no stored versions for %s", crd.Name)
 			}
 		}
 	}
 	return ok
 }
 func fluxClusterVersionCheck(ctx context.Context, kubeClient client.Client) bool {
 	clusterInfo, err := getFluxClusterInfo(ctx, kubeClient)
 	if err != nil {
 		logger.Failuref("checking failed: %s", err.Error())
 		return false
 	}
 	if clusterInfo.distribution() != "" {
 		logger.Successf("distribution: %s", clusterInfo.distribution())
 	}
 	logger.Successf("bootstrapped: %t", clusterInfo.bootstrapped)
 	return true
 }
--- a/cmd/flux/check_test.go
+++ b/cmd/flux/check_test.go
@ -1,53 +0,0 @@
 //go:build e2e
 // +build e2e
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"encoding/json"
 	"strings"
 	"testing"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 func TestCheckPre(t *testing.T) {
 	jsonOutput, err := utils.ExecKubectlCommand(context.TODO(), utils.ModeCapture, *kubeconfigArgs.KubeConfig, *kubeconfigArgs.Context, "version", "--output", "json")
 	if err != nil {
 		t.Fatalf("Error running utils.ExecKubectlCommand: %v", err.Error())
 	}
 	var versions map[string]interface{}
 	if err := json.Unmarshal([]byte(jsonOutput), &versions); err != nil {
 		t.Fatalf("Error unmarshalling '%s': %v", jsonOutput, err.Error())
 	}
 	serverGitVersion := strings.TrimPrefix(
 		versions["serverVersion"].(map[string]interface{})["gitVersion"].(string),
 		"v")
 	cmd := cmdTestCase{
 		args: "check --pre",
 		assert: assertGoldenTemplateFile("testdata/check/check_pre.golden", map[string]string{
 			"serverVersion": serverGitVersion,
 		}),
 	}
 	cmd.runTestCmd(t)
 }
--- a/cmd/flux/cluster_info.go
+++ b/cmd/flux/cluster_info.go
@ -1,126 +0,0 @@
 /*
 Copyright 2023 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/manifoldco/promptui"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
 )
 // bootstrapLabels are labels put on a resource by kustomize-controller. These labels on the CRD indicates
 // that flux has been bootstrapped.
 var bootstrapLabels = []string{
 	fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group),
 	fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group),
 }
 // fluxClusterInfo contains information about an existing flux installation on a cluster.
 type fluxClusterInfo struct {
 	// bootstrapped indicates that Flux was installed using the `flux bootstrap` command.
 	bootstrapped bool
 	// managedBy is the name of the tool being used to manage the installation of Flux.
 	managedBy string
 	// partOf indicates which distribution the instance is a part of.
 	partOf string
 	// version is the Flux version number in semver format.
 	version string
 }
 // getFluxClusterInfo returns information on the Flux installation running on the cluster.
 // If an error occurred, the returned error will be non-nil.
 //
 // This function retrieves the GitRepository CRD from the cluster and checks it
 // for a set of labels used to determine the Flux version and how Flux was installed.
 // It returns the NotFound error from the underlying library if it was unable to find
 // the GitRepository CRD and this can be used to check if Flux is installed.
 func getFluxClusterInfo(ctx context.Context, c client.Client) (fluxClusterInfo, error) {
 	var info fluxClusterInfo
 	crdMetadata := &metav1.PartialObjectMetadata{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: apiextensionsv1.SchemeGroupVersion.String(),
 			Kind:       "CustomResourceDefinition",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: fmt.Sprintf("gitrepositories.%s", sourcev1.GroupVersion.Group),
 		},
 	}
 	if err := c.Get(ctx, client.ObjectKeyFromObject(crdMetadata), crdMetadata); err != nil {
 		return info, err
 	}
 	info.version = crdMetadata.Labels[manifestgen.VersionLabelKey]
 	var present bool
 	for _, l := range bootstrapLabels {
 		_, present = crdMetadata.Labels[l]
 	}
 	if present {
 		info.bootstrapped = true
 	}
 	// the `app.kubernetes.io/managed-by` label is not set by flux but might be set by other
 	// tools used to install Flux e.g Helm.
 	if manager, ok := crdMetadata.Labels["app.kubernetes.io/managed-by"]; ok {
 		info.managedBy = manager
 	}
 	if partOf, ok := crdMetadata.Labels[manifestgen.PartOfLabelKey]; ok {
 		info.partOf = partOf
 	}
 	return info, nil
 }
 // confirmFluxInstallOverride displays a prompt to the user so that they can confirm before overriding
 // a Flux installation. It returns nil if the installation should continue,
 // promptui.ErrAbort if the user doesn't confirm, or an error encountered.
 func confirmFluxInstallOverride(info fluxClusterInfo) error {
 	// no need to display prompt if installation is managed by Flux
 	if installManagedByFlux(info.managedBy) {
 		return nil
 	}
 	display := fmt.Sprintf("Flux %s has been installed on this cluster with %s!", info.version, info.managedBy)
 	fmt.Fprintln(rootCmd.ErrOrStderr(), display)
 	prompt := promptui.Prompt{
 		Label:     fmt.Sprintf("Are you sure you want to override the %s installation? Y/N", info.managedBy),
 		IsConfirm: true,
 	}
 	_, err := prompt.Run()
 	return err
 }
 func (info fluxClusterInfo) distribution() string {
 	distribution := info.version
 	if info.partOf != "" {
 		distribution = fmt.Sprintf("%s-%s", info.partOf, info.version)
 	}
 	return distribution
 }
 func installManagedByFlux(manager string) bool {
 	return manager == "" || manager == "flux"
 }
--- a/cmd/flux/cluster_info_test.go
+++ b/cmd/flux/cluster_info_test.go
@ -1,141 +0,0 @@
 /*
 Copyright 2023 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"testing"
 	. "github.com/onsi/gomega"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	ssautil "github.com/fluxcd/pkg/ssa/utils"
 )
 func Test_getFluxClusterInfo(t *testing.T) {
 	g := NewWithT(t)
 	f, err := os.Open("./testdata/cluster_info/gitrepositories.yaml")
 	g.Expect(err).To(BeNil())
 	objs, err := ssautil.ReadObjects(f)
 	g.Expect(err).To(Not(HaveOccurred()))
 	gitrepo := objs[0]
 	tests := []struct {
 		name     string
 		labels   map[string]string
 		wantErr  bool
 		wantInfo fluxClusterInfo
 	}{
 		{
 			name:    "no git repository CRD present",
 			wantErr: true,
 		},
 		{
 			name: "CRD with kustomize-controller labels",
 			labels: map[string]string{
 				fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group):      "flux-system",
 				fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
 				"app.kubernetes.io/version":                                 "v2.1.0",
 			},
 			wantInfo: fluxClusterInfo{
 				version:      "v2.1.0",
 				bootstrapped: true,
 			},
 		},
 		{
 			name: "CRD with kustomize-controller labels and managed-by label",
 			labels: map[string]string{
 				fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group):      "flux-system",
 				fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
 				"app.kubernetes.io/version":                                 "v2.1.0",
 				"app.kubernetes.io/managed-by":                              "flux",
 			},
 			wantInfo: fluxClusterInfo{
 				version:      "v2.1.0",
 				bootstrapped: true,
 				managedBy:    "flux",
 			},
 		},
 		{
 			name: "CRD with only managed-by label",
 			labels: map[string]string{
 				"app.kubernetes.io/version":    "v2.1.0",
 				"app.kubernetes.io/managed-by": "helm",
 			},
 			wantInfo: fluxClusterInfo{
 				version:   "v2.1.0",
 				managedBy: "helm",
 			},
 		},
 		{
 			name:     "CRD with no labels",
 			labels:   map[string]string{},
 			wantInfo: fluxClusterInfo{},
 		},
 		{
 			name: "CRD with only version label",
 			labels: map[string]string{
 				"app.kubernetes.io/version": "v2.1.0",
 			},
 			wantInfo: fluxClusterInfo{
 				version: "v2.1.0",
 			},
 		},
 		{
 			name: "CRD with version and part-of labels",
 			labels: map[string]string{
 				"app.kubernetes.io/version": "v2.1.0",
 				"app.kubernetes.io/part-of": "flux",
 			},
 			wantInfo: fluxClusterInfo{
 				version: "v2.1.0",
 				partOf:  "flux",
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			g := NewWithT(t)
 			newscheme := runtime.NewScheme()
 			apiextensionsv1.AddToScheme(newscheme)
 			builder := fake.NewClientBuilder().WithScheme(newscheme)
 			if tt.labels != nil {
 				gitrepo.SetLabels(tt.labels)
 				builder = builder.WithRuntimeObjects(gitrepo)
 			}
 			client := builder.Build()
 			info, err := getFluxClusterInfo(context.Background(), client)
 			if tt.wantErr {
 				g.Expect(err).To(HaveOccurred())
 				g.Expect(errors.IsNotFound(err)).To(BeTrue())
 			} else {
 				g.Expect(err).To(Not(HaveOccurred()))
 			}
 			g.Expect(info).To(BeEquivalentTo(tt.wantInfo))
 		})
 	}
 }
--- a/cmd/flux/completion.go
+++ b/cmd/flux/completion.go
@ -1,112 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"strings"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/dynamic"
 )
 var completionCmd = &cobra.Command{
 	Use:   "completion",
 	Short: "Generates completion scripts for various shells",
 	Long:  `The completion sub-command generates completion scripts for various shells.`,
 }
 func init() {
 	rootCmd.AddCommand(completionCmd)
 }
 func contextsCompletionFunc(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 	rawConfig, err := kubeconfigArgs.ToRawKubeConfigLoader().RawConfig()
 	if err != nil {
 		return completionError(err)
 	}
 	var comps []string
 	for name := range rawConfig.Contexts {
 		if strings.HasPrefix(name, toComplete) {
 			comps = append(comps, name)
 		}
 	}
 	return comps, cobra.ShellCompDirectiveNoFileComp
 }
 func resourceNamesCompletionFunc(gvk schema.GroupVersionKind) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 		defer cancel()
 		cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
 		if err != nil {
 			return completionError(err)
 		}
 		mapper, err := kubeconfigArgs.ToRESTMapper()
 		if err != nil {
 			return completionError(err)
 		}
 		mapping, err := mapper.RESTMapping(gvk.GroupKind(), gvk.Version)
 		if err != nil {
 			return completionError(err)
 		}
 		client, err := dynamic.NewForConfig(cfg)
 		if err != nil {
 			return completionError(err)
 		}
 		var dr dynamic.ResourceInterface
 		if mapping.Scope.Name() == meta.RESTScopeNameNamespace {
 			dr = client.Resource(mapping.Resource).Namespace(*kubeconfigArgs.Namespace)
 		} else {
 			dr = client.Resource(mapping.Resource)
 		}
 		list, err := dr.List(ctx, metav1.ListOptions{})
 		if err != nil {
 			return completionError(err)
 		}
 		var comps []string
 		for _, item := range list.Items {
 			name := item.GetName()
 			if strings.HasPrefix(name, toComplete) {
 				comps = append(comps, name)
 			}
 		}
 		return comps, cobra.ShellCompDirectiveNoFileComp
 	}
 }
 func completionError(err error) ([]string, cobra.ShellCompDirective) {
 	cobra.CompError(err.Error())
 	return nil, cobra.ShellCompDirectiveError
 }
--- a/cmd/flux/completion_bash.go
+++ b/cmd/flux/completion_bash.go
@ -1,44 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"os"
 	"github.com/spf13/cobra"
 )
 var completionBashCmd = &cobra.Command{
 	Use:   "bash",
 	Short: "Generates bash completion scripts",
 	Long:  `The completion sub-command generates completion scripts for bash.`,
 	Example: `To load completion run
 . <(flux completion bash)
 To configure your bash shell to load completions for each session add to your bashrc
 # ~/.bashrc or ~/.profile
 command -v flux >/dev/null && . <(flux completion bash)`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenBashCompletion(os.Stdout)
 	},
 }
 func init() {
 	completionCmd.AddCommand(completionBashCmd)
 }
--- a/cmd/flux/completion_fish.go
+++ b/cmd/flux/completion_fish.go
@ -1,41 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"os"
 	"github.com/spf13/cobra"
 )
 var completionFishCmd = &cobra.Command{
 	Use:   "fish",
 	Short: "Generates fish completion scripts",
 	Long:  `The completion sub-command generates completion scripts for fish.`,
 	Example: `To configure your fish shell to load completions for each session write this script to your completions dir:
 flux completion fish > ~/.config/fish/completions/flux.fish
 See http://fishshell.com/docs/current/index.html#completion-own for more details`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenFishCompletion(os.Stdout, true)
 	},
 }
 func init() {
 	completionCmd.AddCommand(completionFishCmd)
 }
--- a/cmd/flux/completion_powershell.go
+++ b/cmd/flux/completion_powershell.go
@ -1,51 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"os"
 	"github.com/spf13/cobra"
 )
 var completionPowerShellCmd = &cobra.Command{
 	Use:   "powershell",
 	Short: "Generates powershell completion scripts",
 	Long:  `The completion sub-command generates completion scripts for powershell.`,
 	Example: `To load completion run
 . <(flux completion powershell)
 To configure your powershell shell to load completions for each session add to your powershell profile
 Windows:
 cd "$env:USERPROFILE\Documents\WindowsPowerShell\Modules"
 flux completion powershell >> flux-completion.ps1
 Linux:
 cd "${XDG_CONFIG_HOME:-"$HOME/.config/"}/powershell/modules"
 flux completion powershell >> flux-completions.ps1`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenPowerShellCompletion(os.Stdout)
 	},
 }
 func init() {
 	completionCmd.AddCommand(completionPowerShellCmd)
 }
--- a/cmd/flux/completion_zsh.go
+++ b/cmd/flux/completion_zsh.go
@ -1,55 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"os"
 	"github.com/spf13/cobra"
 )
 var completionZshCmd = &cobra.Command{
 	Use:   "zsh",
 	Short: "Generates zsh completion scripts",
 	Long:  `The completion sub-command generates completion scripts for zsh.`,
 	Example: `To load completion run
 . <(flux completion zsh)
 To configure your zsh shell to load completions for each session add to your zshrc
 # ~/.zshrc or ~/.profile
 command -v flux >/dev/null && . <(flux completion zsh)
 or write a cached file in one of the completion directories in your ${fpath}:
 echo "${fpath// /\n}" | grep -i completion
 flux completion zsh > _flux
 mv _flux ~/.oh-my-zsh/completions  # oh-my-zsh
 mv _flux ~/.zprezto/modules/completion/external/src/  # zprezto`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenZshCompletion(os.Stdout)
 		// Cobra doesn't source zsh completion file, explicitly doing it here
 		fmt.Println("compdef _flux flux")
 	},
 }
 func init() {
 	completionCmd.AddCommand(completionZshCmd)
 }
--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@ -1,170 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"regexp"
 	"strings"
 	"time"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createCmd = &cobra.Command{
 	Use:   "create",
 	Short: "Create or update sources and resources",
 	Long:  `The create sub-commands generate sources and resources.`,
 }
 type createFlags struct {
 	interval time.Duration
 	export   bool
 	labels   []string
 }
 var createArgs createFlags
 func init() {
 	createCmd.PersistentFlags().DurationVarP(&createArgs.interval, "interval", "", time.Minute, "source sync interval")
 	createCmd.PersistentFlags().BoolVar(&createArgs.export, "export", false, "export in YAML format to stdout")
 	createCmd.PersistentFlags().StringSliceVar(&createArgs.labels, "label", nil,
 		"set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)")
 	createCmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 {
 			return fmt.Errorf("name is required")
 		}
 		name := args[0]
 		if !validateObjectName(name) {
 			return fmt.Errorf("name '%s' is invalid, it should adhere to standard defined in RFC 1123, the name can only contain alphanumeric characters or '-'", name)
 		}
 		return nil
 	}
 	rootCmd.AddCommand(createCmd)
 }
 // upsertable is an interface for values that can be used in `upsert`.
