Set Homebrew formula name

Publish Homebrew formula

.github/workflows/release.yaml

@@ -82,3 +82,4 @@ jobs:
           args: release --release-notes=/tmp/release.txt --skip-validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}

.goreleaser.yml

@@ -8,9 +8,24 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm64
     env:
       - CGO_ENABLED=0
 archives:
   - name_template: "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
     files:
       - none*
+brews:
+  - name: gotk
+    tap:
+      owner: fluxcd
+      name: homebrew-tap
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    folder: Formula
+    homepage: "https://toolkit.fluxcd.io/"
+    description: "GitOps Toolkit CLI"
+    dependencies:
+      - name: kubectl
+        type: optional
+    test: |
+      system "#{bin}/gotk --version"

cmd/gotk/bootstrap.go

@@ -23,7 +23,6 @@ import (
 	"os"
 	"path"
 	"path/filepath"
-	"sigs.k8s.io/yaml"
 	"strings"
 	"time"
 
@@ -33,6 +32,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1alpha1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1alpha1"
@@ -49,6 +49,7 @@ var (
 	bootstrapComponents      []string
 	bootstrapRegistry        string
 	bootstrapImagePullSecret string
+	bootstrapArch            string
 )
 
 const (
@@ -63,10 +64,12 @@ func init() {
 		"toolkit version")
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapComponents, "components", defaultComponents,
 		"list of components, accepts comma-separated values")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapRegistry, "registry", "docker.io/fluxcd",
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapRegistry, "registry", "ghcr.io/fluxcd",
 		"container registry where the toolkit images are published")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapImagePullSecret, "image-pull-secret", "",
 		"Kubernetes secret name used for pulling the toolkit images from a private registry")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArch, "arch", "amd64",
+		"arch can be amd64 or arm64")
 	rootCmd.AddCommand(bootstrapCmd)
 }
 
@@ -78,7 +81,7 @@ func generateInstallManifests(targetPath, namespace, tmpDir string) (string, err
 		return "", fmt.Errorf("generating manifests failed: %w", err)
 	}
 
-	if err := genInstallManifests(bootstrapVersion, namespace, bootstrapComponents, bootstrapRegistry, bootstrapImagePullSecret, gotkDir); err != nil {
+	if err := genInstallManifests(bootstrapVersion, namespace, bootstrapComponents, bootstrapRegistry, bootstrapImagePullSecret, bootstrapArch, gotkDir); err != nil {
 		return "", fmt.Errorf("generating manifests failed: %w", err)
 	}
 

cmd/gotk/bootstrap_github.go

@@ -93,6 +93,10 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("%s environment variable not found", git.GitHubTokenName)
 	}
 
+	if !utils.containsItemString(supportedArch, bootstrapArch) {
+		return fmt.Errorf("arch %s is not supported, can be %v", bootstrapArch, supportedArch)
+	}
+
 	repository, err := git.NewRepository(ghRepository, ghOwner, ghHostname, ghToken, "gotk", ghOwner+"@users.noreply.github.com")
 	if err != nil {
 		return err

cmd/gotk/bootstrap_gitlab.go

@@ -86,6 +86,10 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("%s environment variable not found", git.GitLabTokenName)
 	}
 
+	if !utils.containsItemString(supportedArch, bootstrapArch) {
+		return fmt.Errorf("arch %s is not supported, can be %v", bootstrapArch, supportedArch)
+	}
+
 	repository, err := git.NewRepository(glRepository, glOwner, glHostname, glToken, "gotk", glOwner+"@users.noreply.gitlab.com")
 	if err != nil {
 		return err

cmd/gotk/create_helmrelease.go

@@ -42,37 +42,41 @@ var createHelmReleaseCmd = &cobra.Command{
 	Aliases: []string{"hr"},
 	Short:   "Create or update a HelmRelease resource",
 	Long:    "The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.",
-	Example: `  # Create a HelmRelease from a HelmRepository source
+	Example: `  # Create a HelmRelease with a chart from a HelmRepository source
   gotk create hr podinfo \
     --interval=10m \
-    --release-name=podinfo \
-    --target-namespace=default \
     --source=HelmRepository/podinfo \
     --chart=podinfo \
     --chart-version=">4.0.0"
 
-  # Create a HelmRelease from a GitRepository source
+  # Create a HelmRelease with a chart from a GitRepository source
   gotk create hr podinfo \
     --interval=10m \
-    --release-name=podinfo \
-    --target-namespace=default \
     --source=GitRepository/podinfo \
     --chart=./charts/podinfo
 
-  # Create a HelmRelease with values for a local YAML file
+  # Create a HelmRelease with values from a local YAML file
+  gotk create hr podinfo \
+    --source=HelmRepository/podinfo \
+    --chart=podinfo \
+    --values=./my-values.yaml
+
+  # Create a HelmRelease with a custom release name
+  gotk create hr podinfo \
+    --release-name=podinfo-dev
+    --source=HelmRepository/podinfo \
+    --chart=podinfo \
+
+  # Create a HelmRelease targeting another namespace than the resource
   gotk create hr podinfo \
     --target-namespace=default \
     --source=HelmRepository/podinfo \
-    --chart=podinfo \
+    --chart=podinfo
-    --chart-version=4.0.5 \
-    --values=./my-values.yaml
 
