Merge pull request #2042 from fluxcd/ecdsa-default

Set ECDSA as the default algorithm for `flux create source git`

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -48,19 +48,18 @@ body:
     required: true
   attributes:
     label: Flux version
-    description: Run `flux --version` to check. If not applicable, write `N/A`.
-    placeholder: e.g. 0.16.1
+    description: Run `flux version --client`. If not applicable, write `N/A`.
+    placeholder: e.g. v0.20.1
 - type: textarea
   validations:
     required: true
   attributes:
     label: Flux check
-    description: Run `flux check` to check. If not applicable, write `N/A`.
+    description: Run `flux check`. If not applicable, write `N/A`.
     placeholder: |
       For example:
       ► checking prerequisites
-      ✔ kubectl 1.21.0 >=1.18.0-0
-      ✔ Kubernetes 1.21.1 >=1.16.0-0
+      ✔ Kubernetes 1.21.1 >=1.19.0-0
       ► checking controllers
       ✔ all checks passed
 - type: input

.github/workflows/bootstrap.yaml

@@ -64,6 +64,22 @@ jobs:
           --team=team-z
         env:
           GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: bootstrap customize
+        run: |
+          make setup-bootstrap-patch
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          --owner=fluxcd-testing \
+          --repository=${{ steps.vars.outputs.test_repo_name }} \
+          --branch=main \
+          --path=test-cluster \
+          --team=team-z
+          if [ $(kubectl get deployments.apps source-controller -o jsonpath='{.spec.template.spec.securityContext.runAsUser}') != "10000" ]; then
+          echo "Bootstrap not customized as controller is not running as user 10000" && exit 1
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
+          GITHUB_ORG_NAME: fluxcd-testing
       - name: libgit2
         run: |
           /tmp/flux create source git test-libgit2 \

.github/workflows/e2e.yaml

@@ -80,6 +80,13 @@ jobs:
             --tag-semver=">=3.2.3" \
             --export | kubectl apply -f -
           /tmp/flux delete source git podinfo-export --silent
+      - name: flux create source git libgit2 semver
+        run: |
+          /tmp/flux create source git podinfo-libgit2 \
+            --url https://github.com/stefanprodan/podinfo  \
+            --tag-semver=">=3.2.3" \
+            --git-implementation=libgit2
+          /tmp/flux delete source git podinfo-libgit2 --silent
       - name: flux get sources git
         run: |
           /tmp/flux get sources git
@@ -184,7 +191,14 @@ jobs:
           /tmp/flux create kustomization flux-system \
           --source=flux-system \
           --path=./clusters/staging
+          kubectl -n flux-system wait kustomization/infrastructure --for=condition=ready --timeout=5m
           kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=5m
+          kubectl -n nginx wait helmrelease/nginx --for=condition=ready --timeout=5m
+          kubectl -n redis wait helmrelease/redis --for=condition=ready --timeout=5m
+          kubectl -n podinfo wait helmrelease/podinfo --for=condition=ready --timeout=5m
+      - name: flux tree
+        run: |
+          /tmp/flux tree kustomization flux-system | grep Service/podinfo
       - name: flux check
         run: |
           /tmp/flux check

CONTRIBUTING.md

@@ -30,7 +30,7 @@ you can sign your commit automatically with `git commit -s`.
 
 For realtime communications we use Slack: To join the conversation, simply
 join the [CNCF](https://slack.cncf.io/) Slack workspace and use the
-[#flux-dev](https://cloud-native.slack.com/messages/flux-dev/) channel.
+[#flux-contributors](https://cloud-native.slack.com/messages/flux-contributors/) channel.
 
 To discuss ideas and specifications we use [Github
 Discussions](https://github.com/fluxcd/flux2/discussions).
@@ -63,27 +63,42 @@ To get started with developing controllers, you might want to review
 walks you through writing a short and concise controller that watches out
 for source changes.
 
-### How to run the test suite
+## How to run the test suite
 
 Prerequisites:
 
 * go >= 1.16
-* kubectl >= 1.18
-* kustomize >= 3.1
+* kubectl >= 1.19
+* kustomize >= 4.0
 
-You can run the unit tests by simply doing
+Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
+
+```bash
+make install-envtest
+```
+
+Then you can run the unit tests with:
 
 ```bash
 make test
 ```
 
-The e2e test suite uses [kind](https://kind.sigs.k8s.io/) for running kubernetes cluster inside docker containers. You can run the e2e tests by simply doing
+After [installing Kubernetes kind](https://kind.sigs.k8s.io/docs/user/quick-start#installation) on your machine,
+create a cluster for testing with:
 
 ```bash
 make setup-kind
-make e2e
+```
 
-# When done
+Then you can run the end-to-end tests with:
+
+```bash
+make e2e
+```
+
+Teardown the e2e environment with:
+
+```bash
 make cleanup-kind
 ```
 

MAINTAINERS

@@ -14,5 +14,7 @@ In alphabetical order:
 
 Aurel Canciu, Sortlist <aurel@sortlist.com> (github: @relu, slack: relu)
 Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
+Max Jonas Werner, D2iQ <mwerner@d2iq.com> (github: @makkes, slack: max)
 Philip Laine, Xenit <philip.laine@xenit.se> (github: @phillebaba, slack: phillebaba)
 Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)
+Sunny, Weaveworks <sunny@weave.works> (github: @darkowlzz, slack: darkowlzz)

Makefile

@@ -2,7 +2,7 @@ VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | head -n
 EMBEDDED_MANIFESTS_TARGET=cmd/flux/.manifests.done
 TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
 ENVTEST_BIN_VERSION?=latest
-KUBEBUILDER_ASSETS?="$(shell $(SETUP_ENVTEST) use -i $(ENVTEST_BIN_VERSION) -p path)"
+KUBEBUILDER_ASSETS?=$(shell $(SETUP_ENVTEST) use -i $(ENVTEST_BIN_VERSION) -p path)
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -33,13 +33,13 @@ cleanup-kind:
 	kind delete cluster --name=flux-e2e-test
 	rm $(TEST_KUBECONFIG)
 
-test: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet setup-envtest
-	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test ./... -coverprofile cover.out --tags=unit
+test: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet install-envtest
+	KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test ./... -coverprofile cover.out --tags=unit
 
 e2e: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet
 	TEST_KUBECONFIG=$(TEST_KUBECONFIG) go test ./cmd/flux/... -coverprofile e2e.cover.out --tags=e2e -v -failfast
 
-test-with-kind: setup-envtest
+test-with-kind: install-envtest
 	make setup-kind
 	make e2e
 	make cleanup-kind
@@ -58,6 +58,12 @@ install:
 install-dev:
 	CGO_ENABLED=0 go build -o /usr/local/bin ./cmd/flux
 
+install-envtest:  setup-envtest
+	 $(SETUP_ENVTEST) use $(ENVTEST_BIN_VERSION)
+
+setup-bootstrap-patch:
+	go run ./tests/bootstrap/main.go
+
 # Find or download setup-envtest
 setup-envtest:
 ifeq (, $(shell which setup-envtest))

cmd/flux/bootstrap.go

@@ -140,7 +140,7 @@ func NewBootstrapFlags() bootstrapFlags {
 	return bootstrapFlags{
 		logLevel:           flags.LogLevel(rootArgs.defaults.LogLevel),
 		requiredComponents: []string{"source-controller", "kustomize-controller"},
-		keyAlgorithm:       flags.PublicKeyAlgorithm(sourcesecret.RSAPrivateKeyAlgorithm),
+		keyAlgorithm:       flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		keyRSABits:         2048,
 		keyECDSACurve:      flags.ECDSACurve{Curve: elliptic.P384()},
 	}

cmd/flux/check.go

@@ -30,6 +30,7 @@ import (
 	"github.com/fluxcd/pkg/version"
 
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/status"
 )
@@ -51,6 +52,7 @@ type checkFlags struct {
 	pre             bool
 	components      []string
 	extraComponents []string
+	pollInterval    time.Duration
 }
 
 var kubernetesConstraints = []string{
@@ -69,6 +71,8 @@ func init() {
 		"list of components, accepts comma-separated values")
 	checkCmd.Flags().StringSliceVar(&checkArgs.extraComponents, "components-extra", nil,
 		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
+	checkCmd.Flags().DurationVar(&checkArgs.pollInterval, "poll-interval", 5*time.Second,
+		"how often the health checker should poll the cluster for the latest state of the resources.")
 	rootCmd.AddCommand(checkCmd)
 }
 
@@ -177,7 +181,7 @@ func componentsCheck() bool {
 		return false
 	}
 
-	statusChecker, err := status.NewStatusChecker(kubeConfig, time.Second, rootArgs.timeout, logger)
+	statusChecker, err := status.NewStatusChecker(kubeConfig, checkArgs.pollInterval, rootArgs.timeout, logger)
 	if err != nil {
 		return false
 	}
@@ -188,7 +192,7 @@ func componentsCheck() bool {
 	}
 
 	ok := true
-	selector := client.MatchingLabels{"app.kubernetes.io/instance": rootArgs.namespace}
+	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list v1.DeploymentList
 	if err := kubeClient.List(ctx, &list, client.InNamespace(rootArgs.namespace), selector); err == nil {
 		for _, d := range list.Items {

cmd/flux/create_secret_git.go

@@ -105,7 +105,7 @@ func init() {
 
 func NewSecretGitFlags() secretGitFlags {
 	return secretGitFlags{
-		keyAlgorithm: flags.PublicKeyAlgorithm(sourcesecret.RSAPrivateKeyAlgorithm),
+		keyAlgorithm: flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		rsaBits:      2048,
 		ecdsaCurve:   flags.ECDSACurve{Curve: elliptic.P384()},
 	}
@@ -161,7 +161,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	if createArgs.export {
-		fmt.Println(secret.Content)
+		rootCmd.Println(secret.Content)
 		return nil
 	}
 

cmd/flux/create_secret_git_test.go

@@ -0,0 +1,44 @@
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateGitSecret(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "no args",
+			args:   "create secret git",
+			assert: assertError("secret name is required"),
+		},
+		{
+			name:   "basic secret",
+			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=my-username --password=my-password --namespace=my-namespace --export",
+			assert: assertGoldenFile("./testdata/create_secret/git/secret-git-basic.yaml"),
+		},
+		{
+			name:   "ssh key",
+			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/rsa.private --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret.yaml"),
+		},
+		{
+			name:   "ssh key with password",
+			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/rsa-password.private --password=password --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/create_secret_helm.go

@@ -94,7 +94,7 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	if createArgs.export {
-		fmt.Println(secret.Content)
+		rootCmd.Println(secret.Content)
 		return nil
 	}
 

cmd/flux/create_secret_helm_test.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateHelmSecret(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			args:   "create secret helm",
+			assert: assertError("secret name is required"),
+		},
+		{
+			args:   "create secret helm helm-secret --username=my-username --password=my-password --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/helm/secret-helm.yaml"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/create_secret_tls.go

@@ -91,7 +91,7 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	if createArgs.export {
-		fmt.Println(secret.Content)
+		rootCmd.Print(secret.Content)
 		return nil
 	}
 

cmd/flux/create_secret_tls_test.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateTlsSecretNoArgs(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			args:   "create secret tls",
+			assert: assertError("secret name is required"),
+		},
+		{
+			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --export",
+			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/create_source.go

@@ -17,6 +17,8 @@ limitations under the License.
 package main
 
 import (
+	"time"
+
 	"github.com/spf13/cobra"
 )
 
@@ -26,6 +28,14 @@ var createSourceCmd = &cobra.Command{
 	Long:  "The create source sub-commands generate sources.",
 }
 
+type createSourceFlags struct {
+	fetchTimeout time.Duration
+}
+
+var createSourceArgs createSourceFlags
+
 func init() {
+	createSourceCmd.PersistentFlags().DurationVar(&createSourceArgs.fetchTimeout, "fetch-timeout", createSourceArgs.fetchTimeout,
+		"set a timeout for fetch operations performed by source-controller (e.g. 'git clone' or 'helm repo update')")
 	createCmd.AddCommand(createSourceCmd)
 }

cmd/flux/create_source_bucket.go

@@ -134,6 +134,11 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			},
 		},
 	}
+
+	if createSourceArgs.fetchTimeout > 0 {
+		bucket.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
+	}
+
 	if sourceBucketArgs.secretRef != "" {
 		bucket.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: sourceBucketArgs.secretRef,

cmd/flux/create_source_git.go

@@ -143,7 +143,7 @@ func init() {
 
 func newSourceGitFlags() sourceGitFlags {
 	return sourceGitFlags{
-		keyAlgorithm:  flags.PublicKeyAlgorithm(sourcesecret.RSAPrivateKeyAlgorithm),
+		keyAlgorithm:  flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		keyRSABits:    2048,
 		keyECDSACurve: flags.ECDSACurve{Curve: elliptic.P384()},
 	}
@@ -206,6 +206,10 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 
+	if createSourceArgs.fetchTimeout > 0 {
+		gitRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
+	}
+
 	if sourceGitArgs.gitImplementation != "" {
 		gitRepository.Spec.GitImplementation = sourceGitArgs.gitImplementation.String()
 	}

cmd/flux/create_source_helm.go

@@ -129,6 +129,10 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 
+	if createSourceArgs.fetchTimeout > 0 {
+		helmRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
+	}
+
 	if sourceHelmArgs.secretRef != "" {
 		helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: sourceHelmArgs.secretRef,

cmd/flux/export.go

@@ -113,8 +113,8 @@ func printExport(export interface{}) error {
 	if err != nil {
 		return err
 	}
-	fmt.Println("---")
-	fmt.Println(resourceToString(data))
+	rootCmd.Println("---")
+	rootCmd.Println(resourceToString(data))
 	return nil
 }
 

cmd/flux/export_test.go

@@ -0,0 +1,88 @@
+// +build unit
+
+package main
+
+import (
+	"testing"
+)
+
+func TestExport(t *testing.T) {
+	cases := []struct {
+		name       string
+		arg        string
+		goldenFile string
+	}{
+		{
+			"alert-provider",
+			"export alert-provider slack",
+			"testdata/export/provider.yaml",
+		},
+		{
+			"alert",
+			"export alert flux-system",
+			"testdata/export/alert.yaml",
+		},
+		{
+			"image policy",
+			"export image policy flux-system",
+			"testdata/export/image-policy.yaml",
+		},
+		{
+			"image repository",
+			"export image repository flux-system",
+			"testdata/export/image-repo.yaml",
+		},
+		{
+			"image update",
+			"export image update flux-system",
+			"testdata/export/image-update.yaml",
+		},
+		{
+			"source git",
+			"export source git flux-system",
+			"testdata/export/git-repo.yaml",
+		},
+		{
+			"source helm",
+			"export source helm flux-system",
+			"testdata/export/helm-repo.yaml",
+		},
+		{
+			"receiver",
+			"export receiver flux-system",
+			"testdata/export/receiver.yaml",
+		},
+		{
+			"kustomization",
+			"export kustomization flux-system",
+			"testdata/export/ks.yaml",
+		},
+		{
+			"helmrelease",
+			"export helmrelease flux-system",
+			"testdata/export/helm-release.yaml",
+		},
+		{
+			"bucket",
+			"export source bucket flux-system",
+			"testdata/export/bucket.yaml",
+		},
+	}
+
+	objectFile := "testdata/export/objects.yaml"
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	testEnv.CreateObjectFile(objectFile, tmpl, t)
+
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.arg + " -n=" + tmpl["fluxns"],
+				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/install.go

