.github/aur/flux-bin/.SRCINFO.template

@@ -4,16 +4,13 @@ pkgbase = flux-bin
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
+	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
-	optdepends = bash-completion: auto-completion for flux in Bash
+	source_x86_64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_amd64.tar.gz
-	optdepends = zsh-completions: auto-completion for flux in ZSH
+	source_armv6h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
-	source_x86_64 = flux-bin-${PKGVER}_linux_amd64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz
+	source_armv7h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
-	sha256sums_x86_64 = ${SHA256SUM_AMD64}
+	source_aarch64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm64.tar.gz
-	source_armv7h = flux-bin-${PKGVER}_linux_arm.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm.tar.gz
-	sha256sums_armv7h = ${SHA256SUM_ARM}
-	source_aarch64 = flux-bin-${PKGVER}_linux_arm64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm64.tar.gz
-	sha256sums_aarch64 = ${SHA256SUM_ARM64}
 
 pkgname = flux-bin

.github/aur/flux-bin/PKGBUILD.template

@@ -4,32 +4,37 @@
 pkgname=flux-bin
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
-_srcname=flux
-_srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv7h" "aarch64")
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
 license=("APACHE")
-optdepends=('bash-completion: auto-completion for flux in Bash'
+optdepends=('bash-completion: auto-completion for flux in Bash',
-            'zsh-completions: auto-completion for flux in ZSH')
+'zsh-completions: auto-completion for flux in ZSH')
 source_x86_64=(
-  "${pkgname}-${pkgver}_linux_amd64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_amd64.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
+)
+source_armv6h=(
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
 )
 source_armv7h=(
-  "${pkgname}-${pkgver}_linux_arm.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
 )
 source_aarch64=(
-  "${pkgname}-${pkgver}_linux_arm64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm64.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
 )
 sha256sums_x86_64=(
   ${SHA256SUM_AMD64}
 )
+sha256sums_armv6h=(
+  ${SHA256SUM_ARM}
+)
 sha256sums_armv7h=(
   ${SHA256SUM_ARM}
 )
 sha256sums_aarch64=(
   ${SHA256SUM_ARM64}
 )
+_srcname=flux
 
 package() {
 	install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"

.github/aur/flux-bin/publish.sh

@@ -28,7 +28,6 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
 
-# Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}
 
 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
@@ -37,12 +36,12 @@ else
     export PKGREL=1
 fi
 
-export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_arm.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm.tar.gz | awk '{ print $1 }')
-export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_arm64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm64.tar.gz | awk '{ print $1 }')
-export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_amd64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_amd64.tar.gz | awk '{ print $1 }')
 
-envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
-envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD
+envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD
 
 cd $GITDIR
 git config user.name "fluxcdbot"

.github/aur/flux-go/.SRCINFO.template

@@ -4,6 +4,7 @@ pkgbase = flux-go
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
+	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
@@ -12,6 +13,6 @@ pkgbase = flux-go
 	provides = flux-bin
 	conflicts = flux-bin
   replaces = flux-cli
-	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${VERSION}.tar.gz
+	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${PKGVER}.tar.gz
 
 pkgname = flux-go

.github/aur/flux-go/PKGBUILD.template

@@ -4,44 +4,43 @@
 pkgname=flux-go
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
-_srcname=flux
-_srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv7h" "aarch64")
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
 license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 replaces=("flux-cli")
 depends=("glibc")
-makedepends=('go>=1.20', 'kustomize>=5.0')
+makedepends=('go>=1.17', 'kustomize>=3.0')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${_srcver}.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${pkgver}.tar.gz"
 )
 sha256sums=(
   ${SHA256SUM}
 )
+_srcname=flux
 
 build() {
-  cd "flux2-${_srcver}"
+  cd "flux2-${pkgver}"
   export CGO_LDFLAGS="$LDFLAGS"
   export CGO_CFLAGS="$CFLAGS"
   export CGO_CXXFLAGS="$CXXFLAGS"
   export CGO_CPPFLAGS="$CPPFLAGS"
   export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
   make cmd/flux/.manifests.done
-  go build -ldflags "-linkmode=external -X main.VERSION=${_srcver}" -o ${_srcname} ./cmd/flux
+  go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
 }
 
 check() {
-  cd "flux2-${_srcver}"
+  cd "flux2-${pkgver}"
   case $CARCH in
     aarch64)
       export ENVTEST_ARCH=arm64
       ;;
-    armv7h)
+    armv6h|armv7h)
       export ENVTEST_ARCH=arm
       ;;
   esac
@@ -49,7 +48,7 @@ check() {
 }
 
 package() {
-  cd "flux2-${_srcver}"
+  cd "flux2-${pkgver}"
   install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
   install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
 

.github/aur/flux-go/publish.sh

@@ -28,7 +28,6 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
 
-# Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}
 
 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
@@ -37,10 +36,10 @@ else
     export PKGREL=1
 fi
 
-export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v${VERSION}.tar.gz | sha256sum | awk '{ print $1 }')
+export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v$PKGVER.tar.gz | sha256sum | awk '{ print $1 }')
 
-envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
-envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD
+envsubst '$PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD
 
 cd $GITDIR
 git config user.name "fluxcdbot"

.github/aur/flux-scm/.SRCINFO.template

@@ -4,6 +4,7 @@ pkgbase = flux-scm
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
+	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE

.github/aur/flux-scm/PKGBUILD.template

@@ -4,21 +4,21 @@
 pkgname=flux-scm
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
-_srcname=flux
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv7h" "aarch64")
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
 license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 depends=("glibc")
-makedepends=('go>=1.20', 'kustomize>=5.0', 'git')
+makedepends=('go>=1.17', 'kustomize>=3.0', 'git')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
   "git+https://github.com/fluxcd/flux2.git"
 )
 md5sums=('SKIP')
+_srcname=flux
 
 pkgver() {
   cd "flux2"
@@ -42,7 +42,7 @@ check() {
     aarch64)
       export ENVTEST_ARCH=arm64
       ;;
-    armv7h)
+    armv6h|armv7h)
       export ENVTEST_ARCH=arm
       ;;
   esac

.github/aur/flux-scm/publish.sh

@@ -28,7 +28,6 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
 
-# Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}
 
 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then

.github/dependabot.yml

@@ -1,16 +0,0 @@
-version: 2
-
-updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    labels: ["area/ci", "dependencies"]
-    groups:
-      # Group all updates together, so that they are all applied in a single PR.
-      # Grouped updates are currently in beta and is subject to change.
-      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
-      ci:
-        patterns:
-          - "*"
-    schedule:
-      # By default, this will be on a monday.
-      interval: "weekly"

.github/kind/config.yaml

@@ -1,9 +1,5 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
-nodes:
-  - role: control-plane
-  - role: worker
-  - role: worker
 networking:
   disableDefaultCNI: true   # disable kindnet
   podSubnet: 192.168.0.0/16 # set to Calico's default subnet

.github/labels.yaml

@@ -1,55 +0,0 @@
-# Configuration file to declaratively configure labels
-# Ref: https://github.com/EndBug/label-sync#Config-files
-
-- name: area/bootstrap
-  description: Bootstrap related issues and pull requests
-  color: '#86efc9'
-- name: area/install
-  description: Install and uninstall related issues and pull requests
-  color: '#86efc9'
-- name: area/diff
-  description: Diff related issues and pull requests
-  color: '#BA4192'
-- name: area/bucket
-  description: Bucket related issues and pull requests
-  color: '#00b140'
-- name: area/git
-  description: Git related issues and pull requests
-  color: '#863faf'
-- name: area/oci
-  description: OCI related issues and pull requests
-  color: '#c739ff'
-- name: area/kustomization
-  description: Kustomization related issues and pull requests
-  color: '#00e54d'
-- name: area/helm
-  description: Helm related issues and pull requests
-  color: '#1673b6'
-- name: area/image-automation
-  description: Automated image updates related issues and pull requests
-  color: '#c5def5'
-- name: area/monitoring
-  description: Monitoring related issues and pull requests
-  color: '#dd75ae'
-- name: area/multi-tenancy
-  description: Multi-tenancy related issues and pull requests
-  color: '#72CDBD'
-- name: area/notification
-  description: Notification API related issues and pull requests
-  color: '#434ec1'
-- name: area/source
-  description: Source API related issues and pull requests
-  color: '#863faf'
-- name: area/rfc
-  description: Feature request proposals in the RFC format
-  color: '#D621C3'
-  aliases: ['area/RFC']
-- name: backport:release/v2.3.x
-  description: To be backported to release/v2.3.x
-  color: '#ffd700'
-- name: backport:release/v2.4.x
-  description: To be backported to release/v2.4.x
-  color: '#ffd700'
-- name: backport:release/v2.5.x
-  description: To be backported to release/v2.5.x
-  color: '#ffd700'

.github/runners/README.md

@@ -1,34 +1,24 @@
 # Flux ARM64 GitHub runners
 
-The Flux ARM64 end-to-end tests run on Equinix Metal instances provisioned with Docker and GitHub self-hosted runners.
+The Flux ARM64 end-to-end tests run on Equinix instances provisioned with Docker and GitHub self-hosted runners.
 
 ## Current instances
 
-| Repository                  | Runner           | Instance       | Location      |
+| Runner        | Instance            | Region |
-|-----------------------------|------------------|----------------|---------------|
+|---------------|---------------------|--------|
-| flux2                       | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
+| equinix-arm-1 | flux-equinix-arm-01 | AMS1   |
-| flux2                       | equinix-arm-dc-2 | flux-arm-dc-01 | Washington DC |
+| equinix-arm-2 | flux-equinix-arm-01 | AMS1   |
-| flux2                       | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
+| equinix-arm-3 | flux-equinix-arm-01 | AMS1   |
-| flux2                       | equinix-arm-da-2 | flux-arm-da-01 | Dallas        |
+| equinix-arm-4 | flux-equinix-arm-02 | DFW2   |
-| flux-benchmark              | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
+| equinix-arm-5 | flux-equinix-arm-02 | DFW2   |
-| flux-benchmark              | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
+| equinix-arm-6 | flux-equinix-arm-02 | DFW2   |
-| source-controller           | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
-| source-controller           | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
-| image-automation-controller | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
-| image-automation-controller | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
-
-Instance spec:
-- Ampere Altra Q80-30 80-core processor @ 2.8GHz
-- 2 x 960GB NVME
-- 256GB RAM
-- 2 x 25Gbps
 
 ## Instance setup
 
 In order to add a new runner to the GitHub Actions pool,
 first create a server on Equinix with the following configuration:
-- Type: `c3.large.arm64`
+- Type: c2.large.arm
-- OS: `Ubuntu 22.04 LTS`
+- OS: Ubuntu 20.04
 
 ### Install prerequisites
 
@@ -64,14 +54,14 @@ sudo ./prereq.sh
 
 - Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)
 
-- Create two directories `flux2-01`, `flux2-02`
+- Create 3 directories `runner1`, `runner2`, `runner3`
 
 - In each dir run:
 ```shell
 curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/runner-setup.sh > runner-setup.sh \
   && chmod +x ./runner-setup.sh
 
-./runner-setup.sh equinix-arm-<NUMBER> <TOKEN> <REPO>
+./runner-setup.sh equinix-arm-<NUMBER> <TOKEN>
 ```
 
 - Reboot the instance

.github/runners/prereq.sh

@@ -18,11 +18,11 @@
 
 set -eu
 
-KIND_VERSION=0.22.0
+KIND_VERSION=0.14.0
-KUBECTL_VERSION=1.29.0
+KUBECTL_VERSION=1.24.0
-KUSTOMIZE_VERSION=5.3.0
+KUSTOMIZE_VERSION=4.5.4
-HELM_VERSION=3.14.1
+HELM_VERSION=3.8.2
-GITHUB_RUNNER_VERSION=2.313.0
+GITHUB_RUNNER_VERSION=2.291.1
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq pkg-config"
 
 # install prerequisites
@@ -31,10 +31,6 @@ apt-get update \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
-# fix Kubernetes DNS resolution
-rm /etc/resolv.conf
-cat "/run/systemd/resolve/stub-resolv.conf" | sed '/search/d' > /etc/resolv.conf
-
 # install docker
 curl -fsSL https://get.docker.com -o get-docker.sh \
   && chmod +x get-docker.sh

.github/runners/runner-setup.sh

@@ -22,7 +22,7 @@ RUNNER_NAME=$1
 REPOSITORY_TOKEN=$2
 REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}
 
-GITHUB_RUNNER_VERSION=2.313.0
+GITHUB_RUNNER_VERSION=2.285.1
 
 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \

.github/workflows/README.md

@@ -1,50 +0,0 @@
-# Flux GitHub Workflows
-
-## End-to-end Testing
-
-The e2e workflows run a series of tests to ensure that the Flux CLI and
-the GitOps Toolkit controllers work well all together.
-The tests are written in Go, Bash, Make and Terraform.
-
-| Workflow           | Jobs                 | Runner         | Role                                          |
-|--------------------|----------------------|----------------|-----------------------------------------------|
-| e2e.yaml           | e2e-amd64-kubernetes | GitHub Ubuntu  | integration testing with Kubernetes Kind<br/> |
-| e2e-arm64.yaml     | e2e-arm64-kubernetes | Equinix Ubuntu | integration testing with Kubernetes Kind<br/> |
-| e2e-bootstrap.yaml | e2e-boostrap-github  | GitHub Ubuntu  | integration testing with GitHub API<br/>      |
-| e2e-azure.yaml     | e2e-amd64-aks        | GitHub Ubuntu  | integration testing with Azure API<br/>       |
-| scan.yaml          | scan-fossa           | GitHub Ubuntu  | license scanning<br/>                         |
-| scan.yaml          | scan-snyk            | GitHub Ubuntu  | vulnerability scanning<br/>                   |
-| scan.yaml          | scan-codeql          | GitHub Ubuntu  | vulnerability scanning<br/>                   |
-
-## Components Update
-
-The components update workflow scans the GitOps Toolkit controller repositories for new releases,
-amd when it finds a new controller version, the workflow performs the following steps:
-- Updates the controller API package version in `go.mod`.
-- Patches the controller CRDs version in the `manifests/crds` overlay.
-- Patches the controller Deployment version in `manifests/bases` overlay.
-- Opens a Pull Request against the `main` branch.
-- Triggers the e2e test suite to run for the opened PR.
-
-
-| Workflow    | Jobs              | Runner        | Role                                                |
-|-------------|-------------------|---------------|-----------------------------------------------------|
-| update.yaml | update-components | GitHub Ubuntu | update the GitOps Toolkit APIs and controllers<br/> |
-
-## Release
-
-The release workflow is triggered by a semver Git tag and performs the following steps:
-- Generates the Flux install manifests (YAML).
-- Generates the OpenAPI validation schemas for the GitOps Toolkit CRDs (JSON).
-- Generates a Software Bill of Materials (SPDX JSON).
-- Builds the Flux CLI binaries and the multi-arch container images.
-- Pushes the container images to GitHub Container Registry and DockerHub.
-- Signs the sbom, the binaries checksum and the container images with Cosign and GitHub OIDC.
-- Uploads the sbom, binaries, checksums and install manifests to GitHub Releases.
-- Pushes the install manifests as OCI artifacts to GitHub Container Registry and DockerHub.
-- Signs the OCI artifacts with Cosign and GitHub OIDC.
-
-| Workflow     | Jobs                   | Runner        | Role                                                 |
-|--------------|------------------------|---------------|------------------------------------------------------|
-| release.yaml | release-flux-cli       | GitHub Ubuntu | build, push and sign the CLI release artifacts<br/>  |
-| release.yaml | release-flux-manifests | GitHub Ubuntu | build, push and sign the Flux install manifests<br/> |

.github/workflows/action.yaml

@@ -1,29 +0,0 @@
-name: test-gh-action
-
-on:
-  pull_request:
-    paths:
-      - 'action/**'
-  push:
-    paths:
-      - 'action/**'
-    branches:
-      - 'main'
-      - 'release/**'
-
-permissions: read-all
-
-jobs:
-  actions:
-    strategy:
-      fail-fast: false
-      matrix:
-        version: [ubuntu-latest, macos-latest, windows-latest]
-
-    runs-on: ${{ matrix.version }}
-    name: action on ${{ matrix.version }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup flux
-        uses: ./action

.github/workflows/backport.yaml

@@ -1,34 +0,0 @@
-name: backport
-
-on:
-  pull_request_target:
-    types: [closed, labeled]
-
-permissions: 
-  contents: read
-
-jobs:
-  pull-request:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Create backport PRs
-        uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
-        # xref: https://github.com/korthout/backport-action#inputs
-        with:
-          # Use token to allow workflows to be triggered for the created PR
-          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
-          # Match labels with a pattern `backport:<target-branch>`
-          label_pattern: '^backport:([^ ]+)$'
-          # A bit shorter pull-request title than the default
-          pull_title: '[${target_branch}] ${pull_title}'
-          # Simpler PR description than default
-          pull_description: |-
-            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.

.github/workflows/bootstrap.yaml

@@ -1,45 +1,40 @@
-name: e2e-bootstrap
+name: bootstrap
 
 on:
-  workflow_dispatch:
   push:
-    branches: [ 'main', 'release/**' ]
+    branches: [ main ]
   pull_request:
-    branches: [ 'main', 'release/**' ]
+    branches: [ main ]
-    paths-ignore: [ 'docs/**', 'rfcs/**' ]
-
-permissions:
-  contents: read
 
 jobs:
-  e2e-boostrap-github:
+  github:
     runs-on: ubuntu-latest
-    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
+      - name: Restore Go cache
+        uses: actions/cache@v3
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go1.18-
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.23.x
+          go-version: 1.18.x
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
       - name: Setup Kubernetes
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        uses: engineerd/setup-kind@v0.5.0
         with:
-          version: v0.24.0
+          version: v0.11.1
-          cluster_name: kind
+          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
-          # The versions below should target the newest Kubernetes version
-          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.31.0-amd64
-          kubectl_version: v1.31.0
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg//actions/kustomize@main
-      - name: Setup yq
-        uses: fluxcd/pkg/actions/yq@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
       - name: Build
-        run: make build-dev
+        run: |
+          make cmd/flux/.manifests.done
+          go build -o /tmp/flux ./cmd/flux
       - name: Set outputs
         id: vars
         run: |
@@ -48,27 +43,21 @@ jobs:
           COMMIT_SHA=$(git rev-parse HEAD)
           PSEUDO_RAND_SUFFIX=$(echo "${BRANCH_NAME}-${COMMIT_SHA}" | shasum | awk '{print $1}')
           TEST_REPO_NAME="${REPOSITORY_NAME}-${PSEUDO_RAND_SUFFIX}"
-          echo "test_repo_name=$TEST_REPO_NAME" >> $GITHUB_OUTPUT
+          echo "::set-output name=test_repo_name::$TEST_REPO_NAME"
       - name: bootstrap init
         run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
           --owner=fluxcd-testing \
-          --image-pull-secret=ghcr-auth \
-          --registry-creds=fluxcd:$GITHUB_TOKEN \
           --repository=${{ steps.vars.outputs.test_repo_name }} \
           --branch=main \
           --path=test-cluster \
           --team=team-z
         env:
           GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
-      - name: verify image pull secret
-        run: |
-          kubectl -n flux-system get secret ghcr-auth | grep dockerconfigjson
       - name: bootstrap no-op
         run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
           --owner=fluxcd-testing \
-          --image-pull-secret=ghcr-auth \
           --repository=${{ steps.vars.outputs.test_repo_name }} \
           --branch=main \
           --path=test-cluster \
@@ -78,7 +67,7 @@ jobs:
       - name: bootstrap customize
         run: |
           make setup-bootstrap-patch
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
           --owner=fluxcd-testing \
           --repository=${{ steps.vars.outputs.test_repo_name }} \
           --branch=main \
@@ -91,33 +80,56 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
           GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
           GITHUB_ORG_NAME: fluxcd-testing
+      - name: libgit2
+        run: |
+          /tmp/flux create source git test-libgit2 \
+          --url=ssh://git@github.com/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} \
+          --git-implementation=libgit2 \
+          --secret-ref=flux-system \
+          --branch=main
       - name: uninstall
         run: |
-          ./bin/flux uninstall -s --keep-namespace
+          /tmp/flux uninstall -s --keep-namespace
           kubectl delete ns flux-system --timeout=10m --wait=true
       - name: test image automation
         run: |
           make setup-image-automation
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
           --owner=fluxcd-testing \
           --repository=${{ steps.vars.outputs.test_repo_name }} \
           --branch=main \
           --path=test-cluster \
           --read-write-key
-          ./bin/flux reconcile image repository podinfo
+          /tmp/flux reconcile image repository podinfo
-          ./bin/flux reconcile image update flux-system
+          /tmp/flux reconcile image update flux-system
-          ./bin/flux get images all
+          /tmp/flux get images all
-          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system | \
+          
-           yq '.status.lastPushCommit | length > 1' | grep 'true'
+          retries=10
+          count=0
+          ok=false
+          until ${ok}; do
+              /tmp/flux get image update flux-system | grep 'commit' && ok=true || ok=false
+              count=$(($count + 1))
+              if [[ ${count} -eq ${retries} ]]; then
+                  echo "No more retries left"
+                  exit 1
+              fi
+              sleep 6
+              /tmp/flux reconcile image update flux-system
+          done
         env:
           GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
           GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
           GITHUB_ORG_NAME: fluxcd-testing
       - name: delete repository
         if: ${{ always() }}
-        continue-on-error: true
         run: |
-          gh repo delete fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} --yes
+          curl \
+            -X DELETE \
+            -H "Accept: application/vnd.github.v3+json" \
+            -H "Authorization: token ${GITHUB_TOKEN}" \
+            --fail --silent \
+            https://api.github.com/repos/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
       - name: Debug failure

.github/workflows/conformance.yaml

@@ -1,256 +0,0 @@
-name: conformance
-
-on:
-  workflow_dispatch:
-  push:
-    branches: [ 'main', 'update-components', 'release/**', 'conform*' ]
-
-permissions:
-  contents: read
-
-env:
-  GO_VERSION: 1.23.x
-
-jobs:
-  conform-kubernetes:
-    runs-on:
-      group: "ARM64"
-    strategy:
-      matrix:
-        # Keep this list up-to-date with https://endoflife.date/kubernetes
-        # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
-        KUBERNETES_VERSION: [1.30.9, 1.31.5, 1.32.1 ]
-      fail-fast: false
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Prepare
-        id: prep
-        run: |
-          ID=${GITHUB_SHA:0:7}-${{ matrix.KUBERNETES_VERSION }}-$(date +%s)
-          echo "CLUSTER=arm64-${ID}" >> $GITHUB_OUTPUT
-      - name: Build
-        run: |
-          make build
-      - name: Setup Kubernetes
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
-        with:
-          version: v0.22.0
-          cluster_name: ${{ steps.prep.outputs.CLUSTER }}
-          node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
-      - name: Run e2e tests
-        run: TEST_KUBECONFIG=$HOME/.kube/config make e2e
-      - name: Run multi-tenancy tests
-        run: |
-          ./bin/flux install
-          ./bin/flux create source git flux-system \
-          --interval=15m \
-          --url=https://github.com/fluxcd/flux2-multi-tenancy \
-          --branch=main \
-          --ignore-paths="./clusters/**/flux-system/"
-          ./bin/flux create kustomization flux-system \
-          --interval=15m \
-          --source=flux-system \
-          --path=./clusters/staging
-          kubectl -n flux-system wait kustomization/tenants --for=condition=ready --timeout=5m
-          kubectl -n apps wait kustomization/dev-team --for=condition=ready --timeout=1m
-          kubectl -n apps wait helmrelease/podinfo --for=condition=ready --timeout=1m
-      - name: Debug failure
-        if: failure()
-        run: |
-          kubectl -n flux-system get all
-          kubectl -n flux-system describe po 
-          kubectl -n flux-system logs deploy/source-controller
-          kubectl -n flux-system logs deploy/kustomize-controller
-
-  conform-k3s:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        # Keep this list up-to-date with https://endoflife.date/kubernetes
-        # Available versions can be found with "replicated cluster versions"
-        K3S_VERSION: [ 1.30.9, 1.31.5, 1.32.1 ]
-      fail-fast: false
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Prepare
-        id: prep
-        run: |
-          ID=${GITHUB_SHA:0:7}-${{ matrix.K3S_VERSION }}-$(date +%s)
-          PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
-          echo "cluster=flux2-k3s-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
-          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
-          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
-      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
-      - name: Build
-        run: make build-dev
-      - name: Create repository
-        run: |
-          gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
-      - name: Create cluster
-        id: create-cluster
-        uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
-        with:
-          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
-          kubernetes-distribution: "k3s"
-          kubernetes-version: ${{ matrix.K3S_VERSION }}
-          ttl: 20m
-          cluster-name: "${{ steps.prep.outputs.cluster }}"
-          kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
-          export-kubeconfig: true
-      - name: Run e2e tests
-        run: TEST_KUBECONFIG=${{ steps.prep.outputs.kubeconfig-path }} make e2e
-      - name: Run flux bootstrap
-        run: |
-          ./bin/flux bootstrap git --manifests ./manifests/install/ \
-          --components-extra=image-reflector-controller,image-automation-controller \
-          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
-          --branch=main \
-          --path=clusters/k3s \
-          --token-auth
-        env:
-          GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
-      - name: Run flux check
-        run: |
-          ./bin/flux check
-      - name: Run flux reconcile
-        run: |
-          ./bin/flux reconcile ks flux-system --with-source
-          ./bin/flux get all
-          ./bin/flux events
-      - name: Collect reconcile logs
-        if: ${{ always() }}
-        continue-on-error: true
-        run: |
-          kubectl -n flux-system get all
-          kubectl -n flux-system describe pods
-          kubectl -n flux-system logs deploy/source-controller
-          kubectl -n flux-system logs deploy/kustomize-controller
-          kubectl -n flux-system logs deploy/notification-controller
-      - name: Delete flux
-        run: |
-          ./bin/flux uninstall -s --keep-namespace
-          kubectl delete ns flux-system --wait
-      - name: Delete cluster
-        if: ${{ always() }}
-        uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
-        continue-on-error: true
-        with:
-          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
-          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
-      - name: Delete repository
-        if: ${{ always() }}
-        continue-on-error: true
-        run: |
-          gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
-
-  conform-openshift:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        # Keep this list up-to-date with https://endoflife.date/red-hat-openshift
-        OPENSHIFT_VERSION: [ 4.17.0-okd ]
-      fail-fast: false
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Prepare
-        id: prep
-        run: |
-          ID=${GITHUB_SHA:0:7}-${{ matrix.OPENSHIFT_VERSION }}-$(date +%s)
-          PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
-          echo "cluster=flux2-openshift-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
-          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
-          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
-      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
-      - name: Build
-        run: make build-dev
-      - name: Create repository
-        run: |
-          gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
-      - name: Create cluster
-        id: create-cluster
-        uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
-        with:
-          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
-          kubernetes-distribution: "openshift"
-          kubernetes-version: ${{ matrix.OPENSHIFT_VERSION }}
-          ttl: 20m
-          cluster-name: "${{ steps.prep.outputs.cluster }}"
-          kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
-          export-kubeconfig: true
-      - name: Run flux bootstrap
-        run: |
-          ./bin/flux bootstrap git --manifests ./manifests/openshift/ \
-          --components-extra=image-reflector-controller,image-automation-controller \
-          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
-          --branch=main \
-          --path=clusters/openshift \
-          --token-auth
-        env:
-          GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
-      - name: Run flux check
-        run: |
-          ./bin/flux check
-      - name: Run flux reconcile
-        run: |
-          ./bin/flux reconcile ks flux-system --with-source
-          ./bin/flux get all
-          ./bin/flux events
-      - name: Collect reconcile logs
-        if: ${{ always() }}
-        continue-on-error: true
-        run: |
-          kubectl -n flux-system get all
-          kubectl -n flux-system describe pods
-          kubectl -n flux-system logs deploy/source-controller
-          kubectl -n flux-system logs deploy/kustomize-controller
-          kubectl -n flux-system logs deploy/notification-controller
-      - name: Delete flux
-        run: |
-          ./bin/flux uninstall -s --keep-namespace
-          kubectl delete ns flux-system --wait
-      - name: Delete cluster
-        if: ${{ always() }}
-        uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
-        continue-on-error: true
-        with:
-          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
-          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
-      - name: Delete repository
-        if: ${{ always() }}
-        continue-on-error: true
-        run: |
-          gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}

.github/workflows/e2e-arm64.yaml

@@ -0,0 +1,37 @@
+name: e2e-arm64
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main, update-components ]
+
+jobs:
+  test:
+    # Hosted on Equinix
+    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
+    runs-on: [self-hosted, Linux, ARM64, equinix]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.18.x
+      - name: Prepare
+        id: prep
+        run: |
+          echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
+          echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
+      - name: Build
+        run: |
+          make build
+      - name: Setup Kubernetes Kind
+        run: |
+          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
+      - name: Run e2e tests
+        run: TEST_KUBECONFIG=/tmp/${{ steps.prep.outputs.CLUSTER }} make e2e
+      - name: Cleanup
+        if: always()
+        run: |
+          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
+          rm /tmp/${{ steps.prep.outputs.CLUSTER }}

