Merge pull request #557 from fluxcd/build/tmp-dir-rm

Properly clean-up package build dirs

.github/aur/flux-bin/.SRCINFO.template

@@ -0,0 +1,17 @@
+pkgbase = flux-bin
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	optdepends = kubectl
+	source_x86_64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_amd64.tar.gz
+	source_armv6h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
+	source_armv7h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
+	source_aarch64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm64.tar.gz
+
+pkgname = flux-bin

.github/aur/flux-bin/.gitignore

@@ -0,0 +1 @@
+.pkg

.github/aur/flux-bin/PKGBUILD.template

@@ -0,0 +1,39 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-bin
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+optdepends=("kubectl")
+source_x86_64=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
+)
+source_armv6h=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+)
+source_armv7h=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+)
+source_aarch64=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
+)
+sha256sums_x86_64=(
+  ${SHA256SUM_AMD64}
+)
+sha256sums_armv6h=(
+  ${SHA256SUM_ARM}
+)
+sha256sums_armv7h=(
+  ${SHA256SUM_ARM}
+)
+sha256sums_aarch64=(
+  ${SHA256SUM_ARM64}
+)
+
+package() {
+	install -Dm755 flux "$pkgdir/usr/bin/flux"
+}

.github/aur/flux-bin/publish.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_amd64.tar.gz | awk '{ print $1 }')
+
+envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi

.github/aur/flux-go/.SRCINFO.template

@@ -0,0 +1,19 @@
+pkgbase = flux-go
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	makedepends = go
+	depends = glibc
+	optdepends = kubectl
+	provides = flux-bin
+	conflicts = flux-bin
+  replaces = flux-cli
+	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${PKGVER}.tar.gz
+
+pkgname = flux-go

.github/aur/flux-go/.gitignore

@@ -0,0 +1 @@
+.pkg

.github/aur/flux-go/PKGBUILD.template

@@ -0,0 +1,43 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-go
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+provides=("flux-bin")
+conflicts=("flux-bin")
+replaces=("flux-cli")
+depends=("glibc")
+makedepends=("go")
+optdepends=("kubectl")
+source=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/archive/v$pkgver.tar.gz"
+)
+sha256sums=(
+  ${SHA256SUM}
+)
+
+build() {
+  cd "flux2-$pkgver"
+  export CGO_LDFLAGS="$LDFLAGS"
+  export CGO_CFLAGS="$CFLAGS"
+  export CGO_CXXFLAGS="$CXXFLAGS"
+  export CGO_CPPFLAGS="$CPPFLAGS"
+  export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
+  go build -ldflags "-X main.VERSION=$pkgver" -o flux-bin ./cmd/flux
+}
+
+check() {
+  cd "flux2-$pkgver"
+  make test
+}
+
+package() {
+  cd "flux2-$pkgver"
+  install -Dm755 flux-bin "$pkgdir/usr/bin/flux"
+  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+}

.github/aur/flux-go/publish.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v$PKGVER.tar.gz | sha256sum | awk '{ print $1 }')
+
+envsubst '$PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi

.github/aur/flux-scm/.SRCINFO.template

@@ -0,0 +1,19 @@
+pkgbase = flux-scm
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	makedepends = go
+	depends = glibc
+	optdepends = kubectl
+	provides = flux-bin
+	conflicts = flux-bin
+	source = git+https://github.com/fluxcd/flux2.git
+	md5sums = SKIP
+
+pkgname = flux-scm

.github/aur/flux-scm/.gitignore

@@ -0,0 +1 @@
+.pkg

.github/aur/flux-scm/PKGBUILD.template

@@ -0,0 +1,45 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-scm
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+provides=("flux-bin")
+conflicts=("flux-bin")
+depends=("glibc")
+makedepends=("go")
+optdepends=("kubectl")
+source=(
+  "git+https://github.com/fluxcd/flux2.git"
+)
+md5sums=('SKIP')
+
+pkgver() {
+  cd "flux2"
+  printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+}
+
+build() {
+  cd "flux2"
+  export CGO_LDFLAGS="$LDFLAGS"
+  export CGO_CFLAGS="$CFLAGS"
+  export CGO_CXXFLAGS="$CXXFLAGS"
+  export CGO_CPPFLAGS="$CPPFLAGS"
+  export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
+  go build -ldflags "-X main.VERSION=$pkgver" -o flux-bin ./cmd/flux
+}
+
+check() {
+  cd "flux2"
+  make test
+}
+
+package() {
+  cd "flux2"
+  install -Dm755 flux-bin "$pkgdir/usr/bin/flux"
+  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+}

.github/aur/flux-scm/publish.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+envsubst '$PKGVER $PKGREL' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi

.github/workflows/e2e.yaml

@@ -136,6 +136,16 @@ jobs:
       - name: flux delete source git
         run: |
           ./bin/flux delete source git podinfo --silent
+      - name: flux create tenant
+        run: |
+          ./bin/flux create tenant dev-team --with-namespace=apps
+          ./bin/flux -n apps create source helm podinfo \
+            --url https://stefanprodan.github.io/podinfo
+          ./bin/flux -n apps create hr podinfo-helm \
+            --source=HelmRepository/podinfo \
+            --chart=podinfo \
+            --chart-version="5.0.x" \
+            --service-account=dev-team
       - name: flux check
         run: |
           ./bin/flux check

.github/workflows/release.yaml

@@ -59,24 +59,9 @@ jobs:
 
           # create tarball
           cd ./output && tar -cvzf manifests.tar.gz $files
-      - name: Create release
-        id: create_release
-        uses: actions/create-release@latest
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
-      - name: Upload artifacts
-        id: upload-release-asset
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./output/manifests.tar.gz
-          asset_name: manifests.tar.gz
-          asset_content_type: application/gzip
+      - name: Generate install manifest
+        run: |
+          kustomize build ./manifests/install > ./output/install.yaml
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v1
         with:
@@ -85,3 +70,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+          AUR_BOT_SSH_PRIVATE_KEY: ${{ secrets.AUR_BOT_SSH_PRIVATE_KEY }}

.goreleaser.yml

@@ -23,6 +23,15 @@ builds:
     id: windows
     goos:
       - windows
+  - id: aurmock
+    binary: aurmock
+    main: ./cmd/flux
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
 archives:
   - name_template: "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
     id: nix
@@ -36,6 +45,9 @@ archives:
     format: zip
     files:
       - none*
+  - name_template: "aur_{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    id: aur
+    builds: [aurmock]
 brews:
   - name: flux
     tap:
@@ -50,3 +62,32 @@ brews:
         type: optional
     test: |
       system "#{bin}/flux --version"
+publishers:
+  - name: aur-pkg-bin
+    ids:
+      - aur
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-bin/publish.sh {{ .Version }}
+  - name: aur-pkg-scm
+    ids:
+      - aur
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-scm/publish.sh {{ .Version }}
+  - name: aur-pkg-go
+    ids:
+      - aur
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-go/publish.sh {{ .Version }}
+release:
+  ids:
+    - nix
+    - windows
+  extra_files:
+    - glob: ./output/manifests.tar.gz
+    - glob: ./output/install.yaml

MAINTAINERS

@@ -2,7 +2,17 @@ The maintainers are generally available in Slack at
 https://cloud-native.slack.com in #flux (https://cloud-native.slack.com/messages/CLAJ40HV3)
 (obtain an invitation at https://slack.cncf.io/).
 
+These maintainers are shared with other Flux v2-related git
+repositories under https://github.com/fluxcd, as noted in their
+respective MAINTAINERS files.
+
+For convenience, they are reflected in the GitHub team
+@fluxcd/flux2-maintainers -- if the list here changes, that team also
+should.
+
 In alphabetical order:
 
+Aurel Canciu, Sortlist <aurel@sortlist.com> (github: @relu, slack: relu)
 Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
+Philip Laine, Xenit <philip.laine@xenit.se> (github: @phillebaba, slack: phillebaba)
 Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)

