Concept: encrypt init command for SOPS bootstrap

Signed-off-by: Hidde Beydals <hello@hidde.co>

.github/workflows/e2e-arm64.yaml

@@ -0,0 +1,109 @@
+name: e2e-arm64
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main, update-components ]
+
+jobs:
+  ampere:
+    # Runner info
+    # Owner: Stefan Prodan
+    # VM: Oracle Cloud VM.Standard.A1.Flex 4CPU 24GB RAM
+    # OS: Linux 5.4.0-1045-oracle #49-Ubuntu SMP aarch64
+    # Packages: docker, kind, kubectl, kustomize
+    runs-on: [self-hosted, Linux, ARM64]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16.x
+      - name: Prepare
+        id: prep
+        run: |
+          echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
+          echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
+      - name: Run unit tests
+        run: make test
+      - name: Check if working tree is dirty
+        run: |
+          if [[ $(git diff --stat) != '' ]]; then
+            git diff
+            echo 'run make test and commit changes'
+            exit 1
+          fi
+      - name: Build
+        run: |
+          go build -o /tmp/flux ./cmd/flux
+      - name: Setup Kubernetes Kind
+        run: |
+          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }}
+      - name: flux check --pre
+        run: |
+          /tmp/flux check --pre \
+          --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux install
+        run: |
+          /tmp/flux install \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create source git
+        run: |
+          /tmp/flux create source git podinfo-gogit \
+            --git-implementation=go-git \
+            --url https://github.com/stefanprodan/podinfo  \
+            --tag-semver=">1.0.0" \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+          /tmp/flux create source git podinfo-libgit2 \
+            --git-implementation=libgit2 \
+            --url https://github.com/stefanprodan/podinfo  \
+            --branch="master" \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create kustomization
+        run: |
+          /tmp/flux create kustomization podinfo \
+            --source=podinfo-gogit \
+            --path="./deploy/overlays/dev" \
+            --prune=true \
+            --interval=5m \
+            --validation=client \
+            --health-check="Deployment/frontend.dev" \
+            --health-check="Deployment/backend.dev" \
+            --health-check-timeout=3m \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create tenant
+        run: |
+          /tmp/flux create tenant dev-team \
+            --with-namespace=apps \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux create helmrelease
+        run: |
+          /tmp/flux -n apps create source helm podinfo \
+            --url https://stefanprodan.github.io/podinfo \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+
+          /tmp/flux -n apps create hr podinfo-helm \
+            --source=HelmRepository/podinfo \
+            --chart=podinfo \
+            --chart-version="6.0.x" \
+            --service-account=dev-team \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux get all
+        run: |
+          /tmp/flux get all --all-namespaces \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: flux uninstall
+        run: |
+          /tmp/flux uninstall -s \
+            --context ${{ steps.prep.outputs.CONTEXT }}
+      - name: Debug failure
+        if: failure()
+        run: |
+          kubectl --context ${{ steps.prep.outputs.CONTEXT }} -n flux-system get all
+          /tmp/flux logs --all-namespaces
+      - name: Cleanup
+        if: always()
+        run: |
+          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}

cmd/flux/create_helmrelease.go

@@ -87,7 +87,8 @@ var createHelmReleaseCmd = &cobra.Command{
 
   # Create a HelmRelease targeting another namespace than the resource
   flux create hr podinfo \
-    --target-namespace=default \
+    --target-namespace=test \
+    --create-target-namespace=true \
     --source=HelmRepository/podinfo \
     --chart=podinfo
 