.github/workflows/e2e-azure.yaml

@@ -3,91 +3,64 @@ name: e2e-azure
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 6 * * *'
+    - cron:  '0 6 * * *'
   push:
-    branches:
+    branches: [ azure* ]
-      - main
-    paths:
-      - 'tests/**'
-      - '.github/workflows/e2e-azure.yaml'
-  pull_request:
-    branches:
-      - main
-    paths:
-      - 'tests/**'
-      - '.github/workflows/e2e-azure.yaml'
-
-permissions:
-  contents: read
 
 jobs:
-  e2e-aks:
+  e2e:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ./tests/integration
-    # This job is currently disabled. Remove the false check when Azure subscription is enabled.
-    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
     steps:
-      - name: CheckoutD
+      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
+      - name: Restore Go cache
+        uses: actions/cache@v3
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go1.18-
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@v2
         with:
-          go-version: 1.23.x
+          go-version: 1.18.x
-          cache-dependency-path: tests/integration/go.sum
+      - name: Install libgit2
-      - name: Setup Terraform
+        run: |
-        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
+          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9
+          echo "deb http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
+          echo "deb-src http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
+          sudo apt-get update
+          sudo apt-get install -y --allow-downgrades libgit2-dev/unstable zlib1g-dev/unstable libssh2-1-dev/unstable libpcre3-dev/unstable
       - name: Setup Flux CLI
-        run: make build
+        run: |
-        working-directory: ./
+          make build
+          mkdir -p $HOME/.local/bin
+          mv ./bin/flux $HOME/.local/bin
       - name: Setup SOPS
         run: |
+          wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux
+          chmod +x sops-v3.7.1.linux
           mkdir -p $HOME/.local/bin
-          wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
+          mv sops-v3.7.1.linux $HOME/.local/bin/sops
-          chmod +x $HOME/.local/bin/sops
+      - name: Setup Terraform
-        env:
+        uses: hashicorp/setup-terraform@v1
-          SOPS_VER: 3.7.1
-      - name: Authenticate to Azure
-        uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v1.4.6
         with:
-          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
+          terraform_version: 1.0.7
-      - name: Set dynamic variables in .env
+          terraform_wrapper: false
+      - name: Setup Azure CLI
         run: |
-          cat > .env <<EOF
+          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
-          export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
-          EOF
-      - name: Print .env for dynamic tag value reference
-        run: cat .env
       - name: Run Azure e2e tests
         env:
-          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
-          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
-          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
-          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
-          GITREPO_SSH_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_CONTENTS }}
-          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_PUB_CONTENTS }}
         run: |
-          source .env
+          echo $HOME
-          mkdir -p ./build/ssh
+          echo $PATH
-          touch ./build/ssh/key
+          ls $HOME/.local/bin
-          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
+          az login --service-principal -u ${ARM_CLIENT_ID} -p ${ARM_CLIENT_SECRET} -t ${ARM_TENANT_ID}
-          export GITREPO_SSH_PATH=build/ssh/key
+          cd ./tests/azure
-          touch ./build/ssh/key.pub
+          go test -v -coverprofile cover.out -timeout 60m .
-          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
-          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
-          make test-azure
-      - name: Ensure resource cleanup
-        if: ${{ always() }}
-        env:
-          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
-          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
-          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
-          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
-        run: source .env && make destroy-azure

.github/workflows/e2e-gcp.yaml

@@ -1,104 +0,0 @@
-name: e2e-gcp
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 6 * * *'
-  push:
-    branches:
-      - main
-    paths:
-      - 'tests/**'
-      - '.github/workflows/e2e-gcp.yaml'
-  pull_request:
-    branches:
-      - main
-    paths:
-      - 'tests/**'
-      - '.github/workflows/e2e-gcp.yaml'
-
-permissions:
-  contents: read
-
-jobs:
-  e2e-gcp:
-    runs-on: ubuntu-22.04
-    defaults:
-      run:
-        working-directory: ./tests/integration
-    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
-        with:
-          go-version: 1.23.x
-          cache-dependency-path: tests/integration/go.sum
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
-      - name: Setup Flux CLI
-        run: make build
-        working-directory: ./
-      - name: Setup SOPS
-        run: |
-          mkdir -p $HOME/.local/bin
-          wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
-          chmod +x $HOME/.local/bin/sops
-        env:
-          SOPS_VER: 3.7.1
-      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
-        id: 'auth'
-        with:
-          credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
-          token_format: 'access_token'
-      - name: Setup gcloud
-        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
-      - name: Setup QEMU
-        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
-      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
-      - name: Log into us-central1-docker.pkg.dev
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          registry: us-central1-docker.pkg.dev
-          username: oauth2accesstoken
-          password: ${{ steps.auth.outputs.access_token }}
-      - name: Set dynamic variables in .env
-        run: |
-          cat > .env <<EOF
-          export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
-          EOF
-      - name: Print .env for dynamic tag value reference
-        run: cat .env
-      - name: Run GCP e2e tests
-        env:
-          TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
-          TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
-          TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
-          TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
-          TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
-          TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
-          GITREPO_SSH_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_CONTENTS }}
-          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_PUB_CONTENTS }}
-        run: |
-          source .env
-          mkdir -p ./build/ssh
-          touch ./build/ssh/key
-          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
-          export GITREPO_SSH_PATH=build/ssh/key
-          touch ./build/ssh/key.pub
-          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
-          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
-          make test-gcp
-      - name: Ensure resource cleanup
-        if: ${{ always() }}
-        env:
-          TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
-          TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
-          TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
-          TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
-          TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
-          TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
-        run: source .env && make destroy-gcp

.github/workflows/e2e.yaml

@@ -1,52 +1,40 @@
 name: e2e
 
 on:
-  workflow_dispatch:
   push:
-    branches: [ 'main', 'release/**' ]
+    branches: [ main ]
   pull_request:
-    branches: [ 'main', 'release/**' ]
+    branches: [ main ]
-    paths-ignore: [ 'docs/**', 'rfcs/**' ]
-
-permissions:
-  contents: read
 
 jobs:
-  e2e-amd64-kubernetes:
+  kind:
-    runs-on:
+    runs-on: ubuntu-latest
-      group: "Default Larger Runners"
-      labels: ubuntu-latest-16-cores
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
+      - name: Restore Go cache
+        uses: actions/cache@v3
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go1.18-
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.23.x
+          go-version: 1.18.x
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
       - name: Setup Kubernetes
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        uses: engineerd/setup-kind@v0.5.0
         with:
-          version: v0.24.0
+          version: v0.11.1
-          cluster_name: kind
+          image: kindest/node:v1.20.7
-          wait: 5s
           config: .github/kind/config.yaml # disable KIND-net
-          # The versions below should target the oldest supported Kubernetes version
-          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.30.9-amd64
-          kubectl_version: v1.30.9
       - name: Setup Calico for network policy
         run: |
-          kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.3/manifests/calico.yaml
+          kubectl apply -f https://docs.projectcalico.org/v3.20/manifests/calico.yaml
+          kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg//actions/kustomize@main
       - name: Run tests
         run: make test
       - name: Run e2e tests
@@ -59,43 +47,51 @@ jobs:
             exit 1
           fi
       - name: Build
-        run: make build-dev
+        run: |
+          go build -o /tmp/flux ./cmd/flux
       - name: flux check --pre
         run: |
-          ./bin/flux check --pre
+          /tmp/flux check --pre
       - name: flux install --manifests
         run: |
-          ./bin/flux install --manifests ./manifests/install/
+          /tmp/flux install --manifests ./manifests/install/
       - name: flux create secret
         run: |
-          ./bin/flux create secret git git-ssh-test \
+          /tmp/flux create secret git git-ssh-test \
             --url ssh://git@github.com/stefanprodan/podinfo
-          ./bin/flux create secret git git-https-test \
+          /tmp/flux create secret git git-https-test \
             --url https://github.com/stefanprodan/podinfo \
             --username=test --password=test
-          ./bin/flux create secret helm helm-test \
+          /tmp/flux create secret helm helm-test \
             --username=test --password=test
       - name: flux create source git
         run: |
-          ./bin/flux create source git podinfo \
+          /tmp/flux create source git podinfo \
             --url https://github.com/stefanprodan/podinfo  \
-            --tag-semver=">=6.3.5"
+            --tag-semver=">=3.2.3"
       - name: flux create source git export apply
         run: |
-          ./bin/flux create source git podinfo-export \
+          /tmp/flux create source git podinfo-export \
             --url https://github.com/stefanprodan/podinfo  \
-            --tag-semver=">=6.3.5" \
+            --tag-semver=">=3.2.3" \
             --export | kubectl apply -f -
-          ./bin/flux delete source git podinfo-export --silent
+          /tmp/flux delete source git podinfo-export --silent
+      - name: flux create source git libgit2 semver
+        run: |
+          /tmp/flux create source git podinfo-libgit2 \
+            --url https://github.com/stefanprodan/podinfo  \
+            --tag-semver=">=3.2.3" \
+            --git-implementation=libgit2
+          /tmp/flux delete source git podinfo-libgit2 --silent
       - name: flux get sources git
         run: |
-          ./bin/flux get sources git
+          /tmp/flux get sources git
       - name: flux get sources git --all-namespaces
         run: |
-          ./bin/flux get sources git --all-namespaces
+          /tmp/flux get sources git --all-namespaces
       - name: flux create kustomization
         run: |
-          ./bin/flux create kustomization podinfo \
+          /tmp/flux create kustomization podinfo \
             --source=podinfo \
             --path="./deploy/overlays/dev" \
             --prune=true \
@@ -105,145 +101,106 @@ jobs:
             --health-check-timeout=3m
       - name: flux trace
         run: |
-          ./bin/flux trace frontend \
+          /tmp/flux trace frontend \
             --kind=deployment \
             --api-version=apps/v1 \
             --namespace=dev
       - name: flux reconcile kustomization --with-source
         run: |
-          ./bin/flux reconcile kustomization podinfo --with-source
+          /tmp/flux reconcile kustomization podinfo --with-source
       - name: flux get kustomizations
         run: |
-          ./bin/flux get kustomizations
+          /tmp/flux get kustomizations
       - name: flux get kustomizations --all-namespaces
         run: |
-          ./bin/flux get kustomizations --all-namespaces
+          /tmp/flux get kustomizations --all-namespaces
       - name: flux suspend kustomization
         run: |
-          ./bin/flux suspend kustomization podinfo
+          /tmp/flux suspend kustomization podinfo
       - name: flux resume kustomization
         run: |
-          ./bin/flux resume kustomization podinfo
+          /tmp/flux resume kustomization podinfo
       - name: flux export
         run: |
-          ./bin/flux export source git --all
+          /tmp/flux export source git --all
-          ./bin/flux export kustomization --all
+          /tmp/flux export kustomization --all
       - name: flux delete kustomization
         run: |
-          ./bin/flux delete kustomization podinfo --silent
+          /tmp/flux delete kustomization podinfo --silent
       - name: flux create source helm
         run: |
-          ./bin/flux create source helm podinfo \
+          /tmp/flux create source helm podinfo \
             --url https://stefanprodan.github.io/podinfo
       - name: flux create helmrelease --source=HelmRepository/podinfo
         run: |
-          ./bin/flux create hr podinfo-helm \
+          /tmp/flux create hr podinfo-helm \
             --target-namespace=default \
             --source=HelmRepository/podinfo.flux-system \
             --chart=podinfo \
-            --chart-version=">6.0.0 <7.0.0"
+            --chart-version=">4.0.0 <5.0.0"
       - name: flux create helmrelease --source=GitRepository/podinfo
         run: |
-          ./bin/flux create hr podinfo-git \
+          /tmp/flux create hr podinfo-git \
             --target-namespace=default \
             --source=GitRepository/podinfo \
             --chart=./charts/podinfo
       - name: flux reconcile helmrelease --with-source
         run: |
-          ./bin/flux reconcile helmrelease podinfo-git --with-source
+          /tmp/flux reconcile helmrelease podinfo-git --with-source
       - name: flux get helmreleases
         run: |
-          ./bin/flux get helmreleases
+          /tmp/flux get helmreleases
       - name: flux get helmreleases --all-namespaces
         run: |
-          ./bin/flux get helmreleases --all-namespaces
+          /tmp/flux get helmreleases --all-namespaces
       - name: flux export helmrelease
         run: |
-          ./bin/flux export hr --all
+          /tmp/flux export hr --all
       - name: flux delete helmrelease podinfo-helm
         run: |
-          ./bin/flux delete hr podinfo-helm --silent
+          /tmp/flux delete hr podinfo-helm --silent
       - name: flux delete helmrelease podinfo-git
         run: |
-          ./bin/flux delete hr podinfo-git --silent
+          /tmp/flux delete hr podinfo-git --silent
       - name: flux delete source helm
         run: |
-          ./bin/flux delete source helm podinfo --silent
+          /tmp/flux delete source helm podinfo --silent
       - name: flux delete source git
         run: |
-          ./bin/flux delete source git podinfo --silent
+          /tmp/flux delete source git podinfo --silent
-      - name: flux oci artifacts
-        run: |
-          ./bin/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
-            --path="./manifests" \
-            --source="${{ github.repositoryUrl }}" \
-            --revision="${{ github.ref }}@sha1:${{ github.sha }}"
-          ./bin/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
-            --tag latest
-          ./bin/flux list artifacts oci://localhost:5000/fluxcd/flux
-      - name: flux oci repositories
-        run: |
-          ./bin/flux create source oci podinfo-oci \
-            --url oci://ghcr.io/stefanprodan/manifests/podinfo \
-            --tag-semver 6.3.x \
-            --interval 10m
-          ./bin/flux create kustomization podinfo-oci \
-            --source=OCIRepository/podinfo-oci \
-            --path="./" \
-            --prune=true \
-            --interval=5m \
-            --target-namespace=default \
-            --wait=true \
-            --health-check-timeout=3m
-          ./bin/flux reconcile source oci podinfo-oci
-          ./bin/flux suspend source oci podinfo-oci
-          ./bin/flux get sources oci
-          ./bin/flux resume source oci podinfo-oci
-          ./bin/flux export source oci podinfo-oci
-          ./bin/flux delete ks podinfo-oci --silent
-          ./bin/flux delete source oci podinfo-oci --silent
       - name: flux create tenant
         run: |
-          ./bin/flux create tenant dev-team --with-namespace=apps
+          /tmp/flux create tenant dev-team --with-namespace=apps
-          ./bin/flux -n apps create source helm podinfo \
+          /tmp/flux -n apps create source helm podinfo \
             --url https://stefanprodan.github.io/podinfo
-          ./bin/flux -n apps create hr podinfo-helm \
+          /tmp/flux -n apps create hr podinfo-helm \
             --source=HelmRepository/podinfo \
             --chart=podinfo \
-            --chart-version="6.3.x" \
+            --chart-version="5.0.x" \
             --service-account=dev-team
       - name: flux2-kustomize-helm-example
         run: |
-          ./bin/flux create source git flux-system \
+          /tmp/flux create source git flux-system \
           --url=https://github.com/fluxcd/flux2-kustomize-helm-example \
           --branch=main \
-          --ignore-paths="./clusters/**/flux-system/" \
           --recurse-submodules
-          ./bin/flux create kustomization flux-system \
+          /tmp/flux create kustomization flux-system \
           --source=flux-system \
           --path=./clusters/staging
-          kubectl -n flux-system wait kustomization/infra-controllers --for=condition=ready --timeout=5m
+          kubectl -n flux-system wait kustomization/infrastructure --for=condition=ready --timeout=5m
           kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=5m
+          kubectl -n nginx wait helmrelease/nginx --for=condition=ready --timeout=5m
+          kubectl -n redis wait helmrelease/redis --for=condition=ready --timeout=5m
           kubectl -n podinfo wait helmrelease/podinfo --for=condition=ready --timeout=5m
       - name: flux tree
         run: |
-          ./bin/flux tree kustomization flux-system | grep Service/podinfo
+          /tmp/flux tree kustomization flux-system | grep Service/podinfo
-      - name: flux events
-        run: |
-          ./bin/flux -n flux-system events --for Kustomization/apps | grep 'HelmRelease/podinfo'
-          ./bin/flux -n podinfo events --for HelmRelease/podinfo | grep 'podinfo.v1'
-      - name: flux stats
-        run: |
-          ./bin/flux stats -A
       - name: flux check
         run: |
-          ./bin/flux check
+          /tmp/flux check
-      - name: flux version
-        run: |
-          ./bin/flux version
       - name: flux uninstall
         run: |
-          ./bin/flux uninstall --silent
+          /tmp/flux uninstall --silent
       - name: Debug failure
         if: failure()
         run: |

.github/workflows/ossf.yaml

@@ -1,39 +0,0 @@
-name: ossf
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-  schedule:
-    # Weekly on Saturdays.
-    - cron:  '30 1 * * 6'
-
-permissions: read-all
-
-jobs:
-  scorecard:
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-      id-token: write
-      actions: read
-      contents: read
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Run analysis
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_results: true
-      - name: Upload artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-      - name: Upload SARIF results
-        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
-        with:
-          sarif_file: results.sarif

.github/workflows/release.yaml

@@ -2,51 +2,44 @@ name: release
 
 on:
   push:
-    tags: ["v*"]
+    tags: [ 'v*' ]
 
 permissions:
-  contents: read
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
 
 jobs:
-  release-flux-cli:
+  goreleaser:
-    outputs:
-      hashes: ${{ steps.slsa.outputs.hashes }}
-      image_url: ${{ steps.slsa.outputs.image_url }}
-      image_digest: ${{ steps.slsa.outputs.image_digest }}
     runs-on: ubuntu-latest
-    permissions:
-      contents: write # needed to write releases
-      id-token: write # needed for keyless signing
-      packages: write # needed for ghcr access
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
       - name: Unshallow
         run: git fetch --prune --unshallow
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.23.x
+          go-version: 1.18.x
-          cache: false
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
+        uses: docker/setup-qemu-action@v2
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        uses: docker/setup-buildx-action@v2
       - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+        uses: anchore/sbom-action/download-syft@v0
       - name: Setup Cosign
-        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
+        uses: sigstore/cosign-installer@main
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg//actions/kustomize@main
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: fluxcdbot
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.GHCR_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@v2
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -58,143 +51,33 @@ jobs:
       - name: Build CRDs
         run: |
           kustomize build manifests/crds > all-crds.yaml
+      # Pinned to commit before https://github.com/fluxcd/pkg/pull/189 due to
+      # introduction faulty behavior.
       - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg/actions/crdjsonschema@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg//actions/crdjsonschema@49e26aa2ee9e734c3233c560253fd9542afe18ae
         with:
           crd: all-crds.yaml
           output: schemas
       - name: Archive the OpenAPI JSON schemas
         run: |
           tar -czvf ./output/crd-schemas.tar.gz -C schemas .
+      - name: Download release notes utility
+        env:
+          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
+        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
+      - name: Generate release notes
+        run: |
+          NOTES="./output/notes.md"
+          echo '## CLI Changelog' > ${NOTES}
+          github-release-notes -org fluxcd -repo flux2 -since-latest-release -include-author >> ${NOTES}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Run GoReleaser
-        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@v3
-        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
         with:
           version: latest
-          args: release --skip=validate
+          args: release --release-notes=output/notes.md --skip-validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
           AUR_BOT_SSH_PRIVATE_KEY: ${{ secrets.AUR_BOT_SSH_PRIVATE_KEY }}
-      - name: Generate SLSA metadata
-        id: slsa
-        env:
-          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
-        run: |
-          set -euo pipefail
-
-          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
-          echo "hashes=$hashes" >> $GITHUB_OUTPUT
-
-          image_url=fluxcd/flux-cli:$GITHUB_REF_NAME
-          echo "image_url=$image_url" >> $GITHUB_OUTPUT
-
-          image_digest=$(docker buildx imagetools inspect ${image_url}  --format '{{json .}}' | jq -r .manifest.digest)
-          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
-
-  release-flux-manifests:
-    runs-on: ubuntu-latest
-    needs: release-flux-cli
-    permissions:
-      id-token: write
-      packages: write
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
-      - name: Setup Flux CLI
-        uses: ./action/
-      - name: Prepare
-        id: prep
-        run: |
-          VERSION=$(flux version --client | awk '{ print $NF }')
-          echo "version=${VERSION}" >> $GITHUB_OUTPUT
-      - name: Login to GHCR
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          registry: ghcr.io
-          username: fluxcdbot
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login to DockerHub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          username: fluxcdbot
-          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-      - name: Push manifests to GHCR
-        run: |
-          mkdir -p ./ghcr.io/flux-system
-          flux install --registry=ghcr.io/fluxcd \
-          --components-extra=image-reflector-controller,image-automation-controller \
-          --export > ./ghcr.io/flux-system/gotk-components.yaml
-
-          cd ./ghcr.io && flux push artifact \
-          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
-          --path="./flux-system" \
-          --source=${{ github.repositoryUrl }} \
-          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - name: Push manifests to DockerHub
-        run: |
-          mkdir -p ./docker.io/flux-system
-          flux install --registry=docker.io/fluxcd \
-          --components-extra=image-reflector-controller,image-automation-controller \
-          --export > ./docker.io/flux-system/gotk-components.yaml
-
-          cd ./docker.io && flux push artifact \
-          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
-          --path="./flux-system" \
-          --source=${{ github.repositoryUrl }} \
-          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
-      - name: Sign manifests
-        env:
-          COSIGN_EXPERIMENTAL: 1
-        run: |
-          cosign sign --yes ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }}
-          cosign sign --yes docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }}
-      - name: Tag manifests
-        run: |
-          flux tag artifact oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
-          --tag latest
-
-          flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
-          --tag latest
-
-  release-provenance:
-    needs: [release-flux-cli]
-    permissions:
-      actions: read # for detecting the Github Actions environment.
-      id-token: write # for creating OIDC tokens for signing.
-      contents: write # for uploading attestations to GitHub releases.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      provenance-name: "provenance.intoto.jsonl"
-      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
-      upload-assets: true
-
-  dockerhub-provenance:
-    needs: [release-flux-cli]
-    permissions:
-      actions: read # for detecting the Github Actions environment.
-      id-token: write # for creating OIDC tokens for signing.
-      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
-    with:
-      image: ${{ needs.release-flux-cli.outputs.image_url }}
-      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
-      registry-username: fluxcdbot
-    secrets:
-      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-
-  ghcr-provenance:
-    needs: [release-flux-cli]
-    permissions:
-      actions: read # for detecting the Github Actions environment.
-      id-token: write # for creating OIDC tokens for signing.
-      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
-    with:
-      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
-      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
-      registry-username: fluxcdbot
-    secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scan.yaml

@@ -1,86 +1,64 @@
 name: scan
 
 on:
-  workflow_dispatch:
   push:
-    branches: [ 'main', 'release/**' ]
+    branches: [ main ]
   pull_request:
-    branches: [ 'main', 'release/**' ]
+    branches: [ main ]
   schedule:
     - cron: '18 10 * * 3'
 
 permissions:
-  contents: read
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for codeQL to write security events
 
 jobs:
-  scan-fossa:
+  fossa:
+    name: FOSSA
     runs-on: ubuntu-latest
-    if: github.actor != 'dependabot[bot]'
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v3
       - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0
+        uses: fossa-contrib/fossa-action@v1
         with:
           # FOSSA Push-Only API Token
           fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
           github-token: ${{ github.token }}
 
-  scan-snyk:
+  snyk:
+    name: Snyk
     runs-on: ubuntu-latest
-    permissions:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-      security-events: write
-    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v3
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg//actions/kustomize@main
-      - name: Setup Go
+      - name: Build manifests
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
-        with:
-          go-version-file: 'go.mod'
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Download modules and build manifests
         run: |
-          make tidy
           make cmd/flux/.manifests.done
-      - uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf
+      - name: Run Snyk to check for vulnerabilities
-      - name:  Run Snyk to check for vulnerabilities
+        uses: snyk/actions/golang@master
         continue-on-error: true
-        run: |
-          snyk test --all-projects --sarif-file-output=snyk.sarif
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif
       - name: Upload result to GitHub Code Scanning
-        continue-on-error: true
+        uses: github/codeql-action/upload-sarif@v1
-        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           sarif_file: snyk.sarif
 
-  scan-codeql:
+  codeql:
+    name: CodeQL
     runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-    if: github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
-      - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
-        with:
-          go-version-file: 'go.mod'
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/init@v2
         with:
           languages: go
-          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # xref: https://codeql.github.com/codeql-query-help/go/
-          queries: security-and-quality
       - name: Autobuild
-        uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/autobuild@v2
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/analyze@v2

.github/workflows/sync-labels.yaml

@@ -1,28 +0,0 @@
-name: sync-labels
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-    paths:
-      - .github/labels.yaml
-
-permissions:
-  contents: read
-
-jobs:
-  labels:
-    name: Run sync
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
-        with:
-          # Configuration file
-          config-file: |
-            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
-            .github/labels.yaml
-          # Strictly declarative
-          delete-other-labels: true

.github/workflows/update.yaml

@@ -1,4 +1,4 @@
-name: update
+name: Update Components
 
 on:
   workflow_dispatch:
@@ -7,29 +7,20 @@ on:
   push:
     branches: [main]
 
-permissions:
-  contents: read
-
 jobs:
   update-components:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.23.x
+          go-version: 1.18.x
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
       - name: Update component versions
         id: update
         run: |
-          PR_BODY=$(mktemp)
+          PR_BODY=""
 
           bump_version() {
             local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
@@ -56,8 +47,7 @@ jobs:
             fi
 
             if [[ "$changed" == true ]]; then
-              echo "- $1 to ${LATEST_VERSION}" >> $PR_BODY
+              PR_BODY="$PR_BODY- $1 to ${LATEST_VERSION}%0A  https://github.com/fluxcd/$1/blob/${LATEST_VERSION}/CHANGELOG.md%0A"
-              echo "  https://github.com/fluxcd/$1/blob/${LATEST_VERSION}/CHANGELOG.md" >> $PR_BODY
             fi
           }
 
@@ -74,17 +64,12 @@ jobs:
             git diff
 
             # export PR_BODY for PR and commit
-            # NB: this may look strange but it is the way it should be done to
+            echo "::set-output name=pr_body::$PR_BODY"
-            # maintain our precious newlines
-            # Ref: https://github.com/github/docs/issues/21529
-            echo 'pr_body<<EOF' >> $GITHUB_OUTPUT
-            cat $PR_BODY >> $GITHUB_OUTPUT
-            echo 'EOF' >> $GITHUB_OUTPUT
           }
 
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
+        uses: peter-evans/create-pull-request@v3
         with:
           token: ${{ secrets.BOT_GITHUB_TOKEN }}
           commit-message: |
@@ -99,7 +84,7 @@ jobs:
           body: |
             ${{ steps.update.outputs.pr_body }}
           labels: |
-            dependencies
+            area/build
           reviewers: ${{ secrets.ASSIGNEES }}
 
       - name: Check output

.goreleaser.yml

@@ -1,6 +1,4 @@
 project_name: flux
-changelog:
-  use: github-native
 builds:
   - <<: &build_defaults
       binary: flux
@@ -17,7 +15,7 @@ builds:
       - arm64
       - arm
     goarm:
-      - "7"
+      - 7
   - <<: *build_defaults
     id: darwin
     goos:
@@ -67,7 +65,6 @@ signs:
     certificate: '${artifact}.pem'
     args:
       - sign-blob
-      - "--yes"
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -75,17 +72,24 @@ signs:
     output: true
 brews:
   - name: flux
-    repository:
+    tap:
       owner: fluxcd
       name: homebrew-tap
       token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
-    directory: Formula
+    folder: Formula
     homepage: "https://fluxcd.io/"
     description: "Flux CLI"
     install: |
       bin.install "flux"
 
-      generate_completions_from_executable(bin/"flux", "completion")
+      bash_output = Utils.safe_popen_read(bin/"flux", "completion", "bash")
+      (bash_completion/"flux").write bash_output
+
+      zsh_output = Utils.safe_popen_read(bin/"flux", "completion", "zsh")
+      (zsh_completion/"_flux").write zsh_output
+
+      fish_output = Utils.safe_popen_read(bin/"flux", "completion", "fish")
+      (fish_completion/"flux.fish").write fish_output
     test: |
       system "#{bin}/flux --version"
 publishers:
@@ -171,7 +175,6 @@ docker_signs:
       - COSIGN_EXPERIMENTAL=1
     args:
       - sign
-      - "--yes"
       - '${artifact}'
     artifacts: all
     output: true

.scorecard.yml

@@ -1,5 +0,0 @@
-annotations:
-  - checks:
-      - dangerous-workflow
-    reasons:
-      - reason: not-applicable # This workflow does not run untrusted code, the bot will only backport a code if the a PR was approved and merged into main.

CONTRIBUTING.md

@@ -59,7 +59,7 @@ This project is composed of:
 ### Understanding the code
 
 To get started with developing controllers, you might want to review
-[our guide](https://fluxcd.io/flux/gitops-toolkit/source-watcher/) which
+[our guide](https://fluxcd.io/docs/gitops-toolkit/source-watcher/) which
 walks you through writing a short and concise controller that watches out
 for source changes.
 
@@ -67,9 +67,9 @@ for source changes.
 
 Prerequisites:
 
-* go >= 1.20
+* go >= 1.17
-* kubectl >= 1.24
+* kubectl >= 1.20
-* kustomize >= 5.0
+* kustomize >= 4.4
 * coreutils (on Mac OS)
 
 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:

Dockerfile

@@ -1,16 +1,19 @@
-FROM alpine:3.21 AS builder
+FROM alpine:3.16 as builder
 
 RUN apk add --no-cache ca-certificates curl
 
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.32.2
+ARG KUBECTL_VER=1.24.0
 
-RUN curl -sL https://dl.k8s.io/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
+RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
-    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
+    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
+    kubectl version --client=true
 
-RUN kubectl version --client=true
+FROM alpine:3.16 as flux-cli
 
-FROM alpine:3.21 AS flux-cli
+# Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
+# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
+RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
 
 RUN apk add --no-cache ca-certificates
 

Makefile

@@ -1,5 +1,4 @@
 VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | head -n 1 | tr -d '"')
-DEV_VERSION?=0.0.0-$(shell git rev-parse --abbrev-ref HEAD)-$(shell git rev-parse --short HEAD)-$(shell date +%s)
 EMBEDDED_MANIFESTS_TARGET=cmd/flux/.manifests.done
 TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
 # Architecture to use envtest with
@@ -17,8 +16,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build
 
 tidy:
-	go mod tidy -compat=1.23
+	go mod tidy -compat=1.17
-	cd tests/integration && go mod tidy -compat=1.23
+	cd tests/azure && go mod tidy -compat=1.17
 
 fmt:
 	go fmt ./...
@@ -56,9 +55,6 @@ $(EMBEDDED_MANIFESTS_TARGET): $(call rwildcard,manifests/,*.yaml *.json)
 build: $(EMBEDDED_MANIFESTS_TARGET)
 	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(VERSION)" -o ./bin/flux ./cmd/flux
 
-build-dev: $(EMBEDDED_MANIFESTS_TARGET)
-	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(DEV_VERSION)" -o ./bin/flux ./cmd/flux
-
 .PHONY: install
 install:
 	CGO_ENABLED=0 go install ./cmd/flux

README.md

@@ -1,15 +1,14 @@
 # Flux version 2
 
-[![release](https://img.shields.io/github/release/fluxcd/flux2/all.svg)](https://github.com/fluxcd/flux2/releases)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2/badge)](https://scorecard.dev/viewer/?uri=github.com/fluxcd/flux2)
+[![e2e](https://github.com/fluxcd/flux2/workflows/e2e/badge.svg)](https://github.com/fluxcd/flux2/actions)
-[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2?ref=badge_shield)
+[![report](https://goreportcard.com/badge/github.com/fluxcd/flux2)](https://goreportcard.com/report/github.com/fluxcd/flux2)
-[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/flux2)](https://artifacthub.io/packages/helm/fluxcd-community/flux2)
+[![license](https://img.shields.io/github/license/fluxcd/flux2.svg)](https://github.com/fluxcd/flux2/blob/main/LICENSE)
-[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://fluxcd.io/flux/security/slsa-assessment)
+[![release](https://img.shields.io/github/release/fluxcd/flux2/all.svg)](https://github.com/fluxcd/flux2/releases)
 
 Flux is a tool for keeping Kubernetes clusters in sync with sources of
-configuration (like Git repositories and OCI artifacts),
+configuration (like Git repositories), and automating updates to
-and automating updates to configuration when there is new code to deploy.
+configuration when there is new code to deploy.
 
