Merge pull request #1594 from chanwit/status-selector

Add status-selector flag for get commands to filter results based on status conditions

.github/runners/README.md

@@ -0,0 +1,42 @@
+# Flux GitHub runners
+
+How to provision GitHub Actions self-hosted runners for Flux conformance testing.
+
+## ARM64 Instance specs
+
+In order to add a new runner to the GitHub Actions pool,
+first create an instance on Oracle Cloud with the following configuration:
+- OS: Canonical Ubuntu 20.04
+- Shape: VM.Standard.A1.Flex
+- OCPU Count: 2 
+- Memory (GB): 12
+- Network Bandwidth (Gbps): 2
+- Local Disk: Block Storage Only  
+
+Note that the instance image source must be **Canonical Ubuntu** instead of the default Oracle Linux.
+
+## ARM64 Instance setup
+
+- SSH into a newly created instance
+```shell
+ssh ubuntu@<instance-public-IP>
+``` 
+- Create the action runner dir
+```shell
+mkdir -p actions-runner && cd actions-runner
+```
+- Download the provisioning script
+```shell
+curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/arm64.sh > arm64.sh \
+  && chmod +x ./arm64.sh
+```
+- Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)
+- Run the provisioning script passing the token as the first argument
+```shell
+sudo ./arm64.sh <TOKEN>
+```
+- Reboot the instance
+```shell
+sudo reboot
+```  
+- Navigate to the GitHub repository [runners page](https://github.com/fluxcd/flux2/settings/actions/runners) and check the runner status

.github/runners/arm64.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The Flux authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is meant to be run locally and in CI to validate the Kubernetes
+# manifests (including Flux custom resources) before changes are merged into
+# the branch synced by Flux in-cluster.
+
+set -eu
+
+REPOSITORY_TOKEN=$1
+REPOSITORY_URL=${2:-https://github.com/fluxcd/flux2}
+
+KIND_VERSION=0.11.1
+KUBECTL_VERSION=1.21.2
+KUSTOMIZE_VERSION=4.1.3
+GITHUB_RUNNER_VERSION=2.278.0
+PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq"
+
+# install prerequisites
+apt-get update \
+  && apt-get install -y -q ${PACKAGES} \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+# install docker
+curl -fsSL https://get.docker.com -o get-docker.sh \
+  && chmod +x get-docker.sh
+./get-docker.sh
+systemctl enable docker.service
+systemctl enable containerd.service
+usermod -aG docker ubuntu
+
+# install kind
+curl -Lo ./kind https://kind.sigs.k8s.io/dl/v${KIND_VERSION}/kind-linux-arm64
+install -o root -g root -m 0755 kind /usr/local/bin/kind
+
+# install kubectl
+curl -LO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/arm64/kubectl"
+install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+
+# install kustomize
+curl -Lo ./kustomize.tar.gz https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_arm64.tar.gz \
+  && tar -zxvf kustomize.tar.gz \
+  && rm kustomize.tar.gz
+install -o root -g root -m 0755 kustomize /usr/local/bin/kustomize
+
+# download runner
+curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
+  && tar xzf actions-runner-linux-arm64.tar.gz \
+  && rm actions-runner-linux-arm64.tar.gz
+
+# install runner dependencies
+./bin/installdependencies.sh
+
+# register runner with GitHub
+sudo -u ubuntu ./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN}
+
+# start runner
+./svc.sh install
+./svc.sh start

.github/workflows/bootstrap.yaml

@@ -26,6 +26,9 @@ jobs:
           go-version: 1.16.x
       - name: Setup Kubernetes
         uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: v0.11.1
+          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
       - name: Setup Kustomize
         uses: fluxcd/pkg//actions/kustomize@main
       - name: Build
@@ -61,6 +64,13 @@ jobs:
           --team=team-z
         env:
           GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: libgit2
+        run: |
+          /tmp/flux create source git test-libgit2 \
+          --url=ssh://git@github.com/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} \
+          --git-implementation=libgit2 \
+          --secret-ref=flux-system \
+          --branch=main
       - name: uninstall
         run: |
           /tmp/flux uninstall -s --keep-namespace

.github/workflows/e2e-arm64.yaml

@@ -0,0 +1,108 @@
+name: e2e-arm64
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main, update-components ]
+
+jobs:
+  ampere:
+    # Runner info
+    # Owner: Stefan Prodan
+    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
+    runs-on: [self-hosted, Linux, ARM64]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16.x
+      - name: Prepare
+        id: prep
+        run: |
+          echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
+          echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
+      - name: Run unit tests
+        run: make test
+      - name: Check if working tree is dirty
+        run: |
+          if [[ $(git diff --stat) != '' ]]; then
+            git diff
+            echo 'run make test and commit changes'
+            exit 1
+          fi
+      - name: Build
+        run: |
+          go build -o /tmp/flux ./cmd/flux
+      - name: Setup Kubernetes Kind
+        run: |
+          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }}
+      - name: flux check --pre
+        run: |
+          /tmp/flux check --pre \
+          --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux install
+        run: |
+          /tmp/flux install \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create source git
+        run: |
+          /tmp/flux create source git podinfo-gogit \
+            --git-implementation=go-git \
+            --url https://github.com/stefanprodan/podinfo  \
+            --tag-semver=">1.0.0" \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+          /tmp/flux create source git podinfo-libgit2 \
+            --git-implementation=libgit2 \
+            --url https://github.com/stefanprodan/podinfo  \
+            --branch="master" \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create kustomization
+        run: |
+          /tmp/flux create kustomization podinfo \
+            --source=podinfo-gogit \
+            --path="./deploy/overlays/dev" \
+            --prune=true \
+            --interval=5m \
+            --validation=client \
+            --health-check="Deployment/frontend.dev" \
+            --health-check="Deployment/backend.dev" \
+            --health-check-timeout=3m \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create tenant
+        run: |
+          /tmp/flux create tenant dev-team \
+            --with-namespace=apps \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create helmrelease
+        run: |
+          /tmp/flux -n apps create source helm podinfo \
+            --url https://stefanprodan.github.io/podinfo \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+
+          /tmp/flux -n apps create hr podinfo-helm \
+            --source=HelmRepository/podinfo \
+            --chart=podinfo \
+            --chart-version="6.0.x" \
+            --service-account=dev-team \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux get all
+        run: |
+          /tmp/flux get all --all-namespaces \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux uninstall
+        run: |
+          /tmp/flux uninstall -s \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: Debug failure
+        if: failure()
+        run: |
+          kubectl --context ${{ steps.prep.outputs.CONTEXT }} -n flux-system get all
+          kubectl --context ${{ steps.prep.outputs.CONTEXT }} -n flux-system describe pods
+          /tmp/flux logs --all-namespaces
+      - name: Cleanup
+        if: always()
+        run: |
+          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}

.github/workflows/e2e.yaml

@@ -26,8 +26,8 @@ jobs:
       - name: Setup Kubernetes
         uses: engineerd/setup-kind@v0.5.0
         with:
-          version: "v0.10.0"
+          version: v0.11.1
-          image: kindest/node:v1.20.2@sha256:8f7ea6e7642c0da54f04a7ee10431549c0257315b3a634f6ef2fecaaedb19bab
+          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
           config: .github/kind/config.yaml # disable KIND-net
       - name: Setup Calico for network policy
         run: |
@@ -91,6 +91,12 @@ jobs:
             --health-check="Deployment/frontend.dev" \
             --health-check="Deployment/backend.dev" \
             --health-check-timeout=3m
+      - name: flux trace
+        run: |
+          /tmp/flux trace frontend \
+            --kind=deployment \
+            --api-version=apps/v1 \
+            --namespace=dev
       - name: flux reconcile kustomization --with-source
         run: |
           /tmp/flux reconcile kustomization podinfo --with-source
@@ -193,7 +199,7 @@ jobs:
           /tmp/flux create kustomization flux-system \
           --source=flux-system \
           --path=./clusters/staging
-          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=2m
+          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=5m
       - name: flux check
         run: |
           /tmp/flux check
@@ -205,6 +211,7 @@ jobs:
         run: |
           kubectl version --client --short
           kubectl -n flux-system get all
+          kubectl -n flux-system describe pods
           kubectl -n flux-system get kustomizations -oyaml
           kubectl -n flux-system logs deploy/source-controller
           kubectl -n flux-system logs deploy/kustomize-controller

README.md

@@ -22,13 +22,19 @@ Delivery on top of Kubernetes.
 