 type upsertable interface {
 	adapter
 	named
 }
 // upsert updates or inserts an object. Instead of providing the
 // object itself, you provide a named (as in Name and Namespace)
 // template value, and a mutate function which sets the values you
 // want to update. The mutate function is nullary -- you mutate a
 // value in the closure, e.g., by doing this:
 //
 //	var existing Value
 //	existing.Name = name
 //	existing.Namespace = ns
 //	upsert(ctx, client, valueAdapter{&value}, func() error {
 //	  value.Spec = onePreparedEarlier
 //	})
 func (names apiType) upsert(ctx context.Context, kubeClient client.Client, object upsertable, mutate func() error) (types.NamespacedName, error) {
 	nsname := types.NamespacedName{
 		Namespace: object.GetNamespace(),
 		Name:      object.GetName(),
 	}
 	op, err := controllerutil.CreateOrUpdate(ctx, kubeClient, object.asClientObject(), mutate)
 	if err != nil {
 		return nsname, err
 	}
 	switch op {
 	case controllerutil.OperationResultCreated:
 		logger.Successf("%s created", names.kind)
 	case controllerutil.OperationResultUpdated:
 		logger.Successf("%s updated", names.kind)
 	}
 	return nsname, nil
 }
 type upsertWaitable interface {
 	upsertable
 	statusable
 }
 // upsertAndWait encodes the pattern of creating or updating a
 // resource, then waiting for it to reconcile. See the note on
 // `upsert` for how to work with the `mutate` argument.
 func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions) // NB globals
 	if err != nil {
 		return err
 	}
 	logger.Generatef("generating %s", names.kind)
 	logger.Actionf("applying %s", names.kind)
 	namespacedName, err := names.upsert(ctx, kubeClient, object, mutate)
 	if err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for %s reconciliation", names.kind)
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
 		isObjectReadyConditionFunc(kubeClient, namespacedName, object.asClientObject())); err != nil {
 		return err
 	}
 	logger.Successf("%s reconciliation completed", names.kind)
 	return nil
 }
 func parseLabels() (map[string]string, error) {
 	result := make(map[string]string)
 	for _, label := range createArgs.labels {
 		// validate key value pair
 		parts := strings.Split(label, "=")
 		if len(parts) != 2 {
 			return nil, fmt.Errorf("invalid label format '%s', must be key=value", label)
 		}
 		// validate label name
 		if errors := validation.IsQualifiedName(parts[0]); len(errors) > 0 {
 			return nil, fmt.Errorf("invalid label '%s': %v", parts[0], errors)
 		}
 		// validate label value
 		if errors := validation.IsValidLabelValue(parts[1]); len(errors) > 0 {
 			return nil, fmt.Errorf("invalid label value '%s': %v", parts[1], errors)
 		}
 		result[parts[0]] = parts[1]
 	}
 	return result, nil
 }
 func validateObjectName(name string) bool {
 	r := regexp.MustCompile(`^[a-z0-9]([a-z0-9\-]){0,61}[a-z0-9]$`)
 	return r.MatchString(name)
 }
--- a/cmd/flux/create_alert.go
+++ b/cmd/flux/create_alert.go
@ -1,171 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createAlertCmd = &cobra.Command{
 	Use:   "alert [name]",
 	Short: "Create or update a Alert resource",
 	Long:  withPreviewNote(`The create alert command generates a Alert resource.`),
 	Example: `  # Create an Alert for kustomization events
  flux create alert \
  --event-severity info \
  --event-source Kustomization/flux-system \
  --provider-ref slack \
  flux-system`,
 	RunE: createAlertCmdRun,
 }
 type alertFlags struct {
 	providerRef   string
 	eventSeverity string
 	eventSources  []string
 }
 var alertArgs alertFlags
 func init() {
 	createAlertCmd.Flags().StringVar(&alertArgs.providerRef, "provider-ref", "", "reference to provider")
 	createAlertCmd.Flags().StringVar(&alertArgs.eventSeverity, "event-severity", "", "severity of events to send alerts for")
 	createAlertCmd.Flags().StringSliceVar(&alertArgs.eventSources, "event-source", []string{}, "sources that should generate alerts (<kind>/<name>), also accepts comma-separated values")
 	createCmd.AddCommand(createAlertCmd)
 }
 func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if alertArgs.providerRef == "" {
 		return fmt.Errorf("provider ref is required")
 	}
 	eventSources := []notificationv1.CrossNamespaceObjectReference{}
 	for _, eventSource := range alertArgs.eventSources {
 		kind, name, namespace := utils.ParseObjectKindNameNamespace(eventSource)
 		if kind == "" {
 			return fmt.Errorf("invalid event source '%s', must be in format <kind>/<name>", eventSource)
 		}
 		eventSources = append(eventSources, notificationv1.CrossNamespaceObjectReference{
 			Kind:      kind,
 			Name:      name,
 			Namespace: namespace,
 		})
 	}
 	if len(eventSources) == 0 {
 		return fmt.Errorf("at least one event source is required")
 	}
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	if !createArgs.export {
 		logger.Generatef("generating Alert")
 	}
 	alert := notificationv1b3.Alert{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1b3.AlertSpec{
 			ProviderRef: meta.LocalObjectReference{
 				Name: alertArgs.providerRef,
 			},
 			EventSeverity: alertArgs.eventSeverity,
 			EventSources:  eventSources,
 			Suspend:       false,
 		},
 	}
 	if createArgs.export {
 		return printExport(exportAlert(&alert))
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	logger.Actionf("applying Alert")
 	namespacedName, err := upsertAlert(ctx, kubeClient, &alert)
 	if err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for Alert reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
 		isStaticObjectReadyConditionFunc(kubeClient, namespacedName, &alert)); err != nil {
 		return err
 	}
 	logger.Successf("Alert %s is ready", name)
 	return nil
 }
 func upsertAlert(ctx context.Context, kubeClient client.Client,
 	alert *notificationv1b3.Alert) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: alert.GetNamespace(),
 		Name:      alert.GetName(),
 	}
 	var existing notificationv1b3.Alert
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, alert); err != nil {
 				return namespacedName, err
 			} else {
 				logger.Successf("Alert created")
 				return namespacedName, nil
 			}
 		}
 		return namespacedName, err
 	}
 	existing.Labels = alert.Labels
 	existing.Spec = alert.Spec
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return namespacedName, err
 	}
 	alert = &existing
 	logger.Successf("Alert updated")
 	return namespacedName, nil
 }
--- a/cmd/flux/create_alertprovider.go
+++ b/cmd/flux/create_alertprovider.go
@ -1,168 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createAlertProviderCmd = &cobra.Command{
 	Use:   "alert-provider [name]",
 	Short: "Create or update a Provider resource",
 	Long:  withPreviewNote(`The create alert-provider command generates a Provider resource.`),
 	Example: `  # Create a Provider for a Slack channel
  flux create alert-provider slack \
  --type slack \
  --channel general \
  --address https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK \
  --secret-ref webhook-url
  # Create a Provider for a Github repository
  flux create alert-provider github-podinfo \
  --type github \
  --address https://github.com/stefanprodan/podinfo \
  --secret-ref github-token`,
 	RunE: createAlertProviderCmdRun,
 }
 type alertProviderFlags struct {
 	alertType string
 	channel   string
 	username  string
 	address   string
 	secretRef string
 }
 var alertProviderArgs alertProviderFlags
 func init() {
 	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.alertType, "type", "", "type of provider")
 	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.channel, "channel", "", "channel to send messages to in the case of a chat provider")
 	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.username, "username", "", "bot username used by the provider")
 	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.address, "address", "", "path to either the git repository, chat provider or webhook")
 	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.secretRef, "secret-ref", "", "name of secret containing authentication token")
 	createCmd.AddCommand(createAlertProviderCmd)
 }
 func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if alertProviderArgs.alertType == "" {
 		return fmt.Errorf("Provider type is required")
 	}
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	if !createArgs.export {
 		logger.Generatef("generating Provider")
 	}
 	provider := notificationv1.Provider{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.ProviderSpec{
 			Type:     alertProviderArgs.alertType,
 			Channel:  alertProviderArgs.channel,
 			Username: alertProviderArgs.username,
 			Address:  alertProviderArgs.address,
 		},
 	}
 	if alertProviderArgs.secretRef != "" {
 		provider.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: alertProviderArgs.secretRef,
 		}
 	}
 	if createArgs.export {
 		return printExport(exportAlertProvider(&provider))
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	logger.Actionf("applying Provider")
 	namespacedName, err := upsertAlertProvider(ctx, kubeClient, &provider)
 	if err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for Provider reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
 		isStaticObjectReadyConditionFunc(kubeClient, namespacedName, &provider)); err != nil {
 		return err
 	}
 	logger.Successf("Provider %s is ready", name)
 	return nil
 }
 func upsertAlertProvider(ctx context.Context, kubeClient client.Client,
 	provider *notificationv1.Provider) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: provider.GetNamespace(),
 		Name:      provider.GetName(),
 	}
 	var existing notificationv1.Provider
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, provider); err != nil {
 				return namespacedName, err
 			} else {
 				logger.Successf("Provider created")
 				return namespacedName, nil
 			}
 		}
 		return namespacedName, err
 	}
 	existing.Labels = provider.Labels
 	existing.Spec = provider.Spec
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return namespacedName, err
 	}
 	provider = &existing
 	logger.Successf("Provider updated")
 	return namespacedName, nil
 }
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@ -1,385 +0,0 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"os"
 	"strings"
 	"time"
 	"github.com/spf13/cobra"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/transform"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Create or update a HelmRelease resource",
 	Long:    `The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.`,
 	Example: `  # Create a HelmRelease with a chart from a HelmRepository source
  flux create hr podinfo \
    --interval=10m \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --chart-version=">4.0.0"
  # Create a HelmRelease with a chart from a GitRepository source
  flux create hr podinfo \
    --interval=10m \
    --source=GitRepository/podinfo \
    --chart=./charts/podinfo
  # Create a HelmRelease with a chart from a Bucket source
  flux create hr podinfo \
    --interval=10m \
    --source=Bucket/podinfo \
    --chart=./charts/podinfo
  # Create a HelmRelease with values from local YAML files
  flux create hr podinfo \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --values=./my-values1.yaml \
    --values=./my-values2.yaml
  # Create a HelmRelease with values from a Kubernetes secret
  kubectl -n app create secret generic my-secret-values \
 	--from-file=values.yaml=/path/to/my-secret-values.yaml
  flux -n app create hr podinfo \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --values-from=Secret/my-secret-values
  # Create a HelmRelease with a custom release name
  flux create hr podinfo \
    --release-name=podinfo-dev \
    --source=HelmRepository/podinfo \
    --chart=podinfo
  # Create a HelmRelease targeting another namespace than the resource
  flux create hr podinfo \
    --target-namespace=test \
    --create-target-namespace=true \
    --source=HelmRepository/podinfo \
    --chart=podinfo
  # Create a HelmRelease using a source from a different namespace
  flux create hr podinfo \
    --namespace=default \
    --source=HelmRepository/podinfo.flux-system \
    --chart=podinfo
  # Create a HelmRelease definition on disk without applying it on the cluster
  flux create hr podinfo \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --values=./values.yaml \
    --export > podinfo-release.yaml
  # Create a HelmRelease using a chart from a HelmChart resource
  flux create hr podinfo \
    --namespace=default \
    --chart-ref=HelmChart/podinfo.flux-system \
  # Create a HelmRelease using a chart from an OCIRepository resource
  flux create hr podinfo \
    --namespace=default \
    --chart-ref=OCIRepository/podinfo.flux-system`,
 	RunE: createHelmReleaseCmdRun,
 }
 type helmReleaseFlags struct {
 	name                string
 	source              flags.HelmChartSource
 	dependsOn           []string
 	chart               string
 	chartVersion        string
 	chartRef            string
 	targetNamespace     string
 	createNamespace     bool
 	valuesFiles         []string
 	valuesFrom          []string
 	saName              string
 	crds                flags.CRDsPolicy
 	reconcileStrategy   string
 	chartInterval       time.Duration
 	kubeConfigSecretRef string
 }
 var helmReleaseArgs helmReleaseFlags
 var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}
 var supportedHelmReleaseReferenceKinds = []string{sourcev1b2.OCIRepositoryKind, sourcev1.HelmChartKind}
 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.source, "source", helmReleaseArgs.source.Description())
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chart, "chart", "", "Helm chart name or path")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
 	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart created by the helm release(accepted values: Revision and ChartRevision)")
 	createHelmReleaseCmd.Flags().DurationVarP(&helmReleaseArgs.chartInterval, "chart-interval", "", 0, "the interval of which to check for new chart versions")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFrom, "values-from", nil, "a Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>', where kind must be one of: (Secret,ConfigMap)")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.crds, "crds", helmReleaseArgs.crds.Description())
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartRef, "chart-ref", "", "the name of the HelmChart resource to use as source for the HelmRelease, in the format '<kind>/<name>.<namespace>', where kind must be one of: (OCIRepository,HelmChart)")
 	createCmd.AddCommand(createHelmReleaseCmd)
 }
 func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if helmReleaseArgs.chart == "" && helmReleaseArgs.chartRef == "" {
 		return fmt.Errorf("chart or chart-ref is required")
 	}
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	if !createArgs.export {
 		logger.Generatef("generating HelmRelease")
 	}
 	if !validateStrategy(helmReleaseArgs.reconcileStrategy) {
 		return fmt.Errorf("'%s' is an invalid reconcile strategy(valid: Revision, ChartVersion)",
 			helmReleaseArgs.reconcileStrategy)
 	}
 	helmRelease := helmv2.HelmRelease{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: helmv2.HelmReleaseSpec{
 			ReleaseName: helmReleaseArgs.name,
 			DependsOn:   utils.MakeDependsOn(helmReleaseArgs.dependsOn),
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
 			TargetNamespace: helmReleaseArgs.targetNamespace,
 			Suspend:         false,