 Flux version 2 ("v2") is built from the ground up to use Kubernetes'
 API extension system, and to integrate with Prometheus and other core
@@ -21,19 +20,18 @@ Flux v2 is constructed with the [GitOps Toolkit](#gitops-toolkit), a
 set of composable APIs and specialized tools for building Continuous
 Delivery on top of Kubernetes.
 
-Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) graduated project, used in
+Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) project.
-production by various [organisations](https://fluxcd.io/adopters) and [cloud providers](https://fluxcd.io/ecosystem).
 
 ## Quickstart and documentation
 
-To get started check out this [guide](https://fluxcd.io/flux/get-started/)
+To get started check out this [guide](https://fluxcd.io/docs/get-started/)
 on how to bootstrap Flux on Kubernetes and deploy a sample application in a GitOps manner.
 
 For more comprehensive documentation, see the following guides:
-- [Ways of structuring your repositories](https://fluxcd.io/flux/guides/repository-structure/)
+- [Ways of structuring your repositories](https://fluxcd.io/docs/guides/repository-structure/)
-- [Manage Helm Releases](https://fluxcd.io/flux/guides/helmreleases/)
+- [Manage Helm Releases](https://fluxcd.io/docs/guides/helmreleases/)
-- [Automate image updates to Git](https://fluxcd.io/flux/guides/image-update/)  
+- [Automate image updates to Git](https://fluxcd.io/docs/guides/image-update/)  
-- [Manage Kubernetes secrets with Flux and SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)  
+- [Manage Kubernetes secrets with Mozilla SOPS](https://fluxcd.io/docs/guides/mozilla-sops/)  
 
 If you need help, please refer to our **[Support page](https://fluxcd.io/support/)**.
 
@@ -44,32 +42,31 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.
 
-![overview](https://raw.githubusercontent.com/fluxcd/flux2/main/docs/diagrams/fluxcd-controllers.png)
+![overview](docs/_files/gitops-toolkit.png)
 
 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
-guides](https://fluxcd.io/flux/gitops-toolkit/source-watcher/).
+guides](https://fluxcd.io/docs/gitops-toolkit/source-watcher/).
 
 ### Components
 
-- [Source Controller](https://fluxcd.io/flux/components/source/)
+- [Source Controller](https://fluxcd.io/docs/components/source/)
-    - [GitRepository CRD](https://fluxcd.io/flux/components/source/gitrepositories/)
+    - [GitRepository CRD](https://fluxcd.io/docs/components/source/gitrepositories/)
-    - [OCIRepository CRD](https://fluxcd.io/flux/components/source/ocirepositories/)
+    - [HelmRepository CRD](https://fluxcd.io/docs/components/source/helmrepositories/)
-    - [HelmRepository CRD](https://fluxcd.io/flux/components/source/helmrepositories/)
+    - [HelmChart CRD](https://fluxcd.io/docs/components/source/helmcharts/)
-    - [HelmChart CRD](https://fluxcd.io/flux/components/source/helmcharts/)
+    - [Bucket CRD](https://fluxcd.io/docs/components/source/buckets/)
-    - [Bucket CRD](https://fluxcd.io/flux/components/source/buckets/)
+- [Kustomize Controller](https://fluxcd.io/docs/components/kustomize/)
-- [Kustomize Controller](https://fluxcd.io/flux/components/kustomize/)
+    - [Kustomization CRD](https://fluxcd.io/docs/components/kustomize/kustomization/)
-    - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomizations/)
+- [Helm Controller](https://fluxcd.io/docs/components/helm/)
-- [Helm Controller](https://fluxcd.io/flux/components/helm/)
+    - [HelmRelease CRD](https://fluxcd.io/docs/components/helm/helmreleases/)
-    - [HelmRelease CRD](https://fluxcd.io/flux/components/helm/helmreleases/)
+- [Notification Controller](https://fluxcd.io/docs/components/notification/)
-- [Notification Controller](https://fluxcd.io/flux/components/notification/)
+    - [Provider CRD](https://fluxcd.io/docs/components/notification/provider/)
-    - [Provider CRD](https://fluxcd.io/flux/components/notification/providers/)
+    - [Alert CRD](https://fluxcd.io/docs/components/notification/alert/)
-    - [Alert CRD](https://fluxcd.io/flux/components/notification/alerts/)
+    - [Receiver CRD](https://fluxcd.io/docs/components/notification/receiver/)
-    - [Receiver CRD](https://fluxcd.io/flux/components/notification/receivers/)
+- [Image Automation Controllers](https://fluxcd.io/docs/components/image/)
-- [Image Automation Controllers](https://fluxcd.io/flux/components/image/)
+  - [ImageRepository CRD](https://fluxcd.io/docs/components/image/imagerepositories/)
-  - [ImageRepository CRD](https://fluxcd.io/flux/components/image/imagerepositories/)
+  - [ImagePolicy CRD](https://fluxcd.io/docs/components/image/imagepolicies/)
-  - [ImagePolicy CRD](https://fluxcd.io/flux/components/image/imagepolicies/)
+  - [ImageUpdateAutomation CRD](https://fluxcd.io/docs/components/image/imageupdateautomations/)
-  - [ImageUpdateAutomation CRD](https://fluxcd.io/flux/components/image/imageupdateautomations/)
   
 ## Community
 
@@ -77,19 +74,18 @@ Need help or want to contribute? Please see the links below. The Flux project is
 new contributors and there are a multitude of ways to get involved.
 
 - Getting Started?
-    - Look at our [Get Started guide](https://fluxcd.io/flux/get-started/) and give us feedback
+    - Look at our [Get Started guide](https://fluxcd.io/docs/get-started/) and give us feedback
 - Need help?
-    - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions).
+    - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
-    - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/).
+    - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/)
     - Please follow our [Support Guidelines](https://fluxcd.io/support/)
       (in short: be nice, be respectful of volunteers' time, understand that maintainers and
       contributors cannot respond to all DMs, and keep discussions in the public #flux channel as much as possible).
 - Have feature proposals or want to contribute?
-    - Propose features on our [GitHub Discussions page](https://github.com/fluxcd/flux2/discussions).
+    - Propose features on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
-    - Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view)).
+    - Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view))
     - [Join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
-    - Check out [how to contribute](CONTRIBUTING.md) to the project.
+    - Check out [how to contribute](CONTRIBUTING.md) to the project
-    - Check out the [project roadmap](https://fluxcd.io/roadmap/).
 
 ### Events
 

action/README.md

@@ -1,22 +1,104 @@
 # Flux GitHub Action
 
-To install the latest Flux CLI on Linux, macOS or Windows GitHub runners:
+Usage:
 
 ```yaml
-steps:
+    steps:
-  - name: Setup Flux CLI
+      - name: Setup Flux CLI
-    uses: fluxcd/flux2/action@main
+        uses: fluxcd/flux2/action@main
-    with:
+      - name: Run Flux commands
-      version: 'latest'
+        run: flux -v
-  - name: Run Flux CLI
-    run: flux version --client
 ```
 
-The Flux GitHub Action can be used to automate various tasks in CI, such as:
+The latest stable version of the `flux` binary is downloaded from
+GitHub [releases](https://github.com/fluxcd/flux2/releases)
+and placed at `/usr/local/bin/flux`.
 
-- [Automate Flux upgrades on clusters via Pull Requests](https://fluxcd.io/flux/flux-gh-action/#automate-flux-updates)
+Note that this action can only be used on GitHub **Linux** runners.
-- [Push Kubernetes manifests to container registries](https://fluxcd.io/flux/flux-gh-action/#push-kubernetes-manifests-to-container-registries)
+You can change the arch (defaults to `amd64`) with:
-- [Run end-to-end testing with Flux and Kubernetes Kind](https://fluxcd.io/flux/flux-gh-action/#end-to-end-testing)
 
-For more information, please see the [Flux GitHub Action documentation](https://fluxcd.io/flux/flux-gh-action/).
+```yaml
+    steps:
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+        with:
+          arch: arm64 # can be amd64, arm64 or arm
+```
+
+You can download a specific version with:
+
+```yaml
+    steps:
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+        with:
+          version: 0.8.0
+```
+
+### Automate Flux updates
+
+Example workflow for updating Flux's components generated with `flux bootstrap --path=clusters/production`:
+
+```yaml
+name: update-flux
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 * * * *"
+
+jobs:
+  components:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Check for updates
+        id: update
+        run: |
+          flux install \
+            --export > ./clusters/production/flux-system/gotk-components.yaml
+
+          VERSION="$(flux -v)"
+          echo "::set-output name=flux_version::$VERSION"
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v3
+        with:
+            token: ${{ secrets.GITHUB_TOKEN }}
+            branch: update-flux
+            commit-message: Update to ${{ steps.update.outputs.flux_version }}
+            title: Update to ${{ steps.update.outputs.flux_version }}
+            body: |
+              ${{ steps.update.outputs.flux_version }}
+```
+
+### End-to-end testing
+
+Example workflow for running Flux in Kubernetes Kind:
+
+```yaml
+name: e2e
+
+on:
+  push:
+    branches:
+      - '*'
+
+jobs:
+  kubernetes:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Setup Kubernetes Kind
+        uses: engineerd/setup-kind@v0.5.0
+      - name: Install Flux in Kubernetes Kind
+        run: flux install
+```
 
+A complete e2e testing workflow is available here
+[flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)

action/action.yml

@@ -1,120 +1,52 @@
 name: Setup Flux CLI
-description: A GitHub Action for installing the Flux CLI
+description: A GitHub Action for running Flux commands
-author: Flux project
+author: Stefan Prodan
 branding:
   color: blue
   icon: command
 inputs:
   version:
-    description: "Flux version e.g. 2.0.0 (defaults to latest stable release)"
+    description: "Flux version e.g. 0.8.0 (defaults to latest stable release)"
     required: false
   arch:
     description: "arch can be amd64, arm64 or arm"
-    required: false
+    required: true
-    deprecationMessage: "No longer required, action will now detect runner arch."
+    default: "amd64"
   bindir:
-    description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
+    description: "Optional location of the Flux binary. Will not use sudo if set. Updates System Path."
-    required: false
-  token:
-    description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
     required: false
 runs:
   using: composite
   steps:
-    - name: "Download the binary to the runner's cache dir"
+    - name: "Download flux binary to tmp"
       shell: bash
       run: |
+        ARCH=${{ inputs.arch }}
         VERSION=${{ inputs.version }}
 
-        TOKEN=${{ inputs.token }}
+        if [ -z $VERSION ]; then
-        if [[ -z "$TOKEN" ]]; then
+          VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
-          TOKEN=${{ github.token }}
-        fi
-
-        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
-          VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
-        fi
-        if [[ -z "$VERSION" ]]; then
-          echo "Unable to determine Flux CLI version"
-          exit 1
-        fi
-        if [[ $VERSION = v* ]]; then
-          VERSION="${VERSION:1}"
-        fi
-
-        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
-        if [[ "$OS" == "macos" ]]; then
-          OS="darwin"
-        fi
-
-        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
-        if [[ "$ARCH" == "x64" ]]; then
-          ARCH="amd64"
-        elif [[ "$ARCH" == "x86" ]]; then
-          ARCH="386"
-        fi
-
-        FLUX_EXEC_FILE="flux"
-        if [[ "$OS" == "windows" ]]; then
-            FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
-        fi
-
-        FLUX_TOOL_DIR=${{ inputs.bindir }}
-        if [[ -z "$FLUX_TOOL_DIR" ]]; then
-          FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
-        fi
-        if [[ ! -x "$FLUX_TOOL_DIR/FLUX_EXEC_FILE" ]]; then
-          DL_DIR="$(mktemp -dt flux2-XXXXXX)"
-          trap 'rm -rf $DL_DIR' EXIT
-
-          echo "Downloading flux ${VERSION} for ${OS}/${ARCH}"
-          FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.tar.gz"
-          if [[ "$OS" == "windows" ]]; then
-            FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.zip"
-          fi
-
-          FLUX_CHECKSUMS_FILE="flux_${VERSION}_checksums.txt"
-
-          FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"
-
-          curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
-          curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
-
-          echo "Verifying checksum"
-          sum=""
-          if command -v openssl > /dev/null; then
-            sum=$(openssl sha256 "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $2}')
-          elif command -v sha256sum > /dev/null; then
-            sum=$(sha256sum "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $1}')
-          fi
-
-          if [[ -z "$sum" ]]; then
-            echo "Neither openssl nor sha256sum found. Cannot calculate checksum."
-            exit 1
-          fi
-
-          expected_sum=$(grep " $FLUX_TARGET_FILE\$" "$DL_DIR/$FLUX_CHECKSUMS_FILE" | awk '{print $1}')
-          if [ "$sum" != "$expected_sum" ]; then
-            echo "SHA sum of ${FLUX_TARGET_FILE} does not match. Aborting."
-            exit 1
-          fi
-
-          echo "Installing flux to ${FLUX_TOOL_DIR}"
-          mkdir -p "$FLUX_TOOL_DIR"
-        
-          if [[ "$OS" == "windows" ]]; then
-            unzip "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_EXEC_FILE" -d "$FLUX_TOOL_DIR"
-          else
-            tar xzf "$DL_DIR/$FLUX_TARGET_FILE" -C "$FLUX_TOOL_DIR" $FLUX_EXEC_FILE
-          fi
-
-          chmod +x "$FLUX_TOOL_DIR/$FLUX_EXEC_FILE"
         fi
 
-        echo "Adding flux to path"
+        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
-        echo "$FLUX_TOOL_DIR" >> "$GITHUB_PATH"
+        curl -sL ${BIN_URL} -o /tmp/flux.tar.gz
-
+        mkdir -p /tmp/flux
-    - name: "Print installed flux version"
+        tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
+    - name: "Copy Flux binary to execute location"
+      shell: bash
+      run: |
+        BINDIR=${{ inputs.bindir }}
+        if [ -z $BINDIR ]; then
+          sudo cp /tmp/flux/flux /usr/local/bin
+        else
+          cp /tmp/flux/flux "${BINDIR}"
+          echo "${BINDIR}" >> $GITHUB_PATH
+        fi
+    - name: "Cleanup tmp"
+      shell: bash
+      run: |
+        rm -rf /tmp/flux/ /tmp/flux.tar.gz
+    - name: "Verify correct installation of binary"
       shell: bash
       run: |
         flux -v

cmd/flux/alert.go

@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
 
 // notificationv1.Alert

cmd/flux/alert_provider.go

@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
 
 // notificationv1.Provider

cmd/flux/bootstrap.go

@@ -17,32 +17,27 @@ limitations under the License.
 package main
 
 import (
-	"context"
 	"crypto/elliptic"
 	"fmt"
 	"strings"
 
-	"github.com/fluxcd/pkg/git"
-	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var bootstrapCmd = &cobra.Command{
 	Use:   "bootstrap",
-	Short: "Deploy Flux on a cluster the GitOps way.",
+	Short: "Bootstrap toolkit components",
-	Long: `The bootstrap sub-commands push the Flux manifests to a Git repository
+	Long:  "The bootstrap sub-commands bootstrap the toolkit components on the targeted Git provider.",
-and deploy Flux on the cluster.`,
 }
 
 type bootstrapFlags struct {
 	version  string
+	arch     flags.Arch
 	logLevel flags.LogLevel
 
 	branch            string
@@ -53,19 +48,17 @@ type bootstrapFlags struct {
 	extraComponents    []string
 	requiredComponents []string
 
-	registry           string
+	registry        string
-	registryCredential string
+	imagePullSecret string
-	imagePullSecret    string
 
-	secretName           string
+	secretName     string
-	tokenAuth            bool
+	tokenAuth      bool
-	keyAlgorithm         flags.PublicKeyAlgorithm
+	keyAlgorithm   flags.PublicKeyAlgorithm
-	keyRSABits           flags.RSAKeyBits
+	keyRSABits     flags.RSAKeyBits
-	keyECDSACurve        flags.ECDSACurve
+	keyECDSACurve  flags.ECDSACurve
-	sshHostname          string
+	sshHostname    string
-	caFile               string
+	caFile         string
-	privateKeyFile       string
+	privateKeyFile string
-	sshHostKeyAlgorithms []string
 
 	watchAllNamespaces bool
 	networkPolicy      bool
@@ -79,8 +72,6 @@ type bootstrapFlags struct {
 	gpgPassphrase  string
 	gpgKeyID       string
 
-	force bool
-
 	commitMessageAppendix string
 }
 
@@ -100,11 +91,9 @@ func init() {
 		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
 
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
-		"container registry where the Flux controller images are published")
+		"container registry where the toolkit images are published")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registryCredential, "registry-creds", "",
-		"container registry credentials in the format 'user:password', requires --image-pull-secret to be set")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.imagePullSecret, "image-pull-secret", "",
-		"Kubernetes secret name used for pulling the controller images from a private registry")
+		"Kubernetes secret name used for pulling the toolkit images from a private registry")
 
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.branch, "branch", bootstrapDefaultBranch, "Git branch")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.recurseSubmodules, "recurse-submodules", false,
@@ -113,20 +102,19 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.manifestsPath, "manifests", "", "path to the manifest directory")
 
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.watchAllNamespaces, "watch-all-namespaces", true,
-		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the Flux controllers are installed")
+		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.networkPolicy, "network-policy", true,
-		"setup Kubernetes network policies to deny ingress access to the Flux controllers from other namespaces")
+		"deny ingress access to the toolkit controllers from other namespaces using network policies")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.tokenAuth, "token-auth", false,
-		"when enabled, the personal access token will be used instead of the SSH deploy key")
+		"when enabled, the personal access token will be used instead of SSH deploy key")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.logLevel, "log-level", bootstrapArgs.logLevel.Description())
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.clusterDomain, "cluster-domain", rootArgs.defaults.ClusterDomain, "internal cluster domain")
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.tolerationKeys, "toleration-keys", nil,
-		"list of toleration keys used to schedule the controller pods onto nodes with matching taints")
+		"list of toleration keys used to schedule the components pods onto nodes with matching taints")
 
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.secretName, "secret-name", rootArgs.defaults.Namespace, "name of the secret the sync credentials can be found in or stored to")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyAlgorithm, "ssh-key-algorithm", bootstrapArgs.keyAlgorithm.Description())
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyRSABits, "ssh-rsa-bits", bootstrapArgs.keyRSABits.Description())
-	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.sshHostKeyAlgorithms, "ssh-hostkey-algos", nil, "list of host key algorithms to be used by the CLI for SSH connections")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyECDSACurve, "ssh-ecdsa-curve", bootstrapArgs.keyECDSACurve.Description())
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.sshHostname, "ssh-hostname", "", "SSH hostname, to be used when the SSH host differs from the HTTPS one")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
@@ -141,7 +129,8 @@ func init() {
 
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.commitMessageAppendix, "commit-message-appendix", "", "string to add to the commit messages, e.g. '[ci skip]'")
 
-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.force, "force", false, "override existing Flux installation if it's managed by a different tool such as Helm")
+	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.arch, "arch", bootstrapArgs.arch.Description())
+	bootstrapCmd.PersistentFlags().MarkDeprecated("arch", "multi-arch container image is now available for AMD64, ARMv7 and ARM64")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")
 
 	rootCmd.AddCommand(bootstrapCmd)
@@ -187,18 +176,6 @@ func bootstrapValidate() error {
 		return err
 	}
 
-	if bootstrapArgs.registryCredential != "" && bootstrapArgs.imagePullSecret == "" {
-		return fmt.Errorf("--registry-creds requires --image-pull-secret to be set")
-	}
-
-	if bootstrapArgs.registryCredential != "" && len(strings.Split(bootstrapArgs.registryCredential, ":")) != 2 {
-		return fmt.Errorf("invalid --registry-creds format, expected 'user:password'")
-	}
-
-	if len(bootstrapArgs.sshHostKeyAlgorithms) > 0 {
-		git.HostKeyAlgos = bootstrapArgs.sshHostKeyAlgorithms
-	}
-
 	return nil
 }
 
@@ -213,27 +190,3 @@ func mapTeamSlice(s []string, defaultPermission string) map[string]string {
 
 	return m
 }
-
-// confirmBootstrap gets a confirmation for running bootstrap over an existing Flux installation.
-// It returns a nil error if Flux is not installed or the user confirms overriding an existing installation
-func confirmBootstrap(ctx context.Context, kubeClient client.Client) error {
-	installed := true
-	info, err := getFluxClusterInfo(ctx, kubeClient)
-	if err != nil {
-		if !errors.IsNotFound(err) {
-			return fmt.Errorf("cluster info unavailable: %w", err)
-		}
-		installed = false
-	}
-
-	if installed {
-		err = confirmFluxInstallOverride(info)
-		if err != nil {
-			if err == promptui.ErrAbort {
-				return fmt.Errorf("bootstrap cancelled")
-			}
-			return err
-		}
-	}
-	return nil
-}

cmd/flux/bootstrap_bitbucket_server.go

@@ -22,42 +22,45 @@ import (
 	"os"
 	"time"
 
-	"github.com/fluxcd/pkg/git"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
-	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
 
-	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/internal/bootstrap"
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
-	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/internal/bootstrap/provider"
-	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 
 var bootstrapBServerCmd = &cobra.Command{
 	Use:   "bitbucket-server",
-	Short: "Deploy Flux on a cluster connected to a Bitbucket Server repository",
+	Short: "Bootstrap toolkit components in a Bitbucket Server repository",
 	Long: `The bootstrap bitbucket-server command creates the Bitbucket Server repository if it doesn't exists and
-commits the Flux manifests to the master branch.
+commits the toolkit components manifests to the master branch.
 Then it configures the target cluster to synchronize with the repository.
-If the Flux components are present on the cluster,
+If the toolkit components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a Bitbucket Server API token and export it as an env var
   export BITBUCKET_TOKEN=<my-token>
 
   # Run bootstrap for a private repository using HTTPS token authentication
-  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth
 
   # Run bootstrap for a private repository using SSH authentication
-  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --path=clusters/my-cluster
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain>
+
+  # Run bootstrap for a repository path
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --path=dev-cluster --hostname=<domain>
 
   # Run bootstrap for a public repository on a personal account
-  flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth --path=clusters/my-cluster
+  flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth
 
-  # Run bootstrap for an existing repository with a branch named main
+  # Run bootstrap for a an existing repository with a branch named main
-  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth --path=clusters/my-cluster`,
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth`,
 	RunE: bootstrapBServerCmdRun,
 }
 
@@ -124,17 +127,8 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	if !bootstrapArgs.force {
-		err = confirmBootstrap(ctx, kubeClient)
-		if err != nil {
-			return err
-		}
-	}
-
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err != nil {
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
-		return err
-	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@@ -177,17 +171,10 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-
+	gitClient := gogit.New(tmpDir, &http.BasicAuth{
-	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
+		Username: user,
-	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
+		Password: bitbucketToken,
-		Transport: git.HTTPS,
+	})
-		Username:  user,
-		Password:  bitbucketToken,
-		CAFile:    caBundle,
-	}, clientOpts...)
-	if err != nil {
-		return fmt.Errorf("failed to create a Git client: %w", err)
-	}
 
 	// Install manifest config
 	installOptions := install.Options{
@@ -196,7 +183,6 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
-		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@@ -226,18 +212,19 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = bServerArgs.username
 		}
 		secretOpts.Password = bitbucketToken
-		secretOpts.CACrt = caBundle
+
-	} else {
+		if bootstrapArgs.caFile != "" {
-		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
+			secretOpts.CAFilePath = bootstrapArgs.caFile
-		if err != nil {
-			return err
 		}
-		secretOpts.Keypair = keypair
+	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-
 		secretOpts.SSHHostname = bServerArgs.hostname
+
+		if bootstrapArgs.privateKeyFile != "" {
+			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
+		}
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
@@ -252,27 +239,23 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        bServerArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 
-	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
-	if err != nil {
-		return err
-	}
-
 	// Bootstrap config
-
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(bServerArgs.owner, bServerArgs.repository, bServerArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
-		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/bootstrap_git.go

@@ -24,52 +24,44 @@ import (
 	"strings"
 	"time"
 
+	"github.com/go-git/go-git/v5/plumbing/transport"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 
-	"github.com/fluxcd/pkg/git"
+	"github.com/fluxcd/flux2/internal/bootstrap"
-	"github.com/fluxcd/pkg/git/gogit"
+	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
-
+	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )
 
 var bootstrapGitCmd = &cobra.Command{
 	Use:   "git",
-	Short: "Deploy Flux on a cluster connected to a Git repository",
+	Short: "Bootstrap toolkit components in a Git repository",
-	Long: `The bootstrap git command commits the Flux manifests to the
+	Long: `The bootstrap git command commits the toolkit components manifests to the
-branch of a Git repository. And then it configures the target cluster to synchronize with
+branch of a Git repository. It then configures the target cluster to synchronize with
-that repository. If the Flux components are present on the cluster, the bootstrap
+the repository. If the toolkit components are present on the cluster, the bootstrap
 command will perform an upgrade if needed.`,
 	Example: `  # Run bootstrap for a Git repository and authenticate with your SSH agent
-  flux bootstrap git --url=ssh://git@example.com/repository.git --path=clusters/my-cluster
+  flux bootstrap git --url=ssh://git@example.com/repository.git
 
   # Run bootstrap for a Git repository and authenticate using a password
-  flux bootstrap git --url=https://example.com/repository.git --password=<password> --path=clusters/my-cluster
+  flux bootstrap git --url=https://example.com/repository.git --password=<password>
 
   # Run bootstrap for a Git repository and authenticate using a password from environment variable
-  GIT_PASSWORD=<password> && flux bootstrap git --url=https://example.com/repository.git --path=clusters/my-cluster
+  GIT_PASSWORD=<password> && flux bootstrap git --url=https://example.com/repository.git
 
   # Run bootstrap for a Git repository with a passwordless private key
-  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --path=clusters/my-cluster
+  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key>
 
   # Run bootstrap for a Git repository with a private key and password
-  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --password=<password> --path=clusters/my-cluster
+  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --password=<password>
-
-  # Run bootstrap for a Git repository on AWS CodeCommit
-  flux bootstrap git --url=ssh://<SSH-Key-ID>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> --private-key-file=<path/to/private.key> --password=<SSH-passphrase> --path=clusters/my-cluster
-
-  # Run bootstrap for a Git repository on Azure Devops
-  flux bootstrap git --url=ssh://git@ssh.dev.azure.com/v3/<org>/<project>/<repository> --private-key-file=<path/to/rsa-sha2-private.key> --ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256 --path=clusters/my-cluster
-
-  # Run bootstrap for a Git repository on Oracle VBS
-  flux bootstrap git --url=https://repository_url.git --with-bearer-token=true --password=<PAT> --path=clusters/my-cluster
 `,
 	RunE: bootstrapGitCmdRun,
 }
@@ -82,7 +74,6 @@ type gitFlags struct {
 	password            string
 	silent              bool
 	insecureHttpAllowed bool
-	withBearerToken     bool
 }
 
 const (
@@ -98,17 +89,12 @@ func init() {
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
 	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
-	bootstrapGitCmd.Flags().BoolVar(&gitArgs.insecureHttpAllowed, "allow-insecure-http", false, "allows insecure HTTP connections")
+	bootstrapGitCmd.Flags().BoolVar(&gitArgs.insecureHttpAllowed, "allow-insecure-http", false, "allows http git url connections")
-	bootstrapGitCmd.Flags().BoolVar(&gitArgs.withBearerToken, "with-bearer-token", false, "use password as bearer token for Authorization header")
 
 	bootstrapCmd.AddCommand(bootstrapGitCmd)
 }
 
 func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
-	if gitArgs.withBearerToken {
-		bootstrapArgs.tokenAuth = true
-	}
-
 	gitPassword := os.Getenv(gitPasswordEnvVar)
 	if gitPassword != "" && gitArgs.password == "" {
 		gitArgs.password = gitPassword
@@ -130,22 +116,9 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-
+	gitAuth, err := transportForURL(repositoryURL)
-	if strings.Contains(repositoryURL.Hostname(), "git-codecommit") && strings.Contains(repositoryURL.Hostname(), "amazonaws.com") {
+	if err != nil {
-		if repositoryURL.Scheme == string(git.SSH) {
+		return err
-			if repositoryURL.User == nil {
-				return fmt.Errorf("invalid AWS CodeCommit url: ssh username should be specified in the url")
-			}
-			if repositoryURL.User.Username() == git.DefaultPublicKeyAuthUser {
-				return fmt.Errorf("invalid AWS CodeCommit url: ssh username should be the SSH key ID for the provided private key")
-			}
-			if bootstrapArgs.privateKeyFile == "" {
-				return fmt.Errorf("private key file is required for bootstrapping against AWS CodeCommit using ssh")
-			}
-		}
-		if repositoryURL.Scheme == string(git.HTTPS) && !bootstrapArgs.tokenAuth {
-			return fmt.Errorf("--token-auth=true must be specified for using an HTTPS AWS CodeCommit url")
-		}
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
@@ -156,17 +129,8 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	if !bootstrapArgs.force {
-		err = confirmBootstrap(ctx, kubeClient)
-		if err != nil {
-			return err
-		}
-	}
-
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err != nil {
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
-		return err
-	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@@ -181,28 +145,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-
+	gitClient := gogit.New(tmpDir, gitAuth)
-	var caBundle []byte
-	if bootstrapArgs.caFile != "" {
-		var err error
-		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
-		if err != nil {
-			return fmt.Errorf("unable to read TLS CA file: %w", err)
-		}
-	}
-	authOpts, err := getAuthOpts(repositoryURL, caBundle)
-	if err != nil {
-		return fmt.Errorf("failed to create authentication options for %s: %w", repositoryURL.String(), err)
-	}
-
-	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
-	if gitArgs.insecureHttpAllowed {
-		clientOpts = append(clientOpts, gogit.WithInsecureCredentialsOverHTTP())
-	}
-	gitClient, err := gogit.NewClient(tmpDir, authOpts, clientOpts...)
-	if err != nil {
-		return fmt.Errorf("failed to create a Git client: %w", err)
-	}
 