   # Create a HelmRelease definition on disk without applying it on the cluster
   gotk create hr podinfo \
-    --target-namespace=default \
     --source=HelmRepository/podinfo \
     --chart=podinfo \
-    --chart-version=4.0.5 \
     --values=./values.yaml \
     --export > podinfo-release.yaml
 `,
@@ -90,10 +94,10 @@ var (
 )
 
 func init() {
-	createHelmReleaseCmd.Flags().StringVar(&hrName, "release-name", "", "name used for the Helm release, defaults to a composition of '<target-namespace>-<hr-name>'")
+	createHelmReleaseCmd.Flags().StringVar(&hrName, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<hr-name>'")
 	createHelmReleaseCmd.Flags().StringVar(&hrSource, "source", "", "source that contains the chart (<kind>/<name>)")
 	createHelmReleaseCmd.Flags().StringVar(&hrChart, "chart", "", "Helm chart name or path")
-	createHelmReleaseCmd.Flags().StringVar(&hrChartVersion, "chart-version", "", "Helm chart version, accepts semver range (ignored for charts from GitRepository sources)")
+	createHelmReleaseCmd.Flags().StringVar(&hrChartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createHelmReleaseCmd.Flags().StringArrayVar(&hrDependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed")
 	createHelmReleaseCmd.Flags().StringVar(&hrTargetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
 	createHelmReleaseCmd.Flags().StringVar(&hrValuesFile, "values", "", "local path to the values.yaml file")

cmd/gotk/create_kustomization.go

@@ -73,15 +73,17 @@ var createKsCmd = &cobra.Command{
 }
 
 var (
-	ksSource        string
+	ksSource             string
-	ksPath          string
+	ksPath               string
-	ksPrune         bool
+	ksPrune              bool
-	ksDependsOn     []string
+	ksDependsOn          []string
-	ksValidation    string
+	ksValidation         string
-	ksHealthCheck   []string
+	ksHealthCheck        []string
-	ksHealthTimeout time.Duration
+	ksHealthTimeout      time.Duration
-	ksSAName        string
+	ksSAName             string
-	ksSANamespace   string
+	ksSANamespace        string
+	ksDecryptionProvider string
+	ksDecryptionSecret   string
 )
 
 func init() {
@@ -94,6 +96,8 @@ func init() {
 	createKsCmd.Flags().StringArrayVar(&ksDependsOn, "depends-on", nil, "Kustomization that must be ready before this Kustomization can be applied")
 	createKsCmd.Flags().StringVar(&ksSAName, "sa-name", "", "service account name")
 	createKsCmd.Flags().StringVar(&ksSANamespace, "sa-namespace", "", "service account namespace")
+	createKsCmd.Flags().StringVar(&ksDecryptionProvider, "decryption-provider", "", "enables secrets decryption, provider can be 'sops'")
+	createKsCmd.Flags().StringVar(&ksDecryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
 	createCmd.AddCommand(createKsCmd)
 }
 
@@ -178,6 +182,21 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if ksDecryptionProvider != "" {
+		if !utils.containsItemString(supportedDecryptionProviders, ksDecryptionProvider) {
+			return fmt.Errorf("decryption provider %s is not supported, can be %v",
+				ksDecryptionProvider, supportedDecryptionProviders)
+		}
+
+		kustomization.Spec.Decryption = &kustomizev1.Decryption{
+			Provider: ksDecryptionProvider,
+		}
+
+		if ksDecryptionSecret != "" {
+			kustomization.Spec.Decryption.SecretRef = &corev1.LocalObjectReference{Name: ksDecryptionSecret}
+		}
+	}
+
 	if export {
 		return exportKs(kustomization)
 	}

cmd/gotk/install.go

@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"github.com/fluxcd/pkg/untar"
 	"io/ioutil"
 	"net/http"
 	"os"
@@ -31,6 +30,8 @@ import (
 	"github.com/spf13/cobra"
 	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/krusty"
+
+	"github.com/fluxcd/pkg/untar"
 )
 
 var installCmd = &cobra.Command{
@@ -61,6 +62,7 @@ var (
 	installComponents      []string
 	installRegistry        string
 	installImagePullSecret string
+	installArch            string
 )
 
 func init() {
@@ -74,14 +76,20 @@ func init() {
 		"list of components, accepts comma-separated values")
 	installCmd.Flags().StringVar(&installManifestsPath, "manifests", "",
 		"path to the manifest directory, dev only")
-	installCmd.Flags().StringVar(&installRegistry, "registry", "docker.io/fluxcd",
+	installCmd.Flags().StringVar(&installRegistry, "registry", "ghcr.io/fluxcd",
 		"container registry where the toolkit images are published")
 	installCmd.Flags().StringVar(&installImagePullSecret, "image-pull-secret", "",
 		"Kubernetes secret name used for pulling the toolkit images from a private registry")
+	installCmd.Flags().StringVar(&installArch, "arch", "amd64",
+		"arch can be amd64 or arm64")
 	rootCmd.AddCommand(installCmd)
 }
 
 func installCmdRun(cmd *cobra.Command, args []string) error {
+	if !utils.containsItemString(supportedArch, installArch) {
+		return fmt.Errorf("arch %s is not supported, can be %v", installArch, supportedArch)
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
@@ -103,7 +111,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating manifests")
 	}
 	if kustomizePath == "" {
-		err = genInstallManifests(installVersion, namespace, installComponents, installRegistry, installImagePullSecret, tmpDir)
+		err = genInstallManifests(installVersion, namespace, installComponents, installRegistry, installImagePullSecret, installArch, tmpDir)
 		if err != nil {
 			return fmt.Errorf("install failed: %w", err)
 		}
@@ -192,6 +200,7 @@ fieldSpecs:
 var kustomizationTmpl = `---
 {{- $eventsAddr := .EventsAddr }}
 {{- $registry := .Registry }}
+{{- $arch := .Arch }}
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: {{.Namespace}}
@@ -231,7 +240,11 @@ patchesJson6902:
 images:
 {{- range $i, $component := .Components }}
   - name: fluxcd/{{$component}}
+{{- if eq $arch "amd64" }}
     newName: {{$registry}}/{{$component}}
+{{- else }}
+    newName: {{$registry}}/{{$component}}-{{$arch}}
+{{- end }}
 {{- end }}
 {{- end }}
 `
@@ -253,7 +266,7 @@ spec:
   template:
     spec:
       nodeSelector:
-        kubernetes.io/arch: amd64
+        kubernetes.io/arch: {{.Arch}}
         kubernetes.io/os: linux
 {{- if .ImagePullSecret }}
       imagePullSecrets:
@@ -295,7 +308,7 @@ func downloadManifests(version string, tmpDir string) error {
 	return nil
 }
 