README.md

@@ -36,6 +36,15 @@ curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
 . <(flux completion bash)
 ```
 
+Arch Linux (AUR) packages:
+
+- [flux-bin](https://aur.archlinux.org/packages/flux-bin): install the latest
+  stable version using a pre-build binary (recommended)
+- [flux-go](https://aur.archlinux.org/packages/flux-go): build the latest
+  stable version from source code
+- [flux-scm](https://aur.archlinux.org/packages/flux-scm): build the latest
+  (unstable) version from source code from our git `main` branch
+
 Binaries for macOS, Windows and Linux AMD64/ARM are available to download on the
 [release page](https://github.com/fluxcd/flux2/releases).
 
@@ -100,6 +109,7 @@ Depending on what you want to do, some of the following bits might be your first
 
 ### Featured Talks
 
+- 24 Nov 2020 - [Flux CD v2 with GitOps Toolkit - Kubernetes Deployment and Sync Mechanism](https://youtu.be/R6OeIgb7lUI)
 - 28 Oct 2020 - [The Kubelist Podcast: Flux with Michael Bridgen](https://www.heavybit.com/library/podcasts/the-kubelist-podcast/ep-5-flux-with-michael-bridgen-of-weaveworks/)
 - 19 Oct 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 1 with Leigh Capili](https://youtu.be/0v5bjysXTL8)
 - 12 Oct 2020 - [Rawkode Live: Introduction to GitOps Toolkit with Stefan Prodan](https://youtu.be/HqTzuOBP0eY)
@@ -109,8 +119,6 @@ Depending on what you want to do, some of the following bits might be your first
 
 ### Upcoming Events
 
-- 2 Nov 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 2 with Leigh Capili](https://www.meetup.com/GitOps-Community/events/273934676/)
-- 12-13 Nov 2020 - [GitOps Days EMEA](https://www.gitopsdays.com/) with talks and workshops on migrating to Flux v2 and Helm Controller
-- 19 Nov 2020 - [KubeCon NA: Progressive Delivery Techniques with Flagger and Flux v2 with Stefan Prodan](https://kccncna20.sched.com/event/1b04f8408b49976b843a5d0019cb8112)
+- 30 Nov 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 3 with Leigh Capili](https://www.meetup.com/Weave-User-Group/events/274657228/)
 
 We are looking forward to seeing you with us!

action/Dockerfile

@@ -0,0 +1,6 @@
+FROM stefanprodan/alpine-base:latest
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

action/README.md

@@ -0,0 +1,79 @@
+# Flux GitHub Action
+
+Usage:
+
+```yaml
+    steps:
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Run Flux commands
+        run: flux -v
+```
+
+### Automate Flux updates
+
+Example workflow for updating Flux's components generated with `flux bootstrap --arch=amd64 --path=clusters/production`:
+
+```yaml
+name: update-flux
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 * * * *"
+
+jobs:
+  components:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Check for updates
+        id: update
+        run: |
+          flux install --arch=amd64 \
+            --export > ./clusters/production/flux-system/gotk-components.yaml
+
+          VERSION="$(flux -v)"
+          echo "::set-output name=flux_version::$VERSION"
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v3
+        with:
+            token: ${{ secrets.GITHUB_TOKEN }}
+            branch: update-flux
+            commit-message: Update to ${{ steps.update.outputs.flux_version }}
+            title: Update to ${{ steps.update.outputs.flux_version }}
+            body: |
+              ${{ steps.update.outputs.flux_version }}
+```
+
+### End-to-end testing
+
+Example workflow for running Flux in Kubernetes Kind:
+
+```yaml
+name: e2e
+
+on:
+  push:
+    branches:
+      - '*'
+
+jobs:
+  kubernetes:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Setup Kubernetes Kind
+        uses: engineerd/setup-kind@v0.5.0
+      - name: Install Flux in Kubernetes Kind
+        run: flux install
+```
+
+A complete e2e testing workflow is available here
+[flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)

action/action.yml

@@ -0,0 +1,15 @@
+name: 'kustomize'
+description: 'A GitHub Action for running Flux commands'
+author: 'Flux project'
+branding:
+  icon: 'command'
+  color: 'blue'
+inputs:
+  version:
+    description: 'strict semver'
+    required: false
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+    - ${{ inputs.version }}

action/entrypoint.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+#  Copyright 2020 The Flux authors
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+set -e
+
+VERSION=$1
+
+if [ -z $VERSION ]; then
+  # Find latest release if no version is specified
+  VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+fi
+
+# Download linux binary
+BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz"
+curl -sL $BIN_URL | tar xz
+
+# Copy binary to GitHub runner
+mkdir -p $GITHUB_WORKSPACE/bin
+cp ./flux $GITHUB_WORKSPACE/bin
+chmod +x $GITHUB_WORKSPACE/bin/flux
+
+# Print version
+$GITHUB_WORKSPACE/bin/flux -v
+
+# Add binary to GitHub runner path
+echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH

cmd/flux/bootstrap.go

@@ -135,13 +135,13 @@ func generateInstallManifests(targetPath, namespace, tmpDir string, localManifes
 
 func applyInstallManifests(ctx context.Context, manifestPath string, components []string) error {
 	kubectlArgs := []string{"apply", "-f", manifestPath}
-	if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubectlArgs...); err != nil {
+	if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 		return fmt.Errorf("install failed")
 	}
 
 	for _, deployment := range components {
 		kubectlArgs = []string{"-n", namespace, "rollout", "status", "deployment", deployment, "--timeout", timeout.String()}
-		if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubectlArgs...); err != nil {
+		if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 			return fmt.Errorf("install failed")
 		}
 	}
@@ -177,7 +177,7 @@ func generateSyncManifests(url, branch, name, namespace, targetPath, tmpDir stri
 
 func applySyncManifests(ctx context.Context, kubeClient client.Client, name, namespace, targetPath, tmpDir string) error {
 	kubectlArgs := []string{"apply", "-k", filepath.Join(tmpDir, targetPath, namespace)}
-	if _, err := utils.ExecKubectlCommand(ctx, utils.ModeStderrOS, kubectlArgs...); err != nil {
+	if _, err := utils.ExecKubectlCommand(ctx, utils.ModeStderrOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 		return err
 	}
 

cmd/flux/check.go

@@ -104,7 +104,7 @@ func kubectlCheck(ctx context.Context, version string) bool {
 	}
 
 	kubectlArgs := []string{"version", "--client", "--output", "json"}
-	output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubectlArgs...)
+	output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...)
 	if err != nil {
 		logger.Failuref("kubectl version can't be determined")
 		return false
@@ -174,14 +174,14 @@ func componentsCheck() bool {
 	ok := true
 	for _, deployment := range checkComponents {
 		kubectlArgs := []string{"-n", namespace, "rollout", "status", "deployment", deployment, "--timeout", timeout.String()}
-		if output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubectlArgs...); err != nil {
+		if output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 			logger.Failuref("%s: %s", deployment, strings.TrimSuffix(output, "\n"))
 			ok = false
 		} else {
 			logger.Successf("%s is healthy", deployment)
 		}
 		kubectlArgs = []string{"-n", namespace, "get", "deployment", deployment, "-o", "jsonpath=\"{..image}\""}
-		if output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubectlArgs...); err == nil {
+		if output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...); err == nil {
 			logger.Actionf(strings.TrimPrefix(strings.TrimSuffix(output, "\""), "\""))
 		}
 	}

cmd/flux/create_alert.go

@@ -26,6 +26,7 @@ import (
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -179,11 +180,11 @@ func isAlertReady(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}
 
-		if c := meta.GetCondition(alert.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(alert.Status.Conditions, meta.ReadyCondition); c != nil {
 			switch c.Status {
-			case corev1.ConditionTrue:
+			case metav1.ConditionTrue:
 				return true, nil
-			case corev1.ConditionFalse:
+			case metav1.ConditionFalse:
 				return false, fmt.Errorf(c.Message)
 			}
 		}

cmd/flux/create_alertprovider.go

@@ -23,6 +23,7 @@ import (
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -177,11 +178,11 @@ func isAlertProviderReady(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}
 
-		if c := meta.GetCondition(provider.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(provider.Status.Conditions, meta.ReadyCondition); c != nil {
 			switch c.Status {
-			case corev1.ConditionTrue:
+			case metav1.ConditionTrue:
 				return true, nil
-			case corev1.ConditionFalse:
+			case metav1.ConditionFalse:
 				return false, fmt.Errorf(c.Message)
 			}
 		}

cmd/flux/create_helmrelease.go

@@ -28,6 +28,7 @@ import (
 	"github.com/spf13/cobra"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -67,6 +68,14 @@ var createHelmReleaseCmd = &cobra.Command{
     --chart=podinfo \
     --values=./my-values.yaml
 
+  # Create a HelmRelease with values from a Kubernetes secret
+  kubectl -n app create secret generic my-secret-values \
+	--from-file=values.yaml=/path/to/my-secret-values.yaml
+  flux -n app create hr podinfo \
+    --source=HelmRepository/podinfo \
+    --chart=podinfo \
+    --values-from=Secret/my-secret-values
+
   # Create a HelmRelease with a custom release name
   flux create hr podinfo \
     --release-name=podinfo-dev
@@ -97,6 +106,8 @@ var (
 	hrChartVersion    string
 	hrTargetNamespace string
 	hrValuesFile      string
+	hrValuesFrom      flags.HelmReleaseValuesFrom
+	hrSAName          string
 )
 
 func init() {
@@ -106,7 +117,9 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&hrChartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createHelmReleaseCmd.Flags().StringArrayVar(&hrDependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
 	createHelmReleaseCmd.Flags().StringVar(&hrTargetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
+	createHelmReleaseCmd.Flags().StringVar(&hrSAName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
 	createHelmReleaseCmd.Flags().StringVar(&hrValuesFile, "values", "", "local path to the values.yaml file")
+	createHelmReleaseCmd.Flags().Var(&hrValuesFrom, "values-from", hrValuesFrom.Description())
 	createCmd.AddCommand(createHelmReleaseCmd)
 }
 
@@ -156,6 +169,10 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 
+	if hrSAName != "" {
+		helmRelease.Spec.ServiceAccountName = hrSAName
+	}
+
 	if hrValuesFile != "" {
 		data, err := ioutil.ReadFile(hrValuesFile)
 		if err != nil {
@@ -170,6 +187,13 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: json}
 	}
 
+	if hrValuesFrom.String() != "" {
+		helmRelease.Spec.ValuesFrom = []helmv2.ValuesReference{{
+			Kind: hrValuesFrom.Kind,
+			Name: hrValuesFrom.Name,
+		}}
+	}
+
 	if export {
 		return exportHelmRelease(helmRelease)
 	}
@@ -243,6 +267,6 @@ func isHelmReleaseReady(ctx context.Context, kubeClient client.Client,
 			return false, nil
 		}
 
-		return meta.HasReadyCondition(helmRelease.Status.Conditions), nil
+		return apimeta.IsStatusConditionTrue(helmRelease.Status.Conditions, meta.ReadyCondition), nil
 	}
 }

cmd/flux/create_kustomization.go

@@ -25,6 +25,7 @@ import (
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -80,7 +81,6 @@ var (
 	ksHealthCheck        []string
 	ksHealthTimeout      time.Duration
 	ksSAName             string
-	ksSANamespace        string
 	ksDecryptionProvider flags.DecryptionProvider
 	ksDecryptionSecret   string
 	ksTargetNamespace    string
@@ -88,14 +88,13 @@ var (
 
 func init() {
 	createKsCmd.Flags().Var(&ksSource, "source", ksSource.Description())
-	createKsCmd.Flags().StringVar(&ksPath, "path", "./", "path to the directory containing the Kustomization file")
+	createKsCmd.Flags().StringVar(&ksPath, "path", "./", "path to the directory containing a kustomization.yaml file")
 	createKsCmd.Flags().BoolVar(&ksPrune, "prune", false, "enable garbage collection")
 	createKsCmd.Flags().StringArrayVar(&ksHealthCheck, "health-check", nil, "workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'")
 	createKsCmd.Flags().DurationVar(&ksHealthTimeout, "health-check-timeout", 2*time.Minute, "timeout of health checking operations")
 	createKsCmd.Flags().StringVar(&ksValidation, "validation", "", "validate the manifests before applying them on the cluster, can be 'client' or 'server'")
 	createKsCmd.Flags().StringArrayVar(&ksDependsOn, "depends-on", nil, "Kustomization that must be ready before this Kustomization can be applied, supported formats '<name>' and '<namespace>/<name>'")
-	createKsCmd.Flags().StringVar(&ksSAName, "sa-name", "", "service account name")
-	createKsCmd.Flags().StringVar(&ksSANamespace, "sa-namespace", "", "service account namespace")
+	createKsCmd.Flags().StringVar(&ksSAName, "service-account", "", "the name of the service account to impersonate when reconciling this Kustomization")
 	createKsCmd.Flags().Var(&ksDecryptionProvider, "decryption-provider", ksDecryptionProvider.Description())
 	createKsCmd.Flags().StringVar(&ksDecryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
 	createKsCmd.Flags().StringVar(&ksTargetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
@@ -188,11 +187,8 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	if ksSAName != "" && ksSANamespace != "" {
-		kustomization.Spec.ServiceAccount = &kustomizev1.ServiceAccount{
-			Name:      ksSAName,
-			Namespace: ksSANamespace,
-		}
+	if ksSAName != "" {
+		kustomization.Spec.ServiceAccountName = ksSAName
 	}
 
 	if ksDecryptionProvider != "" {
@@ -278,11 +274,11 @@ func isKustomizationReady(ctx context.Context, kubeClient client.Client,
 			return false, nil
 		}
 
-		if c := meta.GetCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
 			switch c.Status {
-			case corev1.ConditionTrue:
+			case metav1.ConditionTrue:
 				return true, nil
-			case corev1.ConditionFalse:
+			case metav1.ConditionFalse:
 				return false, fmt.Errorf(c.Message)
 			}
 		}

cmd/flux/create_receiver.go

@@ -23,6 +23,7 @@ import (
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -189,11 +190,11 @@ func isReceiverReady(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}
 
-		if c := meta.GetCondition(receiver.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(receiver.Status.Conditions, meta.ReadyCondition); c != nil {
 			switch c.Status {
-			case corev1.ConditionTrue:
+			case metav1.ConditionTrue:
 				return true, nil
-			case corev1.ConditionFalse:
+			case metav1.ConditionFalse:
 				return false, fmt.Errorf(c.Message)
 			}
 		}

cmd/flux/create_secret.go

@@ -0,0 +1,52 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var createSecretCmd = &cobra.Command{
+	Use:   "secret",
+	Short: "Create or update Kubernetes secrets",
+	Long:  "The create source sub-commands generate Kubernetes secrets specific to Flux.",
+}
+
+func init() {
+	createCmd.AddCommand(createSecretCmd)
+}
+
+func exportSecret(secret corev1.Secret) error {
+	secret.TypeMeta = metav1.TypeMeta{
+		APIVersion: "v1",
+		Kind:       "Secret",
+	}
+
+	data, err := yaml.Marshal(secret)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("---")
+	fmt.Println(resourceToString(data))
+	return nil
+}

cmd/flux/create_secret_git.go

@@ -0,0 +1,173 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"crypto/elliptic"
+	"fmt"
+	"net/url"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+)
+
+var createSecretGitCmd = &cobra.Command{
+	Use:   "git [name]",
+	Short: "Create or update a Kubernetes secret for Git authentication",
+	Long: `
+The create secret git command generates a Kubernetes secret with Git credentials.
+For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
+For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
+	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
+
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --ssh-key-algorithm=ecdsa \
+    --ssh-ecdsa-curve=p521
+
+  # Create a secret for a Git repository using basic authentication
+  flux create secret git podinfo-auth \
+    --url=https://github.com/stefanprodan/podinfo \
+    --username=username \
+    --password=password
+
+  # Create a Git SSH secret on disk and print the deploy key
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+	--export > podinfo-auth.yaml
+
+  yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
+
+  # Create a Git SSH secret on disk and encrypt it with Mozilla SOPS
+  flux create secret git podinfo-auth \
+    --namespace=apps \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+	--export > podinfo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place podinfo-auth.yaml
+`,
+	RunE: createSecretGitCmdRun,
+}
+
+var (
+	secretGitURL          string
+	secretGitUsername     string
+	secretGitPassword     string
+	secretGitKeyAlgorithm flags.PublicKeyAlgorithm = "rsa"
+	secretGitRSABits      flags.RSAKeyBits         = 2048
+	secretGitECDSACurve                            = flags.ECDSACurve{Curve: elliptic.P384()}
+)
+
+func init() {
+	createSecretGitCmd.Flags().StringVar(&secretGitURL, "url", "", "git address, e.g. ssh://git@host/org/repository")
+	createSecretGitCmd.Flags().StringVarP(&secretGitUsername, "username", "u", "", "basic authentication username")
+	createSecretGitCmd.Flags().StringVarP(&secretGitPassword, "password", "p", "", "basic authentication password")
+	createSecretGitCmd.Flags().Var(&secretGitKeyAlgorithm, "ssh-key-algorithm", sourceGitKeyAlgorithm.Description())
+	createSecretGitCmd.Flags().Var(&secretGitRSABits, "ssh-rsa-bits", sourceGitRSABits.Description())
+	createSecretGitCmd.Flags().Var(&secretGitECDSACurve, "ssh-ecdsa-curve", sourceGitECDSACurve.Description())
+
+	createSecretCmd.AddCommand(createSecretGitCmd)
+}
+
+func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("secret name is required")
+	}
+	name := args[0]
+
+	if secretGitURL == "" {
+		return fmt.Errorf("url is required")
+	}
+
+	u, err := url.Parse(secretGitURL)
+	if err != nil {
+		return fmt.Errorf("git URL parse failed: %w", err)
+	}
+
+	secretLabels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	secret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Labels:    secretLabels,
+		},
+	}
+
+	switch u.Scheme {
+	case "ssh":
+		pair, err := generateKeyPair(ctx)
+		if err != nil {
+			return err
+		}
+
+		hostKey, err := scanHostKey(ctx, u)
+		if err != nil {
+			return err
+		}
+
+		secret.Data = map[string][]byte{
+			"identity":     pair.PrivateKey,
+			"identity.pub": pair.PublicKey,
+			"known_hosts":  hostKey,
+		}
+
+		if !export {
+			logger.Generatef("deploy key: %s", string(pair.PublicKey))
+		}
+	case "http", "https":
+		if sourceGitUsername == "" || sourceGitPassword == "" {
+			return fmt.Errorf("for Git over HTTP/S the username and password are required")
+		}
+
+		// TODO: add cert data when it's implemented in source-controller
+		secret.Data = map[string][]byte{
+			"username": []byte(secretGitUsername),
+			"password": []byte(secretGitPassword),
+		}
+	default:
+		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
+	}
+
+	if export {
+		return exportSecret(secret)
+	}
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+		return err
+	}
+	logger.Actionf("secret '%s' created in '%s' namespace", name, namespace)
+
+	return nil
+}

cmd/flux/create_source_bucket.go

@@ -154,6 +154,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      secretName,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{},
 		}

cmd/flux/create_source_git.go

@@ -34,6 +34,7 @@ import (
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -214,6 +215,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{
 				"identity":     string(pair.PrivateKey),
@@ -231,6 +233,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{
 				"username": sourceGitUsername,
@@ -375,11 +378,11 @@ func isGitRepositoryReady(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}
 
-		if c := meta.GetCondition(gitRepository.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(gitRepository.Status.Conditions, meta.ReadyCondition); c != nil {
 			switch c.Status {
-			case corev1.ConditionTrue:
+			case metav1.ConditionTrue:
 				return true, nil
-			case corev1.ConditionFalse:
+			case metav1.ConditionFalse:
 				return false, fmt.Errorf(c.Message)
 			}
 		}

cmd/flux/create_source_helm.go

@@ -23,9 +23,11 @@ import (
 	"net/url"
 	"os"
 
+	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -149,6 +151,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      secretName,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{},
 		}
@@ -242,3 +245,28 @@ func upsertHelmRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("source updated")
 	return namespacedName, nil
 }
+
+func isHelmRepositoryReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, helmRepository *sourcev1.HelmRepository) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, helmRepository)
+		if err != nil {
+			return false, err
+		}
+
+		// Confirm the state we are observing is for the current generation
+		if helmRepository.Generation != helmRepository.Status.ObservedGeneration {
+			return false, nil
+		}
+
+		if c := apimeta.FindStatusCondition(helmRepository.Status.Conditions, meta.ReadyCondition); c != nil {
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/create_tenant.go

@@ -38,7 +38,7 @@ var createTenantCmd = &cobra.Command{
 	Use:   "tenant",
 	Short: "Create or update a tenant",
 	Long: `
-The create tenant command generates namespaces and role bindings to limit the
+The create tenant command generates namespaces, service accounts and role bindings to limit the
 reconcilers scope to the tenant namespaces.`,
 	Example: `  # Create a tenant with access to a namespace 
   flux create tenant dev-team \
@@ -55,8 +55,7 @@ reconcilers scope to the tenant namespaces.`,
 }
 
 const (
-	tenantLabel       = "toolkit.fluxcd.io/tenant"
-	tenantRoleBinding = "gotk-reconciler"
+	tenantLabel = "toolkit.fluxcd.io/tenant"
 )
 
 var (
@@ -65,7 +64,6 @@ var (
 )
 
 func init() {
-	createTenantCmd.Hidden = true
 	createTenantCmd.Flags().StringSliceVar(&tenantNamespaces, "with-namespace", nil, "namespace belonging to this tenant")
 	createTenantCmd.Flags().StringVar(&tenantClusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
 	createCmd.AddCommand(createTenantCmd)
@@ -89,6 +87,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	var namespaces []corev1.Namespace
+	var accounts []corev1.ServiceAccount
 	var roleBindings []rbacv1.RoleBinding
 
 	for _, ns := range tenantNamespaces {
@@ -111,9 +110,19 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		namespaces = append(namespaces, namespace)
 
+		account := corev1.ServiceAccount{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      tenant,
+				Namespace: ns,
+				Labels:    objLabels,
+			},
+		}
+
+		accounts = append(accounts, account)
+
 		roleBinding := rbacv1.RoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      tenantRoleBinding,
+				Name:      fmt.Sprintf("%s-reconciler", tenant),
 				Namespace: ns,
 				Labels:    objLabels,
 			},
@@ -123,6 +132,11 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 					Kind:     "User",
 					Name:     fmt.Sprintf("gotk:%s:reconciler", ns),
 				},
+				{
+					Kind:      "ServiceAccount",
+					Name:      tenant,
+					Namespace: ns,
+				},
 			},
 			RoleRef: rbacv1.RoleRef{
 				APIGroup: "rbac.authorization.k8s.io",
@@ -135,7 +149,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 
 	if export {
 		for i, _ := range tenantNamespaces {
-			if err := exportTenant(namespaces[i], roleBindings[i]); err != nil {
+			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i]); err != nil {
 				return err
 			}
 		}