 	// Install manifest config
 	installOptions := install.Options{
@@ -211,7 +154,6 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
-		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@@ -234,16 +176,13 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		TargetPath:   gitArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
-
 	if bootstrapArgs.tokenAuth {
-		if gitArgs.withBearerToken {
+		secretOpts.Username = gitArgs.username
-			secretOpts.BearerToken = gitArgs.password
+		secretOpts.Password = gitArgs.password
-		} else {
-			secretOpts.Username = gitArgs.username
-			secretOpts.Password = gitArgs.password
-		}
 
-		secretOpts.CACrt = caBundle
+		if bootstrapArgs.caFile != "" {
+			secretOpts.CAFilePath = bootstrapArgs.caFile
+		}
 
 		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
 		// This _might_ be overwritten later on by e.g. --ssh-hostname
@@ -253,9 +192,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 
 		// Configure repository URL to match auth config for sync.
 		repositoryURL.User = nil
-		if !gitArgs.insecureHttpAllowed {
+		repositoryURL.Scheme = "https"
-			repositoryURL.Scheme = "https"
-		}
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.Password = gitArgs.password
@@ -274,12 +211,9 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		if bootstrapArgs.sshHostname != "" {
 			repositoryURL.Host = bootstrapArgs.sshHostname
 		}
-
+		if bootstrapArgs.privateKeyFile != "" {
-		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
+			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
-		if err != nil {
-			return err
 		}
-		secretOpts.Keypair = keypair
 
 		// Configure last as it depends on the config above.
 		secretOpts.SSHHostname = repositoryURL.Host
@@ -295,24 +229,30 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        gitArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 
-	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
+	var caBundle []byte
-	if err != nil {
+	if bootstrapArgs.caFile != "" {
-		return err
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
 	}
 
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitOption{
 		bootstrap.WithRepositoryURL(gitArgs.url),
 		bootstrap.WithBranch(bootstrapArgs.branch),
-		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithPostGenerateSecretFunc(promptPublicKey),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 
 	// Setup bootstrapper with constructed configs
@@ -325,57 +265,30 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
 
-// getAuthOpts retruns a AuthOptions based on the scheme
+// transportForURL constructs a transport.AuthMethod based on the scheme
 // of the given URL and the configured flags. If the protocol equals
 // "ssh" but no private key is configured, authentication using the local
 // SSH-agent is attempted.
-func getAuthOpts(u *url.URL, caBundle []byte) (*git.AuthOptions, error) {
+func transportForURL(u *url.URL) (transport.AuthMethod, error) {
 	switch u.Scheme {
 	case "http":
 		if !gitArgs.insecureHttpAllowed {
 			return nil, fmt.Errorf("scheme http is insecure, pass --allow-insecure-http=true to allow it")
 		}
-		httpAuth := git.AuthOptions{
+		return &http.BasicAuth{
-			Transport: git.HTTP,
+			Username: gitArgs.username,
-		}
+			Password: gitArgs.password,
-		if gitArgs.withBearerToken {
+		}, nil
-			httpAuth.BearerToken = gitArgs.password
-		} else {
-			httpAuth.Username = gitArgs.username
-			httpAuth.Password = gitArgs.password
-		}
-		return &httpAuth, nil
 	case "https":
-		httpsAuth := git.AuthOptions{
+		return &http.BasicAuth{
-			Transport: git.HTTPS,
+			Username: gitArgs.username,
-			CAFile:    caBundle,
+			Password: gitArgs.password,
-		}
+		}, nil
-		if gitArgs.withBearerToken {
-			httpsAuth.BearerToken = gitArgs.password
-		} else {
-			httpsAuth.Username = gitArgs.username
-			httpsAuth.Password = gitArgs.password
-		}
-		return &httpsAuth, nil
 	case "ssh":
-		authOpts := &git.AuthOptions{
-			Transport: git.SSH,
-			Username:  u.User.Username(),
-			Password:  gitArgs.password,
-		}
 		if bootstrapArgs.privateKeyFile != "" {
-			pk, err := os.ReadFile(bootstrapArgs.privateKeyFile)
+			return ssh.NewPublicKeysFromFile(u.User.Username(), bootstrapArgs.privateKeyFile, gitArgs.password)
-			if err != nil {
-				return nil, err
-			}
-			kh, err := sourcesecret.ScanHostKey(u.Host)
-			if err != nil {
-				return nil, err
-			}
-			authOpts.Identity = pk
-			authOpts.KnownHosts = kh
 		}
-		return authOpts, nil
+		return nil, nil
 	default:
 		return nil, fmt.Errorf("scheme %q is not supported", u.Scheme)
 	}

cmd/flux/bootstrap_gitea.go

@@ -1,276 +0,0 @@
-/*
-Copyright 2023 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/fluxcd/pkg/git"
-	"github.com/fluxcd/pkg/git/gogit"
-	"github.com/spf13/cobra"
-
-	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
-	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
-)
-
-var bootstrapGiteaCmd = &cobra.Command{
-	Use:   "gitea",
-	Short: "Deploy Flux on a cluster connected to a Gitea repository",
-	Long: `The bootstrap gitea command creates the Gitea repository if it doesn't exists and
-commits the Flux manifests to the specified branch.
-Then it configures the target cluster to synchronize with that repository.
-If the Flux components are present on the cluster,
-the bootstrap command will perform an upgrade if needed.`,
-	Example: `  # Create a Gitea personal access token and export it as an env var
-  export GITEA_TOKEN=<my-token>
-
-  # Run bootstrap for a private repository owned by a Gitea organization
-  flux bootstrap gitea --owner=<organization> --repository=<repository name> --path=clusters/my-cluster
-
-  # Run bootstrap for a private repository and assign organization teams to it
-  flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug> --path=clusters/my-cluster
-
-  # Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
-  flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level> --path=clusters/my-cluster
-
-  # Run bootstrap for a public repository on a personal account
-  flux bootstrap gitea --owner=<user> --repository=<repository name> --private=false --personal=true --path=clusters/my-cluster
-
-  # Run bootstrap for a private repository hosted on Gitea Enterprise using SSH auth
-  flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain> --path=clusters/my-cluster
-
-  # Run bootstrap for a private repository hosted on Gitea Enterprise using HTTPS auth
-  flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
-
-  # Run bootstrap for an existing repository with a branch named main
-  flux bootstrap gitea --owner=<organization> --repository=<repository name> --branch=main --path=clusters/my-cluster`,
-	RunE: bootstrapGiteaCmdRun,
-}
-
-type giteaFlags struct {
-	owner        string
-	repository   string
-	interval     time.Duration
-	personal     bool
-	private      bool
-	hostname     string
-	path         flags.SafeRelativePath
-	teams        []string
-	readWriteKey bool
-	reconcile    bool
-}
-
-const (
-	gtDefaultPermission = "maintain"
-	gtDefaultDomain     = "gitea.com"
-	gtTokenEnvVar       = "GITEA_TOKEN"
-)
-
-var giteaArgs giteaFlags
-
-func init() {
-	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.owner, "owner", "", "Gitea user or organization name")
-	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.repository, "repository", "", "Gitea repository name")
-	bootstrapGiteaCmd.Flags().StringSliceVar(&giteaArgs.teams, "team", []string{}, "Gitea team and the access to be given to it(team:maintain). Defaults to maintainer access if no access level is specified (also accepts comma-separated values)")
-	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.personal, "personal", false, "if true, the owner is assumed to be a Gitea user; otherwise an org")
-	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.private, "private", true, "if true, the repository is setup or configured as private")
-	bootstrapGiteaCmd.Flags().DurationVar(&giteaArgs.interval, "interval", time.Minute, "sync interval")
-	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.hostname, "hostname", gtDefaultDomain, "Gitea hostname")
-	bootstrapGiteaCmd.Flags().Var(&giteaArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
-	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
-	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
-
-	bootstrapCmd.AddCommand(bootstrapGiteaCmd)
-}
-
-func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error {
-	gtToken := os.Getenv(gtTokenEnvVar)
-	if gtToken == "" {
-		var err error
-		gtToken, err = readPasswordFromStdin("Please enter your Gitea personal access token (PAT): ")
-		if err != nil {
-			return fmt.Errorf("could not read token: %w", err)
-		}
-	}
-
-	if err := bootstrapValidate(); err != nil {
-		return err
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-
-	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err != nil {
-		return err
-	} else {
-		bootstrapArgs.version = ver
-	}
-	manifestsBase, err := buildEmbeddedManifestBase()
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(manifestsBase)
-
-	var caBundle []byte
-	if bootstrapArgs.caFile != "" {
-		var err error
-		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
-		if err != nil {
-			return fmt.Errorf("unable to read TLS CA file: %w", err)
-		}
-	}
-	// Build Gitea provider
-	providerCfg := provider.Config{
-		Provider: provider.GitProviderGitea,
-		Hostname: giteaArgs.hostname,
-		Token:    gtToken,
-		CaBundle: caBundle,
-	}
-	providerClient, err := provider.BuildGitProvider(providerCfg)
-	if err != nil {
-		return err
-	}
-
-	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
-	if err != nil {
-		return fmt.Errorf("failed to create temporary working dir: %w", err)
-	}
-	defer os.RemoveAll(tmpDir)
-
-	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
-	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
-		Transport: git.HTTPS,
-		Username:  giteaArgs.owner,
-		Password:  gtToken,
-		CAFile:    caBundle,
-	}, clientOpts...)
-	if err != nil {
-		return fmt.Errorf("failed to create a Git client: %w", err)
-	}
-
-	// Install manifest config
-	installOptions := install.Options{
-		BaseURL:                rootArgs.defaults.BaseURL,
-		Version:                bootstrapArgs.version,
-		Namespace:              *kubeconfigArgs.Namespace,
-		Components:             bootstrapComponents(),
-		Registry:               bootstrapArgs.registry,
-		RegistryCredential:     bootstrapArgs.registryCredential,
-		ImagePullSecret:        bootstrapArgs.imagePullSecret,
-		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
-		NetworkPolicy:          bootstrapArgs.networkPolicy,
-		LogLevel:               bootstrapArgs.logLevel.String(),
-		NotificationController: rootArgs.defaults.NotificationController,
-		ManifestFile:           rootArgs.defaults.ManifestFile,
-		Timeout:                rootArgs.timeout,
-		TargetPath:             giteaArgs.path.ToSlash(),
-		ClusterDomain:          bootstrapArgs.clusterDomain,
-		TolerationKeys:         bootstrapArgs.tolerationKeys,
-	}
-	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
-		installOptions.BaseURL = customBaseURL
-	}
-
-	// Source generation and secret config
-	secretOpts := sourcesecret.Options{
-		Name:         bootstrapArgs.secretName,
-		Namespace:    *kubeconfigArgs.Namespace,
-		TargetPath:   giteaArgs.path.ToSlash(),
-		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
-	}
-	if bootstrapArgs.tokenAuth {
-		secretOpts.Username = "git"
-		secretOpts.Password = gtToken
-		secretOpts.CACrt = caBundle
-	} else {
-		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
-		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
-		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-
-		secretOpts.SSHHostname = giteaArgs.hostname
-		if bootstrapArgs.sshHostname != "" {
-			secretOpts.SSHHostname = bootstrapArgs.sshHostname
-		}
-	}
-
-	// Sync manifest config
-	syncOpts := sync.Options{
-		Interval:          giteaArgs.interval,
-		Name:              *kubeconfigArgs.Namespace,
-		Namespace:         *kubeconfigArgs.Namespace,
-		Branch:            bootstrapArgs.branch,
-		Secret:            bootstrapArgs.secretName,
-		TargetPath:        giteaArgs.path.ToSlash(),
-		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
-		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
-	}
-
-	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
-	if err != nil {
-		return err
-	}
-
-	// Bootstrap config
-	bootstrapOpts := []bootstrap.GitProviderOption{
-		bootstrap.WithProviderRepository(giteaArgs.owner, giteaArgs.repository, giteaArgs.personal),
-		bootstrap.WithBranch(bootstrapArgs.branch),
-		bootstrap.WithBootstrapTransportType("https"),
-		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
-		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
-		bootstrap.WithProviderTeamPermissions(mapTeamSlice(giteaArgs.teams, gtDefaultPermission)),
-		bootstrap.WithReadWriteKeyPermissions(giteaArgs.readWriteKey),
-		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
-		bootstrap.WithLogger(logger),
-		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
-	}
-	if bootstrapArgs.sshHostname != "" {
-		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
-	}
-	if bootstrapArgs.tokenAuth {
-		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
-	}
-	if !giteaArgs.private {
-		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
-	}
-	if giteaArgs.reconcile {
-		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
-	}
-
-	// Setup bootstrapper with constructed configs
-	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
-	if err != nil {
-		return err
-	}
-
-	// Run
-	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
-}

cmd/flux/bootstrap_github.go

@@ -22,51 +22,54 @@ import (
 	"os"
 	"time"
 
-	"github.com/fluxcd/pkg/git"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
-	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
 
-	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/internal/bootstrap"
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
-	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/internal/bootstrap/provider"
-	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 
 var bootstrapGitHubCmd = &cobra.Command{
 	Use:   "github",
-	Short: "Deploy Flux on a cluster connected to a GitHub repository",
+	Short: "Bootstrap toolkit components in a GitHub repository",
 	Long: `The bootstrap github command creates the GitHub repository if it doesn't exists and
-commits the Flux manifests to the specified branch.
+commits the toolkit components manifests to the main branch.
-Then it configures the target cluster to synchronize with that repository.
+Then it configures the target cluster to synchronize with the repository.
-If the Flux components are present on the cluster,
+If the toolkit components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitHub personal access token and export it as an env var
   export GITHUB_TOKEN=<my-token>
 
   # Run bootstrap for a private repository owned by a GitHub organization
-  flux bootstrap github --owner=<organization> --repository=<repository name> --path=clusters/my-cluster
+  flux bootstrap github --owner=<organization> --repository=<repository name>
 
   # Run bootstrap for a private repository and assign organization teams to it
-  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug> --path=clusters/my-cluster
+  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug>
 
   # Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
-  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level> --path=clusters/my-cluster
+  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level>
+
+  # Run bootstrap for a repository path
+  flux bootstrap github --owner=<organization> --repository=<repository name> --path=dev-cluster
 
   # Run bootstrap for a public repository on a personal account
-  flux bootstrap github --owner=<user> --repository=<repository name> --private=false --personal=true --path=clusters/my-cluster
+  flux bootstrap github --owner=<user> --repository=<repository name> --private=false --personal=true
 
   # Run bootstrap for a private repository hosted on GitHub Enterprise using SSH auth
-  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain> --path=clusters/my-cluster
+  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain>
 
   # Run bootstrap for a private repository hosted on GitHub Enterprise using HTTPS auth
-  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
+  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth
 
   # Run bootstrap for an existing repository with a branch named main
-  flux bootstrap github --owner=<organization> --repository=<repository name> --branch=main --path=clusters/my-cluster`,
+  flux bootstrap github --owner=<organization> --repository=<repository name> --branch=main`,
 	RunE: bootstrapGitHubCmdRun,
 }
 
@@ -128,17 +131,8 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	if !bootstrapArgs.force {
-		err = confirmBootstrap(ctx, kubeClient)
-		if err != nil {
-			return err
-		}
-	}
-
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err != nil {
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
-		return err
-	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@@ -167,22 +161,16 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	// Lazy go-git repository
 	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-
+	gitClient := gogit.New(tmpDir, &http.BasicAuth{
-	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
+		Username: githubArgs.owner,
-	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
+		Password: ghToken,
-		Transport: git.HTTPS,
+	})
-		Username:  githubArgs.owner,
-		Password:  ghToken,
-		CAFile:    caBundle,
-	}, clientOpts...)
-	if err != nil {
-		return fmt.Errorf("failed to create a Git client: %w", err)
-	}
 
 	// Install manifest config
 	installOptions := install.Options{
@@ -191,7 +179,6 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
-		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@@ -217,13 +204,16 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = ghToken
-		secretOpts.CACrt = caBundle
+
+		if bootstrapArgs.caFile != "" {
+			secretOpts.CAFilePath = bootstrapArgs.caFile
+		}
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-
 		secretOpts.SSHHostname = githubArgs.hostname
+
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
@@ -238,26 +228,23 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        githubArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 
-	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
-	if err != nil {
-		return err
-	}
-
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(githubArgs.owner, githubArgs.repository, githubArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
-		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(githubArgs.teams, ghDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(githubArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/bootstrap_gitlab.go

@@ -24,28 +24,27 @@ import (
 	"strings"
 	"time"
 
-	"github.com/fluxcd/go-git-providers/gitprovider"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
-	"github.com/fluxcd/pkg/git"
-	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
 
-	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/internal/bootstrap"
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
-	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/internal/bootstrap/provider"
-	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 
 var bootstrapGitLabCmd = &cobra.Command{
 	Use:   "gitlab",
-	Short: "Deploy Flux on a cluster connected to a GitLab repository",
+	Short: "Bootstrap toolkit components in a GitLab repository",
 	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exists and
-commits the Flux manifests to the specified branch.
+commits the toolkit components manifests to the master branch.
-Then it configures the target cluster to synchronize with that repository.
+Then it configures the target cluster to synchronize with the repository.
-If the Flux components are present on the cluster,
+If the toolkit components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitLab API token and export it as an env var
   export GITLAB_TOKEN=<my-token>
@@ -59,18 +58,14 @@ the bootstrap command will perform an upgrade if needed.`,
   # Run bootstrap for a repository path
   flux bootstrap gitlab --owner=<group> --repository=<repository name> --path=dev-cluster
 
-  # Run bootstrap for a public repository
+  # Run bootstrap for a public repository on a personal account
-  flux bootstrap gitlab --owner=<group> --repository=<repository name> --visibility=public  --token-auth
+  flux bootstrap gitlab --owner=<user> --repository=<repository name> --private=false --personal --token-auth
 
   # Run bootstrap for a private repository hosted on a GitLab server
-  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<gitlab_url> --token-auth
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<domain> --token-auth
 
-  # Run bootstrap for an existing repository with a branch named main
+  # Run bootstrap for a an existing repository with a branch named main
-  flux bootstrap gitlab --owner=<group> --repository=<repository name> --branch=main --token-auth
+  flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth`,
-
-  # Run bootstrap for a private repository using Deploy Token authentication
-  flux bootstrap gitlab --owner=<group> --repository=<repository name> --deploy-token-auth
-  `,
 	RunE: bootstrapGitLabCmdRun,
 }
 
@@ -82,27 +77,19 @@ const (
 )
 
 type gitlabFlags struct {
-	owner           string
+	owner        string
-	repository      string
+	repository   string
-	interval        time.Duration
+	interval     time.Duration
-	personal        bool
+	personal     bool
-	visibility      flags.GitLabVisibility
+	private      bool
-	private         bool
+	hostname     string
-	hostname        string
+	path         flags.SafeRelativePath
-	path            flags.SafeRelativePath
+	teams        []string
-	teams           []string
+	readWriteKey bool
-	readWriteKey    bool
+	reconcile    bool
-	reconcile       bool
-	deployTokenAuth bool
-}
-
-func NewGitlabFlags() gitlabFlags {
-	return gitlabFlags{
-		visibility: flags.GitLabVisibility(gitprovider.RepositoryVisibilityPrivate),
-	}
 }
 
-var gitlabArgs = NewGitlabFlags()
+var gitlabArgs gitlabFlags
 
 func init() {
 	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.owner, "owner", "", "GitLab user or group name")
@@ -110,14 +97,11 @@ func init() {
 	bootstrapGitLabCmd.Flags().StringSliceVar(&gitlabArgs.teams, "team", []string{}, "GitLab teams to be given maintainer access (also accepts comma-separated values)")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.personal, "personal", false, "if true, the owner is assumed to be a GitLab user; otherwise a group")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.private, "private", true, "if true, the repository is setup or configured as private")
-	bootstrapGitLabCmd.Flags().MarkDeprecated("private", "use --visibility instead")
-	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.visibility, "visibility", gitlabArgs.visibility.Description())
 	bootstrapGitLabCmd.Flags().DurationVar(&gitlabArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.hostname, "hostname", glDefaultDomain, "GitLab hostname")
 	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
-	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.deployTokenAuth, "deploy-token-auth", false, "when enabled, a Project Deploy Token is generated and will be used instead of the SSH deploy token")
 
 	bootstrapCmd.AddCommand(bootstrapGitLabCmd)
 }
@@ -139,15 +123,6 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	if bootstrapArgs.tokenAuth && gitlabArgs.deployTokenAuth {
-		return fmt.Errorf("--token-auth and --deploy-token-auth cannot be set both.")
-	}
-
-	if !gitlabArgs.private {
-		gitlabArgs.visibility.Set(string(gitprovider.RepositoryVisibilityPublic))
-		cmd.Println("Using visibility public as --private=false")
-	}
-
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
@@ -160,17 +135,8 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	if !bootstrapArgs.force {
-		err = confirmBootstrap(ctx, kubeClient)
-		if err != nil {
-			return err
-		}
-	}
-
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err != nil {
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
-		return err
-	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@@ -212,17 +178,10 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-
+	gitClient := gogit.New(tmpDir, &http.BasicAuth{
-	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
+		Username: gitlabArgs.owner,
-	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
+		Password: glToken,
-		Transport: git.HTTPS,
+	})
-		Username:  gitlabArgs.owner,
-		Password:  glToken,
-		CAFile:    caBundle,
-	}, clientOpts...)
-	if err != nil {
-		return fmt.Errorf("failed to create a Git client: %w", err)
-	}
 
 	// Install manifest config
 	installOptions := install.Options{
@@ -231,7 +190,6 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
-		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@@ -257,21 +215,19 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = glToken
-		secretOpts.CACrt = caBundle
+
-	} else if gitlabArgs.deployTokenAuth {
+		if bootstrapArgs.caFile != "" {
-		// the actual deploy token will be reconciled later
+			secretOpts.CAFilePath = bootstrapArgs.caFile
-		secretOpts.CACrt = caBundle
-	} else {
-		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
-		if err != nil {
-			return err
 		}
-		secretOpts.Keypair = keypair
+	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-
 		secretOpts.SSHHostname = gitlabArgs.hostname
+
+		if bootstrapArgs.privateKeyFile != "" {
+			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
+		}
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
@@ -286,36 +242,32 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        gitlabArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 
-	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
-	if err != nil {
-		return err
-	}
-
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(gitlabArgs.owner, gitlabArgs.repository, gitlabArgs.personal),
-		bootstrap.WithProviderVisibility(gitlabArgs.visibility.String()),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
-		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(gitlabArgs.teams, glDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(gitlabArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
-	if bootstrapArgs.tokenAuth || gitlabArgs.deployTokenAuth {
+	if bootstrapArgs.tokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
-	if gitlabArgs.deployTokenAuth {
+	if !gitlabArgs.private {
-		bootstrapOpts = append(bootstrapOpts, bootstrap.WithDeployTokenAuth())
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
 	if gitlabArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())

cmd/flux/build.go

@@ -23,7 +23,7 @@ import (
 var buildCmd = &cobra.Command{
 	Use:   "build",
 	Short: "Build a flux resource",
-	Long:  `The build command is used to build flux resources.`,
+	Long:  "The build command is used to build flux resources.",
 }
 
 func init() {

cmd/flux/build_artifact.go

@@ -1,117 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/spf13/cobra"
-
-	oci "github.com/fluxcd/pkg/oci/client"
-	"github.com/fluxcd/pkg/sourceignore"
-)
-
-var buildArtifactCmd = &cobra.Command{
-	Use:   "artifact",
-	Short: "Build artifact",
-	Long: withPreviewNote(`The build artifact command creates a tgz file with the manifests
-from the given directory or a single manifest file.`),
-	Example: `  # Build the given manifests directory into an artifact
-  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
-
-  # Build the given single manifest file into an artifact
-  flux build artifact --path ./path/to/local/manifest.yaml --output ./path/to/artifact.tgz
-
-  # List the files bundled in the artifact
-  tar -ztvf ./path/to/artifact.tgz
-`,
-	RunE: buildArtifactCmdRun,
-}
-
-type buildArtifactFlags struct {
-	output      string
-	path        string
-	ignorePaths []string
-}
-
-var excludeOCI = append(strings.Split(sourceignore.ExcludeVCS, ","), strings.Split(sourceignore.ExcludeExt, ",")...)
-
-var buildArtifactArgs buildArtifactFlags
-
-func init() {
-	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.path, "path", "p", "", "Path to the directory where the Kubernetes manifests are located.")
-	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
-	buildArtifactCmd.Flags().StringSliceVar(&buildArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
-
-	buildCmd.AddCommand(buildArtifactCmd)
-}
-
-func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
-	if buildArtifactArgs.path == "" {
-		return fmt.Errorf("invalid path %q", buildArtifactArgs.path)
-	}
-
-	path := buildArtifactArgs.path
-	var err error
-	if buildArtifactArgs.path == "-" {
-		path, err = saveReaderToFile(os.Stdin)
-		if err != nil {
-			return err
-		}
-
-		defer os.Remove(path)
-	}
-
-	if _, err := os.Stat(path); err != nil {
-		return fmt.Errorf("invalid path '%s', must point to an existing directory or file", path)
-	}
-
-	logger.Actionf("building artifact from %s", path)
-
-	ociClient := oci.NewClient(oci.DefaultOptions())
-	if err := ociClient.Build(buildArtifactArgs.output, path, buildArtifactArgs.ignorePaths); err != nil {
-		return fmt.Errorf("building artifact failed, error: %w", err)
-	}
-
-	logger.Successf("artifact created at %s", buildArtifactArgs.output)
-	return nil
-}
-
-func saveReaderToFile(reader io.Reader) (string, error) {
-	b, err := io.ReadAll(bufio.NewReader(reader))
-	if err != nil {
-		return "", err
-	}
-	b = bytes.TrimRight(b, "\r\n")
-	f, err := os.CreateTemp("", "*.yaml")
-	if err != nil {
-		return "", fmt.Errorf("unable to create temp dir for stdin")
-	}
-
-	defer f.Close()
-
-	if _, err := f.Write(b); err != nil {
-		return "", fmt.Errorf("error writing stdin to file: %w", err)
-	}
-
-	return f.Name(), nil
-}

cmd/flux/build_artifact_test.go

@@ -1,70 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"os"
-	"strings"
-	"testing"
-
-	. "github.com/onsi/gomega"
-)
-
-func Test_saveReaderToFile(t *testing.T) {
-	g := NewWithT(t)
-
-	testString := `apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: myapp
-data:
-  foo: bar`
-
-	tests := []struct {
-		name      string
-		string    string
-		expectErr bool
-	}{
-		{
-			name:   "yaml",
-			string: testString,
-		},
-		{
-			name:   "yaml with carriage return",
-			string: testString + "\r\n",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			tmpFile, err := saveReaderToFile(strings.NewReader(tt.string))
-			g.Expect(err).To(BeNil())
-
-			t.Cleanup(func() { _ = os.Remove(tmpFile) })
-
-			b, err := os.ReadFile(tmpFile)
-			if tt.expectErr {
-				g.Expect(err).To(Not(BeNil()))
-				return
-			}
-
-			g.Expect(err).To(BeNil())
-			g.Expect(string(b)).To(BeEquivalentTo(testString))
-		})
-
-	}
-}

cmd/flux/build_kustomization.go

@@ -23,10 +23,8 @@ import (
 
 	"github.com/spf13/cobra"
 
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	"github.com/fluxcd/flux2/internal/build"
-	ssautil "github.com/fluxcd/pkg/ssa/utils"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-
-	"github.com/fluxcd/flux2/v2/internal/build"
 )
 
 var buildKsCmd = &cobra.Command{
@@ -42,23 +40,7 @@ It is possible to specify a Flux kustomization file using --kustomization-file.`
 flux build kustomization my-app --path ./path/to/local/manifests
 