 		},
 	}
 	switch {
 	case helmReleaseArgs.chart != "":
 		helmRelease.Spec.Chart = &helmv2.HelmChartTemplate{
 			Spec: helmv2.HelmChartTemplateSpec{
 				Chart:   helmReleaseArgs.chart,
 				Version: helmReleaseArgs.chartVersion,
 				SourceRef: helmv2.CrossNamespaceObjectReference{
 					Kind:      helmReleaseArgs.source.Kind,
 					Name:      helmReleaseArgs.source.Name,
 					Namespace: helmReleaseArgs.source.Namespace,
 				},
 				ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
 			},
 		}
 		if helmReleaseArgs.chartInterval != 0 {
 			helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
 				Duration: helmReleaseArgs.chartInterval,
 			}
 		}
 	case helmReleaseArgs.chartRef != "":
 		kind, name, ns := utils.ParseObjectKindNameNamespace(helmReleaseArgs.chartRef)
 		if kind != sourcev1.HelmChartKind && kind != sourcev1b2.OCIRepositoryKind {
 			return fmt.Errorf("chart reference kind '%s' is not supported, must be one of: %s",
 				kind, strings.Join(supportedHelmReleaseReferenceKinds, ", "))
 		}
 		helmRelease.Spec.ChartRef = &helmv2.CrossNamespaceSourceReference{
 			Kind:      kind,
 			Name:      name,
 			Namespace: ns,
 		}
 	}
 	if helmReleaseArgs.kubeConfigSecretRef != "" {
 		helmRelease.Spec.KubeConfig = &meta.KubeConfigReference{
 			SecretRef: meta.SecretKeyReference{
 				Name: helmReleaseArgs.kubeConfigSecretRef,
 			},
 		}
 	}
 	if helmReleaseArgs.createNamespace {
 		if helmRelease.Spec.Install == nil {
 			helmRelease.Spec.Install = &helmv2.Install{}
 		}
 		helmRelease.Spec.Install.CreateNamespace = helmReleaseArgs.createNamespace
 	}
 	if helmReleaseArgs.saName != "" {
 		helmRelease.Spec.ServiceAccountName = helmReleaseArgs.saName
 	}
 	if helmReleaseArgs.crds != "" {
 		if helmRelease.Spec.Install == nil {
 			helmRelease.Spec.Install = &helmv2.Install{}
 		}
 		helmRelease.Spec.Install.CRDs = helmv2.Create
 		helmRelease.Spec.Upgrade = &helmv2.Upgrade{CRDs: helmv2.CRDsPolicy(helmReleaseArgs.crds.String())}
 	}
 	if len(helmReleaseArgs.valuesFiles) > 0 {
 		valuesMap := make(map[string]interface{})
 		for _, v := range helmReleaseArgs.valuesFiles {
 			data, err := os.ReadFile(v)
 			if err != nil {
 				return fmt.Errorf("reading values from %s failed: %w", v, err)
 			}
 			jsonBytes, err := yaml.YAMLToJSON(data)
 			if err != nil {
 				return fmt.Errorf("converting values to JSON from %s failed: %w", v, err)
 			}
 			jsonMap := make(map[string]interface{})
 			if err := json.Unmarshal(jsonBytes, &jsonMap); err != nil {
 				return fmt.Errorf("unmarshaling values from %s failed: %w", v, err)
 			}
 			valuesMap = transform.MergeMaps(valuesMap, jsonMap)
 		}
 		jsonRaw, err := json.Marshal(valuesMap)
 		if err != nil {
 			return fmt.Errorf("marshaling values failed: %w", err)
 		}
 		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: jsonRaw}
 	}
 	if len(helmReleaseArgs.valuesFrom) != 0 {
 		values := []helmv2.ValuesReference{}
 		for _, value := range helmReleaseArgs.valuesFrom {
 			sourceKind, sourceName := utils.ParseObjectKindName(value)
 			if sourceKind == "" {
 				return fmt.Errorf("invalid Kubernetes object reference '%s', must be in format <kind>/<name>", value)
 			}
 			cleanSourceKind, ok := utils.ContainsEqualFoldItemString(supportedHelmReleaseValuesFromKinds, sourceKind)
 			if !ok {
 				return fmt.Errorf("reference kind '%s' is not supported, must be one of: %s",
 					sourceKind, strings.Join(supportedHelmReleaseValuesFromKinds, ", "))
 			}
 			values = append(values, helmv2.ValuesReference{
 				Name: sourceName,
 				Kind: cleanSourceKind,
 			})
 		}
 		helmRelease.Spec.ValuesFrom = values
 	}
 	if createArgs.export {
 		return printExport(exportHelmRelease(&helmRelease))
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	logger.Actionf("applying HelmRelease")
 	namespacedName, err := upsertHelmRelease(ctx, kubeClient, &helmRelease)
 	if err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for HelmRelease reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
 		isObjectReadyConditionFunc(kubeClient, namespacedName, &helmRelease)); err != nil {
 		return err
 	}
 	logger.Successf("HelmRelease %s is ready", name)
 	logger.Successf("applied revision %s", getHelmReleaseRevision(helmRelease))
 	return nil
 }
 func upsertHelmRelease(ctx context.Context, kubeClient client.Client,
 	helmRelease *helmv2.HelmRelease) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: helmRelease.GetNamespace(),
 		Name:      helmRelease.GetName(),
 	}
 	var existing helmv2.HelmRelease
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, helmRelease); err != nil {
 				return namespacedName, err
 			} else {
 				logger.Successf("HelmRelease created")
 				return namespacedName, nil
 			}
 		}
 		return namespacedName, err
 	}
 	existing.Labels = helmRelease.Labels
 	existing.Spec = helmRelease.Spec
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return namespacedName, err
 	}
 	helmRelease = &existing
 	logger.Successf("HelmRelease updated")
 	return namespacedName, nil
 }
 func validateStrategy(input string) bool {
 	allowedStrategy := []string{"Revision", "ChartVersion"}
 	for _, strategy := range allowedStrategy {
 		if strategy == input {
 			return true
 		}
 	}
 	return false
 }
--- a/cmd/flux/create_helmrelease_test.go
+++ b/cmd/flux/create_helmrelease_test.go
@ -1,86 +0,0 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import "testing"
 func TestCreateHelmRelease(t *testing.T) {
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	setupHRSource(t, tmpl)
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "missing name",
 			args:   "create helmrelease --export",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "missing chart template and chartRef",
 			args:   "create helmrelease podinfo --export",
 			assert: assertError("chart or chart-ref is required"),
 		},
 		{
 			name:   "unknown source kind",
 			args:   "create helmrelease podinfo --source foobar/podinfo --chart podinfo --export",
 			assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
 		},
 		{
 			name:   "unknown chart reference kind",
 			args:   "create helmrelease podinfo --chart-ref foobar/podinfo --export",
 			assert: assertError(`chart reference kind 'foobar' is not supported, must be one of: OCIRepository, HelmChart`),
 		},
 		{
 			name:   "basic helmrelease",
 			args:   "create helmrelease podinfo --source Helmrepository/podinfo --chart podinfo --interval=1m0s --export",
 			assert: assertGoldenTemplateFile("testdata/create_hr/basic.yaml", tmpl),
 		},
 		{
 			name:   "chart with OCIRepository source",
 			args:   "create helmrelease podinfo --chart-ref OCIRepository/podinfo --interval=1m0s --export",
 			assert: assertGoldenTemplateFile("testdata/create_hr/or_basic.yaml", tmpl),
 		},
 		{
 			name:   "chart with HelmChart source",
 			args:   "create helmrelease podinfo --chart-ref HelmChart/podinfo --interval=1m0s --export",
 			assert: assertGoldenTemplateFile("testdata/create_hr/hc_basic.yaml", tmpl),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args + " -n " + tmpl["fluxns"],
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
 func setupHRSource(t *testing.T, tmpl map[string]string) {
 	t.Helper()
 	testEnv.CreateObjectFile("./testdata/create_hr/setup-source.yaml", tmpl, t)
 }
--- a/cmd/flux/create_image.go
+++ b/cmd/flux/create_image.go
@ -1,33 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"github.com/spf13/cobra"
 )
 var createImageCmd = &cobra.Command{
 	Use:   "image",
 	Short: "Create or update resources dealing with image automation",
 	Long: `The create image sub-commands work with image automation objects;
 that is, object controlling updates to git based on e.g., new container images
 being available.`,
 }
 func init() {
 	createCmd.AddCommand(createImageCmd)
 }
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@ -1,258 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"regexp/syntax"
 	"strings"
 	"unicode"
 	"unicode/utf8"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"github.com/fluxcd/pkg/apis/meta"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 )
 var createImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Create or update an ImagePolicy object",
 	Long: withPreviewNote(`The create image policy command generates an ImagePolicy resource.
 An ImagePolicy object calculates a "latest image" given an image
 repository and a policy, e.g., semver.
 The image that sorts highest according to the policy is recorded in
 the status of the object.`),
 	Example: `  # Create an ImagePolicy to select the latest stable release
  flux create image policy podinfo \
    --image-ref=podinfo \
    --select-semver=">=1.0.0"
  # Create an ImagePolicy to select the latest main branch build tagged as "${GIT_BRANCH}-${GIT_SHA:0:7}-$(date +%s)"
  flux create image policy podinfo \
    --image-ref=podinfo \
    --select-numeric=asc \
 	--filter-regex='^main-[a-f0-9]+-(?P<ts>[0-9]+)' \
 	--filter-extract='$ts'`,
 	RunE: createImagePolicyRun}
 type imagePolicyFlags struct {
 	imageRef      string
 	semver        string
 	alpha         string
 	numeric       string
 	filterRegex   string
 	filterExtract string
 }
 var imagePolicyArgs = imagePolicyFlags{}
 func init() {
 	flags := createImagePolicyCmd.Flags()
 	flags.StringVar(&imagePolicyArgs.imageRef, "image-ref", "", "the name of an image repository object")
 	flags.StringVar(&imagePolicyArgs.semver, "select-semver", "", "a semver range to apply to tags; e.g., '1.x'")
 	flags.StringVar(&imagePolicyArgs.alpha, "select-alpha", "", "use alphabetical sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
 	flags.StringVar(&imagePolicyArgs.numeric, "select-numeric", "", "use numeric sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
 	flags.StringVar(&imagePolicyArgs.filterRegex, "filter-regex", "", "regular expression pattern used to filter the image tags")
 	flags.StringVar(&imagePolicyArgs.filterExtract, "filter-extract", "", "replacement pattern (using capture groups from --filter-regex) to use for sorting")
 	createImageCmd.AddCommand(createImagePolicyCmd)
 }
 // getObservedGeneration is implemented here, since it's not
 // (presently) needed elsewhere.
 func (obj imagePolicyAdapter) getObservedGeneration() int64 {
 	return obj.ImagePolicy.Status.ObservedGeneration
 }
 func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 	objectName := args[0]
 	if imagePolicyArgs.imageRef == "" {
 		return fmt.Errorf("the name of an ImageRepository in the namespace is required (--image-ref)")
 	}
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	var policy = imagev1.ImagePolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    labels,
 		},
 		Spec: imagev1.ImagePolicySpec{
 			ImageRepositoryRef: meta.NamespacedObjectReference{
 				Name: imagePolicyArgs.imageRef,
 			},
 		},
 	}
 	switch {
 	case imagePolicyArgs.semver != "" && imagePolicyArgs.alpha != "":
 	case imagePolicyArgs.semver != "" && imagePolicyArgs.numeric != "":
 	case imagePolicyArgs.alpha != "" && imagePolicyArgs.numeric != "":
 		return fmt.Errorf("only one of --select-semver, --select-alpha or --select-numeric can be specified")
 	case imagePolicyArgs.semver != "":
 		policy.Spec.Policy.SemVer = &imagev1.SemVerPolicy{
 			Range: imagePolicyArgs.semver,
 		}
 	case imagePolicyArgs.alpha != "":
 		if imagePolicyArgs.alpha != "desc" && imagePolicyArgs.alpha != "asc" {
 			return fmt.Errorf("--select-alpha must be one of [\"asc\", \"desc\"]")
 		}
 		policy.Spec.Policy.Alphabetical = &imagev1.AlphabeticalPolicy{
 			Order: imagePolicyArgs.alpha,
 		}
 	case imagePolicyArgs.numeric != "":
 		if imagePolicyArgs.numeric != "desc" && imagePolicyArgs.numeric != "asc" {
 			return fmt.Errorf("--select-numeric must be one of [\"asc\", \"desc\"]")
 		}
 		policy.Spec.Policy.Numerical = &imagev1.NumericalPolicy{
 			Order: imagePolicyArgs.numeric,
 		}
 	default:
 		return fmt.Errorf("a policy must be provided with either --select-semver or --select-alpha")
 	}
 	if imagePolicyArgs.filterRegex != "" {
 		exp, err := syntax.Parse(imagePolicyArgs.filterRegex, syntax.Perl)
 		if err != nil {
 			return fmt.Errorf("--filter-regex is an invalid regex pattern")
 		}
 		policy.Spec.FilterTags = &imagev1.TagFilter{
 			Pattern: imagePolicyArgs.filterRegex,
 		}
 		if imagePolicyArgs.filterExtract != "" {
 			if err := validateExtractStr(imagePolicyArgs.filterExtract, exp.CapNames()); err != nil {
 				return err
 			}
 			policy.Spec.FilterTags.Extract = imagePolicyArgs.filterExtract
 		}
 	} else if imagePolicyArgs.filterExtract != "" {
 		return fmt.Errorf("cannot specify --filter-extract without specifying --filter-regex")
 	}
 	if createArgs.export {
 		return printExport(exportImagePolicy(&policy))
 	}
 	var existing imagev1.ImagePolicy
 	copyName(&existing, &policy)
 	err = imagePolicyType.upsertAndWait(imagePolicyAdapter{&existing}, func() error {
 		existing.Spec = policy.Spec
 		existing.SetLabels(policy.Labels)
 		return nil
 	})
 	return err
 }
 // Performs a dry-run of the extract function in Regexp to validate the template
 func validateExtractStr(template string, capNames []string) error {
 	for len(template) > 0 {
 		i := strings.Index(template, "$")
 		if i < 0 {
 			return nil
 		}
 		template = template[i:]
 		if len(template) > 1 && template[1] == '$' {
 			template = template[2:]
 			continue
 		}
 		name, num, rest, ok := extract(template)
 		if !ok {
 			// Malformed extract string, assume user didn't want this
 			return fmt.Errorf("--filter-extract is malformed")
 		}
 		template = rest
 		if num >= 0 {
 			// we won't worry about numbers as we can't validate these
 			continue
 		} else {
 			found := false
 			for _, capName := range capNames {
 				if name == capName {
 					found = true
 				}
 			}
 			if !found {
 				return fmt.Errorf("capture group $%s used in --filter-extract not found in --filter-regex", name)
 			}
 		}
 	}
 	return nil
 }
 // extract method from the regexp package
 // returns the name or number of the value prepended by $
 func extract(str string) (name string, num int, rest string, ok bool) {
 	if len(str) < 2 || str[0] != '$' {
 		return
 	}
 	brace := false
 	if str[1] == '{' {
 		brace = true
 		str = str[2:]
 	} else {
 		str = str[1:]
 	}
 	i := 0
 	for i < len(str) {
 		rune, size := utf8.DecodeRuneInString(str[i:])
 		if !unicode.IsLetter(rune) && !unicode.IsDigit(rune) && rune != '_' {
 			break
 		}
 		i += size
 	}
 	if i == 0 {
 		// empty name is not okay
 		return
 	}
 	name = str[:i]
 	if brace {
 		if i >= len(str) || str[i] != '}' {
 			// missing closing brace
 			return
 		}
 		i++
 	}
 	// Parse number.
 	num = 0
 	for i := 0; i < len(name); i++ {
 		if name[i] < '0' || '9' < name[i] || num >= 1e8 {
 			num = -1
 			break
 		}
 		num = num*10 + int(name[i]) - '0'
 	}
 	// Disallow leading zeros.
 	if name[0] == '0' && len(name) > 1 {
 		num = -1
 	}
 	rest = str[i:]
 	ok = true
 	return
 }
--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@ -1,139 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"time"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"github.com/fluxcd/pkg/apis/meta"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 )
 var createImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Create or update an ImageRepository object",
 	Long: withPreviewNote(`The create image repository command generates an ImageRepository resource.