@@ -156,6 +170,11 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 			return err
 		}
 
+		logger.Actionf("applying service account %s", accounts[i].Name)
+		if err := upsertServiceAccount(ctx, kubeClient, accounts[i]); err != nil {
+			return err
+		}
+
 		logger.Actionf("applying role binding %s", roleBindings[i].Name)
 		if err := upsertRoleBinding(ctx, kubeClient, roleBindings[i]); err != nil {
 			return err
@@ -195,6 +214,35 @@ func upsertNamespace(ctx context.Context, kubeClient client.Client, namespace co
 	return nil
 }
 
+func upsertServiceAccount(ctx context.Context, kubeClient client.Client, account corev1.ServiceAccount) error {
+	namespacedName := types.NamespacedName{
+		Namespace: account.GetNamespace(),
+		Name:      account.GetName(),
+	}
+
+	var existing corev1.ServiceAccount
+	err := kubeClient.Get(ctx, namespacedName, &existing)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if err := kubeClient.Create(ctx, &account); err != nil {
+				return err
+			} else {
+				return nil
+			}
+		}
+		return err
+	}
+
+	if !equality.Semantic.DeepDerivative(account.Labels, existing.Labels) {
+		existing.Labels = account.Labels
+		if err := kubeClient.Update(ctx, &existing); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func upsertRoleBinding(ctx context.Context, kubeClient client.Client, roleBinding rbacv1.RoleBinding) error {
 	namespacedName := types.NamespacedName{
 		Namespace: roleBinding.GetNamespace(),
@@ -228,7 +276,7 @@ func upsertRoleBinding(ctx context.Context, kubeClient client.Client, roleBindin
 	return nil
 }
 
-func exportTenant(namespace corev1.Namespace, roleBinding rbacv1.RoleBinding) error {
+func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, roleBinding rbacv1.RoleBinding) error {
 	namespace.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",
 		Kind:       "Namespace",
@@ -242,6 +290,19 @@ func exportTenant(namespace corev1.Namespace, roleBinding rbacv1.RoleBinding) er
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
 	fmt.Println(resourceToString(data))
 
+	account.TypeMeta = metav1.TypeMeta{
+		APIVersion: "v1",
+		Kind:       "ServiceAccount",
+	}
+	data, err = yaml.Marshal(account)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("---")
+	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
+	fmt.Println(resourceToString(data))
+
 	roleBinding.TypeMeta = metav1.TypeMeta{
 		APIVersion: "rbac.authorization.k8s.io/v1",
 		Kind:       "RoleBinding",

cmd/flux/get_alert.go

@@ -23,7 +23,8 @@ import (
 	"strings"
 
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/flux2/internal/utils"
@@ -69,28 +70,26 @@ func getAlertCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	header := []string{"Name", "Suspended", "Ready", "Message"}
+	header := []string{"Name", "Ready", "Message", "Suspended"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
 	var rows [][]string
 	for _, alert := range list.Items {
 		row := []string{}
-		if c := meta.GetCondition(alert.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(alert.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				alert.GetName(),
-				//alert.Status.LastAppliedRevision,
-				strings.Title(strconv.FormatBool(alert.Spec.Suspend)),
 				string(c.Status),
 				c.Message,
+				strings.Title(strconv.FormatBool(alert.Spec.Suspend)),
 			}
 		} else {
 			row = []string{
 				alert.GetName(),
-				//alert.Status.LastAppliedRevision,
-				strings.Title(strconv.FormatBool(alert.Spec.Suspend)),
-				string(corev1.ConditionFalse),
+				string(metav1.ConditionFalse),
 				"waiting to be reconciled",
+				strings.Title(strconv.FormatBool(alert.Spec.Suspend)),
 			}
 		}
 		if allNamespaces {

cmd/flux/get_alertprovider.go

@@ -21,7 +21,8 @@ import (
 	"os"
 
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/flux2/internal/utils"
@@ -74,7 +75,7 @@ func getAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	var rows [][]string
 	for _, provider := range list.Items {
 		row := []string{}
-		if c := meta.GetCondition(provider.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(provider.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				provider.GetName(),
 				string(c.Status),
@@ -83,7 +84,7 @@ func getAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 		} else {
 			row = []string{
 				provider.GetName(),
-				string(corev1.ConditionFalse),
+				string(metav1.ConditionFalse),
 				"waiting to be reconciled",
 			}
 		}

cmd/flux/get_helmrelease.go

@@ -26,7 +26,8 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
 
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
@@ -71,28 +72,28 @@ func getHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	header := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
+	header := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
 	var rows [][]string
 	for _, helmRelease := range list.Items {
 		row := []string{}
-		if c := meta.GetCondition(helmRelease.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(helmRelease.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				helmRelease.GetName(),
-				helmRelease.Status.LastAppliedRevision,
-				strings.Title(strconv.FormatBool(helmRelease.Spec.Suspend)),
 				string(c.Status),
 				c.Message,
+				helmRelease.Status.LastAppliedRevision,
+				strings.Title(strconv.FormatBool(helmRelease.Spec.Suspend)),
 			}
 		} else {
 			row = []string{
 				helmRelease.GetName(),
+				string(metav1.ConditionFalse),
+				"waiting to be reconciled",
 				helmRelease.Status.LastAppliedRevision,
 				strings.Title(strconv.FormatBool(helmRelease.Spec.Suspend)),
-				string(corev1.ConditionFalse),
-				"waiting to be reconciled",
 			}
 		}
 		if allNamespaces {

cmd/flux/get_kustomization.go

@@ -27,7 +27,8 @@ import (
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -70,28 +71,28 @@ func getKsCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	header := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
+	header := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
 	var rows [][]string
 	for _, kustomization := range list.Items {
 		row := []string{}
-		if c := meta.GetCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				kustomization.GetName(),
-				kustomization.Status.LastAppliedRevision,
-				strings.Title(strconv.FormatBool(kustomization.Spec.Suspend)),
 				string(c.Status),
 				c.Message,
+				kustomization.Status.LastAppliedRevision,
+				strings.Title(strconv.FormatBool(kustomization.Spec.Suspend)),
 			}
 		} else {
 			row = []string{
 				kustomization.GetName(),
+				string(metav1.ConditionFalse),
+				"waiting to be reconciled",
 				kustomization.Status.LastAppliedRevision,
 				strings.Title(strconv.FormatBool(kustomization.Spec.Suspend)),
-				string(corev1.ConditionFalse),
-				"waiting to be reconciled",
 			}
 		}
 		if allNamespaces {

cmd/flux/get_receiver.go

@@ -23,7 +23,8 @@ import (
 	"strings"
 
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/flux2/internal/utils"
@@ -69,26 +70,26 @@ func getReceiverCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	header := []string{"Name", "Suspended", "Ready", "Message"}
+	header := []string{"Name", "Ready", "Message", "Suspended"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
 	var rows [][]string
 	for _, receiver := range list.Items {
 		row := []string{}
-		if c := meta.GetCondition(receiver.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(receiver.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				receiver.GetName(),
-				strings.Title(strconv.FormatBool(receiver.Spec.Suspend)),
 				string(c.Status),
 				c.Message,
+				strings.Title(strconv.FormatBool(receiver.Spec.Suspend)),
 			}
 		} else {
 			row = []string{
 				receiver.GetName(),
-				strings.Title(strconv.FormatBool(receiver.Spec.Suspend)),
-				string(corev1.ConditionFalse),
+				string(metav1.ConditionFalse),
 				"waiting to be reconciled",
+				strings.Title(strconv.FormatBool(receiver.Spec.Suspend)),
 			}
 		}
 		rows = append(rows, row)

cmd/flux/get_source_bucket.go

@@ -19,13 +19,16 @@ package main
 import (
 	"context"
 	"os"
+	"strconv"
+	"strings"
 
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -35,6 +38,9 @@ var getSourceBucketCmd = &cobra.Command{
 	Long:  "The get sources bucket command prints the status of the Bucket sources.",
 	Example: `  # List all Buckets and their status
   flux get sources bucket
+
+ # List buckets from all namespaces
+  flux get sources helm --all-namespaces
 `,
 	RunE: getSourceBucketCmdRun,
 }
@@ -67,7 +73,7 @@ func getSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	header := []string{"Name", "Revision", "Ready", "Message"}
+	header := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
@@ -78,19 +84,21 @@ func getSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		if source.GetArtifact() != nil {
 			revision = source.GetArtifact().Revision
 		}
-		if c := meta.GetCondition(source.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(source.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				source.GetName(),
-				revision,
 				string(c.Status),
 				c.Message,
+				revision,
+				strings.Title(strconv.FormatBool(source.Spec.Suspend)),
 			}
 		} else {
 			row = []string{
 				source.GetName(),
-				revision,
-				string(corev1.ConditionFalse),
+				string(metav1.ConditionFalse),
 				"waiting to be reconciled",
+				revision,
+				strings.Title(strconv.FormatBool(source.Spec.Suspend)),
 			}
 		}
 		if allNamespaces {

cmd/flux/get_source_chart.go

@@ -0,0 +1,111 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/pkg/apis/meta"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	"github.com/spf13/cobra"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+var getSourceHelmChartCmd = &cobra.Command{
+	Use:   "chart",
+	Short: "Get HelmChart statuses",
+	Long:  "The get sources chart command prints the status of the HelmCharts.",
+	Example: `  # List all Helm charts and their status
+  flux get sources chart
+
+ # List Helm charts from all namespaces
+  flux get sources chart --all-namespaces
+`,
+	RunE: getSourceHelmChartCmdRun,
+}
+
+func init() {
+	getSourceCmd.AddCommand(getSourceHelmChartCmd)
+}
+
+func getSourceHelmChartCmdRun(cmd *cobra.Command, args []string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	var listOpts []client.ListOption
+	if !allNamespaces {
+		listOpts = append(listOpts, client.InNamespace(namespace))
+	}
+	var list sourcev1.HelmChartList
+	err = kubeClient.List(ctx, &list, listOpts...)
+	if err != nil {
+		return err
+	}
+
+	if len(list.Items) == 0 {
+		logger.Failuref("no chart sources found in %s namespace", namespace)
+		return nil
+	}
+
+	header := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
+	if allNamespaces {
+		header = append([]string{"Namespace"}, header...)
+	}
+	var rows [][]string
+	for _, source := range list.Items {
+		var row []string
+		var revision string
+		if source.GetArtifact() != nil {
+			revision = source.GetArtifact().Revision
+		}
+		if c := apimeta.FindStatusCondition(source.Status.Conditions, meta.ReadyCondition); c != nil {
+			row = []string{
+				source.GetName(),
+				string(c.Status),
+				c.Message,
+				revision,
+				strings.Title(strconv.FormatBool(source.Spec.Suspend)),
+			}
+		} else {
+			row = []string{
+				source.GetName(),
+				string(metav1.ConditionFalse),
+				"waiting to be reconciled",
+				revision,
+				strings.Title(strconv.FormatBool(source.Spec.Suspend)),
+			}
+		}
+		if allNamespaces {
+			row = append([]string{source.Namespace}, row...)
+		}
+		rows = append(rows, row)
+	}
+	utils.PrintTable(os.Stdout, header, rows)
+	return nil
+}

cmd/flux/get_source_git.go

@@ -19,13 +19,16 @@ package main
 import (
 	"context"
 	"os"
+	"strconv"
+	"strings"
 
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -35,6 +38,9 @@ var getSourceGitCmd = &cobra.Command{
 	Long:  "The get sources git command prints the status of the GitRepository sources.",
 	Example: `  # List all Git repositories and their status
   flux get sources git
+
+ # List Git repositories from all namespaces
+  flux get sources git --all-namespaces
 `,
 	RunE: getSourceGitCmdRun,
 }
@@ -67,7 +73,7 @@ func getSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	header := []string{"Name", "Revision", "Ready", "Message"}
+	header := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
@@ -78,19 +84,21 @@ func getSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		if source.GetArtifact() != nil {
 			revision = source.GetArtifact().Revision
 		}
-		if c := meta.GetCondition(source.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(source.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				source.GetName(),
-				revision,
 				string(c.Status),
 				c.Message,
+				revision,
+				strings.Title(strconv.FormatBool(source.Spec.Suspend)),
 			}
 		} else {
 			row = []string{
 				source.GetName(),
-				revision,
-				string(corev1.ConditionFalse),
+				string(metav1.ConditionFalse),
 				"waiting to be reconciled",
+				revision,
+				strings.Title(strconv.FormatBool(source.Spec.Suspend)),
 			}
 		}
 		if allNamespaces {

cmd/flux/get_source_helm.go

@@ -19,13 +19,16 @@ package main
 import (
 	"context"
 	"os"
+	"strconv"
+	"strings"
 
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -35,6 +38,9 @@ var getSourceHelmCmd = &cobra.Command{
 	Long:  "The get sources helm command prints the status of the HelmRepository sources.",
 	Example: `  # List all Helm repositories and their status
   flux get sources helm
+
+ # List Helm repositories from all namespaces
+  flux get sources helm --all-namespaces
 `,
 	RunE: getSourceHelmCmdRun,
 }
@@ -67,7 +73,7 @@ func getSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	header := []string{"Name", "Revision", "Ready", "Message"}
+	header := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
@@ -78,19 +84,21 @@ func getSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		if source.GetArtifact() != nil {
 			revision = source.GetArtifact().Revision
 		}
-		if c := meta.GetCondition(source.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(source.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				source.GetName(),
-				revision,
 				string(c.Status),
 				c.Message,
+				revision,
+				strings.Title(strconv.FormatBool(source.Spec.Suspend)),
 			}
 		} else {
 			row = []string{
 				source.GetName(),
-				revision,
-				string(corev1.ConditionFalse),
+				string(metav1.ConditionFalse),
 				"waiting to be reconciled",
+				revision,
+				strings.Title(strconv.FormatBool(source.Spec.Suspend)),
 			}
 		}
 		if allNamespaces {

cmd/flux/install.go

@@ -152,10 +152,10 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 
 	kubectlArgs := []string{"apply", "-f", filepath.Join(tmpDir, manifest.Path)}
 	if installDryRun {
-		args = append(args, "--dry-run=client")
+		kubectlArgs = append(kubectlArgs, "--dry-run=client")
 		applyOutput = utils.ModeOS
 	}
-	if _, err := utils.ExecKubectlCommand(ctx, applyOutput, kubectlArgs...); err != nil {
+	if _, err := utils.ExecKubectlCommand(ctx, applyOutput, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 		return fmt.Errorf("install failed")
 	}
 
@@ -169,7 +169,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	logger.Waitingf("verifying installation")
 	for _, deployment := range installComponents {
 		kubectlArgs = []string{"-n", namespace, "rollout", "status", "deployment", deployment, "--timeout", timeout.String()}
-		if _, err := utils.ExecKubectlCommand(ctx, applyOutput, kubectlArgs...); err != nil {
+		if _, err := utils.ExecKubectlCommand(ctx, applyOutput, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 			return fmt.Errorf("install failed")
 		} else {
 			logger.Successf("%s ready", deployment)

cmd/flux/reconcile_alert.go

@@ -64,13 +64,17 @@ func reconcileAlertCmdRun(cmd *cobra.Command, args []string) error {
 		Name:      name,
 	}
 
-	logger.Actionf("annotating Alert %s in %s namespace", name, namespace)
 	var alert notificationv1.Alert
 	err = kubeClient.Get(ctx, namespacedName, &alert)
 	if err != nil {
 		return err
 	}
 
+	if alert.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
+	logger.Actionf("annotating Alert %s in %s namespace", name, namespace)
 	if alert.Annotations == nil {
 		alert.Annotations = map[string]string{
 			meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
@@ -78,6 +82,7 @@ func reconcileAlertCmdRun(cmd *cobra.Command, args []string) error {
 	} else {
 		alert.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
 	}
+
 	if err := kubeClient.Update(ctx, &alert); err != nil {
 		return err
 	}

cmd/flux/reconcile_helmrelease.go

@@ -22,7 +22,8 @@ import (
 	"time"
 
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/util/retry"
@@ -85,6 +86,10 @@ func reconcileHrCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if helmRelease.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	if syncHrWithSource {
 		switch helmRelease.Spec.Chart.Spec.SourceRef.Kind {
 		case sourcev1.HelmRepositoryKind:
@@ -118,9 +123,9 @@ func reconcileHrCmdRun(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-	if c := meta.GetCondition(helmRelease.Status.Conditions, meta.ReadyCondition); c != nil {
+	if c := apimeta.FindStatusCondition(helmRelease.Status.Conditions, meta.ReadyCondition); c != nil {
 		switch c.Status {
-		case corev1.ConditionFalse:
+		case metav1.ConditionFalse:
 			return fmt.Errorf("HelmRelease reconciliation failed: %s", c.Message)
 		default:
 			logger.Successf("reconciled revision %s", helmRelease.Status.LastAppliedRevision)

cmd/flux/reconcile_kustomization.go

@@ -21,7 +21,7 @@ import (
 	"fmt"
 	"time"
 
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/client-go/util/retry"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -84,6 +84,10 @@ func reconcileKsCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if kustomization.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	if syncKsWithSource {
 		switch kustomization.Spec.SourceRef.Kind {
 		case sourcev1.GitRepositoryKind:
@@ -112,14 +116,10 @@ func reconcileKsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Successf("Kustomization reconciliation completed")
 
-	if c := meta.GetCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
-		switch c.Status {
-		case corev1.ConditionFalse:
-			return fmt.Errorf("Kustomization reconciliation failed")
-		default:
-			logger.Successf("reconciled revision %s", kustomization.Status.LastAppliedRevision)
-		}
+	if apimeta.IsStatusConditionFalse(kustomization.Status.Conditions, meta.ReadyCondition) {
+		return fmt.Errorf("Kustomization reconciliation failed")
 	}
+	logger.Successf("reconciled revision %s", kustomization.Status.LastAppliedRevision)
 	return nil
 }
 

cmd/flux/reconcile_receiver.go

@@ -64,13 +64,17 @@ func reconcileReceiverCmdRun(cmd *cobra.Command, args []string) error {
 		Name:      name,
 	}
 
-	logger.Actionf("annotating Receiver %s in %s namespace", name, namespace)
 	var receiver notificationv1.Receiver
 	err = kubeClient.Get(ctx, namespacedName, &receiver)
 	if err != nil {
 		return err
 	}
 
+	if receiver.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
+	logger.Actionf("annotating Receiver %s in %s namespace", name, namespace)
 	if receiver.Annotations == nil {
 		receiver.Annotations = map[string]string{
 			meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),

cmd/flux/reconcile_source_bucket.go

@@ -21,11 +21,14 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
+	"k8s.io/client-go/util/retry"
+
+	"github.com/fluxcd/flux2/internal/utils"
 
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -65,35 +68,34 @@ func reconcileSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace: namespace,
 		Name:      name,
 	}
-
-	logger.Actionf("annotating Bucket source %s in %s namespace", name, namespace)
 	var bucket sourcev1.Bucket
 	err = kubeClient.Get(ctx, namespacedName, &bucket)
 	if err != nil {
 		return err
 	}
 
-	if bucket.Annotations == nil {
-		bucket.Annotations = map[string]string{
-			meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
-		}
-	} else {
-		bucket.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+	if bucket.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
 	}
-	if err := kubeClient.Update(ctx, &bucket); err != nil {
+
+	lastHandledReconcileAt := bucket.Status.LastHandledReconcileAt
+	logger.Actionf("annotating Bucket source %s in %s namespace", name, namespace)
+	if err := requestBucketReconciliation(ctx, kubeClient, namespacedName, &bucket); err != nil {
 		return err
 	}
 	logger.Successf("Bucket source annotated")
 
 	logger.Waitingf("waiting for Bucket source reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
-		isBucketReady(ctx, kubeClient, namespacedName, &bucket)); err != nil {
+	if err := wait.PollImmediate(
+		pollInterval, timeout,
+		bucketReconciliationHandled(ctx, kubeClient, namespacedName, &bucket, lastHandledReconcileAt),
+	); err != nil {
 		return err
 	}
 	logger.Successf("Bucket source reconciliation completed")
 
-	if bucket.Status.Artifact == nil {
-		return fmt.Errorf("Bucket source reconciliation completed but no artifact was found")
+	if apimeta.IsStatusConditionFalse(bucket.Status.Conditions, meta.ReadyCondition) {
+		return fmt.Errorf("Bucket source reconciliation failed")
 	}
 	logger.Successf("fetched revision %s", bucket.Status.Artifact.Revision)
 	return nil
@@ -112,14 +114,42 @@ func isBucketReady(ctx context.Context, kubeClient client.Client,
 			return false, nil
 		}
 
-		if c := meta.GetCondition(bucket.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(bucket.Status.Conditions, meta.ReadyCondition); c != nil {
 			switch c.Status {
-			case corev1.ConditionTrue:
+			case metav1.ConditionTrue:
 				return true, nil
-			case corev1.ConditionFalse:
+			case metav1.ConditionFalse:
 				return false, fmt.Errorf(c.Message)
 			}
 		}
 		return false, nil
 	}
 }
+
+func bucketReconciliationHandled(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, bucket *sourcev1.Bucket, lastHandledReconcileAt string) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, bucket)
+		if err != nil {
+			return false, err
+		}
+		return bucket.Status.LastHandledReconcileAt != lastHandledReconcileAt, nil
+	}
+}
+
+func requestBucketReconciliation(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, bucket *sourcev1.Bucket) error {
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
+		if err := kubeClient.Get(ctx, namespacedName, bucket); err != nil {
+			return err
+		}
+		if bucket.Annotations == nil {
+			bucket.Annotations = map[string]string{
+				meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
+			}
+		} else {
+			bucket.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+		}
+		return kubeClient.Update(ctx, bucket)
+	})
+}

cmd/flux/reconcile_source_git.go

@@ -23,6 +23,9 @@ import (
 
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/client-go/util/retry"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
@@ -63,36 +66,61 @@ func reconcileSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace: namespace,
 		Name:      name,
 	}
-
-	logger.Actionf("annotating GitRepository source %s in %s namespace", name, namespace)
-	var gitRepository sourcev1.GitRepository
-	err = kubeClient.Get(ctx, namespacedName, &gitRepository)
+	var repository sourcev1.GitRepository
+	err = kubeClient.Get(ctx, namespacedName, &repository)
 	if err != nil {
 		return err
 	}
 
-	if gitRepository.Annotations == nil {
-		gitRepository.Annotations = map[string]string{
-			meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
-		}
-	} else {
-		gitRepository.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+	if repository.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
 	}
-	if err := kubeClient.Update(ctx, &gitRepository); err != nil {