@@ -113,6 +114,7 @@ type helmReleaseFlags struct {
 	chart           string
 	chartVersion    string
 	targetNamespace string
+	createNamespace bool
 	valuesFiles     []string
 	valuesFrom      flags.HelmReleaseValuesFrom
 	saName          string
@@ -128,6 +130,7 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
+	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.valuesFrom, "values-from", helmReleaseArgs.valuesFrom.Description())
@@ -167,6 +170,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 				Duration: createArgs.interval,
 			},
 			TargetNamespace: helmReleaseArgs.targetNamespace,
+
 			Chart: helmv2.HelmChartTemplate{
 				Spec: helmv2.HelmChartTemplateSpec{
 					Chart:   helmReleaseArgs.chart,
@@ -178,6 +182,9 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 					},
 				},
 			},
+			Install: &helmv2.Install{
+				CreateNamespace: helmReleaseArgs.createNamespace,
+			},
 			Suspend: false,
 		},
 	}
@@ -187,7 +194,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	if helmReleaseArgs.crds != "" {
-		helmRelease.Spec.Install = &helmv2.Install{CRDs: helmv2.Create}
+		helmRelease.Spec.Install.CRDs = helmv2.Create
 		helmRelease.Spec.Upgrade = &helmv2.Upgrade{CRDs: helmv2.CRDsPolicy(helmReleaseArgs.crds.String())}
 	}
 

cmd/flux/create_source_helm.go

@@ -66,13 +66,14 @@ For private Helm repositories, the basic authentication credentials are stored i
 }
 
 type sourceHelmFlags struct {
-	url       string
+	url             string
-	username  string
+	username        string
-	password  string
+	password        string
-	certFile  string
+	certFile        string
-	keyFile   string
+	keyFile         string
-	caFile    string
+	caFile          string
-	secretRef string
+	secretRef       string
+	passCredentials bool
 }
 
 var sourceHelmArgs sourceHelmFlags
@@ -85,6 +86,7 @@ func init() {
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
 	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
+	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")
 
 	createSourceCmd.AddCommand(createSourceHelmCmd)
 }
@@ -132,6 +134,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: sourceHelmArgs.secretRef,
 		}
+		helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 	}
 
 	if createArgs.export {
@@ -175,6 +178,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
+			helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 			logger.Successf("authentication configured")
 		}
 	}

cmd/flux/encrypt.go

@@ -0,0 +1,39 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var encryptCmd = &cobra.Command{
+	Use:   "encrypt",
+	Short: "Encrypt secrets using SOPS",
+	Long:  "The encrypt sub-commands initialise and manage Secret encryption using SOPS.",
+}
+
+type encryptFlags struct {
+	export bool
+}
+
+var encryptArgs encryptFlags
+
+func init() {
+	encryptCmd.PersistentFlags().BoolVar(&encryptArgs.export, "export", false, "export in YAML format to stdout")
+
+	rootCmd.AddCommand(encryptCmd)
+}

cmd/flux/encrypt_init.go

@@ -0,0 +1,113 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"filippo.io/age"
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/go-git/go-git/v5"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var encryptInitCmd = &cobra.Command{
+	Use:   "init",
+	Short: "Init SOPS encryption with age identity",
+	Long:  "The encryption init command creates a new age identity and writes a .sops.yaml file to the current working directory.",
+	Example: `  # Init SOPS encryption with a new age identity
+  flux encryption init`,
+	RunE: encryptInitCmdRun,
+}
+
+func init() {
+	encryptCmd.AddCommand(encryptInitCmd)
+}
+
+func encryptInitCmdRun(cmd *cobra.Command, args []string) error {
+	// Confirm our current path is in a Git repository
+	path, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+	if _, err := git.PlainOpen(path); err != nil {
+		if err == git.ErrRepositoryNotExists {
+			err = fmt.Errorf("'%s' is not in a Git repository", path)
+		}
+		return err
+	}
+
+	// Abort early if .sops.yaml already exists
+	sopsCfgPath := filepath.Join(path, ".sops.yaml")
+	if _, err := os.Stat(sopsCfgPath); err == nil || os.IsExist(err) {
+		return fmt.Errorf("'%s' already contains a .sops.yaml config", path)
+	}
+
+	// Generate a new identity
+	i, err := age.GenerateX25519Identity()
+	if err != nil {
+		return err
+	}
+	logger.Successf("Generated identity %s", i.Recipient().String())
+
+	// Attempt to configure identity in .sops.yaml
+	const sopsCfg = `creation_rules:
+  - path_regex: .*.yaml
+    encrypted_regex: ^(data|stringData)$
+    age: %s
+`
+	if err := ioutil.WriteFile(sopsCfgPath, []byte(fmt.Sprintf(sopsCfg, i.Recipient().String())), 0644); err != nil {
+		logger.Failuref("Failed to write recipient to .sops.yaml file")
+		return err
+	}
+	logger.Successf("Configured recipient in .sops.yaml file")
+
+	// Init client
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	if err != nil {
+		return err
+	}
+
+	// Create a secret
+	secret := &corev1.Secret{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      "sops-age",
+			Namespace: rootArgs.namespace,
+		},
+		StringData: map[string]string{
+			"flux-auto.age": i.String(),
+		},
+	}
+	if err := kubeClient.Create(ctx, secret); err != nil {
+		return err
+	}
+	logger.Successf(`Secret '%s' with private key created`, secret.Name)
+
+	// TODO(hidde): lookup kustomize based on path ref? Do direct cluster mutation? (Preferably not!)
+	//  Feels something is missing in general to provide a user experience improving bridge between "die hard"
+	//  `--export` and "please do not do this" direct-apply-to-cluster.
+
+	return nil
+}