 ## Flux installation
 
-With Homebrew:
+With [Homebrew](https://brew.sh) for macOS and Linux:
 
 ```sh
 brew install fluxcd/tap/flux
 ```
 
-With Bash:
+With [GoFish](https://gofi.sh) for Windows, macOS and Linux:
+
+```sh
+gofish install flux
+```
+
+With Bash for macOS and Linux:
 
 ```sh
 curl -s https://fluxcd.io/install.sh | sudo bash
@@ -46,10 +52,10 @@ Arch Linux (AUR) packages:
 - [flux-scm](https://aur.archlinux.org/packages/flux-scm): build the latest
   (unstable) version from source code from our git `main` branch
 
-Binaries for macOS, Windows and Linux AMD64/ARM are available to download on the
+Binaries for macOS AMD64/ARM64, Linux AMD64/ARM/ARM64 and Windows are available to
-[release page](https://github.com/fluxcd/flux2/releases).
+download on the [release page](https://github.com/fluxcd/flux2/releases).
 
-A container image with `kubectl` and `flux` is available on Docker Hub and GitHub:
+A multi-arch container image with `kubectl` and `flux` is available on Docker Hub and GitHub:
 
 * `docker.io/fluxcd/flux-cli:<version>`
 * `ghcr.io/fluxcd/flux-cli:<version>`

action/README.md

@@ -10,11 +10,21 @@ Usage:
         run: flux -v
 ```
 
-Note that this action can only be used on GitHub **Linux AMD64** runners.
 The latest stable version of the `flux` binary is downloaded from
 GitHub [releases](https://github.com/fluxcd/flux2/releases)
 and placed at `/usr/local/bin/flux`.
 