 An ImageRepository object specifies an image repository to scan.`),
 	Example: `  # Create an ImageRepository object to scan the alpine image repository:
  flux create image repository alpine-repo --image alpine --interval 20m
  # Create an image repository that uses an image pull secret (assumed to
  # have been created already):
  flux create image repository myapp-repo \
    --secret-ref image-pull \
    --image ghcr.io/example.com/myapp --interval 5m
  # Create a TLS secret for a local image registry using a self-signed
  # host certificate, and use it to scan an image. ca.pem is a file
  # containing the CA certificate used to sign the host certificate.
  flux create secret tls local-registry-cert --ca-file ./ca.pem
  flux create image repository app-repo \
    --cert-secret-ref local-registry-cert \
    --image local-registry:5000/app --interval 5m
  # Create a TLS secret with a client certificate and key, and use it
  # to scan a private image registry.
  flux create secret tls client-cert \
    --cert-file client.crt --key-file client.key
  flux create image repository app-repo \
    --cert-secret-ref client-cert \
    --image registry.example.com/private/app --interval 5m`,
 	RunE: createImageRepositoryRun,
 }
 type imageRepoFlags struct {
 	image         string
 	secretRef     string
 	certSecretRef string
 	timeout       time.Duration
 }
 var imageRepoArgs = imageRepoFlags{}
 func init() {
 	flags := createImageRepositoryCmd.Flags()
 	flags.StringVar(&imageRepoArgs.image, "image", "", "the image repository to scan; e.g., library/alpine")
 	flags.StringVar(&imageRepoArgs.secretRef, "secret-ref", "", "the name of a docker-registry secret to use for credentials")
 	flags.StringVar(&imageRepoArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
 	// NB there is already a --timeout in the global flags, for
 	// controlling timeout on operations while e.g., creating objects.
 	flags.DurationVar(&imageRepoArgs.timeout, "scan-timeout", 0, "a timeout for scanning; this defaults to the interval if not set")
 	createImageCmd.AddCommand(createImageRepositoryCmd)
 }
 func createImageRepositoryRun(cmd *cobra.Command, args []string) error {
 	objectName := args[0]
 	if imageRepoArgs.image == "" {
 		return fmt.Errorf("an image repository (--image) is required")
 	}
 	if _, err := name.NewRepository(imageRepoArgs.image); err != nil {
 		return fmt.Errorf("unable to parse image value: %w", err)
 	}
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	var repo = imagev1.ImageRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    labels,
 		},
 		Spec: imagev1.ImageRepositorySpec{
 			Image:    imageRepoArgs.image,
 			Interval: metav1.Duration{Duration: createArgs.interval},
 		},
 	}
 	if imageRepoArgs.timeout != 0 {
 		repo.Spec.Timeout = &metav1.Duration{Duration: imageRepoArgs.timeout}
 	}
 	if imageRepoArgs.secretRef != "" {
 		repo.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: imageRepoArgs.secretRef,
 		}
 	}
 	if imageRepoArgs.certSecretRef != "" {
 		repo.Spec.CertSecretRef = &meta.LocalObjectReference{
 			Name: imageRepoArgs.certSecretRef,
 		}
 	}
 	if createArgs.export {
 		return printExport(exportImageRepository(&repo))
 	}
 	// a temp value for use with the rest
 	var existing imagev1.ImageRepository
 	copyName(&existing, &repo)
 	err = imageRepositoryType.upsertAndWait(imageRepositoryAdapter{&existing}, func() error {
 		existing.Spec = repo.Spec
 		existing.Labels = repo.Labels
 		return nil
 	})
 	return err
 }
--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@ -1,178 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Create or update an ImageUpdateAutomation object",
 	Long: withPreviewNote(`The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
 mentioned in YAMLs in a git repository.`),
 	Example: `  # Configure image updates for the main repository created by flux bootstrap
  flux create image update flux-system \
    --git-repo-ref=flux-system \
    --git-repo-path="./clusters/my-cluster" \
    --checkout-branch=main \
    --author-name=flux \
    --author-email=flux@example.com \
    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
  # Configure image updates to push changes to a different branch, if the branch doesn't exists it will be created
  flux create image update flux-system \
    --git-repo-ref=flux-system \
    --git-repo-path="./clusters/my-cluster" \
    --checkout-branch=main \
    --push-branch=image-updates \
    --author-name=flux \
    --author-email=flux@example.com \
    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
  # Configure image updates for a Git repository in a different namespace
  flux create image update apps \
    --namespace=apps \
    --git-repo-ref=flux-system \
    --git-repo-namespace=flux-system \
    --git-repo-path="./clusters/my-cluster" \
    --checkout-branch=main \
    --push-branch=image-updates \
    --author-name=flux \
    --author-email=flux@example.com \
    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
 `,
 	RunE: createImageUpdateRun,
 }
 type imageUpdateFlags struct {
 	gitRepoName      string
 	gitRepoNamespace string
 	gitRepoPath      string
 	checkoutBranch   string
 	pushBranch       string
 	commitTemplate   string
 	authorName       string
 	authorEmail      string
 }
 var imageUpdateArgs = imageUpdateFlags{}
 func init() {
 	flags := createImageUpdateCmd.Flags()
 	flags.StringVar(&imageUpdateArgs.gitRepoName, "git-repo-ref", "", "the name of a GitRepository resource with details of the upstream Git repository")
 	flags.StringVar(&imageUpdateArgs.gitRepoNamespace, "git-repo-namespace", "", "the namespace of the GitRepository resource, defaults to the ImageUpdateAutomation namespace")
 	flags.StringVar(&imageUpdateArgs.gitRepoPath, "git-repo-path", "", "path to the directory containing the manifests to be updated, defaults to the repository root")
 	flags.StringVar(&imageUpdateArgs.checkoutBranch, "checkout-branch", "", "the branch to checkout")
 	flags.StringVar(&imageUpdateArgs.pushBranch, "push-branch", "", "the branch to push commits to, defaults to the checkout branch if not specified")
 	flags.StringVar(&imageUpdateArgs.commitTemplate, "commit-template", "", "a template for commit messages")
 	flags.StringVar(&imageUpdateArgs.authorName, "author-name", "", "the name to use for commit author")
 	flags.StringVar(&imageUpdateArgs.authorEmail, "author-email", "", "the email to use for commit author")
 	createImageCmd.AddCommand(createImageUpdateCmd)
 }
 func createImageUpdateRun(cmd *cobra.Command, args []string) error {
 	objectName := args[0]
 	if imageUpdateArgs.gitRepoName == "" {
 		return fmt.Errorf("a reference to a GitRepository is required (--git-repo-ref)")
 	}
 	if imageUpdateArgs.checkoutBranch == "" {
 		return fmt.Errorf("the Git repository branch is required (--checkout-branch)")
 	}
 	if imageUpdateArgs.authorName == "" {
 		return fmt.Errorf("the author name is required (--author-name)")
 	}
 	if imageUpdateArgs.authorEmail == "" {
 		return fmt.Errorf("the author email is required (--author-email)")
 	}
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	var update = autov1.ImageUpdateAutomation{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    labels,
 		},
 		Spec: autov1.ImageUpdateAutomationSpec{
 			SourceRef: autov1.CrossNamespaceSourceReference{
 				Kind:      sourcev1.GitRepositoryKind,
 				Name:      imageUpdateArgs.gitRepoName,
 				Namespace: imageUpdateArgs.gitRepoNamespace,
 			},
 			GitSpec: &autov1.GitSpec{
 				Checkout: &autov1.GitCheckoutSpec{
 					Reference: sourcev1.GitRepositoryRef{
 						Branch: imageUpdateArgs.checkoutBranch,
 					},
 				},
 				Commit: autov1.CommitSpec{
 					Author: autov1.CommitUser{
 						Name:  imageUpdateArgs.authorName,
 						Email: imageUpdateArgs.authorEmail,
 					},
 					MessageTemplate: imageUpdateArgs.commitTemplate,
 				},
 			},
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
 		},
 	}
 	if imageUpdateArgs.pushBranch != "" {
 		update.Spec.GitSpec.Push = &autov1.PushSpec{
 			Branch: imageUpdateArgs.pushBranch,
 		}
 	}
 	if imageUpdateArgs.gitRepoPath != "" {
 		update.Spec.Update = &autov1.UpdateStrategy{
 			Path:     imageUpdateArgs.gitRepoPath,
 			Strategy: autov1.UpdateStrategySetters,
 		}
 	}
 	if createArgs.export {
 		return printExport(exportImageUpdate(&update))
 	}
 	var existing autov1.ImageUpdateAutomation
 	copyName(&existing, &update)
 	err = imageUpdateAutomationType.upsertAndWait(imageUpdateAutomationAdapter{&existing}, func() error {
 		existing.Spec = update.Spec
 		existing.Labels = update.Labels
 		return nil
 	})
 	return err
 }
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@ -1,304 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"strings"
 	"time"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Create or update a Kustomization resource",
 	Long:    `The create command generates a Kustomization resource for a given source.`,
 	Example: `  # Create a Kustomization resource from a source at a given path
  flux create kustomization kyverno \
    --source=GitRepository/kyverno \
    --path="./config/release" \
    --prune=true \
    --interval=60m \
    --wait=true \
    --health-check-timeout=3m
  # Create a Kustomization resource that depends on the previous one
  flux create kustomization kyverno-policies \
    --depends-on=kyverno \
    --source=GitRepository/kyverno-policies \
    --path="./policies/flux" \
    --prune=true \
    --interval=5m
  # Create a Kustomization using a source from a different namespace
  flux create kustomization podinfo \
    --namespace=default \
    --source=GitRepository/podinfo.flux-system \
    --path="./kustomize" \
    --prune=true \
    --interval=5m
  # Create a Kustomization resource that references an OCIRepository
  flux create kustomization podinfo \
    --source=OCIRepository/podinfo \
    --target-namespace=default \
    --prune=true \
    --interval=5m
  # Create a Kustomization resource that references a Bucket
  flux create kustomization secrets \
    --source=Bucket/secrets \
    --prune=true \
    --interval=5m`,
 	RunE: createKsCmdRun,
 }
 type kustomizationFlags struct {
 	source              flags.KustomizationSource
 	path                flags.SafeRelativePath
 	prune               bool
 	dependsOn           []string
 	validation          string
 	healthCheck         []string
 	healthTimeout       time.Duration
 	saName              string
 	decryptionProvider  flags.DecryptionProvider
 	decryptionSecret    string
 	targetNamespace     string
 	wait                bool
 	kubeConfigSecretRef string
 	retryInterval       time.Duration
 }
 var kustomizationArgs = NewKustomizationFlags()
 func init() {
 	createKsCmd.Flags().Var(&kustomizationArgs.source, "source", kustomizationArgs.source.Description())
 	createKsCmd.Flags().Var(&kustomizationArgs.path, "path", "path to the directory containing a kustomization.yaml file")
 	createKsCmd.Flags().BoolVar(&kustomizationArgs.prune, "prune", false, "enable garbage collection")
 	createKsCmd.Flags().BoolVar(&kustomizationArgs.wait, "wait", false, "enable health checking of all the applied resources")
 	createKsCmd.Flags().StringSliceVar(&kustomizationArgs.healthCheck, "health-check", nil, "workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'")
 	createKsCmd.Flags().DurationVar(&kustomizationArgs.healthTimeout, "health-check-timeout", 2*time.Minute, "timeout of health checking operations")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.validation, "validation", "", "validate the manifests before applying them on the cluster, can be 'client' or 'server'")
 	createKsCmd.Flags().StringSliceVar(&kustomizationArgs.dependsOn, "depends-on", nil, "Kustomization that must be ready before this Kustomization can be applied, supported formats '<name>' and '<namespace>/<name>', also accepts comma-separated values")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this Kustomization")
 	createKsCmd.Flags().Var(&kustomizationArgs.decryptionProvider, "decryption-provider", kustomizationArgs.decryptionProvider.Description())
 	createKsCmd.Flags().StringVar(&kustomizationArgs.decryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.targetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createKsCmd.Flags().MarkDeprecated("validation", "this arg is no longer used, all resources are validated using server-side apply dry-run")
 	createKsCmd.Flags().DurationVar(&kustomizationArgs.retryInterval, "retry-interval", 0, "the interval at which to retry a previously failed reconciliation")
 	createCmd.AddCommand(createKsCmd)
 }
 func NewKustomizationFlags() kustomizationFlags {
 	return kustomizationFlags{
 		path: "./",
 	}
 }
 func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if kustomizationArgs.path == "" {
 		return fmt.Errorf("path is required")
 	}
 	if !strings.HasPrefix(kustomizationArgs.path.String(), "./") {
 		return fmt.Errorf("path must begin with ./")
 	}
 	if !createArgs.export {
 		logger.Generatef("generating Kustomization")
 	}
 	kslabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	kustomization := kustomizev1.Kustomization{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    kslabels,
 		},
 		Spec: kustomizev1.KustomizationSpec{
 			DependsOn: utils.MakeDependsOn(kustomizationArgs.dependsOn),
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
 			Path:  kustomizationArgs.path.ToSlash(),
 			Prune: kustomizationArgs.prune,
 			SourceRef: kustomizev1.CrossNamespaceSourceReference{
 				Kind:      kustomizationArgs.source.Kind,
 				Name:      kustomizationArgs.source.Name,
 				Namespace: kustomizationArgs.source.Namespace,
 			},
 			Suspend:         false,
 			TargetNamespace: kustomizationArgs.targetNamespace,
 		},
 	}
 	if kustomizationArgs.kubeConfigSecretRef != "" {
 		kustomization.Spec.KubeConfig = &meta.KubeConfigReference{
 			SecretRef: meta.SecretKeyReference{
 				Name: kustomizationArgs.kubeConfigSecretRef,
 			},
 		}
 	}
 	if len(kustomizationArgs.healthCheck) > 0 && !kustomizationArgs.wait {
 		healthChecks := make([]meta.NamespacedObjectKindReference, 0)
 		for _, w := range kustomizationArgs.healthCheck {
 			kindObj := strings.Split(w, "/")
 			if len(kindObj) != 2 {
 				return fmt.Errorf("invalid health check '%s' must be in the format 'kind/name.namespace' %v", w, kindObj)
 			}
 			kind := kindObj[0]
 			//TODO: (stefan) extend this list with all the kstatus builtin kinds
 			kinds := map[string]bool{
 				"Deployment":           true,
 				"DaemonSet":            true,
 				"StatefulSet":          true,
 				helmv2.HelmReleaseKind: true,
 			}
 			if !kinds[kind] {
 				return fmt.Errorf("invalid health check kind '%s' can be HelmRelease, Deployment, DaemonSet or StatefulSet", kind)
 			}
 			nameNs := strings.Split(kindObj[1], ".")