go.mod

@@ -3,10 +3,11 @@ module github.com/fluxcd/flux2
 go 1.16
 
 require (
+	filippo.io/age v1.0.0-rc.3
 	github.com/Masterminds/semver/v3 v3.1.0
 	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/fluxcd/go-git-providers v0.1.1
-	github.com/fluxcd/helm-controller/api v0.11.0
+	github.com/fluxcd/helm-controller/api v0.11.1
 	github.com/fluxcd/image-automation-controller/api v0.12.0
 	github.com/fluxcd/image-reflector-controller/api v0.10.0
 	github.com/fluxcd/kustomize-controller/api v0.13.0
@@ -16,7 +17,7 @@ require (
 	github.com/fluxcd/pkg/ssh v0.0.5
 	github.com/fluxcd/pkg/untar v0.0.5
 	github.com/fluxcd/pkg/version v0.0.1
-	github.com/fluxcd/source-controller/api v0.15.0
+	github.com/fluxcd/source-controller/api v0.15.1
 	github.com/go-git/go-git/v5 v5.4.2
 	github.com/google/go-containerregistry v0.2.0
 	github.com/manifoldco/promptui v0.7.0

go.sum

@@ -24,6 +24,9 @@ cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiy
 cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+filippo.io/age v1.0.0-rc.3 h1:8JjuJ5ffGKDmC4SS0zoyQxZROZX75so768b7AjulKLw=
+filippo.io/age v1.0.0-rc.3/go.mod h1:UjINLBMeA60aGZkHCGsmDzKcaXoTTzpvrqQM+Vo3YHU=
+filippo.io/edwards25519 v1.0.0-beta.3/go.mod h1:X+pm78QAUPtFLi1z9PYIlS/bdDnvbCOGKtZ+ACWEf7o=
 github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v42.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
@@ -201,8 +204,8 @@ github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwo
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fluxcd/go-git-providers v0.1.1 h1:R4VafMOo1IlfEZcImApCeElge/HajhFvRzDKGlot+/c=
 github.com/fluxcd/go-git-providers v0.1.1/go.mod h1:nRgNpHZmZhrsyNSma1JcAhjUG9xrqMGJcIUr9K7M7vk=
-github.com/fluxcd/helm-controller/api v0.11.0 h1:rTjd3ETJU1s1I2Vf0beyi9LduNyXKREuE+BMnIXtxfM=
+github.com/fluxcd/helm-controller/api v0.11.1 h1:7oanAnhcRdqrnALDGpZcg5iuDqwCv+jNTmGvSrgDyCo=
-github.com/fluxcd/helm-controller/api v0.11.0/go.mod h1:nt5YdVS+jWXDSbP3gAX3HII6oX+8ahrHD6og2ZVsnN4=
+github.com/fluxcd/helm-controller/api v0.11.1/go.mod h1:nt5YdVS+jWXDSbP3gAX3HII6oX+8ahrHD6og2ZVsnN4=
 github.com/fluxcd/image-automation-controller/api v0.12.0 h1:TM37onbW9vqcwPZgcavrXka9OF+JmK2+m69V8GYRWIM=
 github.com/fluxcd/image-automation-controller/api v0.12.0/go.mod h1:f4KeYUdaQD8hfANsEOAdIxoloIBIY7UUHKM99h/swqg=
 github.com/fluxcd/image-reflector-controller/api v0.10.0 h1:uZsf5X0Djko2yJMNdKn516nKCiSBFecE8c+O66lrgyI=
@@ -225,8 +228,8 @@ github.com/fluxcd/pkg/untar v0.0.5/go.mod h1:O6V9+rtl8c1mHBafgqFlJN6zkF1HS5SSYn7
 github.com/fluxcd/pkg/version v0.0.1 h1:/8asQoDXSThz3csiwi4Qo8Zb6blAxLXbtxNgeMJ9bCg=
 github.com/fluxcd/pkg/version v0.0.1/go.mod h1:WAF4FEEA9xyhngF8TDxg3UPu5fA1qhEYV8Pmi2Il01Q=
 github.com/fluxcd/source-controller/api v0.14.0/go.mod h1:P1pIkaoIsiCJ/NLC7IBXPb9XEime9NvA1WN4hZu2Of4=
-github.com/fluxcd/source-controller/api v0.15.0 h1:EhuBZb+gLFbOWxX+UQzXqnAO0wUSViJEDcuVscmRoHc=