+Note that this action can only be used on GitHub **Linux** runners.
+You can change the arch (defaults to `amd64`) with:
+
+```yaml
+    steps:
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+        with:
+          arch: arm64 # can be amd64, arm64 or arm
+```
+
 You can download a specific version with:
 
 ```yaml

action/action.yml

@@ -8,19 +8,24 @@ inputs:
   version:
     description: "Flux version e.g. 0.8.0 (defaults to latest stable release)"
     required: false
+  arch:
+    description: "arch can be amd64, arm64 or arm"
+    required: true
+    default: "amd64"
 runs:
   using: composite
   steps:
     - name: "Download flux binary to tmp"
       shell: bash
       run: |
+        ARCH=${{ inputs.arch }}
         VERSION=${{ inputs.version }}
 
         if [ -z $VERSION ]; then
           VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
         fi
 
-        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz"
+        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
         curl -sL ${BIN_URL} -o /tmp/flux.tar.gz
         mkdir -p /tmp/flux
         tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz

cmd/flux/bootstrap_git.go

@@ -30,7 +30,6 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	cryptossh "golang.org/x/crypto/ssh"
 	corev1 "k8s.io/api/core/v1"
 
 	"github.com/fluxcd/flux2/internal/bootstrap"
@@ -70,6 +69,7 @@ type gitFlags struct {
 	path     flags.SafeRelativePath
 	username string
 	password string
+	silent   bool
 }
 
 var gitArgs gitFlags
@@ -80,6 +80,7 @@ func init() {
 	bootstrapGitCmd.Flags().Var(&gitArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
+	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 
 	bootstrapCmd.AddCommand(bootstrapGitCmd)
 }
@@ -233,20 +234,7 @@ func transportForURL(u *url.URL) (transport.AuthMethod, error) {
 		}, nil
 	case "ssh":
 		if bootstrapArgs.privateKeyFile != "" {
-			// TODO(hidde): replace custom logic with https://github.com/go-git/go-git/pull/298
+			return ssh.NewPublicKeysFromFile(u.User.Username(), bootstrapArgs.privateKeyFile, gitArgs.password)
-			//  once made available in go-git release.
-			bytes, err := ioutil.ReadFile(bootstrapArgs.privateKeyFile)
-			if err != nil {
-				return nil, err
-			}
-			signer, err := cryptossh.ParsePrivateKey(bytes)
-			if _, ok := err.(*cryptossh.PassphraseMissingError); ok {
-				signer, err = cryptossh.ParsePrivateKeyWithPassphrase(bytes, []byte(gitArgs.password))
-			}
-			if err != nil {
-				return nil, err
-			}
-			return &ssh.PublicKeys{Signer: signer, User: u.User.Username()}, nil
 		}
 		return nil, nil
 	default:
@@ -261,13 +249,16 @@ func promptPublicKey(ctx context.Context, secret corev1.Secret, _ sourcesecret.O
 	}
 
 	logger.Successf("public key: %s", strings.TrimSpace(ppk))
-	prompt := promptui.Prompt{
+
-		Label:     "Please give the key access to your repository",
+	if !gitArgs.silent {
-		IsConfirm: true,
+		prompt := promptui.Prompt{
-	}
+			Label:     "Please give the key access to your repository",
-	_, err := prompt.Run()
+			IsConfirm: true,
-	if err != nil {
+		}
-		return fmt.Errorf("aborting")
+		_, err := prompt.Run()
+		if err != nil {
+			return fmt.Errorf("aborting")
+		}
 	}
 	return nil
 }

cmd/flux/create_helmrelease.go

@@ -87,7 +87,8 @@ var createHelmReleaseCmd = &cobra.Command{
 
   # Create a HelmRelease targeting another namespace than the resource
   flux create hr podinfo \
-    --target-namespace=default \
+    --target-namespace=test \
+    --create-target-namespace=true \
     --source=HelmRepository/podinfo \
     --chart=podinfo
 
@@ -113,6 +114,7 @@ type helmReleaseFlags struct {
 	chart           string
 	chartVersion    string
 	targetNamespace string
+	createNamespace bool
 	valuesFiles     []string
 	valuesFrom      flags.HelmReleaseValuesFrom
 	saName          string
@@ -128,6 +130,7 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
+	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.valuesFrom, "values-from", helmReleaseArgs.valuesFrom.Description())
@@ -167,6 +170,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 				Duration: createArgs.interval,
 			},
 			TargetNamespace: helmReleaseArgs.targetNamespace,
+
 			Chart: helmv2.HelmChartTemplate{
 				Spec: helmv2.HelmChartTemplateSpec{
 					Chart:   helmReleaseArgs.chart,
@@ -178,6 +182,9 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 					},
 				},
 			},
+			Install: &helmv2.Install{
+				CreateNamespace: helmReleaseArgs.createNamespace,
+			},
 			Suspend: false,
 		},
 	}
@@ -187,7 +194,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	if helmReleaseArgs.crds != "" {
-		helmRelease.Spec.Install = &helmv2.Install{CRDs: helmv2.Create}
+		helmRelease.Spec.Install.CRDs = helmv2.Create
 		helmRelease.Spec.Upgrade = &helmv2.Upgrade{CRDs: helmv2.CRDsPolicy(helmReleaseArgs.crds.String())}
 	}
 

cmd/flux/create_image_policy.go

@@ -28,7 +28,7 @@ import (
 
 	"github.com/fluxcd/pkg/apis/meta"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var createImagePolicyCmd = &cobra.Command{

cmd/flux/create_image_repository.go

@@ -26,7 +26,7 @@ import (
 
 	"github.com/fluxcd/pkg/apis/meta"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var createImageRepositoryCmd = &cobra.Command{

cmd/flux/create_image_update.go

@@ -22,7 +22,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 

cmd/flux/create_secret_git.go

@@ -63,19 +63,15 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
     --username=username \
     --password=password
 
-  # Create a Git SSH secret on disk and print the deploy key
+  # Create a Git SSH secret on disk
   flux create secret git podinfo-auth \
     --url=ssh://git@github.com/stefanprodan/podinfo \
     --export > podinfo-auth.yaml
 
-  yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
+  # Print the deploy key
-
+  yq eval '.stringData."identity.pub"' podinfo-auth.yaml
-  # Create a Git SSH secret on disk and encrypt it with Mozilla SOPS
-  flux create secret git podinfo-auth \
-    --namespace=apps \
-    --url=ssh://git@github.com/stefanprodan/podinfo \
-    --export > podinfo-auth.yaml
 
+  # Encrypt the secret on disk with Mozilla SOPS
   sops --encrypt --encrypted-regex '^(data|stringData)$' \
     --in-place podinfo-auth.yaml`,
 	RunE: createSecretGitCmdRun,

cmd/flux/create_source_helm.go

@@ -66,13 +66,14 @@ For private Helm repositories, the basic authentication credentials are stored i
 }
 
 type sourceHelmFlags struct {
-	url       string
+	url             string
-	username  string
+	username        string
-	password  string
+	password        string
-	certFile  string
+	certFile        string
-	keyFile   string
+	keyFile         string
-	caFile    string
+	caFile          string
-	secretRef string
+	secretRef       string
+	passCredentials bool
 }
 
 var sourceHelmArgs sourceHelmFlags
@@ -85,6 +86,7 @@ func init() {
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
 	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
+	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")
 
 	createSourceCmd.AddCommand(createSourceHelmCmd)
 }
@@ -132,6 +134,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: sourceHelmArgs.secretRef,
 		}
+		helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 	}
 
 	if createArgs.export {
@@ -175,6 +178,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
+			helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 			logger.Successf("authentication configured")
 		}
 	}

cmd/flux/delete_image_policy.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var deleteImagePolicyCmd = &cobra.Command{

cmd/flux/delete_image_repository.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var deleteImageRepositoryCmd = &cobra.Command{

cmd/flux/delete_image_update.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 )
 
 var deleteImageUpdateCmd = &cobra.Command{

cmd/flux/export_image_policy.go

@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var exportImagePolicyCmd = &cobra.Command{

cmd/flux/export_image_repository.go

@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var exportImageRepositoryCmd = &cobra.Command{

cmd/flux/export_image_update.go

@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 )
 
 var exportImageUpdateCmd = &cobra.Command{

cmd/flux/get.go

@@ -39,7 +39,9 @@ var getCmd = &cobra.Command{
 }
 
 type GetFlags struct {
-	allNamespaces bool
+	allNamespaces  bool
+	noHeader       bool
+	statusSelector string
 }
 
 var getArgs GetFlags
@@ -47,6 +49,9 @@ var getArgs GetFlags
 func init() {
 	getCmd.PersistentFlags().BoolVarP(&getArgs.allNamespaces, "all-namespaces", "A", false,
 		"list the requested object(s) across all namespaces")
+	getCmd.PersistentFlags().BoolVarP(&getArgs.noHeader, "no-header", "", false, "skip the header when printing the results")
+	getCmd.PersistentFlags().StringVar(&getArgs.statusSelector, "status-selector", "",
+		"specify the status condition name and the desired state to filter the get result, e.g. ready=false")
 	rootCmd.AddCommand(getCmd)
 }
 
@@ -54,6 +59,7 @@ type summarisable interface {
 	listAdapter
 	summariseItem(i int, includeNamespace bool, includeKind bool) []string
 	headers(includeNamespace bool) []string
+	statusSelectorMatches(i int, conditionType, conditionStatus string) bool
 }
 
 // --- these help with implementations of summarisable
@@ -65,6 +71,20 @@ func statusAndMessage(conditions []metav1.Condition) (string, string) {
 	return string(metav1.ConditionFalse), "waiting to be reconciled"
 }
 
+func statusMatches(conditionType, conditionStatus string, conditions []metav1.Condition) bool {
+	// we don't use apimeta.FindStatusCondition because we'd like to use EqualFold to compare two strings
+	var c *metav1.Condition
+	for i := range conditions {
+		if strings.EqualFold(conditions[i].Type, conditionType) {
+			c = &conditions[i]
+		}
+	}
+	if c != nil {
+		return strings.EqualFold(string(c.Status), conditionStatus)
+	}
+	return false
+}
+
 func nameColumns(item named, includeNamespace bool, includeKind bool) []string {
 	name := item.GetName()
 	if includeKind {
@@ -117,11 +137,27 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	header := get.list.headers(getArgs.allNamespaces)
+	var header []string
+	if !getArgs.noHeader {
+		header = get.list.headers(getArgs.allNamespaces)
+	}
+	noFilter := true
+	var conditionType, conditionStatus string
+	if getArgs.statusSelector != "" {
+		parts := strings.SplitN(getArgs.statusSelector, "=", 2)
+		if len(parts) != 2 {
+			return fmt.Errorf("expected status selector in type=status format, but found: %s", getArgs.statusSelector)
+		}
+		conditionType = parts[0]
+		conditionStatus = parts[1]
+		noFilter = false
+	}
 	var rows [][]string
 	for i := 0; i < get.list.len(); i++ {
-		row := get.list.summariseItem(i, getArgs.allNamespaces, getAll)
+		if noFilter || get.list.statusSelectorMatches(i, conditionType, conditionStatus) {
-		rows = append(rows, row)