+
+	logger.Actionf("annotating GitRepository source %s in %s namespace", name, namespace)
+	if err := requestGitRepositoryReconciliation(ctx, kubeClient, namespacedName, &repository); err != nil {
 		return err
 	}
 	logger.Successf("GitRepository source annotated")
 
+	lastHandledReconcileAt := repository.Status.LastHandledReconcileAt
 	logger.Waitingf("waiting for GitRepository source reconciliation")
 	if err := wait.PollImmediate(pollInterval, timeout,
-		isGitRepositoryReady(ctx, kubeClient, namespacedName, &gitRepository)); err != nil {
+		gitRepositoryReconciliationHandled(ctx, kubeClient, namespacedName, &repository, lastHandledReconcileAt)); err != nil {
 		return err
 	}
 	logger.Successf("GitRepository source reconciliation completed")
 
-	if gitRepository.Status.Artifact == nil {
-		return fmt.Errorf("GitRepository source reconciliation completed but no artifact was found")
+	if apimeta.IsStatusConditionFalse(repository.Status.Conditions, meta.ReadyCondition) {
+		return fmt.Errorf("GitRepository source reconciliation failed")
 	}
-	logger.Successf("fetched revision %s", gitRepository.Status.Artifact.Revision)
+	logger.Successf("fetched revision %s", repository.Status.Artifact.Revision)
 	return nil
 }
+
+func gitRepositoryReconciliationHandled(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, repository *sourcev1.GitRepository, lastHandledReconcileAt string) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, repository)
+		if err != nil {
+			return false, err
+		}
+		return repository.Status.LastHandledReconcileAt != lastHandledReconcileAt, nil
+	}
+}
+
+func requestGitRepositoryReconciliation(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, repository *sourcev1.GitRepository) error {
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
+		if err := kubeClient.Get(ctx, namespacedName, repository); err != nil {
+			return err
+		}
+		if repository.Annotations == nil {
+			repository.Annotations = map[string]string{
+				meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
+			}
+		} else {
+			repository.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+		}
+		return kubeClient.Update(ctx, repository)
+	})
+}

cmd/flux/reconcile_source_helm.go

@@ -21,11 +21,13 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
+	"k8s.io/client-go/util/retry"
+
+	"github.com/fluxcd/flux2/internal/utils"
 
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -65,61 +67,61 @@ func reconcileSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace: namespace,
 		Name:      name,
 	}
-
-	logger.Actionf("annotating HelmRepository source %s in %s namespace", name, namespace)
-	var helmRepository sourcev1.HelmRepository
-	err = kubeClient.Get(ctx, namespacedName, &helmRepository)
+	var repository sourcev1.HelmRepository
+	err = kubeClient.Get(ctx, namespacedName, &repository)
 	if err != nil {
 		return err
 	}
 
-	if helmRepository.Annotations == nil {
-		helmRepository.Annotations = map[string]string{
-			meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
-		}
-	} else {
-		helmRepository.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+	if repository.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
 	}
-	if err := kubeClient.Update(ctx, &helmRepository); err != nil {
+
+	logger.Actionf("annotating HelmRepository source %s in %s namespace", name, namespace)
+	if err := requestHelmRepositoryReconciliation(ctx, kubeClient, namespacedName, &repository); err != nil {
 		return err
 	}
 	logger.Successf("HelmRepository source annotated")
 
+	lastHandledReconcileAt := repository.Status.LastHandledReconcileAt
 	logger.Waitingf("waiting for HelmRepository source reconciliation")
 	if err := wait.PollImmediate(pollInterval, timeout,
-		isHelmRepositoryReady(ctx, kubeClient, namespacedName, &helmRepository)); err != nil {
+		helmRepositoryReconciliationHandled(ctx, kubeClient, namespacedName, &repository, lastHandledReconcileAt)); err != nil {
 		return err
 	}
 	logger.Successf("HelmRepository source reconciliation completed")
 
-	if helmRepository.Status.Artifact == nil {
-		return fmt.Errorf("HelmRepository source reconciliation completed but no artifact was found")
+	if apimeta.IsStatusConditionFalse(repository.Status.Conditions, meta.ReadyCondition) {
+		return fmt.Errorf("HelmRepository source reconciliation failed")
 	}
-	logger.Successf("fetched revision %s", helmRepository.Status.Artifact.Revision)
+	logger.Successf("fetched revision %s", repository.Status.Artifact.Revision)
 	return nil
 }
 
-func isHelmRepositoryReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, helmRepository *sourcev1.HelmRepository) wait.ConditionFunc {
+func helmRepositoryReconciliationHandled(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, repository *sourcev1.HelmRepository, lastHandledReconcileAt string) wait.ConditionFunc {
 	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, helmRepository)
+		err := kubeClient.Get(ctx, namespacedName, repository)
 		if err != nil {
 			return false, err
 		}
-
-		// Confirm the state we are observing is for the current generation
-		if helmRepository.Generation != helmRepository.Status.ObservedGeneration {
-			return false, nil
-		}
-
-		if c := meta.GetCondition(helmRepository.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case corev1.ConditionTrue:
-				return true, nil
-			case corev1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
+		return repository.Status.LastHandledReconcileAt != lastHandledReconcileAt, nil
 	}
 }
+
+func requestHelmRepositoryReconciliation(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, repository *sourcev1.HelmRepository) error {
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
+		if err := kubeClient.Get(ctx, namespacedName, repository); err != nil {
+			return err
+		}
+		if repository.Annotations == nil {
+			repository.Annotations = map[string]string{
+				meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
+			}
+		} else {
+			repository.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+		}
+		return kubeClient.Update(ctx, repository)
+	})
+}

cmd/flux/resume_alert.go

@@ -24,7 +24,8 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
 
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -95,11 +96,11 @@ func isAlertResumed(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}
 
-		if c := meta.GetCondition(alert.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(alert.Status.Conditions, meta.ReadyCondition); c != nil {
 			switch c.Status {
-			case corev1.ConditionTrue:
+			case metav1.ConditionTrue:
 				return true, nil
-			case corev1.ConditionFalse:
+			case metav1.ConditionFalse:
 				if c.Reason == meta.SuspendedReason {
 					return false, nil
 				}

cmd/flux/resume_helmrelease.go

@@ -24,7 +24,8 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
 
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -103,14 +104,11 @@ func isHelmReleaseResumed(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}
 
-		if c := meta.GetCondition(helmRelease.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(helmRelease.Status.Conditions, meta.ReadyCondition); c != nil {
 			switch c.Status {
-			case corev1.ConditionTrue:
+			case metav1.ConditionTrue:
 				return true, nil
-			case corev1.ConditionFalse:
-				if c.Reason == meta.SuspendedReason {
-					return false, nil
-				}
+			case metav1.ConditionFalse:
 				return false, fmt.Errorf(c.Message)
 			}
 		}

cmd/flux/resume_kustomization.go

@@ -25,7 +25,8 @@ import (
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -102,14 +103,11 @@ func isKustomizationResumed(ctx context.Context, kubeClient client.Client,
 			return false, nil
 		}
 
-		if c := meta.GetCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
 			switch c.Status {
-			case corev1.ConditionTrue:
+			case metav1.ConditionTrue:
 				return true, nil
-			case corev1.ConditionFalse:
-				if c.Reason == meta.SuspendedReason {
-					return false, nil
-				}
+			case metav1.ConditionFalse:
 				return false, fmt.Errorf(c.Message)
 			}
 		}

cmd/flux/resume_receiver.go

@@ -24,7 +24,8 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
 
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -96,11 +97,11 @@ func isReceiverResumed(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}
 
-		if c := meta.GetCondition(receiver.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(receiver.Status.Conditions, meta.ReadyCondition); c != nil {
 			switch c.Status {
-			case corev1.ConditionTrue:
+			case metav1.ConditionTrue:
 				return true, nil
-			case corev1.ConditionFalse:
+			case metav1.ConditionFalse:
 				if c.Reason == meta.SuspendedReason {
 					return false, nil
 				}

cmd/flux/resume_source.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var resumeSourceCmd = &cobra.Command{
+	Use:   "source",
+	Short: "Resume sources",
+	Long:  "The resume sub-commands resume a suspended source.",
+}
+
+func init() {
+	resumeCmd.AddCommand(resumeSourceCmd)
+}

cmd/flux/resume_source_bucket.go

@@ -0,0 +1,115 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/pkg/apis/meta"
+
+	"github.com/spf13/cobra"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+)
+
+var resumeSourceBucketCmd = &cobra.Command{
+	Use:   "bucket [name]",
+	Short: "Resume a suspended Bucket",
+	Long:  `The resume command marks a previously suspended Bucket resource for reconciliation and waits for it to finish.`,
+	Example: `  # Resume reconciliation for an existing Bucket
+  flux resume source bucket podinfo
+`,
+	RunE: resumeSourceBucketCmdRun,
+}
+
+func init() {
+	resumeSourceCmd.AddCommand(resumeSourceBucketCmd)
+}
+
+func resumeSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("source name is required")
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+	var bucket sourcev1.Bucket
+	err = kubeClient.Get(ctx, namespacedName, &bucket)
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("resuming source %s in %s namespace", name, namespace)
+	bucket.Spec.Suspend = false
+	if err := kubeClient.Update(ctx, &bucket); err != nil {
+		return err
+	}
+	logger.Successf("source resumed")
+
+	logger.Waitingf("waiting for Bucket reconciliation")
+	if err := wait.PollImmediate(pollInterval, timeout,
+		isBucketResumed(ctx, kubeClient, namespacedName, &bucket)); err != nil {
+		return err
+	}
+	logger.Successf("Bucket reconciliation completed")
+
+	logger.Successf("fetched revision %s", bucket.Status.Artifact.Revision)
+	return nil
+}
+
+func isBucketResumed(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, bucket *sourcev1.Bucket) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, bucket)
+		if err != nil {
+			return false, err
+		}
+
+		// Confirm the state we are observing is for the current generation
+		if bucket.Generation != bucket.Status.ObservedGeneration {
+			return false, nil
+		}
+
+		if c := apimeta.FindStatusCondition(bucket.Status.Conditions, meta.ReadyCondition); c != nil {
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/resume_source_chart.go

@@ -0,0 +1,115 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/pkg/apis/meta"
+
+	"github.com/spf13/cobra"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+)
+
+var resumeSourceHelmChartCmd = &cobra.Command{
+	Use:   "chart [name]",
+	Short: "Resume a suspended HelmChart",
+	Long:  `The resume command marks a previously suspended HelmChart resource for reconciliation and waits for it to finish.`,
+	Example: `  # Resume reconciliation for an existing HelmChart
+  flux resume source chart podinfo
+`,
+	RunE: resumeSourceHelmChartCmdRun,
+}
+
+func init() {
+	resumeSourceCmd.AddCommand(resumeSourceHelmChartCmd)
+}
+
+func resumeSourceHelmChartCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("source name is required")
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+	var repository sourcev1.HelmChart
+	err = kubeClient.Get(ctx, namespacedName, &repository)
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("resuming source %s in %s namespace", name, namespace)
+	repository.Spec.Suspend = false
+	if err := kubeClient.Update(ctx, &repository); err != nil {
+		return err
+	}
+	logger.Successf("source resumed")
+
+	logger.Waitingf("waiting for HelmChart reconciliation")
+	if err := wait.PollImmediate(pollInterval, timeout,
+		isHelmChartResumed(ctx, kubeClient, namespacedName, &repository)); err != nil {
+		return err
+	}
+	logger.Successf("HelmChart reconciliation completed")
+
+	logger.Successf("fetched revision %s", repository.Status.Artifact.Revision)
+	return nil
+}
+
+func isHelmChartResumed(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, chart *sourcev1.HelmChart) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, chart)
+		if err != nil {
+			return false, err
+		}
+
+		// Confirm the state we are observing is for the current generation
+		if chart.Generation != chart.Status.ObservedGeneration {
+			return false, nil
+		}
+
+		if c := apimeta.FindStatusCondition(chart.Status.Conditions, meta.ReadyCondition); c != nil {
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/resume_source_git.go

@@ -0,0 +1,115 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/pkg/apis/meta"
+
+	"github.com/spf13/cobra"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+)
+
+var resumeSourceGitCmd = &cobra.Command{
+	Use:   "git [name]",
+	Short: "Resume a suspended GitRepository",
+	Long:  `The resume command marks a previously suspended GitRepository resource for reconciliation and waits for it to finish.`,
+	Example: `  # Resume reconciliation for an existing GitRepository
+  flux resume source git podinfo
+`,
+	RunE: resumeSourceGitCmdRun,
+}
+
+func init() {
+	resumeSourceCmd.AddCommand(resumeSourceGitCmd)
+}
+
+func resumeSourceGitCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("source name is required")
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+	var repository sourcev1.GitRepository
+	err = kubeClient.Get(ctx, namespacedName, &repository)
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("resuming source %s in %s namespace", name, namespace)
+	repository.Spec.Suspend = false
+	if err := kubeClient.Update(ctx, &repository); err != nil {
+		return err
+	}
+	logger.Successf("source resumed")
+
+	logger.Waitingf("waiting for GitRepository reconciliation")
+	if err := wait.PollImmediate(pollInterval, timeout,
+		isGitRepositoryResumed(ctx, kubeClient, namespacedName, &repository)); err != nil {
+		return err
+	}
+	logger.Successf("GitRepository reconciliation completed")
+
+	logger.Successf("fetched revision %s", repository.Status.Artifact.Revision)
+	return nil
+}
+
+func isGitRepositoryResumed(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, repository *sourcev1.GitRepository) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, repository)
+		if err != nil {
+			return false, err
+		}
+
+		// Confirm the state we are observing is for the current generation
+		if repository.Generation != repository.Status.ObservedGeneration {
+			return false, nil
+		}
+
+		if c := apimeta.FindStatusCondition(repository.Status.Conditions, meta.ReadyCondition); c != nil {
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/resume_source_helm.go

@@ -0,0 +1,115 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/pkg/apis/meta"
+
+	"github.com/spf13/cobra"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+)
+
+var resumeSourceHelmCmd = &cobra.Command{
+	Use:   "helm [name]",
+	Short: "Resume a suspended HelmRepository",
+	Long:  `The resume command marks a previously suspended HelmRepository resource for reconciliation and waits for it to finish.`,
+	Example: `  # Resume reconciliation for an existing HelmRepository
+  flux resume source helm bitnami
+`,
+	RunE: resumeSourceHelmCmdRun,
+}
+
+func init() {
+	resumeSourceCmd.AddCommand(resumeSourceHelmCmd)
+}
+
+func resumeSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("source name is required")
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+	var repository sourcev1.HelmRepository
+	err = kubeClient.Get(ctx, namespacedName, &repository)
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("resuming source %s in %s namespace", name, namespace)
+	repository.Spec.Suspend = false
+	if err := kubeClient.Update(ctx, &repository); err != nil {
+		return err
+	}
+	logger.Successf("source resumed")
+
+	logger.Waitingf("waiting for HelmRepository reconciliation")
+	if err := wait.PollImmediate(pollInterval, timeout,
+		isHelmRepositoryResumed(ctx, kubeClient, namespacedName, &repository)); err != nil {
+		return err
+	}
+	logger.Successf("HelmRepository reconciliation completed")
+
+	logger.Successf("fetched revision %s", repository.Status.Artifact.Revision)
+	return nil
+}
+
+func isHelmRepositoryResumed(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, repository *sourcev1.HelmRepository) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, repository)
+		if err != nil {
+			return false, err
+		}
+
+		// Confirm the state we are observing is for the current generation
+		if repository.Generation != repository.Status.ObservedGeneration {
+			return false, nil
+		}
+
+		if c := apimeta.FindStatusCondition(repository.Status.Conditions, meta.ReadyCondition); c != nil {
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/suspend_source.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var suspendSourceCmd = &cobra.Command{
+	Use:   "source",
+	Short: "Suspend sources",
+	Long:  "The suspend sub-commands suspend the reconciliation of a source.",
+}
+
+func init() {
+	suspendCmd.AddCommand(suspendSourceCmd)
+}

cmd/flux/suspend_source_bucket.go

@@ -0,0 +1,75 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+var suspendSourceBucketCmd = &cobra.Command{
+	Use:   "bucket [name]",
+	Short: "Suspend reconciliation of a Bucket",
+	Long:  "The suspend command disables the reconciliation of a Bucket resource.",
+	Example: `  # Suspend reconciliation for an existing Bucket
+  flux suspend source bucket podinfo
+`,
+	RunE: suspendSourceBucketCmdRun,
+}
+
+func init() {
+	suspendSourceCmd.AddCommand(suspendSourceBucketCmd)
+}
+
+func suspendSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("source name is required")
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+	var bucket sourcev1.Bucket
+	err = kubeClient.Get(ctx, namespacedName, &bucket)
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("suspending source %s in %s namespace", name, namespace)
+	bucket.Spec.Suspend = true
+	if err := kubeClient.Update(ctx, &bucket); err != nil {
+		return err
+	}
+	logger.Successf("source suspended")
+
+	return nil
+}

cmd/flux/suspend_source_chart.go

@@ -0,0 +1,75 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+var suspendSourceHelmChartCmd = &cobra.Command{
+	Use:   "chart [name]",
+	Short: "Suspend reconciliation of a HelmChart",
+	Long:  "The suspend command disables the reconciliation of a HelmChart resource.",
+	Example: `  # Suspend reconciliation for an existing HelmChart
+  flux suspend source chart podinfo
+`,
+	RunE: suspendSourceHelmChartCmdRun,
+}
+
+func init() {
+	suspendSourceCmd.AddCommand(suspendSourceHelmChartCmd)
+}
+
+func suspendSourceHelmChartCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("source name is required")
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+	var chart sourcev1.HelmChart
+	err = kubeClient.Get(ctx, namespacedName, &chart)
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("suspending source %s in %s namespace", name, namespace)
+	chart.Spec.Suspend = true
+	if err := kubeClient.Update(ctx, &chart); err != nil {
+		return err
+	}
+	logger.Successf("source suspended")
+
+	return nil
+}

cmd/flux/suspend_source_git.go

@@ -0,0 +1,75 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+var suspendSourceGitCmd = &cobra.Command{
+	Use:   "git [name]",
+	Short: "Suspend reconciliation of a GitRepository",
+	Long:  "The suspend command disables the reconciliation of a GitRepository resource.",
+	Example: `  # Suspend reconciliation for an existing GitRepository
+  flux suspend source git podinfo
+`,
+	RunE: suspendSourceGitCmdRun,
+}
+
+func init() {
+	suspendSourceCmd.AddCommand(suspendSourceGitCmd)
+}
+
+func suspendSourceGitCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("source name is required")
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+	var repository sourcev1.GitRepository
+	err = kubeClient.Get(ctx, namespacedName, &repository)
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("suspending source %s in %s namespace", name, namespace)
+	repository.Spec.Suspend = true
+	if err := kubeClient.Update(ctx, &repository); err != nil {
+		return err
+	}
+	logger.Successf("source suspended")
+
+	return nil
+}

cmd/flux/suspend_source_helm.go

@@ -0,0 +1,75 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+var suspendSourceHelmCmd = &cobra.Command{
+	Use:   "helm [name]",
+	Short: "Suspend reconciliation of a HelmRepository",
+	Long:  "The suspend command disables the reconciliation of a HelmRepository resource.",
+	Example: `  # Suspend reconciliation for an existing HelmRepository
+  flux suspend source helm bitnami
+`,
+	RunE: suspendSourceHelmCmdRun,
+}
+
+func init() {
+	suspendSourceCmd.AddCommand(suspendSourceHelmCmd)
+}
+
+func suspendSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("source name is required")
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+	var repository sourcev1.HelmRepository
+	err = kubeClient.Get(ctx, namespacedName, &repository)
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("suspending source %s in %s namespace", name, namespace)
+	repository.Spec.Suspend = true
+	if err := kubeClient.Update(ctx, &repository); err != nil {
+		return err
+	}
+	logger.Successf("source suspended")
+
+	return nil
+}

cmd/flux/uninstall.go

@@ -144,7 +144,7 @@ func uninstallCmdRun(cmd *cobra.Command, args []string) error {
 		if uninstallDryRun {
 			kubectlArgs = append(kubectlArgs, dryRun)
 		}
-		if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubectlArgs...); err != nil {
+		if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 			return fmt.Errorf("uninstall failed: %w", err)
 		}
 	}
@@ -164,6 +164,6 @@ func deleteAll(ctx context.Context, kind string, dryRun bool) error {
 		kubectlArgs = append(kubectlArgs, "--dry-run=server")
 	}
 
-	_, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubectlArgs...)
+	_, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubeconfig, kubecontext, kubectlArgs...)
 	return err
 }

docs/cmd/flux_create.md

@@ -33,5 +33,7 @@ The create sub-commands generate sources and resources.
 * [flux create helmrelease](flux_create_helmrelease.md)	 - Create or update a HelmRelease resource
 * [flux create kustomization](flux_create_kustomization.md)	 - Create or update a Kustomization resource
 * [flux create receiver](flux_create_receiver.md)	 - Create or update a Receiver resource
+* [flux create secret](flux_create_secret.md)	 - Create or update Kubernetes secrets
 * [flux create source](flux_create_source.md)	 - Create or update sources
+* [flux create tenant](flux_create_tenant.md)	 - Create or update a tenant
 

docs/cmd/flux_create_helmrelease.md

@@ -38,6 +38,14 @@ flux create helmrelease [name] [flags]
     --chart=podinfo \
     --values=./my-values.yaml
 
+  # Create a HelmRelease with values from a Kubernetes secret
+  kubectl -n app create secret generic my-secret-values \
+	--from-file=values.yaml=/path/to/my-secret-values.yaml
+  flux -n app create hr podinfo \
+    --source=HelmRepository/podinfo \
+    --chart=podinfo \
+    --values-from=Secret/my-secret-values
+
   # Create a HelmRelease with a custom release name
   flux create hr podinfo \
     --release-name=podinfo-dev
@@ -62,14 +70,16 @@ flux create helmrelease [name] [flags]
 ### Options
 