+github.com/fluxcd/source-controller/api v0.15.1 h1:ajJHCP3e3AST13nOJrM2ax2mqTS2vSjj7jkedhbMds0=
-github.com/fluxcd/source-controller/api v0.15.0/go.mod h1:P1pIkaoIsiCJ/NLC7IBXPb9XEime9NvA1WN4hZu2Of4=
+github.com/fluxcd/source-controller/api v0.15.1/go.mod h1:P1pIkaoIsiCJ/NLC7IBXPb9XEime9NvA1WN4hZu2Of4=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
@@ -799,6 +802,7 @@ golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b h1:7mWr3k41Qtv8XlltBkDkl8LoP3mpSgBW8BUoxtEdbXg=

manifests/bases/helm-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/helm-controller/releases/download/v0.11.0/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.11.0/helm-controller.deployment.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/source-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.15.0/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.15.1/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.15.0/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.15.1/source-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/crds/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.15.0/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.15.1/source-controller.crds.yaml
 - https://github.com/fluxcd/kustomize-controller/releases/download/v0.13.0/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.11.0/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.11.1/helm-controller.crds.yaml
 - https://github.com/fluxcd/notification-controller/releases/download/v0.15.0/notification-controller.crds.yaml
 - https://github.com/fluxcd/image-reflector-controller/releases/download/v0.10.0/image-reflector-controller.crds.yaml
 - https://github.com/fluxcd/image-automation-controller/releases/download/v0.12.0/image-automation-controller.crds.yaml

manifests/integrations/eventhub-credentials-sync/_base/sync.yaml

@@ -110,8 +110,8 @@ rules:
       - update
       - patch
     # Lock this down to the specific Secret name  (Optional)
-    resourceNames:
+    #resourceNames:
-     - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+    # - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/registry-credentials-sync/_base/sync.yaml

@@ -102,8 +102,8 @@ rules:
   - update
   - patch
   # # Lock this down to the specific Secret name  (Optional)
-  resourceNames:
+  #resourceNames:
-  - $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
+  #- $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/integrations/registry-credentials-sync/_cronjobs/_base/sync.yaml

@@ -49,7 +49,7 @@ spec:
 
               apply-secret() {
                 /kbin/kubectl create secret docker-registry "${1}" \
-                  --docker-passwrod="${2}" \
+                  --docker-password="${2}" \
                   --docker-username="${3}" \
                   --docker-server="${4}" \
                   --dry-run=client -o=yaml \