-func genInstallManifests(version string, namespace string, components []string, registry, imagePullSecret, tmpDir string) error {
+func genInstallManifests(version string, namespace string, components []string, registry, imagePullSecret, arch, tmpDir string) error {
 	eventsAddr := ""
 	if utils.containsItemString(components, defaultNotification) {
 		eventsAddr = fmt.Sprintf("http://%s/", defaultNotification)
@@ -308,6 +321,7 @@ func genInstallManifests(version string, namespace string, components []string,
 		EventsAddr      string
 		Registry        string
 		ImagePullSecret string
+		Arch            string
 	}{
 		Version:         version,
 		Namespace:       namespace,
@@ -315,6 +329,7 @@ func genInstallManifests(version string, namespace string, components []string,
 		EventsAddr:      eventsAddr,
 		Registry:        registry,
 		ImagePullSecret: imagePullSecret,
+		Arch:            arch,
 	}
 
 	if err := downloadManifests(version, tmpDir); err != nil {

cmd/gotk/main.go

@@ -104,10 +104,12 @@ var (
 )
 
 var (
-	defaultComponents   = []string{"source-controller", "kustomize-controller", "helm-controller", "notification-controller"}
+	defaultComponents            = []string{"source-controller", "kustomize-controller", "helm-controller", "notification-controller"}
-	defaultVersion      = "latest"
+	defaultVersion               = "latest"
-	defaultNamespace    = "gitops-system"
+	defaultNamespace             = "gitops-system"
-	defaultNotification = "notification-controller"
+	defaultNotification          = "notification-controller"
+	supportedArch                = []string{"arm64", "amd64"}
+	supportedDecryptionProviders = []string{"sops"}
 )
 
 func init() {

docs/cmd/gotk_bootstrap.md

@@ -9,10 +9,11 @@ The bootstrap sub-commands bootstrap the toolkit components on the targeted Git
 ### Options
 
 ```
+      --arch string                arch can be amd64 or arm64 (default "amd64")
       --components strings         list of components, accepts comma-separated values (default [source-controller,kustomize-controller,helm-controller,notification-controller])
   -h, --help                       help for bootstrap
       --image-pull-secret string   Kubernetes secret name used for pulling the toolkit images from a private registry
-      --registry string            container registry where the toolkit images are published (default "docker.io/fluxcd")
+      --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
   -v, --version string             toolkit version (default "latest")
 ```
 

docs/cmd/gotk_bootstrap_github.md

@@ -54,11 +54,12 @@ gotk bootstrap github [flags]
 ### Options inherited from parent commands
 
 ```
+      --arch string                arch can be amd64 or arm64 (default "amd64")
       --components strings         list of components, accepts comma-separated values (default [source-controller,kustomize-controller,helm-controller,notification-controller])
       --image-pull-secret string   Kubernetes secret name used for pulling the toolkit images from a private registry
       --kubeconfig string          path to the kubeconfig file (default "~/.kube/config")
       --namespace string           the namespace scope for this operation (default "gitops-system")
-      --registry string            container registry where the toolkit images are published (default "docker.io/fluxcd")
+      --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
       --timeout duration           timeout for this operation (default 5m0s)
       --verbose                    print generated objects
   -v, --version string             toolkit version (default "latest")

docs/cmd/gotk_bootstrap_gitlab.md

@@ -51,11 +51,12 @@ gotk bootstrap gitlab [flags]
 ### Options inherited from parent commands
 
 ```
+      --arch string                arch can be amd64 or arm64 (default "amd64")
       --components strings         list of components, accepts comma-separated values (default [source-controller,kustomize-controller,helm-controller,notification-controller])
       --image-pull-secret string   Kubernetes secret name used for pulling the toolkit images from a private registry
       --kubeconfig string          path to the kubeconfig file (default "~/.kube/config")
       --namespace string           the namespace scope for this operation (default "gitops-system")
-      --registry string            container registry where the toolkit images are published (default "docker.io/fluxcd")
+      --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
       --timeout duration           timeout for this operation (default 5m0s)
       --verbose                    print generated objects
   -v, --version string             toolkit version (default "latest")

docs/cmd/gotk_create_helmrelease.md

@@ -13,37 +13,41 @@ gotk create helmrelease [name] [flags]
 ### Examples
 
 ```
-  # Create a HelmRelease from a HelmRepository source
+  # Create a HelmRelease with a chart from a HelmRepository source
   gotk create hr podinfo \
     --interval=10m \
-    --release-name=podinfo \
-    --target-namespace=default \
     --source=HelmRepository/podinfo \
     --chart=podinfo \
     --chart-version=">4.0.0"
 
-  # Create a HelmRelease from a GitRepository source
+  # Create a HelmRelease with a chart from a GitRepository source
   gotk create hr podinfo \
     --interval=10m \
-    --release-name=podinfo \
-    --target-namespace=default \
     --source=GitRepository/podinfo \
     --chart=./charts/podinfo
 
-  # Create a HelmRelease with values for a local YAML file
+  # Create a HelmRelease with values from a local YAML file
+  gotk create hr podinfo \
+    --source=HelmRepository/podinfo \
+    --chart=podinfo \
+    --values=./my-values.yaml
+
+  # Create a HelmRelease with a custom release name
+  gotk create hr podinfo \
+    --release-name=podinfo-dev
+    --source=HelmRepository/podinfo \
+    --chart=podinfo \
+
+  # Create a HelmRelease targeting another namespace than the resource
   gotk create hr podinfo \
     --target-namespace=default \
     --source=HelmRepository/podinfo \
-    --chart=podinfo \
+    --chart=podinfo
-    --chart-version=4.0.5 \
-    --values=./my-values.yaml
 
   # Create a HelmRelease definition on disk without applying it on the cluster
   gotk create hr podinfo \
-    --target-namespace=default \
     --source=HelmRepository/podinfo \
     --chart=podinfo \
-    --chart-version=4.0.5 \
     --values=./values.yaml \
     --export > podinfo-release.yaml
 
@@ -53,10 +57,10 @@ gotk create helmrelease [name] [flags]
 