@@ -206,7 +206,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
 	}
-	statusChecker, err := status.NewStatusChecker(kubeConfig, time.Second, rootArgs.timeout, logger)
+	statusChecker, err := status.NewStatusChecker(kubeConfig, 5*time.Second, rootArgs.timeout, logger)
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
 	}

cmd/flux/logs.go

@@ -39,6 +39,7 @@ import (
 
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 )
 
 var logsCmd = &cobra.Command{
@@ -93,7 +94,7 @@ func init() {
 }
 
 func logsCmdRun(cmd *cobra.Command, args []string) error {
-	fluxSelector := fmt.Sprintf("app.kubernetes.io/instance=%s", logsArgs.fluxNamespace)
+	fluxSelector := fmt.Sprintf("%s=%s", manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

cmd/flux/main.go

@@ -107,7 +107,8 @@ type rootFlags struct {
 var rootArgs = NewRootFlags()
 
 func init() {
-	rootCmd.PersistentFlags().StringVarP(&rootArgs.namespace, "namespace", "n", rootArgs.defaults.Namespace, "the namespace scope for this operation")
+	rootCmd.PersistentFlags().StringVarP(&rootArgs.namespace, "namespace", "n", rootArgs.defaults.Namespace,
+		"the namespace scope for this operation, can be set with FLUX_SYSTEM_NAMESPACE env var")
 	rootCmd.RegisterFlagCompletionFunc("namespace", resourceNamesCompletionFunc(corev1.SchemeGroupVersion.WithKind("Namespace")))
 
 	rootCmd.PersistentFlags().DurationVar(&rootArgs.timeout, "timeout", 5*time.Minute, "timeout for this operation")
@@ -119,6 +120,7 @@ func init() {
 	rootCmd.RegisterFlagCompletionFunc("context", contextsCompletionFunc)
 
 	rootCmd.DisableAutoGenTag = true
+	rootCmd.SetOut(os.Stdout)
 }
 
 func NewRootFlags() rootFlags {
@@ -133,6 +135,7 @@ func NewRootFlags() rootFlags {
 func main() {
 	log.SetFlags(0)
 	configureKubeconfig()
+	configureDefaultNamespace()
 	if err := rootCmd.Execute(); err != nil {
 		logger.Failuref("%v", err)
 		os.Exit(1)
@@ -151,6 +154,13 @@ func configureKubeconfig() {
 	}
 }
 
+func configureDefaultNamespace() {
+	fromEnv := os.Getenv("FLUX_SYSTEM_NAMESPACE")
+	if fromEnv != "" && rootArgs.namespace == rootArgs.defaults.Namespace {
+		rootArgs.namespace = fromEnv
+	}
+}
+
 func homeDir() string {
 	if h := os.Getenv("HOME"); h != "" {
 		return h

cmd/flux/main_test.go

@@ -311,6 +311,7 @@ func executeTemplate(content string, templateValues map[string]string) (string,
 
 // Run the command and return the captured output.
 func executeCommand(cmd string) (string, error) {
+	defer resetCmdArgs()
 	args, err := shellwords.Parse(cmd)
 	if err != nil {
 		return "", err
@@ -329,3 +330,9 @@ func executeCommand(cmd string) (string, error) {
 
 	return result, err
 }
+
+func resetCmdArgs() {
+	createArgs = createFlags{}
+	getArgs = GetFlags{}
+	secretGitArgs = NewSecretGitFlags()
+}

cmd/flux/reconcile.go

@@ -122,7 +122,7 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 	}
 
 	if readyCond.Status != metav1.ConditionTrue {
-		return fmt.Errorf("%s reconciliation failed: ''%s", reconcile.kind, readyCond.Message)
+		return fmt.Errorf("%s reconciliation failed: '%s'", reconcile.kind, readyCond.Message)
 	}
 	logger.Successf(reconcile.object.successMessage())
 	return nil

cmd/flux/testdata/create_secret/git/git-ssh-secret-password.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: podinfo-auth
+  namespace: my-namespace
+stringData:
+  identity: |
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAZPOy4O0
+    XmgKgRJuR9WaShAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDmuJnVljOr
+    pA3OiaAkCJuPT+lHRb/Kuc7fByldlYihsrNjWKVa9xB844mNrpntevFJ6ESEE13ElY2O8M
+    /L58Eh4hmrzqBDtk7XnP/bJVdHAOGvEYavLEeN9K9nZdYYnyOae4OMZacA4oHxUSyrSWvl
+    LDTOOZnFYlCkVXogBcvCrg+HZe/FaHmB4R3ni9eojsX/gQII970SD6d2DLhCW3r+qNW03S
+    O8bj28xyjGLhVgNPyRimWkeZ8DpiJKm2Ccf2oYqtVp1wtrihz4QZ30cZ0KWxdf2iJKCMhp
+    e5B2F8Gw3+3ZWWA8xmg1buDwLkGmroibPY9hUAzt05E8THuwpl7GA/8xdge+LCcCdBhx+i
+    WYhcPrQOCD/5ajRM7OkjJbJwRxdZgdYDSUvQNnHYh02pj+ZYjQBARhSRCEkFnxklyNjzSD
+    ETwXO5tW57CmcegLS8ig3Z3WcgBX0sdDsttMBmlWt4fb6qPB6ctTjx/wlkC0YlHXuI+Fzm
+    CyAP8ikQk63ckAAAWQy3GOOOYpvMAgXIDYUJZnCiy4jnzpt3vX0kIpWogfwqT8QwbuhhDb
+    ogQT6mZqt88nKUlRv3eRPmeG6MebsuweMw6WJfP0ZARFJS9+nXfNSJGN+Tqze252C1w2uu
+    vlzK1GnY5pnZzpaZAf/d+UAtNXDYdWA1DlJsNsBXgIJVkc47sp/cv6EGced+UXuV+Yr80s
+    ECqqOqa+IZWxd+Buca2EWQhG2loLlk6JQ8D+vNm3yhPCrb+1BcoZgxGItL70TdLtUCsmpP
+    y+ejnIxiHl79CjSNANBA7SgjJCQWYjFTcNUb98pGMsMVKIqczNtUZrL6WiSBrLDl5luFIb
+    bZi6iQsjVU6AUd+rcTSsdCec7xnoDddytmh2oG0tHG9wlCQh9yo0NBGaBQP/euqiSgIAvZ
+    zTJTy1AUo/M6FRdMpuGoDrxDPDGj/Q4OsUQzDS0c10WHGv2TLIoloa/FvhjdOn4pXOOIOB
+    nzgRn1xEHwgmSsyyiQP8gCEWM3XgLTOZIS+B4AT6hFPGCbbRetqwKF6qG68xsoLmQ5BXJN
+    kdIKqT7BlAvvX7t80XnvWiuZUjBS2qyTJ3FWCkyaxQVmrNsfZbg4qRJ377+ip3BwuaTl3X
+    VuZEEEy6+cwc+fRL8hPbKKIAcSLjRJnGHMiPvEFcL7yMkmGhv/vd78QdF/0XfVqCGr1gH3
+    gO3O//2Bdcp7Vo9QGqlK66Cusk5HiVSv6StQdqoauW2bxF4JKm3azHL1wWkyWtf2FQD425
+    0V+qib4Qz4KALj9uPwUyP6umDSk1NSBEMohGYpbm/O/Hpr6x2XET6kYbcK/sb5pDlZ81QQ
+    A6GJ87fQyVe0FeoWwg256LiNyDTqFUKm0R508hlnzaAtMnW8TvSqmjrKfLy9YU8IaF0dcS
+    kLheF4EwU2B5exumCx5JDe/xbVw5M8bx5m9lMx1NxGwNr2HtLvgMdQCwI5KchBzC+SIfGd
+    h94Gv39xRGKAhgtBzRRC5LLnRHeBWuLroWY/MoPDH5dWsMvSDkDjaGWHczlPNeN+epv17O
+    G5rR4oyVBfbR5+/qB//1c8avbBrmMLZoFaGMYSQaX8kTcus/Xu5qoDvxlkT4mjb6VvjMq0
+    iPUDNz8hAXv6NUlAViMGNV/sKhNcHRmwqkai79p0JJ+Ni635YNY2E7mS6QwVce1KCsUMet
+    xjeDItSaLLQTaC2LfLybL9/3ppJiaOusnSN+J+yHvUIu7IsI2a9OpGRGhYIU/25r2KBtFV
+    GdSGLNOdI3CB+J6eDXwkt3BmkIVYABc12o94PAXShnCgXK4u6tcowkNKVjyIrE64tckBsr
+    l08apsj7SkTbly34MucgKya0pwBQKUXEUSHCQ70h8q4fK0dWrs7ahODXdwj0Lrp6My5eFR
+    sV24X8U7kPailGowAVh9f/7afZs9CURwlUDjaXKWewGyQ7j3WVHOXSikOfxxbdQ+19juDO
+    1h7Gtk+fKLsq0har0KDnVFSvP16f3ETKfAp5/acmXE4dnJGoo5k2Ak0QUBNIH163biBKS0
+    Y6ePms4PghUFWINzaReZi1E4NiXdWKgOLXJBta7fg+ISFCocYdBRk9w3VUZa/1IvgzNg3l
+    QxyLLH4YPcAGiSPpwcHhWxh/OMY4m6av9BslsG9ajXBpVto0X3oEa78ZuJVVXWAP2E891g
+    I/atxZ+fBkght3oIMiIuyWPeKZVNvdx1eKCU76jCEXxMrlAM47OZEJnaeMdhqPA1ICqERx
+    2L9Tq2W30mgwwP/QaDOiqNBn3UWt28ly+LqUOoQKt/w/z9YZUlpN090rs1iWOTkpamXTYd
+    o+WewKF1Ax4TbsSfNX7P1ROTeIsQCisu3iFWkym9QZ/2RcZYcEPGGAR3ve8rPS2tsy9nL8
+    4TDo1LUXShRgQxOEAsPNJ4440vY=
+    -----END OPENSSH PRIVATE KEY-----
+  identity.pub: |
+    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmuJnVljOrpA3OiaAkCJuPT+lHRb/Kuc7fByldlYihsrNjWKVa9xB844mNrpntevFJ6ESEE13ElY2O8M/L58Eh4hmrzqBDtk7XnP/bJVdHAOGvEYavLEeN9K9nZdYYnyOae4OMZacA4oHxUSyrSWvlLDTOOZnFYlCkVXogBcvCrg+HZe/FaHmB4R3ni9eojsX/gQII970SD6d2DLhCW3r+qNW03SO8bj28xyjGLhVgNPyRimWkeZ8DpiJKm2Ccf2oYqtVp1wtrihz4QZ30cZ0KWxdf2iJKCMhpe5B2F8Gw3+3ZWWA8xmg1buDwLkGmroibPY9hUAzt05E8THuwpl7GA/8xdge+LCcCdBhx+iWYhcPrQOCD/5ajRM7OkjJbJwRxdZgdYDSUvQNnHYh02pj+ZYjQBARhSRCEkFnxklyNjzSDETwXO5tW57CmcegLS8ig3Z3WcgBX0sdDsttMBmlWt4fb6qPB6ctTjx/wlkC0YlHXuI+FzmCyAP8ikQk63ck=
+  known_hosts: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+  password: password
+

cmd/flux/testdata/create_secret/git/git-ssh-secret.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: podinfo-auth
+  namespace: my-namespace
+stringData:
+  identity: |
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+    NhAAAAAwEAAQAAAYEAyF0WPHSGTC1fELE2N+2Inas2VsN8XyeGjMtrPfWIchOz2YCLt1of
+    HCUMgE8x2/v7tN3hZ0s5q8lqW7O9zyc6dnVvEYlmMfd0zG6ThenwANOW5pQhgRqrEKQdQA
+    OGlAUdDh9aSeynl5+1miEPGrmG2csVw2XOZBNgoqkqu13LJBUx0mJhJ4+h45KYnCfRnzJc
+    5kJ1halTbcT52aFQnX0GwtrykiHJvF/3J35Zktg60pspLFgYuRulRmQzfkNSYg494XXitn
+    V5b5H8seGeiMnS7b0yDjjVWoMfdOvn2W/qbAPKr8ro0eGEx/fZAzHj5hvLDgqJkQ+IvfrI
+    xcLRmbpJfxTJ+Pm99hSRXZTLztksCQXFy7qtqZrxxpj7zeMPqJJ8VmU5xm0vUHJKX+lKMN
+    X8TnZOZU8URXK5nF91F2SSopQXIa2O7Xtq/AuAU2A8tQnyLfnPMbIJK4VYkuQVbcO4AtVi
+    Y0rNKEJQDomF2EgAQOEPPj950gt6ZG7zRvON5UWPAAAFgD981gI/fNYCAAAAB3NzaC1yc2
+    EAAAGBAMhdFjx0hkwtXxCxNjftiJ2rNlbDfF8nhozLaz31iHITs9mAi7daHxwlDIBPMdv7
+    +7Td4WdLOavJaluzvc8nOnZ1bxGJZjH3dMxuk4Xp8ADTluaUIYEaqxCkHUADhpQFHQ4fWk
+    nsp5eftZohDxq5htnLFcNlzmQTYKKpKrtdyyQVMdJiYSePoeOSmJwn0Z8yXOZCdYWpU23E
+    +dmhUJ19BsLa8pIhybxf9yd+WZLYOtKbKSxYGLkbpUZkM35DUmIOPeF14rZ1eW+R/LHhno
+    jJ0u29Mg441VqDH3Tr59lv6mwDyq/K6NHhhMf32QMx4+Ybyw4KiZEPiL36yMXC0Zm6SX8U
+    yfj5vfYUkV2Uy87ZLAkFxcu6rama8caY+83jD6iSfFZlOcZtL1BySl/pSjDV/E52TmVPFE
+    VyuZxfdRdkkqKUFyGtju17avwLgFNgPLUJ8i35zzGyCSuFWJLkFW3DuALVYmNKzShCUA6J
+    hdhIAEDhDz4/edILemRu80bzjeVFjwAAAAMBAAEAAAGBAIffsIOg1a31GsG8GzOELqAVik
+    z+VmpE6Ja0H+6tgjEyMUWvSZA2WmCAs2CT1BEFaaU2znN47QwVE75KPs6rIJdSfdaboaUC
+    1b8IwZwPj8VPt8Z379yYVCd906Qkf/ADI7f/BQCarvBAyytRfee2pr8tXH3cnUD6bw7/v0
+    2+hlLa2KV+N7pXSgaE1F8ZFatqwNsZeI8Cy+PlrzWpknyqW5pqVhNJPIA1Z+rtYRsW7ZUC
+    ycIbn/Bv0f3RV6YpS0XZt2OvJtDp9XTOoRKCWeM0VpKqV6ACzL+Gi2lso4iw75zDZaPl+s
+    BNtozqE1GR6ee6NVNhXlcqHw2B6HCE0NqS87YI+nsLVQQ803Z36LUmQYsgCqFL7zCVwNkb
+    BBbbp2jxWRYKf7ZyNef+knVn5N2oj0x+J1fTD8SGHFrF04oIpf1fx3TcIGk8n9TA1EJPHK
+    VkOQLjbMWkPqyJEj62WdyDOYdpz/It4a6xpHaLCneUCZzEKas3OXY+IoPdNVU1zQSC2QAA
+    AMEA3gStXY04rdwWssOO+8zeHtAgTH3wIfSJYz/TcDX/MMWarmZevdv+7OzMAI7jcerkV4
+    H+wux+xl1UZ1mjgcX70tdsEXo4MdDXJNELM3Fps+be245s9EpfzF3w1x43KBeab++0TrT6
+    N5km0G61NUHwcA5flT4dsPFqwwBQLUYnr1JnbEy+FxILHH/Pr0BoxtRS3cPc/TPJEJwSgR
+    OJI/U3TIRy7A/ruN53MWg6+KOwNVBT7/ZgtJ+Bwo+nM1a3hvnFAAAAwQDr58RqF7JBmAdZ
+    tuZA6dd2sJDrWDeQ0ExUcJnHtSgLDMflssazsv1U263UKDejXw3XqLNI8rvcmdAiDvTnAv
+    nb97ofHI4wOVjA+MC///CgnvZ69Nm9RIo5EBuIg8QWq3q65Hpiea2/rQn8V2uzmNHPLOEC
+    oPv4DqUeYqOx1yW5UqmCF+ZVYbzwabuEPs/1TeE6cWQgOIe75ttsNtHyWWBH307vCFYDOD
+    EOmdToAZ0KWKxVfwIFr6CUxOKvBNntLYMAAADBANluSOCSTBvZPb/I0UJuJR3vGGSjlqwT
+    9YhcT0P2Hz2QDobo3gCGkBkLwDUkaioj/vSwYnJvidQD8FM2yfydV68o7Mhq4BbDy9K66T
+    jqWOu7AgU/aTriPfiMV7KaqfVsKhOGSlOTTxf0HpsG38yiiLXlhI2V2kdskMTTR4n3nr+H
+    tZB+zPNKJUviC/DcLo2mizjfGvGUk6DBRShVEmOIfcRUwoeBYn24tKjs/s6WIuDtGFAFZW
+    6erRhI2tHZsEN2BQAAAAd0ZXN0a2V5AQI=
+    -----END OPENSSH PRIVATE KEY-----
+  identity.pub: |
+    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIXRY8dIZMLV8QsTY37YidqzZWw3xfJ4aMy2s99YhyE7PZgIu3Wh8cJQyATzHb+/u03eFnSzmryWpbs73PJzp2dW8RiWYx93TMbpOF6fAA05bmlCGBGqsQpB1AA4aUBR0OH1pJ7KeXn7WaIQ8auYbZyxXDZc5kE2CiqSq7XcskFTHSYmEnj6HjkpicJ9GfMlzmQnWFqVNtxPnZoVCdfQbC2vKSIcm8X/cnflmS2DrSmyksWBi5G6VGZDN+Q1JiDj3hdeK2dXlvkfyx4Z6IydLtvTIOONVagx906+fZb+psA8qvyujR4YTH99kDMePmG8sOComRD4i9+sjFwtGZukl/FMn4+b32FJFdlMvO2SwJBcXLuq2pmvHGmPvN4w+oknxWZTnGbS9Qckpf6Uow1fxOdk5lTxRFcrmcX3UXZJKilBchrY7te2r8C4BTYDy1CfIt+c8xsgkrhViS5BVtw7gC1WJjSs0oQlAOiYXYSABA4Q8+P3nSC3pkbvNG843lRY8=
+  known_hosts: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+

cmd/flux/testdata/create_secret/git/rsa-password.private

@@ -0,0 +1,39 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAZPOy4O0
+XmgKgRJuR9WaShAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDmuJnVljOr
+pA3OiaAkCJuPT+lHRb/Kuc7fByldlYihsrNjWKVa9xB844mNrpntevFJ6ESEE13ElY2O8M
+/L58Eh4hmrzqBDtk7XnP/bJVdHAOGvEYavLEeN9K9nZdYYnyOae4OMZacA4oHxUSyrSWvl
+LDTOOZnFYlCkVXogBcvCrg+HZe/FaHmB4R3ni9eojsX/gQII970SD6d2DLhCW3r+qNW03S
+O8bj28xyjGLhVgNPyRimWkeZ8DpiJKm2Ccf2oYqtVp1wtrihz4QZ30cZ0KWxdf2iJKCMhp
+e5B2F8Gw3+3ZWWA8xmg1buDwLkGmroibPY9hUAzt05E8THuwpl7GA/8xdge+LCcCdBhx+i
+WYhcPrQOCD/5ajRM7OkjJbJwRxdZgdYDSUvQNnHYh02pj+ZYjQBARhSRCEkFnxklyNjzSD
+ETwXO5tW57CmcegLS8ig3Z3WcgBX0sdDsttMBmlWt4fb6qPB6ctTjx/wlkC0YlHXuI+Fzm
+CyAP8ikQk63ckAAAWQy3GOOOYpvMAgXIDYUJZnCiy4jnzpt3vX0kIpWogfwqT8QwbuhhDb
+ogQT6mZqt88nKUlRv3eRPmeG6MebsuweMw6WJfP0ZARFJS9+nXfNSJGN+Tqze252C1w2uu
+vlzK1GnY5pnZzpaZAf/d+UAtNXDYdWA1DlJsNsBXgIJVkc47sp/cv6EGced+UXuV+Yr80s
+ECqqOqa+IZWxd+Buca2EWQhG2loLlk6JQ8D+vNm3yhPCrb+1BcoZgxGItL70TdLtUCsmpP
+y+ejnIxiHl79CjSNANBA7SgjJCQWYjFTcNUb98pGMsMVKIqczNtUZrL6WiSBrLDl5luFIb
+bZi6iQsjVU6AUd+rcTSsdCec7xnoDddytmh2oG0tHG9wlCQh9yo0NBGaBQP/euqiSgIAvZ
+zTJTy1AUo/M6FRdMpuGoDrxDPDGj/Q4OsUQzDS0c10WHGv2TLIoloa/FvhjdOn4pXOOIOB
+nzgRn1xEHwgmSsyyiQP8gCEWM3XgLTOZIS+B4AT6hFPGCbbRetqwKF6qG68xsoLmQ5BXJN
+kdIKqT7BlAvvX7t80XnvWiuZUjBS2qyTJ3FWCkyaxQVmrNsfZbg4qRJ377+ip3BwuaTl3X
+VuZEEEy6+cwc+fRL8hPbKKIAcSLjRJnGHMiPvEFcL7yMkmGhv/vd78QdF/0XfVqCGr1gH3
+gO3O//2Bdcp7Vo9QGqlK66Cusk5HiVSv6StQdqoauW2bxF4JKm3azHL1wWkyWtf2FQD425
+0V+qib4Qz4KALj9uPwUyP6umDSk1NSBEMohGYpbm/O/Hpr6x2XET6kYbcK/sb5pDlZ81QQ
+A6GJ87fQyVe0FeoWwg256LiNyDTqFUKm0R508hlnzaAtMnW8TvSqmjrKfLy9YU8IaF0dcS
+kLheF4EwU2B5exumCx5JDe/xbVw5M8bx5m9lMx1NxGwNr2HtLvgMdQCwI5KchBzC+SIfGd
+h94Gv39xRGKAhgtBzRRC5LLnRHeBWuLroWY/MoPDH5dWsMvSDkDjaGWHczlPNeN+epv17O
+G5rR4oyVBfbR5+/qB//1c8avbBrmMLZoFaGMYSQaX8kTcus/Xu5qoDvxlkT4mjb6VvjMq0
+iPUDNz8hAXv6NUlAViMGNV/sKhNcHRmwqkai79p0JJ+Ni635YNY2E7mS6QwVce1KCsUMet
+xjeDItSaLLQTaC2LfLybL9/3ppJiaOusnSN+J+yHvUIu7IsI2a9OpGRGhYIU/25r2KBtFV
+GdSGLNOdI3CB+J6eDXwkt3BmkIVYABc12o94PAXShnCgXK4u6tcowkNKVjyIrE64tckBsr
+l08apsj7SkTbly34MucgKya0pwBQKUXEUSHCQ70h8q4fK0dWrs7ahODXdwj0Lrp6My5eFR
+sV24X8U7kPailGowAVh9f/7afZs9CURwlUDjaXKWewGyQ7j3WVHOXSikOfxxbdQ+19juDO
+1h7Gtk+fKLsq0har0KDnVFSvP16f3ETKfAp5/acmXE4dnJGoo5k2Ak0QUBNIH163biBKS0
+Y6ePms4PghUFWINzaReZi1E4NiXdWKgOLXJBta7fg+ISFCocYdBRk9w3VUZa/1IvgzNg3l
+QxyLLH4YPcAGiSPpwcHhWxh/OMY4m6av9BslsG9ajXBpVto0X3oEa78ZuJVVXWAP2E891g
+I/atxZ+fBkght3oIMiIuyWPeKZVNvdx1eKCU76jCEXxMrlAM47OZEJnaeMdhqPA1ICqERx
+2L9Tq2W30mgwwP/QaDOiqNBn3UWt28ly+LqUOoQKt/w/z9YZUlpN090rs1iWOTkpamXTYd
+o+WewKF1Ax4TbsSfNX7P1ROTeIsQCisu3iFWkym9QZ/2RcZYcEPGGAR3ve8rPS2tsy9nL8
+4TDo1LUXShRgQxOEAsPNJ4440vY=
+-----END OPENSSH PRIVATE KEY-----

cmd/flux/testdata/create_secret/git/rsa.private

@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAyF0WPHSGTC1fELE2N+2Inas2VsN8XyeGjMtrPfWIchOz2YCLt1of
+HCUMgE8x2/v7tN3hZ0s5q8lqW7O9zyc6dnVvEYlmMfd0zG6ThenwANOW5pQhgRqrEKQdQA
+OGlAUdDh9aSeynl5+1miEPGrmG2csVw2XOZBNgoqkqu13LJBUx0mJhJ4+h45KYnCfRnzJc
+5kJ1halTbcT52aFQnX0GwtrykiHJvF/3J35Zktg60pspLFgYuRulRmQzfkNSYg494XXitn
+V5b5H8seGeiMnS7b0yDjjVWoMfdOvn2W/qbAPKr8ro0eGEx/fZAzHj5hvLDgqJkQ+IvfrI
+xcLRmbpJfxTJ+Pm99hSRXZTLztksCQXFy7qtqZrxxpj7zeMPqJJ8VmU5xm0vUHJKX+lKMN
+X8TnZOZU8URXK5nF91F2SSopQXIa2O7Xtq/AuAU2A8tQnyLfnPMbIJK4VYkuQVbcO4AtVi
+Y0rNKEJQDomF2EgAQOEPPj950gt6ZG7zRvON5UWPAAAFgD981gI/fNYCAAAAB3NzaC1yc2
+EAAAGBAMhdFjx0hkwtXxCxNjftiJ2rNlbDfF8nhozLaz31iHITs9mAi7daHxwlDIBPMdv7
++7Td4WdLOavJaluzvc8nOnZ1bxGJZjH3dMxuk4Xp8ADTluaUIYEaqxCkHUADhpQFHQ4fWk
+nsp5eftZohDxq5htnLFcNlzmQTYKKpKrtdyyQVMdJiYSePoeOSmJwn0Z8yXOZCdYWpU23E
++dmhUJ19BsLa8pIhybxf9yd+WZLYOtKbKSxYGLkbpUZkM35DUmIOPeF14rZ1eW+R/LHhno
+jJ0u29Mg441VqDH3Tr59lv6mwDyq/K6NHhhMf32QMx4+Ybyw4KiZEPiL36yMXC0Zm6SX8U
+yfj5vfYUkV2Uy87ZLAkFxcu6rama8caY+83jD6iSfFZlOcZtL1BySl/pSjDV/E52TmVPFE
+VyuZxfdRdkkqKUFyGtju17avwLgFNgPLUJ8i35zzGyCSuFWJLkFW3DuALVYmNKzShCUA6J
+hdhIAEDhDz4/edILemRu80bzjeVFjwAAAAMBAAEAAAGBAIffsIOg1a31GsG8GzOELqAVik
+z+VmpE6Ja0H+6tgjEyMUWvSZA2WmCAs2CT1BEFaaU2znN47QwVE75KPs6rIJdSfdaboaUC
+1b8IwZwPj8VPt8Z379yYVCd906Qkf/ADI7f/BQCarvBAyytRfee2pr8tXH3cnUD6bw7/v0
+2+hlLa2KV+N7pXSgaE1F8ZFatqwNsZeI8Cy+PlrzWpknyqW5pqVhNJPIA1Z+rtYRsW7ZUC
+ycIbn/Bv0f3RV6YpS0XZt2OvJtDp9XTOoRKCWeM0VpKqV6ACzL+Gi2lso4iw75zDZaPl+s
+BNtozqE1GR6ee6NVNhXlcqHw2B6HCE0NqS87YI+nsLVQQ803Z36LUmQYsgCqFL7zCVwNkb
+BBbbp2jxWRYKf7ZyNef+knVn5N2oj0x+J1fTD8SGHFrF04oIpf1fx3TcIGk8n9TA1EJPHK
+VkOQLjbMWkPqyJEj62WdyDOYdpz/It4a6xpHaLCneUCZzEKas3OXY+IoPdNVU1zQSC2QAA
+AMEA3gStXY04rdwWssOO+8zeHtAgTH3wIfSJYz/TcDX/MMWarmZevdv+7OzMAI7jcerkV4
+H+wux+xl1UZ1mjgcX70tdsEXo4MdDXJNELM3Fps+be245s9EpfzF3w1x43KBeab++0TrT6
+N5km0G61NUHwcA5flT4dsPFqwwBQLUYnr1JnbEy+FxILHH/Pr0BoxtRS3cPc/TPJEJwSgR
+OJI/U3TIRy7A/ruN53MWg6+KOwNVBT7/ZgtJ+Bwo+nM1a3hvnFAAAAwQDr58RqF7JBmAdZ
+tuZA6dd2sJDrWDeQ0ExUcJnHtSgLDMflssazsv1U263UKDejXw3XqLNI8rvcmdAiDvTnAv
+nb97ofHI4wOVjA+MC///CgnvZ69Nm9RIo5EBuIg8QWq3q65Hpiea2/rQn8V2uzmNHPLOEC
+oPv4DqUeYqOx1yW5UqmCF+ZVYbzwabuEPs/1TeE6cWQgOIe75ttsNtHyWWBH307vCFYDOD
+EOmdToAZ0KWKxVfwIFr6CUxOKvBNntLYMAAADBANluSOCSTBvZPb/I0UJuJR3vGGSjlqwT
+9YhcT0P2Hz2QDobo3gCGkBkLwDUkaioj/vSwYnJvidQD8FM2yfydV68o7Mhq4BbDy9K66T
+jqWOu7AgU/aTriPfiMV7KaqfVsKhOGSlOTTxf0HpsG38yiiLXlhI2V2kdskMTTR4n3nr+H
+tZB+zPNKJUviC/DcLo2mizjfGvGUk6DBRShVEmOIfcRUwoeBYn24tKjs/s6WIuDtGFAFZW
+6erRhI2tHZsEN2BQAAAAd0ZXN0a2V5AQI=
+-----END OPENSSH PRIVATE KEY-----

cmd/flux/testdata/create_secret/git/secret-git-basic.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: podinfo-auth
+  namespace: my-namespace
+stringData:
+  password: my-password
+  username: my-username
+

cmd/flux/testdata/create_secret/helm/secret-helm.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: helm-secret
+  namespace: my-namespace
+stringData:
+  password: my-password
+  username: my-username
+

cmd/flux/testdata/create_secret/tls/secret-tls.yaml

@@ -0,0 +1,92 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: certs
+  namespace: my-namespace
+stringData:
+  certFile: |
+    -----BEGIN CERTIFICATE-----
+    MIIFazCCA1OgAwIBAgIUT84jeO/ncOrqI+FY05Fzbg8Ed7MwDQYJKoZIhvcNAQEL
+    BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+    GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA4MDgxNDQyMzVaFw0yMjA4
+    MDgxNDQyMzVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+    HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB
+    AQUAA4ICDwAwggIKAoICAQDn/rPsZ74oypiwCzLlx57zplTiCi/WLSF+MmLGuTvM
+    EQnV+OND2zFgvDIV/vFs3brkd6rLVI4NcdgSj4YKULCMwwOl45hQPdCTEPJvUhCm
+    M+FuQ0czmEEJSjZtdLFz1B7QB/JemNnbfigxM9mlg58AlBhVJqn8q64wd/kC/W/K
+    JTLJuBiVf12ZiPoPfO4WSxAqD3opZ8gdbmK0KYQAhKjEto6ZrYGisfwU1gt3l8M7
+    sCJSpEkOkpuQgJ8D+xzJS36VXBJQMMP9nAPps+x/rGFplsPMsXEFFiwvR1+FJZwz
+    lg2sJ91bLGZQ7vn74MfsGrxpiJwllRThJyT7C9V0sjb5trT2lEqZlP2dRSJYt7aJ
+    1crEcdGSl6RIKgxSV6Hk8dh/ZaTjrTwaKxVkPo2IeEXy5xrR7DyonOQ6Yes0KOCm
+    JB5yHkFlIVEnLm/HZXEtm3bPHsFgTZuInyBCOMXpUESuVZIw8YK+Vd6AExGPPwZ4
+    n5I/sCDxWII9owIj3LeLzdUG6JoroahhGmo8rgpbJpPnS+VgryQ/raUQjqDzDCuE
+    9vKXKBlSUqK6H9A+NMc0mme7M8/GX7T7ewFGUB/xsdrcO4yXjqHnAe0yLf8epDjC
+    hh76bYqwwinVrmfcNcRxFVJZW2z0gGdgkOkOLaVVb9ggPV2SNAHbN4A+St/iRYR5
+    awIDAQABo1MwUTAdBgNVHQ4EFgQUzMaCqVM30EZFfTeNUIJ5fNPAhaQwHwYDVR0j
+    BBgwFoAUzMaCqVM30EZFfTeNUIJ5fNPAhaQwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+    hkiG9w0BAQsFAAOCAgEAVmk1rXtVkYR1Vs2Va/xrUaGXlFznhPU/Fft44kiEkkLp
+    mLVelWyAqvXYioqssZwuZnTjGz0DQPqzJjqwuGy4CHwPLmhCtfHplrbWo8a0ivYC
+    cL20KfZsG941siUh7LGBjTsq6mWBf2ytlFmg/fg93SgmqcEUAUcdps0JpZD8lgWB
+    ZMstfr6E3jaEus3OsvDD6hJNYZ5clJ5+ynLoWZ99A9JC0U46hmIZpRjbdSvasKpD
+    XrXTdpzyL/Do3znXE/yfoHv4//Rj2CpPHJLYRCIzvuf1mo1fWd53FjHvrbUvaHFz
+    CGuZROd4dC4Rx5nZw2ogIYvJ8m6HpIDkL3pBNSQJtIsvAYEQcotJoa5D/e9fu2Wr
+    +og37oCY4OXzViEBQvyxKD4cajNco1fgGKEaFROADwr3JceGI7Anq5W+xdUvAGNM
+    QuGeCueqNyrJ0CbQ1zEhwgpk/VYfB0u9m0bjMellRlKMdojby+FDCJtAJesx9no4
+    SQXyx+aNHhj3qReysjGNwZvBk1IHL04HAT+ogNiYhTl1J/YON4MB5UN6Y2PxP6uG
+    KvJGPigx4fAwfR/d78o5ngwoH9m+8FUg8+qllJ8XgIbl/VXKTk3G4ceOm4eBmrel
+    DwWuBhELSjtXWPWhMlkiebgejDbAear53Lia2Cc43zx/KuhMHBTlKY/vY4F2YiI=
+    -----END CERTIFICATE-----
+  keyFile: |
+    -----BEGIN PRIVATE KEY-----
+    MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDn/rPsZ74oypiw
+    CzLlx57zplTiCi/WLSF+MmLGuTvMEQnV+OND2zFgvDIV/vFs3brkd6rLVI4NcdgS
+    j4YKULCMwwOl45hQPdCTEPJvUhCmM+FuQ0czmEEJSjZtdLFz1B7QB/JemNnbfigx
+    M9mlg58AlBhVJqn8q64wd/kC/W/KJTLJuBiVf12ZiPoPfO4WSxAqD3opZ8gdbmK0
+    KYQAhKjEto6ZrYGisfwU1gt3l8M7sCJSpEkOkpuQgJ8D+xzJS36VXBJQMMP9nAPp
+    s+x/rGFplsPMsXEFFiwvR1+FJZwzlg2sJ91bLGZQ7vn74MfsGrxpiJwllRThJyT7
+    C9V0sjb5trT2lEqZlP2dRSJYt7aJ1crEcdGSl6RIKgxSV6Hk8dh/ZaTjrTwaKxVk
+    Po2IeEXy5xrR7DyonOQ6Yes0KOCmJB5yHkFlIVEnLm/HZXEtm3bPHsFgTZuInyBC
+    OMXpUESuVZIw8YK+Vd6AExGPPwZ4n5I/sCDxWII9owIj3LeLzdUG6JoroahhGmo8
+    rgpbJpPnS+VgryQ/raUQjqDzDCuE9vKXKBlSUqK6H9A+NMc0mme7M8/GX7T7ewFG
+    UB/xsdrcO4yXjqHnAe0yLf8epDjChh76bYqwwinVrmfcNcRxFVJZW2z0gGdgkOkO
+    LaVVb9ggPV2SNAHbN4A+St/iRYR5awIDAQABAoICAQCTxuixQ/wbW8IbEWcgeyHD
+    LkaPndGO6jyVeF73GvL+MDRFuj558NvpNLfqzvTWVf9AnQGMd5Xs9oGegRHu7Csp
+    3ucp+moBYv7DT14+jtXQKOgGJpDqSqfS1RUKb/TBRXNDLGy02UScziWoAdE33zmf
+    UraVNwW8z1crxKA3yVw2Na++UqhGQlVLAbfXucqnJLVtNWKpkVQlezUgcfmFovsm
+    Iut+9MjI6/sZAqdXTLKuCKo0XjWzNKwnRecE0CYsCwzc80MvFYEiwQi1C0kwoouC
+    iOi8MKM/jDok+5/a3nQ7X+/ho5sbApNCJpfSXAK9YOJ3ju93+RjNuvORfp4/sW3W
+    OGXw6X30Ym7WS/7oYuwEILyqdyNOvKU7a+17d/W/YA60NOdA4iJI3aTfYFMD3l14
+    Da+D/wkTlEN3Ye7GN21A9AsZwWWiT9G5FOxWWVv7nTPG+Ix5ewehQWt/3DxhSizR
+    inMBizL5xpwx9LRWHnXX277lChYmPFAAMXINl1hnX6s0EY9pSDHN0IddibJkNKBD
+    m1CN37rqxoXQz4zoAyJGfQVkakqe16ayqI9yuQwO6AUkZcD5DYQdz9QYOTnYrQc6
+    6haC3D0Fmqg1s4v+6gpxZA/qTri0gVl/v/NN4Mk2/qWtK33imOedgD+5LXhZdBgJ
+    Mqn53AErG/AT622jvSb5UQKCAQEA/DTGLh0Ct97PCm+c+PxRFyieaHNJLWENKyxp
+    HoWGHfp2Bvt2Vphoi7GpRCM/yta4vCZgZmeWTQ0yBg6iPVPRA6Ho5hqh9OkUYVoh
+    prL3JsIU20jTutYjo2aefO4qXnJfkkXxNO2FElUHDTwtWdlGJQKvlUJwTv6xO19v
+    bQQkhZSpri6gIpi5Nkm2SGEtDofRJ+F6ThbQibEatL6DR00dh39MYQz+tZP5olzn
+    kX5bHEBWB7gy+YxTGF8FdlCSQTBBtNSKsAv3Cxj4qEHm+fu09vnH6fOZKenT2nXD
+    5QE/RpgQzLV1TumCjqLzqwp7bbzH+4mjsXpF3KHBZwnhMnDIRwKCAQEA63wYzjBy
+    no0GBBz0hOWrOwQ/AjUHfi47o3Xvl4RBjZclM171HKH7oMCnQvVKTNq8jvakCZjc
+    UI6i+H4R6aokiFS2xGbC2H3ZlSMFNwhb2xUs/C4Nr7JSOWZBtDy5QBspUsp26f7m
+    9VNVRzCmnxWV9be/1TxHDzDhslNlL5TMejbMorWnrtNG41KWwGtwvv2gApr3894j
+    eJNOh0WGfsMkXUM6+4v4WcCGrdV8Cr6Nvu96ZZe2PWu2dANtAfnxqogXXCoFE6r1
+    vie7hFSfJ2QR/vEbanED4pYGTtGYP1oseScx0u0hLhGLGccVBUNZlRbox4rIOELI
+    v9MLuiOL4YX7vQKCAQAGzMl3HtMe8AP3DRFXaT4qeK7ktA8KCS7YtibTatg14LXj
+    9E25gfx3n7+nlae3qVhrwkEhIbPcuflaTnSzYJonFet4oMkzGEGzakG0A+lEA0Ga
+    s/j5daKaWj71sVo1F7JZ+EbLnYfT+bTp93BllsUcZFkllhf/GUDgD++qKc1uSJbW
+    mm044ZNE0nH2u6ACX0kVYS/yAQ14WO0WaHiTqJGeQKFnkHkhni7B4O1hb923AkkP
+    hjjhn5Xx90Xnbb6zwUBURtLCcmAjzXWO29AFd3Lmoc9xEF9V0PckUb6JYyI4ngr9
+    6fqSuRsLC3u0ZeD0EX322zwtodVWYIodZBfNS1srAoIBAQCjTUPGeUKDQTjS0WGg
+    Z8T/AErRtQSlNFqXWMn2QPlUv2RE460HVi2xpOhZPtFvyqDIY7IOFbtzAfdya7rw
+    V9VN1bGJMdodV+jzy31qVJmerGit2SIUnYz30TnvS80L78oQZ+dfDi4MIuYYoFxs
+    JgQAipS1wz9kAXoCuGKLRJ0og6gVjfPjARE/w55XgiqFyEyWgfFBZOMkUsM6e7Rx
+    Y9Jr+puEpeRsGV9MXafPq6WQq3It0a/HmFLG0TlfDX3RzN6mQ12R7hTM8bDQa/6S
+    yorQSVPB1O3kzDVDo4X5KQd+XPfoVhmUYQYdsjmZlMMi6Og0uMFwgp/Epw6S3uO6
+    WbfhAoIBAQCOp4iIc87GyxWL8u6HrJaqmFlqkfou0hI+y9h6FfzsBYU6y3+gRYdF
+    wr2S9EUAb80kEQ1v0pt9417NOGc1pmYjKCZmDZ7qeGCGk2PR0U59+xJetXBWWhbq
+    5JxcwdRYoHyrmC/LINxzzqYOQbQevbW0zcEskeKfJsOtj9WJt6U9B1YZbE8pu2QV
+    xjvb+YekD2R+n/umV6eiaGfDau+EWudYVTqY0mR7y9hTiFR/KnqSsy2BUjljpacS
+    XBQO4ig7vY8+1+L3w2xpTN95/rXAvB4BbO/DLea9ArikePoSJ+bVTj0YwrKBghep
+    kOvbvVANrpsunlSAcpXm1qkV+G+xPnyJ
+    -----END PRIVATE KEY-----

cmd/flux/testdata/create_secret/tls/test-cert.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIUT84jeO/ncOrqI+FY05Fzbg8Ed7MwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA4MDgxNDQyMzVaFw0yMjA4
+MDgxNDQyMzVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQDn/rPsZ74oypiwCzLlx57zplTiCi/WLSF+MmLGuTvM
+EQnV+OND2zFgvDIV/vFs3brkd6rLVI4NcdgSj4YKULCMwwOl45hQPdCTEPJvUhCm
+M+FuQ0czmEEJSjZtdLFz1B7QB/JemNnbfigxM9mlg58AlBhVJqn8q64wd/kC/W/K
+JTLJuBiVf12ZiPoPfO4WSxAqD3opZ8gdbmK0KYQAhKjEto6ZrYGisfwU1gt3l8M7
+sCJSpEkOkpuQgJ8D+xzJS36VXBJQMMP9nAPps+x/rGFplsPMsXEFFiwvR1+FJZwz
+lg2sJ91bLGZQ7vn74MfsGrxpiJwllRThJyT7C9V0sjb5trT2lEqZlP2dRSJYt7aJ
+1crEcdGSl6RIKgxSV6Hk8dh/ZaTjrTwaKxVkPo2IeEXy5xrR7DyonOQ6Yes0KOCm
+JB5yHkFlIVEnLm/HZXEtm3bPHsFgTZuInyBCOMXpUESuVZIw8YK+Vd6AExGPPwZ4
+n5I/sCDxWII9owIj3LeLzdUG6JoroahhGmo8rgpbJpPnS+VgryQ/raUQjqDzDCuE
+9vKXKBlSUqK6H9A+NMc0mme7M8/GX7T7ewFGUB/xsdrcO4yXjqHnAe0yLf8epDjC
+hh76bYqwwinVrmfcNcRxFVJZW2z0gGdgkOkOLaVVb9ggPV2SNAHbN4A+St/iRYR5
+awIDAQABo1MwUTAdBgNVHQ4EFgQUzMaCqVM30EZFfTeNUIJ5fNPAhaQwHwYDVR0j
+BBgwFoAUzMaCqVM30EZFfTeNUIJ5fNPAhaQwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAgEAVmk1rXtVkYR1Vs2Va/xrUaGXlFznhPU/Fft44kiEkkLp
+mLVelWyAqvXYioqssZwuZnTjGz0DQPqzJjqwuGy4CHwPLmhCtfHplrbWo8a0ivYC
+cL20KfZsG941siUh7LGBjTsq6mWBf2ytlFmg/fg93SgmqcEUAUcdps0JpZD8lgWB
+ZMstfr6E3jaEus3OsvDD6hJNYZ5clJ5+ynLoWZ99A9JC0U46hmIZpRjbdSvasKpD
+XrXTdpzyL/Do3znXE/yfoHv4//Rj2CpPHJLYRCIzvuf1mo1fWd53FjHvrbUvaHFz
+CGuZROd4dC4Rx5nZw2ogIYvJ8m6HpIDkL3pBNSQJtIsvAYEQcotJoa5D/e9fu2Wr
++og37oCY4OXzViEBQvyxKD4cajNco1fgGKEaFROADwr3JceGI7Anq5W+xdUvAGNM
+QuGeCueqNyrJ0CbQ1zEhwgpk/VYfB0u9m0bjMellRlKMdojby+FDCJtAJesx9no4
+SQXyx+aNHhj3qReysjGNwZvBk1IHL04HAT+ogNiYhTl1J/YON4MB5UN6Y2PxP6uG
+KvJGPigx4fAwfR/d78o5ngwoH9m+8FUg8+qllJ8XgIbl/VXKTk3G4ceOm4eBmrel
+DwWuBhELSjtXWPWhMlkiebgejDbAear53Lia2Cc43zx/KuhMHBTlKY/vY4F2YiI=
+-----END CERTIFICATE-----

cmd/flux/testdata/create_secret/tls/test-key.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDn/rPsZ74oypiw
+CzLlx57zplTiCi/WLSF+MmLGuTvMEQnV+OND2zFgvDIV/vFs3brkd6rLVI4NcdgS
+j4YKULCMwwOl45hQPdCTEPJvUhCmM+FuQ0czmEEJSjZtdLFz1B7QB/JemNnbfigx
+M9mlg58AlBhVJqn8q64wd/kC/W/KJTLJuBiVf12ZiPoPfO4WSxAqD3opZ8gdbmK0
+KYQAhKjEto6ZrYGisfwU1gt3l8M7sCJSpEkOkpuQgJ8D+xzJS36VXBJQMMP9nAPp
+s+x/rGFplsPMsXEFFiwvR1+FJZwzlg2sJ91bLGZQ7vn74MfsGrxpiJwllRThJyT7
+C9V0sjb5trT2lEqZlP2dRSJYt7aJ1crEcdGSl6RIKgxSV6Hk8dh/ZaTjrTwaKxVk
+Po2IeEXy5xrR7DyonOQ6Yes0KOCmJB5yHkFlIVEnLm/HZXEtm3bPHsFgTZuInyBC
+OMXpUESuVZIw8YK+Vd6AExGPPwZ4n5I/sCDxWII9owIj3LeLzdUG6JoroahhGmo8
+rgpbJpPnS+VgryQ/raUQjqDzDCuE9vKXKBlSUqK6H9A+NMc0mme7M8/GX7T7ewFG
+UB/xsdrcO4yXjqHnAe0yLf8epDjChh76bYqwwinVrmfcNcRxFVJZW2z0gGdgkOkO
+LaVVb9ggPV2SNAHbN4A+St/iRYR5awIDAQABAoICAQCTxuixQ/wbW8IbEWcgeyHD
+LkaPndGO6jyVeF73GvL+MDRFuj558NvpNLfqzvTWVf9AnQGMd5Xs9oGegRHu7Csp
+3ucp+moBYv7DT14+jtXQKOgGJpDqSqfS1RUKb/TBRXNDLGy02UScziWoAdE33zmf
+UraVNwW8z1crxKA3yVw2Na++UqhGQlVLAbfXucqnJLVtNWKpkVQlezUgcfmFovsm
+Iut+9MjI6/sZAqdXTLKuCKo0XjWzNKwnRecE0CYsCwzc80MvFYEiwQi1C0kwoouC
+iOi8MKM/jDok+5/a3nQ7X+/ho5sbApNCJpfSXAK9YOJ3ju93+RjNuvORfp4/sW3W
+OGXw6X30Ym7WS/7oYuwEILyqdyNOvKU7a+17d/W/YA60NOdA4iJI3aTfYFMD3l14
+Da+D/wkTlEN3Ye7GN21A9AsZwWWiT9G5FOxWWVv7nTPG+Ix5ewehQWt/3DxhSizR
+inMBizL5xpwx9LRWHnXX277lChYmPFAAMXINl1hnX6s0EY9pSDHN0IddibJkNKBD
+m1CN37rqxoXQz4zoAyJGfQVkakqe16ayqI9yuQwO6AUkZcD5DYQdz9QYOTnYrQc6
+6haC3D0Fmqg1s4v+6gpxZA/qTri0gVl/v/NN4Mk2/qWtK33imOedgD+5LXhZdBgJ
+Mqn53AErG/AT622jvSb5UQKCAQEA/DTGLh0Ct97PCm+c+PxRFyieaHNJLWENKyxp
+HoWGHfp2Bvt2Vphoi7GpRCM/yta4vCZgZmeWTQ0yBg6iPVPRA6Ho5hqh9OkUYVoh
+prL3JsIU20jTutYjo2aefO4qXnJfkkXxNO2FElUHDTwtWdlGJQKvlUJwTv6xO19v
+bQQkhZSpri6gIpi5Nkm2SGEtDofRJ+F6ThbQibEatL6DR00dh39MYQz+tZP5olzn
+kX5bHEBWB7gy+YxTGF8FdlCSQTBBtNSKsAv3Cxj4qEHm+fu09vnH6fOZKenT2nXD
+5QE/RpgQzLV1TumCjqLzqwp7bbzH+4mjsXpF3KHBZwnhMnDIRwKCAQEA63wYzjBy
+no0GBBz0hOWrOwQ/AjUHfi47o3Xvl4RBjZclM171HKH7oMCnQvVKTNq8jvakCZjc
+UI6i+H4R6aokiFS2xGbC2H3ZlSMFNwhb2xUs/C4Nr7JSOWZBtDy5QBspUsp26f7m
+9VNVRzCmnxWV9be/1TxHDzDhslNlL5TMejbMorWnrtNG41KWwGtwvv2gApr3894j
+eJNOh0WGfsMkXUM6+4v4WcCGrdV8Cr6Nvu96ZZe2PWu2dANtAfnxqogXXCoFE6r1
+vie7hFSfJ2QR/vEbanED4pYGTtGYP1oseScx0u0hLhGLGccVBUNZlRbox4rIOELI
+v9MLuiOL4YX7vQKCAQAGzMl3HtMe8AP3DRFXaT4qeK7ktA8KCS7YtibTatg14LXj
+9E25gfx3n7+nlae3qVhrwkEhIbPcuflaTnSzYJonFet4oMkzGEGzakG0A+lEA0Ga
+s/j5daKaWj71sVo1F7JZ+EbLnYfT+bTp93BllsUcZFkllhf/GUDgD++qKc1uSJbW
+mm044ZNE0nH2u6ACX0kVYS/yAQ14WO0WaHiTqJGeQKFnkHkhni7B4O1hb923AkkP
+hjjhn5Xx90Xnbb6zwUBURtLCcmAjzXWO29AFd3Lmoc9xEF9V0PckUb6JYyI4ngr9
+6fqSuRsLC3u0ZeD0EX322zwtodVWYIodZBfNS1srAoIBAQCjTUPGeUKDQTjS0WGg
+Z8T/AErRtQSlNFqXWMn2QPlUv2RE460HVi2xpOhZPtFvyqDIY7IOFbtzAfdya7rw
+V9VN1bGJMdodV+jzy31qVJmerGit2SIUnYz30TnvS80L78oQZ+dfDi4MIuYYoFxs
+JgQAipS1wz9kAXoCuGKLRJ0og6gVjfPjARE/w55XgiqFyEyWgfFBZOMkUsM6e7Rx
+Y9Jr+puEpeRsGV9MXafPq6WQq3It0a/HmFLG0TlfDX3RzN6mQ12R7hTM8bDQa/6S
+yorQSVPB1O3kzDVDo4X5KQd+XPfoVhmUYQYdsjmZlMMi6Og0uMFwgp/Epw6S3uO6
+WbfhAoIBAQCOp4iIc87GyxWL8u6HrJaqmFlqkfou0hI+y9h6FfzsBYU6y3+gRYdF
+wr2S9EUAb80kEQ1v0pt9417NOGc1pmYjKCZmDZ7qeGCGk2PR0U59+xJetXBWWhbq
+5JxcwdRYoHyrmC/LINxzzqYOQbQevbW0zcEskeKfJsOtj9WJt6U9B1YZbE8pu2QV
+xjvb+YekD2R+n/umV6eiaGfDau+EWudYVTqY0mR7y9hTiFR/KnqSsy2BUjljpacS
+XBQO4ig7vY8+1+L3w2xpTN95/rXAvB4BbO/DLea9ArikePoSJ+bVTj0YwrKBghep
+kOvbvVANrpsunlSAcpXm1qkV+G+xPnyJ
+-----END PRIVATE KEY-----

cmd/flux/testdata/export/alert.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta1
+kind: Alert
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  eventSeverity: info
+  eventSources:
+  - kind: GitRepository
+    name: '*'
+  - kind: Kustomization
+    name: '*'
+  providerRef:
+    name: slack
+  summary: Slacktest Notification
+

cmd/flux/testdata/export/bucket.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: Bucket
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  bucketName: podinfo
+  endpoint: s3.amazonaws.com
+  interval: 5m0s
+  provider: aws
+  region: us-east-1
+  timeout: 30s
+

cmd/flux/testdata/export/git-repo.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  gitImplementation: go-git
+  interval: 5m0s
+  ref:
+    branch: main
+  secretRef:
+    name: flux-system
+  timeout: 20s
+  url: ssh://git@github.com/example/repo
+

cmd/flux/testdata/export/helm-release.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  chart:
+    spec:
+      chart: podinfo
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: flux-systen
+        namespace: {{ .fluxns }}
+      version: '*'
+  interval: 5m0s
+

cmd/flux/testdata/export/helm-repo.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m0s
+  timeout: 1m0s
+  url: https://stefanprodan.github.io/podinfo
+

cmd/flux/testdata/export/image-policy.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImagePolicy
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  imageRepositoryRef:
+    name: flux-system
+  policy:
+    semver:
+      range: 5.0.x
+

cmd/flux/testdata/export/image-repo.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageRepository
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  image: ghcr.io/test/podinfo
+  interval: 1m0s
+

cmd/flux/testdata/export/image-update.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageUpdateAutomation
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  git:
+    commit:
+      author:
+        email: fluxcdbot@users.noreply.github.com
+        name: fluxcdbot
+  interval: 1m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  update:
+    path: ./clusters/my-cluster
+    strategy: Setters
+

cmd/flux/testdata/export/ks.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m0s
+  path: ./infrastructure/
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+

cmd/flux/testdata/export/objects.yaml

@@ -0,0 +1,153 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .fluxns }}
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta1
+kind: Provider
+metadata:
+  name: slack
+  namespace: {{ .fluxns }}
+spec:
+  type: slack
+  channel: 'A channel with spacess'
+  address: https://hooks.slack.com/services/mock
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta1
+kind: Alert
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  summary: "Slacktest Notification"
+  providerRef:
+    name: slack
+  eventSeverity: info
+  eventSources:
+    - kind: "GitRepository"
+      name: "*"
+    - kind: "Kustomization"
+      name: "*"
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageRepository
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  image: ghcr.io/test/podinfo
+  interval: 1m0s
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImagePolicy
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  imageRepositoryRef:
+    name: flux-system
+  policy:
+    semver:
+      range: 5.0.x
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageUpdateAutomation
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  interval: 1m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  git:
+    commit:
+      author:
+        email: fluxcdbot@users.noreply.github.com
+        name: fluxcdbot
+      messageTemplate: '{{range .Updated.Images}}{{println .}}{{end}}'
+  update:
+    path: ./clusters/my-cluster
+    strategy: Setters
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  ref:
+    branch: main
+  secretRef:
+    name: flux-system
+  interval: 5m
+  url: ssh://git@github.com/example/repo
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  path: ./infrastructure/
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  interval: 5m
+  prune: true
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta1
+kind: Receiver
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  type: github
+  events:
+    - "ping"
+    - "push"
+  secretRef:
+    name: webhook-token
+  resources:
+    - kind: GitRepository
+      name: flux-system
+      namespace: flux-system
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m
+  timeout: 1m0s
+  url: https://stefanprodan.github.io/podinfo
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: podinfo
+      sourceRef:
+        kind: HelmRepository
+        name: flux-systen
+        namespace: {{ .fluxns }}
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: Bucket
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m
+  provider: aws
+  bucketName: podinfo
+  endpoint: s3.amazonaws.com
+  region: us-east-1
+  timeout: 30s

cmd/flux/testdata/export/provider.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta1
+kind: Provider
+metadata:
+  name: slack
+  namespace: {{ .fluxns }}
+spec:
+  address: https://hooks.slack.com/services/mock
+  channel: A channel with spacess
+  type: slack
+

cmd/flux/testdata/export/receiver.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta1
+kind: Receiver
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  events:
+  - ping
+  - push
+  resources:
+  - kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  secretRef:
+    name: webhook-token
+  type: github
+

cmd/flux/testdata/tree/kustomizations.yaml

@@ -0,0 +1,88 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .fluxns }}
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  path: ./clusters/production
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  interval: 5m
+  prune: true
+status:
+  conditions:
+  - lastTransitionTime: "2021-08-01T04:52:56Z"
+    message: 'Applied revision: main/696f056df216eea4f9401adbee0ff744d4df390f'
+    reason: ReconciliationSucceeded
+    status: "True"
+    type: Ready
+  inventory:
+    entries:
+      - id: _{{ .fluxns }}__Namespace
+        v: v1
+      - id: {{ .fluxns }}_helm-controller_apps_Deployment
+        v: v1
+      - id: {{ .fluxns }}_kustomize-controller_apps_Deployment
+        v: v1
+      - id: {{ .fluxns }}_notification-controller_apps_Deployment
+        v: v1
+      - id: {{ .fluxns }}_source-controller_apps_Deployment
+        v: v1
+      - id: {{ .fluxns }}_infrastructure_kustomize.toolkit.fluxcd.io_Kustomization
+        v: v1beta2
+      - id: {{ .fluxns }}_flux-system_source.toolkit.fluxcd.io_GitRepository
+        v: v1beta1
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: infrastructure
+  namespace: {{ .fluxns }}
+spec:
+  path: ./infrastructure/production
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  interval: 5m
+  prune: true
+status:
+  conditions:
+    - lastTransitionTime: "2021-08-01T04:52:56Z"
+      message: 'Applied revision: main/696f056df216eea4f9401adbee0ff744d4df390f'
+      reason: ReconciliationSucceeded
+      status: "True"
+      type: Ready
+  inventory:
+    entries:
+      - id: _cert-manager__Namespace
+        v: v1
+      - id: cert-manager_cert-manager_source.toolkit.fluxcd.io_HelmRepository
+        v: v1beta1
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: empty
+  namespace: {{ .fluxns }}
+spec:
+  path: ./apps/todo
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  interval: 5m
+  prune: true
+status:
+  conditions:
+    - lastTransitionTime: "2021-08-01T04:52:56Z"
+      message: 'Applied revision: main/696f056df216eea4f9401adbee0ff744d4df390f'
+      reason: ReconciliationSucceeded
+      status: "True"
+      type: Ready
+---

cmd/flux/testdata/tree/tree-compact.golden

@@ -0,0 +1,5 @@
+Kustomization/{{ .fluxns }}/flux-system
+├── Kustomization/{{ .fluxns }}/infrastructure
+│   └── HelmRepository/cert-manager/cert-manager
+└── GitRepository/{{ .fluxns }}/flux-system
+

cmd/flux/testdata/tree/tree-empty.golden

@@ -0,0 +1,2 @@
+Kustomization/{{ .fluxns }}/empty
+

cmd/flux/testdata/tree/tree.golden

@@ -0,0 +1,11 @@
+Kustomization/{{ .fluxns }}/flux-system
+├── Namespace/{{ .fluxns }}
+├── Deployment/{{ .fluxns }}/helm-controller
+├── Deployment/{{ .fluxns }}/kustomize-controller
+├── Deployment/{{ .fluxns }}/notification-controller
+├── Deployment/{{ .fluxns }}/source-controller
+├── Kustomization/{{ .fluxns }}/infrastructure
+│   ├── Namespace/cert-manager
+│   └── HelmRepository/cert-manager/cert-manager
+└── GitRepository/{{ .fluxns }}/flux-system
+

cmd/flux/tree.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var treeCmd = &cobra.Command{
+	Use:   "tree",
+	Short: "Print the resources reconciled by Flux",
+	Long:  `The tree command shows the list of resources reconciled by a Flux object.'`,
+}
+
+func init() {
+	rootCmd.AddCommand(treeCmd)
+}

cmd/flux/tree_kustomization.go

@@ -0,0 +1,270 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"bytes"
+	"compress/gzip"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"strings"
+
+	"github.com/fluxcd/flux2/internal/tree"
+	"github.com/fluxcd/flux2/internal/utils"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	"github.com/fluxcd/pkg/ssa"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/cli-utils/pkg/object"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
+)
+
+var treeKsCmd = &cobra.Command{
+	Use:     "kustomization [name]",
+	Aliases: []string{"ks", "kustomization"},
+	Short:   "Print the resource inventory of a Kustomization",
+	Long:    `The tree command prints the resource list reconciled by a Kustomization.'`,
+	Example: `  # Print the resources managed by the root Kustomization
+  flux tree kustomization flux-system
+
+  # Print the Flux resources managed by the root Kustomization
+  flux tree kustomization flux-system --compact`,
+	RunE:              treeKsCmdRun,
+	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
+}
+
+type TreeKsFlags struct {
+	compact bool
+	output  string
+}
+
+var treeKsArgs TreeKsFlags
+
+func init() {
+	treeKsCmd.Flags().BoolVar(&treeKsArgs.compact, "compact", false, "list Flux resources only.")
+	treeKsCmd.Flags().StringVarP(&treeKsArgs.output, "output", "o", "",
+		"the format in which the tree should be printed. can be 'json' or 'yaml'")
+	treeCmd.AddCommand(treeKsCmd)
+}
+
+func treeKsCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("kustomization name is required")
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	if err != nil {
+		return err
+	}
+
+	k := &kustomizev1.Kustomization{}
+	err = kubeClient.Get(ctx, client.ObjectKey{
+		Namespace: rootArgs.namespace,
+		Name:      name,
+	}, k)
+	if err != nil {
+		return err
+	}
+
+	kMeta, err := object.CreateObjMetadata(k.Namespace, k.Name,
+		schema.GroupKind{Group: kustomizev1.GroupVersion.Group, Kind: kustomizev1.KustomizationKind})
+	if err != nil {
+		return err
+	}
+
+	kTree := tree.New(kMeta)
+	err = treeKustomization(ctx, kTree, k, kubeClient, treeKsArgs.compact)
+	if err != nil {
+		return err
+	}
+
+	switch treeKsArgs.output {
+	case "json":
+		data, err := json.MarshalIndent(kTree, "", "  ")
+		if err != nil {
+			return err
+		}
+		rootCmd.Println(string(data))
+	case "yaml":
+		data, err := yaml.Marshal(kTree)
+		if err != nil {
+			return err
+		}
+		rootCmd.Println(string(data))
+	default:
+		rootCmd.Println(kTree.Print())
+	}
+
+	return nil
+}
+
+func treeKustomization(ctx context.Context, tree tree.ObjMetadataTree, item *kustomizev1.Kustomization, kubeClient client.Client, compact bool) error {
+	if item.Status.Inventory == nil || len(item.Status.Inventory.Entries) == 0 {
+		return nil
+	}
+
+	compactGroup := "toolkit.fluxcd.io"
+
+	for _, entry := range item.Status.Inventory.Entries {
+		objMetadata, err := object.ParseObjMetadata(entry.ID)
+		if err != nil {
+			return err
+		}
+
+		if compact && !strings.Contains(objMetadata.GroupKind.Group, compactGroup) {
+			continue
+		}
+
+		if objMetadata.GroupKind.Group == kustomizev1.GroupVersion.Group &&
+			objMetadata.GroupKind.Kind == kustomizev1.KustomizationKind &&
+			objMetadata.Namespace == item.Namespace &&
+			objMetadata.Name == item.Name {
+			continue
+		}
+
+		ks := tree.Add(objMetadata)
+
+		if objMetadata.GroupKind.Group == helmv2.GroupVersion.Group &&
+			objMetadata.GroupKind.Kind == helmv2.HelmReleaseKind {
+			objects, err := getHelmReleaseInventory(
+				ctx, client.ObjectKey{
+					Namespace: objMetadata.Namespace,
+					Name:      objMetadata.Name,
+				}, kubeClient)
+			if err != nil {
+				return err
+			}
+
+			for _, obj := range objects {
+				if compact && !strings.Contains(obj.GroupKind.Group, compactGroup) {
+					continue
+				}
+				ks.Add(obj)
+			}
+		}
+
+		if objMetadata.GroupKind.Group == kustomizev1.GroupVersion.Group &&
+			objMetadata.GroupKind.Kind == kustomizev1.KustomizationKind {
+			k := &kustomizev1.Kustomization{}
+			err = kubeClient.Get(ctx, client.ObjectKey{
+				Namespace: objMetadata.Namespace,
+				Name:      objMetadata.Name,
+			}, k)
+			if err != nil {
+				return fmt.Errorf("failed to find object: %w", err)
+			}
+			err := treeKustomization(ctx, ks, k, kubeClient, compact)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+type hrStorage struct {
+	Name     string `json:"name,omitempty"`
+	Manifest string `json:"manifest,omitempty"`
+}
+
+func getHelmReleaseInventory(ctx context.Context, objectKey client.ObjectKey, kubeClient client.Client) ([]object.ObjMetadata, error) {
+	hr := &helmv2.HelmRelease{}
+	if err := kubeClient.Get(ctx, objectKey, hr); err != nil {
+		return nil, err
+	}
+
+	storageNamespace := hr.GetNamespace()
+	if hr.Spec.StorageNamespace != "" {
+		storageNamespace = hr.Spec.StorageNamespace
+	}
+
+	storageName := hr.GetName()
+	if hr.Spec.ReleaseName != "" {
+		storageName = hr.Spec.ReleaseName
+	} else if hr.Spec.TargetNamespace != "" {
+		storageName = strings.Join([]string{hr.Spec.TargetNamespace, hr.Name}, "-")
+	}
+
+	storageVersion := hr.Status.LastReleaseRevision
+	// skip release if it failed to install
+	if storageVersion < 1 {
+		return nil, nil
+	}
+
+	storageKey := client.ObjectKey{
+		Namespace: storageNamespace,
+		Name:      fmt.Sprintf("sh.helm.release.v1.%s.v%v", storageName, storageVersion),
+	}
+
+	storageSecret := &corev1.Secret{}
+	if err := kubeClient.Get(ctx, storageKey, storageSecret); err != nil {
+		// skip release if it has no storage
+		if apierrors.IsNotFound(err) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("failed to find the Helm storage object for HelmRelease '%s': %w", objectKey.String(), err)
+	}
+
+	releaseData, releaseFound := storageSecret.Data["release"]
+	if !releaseFound {
+		return nil, fmt.Errorf("failed to decode the Helm storage object for HelmRelease '%s'", objectKey.String())
+	}
+
+	// adapted from https://github.com/helm/helm/blob/02685e94bd3862afcb44f6cd7716dbeb69743567/pkg/storage/driver/util.go
+	var b64 = base64.StdEncoding
+	b, err := b64.DecodeString(string(releaseData))
+	if err != nil {
+		return nil, err
+	}
+	var magicGzip = []byte{0x1f, 0x8b, 0x08}
+	if bytes.Equal(b[0:3], magicGzip) {
+		r, err := gzip.NewReader(bytes.NewReader(b))
+		if err != nil {
+			return nil, err
+		}
+		defer r.Close()
+		b2, err := ioutil.ReadAll(r)
+		if err != nil {
+			return nil, err
+		}
+		b = b2
+	}
+
+	var rls hrStorage
+	if err := json.Unmarshal(b, &rls); err != nil {
+		return nil, fmt.Errorf("failed to decode the Helm storage object for HelmRelease '%s': %w", objectKey.String(), err)
+	}
+
+	objects, err := ssa.ReadObjects(strings.NewReader(rls.Manifest))
+	if err != nil {
+		return nil, fmt.Errorf("failed to read the Helm storage object for HelmRelease '%s': %w", objectKey.String(), err)
+	}
+
+	return object.UnstructuredsToObjMetas(objects)
+}

cmd/flux/tree_kustomization_test.go

@@ -0,0 +1,64 @@
+// +build unit
+
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestTree(t *testing.T) {
+	cases := []struct {
+		name       string
+		args       string
+		objectFile string
+		goldenFile string
+	}{
+		{
+			"tree kustomization",
+			"tree kustomization flux-system",
+			"testdata/tree/kustomizations.yaml",
+			"testdata/tree/tree.golden",
+		},
+		{
+			"tree kustomization compact",
+			"tree kustomization flux-system --compact",
+			"testdata/tree/kustomizations.yaml",
+			"testdata/tree/tree-compact.golden",
+		},
+		{
+			"tree kustomization empty",
+			"tree kustomization empty",
+			"testdata/tree/kustomizations.yaml",
+			"testdata/tree/tree-empty.golden",
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			tmpl := map[string]string{
+				"fluxns": allocateNamespace("flux-system"),
+			}
+			testEnv.CreateObjectFile(tc.objectFile, tmpl, t)
+			cmd := cmdTestCase{
+				args:   tc.args + " -n=" + tmpl["fluxns"],
+				assert: assertGoldenTemplateFile(tc.goldenFile, tmpl),
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/uninstall.go

@@ -31,6 +31,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
@@ -93,7 +94,7 @@ func uninstallCmdRun(cmd *cobra.Command, args []string) error {
 	uninstallFinalizers(ctx, kubeClient, uninstallArgs.dryRun)
 
 	logger.Actionf("deleting toolkit.fluxcd.io custom resource definitions")
-	uninstallCustomResourceDefinitions(ctx, kubeClient, rootArgs.namespace, uninstallArgs.dryRun)
+	uninstallCustomResourceDefinitions(ctx, kubeClient, uninstallArgs.dryRun)
 
 	if !uninstallArgs.keepNamespace {
 		uninstallNamespace(ctx, kubeClient, rootArgs.namespace, uninstallArgs.dryRun)
@@ -105,7 +106,7 @@ func uninstallCmdRun(cmd *cobra.Command, args []string) error {
 
 func uninstallComponents(ctx context.Context, kubeClient client.Client, namespace string, dryRun bool) {
 	opts, dryRunStr := getDeleteOptions(dryRun)
-	selector := client.MatchingLabels{"app.kubernetes.io/instance": namespace}
+	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	{
 		var list appsv1.DeploymentList
 		if err := kubeClient.List(ctx, &list, client.InNamespace(namespace), selector); err == nil {
@@ -262,9 +263,9 @@ func uninstallFinalizers(ctx context.Context, kubeClient client.Client, dryRun b
 	}
 }
 
-func uninstallCustomResourceDefinitions(ctx context.Context, kubeClient client.Client, namespace string, dryRun bool) {
+func uninstallCustomResourceDefinitions(ctx context.Context, kubeClient client.Client, dryRun bool) {
 	opts, dryRunStr := getDeleteOptions(dryRun)
-	selector := client.MatchingLabels{"app.kubernetes.io/instance": namespace}
+	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	{
 		var list apiextensionsv1.CustomResourceDefinitionList
 		if err := kubeClient.List(ctx, &list, selector); err == nil {

cmd/flux/version.go

@@ -28,6 +28,7 @@ import (
 	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 )
 
 var versionCmd = &cobra.Command{
@@ -78,7 +79,7 @@ func versionCmdRun(cmd *cobra.Command, args []string) error {
 			return err
 		}
 
-		selector := client.MatchingLabels{"app.kubernetes.io/instance": rootArgs.namespace}
+		selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 		var list v1.DeploymentList
 		if err := kubeClient.List(ctx, &list, client.InNamespace(rootArgs.namespace), selector); err != nil {
 			return err

docs/internal/release.md

@@ -82,7 +82,7 @@ Flux has the following Kubernetes dependencies:
 - `k8s.io/client-go`
 - `sigs.k8s.io/controller-runtime`
 
-**Note** that all `k8s.io/*` packages must the have the same version in `go.mod` e.g.:
+**Note** that all `k8s.io/*` packages must have the same version in `go.mod` e.g.:
 
 ```
 	k8s.io/api v0.20.2
@@ -101,7 +101,7 @@ The specialised reconcilers depend on:
 **Note** that the `k8s.io/*` version must be compatible with both `kustomize/api` and `helm/v3`.
 If there is a breaking change in `client-go` we have to wait for Kustomize and Helm to upgrade first.
 
-Upgrade procedure:
+### Upgrade procedure:
 
 `fluxcd/pkg`:
 
@@ -122,10 +122,10 @@ Upgrade procedure:
 
 `fluxcd/<kustomize|helm|notification|image-automation>-controller`:
 
-1. Update the `github.com/fluxcd/source-controller/api` version in `controller/api/go.mod`  and `controller/go.mod`
-1. Update the `github.com/fluxcd/pkg/apis/meta` version in `controller/api/go.mod` and `controller/go.mod`
-1. Update the `k8s.io/*` version in `controller/api/go.mod`  and `controller/go.mod`
-1. Update the `github.com/fluxcd/pkg/runtime` version in `controller/go.mod`
+1. Update the `github.com/fluxcd/source-controller/api` version in `<NAME>-controller/api/go.mod`  and `<NAME>-controller/go.mod`
+1. Update the `github.com/fluxcd/pkg/apis/meta` version in `<NAME>-controller/api/go.mod` and `<NAME>-controller/go.mod`
+1. Update the `k8s.io/*` version in `<NAME>-controller/api/go.mod`  and `<NAME>-controller/go.mod`
+1. Update the `github.com/fluxcd/pkg/runtime` version in `<NAME>-controller/go.mod`
 1. Release the `api` package
 
 `fluxcd/flux2`:

go.mod

@@ -8,17 +8,17 @@ require (
 	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/fluxcd/go-git-providers v0.1.1
 	github.com/fluxcd/helm-controller/api v0.12.1
-	github.com/fluxcd/image-automation-controller/api v0.15.0
+	github.com/fluxcd/image-automation-controller/api v0.16.0
 	github.com/fluxcd/image-reflector-controller/api v0.13.0
 	github.com/fluxcd/kustomize-controller/api v0.16.0
-	github.com/fluxcd/notification-controller/api v0.18.0
+	github.com/fluxcd/notification-controller/api v0.18.1
 	github.com/fluxcd/pkg/apis/meta v0.10.0
 	github.com/fluxcd/pkg/runtime v0.12.0
 	github.com/fluxcd/pkg/ssa v0.2.0
 	github.com/fluxcd/pkg/ssh v0.0.5
 	github.com/fluxcd/pkg/untar v0.0.5
 	github.com/fluxcd/pkg/version v0.0.1
-	github.com/fluxcd/source-controller/api v0.16.0
+	github.com/fluxcd/source-controller/api v0.17.1
 	github.com/go-errors/errors v1.4.0 // indirect
 	github.com/go-git/go-git/v5 v5.4.2
 	github.com/google/go-cmp v0.5.6

go.sum

@@ -227,14 +227,14 @@ github.com/fluxcd/go-git-providers v0.1.1 h1:R4VafMOo1IlfEZcImApCeElge/HajhFvRzD
 github.com/fluxcd/go-git-providers v0.1.1/go.mod h1:nRgNpHZmZhrsyNSma1JcAhjUG9xrqMGJcIUr9K7M7vk=
 github.com/fluxcd/helm-controller/api v0.12.1 h1:rDyhMPvbhCxslqiNNG4nlfDCeYgrk6D+1ZKLsBS/Irs=
 github.com/fluxcd/helm-controller/api v0.12.1/go.mod h1:zWmzV0s2SU4rEIGLPTt+dsaMs40OsNQgSgOATgJmxB0=
-github.com/fluxcd/image-automation-controller/api v0.15.0 h1:KI350vt5JahE43D17VyLZFH4ZxtbnyHrekAd8AJsT5E=
-github.com/fluxcd/image-automation-controller/api v0.15.0/go.mod h1:XvrEEpM1rVU+x1gQeXB/dj56w1dmOJRraTxQWOiuNME=
+github.com/fluxcd/image-automation-controller/api v0.16.0 h1:pPvEdb8Q7LgNVfugF3+/z2JQdUZ4ecYWrXiezLPov0w=
+github.com/fluxcd/image-automation-controller/api v0.16.0/go.mod h1:tEQCFKGgxii7zfXti2MxixwFbxhEXnVJqLGM2x9zlGw=
 github.com/fluxcd/image-reflector-controller/api v0.13.0 h1:5kq0Jqh+ndZIye+4csfEbuos5GaXIiK77Gpx+ojo+f8=
 github.com/fluxcd/image-reflector-controller/api v0.13.0/go.mod h1:lgQHGFz29OHmDU5Jwg689C/M+P/f9ujt6NS0zCLT0BQ=
 github.com/fluxcd/kustomize-controller/api v0.16.0 h1:L/LRxS6oroGZe1AdElP3k1mnNIKGCpi0ntgHwJzdNYY=
 github.com/fluxcd/kustomize-controller/api v0.16.0/go.mod h1:OhnZuXBeDl4NqbDZgpYKRg8nmsmeUIddH3vX8wxym9A=
-github.com/fluxcd/notification-controller/api v0.18.0 h1:YfPuC5FzXnl1ysDTulZOFWvIMyaB5vg38QZ/m14Lg8s=
-github.com/fluxcd/notification-controller/api v0.18.0/go.mod h1:t28GMWMLiLqho+ikpZrldv22/vmCsFdQR8vdJluxknc=
+github.com/fluxcd/notification-controller/api v0.18.1 h1:by9+1WCgPUEMXqOiFNOFFIQROabA3Ja4hzgGaF8bLms=
+github.com/fluxcd/notification-controller/api v0.18.1/go.mod h1:t28GMWMLiLqho+ikpZrldv22/vmCsFdQR8vdJluxknc=
 github.com/fluxcd/pkg/apis/kustomize v0.1.0/go.mod h1:gEl+W5cVykCC3RfrCaqe+Pz+j4lKl2aeR4dxsom/zII=
 github.com/fluxcd/pkg/apis/kustomize v0.2.0 h1:jhu2QHvs+j3Zo9rR6w8hkO3LSC6h3M37zY5ejufOmxY=
 github.com/fluxcd/pkg/apis/kustomize v0.2.0/go.mod h1:gEl+W5cVykCC3RfrCaqe+Pz+j4lKl2aeR4dxsom/zII=
@@ -250,8 +250,9 @@ github.com/fluxcd/pkg/untar v0.0.5 h1:UGI3Ch1UIEIaqQvMicmImL1s9npQa64DJ/ozqHKB7g
 github.com/fluxcd/pkg/untar v0.0.5/go.mod h1:O6V9+rtl8c1mHBafgqFlJN6zkF1HS5SSYn7RpQJ/nfw=
 github.com/fluxcd/pkg/version v0.0.1 h1:/8asQoDXSThz3csiwi4Qo8Zb6blAxLXbtxNgeMJ9bCg=
 github.com/fluxcd/pkg/version v0.0.1/go.mod h1:WAF4FEEA9xyhngF8TDxg3UPu5fA1qhEYV8Pmi2Il01Q=
-github.com/fluxcd/source-controller/api v0.16.0 h1:xFz+K7lLg/82uOQp+a0g04GsgoWNfyzwXAoVQy4T/oI=
-github.com/fluxcd/source-controller/api v0.16.0/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
+github.com/fluxcd/source-controller/api v0.17.0/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
+github.com/fluxcd/source-controller/api v0.17.1 h1:bsYMc/6U2sYXLfxcZtDavsqUYGDHFycqVEAEGW3NiPs=
+github.com/fluxcd/source-controller/api v0.17.1/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=

internal/bootstrap/bootstrap.go

@@ -159,6 +159,10 @@ func kustomizationPathDiffers(ctx context.Context, kube client.Client, objKey cl
 		return "", err
 	}
 	normalizePath := func(p string) string {
+		// remove the trailing '/' if the path is not './'
+		if len(p) > 2 {
+			p = strings.TrimSuffix(p, "/")
+		}
 		return fmt.Sprintf("./%s", strings.TrimPrefix(p, "./"))
 	}
 	if normalizePath(path) == normalizePath(k.Spec.Path) {

internal/bootstrap/bootstrap_plain_git.go

@@ -347,7 +347,7 @@ func (b *PlainGitBootstrapper) ReportComponentsHealth(ctx context.Context, insta
 		return err
 	}
 
-	checker, err := status.NewStatusChecker(cfg, 2*time.Second, timeout, b.logger)
+	checker, err := status.NewStatusChecker(cfg, 5*time.Second, timeout, b.logger)
 	if err != nil {
 		return err
 	}

internal/tree/tree.go

@@ -0,0 +1,141 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Derived work from https://github.com/d6o/GoTree
+Copyright (c) 2017 Diego Siqueira
+*/
+
+package tree
+
+import (
+	"strings"
+
+	"github.com/fluxcd/pkg/ssa"
+	"sigs.k8s.io/cli-utils/pkg/object"
+)
+
+const (
+	newLine      = "\n"
+	emptySpace   = "    "
+	middleItem   = "├── "
+	continueItem = "│   "
+	lastItem     = "└── "
+)
+
+type (
+	objMetadataTree struct {
+		Resource     object.ObjMetadata `json:"resource"`
+		ResourceTree []ObjMetadataTree  `json:"resources,omitempty"`
+	}
+
+	ObjMetadataTree interface {
+		Add(objMetadata object.ObjMetadata) ObjMetadataTree
+		AddTree(tree ObjMetadataTree)
+		Items() []ObjMetadataTree
+		Text() string
+		Print() string
+	}
+
+	printer struct {
+	}
+
+	Printer interface {
+		Print(ObjMetadataTree) string
+	}
+)
+
+func New(objMetadata object.ObjMetadata) ObjMetadataTree {
+	return &objMetadataTree{
+		Resource:     objMetadata,
+		ResourceTree: []ObjMetadataTree{},
+	}
+}
+
+func (t *objMetadataTree) Add(objMetadata object.ObjMetadata) ObjMetadataTree {
+	n := New(objMetadata)
+	t.ResourceTree = append(t.ResourceTree, n)
+	return n
+}
+
+func (t *objMetadataTree) AddTree(tree ObjMetadataTree) {
+	t.ResourceTree = append(t.ResourceTree, tree)
+}
+
+func (t *objMetadataTree) Text() string {
+	return ssa.FmtObjMetadata(t.Resource)
+}
+
+func (t *objMetadataTree) Items() []ObjMetadataTree {
+	return t.ResourceTree
+}
+
+func (t *objMetadataTree) Print() string {
+	return newPrinter().Print(t)
+}
+
+func newPrinter() Printer {
+	return &printer{}
+}
+
+func (p *printer) Print(t ObjMetadataTree) string {
+	return t.Text() + newLine + p.printItems(t.Items(), []bool{})
+}
+
+func (p *printer) printText(text string, spaces []bool, last bool) string {
+	var result string
+	for _, space := range spaces {
+		if space {
+			result += emptySpace
+		} else {
+			result += continueItem
+		}
+	}
+
+	indicator := middleItem
+	if last {
+		indicator = lastItem
+	}
+
+	var out string
+	lines := strings.Split(text, "\n")
+	for i := range lines {
+		text := lines[i]
+		if i == 0 {
+			out += result + indicator + text + newLine
+			continue
+		}
+		if last {
+			indicator = emptySpace
+		} else {
+			indicator = continueItem
+		}
+		out += result + indicator + text + newLine
+	}
+
+	return out
+}
+
+func (p *printer) printItems(t []ObjMetadataTree, spaces []bool) string {
+	var result string
+	for i, f := range t {
+		last := i == len(t)-1
+		result += p.printText(f.Text(), spaces, last)
+		if len(f.Items()) > 0 {
+			spacesChild := append(spaces, last)
+			result += p.printItems(f.Items(), spacesChild)
+		}
+	}
+	return result
+}

manifests/bases/image-automation-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.15.0/image-automation-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.15.0/image-automation-controller.deployment.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.16.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.16.0/image-automation-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/notification-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/notification-controller/releases/download/v0.18.0/notification-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v0.18.0/notification-controller.deployment.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.18.1/notification-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.18.1/notification-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
   - target:

manifests/bases/source-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.16.0/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.16.0/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.17.1/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.17.1/source-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/crds/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.16.0/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.17.1/source-controller.crds.yaml
 - https://github.com/fluxcd/kustomize-controller/releases/download/v0.16.0/kustomize-controller.crds.yaml
 - https://github.com/fluxcd/helm-controller/releases/download/v0.12.1/helm-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v0.18.0/notification-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.18.1/notification-controller.crds.yaml
 - https://github.com/fluxcd/image-reflector-controller/releases/download/v0.13.0/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.15.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.16.0/image-automation-controller.crds.yaml

pkg/manifestgen/labels.go

@@ -0,0 +1,26 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package manifestgen
+
+// These labels can be used to track down the namespace, custom resource definitions, deployments,
+// services, network policies, service accounts, cluster roles and cluster role bindings belonging to Flux.
+const (
+	PartOfLabelKey   = "app.kubernetes.io/part-of"
+	PartOfLabelValue = "flux"
+	InstanceLabelKey = "app.kubernetes.io/instance"
+	VersionLabelKey  = "app.kubernetes.io/version"
+)

tests/azure/azure_test.go

@@ -37,6 +37,7 @@ import (
 	"github.com/microsoft/azure-devops-go-api/azuredevops/git"
 	"github.com/stretchr/testify/require"
 	giturls "github.com/whilp/git-urls"
+	"go.uber.org/multierr"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -53,6 +54,11 @@ import (
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 
+const (
+	aksTerraformPath      = "./terraform/aks"
+	azureDevOpsKnownHosts = "ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H"
+)
+
 type config struct {
 	kubeconfigPath string
 	kubeClient     client.Client
@@ -90,30 +96,60 @@ type acrConfig struct {
 var cfg config
 
 func TestMain(m *testing.M) {
+	exitVal, err := setup(m)
+	if err != nil {
+		log.Printf("Received an error while running setup: %v", err)
+		os.Exit(1)
+	}
+	os.Exit(exitVal)
+}
+
+func setup(m *testing.M) (exitVal int, err error) {
 	ctx := context.TODO()
 
+	// Setup Terraform binary and init state
 	log.Println("Setting up Azure test infrastructure")
 	execPath, err := tfinstall.Find(ctx, &whichTerraform{})
 	if err != nil {
-		log.Fatalf("terraform exec path not found: %v", err)
+		return 0, fmt.Errorf("terraform exec path not found: %v", err)
 	}
-	tf, err := tfexec.NewTerraform("./terraform/aks", execPath)
+	tf, err := tfexec.NewTerraform(aksTerraformPath, execPath)
 	if err != nil {
-		log.Fatalf("could not create terraform instance: %v", err)
+		return 0, fmt.Errorf("could not create terraform instance: %v", err)
 	}
 	log.Println("Init Terraform")
 	err = tf.Init(ctx, tfexec.Upgrade(true))
 	if err != nil {
-		log.Fatalf("error running init: %v", err)
+		return 0, fmt.Errorf("error running init: %v", err)
 	}
+
+	// Always destroy the infrastructure before exiting
+	defer func() {
+		log.Println("Tearing down Azure test infrastructure")
+		if ferr := tf.Destroy(ctx); ferr != nil {
+			err = multierr.Append(fmt.Errorf("could not destroy Azure infrastructure: %v", ferr), err)
+		}
+	}()
+
+	// Check that we are starting from a clean state
+	log.Println("Checking for an empty Terraform state")
+	state, err := tf.Show(ctx)
+	if err != nil {
+		return 0, fmt.Errorf("could not read state: %v", err)
+	}
+	if state.Values != nil {
+		return 0, fmt.Errorf("expected an empty state but got existing resources")
+	}
+
+	// Apply Terraform and read the output values
 	log.Println("Applying Terraform")
 	err = tf.Apply(ctx)
 	if err != nil {
-		log.Fatalf("error running apply: %v", err)
+		return 0, fmt.Errorf("error running apply: %v", err)
 	}
-	state, err := tf.Show(ctx)
+	state, err = tf.Show(ctx)
 	if err != nil {
-		log.Fatalf("error running show: %v", err)
+		return 0, fmt.Errorf("could not read state: %v", err)
 	}
 	outputs := state.Values.Outputs
 	kubeconfig := outputs["aks_kube_config"].Value.(string)
@@ -131,20 +167,26 @@ func TestMain(m *testing.M) {
 	acr := outputs["acr"].Value.(map[string]interface{})
 	eventHubSas := outputs["event_hub_sas"].Value.(string)
 
+	// Setup Kubernetes clients for test cluster
 	log.Println("Creating Kubernetes client")
 	kubeconfigPath, kubeClient, err := getKubernetesCredentials(kubeconfig, aksHost, aksCert, aksKey, aksCa)
 	if err != nil {
-		log.Fatalf("error create Kubernetes client: %v", err)
+		return 0, fmt.Errorf("error create Kubernetes client: %v", err)
 	}
-	defer os.RemoveAll(filepath.Dir(kubeconfigPath))
+	defer func() {
+		if ferr := os.RemoveAll(filepath.Dir(kubeconfigPath)); ferr != nil {
+			err = multierr.Append(fmt.Errorf("could not clean up kubeconfig file: %v", ferr), err)
+		}
+	}()
 
+	// Install Flux in the new cluster
 	cfg = config{
 		kubeconfigPath: kubeconfigPath,
 		kubeClient:     kubeClient,
 		azdoPat:        azdoPat,
 		idRsa:          idRsa,
 		idRsaPub:       idRsaPub,
-		knownHosts:     "ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H",
+		knownHosts:     azureDevOpsKnownHosts,
 		fleetInfraRepository: repoConfig{
 			http: fleetInfraRepository["http"].(string),
 			ssh:  fleetInfraRepository["ssh"].(string),
@@ -166,22 +208,15 @@ func TestMain(m *testing.M) {
 		},
 		eventHubSas: eventHubSas,
 	}
-
 	err = installFlux(ctx, kubeClient, kubeconfigPath, cfg.fleetInfraRepository.http, azdoPat, cfg.fluxAzureSp)
 	if err != nil {
-		log.Fatalf("error installing Flux: %v", err)
+		return 0, fmt.Errorf("error installing Flux: %v", err)
 	}
 
+	// Run tests
 	log.Println("Running Azure e2e tests")
-	exitVal := m.Run()
-
-	log.Println("Tearing down Azure test infrastructure")
-	err = tf.Destroy(ctx)
-	if err != nil {
-		log.Fatalf("error running Show: %v", err)
-	}
-
-	os.Exit(exitVal)
+	result := m.Run()
+	return result, nil
 }
 
 func TestFluxInstallation(t *testing.T) {

tests/azure/go.mod

@@ -5,18 +5,19 @@ go 1.16
 require (
 	github.com/Azure/azure-event-hubs-go/v3 v3.3.13
 	github.com/fluxcd/helm-controller/api v0.12.1
-	github.com/fluxcd/image-automation-controller/api v0.15.0
+	github.com/fluxcd/image-automation-controller/api v0.16.0
 	github.com/fluxcd/image-reflector-controller/api v0.13.0
 	github.com/fluxcd/kustomize-controller/api v0.16.0
-	github.com/fluxcd/notification-controller/api v0.18.0
+	github.com/fluxcd/notification-controller/api v0.18.1
 	github.com/fluxcd/pkg/apis/meta v0.10.1
 	github.com/fluxcd/pkg/runtime v0.12.1
-	github.com/fluxcd/source-controller/api v0.16.0
+	github.com/fluxcd/source-controller/api v0.17.0
 	github.com/hashicorp/terraform-exec v0.14.0
 	github.com/libgit2/git2go/v31 v31.6.1
 	github.com/microsoft/azure-devops-go-api/azuredevops v1.0.0-b5
 	github.com/stretchr/testify v1.7.0
 	github.com/whilp/git-urls v1.0.0
+	go.uber.org/multierr v1.6.0
 	k8s.io/api v0.22.2
 	k8s.io/apimachinery v0.22.2
 	k8s.io/client-go v0.22.2

tests/azure/go.sum

@@ -193,14 +193,14 @@ github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5Kwzbycv
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fluxcd/helm-controller/api v0.12.1 h1:rDyhMPvbhCxslqiNNG4nlfDCeYgrk6D+1ZKLsBS/Irs=
 github.com/fluxcd/helm-controller/api v0.12.1/go.mod h1:zWmzV0s2SU4rEIGLPTt+dsaMs40OsNQgSgOATgJmxB0=
-github.com/fluxcd/image-automation-controller/api v0.15.0 h1:KI350vt5JahE43D17VyLZFH4ZxtbnyHrekAd8AJsT5E=
-github.com/fluxcd/image-automation-controller/api v0.15.0/go.mod h1:XvrEEpM1rVU+x1gQeXB/dj56w1dmOJRraTxQWOiuNME=
+github.com/fluxcd/image-automation-controller/api v0.16.0 h1:pPvEdb8Q7LgNVfugF3+/z2JQdUZ4ecYWrXiezLPov0w=
+github.com/fluxcd/image-automation-controller/api v0.16.0/go.mod h1:tEQCFKGgxii7zfXti2MxixwFbxhEXnVJqLGM2x9zlGw=
 github.com/fluxcd/image-reflector-controller/api v0.13.0 h1:5kq0Jqh+ndZIye+4csfEbuos5GaXIiK77Gpx+ojo+f8=
 github.com/fluxcd/image-reflector-controller/api v0.13.0/go.mod h1:lgQHGFz29OHmDU5Jwg689C/M+P/f9ujt6NS0zCLT0BQ=
 github.com/fluxcd/kustomize-controller/api v0.16.0 h1:L/LRxS6oroGZe1AdElP3k1mnNIKGCpi0ntgHwJzdNYY=
 github.com/fluxcd/kustomize-controller/api v0.16.0/go.mod h1:OhnZuXBeDl4NqbDZgpYKRg8nmsmeUIddH3vX8wxym9A=
-github.com/fluxcd/notification-controller/api v0.18.0 h1:YfPuC5FzXnl1ysDTulZOFWvIMyaB5vg38QZ/m14Lg8s=
-github.com/fluxcd/notification-controller/api v0.18.0/go.mod h1:t28GMWMLiLqho+ikpZrldv22/vmCsFdQR8vdJluxknc=
+github.com/fluxcd/notification-controller/api v0.18.1 h1:by9+1WCgPUEMXqOiFNOFFIQROabA3Ja4hzgGaF8bLms=
+github.com/fluxcd/notification-controller/api v0.18.1/go.mod h1:t28GMWMLiLqho+ikpZrldv22/vmCsFdQR8vdJluxknc=
 github.com/fluxcd/pkg/apis/kustomize v0.1.0/go.mod h1:gEl+W5cVykCC3RfrCaqe+Pz+j4lKl2aeR4dxsom/zII=
 github.com/fluxcd/pkg/apis/kustomize v0.2.0 h1:jhu2QHvs+j3Zo9rR6w8hkO3LSC6h3M37zY5ejufOmxY=
 github.com/fluxcd/pkg/apis/kustomize v0.2.0/go.mod h1:gEl+W5cVykCC3RfrCaqe+Pz+j4lKl2aeR4dxsom/zII=
@@ -210,8 +210,8 @@ github.com/fluxcd/pkg/apis/meta v0.10.1/go.mod h1:yUblM2vg+X8TE3A2VvJfdhkGmg+uqB
 github.com/fluxcd/pkg/runtime v0.12.0/go.mod h1:EyaTR2TOYcjL5U//C4yH3bt2tvTgIOSXpVRbWxUn/C4=
 github.com/fluxcd/pkg/runtime v0.12.1 h1:r0KQG80gKY1NMp62FggSEdFBV60ZfbnA2RHL9y06DOY=
 github.com/fluxcd/pkg/runtime v0.12.1/go.mod h1:9czAjokV0w22eYGR9/SQKUHXhvh7ISNVgc/6a6YMBE8=
-github.com/fluxcd/source-controller/api v0.16.0 h1:xFz+K7lLg/82uOQp+a0g04GsgoWNfyzwXAoVQy4T/oI=
-github.com/fluxcd/source-controller/api v0.16.0/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
+github.com/fluxcd/source-controller/api v0.17.0 h1:skXx2H5SeziUTwJrp9MPJNwTtYTctJMQ7ZIJfLmg9b0=
+github.com/fluxcd/source-controller/api v0.17.0/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=

tests/azure/util_test.go

@@ -19,7 +19,6 @@ package test
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -49,7 +48,7 @@ const defaultBranch = "main"
 
 // getKubernetesCredentials returns a path to a kubeconfig file and a kube client instance.
 func getKubernetesCredentials(kubeconfig, aksHost, aksCert, aksKey, aksCa string) (string, client.Client, error) {
-	tmpDir, err := ioutil.TempDir("", "*-azure-e2e")
+	tmpDir, err := os.MkdirTemp("", "*-azure-e2e")
 	if err != nil {
 		return "", nil, err
 	}
@@ -309,7 +308,7 @@ func getRepository(url, branchName string, overrideBranch bool, password string)
 		checkoutBranch = branchName
 	}
 
-	tmpDir, err := ioutil.TempDir("", "*-repository")
+	tmpDir, err := os.MkdirTemp("", "*-repository")
 	if err != nil {
 		return nil, "", err
 	}

tests/bootstrap/main.go

@@ -0,0 +1,99 @@
+package main
+
+import (
+	"context"
+	"log"
+	"os"
+
+	"github.com/fluxcd/go-git-providers/github"
+	"github.com/fluxcd/go-git-providers/gitprovider"
+	"k8s.io/client-go/util/retry"
+)
+
+func main() {
+	ks := "test-cluster/flux-system/kustomization.yaml"
+	patchName := "test-cluster/flux-system/gotk-patches.yaml"
+	ksContent := `apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gotk-components.yaml
+- gotk-sync.yaml
+patches:
+  - path: gotk-patches.yaml
+    target:
+      kind: Deployment`
+	patchContent := `apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: all-flux-components
+spec:
+  template:
+    metadata:
+      annotations:
+        # Required by Kubernetes node autoscaler
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+    spec:
+      securityContext:
+        runAsUser: 10000
+        fsGroup: 1337
+      containers:
+        - name: manager
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+`
+	commitFiles := []gitprovider.CommitFile{
+		{
+			Path:    &ks,
+			Content: &ksContent,
+		},
+		{
+			Path:    &patchName,
+			Content: &patchContent,
+		},
+	}
+
+	orgName := os.Getenv("GITHUB_ORG_NAME")
+	repoName := os.Getenv("GITHUB_REPO_NAME")
+	githubToken := os.Getenv(github.TokenVariable)
+	client, err := github.NewClient(github.WithOAuth2Token(githubToken))
+	if err != nil {
+		log.Fatalf("error initializing github client: %s", err)
+	}
+
+	repoRef := gitprovider.OrgRepositoryRef{
+		OrganizationRef: gitprovider.OrganizationRef{
+			Organization: orgName,
+			Domain:       github.DefaultDomain,
+		},
+		RepositoryName: repoName,
+	}
+
+	if ok, err := client.HasTokenPermission(context.Background(), gitprovider.TokenPermissionRWRepository); err != nil {
+		log.Fatalf("error getting token permission: %s", err)
+	} else {
+		if !ok {
+			log.Fatal("token has no write permissions")
+		}
+	}
+
+	var repo gitprovider.OrgRepository
+	err = retry.OnError(retry.DefaultRetry, func(err error) bool {
+		return err != nil
+	}, func() error {
+		repo, err = client.OrgRepositories().Get(context.Background(), repoRef)
+		return err
+	})
+	if err != nil {
+		log.Fatalf("error getting %s repository in org %s: %s", repoRef.RepositoryName, repoRef.Organization, err)
+	}
+
+	_, err = repo.Commits().Create(context.Background(), "main", "add patch manifest 3", commitFiles)
+	if err != nil {
+		log.Fatalf("error making commit: %s", err)
+	}
+}