 			if len(nameNs) != 2 {
 				return fmt.Errorf("invalid health check '%s' must be in the format 'kind/name.namespace'", w)
 			}
 			check := meta.NamespacedObjectKindReference{
 				Kind:      kind,
 				Name:      nameNs[0],
 				Namespace: nameNs[1],
 			}
 			if kind == helmv2.HelmReleaseKind {
 				check.APIVersion = helmv2.GroupVersion.String()
 			}
 			healthChecks = append(healthChecks, check)
 		}
 		kustomization.Spec.HealthChecks = healthChecks
 		kustomization.Spec.Timeout = &metav1.Duration{
 			Duration: kustomizationArgs.healthTimeout,
 		}
 	}
 	if kustomizationArgs.wait {
 		kustomization.Spec.Wait = true
 		kustomization.Spec.Timeout = &metav1.Duration{
 			Duration: kustomizationArgs.healthTimeout,
 		}
 	}
 	if kustomizationArgs.saName != "" {
 		kustomization.Spec.ServiceAccountName = kustomizationArgs.saName
 	}
 	if kustomizationArgs.decryptionProvider != "" {
 		kustomization.Spec.Decryption = &kustomizev1.Decryption{
 			Provider: kustomizationArgs.decryptionProvider.String(),
 		}
 		if kustomizationArgs.decryptionSecret != "" {
 			kustomization.Spec.Decryption.SecretRef = &meta.LocalObjectReference{Name: kustomizationArgs.decryptionSecret}
 		}
 	}
 	if kustomizationArgs.retryInterval > 0 {
 		kustomization.Spec.RetryInterval = &metav1.Duration{Duration: kustomizationArgs.retryInterval}
 	}
 	if createArgs.export {
 		return printExport(exportKs(&kustomization))
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	logger.Actionf("applying Kustomization")
 	namespacedName, err := upsertKustomization(ctx, kubeClient, &kustomization)
 	if err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for Kustomization reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
 		isObjectReadyConditionFunc(kubeClient, namespacedName, &kustomization)); err != nil {
 		return err
 	}
 	logger.Successf("Kustomization %s is ready", name)
 	logger.Successf("applied revision %s", kustomization.Status.LastAppliedRevision)
 	return nil
 }
 func upsertKustomization(ctx context.Context, kubeClient client.Client,
 	kustomization *kustomizev1.Kustomization) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: kustomization.GetNamespace(),
 		Name:      kustomization.GetName(),
 	}
 	var existing kustomizev1.Kustomization
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, kustomization); err != nil {
 				return namespacedName, err
 			} else {
 				logger.Successf("Kustomization created")
 				return namespacedName, nil
 			}
 		}
 		return namespacedName, err
 	}
 	existing.Labels = kustomization.Labels
 	existing.Spec = kustomization.Spec
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return namespacedName, err
 	}
 	kustomization = &existing
 	logger.Successf("Kustomization updated")
 	return namespacedName, nil
 }
--- a/cmd/flux/create_receiver.go
+++ b/cmd/flux/create_receiver.go
@ -1,180 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createReceiverCmd = &cobra.Command{
 	Use:   "receiver [name]",
 	Short: "Create or update a Receiver resource",
 	Long:  `The create receiver command generates a Receiver resource.`,
 	Example: `  # Create a Receiver
  flux create receiver github-receiver \
 	--type github \
 	--event ping \
 	--event push \
 	--secret-ref webhook-token \
 	--resource GitRepository/webapp \
 	--resource HelmRepository/webapp`,
 	RunE: createReceiverCmdRun,
 }
 type receiverFlags struct {
 	receiverType string
 	secretRef    string
 	events       []string
 	resources    []string
 }
 var receiverArgs receiverFlags
 func init() {
 	createReceiverCmd.Flags().StringVar(&receiverArgs.receiverType, "type", "", "")
 	createReceiverCmd.Flags().StringVar(&receiverArgs.secretRef, "secret-ref", "", "")
 	createReceiverCmd.Flags().StringSliceVar(&receiverArgs.events, "event", []string{}, "also accepts comma-separated values")
 	createReceiverCmd.Flags().StringSliceVar(&receiverArgs.resources, "resource", []string{}, "also accepts comma-separated values")
 	createCmd.AddCommand(createReceiverCmd)
 }
 func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if receiverArgs.receiverType == "" {
 		return fmt.Errorf("Receiver type is required")
 	}
 	if receiverArgs.secretRef == "" {
 		return fmt.Errorf("secret ref is required")
 	}
 	resources := []notificationv1.CrossNamespaceObjectReference{}
 	for _, resource := range receiverArgs.resources {
 		kind, name := utils.ParseObjectKindName(resource)
 		if kind == "" {
 			return fmt.Errorf("invalid event source '%s', must be in format <kind>/<name>", resource)
 		}
 		resources = append(resources, notificationv1.CrossNamespaceObjectReference{
 			Kind: kind,
 			Name: name,
 		})
 	}
 	if len(resources) == 0 {
 		return fmt.Errorf("atleast one resource is required")
 	}
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	if !createArgs.export {
 		logger.Generatef("generating Receiver")
 	}
 	receiver := notificationv1.Receiver{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.ReceiverSpec{
 			Type:      receiverArgs.receiverType,
 			Events:    receiverArgs.events,
 			Resources: resources,
 			SecretRef: meta.LocalObjectReference{
 				Name: receiverArgs.secretRef,
 			},
 			Suspend: false,
 		},
 	}
 	if createArgs.export {
 		return printExport(exportReceiver(&receiver))
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	logger.Actionf("applying Receiver")
 	namespacedName, err := upsertReceiver(ctx, kubeClient, &receiver)
 	if err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for Receiver reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
 		isObjectReadyConditionFunc(kubeClient, namespacedName, &receiver)); err != nil {
 		return err
 	}
 	logger.Successf("Receiver %s is ready", name)
 	logger.Successf("generated webhook URL %s", receiver.Status.WebhookPath)
 	return nil
 }
 func upsertReceiver(ctx context.Context, kubeClient client.Client,
 	receiver *notificationv1.Receiver) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: receiver.GetNamespace(),
 		Name:      receiver.GetName(),
 	}
 	var existing notificationv1.Receiver
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, receiver); err != nil {
 				return namespacedName, err
 			} else {
 				logger.Successf("Receiver created")
 				return namespacedName, nil
 			}
 		}
 		return namespacedName, err
 	}
 	existing.Labels = receiver.Labels
 	existing.Spec = receiver.Spec
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return namespacedName, err
 	}
 	receiver = &existing
 	logger.Successf("Receiver updated")
 	return namespacedName, nil
 }
--- a/cmd/flux/create_secret.go
+++ b/cmd/flux/create_secret.go
@ -1,63 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 var createSecretCmd = &cobra.Command{
 	Use:   "secret",
 	Short: "Create or update Kubernetes secrets",
 	Long:  `The create source sub-commands generate Kubernetes secrets specific to Flux.`,
 }
 func init() {
 	createCmd.AddCommand(createSecretCmd)
 }
 func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.Secret) error {
 	namespacedName := types.NamespacedName{
 		Namespace: secret.GetNamespace(),
 		Name:      secret.GetName(),
 	}
 	var existing corev1.Secret
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, &secret); err != nil {
 				return err
 			} else {
 				return nil
 			}
 		}
 		return err
 	}
 	existing.StringData = secret.StringData
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return err
 	}
 	return nil
 }
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@ -1,206 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"crypto/elliptic"
 	"fmt"
 	"net/url"
 	"os"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var createSecretGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Create or update a Kubernetes secret for Git authentication",
 	Long: `The create secret git command generates a Kubernetes secret with Git credentials.
 For Git over SSH, the host and SSH keys are automatically generated and stored
 in the secret.
 For Git over HTTP/S, the provided basic authentication credentials or bearer
 authentication token are stored in the secret.`,
 	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
  flux create secret git podinfo-auth \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --ssh-key-algorithm=ecdsa \
    --ssh-ecdsa-curve=p521
  # Create a Git SSH authentication secret with a passwordless private key from file
  # The public SSH host key will still be gathered from the host
  flux create secret git podinfo-auth \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --private-key-file=./private.key
  # Create a Git SSH authentication secret with a passworded private key from file
  # The public SSH host key will still be gathered from the host
  flux create secret git podinfo-auth \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --private-key-file=./private.key \
    --password=<password>
  # Create a secret for a Git repository using basic authentication
  flux create secret git podinfo-auth \
    --url=https://github.com/stefanprodan/podinfo \
    --username=username \
    --password=password
  # Create a Git SSH secret on disk
  flux create secret git podinfo-auth \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --export > podinfo-auth.yaml
  # Print the deploy key
  yq eval '.stringData."identity.pub"' podinfo-auth.yaml
  # Encrypt the secret on disk with Mozilla SOPS
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place podinfo-auth.yaml`,
 	RunE: createSecretGitCmdRun,
 }
 type secretGitFlags struct {
 	url            string
 	username       string
 	password       string
 	keyAlgorithm   flags.PublicKeyAlgorithm
 	rsaBits        flags.RSAKeyBits
 	ecdsaCurve     flags.ECDSACurve
 	caCrtFile      string
 	privateKeyFile string
 	bearerToken    string
 }
 var secretGitArgs = NewSecretGitFlags()
 func init() {
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.url, "url", "", "git address, e.g. ssh://git@host/org/repository")
 	createSecretGitCmd.Flags().StringVarP(&secretGitArgs.username, "username", "u", "", "basic authentication username")
 	createSecretGitCmd.Flags().StringVarP(&secretGitArgs.password, "password", "p", "", "basic authentication password")
 	createSecretGitCmd.Flags().Var(&secretGitArgs.keyAlgorithm, "ssh-key-algorithm", secretGitArgs.keyAlgorithm.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")
 	createSecretCmd.AddCommand(createSecretGitCmd)
 }
 func NewSecretGitFlags() secretGitFlags {
 	return secretGitFlags{
 		keyAlgorithm: flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		rsaBits:      2048,
 		ecdsaCurve:   flags.ECDSACurve{Curve: elliptic.P384()},
 	}
 }
 func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if secretGitArgs.url == "" {
 		return fmt.Errorf("url is required")
 	}
 	u, err := url.Parse(secretGitArgs.url)
 	if err != nil {
 		return fmt.Errorf("git URL parse failed: %w", err)
 	}
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	opts := sourcesecret.Options{
 		Name:         name,
 		Namespace:    *kubeconfigArgs.Namespace,
 		Labels:       labels,
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
 	switch u.Scheme {
 	case "ssh":
 		keypair, err := sourcesecret.LoadKeyPairFromPath(secretGitArgs.privateKeyFile, secretGitArgs.password)
 		if err != nil {
 			return err
 		}
 		opts.Keypair = keypair
 		opts.SSHHostname = u.Host
 		opts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(secretGitArgs.keyAlgorithm)
 		opts.RSAKeyBits = int(secretGitArgs.rsaBits)
 		opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
 		opts.Password = secretGitArgs.password
 	case "http", "https":
 		if (secretGitArgs.username == "" || secretGitArgs.password == "") && secretGitArgs.bearerToken == "" {
 			return fmt.Errorf("for Git over HTTP/S the username and password, or a bearer token is required")
 		}
 		opts.Username = secretGitArgs.username
 		opts.Password = secretGitArgs.password
 		opts.BearerToken = secretGitArgs.bearerToken
 		if secretGitArgs.username != "" && secretGitArgs.password != "" && secretGitArgs.bearerToken != "" {
 			return fmt.Errorf("user credentials and bearer token cannot be used together")
 		}
 		// --ca-crt-file takes precedence over --ca-file.