 ```
       --chart string              Helm chart name or path
-      --chart-version string      Helm chart version, accepts semver range (ignored for charts from GitRepository sources)
+      --chart-version string      Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)
       --depends-on stringArray    HelmReleases that must be ready before this release can be installed
   -h, --help                      help for helmrelease
-      --release-name string       name used for the Helm release, defaults to a composition of '<target-namespace>-<hr-name>'
+      --release-name string       name used for the Helm release, defaults to a composition of '[<target-namespace>-]<hr-name>'
       --source string             source that contains the chart (<kind>/<name>)
       --target-namespace string   namespace to install this release, defaults to the HelmRelease namespace
       --values string             local path to the values.yaml file

docs/cmd/gotk_create_kustomization.md

@@ -48,6 +48,8 @@ gotk create kustomization [name] [flags]
 ### Options
 
 ```
+      --decryption-provider string      enables secrets decryption, provider can be 'sops'
+      --decryption-secret string        set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption
       --depends-on stringArray          Kustomization that must be ready before this Kustomization can be applied
       --health-check stringArray        workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'
       --health-check-timeout duration   timeout of health checking operations (default 2m0s)

docs/cmd/gotk_install.md

@@ -31,13 +31,14 @@ gotk install [flags]
 ### Options
 
 ```
+      --arch string                arch can be amd64 or arm64 (default "amd64")
       --components strings         list of components, accepts comma-separated values (default [source-controller,kustomize-controller,helm-controller,notification-controller])
       --dry-run                    only print the object that would be applied
       --export                     write the install manifests to stdout and exit
   -h, --help                       help for install
       --image-pull-secret string   Kubernetes secret name used for pulling the toolkit images from a private registry
       --manifests string           path to the manifest directory, dev only
-      --registry string            container registry where the toolkit images are published (default "docker.io/fluxcd")
+      --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
   -v, --version string             toolkit version (default "latest")
 ```
 

docs/get-started/index.md

@@ -19,17 +19,25 @@ export GITHUB_USER=<your-username>
 
 ## Install the toolkit CLI
 
-To install the latest `gotk` release run:
+To install the latest `gotk` release on MacOS and Linux using
+[Homebrew](https://brew.sh/) run:
+
+```sh
+brew tap fluxcd/tap
+brew install gotk
+```
+
+Or install `gotk` by downloading precompiled binaries using a Bash script:
 
 ```sh
 curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
 ```
 
 The install script downloads the gotk binary to `/usr/local/bin`.
-Binaries for macOS and Linux AMD64 are available for download on the 
+Binaries for macOS and Linux AMD64/ARM64 are available for download on the 
 [release page](https://github.com/fluxcd/toolkit/releases).
 
-To configure your shell to load gotk completions add to your bash profile:
+To configure your shell to load gotk completions add to your Bash profile:
 
 ```sh
 # ~/.bashrc or ~/.bash_profile

docs/guides/helmreleases.md

@@ -14,17 +14,28 @@ toolkit controllers installed on it.
 Please see the [get started guide](../get-started/index.md)
 or the [installation guide](installation.md).
 
-## Define a Helm repository
+## Define a chart source
 
-To be able to deploy a Helm chart, the Helm chart repository has to be
+To be able to release a Helm chart, the source that contains the chart
-known first to the source-controller, so that the `HelmRelease` can
+(either a `HelmRepository` or `GitRepository`) has to be known first to
-reference to it.
+the source-controller, so that the `HelmRelease` can reference to it.
 
 A cluster administrator should register trusted sources by creating
-`HelmRepository` resources in the `gitops-system` namespace.
+the resources in the `gitops-system` namespace. By default, the
-By default, the source-controller watches for sources only in the
+source-controller watches for sources only in the `gitops-system`
-`gitops-system` namespace, this way cluster admins can prevent
+namespace, this way cluster admins can prevent untrusted sources from
-untrusted sources from being registered by users.
+being registered by users.
+
+### Helm repository
+
+Helm repositories are the recommended source to retrieve Helm charts
+from, as they are lightweight in processing and make it possible to
+configure a semantic version selector for the chart version that should
+be released.
+
+They can be declared by creating a `HelmRepository` resource, the
+source-controller will fetch the Helm repository index for this
+resource on an interval and expose it as an artifact:
 
 ```yaml
 apiVersion: source.toolkit.fluxcd.io/v1alpha1
@@ -48,11 +59,73 @@ The `url` can be any HTTP/S Helm repository URL.
     HTTP/S basic and TLS authentication can be configured for private
     Helm repositories. See the [`HelmRepository` CRD docs](../components/source/helmrepositories.md)
     for more details.
+    
+### Git repository
+
+Charts from Git repositories can be released by declaring a
+`GitRepository`, the source-controller will fetch the contents
+of the repository on an interval and expose it as an artifact.
+
+The source-controller can build and expose Helm charts as
+artifacts from the contents of the `GitRepository` artifact
+(more about this later on in the guide).
+
+There are two caveats you should be aware of:
+
+* To make the source-controller produce a new chart artifact,
+  the `version` in the `Chart.yaml` of the chart **must** be
+  bumped.
+* Chart dependencies **must** be committed to Git, as the
+  source-controller does not attempt to download them. This
+  limitation may be removed in a future release.
+  
+An example `GitRepository`:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1alpha1
+kind: GitRepository
+metadata:
+  name: podinfo
+  namespace: gitops-system
+spec:
+  interval: 1m
+  url: https://github.com/stefanprodan/podinfo
+  ref:
+    branch: master
+  ignore: |
+    # exclude all
+    /*
+    # include charts directory
+    !/charts/
+```
+
+The `interval` defines at which interval the Git repository contents
+are fetched, and should be at least `1m`. Setting this to a higher
+value means newer chart versions will be detected at a slower pace,
+a push-based fetch can be introduced using [webhook receivers](webhook-receivers.md)
+
+The `url` can be any HTTP/S or SSH address (the latter requiring
+authentication).
+
+The `ref` defines the checkout strategy, and is set to follow the
+`master` branch in the above example. For other strategies like
+tags or commits, see the [`GitRepository` CRD docs](../components/source/gitrepositories.md).
+
+The `ignore` defines file and folder exclusion for the
+artifact produced, and follows the [`.gitignore` pattern
+format](https://git-scm.com/docs/gitignore#_pattern_format).
+The above example only includes the `charts` directory of the
+repository and omits all other files.
+
+!!! hint "Authentication"
+    HTTP/S basic and SSH authentication can be configured for private
+    Git repositories. See the [`GitRepository` CRD docs](../components/source/gitrepositories.md)
+    for more details.
 
 ## Define a Helm release
 
-With the `HelmRepository` created, define a new `HelmRelease` to deploy
+With the chart source created, define a new `HelmRelease` to release
-the Helm chart from the repository:
+the Helm chart:
 
