Refer to authorisation model in RFC-0001

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Explain authorisation model and mechanisms
2026-03-01 11:16:56 +00:00 · 2021-12-17 11:58:45 +02:00 · 2021-12-17 11:58:39 +02:00 · 2021-12-17 11:58:39 +02:00 · 2021-12-17 11:58:38 +02:00 · 2021-12-13 14:23:25 +02:00
284 changed files with 8779 additions and 1286 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -48,19 +48,18 @@ body:
    required: true
  attributes:
    label: Flux version
-    description: Run `flux --version` to check. If not applicable, write `N/A`.
+    description: Run `flux version --client`. If not applicable, write `N/A`.
-    placeholder: e.g. 0.16.1
+    placeholder: e.g. v0.20.1
 - type: textarea
  validations:
    required: true
  attributes:
    label: Flux check
-    description: Run `flux check` to check. If not applicable, write `N/A`.
+    description: Run `flux check`. If not applicable, write `N/A`.
    placeholder: |
      For example:
      ► checking prerequisites
-      ✔ kubectl 1.21.0 >=1.18.0-0
+      ✔ Kubernetes 1.21.1 >=1.19.0-0
      ✔ Kubernetes 1.21.1 >=1.16.0-0
      ► checking controllers
      ✔ all checks passed
 - type: input
--- a/.github/aur/flux-bin/.SRCINFO.template
+++ b/.github/aur/flux-bin/.SRCINFO.template
@@ -8,7 +8,6 @@ pkgbase = flux-bin
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
 	optdepends = kubectl
 	source_x86_64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_amd64.tar.gz
 	source_armv6h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
 	source_armv7h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
--- a/.github/aur/flux-bin/PKGBUILD.template
+++ b/.github/aur/flux-bin/PKGBUILD.template
@@ -8,8 +8,7 @@ pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
 arch=("x86_64" "armv6h" "armv7h" "aarch64")
 license=("APACHE")
-optdepends=('kubectl: for apply actions on the Kubernetes cluster',
+optdepends=('bash-completion: auto-completion for flux in Bash',
 'bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source_x86_64=(
  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
--- a/.github/aur/flux-go/.SRCINFO.template
+++ b/.github/aur/flux-go/.SRCINFO.template
@@ -10,7 +10,6 @@ pkgbase = flux-go
 	license = APACHE
 	makedepends = go
 	depends = glibc
 	optdepends = kubectl
 	provides = flux-bin
 	conflicts = flux-bin
  replaces = flux-cli
--- a/.github/aur/flux-go/PKGBUILD.template
+++ b/.github/aur/flux-go/PKGBUILD.template
@@ -13,8 +13,7 @@ conflicts=("flux-bin")
 replaces=("flux-cli")
 depends=("glibc")
 makedepends=('go>=1.16', 'kustomize>=3.0')
-optdepends=('kubectl: for apply actions on the Kubernetes cluster',
+optdepends=('bash-completion: auto-completion for flux in Bash',
 'bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${pkgver}.tar.gz"
--- a/.github/aur/flux-scm/.SRCINFO.template
+++ b/.github/aur/flux-scm/.SRCINFO.template
@@ -10,7 +10,6 @@ pkgbase = flux-scm
 	license = APACHE
 	makedepends = go
 	depends = glibc
 	optdepends = kubectl
 	provides = flux-bin
 	conflicts = flux-bin
 	source = git+https://github.com/fluxcd/flux2.git
--- a/.github/aur/flux-scm/PKGBUILD.template
+++ b/.github/aur/flux-scm/PKGBUILD.template
@@ -12,8 +12,7 @@ provides=("flux-bin")
 conflicts=("flux-bin")
 depends=("glibc")
 makedepends=('go>=1.16', 'kustomize>=3.0')
-optdepends=('kubectl: for apply actions on the Kubernetes cluster',
+optdepends=('bash-completion: auto-completion for flux in Bash',
 'bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
  "git+https://github.com/fluxcd/flux2.git"
--- a/.github/runners/README.md
+++ b/.github/runners/README.md
@@ -1,42 +1,72 @@
-# Flux GitHub runners
+# Flux ARM64 GitHub runners
-How to provision GitHub Actions self-hosted runners for Flux conformance testing.
+The Flux ARM64 end-to-end tests run on Equinix instances provisioned with Docker and GitHub self-hosted runners.
-## ARM64 Instance specs
+## Current instances
 | Runner        | Instance            | Region |
 |---------------|---------------------|--------|
 | equinix-arm-1 | flux-equinix-arm-01 | AMS1   |
 | equinix-arm-2 | flux-equinix-arm-01 | AMS1   |
 | equinix-arm-3 | flux-equinix-arm-01 | AMS1   |
 | equinix-arm-4 | flux-equinix-arm-02 | DFW2   |
 | equinix-arm-5 | flux-equinix-arm-02 | DFW2   |
 | equinix-arm-6 | flux-equinix-arm-02 | DFW2   |
 ## Instance setup
 In order to add a new runner to the GitHub Actions pool,
-first create an instance on Oracle Cloud with the following configuration:
+first create a server on Equinix with the following configuration:
- OS: Canonical Ubuntu 20.04
+- Type: c2.large.arm
- Shape: VM.Standard.A1.Flex
+- OS: Ubuntu 20.04
 - OCPU Count: 2 
 - Memory (GB): 12
 - Network Bandwidth (Gbps): 2
 - Local Disk: Block Storage Only  
-Note that the instance image source must be **Canonical Ubuntu** instead of the default Oracle Linux.
+### Install prerequisites
 ## ARM64 Instance setup
 - SSH into a newly created instance
 ```shell
-ssh ubuntu@<instance-public-IP>
+ssh root@<instance-public-IP>
 ``` 
- Create the action runner dir
+
 - Create the ubuntu user
 ```shell
-mkdir -p actions-runner && cd actions-runner
+adduser ubuntu
 usermod -aG sudo ubuntu
 su - ubuntu
 ```
- Download the provisioning script
+
 - Create the prerequisites dir
 ```shell
-curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/arm64.sh > arm64.sh \
+mkdir -p prereq && cd prereq
  && chmod +x ./arm64.sh
 ```
 - Download the prerequisites script
 ```shell
 curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/prereq.sh > prereq.sh \
  && chmod +x ./prereq.sh
 ```
 - Install the prerequisites
 ```shell
 sudo ./prereq.sh
 ```
 ### Install runners
 - Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)
- Run the provisioning script passing the token as the first argument
+
 - Create 3 directories `runner1`, `runner2`, `runner3`
 - In each dir run:
 ```shell
-sudo ./arm64.sh <TOKEN>
+curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/runner-setup.sh > runner-setup.sh \
  && chmod +x ./runner-setup.sh
 ./runner-setup.sh equinix-arm-<NUMBER> <TOKEN>
 ```
 - Reboot the instance
 ```shell
 sudo reboot
-```  
+```
 - Navigate to the GitHub repository [runners page](https://github.com/fluxcd/flux2/settings/actions/runners) and check the runner status
--- a/.github/runners/prereq.sh
+++ b/.github/runners/prereq.sh
@@ -14,19 +14,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# This script is meant to be run locally and in CI to validate the Kubernetes
+# This script installs the prerequisites for running Flux end-to-end tests with Docker and GitHub self-hosted runners.
 # manifests (including Flux custom resources) before changes are merged into
 # the branch synced by Flux in-cluster.
 set -eu
 REPOSITORY_TOKEN=$1
 REPOSITORY_URL=${2:-https://github.com/fluxcd/flux2}
 KIND_VERSION=0.11.1
 KUBECTL_VERSION=1.21.2
 KUSTOMIZE_VERSION=4.1.3
-GITHUB_RUNNER_VERSION=2.278.0
+GITHUB_RUNNER_VERSION=2.285.1
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq"
 # install prerequisites
@@ -64,10 +59,3 @@ curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/r
 # install runner dependencies
 ./bin/installdependencies.sh
 # register runner with GitHub
 sudo -u ubuntu ./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN}
 # start runner
 ./svc.sh install
 ./svc.sh start
--- a/.github/runners/runner-setup.sh
+++ b/.github/runners/runner-setup.sh
@@ -0,0 +1,37 @@
 #!/usr/bin/env bash
 # Copyright 2021 The Flux authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # This script installs a GitHub self-hosted ARM64 runner for running Flux end-to-end tests.
 set -eu
 RUNNER_NAME=$1
 REPOSITORY_TOKEN=$2
 REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}
 GITHUB_RUNNER_VERSION=2.285.1
 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
  && tar xzf actions-runner-linux-arm64.tar.gz \
  && rm actions-runner-linux-arm64.tar.gz
 # register runner with GitHub
 ./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN} --name ${RUNNER_NAME}
 # start runner
 sudo ./svc.sh install
 sudo ./svc.sh start
--- a/.github/workflows/bootstrap.yaml
+++ b/.github/workflows/bootstrap.yaml
@@ -33,7 +33,7 @@ jobs:
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build
        run: |
-          make cmd/flux/manifests
+          make cmd/flux/.manifests.done
          go build -o /tmp/flux ./cmd/flux
      - name: Set outputs
        id: vars
@@ -64,6 +64,22 @@ jobs:
          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: bootstrap customize
        run: |
          make setup-bootstrap-patch
          /tmp/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --team=team-z
          if [ $(kubectl get deployments.apps source-controller -o jsonpath='{.spec.template.spec.securityContext.runAsUser}') != "10000" ]; then
          echo "Bootstrap not customized as controller is not running as user 10000" && exit 1
          fi
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
          GITHUB_ORG_NAME: fluxcd-testing
      - name: libgit2
        run: |
          /tmp/flux create source git test-libgit2 \
@@ -75,16 +91,24 @@ jobs:
        run: |
          /tmp/flux uninstall -s --keep-namespace
          kubectl delete ns flux-system --timeout=10m --wait=true
-      - name: bootstrap reinstall
+      - name: test image automation
        run: |
          make setup-image-automation
          /tmp/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
-          --team=team-z
+          --read-write-key
          /tmp/flux reconcile image repository podinfo
          /tmp/flux reconcile image update flux-system
          /tmp/flux get images all
          /tmp/flux get images policy podinfo | grep "5.2.1"
          /tmp/flux get image update flux-system | grep commit
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
          GITHUB_ORG_NAME: fluxcd-testing
      - name: delete repository
        run: |
          curl \
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@@ -3,14 +3,13 @@ name: e2e-arm64
 on:
  workflow_dispatch:
  push:
-    branches: [ main, update-components ]
+    branches: [ main, update-components, equinix-runners ]
 jobs:
-  ampere:
+  test:
-    # Runner info
+    # Hosted on Equinix
    # Owner: Stefan Prodan
    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
-    runs-on: [self-hosted, Linux, ARM64]
+    runs-on: [self-hosted, Linux, ARM64, equinix]
    steps:
      - name: Checkout
        uses: actions/checkout@v2
@@ -23,86 +22,16 @@ jobs:
        run: |
          echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
          echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
      - name: Run unit tests
        run: make test
      - name: Check if working tree is dirty
        run: |
          if [[ $(git diff --stat) != '' ]]; then
            git diff
            echo 'run make test and commit changes'
            exit 1
          fi
      - name: Build
        run: |
-          go build -o /tmp/flux ./cmd/flux
+          make build
      - name: Setup Kubernetes Kind
        run: |
-          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }}
+          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
-      - name: flux check --pre
+      - name: Run e2e tests
-        run: |
+        run: TEST_KUBECONFIG=/tmp/${{ steps.prep.outputs.CLUSTER }} make e2e
          /tmp/flux check --pre \
          --context ${{ steps.prep.outputs.CONTEXT }}
      - name: flux install
        run: |
          /tmp/flux install \
          --components-extra=image-reflector-controller,image-automation-controller \
          --context ${{ steps.prep.outputs.CONTEXT }}
      - name: flux create source git
        run: |
          /tmp/flux create source git podinfo-gogit \
            --git-implementation=go-git \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">1.0.0" \
            --context ${{ steps.prep.outputs.CONTEXT }}
          /tmp/flux create source git podinfo-libgit2 \
            --git-implementation=libgit2 \
            --url https://github.com/stefanprodan/podinfo  \
            --branch="master" \
            --context ${{ steps.prep.outputs.CONTEXT }}
      - name: flux create kustomization
        run: |
          /tmp/flux create kustomization podinfo \
            --source=podinfo-gogit \
            --path="./deploy/overlays/dev" \
            --prune=true \
            --interval=5m \
            --validation=client \
            --health-check="Deployment/frontend.dev" \
            --health-check="Deployment/backend.dev" \
            --health-check-timeout=3m \
            --context ${{ steps.prep.outputs.CONTEXT }}
      - name: flux create tenant
        run: |
          /tmp/flux create tenant dev-team \
            --with-namespace=apps \
            --context ${{ steps.prep.outputs.CONTEXT }}
      - name: flux create helmrelease
        run: |
          /tmp/flux -n apps create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo \
            --context ${{ steps.prep.outputs.CONTEXT }}
          /tmp/flux -n apps create hr podinfo-helm \
            --source=HelmRepository/podinfo \
            --chart=podinfo \
            --chart-version="6.0.x" \
            --service-account=dev-team \
            --context ${{ steps.prep.outputs.CONTEXT }}
      - name: flux get all
        run: |
          /tmp/flux get all --all-namespaces \
            --context ${{ steps.prep.outputs.CONTEXT }}
      - name: flux uninstall
        run: |
          /tmp/flux uninstall -s \
            --context ${{ steps.prep.outputs.CONTEXT }}
      - name: Debug failure
        if: failure()
        run: |
          kubectl --context ${{ steps.prep.outputs.CONTEXT }} -n flux-system get all
          kubectl --context ${{ steps.prep.outputs.CONTEXT }} -n flux-system describe pods
          /tmp/flux logs --all-namespaces
      - name: Cleanup
        if: always()
        run: |
          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
          rm /tmp/${{ steps.prep.outputs.CLUSTER }}
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -0,0 +1,66 @@
 name: e2e-azure
 on:
  workflow_dispatch:
  schedule:
    - cron:  '0 6 * * *'
  push:
    branches: [ azure* ]
 jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Restore Go cache
        uses: actions/cache@v1
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go1.16-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go1.16-
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.16.x
      - name: Install libgit2
        run: |
          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9
          echo "deb http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
          echo "deb-src http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
          sudo apt-get update
          sudo apt-get install -y --allow-downgrades libgit2-dev/unstable zlib1g-dev/unstable libssh2-1-dev/unstable libpcre3-dev/unstable
      - name: Setup Flux CLI
        run: |
          make build
          mkdir -p $HOME/.local/bin
          mv ./bin/flux $HOME/.local/bin
      - name: Setup SOPS
        run: |
          wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux
          chmod +x sops-v3.7.1.linux
          mkdir -p $HOME/.local/bin
          mv sops-v3.7.1.linux $HOME/.local/bin/sops
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1
        with:
          terraform_version: 1.0.7
          terraform_wrapper: false
      - name: Setup Azure CLI
        run: |
          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
      - name: Run Azure e2e tests
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
        run: |
          echo $HOME
          echo $PATH
          ls $HOME/.local/bin
          az login --service-principal -u ${ARM_CLIENT_ID} -p ${ARM_CLIENT_SECRET} -t ${ARM_TENANT_ID}
          cd ./tests/azure
          go test -v -coverprofile cover.out -timeout 60m .
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -2,7 +2,7 @@ name: e2e
 on:
  push:
-    branches: [ main ]
+    branches: [ main, e2e* ]
  pull_request:
    branches: [ main ]
@@ -27,16 +27,22 @@ jobs:
        uses: engineerd/setup-kind@v0.5.0
        with:
          version: v0.11.1
-          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
+          image: kindest/node:v1.19.11@sha256:07db187ae84b4b7de440a73886f008cf903fcf5764ba8106a9fd5243d6f32729
          config: .github/kind/config.yaml # disable KIND-net
      - name: Setup envtest
        uses: fluxcd/pkg/actions/envtest@main
        with:
          version: "1.21.x"
      - name: Setup Calico for network policy
        run: |
-          kubectl apply -f https://docs.projectcalico.org/v3.16/manifests/calico.yaml
+          kubectl apply -f https://docs.projectcalico.org/v3.20/manifests/calico.yaml
          kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
-      - name: Run test
+      - name: Run tests
        run: make test
      - name: Run e2e tests
        run: TEST_KUBECONFIG=$HOME/.kube/config make e2e
      - name: Check if working tree is dirty
        run: |
          if [[ $(git diff --stat) != '' ]]; then
@@ -74,6 +80,13 @@ jobs:
            --tag-semver=">=3.2.3" \
            --export | kubectl apply -f -
          /tmp/flux delete source git podinfo-export --silent
      - name: flux create source git libgit2 semver
        run: |
          /tmp/flux create source git podinfo-libgit2 \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=3.2.3" \
            --git-implementation=libgit2
          /tmp/flux delete source git podinfo-libgit2 --silent
      - name: flux get sources git
        run: |
          /tmp/flux get sources git
@@ -87,7 +100,6 @@ jobs:
            --path="./deploy/overlays/dev" \
            --prune=true \
            --interval=5m \
            --validation=client \
            --health-check="Deployment/frontend.dev" \
            --health-check="Deployment/backend.dev" \
            --health-check-timeout=3m
@@ -170,26 +182,6 @@ jobs:
            --chart=podinfo \
            --chart-version="5.0.x" \
            --service-account=dev-team
      - name: flux create image repository
        run: |
          /tmp/flux create image repository podinfo \
            --image=ghcr.io/stefanprodan/podinfo \
            --interval=1m
      - name: flux create image policy
        run: |
          /tmp/flux create image policy podinfo \
            --image-ref=podinfo \
            --interval=1m \
            --select-semver=5.0.x
      - name: flux create image policy podinfo-select-alpha
        run: |
          /tmp/flux create image policy podinfo-alpha \
            --image-ref=podinfo \
            --interval=1m \
            --select-alpha=desc
      - name: flux get image policy
        run: |
          /tmp/flux get image policy podinfo | grep '5.0.3'
      - name: flux2-kustomize-helm-example
        run: |
          /tmp/flux create source git flux-system \
@@ -199,7 +191,14 @@ jobs:
          /tmp/flux create kustomization flux-system \
          --source=flux-system \
          --path=./clusters/staging
          kubectl -n flux-system wait kustomization/infrastructure --for=condition=ready --timeout=5m
          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=5m
          kubectl -n nginx wait helmrelease/nginx --for=condition=ready --timeout=5m
          kubectl -n redis wait helmrelease/redis --for=condition=ready --timeout=5m
          kubectl -n podinfo wait helmrelease/podinfo --for=condition=ready --timeout=5m
      - name: flux tree
        run: |
          /tmp/flux tree kustomization flux-system | grep Service/podinfo
      - name: flux check
        run: |
          /tmp/flux check
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -50,14 +50,16 @@ jobs:
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Generate manifests
        run: |
-          make cmd/flux/manifests
+          make cmd/flux/.manifests.done
          ./manifests/scripts/bundle.sh "" ./output manifests.tar.gz
          kustomize build ./manifests/install > ./output/install.yaml
      - name: Build CRDs
        run: |
          kustomize build manifests/crds > all-crds.yaml
      # Pinned to commit before https://github.com/fluxcd/pkg/pull/189 due to
      # introduction faulty behavior.
      - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg//actions/crdjsonschema@main
+        uses: fluxcd/pkg//actions/crdjsonschema@49e26aa2ee9e734c3233c560253fd9542afe18ae
        with:
          crd: all-crds.yaml
          output: schemas
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -31,7 +31,7 @@ jobs:
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build manifests
        run: |
-          make cmd/flux/manifests
+          make cmd/flux/.manifests.done
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/golang@master
        continue-on-error: true
--- a/.gitignore
+++ b/.gitignore
@@ -19,6 +19,7 @@ dist/
 bin/
 output/
 cmd/flux/manifests/
 cmd/flux/.manifests.done
 # Docs
 site/
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -49,9 +49,17 @@ brews:
    folder: Formula
    homepage: "https://fluxcd.io/"
    description: "Flux CLI"
-    dependencies:
+    install: |
-      - name: kubectl
+      bin.install "flux"
-        type: optional
+
      bash_output = Utils.safe_popen_read(bin/"flux", "completion", "bash")
      (bash_completion/"flux").write bash_output
      zsh_output = Utils.safe_popen_read(bin/"flux", "completion", "zsh")
      (zsh_completion/"_flux").write zsh_output
      fish_output = Utils.safe_popen_read(bin/"flux", "completion", "fish")
      (fish_completion/"flux.fish").write fish_output
    test: |
      system "#{bin}/flux --version"
 publishers:
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -30,7 +30,7 @@ you can sign your commit automatically with `git commit -s`.
 For realtime communications we use Slack: To join the conversation, simply
 join the [CNCF](https://slack.cncf.io/) Slack workspace and use the
-[#flux-dev](https://cloud-native.slack.com/messages/flux-dev/) channel.
+[#flux-contributors](https://cloud-native.slack.com/messages/flux-contributors/) channel.
 To discuss ideas and specifications we use [Github
 Discussions](https://github.com/fluxcd/flux2/discussions).
@@ -63,20 +63,45 @@ To get started with developing controllers, you might want to review
 walks you through writing a short and concise controller that watches out
 for source changes.
-### How to run the test suite
+## How to run the test suite
 Prerequisites:
 * go >= 1.16
-* kubectl >= 1.18
+* kubectl >= 1.19
-* kustomize >= 3.1
+* kustomize >= 4.0
-You can run the unit tests by simply doing
+Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
 ```bash
 make install-envtest
 ```
 Then you can run the unit tests with:
 ```bash
 make test
 ```
 After [installing Kubernetes kind](https://kind.sigs.k8s.io/docs/user/quick-start#installation) on your machine,
 create a cluster for testing with:
 ```bash
 make setup-kind
 ```
 Then you can run the end-to-end tests with:
 ```bash
 make e2e
 ```
 Teardown the e2e environment with:
 ```bash
 make cleanup-kind
 ```
 ## Acceptance policy
 These things will make a PR more likely to be accepted:
--- a/6
+++ b/6
@@ -1,15 +1,15 @@
-FROM alpine:3.13 as builder
+FROM alpine:3.14 as builder
 RUN apk add --no-cache ca-certificates curl
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.20.4
+ARG KUBECTL_VER=1.22.2
 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
    kubectl version --client=true
-FROM alpine:3.13 as flux-cli
+FROM alpine:3.14 as flux-cli
 # Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
 # https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
--- a/4
+++ b/4
@@ -12,7 +12,9 @@ should.
 In alphabetical order:
-Aurel Canciu, Sortlist <aurel@sortlist.com> (github: @relu, slack: relu)
+Aurel Canciu, NexHealth <aurel.canciu@nexhealth.com> (github: @relu, slack: relu)
 Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
 Max Jonas Werner, D2iQ <max@e13.dev> (github: @makkes, slack: max)
 Philip Laine, Xenit <philip.laine@xenit.se> (github: @phillebaba, slack: phillebaba)
 Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)
 Sunny, Weaveworks <sunny@weave.works> (github: @darkowlzz, slack: darkowlzz)
--- a/66
+++ b/66
@@ -1,5 +1,15 @@
-VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | tr -d '"')
+VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | head -n 1 | tr -d '"')
-EMBEDDED_MANIFESTS_TARGET=cmd/flux/manifests
+EMBEDDED_MANIFESTS_TARGET=cmd/flux/.manifests.done
 TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
 ENVTEST_BIN_VERSION?=latest
 KUBEBUILDER_ASSETS?=$(shell $(SETUP_ENVTEST) use -i $(ENVTEST_BIN_VERSION) -p path)
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
 else
 GOBIN=$(shell go env GOBIN)
 endif
 rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2)) $(filter $(subst *,%,$(2)),$(d)))
@@ -14,17 +24,61 @@ fmt:
 vet:
 	go vet ./...
-test: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet
+setup-kind:
-	go test ./... -coverprofile cover.out
+	kind create cluster --name=flux-e2e-test --kubeconfig=$(TEST_KUBECONFIG) --config=.github/kind/config.yaml
 	kubectl --kubeconfig=$(TEST_KUBECONFIG) apply -f https://docs.projectcalico.org/v3.16/manifests/calico.yaml
 	kubectl --kubeconfig=$(TEST_KUBECONFIG) -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
 cleanup-kind:
 	kind delete cluster --name=flux-e2e-test
 	rm $(TEST_KUBECONFIG)
 test: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet install-envtest
 	KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test ./... -coverprofile cover.out --tags=unit
 e2e: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet
 	TEST_KUBECONFIG=$(TEST_KUBECONFIG) go test ./cmd/flux/... -coverprofile e2e.cover.out --tags=e2e -v -failfast
 test-with-kind: install-envtest
 	make setup-kind
 	make e2e
 	make cleanup-kind
 $(EMBEDDED_MANIFESTS_TARGET): $(call rwildcard,manifests/,*.yaml *.json)
 	./manifests/scripts/bundle.sh
 	touch $@
 build: $(EMBEDDED_MANIFESTS_TARGET)
-	CGO_ENABLED=0 go build -o ./bin/flux ./cmd/flux
+	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(VERSION)" -o ./bin/flux ./cmd/flux
 .PHONY: install
 install:
-	go install cmd/flux
+	CGO_ENABLED=0 go install ./cmd/flux
 install-dev:
 	CGO_ENABLED=0 go build -o /usr/local/bin ./cmd/flux
 install-envtest:  setup-envtest
 	 $(SETUP_ENVTEST) use $(ENVTEST_BIN_VERSION)
 setup-bootstrap-patch:
 	go run ./tests/bootstrap/main.go
 setup-image-automation:
 	cd tests/image-automation && go run main.go
 # Find or download setup-envtest
 setup-envtest:
 ifeq (, $(shell which setup-envtest))
 	@{ \
 	set -e ;\
 	SETUP_ENVTEST_TMP_DIR=$$(mktemp -d) ;\
 	cd $$SETUP_ENVTEST_TMP_DIR ;\
 	go mod init tmp ;\
 	go get sigs.k8s.io/controller-runtime/tools/setup-envtest@latest ;\
 	rm -rf $$SETUP_ENVTEST_TMP_DIR ;\
 	}
 SETUP_ENVTEST=$(GOBIN)/setup-envtest
 else
 SETUP_ENVTEST=$(shell which setup-envtest)
 endif
--- a/README.md
+++ b/README.md
@@ -20,59 +20,15 @@ Flux v2 is constructed with the [GitOps Toolkit](#gitops-toolkit), a
 set of composable APIs and specialized tools for building Continuous
 Delivery on top of Kubernetes.
-## Flux installation
+Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) project.
-With [Homebrew](https://brew.sh) for macOS and Linux:
+## Quickstart and documentation
-```sh
+To get started check out this [guide](https://fluxcd.io/docs/get-started/)
-brew install fluxcd/tap/flux
+on how to bootstrap Flux on Kubernetes and deploy a sample application in a GitOps manner.
 ```
-With [GoFish](https://gofi.sh) for Windows, macOS and Linux:
+For more comprehensive documentation, see the following guides:
-
+- [Ways of structuring your repositories](https://fluxcd.io/docs/guides/repository-structure/)
 ```sh
 gofish install flux
 ```
 With Bash for macOS and Linux:
 ```sh
 curl -s https://fluxcd.io/install.sh | sudo bash
 # enable completions in ~/.bash_profile
 . <(flux completion bash)
 ```
 Arch Linux (AUR) packages:
 - [flux-bin](https://aur.archlinux.org/packages/flux-bin): install the latest
  stable version using a pre-build binary (recommended)
 - [flux-go](https://aur.archlinux.org/packages/flux-go): build the latest
  stable version from source code
 - [flux-scm](https://aur.archlinux.org/packages/flux-scm): build the latest
  (unstable) version from source code from our git `main` branch
 Binaries for macOS AMD64/ARM64, Linux AMD64/ARM/ARM64 and Windows are available to
 download on the [release page](https://github.com/fluxcd/flux2/releases).
 A multi-arch container image with `kubectl` and `flux` is available on Docker Hub and GitHub:
 * `docker.io/fluxcd/flux-cli:<version>`
 * `ghcr.io/fluxcd/flux-cli:<version>`
 Verify that your cluster satisfies the prerequisites with:
 ```sh
 flux check --pre
 ```
 ## Get started
 To get started with Flux, start [browsing the
 documentation](https://fluxcd.io/docs/) or get started with one of
 the following guides:
 - [Get started with Flux](https://fluxcd.io/docs/get-started/)
 - [Manage Helm Releases](https://fluxcd.io/docs/guides/helmreleases/)
 - [Automate image updates to Git](https://fluxcd.io/docs/guides/image-update/)  
 - [Manage Kubernetes secrets with Mozilla SOPS](https://fluxcd.io/docs/guides/mozilla-sops/)  
@@ -133,7 +89,9 @@ new contributors and there are a multitude of ways to get involved.
 ### Events
-Check out our **[events calendar](https://fluxcd.io/community/#talks)**,
+Check out our **[events calendar](https://fluxcd.io/#calendar)**,
-both with upcoming talks you can attend or past events videos you can watch.
+both with upcoming talks, events and meetings you can attend.
 Or view the **[resources section](https://fluxcd.io/resources)**
 with past events videos you can watch.
 We look forward to seeing you with us!
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -20,6 +20,7 @@ import (
 	"crypto/elliptic"
 	"fmt"
 	"os"
 	"strings"
 	"github.com/spf13/cobra"
@@ -67,6 +68,10 @@ type bootstrapFlags struct {
 	authorName  string
 	authorEmail string
 	gpgKeyRingPath string
 	gpgPassphrase  string
 	gpgKeyID       string
 	commitMessageAppendix string
 }
@@ -118,6 +123,10 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.authorName, "author-name", "Flux", "author name for Git commits")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.authorEmail, "author-email", "", "author email for Git commits")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgKeyRingPath, "gpg-key-ring", "", "path to GPG key ring for signing commits")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgPassphrase, "gpg-passphrase", "", "passphrase for decrypting GPG private key")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgKeyID, "gpg-key-id", "", "key id for selecting a particular key")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.commitMessageAppendix, "commit-message-appendix", "", "string to add to the commit messages, e.g. '[ci skip]'")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.arch, "arch", bootstrapArgs.arch.Description())
@@ -131,7 +140,7 @@ func NewBootstrapFlags() bootstrapFlags {
 	return bootstrapFlags{
 		logLevel:           flags.LogLevel(rootArgs.defaults.LogLevel),
 		requiredComponents: []string{"source-controller", "kustomize-controller"},
-		keyAlgorithm:       flags.PublicKeyAlgorithm(sourcesecret.RSAPrivateKeyAlgorithm),
+		keyAlgorithm:       flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		keyRSABits:         2048,
 		keyECDSACurve:      flags.ECDSACurve{Curve: elliptic.P384()},
 	}
@@ -174,6 +183,10 @@ func mapTeamSlice(s []string, defaultPermission string) map[string]string {
 	m := make(map[string]string, len(s))
 	for _, v := range s {
 		m[v] = defaultPermission
 		if s := strings.Split(v, ":"); len(s) == 2 {
 			m[s[0]] = s[1]
 		}
 	}
 	return m
 }
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@@ -0,0 +1,279 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"time"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 var bootstrapBServerCmd = &cobra.Command{
 	Use:   "bitbucket-server",
 	Short: "Bootstrap toolkit components in a Bitbucket Server repository",
 	Long: `The bootstrap bitbucket-server command creates the Bitbucket Server repository if it doesn't exists and
 commits the toolkit components manifests to the master branch.
 Then it configures the target cluster to synchronize with the repository.
 If the toolkit components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a Bitbucket Server API token and export it as an env var
  export BITBUCKET_TOKEN=<my-token>
  # Run bootstrap for a private repository using HTTPS token authentication
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth
  # Run bootstrap for a private repository using SSH authentication
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain>
  # Run bootstrap for a repository path
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --path=dev-cluster --hostname=<domain>
  # Run bootstrap for a public repository on a personal account
  flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth
  # Run bootstrap for a an existing repository with a branch named main
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth`,
 	RunE: bootstrapBServerCmdRun,
 }
 const (
 	bServerDefaultPermission = "push"
 	bServerTokenEnvVar       = "BITBUCKET_TOKEN"
 )
 type bServerFlags struct {
 	owner        string
 	repository   string
 	interval     time.Duration
 	personal     bool
 	username     string
 	private      bool
 	hostname     string
 	path         flags.SafeRelativePath
 	teams        []string
 	readWriteKey bool
 	reconcile    bool
 }
 var bServerArgs bServerFlags
 func init() {
 	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.owner, "owner", "", "Bitbucket Server user or project name")
 	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.repository, "repository", "", "Bitbucket Server repository name")
 	bootstrapBServerCmd.Flags().StringSliceVar(&bServerArgs.teams, "group", []string{}, "Bitbucket Server groups to be given write access (also accepts comma-separated values)")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.personal, "personal", false, "if true, the owner is assumed to be a Bitbucket Server user; otherwise a group")
 	bootstrapBServerCmd.Flags().StringVarP(&bServerArgs.username, "username", "u", "git", "authentication username")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.private, "private", true, "if true, the repository is setup or configured as private")
 	bootstrapBServerCmd.Flags().DurationVar(&bServerArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.hostname, "hostname", "", "Bitbucket Server hostname")
 	bootstrapBServerCmd.Flags().Var(&bServerArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
 	bootstrapCmd.AddCommand(bootstrapBServerCmd)
 }
 func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 	bitbucketToken := os.Getenv(bServerTokenEnvVar)
 	if bitbucketToken == "" {
 		var err error
 		bitbucketToken, err = readPasswordFromStdin("Please enter your Bitbucket personal access token (PAT): ")
 		if err != nil {
 			return fmt.Errorf("could not read token: %w", err)
 		}
 	}
 	if bServerArgs.hostname == "" {
 		return fmt.Errorf("invalid hostname %q", bServerArgs.hostname)
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err == nil {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
 	user := bServerArgs.username
 	if bServerArgs.personal {
 		user = bServerArgs.owner
 	}
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Build Bitbucket Server provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderStash,
 		Hostname: bServerArgs.hostname,
 		Username: user,
 		Token:    bitbucketToken,
 		CaBundle: caBundle,
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}
 	// Lazy go-git repository
 	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	gitClient := gogit.New(tmpDir, &http.BasicAuth{
 		Username: user,
 		Password: bitbucketToken,
 	})
 	// Install manifest config
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
 		Namespace:              rootArgs.namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             bServerArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
 		Namespace:    rootArgs.namespace,
 		TargetPath:   bServerArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
 	if bootstrapArgs.tokenAuth {
 		if bServerArgs.personal {
 			secretOpts.Username = bServerArgs.owner
 		} else {
 			secretOpts.Username = bServerArgs.username
 		}
 		secretOpts.Password = bitbucketToken
 		if bootstrapArgs.caFile != "" {
 			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		secretOpts.SSHHostname = bServerArgs.hostname
 		if bootstrapArgs.privateKeyFile != "" {
 			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
 		}
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
 	}
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          bServerArgs.interval,
 		Name:              rootArgs.namespace,
 		Namespace:         rootArgs.namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        bServerArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(bServerArgs.owner, bServerArgs.repository, bServerArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
 		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
 		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
 	if bootstrapArgs.tokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
 	if !bServerArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
 	if bServerArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
 	// Run
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -171,8 +171,14 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-		// Configure repository URL to match auth config for sync.
+		// Configure repository URL to match auth config for sync
-		repositoryURL.User = url.User(gitArgs.username)
+
 		// Override existing user when user is not already set
 		// or when a username was passed in
 		if repositoryURL.User == nil || gitArgs.username != "git" {
 			repositoryURL.User = url.User(gitArgs.username)
 		}
 		repositoryURL.Scheme = "ssh"
 		if bootstrapArgs.sshHostname != "" {
 			repositoryURL.Host = bootstrapArgs.sshHostname
@@ -199,6 +205,15 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitOption{
 		bootstrap.WithRepositoryURL(gitArgs.url),
@@ -208,6 +223,8 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
 		bootstrap.WithPostGenerateSecretFunc(promptPublicKey),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
 		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	// Setup bootstrapper with constructed configs
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -52,6 +52,9 @@ the bootstrap command will perform an upgrade if needed.`,
  # Run bootstrap for a private repository and assign organization teams to it
  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug>
  # Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level>
  # Run bootstrap for a repository path
  flux bootstrap github --owner=<organization> --repository=<repository name> --path=dev-cluster
@@ -93,7 +96,7 @@ var githubArgs githubFlags
 func init() {
 	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.owner, "owner", "", "GitHub user or organization name")
 	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.repository, "repository", "", "GitHub repository name")
-	bootstrapGitHubCmd.Flags().StringSliceVar(&githubArgs.teams, "team", []string{}, "GitHub team to be given maintainer access (also accepts comma-separated values)")
+	bootstrapGitHubCmd.Flags().StringSliceVar(&githubArgs.teams, "team", []string{}, "GitHub team and the access to be given to it(team:maintain). Defaults to maintainer access if no access level is specified (also accepts comma-separated values)")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.personal, "personal", false, "if true, the owner is assumed to be a GitHub user; otherwise an org")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.private, "private", true, "if true, the repository is setup or configured as private")
 	bootstrapGitHubCmd.Flags().DurationVar(&githubArgs.interval, "interval", time.Minute, "sync interval")
@@ -108,7 +111,11 @@ func init() {
 func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	ghToken := os.Getenv(ghTokenEnvVar)
 	if ghToken == "" {
-		return fmt.Errorf("%s environment variable not found", ghTokenEnvVar)
+		var err error
 		ghToken, err = readPasswordFromStdin("Please enter your GitHub personal access token (PAT): ")
 		if err != nil {
 			return fmt.Errorf("could not read token: %w", err)
 		}
 	}
 	if err := bootstrapValidate(); err != nil {
@@ -133,11 +140,20 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	defer os.RemoveAll(manifestsBase)
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Build GitHub provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitHub,
 		Hostname: githubArgs.hostname,
 		Token:    ghToken,
 		CaBundle: caBundle,
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
@@ -226,6 +242,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithReadWriteKeyPermissions(githubArgs.readWriteKey),
 		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -108,7 +108,11 @@ func init() {
 func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	glToken := os.Getenv(glTokenEnvVar)
 	if glToken == "" {
-		return fmt.Errorf("%s environment variable not found", glTokenEnvVar)
+		var err error
 		glToken, err = readPasswordFromStdin("Please enter your GitLab personal access token (PAT): ")
 		if err != nil {
 			return fmt.Errorf("could not read token: %w", err)
 		}
 	}
 	if projectNameIsValid, err := regexp.MatchString(gitlabProjectRegex, gitlabArgs.repository); err != nil || !projectNameIsValid {
@@ -140,11 +144,21 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	defer os.RemoveAll(manifestsBase)
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Build GitLab provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitLab,
 		Hostname: gitlabArgs.hostname,
 		Token:    glToken,
 		CaBundle: caBundle,
 	}
 	// Workaround for: https://github.com/fluxcd/go-git-providers/issues/55
 	if hostname := providerCfg.Hostname; hostname != glDefaultDomain &&
@@ -242,6 +256,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithReadWriteKeyPermissions(gitlabArgs.readWriteKey),
 		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -18,21 +18,19 @@ package main
 import (
 	"context"
 	"encoding/json"
 	"os"
 	"os/exec"
 	"time"
 	"github.com/Masterminds/semver/v3"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/api/apps/v1"
 	apimachineryversion "k8s.io/apimachinery/pkg/version"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/version"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/status"
 )
@@ -54,10 +52,14 @@ type checkFlags struct {
 	pre             bool
 	components      []string
 	extraComponents []string
 	pollInterval    time.Duration
 }
-type kubectlVersion struct {
+var kubernetesConstraints = []string{
-	ClientVersion *apimachineryversion.Info `json:"clientVersion"`
+	">=1.19.0-0",
 	">=1.16.11-0 <=1.16.15-0",
 	">=1.17.7-0 <=1.17.17-0",
 	">=1.18.4-0 <=1.18.20-0",
 }
 var checkArgs checkFlags
@@ -69,23 +71,18 @@ func init() {
 		"list of components, accepts comma-separated values")
 	checkCmd.Flags().StringSliceVar(&checkArgs.extraComponents, "components-extra", nil,
 		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
 	checkCmd.Flags().DurationVar(&checkArgs.pollInterval, "poll-interval", 5*time.Second,
 		"how often the health checker should poll the cluster for the latest state of the resources.")
 	rootCmd.AddCommand(checkCmd)
 }
 func runCheckCmd(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	logger.Actionf("checking prerequisites")
 	checkFailed := false
 	fluxCheck()
-	if !kubectlCheck(ctx, ">=1.18.0-0") {
+	if !kubernetesCheck(kubernetesConstraints) {
 		checkFailed = true
 	}
 	if !kubernetesCheck(">=1.16.0-0") {
 		checkFailed = true
 	}
@@ -130,43 +127,7 @@ func fluxCheck() {
 	}
 }
-func kubectlCheck(ctx context.Context, constraint string) bool {
+func kubernetesCheck(constraints []string) bool {
 	_, err := exec.LookPath("kubectl")
 	if err != nil {
 		logger.Failuref("kubectl not found")
 		return false
 	}
 	kubectlArgs := []string{"version", "--client", "--output", "json"}
 	output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, rootArgs.kubeconfig, rootArgs.kubecontext, kubectlArgs...)
 	if err != nil {
 		logger.Failuref("kubectl version can't be determined")
 		return false
 	}
 	kv := &kubectlVersion{}
 	if err = json.Unmarshal([]byte(output), kv); err != nil {
 		logger.Failuref("kubectl version output can't be unmarshalled")
 		return false
 	}
 	v, err := version.ParseVersion(kv.ClientVersion.GitVersion)
 	if err != nil {
 		logger.Failuref("kubectl version can't be parsed")
 		return false
 	}
 	c, _ := semver.NewConstraint(constraint)
 	if !c.Check(v) {
 		logger.Failuref("kubectl version %s < %s", v.Original(), constraint)
 		return false
 	}
 	logger.Successf("kubectl %s %s", v.String(), constraint)
 	return true
 }
 func kubernetesCheck(constraint string) bool {
 	cfg, err := utils.KubeConfig(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
@@ -191,13 +152,23 @@ func kubernetesCheck(constraint string) bool {
 		return false
 	}
-	c, _ := semver.NewConstraint(constraint)
+	var valid bool
-	if !c.Check(v) {
+	var vrange string
-		logger.Failuref("Kubernetes version %s < %s", v.Original(), constraint)
+	for _, constraint := range constraints {
 		c, _ := semver.NewConstraint(constraint)
 		if c.Check(v) {
 			valid = true
 			vrange = constraint
 			break
 		}
 	}
 	if !valid {
 		logger.Failuref("Kubernetes version %s does not match %s", v.Original(), constraints[0])
 		return false
 	}
-	logger.Successf("Kubernetes %s %s", v.String(), constraint)
+	logger.Successf("Kubernetes %s %s", v.String(), vrange)
 	return true
 }
@@ -210,7 +181,7 @@ func componentsCheck() bool {
 		return false
 	}
-	statusChecker, err := status.NewStatusChecker(kubeConfig, time.Second, rootArgs.timeout, logger)
+	statusChecker, err := status.NewStatusChecker(kubeConfig, checkArgs.pollInterval, rootArgs.timeout, logger)
 	if err != nil {
 		return false
 	}
@@ -221,7 +192,7 @@ func componentsCheck() bool {
 	}
 	ok := true
-	selector := client.MatchingLabels{"app.kubernetes.io/instance": rootArgs.namespace}
+	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list v1.DeploymentList
 	if err := kubeClient.List(ctx, &list, client.InNamespace(rootArgs.namespace), selector); err == nil {
 		for _, d := range list.Items {
--- a/cmd/flux/check_test.go
+++ b/cmd/flux/check_test.go
@@ -0,0 +1,51 @@
 // +build e2e
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"encoding/json"
 	"strings"
 	"testing"
 	"github.com/fluxcd/flux2/internal/utils"
 	"k8s.io/apimachinery/pkg/version"
 )
 func TestCheckPre(t *testing.T) {
 	jsonOutput, err := utils.ExecKubectlCommand(context.TODO(), utils.ModeCapture, rootArgs.kubeconfig, rootArgs.kubecontext, "version", "--output", "json")
 	if err != nil {
 		t.Fatalf("Error running utils.ExecKubectlCommand: %v", err.Error())
 	}
 	var versions map[string]version.Info
 	if err := json.Unmarshal([]byte(jsonOutput), &versions); err != nil {
 		t.Fatalf("Error unmarshalling: %v", err.Error())
 	}
 	serverVersion := strings.TrimPrefix(versions["serverVersion"].GitVersion, "v")
 	cmd := cmdTestCase{
 		args: "check --pre",
 		assert: assertGoldenTemplateFile("testdata/check/check_pre.golden", map[string]string{
 			"serverVersion": serverVersion,
 		}),
 	}
 	cmd.runTestCmd(t)
 }
--- a/cmd/flux/completion.go
+++ b/cmd/flux/completion.go
@@ -17,7 +17,18 @@ limitations under the License.
 package main
 import (
 	"context"
 	"strings"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/discovery"
 	memory "k8s.io/client-go/discovery/cached"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/restmapper"
 )
 var completionCmd = &cobra.Command{
@@ -29,3 +40,77 @@ var completionCmd = &cobra.Command{
 func init() {
 	rootCmd.AddCommand(completionCmd)
 }
 func contextsCompletionFunc(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 	rawConfig, err := utils.ClientConfig(rootArgs.kubeconfig, rootArgs.kubecontext).RawConfig()
 	if err != nil {
 		return completionError(err)
 	}
 	var comps []string
 	for name := range rawConfig.Contexts {
 		if strings.HasPrefix(name, toComplete) {
 			comps = append(comps, name)
 		}
 	}
 	return comps, cobra.ShellCompDirectiveNoFileComp
 }
 func resourceNamesCompletionFunc(gvk schema.GroupVersionKind) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 		defer cancel()
 		cfg, err := utils.KubeConfig(rootArgs.kubeconfig, rootArgs.kubecontext)
 		if err != nil {
 			return completionError(err)
 		}
 		dc, err := discovery.NewDiscoveryClientForConfig(cfg)
 		if err != nil {
 			return completionError(err)
 		}
 		mapper := restmapper.NewDeferredDiscoveryRESTMapper(memory.NewMemCacheClient(dc))
 		mapping, err := mapper.RESTMapping(gvk.GroupKind(), gvk.Version)
 		if err != nil {
 			return completionError(err)
 		}
 		client, err := dynamic.NewForConfig(cfg)
 		if err != nil {
 			return completionError(err)
 		}
 		var dr dynamic.ResourceInterface
 		if mapping.Scope.Name() == meta.RESTScopeNameNamespace {
 			dr = client.Resource(mapping.Resource).Namespace(rootArgs.namespace)
 		} else {
 			dr = client.Resource(mapping.Resource)
 		}
 		list, err := dr.List(ctx, metav1.ListOptions{})
 		if err != nil {
 			return completionError(err)
 		}
 		var comps []string
 		for _, item := range list.Items {
 			name := item.GetName()
 			if strings.HasPrefix(name, toComplete) {
 				comps = append(comps, name)
 			}
 		}
 		return comps, cobra.ShellCompDirectiveNoFileComp
 	}
 }
 func completionError(err error) ([]string, cobra.ShellCompDirective) {
 	cobra.CompError(err.Error())
 	return nil, cobra.ShellCompDirectiveError
 }
--- a/cmd/flux/completion_zsh.go
+++ b/cmd/flux/completion_zsh.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main
 import (
 	"fmt"
 	"os"
 	"github.com/spf13/cobra"
@@ -27,12 +28,12 @@ var completionZshCmd = &cobra.Command{
 	Short: "Generates zsh completion scripts",
 	Example: `To load completion run
-. <(flux completion zsh) && compdef _flux flux
+. <(flux completion zsh)
 To configure your zsh shell to load completions for each session add to your zshrc
 # ~/.zshrc or ~/.profile
-command -v flux >/dev/null && . <(flux completion zsh) && compdef _flux flux
+command -v flux >/dev/null && . <(flux completion zsh)
 or write a cached file in one of the completion directories in your ${fpath}:
@@ -43,6 +44,8 @@ mv _flux ~/.oh-my-zsh/completions  # oh-my-zsh
 mv _flux ~/.zprezto/modules/completion/external/src/  # zprezto`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenZshCompletion(os.Stdout)
 		// Cobra doesn't source zsh completion file, explicitly doing it here
 		fmt.Println("compdef _flux flux")
 	},
 }
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@@ -182,18 +182,27 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 					},
 				},
 			},
 			Install: &helmv2.Install{
 				CreateNamespace: helmReleaseArgs.createNamespace,
 			},
 			Suspend: false,
 		},
 	}
 	if helmReleaseArgs.createNamespace {
 		if helmRelease.Spec.Install == nil {
 			helmRelease.Spec.Install = &helmv2.Install{}
 		}
 		helmRelease.Spec.Install.CreateNamespace = helmReleaseArgs.createNamespace
 	}
 	if helmReleaseArgs.saName != "" {
 		helmRelease.Spec.ServiceAccountName = helmReleaseArgs.saName
 	}
 	if helmReleaseArgs.crds != "" {
 		if helmRelease.Spec.Install == nil {
 			helmRelease.Spec.Install = &helmv2.Install{}
 		}
 		helmRelease.Spec.Install.CRDs = helmv2.Create
 		helmRelease.Spec.Upgrade = &helmv2.Upgrade{CRDs: helmv2.CRDsPolicy(helmReleaseArgs.crds.String())}
 	}
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@@ -105,7 +105,7 @@ func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 			Labels:    labels,
 		},
 		Spec: imagev1.ImagePolicySpec{
-			ImageRepositoryRef: meta.LocalObjectReference{
+			ImageRepositoryRef: meta.NamespacedObjectReference{
 				Name: imagePolicyArgs.imageRef,
 			},
 		},
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@@ -31,7 +31,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/flags"
@@ -49,7 +49,6 @@ var createKsCmd = &cobra.Command{
    --path="./examples/contour/" \
    --prune=true \
    --interval=10m \
    --validation=client \
    --health-check="Deployment/contour.projectcontour" \
    --health-check="DaemonSet/envoy.projectcontour" \
    --health-check-timeout=3m
@@ -60,8 +59,7 @@ var createKsCmd = &cobra.Command{
    --source=GitRepository/webapp \
    --path="./deploy/overlays/dev" \
    --prune=true \
-    --interval=5m \
+    --interval=5m
    --validation=client
  # Create a Kustomization using a source from a different namespace
  flux create kustomization podinfo \
@@ -69,8 +67,7 @@ var createKsCmd = &cobra.Command{
    --source=GitRepository/podinfo.flux-system \
    --path="./deploy/overlays/dev" \
    --prune=true \
-    --interval=5m \
+    --interval=5m
    --validation=client
  # Create a Kustomization resource that references a Bucket
  flux create kustomization secrets \
@@ -92,6 +89,7 @@ type kustomizationFlags struct {
 	decryptionProvider flags.DecryptionProvider
 	decryptionSecret   string
 	targetNamespace    string
 	wait               bool
 }
 var kustomizationArgs = NewKustomizationFlags()
@@ -100,6 +98,7 @@ func init() {
 	createKsCmd.Flags().Var(&kustomizationArgs.source, "source", kustomizationArgs.source.Description())
 	createKsCmd.Flags().Var(&kustomizationArgs.path, "path", "path to the directory containing a kustomization.yaml file")
 	createKsCmd.Flags().BoolVar(&kustomizationArgs.prune, "prune", false, "enable garbage collection")
 	createKsCmd.Flags().BoolVar(&kustomizationArgs.wait, "wait", false, "enable health checking of all the applied resources")
 	createKsCmd.Flags().StringSliceVar(&kustomizationArgs.healthCheck, "health-check", nil, "workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'")
 	createKsCmd.Flags().DurationVar(&kustomizationArgs.healthTimeout, "health-check-timeout", 2*time.Minute, "timeout of health checking operations")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.validation, "validation", "", "validate the manifests before applying them on the cluster, can be 'client' or 'server'")
@@ -108,6 +107,8 @@ func init() {
 	createKsCmd.Flags().Var(&kustomizationArgs.decryptionProvider, "decryption-provider", kustomizationArgs.decryptionProvider.Description())
 	createKsCmd.Flags().StringVar(&kustomizationArgs.decryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.targetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
 	createKsCmd.Flags().MarkDeprecated("validation", "this arg is no longer used, all resources are validated using server-side apply dry-run")
 	createCmd.AddCommand(createKsCmd)
 }
@@ -158,12 +159,11 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 				Namespace: kustomizationArgs.source.Namespace,
 			},
 			Suspend:         false,
 			Validation:      kustomizationArgs.validation,
 			TargetNamespace: kustomizationArgs.targetNamespace,
 		},
 	}
-	if len(kustomizationArgs.healthCheck) > 0 {
+	if len(kustomizationArgs.healthCheck) > 0 && !kustomizationArgs.wait {
 		healthChecks := make([]meta.NamespacedObjectKindReference, 0)
 		for _, w := range kustomizationArgs.healthCheck {
 			kindObj := strings.Split(w, "/")
@@ -204,6 +204,13 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 	if kustomizationArgs.wait {
 		kustomization.Spec.Wait = true
 		kustomization.Spec.Timeout = &metav1.Duration{
 			Duration: kustomizationArgs.healthTimeout,
 		}
 	}
 	if kustomizationArgs.saName != "" {
 		kustomization.Spec.ServiceAccountName = kustomizationArgs.saName
 	}
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -105,7 +105,7 @@ func init() {
 func NewSecretGitFlags() secretGitFlags {
 	return secretGitFlags{
-		keyAlgorithm: flags.PublicKeyAlgorithm(sourcesecret.RSAPrivateKeyAlgorithm),
+		keyAlgorithm: flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		rsaBits:      2048,
 		ecdsaCurve:   flags.ECDSACurve{Curve: elliptic.P384()},
 	}
@@ -161,7 +161,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if createArgs.export {
-		fmt.Println(secret.Content)
+		rootCmd.Println(secret.Content)
 		return nil
 	}
--- a/cmd/flux/create_secret_git_test.go
+++ b/cmd/flux/create_secret_git_test.go
@@ -0,0 +1,44 @@
 package main
 import (
 	"testing"
 )
 func TestCreateGitSecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "no args",
 			args:   "create secret git",
 			assert: assertError("secret name is required"),
 		},
 		{
 			name:   "basic secret",
 			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=my-username --password=my-password --namespace=my-namespace --export",
 			assert: assertGoldenFile("./testdata/create_secret/git/secret-git-basic.yaml"),
 		},
 		{
 			name:   "ssh key",
 			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa.private --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret.yaml"),
 		},
 		{
 			name:   "ssh key with password",
 			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@@ -94,7 +94,7 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if createArgs.export {
-		fmt.Println(secret.Content)
+		rootCmd.Println(secret.Content)
 		return nil
 	}
--- a/cmd/flux/create_secret_helm_test.go
+++ b/cmd/flux/create_secret_helm_test.go
@@ -0,0 +1,31 @@
 package main
 import (
 	"testing"
 )
 func TestCreateHelmSecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			args:   "create secret helm",
 			assert: assertError("secret name is required"),
 		},
 		{
 			args:   "create secret helm helm-secret --username=my-username --password=my-password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/helm/secret-helm.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@@ -91,7 +91,7 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if createArgs.export {
-		fmt.Println(secret.Content)
+		rootCmd.Print(secret.Content)
 		return nil
 	}
--- a/cmd/flux/create_secret_tls_test.go
+++ b/cmd/flux/create_secret_tls_test.go
@@ -0,0 +1,31 @@
 package main
 import (
 	"testing"
 )
 func TestCreateTlsSecretNoArgs(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			args:   "create secret tls",
 			assert: assertError("secret name is required"),
 		},
 		{
 			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_source.go
+++ b/cmd/flux/create_source.go
@@ -17,6 +17,8 @@ limitations under the License.
 package main
 import (
 	"time"
 	"github.com/spf13/cobra"
 )
@@ -26,6 +28,14 @@ var createSourceCmd = &cobra.Command{
 	Long:  "The create source sub-commands generate sources.",
 }
 type createSourceFlags struct {
 	fetchTimeout time.Duration
 }
 var createSourceArgs createSourceFlags
 func init() {
 	createSourceCmd.PersistentFlags().DurationVar(&createSourceArgs.fetchTimeout, "fetch-timeout", createSourceArgs.fetchTimeout,
 		"set a timeout for fetch operations performed by source-controller (e.g. 'git clone' or 'helm repo update')")
 	createCmd.AddCommand(createSourceCmd)
 }
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@@ -134,7 +134,12 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			},
 		},
 	}
-	if sourceHelmArgs.secretRef != "" {
+
 	if createSourceArgs.fetchTimeout > 0 {
 		bucket.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}
 	if sourceBucketArgs.secretRef != "" {
 		bucket.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: sourceBucketArgs.secretRef,
 		}
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@@ -56,6 +56,7 @@ type sourceGitFlags struct {
 	caFile            string
 	privateKeyFile    string
 	recurseSubmodules bool
 	silent            bool
 }
 var createSourceGitCmd = &cobra.Command{
@@ -135,13 +136,14 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSourceGitCmd.Flags().BoolVar(&sourceGitArgs.recurseSubmodules, "recurse-submodules", false,
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
 func newSourceGitFlags() sourceGitFlags {
 	return sourceGitFlags{
-		keyAlgorithm:  flags.PublicKeyAlgorithm(sourcesecret.RSAPrivateKeyAlgorithm),
+		keyAlgorithm:  flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		keyRSABits:    2048,
 		keyECDSACurve: flags.ECDSACurve{Curve: elliptic.P384()},
 	}
@@ -204,6 +206,10 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 	if createSourceArgs.fetchTimeout > 0 {
 		gitRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}
 	if sourceGitArgs.gitImplementation != "" {
 		gitRepository.Spec.GitImplementation = sourceGitArgs.gitImplementation.String()
 	}
@@ -272,12 +278,14 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			}
 			if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
 				logger.Generatef("deploy key: %s", ppk)
-				prompt := promptui.Prompt{
+				if !sourceGitArgs.silent {
-					Label:     "Have you added the deploy key to your repository",
+					prompt := promptui.Prompt{
-					IsConfirm: true,
+						Label:     "Have you added the deploy key to your repository",
-				}
+						IsConfirm: true,
-				if _, err := prompt.Run(); err != nil {
+					}
-					return fmt.Errorf("aborting")
+					if _, err := prompt.Run(); err != nil {
 						return fmt.Errorf("aborting")
 					}
 				}
 			}
 			logger.Actionf("applying secret with repository credentials")
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@@ -0,0 +1,147 @@
 // +build unit
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"testing"
 	"time"
 )
 var pollInterval = 50 * time.Millisecond
 var testTimeout = 10 * time.Second
 // Update the GitRepository once created to exercise test specific behavior
 type reconcileFunc func(repo *sourcev1.GitRepository)
 // reconciler waits for an object to be created, then invokes a test supplied
 // function to mutate that object, simulating a controller.
 // Test should invoke run() to run the background reconciler task which
 // polls to wait for the object to exist before applying the update function.
 // Any errors from the reconciler are asserted on test completion.
 type reconciler struct {
 	client    client.Client
 	name      types.NamespacedName
 	reconcile reconcileFunc
 }
 // Start the background task that waits for the object to exist then applies
 // the update function.
 func (r *reconciler) run(t *testing.T) {
 	result := make(chan error)
 	go func() {
 		defer close(result)
 		err := wait.PollImmediate(
 			pollInterval,
 			testTimeout,
 			r.conditionFunc)
 		result <- err
 	}()
 	t.Cleanup(func() {
 		if err := <-result; err != nil {
 			t.Errorf("Failure from test reconciler: '%v':", err.Error())
 		}
 	})
 }
 // A ConditionFunction that waits for the named GitRepository to be created,
 // then sets the ready condition to true.
 func (r *reconciler) conditionFunc() (bool, error) {
 	var repo sourcev1.GitRepository
 	if err := r.client.Get(context.Background(), r.name, &repo); err != nil {
 		if errors.IsNotFound(err) {
 			return false, nil // Keep polling until object is created
 		}
 		return true, err
 	}
 	r.reconcile(&repo)
 	err := r.client.Status().Update(context.Background(), &repo)
 	return true, err
 }
 func TestCreateSourceGit(t *testing.T) {
 	// Default command used for multiple tests
 	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --timeout=" + testTimeout.String()
 	cases := []struct {
 		name      string
 		args      string
 		assert    assertFunc
 		reconcile reconcileFunc
 	}{
 		{
 			"NoArgs",
 			"create source git",
 			assertError("GitRepository source name is required"),
 			nil,
 		}, {
 			"Succeeded",
 			command,
 			assertGoldenFile("testdata/create_source_git/success.golden"),
 			func(repo *sourcev1.GitRepository) {
 				meta.SetResourceCondition(repo, meta.ReadyCondition, metav1.ConditionTrue, sourcev1.GitOperationSucceedReason, "succeeded message")
 				repo.Status.Artifact = &sourcev1.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
 				}
 			},
 		}, {
 			"Failed",
 			command,
 			assertError("failed message"),
 			func(repo *sourcev1.GitRepository) {
 				meta.SetResourceCondition(repo, meta.ReadyCondition, metav1.ConditionFalse, sourcev1.URLInvalidReason, "failed message")
 			},
 		}, {
 			"NoArtifact",
 			command,
 			assertError("GitRepository source reconciliation completed but no artifact was found"),
 			func(repo *sourcev1.GitRepository) {
 				// Updated with no artifact
 				meta.SetResourceCondition(repo, meta.ReadyCondition, metav1.ConditionTrue, sourcev1.GitOperationSucceedReason, "succeeded message")
 			},
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			ns := allocateNamespace("podinfo")
 			setupTestNamespace(ns, t)
 			if tc.reconcile != nil {
 				r := reconciler{
 					client:    testEnv.client,
 					name:      types.NamespacedName{Namespace: ns, Name: "podinfo"},
 					reconcile: tc.reconcile,
 				}
 				r.run(t)
 			}
 			cmd := cmdTestCase{
 				args:   tc.args + " -n=" + ns,
 				assert: tc.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -129,6 +129,10 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 	if createSourceArgs.fetchTimeout > 0 {
 		helmRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}
 	if sourceHelmArgs.secretRef != "" {
 		helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: sourceHelmArgs.secretRef,
--- a/cmd/flux/delete_alert.go
+++ b/cmd/flux/delete_alert.go
@@ -28,6 +28,7 @@ var deleteAlertCmd = &cobra.Command{
 	Long:  "The delete alert command removes the given Alert from the cluster.",
 	Example: `  # Delete an Alert and the Kubernetes resources created by it
  flux delete alert main`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.AlertKind)),
 	RunE: deleteCommand{
 		apiType: alertType,
 		object:  universalAdapter{&notificationv1.Alert{}},
--- a/cmd/flux/delete_alertprovider.go
+++ b/cmd/flux/delete_alertprovider.go
@@ -28,6 +28,7 @@ var deleteAlertProviderCmd = &cobra.Command{
 	Long:  "The delete alert-provider command removes the given Provider from the cluster.",
 	Example: `  # Delete a Provider and the Kubernetes resources created by it
  flux delete alert-provider slack`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ProviderKind)),
 	RunE: deleteCommand{
 		apiType: alertProviderType,
 		object:  universalAdapter{&notificationv1.Provider{}},
--- a/cmd/flux/delete_helmrelease.go
+++ b/cmd/flux/delete_helmrelease.go
@@ -29,6 +29,7 @@ var deleteHelmReleaseCmd = &cobra.Command{
 	Long:    "The delete helmrelease command removes the given HelmRelease from the cluster.",
 	Example: `  # Delete a Helm release and the Kubernetes resources created by it
  flux delete hr podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
 	RunE: deleteCommand{
 		apiType: helmReleaseType,
 		object:  universalAdapter{&helmv2.HelmRelease{}},
--- a/cmd/flux/delete_image_policy.go
+++ b/cmd/flux/delete_image_policy.go
@@ -28,6 +28,7 @@ var deleteImagePolicyCmd = &cobra.Command{
 	Long:  "The delete image policy command deletes the given ImagePolicy from the cluster.",
 	Example: `  # Delete an image policy
  flux delete image policy alpine3.x`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
 	RunE: deleteCommand{
 		apiType: imagePolicyType,
 		object:  universalAdapter{&imagev1.ImagePolicy{}},
--- a/cmd/flux/delete_image_repository.go
+++ b/cmd/flux/delete_image_repository.go
@@ -28,6 +28,7 @@ var deleteImageRepositoryCmd = &cobra.Command{
 	Long:  "The delete image repository command deletes the given ImageRepository from the cluster.",
 	Example: `  # Delete an image repository
  flux delete image repository alpine`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
 	RunE: deleteCommand{
 		apiType: imageRepositoryType,
 		object:  universalAdapter{&imagev1.ImageRepository{}},
--- a/cmd/flux/delete_image_update.go
+++ b/cmd/flux/delete_image_update.go
@@ -28,6 +28,7 @@ var deleteImageUpdateCmd = &cobra.Command{
 	Long:  "The delete image update command deletes the given ImageUpdateAutomation from the cluster.",
 	Example: `  # Delete an image update automation
  flux delete image update latest-images`,
 	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
 	RunE: deleteCommand{
 		apiType: imageUpdateAutomationType,
 		object:  universalAdapter{&autov1.ImageUpdateAutomation{}},
--- a/cmd/flux/delete_kustomization.go
+++ b/cmd/flux/delete_kustomization.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 )
 var deleteKsCmd = &cobra.Command{
@@ -29,6 +29,7 @@ var deleteKsCmd = &cobra.Command{
 	Long:    "The delete kustomization command deletes the given Kustomization from the cluster.",
 	Example: `  # Delete a kustomization and the Kubernetes resources created by it
  flux delete kustomization podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE: deleteCommand{
 		apiType: kustomizationType,
 		object:  universalAdapter{&kustomizev1.Kustomization{}},
--- a/cmd/flux/delete_receiver.go
+++ b/cmd/flux/delete_receiver.go
@@ -28,6 +28,7 @@ var deleteReceiverCmd = &cobra.Command{
 	Long:  "The delete receiver command removes the given Receiver from the cluster.",
 	Example: `  # Delete an Receiver and the Kubernetes resources created by it
  flux delete receiver main`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)),
 	RunE: deleteCommand{
 		apiType: receiverType,
 		object:  universalAdapter{&notificationv1.Receiver{}},
--- a/cmd/flux/delete_source_bucket.go
+++ b/cmd/flux/delete_source_bucket.go
@@ -28,6 +28,7 @@ var deleteSourceBucketCmd = &cobra.Command{
 	Long:  "The delete source bucket command deletes the given Bucket from the cluster.",
 	Example: `  # Delete a Bucket source
  flux delete source bucket podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)),
 	RunE: deleteCommand{
 		apiType: bucketType,
 		object:  universalAdapter{&sourcev1.Bucket{}},
--- a/cmd/flux/delete_source_git.go
+++ b/cmd/flux/delete_source_git.go
@@ -28,6 +28,7 @@ var deleteSourceGitCmd = &cobra.Command{
 	Long:  "The delete source git command deletes the given GitRepository from the cluster.",
 	Example: `  # Delete a Git repository
  flux delete source git podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)),
 	RunE: deleteCommand{
 		apiType: gitRepositoryType,
 		object:  universalAdapter{&sourcev1.GitRepository{}},
--- a/cmd/flux/delete_source_helm.go
+++ b/cmd/flux/delete_source_helm.go
@@ -28,6 +28,7 @@ var deleteSourceHelmCmd = &cobra.Command{
 	Long:  "The delete source helm command deletes the given HelmRepository from the cluster.",
 	Example: `  # Delete a Helm repository
  flux delete source helm podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)),
 	RunE: deleteCommand{
 		apiType: helmRepositoryType,
 		object:  universalAdapter{&sourcev1.HelmRepository{}},
--- a/cmd/flux/export.go
+++ b/cmd/flux/export.go
@@ -113,8 +113,8 @@ func printExport(export interface{}) error {
 	if err != nil {
 		return err
 	}
-	fmt.Println("---")
+	rootCmd.Println("---")
-	fmt.Println(resourceToString(data))
+	rootCmd.Println(resourceToString(data))
 	return nil
 }
--- a/cmd/flux/export_alert.go
+++ b/cmd/flux/export_alert.go
@@ -32,6 +32,7 @@ var exportAlertCmd = &cobra.Command{
  # Export a Alert
  flux export alert main > main.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.AlertKind)),
 	RunE: exportCommand{
 		object: alertAdapter{&notificationv1.Alert{}},
 		list:   alertListAdapter{&notificationv1.AlertList{}},
--- a/cmd/flux/export_alertprovider.go
+++ b/cmd/flux/export_alertprovider.go
@@ -32,6 +32,7 @@ var exportAlertProviderCmd = &cobra.Command{
  # Export a Provider
  flux export alert-provider slack > slack.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ProviderKind)),
 	RunE: exportCommand{
 		object: alertProviderAdapter{&notificationv1.Provider{}},
 		list:   alertProviderListAdapter{&notificationv1.ProviderList{}},
--- a/cmd/flux/export_helmrelease.go
+++ b/cmd/flux/export_helmrelease.go
@@ -33,6 +33,7 @@ var exportHelmReleaseCmd = &cobra.Command{
  # Export a HelmRelease
  flux export hr my-app > app-release.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
 	RunE: exportCommand{
 		object: helmReleaseAdapter{&helmv2.HelmRelease{}},
 		list:   helmReleaseListAdapter{&helmv2.HelmReleaseList{}},
--- a/cmd/flux/export_image_policy.go
+++ b/cmd/flux/export_image_policy.go
@@ -32,6 +32,7 @@ var exportImagePolicyCmd = &cobra.Command{
  # Export a specific policy
  flux export image policy alpine1x > alpine1x.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
 	RunE: exportCommand{
 		object: imagePolicyAdapter{&imagev1.ImagePolicy{}},
 		list:   imagePolicyListAdapter{&imagev1.ImagePolicyList{}},
--- a/cmd/flux/export_image_repository.go
+++ b/cmd/flux/export_image_repository.go
@@ -32,6 +32,7 @@ var exportImageRepositoryCmd = &cobra.Command{
  # Export a specific ImageRepository resource
  flux export image repository alpine > alpine.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
 	RunE: exportCommand{
 		object: imageRepositoryAdapter{&imagev1.ImageRepository{}},
 		list:   imageRepositoryListAdapter{&imagev1.ImageRepositoryList{}},
--- a/cmd/flux/export_image_update.go
+++ b/cmd/flux/export_image_update.go
@@ -32,6 +32,7 @@ var exportImageUpdateCmd = &cobra.Command{
  # Export a specific automation
  flux export image update latest-images > latest.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
 	RunE: exportCommand{
 		object: imageUpdateAutomationAdapter{&autov1.ImageUpdateAutomation{}},
 		list:   imageUpdateAutomationListAdapter{&autov1.ImageUpdateAutomationList{}},
--- a/cmd/flux/export_kustomization.go
+++ b/cmd/flux/export_kustomization.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 )
 var exportKsCmd = &cobra.Command{
@@ -33,6 +33,7 @@ var exportKsCmd = &cobra.Command{
  # Export a Kustomization
  flux export kustomization my-app > kustomization.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE: exportCommand{
 		object: kustomizationAdapter{&kustomizev1.Kustomization{}},
 		list:   kustomizationListAdapter{&kustomizev1.KustomizationList{}},
--- a/cmd/flux/export_receiver.go
+++ b/cmd/flux/export_receiver.go
@@ -32,6 +32,7 @@ var exportReceiverCmd = &cobra.Command{
  # Export a Receiver
  flux export receiver main > main.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)),
 	RunE: exportCommand{
 		list:   receiverListAdapter{&notificationv1.ReceiverList{}},
 		object: receiverAdapter{&notificationv1.Receiver{}},
--- a/cmd/flux/export_source_bucket.go
+++ b/cmd/flux/export_source_bucket.go
@@ -33,6 +33,7 @@ var exportSourceBucketCmd = &cobra.Command{
  # Export a Bucket source including the static credentials
  flux export source bucket my-bucket --with-credentials > source.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)),
 	RunE: exportWithSecretCommand{
 		list:   bucketListAdapter{&sourcev1.BucketList{}},
 		object: bucketAdapter{&sourcev1.Bucket{}},
--- a/cmd/flux/export_source_git.go
+++ b/cmd/flux/export_source_git.go
@@ -33,6 +33,7 @@ var exportSourceGitCmd = &cobra.Command{
  # Export a GitRepository source including the SSH key pair or basic auth credentials
  flux export source git my-private-repo --with-credentials > source.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)),
 	RunE: exportWithSecretCommand{
 		object: gitRepositoryAdapter{&sourcev1.GitRepository{}},
 		list:   gitRepositoryListAdapter{&sourcev1.GitRepositoryList{}},
--- a/cmd/flux/export_source_helm.go
+++ b/cmd/flux/export_source_helm.go
@@ -33,6 +33,7 @@ var exportSourceHelmCmd = &cobra.Command{
  # Export a HelmRepository source including the basic auth credentials
  flux export source helm my-private-repo --with-credentials > source.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)),
 	RunE: exportWithSecretCommand{
 		list:   helmRepositoryListAdapter{&sourcev1.HelmRepositoryList{}},
 		object: helmRepositoryAdapter{&sourcev1.HelmRepository{}},
--- a/cmd/flux/export_test.go
+++ b/cmd/flux/export_test.go
@@ -0,0 +1,88 @@
 // +build unit
 package main
 import (
 	"testing"
 )
 func TestExport(t *testing.T) {
 	cases := []struct {
 		name       string
 		arg        string
 		goldenFile string
 	}{
 		{
 			"alert-provider",
 			"export alert-provider slack",
 			"testdata/export/provider.yaml",
 		},
 		{
 			"alert",
 			"export alert flux-system",
 			"testdata/export/alert.yaml",
 		},
 		{
 			"image policy",
 			"export image policy flux-system",
 			"testdata/export/image-policy.yaml",
 		},
 		{
 			"image repository",
 			"export image repository flux-system",
 			"testdata/export/image-repo.yaml",
 		},
 		{
 			"image update",
 			"export image update flux-system",
 			"testdata/export/image-update.yaml",
 		},
 		{
 			"source git",
 			"export source git flux-system",
 			"testdata/export/git-repo.yaml",
 		},
 		{
 			"source helm",
 			"export source helm flux-system",
 			"testdata/export/helm-repo.yaml",
 		},
 		{
 			"receiver",
 			"export receiver flux-system",
 			"testdata/export/receiver.yaml",
 		},
 		{
 			"kustomization",
 			"export kustomization flux-system",
 			"testdata/export/ks.yaml",
 		},
 		{
 			"helmrelease",
 			"export helmrelease flux-system",
 			"testdata/export/helm-release.yaml",
 		},
 		{
 			"bucket",
 			"export source bucket flux-system",
 			"testdata/export/bucket.yaml",
 		},
 	}
 	objectFile := "testdata/export/objects.yaml"
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	testEnv.CreateObjectFile(objectFile, tmpl, t)
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.arg + " -n=" + tmpl["fluxns"],
 				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/get.go
+++ b/cmd/flux/get.go
@@ -177,7 +177,7 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	utils.PrintTable(os.Stdout, header, rows)
+	utils.PrintTable(cmd.OutOrStdout(), header, rows)
 	if getAll {
 		fmt.Println()
--- a/cmd/flux/get_alert.go
+++ b/cmd/flux/get_alert.go
@@ -34,6 +34,7 @@ var getAlertCmd = &cobra.Command{
 	Long:    "The get alert command prints the statuses of the resources.",
 	Example: `  # List all Alerts and their status
  flux get alerts`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.AlertKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: alertType,
--- a/cmd/flux/get_alertprovider.go
+++ b/cmd/flux/get_alertprovider.go
@@ -32,6 +32,7 @@ var getAlertProviderCmd = &cobra.Command{
 	Long:    "The get alert-provider command prints the statuses of the resources.",
 	Example: `  # List all Providers and their status
  flux get alert-providers`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ProviderKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: alertProviderType,
--- a/cmd/flux/get_all.go
+++ b/cmd/flux/get_all.go
@@ -22,7 +22,7 @@ import (
 	"github.com/spf13/cobra"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
--- a/cmd/flux/get_helmrelease.go
+++ b/cmd/flux/get_helmrelease.go
@@ -33,6 +33,7 @@ var getHelmReleaseCmd = &cobra.Command{
 	Long:    "The get helmreleases command prints the statuses of the resources.",
 	Example: `  # List all Helm releases and their status
  flux get helmreleases`,
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: helmReleaseType,
--- a/cmd/flux/get_image_policy.go
+++ b/cmd/flux/get_image_policy.go
@@ -34,6 +34,7 @@ var getImagePolicyCmd = &cobra.Command{
 # List image policies from all namespaces
  flux get image policy --all-namespaces`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: imagePolicyType,
--- a/cmd/flux/get_image_repository.go
+++ b/cmd/flux/get_image_repository.go
@@ -37,6 +37,7 @@ var getImageRepositoryCmd = &cobra.Command{
 # List image repositories from all namespaces
  flux get image repository --all-namespaces`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: imageRepositoryType,
--- a/cmd/flux/get_image_update.go
+++ b/cmd/flux/get_image_update.go
@@ -37,6 +37,7 @@ var getImageUpdateCmd = &cobra.Command{
 # List image update automations from all namespaces
  flux get image update --all-namespaces`,
 	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: imageUpdateAutomationType,
--- a/cmd/flux/get_kustomization.go
+++ b/cmd/flux/get_kustomization.go
@@ -24,7 +24,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 )
 var getKsCmd = &cobra.Command{
@@ -34,6 +34,7 @@ var getKsCmd = &cobra.Command{
 	Long:    "The get kustomizations command prints the statuses of the resources.",
 	Example: `  # List all kustomizations and their status
  flux get kustomizations`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: kustomizationType,
--- a/cmd/flux/get_receiver.go
+++ b/cmd/flux/get_receiver.go
@@ -34,6 +34,7 @@ var getReceiverCmd = &cobra.Command{
 	Long:    "The get receiver command prints the statuses of the resources.",
 	Example: `  # List all Receiver and their status
  flux get receivers`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: receiverType,
--- a/cmd/flux/get_source_bucket.go
+++ b/cmd/flux/get_source_bucket.go
@@ -36,6 +36,7 @@ var getSourceBucketCmd = &cobra.Command{
 # List buckets from all namespaces
  flux get sources helm --all-namespaces`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: bucketType,
--- a/cmd/flux/get_source_chart.go
+++ b/cmd/flux/get_source_chart.go
@@ -36,6 +36,7 @@ var getSourceHelmChartCmd = &cobra.Command{
 # List Helm charts from all namespaces
  flux get sources chart --all-namespaces`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmChartKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: helmChartType,
--- a/cmd/flux/get_source_git.go
+++ b/cmd/flux/get_source_git.go
@@ -36,6 +36,7 @@ var getSourceGitCmd = &cobra.Command{
 # List Git repositories from all namespaces
  flux get sources git --all-namespaces`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: gitRepositoryType,
--- a/cmd/flux/get_source_helm.go
+++ b/cmd/flux/get_source_helm.go
@@ -36,6 +36,7 @@ var getSourceHelmCmd = &cobra.Command{
 # List Helm repositories from all namespaces
  flux get sources helm --all-namespaces`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: helmRepositoryType,
--- a/cmd/flux/helmrelease_test.go
+++ b/cmd/flux/helmrelease_test.go
@@ -0,0 +1,72 @@
 // +build e2e
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import "testing"
 func TestHelmReleaseFromGit(t *testing.T) {
 	cases := []struct {
 		args       string
 		goldenFile string
 	}{
 		{
 			"create source git thrfg --url=https://github.com/stefanprodan/podinfo --branch=main --tag=6.0.0",
 			"testdata/helmrelease/create_source_git.golden",
 		},
 		{
 			"create helmrelease thrfg --source=GitRepository/thrfg --chart=./charts/podinfo",
 			"testdata/helmrelease/create_helmrelease_from_git.golden",
 		},
 		{
 			"get helmrelease thrfg",
 			"testdata/helmrelease/get_helmrelease_from_git.golden",
 		},
 		{
 			"reconcile helmrelease thrfg --with-source",
 			"testdata/helmrelease/reconcile_helmrelease_from_git.golden",
 		},
 		{
 			"suspend helmrelease thrfg",
 			"testdata/helmrelease/suspend_helmrelease_from_git.golden",
 		},
 		{
 			"resume helmrelease thrfg",
 			"testdata/helmrelease/resume_helmrelease_from_git.golden",
 		},
 		{
 			"delete helmrelease thrfg --silent",
 			"testdata/helmrelease/delete_helmrelease_from_git.golden",
 		},
 	}
 	namespace := allocateNamespace("thrfg")
 	del, err := setupTestNamespace(namespace)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer del()
 	for _, tc := range cases {
 		cmd := cmdTestCase{
 			args:   tc.args + " -n=" + namespace,
 			assert: assertGoldenTemplateFile(tc.goldenFile, map[string]string{"ns": namespace}),
 		}
 		cmd.runTestCmd(t)
 	}
 }
--- a/cmd/flux/image_test.go
+++ b/cmd/flux/image_test.go
@@ -0,0 +1,48 @@
 // +build e2e
 package main
 import "testing"
 func TestImageScanning(t *testing.T) {
 	cases := []struct {
 		args       string
 		goldenFile string
 	}{
 		{
 			"create image repository podinfo --image=ghcr.io/stefanprodan/podinfo --interval=10m",
 			"testdata/image/create_image_repository.golden",
 		},
 		{
 			"create image policy podinfo-semver --image-ref=podinfo --interval=10m --select-semver=5.0.x",
 			"testdata/image/create_image_policy.golden",
 		},
 		{
 			"get image policy podinfo-semver",
 			"testdata/image/get_image_policy_semver.golden",
 		},
 		{
 			`create image policy podinfo-regex --image-ref=podinfo --interval=10m --select-semver=">4.0.0" --filter-regex="5\.0\.0"`,
 			"testdata/image/create_image_policy.golden",
 		},
 		{
 			"get image policy podinfo-regex",
 			"testdata/image/get_image_policy_regex.golden",
 		},
 	}
 	namespace := allocateNamespace("tis")
 	del, err := setupTestNamespace(namespace)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer del()
 	for _, tc := range cases {
 		cmd := cmdTestCase{
 			args:   tc.args + " -n=" + namespace,
 			assert: assertGoldenFile(tc.goldenFile),
 		}
 		cmd.runTestCmd(t)
 	}
 }
--- a/cmd/flux/install.go
+++ b/cmd/flux/install.go
@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/spf13/cobra"
@@ -41,13 +40,13 @@ If a previous version is installed, then an in-place upgrade will be performed.`
  flux install --version=latest --namespace=flux-system
  # Install a specific version and a series of components
-  flux install --dry-run --version=v0.0.7 --components="source-controller,kustomize-controller"
+  flux install --version=v0.0.7 --components="source-controller,kustomize-controller"
  # Install Flux onto tainted Kubernetes nodes
  flux install --toleration-keys=node.kubernetes.io/dedicated-to-flux
-  # Dry-run install with manifests preview
+  # Dry-run install
-  flux install --dry-run --verbose
+  flux install --export | kubectl apply --dry-run=client -f- 
  # Write install manifests to file
  flux install --export > flux-system.yaml`,
@@ -102,6 +101,7 @@ func init() {
 		"list of toleration keys used to schedule the components pods onto nodes with matching taints")
 	installCmd.Flags().MarkHidden("manifests")
 	installCmd.Flags().MarkDeprecated("arch", "multi-arch container image is now available for AMD64, ARMv7 and ARM64")
 	installCmd.Flags().MarkDeprecated("dry-run", "use 'flux install --export | kubectl apply --dry-run=client -f-'")
 	rootCmd.AddCommand(installCmd)
 }
@@ -176,11 +176,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if installArgs.export {
 		fmt.Println("---")
 		fmt.Println("# Flux version:", installArgs.version)
 		fmt.Println("# Components:", strings.Join(components, ","))
 		fmt.Print(manifest.Content)
 		fmt.Println("---")
 		return nil
 	} else if rootArgs.verbose {
 		fmt.Print(manifest.Content)
@@ -188,30 +184,24 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	logger.Successf("manifests build completed")
 	logger.Actionf("installing components in %s namespace", rootArgs.namespace)
 	applyOutput := utils.ModeStderrOS
 	if rootArgs.verbose {
 		applyOutput = utils.ModeOS
 	}
 	kubectlArgs := []string{"apply", "-f", filepath.Join(tmpDir, manifest.Path)}
 	if installArgs.dryRun {
 		kubectlArgs = append(kubectlArgs, "--dry-run=client")
 		applyOutput = utils.ModeOS
 	}
 	if _, err := utils.ExecKubectlCommand(ctx, applyOutput, rootArgs.kubeconfig, rootArgs.kubecontext, kubectlArgs...); err != nil {
 		return fmt.Errorf("install failed: %w", err)
 	}
 	if installArgs.dryRun {
 		logger.Successf("install dry-run finished")
 		return nil
 	}
 	applyOutput, err := utils.Apply(ctx, rootArgs.kubeconfig, rootArgs.kubecontext, filepath.Join(tmpDir, manifest.Path))
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
 	}
 	fmt.Fprintln(os.Stderr, applyOutput)
 	kubeConfig, err := utils.KubeConfig(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
 	}
-	statusChecker, err := status.NewStatusChecker(kubeConfig, time.Second, rootArgs.timeout, logger)
+	statusChecker, err := status.NewStatusChecker(kubeConfig, 5*time.Second, rootArgs.timeout, logger)
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
 	}
--- a/cmd/flux/kustomization.go
+++ b/cmd/flux/kustomization.go
@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 )
 // kustomizev1.Kustomization
--- a/cmd/flux/kustomization_test.go
+++ b/cmd/flux/kustomization_test.go
@@ -0,0 +1,72 @@
 // +build e2e
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import "testing"
 func TestKustomizationFromGit(t *testing.T) {
 	cases := []struct {
 		args       string
 		goldenFile string
 	}{
 		{
 			"create source git tkfg --url=https://github.com/stefanprodan/podinfo --branch=main --tag=6.0.0",
 			"testdata/kustomization/create_source_git.golden",
 		},
 		{
 			"create kustomization tkfg --source=tkfg --path=./deploy/overlays/dev --prune=true --interval=5m --health-check=Deployment/frontend.dev --health-check=Deployment/backend.dev --health-check-timeout=3m",
 			"testdata/kustomization/create_kustomization_from_git.golden",
 		},
 		{
 			"get kustomization tkfg",
 			"testdata/kustomization/get_kustomization_from_git.golden",
 		},
 		{
 			"reconcile kustomization tkfg --with-source",
 			"testdata/kustomization/reconcile_kustomization_from_git.golden",
 		},
 		{
 			"suspend kustomization tkfg",
 			"testdata/kustomization/suspend_kustomization_from_git.golden",
 		},
 		{
 			"resume kustomization tkfg",
 			"testdata/kustomization/resume_kustomization_from_git.golden",
 		},
 		{
 			"delete kustomization tkfg --silent",
 			"testdata/kustomization/delete_kustomization_from_git.golden",
 		},
 	}
 	namespace := allocateNamespace("tkfg")
 	del, err := setupTestNamespace(namespace)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer del()
 	for _, tc := range cases {
 		cmd := cmdTestCase{
 			args:   tc.args + " -n=" + namespace,
 			assert: assertGoldenTemplateFile(tc.goldenFile, map[string]string{"ns": namespace}),
 		}
 		cmd.runTestCmd(t)
 	}
 }
--- a/cmd/flux/logs.go
+++ b/cmd/flux/logs.go
@@ -24,17 +24,22 @@ import (
 	"html/template"
 	"io"
 	"os"
 	"sort"
 	"strings"
 	"sync"
 	"time"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/kubectl/pkg/util"
 	"k8s.io/kubectl/pkg/util/podutils"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen"
 )
 var logsCmd = &cobra.Command{
@@ -42,16 +47,19 @@ var logsCmd = &cobra.Command{
 	Short: "Display formatted logs for Flux components",
 	Long:  "The logs command displays formatted logs from various Flux components.",
 	Example: `  # Print the reconciliation logs of all Flux custom resources in your cluster
-	 flux logs --all-namespaces
+  flux logs --all-namespaces
  # Print all logs of all Flux custom resources newer than 2 minutes
  flux logs --all-namespaces --since=2m
-	# Stream logs for a particular log level
+  # Stream logs for a particular log level
-	flux logs --follow --level=error --all-namespaces
+  flux logs --follow --level=error --all-namespaces
-	# Filter logs by kind, name and namespace
+  # Filter logs by kind, name and namespace
-	flux logs --kind=Kustomization --name=podinfo --namespace=default
+  flux logs --kind=Kustomization --name=podinfo --namespace=default
-	# Print logs when Flux is installed in a different namespace than flux-system
+  # Print logs when Flux is installed in a different namespace than flux-system
-	flux logs --flux-namespace=my-namespace
+  flux logs --flux-namespace=my-namespace
    `,
 	RunE: logsCmdRun,
 }
@@ -64,6 +72,8 @@ type logsFlags struct {
 	name          string
 	fluxNamespace string
 	allNamespaces bool
 	sinceTime     string
 	sinceSeconds  time.Duration
 }
 var logsArgs = &logsFlags{
@@ -78,16 +88,17 @@ func init() {
 	logsCmd.Flags().Int64VarP(&logsArgs.tail, "tail", "", logsArgs.tail, "lines of recent log file to display")
 	logsCmd.Flags().StringVarP(&logsArgs.fluxNamespace, "flux-namespace", "", rootArgs.defaults.Namespace, "the namespace where the Flux components are running")
 	logsCmd.Flags().BoolVarP(&logsArgs.allNamespaces, "all-namespaces", "A", false, "displays logs for objects across all namespaces")
 	logsCmd.Flags().DurationVar(&logsArgs.sinceSeconds, "since", logsArgs.sinceSeconds, "Only return logs newer than a relative duration like 5s, 2m, or 3h. Defaults to all logs. Only one of since-time / since may be used.")
 	logsCmd.Flags().StringVar(&logsArgs.sinceTime, "since-time", logsArgs.sinceTime, "Only return logs after a specific date (RFC3339). Defaults to all logs. Only one of since-time / since may be used.")
 	rootCmd.AddCommand(logsCmd)
 }
 func logsCmdRun(cmd *cobra.Command, args []string) error {
-	fluxSelector := fmt.Sprintf("app.kubernetes.io/instance=%s", logsArgs.fluxNamespace)
+	fluxSelector := fmt.Sprintf("%s=%s", manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	var pods []corev1.Pod
 	cfg, err := utils.KubeConfig(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
@@ -102,7 +113,7 @@ func logsCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("no argument required")
 	}
-	pods, err = getPods(ctx, clientset, fluxSelector)
+	pods, err := getPods(ctx, clientset, fluxSelector)
 	if err != nil {
 		return err
 	}
@@ -115,6 +126,24 @@ func logsCmdRun(cmd *cobra.Command, args []string) error {
 		logOpts.TailLines = &logsArgs.tail
 	}
 	if len(logsArgs.sinceTime) > 0 && logsArgs.sinceSeconds != 0 {
 		return fmt.Errorf("at most one of `sinceTime` or `sinceSeconds` may be specified")
 	}
 	if len(logsArgs.sinceTime) > 0 {
 		t, err := util.ParseRFC3339(logsArgs.sinceTime, metav1.Now)
 		if err != nil {
 			return fmt.Errorf("%s is not a valid (RFC3339) time", logsArgs.sinceTime)
 		}
 		logOpts.SinceTime = &t
 	}
 	if logsArgs.sinceSeconds != 0 {
 		// round up to the nearest second
 		sec := int64(logsArgs.sinceSeconds.Round(time.Second).Seconds())
 		logOpts.SinceSeconds = &sec
 	}
 	var requests []rest.ResponseWrapper
 	for _, pod := range pods {
 		req := clientset.CoreV1().Pods(logsArgs.fluxNamespace).GetLogs(pod.Name, logOpts)
@@ -148,7 +177,17 @@ func getPods(ctx context.Context, c *kubernetes.Clientset, label string) ([]core
 		if err != nil {
 			return ret, err
 		}
-		ret = append(ret, podList.Items...)
+		pods := []*corev1.Pod{}
 		for i := range podList.Items {
 			pod := podList.Items[i]
 			pods = append(pods, &pod)
 		}
 		if len(pods) > 0 {
 			// sort pods to prioritize running pods over others
 			sort.Sort(podutils.ByLogging(pods))
 			ret = append(ret, *pods[0])
 		}
 	}
 	return ret, nil
--- a/cmd/flux/logs_test.go
+++ b/cmd/flux/logs_test.go
@@ -0,0 +1,79 @@
 // +build unit
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestLogsNoArgs(t *testing.T) {
 	cmd := cmdTestCase{
 		args:   "logs",
 		assert: assertSuccess(),
 	}
 	cmd.runTestCmd(t)
 }
 func TestLogsAllNamespaces(t *testing.T) {
 	cmd := cmdTestCase{
 		args:   "logs --all-namespaces",
 		assert: assertSuccess(),
 	}
 	cmd.runTestCmd(t)
 }
 func TestLogsSince(t *testing.T) {
 	cmd := cmdTestCase{
 		args:   "logs --since=2m",
 		assert: assertSuccess(),
 	}
 	cmd.runTestCmd(t)
 }
 func TestLogsSinceInvalid(t *testing.T) {
 	cmd := cmdTestCase{
 		args:   "logs --since=XXX",
 		assert: assertError(`invalid argument "XXX" for "--since" flag: time: invalid duration "XXX"`),
 	}
 	cmd.runTestCmd(t)
 }
 func TestLogsSinceTime(t *testing.T) {
 	cmd := cmdTestCase{
 		args:   "logs --since-time=2021-08-06T14:26:25.546Z",
 		assert: assertSuccess(),
 	}
 	cmd.runTestCmd(t)
 }
 func TestLogsSinceTimeInvalid(t *testing.T) {
 	cmd := cmdTestCase{
 		args:   "logs --since-time=XXX",
 		assert: assertError("XXX is not a valid (RFC3339) time"),
 	}
 	cmd.runTestCmd(t)
 }
 func TestLogsSinceOnlyOneAllowed(t *testing.T) {
 	cmd := cmdTestCase{
 		args:   "logs --since=2m --since-time=2021-08-06T14:26:25.546Z",
 		assert: assertError("at most one of `sinceTime` or `sinceSeconds` may be specified"),
 	}
 	cmd.runTestCmd(t)
 }
--- a/cmd/flux/main.go
+++ b/cmd/flux/main.go
@@ -17,15 +17,19 @@ limitations under the License.
 package main
 import (
 	"bufio"
 	"fmt"
 	"log"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 	corev1 "k8s.io/api/core/v1"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 )
@@ -43,7 +47,7 @@ Command line utility for assembling Kubernetes CD pipelines the GitOps way.`,
  flux check --pre
  # Install the latest version of Flux
-  flux install --version=master
+  flux install
  # Create a source for a public Git repository
  flux create source git webapp-latest \
@@ -66,7 +70,6 @@ Command line utility for assembling Kubernetes CD pipelines the GitOps way.`,
    --path="./deploy/webapp/" \
    --prune=true \
    --interval=5m \
    --validation=client \
    --health-check="Deployment/backend.webapp" \
    --health-check="Deployment/frontend.webapp" \
    --health-check-timeout=2m
@@ -108,14 +111,20 @@ type rootFlags struct {
 var rootArgs = NewRootFlags()
 func init() {
-	rootCmd.PersistentFlags().StringVarP(&rootArgs.namespace, "namespace", "n", rootArgs.defaults.Namespace, "the namespace scope for this operation")
+	rootCmd.PersistentFlags().StringVarP(&rootArgs.namespace, "namespace", "n", rootArgs.defaults.Namespace,
 		"the namespace scope for this operation, can be set with FLUX_SYSTEM_NAMESPACE env var")
 	rootCmd.RegisterFlagCompletionFunc("namespace", resourceNamesCompletionFunc(corev1.SchemeGroupVersion.WithKind("Namespace")))
 	rootCmd.PersistentFlags().DurationVar(&rootArgs.timeout, "timeout", 5*time.Minute, "timeout for this operation")
 	rootCmd.PersistentFlags().BoolVar(&rootArgs.verbose, "verbose", false, "print generated objects")
 	rootCmd.PersistentFlags().StringVarP(&rootArgs.kubeconfig, "kubeconfig", "", "",
 		"absolute path to the kubeconfig file")
 	rootCmd.PersistentFlags().StringVarP(&rootArgs.kubecontext, "context", "", "", "kubernetes context to use")
 	rootCmd.RegisterFlagCompletionFunc("context", contextsCompletionFunc)
 	rootCmd.DisableAutoGenTag = true
 	rootCmd.SetOut(os.Stdout)
 }
 func NewRootFlags() rootFlags {
@@ -127,21 +136,10 @@ func NewRootFlags() rootFlags {
 	return rf
 }
 type rootContext struct {
 	kubeManager utils.KubeManager
 }
 var rootCtx = NewRootContext()
 func NewRootContext() rootContext {
 	var rc rootContext
 	rc.kubeManager = utils.DefaultKubeManager()
 	return rc
 }
 func main() {
 	log.SetFlags(0)
 	configureKubeconfig()
 	configureDefaultNamespace()
 	if err := rootCmd.Execute(); err != nil {
 		logger.Failuref("%v", err)
 		os.Exit(1)
@@ -160,9 +158,38 @@ func configureKubeconfig() {
 	}
 }
 func configureDefaultNamespace() {
 	fromEnv := os.Getenv("FLUX_SYSTEM_NAMESPACE")
 	if fromEnv != "" && rootArgs.namespace == rootArgs.defaults.Namespace {
 		rootArgs.namespace = fromEnv
 	}
 }
 func homeDir() string {
 	if h := os.Getenv("HOME"); h != "" {
 		return h
 	}
 	return os.Getenv("USERPROFILE") // windows
 }
 // readPasswordFromStdin reads a password from stdin and returns the input
 // with trailing newline and/or carriage return removed. It also makes sure that terminal
 // echoing is turned off if stdin is a terminal.
 func readPasswordFromStdin(prompt string) (string, error) {
 	var out string
 	var err error
 	fmt.Fprint(os.Stdout, prompt)
 	stdinFD := int(os.Stdin.Fd())
 	if term.IsTerminal(stdinFD) {
 		var inBytes []byte
 		inBytes, err = term.ReadPassword(int(os.Stdin.Fd()))
 		out = string(inBytes)
 	} else {
 		out, err = bufio.NewReader(os.Stdin).ReadString('\n')
 	}
 	if err != nil {
 		return "", fmt.Errorf("could not read from stdin: %w", err)
 	}
 	fmt.Println()
 	return strings.TrimRight(out, "\r\n"), nil
 }
--- a/cmd/flux/main_e2e_test.go
+++ b/cmd/flux/main_e2e_test.go
@@ -0,0 +1,78 @@
 // +build e2e
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"testing"
 	"github.com/fluxcd/flux2/internal/utils"
 )
 func TestMain(m *testing.M) {
 	// Ensure tests print consistent timestamps regardless of timezone
 	os.Setenv("TZ", "UTC")
 	testEnv, err := NewTestEnvKubeManager(ExistingClusterMode)
 	if err != nil {
 		panic(fmt.Errorf("error creating kube manager: '%w'", err))
 	}
 	rootArgs.kubeconfig = testEnv.kubeConfigPath
 	// Install Flux.
 	output, err := executeCommand("install --components-extra=image-reflector-controller,image-automation-controller")
 	if err != nil {
 		panic(fmt.Errorf("install falied: %s error:'%w'", output, err))
 	}
 	// Run tests
 	code := m.Run()
 	// Uninstall Flux
 	output, err = executeCommand("uninstall -s --keep-namespace")
 	if err != nil {
 		panic(fmt.Errorf("uninstall falied: %s error:'%w'", output, err))
 	}
 	// Delete namespace and wait for finalisation
 	kubectlArgs := []string{"delete", "namespace", "flux-system"}
 	_, err = utils.ExecKubectlCommand(context.TODO(), utils.ModeStderrOS, rootArgs.kubeconfig, rootArgs.kubecontext, kubectlArgs...)
 	if err != nil {
 		panic(fmt.Errorf("delete namespace error:'%w'", err))
 	}
 	testEnv.Stop()
 	os.Exit(code)
 }
 func setupTestNamespace(namespace string) (func(), error) {
 	kubectlArgs := []string{"create", "namespace", namespace}
 	_, err := utils.ExecKubectlCommand(context.TODO(), utils.ModeStderrOS, rootArgs.kubeconfig, rootArgs.kubecontext, kubectlArgs...)
 	if err != nil {
 		return nil, err
 	}
 	return func() {
 		kubectlArgs := []string{"delete", "namespace", namespace}
 		utils.ExecKubectlCommand(context.TODO(), utils.ModeCapture, rootArgs.kubeconfig, rootArgs.kubecontext, kubectlArgs...)
 	}, nil
 }
--- a/cmd/flux/main_test.go
+++ b/cmd/flux/main_test.go
@@ -1,35 +1,57 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"bufio"
 	"bytes"
 	"context"
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync/atomic"
 	"testing"
 	"text/template"
 	"time"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/google/go-cmp/cmp"
 	"github.com/mattn/go-shellwords"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	k8syaml "k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/client-go/tools/clientcmd"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
 )
-func TestMain(m *testing.M) {
+var nextNamespaceId int64
-	// Ensure tests print consistent timestamps regardless of timezone
+
-	os.Setenv("TZ", "UTC")
+// Return a unique namespace with the specified prefix, for tests to create
-	os.Exit(m.Run())
+// objects that won't collide with each other.
 func allocateNamespace(prefix string) string {
 	id := atomic.AddInt64(&nextNamespaceId, 1)
 	return fmt.Sprintf("%s-%d", prefix, id)
 }
-func readYamlObjects(objectFile string) ([]client.Object, error) {
+func readYamlObjects(rdr io.Reader) ([]unstructured.Unstructured, error) {
-	obj, err := os.ReadFile(objectFile)
+	objects := []unstructured.Unstructured{}
-	if err != nil {
+	reader := k8syaml.NewYAMLReader(bufio.NewReader(rdr))
 		return nil, err
 	}
 	objects := []client.Object{}
 	reader := k8syaml.NewYAMLReader(bufio.NewReader(bytes.NewReader(obj)))
 	for {
 		doc, err := reader.Read()
 		if err != nil {
@@ -43,23 +65,49 @@ func readYamlObjects(objectFile string) ([]client.Object, error) {
 		if err != nil {
 			return nil, err
 		}
-		objects = append(objects, unstructuredObj)
+		objects = append(objects, *unstructuredObj)
 	}
 	return objects, nil
 }
 // A KubeManager that can create objects that are subject to a test.
-type fakeKubeManager struct {
+type testEnvKubeManager struct {
-	fakeClient client.WithWatch
+	client         client.WithWatch
 	testEnv        *envtest.Environment
 	kubeConfigPath string
 }
-func (m *fakeKubeManager) NewClient(kubeconfig string, kubecontext string) (client.WithWatch, error) {
+func (m *testEnvKubeManager) CreateObjectFile(objectFile string, templateValues map[string]string, t *testing.T) {
-	return m.fakeClient, nil
+	buf, err := os.ReadFile(objectFile)
 	if err != nil {
 		t.Fatalf("Error reading file '%s': %v", objectFile, err)
 	}
 	content, err := executeTemplate(string(buf), templateValues)
 	if err != nil {
 		t.Fatalf("Error evaluating template file '%s': '%v'", objectFile, err)
 	}
 	clientObjects, err := readYamlObjects(strings.NewReader(content))
 	if err != nil {
 		t.Fatalf("Error decoding yaml file '%s': %v", objectFile, err)
 	}
 	err = m.CreateObjects(clientObjects, t)
 	if err != nil {
 		t.Logf("Error creating test objects: '%v'", err)
 	}
 }
-func (m *fakeKubeManager) CreateObjects(clientObjects []client.Object) error {
+func (m *testEnvKubeManager) CreateObjects(clientObjects []unstructured.Unstructured, t *testing.T) error {
 	for _, obj := range clientObjects {
-		err := m.fakeClient.Create(context.Background(), obj)
+		// First create the object then set its status if present in the
 		// yaml file. Make a copy first since creating an object may overwrite
 		// the status.
 		createObj := obj.DeepCopy()
 		err := m.client.Create(context.Background(), createObj)
 		if err != nil {
 			return err
 		}
 		obj.SetResourceVersion(createObj.GetResourceVersion())
 		err = m.client.Status().Update(context.Background(), &obj)
 		if err != nil {
 			return err
 		}
@@ -67,15 +115,203 @@ func (m *fakeKubeManager) CreateObjects(clientObjects []client.Object) error {
 	return nil
 }
-func NewFakeKubeManager() *fakeKubeManager {
+func (m *testEnvKubeManager) Stop() error {
-	c := fakeclient.NewClientBuilder().WithScheme(utils.NewScheme()).Build()
+	if m.testEnv == nil {
-	return &fakeKubeManager{
+		return fmt.Errorf("do nothing because testEnv is nil")
 		fakeClient: c,
 	}
 	return m.testEnv.Stop()
 }
 func NewTestEnvKubeManager(testClusterMode TestClusterMode) (*testEnvKubeManager, error) {
 	switch testClusterMode {
 	case TestEnvClusterMode:
 		useExistingCluster := false
 		testEnv := &envtest.Environment{
 			UseExistingCluster: &useExistingCluster,
 			CRDDirectoryPaths:  []string{"manifests"},
 		}
 		cfg, err := testEnv.Start()
 		if err != nil {
 			return nil, err
 		}
 		user, err := testEnv.ControlPlane.AddUser(envtest.User{
 			Name:   "envtest-admin",
 			Groups: []string{"system:masters"},
 		}, nil)
 		if err != nil {
 			return nil, err
 		}
 		kubeConfig, err := user.KubeConfig()
 		if err != nil {
 			return nil, err
 		}
 		tmpFilename := filepath.Join("/tmp", "kubeconfig-"+time.Nanosecond.String())
 		os.WriteFile(tmpFilename, kubeConfig, 0644)
 		k8sClient, err := client.NewWithWatch(cfg, client.Options{
 			Scheme: utils.NewScheme(),
 		})
 		if err != nil {
 			return nil, err
 		}
 		return &testEnvKubeManager{
 			testEnv:        testEnv,
 			client:         k8sClient,
 			kubeConfigPath: tmpFilename,
 		}, nil
 	case ExistingClusterMode:
 		// TEST_KUBECONFIG is mandatory to prevent destroying a current cluster accidentally.
 		testKubeConfig := os.Getenv("TEST_KUBECONFIG")
 		if testKubeConfig == "" {
 			return nil, fmt.Errorf("environment variable TEST_KUBECONFIG is required to run tests against an existing cluster")
 		}
 		useExistingCluster := true
 		config, err := clientcmd.BuildConfigFromFlags("", testKubeConfig)
 		testEnv := &envtest.Environment{
 			UseExistingCluster: &useExistingCluster,
 			Config:             config,
 		}
 		cfg, err := testEnv.Start()
 		if err != nil {
 			return nil, err
 		}
 		k8sClient, err := client.NewWithWatch(cfg, client.Options{
 			Scheme: utils.NewScheme(),
 		})
 		if err != nil {
 			return nil, err
 		}
 		return &testEnvKubeManager{
 			testEnv:        testEnv,
 			client:         k8sClient,
 			kubeConfigPath: testKubeConfig,
 		}, nil
 	}
 	return nil, nil
 }
 // Function that sets an expectation on the output of a command. Tests can
 // either implement this directly or use a helper below.
 type assertFunc func(output string, err error) error
 // Assemble multiple assertFuncs into a single assertFunc
 func assert(fns ...assertFunc) assertFunc {
 	return func(output string, err error) error {
 		for _, fn := range fns {
 			if assertErr := fn(output, err); assertErr != nil {
 				return assertErr
 			}
 		}
 		return nil
 	}
 }
 // Expect the command to run without error
 func assertSuccess() assertFunc {
 	return func(output string, err error) error {
 		if err != nil {
 			return fmt.Errorf("Expected success but was error: %v", err)
 		}
 		return nil
 	}
 }
 // Expect the command to fail with the specified error
 func assertError(expected string) assertFunc {
 	return func(output string, err error) error {
 		if err == nil {
 			return fmt.Errorf("Expected error but was success")
 		}
 		if expected != err.Error() {
 			return fmt.Errorf("Expected error '%v' but got '%v'", expected, err.Error())
 		}
 		return nil
 	}
 }
 // Expect the command to succeed with the expected test output.
 func assertGoldenValue(expected string) assertFunc {
 	return assert(
 		assertSuccess(),
 		func(output string, err error) error {
 			diff := cmp.Diff(expected, output)
 			if diff != "" {
 				return fmt.Errorf("Mismatch from expected value (-want +got):\n%s", diff)
 			}
 			return nil
 		})
 }
 // Filename that contains the expected test output.
 func assertGoldenFile(goldenFile string) assertFunc {
 	return assertGoldenTemplateFile(goldenFile, map[string]string{})
 }
 // Filename that contains the expected test output. The golden file is a template that
 // is pre-processed with the specified templateValues.
 func assertGoldenTemplateFile(goldenFile string, templateValues map[string]string) assertFunc {
 	goldenFileContents, fileErr := os.ReadFile(goldenFile)
 	return func(output string, err error) error {
 		if fileErr != nil {
 			return fmt.Errorf("Error reading golden file '%s': %s", goldenFile, fileErr)
 		}
 		var expectedOutput string
 		if len(templateValues) > 0 {
 			expectedOutput, err = executeTemplate(string(goldenFileContents), templateValues)
 			if err != nil {
 				return fmt.Errorf("Error executing golden template file '%s': %s", goldenFile, err)
 			}
 		} else {
 			expectedOutput = string(goldenFileContents)
 		}
 		if assertErr := assertGoldenValue(expectedOutput)(output, err); assertErr != nil {
 			return fmt.Errorf("Mismatch from golden file '%s': %v", goldenFile, assertErr)
 		}
 		return nil
 	}
 }
 type TestClusterMode int
 const (
 	TestEnvClusterMode = TestClusterMode(iota + 1)
 	ExistingClusterMode
 )
 // Structure used for each test to load objects into kubernetes, run
 // commands and assert on the expected output.
 type cmdTestCase struct {
 	// The command line arguments to test.
 	args string
 	// Tests use assertFunc to assert on an output, success or failure. This
 	// can be a function defined by the test or existing function above.
 	assert assertFunc
 	// Filename that contains yaml objects to load into Kubernetes
 	objectFile string
 }
 func (cmd *cmdTestCase) runTestCmd(t *testing.T) {
 	actual, testErr := executeCommand(cmd.args)
 	if assertErr := cmd.assert(actual, testErr); assertErr != nil {
 		t.Error(assertErr)
 	}
 }
 func executeTemplate(content string, templateValues map[string]string) (string, error) {
 	tmpl := template.Must(template.New("golden").Parse(content))
 	var out bytes.Buffer
 	if err := tmpl.Execute(&out, templateValues); err != nil {
 		return "", err
 	}
 	return out.String(), nil
 }
 // Run the command and return the captured output.
 func executeCommand(cmd string) (string, error) {
 	defer resetCmdArgs()
 	args, err := shellwords.Parse(cmd)
 	if err != nil {
 		return "", err
@@ -87,72 +323,16 @@ func executeCommand(cmd string) (string, error) {
 	rootCmd.SetErr(buf)
 	rootCmd.SetArgs(args)
 	logger.stderr = rootCmd.ErrOrStderr()
 	_, err = rootCmd.ExecuteC()
 	result := buf.String()
 	return result, err
 }
-// Structure used for each test to load objects into kubernetes, run
+func resetCmdArgs() {
-// commands and assert on the expected output.
+	createArgs = createFlags{}
-type cmdTestCase struct {
+	getArgs = GetFlags{}
-	// The command line arguments to test.
+	secretGitArgs = NewSecretGitFlags()
 	args string
 	// When true, the test expects the command to fail.
 	wantError bool
 	// String literal that contains the expected test output.
 	goldenValue string
 	// Filename that contains the expected test output.
 	goldenFile string
 	// Filename that contains yaml objects to load into Kubernetes
 	objectFile string
 }
 func (cmd *cmdTestCase) runTestCmd(t *testing.T) {
 	km := NewFakeKubeManager()
 	rootCtx.kubeManager = km
 	if cmd.objectFile != "" {
 		clientObjects, err := readYamlObjects(cmd.objectFile)
 		if err != nil {
 			t.Fatalf("Error loading yaml: '%v'", err)
 		}
 		err = km.CreateObjects(clientObjects)
 		if err != nil {
 			t.Fatalf("Error creating test objects: '%v'", err)
 		}
 	}
 	actual, err := executeCommand(cmd.args)
 	if (err != nil) != cmd.wantError {
 		t.Fatalf("Expected error='%v', Got: %v", cmd.wantError, err)
 	}
 	if err != nil {
 		actual = err.Error()
 	}
 	var expected string
 	if cmd.goldenValue != "" {
 		expected = cmd.goldenValue
 	}
 	if cmd.goldenFile != "" {
 		expectedOutput, err := os.ReadFile(cmd.goldenFile)
 		if err != nil {
 			t.Fatalf("Error reading golden file: '%s'", err)
 		}
 		expected = string(expectedOutput)
 	}
 	diff := cmp.Diff(expected, actual)
 	if diff != "" {
 		t.Errorf("Mismatch from '%s' (-want +got):\n%s", cmd.goldenFile, diff)
 	}
 }
 func TestVersion(t *testing.T) {
 	cmd := cmdTestCase{
 		args:        "--version",
 		goldenValue: "flux version 0.0.0-dev.0\n",
 	}
 	cmd.runTestCmd(t)
 }
--- a/cmd/flux/main_unit_test.go
+++ b/cmd/flux/main_unit_test.go
@@ -0,0 +1,64 @@
 // +build unit
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"os"
 	"testing"
 )
 // The test environment is long running process shared between tests, initialized
 // by a `TestMain` function depending on how the test is involved and which tests
 // are a part of the build.
 var testEnv *testEnvKubeManager
 func TestMain(m *testing.M) {
 	// Ensure tests print consistent timestamps regardless of timezone
 	os.Setenv("TZ", "UTC")
 	// Creating the test env manager sets rootArgs client flags
 	km, err := NewTestEnvKubeManager(TestEnvClusterMode)
 	if err != nil {
 		panic(fmt.Errorf("error creating kube manager: '%w'", err))
 	}
 	testEnv = km
 	rootArgs.kubeconfig = testEnv.kubeConfigPath
 	// Run tests
 	code := m.Run()
 	km.Stop()
 	os.Exit(code)
 }
 func setupTestNamespace(namespace string, t *testing.T) {
 	ns := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace}}
 	err := testEnv.client.Create(context.Background(), ns)
 	if err != nil {
 		t.Fatalf("Failed to create namespace: %v", err)
 	}
 	t.Cleanup(func() {
 		_ = testEnv.client.Delete(context.Background(), ns)
 	})
 }
--- a/cmd/flux/manifests.embed.go
+++ b/cmd/flux/manifests.embed.go
@@ -1,3 +1,19 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
--- a/cmd/flux/reconcile.go
+++ b/cmd/flux/reconcile.go
@@ -116,11 +116,13 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 		reconciliationHandled(ctx, kubeClient, namespacedName, reconcile.object, lastHandledReconcileAt)); err != nil {
 		return err
 	}
 	readyCond := apimeta.FindStatusCondition(*reconcile.object.GetStatusConditions(), meta.ReadyCondition)
 	if readyCond == nil {
 		return fmt.Errorf("status can't be determined")
 	}
-	logger.Successf("%s reconciliation completed", reconcile.kind)
+	if readyCond.Status != metav1.ConditionTrue {
-
+		return fmt.Errorf("%s reconciliation failed: '%s'", reconcile.kind, readyCond.Message)
 	if apimeta.IsStatusConditionFalse(*reconcile.object.GetStatusConditions(), meta.ReadyCondition) {
 		return fmt.Errorf("%s reconciliation failed", reconcile.kind)
 	}
 	logger.Successf(reconcile.object.successMessage())
 	return nil
@@ -133,7 +135,9 @@ func reconciliationHandled(ctx context.Context, kubeClient client.Client,
 		if err != nil {
 			return false, err
 		}
-		return obj.lastHandledReconcileRequest() != lastHandledReconcileAt, nil
+		isProgressing := apimeta.IsStatusConditionPresentAndEqual(*obj.GetStatusConditions(),
 			meta.ReadyCondition, metav1.ConditionUnknown)
 		return obj.lastHandledReconcileRequest() != lastHandledReconcileAt && !isProgressing, nil
 	}
 }
--- a/cmd/flux/reconcile_alert.go
+++ b/cmd/flux/reconcile_alert.go
@@ -28,6 +28,7 @@ var reconcileAlertCmd = &cobra.Command{
 	Long:  `The reconcile alert command triggers a reconciliation of an Alert resource and waits for it to finish.`,
 	Example: `  # Trigger a reconciliation for an existing alert
  flux reconcile alert main`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.AlertKind)),
 	RunE: reconcileCommand{
 		apiType: alertType,
 		object:  alertAdapter{&notificationv1.Alert{}},
--- a/cmd/flux/reconcile_alertprovider.go
+++ b/cmd/flux/reconcile_alertprovider.go
@@ -37,7 +37,8 @@ var reconcileAlertProviderCmd = &cobra.Command{
 	Long:  `The reconcile alert-provider command triggers a reconciliation of a Provider resource and waits for it to finish.`,
 	Example: `  # Trigger a reconciliation for an existing provider
  flux reconcile alert-provider slack`,
-	RunE: reconcileAlertProviderCmdRun,
+	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ProviderKind)),
 	RunE:              reconcileAlertProviderCmdRun,
 }
 func init() {
--- a/cmd/flux/reconcile_helmrelease.go
+++ b/cmd/flux/reconcile_helmrelease.go
@@ -35,6 +35,7 @@ The reconcile kustomization command triggers a reconciliation of a HelmRelease r
  # Trigger a reconciliation of the HelmRelease's source and apply changes
  flux reconcile hr podinfo --with-source`,
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
 	RunE: reconcileWithSourceCommand{
 		apiType: helmReleaseType,
 		object:  helmReleaseAdapter{&helmv2.HelmRelease{}},
--- a/Show More
+++ b/Show More