 		if secretGitArgs.caCrtFile != "" {
 			opts.CACrt, err = os.ReadFile(secretGitArgs.caCrtFile)
 			if err != nil {
 				return fmt.Errorf("unable to read TLS CA file: %w", err)
 			}
 		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
 		logger.Generatef("deploy key: %s", ppk)
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("git secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_git_test.go
+++ b/cmd/flux/create_secret_git_test.go
@ -1,70 +0,0 @@
 package main
 import (
 	"fmt"
 	"os"
 	"testing"
 )
 func TestCreateGitSecret(t *testing.T) {
 	file, err := os.CreateTemp(t.TempDir(), "ca-crt")
 	if err != nil {
 		t.Fatal("could not create CA certificate file")
 	}
 	_, err = file.Write([]byte("ca-data"))
 	if err != nil {
 		t.Fatal("could not write to CA certificate file")
 	}
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "no args",
 			args:   "create secret git",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "basic secret",
 			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=my-username --password=my-password --namespace=my-namespace --export",
 			assert: assertGoldenFile("./testdata/create_secret/git/secret-git-basic.yaml"),
 		},
 		{
 			name:   "ssh key",
 			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa.private --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret.yaml"),
 		},
 		{
 			name:   "ssh key with password",
 			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
 		},
 		{
 			name:   "git authentication with bearer token",
 			args:   "create secret git bearer-token-auth --url=https://github.com/stefanprodan/podinfo --bearer-token=ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-bearer-token.yaml"),
 		},
 		{
 			name:   "git authentication with CA certificate",
 			args:   fmt.Sprintf("create secret git ca-crt --url=https://github.com/stefanprodan/podinfo --password=my-password --username=my-username --ca-crt-file=%s --namespace=my-namespace --export", file.Name()),
 			assert: assertGoldenFile("testdata/create_secret/git/secret-ca-crt.yaml"),
 		},
 		{
 			name:   "git authentication with basic auth and bearer token",
 			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",
 			assert: assertError("user credentials and bearer token cannot be used together"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_github_app.go
+++ b/cmd/flux/create_secret_github_app.go
@ -1,128 +0,0 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 )
 var createSecretGitHubAppCmd = &cobra.Command{
 	Use:   "githubapp [name]",
 	Short: "Create or update a github app secret",
 	Long:  withPreviewNote(`The create secret githubapp command generates a Kubernetes secret that can be used for GitRepository authentication with github app`),
 	Example: `  # Create a githubapp authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret githubapp podinfo-auth \
    --app-id="1" \
    --app-installation-id="2" \
    --app-private-key=./private-key-file.pem \
    --export > githubapp-auth.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place githubapp-auth.yaml
 	`,
 	RunE: createSecretGitHubAppCmdRun,
 }
 type secretGitHubAppFlags struct {
 	appID             string
 	appInstallationID string
 	privateKeyFile    string
 	baseURL           string
 }
 var secretGitHubAppArgs = secretGitHubAppFlags{}
 func init() {
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appID, "app-id", "", "github app ID")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appInstallationID, "app-installation-id", "", "github app installation ID")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.privateKeyFile, "app-private-key", "", "github app private key file path")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.baseURL, "app-base-url", "", "github app base URL")
 	createSecretCmd.AddCommand(createSecretGitHubAppCmd)
 }
 func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	secretName := args[0]
 	if secretGitHubAppArgs.appID == "" {
 		return fmt.Errorf("--app-id is required")
 	}
 	if secretGitHubAppArgs.appInstallationID == "" {
 		return fmt.Errorf("--app-installation-id is required")
 	}
 	if secretGitHubAppArgs.privateKeyFile == "" {
 		return fmt.Errorf("--app-private-key is required")
 	}
 	privateKey, err := os.ReadFile(secretGitHubAppArgs.privateKeyFile)
 	if err != nil {
 		return fmt.Errorf("unable to read private key file: %w", err)
 	}
 	opts := sourcesecret.Options{
 		Name:                    secretName,
 		Namespace:               *kubeconfigArgs.Namespace,
 		GitHubAppID:             secretGitHubAppArgs.appID,
 		GitHubAppInstallationID: secretGitHubAppArgs.appInstallationID,
 		GitHubAppPrivateKey:     string(privateKey),
 	}
 	if secretGitHubAppArgs.baseURL != "" {
 		opts.GitHubAppBaseURL = secretGitHubAppArgs.baseURL
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("githubapp secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_githubapp_test.go
+++ b/cmd/flux/create_secret_githubapp_test.go
@ -1,74 +0,0 @@
 /*
 Copyright 2022 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestCreateSecretGitHubApp(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "create githubapp secret with missing name",
 			args:   "create secret githubapp",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "create githubapp secret with missing app-id",
 			args:   "create secret githubapp appinfo",
 			assert: assertError("--app-id is required"),
 		},
 		{
 			name:   "create githubapp secret with missing appInstallationID",
 			args:   "create secret githubapp appinfo --app-id 1",
 			assert: assertError("--app-installation-id is required"),
 		},
 		{
 			name:   "create githubapp secret with missing private key file",
 			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2",
 			assert: assertError("--app-private-key is required"),
 		},
 		{
 			name:   "create githubapp secret with private key file that does not exist",
 			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2 --app-private-key pk.pem",
 			assert: assertError("unable to read private key file: open pk.pem: no such file or directory"),
 		},
 		{
 			name:   "create githubapp secret with app info",
 			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/githubapp/secret.yaml"),
 		},
 		{
 			name:   "create githubapp secret with appinfo and base url",
 			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --app-base-url www.example.com/api/v3 --export",
 			assert: assertGoldenFile("testdata/create_secret/githubapp/secret-with-baseurl.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@ -1,131 +0,0 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var createSecretHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a Kubernetes secret for Helm repository authentication",
 	Long:  `The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
 	Example: ` # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret helm repo-auth \
    --namespace=my-namespace \
    --username=my-username \
    --password=my-password \
    --export > repo-auth.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place repo-auth.yaml`,
 	RunE: createSecretHelmCmdRun,
 }
 type secretHelmFlags struct {
 	username string
 	password string
 	secretTLSFlags
 }
 var secretHelmArgs secretHelmFlags
 func init() {
 	flags := createSecretHelmCmd.Flags()
 	flags.StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
 	flags.StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
 	flags.StringVar(&secretHelmArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
 	flags.StringVar(&secretHelmArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
 	flags.StringVar(&secretHelmArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
 	createSecretCmd.AddCommand(createSecretHelmCmd)
 }
 func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	caBundle := []byte{}
 	if secretHelmArgs.caCrtFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(secretHelmArgs.caCrtFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	var certFile, keyFile []byte
 	if secretHelmArgs.tlsCrtFile != "" && secretHelmArgs.tlsKeyFile != "" {
 		if certFile, err = os.ReadFile(secretHelmArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
 		if keyFile, err = os.ReadFile(secretHelmArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
 	opts := sourcesecret.Options{
 		Name:      name,
 		Namespace: *kubeconfigArgs.Namespace,
 		Labels:    labels,
 		Username:  secretHelmArgs.username,
 		Password:  secretHelmArgs.password,
 		CACrt:     caBundle,
 		TLSCrt:    certFile,
 		TLSKey:    keyFile,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("helm secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_helm_test.go
+++ b/cmd/flux/create_secret_helm_test.go
@ -1,47 +0,0 @@
 /*
 Copyright 2022 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestCreateHelmSecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			args:   "create secret helm",
 			assert: assertError("name is required"),
 		},
 		{
 			args:   "create secret helm helm-secret --username=my-username --password=my-password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/helm/secret-helm.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_notation.go
+++ b/cmd/flux/create_secret_notation.go
@ -1,161 +0,0 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/notaryproject/notation-go/verifier/trustpolicy"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 )
 var createSecretNotationCmd = &cobra.Command{
 	Use:   "notation [name]",
 	Short: "Create or update a Kubernetes secret for verifications of artifacts signed by Notation",
 	Long:  withPreviewNote(`The create secret notation command generates a Kubernetes secret with root ca certificates and trust policy.`),
 	Example: ` # Create a Notation configuration secret on disk and encrypt it with Mozilla SOPS
  flux create secret notation my-notation-cert \
    --namespace=my-namespace \
    --trust-policy-file=./my-trust-policy.json \
    --ca-cert-file=./my-cert.crt \
    --export > my-notation-cert.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place my-notation-cert.yaml`,
 	RunE: createSecretNotationCmdRun,
 }
 type secretNotationFlags struct {
 	trustPolicyFile string
 	caCrtFile       []string
 }
 var secretNotationArgs secretNotationFlags
 func init() {
 	createSecretNotationCmd.Flags().StringVar(&secretNotationArgs.trustPolicyFile, "trust-policy-file", "", "notation trust policy file path")
 	createSecretNotationCmd.Flags().StringSliceVar(&secretNotationArgs.caCrtFile, "ca-cert-file", []string{}, "root ca cert file path")
 	createSecretCmd.AddCommand(createSecretNotationCmd)
 }
 func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	if secretNotationArgs.caCrtFile == nil || len(secretNotationArgs.caCrtFile) == 0 {
 		return fmt.Errorf("--ca-cert-file is required")
 	}
 	if secretNotationArgs.trustPolicyFile == "" {
 		return fmt.Errorf("--trust-policy-file is required")
 	}
 	name := args[0]
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	policy, err := os.ReadFile(secretNotationArgs.trustPolicyFile)
 	if err != nil {
 		return fmt.Errorf("unable to read trust policy file: %w", err)
 	}
 	var doc trustpolicy.Document
 	if err := json.Unmarshal(policy, &doc); err != nil {
 		return fmt.Errorf("failed to unmarshal trust policy %s: %w", secretNotationArgs.trustPolicyFile, err)
 	}
 	if err := doc.Validate(); err != nil {
 		return fmt.Errorf("invalid trust policy: %w", err)
 	}
 	var (
 		caCerts []sourcesecret.VerificationCrt
 		fileErr error
 	)
 	for _, caCrtFile := range secretNotationArgs.caCrtFile {
 		fileName := filepath.Base(caCrtFile)
 		if !strings.HasSuffix(fileName, ".crt") && !strings.HasSuffix(fileName, ".pem") {
 			fileErr = errors.Join(fileErr, fmt.Errorf("%s must end with either .crt or .pem", fileName))
 			continue
 		}
 		caBundle, err := os.ReadFile(caCrtFile)
 		if err != nil {
 			fileErr = errors.Join(fileErr, fmt.Errorf("unable to read TLS CA file: %w", err))
 			continue
 		}
 		caCerts = append(caCerts, sourcesecret.VerificationCrt{Name: fileName, CACrt: caBundle})
 	}
 	if fileErr != nil {
 		return fileErr
 	}
 	if len(caCerts) == 0 {
 		return fmt.Errorf("no CA certs found")
 	}
 	opts := sourcesecret.Options{
 		Name:             name,
 		Namespace:        *kubeconfigArgs.Namespace,
 		Labels:           labels,
 		VerificationCrts: caCerts,
 		TrustPolicy:      policy,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("notation configuration secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_notation_test.go
+++ b/cmd/flux/create_secret_notation_test.go
@ -1,124 +0,0 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
 )
 const (
 	trustPolicy        = "./testdata/create_secret/notation/test-trust-policy.json"
 	invalidTrustPolicy = "./testdata/create_secret/notation/invalid-trust-policy.json"
 	invalidJson        = "./testdata/create_secret/notation/invalid.json"
 	testCertFolder     = "./testdata/create_secret/notation"
 )
 func TestCreateNotationSecret(t *testing.T) {
 	crt, err := os.Create(filepath.Join(t.TempDir(), "ca.crt"))
 	if err != nil {
 		t.Fatal("could not create ca.crt file")
 	}
 	pem, err := os.Create(filepath.Join(t.TempDir(), "ca.pem"))
 	if err != nil {
 		t.Fatal("could not create ca.pem file")
 	}
 	invalidCert, err := os.Create(filepath.Join(t.TempDir(), "ca.p12"))
 	if err != nil {
 		t.Fatal("could not create ca.p12 file")
 	}
 	_, err = crt.Write([]byte("ca-data-crt"))
 	if err != nil {
 		t.Fatal("could not write to crt certificate file")
 	}
 	_, err = pem.Write([]byte("ca-data-pem"))
 	if err != nil {
 		t.Fatal("could not write to pem certificate file")
 	}
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "no args",
 			args:   "create secret notation",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "no trust policy",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s", testCertFolder),
 			assert: assertError("--trust-policy-file is required"),
 		},
 		{
 			name:   "no cert",
 			args:   fmt.Sprintf("create secret notation notation-config --trust-policy-file=%s", trustPolicy),
 			assert: assertError("--ca-cert-file is required"),
 		},
 		{
 			name:   "non pem and crt cert",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", invalidCert.Name(), trustPolicy),
 			assert: assertError("ca.p12 must end with either .crt or .pem"),
 		},
 		{
 			name:   "invalid trust policy",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidTrustPolicy),
 			assert: assertError("invalid trust policy: trust policy: a trust policy statement is missing a name, every statement requires a name"),
 		},
 		{
 			name:   "invalid trust policy json",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidJson),
 			assert: assertError(fmt.Sprintf("failed to unmarshal trust policy %s: json: cannot unmarshal string into Go value of type trustpolicy.Document", invalidJson)),
 		},
 		{
 			name:   "crt secret",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), trustPolicy),
 			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-crt.yaml"),
 		},
 		{
 			name:   "pem secret",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", pem.Name(), trustPolicy),
 			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-pem.yaml"),
 		},
 		{
 			name:   "multi secret",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), pem.Name(), trustPolicy),
 			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-multi.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			defer func() {
 				secretNotationArgs = secretNotationFlags{}
 			}()
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_oci.go
+++ b/cmd/flux/create_secret_oci.go
@ -1,121 +0,0 @@
 /*
 Copyright 2022 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 )
 var createSecretOCICmd = &cobra.Command{
 	Use:   "oci [name]",
 	Short: "Create or update a Kubernetes image pull secret",
 	Long:  withPreviewNote(`The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`),
 	Example: `  # Create an OCI authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret oci podinfo-auth \
    --url=ghcr.io \
    --username=username \
    --password=password \
    --export > repo-auth.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place repo-auth.yaml
 	`,
 	RunE: createSecretOCICmdRun,
 }
 type secretOCIFlags struct {
 	url      string
 	password string
 	username string
 }
 var secretOCIArgs = secretOCIFlags{}
 func init() {
 	createSecretOCICmd.Flags().StringVar(&secretOCIArgs.url, "url", "", "oci repository address e.g ghcr.io/stefanprodan/charts")
 	createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.username, "username", "u", "", "basic authentication username")
 	createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.password, "password", "p", "", "basic authentication password")
 	createSecretCmd.AddCommand(createSecretOCICmd)
 }
 func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	secretName := args[0]
 	if secretOCIArgs.url == "" {
 		return fmt.Errorf("--url is required")
 	}
 	if secretOCIArgs.username == "" {
 		return fmt.Errorf("--username is required")
 	}
 	if secretOCIArgs.password == "" {
 		return fmt.Errorf("--password is required")
 	}
 	if _, err := name.ParseReference(secretOCIArgs.url); err != nil {
 		return fmt.Errorf("error parsing url: '%s'", err)
 	}
 	opts := sourcesecret.Options{
 		Name:      secretName,
 		Namespace: *kubeconfigArgs.Namespace,
 		Registry:  secretOCIArgs.url,
 		Password:  secretOCIArgs.password,
 		Username:  secretOCIArgs.username,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("oci secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_oci_test.go
+++ b/cmd/flux/create_secret_oci_test.go
@ -1,51 +0,0 @@
 /*
 Copyright 2022 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestCreateSecretOCI(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			args:   "create secret oci",
 			assert: assertError("name is required"),
 		},
 		{
 			args:   "create secret oci ghcr",
 			assert: assertError("--url is required"),
 		},
 		{
 			args:   "create secret oci ghcr --namespace=my-namespace --url ghcr.io --username stefanprodan --password=password --export",
 			assert: assertGoldenFile("testdata/create_secret/oci/create-secret.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_proxy.go
+++ b/cmd/flux/create_secret_proxy.go
@ -1,112 +0,0 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"errors"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var createSecretProxyCmd = &cobra.Command{
 	Use:   "proxy [name]",
 	Short: "Create or update a Kubernetes secret for proxy authentication",
 	Long: `The create secret proxy command generates a Kubernetes secret with the
 proxy address and the basic authentication credentials.`,
 	Example: ` # Create a proxy secret on disk and encrypt it with SOPS
  flux create secret proxy my-proxy \
    --namespace=my-namespace \
    --address=https://my-proxy.com \
    --username=my-username \
    --password=my-password \
    --export > proxy.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place proxy.yaml`,
 	RunE: createSecretProxyCmdRun,
 }
 type secretProxyFlags struct {
 	address  string
 	username string
 	password string
 }
 var secretProxyArgs secretProxyFlags
 func init() {
 	createSecretProxyCmd.Flags().StringVar(&secretProxyArgs.address, "address", "", "proxy address")
 	createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.username, "username", "u", "", "basic authentication username")
 	createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.password, "password", "p", "", "basic authentication password")
 	createSecretCmd.AddCommand(createSecretProxyCmd)
 }
 func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	if secretProxyArgs.address == "" {
 		return errors.New("address is required")
 	}
 	opts := sourcesecret.Options{
 		Name:      name,
 		Namespace: *kubeconfigArgs.Namespace,
 		Labels:    labels,
 		Address:   secretProxyArgs.address,
 		Username:  secretProxyArgs.username,
 		Password:  secretProxyArgs.password,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("proxy secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_proxy_test.go
+++ b/cmd/flux/create_secret_proxy_test.go
@ -1,47 +0,0 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestCreateProxySecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			args:   "create secret proxy proxy-secret",
 			assert: assertError("address is required"),
 		},
 		{
 			args:   "create secret proxy proxy-secret --address=https://my-proxy.com --username=my-username --password=my-password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/proxy/secret-proxy.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@ -1,122 +0,0 @@
 /*
 Copyright 2020, 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var createSecretTLSCmd = &cobra.Command{
 	Use:   "tls [name]",
 	Short: "Create or update a Kubernetes secret with TLS certificates",
 	Long:  `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
 	Example: ` # Create a TLS secret on disk and encrypt it with SOPS.