 # Build using a local flux kustomization file
-flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml
+flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml`,
-
-# Build in dry-run mode without connecting to the cluster.
-# Note that variable substitutions from Secrets and ConfigMaps are skipped in dry-run mode.
-flux build kustomization my-app --path ./path/to/local/manifests \
-	--kustomization-file ./path/to/local/my-app.yaml \
-	--dry-run
-
-# Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
-flux build kustomization my-app --path ./path/to/local/manifests \
-	--kustomization-file ./path/to/local/my-app.yaml \
-	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"
-
-# Run recursively on all encountered Kustomizations
-flux build kustomization my-app --path ./path/to/local/manifests \
-	--recursive \
-	--local-sources GitRepository/flux-system/my-repo=./path/to/local/git`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              buildKsCmdRun,
 }
@@ -66,11 +48,6 @@ flux build kustomization my-app --path ./path/to/local/manifests \
 type buildKsFlags struct {
 	kustomizationFile string
 	path              string
-	ignorePaths       []string
-	dryRun            bool
-	strictSubst       bool
-	recursive         bool
-	localSources      map[string]string
 }
 
 var buildKsArgs buildKsFlags
@@ -78,16 +55,10 @@ var buildKsArgs buildKsFlags
 func init() {
 	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.")
 	buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
-	buildKsCmd.Flags().StringSliceVar(&buildKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
-	buildKsCmd.Flags().BoolVar(&buildKsArgs.dryRun, "dry-run", false, "Dry run mode.")
-	buildKsCmd.Flags().BoolVar(&buildKsArgs.strictSubst, "strict-substitute", false,
-		"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
-	buildKsCmd.Flags().BoolVarP(&buildKsArgs.recursive, "recursive", "r", false, "Recursively build Kustomizations")
-	buildKsCmd.Flags().StringToStringVar(&buildKsArgs.localSources, "local-sources", nil, "Comma-separated list of repositories in format: Kind/namespace/name=path")
 	buildCmd.AddCommand(buildKsCmd)
 }
 
-func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
+func buildKsCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("%s name is required", kustomizationType.humanKind)
 	}
@@ -101,40 +72,13 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
 	}
 
-	if buildKsArgs.dryRun && buildKsArgs.kustomizationFile == "" {
-		return fmt.Errorf("dry-run mode requires a kustomization file")
-	}
-
 	if buildKsArgs.kustomizationFile != "" {
 		if fs, err := os.Stat(buildKsArgs.kustomizationFile); os.IsNotExist(err) || fs.IsDir() {
 			return fmt.Errorf("invalid kustomization file %q", buildKsArgs.kustomizationFile)
 		}
 	}
 
-	var builder *build.Builder
+	builder, err := build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, buildKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(buildKsArgs.kustomizationFile))
-	if buildKsArgs.dryRun {
-		builder, err = build.NewBuilder(name, buildKsArgs.path,
-			build.WithTimeout(rootArgs.timeout),
-			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
-			build.WithDryRun(buildKsArgs.dryRun),
-			build.WithNamespace(*kubeconfigArgs.Namespace),
-			build.WithIgnore(buildKsArgs.ignorePaths),
-			build.WithStrictSubstitute(buildKsArgs.strictSubst),
-			build.WithRecursive(buildKsArgs.recursive),
-			build.WithLocalSources(buildKsArgs.localSources),
-		)
-	} else {
-		builder, err = build.NewBuilder(name, buildKsArgs.path,
-			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
-			build.WithTimeout(rootArgs.timeout),
-			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
-			build.WithIgnore(buildKsArgs.ignorePaths),
-			build.WithStrictSubstitute(buildKsArgs.strictSubst),
-			build.WithRecursive(buildKsArgs.recursive),
-			build.WithLocalSources(buildKsArgs.localSources),
-		)
-	}
-
 	if err != nil {
 		return err
 	}
@@ -145,17 +89,12 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 
 	errChan := make(chan error)
 	go func() {
-		objects, err := builder.Build()
+		manifests, err := builder.Build()
-		if err != nil {
-			errChan <- err
-		}
-
-		manifests, err := ssautil.ObjectsToYAML(objects)
 		if err != nil {
 			errChan <- err
 		}
 
-		cmd.Print(manifests)
+		cmd.Print(string(manifests))
 		errChan <- nil
 	}()
 

cmd/flux/build_kustomization_test.go

@@ -22,7 +22,6 @@ package main
 import (
 	"bytes"
 	"os"
-	"path/filepath"
 	"testing"
 	"text/template"
 )
@@ -64,18 +63,6 @@ func TestBuildKustomization(t *testing.T) {
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
-		{
-			name:       "build ignore",
-			args:       "build kustomization podinfo --path ./testdata/build-kustomization/ignore --ignore-paths \"!configmap.yaml,!secret.yaml\"",
-			resultFile: "./testdata/build-kustomization/podinfo-with-ignore-result.yaml",
-			assertFunc: "assertGoldenTemplateFile",
-		},
-		{
-			name:       "build with recursive",
-			args:       "build kustomization podinfo --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
-			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
-			assertFunc: "assertGoldenTemplateFile",
-		},
 	}
 
 	tmpl := map[string]string{
@@ -105,7 +92,7 @@ func TestBuildKustomization(t *testing.T) {
 }
 
 func TestBuildLocalKustomization(t *testing.T) {
-	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1
+	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
 kind: Kustomization
 metadata:
   name: podinfo
@@ -125,8 +112,6 @@ spec:
       cluster_region: "eu-central-1"
 `
 
-	tmpFile := filepath.Join(t.TempDir(), "podinfo.yaml")
-
 	tests := []struct {
 		name       string
 		args       string
@@ -141,46 +126,29 @@ spec:
 		},
 		{
 			name:       "build podinfo",
-			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/podinfo",
 			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build podinfo without service",
-			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/delete-service",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/delete-service",
 			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build deployment and configmap with var substitution",
-			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/var-substitution",
-			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
-			assertFunc: "assertGoldenTemplateFile",
-		},
-		{
-			name:       "build deployment and configmap with var substitution in dry-run mode",
-			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution --dry-run",
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
-		{
-			name:       "build with recursive",
-			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
-			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
-			assertFunc: "assertGoldenTemplateFile",
-		},
-		{
-			name:       "build with recursive in dry-run mode",
-			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --dry-run",
-			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
-			assertFunc: "assertGoldenTemplateFile",
-		},
 	}
 
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
-	setup(t, tmpl)
+
+	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
 
 	temp, err := template.New("podinfo").Parse(podinfo)
 	if err != nil {
@@ -193,11 +161,13 @@ spec:
 		t.Fatal(err)
 	}
 
-	err = os.WriteFile(tmpFile, b.Bytes(), 0666)
+	err = os.WriteFile("./testdata/build-kustomization/podinfo.yaml", b.Bytes(), 0666)
 	if err != nil {
 		t.Fatal(err)
 	}
 
+	defer os.Remove("./testdata/build-kustomization/podinfo.yaml")
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var assert assertFunc

cmd/flux/check.go

@@ -18,32 +18,28 @@ package main
 
 import (
 	"context"
-	"fmt"
 	"os"
 	"time"
 
 	"github.com/Masterminds/semver/v3"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/api/apps/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/pkg/version"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/v2/pkg/status"
+	"github.com/fluxcd/flux2/pkg/status"
 )
 
 var checkCmd = &cobra.Command{
 	Use:   "check",
-	Args:  cobra.NoArgs,
 	Short: "Check requirements and installation",
-	Long: withPreviewNote(`The check command will perform a series of checks to validate that
+	Long: `The check command will perform a series of checks to validate that
-the local environment is configured correctly and if the installed components are healthy.`),
+the local environment is configured correctly and if the installed components are healthy.`,
 	Example: `  # Run pre-installation checks
   flux check --pre
 
@@ -60,7 +56,7 @@ type checkFlags struct {
 }
 
 var kubernetesConstraints = []string{
-	">=1.30.0-0",
+	">=1.20.6-0",
 }
 
 var checkArgs checkFlags
@@ -83,20 +79,7 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 
 	fluxCheck()
 
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	if !kubernetesCheck(kubernetesConstraints) {
-	defer cancel()
-
-	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return fmt.Errorf("Kubernetes client initialization failed: %s", err.Error())
-	}
-
-	kubeClient, err := client.New(cfg, client.Options{Scheme: utils.NewScheme()})
-	if err != nil {
-		return err
-	}
-
-	if !kubernetesCheck(cfg, kubernetesConstraints) {
 		checkFailed = true
 	}
 
@@ -108,26 +91,13 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	logger.Actionf("checking version in cluster")
-	if !fluxClusterVersionCheck(ctx, kubeClient) {
-		checkFailed = true
-	}
-
 	logger.Actionf("checking controllers")
-	if !componentsCheck(ctx, kubeClient) {
+	if !componentsCheck() {
 		checkFailed = true
 	}
-
-	logger.Actionf("checking crds")
-	if !crdsCheck(ctx, kubeClient) {
-		checkFailed = true
-	}
-
 	if checkFailed {
-		logger.Failuref("check failed")
 		os.Exit(1)
 	}
-
 	logger.Successf("all checks passed")
 	return nil
 }
@@ -150,11 +120,17 @@ func fluxCheck() {
 		return
 	}
 	if latestSv.GreaterThan(curSv) {
-		logger.Failuref("flux %s <%s (new CLI version is available, please upgrade)", curSv, latestSv)
+		logger.Failuref("flux %s <%s (new version is available, please upgrade)", curSv, latestSv)
 	}
 }
 
-func kubernetesCheck(cfg *rest.Config, constraints []string) bool {
+func kubernetesCheck(constraints []string) bool {
+	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
+		return false
+	}
+
 	clientSet, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
@@ -193,8 +169,21 @@ func kubernetesCheck(cfg *rest.Config, constraints []string) bool {
 	return true
 }
 
-func componentsCheck(ctx context.Context, kubeClient client.Client) bool {
+func componentsCheck() bool {
-	statusChecker, err := status.NewStatusCheckerWithClient(kubeClient, checkArgs.pollInterval, rootArgs.timeout, logger)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeConfig, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return false
+	}
+
+	statusChecker, err := status.NewStatusChecker(kubeConfig, checkArgs.pollInterval, rootArgs.timeout, logger)
+	if err != nil {
+		return false
+	}
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return false
 	}
@@ -202,14 +191,7 @@ func componentsCheck(ctx context.Context, kubeClient client.Client) bool {
 	ok := true
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list v1.DeploymentList
-	ns := *kubeconfigArgs.Namespace
+	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
-	if err := kubeClient.List(ctx, &list, client.InNamespace(ns), selector); err == nil {
-		if len(list.Items) == 0 {
-			logger.Failuref("no controllers found in the '%s' namespace with the label selector '%s=%s'",
-				ns, manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
-			return false
-		}
-
 		for _, d := range list.Items {
 			if ref, err := buildComponentObjectRefs(d.Name); err == nil {
 				if err := statusChecker.Assess(ref...); err != nil {
@@ -223,41 +205,3 @@ func componentsCheck(ctx context.Context, kubeClient client.Client) bool {
 	}
 	return ok
 }
-
-func crdsCheck(ctx context.Context, kubeClient client.Client) bool {
-	ok := true
-	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
-	var list apiextensionsv1.CustomResourceDefinitionList
-	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
-		if len(list.Items) == 0 {
-			logger.Failuref("no crds found with the label selector '%s=%s'",
-				manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
-			return false
-		}
-
-		for _, crd := range list.Items {
-			versions := crd.Status.StoredVersions
-			if len(versions) > 0 {
-				logger.Successf(crd.Name + "/" + versions[len(versions)-1])
-			} else {
-				ok = false
-				logger.Failuref("no stored versions for %s", crd.Name)
-			}
-		}
-	}
-	return ok
-}
-
-func fluxClusterVersionCheck(ctx context.Context, kubeClient client.Client) bool {
-	clusterInfo, err := getFluxClusterInfo(ctx, kubeClient)
-	if err != nil {
-		logger.Failuref("checking failed: %s", err.Error())
-		return false
-	}
-
-	if clusterInfo.distribution() != "" {
-		logger.Successf("distribution: %s", clusterInfo.distribution())
-	}
-	logger.Successf("bootstrapped: %t", clusterInfo.bootstrapped)
-	return true
-}

cmd/flux/check_test.go

@@ -25,7 +25,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
 )
 
 func TestCheckPre(t *testing.T) {

cmd/flux/cluster_info.go

@@ -1,126 +0,0 @@
-/*
-Copyright 2023 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/manifoldco/promptui"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
-)
-
-// bootstrapLabels are labels put on a resource by kustomize-controller. These labels on the CRD indicates
-// that flux has been bootstrapped.
-var bootstrapLabels = []string{
-	fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group),
-	fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group),
-}
-
-// fluxClusterInfo contains information about an existing flux installation on a cluster.
-type fluxClusterInfo struct {
-	// bootstrapped indicates that Flux was installed using the `flux bootstrap` command.
-	bootstrapped bool
-	// managedBy is the name of the tool being used to manage the installation of Flux.
-	managedBy string
-	// partOf indicates which distribution the instance is a part of.
-	partOf string
-	// version is the Flux version number in semver format.
-	version string
-}
-
-// getFluxClusterInfo returns information on the Flux installation running on the cluster.
-// If an error occurred, the returned error will be non-nil.
-//
-// This function retrieves the GitRepository CRD from the cluster and checks it
-// for a set of labels used to determine the Flux version and how Flux was installed.
-// It returns the NotFound error from the underlying library if it was unable to find
-// the GitRepository CRD and this can be used to check if Flux is installed.
-func getFluxClusterInfo(ctx context.Context, c client.Client) (fluxClusterInfo, error) {
-	var info fluxClusterInfo
-	crdMetadata := &metav1.PartialObjectMetadata{
-		TypeMeta: metav1.TypeMeta{
-			APIVersion: apiextensionsv1.SchemeGroupVersion.String(),
-			Kind:       "CustomResourceDefinition",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name: fmt.Sprintf("gitrepositories.%s", sourcev1.GroupVersion.Group),
-		},
-	}
-	if err := c.Get(ctx, client.ObjectKeyFromObject(crdMetadata), crdMetadata); err != nil {
-		return info, err
-	}
-
-	info.version = crdMetadata.Labels[manifestgen.VersionLabelKey]
-
-	var present bool
-	for _, l := range bootstrapLabels {
-		_, present = crdMetadata.Labels[l]
-	}
-	if present {
-		info.bootstrapped = true
-	}
-
-	// the `app.kubernetes.io/managed-by` label is not set by flux but might be set by other
-	// tools used to install Flux e.g Helm.
-	if manager, ok := crdMetadata.Labels["app.kubernetes.io/managed-by"]; ok {
-		info.managedBy = manager
-	}
-
-	if partOf, ok := crdMetadata.Labels[manifestgen.PartOfLabelKey]; ok {
-		info.partOf = partOf
-	}
-	return info, nil
-}
-
-// confirmFluxInstallOverride displays a prompt to the user so that they can confirm before overriding
-// a Flux installation. It returns nil if the installation should continue,
-// promptui.ErrAbort if the user doesn't confirm, or an error encountered.
-func confirmFluxInstallOverride(info fluxClusterInfo) error {
-	// no need to display prompt if installation is managed by Flux
-	if installManagedByFlux(info.managedBy) {
-		return nil
-	}
-
-	display := fmt.Sprintf("Flux %s has been installed on this cluster with %s!", info.version, info.managedBy)
-	fmt.Fprintln(rootCmd.ErrOrStderr(), display)
-	prompt := promptui.Prompt{
-		Label:     fmt.Sprintf("Are you sure you want to override the %s installation? Y/N", info.managedBy),
-		IsConfirm: true,
-	}
-	_, err := prompt.Run()
-	return err
-}
-
-func (info fluxClusterInfo) distribution() string {
-	distribution := info.version
-	if info.partOf != "" {
-		distribution = fmt.Sprintf("%s-%s", info.partOf, info.version)
-	}
-	return distribution
-}
-
-func installManagedByFlux(manager string) bool {
-	return manager == "" || manager == "flux"
-}

cmd/flux/cluster_info_test.go

@@ -1,141 +0,0 @@
-/*
-Copyright 2023 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"testing"
-
-	. "github.com/onsi/gomega"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
-	ssautil "github.com/fluxcd/pkg/ssa/utils"
-)
-
-func Test_getFluxClusterInfo(t *testing.T) {
-	g := NewWithT(t)
-	f, err := os.Open("./testdata/cluster_info/gitrepositories.yaml")
-	g.Expect(err).To(BeNil())
-
-	objs, err := ssautil.ReadObjects(f)
-	g.Expect(err).To(Not(HaveOccurred()))
-	gitrepo := objs[0]
-
-	tests := []struct {
-		name     string
-		labels   map[string]string
-		wantErr  bool
-		wantInfo fluxClusterInfo
-	}{
-		{
-			name:    "no git repository CRD present",
-			wantErr: true,
-		},
-		{
-			name: "CRD with kustomize-controller labels",
-			labels: map[string]string{
-				fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group):      "flux-system",
-				fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
-				"app.kubernetes.io/version":                                 "v2.1.0",
-			},
-			wantInfo: fluxClusterInfo{
-				version:      "v2.1.0",
-				bootstrapped: true,
-			},
-		},
-		{
-			name: "CRD with kustomize-controller labels and managed-by label",
-			labels: map[string]string{
-				fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group):      "flux-system",
-				fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
-				"app.kubernetes.io/version":                                 "v2.1.0",
-				"app.kubernetes.io/managed-by":                              "flux",
-			},
-			wantInfo: fluxClusterInfo{
-				version:      "v2.1.0",
-				bootstrapped: true,
-				managedBy:    "flux",
-			},
-		},
-		{
-			name: "CRD with only managed-by label",
-			labels: map[string]string{
-				"app.kubernetes.io/version":    "v2.1.0",
-				"app.kubernetes.io/managed-by": "helm",
-			},
-			wantInfo: fluxClusterInfo{
-				version:   "v2.1.0",
-				managedBy: "helm",
-			},
-		},
-		{
-			name:     "CRD with no labels",
-			labels:   map[string]string{},
-			wantInfo: fluxClusterInfo{},
-		},
-		{
-			name: "CRD with only version label",
-			labels: map[string]string{
-				"app.kubernetes.io/version": "v2.1.0",
-			},
-			wantInfo: fluxClusterInfo{
-				version: "v2.1.0",
-			},
-		},
-		{
-			name: "CRD with version and part-of labels",
-			labels: map[string]string{
-				"app.kubernetes.io/version": "v2.1.0",
-				"app.kubernetes.io/part-of": "flux",
-			},
-			wantInfo: fluxClusterInfo{
-				version: "v2.1.0",
-				partOf:  "flux",
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			g := NewWithT(t)
-			newscheme := runtime.NewScheme()
-			apiextensionsv1.AddToScheme(newscheme)
-			builder := fake.NewClientBuilder().WithScheme(newscheme)
-			if tt.labels != nil {
-				gitrepo.SetLabels(tt.labels)
-				builder = builder.WithRuntimeObjects(gitrepo)
-			}
-
-			client := builder.Build()
-			info, err := getFluxClusterInfo(context.Background(), client)
-			if tt.wantErr {
-				g.Expect(err).To(HaveOccurred())
-				g.Expect(errors.IsNotFound(err)).To(BeTrue())
-			} else {
-				g.Expect(err).To(Not(HaveOccurred()))
-			}
-
-			g.Expect(info).To(BeEquivalentTo(tt.wantInfo))
-		})
-	}
-}

cmd/flux/completion.go

@@ -20,7 +20,7 @@ import (
 	"context"
 	"strings"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,7 +31,7 @@ import (
 var completionCmd = &cobra.Command{
 	Use:   "completion",
 	Short: "Generates completion scripts for various shells",
-	Long:  `The completion sub-command generates completion scripts for various shells.`,
+	Long:  "The completion sub-command generates completion scripts for various shells",
 }
 
 func init() {

cmd/flux/completion_bash.go

@@ -25,7 +25,6 @@ import (
 var completionBashCmd = &cobra.Command{
 	Use:   "bash",
 	Short: "Generates bash completion scripts",
-	Long:  `The completion sub-command generates completion scripts for bash.`,
 	Example: `To load completion run
 
 . <(flux completion bash)

cmd/flux/completion_fish.go

@@ -25,7 +25,6 @@ import (
 var completionFishCmd = &cobra.Command{
 	Use:   "fish",
 	Short: "Generates fish completion scripts",
-	Long:  `The completion sub-command generates completion scripts for fish.`,
 	Example: `To configure your fish shell to load completions for each session write this script to your completions dir:
 
 flux completion fish > ~/.config/fish/completions/flux.fish

cmd/flux/completion_powershell.go

@@ -25,7 +25,6 @@ import (
 var completionPowerShellCmd = &cobra.Command{
 	Use:   "powershell",
 	Short: "Generates powershell completion scripts",
-	Long:  `The completion sub-command generates completion scripts for powershell.`,
 	Example: `To load completion run
 
 . <(flux completion powershell)
@@ -35,12 +34,12 @@ To configure your powershell shell to load completions for each session add to y
 Windows:
 
 cd "$env:USERPROFILE\Documents\WindowsPowerShell\Modules"
-flux completion powershell >> flux-completion.ps1
+flux completion >> flux-completion.ps1
 
 Linux:
 
 cd "${XDG_CONFIG_HOME:-"$HOME/.config/"}/powershell/modules"
-flux completion powershell >> flux-completions.ps1`,
+flux completion >> flux-completions.ps1`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenPowerShellCompletion(os.Stdout)
 	},

cmd/flux/completion_zsh.go

@@ -26,7 +26,6 @@ import (
 var completionZshCmd = &cobra.Command{
 	Use:   "zsh",
 	Short: "Generates zsh completion scripts",
-	Long:  `The completion sub-command generates completion scripts for zsh.`,
 	Example: `To load completion run
 
 . <(flux completion zsh)

cmd/flux/create.go

@@ -30,13 +30,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
 )
 
 var createCmd = &cobra.Command{
 	Use:   "create",
 	Short: "Create or update sources and resources",
-	Long:  `The create sub-commands generate sources and resources.`,
+	Long:  "The create sub-commands generate sources and resources.",
 }
 
 type createFlags struct {
@@ -79,12 +79,12 @@ type upsertable interface {
 // want to update. The mutate function is nullary -- you mutate a
 // value in the closure, e.g., by doing this:
 //
-//	var existing Value
+//     var existing Value
-//	existing.Name = name
+//     existing.Name = name
-//	existing.Namespace = ns
+//     existing.Namespace = ns
-//	upsert(ctx, client, valueAdapter{&value}, func() error {
+//     upsert(ctx, client, valueAdapter{&value}, func() error {
-//	  value.Spec = onePreparedEarlier
+//       value.Spec = onePreparedEarlier
-//	})
+//     })
 func (names apiType) upsert(ctx context.Context, kubeClient client.Client, object upsertable, mutate func() error) (types.NamespacedName, error) {
 	nsname := types.NamespacedName{
 		Namespace: object.GetNamespace(),
@@ -125,14 +125,14 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 	logger.Generatef("generating %s", names.kind)
 	logger.Actionf("applying %s", names.kind)
 
-	namespacedName, err := names.upsert(ctx, kubeClient, object, mutate)
+	namespacedName, err := imageRepositoryType.upsert(ctx, kubeClient, object, mutate)
 	if err != nil {
 		return err
 	}
 
 	logger.Waitingf("waiting for %s reconciliation", names.kind)
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isObjectReadyConditionFunc(kubeClient, namespacedName, object.asClientObject())); err != nil {
+		isReady(ctx, kubeClient, namespacedName, object)); err != nil {
 		return err
 	}
 	logger.Successf("%s reconciliation completed", names.kind)
@@ -165,6 +165,6 @@ func parseLabels() (map[string]string, error) {
 }
 
 func validateObjectName(name string) bool {
-	r := regexp.MustCompile(`^[a-z0-9]([a-z0-9\-]){0,61}[a-z0-9]$`)
+	r := regexp.MustCompile("^[a-z0-9]([a-z0-9\\-]){0,61}[a-z0-9]$")
 	return r.MatchString(name)
 }

cmd/flux/create_alert.go

@@ -22,22 +22,22 @@ import (
 
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
-	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	"github.com/fluxcd/pkg/apis/meta"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
 )
 
 var createAlertCmd = &cobra.Command{
 	Use:   "alert [name]",
 	Short: "Create or update a Alert resource",
-	Long:  withPreviewNote(`The create alert command generates a Alert resource.`),
+	Long:  "The create alert command generates a Alert resource.",
 	Example: `  # Create an Alert for kustomization events
   flux create alert \
   --event-severity info \
@@ -96,13 +96,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating Alert")
 	}
 
-	alert := notificationv1b3.Alert{
+	alert := notificationv1.Alert{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: notificationv1b3.AlertSpec{
+		Spec: notificationv1.AlertSpec{
 			ProviderRef: meta.LocalObjectReference{
 				Name: alertArgs.providerRef,
 			},
@@ -131,8 +131,8 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for Alert reconciliation")
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isStaticObjectReadyConditionFunc(kubeClient, namespacedName, &alert)); err != nil {
+		isAlertReady(ctx, kubeClient, namespacedName, &alert)); err != nil {
 		return err
 	}
 	logger.Successf("Alert %s is ready", name)
@@ -140,13 +140,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 }
 
 func upsertAlert(ctx context.Context, kubeClient client.Client,
-	alert *notificationv1b3.Alert) (types.NamespacedName, error) {
+	alert *notificationv1.Alert) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: alert.GetNamespace(),
 		Name:      alert.GetName(),
 	}
 
-	var existing notificationv1b3.Alert
+	var existing notificationv1.Alert
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -169,3 +169,23 @@ func upsertAlert(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Alert updated")
 	return namespacedName, nil
 }
+
+func isAlertReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, alert *notificationv1.Alert) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, alert)
+		if err != nil {
+			return false, err
+		}
+
+		if c := apimeta.FindStatusCondition(alert.Status.Conditions, meta.ReadyCondition); c != nil {
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/create_alertprovider.go

@@ -22,21 +22,22 @@ import (
 
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
 )
 
 var createAlertProviderCmd = &cobra.Command{
 	Use:   "alert-provider [name]",
 	Short: "Create or update a Provider resource",
-	Long:  withPreviewNote(`The create alert-provider command generates a Provider resource.`),
+	Long:  "The create alert-provider command generates a Provider resource.",
 	Example: `  # Create a Provider for a Slack channel
   flux create alert-provider slack \
   --type slack \
@@ -126,8 +127,8 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for Provider reconciliation")
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isStaticObjectReadyConditionFunc(kubeClient, namespacedName, &provider)); err != nil {
+		isAlertProviderReady(ctx, kubeClient, namespacedName, &provider)); err != nil {
 		return err
 	}
 
@@ -166,3 +167,23 @@ func upsertAlertProvider(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Provider updated")
 	return namespacedName, nil
 }
+
+func isAlertProviderReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, provider *notificationv1.Provider) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, provider)
+		if err != nil {
+			return false, err
+		}
+
+		if c := apimeta.FindStatusCondition(provider.Status.Conditions, meta.ReadyCondition); c != nil {
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/create_helmrelease.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2024 The Flux authors
+Copyright 2020 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -21,33 +21,31 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
-	"strings"
 	"time"
 
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/transform"
+
 	"github.com/spf13/cobra"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 
-	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/transform"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
-
-	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 
 var createHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Create or update a HelmRelease resource",
-	Long:    `The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.`,
+	Long:    "The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.",
 	Example: `  # Create a HelmRelease with a chart from a HelmRepository source
   flux create hr podinfo \
     --interval=10m \
@@ -84,9 +82,9 @@ var createHelmReleaseCmd = &cobra.Command{
 
   # Create a HelmRelease with a custom release name
   flux create hr podinfo \
-    --release-name=podinfo-dev \
+    --release-name=podinfo-dev
     --source=HelmRepository/podinfo \
-    --chart=podinfo
+    --chart=podinfo \
 
   # Create a HelmRelease targeting another namespace than the resource
   flux create hr podinfo \
@@ -106,17 +104,7 @@ var createHelmReleaseCmd = &cobra.Command{
     --source=HelmRepository/podinfo \
     --chart=podinfo \
     --values=./values.yaml \
-    --export > podinfo-release.yaml
+    --export > podinfo-release.yaml`,
-		
-  # Create a HelmRelease using a chart from a HelmChart resource
-  flux create hr podinfo \
-    --namespace=default \
-    --chart-ref=HelmChart/podinfo.flux-system \
-
-  # Create a HelmRelease using a chart from an OCIRepository resource
-  flux create hr podinfo \
-    --namespace=default \
-    --chart-ref=OCIRepository/podinfo.flux-system`,
 	RunE: createHelmReleaseCmdRun,
 }
 
@@ -126,11 +114,10 @@ type helmReleaseFlags struct {
 	dependsOn           []string
 	chart               string
 	chartVersion        string
-	chartRef            string
 	targetNamespace     string
 	createNamespace     bool
 	valuesFiles         []string
-	valuesFrom          []string
+	valuesFrom          flags.HelmReleaseValuesFrom
 	saName              string
 	crds                flags.CRDsPolicy
 	reconcileStrategy   string
@@ -140,10 +127,6 @@ type helmReleaseFlags struct {
 
 var helmReleaseArgs helmReleaseFlags
 
-var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}
-
-var supportedHelmReleaseReferenceKinds = []string{sourcev1b2.OCIRepositoryKind, sourcev1.HelmChartKind}
-
 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.source, "source", helmReleaseArgs.source.Description())
@@ -156,18 +139,17 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart created by the helm release(accepted values: Revision and ChartRevision)")
 	createHelmReleaseCmd.Flags().DurationVarP(&helmReleaseArgs.chartInterval, "chart-interval", "", 0, "the interval of which to check for new chart versions")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
-	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFrom, "values-from", nil, "a Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>', where kind must be one of: (Secret,ConfigMap)")
+	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.valuesFrom, "values-from", helmReleaseArgs.valuesFrom.Description())
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.crds, "crds", helmReleaseArgs.crds.Description())
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
-	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartRef, "chart-ref", "", "the name of the HelmChart resource to use as source for the HelmRelease, in the format '<kind>/<name>.<namespace>', where kind must be one of: (OCIRepository,HelmChart)")
 	createCmd.AddCommand(createHelmReleaseCmd)
 }
 
 func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 
-	if helmReleaseArgs.chart == "" && helmReleaseArgs.chartRef == "" {
+	if helmReleaseArgs.chart == "" {
-		return fmt.Errorf("chart or chart-ref is required")
+		return fmt.Errorf("chart name or path is required")
 	}
 
 	sourceLabels, err := parseLabels()
@@ -197,50 +179,37 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 				Duration: createArgs.interval,
 			},
 			TargetNamespace: helmReleaseArgs.targetNamespace,
-			Suspend:         false,
-		},
-	}
 