 ```
-      --chart string              Helm chart name or path
-      --chart-version string      Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)
-      --depends-on stringArray    HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'
-  -h, --help                      help for helmrelease
-      --release-name string       name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'
-      --source helmChartSource    source that contains the chart in the format '<kind>/<name>',where kind can be one of: (HelmRepository, GitRepository, Bucket)
-      --target-namespace string   namespace to install this release, defaults to the HelmRelease namespace
-      --values string             local path to the values.yaml file
+      --chart string                        Helm chart name or path
+      --chart-version string                Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)
+      --depends-on stringArray              HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'
+  -h, --help                                help for helmrelease
+      --release-name string                 name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'
+      --service-account string              the name of the service account to impersonate when reconciling this HelmRelease
+      --source helmChartSource              source that contains the chart in the format '<kind>/<name>',where kind can be one of: (HelmRepository, GitRepository, Bucket)
+      --target-namespace string             namespace to install this release, defaults to the HelmRelease namespace
+      --values string                       local path to the values.yaml file
+      --values-from helmReleaseValuesFrom   Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>',where kind can be one of: (Secret, ConfigMap)
 ```
 
 ### Options inherited from parent commands

docs/cmd/flux_create_kustomization.md

@@ -50,10 +50,9 @@ flux create kustomization [name] [flags]
       --health-check stringArray                 workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'
       --health-check-timeout duration            timeout of health checking operations (default 2m0s)
   -h, --help                                     help for kustomization
-      --path string                              path to the directory containing the Kustomization file (default "./")
+      --path string                              path to the directory containing a kustomization.yaml file (default "./")
       --prune                                    enable garbage collection
-      --sa-name string                           service account name
-      --sa-namespace string                      service account namespace
+      --service-account string                   the name of the service account to impersonate when reconciling this Kustomization
       --source kustomizationSource               source that contains the Kubernetes manifests in the format '[<kind>/]<name>',where kind can be one of: (GitRepository, Bucket), if kind is not specified it defaults to GitRepository
       --target-namespace string                  overrides the namespace of all Kustomization objects reconciled by this Kustomization
       --validation string                        validate the manifests before applying them on the cluster, can be 'client' or 'server'

docs/cmd/flux_create_secret.md

@@ -0,0 +1,32 @@
+## flux create secret
+
+Create or update Kubernetes secrets
+
+### Synopsis
+
+The create source sub-commands generate Kubernetes secrets specific to Flux.
+
+### Options
+
+```
+  -h, --help   help for secret
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --export              export in YAML format to stdout
+      --interval duration   source sync interval (default 1m0s)
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+      --label strings       set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux create](flux_create.md)	 - Create or update sources and resources
+* [flux create secret git](flux_create_secret_git.md)	 - Create or update a Kubernetes secret for Git authentication
+

docs/cmd/flux_create_secret_git.md

@@ -0,0 +1,78 @@
+## flux create secret git
+
+Create or update a Kubernetes secret for Git authentication
+
+### Synopsis
+
+
+The create secret git command generates a Kubernetes secret with Git credentials.
+For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
+For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.
+
+```
+flux create secret git [name] [flags]
+```
+
+### Examples
+
+```
+  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
+
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --ssh-key-algorithm=ecdsa \
+    --ssh-ecdsa-curve=p521
+
+  # Create a secret for a Git repository using basic authentication
+  flux create secret git podinfo-auth \
+    --url=https://github.com/stefanprodan/podinfo \
+    --username=username \
+    --password=password
+
+  # Create a Git SSH secret on disk and print the deploy key
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+	--export > podinfo-auth.yaml
+
+  yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
+
+  # Create a Git SSH secret on disk and encrypt it with Mozilla SOPS
+  flux create secret git podinfo-auth \
+    --namespace=apps \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+	--export > podinfo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place podinfo-auth.yaml
+
+```
+
+### Options
+
+```
+  -h, --help                                   help for git
+  -p, --password string                        basic authentication password
+      --ssh-ecdsa-curve ecdsaCurve             SSH ECDSA public key curve (p256, p384, p521) (default p384)
+      --ssh-key-algorithm publicKeyAlgorithm   SSH public key algorithm (rsa, ecdsa, ed25519) (default rsa)
+      --ssh-rsa-bits rsaKeyBits                SSH RSA public key bit size (multiplies of 8) (default 2048)
+      --url string                             git address, e.g. ssh://git@host/org/repository
+  -u, --username string                        basic authentication username
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --export              export in YAML format to stdout
+      --interval duration   source sync interval (default 1m0s)
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+      --label strings       set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux create secret](flux_create_secret.md)	 - Create or update Kubernetes secrets
+

docs/cmd/flux_create_tenant.md

@@ -0,0 +1,55 @@
+## flux create tenant
+
+Create or update a tenant
+
+### Synopsis
+
+
+The create tenant command generates namespaces, service accounts and role bindings to limit the
+reconcilers scope to the tenant namespaces.
+
+```
+flux create tenant [flags]
+```
+
+### Examples
+
+```
+  # Create a tenant with access to a namespace 
+  flux create tenant dev-team \
+    --with-namespace=frontend \
+    --label=environment=dev
+
+  # Generate tenant namespaces and role bindings in YAML format
+  flux create tenant dev-team \
+    --with-namespace=frontend \
+    --with-namespace=backend \
+	--export > dev-team.yaml
+
+```
+
+### Options
+
+```
+      --cluster-role string      cluster role of the tenant role binding (default "cluster-admin")
+  -h, --help                     help for tenant
+      --with-namespace strings   namespace belonging to this tenant
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --export              export in YAML format to stdout
+      --interval duration   source sync interval (default 1m0s)
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+      --label strings       set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux create](flux_create.md)	 - Create or update sources and resources
+

docs/cmd/flux_get_sources.md

@@ -27,6 +27,7 @@ The get source sub-commands print the statuses of the sources.
 
 * [flux get](flux_get.md)	 - Get sources and resources
 * [flux get sources bucket](flux_get_sources_bucket.md)	 - Get Bucket source statuses
+* [flux get sources chart](flux_get_sources_chart.md)	 - Get HelmChart statuses
 * [flux get sources git](flux_get_sources_git.md)	 - Get GitRepository source statuses
 * [flux get sources helm](flux_get_sources_helm.md)	 - Get HelmRepository source statuses
 

docs/cmd/flux_get_sources_bucket.md

@@ -16,6 +16,9 @@ flux get sources bucket [flags]
   # List all Buckets and their status
   flux get sources bucket
 
+ # List buckets from all namespaces
+  flux get sources helm --all-namespaces
+
 ```
 