  # Files are expected to be PEM-encoded.
  flux create secret tls certs \
    --namespace=my-namespace \
    --tls-crt-file=./client.crt \
    --tls-key-file=./client.key \
    --ca-crt-file=./ca.crt \
    --export > certs.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place certs.yaml`,
 	RunE: createSecretTLSCmdRun,
 }
 type secretTLSFlags struct {
 	caCrtFile  string
 	tlsKeyFile string
 	tlsCrtFile string
 }
 var secretTLSArgs secretTLSFlags
 func init() {
 	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
 	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
 	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
 	createSecretCmd.AddCommand(createSecretTLSCmd)
 }
 func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	opts := sourcesecret.Options{
 		Name:      name,
 		Namespace: *kubeconfigArgs.Namespace,
 		Labels:    labels,
 	}
 	if secretTLSArgs.caCrtFile != "" {
 		opts.CACrt, err = os.ReadFile(secretTLSArgs.caCrtFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
 		if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
 		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Print(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("tls secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_tls_test.go
+++ b/cmd/flux/create_secret_tls_test.go
@ -1,31 +0,0 @@
 package main
 import (
 	"testing"
 )
 func TestCreateTlsSecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			args:   "create secret tls",
 			assert: assertError("name is required"),
 		},
 		{
 			args:   "create secret tls certs --namespace=my-namespace --tls-crt-file=./testdata/create_secret/tls/test-cert.pem --tls-key-file=./testdata/create_secret/tls/test-key.pem --ca-crt-file=./testdata/create_secret/tls/test-ca.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_source.go
+++ b/cmd/flux/create_source.go
@ -1,41 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"time"
 	"github.com/spf13/cobra"
 )
 var createSourceCmd = &cobra.Command{
 	Use:   "source",
 	Short: "Create or update sources",
 	Long:  `The create source sub-commands generate sources.`,
 }
 type createSourceFlags struct {
 	fetchTimeout time.Duration
 }
 var createSourceArgs createSourceFlags
 func init() {
 	createSourceCmd.PersistentFlags().DurationVar(&createSourceArgs.fetchTimeout, "fetch-timeout", createSourceArgs.fetchTimeout,
 		"set a timeout for fetch operations performed by source-controller (e.g. 'git clone' or 'helm repo update')")
 	createCmd.AddCommand(createSourceCmd)
 }
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@ -1,256 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"strings"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Create or update a Bucket source",
 	Long: `The create source bucket command generates a Bucket resource and waits for it to be downloaded.
 For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`,
 	Example: `  # Create a source for a Bucket using static authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
    --endpoint=minio.minio.svc.cluster.local:9000 \
 	--insecure=true \
 	--access-key=myaccesskey \
 	--secret-key=mysecretkey \
    --interval=10m
  # Create a source for an Amazon S3 Bucket using IAM authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
 	--provider=aws \
    --endpoint=s3.amazonaws.com \
 	--region=us-east-1 \
    --interval=10m`,
 	RunE: createSourceBucketCmdRun,
 }
 type sourceBucketFlags struct {
 	name           string
 	provider       flags.SourceBucketProvider
 	endpoint       string
 	accessKey      string
 	secretKey      string
 	region         string
 	insecure       bool
 	secretRef      string
 	proxySecretRef string
 	ignorePaths    []string
 }
 var sourceBucketArgs = newSourceBucketFlags()
 func init() {
 	createSourceBucketCmd.Flags().Var(&sourceBucketArgs.provider, "provider", sourceBucketArgs.provider.Description())
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.name, "bucket-name", "", "the bucket name")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.endpoint, "endpoint", "", "the bucket endpoint address")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.accessKey, "access-key", "", "the bucket access key")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretKey, "secret-key", "", "the bucket secret key")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.region, "region", "", "the bucket region")
 	createSourceBucketCmd.Flags().BoolVar(&sourceBucketArgs.insecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretRef, "secret-ref", "", "the name of an existing secret containing credentials")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceBucketCmd.Flags().StringSliceVar(&sourceBucketArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in bucket resource (can specify multiple paths with commas: path1,path2)")
 	createSourceCmd.AddCommand(createSourceBucketCmd)
 }
 func newSourceBucketFlags() sourceBucketFlags {
 	return sourceBucketFlags{
 		provider: flags.SourceBucketProvider(sourcev1.BucketProviderGeneric),
 	}
 }
 func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if sourceBucketArgs.name == "" {
 		return fmt.Errorf("bucket-name is required")
 	}
 	if sourceBucketArgs.endpoint == "" {
 		return fmt.Errorf("endpoint is required")
 	}
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
 	var ignorePaths *string
 	if len(sourceBucketArgs.ignorePaths) > 0 {
 		ignorePathsStr := strings.Join(sourceBucketArgs.ignorePaths, "\n")
 		ignorePaths = &ignorePathsStr
 	}
 	bucket := &sourcev1.Bucket{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.BucketSpec{
 			BucketName: sourceBucketArgs.name,
 			Provider:   sourceBucketArgs.provider.String(),
 			Insecure:   sourceBucketArgs.insecure,
 			Endpoint:   sourceBucketArgs.endpoint,
 			Region:     sourceBucketArgs.region,
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
 			Ignore: ignorePaths,
 		},
 	}
 	if createSourceArgs.fetchTimeout > 0 {
 		bucket.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}
 	if sourceBucketArgs.secretRef != "" {
 		bucket.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: sourceBucketArgs.secretRef,
 		}
 	}
 	if sourceBucketArgs.proxySecretRef != "" {
 		bucket.Spec.ProxySecretRef = &meta.LocalObjectReference{
 			Name: sourceBucketArgs.proxySecretRef,
 		}
 	}
 	if createArgs.export {
 		return printExport(exportBucket(bucket))
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	logger.Generatef("generating Bucket source")
 	if sourceBucketArgs.secretRef == "" {
 		secretName := fmt.Sprintf("bucket-%s", name)
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      secretName,
 				Namespace: *kubeconfigArgs.Namespace,
 				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{},
 		}
 		if sourceBucketArgs.accessKey != "" && sourceBucketArgs.secretKey != "" {
 			secret.StringData["accesskey"] = sourceBucketArgs.accessKey
 			secret.StringData["secretkey"] = sourceBucketArgs.secretKey
 		}
 		if len(secret.StringData) > 0 {
 			logger.Actionf("applying secret with the bucket credentials")
 			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 				return err
 			}
 			bucket.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
 			logger.Successf("authentication configured")
 		}
 	}
 	logger.Actionf("applying Bucket source")
 	namespacedName, err := upsertBucket(ctx, kubeClient, bucket)
 	if err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for Bucket source reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
 		isObjectReadyConditionFunc(kubeClient, namespacedName, bucket)); err != nil {
 		return err
 	}
 	logger.Successf("Bucket source reconciliation completed")
 	if bucket.Status.Artifact == nil {
 		return fmt.Errorf("Bucket source reconciliation but no artifact was found")
 	}
 	logger.Successf("fetched revision: %s", bucket.Status.Artifact.Revision)
 	return nil
 }
 func upsertBucket(ctx context.Context, kubeClient client.Client,
 	bucket *sourcev1.Bucket) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: bucket.GetNamespace(),
 		Name:      bucket.GetName(),
 	}
 	var existing sourcev1.Bucket
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, bucket); err != nil {
 				return namespacedName, err
 			} else {
 				logger.Successf("Bucket source created")
 				return namespacedName, nil
 			}
 		}
 		return namespacedName, err
 	}
 	existing.Labels = bucket.Labels
 	existing.Spec = bucket.Spec
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return namespacedName, err
 	}
 	bucket = &existing
 	logger.Successf("Bucket source updated")
 	return namespacedName, nil
 }
--- a/cmd/flux/create_source_chart.go
+++ b/cmd/flux/create_source_chart.go
@ -1,217 +0,0 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createSourceChartCmd = &cobra.Command{
 	Use:   "chart [name]",
 	Short: "Create or update a HelmChart source",
 	Long:  `The create source chart command generates a HelmChart resource and waits for the chart to be available.`,
 	Example: `  # Create a source for a chart residing in a HelmRepository
  flux create source chart podinfo \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --chart-version=6.x
  # Create a source for a chart residing in a Git repository
  flux create source chart podinfo \
    --source=GitRepository/podinfo \
    --chart=./charts/podinfo
  # Create a source for a chart residing in a S3 Bucket
  flux create source chart podinfo \
    --source=Bucket/podinfo \
    --chart=./charts/podinfo
  # Create a source for a chart from OCI and verify its signature
  flux create source chart podinfo \
    --source HelmRepository/podinfo \
    --chart podinfo \
    --chart-version=6.6.2 \
    --verify-provider=cosign \
    --verify-issuer=https://token.actions.githubusercontent.com \
    --verify-subject=https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2`,
 	RunE: createSourceChartCmdRun,
 }
 type sourceChartFlags struct {
 	chart             string
 	chartVersion      string
 	source            flags.LocalHelmChartSource
 	reconcileStrategy string
 	verifyProvider    flags.SourceOCIVerifyProvider
 	verifySecretRef   string
 	verifyOIDCIssuer  string
 	verifySubject     string
 }
 var sourceChartArgs sourceChartFlags
 func init() {
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chart, "chart", "", "Helm chart name or path")
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createSourceChartCmd.Flags().Var(&sourceChartArgs.source, "source", sourceChartArgs.source.Description())
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart (accepted values: Revision and ChartRevision)")
 	createSourceChartCmd.Flags().Var(&sourceChartArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
 	createSourceCmd.AddCommand(createSourceChartCmd)
 }
 func createSourceChartCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if sourceChartArgs.source.Kind == "" || sourceChartArgs.source.Name == "" {
 		return fmt.Errorf("chart source is required")
 	}
 	if sourceChartArgs.chart == "" {
 		return fmt.Errorf("chart name or path is required")
 	}
 	logger.Generatef("generating HelmChart source")
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	helmChart := &sourcev1.HelmChart{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.HelmChartSpec{
 			Chart:   sourceChartArgs.chart,
 			Version: sourceChartArgs.chartVersion,
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
 			ReconcileStrategy: sourceChartArgs.reconcileStrategy,
 			SourceRef: sourcev1.LocalHelmChartSourceReference{
 				Kind: sourceChartArgs.source.Kind,
 				Name: sourceChartArgs.source.Name,
 			},
 		},
 	}
 	if provider := sourceChartArgs.verifyProvider.String(); provider != "" {
 		helmChart.Spec.Verify = &sourcev1.OCIRepositoryVerification{
 			Provider: provider,
 		}
 		if secretName := sourceChartArgs.verifySecretRef; secretName != "" {
 			helmChart.Spec.Verify.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
 		}
 		verifyIssuer := sourceChartArgs.verifyOIDCIssuer
 		verifySubject := sourceChartArgs.verifySubject
 		if verifyIssuer != "" || verifySubject != "" {
 			helmChart.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
 				Issuer:  verifyIssuer,
 				Subject: verifySubject,
 			}}
 		}
 	} else if sourceChartArgs.verifySecretRef != "" {
 		return fmt.Errorf("a verification provider must be specified when a secret is specified")
 	} else if sourceChartArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
 		return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
 	}
 	if createArgs.export {
 		return printExport(exportHelmChart(helmChart))
 	}
 	logger.Actionf("applying HelmChart source")
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	namespacedName, err := upsertHelmChart(ctx, kubeClient, helmChart)
 	if err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for HelmChart source reconciliation")
 	readyConditionFunc := isObjectReadyConditionFunc(kubeClient, namespacedName, helmChart)
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true, readyConditionFunc); err != nil {
 		return err
 	}
 	logger.Successf("HelmChart source reconciliation completed")
 	if helmChart.Status.Artifact == nil {
 		return fmt.Errorf("HelmChart source reconciliation completed but no artifact was found")
 	}
 	logger.Successf("fetched revision: %s", helmChart.Status.Artifact.Revision)
 	return nil
 }
 func upsertHelmChart(ctx context.Context, kubeClient client.Client,
 	helmChart *sourcev1.HelmChart) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: helmChart.GetNamespace(),
 		Name:      helmChart.GetName(),
 	}
 	var existing sourcev1.HelmChart
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, helmChart); err != nil {
 				return namespacedName, err
 			} else {
 				logger.Successf("source created")
 				return namespacedName, nil
 			}
 		}
 		return namespacedName, err
 	}
 	existing.Labels = helmChart.Labels
 	existing.Spec = helmChart.Spec
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return namespacedName, err
 	}
 	helmChart = &existing
 	logger.Successf("source updated")
 	return namespacedName, nil
 }
--- a/cmd/flux/create_source_chart_test.go
+++ b/cmd/flux/create_source_chart_test.go
@ -1,91 +0,0 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import "testing"
 func TestCreateSourceChart(t *testing.T) {
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	setupSourceChart(t, tmpl)
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "missing name",
 			args:   "create source chart --export",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "missing source reference",
 			args:   "create source chart podinfo --export ",
 			assert: assertError("chart source is required"),
 		},
 		{
 			name:   "missing chart name",
 			args:   "create source chart podinfo --source helmrepository/podinfo --export",
 			assert: assertError("chart name or path is required"),
 		},
 		{
 			name:   "unknown source kind",
 			args:   "create source chart podinfo --source foobar/podinfo --export",
 			assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
 		},
 		{
 			name:   "basic chart",
 			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --export",
 			assert: assertGoldenTemplateFile("testdata/create_source_chart/basic.yaml", tmpl),
 		},
 		{
 			name:   "chart with basic signature verification",
 			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --export",
 			assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_basic.yaml", tmpl),
 		},
 		{
 			name:   "unknown signature verification provider",
 			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider foobar --export",
 			assert: assertError(`invalid argument "foobar" for "--verify-provider" flag: source OCI verify provider 'foobar' is not supported, must be one of: cosign`),
 		},
 		{
 			name:   "chart with complete signature verification",
 			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --verify-issuer foo --verify-subject bar --export",
 			assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_complete.yaml", tmpl),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args + " -n " + tmpl["fluxns"],
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
 func setupSourceChart(t *testing.T, tmpl map[string]string) {
 	t.Helper()
 	testEnv.CreateObjectFile("./testdata/create_source_chart/setup-source.yaml", tmpl, t)
 }
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@ -1,389 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"crypto/elliptic"
 	"fmt"
 	"net/url"
 	"os"
 	"strings"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 type sourceGitFlags struct {
 	url               string
 	branch            string
 	tag               string
 	semver            string
 	refName           string
 	commit            string
 	username          string
 	password          string
 	keyAlgorithm      flags.PublicKeyAlgorithm
 	keyRSABits        flags.RSAKeyBits
 	keyECDSACurve     flags.ECDSACurve
 	secretRef         string
 	proxySecretRef    string
 	provider          flags.SourceGitProvider
 	caFile            string
 	privateKeyFile    string
 	recurseSubmodules bool
 	silent            bool
 	ignorePaths       []string
 }
 var createSourceGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Create or update a GitRepository source",
 	Long: `The create source git command generates a GitRepository resource and waits for it to sync.