 ```yaml
 apiVersion: helm.toolkit.fluxcd.io/v2alpha1
@@ -64,10 +137,10 @@ spec:
   interval: 5m
   chart:
     spec:
-      chart: podinfo
+      chart: <name|path>
       version: '4.0.x'
       sourceRef:
-        kind: HelmRepository
+        kind: <HelmRepository|GitRepository>
         name: podinfo
         namespace: gitops-system
       interval: 1m
@@ -75,19 +148,25 @@ spec:
     replicaCount: 2
 ```
 
-The `chart.spec.chart` is the name of the chart as made available by
-the Helm repository, and may not include any aliases.
-
-The `chart.spec.version` can be a fixed semver, or any semver range
-(i.e. `>=4.0.0 <5.0.0`).
-
 The `chart.spec` values are used by the helm-controller as a template
 to create a new `HelmChart` resource in the same namespace as the
 `sourceRef`. The source-controller will then lookup the chart in the
-artifact of the referenced `HelmRepository`, fetch the chart, and make
+artifact of the referenced source, and either fetch the chart for a
-it available as a `HelmChart` artifact to be used by the
+`HelmRepository`, or build it from a `GitRepository`. It will then
+make it available as a `HelmChart` artifact to be used by the
 helm-controller.
 
+The `chart.spec.chart` can either contain:
+
+* The name of the chart as made available by the `HelmRepository`
+  (without any aliases), for example: `podinfo`
+* The relative path the chart can be found at in the `GitRepository`,
+  for example: `./charts/podinfo`
+
+The `chart.spec.version` can be a fixed semver, or any semver range
+(i.e. `>=4.0.0 <5.0.0`). It is ignored for `HelmRelease` resources
+that reference a `GitRepository` source.
+
 !!! hint "Advanced configuration"
     The `HelmRelease` offers an extensive set of configurable flags
     for finer grain control over how Helm actions are performed.

docs/guides/installation.md

@@ -8,14 +8,25 @@ to manage one or more Kubernetes clusters.
 You will need a Kubernetes cluster version **1.16** or newer
 and kubectl version **1.18** or newer.
 
-Install the toolkit CLI with:
+## Install the toolkit CLI
+
+With Homebrew:
+
+```sh
+brew tap fluxcd/tap
+brew install gotk
+```
+
+With Bash:
 
 ```sh
 curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
+
+# enable completions in ~/.bash_profile
+. <(gotk completion)
 ```
 
-The install script downloads the gotk binary to `/usr/local/bin`.
+Binaries for macOS and Linux AMD64/ARM64 are available for download on the 
-Binaries for macOS and Linux AMD64 are available for download on the 
 [release page](https://github.com/fluxcd/toolkit/releases).
 
 Verify that your cluster satisfies the prerequisites with:
@@ -47,6 +58,10 @@ gotk bootstrap <GIT-PROVIDER> \
   --version=latest
 ```
 
+!!! hint "ARM64"
+    When deploying to a Kubernetes cluster with ARM 64-bit architecture,
+    you can use `--arch=arm64` to pull the linux/arm64 toolkit container images.
+
 If you wish to install a specific version, use the toolkit 
 [release tag](https://github.com/fluxcd/toolkit/releases) e.g. `--version=v0.0.14`.
 
@@ -169,16 +184,17 @@ Generate the toolkit manifests with:
 
 ```sh
 gotk install --version=latest \
+  --arch=amd64 \ # on ARM64/AARCH64 clusters use --arch=arm64
   --export > ./my-cluster/gitops-system/toolkit-components.yaml
 ```
 
 If your cluster must pull images from a private container registry, first you should pull
-the toolkit images from Docker Hub and push them to your registry, for example:
+the toolkit images from GitHub Container Registry and push them to your registry, for example:
 
 ```sh
-docker pull fluxcd/source-controller:v0.0.7
+docker pull ghcr.io/fluxcd/source-controller:v0.0.14
-docker tag fluxcd/source-controller:v0.0.7 registry.internal/fluxcd/source-controller:v0.0.7
+docker tag ghcr.io/fluxcd/source-controller:v0.0.14 registry.internal/fluxcd/source-controller:v0.0.14
-docker push registry.internal/fluxcd/source-controller:v0.0.7
+docker push registry.internal/fluxcd/source-controller:v0.0.14
 ```
 