 ### Options

docs/cmd/flux_get_sources_chart.md

@@ -0,0 +1,44 @@
+## flux get sources chart
+
+Get HelmChart statuses
+
+### Synopsis
+
+The get sources chart command prints the status of the HelmCharts.
+
+```
+flux get sources chart [flags]
+```
+
+### Examples
+
+```
+  # List all Helm charts and their status
+  flux get sources chart
+
+ # List Helm charts from all namespaces
+  flux get sources chart --all-namespaces
+
+```
+
+### Options
+
+```
+  -h, --help   help for chart
+```
+
+### Options inherited from parent commands
+
+```
+  -A, --all-namespaces      list the requested object(s) across all namespaces
+      --context string      kubernetes context to use
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux get sources](flux_get_sources.md)	 - Get source statuses
+

docs/cmd/flux_get_sources_git.md

@@ -16,6 +16,9 @@ flux get sources git [flags]
   # List all Git repositories and their status
   flux get sources git
 
+ # List Git repositories from all namespaces
+  flux get sources git --all-namespaces
+
 ```
 
 ### Options

docs/cmd/flux_get_sources_helm.md

@@ -16,6 +16,9 @@ flux get sources helm [flags]
   # List all Helm repositories and their status
   flux get sources helm
 
+ # List Helm repositories from all namespaces
+  flux get sources helm --all-namespaces
+
 ```
 
 ### Options

docs/cmd/flux_resume.md

@@ -29,4 +29,5 @@ The resume sub-commands resume a suspended resource.
 * [flux resume helmrelease](flux_resume_helmrelease.md)	 - Resume a suspended HelmRelease
 * [flux resume kustomization](flux_resume_kustomization.md)	 - Resume a suspended Kustomization
 * [flux resume receiver](flux_resume_receiver.md)	 - Resume a suspended Receiver
+* [flux resume source](flux_resume_source.md)	 - Resume sources
 

docs/cmd/flux_resume_source.md

@@ -0,0 +1,32 @@
+## flux resume source
+
+Resume sources
+
+### Synopsis
+
+The resume sub-commands resume a suspended source.
+
+### Options
+
+```
+  -h, --help   help for source
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux resume](flux_resume.md)	 - Resume suspended resources
+* [flux resume source bucket](flux_resume_source_bucket.md)	 - Resume a suspended Bucket
+* [flux resume source chart](flux_resume_source_chart.md)	 - Resume a suspended HelmChart
+* [flux resume source git](flux_resume_source_git.md)	 - Resume a suspended GitRepository
+* [flux resume source helm](flux_resume_source_helm.md)	 - Resume a suspended HelmRepository
+

docs/cmd/flux_resume_source_bucket.md

@@ -0,0 +1,40 @@
+## flux resume source bucket
+
+Resume a suspended Bucket
+
+### Synopsis
+
+The resume command marks a previously suspended Bucket resource for reconciliation and waits for it to finish.
+
+```
+flux resume source bucket [name] [flags]
+```
+
+### Examples
+
+```
+  # Resume reconciliation for an existing Bucket
+  flux resume source bucket podinfo
+
+```
+
+### Options
+
+```
+  -h, --help   help for bucket
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux resume source](flux_resume_source.md)	 - Resume sources
+

docs/cmd/flux_resume_source_chart.md

@@ -0,0 +1,40 @@
+## flux resume source chart
+
+Resume a suspended HelmChart
+
+### Synopsis
+
+The resume command marks a previously suspended HelmChart resource for reconciliation and waits for it to finish.
+
+```
+flux resume source chart [name] [flags]
+```
+
+### Examples
+
+```
+  # Resume reconciliation for an existing HelmChart
+  flux resume source chart podinfo
+
+```
+
+### Options
+
+```
+  -h, --help   help for chart
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux resume source](flux_resume_source.md)	 - Resume sources
+

docs/cmd/flux_resume_source_git.md

@@ -0,0 +1,40 @@
+## flux resume source git
+
+Resume a suspended GitRepository
+
+### Synopsis
+
+The resume command marks a previously suspended GitRepository resource for reconciliation and waits for it to finish.
+
+```
+flux resume source git [name] [flags]
+```
+
+### Examples
+
+```
+  # Resume reconciliation for an existing GitRepository
+  flux resume source git podinfo
+
+```
+
+### Options
+
+```
+  -h, --help   help for git
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux resume source](flux_resume_source.md)	 - Resume sources
+

docs/cmd/flux_resume_source_helm.md

@@ -0,0 +1,40 @@
+## flux resume source helm
+
+Resume a suspended HelmRepository
+
+### Synopsis
+
+The resume command marks a previously suspended HelmRepository resource for reconciliation and waits for it to finish.
+
+```
+flux resume source helm [name] [flags]
+```
+
+### Examples
+
+```
+  # Resume reconciliation for an existing HelmRepository
+  flux resume source helm bitnami
+
+```
+
+### Options
+
+```
+  -h, --help   help for helm
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux resume source](flux_resume_source.md)	 - Resume sources
+

docs/cmd/flux_suspend.md

@@ -29,4 +29,5 @@ The suspend sub-commands suspend the reconciliation of a resource.
 * [flux suspend helmrelease](flux_suspend_helmrelease.md)	 - Suspend reconciliation of HelmRelease
 * [flux suspend kustomization](flux_suspend_kustomization.md)	 - Suspend reconciliation of Kustomization
 * [flux suspend receiver](flux_suspend_receiver.md)	 - Suspend reconciliation of Receiver
+* [flux suspend source](flux_suspend_source.md)	 - Suspend sources
 

docs/cmd/flux_suspend_source.md

@@ -0,0 +1,32 @@
+## flux suspend source
+
+Suspend sources
+
+### Synopsis
+
+The suspend sub-commands suspend the reconciliation of a source.
+
+### Options
+
+```
+  -h, --help   help for source
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux suspend](flux_suspend.md)	 - Suspend resources
+* [flux suspend source bucket](flux_suspend_source_bucket.md)	 - Suspend reconciliation of a Bucket
+* [flux suspend source chart](flux_suspend_source_chart.md)	 - Suspend reconciliation of a HelmChart
+* [flux suspend source git](flux_suspend_source_git.md)	 - Suspend reconciliation of a GitRepository
+* [flux suspend source helm](flux_suspend_source_helm.md)	 - Suspend reconciliation of a HelmRepository
+

docs/cmd/flux_suspend_source_bucket.md

@@ -0,0 +1,40 @@
+## flux suspend source bucket
+
+Suspend reconciliation of a Bucket
+
+### Synopsis
+
+The suspend command disables the reconciliation of a Bucket resource.
+
+```
+flux suspend source bucket [name] [flags]
+```
+
+### Examples
+
+```
+  # Suspend reconciliation for an existing Bucket
+  flux suspend source bucket podinfo
+
+```
+
+### Options
+
+```
+  -h, --help   help for bucket
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux suspend source](flux_suspend_source.md)	 - Suspend sources
+

docs/cmd/flux_suspend_source_chart.md

@@ -0,0 +1,40 @@
+## flux suspend source chart
+
+Suspend reconciliation of a HelmChart
+
+### Synopsis
+
+The suspend command disables the reconciliation of a HelmChart resource.
+
+```
+flux suspend source chart [name] [flags]
+```
+
+### Examples
+
+```
+  # Suspend reconciliation for an existing HelmChart
+  flux suspend source chart podinfo
+
+```
+
+### Options
+
+```
+  -h, --help   help for chart
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux suspend source](flux_suspend_source.md)	 - Suspend sources
+

docs/cmd/flux_suspend_source_git.md

@@ -0,0 +1,40 @@
+## flux suspend source git
+
+Suspend reconciliation of a GitRepository
+
+### Synopsis
+
+The suspend command disables the reconciliation of a GitRepository resource.
+
+```
+flux suspend source git [name] [flags]
+```
+
+### Examples
+
+```
+  # Suspend reconciliation for an existing GitRepository
+  flux suspend source git podinfo
+
+```
+
+### Options
+
+```
+  -h, --help   help for git
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux suspend source](flux_suspend_source.md)	 - Suspend sources
+

docs/cmd/flux_suspend_source_helm.md

@@ -0,0 +1,40 @@
+## flux suspend source helm
+
+Suspend reconciliation of a HelmRepository
+
+### Synopsis
+
+The suspend command disables the reconciliation of a HelmRepository resource.
+
+```
+flux suspend source helm [name] [flags]
+```
+
+### Examples
+
+```
+  # Suspend reconciliation for an existing HelmRepository
+  flux suspend source helm bitnami
+
+```
+
+### Options
+
+```
+  -h, --help   help for helm
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux suspend source](flux_suspend_source.md)	 - Suspend sources
+

docs/get-started/index.md

@@ -34,6 +34,11 @@ curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
 
 The install script downloads the flux binary to `/usr/local/bin`.
 
+If using Arch Linux, install the latest stable version from **AUR** using
+either [flux-bin](https://aur.archlinux.org/packages/flux-bin) (pre-built
+binary) or [flux-go](https://aur.archlinux.org/packages/flux-go) (locally built
+binary).
+
 Binaries for **macOS**, **Windows** and **Linux** AMD64/ARM are available for download on the
 [release page](https://github.com/fluxcd/flux2/releases).
 

docs/guides/flux-v1-migration.md

@@ -60,7 +60,7 @@ Flux v1 repository to the bootstrap one.
 ## In-place migration
 
 !!! warning
-    For production use we recommend using the **bootstrap** procedure,
+    For production use we recommend using the **bootstrap** procedure (see the [Gitops migration](#gitops-migration) section above),
     but if you wish to install Flux v2 in the 
     same way as Flux v1 then follow along.
 

docs/guides/helmreleases.md

@@ -257,6 +257,83 @@ The definition of the listed keys is as follows:
     You can read more about the available formats and limitations in
     the [Helm documentation](https://helm.sh/docs/intro/using_helm/#the-format-and-limitations-of---set).
 