 For Git over SSH, host and SSH keys are automatically generated and stored in a Kubernetes secret.
 For private Git repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
 	Example: `  # Create a source from a public Git repository master branch
  flux create source git podinfo \
    --url=https://github.com/stefanprodan/podinfo \
    --branch=master
  # Create a source for a Git repository pinned to specific git tag
  flux create source git podinfo \
    --url=https://github.com/stefanprodan/podinfo \
    --tag="3.2.3"
  # Create a source from a public Git repository tag that matches a semver range
  flux create source git podinfo \
    --url=https://github.com/stefanprodan/podinfo \
    --tag-semver=">=3.2.0 <3.3.0"
  # Create a source for a Git repository using SSH authentication
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --branch=master
  # Create a source for a Git repository using SSH authentication and an
  # ECDSA P-521 curve public key
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --branch=master \
    --ssh-key-algorithm=ecdsa \
    --ssh-ecdsa-curve=p521
  # Create a source for a Git repository using SSH authentication and a
  #	passwordless private key from file
  # The public SSH host key will still be gathered from the host
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --branch=master \
    --private-key-file=./private.key
  # Create a source for a Git repository using SSH authentication and a
  # private key with a password from file
  # The public SSH host key will still be gathered from the host
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --branch=master \
    --private-key-file=./private.key \
    --password=<password>
  # Create a source for a Git repository using basic authentication
  flux create source git podinfo \
    --url=https://github.com/stefanprodan/podinfo \
    --branch=master \
    --username=username \
    --password=password
  # Create a source for a Git repository using azure provider
  flux create source git podinfo \
    --url=https://dev.azure.com/foo/bar/_git/podinfo \
    --branch=master \
    --provider=azure`,
 	RunE: createSourceGitCmdRun,
 }
 var sourceGitArgs = newSourceGitFlags()
 func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.url, "url", "", "git address, e.g. ssh://git@host/org/repository")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", "git reference name")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.commit, "commit", "", "git commit")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyRSABits, "ssh-rsa-bits", sourceGitArgs.keyRSABits.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyECDSACurve, "ssh-ecdsa-curve", sourceGitArgs.keyECDSACurve.Description())
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials or github app authentication")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.provider, "provider", sourceGitArgs.provider.Description())
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSourceGitCmd.Flags().BoolVar(&sourceGitArgs.recurseSubmodules, "recurse-submodules", false,
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in git resource (can specify multiple paths with commas: path1,path2)")
 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
 func newSourceGitFlags() sourceGitFlags {
 	return sourceGitFlags{
 		keyAlgorithm:  flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		keyRSABits:    2048,
 		keyECDSACurve: flags.ECDSACurve{Curve: elliptic.P384()},
 	}
 }
 func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if sourceGitArgs.url == "" {
 		return fmt.Errorf("url is required")
 	}
 	u, err := url.Parse(sourceGitArgs.url)
 	if err != nil {
 		return fmt.Errorf("git URL parse failed: %w", err)
 	}
 	if u.Scheme != "ssh" && u.Scheme != "http" && u.Scheme != "https" {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
 	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" && sourceGitArgs.commit == "" && sourceGitArgs.refName == "" {
 		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag, --commit, --ref-name or --tag-semver")
 	}
 	if sourceGitArgs.caFile != "" && u.Scheme == "ssh" {
 		return fmt.Errorf("specifying a CA file is not supported for Git over SSH")
 	}
 	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	var ignorePaths *string
 	if len(sourceGitArgs.ignorePaths) > 0 {
 		ignorePathsStr := strings.Join(sourceGitArgs.ignorePaths, "\n")
 		ignorePaths = &ignorePathsStr
 	}
 	gitRepository := sourcev1.GitRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.GitRepositorySpec{
 			URL: sourceGitArgs.url,
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
 			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
 			Reference:         &sourcev1.GitRepositoryRef{},
 			Ignore:            ignorePaths,
 		},
 	}
 	if createSourceArgs.fetchTimeout > 0 {
 		gitRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}
 	if sourceGitArgs.commit != "" {
 		gitRepository.Spec.Reference.Commit = sourceGitArgs.commit
 		gitRepository.Spec.Reference.Branch = sourceGitArgs.branch
 	} else if sourceGitArgs.refName != "" {
 		gitRepository.Spec.Reference.Name = sourceGitArgs.refName
 	} else if sourceGitArgs.semver != "" {
 		gitRepository.Spec.Reference.SemVer = sourceGitArgs.semver
 	} else if sourceGitArgs.tag != "" {
 		gitRepository.Spec.Reference.Tag = sourceGitArgs.tag
 	} else {
 		gitRepository.Spec.Reference.Branch = sourceGitArgs.branch
 	}
 	if sourceGitArgs.secretRef != "" {
 		gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: sourceGitArgs.secretRef,
 		}
 	}
 	if sourceGitArgs.proxySecretRef != "" {
 		gitRepository.Spec.ProxySecretRef = &meta.LocalObjectReference{
 			Name: sourceGitArgs.proxySecretRef,
 		}
 	}
 	if provider := sourceGitArgs.provider.String(); provider != "" {
 		gitRepository.Spec.Provider = provider
 	}
 	if createArgs.export {
 		return printExport(exportGit(&gitRepository))
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	logger.Generatef("generating GitRepository source")
 	if sourceGitArgs.secretRef == "" {
 		secretOpts := sourcesecret.Options{
 			Name:         name,
 			Namespace:    *kubeconfigArgs.Namespace,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
 		switch u.Scheme {
 		case "ssh":
 			keypair, err := sourcesecret.LoadKeyPairFromPath(sourceGitArgs.privateKeyFile, sourceGitArgs.password)
 			if err != nil {
 				return err
 			}
 			secretOpts.Keypair = keypair
 			secretOpts.SSHHostname = u.Host
 			secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(sourceGitArgs.keyAlgorithm)
 			secretOpts.RSAKeyBits = int(sourceGitArgs.keyRSABits)
 			secretOpts.ECDSACurve = sourceGitArgs.keyECDSACurve.Curve
 			secretOpts.Password = sourceGitArgs.password
 		case "https":
 			if sourceGitArgs.caFile != "" {
 				caBundle, err := os.ReadFile(sourceGitArgs.caFile)
 				if err != nil {
 					return fmt.Errorf("unable to read TLS CA file: %w", err)
 				}
 				secretOpts.CACrt = caBundle
 			}
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 		case "http":
 			logger.Warningf("insecure configuration: credentials configured for an HTTP URL")
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 		}
 		secret, err := sourcesecret.Generate(secretOpts)
 		if err != nil {
 			return err
 		}
 		var s corev1.Secret
 		if err = yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 			return err
 		}
 		if len(s.StringData) > 0 {
 			if hk, ok := s.StringData[sourcesecret.KnownHostsSecretKey]; ok {
 				logger.Successf("collected public key from SSH server:\n%s", hk)
 			}
 			if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
 				logger.Generatef("deploy key: %s", ppk)
 				if !sourceGitArgs.silent {
 					prompt := promptui.Prompt{
 						Label:     "Have you added the deploy key to your repository",
 						IsConfirm: true,
 					}
 					if _, err := prompt.Run(); err != nil {
 						return fmt.Errorf("aborting")
 					}
 				}
 			}
 			logger.Actionf("applying secret with repository credentials")
 			if err := upsertSecret(ctx, kubeClient, s); err != nil {
 				return err
 			}
 			gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: s.Name,
 			}
 			logger.Successf("authentication configured")
 		}
 	}
 	logger.Actionf("applying GitRepository source")
 	namespacedName, err := upsertGitRepository(ctx, kubeClient, &gitRepository)
 	if err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for GitRepository source reconciliation")
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
 		isObjectReadyConditionFunc(kubeClient, namespacedName, &gitRepository)); err != nil {
 		return err
 	}
 	logger.Successf("GitRepository source reconciliation completed")
 	if gitRepository.Status.Artifact == nil {
 		return fmt.Errorf("GitRepository source reconciliation completed but no artifact was found")
 	}
 	logger.Successf("fetched revision: %s", gitRepository.Status.Artifact.Revision)
 	return nil
 }
 func upsertGitRepository(ctx context.Context, kubeClient client.Client,
 	gitRepository *sourcev1.GitRepository) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: gitRepository.GetNamespace(),
 		Name:      gitRepository.GetName(),
 	}
 	var existing sourcev1.GitRepository
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, gitRepository); err != nil {
 				return namespacedName, err
 			} else {
 				logger.Successf("GitRepository source created")
 				return namespacedName, nil
 			}
 		}
 		return namespacedName, err
 	}
 	existing.Labels = gitRepository.Labels
 	existing.Spec = gitRepository.Spec
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return namespacedName, err
 	}
 	gitRepository = &existing
 	logger.Successf("GitRepository source updated")
 	return namespacedName, nil
 }
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@ -1,276 +0,0 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"testing"
 	"time"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var pollInterval = 50 * time.Millisecond
 var testTimeout = 10 * time.Second
 // Update the GitRepository once created to exercise test specific behavior
 type reconcileFunc func(repo *sourcev1.GitRepository)
 // reconciler waits for an object to be created, then invokes a test supplied
 // function to mutate that object, simulating a controller.
 // Test should invoke run() to run the background reconciler task which
 // polls to wait for the object to exist before applying the update function.
 // Any errors from the reconciler are asserted on test completion.
 type reconciler struct {
 	client    client.Client
 	name      types.NamespacedName
 	reconcile reconcileFunc
 }
 // Start the background task that waits for the object to exist then applies
 // the update function.
 func (r *reconciler) run(t *testing.T) {
 	result := make(chan error)
 	go func() {
 		defer close(result)
 		err := wait.PollImmediate(
 			pollInterval,
 			testTimeout,
 			r.conditionFunc)
 		result <- err
 	}()
 	t.Cleanup(func() {
 		if err := <-result; err != nil {
 			t.Errorf("Failure from test reconciler: '%v':", err.Error())
 		}
 	})
 }
 // A ConditionFunction that waits for the named GitRepository to be created,
 // then sets the ready condition to true.
 func (r *reconciler) conditionFunc() (bool, error) {
 	var repo sourcev1.GitRepository
 	if err := r.client.Get(context.Background(), r.name, &repo); err != nil {
 		if errors.IsNotFound(err) {
 			return false, nil // Keep polling until object is created
 		}
 		return true, err
 	}
 	r.reconcile(&repo)
 	err := r.client.Status().Update(context.Background(), &repo)
 	return true, err
 }
 func TestCreateSourceGitExport(t *testing.T) {
 	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
 	cases := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			"ExportSucceeded",
 			command,
 			assertGoldenFile("testdata/create_source_git/export.golden"),
 		},
 		{
 			name:   "no args",
 			args:   "create secret git",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "source with commit",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --commit=c88a2f41 --interval=1m0s --export",
 			assert: assertGoldenFile("./testdata/create_source_git/source-git-commit.yaml"),
 		},
 		{
 			name:   "source with ref name",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --ref-name=refs/heads/main --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-refname.yaml"),
 		},
 		{
 			name:   "source with branch name and commit",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=main --commit=c88a2f41 --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-branch-commit.yaml"),
 		},
 		{
 			name:   "source with semver",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --tag-semver=v1.01 --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-semver.yaml"),
 		},
 		{
 			name:   "source with git tag",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --tag=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-tag.yaml"),
 		},
 		{
 			name:   "source with git branch",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-branch.yaml"),
 		},
 		{
 			name:   "source with generic provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --provider generic --branch=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-generic.yaml"),
 		},
 		{
 			name:   "source with azure provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider azure --branch=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-azure.yaml"),
 		},
 		{
 			name:   "source with github provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --provider github --branch=test --interval=1m0s --secret-ref appinfo --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-github.yaml"),
 		},
 		{
 			name:   "source with invalid provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider dummy --branch=test --interval=1m0s --export",
 			assert: assertError("invalid argument \"dummy\" for \"--provider\" flag: source Git provider 'dummy' is not supported, must be one of: generic|azure|github"),
 		},
 		{
 			name:   "source with empty provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider \"\" --branch=test --interval=1m0s --export",
 			assert: assertError("invalid argument \"\" for \"--provider\" flag: no source Git provider given, please specify the Git provider name"),
 		},
 		{
 			name:   "source with no provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --branch=test --interval=1m0s --export --provider",
 			assert: assertError("flag needs an argument: --provider"),
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tc.args,
 				assert: tc.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
 func TestCreateSourceGit(t *testing.T) {
 	// Default command used for multiple tests
 	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --timeout=" + testTimeout.String()
 	cases := []struct {
 		name      string
 		args      string
 		assert    assertFunc
 		reconcile reconcileFunc
 	}{
 		{
 			"NoArgs",
 			"create source git",
 			assertError("name is required"),
 			nil,
 		}, {
 			"Succeeded",
 			command,
 			assertGoldenFile("testdata/create_source_git/success.golden"),
 			func(repo *sourcev1.GitRepository) {
 				newCondition := metav1.Condition{
 					Type:               meta.ReadyCondition,
 					Status:             metav1.ConditionTrue,
 					Reason:             sourcev1.GitOperationSucceedReason,
 					Message:            "succeeded message",
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
 				repo.Status.Artifact = &sourcev1.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
 					LastUpdateTime: metav1.Time{
 						Time: time.Now(),
 					},
 				}
 				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		}, {
 			"Failed",
 			command,
 			assertError("failed message"),
 			func(repo *sourcev1.GitRepository) {
 				stalledCondition := metav1.Condition{
 					Type:               meta.StalledCondition,
 					Status:             metav1.ConditionTrue,
 					Reason:             sourcev1.URLInvalidReason,
 					Message:            "failed message",
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, stalledCondition)
 				newCondition := metav1.Condition{
 					Type:               meta.ReadyCondition,
 					Status:             metav1.ConditionFalse,
 					Reason:             sourcev1.URLInvalidReason,
 					Message:            "failed message",
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
 				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		}, {
 			"NoArtifact",
 			command,
 			assertError("GitRepository source reconciliation completed but no artifact was found"),
 			func(repo *sourcev1.GitRepository) {
 				// Updated with no artifact
 				newCondition := metav1.Condition{
 					Type:               meta.ReadyCondition,
 					Status:             metav1.ConditionTrue,
 					Reason:             sourcev1.GitOperationSucceedReason,
 					Message:            "succeeded message",
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
 				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			ns := allocateNamespace("podinfo")
 			setupTestNamespace(ns, t)
 			if tc.reconcile != nil {
 				r := reconciler{
 					client:    testEnv.client,
 					name:      types.NamespacedName{Namespace: ns, Name: "podinfo"},
 					reconcile: tc.reconcile,
 				}
 				r.run(t)
 			}
 			cmd := cmdTestCase{
 				args:   tc.args + " -n=" + ns,
 				assert: tc.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/Show More
+++ b/Show More