 Create the pull secret in the `gitops-system` namespace:
@@ -324,9 +340,9 @@ gotk create helmrelease sealed-secrets \
 --interval=1h \
 --release-name=sealed-secrets \
 --target-namespace=gitops-system \
---source=stable \
+--source=HelmRepository/stable \
---chart-name=sealed-secrets \
+--chart=sealed-secrets \
---chart-version="^1.10.0"
+--chart-version="1.10.x"
 ```
 
 ### Monitoring with Prometheus and Grafana

docs/guides/mozilla-sops.md

@@ -0,0 +1,166 @@
+# Manage Kubernetes secrets with Mozilla SOPS
+
+In order to store secrets safely in a public or private Git repository, you can use
+Mozilla's [SOPS](https://github.com/mozilla/sops) CLI to encrypt 
+Kubernetes secrets with OpenPGP, AWS KMS, GCP KMS and Azure Key Vault.
+
+## Prerequisites
+
+To follow this guide you'll need a Kubernetes cluster with the GitOps 
+toolkit controllers installed on it.
+Please see the [get started guide](../get-started/index.md)
+or the [installation guide](installation.md).
+
+Install [gnupg](https://www.gnupg.org/) and [sops](https://github.com/mozilla/sops):
+
+```sh
+brew install gnupg sops
+```
+
+## Generate a GPG key
+
+Generate a GPG key with OpenPGP without specifying a passphrase:
+
+```console
+$ gpg --full-generate-key
+
+Real name: stefanprodan
+Email address: stefanprodan@users.noreply.github.com
+Comment: 
+You selected this USER-ID:
+    "stefanprodan <stefanprodan@users.noreply.github.com>"
+```
+
+Retrieve the GPG key ID (second row of the sec column):
+
+```console
+$ gpg --list-secret-keys stefanprodan@users.noreply.github.com
+
+sec   rsa3072 2020-09-06 [SC]
+      1F3D1CED2F865F5E59CA564553241F147E7C5FA4
+```
+
+Export the public and private keypair from your local GPG keyring and
+create a Kubernetes secret named `sops-gpg` in the `gitops-system` namespace:
+
+```sh
+gpg --export-secret-keys \
+--armor 1F3D1CED2F865F5E59CA564553241F147E7C5FA4 |
+kubectl create secret generic sops-gpg \
+--namespace=gitops-system \
+--from-file=sops.asc=/dev/stdin 
+```
+
+## Encrypt secrets
+
+Generate a Kubernetes secret manifest with kubectl:
+
+```sh
+kubectl -n default create secret generic basic-auth \
+--from-literal=user=admin \
+--from-literal=password=change-me \
+--dry-run=client \
+-o yaml > basic-auth.yaml
+```
+
+Encrypt the secret with sops using your GPG key:
+
+```sh
+sops --encrypt \
+--pgp=1F3D1CED2F865F5E59CA564553241F147E7C5FA4 \
+--encrypted-regex '^(data|stringData)$' \
+--in-place basic-auth.yaml
+```
+
+!!! hint
+    Note that you should encrypt only the `data` section. Encrypting the Kubernetes
+    secret metadata, kind or apiVersion is not supported by kustomize-controller.
+
+You can now commit the encrypted secret to your Git repository.
+
+## Configure secrets decryption
+
+Registry the Git repository on your cluster:
+
+```sh
+gotk create source git my-secrets \
+--url=https://github.com/my-org/my-secrets
+```
+
+Create a kustomization for reconciling the secrets on the cluster:
+
+```sh
+gotk create kustomization my-secrets \
+--source=my-secrets \
+--prune=true \
+--interval=10m \
+--decryption-provider=sops \
+--decryption-secret=sops-gpg
+```
+
+Note that the `sops-gpg` can contain more than one key, sops will try to decrypt the
+secrets by iterating over all the private keys until it finds one that works.
+
+!!! hint KMS
+    When using AWS/GCP KMS or Azure Key Vault, you'll have to bind an IAM Role
+    with read access to the KMS keys to the `default` service account of the
+    `gitops-system` namespace for kustomize-controller to be able to fetch
+    keys from KMS.
+
+## GitOps workflow
+
+A cluster admin should create the Kubernetes secret with the PGP keys on each cluster and
+add the GitRepository/Kustomization manifests to the fleet repository.
+
+Git repository manifest:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1alpha1
+kind: GitRepository
+metadata:
+  name: my-secrets
+  namespace: gitops-system
+spec:
+  interval: 1m
+  url: https://github.com/my-org/my-secrets
+```
+
+Kustomization manifest:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
+kind: Kustomization
+metadata:
+  name: my-secrets
+  namespace: gitops-system
+spec:
+  interval: 10m0s
+  sourceRef:
+    kind: GitRepository
+    name: my-secrets
+  path: ./
+  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+```
+
+!!! hint
+    You can generate the above manifests using `gotk create <kind> --export > manifest.yaml`.
+
+Assuming a team member wants to deploy an application that needs to connect
+to a database using a username and password, they'll be doing the following:
+
+* create a Kubernetes Secret manifest locally with the db credentials e.g. `db-auth.yaml`
+* encrypt the secret `data` field with sops
+* create a Kubernetes Deployment manifest for the app e.g. `app-deployment.yaml`
+* add the Secret to the Deployment manifest as a [volume mount or env var](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets)
+* commit the manifests `db-auth.yaml` and `app-deployment.yaml` to a Git repository that's being synced by the GitOps toolkit controllers
+
+Once the manifests have been pushed to the Git repository, the following happens:
+
+* source-controller pulls the changes from Git
+* kustomize-controller loads the GPG keys from the `sops-pgp` secret 
+* kustomize-controller decrypts the Kubernetes secrets with sops and applies them on the cluster
+* kubelet creates the pods and mounts the secret as a volume or env variable inside the app container

docs/guides/sealed-secrets.md

@@ -50,13 +50,13 @@ gotk create helmrelease sealed-secrets \
 --interval=1h \
 --release-name=sealed-secrets \
 --target-namespace=gitops-system \
---source=stable \
+--source=HelmRepository/stable \
---chart-name=sealed-secrets \
+--chart=sealed-secrets \
---chart-version="^1.10.0"
+--chart-version="1.10.x"
 ```
 
-With chart version `^1.10.0` we configure helm-controller to automatically upgrade the release
+With chart version `1.10.x` we configure helm-controller to automatically upgrade the release
-when a new chart version is fetch by source-controller. 
+when a new chart patch version is fetched by source-controller.
 