+			row := get.list.summariseItem(i, getArgs.allNamespaces, getAll)
+			rows = append(rows, row)
+		}
 	}
 	utils.PrintTable(os.Stdout, header, rows)
 

cmd/flux/get_alert.go

@@ -55,3 +55,8 @@ func (s alertListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
+
+func (s alertListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := s.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_alertprovider.go

@@ -52,3 +52,8 @@ func (s alertProviderListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
+
+func (s alertProviderListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := s.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_helmrelease.go

@@ -56,3 +56,8 @@ func (a helmReleaseListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
+
+func (a helmReleaseListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_image_all.go

@@ -21,8 +21,8 @@ import (
 
 	"github.com/spf13/cobra"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var getImageAllCmd = &cobra.Command{

cmd/flux/get_image_policy.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var getImagePolicyCmd = &cobra.Command{
@@ -54,3 +54,8 @@ func (s imagePolicyListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
+
+func (s imagePolicyListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := s.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_image_repository.go

@@ -23,7 +23,7 @@ import (
 
 	"github.com/spf13/cobra"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var getImageRepositoryCmd = &cobra.Command{
@@ -63,3 +63,8 @@ func (s imageRepositoryListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
+
+func (s imageRepositoryListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := s.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_image_update.go

@@ -23,7 +23,7 @@ import (
 
 	"github.com/spf13/cobra"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 )
 
 var getImageUpdateCmd = &cobra.Command{
@@ -62,3 +62,8 @@ func (s imageUpdateAutomationListAdapter) headers(includeNamespace bool) []strin
 	}
 	return headers
 }
+
+func (s imageUpdateAutomationListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := s.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_kustomization.go

@@ -57,3 +57,8 @@ func (a kustomizationListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
+
+func (a kustomizationListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_receiver.go

@@ -55,3 +55,8 @@ func (s receiverListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
+
+func (s receiverListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := s.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_source_bucket.go

@@ -62,3 +62,8 @@ func (a bucketListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
+
+func (a bucketListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_source_chart.go

@@ -62,3 +62,8 @@ func (a helmChartListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
+
+func (a helmChartListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_source_git.go

@@ -62,3 +62,8 @@ func (a gitRepositoryListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
+
+func (a gitRepositoryListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_source_helm.go

@@ -62,3 +62,8 @@ func (a helmRepositoryListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
+
+func (a helmRepositoryListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/image.go

@@ -19,8 +19,8 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 // These are general-purpose adapters for attaching methods to, for

cmd/flux/reconcile_image_repository.go

@@ -21,7 +21,7 @@ import (
 
 	"github.com/spf13/cobra"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var reconcileImageRepositoryCmd = &cobra.Command{

cmd/flux/reconcile_image_updateauto.go

@@ -22,7 +22,7 @@ import (
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 	meta "github.com/fluxcd/pkg/apis/meta"
 )
 

cmd/flux/resume_image_repository.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var resumeImageRepositoryCmd = &cobra.Command{

cmd/flux/resume_image_updateauto.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 )
 
 var resumeImageUpdateCmd = &cobra.Command{

cmd/flux/suspend_image_repository.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 
 var suspendImageRepositoryCmd = &cobra.Command{

cmd/flux/suspend_image_updateauto.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 )
 
 var suspendImageUpdateCmd = &cobra.Command{

cmd/flux/trace.go

@@ -0,0 +1,488 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"fmt"
+	"text/template"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
+	fluxmeta "github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+)
+
+var traceCmd = &cobra.Command{
+	Use:   "trace [name]",
+	Short: "trace an in-cluster object throughout the GitOps delivery pipeline",
+	Long: `The trace command shows how an object is managed by Flux,
+from which source and revision it comes, and what's the latest reconciliation status.'`,
+	Example: `  # Trace a Kubernetes Deployment
+  flux trace my-app --kind=deployment --api-version=apps/v1 --namespace=apps
+
+  # Trace a Kubernetes Pod
+  flux trace redis-master-0 --kind=pod --api-version=v1 -n redis
+
+  # Trace a Kubernetes global object
+  flux trace redis --kind=namespace --api-version=v1
+
+  # Trace a Kubernetes custom resource
+  flux trace redis --kind=helmrelease --api-version=helm.toolkit.fluxcd.io/v2beta1 -n redis`,
+	RunE: traceCmdRun,
+}
+
+type traceFlags struct {
+	apiVersion string
+	kind       string
+}
+
+var traceArgs = traceFlags{}
+
+func init() {
+	traceCmd.Flags().StringVar(&traceArgs.kind, "kind", "",
+		"the Kubernetes object kind, e.g. Deployment'")
+	traceCmd.Flags().StringVar(&traceArgs.apiVersion, "api-version", "",
+		"the Kubernetes object API version, e.g. 'apps/v1'")
+	rootCmd.AddCommand(traceCmd)
+}
+
+func traceCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("object name is required")
+	}
+	name := args[0]
+
+	if traceArgs.kind == "" {
+		return fmt.Errorf("object kind is required (--kind)")
+	}
+
+	if traceArgs.apiVersion == "" {
+		return fmt.Errorf("object apiVersion is required (--api-version)")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	if err != nil {
+		return err
+	}
+
+	gv, err := schema.ParseGroupVersion(traceArgs.apiVersion)
+	if err != nil {
+		return fmt.Errorf("invaild apiVersion: %w", err)
+	}
+
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   gv.Group,
+		Version: gv.Version,
+		Kind:    traceArgs.kind,
+	})
+
+	objName := types.NamespacedName{
+		Namespace: rootArgs.namespace,
+		Name:      name,
+	}
+
+	err = kubeClient.Get(ctx, objName, obj)
+	if err != nil {
+		return fmt.Errorf("failed to find object: %w", err)
+	}
+
+	if ks, ok := isOwnerManagedByFlux(ctx, kubeClient, obj, kustomizev1.GroupVersion.Group); ok {
+		report, err := traceKustomization(ctx, kubeClient, ks, obj)
+		if err != nil {
+			return err
+		}
+		fmt.Println(report)
+		return nil
+	}
+
+	if hr, ok := isOwnerManagedByFlux(ctx, kubeClient, obj, helmv2.GroupVersion.Group); ok {
+		report, err := traceHelm(ctx, kubeClient, hr, obj)
+		if err != nil {
+			return err
+		}
+		fmt.Println(report)
+		return nil
+	}
+
+	return fmt.Errorf("object not managed by Flux")
+}
+
+func traceKustomization(ctx context.Context, kubeClient client.Client, ksName types.NamespacedName, obj *unstructured.Unstructured) (string, error) {
+	ks := &kustomizev1.Kustomization{}
+	ksReady := &metav1.Condition{}
+	err := kubeClient.Get(ctx, ksName, ks)
+	if err != nil {
+		return "", fmt.Errorf("failed to find kustomization: %w", err)
+	}
+	ksReady = meta.FindStatusCondition(ks.Status.Conditions, fluxmeta.ReadyCondition)
+
+	var ksRepository *sourcev1.GitRepository
+	var ksRepositoryReady *metav1.Condition
+	if ks.Spec.SourceRef.Kind == sourcev1.GitRepositoryKind {
+		ksRepository = &sourcev1.GitRepository{}
+		sourceNamespace := ks.Namespace
+		if ks.Spec.SourceRef.Namespace != "" {
+			sourceNamespace = ks.Spec.SourceRef.Namespace
+		}
+		err = kubeClient.Get(ctx, types.NamespacedName{
+			Namespace: sourceNamespace,
+			Name:      ks.Spec.SourceRef.Name,
+		}, ksRepository)
+		if err != nil {
+			return "", fmt.Errorf("failed to find GitRepository: %w", err)
+		}
+		ksRepositoryReady = meta.FindStatusCondition(ksRepository.Status.Conditions, fluxmeta.ReadyCondition)
+	}
+
+	var traceTmpl = `
+Object:        {{.ObjectName}}
+{{- if .ObjectNamespace }}
+Namespace:     {{.ObjectNamespace}}
+{{- end }}
+Status:        Managed by Flux
+{{- if .Kustomization }}
+---
+Kustomization: {{.Kustomization.Name}}
+Namespace:     {{.Kustomization.Namespace}}
+{{- if .Kustomization.Spec.TargetNamespace }}
+Target:        {{.Kustomization.Spec.TargetNamespace}}
+{{- end }}
+Path:          {{.Kustomization.Spec.Path}}
+Revision:      {{.Kustomization.Status.LastAppliedRevision}}
+{{- if .KustomizationReady }}
+Status:        Last reconciled at {{.KustomizationReady.LastTransitionTime}}
+Message:       {{.KustomizationReady.Message}}
+{{- else }}
+Status:        Unknown
+{{- end }}
+{{- end }}
+{{- if .GitRepository }}
+---
+GitRepository: {{.GitRepository.Name}}
+Namespace:     {{.GitRepository.Namespace}}
+URL:           {{.GitRepository.Spec.URL}}
+{{- if .GitRepository.Spec.Reference.Tag }}
+Tag:           {{.GitRepository.Spec.Reference.Tag}}
+{{- else if .GitRepository.Spec.Reference.SemVer }}
+Tag:           {{.GitRepository.Spec.Reference.SemVer}}
+{{- else if .GitRepository.Spec.Reference.Branch }}
+Branch:        {{.GitRepository.Spec.Reference.Branch}}
+{{- end }}
+{{- if .GitRepository.Status.Artifact }}
+Revision:      {{.GitRepository.Status.Artifact.Revision}}
+{{- end }}
+{{- if .GitRepositoryReady }}
+{{- if eq .GitRepositoryReady.Status "False" }}
+Status:        Last reconciliation failed at {{.GitRepositoryReady.LastTransitionTime}}
+{{- else }}
+Status:        Last reconciled at {{.GitRepositoryReady.LastTransitionTime}}
+{{- end }}
+Message:       {{.GitRepositoryReady.Message}}
+{{- else }}
+Status:        Unknown
+{{- end }}
+{{- end }}
+`
+
+	traceResult := struct {
+		ObjectName         string
+		ObjectNamespace    string
+		Kustomization      *kustomizev1.Kustomization
+		KustomizationReady *metav1.Condition
+		GitRepository      *sourcev1.GitRepository
+		GitRepositoryReady *metav1.Condition
+	}{
+		ObjectName:         obj.GetKind() + "/" + obj.GetName(),
+		ObjectNamespace:    obj.GetNamespace(),
+		Kustomization:      ks,
+		KustomizationReady: ksReady,
+		GitRepository:      ksRepository,
+		GitRepositoryReady: ksRepositoryReady,
+	}
+
+	t, err := template.New("tmpl").Parse(traceTmpl)
+	if err != nil {
+		return "", err
+	}
+
+	var data bytes.Buffer
+	writer := bufio.NewWriter(&data)
+	if err := t.Execute(writer, traceResult); err != nil {
+		return "", err
+	}
+
+	if err := writer.Flush(); err != nil {
+		return "", err
+	}
+
+	return data.String(), nil
+}
+