+## Refer to values in `ConfigMaps` generated with Kustomize
+
+It is possible to use Kustomize [ConfigMap generator](https://kubectl.docs.kubernetes.io/references/kustomize/configmapgenerator/)
+to trigger a Helm release upgrade every time the encoded values change.
+
+First create a `kustomizeconfig.yaml` for Kustomize to be able to patch
+`ConfigMaps` referenced in `HelmRelease` manifests:
+
+```yaml
+nameReference:
+- kind: ConfigMap
+  version: v1
+  fieldSpecs:
+  - path: spec/valuesFrom/name
+    kind: HelmRelease
+```
+
+Create a `HelmRelease` definition that references a `ConfigMap`:
+
+```yaml
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: podinfo
+spec:
+  interval: 5m
+  releaseName: podinfo
+  chart:
+    spec:
+      chart: podinfo
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+  valuesFrom:
+    - kind: ConfigMap
+      name: podinfo-values
+```
+
+Create a `kustomization.yaml` that generates the `ConfigMap` using our kustomize config:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: podinfo
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+configMapGenerator:
+  - name: podinfo-values
+    files:
+      - values.yaml=my-values.yaml
+configurations:
+  - kustomizeconfig.yaml
+```
+
+When [kustomize-controller](../components/kustomize/controller.md) reconciles the above manifests, it will generate
+a unique name of the `ConfigMap` every time `my-values.yaml` content is updated in Git:
+
+```yaml
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: podinfo
+spec:
+  valuesFrom:
+  - kind: ConfigMap
+    name: podinfo-values-2mh2t8m94h
+```
+
+!!! hint "Note"
+    Stale `ConfigMaps`, previously generated by Kustomize, will be
+    removed from the cluster by kustomize-controller if
+    [pruning](../components/kustomize/kustomization/#garbage-collection) is enabled.
+
 ## Refer to values inside the chart
 
 It is possible to replace the `values.yaml` with a different file present inside the Helm chart.

docs/guides/installation.md

@@ -84,12 +84,17 @@ cluster e.g. `clusters/staging` and `clusters/production`:
     └── flux-system
 ```
 
+After running bootstrap you can place Kubernetes YAMLs inside a dir under path
+e.g. `clusters/staging/my-app`, and Flux will reconcile them on your cluster.
+
 !!! hint "Change the default branch"
     If you wish to change the branch to something else than main, create the repository manually,
     push a branch to origin and then use `flux bootstrap <GIT-PROVIDER> --branch=your-branch`.
 
 For examples on how you can structure your Git repository see:
+
 * [flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example)
+* [flux2-multi-tenancy](https://github.com/fluxcd/flux2-multi-tenancy)
 
 ### GitHub and GitHub Enterprise
 
@@ -439,6 +444,12 @@ For testing purposes you can install Flux without storing its manifests in a Git
 flux install --arch=amd64
 ```
 
+Or using kubectl:
+
+```sh
+kubectl apply -f https://github.com/fluxcd/flux2/releases/latest/download/install.yaml
+```
+
 Then you can register Git repositories and reconcile them on your cluster:
 
 ```sh
@@ -473,12 +484,80 @@ flux create helmrelease nginx \
   --chart-version="5.x.x"
 ```
 
-## Monitoring with Prometheus and Grafana
+## Upgrade 
 
-Flux comes with a monitoring stack composed of Prometheus and Grafana. The controllers expose
-metrics that can be used to track the readiness of the cluster reconciliation process.
+Update Flux CLI to the latest release with `brew upgrade fluxcd/tap/flux` or by 
+downloading the binary from [GitHub](https://github.com/fluxcd/flux2/releases).
 
-To install the monitoring stack please follow this [guide](monitoring.md).
+Verify that you are running the latest version with:
+
+```sh
+flux --version
+```
+
+### Bootstrap upgrade
+
+If you've used the [bootstrap](#bootstrap) procedure to deploy Flux,
+then rerun the bootstrap command for each cluster using the same arguments as before:
+
+```sh
+flux bootstrap github \
+  --owner=my-github-username \
+  --repository=my-repository \
+  --branch=main \
+  --path=clusters/my-cluster \
+  --personal
+```
+
+The above command will clone the repository, it will update the components manifest in
+`<path>/flux-system/gotk-components.yaml` and it will push the changes to the remote branch.
+
+Tell Flux to pull the manifests from Git and upgrade itself with:
+
+```sh
+flux reconcile source git flux-system
+```
+
+Verify that the controllers have been upgrade with:
+
+```sh
+flux check
+```
+
+!!! hint "Automated upgrades"
+    You can automate the components manifest update with GitHub Actions
+    and open a PR when there is a new Flux version available.
+    For more details please see [Flux GitHub Action docs](https://github.com/fluxcd/flux2/tree/main/action).
+
+### Terraform upgrade
+
+Update the Flux provider to the [latest release](https://github.com/fluxcd/terraform-provider-flux/releases)
+and run `terraform apply`.
+
+Tell Flux to upgrade itself in-cluster or wait for it to pull the latest commit from Git:
+
+```sh
+kubectl annotate --overwrite gitrepository/flux-system reconcile.fluxcd.io/requestedAt="$(date +%s)"
+```
+
+### In-cluster upgrade
+
+If you've installed Flux directly on the cluster, then rerun the install command:
+
+```sh
+flux install --version=latest
+```
+
+The above command will download the latest manifests from
+[GitHub](https://github.com/fluxcd/flux2/releases) and it will apply them on your cluster.
+You can verify that the controllers have been upgraded to the latest version with `flux check`.
+
+If you've installed Flux directly on the cluster with kubectl,
+then rerun the command using the latest manifests from the `main` branch:
+
+```sh
+kustomize build https://github.com/fluxcd/flux2/manifests/install?ref=main | kubectl apply -f-
+```
 
 ## Uninstall
 

docs/guides/mozilla-sops.md

@@ -78,6 +78,9 @@ sops --encrypt \
 
 You can now commit the encrypted secret to your Git repository.
 
+!!! hint
+    Note that you shouldn't apply the encrypted secrets onto the cluster with kubectl. SOPS encrypted secrets are designed to be consumed by kustomize-controller.
+
 ## Configure secrets decryption
 
 Registry the Git repository on your cluster:
@@ -101,13 +104,36 @@ flux create kustomization my-secrets \
 Note that the `sops-gpg` can contain more than one key, sops will try to decrypt the
 secrets by iterating over all the private keys until it finds one that works.
 
-!!! hint KMS
-    When using AWS/GCP KMS, you'll have to bind an IAM Role
-    with read access to the KMS keys to the `default` service account of the
-    `flux-system` namespace for kustomize-controller to be able to fetch
-    keys from KMS. When using Azure Key Vault you need to authenticate the kustomize controller either by passing
-    [Service Principal credentials as environment variables](https://github.com/mozilla/sops#encrypting-using-azure-key-vault)
-    or with [add-pod-identity](https://github.com/Azure/aad-pod-identity).
+### AWS/Azure/GCP
+
+When using AWS/GCP KMS, you'll have to bind an IAM Role with access to the KMS
+keys to the `default` service account of the `flux-system` namespace for
+kustomize-controller to be able to fetch keys from KMS.
+
+AWS IAM Role example:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:DescribeKey"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:kms:eu-west-1:XXXXX209540:key/4f581f5b-7f78-45e9-a543-83a7022e8105"
+        }
+    ]
+}
+```
+
+When using Azure Key Vault you need to authenticate the kustomize controller either by passing
+[Service Principal credentials as environment variables](https://github.com/mozilla/sops#encrypting-using-azure-key-vault)
+or with [add-pod-identity](https://github.com/Azure/aad-pod-identity).
 
 ## GitOps workflow
 

docs/index.md

@@ -86,6 +86,7 @@ Depending on what you want to do, some of the following bits might be your first
 
 ### Featured Talks
 
+- 24 Nov 2020 - [Flux CD v2 with GitOps Toolkit - Kubernetes Deployment and Sync Mechanism](https://youtu.be/R6OeIgb7lUI)
 - 19 Oct 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 2 with Leigh Capili](https://youtu.be/fC2YCxQRUwU)
 - 28 Oct 2020 - [The Kubelist Podcast: Flux with Michael Bridgen](https://www.heavybit.com/library/podcasts/the-kubelist-podcast/ep-5-flux-with-michael-bridgen-of-weaveworks/)
 - 19 Oct 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 1 with Leigh Capili](https://youtu.be/0v5bjysXTL8)

docs/roadmap/index.md

@@ -14,6 +14,11 @@ All of the above will constitute "Flux v2".
 
 [= 100% "100%"]
 
+Flux v2 read-only is ready to try. See the [Getting
+Started](https://toolkit.fluxcd.io/get-started/) how-to, and the
+[Migration
+guide](https://toolkit.fluxcd.io/guides/flux-v1-migration/).
+
 This would be the first stepping stone: we want Flux v2 to be on-par with today's Flux in
 [read-only mode](https://github.com/fluxcd/flux/blob/master/docs/faq.md#can-i-run-flux-with-readonly-git-access)
 and [FluxCloud](https://github.com/justinbarrick/fluxcloud) notifications.
@@ -43,7 +48,11 @@ Tasks
 
 ### Flux image update feature parity
 
-[= 30% "30%"]
+[= 70% "70%"]
+
+Image automation is available as a prerelease. See [the
+README](https://github.com/fluxcd/image-automation-controller#readme)
+for instructions on installing it.
 
 Goals
 
@@ -55,12 +64,17 @@ Non-Goals
 
 Tasks
 
-- [x]  <span style="color:grey">[Design the image scanning and automation API](https://github.com/fluxcd/flux2/discussions/107)</span>
-- [ ]  Implement an image scanning controller
-- [x]  <span style="color:grey">Design the automation component</span>
-- [ ]  Implement the image scan/patch/push workflow
-- [ ]  Integrate the new components in the Flux CLI
-- [ ]  Create a migration guide from Flux annotations
+- [x] <span style="color:grey">[Design the image scanning and automation API](https://github.com/fluxcd/flux2/discussions/107)</span>
+- [x] <span style="color:grey">Implement an image scanning controller</span>
+- [x] <span style="color:grey">Public image repo support</span>
+- [x] <span style="color:grey">Credentials from Secret [fluxcd/image-reflector-controller#35](https://github.com/fluxcd/image-reflector-controller/pull/35)</span>
+- [ ] ECR-specific support [fluxcd/image-reflector-controller#11](https://github.com/fluxcd/image-reflector-controller/issues/11)
+- [ ] GCR-specific support [fluxcd/image-reflector-controller#11](https://github.com/fluxcd/image-reflector-controller/issues/11)
+- [ ] Azure-specific support [fluxcd/image-reflector-controller#11](https://github.com/fluxcd/image-reflector-controller/issues/11)
+- [x] <span style="color:grey">Design the automation component</span>
+- [x] <span style="color:grey">Implement the image scan/patch/push workflow</span>
+- [ ] Integrate the new components in the Flux CLI [fluxcd/flux2#538](https://github.com/fluxcd/flux2/pull/538)
+- [ ] Write a migration guide from Flux annotations
 
 ## The road to Helm Operator v2
 
@@ -68,6 +82,11 @@ Tasks
 
 [= 100% "100%"]
 
+Helm support in Flux v2 is ready to try. See the [Helm controller
+guide](https://toolkit.fluxcd.io/guides/helmreleases/), and the [Helm
+controller migration
+guide](https://toolkit.fluxcd.io/guides/helm-operator-migration/).
+
 Goals
 
 -  Offer a migration guide for those that are using Helm Operator with Helm v3 and charts from
@@ -93,4 +112,4 @@ Tasks
 - [x]  <span style="color:grey">Implement support for referring to an alternative chart values file</span>
 - [x]  <span style="color:grey">Stabilize API</span>
 - [x]  <span style="color:grey">[Create a migration guide for Helm Operator users](../guides/helm-operator-migration.md)</span>
-- [ ] [Gather feedback on the migration guide](https://github.com/fluxcd/flux2/discussions/413)
+- [ ] [Gather feedback on the migration guide](https://github.com/fluxcd/flux2/discussions/413)

go.mod

@@ -4,15 +4,15 @@ go 1.15
 
 require (
 	github.com/blang/semver/v4 v4.0.0
-	github.com/fluxcd/helm-controller/api v0.2.0
-	github.com/fluxcd/kustomize-controller/api v0.2.2
-	github.com/fluxcd/notification-controller/api v0.2.1
-	github.com/fluxcd/pkg/apis/meta v0.2.0
+	github.com/fluxcd/helm-controller/api v0.4.2
+	github.com/fluxcd/kustomize-controller/api v0.4.0
+	github.com/fluxcd/notification-controller/api v0.4.0
+	github.com/fluxcd/pkg/apis/meta v0.4.0
 	github.com/fluxcd/pkg/git v0.0.7
-	github.com/fluxcd/pkg/runtime v0.2.0
+	github.com/fluxcd/pkg/runtime v0.3.1
 	github.com/fluxcd/pkg/ssh v0.0.5
 	github.com/fluxcd/pkg/untar v0.0.5
-	github.com/fluxcd/source-controller/api v0.2.2
+	github.com/fluxcd/source-controller/api v0.4.1
 	github.com/manifoldco/promptui v0.7.0
 	github.com/olekukonko/tablewriter v0.0.4
 	github.com/spf13/cobra v1.0.0