-	switch {
+			Chart: helmv2.HelmChartTemplate{
-	case helmReleaseArgs.chart != "":
+				Spec: helmv2.HelmChartTemplateSpec{
-		helmRelease.Spec.Chart = &helmv2.HelmChartTemplate{
+					Chart:   helmReleaseArgs.chart,
-			Spec: helmv2.HelmChartTemplateSpec{
+					Version: helmReleaseArgs.chartVersion,
-				Chart:   helmReleaseArgs.chart,
+					SourceRef: helmv2.CrossNamespaceObjectReference{
-				Version: helmReleaseArgs.chartVersion,
+						Kind:      helmReleaseArgs.source.Kind,
-				SourceRef: helmv2.CrossNamespaceObjectReference{
+						Name:      helmReleaseArgs.source.Name,
-					Kind:      helmReleaseArgs.source.Kind,
+						Namespace: helmReleaseArgs.source.Namespace,
-					Name:      helmReleaseArgs.source.Name,
+					},
-					Namespace: helmReleaseArgs.source.Namespace,
+					ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
 				},
-				ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
 			},
-		}
+			Suspend: false,
-		if helmReleaseArgs.chartInterval != 0 {
+		},
-			helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
-				Duration: helmReleaseArgs.chartInterval,
-			}
-		}
-	case helmReleaseArgs.chartRef != "":
-		kind, name, ns := utils.ParseObjectKindNameNamespace(helmReleaseArgs.chartRef)
-		if kind != sourcev1.HelmChartKind && kind != sourcev1b2.OCIRepositoryKind {
-			return fmt.Errorf("chart reference kind '%s' is not supported, must be one of: %s",
-				kind, strings.Join(supportedHelmReleaseReferenceKinds, ", "))
-		}
-		helmRelease.Spec.ChartRef = &helmv2.CrossNamespaceSourceReference{
-			Kind:      kind,
-			Name:      name,
-			Namespace: ns,
-		}
 	}
 
 	if helmReleaseArgs.kubeConfigSecretRef != "" {
-		helmRelease.Spec.KubeConfig = &meta.KubeConfigReference{
+		helmRelease.Spec.KubeConfig = &helmv2.KubeConfig{
 			SecretRef: meta.SecretKeyReference{
 				Name: helmReleaseArgs.kubeConfigSecretRef,
 			},
 		}
 	}
 
+	if helmReleaseArgs.chartInterval != 0 {
+		helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
+			Duration: helmReleaseArgs.chartInterval,
+		}
+	}
+
 	if helmReleaseArgs.createNamespace {
 		if helmRelease.Spec.Install == nil {
 			helmRelease.Spec.Install = &helmv2.Install{}
@@ -291,25 +260,11 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: jsonRaw}
 	}
 
-	if len(helmReleaseArgs.valuesFrom) != 0 {
+	if helmReleaseArgs.valuesFrom.String() != "" {
-		values := []helmv2.ValuesReference{}
+		helmRelease.Spec.ValuesFrom = []helmv2.ValuesReference{{
-		for _, value := range helmReleaseArgs.valuesFrom {
+			Kind: helmReleaseArgs.valuesFrom.Kind,
-			sourceKind, sourceName := utils.ParseObjectKindName(value)
+			Name: helmReleaseArgs.valuesFrom.Name,
-			if sourceKind == "" {
+		}}
-				return fmt.Errorf("invalid Kubernetes object reference '%s', must be in format <kind>/<name>", value)
-			}
-			cleanSourceKind, ok := utils.ContainsEqualFoldItemString(supportedHelmReleaseValuesFromKinds, sourceKind)
-			if !ok {
-				return fmt.Errorf("reference kind '%s' is not supported, must be one of: %s",
-					sourceKind, strings.Join(supportedHelmReleaseValuesFromKinds, ", "))
-			}
-
-			values = append(values, helmv2.ValuesReference{
-				Name: sourceName,
-				Kind: cleanSourceKind,
-			})
-		}
-		helmRelease.Spec.ValuesFrom = values
 	}
 
 	if createArgs.export {
@@ -331,13 +286,13 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for HelmRelease reconciliation")
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isObjectReadyConditionFunc(kubeClient, namespacedName, &helmRelease)); err != nil {
+		isHelmReleaseReady(ctx, kubeClient, namespacedName, &helmRelease)); err != nil {
 		return err
 	}
 	logger.Successf("HelmRelease %s is ready", name)
 
-	logger.Successf("applied revision %s", getHelmReleaseRevision(helmRelease))
+	logger.Successf("applied revision %s", helmRelease.Status.LastAppliedRevision)
 	return nil
 }
 
@@ -372,6 +327,23 @@ func upsertHelmRelease(ctx context.Context, kubeClient client.Client,
 	return namespacedName, nil
 }
 
+func isHelmReleaseReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, helmRelease *helmv2.HelmRelease) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, helmRelease)
+		if err != nil {
+			return false, err
+		}
+
+		// Confirm the state we are observing is for the current generation
+		if helmRelease.Generation != helmRelease.Status.ObservedGeneration {
+			return false, nil
+		}
+
+		return apimeta.IsStatusConditionTrue(helmRelease.Status.Conditions, meta.ReadyCondition), nil
+	}
+}
+
 func validateStrategy(input string) bool {
 	allowedStrategy := []string{"Revision", "ChartVersion"}
 

cmd/flux/create_helmrelease_test.go

@@ -1,86 +0,0 @@
-//go:build unit
-// +build unit
-
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import "testing"
-
-func TestCreateHelmRelease(t *testing.T) {
-	tmpl := map[string]string{
-		"fluxns": allocateNamespace("flux-system"),
-	}
-	setupHRSource(t, tmpl)
-
-	tests := []struct {
-		name   string
-		args   string
-		assert assertFunc
-	}{
-		{
-			name:   "missing name",
-			args:   "create helmrelease --export",
-			assert: assertError("name is required"),
-		},
-		{
-			name:   "missing chart template and chartRef",
-			args:   "create helmrelease podinfo --export",
-			assert: assertError("chart or chart-ref is required"),
-		},
-		{
-			name:   "unknown source kind",
-			args:   "create helmrelease podinfo --source foobar/podinfo --chart podinfo --export",
-			assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
-		},
-		{
-			name:   "unknown chart reference kind",
-			args:   "create helmrelease podinfo --chart-ref foobar/podinfo --export",
-			assert: assertError(`chart reference kind 'foobar' is not supported, must be one of: OCIRepository, HelmChart`),
-		},
-		{
-			name:   "basic helmrelease",
-			args:   "create helmrelease podinfo --source Helmrepository/podinfo --chart podinfo --interval=1m0s --export",
-			assert: assertGoldenTemplateFile("testdata/create_hr/basic.yaml", tmpl),
-		},
-		{
-			name:   "chart with OCIRepository source",
-			args:   "create helmrelease podinfo --chart-ref OCIRepository/podinfo --interval=1m0s --export",
-			assert: assertGoldenTemplateFile("testdata/create_hr/or_basic.yaml", tmpl),
-		},
-		{
-			name:   "chart with HelmChart source",
-			args:   "create helmrelease podinfo --chart-ref HelmChart/podinfo --interval=1m0s --export",
-			assert: assertGoldenTemplateFile("testdata/create_hr/hc_basic.yaml", tmpl),
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cmd := cmdTestCase{
-				args:   tt.args + " -n " + tmpl["fluxns"],
-				assert: tt.assert,
-			}
-			cmd.runTestCmd(t)
-		})
-	}
-}
-
-func setupHRSource(t *testing.T, tmpl map[string]string) {
-	t.Helper()
-	testEnv.CreateObjectFile("./testdata/create_hr/setup-source.yaml", tmpl, t)
-}

cmd/flux/create_image.go

@@ -20,12 +20,14 @@ import (
 	"github.com/spf13/cobra"
 )
 
+const createImageLong = `The create image sub-commands work with image automation objects; that is,
+object controlling updates to git based on e.g., new container images
+being available.`
+
 var createImageCmd = &cobra.Command{
 	Use:   "image",
 	Short: "Create or update resources dealing with image automation",
-	Long: `The create image sub-commands work with image automation objects;
+	Long:  createImageLong,
-that is, object controlling updates to git based on e.g., new container images
-being available.`,
 }
 
 func init() {

cmd/flux/create_image_policy.go

@@ -28,18 +28,18 @@ import (
 
 	"github.com/fluxcd/pkg/apis/meta"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var createImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Create or update an ImagePolicy object",
-	Long: withPreviewNote(`The create image policy command generates an ImagePolicy resource.
+	Long: `The create image policy command generates an ImagePolicy resource.
 An ImagePolicy object calculates a "latest image" given an image
 repository and a policy, e.g., semver.
 
 The image that sorts highest according to the policy is recorded in
-the status of the object.`),
+the status of the object.`,
 	Example: `  # Create an ImagePolicy to select the latest stable release
   flux create image policy podinfo \
     --image-ref=podinfo \
@@ -54,12 +54,13 @@ the status of the object.`),
 	RunE: createImagePolicyRun}
 
 type imagePolicyFlags struct {
-	imageRef      string
+	imageRef        string
-	semver        string
+	semver          string
-	alpha         string
+	alpha           string
-	numeric       string
+	numeric         string
-	filterRegex   string
+	filterRegex     string
-	filterExtract string
+	filterExtract   string
+	filterNumerical string
 }
 
 var imagePolicyArgs = imagePolicyFlags{}
@@ -182,6 +183,7 @@ func validateExtractStr(template string, capNames []string) error {
 		name, num, rest, ok := extract(template)
 		if !ok {
 			// Malformed extract string, assume user didn't want this
+			template = template[1:]
 			return fmt.Errorf("--filter-extract is malformed")
 		}
 		template = rest

cmd/flux/create_image_repository.go

@@ -26,14 +26,14 @@ import (
 
 	"github.com/fluxcd/pkg/apis/meta"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var createImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Create or update an ImageRepository object",
-	Long: withPreviewNote(`The create image repository command generates an ImageRepository resource.
+	Long: `The create image repository command generates an ImageRepository resource.
-An ImageRepository object specifies an image repository to scan.`),
+An ImageRepository object specifies an image repository to scan.`,
 	Example: `  # Create an ImageRepository object to scan the alpine image repository:
   flux create image repository alpine-repo --image alpine --interval 20m
 

cmd/flux/create_image_update.go

@@ -22,16 +22,16 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Create or update an ImageUpdateAutomation object",
-	Long: withPreviewNote(`The create image update command generates an ImageUpdateAutomation resource.
+	Long: `The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
-mentioned in YAMLs in a git repository.`),
+mentioned in YAMLs in a git repository.`,
 	Example: `  # Configure image updates for the main repository created by flux bootstrap
   flux create image update flux-system \
     --git-repo-ref=flux-system \

cmd/flux/create_kustomization.go

@@ -24,24 +24,25 @@ import (
 
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 
-	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
 )
 
 var createKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Create or update a Kustomization resource",
-	Long:    `The create command generates a Kustomization resource for a given source.`,
+	Long:    "The create command generates a Kustomization resource for a given source.",
 	Example: `  # Create a Kustomization resource from a source at a given path
   flux create kustomization kyverno \
     --source=GitRepository/kyverno \
@@ -67,13 +68,6 @@ var createKsCmd = &cobra.Command{
     --prune=true \
     --interval=5m
 
-  # Create a Kustomization resource that references an OCIRepository
-  flux create kustomization podinfo \
-    --source=OCIRepository/podinfo \
-    --target-namespace=default \
-    --prune=true \
-    --interval=5m
-
   # Create a Kustomization resource that references a Bucket
   flux create kustomization secrets \
     --source=Bucket/secrets \
@@ -96,7 +90,6 @@ type kustomizationFlags struct {
 	targetNamespace     string
 	wait                bool
 	kubeConfigSecretRef string
-	retryInterval       time.Duration
 }
 
 var kustomizationArgs = NewKustomizationFlags()
@@ -116,7 +109,6 @@ func init() {
 	createKsCmd.Flags().StringVar(&kustomizationArgs.targetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createKsCmd.Flags().MarkDeprecated("validation", "this arg is no longer used, all resources are validated using server-side apply dry-run")
-	createKsCmd.Flags().DurationVar(&kustomizationArgs.retryInterval, "retry-interval", 0, "the interval at which to retry a previously failed reconciliation")
 
 	createCmd.AddCommand(createKsCmd)
 }
@@ -170,7 +162,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	if kustomizationArgs.kubeConfigSecretRef != "" {
-		kustomization.Spec.KubeConfig = &meta.KubeConfigReference{
+		kustomization.Spec.KubeConfig = &kustomizev1.KubeConfig{
 			SecretRef: meta.SecretKeyReference{
 				Name: kustomizationArgs.kubeConfigSecretRef,
 			},
@@ -239,10 +231,6 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	if kustomizationArgs.retryInterval > 0 {
-		kustomization.Spec.RetryInterval = &metav1.Duration{Duration: kustomizationArgs.retryInterval}
-	}
-
 	if createArgs.export {
 		return printExport(exportKs(&kustomization))
 	}
@@ -262,8 +250,8 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for Kustomization reconciliation")
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isObjectReadyConditionFunc(kubeClient, namespacedName, &kustomization)); err != nil {
+		isKustomizationReady(ctx, kubeClient, namespacedName, &kustomization)); err != nil {
 		return err
 	}
 	logger.Successf("Kustomization %s is ready", name)
@@ -302,3 +290,28 @@ func upsertKustomization(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Kustomization updated")
 	return namespacedName, nil
 }
+
+func isKustomizationReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, kustomization *kustomizev1.Kustomization) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, kustomization)
+		if err != nil {
+			return false, err
+		}
+
+		// Confirm the state we are observing is for the current generation
+		if kustomization.Generation != kustomization.Status.ObservedGeneration {
+			return false, nil
+		}
+
+		if c := apimeta.FindStatusCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/create_receiver.go

@@ -22,21 +22,22 @@ import (
 
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
 )
 
 var createReceiverCmd = &cobra.Command{
 	Use:   "receiver [name]",
 	Short: "Create or update a Receiver resource",
-	Long:  `The create receiver command generates a Receiver resource.`,
+	Long:  "The create receiver command generates a Receiver resource.",
 	Example: `  # Create a Receiver
   flux create receiver github-receiver \
 	--type github \
@@ -138,13 +139,13 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for Receiver reconciliation")
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isObjectReadyConditionFunc(kubeClient, namespacedName, &receiver)); err != nil {
+		isReceiverReady(ctx, kubeClient, namespacedName, &receiver)); err != nil {
 		return err
 	}
 	logger.Successf("Receiver %s is ready", name)
 
-	logger.Successf("generated webhook URL %s", receiver.Status.WebhookPath)
+	logger.Successf("generated webhook URL %s", receiver.Status.URL)
 	return nil
 }
 
@@ -178,3 +179,23 @@ func upsertReceiver(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Receiver updated")
 	return namespacedName, nil
 }
+
+func isReceiverReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, receiver *notificationv1.Receiver) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, receiver)
+		if err != nil {
+			return false, err
+		}
+
+		if c := apimeta.FindStatusCondition(receiver.Status.Conditions, meta.ReadyCondition); c != nil {
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/create_secret.go

@@ -29,7 +29,7 @@ import (
 var createSecretCmd = &cobra.Command{
 	Use:   "secret",
 	Short: "Create or update Kubernetes secrets",
-	Long:  `The create source sub-commands generate Kubernetes secrets specific to Flux.`,
+	Long:  "The create source sub-commands generate Kubernetes secrets specific to Flux.",
 }
 
 func init() {

cmd/flux/create_secret_git.go

@@ -21,25 +21,22 @@ import (
 	"crypto/elliptic"
 	"fmt"
 	"net/url"
-	"os"
 
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 
-	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var createSecretGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Create or update a Kubernetes secret for Git authentication",
 	Long: `The create secret git command generates a Kubernetes secret with Git credentials.
-For Git over SSH, the host and SSH keys are automatically generated and stored
+For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
-in the secret.
+For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
-For Git over HTTP/S, the provided basic authentication credentials or bearer
-authentication token are stored in the secret.`,
 	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
 
   flux create secret git podinfo-auth \
@@ -87,9 +84,8 @@ type secretGitFlags struct {
 	keyAlgorithm   flags.PublicKeyAlgorithm
 	rsaBits        flags.RSAKeyBits
 	ecdsaCurve     flags.ECDSACurve
-	caCrtFile      string
+	caFile         string
 	privateKeyFile string
-	bearerToken    string
 }
 
 var secretGitArgs = NewSecretGitFlags()
@@ -101,9 +97,8 @@ func init() {
 	createSecretGitCmd.Flags().Var(&secretGitArgs.keyAlgorithm, "ssh-key-algorithm", secretGitArgs.keyAlgorithm.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
-	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
-	createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")
 
 	createSecretCmd.AddCommand(createSecretGitCmd)
 }
@@ -140,34 +135,19 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	switch u.Scheme {
 	case "ssh":
-		keypair, err := sourcesecret.LoadKeyPairFromPath(secretGitArgs.privateKeyFile, secretGitArgs.password)
-		if err != nil {
-			return err
-		}
-		opts.Keypair = keypair
 		opts.SSHHostname = u.Host
+		opts.PrivateKeyPath = secretGitArgs.privateKeyFile
 		opts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(secretGitArgs.keyAlgorithm)
 		opts.RSAKeyBits = int(secretGitArgs.rsaBits)
 		opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
 		opts.Password = secretGitArgs.password
 	case "http", "https":
-		if (secretGitArgs.username == "" || secretGitArgs.password == "") && secretGitArgs.bearerToken == "" {
+		if secretGitArgs.username == "" || secretGitArgs.password == "" {
-			return fmt.Errorf("for Git over HTTP/S the username and password, or a bearer token is required")
+			return fmt.Errorf("for Git over HTTP/S the username and password are required")
 		}
 		opts.Username = secretGitArgs.username
 		opts.Password = secretGitArgs.password
-		opts.BearerToken = secretGitArgs.bearerToken
+		opts.CAFilePath = secretGitArgs.caFile
-		if secretGitArgs.username != "" && secretGitArgs.password != "" && secretGitArgs.bearerToken != "" {
-			return fmt.Errorf("user credentials and bearer token cannot be used together")
-		}
-
-		// --ca-crt-file takes precedence over --ca-file.
-		if secretGitArgs.caCrtFile != "" {
-			opts.CACrt, err = os.ReadFile(secretGitArgs.caCrtFile)
-			if err != nil {
-				return fmt.Errorf("unable to read TLS CA file: %w", err)
-			}
-		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}

cmd/flux/create_secret_git_test.go

@@ -1,21 +1,10 @@
 package main
 
 import (
-	"fmt"
-	"os"
 	"testing"
 )
 
 func TestCreateGitSecret(t *testing.T) {
-	file, err := os.CreateTemp(t.TempDir(), "ca-crt")
-	if err != nil {
-		t.Fatal("could not create CA certificate file")
-	}
-	_, err = file.Write([]byte("ca-data"))
-	if err != nil {
-		t.Fatal("could not write to CA certificate file")
-	}
-
 	tests := []struct {
 		name   string
 		args   string
@@ -41,21 +30,6 @@ func TestCreateGitSecret(t *testing.T) {
 			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
 		},
-		{
-			name:   "git authentication with bearer token",
-			args:   "create secret git bearer-token-auth --url=https://github.com/stefanprodan/podinfo --bearer-token=ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS --namespace=my-namespace --export",
-			assert: assertGoldenFile("testdata/create_secret/git/git-bearer-token.yaml"),
-		},
-		{
-			name:   "git authentication with CA certificate",
-			args:   fmt.Sprintf("create secret git ca-crt --url=https://github.com/stefanprodan/podinfo --password=my-password --username=my-username --ca-crt-file=%s --namespace=my-namespace --export", file.Name()),
-			assert: assertGoldenFile("testdata/create_secret/git/secret-ca-crt.yaml"),
-		},
-		{
-			name:   "git authentication with basic auth and bearer token",
-			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",
-			assert: assertError("user credentials and bearer token cannot be used together"),
-		},
 	}
 
 	for _, tt := range tests {

cmd/flux/create_secret_github_app.go

@@ -1,128 +0,0 @@
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"os"
-
-	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
-	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
-	"sigs.k8s.io/yaml"
-)
-
-var createSecretGitHubAppCmd = &cobra.Command{
-	Use:   "githubapp [name]",
-	Short: "Create or update a github app secret",
-	Long:  withPreviewNote(`The create secret githubapp command generates a Kubernetes secret that can be used for GitRepository authentication with github app`),
-	Example: `  # Create a githubapp authentication secret on disk and encrypt it with Mozilla SOPS
-  flux create secret githubapp podinfo-auth \
-    --app-id="1" \
-    --app-installation-id="2" \
-    --app-private-key=./private-key-file.pem \
-    --export > githubapp-auth.yaml
-
-  sops --encrypt --encrypted-regex '^(data|stringData)$' \
-    --in-place githubapp-auth.yaml
-	`,
-	RunE: createSecretGitHubAppCmdRun,
-}
-
-type secretGitHubAppFlags struct {
-	appID             string
-	appInstallationID string
-	privateKeyFile    string
-	baseURL           string
-}
-
-var secretGitHubAppArgs = secretGitHubAppFlags{}
-
-func init() {
-	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appID, "app-id", "", "github app ID")
-	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appInstallationID, "app-installation-id", "", "github app installation ID")
-	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.privateKeyFile, "app-private-key", "", "github app private key file path")
-	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.baseURL, "app-base-url", "", "github app base URL")
-
-	createSecretCmd.AddCommand(createSecretGitHubAppCmd)
-}
-
-func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("name is required")
-	}
-
-	secretName := args[0]
-
-	if secretGitHubAppArgs.appID == "" {
-		return fmt.Errorf("--app-id is required")
-	}
-
-	if secretGitHubAppArgs.appInstallationID == "" {
-		return fmt.Errorf("--app-installation-id is required")
-	}
-
-	if secretGitHubAppArgs.privateKeyFile == "" {
-		return fmt.Errorf("--app-private-key is required")
-	}
-
-	privateKey, err := os.ReadFile(secretGitHubAppArgs.privateKeyFile)
-	if err != nil {
-		return fmt.Errorf("unable to read private key file: %w", err)
-	}
-
-	opts := sourcesecret.Options{
-		Name:                    secretName,
-		Namespace:               *kubeconfigArgs.Namespace,
-		GitHubAppID:             secretGitHubAppArgs.appID,
-		GitHubAppInstallationID: secretGitHubAppArgs.appInstallationID,
-		GitHubAppPrivateKey:     string(privateKey),
-	}
-
-	if secretGitHubAppArgs.baseURL != "" {
-		opts.GitHubAppBaseURL = secretGitHubAppArgs.baseURL
-	}
-
-	secret, err := sourcesecret.Generate(opts)
-	if err != nil {
-		return err
-	}
-
-	if createArgs.export {
-		rootCmd.Println(secret.Content)
-		return nil
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-	var s corev1.Secret
-	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
-		return err
-	}
-	if err := upsertSecret(ctx, kubeClient, s); err != nil {
-		return err
-	}
-
-	logger.Actionf("githubapp secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
-	return nil
-}

cmd/flux/create_secret_githubapp_test.go

@@ -1,74 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"testing"
-)
-
-func TestCreateSecretGitHubApp(t *testing.T) {
-	tests := []struct {
-		name   string
-		args   string
-		assert assertFunc
-	}{
-		{
-			name:   "create githubapp secret with missing name",
-			args:   "create secret githubapp",
-			assert: assertError("name is required"),
-		},
-		{
-			name:   "create githubapp secret with missing app-id",
-			args:   "create secret githubapp appinfo",
-			assert: assertError("--app-id is required"),
-		},
-		{
-			name:   "create githubapp secret with missing appInstallationID",
-			args:   "create secret githubapp appinfo --app-id 1",
-			assert: assertError("--app-installation-id is required"),
-		},
-		{
-			name:   "create githubapp secret with missing private key file",
-			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2",
-			assert: assertError("--app-private-key is required"),
-		},
-		{
-			name:   "create githubapp secret with private key file that does not exist",
-			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2 --app-private-key pk.pem",
-			assert: assertError("unable to read private key file: open pk.pem: no such file or directory"),
-		},
-		{
-			name:   "create githubapp secret with app info",
-			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --export",
-			assert: assertGoldenFile("testdata/create_secret/githubapp/secret.yaml"),
-		},
-		{
-			name:   "create githubapp secret with appinfo and base url",
-			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --app-base-url www.example.com/api/v3 --export",
-			assert: assertGoldenFile("testdata/create_secret/githubapp/secret-with-baseurl.yaml"),
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cmd := cmdTestCase{
-				args:   tt.args,
-				assert: tt.assert,
-			}
-			cmd.runTestCmd(t)
-		})
-	}
-}

cmd/flux/create_secret_helm.go

@@ -18,15 +18,13 @@ package main
 
 import (
 	"context"
-	"fmt"
-	"os"
 
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var createSecretHelmCmd = &cobra.Command{
@@ -41,8 +39,15 @@ var createSecretHelmCmd = &cobra.Command{
     --export > repo-auth.yaml
 
   sops --encrypt --encrypted-regex '^(data|stringData)$' \
-    --in-place repo-auth.yaml`,
+    --in-place repo-auth.yaml
 
+  # Create a Helm authentication secret using a custom TLS cert
+  flux create secret helm repo-auth \
+    --username=username \
+    --password=password \
+    --cert-file=./cert.crt \
+    --key-file=./key.crt \
+    --ca-file=./ca.crt`,
 	RunE: createSecretHelmCmdRun,
 }
 
@@ -55,13 +60,9 @@ type secretHelmFlags struct {
 var secretHelmArgs secretHelmFlags
 
 func init() {
-	flags := createSecretHelmCmd.Flags()
+	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
-	flags.StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
+	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
-	flags.StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
+	initSecretTLSFlags(createSecretHelmCmd.Flags(), &secretHelmArgs.secretTLSFlags)
-	flags.StringVar(&secretHelmArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
-	flags.StringVar(&secretHelmArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
-	flags.StringVar(&secretHelmArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
-
 	createSecretCmd.AddCommand(createSecretHelmCmd)
 }
 
@@ -73,34 +74,15 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	caBundle := []byte{}
-	if secretHelmArgs.caCrtFile != "" {
-		var err error
-		caBundle, err = os.ReadFile(secretHelmArgs.caCrtFile)
-		if err != nil {
-			return fmt.Errorf("unable to read TLS CA file: %w", err)
-		}
-	}
-
-	var certFile, keyFile []byte
-	if secretHelmArgs.tlsCrtFile != "" && secretHelmArgs.tlsKeyFile != "" {
-		if certFile, err = os.ReadFile(secretHelmArgs.tlsCrtFile); err != nil {
-			return fmt.Errorf("failed to read cert file: %w", err)
-		}
-		if keyFile, err = os.ReadFile(secretHelmArgs.tlsKeyFile); err != nil {
-			return fmt.Errorf("failed to read key file: %w", err)
-		}
-	}
-
 	opts := sourcesecret.Options{
-		Name:      name,
+		Name:         name,
-		Namespace: *kubeconfigArgs.Namespace,
+		Namespace:    *kubeconfigArgs.Namespace,
-		Labels:    labels,
+		Labels:       labels,
-		Username:  secretHelmArgs.username,
+		Username:     secretHelmArgs.username,
-		Password:  secretHelmArgs.password,
+		Password:     secretHelmArgs.password,
-		CACrt:     caBundle,
+		CAFilePath:   secretHelmArgs.caFile,
-		TLSCrt:    certFile,
+		CertFilePath: secretHelmArgs.certFile,
-		TLSKey:    keyFile,
+		KeyFilePath:  secretHelmArgs.keyFile,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {

cmd/flux/create_secret_helm_test.go

@@ -1,19 +1,3 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
 package main
 
 import (

cmd/flux/create_secret_notation.go

@@ -1,161 +0,0 @@
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
-	"github.com/notaryproject/notation-go/verifier/trustpolicy"
-	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
-	"sigs.k8s.io/yaml"
-)
-
-var createSecretNotationCmd = &cobra.Command{
-	Use:   "notation [name]",
-	Short: "Create or update a Kubernetes secret for verifications of artifacts signed by Notation",
-	Long:  withPreviewNote(`The create secret notation command generates a Kubernetes secret with root ca certificates and trust policy.`),
-	Example: ` # Create a Notation configuration secret on disk and encrypt it with Mozilla SOPS
-  flux create secret notation my-notation-cert \
-    --namespace=my-namespace \
-    --trust-policy-file=./my-trust-policy.json \
-    --ca-cert-file=./my-cert.crt \
-    --export > my-notation-cert.yaml
-
-  sops --encrypt --encrypted-regex '^(data|stringData)$' \
-    --in-place my-notation-cert.yaml`,
-
-	RunE: createSecretNotationCmdRun,
-}
-
-type secretNotationFlags struct {
-	trustPolicyFile string
-	caCrtFile       []string
-}
-
-var secretNotationArgs secretNotationFlags
-
-func init() {
-	createSecretNotationCmd.Flags().StringVar(&secretNotationArgs.trustPolicyFile, "trust-policy-file", "", "notation trust policy file path")
-	createSecretNotationCmd.Flags().StringSliceVar(&secretNotationArgs.caCrtFile, "ca-cert-file", []string{}, "root ca cert file path")
-
-	createSecretCmd.AddCommand(createSecretNotationCmd)
-}
-
-func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("name is required")
-	}
-
-	if secretNotationArgs.caCrtFile == nil || len(secretNotationArgs.caCrtFile) == 0 {
-		return fmt.Errorf("--ca-cert-file is required")
-	}
-
-	if secretNotationArgs.trustPolicyFile == "" {
-		return fmt.Errorf("--trust-policy-file is required")
-	}
-
-	name := args[0]
-
-	labels, err := parseLabels()
-	if err != nil {
-		return err
-	}
-
-	policy, err := os.ReadFile(secretNotationArgs.trustPolicyFile)
-	if err != nil {
-		return fmt.Errorf("unable to read trust policy file: %w", err)
-	}
-
-	var doc trustpolicy.Document
-
-	if err := json.Unmarshal(policy, &doc); err != nil {
-		return fmt.Errorf("failed to unmarshal trust policy %s: %w", secretNotationArgs.trustPolicyFile, err)
-	}
-
-	if err := doc.Validate(); err != nil {
-		return fmt.Errorf("invalid trust policy: %w", err)
-	}
-
-	var (
-		caCerts []sourcesecret.VerificationCrt
-		fileErr error
-	)
-	for _, caCrtFile := range secretNotationArgs.caCrtFile {
-		fileName := filepath.Base(caCrtFile)
-		if !strings.HasSuffix(fileName, ".crt") && !strings.HasSuffix(fileName, ".pem") {
-			fileErr = errors.Join(fileErr, fmt.Errorf("%s must end with either .crt or .pem", fileName))
-			continue
-		}
-		caBundle, err := os.ReadFile(caCrtFile)
-		if err != nil {
-			fileErr = errors.Join(fileErr, fmt.Errorf("unable to read TLS CA file: %w", err))
-			continue
-		}
-		caCerts = append(caCerts, sourcesecret.VerificationCrt{Name: fileName, CACrt: caBundle})
-	}
-
-	if fileErr != nil {
-		return fileErr
-	}
-
-	if len(caCerts) == 0 {
-		return fmt.Errorf("no CA certs found")
-	}
-
-	opts := sourcesecret.Options{
-		Name:             name,
-		Namespace:        *kubeconfigArgs.Namespace,
-		Labels:           labels,
-		VerificationCrts: caCerts,
-		TrustPolicy:      policy,
-	}
-	secret, err := sourcesecret.Generate(opts)
-	if err != nil {
-		return err
-	}
-
-	if createArgs.export {
-		rootCmd.Println(secret.Content)
-		return nil
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-	var s corev1.Secret
-	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
-		return err
-	}
-	if err := upsertSecret(ctx, kubeClient, s); err != nil {
-		return err
-	}
-
-	logger.Actionf("notation configuration secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
-	return nil
-}

cmd/flux/create_secret_notation_test.go

@@ -1,124 +0,0 @@
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-const (
-	trustPolicy        = "./testdata/create_secret/notation/test-trust-policy.json"
-	invalidTrustPolicy = "./testdata/create_secret/notation/invalid-trust-policy.json"
-	invalidJson        = "./testdata/create_secret/notation/invalid.json"
-	testCertFolder     = "./testdata/create_secret/notation"
-)
-
-func TestCreateNotationSecret(t *testing.T) {
-	crt, err := os.Create(filepath.Join(t.TempDir(), "ca.crt"))
-	if err != nil {
-		t.Fatal("could not create ca.crt file")
-	}
-
-	pem, err := os.Create(filepath.Join(t.TempDir(), "ca.pem"))
-	if err != nil {
-		t.Fatal("could not create ca.pem file")
-	}
-
-	invalidCert, err := os.Create(filepath.Join(t.TempDir(), "ca.p12"))
-	if err != nil {
-		t.Fatal("could not create ca.p12 file")
-	}
-
-	_, err = crt.Write([]byte("ca-data-crt"))
-	if err != nil {
-		t.Fatal("could not write to crt certificate file")
-	}
-
-	_, err = pem.Write([]byte("ca-data-pem"))
-	if err != nil {
-		t.Fatal("could not write to pem certificate file")
-	}
-
-	tests := []struct {
-		name   string
-		args   string
-		assert assertFunc
-	}{
-		{
-			name:   "no args",
-			args:   "create secret notation",
-			assert: assertError("name is required"),
-		},
-		{
-			name:   "no trust policy",
-			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s", testCertFolder),
-			assert: assertError("--trust-policy-file is required"),
-		},
-		{
-			name:   "no cert",
-			args:   fmt.Sprintf("create secret notation notation-config --trust-policy-file=%s", trustPolicy),
-			assert: assertError("--ca-cert-file is required"),
-		},
-		{
-			name:   "non pem and crt cert",
-			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", invalidCert.Name(), trustPolicy),
-			assert: assertError("ca.p12 must end with either .crt or .pem"),
-		},
-		{
-			name:   "invalid trust policy",
-			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidTrustPolicy),
-			assert: assertError("invalid trust policy: trust policy: a trust policy statement is missing a name, every statement requires a name"),
-		},
-		{
-			name:   "invalid trust policy json",
-			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidJson),
-			assert: assertError(fmt.Sprintf("failed to unmarshal trust policy %s: json: cannot unmarshal string into Go value of type trustpolicy.Document", invalidJson)),
-		},
-		{
-			name:   "crt secret",
-			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), trustPolicy),
-			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-crt.yaml"),
-		},
-		{
-			name:   "pem secret",
-			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", pem.Name(), trustPolicy),
-			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-pem.yaml"),
-		},
-		{
-			name:   "multi secret",
-			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), pem.Name(), trustPolicy),
-			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-multi.yaml"),
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			defer func() {
-				secretNotationArgs = secretNotationFlags{}
-			}()
-
-			cmd := cmdTestCase{
-				args:   tt.args,
-				assert: tt.assert,
-			}
-			cmd.runTestCmd(t)
-		})
-	}
-}

cmd/flux/create_secret_oci.go

@@ -1,121 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
-	"sigs.k8s.io/yaml"
-)
-
-var createSecretOCICmd = &cobra.Command{
-	Use:   "oci [name]",
-	Short: "Create or update a Kubernetes image pull secret",
-	Long:  withPreviewNote(`The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`),
-	Example: `  # Create an OCI authentication secret on disk and encrypt it with Mozilla SOPS
-  flux create secret oci podinfo-auth \
-    --url=ghcr.io \
-    --username=username \
-    --password=password \
-    --export > repo-auth.yaml
-
-  sops --encrypt --encrypted-regex '^(data|stringData)$' \
-    --in-place repo-auth.yaml
-	`,
-	RunE: createSecretOCICmdRun,
-}
-
-type secretOCIFlags struct {
-	url      string
-	password string
-	username string
-}
-
-var secretOCIArgs = secretOCIFlags{}
-
-func init() {
-	createSecretOCICmd.Flags().StringVar(&secretOCIArgs.url, "url", "", "oci repository address e.g ghcr.io/stefanprodan/charts")
-	createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.username, "username", "u", "", "basic authentication username")
-	createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.password, "password", "p", "", "basic authentication password")
-
-	createSecretCmd.AddCommand(createSecretOCICmd)
-}
-
-func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("name is required")
-	}
-
-	secretName := args[0]
-
-	if secretOCIArgs.url == "" {
-		return fmt.Errorf("--url is required")
-	}
-
-	if secretOCIArgs.username == "" {
-		return fmt.Errorf("--username is required")
-	}
-
-	if secretOCIArgs.password == "" {
-		return fmt.Errorf("--password is required")
-	}
-
-	if _, err := name.ParseReference(secretOCIArgs.url); err != nil {
-		return fmt.Errorf("error parsing url: '%s'", err)
-	}
-
-	opts := sourcesecret.Options{
-		Name:      secretName,
-		Namespace: *kubeconfigArgs.Namespace,
-		Registry:  secretOCIArgs.url,
-		Password:  secretOCIArgs.password,
-		Username:  secretOCIArgs.username,
-	}
-
-	secret, err := sourcesecret.Generate(opts)
-	if err != nil {
-		return err
-	}
-
-	if createArgs.export {
-		rootCmd.Println(secret.Content)
-		return nil
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-	var s corev1.Secret
-	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
-		return err
-	}
-	if err := upsertSecret(ctx, kubeClient, s); err != nil {
-		return err
-	}
-
-	logger.Actionf("oci secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
-	return nil
-}

cmd/flux/create_secret_oci_test.go

@@ -1,51 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"testing"
-)
-
-func TestCreateSecretOCI(t *testing.T) {
-	tests := []struct {
-		name   string
-		args   string
-		assert assertFunc
-	}{
-		{
-			args:   "create secret oci",
-			assert: assertError("name is required"),
-		},
-		{
-			args:   "create secret oci ghcr",
-			assert: assertError("--url is required"),
-		},
-		{
-			args:   "create secret oci ghcr --namespace=my-namespace --url ghcr.io --username stefanprodan --password=password --export",
-			assert: assertGoldenFile("testdata/create_secret/oci/create-secret.yaml"),
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cmd := cmdTestCase{
-				args:   tt.args,
-				assert: tt.assert,
-			}
-			cmd.runTestCmd(t)
-		})
-	}
-}

cmd/flux/create_secret_proxy.go

@@ -1,112 +0,0 @@
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"errors"
-
-	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
-	"sigs.k8s.io/yaml"
-
-	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
-)
-
-var createSecretProxyCmd = &cobra.Command{
-	Use:   "proxy [name]",
-	Short: "Create or update a Kubernetes secret for proxy authentication",
-	Long: `The create secret proxy command generates a Kubernetes secret with the
-proxy address and the basic authentication credentials.`,
-	Example: ` # Create a proxy secret on disk and encrypt it with SOPS
-  flux create secret proxy my-proxy \
-    --namespace=my-namespace \
-    --address=https://my-proxy.com \
-    --username=my-username \
-    --password=my-password \
-    --export > proxy.yaml
-
-  sops --encrypt --encrypted-regex '^(data|stringData)$' \
-    --in-place proxy.yaml`,
-
-	RunE: createSecretProxyCmdRun,
-}
-
-type secretProxyFlags struct {
-	address  string
-	username string
-	password string
-}
-
-var secretProxyArgs secretProxyFlags
-
-func init() {
-	createSecretProxyCmd.Flags().StringVar(&secretProxyArgs.address, "address", "", "proxy address")
-	createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.username, "username", "u", "", "basic authentication username")
-	createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.password, "password", "p", "", "basic authentication password")
-
-	createSecretCmd.AddCommand(createSecretProxyCmd)
-}
-
-func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
-	name := args[0]
-
-	labels, err := parseLabels()
-	if err != nil {
-		return err
-	}
-
-	if secretProxyArgs.address == "" {
-		return errors.New("address is required")
-	}
-
-	opts := sourcesecret.Options{
-		Name:      name,
-		Namespace: *kubeconfigArgs.Namespace,
-		Labels:    labels,
-		Address:   secretProxyArgs.address,
-		Username:  secretProxyArgs.username,
-		Password:  secretProxyArgs.password,
-	}
-	secret, err := sourcesecret.Generate(opts)
-	if err != nil {
-		return err
-	}
-
-	if createArgs.export {
-		rootCmd.Println(secret.Content)
-		return nil
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-	var s corev1.Secret
-	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
-		return err
-	}
-	if err := upsertSecret(ctx, kubeClient, s); err != nil {
-		return err
-	}
-
-	logger.Actionf("proxy secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
-	return nil
-}

cmd/flux/create_secret_proxy_test.go

@@ -1,47 +0,0 @@
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"testing"
-)
-
-func TestCreateProxySecret(t *testing.T) {
-	tests := []struct {
-		name   string
-		args   string
-		assert assertFunc
-	}{
-		{
-			args:   "create secret proxy proxy-secret",
-			assert: assertError("address is required"),
-		},
-		{
-			args:   "create secret proxy proxy-secret --address=https://my-proxy.com --username=my-username --password=my-password --namespace=my-namespace --export",
-			assert: assertGoldenFile("testdata/create_secret/proxy/secret-proxy.yaml"),
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cmd := cmdTestCase{
-				args:   tt.args,
-				assert: tt.assert,
-			}
-			cmd.runTestCmd(t)
-		})
-	}
-}

cmd/flux/create_secret_tls.go

@@ -18,28 +18,26 @@ package main
 
 import (
 	"context"
-	"fmt"
-	"os"
 
 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var createSecretTLSCmd = &cobra.Command{
 	Use:   "tls [name]",
 	Short: "Create or update a Kubernetes secret with TLS certificates",
 	Long:  `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
-	Example: ` # Create a TLS secret on disk and encrypt it with SOPS.
+	Example: ` # Create a TLS secret on disk and encrypt it with Mozilla SOPS.
   # Files are expected to be PEM-encoded.
   flux create secret tls certs \
     --namespace=my-namespace \
-    --tls-crt-file=./client.crt \
+    --cert-file=./client.crt \
-    --tls-key-file=./client.key \
+    --key-file=./client.key \
-    --ca-crt-file=./ca.crt \
     --export > certs.yaml
 
   sops --encrypt --encrypted-regex '^(data|stringData)$' \
@@ -48,18 +46,22 @@ var createSecretTLSCmd = &cobra.Command{
 }
 
 type secretTLSFlags struct {
-	caCrtFile  string
+	certFile string
-	tlsKeyFile string
+	keyFile  string
-	tlsCrtFile string
+	caFile   string
 }
 
 var secretTLSArgs secretTLSFlags
 
-func init() {
+func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
-	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
+	flags.StringVar(&args.certFile, "cert-file", "", "TLS authentication cert file path")
-	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
+	flags.StringVar(&args.keyFile, "key-file", "", "TLS authentication key file path")
-	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
+	flags.StringVar(&args.caFile, "ca-file", "", "TLS authentication CA file path")
+}
 
+func init() {
+	flags := createSecretTLSCmd.Flags()
+	initSecretTLSFlags(flags, &secretTLSArgs)
 	createSecretCmd.AddCommand(createSecretTLSCmd)
 }
 
@@ -72,27 +74,13 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	opts := sourcesecret.Options{
-		Name:      name,
+		Name:         name,
-		Namespace: *kubeconfigArgs.Namespace,
+		Namespace:    *kubeconfigArgs.Namespace,
-		Labels:    labels,
+		Labels:       labels,
-	}
+		CAFilePath:   secretTLSArgs.caFile,
-
+		CertFilePath: secretTLSArgs.certFile,
-	if secretTLSArgs.caCrtFile != "" {
+		KeyFilePath:  secretTLSArgs.keyFile,
-		opts.CACrt, err = os.ReadFile(secretTLSArgs.caCrtFile)
-		if err != nil {
-			return fmt.Errorf("unable to read TLS CA file: %w", err)
-		}
-	}
-
-	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
-		if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
-			return fmt.Errorf("failed to read cert file: %w", err)
-		}
-		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
-			return fmt.Errorf("failed to read key file: %w", err)
-		}
 	}
-
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err

cmd/flux/create_secret_tls_test.go

@@ -4,7 +4,7 @@ import (
 	"testing"
 )
 
-func TestCreateTlsSecret(t *testing.T) {
+func TestCreateTlsSecretNoArgs(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
@@ -15,7 +15,7 @@ func TestCreateTlsSecret(t *testing.T) {
 			assert: assertError("name is required"),
 		},
 		{
-			args:   "create secret tls certs --namespace=my-namespace --tls-crt-file=./testdata/create_secret/tls/test-cert.pem --tls-key-file=./testdata/create_secret/tls/test-key.pem --ca-crt-file=./testdata/create_secret/tls/test-ca.pem --export",
+			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
 		},
 	}

cmd/flux/create_source.go

@@ -25,7 +25,7 @@ import (
 var createSourceCmd = &cobra.Command{
 	Use:   "source",
 	Short: "Create or update sources",
-	Long:  `The create source sub-commands generate sources.`,
+	Long:  "The create source sub-commands generate sources.",
 }
 
 type createSourceFlags struct {

cmd/flux/create_source_bucket.go

@@ -31,11 +31,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 
-	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
 )
 
 var createSourceBucketCmd = &cobra.Command{
@@ -63,16 +64,15 @@ For Buckets with static authentication, the credentials are stored in a Kubernet
 }
 
 type sourceBucketFlags struct {
-	name           string
+	name        string
-	provider       flags.SourceBucketProvider
+	provider    flags.SourceBucketProvider
-	endpoint       string
+	endpoint    string
-	accessKey      string
+	accessKey   string
-	secretKey      string
+	secretKey   string
-	region         string
+	region      string
-	insecure       bool
+	insecure    bool
-	secretRef      string
+	secretRef   string
-	proxySecretRef string
+	ignorePaths []string
-	ignorePaths    []string
 }
 
 var sourceBucketArgs = newSourceBucketFlags()
@@ -86,7 +86,6 @@ func init() {
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.region, "region", "", "the bucket region")
 	createSourceBucketCmd.Flags().BoolVar(&sourceBucketArgs.insecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretRef, "secret-ref", "", "the name of an existing secret containing credentials")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceBucketCmd.Flags().StringSliceVar(&sourceBucketArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in bucket resource (can specify multiple paths with commas: path1,path2)")
 
 	createSourceCmd.AddCommand(createSourceBucketCmd)
@@ -94,7 +93,7 @@ func init() {
 
 func newSourceBucketFlags() sourceBucketFlags {
 	return sourceBucketFlags{
-		provider: flags.SourceBucketProvider(sourcev1.BucketProviderGeneric),
+		provider: flags.SourceBucketProvider(sourcev1.GenericBucketProvider),
 	}
 }
 
@@ -155,12 +154,6 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	if sourceBucketArgs.proxySecretRef != "" {
-		bucket.Spec.ProxySecretRef = &meta.LocalObjectReference{
-			Name: sourceBucketArgs.proxySecretRef,
-		}
-	}
-
 	if createArgs.export {
 		return printExport(exportBucket(bucket))
 	}
@@ -211,8 +204,8 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for Bucket source reconciliation")
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isObjectReadyConditionFunc(kubeClient, namespacedName, bucket)); err != nil {
+		isBucketReady(ctx, kubeClient, namespacedName, bucket)); err != nil {
 		return err
 	}
 	logger.Successf("Bucket source reconciliation completed")
@@ -254,3 +247,30 @@ func upsertBucket(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Bucket source updated")
 	return namespacedName, nil
 }
+
+func isBucketReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, bucket *sourcev1.Bucket) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, bucket)
+		if err != nil {
+			return false, err
+		}
+
+		if c := conditions.Get(bucket, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != bucket.GetGeneration() {
+				return false, nil
+			}
+
+			// Further check the Status
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/create_source_chart.go

@@ -1,217 +0,0 @@
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-
-	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/v2/internal/utils"
-)
-
-var createSourceChartCmd = &cobra.Command{
-	Use:   "chart [name]",
-	Short: "Create or update a HelmChart source",
-	Long:  `The create source chart command generates a HelmChart resource and waits for the chart to be available.`,
-	Example: `  # Create a source for a chart residing in a HelmRepository
-  flux create source chart podinfo \
-    --source=HelmRepository/podinfo \
-    --chart=podinfo \
-    --chart-version=6.x
-
-  # Create a source for a chart residing in a Git repository
-  flux create source chart podinfo \
-    --source=GitRepository/podinfo \
-    --chart=./charts/podinfo
-
-  # Create a source for a chart residing in a S3 Bucket
-  flux create source chart podinfo \
-    --source=Bucket/podinfo \
-    --chart=./charts/podinfo
-
-  # Create a source for a chart from OCI and verify its signature
-  flux create source chart podinfo \
-    --source HelmRepository/podinfo \
-    --chart podinfo \
-    --chart-version=6.6.2 \
-    --verify-provider=cosign \
-    --verify-issuer=https://token.actions.githubusercontent.com \
-    --verify-subject=https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2`,
-	RunE: createSourceChartCmdRun,
-}
-
-type sourceChartFlags struct {
-	chart             string
-	chartVersion      string
-	source            flags.LocalHelmChartSource
-	reconcileStrategy string
-	verifyProvider    flags.SourceOCIVerifyProvider
-	verifySecretRef   string
-	verifyOIDCIssuer  string
-	verifySubject     string
-}
-
-var sourceChartArgs sourceChartFlags
-
-func init() {
-	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chart, "chart", "", "Helm chart name or path")
-	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
-	createSourceChartCmd.Flags().Var(&sourceChartArgs.source, "source", sourceChartArgs.source.Description())
-	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart (accepted values: Revision and ChartRevision)")
-	createSourceChartCmd.Flags().Var(&sourceChartArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
-	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
-	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
-	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
-
-	createSourceCmd.AddCommand(createSourceChartCmd)
-}
-
-func createSourceChartCmdRun(cmd *cobra.Command, args []string) error {
-	name := args[0]
-
-	if sourceChartArgs.source.Kind == "" || sourceChartArgs.source.Name == "" {
-		return fmt.Errorf("chart source is required")
-	}
-
-	if sourceChartArgs.chart == "" {
-		return fmt.Errorf("chart name or path is required")
-	}
-
-	logger.Generatef("generating HelmChart source")
-
-	sourceLabels, err := parseLabels()
-	if err != nil {
-		return err
-	}
-
-	helmChart := &sourcev1.HelmChart{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: *kubeconfigArgs.Namespace,
-			Labels:    sourceLabels,
-		},
-		Spec: sourcev1.HelmChartSpec{
-			Chart:   sourceChartArgs.chart,
-			Version: sourceChartArgs.chartVersion,
-			Interval: metav1.Duration{
-				Duration: createArgs.interval,
-			},
-			ReconcileStrategy: sourceChartArgs.reconcileStrategy,
-			SourceRef: sourcev1.LocalHelmChartSourceReference{
-				Kind: sourceChartArgs.source.Kind,
-				Name: sourceChartArgs.source.Name,
-			},
-		},
-	}
-
-	if provider := sourceChartArgs.verifyProvider.String(); provider != "" {
-		helmChart.Spec.Verify = &sourcev1.OCIRepositoryVerification{
-			Provider: provider,
-		}
-		if secretName := sourceChartArgs.verifySecretRef; secretName != "" {
-			helmChart.Spec.Verify.SecretRef = &meta.LocalObjectReference{
-				Name: secretName,
-			}
-		}
-		verifyIssuer := sourceChartArgs.verifyOIDCIssuer
-		verifySubject := sourceChartArgs.verifySubject
-		if verifyIssuer != "" || verifySubject != "" {
-			helmChart.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
-				Issuer:  verifyIssuer,
-				Subject: verifySubject,
-			}}
-		}
-	} else if sourceChartArgs.verifySecretRef != "" {
-		return fmt.Errorf("a verification provider must be specified when a secret is specified")
-	} else if sourceChartArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
-		return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
-	}
-
-	if createArgs.export {
-		return printExport(exportHelmChart(helmChart))
-	}
-
-	logger.Actionf("applying HelmChart source")
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-
-	namespacedName, err := upsertHelmChart(ctx, kubeClient, helmChart)
-	if err != nil {
-		return err
-	}
-
-	logger.Waitingf("waiting for HelmChart source reconciliation")
-	readyConditionFunc := isObjectReadyConditionFunc(kubeClient, namespacedName, helmChart)
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true, readyConditionFunc); err != nil {
-		return err
-	}
-	logger.Successf("HelmChart source reconciliation completed")
-
-	if helmChart.Status.Artifact == nil {
-		return fmt.Errorf("HelmChart source reconciliation completed but no artifact was found")
-	}
-	logger.Successf("fetched revision: %s", helmChart.Status.Artifact.Revision)
-	return nil
-}
-
-func upsertHelmChart(ctx context.Context, kubeClient client.Client,
-	helmChart *sourcev1.HelmChart) (types.NamespacedName, error) {
-	namespacedName := types.NamespacedName{
-		Namespace: helmChart.GetNamespace(),
-		Name:      helmChart.GetName(),
-	}
-
-	var existing sourcev1.HelmChart
-	err := kubeClient.Get(ctx, namespacedName, &existing)
-	if err != nil {
-		if errors.IsNotFound(err) {
-			if err := kubeClient.Create(ctx, helmChart); err != nil {
-				return namespacedName, err
-			} else {
-				logger.Successf("source created")
-				return namespacedName, nil
-			}
-		}
-		return namespacedName, err
-	}
-
-	existing.Labels = helmChart.Labels
-	existing.Spec = helmChart.Spec
-	if err := kubeClient.Update(ctx, &existing); err != nil {
-		return namespacedName, err
-	}
-	helmChart = &existing
-	logger.Successf("source updated")
-	return namespacedName, nil
-}

cmd/flux/create_source_chart_test.go

@@ -1,91 +0,0 @@
-//go:build unit
-// +build unit
-
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import "testing"
-
-func TestCreateSourceChart(t *testing.T) {
-	tmpl := map[string]string{
-		"fluxns": allocateNamespace("flux-system"),
-	}
-	setupSourceChart(t, tmpl)
-
-	tests := []struct {
-		name   string
-		args   string
-		assert assertFunc
-	}{
-		{
-			name:   "missing name",
-			args:   "create source chart --export",
-			assert: assertError("name is required"),
-		},
-		{
-			name:   "missing source reference",
-			args:   "create source chart podinfo --export ",
-			assert: assertError("chart source is required"),
-		},
-		{
-			name:   "missing chart name",
-			args:   "create source chart podinfo --source helmrepository/podinfo --export",
-			assert: assertError("chart name or path is required"),
-		},
-		{
-			name:   "unknown source kind",
-			args:   "create source chart podinfo --source foobar/podinfo --export",
-			assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
-		},
-		{
-			name:   "basic chart",
-			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --export",
-			assert: assertGoldenTemplateFile("testdata/create_source_chart/basic.yaml", tmpl),
-		},
-		{
-			name:   "chart with basic signature verification",
-			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --export",
-			assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_basic.yaml", tmpl),
-		},
-		{
-			name:   "unknown signature verification provider",
-			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider foobar --export",
-			assert: assertError(`invalid argument "foobar" for "--verify-provider" flag: source OCI verify provider 'foobar' is not supported, must be one of: cosign`),
-		},
-		{
-			name:   "chart with complete signature verification",
-			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --verify-issuer foo --verify-subject bar --export",
-			assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_complete.yaml", tmpl),
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cmd := cmdTestCase{
-				args:   tt.args + " -n " + tmpl["fluxns"],
-				assert: tt.assert,
-			}
-			cmd.runTestCmd(t)
-		})
-	}
-}
-
-func setupSourceChart(t *testing.T, tmpl map[string]string) {
-	t.Helper()
-	testEnv.CreateObjectFile("./testdata/create_source_chart/setup-source.yaml", tmpl, t)
-}

cmd/flux/create_source_git.go

@@ -35,12 +35,13 @@ import (
 	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 
-	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 type sourceGitFlags struct {
@@ -48,16 +49,13 @@ type sourceGitFlags struct {
 	branch            string
 	tag               string
 	semver            string
-	refName           string
-	commit            string
 	username          string
 	password          string
 	keyAlgorithm      flags.PublicKeyAlgorithm
 	keyRSABits        flags.RSAKeyBits
 	keyECDSACurve     flags.ECDSACurve
 	secretRef         string
-	proxySecretRef    string
+	gitImplementation flags.GitImplementation
-	provider          flags.SourceGitProvider
 	caFile            string
 	privateKeyFile    string
 	recurseSubmodules bool
@@ -119,15 +117,8 @@ For private Git repositories, the basic authentication credentials are stored in
   # Create a source for a Git repository using basic authentication
   flux create source git podinfo \
     --url=https://github.com/stefanprodan/podinfo \
-    --branch=master \
     --username=username \
-    --password=password
+    --password=password`,
-
-  # Create a source for a Git repository using azure provider
-  flux create source git podinfo \
-    --url=https://dev.azure.com/foo/bar/_git/podinfo \
-    --branch=master \
-    --provider=azure`,
 	RunE: createSourceGitCmdRun,
 }
 
@@ -138,16 +129,13 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", "git reference name")
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.commit, "commit", "", "git commit")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyRSABits, "ssh-rsa-bits", sourceGitArgs.keyRSABits.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyECDSACurve, "ssh-ecdsa-curve", sourceGitArgs.keyECDSACurve.Description())
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials or github app authentication")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.gitImplementation, "git-implementation", sourceGitArgs.gitImplementation.Description())
-	createSourceGitCmd.Flags().Var(&sourceGitArgs.provider, "provider", sourceGitArgs.provider.Description())
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSourceGitCmd.Flags().BoolVar(&sourceGitArgs.recurseSubmodules, "recurse-submodules", false,
@@ -181,14 +169,18 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
 
-	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" && sourceGitArgs.commit == "" && sourceGitArgs.refName == "" {
+	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" {
-		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag, --commit, --ref-name or --tag-semver")
+		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag or --tag-semver")
 	}
 
 	if sourceGitArgs.caFile != "" && u.Scheme == "ssh" {
 		return fmt.Errorf("specifying a CA file is not supported for Git over SSH")
 	}
 
+	if sourceGitArgs.recurseSubmodules && sourceGitArgs.gitImplementation == sourcev1.LibGit2Implementation {
+		return fmt.Errorf("recurse submodules requires --git-implementation=%s", sourcev1.GoGitImplementation)
+	}
+
 	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
@@ -227,12 +219,11 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		gitRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}
 
-	if sourceGitArgs.commit != "" {
+	if sourceGitArgs.gitImplementation != "" {
-		gitRepository.Spec.Reference.Commit = sourceGitArgs.commit
+		gitRepository.Spec.GitImplementation = sourceGitArgs.gitImplementation.String()
-		gitRepository.Spec.Reference.Branch = sourceGitArgs.branch
+	}
-	} else if sourceGitArgs.refName != "" {
+
-		gitRepository.Spec.Reference.Name = sourceGitArgs.refName
+	if sourceGitArgs.semver != "" {
-	} else if sourceGitArgs.semver != "" {
 		gitRepository.Spec.Reference.SemVer = sourceGitArgs.semver
 	} else if sourceGitArgs.tag != "" {
 		gitRepository.Spec.Reference.Tag = sourceGitArgs.tag
@@ -246,16 +237,6 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	if sourceGitArgs.proxySecretRef != "" {
-		gitRepository.Spec.ProxySecretRef = &meta.LocalObjectReference{
-			Name: sourceGitArgs.proxySecretRef,
-		}
-	}
-
-	if provider := sourceGitArgs.provider.String(); provider != "" {
-		gitRepository.Spec.Provider = provider
-	}
-
 	if createArgs.export {
 		return printExport(exportGit(&gitRepository))
 	}
@@ -277,26 +258,16 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		switch u.Scheme {
 		case "ssh":
-			keypair, err := sourcesecret.LoadKeyPairFromPath(sourceGitArgs.privateKeyFile, sourceGitArgs.password)
-			if err != nil {
-				return err
-			}
-			secretOpts.Keypair = keypair
 			secretOpts.SSHHostname = u.Host
+			secretOpts.PrivateKeyPath = sourceGitArgs.privateKeyFile
 			secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(sourceGitArgs.keyAlgorithm)
 			secretOpts.RSAKeyBits = int(sourceGitArgs.keyRSABits)
 			secretOpts.ECDSACurve = sourceGitArgs.keyECDSACurve.Curve
 			secretOpts.Password = sourceGitArgs.password
 		case "https":
-			if sourceGitArgs.caFile != "" {
-				caBundle, err := os.ReadFile(sourceGitArgs.caFile)
-				if err != nil {
-					return fmt.Errorf("unable to read TLS CA file: %w", err)
-				}
-				secretOpts.CACrt = caBundle
-			}
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
+			secretOpts.CAFilePath = sourceGitArgs.caFile
 		case "http":
 			logger.Warningf("insecure configuration: credentials configured for an HTTP URL")
 			secretOpts.Username = sourceGitArgs.username
@@ -344,8 +315,8 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for GitRepository source reconciliation")
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isObjectReadyConditionFunc(kubeClient, namespacedName, &gitRepository)); err != nil {
+		isGitRepositoryReady(ctx, kubeClient, namespacedName, &gitRepository)); err != nil {
 		return err
 	}
 	logger.Successf("GitRepository source reconciliation completed")
@@ -387,3 +358,30 @@ func upsertGitRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("GitRepository source updated")
 	return namespacedName, nil
 }
+
+func isGitRepositoryReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, gitRepository *sourcev1.GitRepository) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, gitRepository)
+		if err != nil {
+			return false, err
+		}
+
+		if c := conditions.Get(gitRepository, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != gitRepository.GetGeneration() {
+				return false, nil
+			}
+
+			// Further check the Status
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/create_source_git_test.go

@@ -24,15 +24,14 @@ import (
 	"testing"
 	"time"
 
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 
 var pollInterval = 50 * time.Millisecond
@@ -99,71 +98,6 @@ func TestCreateSourceGitExport(t *testing.T) {
 			command,
 			assertGoldenFile("testdata/create_source_git/export.golden"),
 		},
-		{
-			name:   "no args",
-			args:   "create secret git",
-			assert: assertError("name is required"),
-		},
-		{
-			name:   "source with commit",
-			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --commit=c88a2f41 --interval=1m0s --export",
-			assert: assertGoldenFile("./testdata/create_source_git/source-git-commit.yaml"),
-		},
-		{
-			name:   "source with ref name",
-			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --ref-name=refs/heads/main --interval=1m0s --export",
-			assert: assertGoldenFile("testdata/create_source_git/source-git-refname.yaml"),
-		},
-		{
-			name:   "source with branch name and commit",
-			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=main --commit=c88a2f41 --interval=1m0s --export",
-			assert: assertGoldenFile("testdata/create_source_git/source-git-branch-commit.yaml"),
-		},
-		{
-			name:   "source with semver",
-			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --tag-semver=v1.01 --interval=1m0s --export",
-			assert: assertGoldenFile("testdata/create_source_git/source-git-semver.yaml"),
-		},
-		{
-			name:   "source with git tag",
-			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --tag=test --interval=1m0s --export",
-			assert: assertGoldenFile("testdata/create_source_git/source-git-tag.yaml"),
-		},
-		{
-			name:   "source with git branch",
-			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=test --interval=1m0s --export",
-			assert: assertGoldenFile("testdata/create_source_git/source-git-branch.yaml"),
-		},
-		{
-			name:   "source with generic provider",
-			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --provider generic --branch=test --interval=1m0s --export",
-			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-generic.yaml"),
-		},
-		{
-			name:   "source with azure provider",
-			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider azure --branch=test --interval=1m0s --export",
-			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-azure.yaml"),
-		},
-		{
-			name:   "source with github provider",
-			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --provider github --branch=test --interval=1m0s --secret-ref appinfo --export",
-			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-github.yaml"),
-		},
-		{
-			name:   "source with invalid provider",
-			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider dummy --branch=test --interval=1m0s --export",
-			assert: assertError("invalid argument \"dummy\" for \"--provider\" flag: source Git provider 'dummy' is not supported, must be one of: generic|azure|github"),
-		},
-		{
-			name:   "source with empty provider",
-			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider \"\" --branch=test --interval=1m0s --export",
-			assert: assertError("invalid argument \"\" for \"--provider\" flag: no source Git provider given, please specify the Git provider name"),
-		},
-		{
-			name:   "source with no provider",
-			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --branch=test --interval=1m0s --export --provider",
-			assert: assertError("flag needs an argument: --provider"),
-		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -207,25 +141,13 @@ func TestCreateSourceGit(t *testing.T) {
 				repo.Status.Artifact = &sourcev1.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
-					LastUpdateTime: metav1.Time{
-						Time: time.Now(),
-					},
 				}
-				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		}, {
 			"Failed",
 			command,
 			assertError("failed message"),
 			func(repo *sourcev1.GitRepository) {
-				stalledCondition := metav1.Condition{
-					Type:               meta.StalledCondition,
-					Status:             metav1.ConditionTrue,
-					Reason:             sourcev1.URLInvalidReason,
-					Message:            "failed message",
-					ObservedGeneration: repo.GetGeneration(),
-				}
-				apimeta.SetStatusCondition(&repo.Status.Conditions, stalledCondition)
 				newCondition := metav1.Condition{
 					Type:               meta.ReadyCondition,
 					Status:             metav1.ConditionFalse,
@@ -234,7 +156,6 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
-				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		}, {
 			"NoArtifact",
@@ -250,7 +171,6 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
-				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		},
 	}

cmd/flux/create_source_helm.go

@@ -22,6 +22,8 @@ import (
 	"net/url"
 	"os"
 
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -31,11 +33,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 
-	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var createSourceHelmCmd = &cobra.Command{
@@ -63,13 +64,13 @@ For private Helm repositories, the basic authentication credentials are stored i
 
   # Create a source for an OCI Helm repository
   flux create source helm podinfo \
-    --url=oci://ghcr.io/stefanprodan/charts/podinfo \
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo
     --username=username \
     --password=password
 
   # Create a source for an OCI Helm repository using an existing secret with basic auth or dockerconfig credentials
   flux create source helm podinfo \
-    --url=oci://ghcr.io/stefanprodan/charts/podinfo \
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo
     --secret-ref=docker-config`,
 	RunE: createSourceHelmCmdRun,
 }
@@ -82,7 +83,6 @@ type sourceHelmFlags struct {
 	keyFile         string
 	caFile          string
 	secretRef       string
-	ociProvider     string
 	passCredentials bool
 }
 
@@ -96,7 +96,6 @@ func init() {
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
 	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS, basic auth or docker-config credentials")
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.ociProvider, "oci-provider", "", "OCI provider for authentication")
 	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")
 
 	createSourceCmd.AddCommand(createSourceHelmCmd)
@@ -144,7 +143,6 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if url.Scheme == sourcev1.HelmRepositoryTypeOCI {
 		helmRepository.Spec.Type = sourcev1.HelmRepositoryTypeOCI
-		helmRepository.Spec.Provider = sourceHelmArgs.ociProvider
 	}
 
 	if createSourceArgs.fetchTimeout > 0 {
@@ -170,25 +168,6 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	caBundle := []byte{}
-	if sourceHelmArgs.caFile != "" {
-		var err error
-		caBundle, err = os.ReadFile(sourceHelmArgs.caFile)
-		if err != nil {
-			return fmt.Errorf("unable to read TLS CA file: %w", err)
-		}
-	}
-
-	var certFile, keyFile []byte
-	if sourceHelmArgs.certFile != "" && sourceHelmArgs.keyFile != "" {
-		if certFile, err = os.ReadFile(sourceHelmArgs.certFile); err != nil {
-			return fmt.Errorf("failed to read cert file: %w", err)
-		}
-		if keyFile, err = os.ReadFile(sourceHelmArgs.keyFile); err != nil {
-			return fmt.Errorf("failed to read key file: %w", err)
-		}
-	}
-
 	logger.Generatef("generating HelmRepository source")
 	if sourceHelmArgs.secretRef == "" {
 		secretName := fmt.Sprintf("helm-%s", name)
@@ -197,9 +176,9 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			Namespace:    *kubeconfigArgs.Namespace,
 			Username:     sourceHelmArgs.username,
 			Password:     sourceHelmArgs.password,
-			CACrt:        caBundle,
+			CertFilePath: sourceHelmArgs.certFile,
-			TLSCrt:       certFile,
+			KeyFilePath:  sourceHelmArgs.keyFile,
-			TLSKey:       keyFile,
+			CAFilePath:   sourceHelmArgs.caFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
 		secret, err := sourcesecret.Generate(secretOpts)
@@ -230,12 +209,8 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for HelmRepository source reconciliation")
-	readyConditionFunc := isObjectReadyConditionFunc(kubeClient, namespacedName, helmRepository)
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-	if helmRepository.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		isHelmRepositoryReady(ctx, kubeClient, namespacedName, helmRepository)); err != nil {
-		// HelmRepository type OCI is a static object.
-		readyConditionFunc = isStaticObjectReadyConditionFunc(kubeClient, namespacedName, helmRepository)
-	}
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true, readyConditionFunc); err != nil {
 		return err
 	}
 	logger.Successf("HelmRepository source reconciliation completed")
@@ -282,3 +257,30 @@ func upsertHelmRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("source updated")
 	return namespacedName, nil
 }
+
+func isHelmRepositoryReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, helmRepository *sourcev1.HelmRepository) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, helmRepository)
+		if err != nil {
+			return false, err
+		}
+
+		if c := conditions.Get(helmRepository, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != helmRepository.GetGeneration() {
+				return false, nil
+			}
+
+			// Further check the Status
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/create_source_oci.go

@@ -1,268 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	"github.com/fluxcd/pkg/apis/meta"
-
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
-
-	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/v2/internal/utils"
-)
-
-var createSourceOCIRepositoryCmd = &cobra.Command{
-	Use:   "oci [name]",
-	Short: "Create or update an OCIRepository",
-	Long:  withPreviewNote(`The create source oci command generates an OCIRepository resource and waits for it to be ready.`),
-	Example: `  # Create an OCIRepository for a public container image
-  flux create source oci podinfo \
-    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
-    --tag=6.6.2 \
-    --interval=10m
-
-  # Create an OCIRepository with OIDC signature verification
-  flux create source oci podinfo \
-    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
-    --tag=6.6.2 \
-    --interval=10m \
-    --verify-provider=cosign \
-    --verify-subject="^https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2$" \
-    --verify-issuer="^https://token.actions.githubusercontent.com$"
-`,
-	RunE: createSourceOCIRepositoryCmdRun,
-}
-
-type sourceOCIRepositoryFlags struct {
-	url              string
-	tag              string
-	semver           string
-	digest           string
-	secretRef        string
-	proxySecretRef   string
-	serviceAccount   string
-	certSecretRef    string
-	verifyProvider   flags.SourceOCIVerifyProvider
-	verifySecretRef  string
-	verifyOIDCIssuer string
-	verifySubject    string
-	ignorePaths      []string
-	provider         flags.SourceOCIProvider
-	insecure         bool
-}
-
-var sourceOCIRepositoryArgs = newSourceOCIFlags()
-
-func newSourceOCIFlags() sourceOCIRepositoryFlags {
-	return sourceOCIRepositoryFlags{
-		provider: flags.SourceOCIProvider(sourcev1b2.GenericOCIProvider),
-	}
-}
-
-func init() {
-	createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
-	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.url, "url", "", "the OCI repository URL")
-	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.tag, "tag", "", "the OCI artifact tag")
-	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.semver, "tag-semver", "", "the OCI artifact tag semver range")
-	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.digest, "digest", "", "the OCI artifact digest")
-	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
-	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
-	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
-	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
-	createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
-	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
-	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
-	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
-	createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
-	createSourceOCIRepositoryCmd.Flags().BoolVar(&sourceOCIRepositoryArgs.insecure, "insecure", false, "for when connecting to a non-TLS registries over plain HTTP")
-
-	createSourceCmd.AddCommand(createSourceOCIRepositoryCmd)
-}
-
-func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
-	name := args[0]
-
-	if sourceOCIRepositoryArgs.url == "" {
-		return fmt.Errorf("url is required")
-	}
-
-	if sourceOCIRepositoryArgs.semver == "" && sourceOCIRepositoryArgs.tag == "" && sourceOCIRepositoryArgs.digest == "" {
-		return fmt.Errorf("--tag, --tag-semver or --digest is required")
-	}
-
-	sourceLabels, err := parseLabels()
-	if err != nil {
-		return err
-	}
-
-	var ignorePaths *string
-	if len(sourceOCIRepositoryArgs.ignorePaths) > 0 {
-		ignorePathsStr := strings.Join(sourceOCIRepositoryArgs.ignorePaths, "\n")
-		ignorePaths = &ignorePathsStr
-	}
-
-	repository := &sourcev1b2.OCIRepository{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: *kubeconfigArgs.Namespace,
-			Labels:    sourceLabels,
-		},
-		Spec: sourcev1b2.OCIRepositorySpec{
-			Provider: sourceOCIRepositoryArgs.provider.String(),
-			URL:      sourceOCIRepositoryArgs.url,
-			Insecure: sourceOCIRepositoryArgs.insecure,
-			Interval: metav1.Duration{
-				Duration: createArgs.interval,
-			},
-			Reference: &sourcev1b2.OCIRepositoryRef{},
-			Ignore:    ignorePaths,
-		},
-	}
-
-	if digest := sourceOCIRepositoryArgs.digest; digest != "" {
-		repository.Spec.Reference.Digest = digest
-	}
-	if semver := sourceOCIRepositoryArgs.semver; semver != "" {
-		repository.Spec.Reference.SemVer = semver
-	}
-	if tag := sourceOCIRepositoryArgs.tag; tag != "" {
-		repository.Spec.Reference.Tag = tag
-	}
-
-	if createSourceArgs.fetchTimeout > 0 {
-		repository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
-	}
-
-	if saName := sourceOCIRepositoryArgs.serviceAccount; saName != "" {
-		repository.Spec.ServiceAccountName = saName
-	}
-
-	if secretName := sourceOCIRepositoryArgs.secretRef; secretName != "" {
-		repository.Spec.SecretRef = &meta.LocalObjectReference{
-			Name: secretName,
-		}
-	}
-
-	if secretName := sourceOCIRepositoryArgs.proxySecretRef; secretName != "" {
-		repository.Spec.ProxySecretRef = &meta.LocalObjectReference{
-			Name: secretName,
-		}
-	}
-
-	if secretName := sourceOCIRepositoryArgs.certSecretRef; secretName != "" {
-		repository.Spec.CertSecretRef = &meta.LocalObjectReference{
-			Name: secretName,
-		}
-	}
-
-	if provider := sourceOCIRepositoryArgs.verifyProvider.String(); provider != "" {
-		repository.Spec.Verify = &sourcev1.OCIRepositoryVerification{
-			Provider: provider,
-		}
-		if secretName := sourceOCIRepositoryArgs.verifySecretRef; secretName != "" {
-			repository.Spec.Verify.SecretRef = &meta.LocalObjectReference{
-				Name: secretName,
-			}
-		}
-		verifyIssuer := sourceOCIRepositoryArgs.verifyOIDCIssuer
-		verifySubject := sourceOCIRepositoryArgs.verifySubject
-		if verifyIssuer != "" || verifySubject != "" {
-			repository.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
-				Issuer:  verifyIssuer,
-				Subject: verifySubject,
-			}}
-		}
-	} else if sourceOCIRepositoryArgs.verifySecretRef != "" {
-		return fmt.Errorf("a verification provider must be specified when a secret is specified")
-	} else if sourceOCIRepositoryArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
-		return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
-	}
-
-	if createArgs.export {
-		return printExport(exportOCIRepository(repository))
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-
-	logger.Actionf("applying OCIRepository")
-	namespacedName, err := upsertOCIRepository(ctx, kubeClient, repository)
-	if err != nil {
-		return err
-	}
-
-	logger.Waitingf("waiting for OCIRepository reconciliation")
-	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
-		isObjectReadyConditionFunc(kubeClient, namespacedName, repository)); err != nil {
-		return err
-	}
-	logger.Successf("OCIRepository reconciliation completed")
-
-	if repository.Status.Artifact == nil {
-		return fmt.Errorf("no artifact was found")
-	}
-	logger.Successf("fetched revision: %s", repository.Status.Artifact.Revision)
-	return nil
-}
-
-func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
-	ociRepository *sourcev1b2.OCIRepository) (types.NamespacedName, error) {
-	namespacedName := types.NamespacedName{
-		Namespace: ociRepository.GetNamespace(),
-		Name:      ociRepository.GetName(),
-	}
-
-	var existing sourcev1b2.OCIRepository
-	err := kubeClient.Get(ctx, namespacedName, &existing)
-	if err != nil {
-		if errors.IsNotFound(err) {
-			if err := kubeClient.Create(ctx, ociRepository); err != nil {
-				return namespacedName, err
-			} else {
-				logger.Successf("OCIRepository created")
-				return namespacedName, nil
-			}
-		}
-		return namespacedName, err
-	}
-
-	existing.Labels = ociRepository.Labels
-	existing.Spec = ociRepository.Spec
-	if err := kubeClient.Update(ctx, &existing); err != nil {
-		return namespacedName, err
-	}
-	ociRepository = &existing
-	logger.Successf("OCIRepository updated")
-	return namespacedName, nil
-}

cmd/flux/create_source_oci_test.go

@@ -1,96 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"testing"
-)
-
-func TestCreateSourceOCI(t *testing.T) {
-	tests := []struct {
-		name       string
-		args       string
-		assertFunc assertFunc
-	}{
-		{
-			name:       "NoArgs",
-			args:       "create source oci",
-			assertFunc: assertError("name is required"),
-		},
-		{
-			name:       "NoURL",
-			args:       "create source oci podinfo",
-			assertFunc: assertError("url is required"),
-		},
-		{
-			name:       "verify secret specified but provider missing",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-secret-ref=cosign-pub",
-			assertFunc: assertError("a verification provider must be specified when a secret is specified"),
-		},
-		{
-			name:       "verify issuer specified but provider missing",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github.com",
-			assertFunc: assertError("a verification provider must be specified when OIDC issuer/subject is specified"),
-		},
-		{
-			name:       "verify identity specified but provider missing",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-subject=developer",
-			assertFunc: assertError("a verification provider must be specified when OIDC issuer/subject is specified"),
-		},
-		{
-			name:       "verify issuer specified but subject missing",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github --verify-provider=cosign --export",
-			assertFunc: assertGoldenFile("./testdata/oci/export_with_issuer.golden"),
-		},
-		{
-			name:       "all verify fields set",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github verify-subject=stefanprodan --verify-provider=cosign --export",
-			assertFunc: assertGoldenFile("./testdata/oci/export_with_issuer.golden"),
-		},
-		{
-			name:       "verify subject specified but issuer missing",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-subject=stefanprodan --verify-provider=cosign --export",
-			assertFunc: assertGoldenFile("./testdata/oci/export_with_subject.golden"),
-		},
-		{
-			name:       "export manifest",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --export",
-			assertFunc: assertGoldenFile("./testdata/oci/export.golden"),
-		},
-		{
-			name:       "export manifest with secret",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --secret-ref=creds --export",
-			assertFunc: assertGoldenFile("./testdata/oci/export_with_secret.golden"),
-		},
-		{
-			name:       "export manifest with verify secret",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --verify-provider=cosign --verify-secret-ref=cosign-pub --export",
-			assertFunc: assertGoldenFile("./testdata/oci/export_with_verify_secret.golden"),
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cmd := cmdTestCase{
-				args:   tt.args,
-				assert: tt.assertFunc,
-			}
-
-			cmd.runTestCmd(t)
-		})
-	}
-}

cmd/flux/create_tenant.go

@@ -21,7 +21,7 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -37,8 +37,8 @@ import (
 var createTenantCmd = &cobra.Command{
 	Use:   "tenant",
 	Short: "Create or update a tenant",
-	Long: withPreviewNote(`The create tenant command generates namespaces, service accounts and role bindings to limit the
+	Long: `The create tenant command generates namespaces, service accounts and role bindings to limit the
-reconcilers scope to the tenant namespaces.`),
+reconcilers scope to the tenant namespaces.`,
 	Example: `  # Create a tenant with access to a namespace 
   flux create tenant dev-team \
     --with-namespace=frontend \

cmd/flux/debug.go

@@ -1,31 +0,0 @@
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"github.com/spf13/cobra"
-)
-
-var debugCmd = &cobra.Command{
-	Use:   "debug",
-	Short: "Debug a flux resource",
-	Long:  `The debug command can be used to troubleshoot failing resource reconciliations.`,
-}
-
-func init() {
-	rootCmd.AddCommand(debugCmd)
-}

cmd/flux/debug_helmrelease.go

@@ -1,113 +0,0 @@
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-
-	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	"github.com/fluxcd/pkg/chartutil"
-	"github.com/go-logr/logr"
-	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/yaml"
-
-	"github.com/fluxcd/flux2/v2/internal/utils"
-)
-
-var debugHelmReleaseCmd = &cobra.Command{
-	Use:     "helmrelease [name]",
-	Aliases: []string{"hr"},
-	Short:   "Debug a HelmRelease resource",
-	Long: withPreviewNote(`The debug helmrelease command can be used to troubleshoot failing Helm release reconciliations.
-WARNING: This command will print sensitive information if Kubernetes Secrets are referenced in the HelmRelease .spec.valuesFrom field.`),
-	Example: `  # Print the status of a Helm release
-  flux debug hr podinfo --show-status
-
-  # Export the final values of a Helm release composed from referred ConfigMaps and Secrets
-  flux debug hr podinfo --show-values > values.yaml`,
-	RunE:              debugHelmReleaseCmdRun,
-	Args:              cobra.ExactArgs(1),
-	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
-}
-
-type debugHelmReleaseFlags struct {
-	showStatus bool
-	showValues bool
-}
-
-var debugHelmReleaseArgs debugHelmReleaseFlags
-
-func init() {
-	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showStatus, "show-status", false, "print the status of the Helm release")
-	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showValues, "show-values", false, "print the final values of the Helm release")
-	debugCmd.AddCommand(debugHelmReleaseCmd)
-}
-
-func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
-	name := args[0]
-
-	if (!debugHelmReleaseArgs.showStatus && !debugHelmReleaseArgs.showValues) ||
-		(debugHelmReleaseArgs.showStatus && debugHelmReleaseArgs.showValues) {
-		return fmt.Errorf("either --show-status or --show-values must be set")
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-
-	hr := &helmv2.HelmRelease{}
-	hrName := types.NamespacedName{Namespace: *kubeconfigArgs.Namespace, Name: name}
-	if err := kubeClient.Get(ctx, hrName, hr); err != nil {
-		return err
-	}
-
-	if debugHelmReleaseArgs.showStatus {
-		status, err := yaml.Marshal(hr.Status)
-		if err != nil {
-			return err
-		}
-		rootCmd.Println("# Status documentation: https://fluxcd.io/flux/components/helm/helmreleases/#helmrelease-status")
-		rootCmd.Print(string(status))
-		return nil
-	}
-
-	if debugHelmReleaseArgs.showValues {
-		finalValues, err := chartutil.ChartValuesFromReferences(ctx,
-			logr.Discard(),
-			kubeClient,
-			hr.GetNamespace(),
-			hr.GetValues(),
-			hr.Spec.ValuesFrom...)
-		if err != nil {
-			return err
-		}
-
-		values, err := yaml.Marshal(finalValues)
-		if err != nil {
-			return err
-		}
-		rootCmd.Print(string(values))
-	}
-
-	return nil
-}

cmd/flux/debug_helmrelease_test.go

@@ -1,71 +0,0 @@
-//go:build unit
-// +build unit
-
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"testing"
-)
-
-func TestDebugHelmRelease(t *testing.T) {
-	namespace := allocateNamespace("debug")
-
-	objectFile := "testdata/debug_helmrelease/objects.yaml"
-	tmpl := map[string]string{
-		"fluxns": namespace,
-	}
-	testEnv.CreateObjectFile(objectFile, tmpl, t)
-
-	cases := []struct {
-		name       string
-		arg        string
-		goldenFile string
-		tmpl       map[string]string
-	}{
-		{
-			"debug status",
-			"debug helmrelease test-values-inline --show-status --show-values=false",
-			"testdata/debug_helmrelease/status.golden.yaml",
-			tmpl,
-		},
-		{
-			"debug values",
-			"debug helmrelease test-values-inline --show-values --show-status=false",
-			"testdata/debug_helmrelease/values-inline.golden.yaml",
-			tmpl,
-		},
-		{
-			"debug values from",
-			"debug helmrelease test-values-from --show-values --show-status=false",
-			"testdata/debug_helmrelease/values-from.golden.yaml",
-			tmpl,
-		},
-	}
-
-	for _, tt := range cases {
-		t.Run(tt.name, func(t *testing.T) {
-			cmd := cmdTestCase{
-				args:   tt.arg + " -n=" + namespace,
-				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
-			}
-
-			cmd.runTestCmd(t)
-		})
-	}
-}

cmd/flux/debug_kustomization.go

@@ -1,134 +0,0 @@
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"sort"
-	"strings"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
-	"github.com/fluxcd/pkg/kustomize"
-	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/yaml"
-
-	"github.com/fluxcd/flux2/v2/internal/utils"
-)
-
-var debugKustomizationCmd = &cobra.Command{
-	Use:     "kustomization [name]",
-	Aliases: []string{"ks"},
-	Short:   "Debug a Flux Kustomization resource",
-	Long: withPreviewNote(`The debug kustomization command can be used to troubleshoot failing Flux Kustomization reconciliations.
-WARNING: This command will print sensitive information if Kubernetes Secrets are referenced in the Kustomization .spec.postBuild.substituteFrom field.`),
-	Example: `  # Print the status of a Flux Kustomization
-  flux debug ks podinfo --show-status
-
-  # Export the final variables used for post-build substitutions composed from referred ConfigMaps and Secrets
-  flux debug ks podinfo --show-vars > vars.env`,
-	RunE:              debugKustomizationCmdRun,
-	Args:              cobra.ExactArgs(1),
-	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
-}
-
-type debugKustomizationFlags struct {
-	showStatus bool
-	showVars   bool
-}
-
-var debugKustomizationArgs debugKustomizationFlags
-
-func init() {
-	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showStatus, "show-status", false, "print the status of the Flux Kustomization")
-	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showVars, "show-vars", false, "print the final vars of the Flux Kustomization in dot env format")
-	debugCmd.AddCommand(debugKustomizationCmd)
-}
-
-func debugKustomizationCmdRun(cmd *cobra.Command, args []string) error {
-	name := args[0]
-
-	if (!debugKustomizationArgs.showStatus && !debugKustomizationArgs.showVars) ||
-		(debugKustomizationArgs.showStatus && debugKustomizationArgs.showVars) {
-		return fmt.Errorf("either --show-status or --show-vars must be set")
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-
-	ks := &kustomizev1.Kustomization{}
-	ksName := types.NamespacedName{Namespace: *kubeconfigArgs.Namespace, Name: name}
-	if err := kubeClient.Get(ctx, ksName, ks); err != nil {
-		return err
-	}
-
-	if debugKustomizationArgs.showStatus {
-		status, err := yaml.Marshal(ks.Status)
-		if err != nil {
-			return err
-		}
-		rootCmd.Println("# Status documentation: https://fluxcd.io/flux/components/kustomize/kustomizations/#kustomization-status")
-		rootCmd.Print(string(status))
-		return nil
-	}
-
-	if debugKustomizationArgs.showVars {
-		if ks.Spec.PostBuild == nil {
-			return errors.New("no post build substitutions found")
-		}
-
-		ksObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(ks)
-		if err != nil {
-			return err
-		}
-
-		finalVars, err := kustomize.LoadVariables(ctx, kubeClient, unstructured.Unstructured{Object: ksObj})
-		if err != nil {
-			return err
-		}
-
-		if len(ks.Spec.PostBuild.Substitute) > 0 {
-			for k, v := range ks.Spec.PostBuild.Substitute {
-				// Remove new lines from the values as they are not supported.
-				// Replicates the controller behavior from
-				// https://github.com/fluxcd/pkg/blob/main/kustomize/kustomize_varsub.go
-				finalVars[k] = strings.ReplaceAll(v, "\n", "")
-			}
-		}
-
-		keys := make([]string, 0, len(finalVars))
-		for k := range finalVars {
-			keys = append(keys, k)
-		}
-		sort.Strings(keys)
-
-		for _, k := range keys {
-			rootCmd.Println(k + "=" + finalVars[k])
-		}
-	}
-
-	return nil
-}

cmd/flux/debug_kustomization_test.go

@@ -1,71 +0,0 @@
-//go:build unit
-// +build unit
-
-/*
-Copyright 2024 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"testing"
-)
-
-func TestDebugKustomization(t *testing.T) {
-	namespace := allocateNamespace("debug")
-
-	objectFile := "testdata/debug_kustomization/objects.yaml"
-	tmpl := map[string]string{
-		"fluxns": namespace,
-	}
-	testEnv.CreateObjectFile(objectFile, tmpl, t)
-
-	cases := []struct {
-		name       string
-		arg        string
-		goldenFile string
-		tmpl       map[string]string
-	}{
-		{
-			"debug status",
-			"debug ks test --show-status --show-vars=false",
-			"testdata/debug_kustomization/status.golden.yaml",
-			tmpl,
-		},
-		{
-			"debug vars",
-			"debug ks test --show-vars --show-status=false",
-			"testdata/debug_kustomization/vars.golden.env",
-			tmpl,
-		},
-		{
-			"debug vars from",
-			"debug ks test-from --show-vars --show-status=false",
-			"testdata/debug_kustomization/vars-from.golden.env",
-			tmpl,
-		},
-	}
-
-	for _, tt := range cases {
-		t.Run(tt.name, func(t *testing.T) {
-			cmd := cmdTestCase{
-				args:   tt.arg + " -n=" + namespace,
-				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
-			}
-
-			cmd.runTestCmd(t)
-		})
-	}
-}