+func traceHelm(ctx context.Context, kubeClient client.Client, hrName types.NamespacedName, obj *unstructured.Unstructured) (string, error) {
+	hr := &helmv2.HelmRelease{}
+	hrReady := &metav1.Condition{}
+	err := kubeClient.Get(ctx, hrName, hr)
+	if err != nil {
+		return "", fmt.Errorf("failed to find HelmRelease: %w", err)
+	}
+	hrReady = meta.FindStatusCondition(hr.Status.Conditions, fluxmeta.ReadyCondition)
+
+	var hrChart *sourcev1.HelmChart
+	var hrChartReady *metav1.Condition
+	if chart := hr.Status.HelmChart; chart != "" {
+		hrChart = &sourcev1.HelmChart{}
+		err = kubeClient.Get(ctx, utils.ParseNamespacedName(chart), hrChart)
+		if err != nil {
+			return "", fmt.Errorf("failed to find HelmChart: %w", err)
+		}
+		hrChartReady = meta.FindStatusCondition(hrChart.Status.Conditions, fluxmeta.ReadyCondition)
+	}
+
+	var hrGitRepository *sourcev1.GitRepository
+	var hrGitRepositoryReady *metav1.Condition
+	if hr.Spec.Chart.Spec.SourceRef.Kind == sourcev1.GitRepositoryKind {
+		hrGitRepository = &sourcev1.GitRepository{}
+		sourceNamespace := hr.Namespace
+		if hr.Spec.Chart.Spec.SourceRef.Namespace != "" {
+			sourceNamespace = hr.Spec.Chart.Spec.SourceRef.Namespace
+		}
+		err = kubeClient.Get(ctx, types.NamespacedName{
+			Namespace: sourceNamespace,
+			Name:      hr.Spec.Chart.Spec.SourceRef.Name,
+		}, hrGitRepository)
+		if err != nil {
+			return "", fmt.Errorf("failed to find GitRepository: %w", err)
+		}
+		hrGitRepositoryReady = meta.FindStatusCondition(hrGitRepository.Status.Conditions, fluxmeta.ReadyCondition)
+	}
+
+	var hrHelmRepository *sourcev1.HelmRepository
+	var hrHelmRepositoryReady *metav1.Condition
+	if hr.Spec.Chart.Spec.SourceRef.Kind == sourcev1.HelmRepositoryKind {
+		hrHelmRepository = &sourcev1.HelmRepository{}
+		sourceNamespace := hr.Namespace
+		if hr.Spec.Chart.Spec.SourceRef.Namespace != "" {
+			sourceNamespace = hr.Spec.Chart.Spec.SourceRef.Namespace
+		}
+		err = kubeClient.Get(ctx, types.NamespacedName{
+			Namespace: sourceNamespace,
+			Name:      hr.Spec.Chart.Spec.SourceRef.Name,
+		}, hrHelmRepository)
+		if err != nil {
+			return "", fmt.Errorf("failed to find HelmRepository: %w", err)
+		}
+		hrHelmRepositoryReady = meta.FindStatusCondition(hrHelmRepository.Status.Conditions, fluxmeta.ReadyCondition)
+	}
+
+	var traceTmpl = `
+Object:         {{.ObjectName}}
+{{- if .ObjectNamespace }}
+Namespace:      {{.ObjectNamespace}}
+{{- end }}
+Status:         Managed by Flux
+{{- if .HelmRelease }}
+---
+HelmRelease:    {{.HelmRelease.Name}}
+Namespace:      {{.HelmRelease.Namespace}}
+{{- if .HelmRelease.Spec.TargetNamespace }}
+Target:         {{.HelmRelease.Spec.TargetNamespace}}
+{{- end }}
+Revision:       {{.HelmRelease.Status.LastAppliedRevision}}
+{{- if .HelmReleaseReady }}
+Status:         Last reconciled at {{.HelmReleaseReady.LastTransitionTime}}
+Message:        {{.HelmReleaseReady.Message}}
+{{- else }}
+Status:         Unknown
+{{- end }}
+{{- end }}
+{{- if .HelmChart }}
+---
+HelmChart:      {{.HelmChart.Name}}
+Namespace:      {{.HelmChart.Namespace}}
+Chart:          {{.HelmChart.Spec.Chart}}
+Version:        {{.HelmChart.Spec.Version}}
+{{- if .HelmChart.Status.Artifact }}
+Revision:       {{.HelmChart.Status.Artifact.Revision}}
+{{- end }}
+{{- if .HelmChartReady }}
+Status:         Last reconciled at {{.HelmChartReady.LastTransitionTime}}
+Message:        {{.HelmChartReady.Message}}
+{{- else }}
+Status:         Unknown
+{{- end }}
+{{- end }}
+{{- if .HelmRepository }}
+---
+HelmRepository: {{.HelmRepository.Name}}
+Namespace:      {{.HelmRepository.Namespace}}
+URL:            {{.HelmRepository.Spec.URL}}
+{{- if .HelmRepository.Status.Artifact }}
+Revision:       {{.HelmRepository.Status.Artifact.Revision}}
+{{- end }}
+{{- if .HelmRepositoryReady }}
+Status:         Last reconciled at {{.HelmRepositoryReady.LastTransitionTime}}
+Message:        {{.HelmRepositoryReady.Message}}
+{{- else }}
+Status:         Unknown
+{{- end }}
+{{- end }}
+{{- if .GitRepository }}
+---
+GitRepository: {{.GitRepository.Name}}
+Namespace:     {{.GitRepository.Namespace}}
+URL:           {{.GitRepository.Spec.URL}}
+{{- if .GitRepository.Spec.Reference.Tag }}
+Tag:           {{.GitRepository.Spec.Reference.Tag}}
+{{- else if .GitRepository.Spec.Reference.SemVer }}
+Tag:           {{.GitRepository.Spec.Reference.SemVer}}
+{{- else if .GitRepository.Spec.Reference.Branch }}
+Branch:        {{.GitRepository.Spec.Reference.Branch}}
+{{- end }}
+{{- if .GitRepository.Status.Artifact }}
+Revision:      {{.GitRepository.Status.Artifact.Revision}}
+{{- end }}
+{{- if .GitRepositoryReady }}
+{{- if eq .GitRepositoryReady.Status "False" }}
+Status:        Last reconciliation failed at {{.GitRepositoryReady.LastTransitionTime}}
+{{- else }}
+Status:        Last reconciled at {{.GitRepositoryReady.LastTransitionTime}}
+{{- end }}
+Message:       {{.GitRepositoryReady.Message}}
+{{- else }}
+Status:        Unknown
+{{- end }}
+{{- end }}
+`
+
+	traceResult := struct {
+		ObjectName          string
+		ObjectNamespace     string
+		HelmRelease         *helmv2.HelmRelease
+		HelmReleaseReady    *metav1.Condition
+		HelmChart           *sourcev1.HelmChart
+		HelmChartReady      *metav1.Condition
+		GitRepository       *sourcev1.GitRepository
+		GitRepositoryReady  *metav1.Condition
+		HelmRepository      *sourcev1.HelmRepository
+		HelmRepositoryReady *metav1.Condition
+	}{
+		ObjectName:          obj.GetKind() + "/" + obj.GetName(),
+		ObjectNamespace:     obj.GetNamespace(),
+		HelmRelease:         hr,
+		HelmReleaseReady:    hrReady,
+		HelmChart:           hrChart,
+		HelmChartReady:      hrChartReady,
+		GitRepository:       hrGitRepository,
+		GitRepositoryReady:  hrGitRepositoryReady,
+		HelmRepository:      hrHelmRepository,
+		HelmRepositoryReady: hrHelmRepositoryReady,
+	}
+
+	t, err := template.New("tmpl").Parse(traceTmpl)
+	if err != nil {
+		return "", err
+	}
+
+	var data bytes.Buffer
+	writer := bufio.NewWriter(&data)
+	if err := t.Execute(writer, traceResult); err != nil {
+		return "", err
+	}
+
+	if err := writer.Flush(); err != nil {
+		return "", err
+	}
+
+	return data.String(), nil
+}
+
+func isManagedByFlux(obj *unstructured.Unstructured, group string) (types.NamespacedName, bool) {
+	nameKey := fmt.Sprintf("%s/name", group)
+	namespaceKey := fmt.Sprintf("%s/namespace", group)
+	namespacedName := types.NamespacedName{}
+
+	for k, v := range obj.GetLabels() {
+		if k == nameKey {
+			namespacedName.Name = v
+		}
+		if k == namespaceKey {
+			namespacedName.Namespace = v
+		}
+	}
+
+	if namespacedName.Name == "" {
+		return namespacedName, false
+	}
+	return namespacedName, true
+}
+
+func isOwnerManagedByFlux(ctx context.Context, kubeClient client.Client, obj *unstructured.Unstructured, group string) (types.NamespacedName, bool) {
+	if n, ok := isManagedByFlux(obj, group); ok {
+		return n, true
+	}
+
+	namespacedName := types.NamespacedName{}
+	for _, reference := range obj.GetOwnerReferences() {
+		owner := &unstructured.Unstructured{}
+		gv, err := schema.ParseGroupVersion(reference.APIVersion)
+		if err != nil {
+			return namespacedName, false
+		}
+
+		owner.SetGroupVersionKind(schema.GroupVersionKind{
+			Group:   gv.Group,
+			Version: gv.Version,
+			Kind:    reference.Kind,
+		})
+
+		ownerName := types.NamespacedName{
+			Namespace: obj.GetNamespace(),
+			Name:      reference.Name,
+		}
+
+		err = kubeClient.Get(ctx, ownerName, owner)
+		if err != nil {
+			return namespacedName, false
+		}
+
+		if n, ok := isManagedByFlux(owner, group); ok {
+			return n, true
+		}
+
+		if len(owner.GetOwnerReferences()) > 0 {
+			return isOwnerManagedByFlux(ctx, kubeClient, owner, group)
+		}
+	}
+
+	return namespacedName, false
+}

go.mod

@@ -6,31 +6,30 @@ require (
 	github.com/Masterminds/semver/v3 v3.1.0
 	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/fluxcd/go-git-providers v0.1.1
-	github.com/fluxcd/helm-controller/api v0.10.1
+	github.com/fluxcd/helm-controller/api v0.11.1
-	github.com/fluxcd/image-automation-controller/api v0.9.1
+	github.com/fluxcd/image-automation-controller/api v0.14.0
-	github.com/fluxcd/image-reflector-controller/api v0.9.1
+	github.com/fluxcd/image-reflector-controller/api v0.11.0
-	github.com/fluxcd/kustomize-controller/api v0.12.0
+	github.com/fluxcd/kustomize-controller/api v0.13.2
-	github.com/fluxcd/notification-controller/api v0.13.0
+	github.com/fluxcd/notification-controller/api v0.15.0
-	github.com/fluxcd/pkg/apis/meta v0.9.0
+	github.com/fluxcd/pkg/apis/meta v0.10.0
-	github.com/fluxcd/pkg/runtime v0.11.0
+	github.com/fluxcd/pkg/runtime v0.12.0
 	github.com/fluxcd/pkg/ssh v0.0.5
 	github.com/fluxcd/pkg/untar v0.0.5
 	github.com/fluxcd/pkg/version v0.0.1
-	github.com/fluxcd/source-controller/api v0.12.2
+	github.com/fluxcd/source-controller/api v0.15.3
-	github.com/go-git/go-git/v5 v5.1.0
+	github.com/go-git/go-git/v5 v5.4.2
 	github.com/google/go-containerregistry v0.2.0
 	github.com/manifoldco/promptui v0.7.0
 	github.com/olekukonko/tablewriter v0.0.4
-	github.com/spf13/cobra v1.1.1
+	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0
+	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
-	k8s.io/api v0.20.4
+	k8s.io/api v0.21.1
-	k8s.io/apiextensions-apiserver v0.20.4
+	k8s.io/apiextensions-apiserver v0.21.1
-	k8s.io/apimachinery v0.20.4
+	k8s.io/apimachinery v0.21.1
-	k8s.io/cli-runtime v0.20.2 // indirect
+	k8s.io/client-go v0.21.1
-	k8s.io/client-go v0.20.4
+	sigs.k8s.io/cli-utils v0.25.1-0.20210608181808-f3974341173a
-	sigs.k8s.io/cli-utils v0.22.2
+	sigs.k8s.io/controller-runtime v0.9.0
-	sigs.k8s.io/controller-runtime v0.8.3
+	sigs.k8s.io/kustomize/api v0.8.10
-	sigs.k8s.io/kustomize/api v0.7.4
 	sigs.k8s.io/yaml v1.2.0
 )

internal/utils/utils.go

@@ -17,7 +17,6 @@ limitations under the License.
 package utils
 
 import (
-	"bufio"
 	"bytes"
 	"context"
 	"fmt"
@@ -28,7 +27,6 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
-	"text/template"
 
 	"github.com/olekukonko/tablewriter"
 	appsv1 "k8s.io/api/apps/v1"
@@ -38,6 +36,7 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	apiruntime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	sigyaml "k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
@@ -45,8 +44,8 @@ import (
 	"sigs.k8s.io/yaml"
 
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	imageautov1 "github.com/fluxcd/image-automation-controller/api/v1alpha2"
+	imageautov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
-	imagereflectv1 "github.com/fluxcd/image-reflector-controller/api/v1alpha2"
+	imagereflectv1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/runtime/dependency"
@@ -109,36 +108,6 @@ func ExecKubectlCommand(ctx context.Context, mode ExecMode, kubeConfigPath strin
 	return "", nil
 }
 
-func ExecTemplate(obj interface{}, tmpl, filename string) error {
-	t, err := template.New("tmpl").Parse(tmpl)
-	if err != nil {
-		return err
-	}
-
-	var data bytes.Buffer
-	writer := bufio.NewWriter(&data)