 At startup, the sealed-secrets controller generates a 4096-bit RSA key pair and 
 persists the private and public keys as Kubernetes secrets in the `gitops-system` namespace.
@@ -102,7 +102,7 @@ kubectl apply -f basic-auth-sealed.yaml
 Verify that the sealed-secrets controller has created the `basic-auth` Kubernetes Secret:
 
 ```console
-$ kubectl -n default get secrets basic-auth 
+$ kubectl -n default get secrets basic-auth
 
 NAME         TYPE     DATA   AGE
 basic-auth   Opaque   2      1m43s

go.mod

@@ -4,12 +4,12 @@ go 1.14
 
 require (
 	github.com/blang/semver v3.5.1+incompatible
-	github.com/fluxcd/helm-controller/api v0.0.6
+	github.com/fluxcd/helm-controller/api v0.0.7
-	github.com/fluxcd/kustomize-controller/api v0.0.8
+	github.com/fluxcd/kustomize-controller/api v0.0.10
 	github.com/fluxcd/pkg/git v0.0.6
 	github.com/fluxcd/pkg/ssh v0.0.5
 	github.com/fluxcd/pkg/untar v0.0.5
-	github.com/fluxcd/source-controller/api v0.0.13
+	github.com/fluxcd/source-controller/api v0.0.14
 	github.com/manifoldco/promptui v0.7.0
 	github.com/spf13/cobra v1.0.0
 	golang.org/x/net v0.0.0-20200602114024-627f9648deb9 // indirect

go.sum

@@ -111,18 +111,18 @@ github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M=
 github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fluxcd/helm-controller/api v0.0.6 h1:EpP1/cYClFrZqaw4B2mZ/qxTSDmvxJxj+VYZZR1XaTI=
+github.com/fluxcd/helm-controller/api v0.0.7 h1:aidjXvcklClH8omhYqiKswZ+MS6t8knOpUacsuESue8=
-github.com/fluxcd/helm-controller/api v0.0.6/go.mod h1:KlzwTkpphQxulgWBwCl/uxfBU0QxK/X+w4YcJqGy/1c=
+github.com/fluxcd/helm-controller/api v0.0.7/go.mod h1:KlzwTkpphQxulgWBwCl/uxfBU0QxK/X+w4YcJqGy/1c=
-github.com/fluxcd/kustomize-controller/api v0.0.8 h1:Yi5/MZuS2jXiRV73fuUkBCyRTuG0yx2HJTpWZaM+WHA=
+github.com/fluxcd/kustomize-controller/api v0.0.10 h1:dhkTOg3LzNQwRL+lO0YlzOP7AhdpZdghUQNXYhvfiYU=
-github.com/fluxcd/kustomize-controller/api v0.0.8/go.mod h1:c4035rZrt2p3RExpLe64ASVEvePm7FjiY4PzHKpRJXI=
+github.com/fluxcd/kustomize-controller/api v0.0.10/go.mod h1:88m3p6xY3J2pjh5OsL3ANy7PkyA93KiqAJE58JMQyoc=
 github.com/fluxcd/pkg/git v0.0.6 h1:4qktw8M3zj98MAs4ny6qSi36sYvTiI1czif5FqlQl4o=
 github.com/fluxcd/pkg/git v0.0.6/go.mod h1:9AI9yPkb2ruIcE70moVG3WhunA2/RAMJPc3rtoH8QFE=
 github.com/fluxcd/pkg/ssh v0.0.5 h1:rnbFZ7voy2JBlUfMbfyqArX2FYaLNpDhccGFC3qW83A=
 github.com/fluxcd/pkg/ssh v0.0.5/go.mod h1:7jXPdXZpc0ttMNz2kD9QuMi3RNn/e0DOFbj0Tij/+Hs=
 github.com/fluxcd/pkg/untar v0.0.5 h1:UGI3Ch1UIEIaqQvMicmImL1s9npQa64DJ/ozqHKB7gk=
 github.com/fluxcd/pkg/untar v0.0.5/go.mod h1:O6V9+rtl8c1mHBafgqFlJN6zkF1HS5SSYn7RpQJ/nfw=
-github.com/fluxcd/source-controller/api v0.0.13 h1:rf0uZ20OAN+yJVs0uHJUhw3n3ci9ZyjaLqt5Jt/5K9A=
+github.com/fluxcd/source-controller/api v0.0.14 h1:iNG6AGnr44z4T6F0JC2M82ekyxzJ29c3m+DVC7FwSHQ=
-github.com/fluxcd/source-controller/api v0.0.13/go.mod h1:PUe+EYQ/s+KPnz2iOCgdf+L6clM0SWkyvdXIpbfpkQE=
+github.com/fluxcd/source-controller/api v0.0.14/go.mod h1:PUe+EYQ/s+KPnz2iOCgdf+L6clM0SWkyvdXIpbfpkQE=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -726,35 +726,24 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI=
-k8s.io/api v0.18.4 h1:8x49nBRxuXGUlDlwlWd3RMY1SayZrzFfxea3UZSkFw4=
-k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4=
 k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI=
 k8s.io/api v0.18.8 h1:aIKUzJPb96f3fKec2lxtY7acZC9gQNDLVhfSGpxBAC4=
 k8s.io/api v0.18.8/go.mod h1:d/CXqwWv+Z2XEG1LgceeDmHQwpUJhROPx16SlxJgERY=
-k8s.io/apiextensions-apiserver v0.18.4 h1:Y3HGERmS8t9u12YNUFoOISqefaoGRuTc43AYCLzWmWE=
-k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio=
 k8s.io/apiextensions-apiserver v0.18.6/go.mod h1:lv89S7fUysXjLZO7ke783xOwVTm6lKizADfvUM/SS/M=
 k8s.io/apiextensions-apiserver v0.18.8 h1:pkqYPKTHa0/3lYwH7201RpF9eFm0lmZDFBNzhN+k/sA=
 k8s.io/apiextensions-apiserver v0.18.8/go.mod h1:7f4ySEkkvifIr4+BRrRWriKKIJjPyg9mb/p63dJKnlM=
 k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
-k8s.io/apimachinery v0.18.4 h1:ST2beySjhqwJoIFk6p7Hp5v5O0hYY6Gngq/gUYXTPIA=
-k8s.io/apimachinery v0.18.4/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
 k8s.io/apimachinery v0.18.6/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
 k8s.io/apimachinery v0.18.8 h1:jimPrycCqgx2QPearX3to1JePz7wSbVLq+7PdBTTwQ0=
 k8s.io/apimachinery v0.18.8/go.mod h1:6sQd+iHEqmOtALqOFjSWp2KZ9F0wlU/nWm0ZgsYWMig=
-k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8=
 k8s.io/apiserver v0.18.6/go.mod h1:Zt2XvTHuaZjBz6EFYzpp+X4hTmgWGy8AthNVnTdm3Wg=
 k8s.io/apiserver v0.18.8/go.mod h1:12u5FuGql8Cc497ORNj79rhPdiXQC4bf53X/skR/1YM=
 k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k=
-k8s.io/client-go v0.18.4 h1:un55V1Q/B3JO3A76eS0kUSywgGK/WR3BQ8fHQjNa6Zc=
-k8s.io/client-go v0.18.4/go.mod h1:f5sXwL4yAZRkAtzOxRWUhA/N8XzGCb+nPZI8PfobZ9g=
 k8s.io/client-go v0.18.6/go.mod h1:/fwtGLjYMS1MaM5oi+eXhKwG+1UHidUEXRh6cNsdO0Q=
 k8s.io/client-go v0.18.8 h1:SdbLpIxk5j5YbFr1b7fq8S7mDgDjYmUxSbszyoesoDM=
 k8s.io/client-go v0.18.8/go.mod h1:HqFqMllQ5NnQJNwjro9k5zMyfhZlOwpuTLVrxjkYSxU=
-k8s.io/code-generator v0.18.4/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c=
 k8s.io/code-generator v0.18.6/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c=
 k8s.io/code-generator v0.18.8/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c=
-k8s.io/component-base v0.18.4/go.mod h1:7jr/Ef5PGmKwQhyAz/pjByxJbC58mhKAhiaDu0vXfPk=
 k8s.io/component-base v0.18.6/go.mod h1:knSVsibPR5K6EW2XOjEHik6sdU5nCvKMrzMt2D4In14=
 k8s.io/component-base v0.18.8/go.mod h1:00frPRDas29rx58pPCxNkhUfPbwajlyyvu8ruNgSErU=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
@@ -776,8 +765,6 @@ mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIa
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=
 mvdan.cc/unparam v0.0.0-20190720180237-d51796306d8f/go.mod h1:4G1h5nDURzA3bwVMZIVpwbkw+04kSxk3rAtzlimaUJw=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0=
-sigs.k8s.io/controller-runtime v0.6.1 h1:LcK2+nk0kmaOnKGN+vBcWHqY5WDJNJNB/c5pW+sU8fc=
-sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A=
 sigs.k8s.io/controller-runtime v0.6.2 h1:jkAnfdTYBpFwlmBn3pS5HFO06SfxvnTZ1p5PeEF/zAA=
 sigs.k8s.io/controller-runtime v0.6.2/go.mod h1:vhcq/rlnENJ09SIRp3EveTaZ0yqH526hjf9iJdbUJ/E=
 sigs.k8s.io/kustomize/api v0.5.1 h1:iHGTs5LcnJGqHstUSxWD/kX6XZgmd82x79LLlZwDU0I=

install/gotk.sh

@@ -42,6 +42,9 @@ setup_verify_arch() {
         ARCH=$(uname -m)
     fi
     case ${ARCH} in
+        arm64)
+            ARCH=arm64
+            ;;
         amd64)
             ARCH=amd64
             ;;

manifests/bases/helm-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- github.com/fluxcd/helm-controller/config//crd?ref=v0.0.6
+- github.com/fluxcd/helm-controller/config//crd?ref=v0.0.7
-- github.com/fluxcd/helm-controller/config//manager?ref=v0.0.6
+- github.com/fluxcd/helm-controller/config//manager?ref=v0.0.7
 patchesJson6902:
 - target:
     group: apps

manifests/bases/kustomize-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- github.com/fluxcd/kustomize-controller/config//crd?ref=v0.0.8
+- github.com/fluxcd/kustomize-controller/config//crd?ref=v0.0.10
-- github.com/fluxcd/kustomize-controller/config//manager?ref=v0.0.8
+- github.com/fluxcd/kustomize-controller/config//manager?ref=v0.0.10
 patchesJson6902:
 - target:
     group: apps

manifests/bases/source-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- github.com/fluxcd/source-controller/config//crd?ref=v0.0.13
+- github.com/fluxcd/source-controller/config//crd?ref=v0.0.14
-- github.com/fluxcd/source-controller/config//manager?ref=v0.0.13
+- github.com/fluxcd/source-controller/config//manager?ref=v0.0.14
 patchesJson6902:
 - target:
     group: apps

mkdocs.yml

@@ -50,6 +50,7 @@ nav:
       - Setup Notifications: guides/notifications.md
       - Setup Webhook Receivers: guides/webhook-receivers.md
       - Sealed Secrets: guides/sealed-secrets.md
+      - Mozilla SOPS: guides/mozilla-sops.md
   - Toolkit Components:
     - Source Controller:
       - Overview: components/source/controller.md