go.sum

@@ -1,6 +1,5 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0 h1:ROfEUZz+Gh5pa62DJWXSaonyu3StP6EA6lPEXPI6mCo=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
 cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
@@ -15,20 +14,16 @@ cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiy
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/360EntSecGroup-Skylar/excelize v1.4.1/go.mod h1:vnax29X2usfl7HHkBrX5EvSCJcmH3dT9luvxzu8iGAE=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
-github.com/Azure/go-autorest/autorest v0.9.0 h1:MRvx8gncNaXJqOoLmhNjUAKh33JJF8LyxPhomEtOsjs=
 github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
 github.com/Azure/go-autorest/autorest v0.9.6 h1:5YWtOnckcudzIw8lPPBcWOnmIFWMtHci1ZWAZulMSx0=
 github.com/Azure/go-autorest/autorest v0.9.6/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630=
-github.com/Azure/go-autorest/autorest/adal v0.5.0 h1:q2gDruN08/guU9vAjuPWff0+QIrpH6ediguzdAzXAUU=
 github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
 github.com/Azure/go-autorest/autorest/adal v0.8.2 h1:O1X4oexUxnZCaEUGsvMnr8ZGj8HI37tNezwY4npRqA0=
 github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q=
-github.com/Azure/go-autorest/autorest/date v0.1.0 h1:YGrhWfrgtFs84+h0o46rJrlmsZtyZRg470CqAXTZaGM=
 github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
 github.com/Azure/go-autorest/autorest/date v0.2.0 h1:yW+Zlqf26583pE43KhfnhFcdmSWlm5Ew6bxipnr/tbM=
 github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g=
 github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/autorest/mocks v0.2.0 h1:Ww5g4zThfD/6cLb4z6xxgeyDa7QDkizMkJKe0ysZXp0=
 github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
 github.com/Azure/go-autorest/autorest/mocks v0.3.0 h1:qJumjCaCudz+OcqE9/XtEPfvtOjOmKaui4EOpFI6zZc=
 github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM=
@@ -67,7 +62,6 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0 h1:HWo1m869IqiPhD389kmkxeTalrjNbbJTC8LXupb+sl0=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
@@ -138,28 +132,25 @@ github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQobrkAqrL+WFZwQses=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fluxcd/helm-controller/api v0.2.0 h1:HWfqy4rUlo4ck+YnTIMcwWBrfeK2sW7lHCwNBcEI5Y4=
-github.com/fluxcd/helm-controller/api v0.2.0/go.mod h1:02vw8JOlzdOysJ8p5AMp7XhPqtH9DS12VIeN46yzHY0=
-github.com/fluxcd/kustomize-controller/api v0.2.2 h1:2RSvQKPu5+FCSIyKcuKLAxxo+lCSnC0TCqfwExeZhOw=
-github.com/fluxcd/kustomize-controller/api v0.2.2/go.mod h1:rNS7iETBnm3BvZmPtaLM1otIIyiu4SPeJEL2H2X0uAc=
-github.com/fluxcd/notification-controller/api v0.2.1 h1:G08+7BjsBLV62nvmGQ/uduozR3y3ldaet9y7dX1rN2E=
-github.com/fluxcd/notification-controller/api v0.2.1/go.mod h1:p0dP0a5iosNSdxQXIddx4E0TGOIxu5/Dp8UWAs535no=
-github.com/fluxcd/pkg/apis/meta v0.1.0 h1:CfOYHYaHslhcb3QlzgKCOXl4ziCbA5zG/fUa1qFlHis=
-github.com/fluxcd/pkg/apis/meta v0.1.0/go.mod h1:nCNps5JJOcEQr3MNDmZqI4o0chjePSUYL6Q2ktDtotU=
-github.com/fluxcd/pkg/apis/meta v0.2.0 h1:bxoFQtZM6OLLj0+n3h6ga7IEWUtGEDJPc65OWiXSMvY=
-github.com/fluxcd/pkg/apis/meta v0.2.0/go.mod h1:50RLLSfqM4LlQrh/+5LiJVf7Hjdthee8WDdXBvpjBdA=
+github.com/fluxcd/helm-controller/api v0.4.2 h1:7aXPOJwUWMqg/DAoYRj8acqzSkmVXDGrZgv05VFsXG8=
+github.com/fluxcd/helm-controller/api v0.4.2/go.mod h1:2oU4Q26TW39IGC7tmJehCNJpISj8ovpU0DoRI7Y76wE=
+github.com/fluxcd/kustomize-controller/api v0.4.0 h1:QBilPNIFf5VCmJrt0L96iPWfV0lRT28n6vD+W7Kz88s=
+github.com/fluxcd/kustomize-controller/api v0.4.0/go.mod h1:NB4aJ+hSWyg6Tx6p47ZWExzjwq4sPRRYvaP02JrHrNU=
+github.com/fluxcd/notification-controller/api v0.4.0 h1:x7QwF7F/uG0JuaMaEBWqHWhy5DLJEsC3zWlj5rK6kB8=
+github.com/fluxcd/notification-controller/api v0.4.0/go.mod h1:D/PyTHO0LiwEKwpBqbzJbjolJs1Ggw/tCMaLc7BHQi4=
+github.com/fluxcd/pkg/apis/meta v0.3.0/go.mod h1:wOzQQx8CdtUQCGaLzqGu4QgnNxYkI6/wvdvlovxWhF0=
+github.com/fluxcd/pkg/apis/meta v0.4.0 h1:JChqB9GGgorW9HWKxirTVV0rzrcLyzBaVjinmqZ0iHA=
+github.com/fluxcd/pkg/apis/meta v0.4.0/go.mod h1:wOzQQx8CdtUQCGaLzqGu4QgnNxYkI6/wvdvlovxWhF0=
 github.com/fluxcd/pkg/git v0.0.7 h1:tFSYPy7tcIYfOt8H5EUERXIRz7fk0id302oQZde1NtU=
 github.com/fluxcd/pkg/git v0.0.7/go.mod h1:5Vu92x6Q3CpxDUllmB69kAkVY5jAtPpXcY2TSZ/oCJI=
-github.com/fluxcd/pkg/runtime v0.1.2 h1:bKhjJGVOJgTQTWjqhwasyt69lBItq1ZWjX04rUkiypo=
-github.com/fluxcd/pkg/runtime v0.1.2/go.mod h1:HXYTNdkK8ulcT1mhuGhio9tsX65ACKaealtd/MsnkhM=
-github.com/fluxcd/pkg/runtime v0.2.0 h1:aZmSLuyA9pF/KANf4wi7pZIICE19BKTYFSPRbl6WHtY=
-github.com/fluxcd/pkg/runtime v0.2.0/go.mod h1:P1/S8TOSuJgVPU0SRahWzbNxLWYoUwvBcPCNGc+dWWg=
+github.com/fluxcd/pkg/runtime v0.3.1 h1:UI+FQd1OgipZ6N8YxXHtKYMAu1NRFWaR/Gp1M3T6RZA=
+github.com/fluxcd/pkg/runtime v0.3.1/go.mod h1:wg33L6k5FkGEYoZta7hbUlBIscM5VZd/PfCbaEi+wK4=
 github.com/fluxcd/pkg/ssh v0.0.5 h1:rnbFZ7voy2JBlUfMbfyqArX2FYaLNpDhccGFC3qW83A=
 github.com/fluxcd/pkg/ssh v0.0.5/go.mod h1:7jXPdXZpc0ttMNz2kD9QuMi3RNn/e0DOFbj0Tij/+Hs=
 github.com/fluxcd/pkg/untar v0.0.5 h1:UGI3Ch1UIEIaqQvMicmImL1s9npQa64DJ/ozqHKB7gk=
 github.com/fluxcd/pkg/untar v0.0.5/go.mod h1:O6V9+rtl8c1mHBafgqFlJN6zkF1HS5SSYn7RpQJ/nfw=
-github.com/fluxcd/source-controller/api v0.2.2 h1:/9piUviYFbDwK0bQdVopvKJtfvrjDobsmFKXfHq5e8I=
-github.com/fluxcd/source-controller/api v0.2.2/go.mod h1:T8ATZDpVVDENdbDWIYz5kj00AUTFa0ibmBt4W3o1bJo=
+github.com/fluxcd/source-controller/api v0.4.1 h1:HiMg8XNqGEDeelGG22GfCUGgfyXffiXyluDYsRrjvLQ=
+github.com/fluxcd/source-controller/api v0.4.1/go.mod h1:MYmvbADJp/21m4C+PEY7WXCeqEErMYuhns+jnKyewqs=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -188,13 +179,10 @@ github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
 github.com/go-lintpack/lintpack v0.5.2/go.mod h1:NwZuYi2nUHho8XEIZ6SIxihrnPoqBTDqfpXvXAN0sXM=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-logr/logr v0.1.0 h1:M1Tv3VzNlEHg6uyACnRdtrploV2P7wZqH8BoQMtz0cg=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY=
 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-logr/logr v0.2.1 h1:fV3MLmabKIZ383XifUjFSwcoGee0v9qgPp8wy5svibE=
 github.com/go-logr/logr v0.2.1/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
-github.com/go-logr/zapr v0.1.0 h1:h+WVe9j6HAA01niTJPA/kKH0i7e0rLZBCwauQFcRE54=
 github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
 github.com/go-logr/zapr v0.2.0 h1:v6Ji8yBW77pva6NkJKQdHLAJKrIJKRHz0RXwPqCHSR4=
 github.com/go-logr/zapr v0.2.0/go.mod h1:qhKdvif7YF5GI9NWEpyxTSSBdGmzkNguibrdCNVPunU=
@@ -272,7 +260,6 @@ github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef h1:veQD95Isof8w9/WXiA+pa3tz3fJXkt5B7QaRBrM62gk=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA=
@@ -337,11 +324,9 @@ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
 github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk=
 github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU=
 github.com/googleapis/gnostic v0.4.1 h1:DLJCy1n/vrD4HPjOvYcT8aYQXpPIzoRZONaYwyycI+I=
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
-github.com/gophercloud/gophercloud v0.1.0 h1:P/nh25+rzXouhytV2pUHBb65fnds26Ghl8/391+sT5o=
 github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
@@ -357,7 +342,6 @@ github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVo
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-retryablehttp v0.6.4 h1:BbgctKO892xEyOXnGiaAwIoSq1QZ/SS4AhjoAh9DnfY=
 github.com/hashicorp/go-retryablehttp v0.6.4/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
 github.com/hashicorp/go-retryablehttp v0.6.7 h1:8/CAEZt/+F7kR7GevNHulKkUjLht3CPmn7egmhieNKo=
 github.com/hashicorp/go-retryablehttp v0.6.7/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
@@ -437,7 +421,6 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp
 github.com/mattn/go-runewidth v0.0.7 h1:Ei8KR0497xHyKJPAv59M1dkC+rOZCMBJ+t3fZ+twI54=
 github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw=
-github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
@@ -489,7 +472,6 @@ github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtP
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -499,7 +481,6 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
-github.com/prometheus/client_golang v1.0.0 h1:vrDKnkGzuGvhNAL56c7DBz29ZL+KxnoR0x7enabFceM=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.7.1 h1:NTGy1Ja9pByO+xAeH/qiWnLrKtr3hJPNjaVUwnjpdpA=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
@@ -510,14 +491,12 @@ github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.4.1 h1:K0MGApIoQvMw27RTdJkPbr3JZ7DNbtxQNyi5STVM6Kw=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.10.0 h1:RyRA7RzGXQZiW+tGMr7sxa85G1z0yOpM1qq5c8lNawc=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.11 h1:DhHlBtkHWPYi8O2y31JkK0TF+DGM+51OopZjH/Ia5qI=
 github.com/prometheus/procfs v0.0.11/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFBS8=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
@@ -690,14 +669,12 @@ golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7 h1:AeiKBIuRw3UomYXSbLy0Mc2dDLfdtbT/IVn4keq83P0=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6 h1:pE8b58s1HRDMi8RDc79m0HISf9D4TzseP40cEA6IGfs=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -740,7 +717,6 @@ golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4 h1:5/PjkGUjvEU5Gl6BxmvKRPpqo2uNMv4rcHBMwzk/st8=
@@ -807,7 +783,6 @@ google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsb
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
@@ -836,7 +811,6 @@ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQ
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0 h1:UhZDfRO8JRQru4/+LlLE0BRKGF8L+PICnvYZmx/fEGA=
@@ -878,35 +852,24 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI=
 k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI=
-k8s.io/api v0.18.9 h1:7VDtivqwbvLOf8hmXSd/PDSSbpCBq49MELg84EYBYiQ=
-k8s.io/api v0.18.9/go.mod h1:9u/h6sUh6FxfErv7QqetX1EB3yBMIYOBXzdcf0Gf0rc=
 k8s.io/api v0.19.3 h1:GN6ntFnv44Vptj/b+OnMW7FmzkpDoIDLZRvKX3XH9aU=
 k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs=
 k8s.io/apiextensions-apiserver v0.18.6/go.mod h1:lv89S7fUysXjLZO7ke783xOwVTm6lKizADfvUM/SS/M=
-k8s.io/apiextensions-apiserver v0.18.9 h1:tVEf8rVKh5BnXORnYYCztjbf6CSyGNMt/rAIEyfU00Q=
-k8s.io/apiextensions-apiserver v0.18.9/go.mod h1:JagmAhU0TVENzgUZqHJsjCSDh7YuV5o6g01G1Fwh7zI=
 k8s.io/apiextensions-apiserver v0.19.3 h1:WZxBypSHW4SdXHbdPTS/Jy7L2la6Niggs8BuU5o+avo=
 k8s.io/apiextensions-apiserver v0.19.3/go.mod h1:igVEkrE9TzInc1tYE7qSqxaLg/rEAp6B5+k9Q7+IC8Q=
 k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
 k8s.io/apimachinery v0.18.6/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
-k8s.io/apimachinery v0.18.9 h1:3ZABKQx3F3xPWlsGhCfUl8W+JXRRblV6Wo2A3zn0pvY=
-k8s.io/apimachinery v0.18.9/go.mod h1:PF5taHbXgTEJLU+xMypMmYTXTWPJ5LaW8bfsisxnEXk=
 k8s.io/apimachinery v0.19.3 h1:bpIQXlKjB4cB/oNpnNnV+BybGPR7iP5oYpsOTEJ4hgc=
 k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
 k8s.io/apiserver v0.18.6/go.mod h1:Zt2XvTHuaZjBz6EFYzpp+X4hTmgWGy8AthNVnTdm3Wg=
-k8s.io/apiserver v0.18.9/go.mod h1:vXQzMtUCLsGg1Bh+7Jo2mZKHpHZFCZn8eTNSepcIA1M=
 k8s.io/apiserver v0.19.3/go.mod h1:bx6dMm+H6ifgKFpCQT/SAhPwhzoeIMlHIaibomUDec0=
 k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k=
 k8s.io/client-go v0.18.6/go.mod h1:/fwtGLjYMS1MaM5oi+eXhKwG+1UHidUEXRh6cNsdO0Q=
-k8s.io/client-go v0.18.9 h1:sPHX49yOtUqv1fl49TwV3f8cC0N3etSnwgFGsIsXnZc=
-k8s.io/client-go v0.18.9/go.mod h1:UjkEetDmr40P9NX0Ok3Idt08FCf2I4mIHgjFsot77uY=
 k8s.io/client-go v0.19.3 h1:ctqR1nQ52NUs6LpI0w+a5U+xjYwflFwA13OJKcicMxg=
 k8s.io/client-go v0.19.3/go.mod h1:+eEMktZM+MG0KO+PTkci8xnbCZHvj9TqR6Q1XDUIJOM=
 k8s.io/code-generator v0.18.6/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c=
-k8s.io/code-generator v0.18.9/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c=
 k8s.io/code-generator v0.19.3/go.mod h1:moqLn7w0t9cMs4+5CQyxnfA/HV8MF6aAVENF+WZZhgk=
 k8s.io/component-base v0.18.6/go.mod h1:knSVsibPR5K6EW2XOjEHik6sdU5nCvKMrzMt2D4In14=
-k8s.io/component-base v0.18.9/go.mod h1:tUo4qZtV8m7t/U+0DgY+fcnn4BFZ480fZdzxOkWH4zk=
 k8s.io/component-base v0.19.3/go.mod h1:WhLWSIefQn8W8jxSLl5WNiR6z8oyMe/8Zywg7alOkRc=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
@@ -916,18 +879,15 @@ k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUc
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/klog/v2 v2.0.0 h1:Foj74zO6RbjjP4hBEKjnYtjjAhGg4jNynUdYF6fJrok=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
-k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6 h1:Oh3Mzx5pJ+yIumsAD0MOECPVeXsVot0UkiaCGVyfGQY=
 k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
 k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6 h1:+WnxoVtG8TMiudHBSEtrVL1egv36TkkJm+bA8AxicmQ=
 k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o=
 k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
-k8s.io/utils v0.0.0-20200603063816-c1c6865ac451 h1:v8ud2Up6QK1lNOKFgiIVrZdMg7MpmSnvtrOieolJKoE=
 k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20200729134348-d5654de09c73 h1:uJmqzgNWG7XyClnU/mLPBWwfKKF1K8Hf8whTseBgJcg=
 k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
@@ -946,7 +906,6 @@ sigs.k8s.io/kustomize/kyaml v0.9.3/go.mod h1:UTm64bSWVdBUA8EQoYCxVOaBQxUdIOr5LKW
 sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e h1:4Z09Hglb792X0kfOBBJUPFEyvVfQWrYT/l8h5EKA6JQ=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
-sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.1 h1:YXTMot5Qz/X1iBRJhAt+vI+HVttY0WkSqqhKxQ0xVbA=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=

install/flux.sh

@@ -42,7 +42,10 @@ setup_verify_arch() {
         ARCH=$(uname -m)
     fi
     case ${ARCH} in
-        arm64)
+        arm|armv6l|armv7l)
+            ARCH=arm
+            ;;
+        arm64|aarch64|armv8l)
             ARCH=arm64
             ;;
         amd64)

internal/flags/helm_release_values.go

@@ -0,0 +1,71 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flags
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/fluxcd/flux2/internal/utils"
+)
+
+var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}
+
+type HelmReleaseValuesFrom struct {
+	Kind string
+	Name string
+}
+
+func (h *HelmReleaseValuesFrom) String() string {
+	if h.Name == "" {
+		return ""
+	}
+	return fmt.Sprintf("%s/%s", h.Kind, h.Name)
+}
+
+func (h *HelmReleaseValuesFrom) Set(str string) error {
+	if strings.TrimSpace(str) == "" {
+		return fmt.Errorf("no values given, please specify %s",
+			h.Description())
+	}
+
+	sourceKind, sourceName := utils.ParseObjectKindName(str)
+	if sourceKind == "" {
+		return fmt.Errorf("invalid Kubernetes object reference '%s', must be in format <kind>/<name>", str)
+	}
+	if !utils.ContainsItemString(supportedHelmReleaseValuesFromKinds, sourceKind) {
+		return fmt.Errorf("reference kind '%s' is not supported, can be one of: %s",
+			sourceKind, strings.Join(supportedHelmReleaseValuesFromKinds, ", "))
+	}
+
+	h.Name = sourceName
+	h.Kind = sourceKind
+
+	return nil
+}
+
+func (h *HelmReleaseValuesFrom) Type() string {
+	return "helmReleaseValuesFrom"
+}
+
+func (h *HelmReleaseValuesFrom) Description() string {
+	return fmt.Sprintf(
+		"Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>',"+
+			"where kind can be one of: (%s)",
+		strings.Join(supportedHelmReleaseValuesFromKinds, ", "),
+	)
+}