-	if err := t.Execute(writer, obj); err != nil {
-		return err
-	}
-
-	if err := writer.Flush(); err != nil {
-		return err
-	}
-
-	file, err := os.Create(filename)
-	if err != nil {
-		return err
-	}
-	defer file.Close()
-
-	_, err = io.WriteString(file, data.String())
-	if err != nil {
-		return err
-	}
-
-	return file.Sync()
-}
-
 func KubeConfig(kubeConfigPath string, kubeContext string) (*rest.Config, error) {
 	configFiles := SplitKubeConfigPath(kubeConfigPath)
 	configOverrides := clientcmd.ConfigOverrides{}
@@ -156,6 +125,10 @@ func KubeConfig(kubeConfigPath string, kubeContext string) (*rest.Config, error)
 		return nil, fmt.Errorf("kubernetes configuration load failed: %w", err)
 	}
 
+	// avoid throttling request when some Flux CRDs are not registered
+	cfg.QPS = 50
+	cfg.Burst = 100
+
 	return cfg, nil
 }
 
@@ -221,6 +194,21 @@ func ContainsEqualFoldItemString(s []string, e string) (string, bool) {
 	return "", false
 }
 
+// ParseNamespacedName extracts the NamespacedName of a resource
+// based on the '<namespace>/<name>' format
+func ParseNamespacedName(input string) types.NamespacedName {
+	parts := strings.Split(input, "/")
+	if len(parts) == 2 {
+		return types.NamespacedName{
+			Namespace: parts[0],
+			Name:      parts[1],
+		}
+	}
+	return types.NamespacedName{
+		Name: input,
+	}
+}
+
 // ParseObjectKindName extracts the kind and name of a resource
 // based on the '<kind>/<name>' format
 func ParseObjectKindName(input string) (kind, name string) {

manifests/bases/helm-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.deployment.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/image-automation-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.9.1/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.14.0/image-automation-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.9.1/image-automation-controller.deployment.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.14.0/image-automation-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/image-reflector-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.11.0/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.deployment.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.11.0/image-reflector-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/kustomize-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.0/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.2/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.0/kustomize-controller.deployment.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.2/kustomize-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/notification-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/notification-controller/releases/download/v0.13.0/notification-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v0.13.0/notification-controller.deployment.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
   - target:

manifests/bases/source-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.12.2/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.15.3/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.12.2/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.15.3/source-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/crds/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.12.2/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.15.3/source-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.12.0/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.2/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.10.1/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v0.13.0/notification-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.9.1/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.11.0/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.9.1/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.14.0/image-automation-controller.crds.yaml

manifests/integrations/Makefile

@@ -0,0 +1,14 @@
+
+bases := $(shell dirname $(shell find | grep kustomization.yaml | sort))
+
+all: $(bases)
+
+permutations := $(bases) $(addsuffix /,$(bases))
+.PHONY: $(permutations)
+$(permutations):
+	@echo $@
+	@warnings=$$(kustomize build $@ -o /dev/null 2>&1); \
+		if [ "$$warnings" ]; then \
+			echo "$$warnings"; \
+			false; \
+		fi

manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  template:
+    spec:
+      initContainers:
+        - image: bitnami/kubectl
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+          name: copy-kubectl
+          # it's okay to do this because kubectl is a statically linked binary
+          command:
+            - sh
+            - -ceu
+            - cp $(which kubectl) /kbin/
+          resources: {}
+          volumeMounts:
+            - name: kbin
+              mountPath: /kbin
+      containers:
+        - name: sync
+          volumeMounts:
+            - name: kbin
+              mountPath: /kbin
+      volumes:
+        - name: kbin
+          emptyDir: {}

manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml

@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonLabels:
+  app: credentials-sync-eventhub
+
+resources:
+  - sync.yaml
+
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
+vars:
+  - name: KUBE_SECRET
+    objref:
+      kind: ConfigMap
+      name: credentials-sync-eventhub
+      apiVersion: v1
+    fieldref:
+      fieldpath: data.KUBE_SECRET
+
+configurations:
+  - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_base/kustomizeconfig.yaml

@@ -0,0 +1,3 @@
+varReference:
+- path: rules/resourceNames
+  kind: Role

manifests/integrations/eventhub-credentials-sync/_base/sync.yaml

@@ -0,0 +1,133 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync-eventhub
+data:
+  # Patch this ConfigMap with additional values needed for your cloud
+  KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
+  ADDRESS: "fluxv2" # the Azure Event Hub name
+  SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
+
+---
+# This Deployment frequently fetches registry tokens and applies them as an imagePullSecret.
+# It's done as a 1-replica Deployment rather than a CronJob, because CronJob scheduling can
+# block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
+# This deployment will immediately fetch a token, which reduces latency for working image updates.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    spec:
+      serviceAccountName: credentials-sync-eventhub
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1001
+      containers:
+        - image: busybox # override this with a cloud-specific image
+          name: sync
+          envFrom:
+            - configMapRef:
+                name: credentials-sync-eventhub
+          env:
+            - name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
+              value: |-
+                reconcile() {
+                  echo reconciling...
+                }
+          command:
+            - bash
+            - -ceu
+            - |-
+              # template reconcile() into the script
+              # env var is expanded by k8s before the pod starts
+              $(RECONCILE_SH)
+
+              apply-secret() {
+                /kbin/kubectl create secret generic "${1}" \
+                  --from-literal=token="${2}" \
+                  --from-literal=address="${3}" \
+                  --dry-run=client -o=yaml \
+                  | grep -v "creationTimestamp:" \
+                  | /kbin/kubectl apply -f -
+              }
+
+              pause_loop() {
+                sleep "${SYNC_PERIOD:-3600}" || true
+              }
+
+              graceful_exit() {
+                echo "Trapped signal -- $(date)"
+                job_ids="$(
+                  jobs \
+                    | grep "pause_loop" \
+                    | cut -d] -f1 \
+                    | tr [ %
+                  )"
+                # shellcheck disable=SC2086
+                if [ "${job_ids}" ]; then
+                  kill ${job_ids}
+                fi
+                wait
+                echo "Graceful exit -- $(date)"
+              }
+
+              trap graceful_exit INT TERM
+
+              echo "Loop started (period: ${SYNC_PERIOD} s) -- $(date)"
+              while true; do
+                reconcile & wait $!
+                pause_loop & wait $!
+              done
+          resources: {}
+          volumeMounts:
+            - mountPath: /.azure
+              name: cache-volume
+      volumes:
+        - emptyDir: {}
+          name: cache-volume
+
+# RBAC necessary for our Deployment to apply our secret that will store the JWT token
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+rules:
+  - apiGroups: [""]
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+    # Lock this down to the specific Secret name  (Optional)
+    #resourceNames:
+    # - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+subjects:
+  - kind: ServiceAccount
+    name: credentials-sync-eventhub
+roleRef:
+  kind: Role
+  name: credentials-sync-eventhub
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml

@@ -1,7 +1,7 @@
 apiVersion: batch/v1beta1
 kind: CronJob
 metadata:
-  name: credentials-sync
+  name: credentials-sync-eventhub
   namespace: flux-system
 spec:
   jobTemplate:

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml

@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonLabels:
+  app: credentials-sync-eventhub
+
+resources:
+  - sync.yaml
+
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
+vars:
+  - name: KUBE_SECRET
+    objref:
+      kind: ConfigMap
+      name: credentials-sync-eventhub
+      apiVersion: v1
+    fieldref:
+      fieldpath: data.KUBE_SECRET
+
+configurations:
+  - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomizeconfig.yaml

@@ -0,0 +1,3 @@
+varReference:
+- path: rules/resourceNames
+  kind: Role

manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/sync.yaml

@@ -0,0 +1,109 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync-eventhub
+data:
+  # Patch this ConfigMap with additional values needed for your cloud
+  KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
+  ADDRESS: "fluxv2" # the Azure Event Hub name
+
+---
+# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret.
+# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
+# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync-eventhub -n flux-system credentials-sync-eventhub-init`
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  suspend: false
+  schedule: 0 */6 * * *
+  failedJobsHistoryLimit: 1
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: credentials-sync-eventhub
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1001
+          restartPolicy: Never
+          containers:
+            - image: busybox # override this with a cloud-specific image
+              name: sync
+              envFrom:
+                - configMapRef:
+                    name: credentials-sync-eventhub
+              env:
+                - name: RECONCILE_SH # override this env var with a shell function in a kustomize patch
+                  value: |-
+                    reconcile() {
+                      echo reconciling...
+                    }
+              command:
+                - bash
+                - -ceu
+                - |-
+                  # template reconcile() into the script
+                  # env var is expanded by k8s before the pod starts
+                  $(RECONCILE_SH)
+
+                  apply-secret() {
+                    /kbin/kubectl create secret generic "${1}" \
+                      --from-literal=token="${2}" \
+                      --from-literal=address="${3}" \
+                      --dry-run=client -o=yaml \
+                      | grep -v "creationTimestamp:" \
+                      | /kbin/kubectl apply -f -
+                  }
+
+                  reconcile
+              resources: {}
+              volumeMounts:
+                - mountPath: /.azure
+                  name: cache-volume
+          volumes:
+            - emptyDir: {}
+              name: cache-volume
+
+# RBAC necessary for our Deployment to apply our secret that will store the JWT token
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+rules:
+  - apiGroups: [""]
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+    # Lock this down to the specific Secret name  (Optional)
+    resourceNames:
+     - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+subjects:
+  - kind: ServiceAccount
+    name: credentials-sync-eventhub
+roleRef:
+  kind: Role
+  name: credentials-sync-eventhub
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/az-identity.yaml

@@ -0,0 +1,16 @@
+# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentity
+metadata:
+  name: lab # if this is changed, also change in config-patches.yaml
+  namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+  name: lab
+  namespace: flux-system
+spec:
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/config-patches.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync-eventhub
+data:
+  KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
+  ADDRESS: "fluxv2" # the Azure Event Hub name
+
+# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
+#     az identity create -n eventhub-write
+#     az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
+# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
+#     az identity show -n eventhub-write -otsv --query clientId
+#     az identity show -n eventhub-write -otsv --query resourceId
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentity
+metadata:
+  name: lab
+  namespace: flux-system
+spec:
+  clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
+  resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
+  type: 0
+
+# Set the reconcile period + specify the pod-identity via the aadpodidbinding label
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  schedule: 0 * * * * # JWT tokens expire every 24 hours; refresh faster than that
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomization.yaml

@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namePrefix: jwt-
+commonLabels:
+  app: jwt-eventhub-credentials-sync
+
+namespace: flux-system
+
+bases:
+  - ../_base
+resources:
+  - az-identity.yaml
+
+patchesStrategicMerge:
+  - config-patches.yaml
+  - reconcile-patch.yaml
+
+vars:
+  - name: AZ_IDENTITY_NAME
+    objref:
+      kind: AzureIdentity
+      name: lab
+      apiVersion: aadpodidentity.k8s.io/v1
+
+configurations:
+  - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml

@@ -0,0 +1,7 @@
+varReference:
+- path: spec/jobTemplate/spec/template/metadata/labels
+  kind: CronJob
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/eventhub-credentials-sync/_cronjobs/azure/reconcile-patch.yaml

@@ -0,0 +1,27 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: sync
+              image: mcr.microsoft.com/azure-cli
+              env:
+                - name: RECONCILE_SH
+                  value: |-
+                    reconcile() {
+                      echo "Starting JWT token sync -- $(date)"
+                      echo "Logging into Azure"
+                      az login --identity
+                      echo "Getting JWT token"
+                      token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
+                      echo "Creating secret: ${KUBE_SECRET}"
+                      apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
+                      echo "Finished JWT token sync -- $(date)"
+                      echo
+                    }

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/config-patches.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync-eventhub
+data:
+  KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
+  ADDRESS: "fluxv2" # the Azure Event Hub name
+
+# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
+#     az identity create -n eventhub-write
+#     az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
+# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
+#     az identity show -n eventhub-write -otsv --query clientId
+#     az identity show -n eventhub-write -otsv --query resourceId

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namePrefix: jwt-
+commonLabels:
+  app: jwt-eventhub-credentials-sync
+
+namespace: flux-system
+
+bases:
+  - ../_base
+resources:
+  - secret-azure-credentials.yaml
+
+patchesStrategicMerge:
+  - config-patches.yaml
+  - reconcile-patch.yaml

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/reconcile-patch.yaml

@@ -0,0 +1,42 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: sync
+              image: mcr.microsoft.com/azure-cli
+              env:
+                - name: RECONCILE_SH
+                  value: |-
+                    reconcile() {
+                      echo "Starting JWT token sync -- $(date)"
+                      echo "Logging into Azure"
+                      az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID}
+                      echo "Getting JWT token"
+                      token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
+                      echo "Creating secret: ${KUBE_SECRET}"
+                      apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
+                      echo "Finished JWT token sync -- $(date)"
+                      echo
+                    }
+                - name: AZURE_CLIENT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: azure-credentials
+                      key: AZURE_CLIENT_ID
+                - name: AZURE_CLIENT_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      name: azure-credentials
+                      key: AZURE_CLIENT_SECRET
+                - name: AZURE_TENANT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: azure-credentials
+                      key: AZURE_TENANT_ID

manifests/integrations/eventhub-credentials-sync/_cronjobs/generic/secret-azure-credentials.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+data:
+  AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
+  AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ=
+  AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
+kind: Secret
+metadata:
+  name: azure-credentials
+  namespace: flux-system
+type: Opaque
+# This is just a example secret, you should never store secrets in git.
+# One way forward can be to use sealed-secrets or SOPS
+# https://fluxcd.io/docs/guides/sealed-secrets/
+# https://fluxcd.io/docs/guides/mozilla-sops/

manifests/integrations/eventhub-credentials-sync/azure/az-identity.yaml

@@ -0,0 +1,16 @@
+# This is a stub resource patched by config-patches.yaml, so that all config is visible in one file
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentity
+metadata:
+  name: lab # if this is changed, also change in config-patches.yaml
+  namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+  name: lab # this can have a different name, but it's nice to keep them the same
+  namespace: flux-system
+spec:
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/eventhub-credentials-sync/azure/config-patches.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync-eventhub
+data:
+  KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
+  ADDRESS: "fluxv2" # the Azure Event Hub name
+  SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
+
+# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
+#     az identity create -n eventhub-write
+#     az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
+# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
+#     az identity show -n eventhub-write -otsv --query clientId
+#     az identity show -n eventhub-write -otsv --query resourceId
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentity
+metadata:
+  name: lab
+  namespace: flux-system
+spec:
+  clientID: 82d01fb0-7799-4d9d-92c7-21e7632c0000
+  resourceID: /subscriptions/82d01fb0-7799-4d9d-92c7-21e7632c0000/resourceGroups/stealthybox/providers/Microsoft.ManagedIdentity/userAssignedIdentities/eventhub-write
+  type: 0
+
+# Specify the pod-identity via the aadpodidbinding label
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  template:
+    metadata:
+      labels:
+        aadpodidbinding: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/eventhub-credentials-sync/azure/kustomization.yaml

@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namePrefix: jwt-
+commonLabels:
+  app: jwt-eventhub-credentials-sync
+
+namespace: flux-system
+
+bases:
+  - ../_base
+resources:
+  - az-identity.yaml
+
+patchesStrategicMerge:
+  - config-patches.yaml
+  - reconcile-patch.yaml
+
+vars:
+  - name: AZ_IDENTITY_NAME
+    objref:
+      kind: AzureIdentity
+      name: lab
+      apiVersion: aadpodidentity.k8s.io/v1
+
+configurations:
+  - kustomizeconfig.yaml

manifests/integrations/eventhub-credentials-sync/azure/kustomizeconfig.yaml

@@ -0,0 +1,7 @@
+varReference:
+- path: spec/template/metadata/labels
+  kind: Deployment
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/eventhub-credentials-sync/azure/reconcile-patch.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  template:
+    spec:
+      containers:
+        - name: sync
+          image: mcr.microsoft.com/azure-cli
+          env:
+            - name: RECONCILE_SH
+              value: |-
+                reconcile() {
+                  echo "Starting JWT token sync -- $(date)"
+                  echo "Logging into Azure"
+                  az login --identity
+                  echo "Getting JWT token"
+                  token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
+                  echo "Creating secret: ${KUBE_SECRET}"
+                  apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
+                  echo "Finished JWT token sync -- $(date)"
+                  echo
+                }

manifests/integrations/eventhub-credentials-sync/generic/config-patches.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credentials-sync-eventhub
+data:
+  KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
+  ADDRESS: "fluxv2" # the Azure Event Hub name
+  SYNC_PERIOD: "3600" # tokens expire; refresh faster than that
+
+# Create an identity in Azure and assign it a role to write to Azure Event Hub (note: the identity's resourceGroup should match the Azure Event Hub):
+#     az identity create -n eventhub-write
+#     az role assignment create --role eventhub --assignee-object-id "$(az identity show -n eventhub-write -o tsv --query principalId)"
+# Fetch the clientID and resourceID to configure the AzureIdentity spec below:
+#     az identity show -n eventhub-write -otsv --query clientId
+#     az identity show -n eventhub-write -otsv --query resourceId
+# Specify the pod-identity via the aadpodidbinding label

manifests/integrations/eventhub-credentials-sync/generic/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namePrefix: jwt-
+commonLabels:
+  app: jwt-eventhub-credentials-sync
+
+namespace: flux-system
+
+bases:
+  - ../_base
+resources:
+  - secret-azure-credentials.yaml
+
+patchesStrategicMerge:
+  - config-patches.yaml
+  - reconcile-patch.yaml

manifests/integrations/eventhub-credentials-sync/generic/reconcile-patch.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: credentials-sync-eventhub
+  namespace: flux-system
+spec:
+  template:
+    spec:
+      containers:
+        - name: sync
+          image: mcr.microsoft.com/azure-cli
+          env:
+            - name: RECONCILE_SH
+              value: |-
+                reconcile() {
+                  echo "Starting JWT token sync -- $(date)"
+                  echo "Logging into Azure"
+                  az login --service-principal -u ${AZURE_CLIENT_ID} -p ${AZURE_CLIENT_SECRET} --tenant ${AZURE_TENANT_ID}
+                  echo "Getting JWT token"
+                  token=$(az account get-access-token --resource https://eventhubs.azure.net |jq -r .accessToken)
+                  echo "Creating secret: ${KUBE_SECRET}"
+                  apply-secret "${KUBE_SECRET}" ${token} "${ADDRESS}"
+                  echo "Finished JWT token sync -- $(date)"
+                  echo
+                }
+            - name: AZURE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: azure-credentials
+                  key: AZURE_CLIENT_ID
+            - name: AZURE_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: azure-credentials
+                  key: AZURE_CLIENT_SECRET
+            - name: AZURE_TENANT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: azure-credentials
+                  key: AZURE_TENANT_ID

manifests/integrations/eventhub-credentials-sync/generic/secret-azure-credentials.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+data:
+  AZURE_CLIENT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
+  AZURE_CLIENT_SECRET: c28tbXVjaC1zZWNyZXQ=
+  AZURE_TENANT_ID: MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMA==
+kind: Secret
+metadata:
+  name: azure-credentials
+  namespace: flux-system
+type: Opaque
+# This is just a example secret, you should never store secrets in git.
+# One way forward can be to use sealed-secrets or SOPS
+# https://fluxcd.io/docs/guides/sealed-secrets/
+# https://fluxcd.io/docs/guides/mozilla-sops/

manifests/integrations/registry-credentials-sync/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
   objref:

manifests/integrations/registry-credentials-sync/_base/sync.yaml

@@ -24,7 +24,7 @@ spec:
     type: Recreate
   template:
     spec:
-      serviceAccount: credentials-sync
+      serviceAccountName: credentials-sync
       containers:
       - image: busybox  # override this with a cloud-specific image
         name: sync
@@ -102,8 +102,8 @@ rules:
   - update
   - patch
   # # Lock this down to the specific Secret name  (Optional)
-  resourceNames:
+  #resourceNames:
-  - $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+  #- $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml

@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
 
+patchesStrategicMerge:
+  - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
   objref:

manifests/integrations/registry-credentials-sync/_cronjobs/_base/sync.yaml

@@ -49,7 +49,7 @@ spec:
 
               apply-secret() {
                 /kbin/kubectl create secret docker-registry "${1}" \
-                  --docker-passwrod="${2}" \
+                  --docker-password="${2}" \
                   --docker-username="${3}" \
                   --docker-server="${4}" \
                   --dry-run=client -o=yaml \

manifests/integrations/registry-credentials-sync/_cronjobs/aws/kustomization.yaml

@@ -14,7 +14,6 @@ bases:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 ## uncomment if using encrypted-secret.yaml

manifests/integrations/registry-credentials-sync/_cronjobs/azure/az-identity.yaml

@@ -5,3 +5,12 @@ kind: AzureIdentity
 metadata:
   name: credentials-sync  # if this is changed, also change in config-patches.yaml
   namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+  name: credentials-sync  # this can have a different name, but it's nice to keep them the same
+  namespace: flux-system
+spec:
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 vars:

manifests/integrations/registry-credentials-sync/_cronjobs/azure/kustomizeconfig.yaml

@@ -1,3 +1,7 @@
 varReference:
 - path: spec/jobTemplate/spec/template/metadata/labels
-  kind: Deployment
+  kind: CronJob
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/registry-credentials-sync/_cronjobs/gcp/reconcile-patch.yaml

@@ -10,7 +10,7 @@ spec:
         spec:
           containers:
           - name: sync
-            image: aws/aws-cli
+            image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
             env:
             - name: RECONCILE_SH
               value: |-

manifests/integrations/registry-credentials-sync/aws/kustomization.yaml

@@ -14,7 +14,6 @@ bases:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 ## uncomment if using encrypted-secret.yaml

manifests/integrations/registry-credentials-sync/azure/az-identity.yaml

@@ -5,3 +5,12 @@ kind: AzureIdentity
 metadata:
   name: credentials-sync  # if this is changed, also change in config-patches.yaml
   namespace: flux-system
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+  name: credentials-sync  # this can have a different name, but it's nice to keep them the same
+  namespace: flux-system
+spec:
+  azureIdentity: $(AZ_IDENTITY_NAME) # match the AzureIdentity name
+  selector: $(AZ_IDENTITY_NAME) # match the AzureIdentity name

manifests/integrations/registry-credentials-sync/azure/kubectl-patch.yaml

@@ -1,28 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: credentials-sync
-  namespace: flux-system
-spec:
-  template:
-    spec:
-      initContainers:
-      - image: bitnami/kubectl
-        name: copy-kubectl
-        # it's okay to do this because kubectl is a statically linked binary
-        command:
-        - sh
-        - -ceu
-        - cp $(which kubectl) /kbin/
-        resources: {}
-        volumeMounts:
-        - name: kbin
-          mountPath: /kbin
-      containers:
-      - name: sync
-        volumeMounts:
-        - name: kbin
-          mountPath: /kbin
-      volumes:
-      - name: kbin
-        emptyDir: {}

manifests/integrations/registry-credentials-sync/azure/kustomization.yaml

@@ -14,7 +14,6 @@ resources:
 
 patchesStrategicMerge:
 - config-patches.yaml
-- kubectl-patch.yaml
 - reconcile-patch.yaml
 
 vars:

manifests/integrations/registry-credentials-sync/azure/kustomizeconfig.yaml

@@ -1,3 +1,7 @@
 varReference:
 - path: spec/template/metadata/labels
   kind: Deployment
+- path: spec/azureIdentity
+  kind: AzureIdentityBinding
+- path: spec/selector
+  kind: AzureIdentityBinding

manifests/integrations/registry-credentials-sync/gcp/reconcile-patch.yaml

@@ -9,7 +9,7 @@ spec:
     spec:
       containers:
       - name: sync
-        image: aws/aws-cli
+        image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
         env:
         - name: RECONCILE_SH
           value: |-

manifests/monitoring/grafana/dashboards/cluster.json

@@ -482,16 +482,20 @@
               "job": true,
               "kubernetes_namespace": true,
               "kubernetes_pod_name": true,
-              "namespace": true,
               "pod_template_hash": true,
               "status": true,
-              "type": true
+              "type": true,
+              "pod": true,
+              "container": true,
+              "endpoint": true,
+              "exported_namespace": true
             },
             "indexByName": {},
             "renameByName": {
               "Value": "Status",
               "kind": "Kind",
-              "name": "Name"
+              "name": "Name",
+              "namespace": "Namespace"
             }
           }
         }
@@ -594,15 +598,19 @@
               "job": true,
               "kubernetes_namespace": true,
               "kubernetes_pod_name": true,
-              "namespace": true,
               "pod_template_hash": true,
+              "pod": true,
               "status": true,
-              "type": true
+              "type": true,
+              "container": true,
+              "endpoint": true,
+              "exported_namespace": true
             },
             "indexByName": {},
             "renameByName": {
               "Value": "Status",
               "kind": "Kind",
+              "namespace": "Namespace",
               "name": "Name"
             }
           }
@@ -831,7 +839,7 @@
   "schemaVersion": 26,
   "style": "light",
   "tags": [
-    "gitops-toolkit"
+    "flux"
   ],
   "templating": {
     "list": [

manifests/monitoring/grafana/dashboards/control-plane.json

@@ -547,7 +547,7 @@
         {
           "expr": "rate(process_cpu_seconds_total{namespace=\"$namespace\",pod=~\".*-controller-.*\"}[1m])",
           "interval": "",
-          "legendFormat": "{{kubernetes_pod_name}}",
+          "legendFormat": "{{pod}}",
           "refId": "A"
         }
       ],
@@ -643,7 +643,7 @@
           "expr": "rate(go_memstats_alloc_bytes_total{namespace=\"$namespace\",pod=~\".*-controller-.*\"}[1m])",
           "hide": false,
           "interval": "",
-          "legendFormat": "{{kubernetes_pod_name}}",
+          "legendFormat": "{{pod}}",
           "refId": "A"
         }
       ],
@@ -1356,7 +1356,7 @@
   "schemaVersion": 26,
   "style": "light",
   "tags": [
-    "gitops-toolkit"
+    "flux"
   ],
   "templating": {
     "list": [
@@ -1424,7 +1424,7 @@
     ]
   },
   "timezone": "",
-  "title": "GitOps Toolkit Control Plane",
+  "title": "Flux Control Plane",
-  "uid": "gitops-toolkit-control-plane",
+  "uid": "flux-control-plane",
   "version": 1
 }

manifests/monitoring/kube-prometheus-stack/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml