Refer to authorisation model in RFC-0001

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

.github/runners/README.md

@@ -1,42 +1,72 @@
-# Flux GitHub runners
+# Flux ARM64 GitHub runners
 
-How to provision GitHub Actions self-hosted runners for Flux conformance testing.
+The Flux ARM64 end-to-end tests run on Equinix instances provisioned with Docker and GitHub self-hosted runners.
 
-## ARM64 Instance specs
+## Current instances
+
+| Runner        | Instance            | Region |
+|---------------|---------------------|--------|
+| equinix-arm-1 | flux-equinix-arm-01 | AMS1   |
+| equinix-arm-2 | flux-equinix-arm-01 | AMS1   |
+| equinix-arm-3 | flux-equinix-arm-01 | AMS1   |
+| equinix-arm-4 | flux-equinix-arm-02 | DFW2   |
+| equinix-arm-5 | flux-equinix-arm-02 | DFW2   |
+| equinix-arm-6 | flux-equinix-arm-02 | DFW2   |
+
+## Instance setup
 
 In order to add a new runner to the GitHub Actions pool,
-first create an instance on Oracle Cloud with the following configuration:
-- OS: Canonical Ubuntu 20.04
-- Shape: VM.Standard.A1.Flex
-- OCPU Count: 2 
-- Memory (GB): 12
-- Network Bandwidth (Gbps): 2
-- Local Disk: Block Storage Only  
+first create a server on Equinix with the following configuration:
+- Type: c2.large.arm
+- OS: Ubuntu 20.04
 
-Note that the instance image source must be **Canonical Ubuntu** instead of the default Oracle Linux.
-
-## ARM64 Instance setup
+### Install prerequisites
 
 - SSH into a newly created instance
 ```shell
-ssh ubuntu@<instance-public-IP>
+ssh root@<instance-public-IP>
 ``` 
-- Create the action runner dir
+
+- Create the ubuntu user
 ```shell
-mkdir -p actions-runner && cd actions-runner
+adduser ubuntu
+usermod -aG sudo ubuntu
+su - ubuntu
 ```
-- Download the provisioning script
+
+- Create the prerequisites dir
 ```shell
-curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/arm64.sh > arm64.sh \
-  && chmod +x ./arm64.sh
+mkdir -p prereq && cd prereq
 ```
+
+- Download the prerequisites script
+```shell
+curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/prereq.sh > prereq.sh \
+  && chmod +x ./prereq.sh
+```
+
+- Install the prerequisites
+```shell
+sudo ./prereq.sh
+```
+
+### Install runners
+
 - Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)
-- Run the provisioning script passing the token as the first argument
+
+- Create 3 directories `runner1`, `runner2`, `runner3`
+
+- In each dir run:
 ```shell
-sudo ./arm64.sh <TOKEN>
+curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/runner-setup.sh > runner-setup.sh \
+  && chmod +x ./runner-setup.sh
+
+./runner-setup.sh equinix-arm-<NUMBER> <TOKEN>
 ```
+
 - Reboot the instance
 ```shell
 sudo reboot
-```  
+```
+
 - Navigate to the GitHub repository [runners page](https://github.com/fluxcd/flux2/settings/actions/runners) and check the runner status

.github/runners/prereq.sh

@@ -14,19 +14,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# This script is meant to be run locally and in CI to validate the Kubernetes
-# manifests (including Flux custom resources) before changes are merged into
-# the branch synced by Flux in-cluster.
+# This script installs the prerequisites for running Flux end-to-end tests with Docker and GitHub self-hosted runners.
 
 set -eu
 
-REPOSITORY_TOKEN=$1
-REPOSITORY_URL=${2:-https://github.com/fluxcd/flux2}
-
 KIND_VERSION=0.11.1
 KUBECTL_VERSION=1.21.2
 KUSTOMIZE_VERSION=4.1.3
-GITHUB_RUNNER_VERSION=2.278.0
+GITHUB_RUNNER_VERSION=2.285.1
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq"
 
 # install prerequisites
@@ -64,10 +59,3 @@ curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/r
 
 # install runner dependencies
 ./bin/installdependencies.sh
-
-# register runner with GitHub
-sudo -u ubuntu ./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN}
-
-# start runner
-./svc.sh install
-./svc.sh start

.github/runners/runner-setup.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The Flux authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script installs a GitHub self-hosted ARM64 runner for running Flux end-to-end tests.
+
+set -eu
+
+RUNNER_NAME=$1
+REPOSITORY_TOKEN=$2
+REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}
+
+GITHUB_RUNNER_VERSION=2.285.1
+
+# download runner
+curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
+  && tar xzf actions-runner-linux-arm64.tar.gz \
+  && rm actions-runner-linux-arm64.tar.gz
+
+# register runner with GitHub
+./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN} --name ${RUNNER_NAME}
+
+# start runner
+sudo ./svc.sh install
+sudo ./svc.sh start

.github/workflows/bootstrap.yaml

@@ -91,16 +91,24 @@ jobs:
         run: |
           /tmp/flux uninstall -s --keep-namespace
           kubectl delete ns flux-system --timeout=10m --wait=true
-      - name: bootstrap reinstall
+      - name: test image automation
         run: |
+          make setup-image-automation
           /tmp/flux bootstrap github --manifests ./manifests/install/ \
           --owner=fluxcd-testing \
           --repository=${{ steps.vars.outputs.test_repo_name }} \
           --branch=main \
           --path=test-cluster \
-          --team=team-z
+          --read-write-key
+          /tmp/flux reconcile image repository podinfo
+          /tmp/flux reconcile image update flux-system
+          /tmp/flux get images all
+          /tmp/flux get images policy podinfo | grep "5.2.1"
+          /tmp/flux get image update flux-system | grep commit
         env:
           GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
+          GITHUB_ORG_NAME: fluxcd-testing
       - name: delete repository
         run: |
           curl \

.github/workflows/e2e-arm64.yaml

@@ -3,14 +3,13 @@ name: e2e-arm64
 on:
   workflow_dispatch:
   push:
-    branches: [ main, update-components, arm64-e2e ]
+    branches: [ main, update-components, equinix-runners ]
 
 jobs:
-  ampere:
-    # Runner info
-    # Owner: Stefan Prodan
+  test:
+    # Hosted on Equinix
     # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
-    runs-on: [self-hosted, Linux, ARM64]
+    runs-on: [self-hosted, Linux, ARM64, equinix]
     steps:
       - name: Checkout
         uses: actions/checkout@v2

.github/workflows/e2e.yaml

@@ -2,7 +2,7 @@ name: e2e
 
 on:
   push:
-    branches: [ main ]
+    branches: [ main, e2e* ]
   pull_request:
     branches: [ main ]
 
@@ -35,7 +35,7 @@ jobs:
           version: "1.21.x"
       - name: Setup Calico for network policy
         run: |
-          kubectl apply -f https://docs.projectcalico.org/v3.16/manifests/calico.yaml
+          kubectl apply -f https://docs.projectcalico.org/v3.20/manifests/calico.yaml
           kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
       - name: Setup Kustomize
         uses: fluxcd/pkg//actions/kustomize@main

.github/workflows/release.yaml

@@ -56,8 +56,10 @@ jobs:
       - name: Build CRDs
         run: |
           kustomize build manifests/crds > all-crds.yaml
+      # Pinned to commit before https://github.com/fluxcd/pkg/pull/189 due to
+      # introduction faulty behavior.
       - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg//actions/crdjsonschema@main
+        uses: fluxcd/pkg//actions/crdjsonschema@49e26aa2ee9e734c3233c560253fd9542afe18ae
         with:
           crd: all-crds.yaml
           output: schemas

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13 as builder
+FROM alpine:3.14 as builder
 
 RUN apk add --no-cache ca-certificates curl
 
@@ -9,7 +9,7 @@ RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECT
     -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
     kubectl version --client=true
 
-FROM alpine:3.13 as flux-cli
+FROM alpine:3.14 as flux-cli
 
 # Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
 # https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460

MAINTAINERS

@@ -12,9 +12,9 @@ should.
 
 In alphabetical order:
 
-Aurel Canciu, Sortlist <aurel@sortlist.com> (github: @relu, slack: relu)
+Aurel Canciu, NexHealth <aurel.canciu@nexhealth.com> (github: @relu, slack: relu)
 Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
-Max Jonas Werner, D2iQ <mwerner@d2iq.com> (github: @makkes, slack: max)
+Max Jonas Werner, D2iQ <max@e13.dev> (github: @makkes, slack: max)
 Philip Laine, Xenit <philip.laine@xenit.se> (github: @phillebaba, slack: phillebaba)
 Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)
 Sunny, Weaveworks <sunny@weave.works> (github: @darkowlzz, slack: darkowlzz)

Makefile

@@ -64,6 +64,9 @@ install-envtest:  setup-envtest
 setup-bootstrap-patch:
 	go run ./tests/bootstrap/main.go
 
+setup-image-automation:
+	cd tests/image-automation && go run main.go
+
 # Find or download setup-envtest
 setup-envtest:
 ifeq (, $(shell which setup-envtest))

cmd/flux/bootstrap_bitbucket_server.go

@@ -0,0 +1,279 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/spf13/cobra"
+
+	"github.com/fluxcd/flux2/internal/bootstrap"
+	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
+	"github.com/fluxcd/flux2/internal/bootstrap/provider"
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+)
+
+var bootstrapBServerCmd = &cobra.Command{
+	Use:   "bitbucket-server",
+	Short: "Bootstrap toolkit components in a Bitbucket Server repository",
+	Long: `The bootstrap bitbucket-server command creates the Bitbucket Server repository if it doesn't exists and
+commits the toolkit components manifests to the master branch.
+Then it configures the target cluster to synchronize with the repository.
+If the toolkit components are present on the cluster,
+the bootstrap command will perform an upgrade if needed.`,
+	Example: `  # Create a Bitbucket Server API token and export it as an env var
+  export BITBUCKET_TOKEN=<my-token>
+
+  # Run bootstrap for a private repository using HTTPS token authentication
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth
+
+  # Run bootstrap for a private repository using SSH authentication
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain>
+
+  # Run bootstrap for a repository path
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --path=dev-cluster --hostname=<domain>
+
+  # Run bootstrap for a public repository on a personal account
+  flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth
+
+  # Run bootstrap for a an existing repository with a branch named main
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth`,
+	RunE: bootstrapBServerCmdRun,
+}
+
+const (
+	bServerDefaultPermission = "push"
+	bServerTokenEnvVar       = "BITBUCKET_TOKEN"
+)
+
+type bServerFlags struct {
+	owner        string
+	repository   string
+	interval     time.Duration
+	personal     bool
+	username     string
+	private      bool
+	hostname     string
+	path         flags.SafeRelativePath
+	teams        []string
+	readWriteKey bool
+	reconcile    bool
+}
+
+var bServerArgs bServerFlags
+
+func init() {
+	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.owner, "owner", "", "Bitbucket Server user or project name")
+	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.repository, "repository", "", "Bitbucket Server repository name")
+	bootstrapBServerCmd.Flags().StringSliceVar(&bServerArgs.teams, "group", []string{}, "Bitbucket Server groups to be given write access (also accepts comma-separated values)")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.personal, "personal", false, "if true, the owner is assumed to be a Bitbucket Server user; otherwise a group")
+	bootstrapBServerCmd.Flags().StringVarP(&bServerArgs.username, "username", "u", "git", "authentication username")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.private, "private", true, "if true, the repository is setup or configured as private")
+	bootstrapBServerCmd.Flags().DurationVar(&bServerArgs.interval, "interval", time.Minute, "sync interval")
+	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.hostname, "hostname", "", "Bitbucket Server hostname")
+	bootstrapBServerCmd.Flags().Var(&bServerArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
+
+	bootstrapCmd.AddCommand(bootstrapBServerCmd)
+}
+
+func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
+	bitbucketToken := os.Getenv(bServerTokenEnvVar)
+	if bitbucketToken == "" {
+		var err error
+		bitbucketToken, err = readPasswordFromStdin("Please enter your Bitbucket personal access token (PAT): ")
+		if err != nil {
+			return fmt.Errorf("could not read token: %w", err)
+		}
+	}
+
+	if bServerArgs.hostname == "" {
+		return fmt.Errorf("invalid hostname %q", bServerArgs.hostname)
+	}
+
+	if err := bootstrapValidate(); err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	if err != nil {
+		return err
+	}
+
+	// Manifest base
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+		bootstrapArgs.version = ver
+	}
+	manifestsBase, err := buildEmbeddedManifestBase()
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(manifestsBase)
+
+	user := bServerArgs.username
+	if bServerArgs.personal {
+		user = bServerArgs.owner
+	}
+
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+
+	// Build Bitbucket Server provider
+	providerCfg := provider.Config{
+		Provider: provider.GitProviderStash,
+		Hostname: bServerArgs.hostname,
+		Username: user,
+		Token:    bitbucketToken,
+		CaBundle: caBundle,
+	}
+
+	providerClient, err := provider.BuildGitProvider(providerCfg)
+	if err != nil {
+		return err
+	}
+
+	// Lazy go-git repository
+	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+	if err != nil {
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+	gitClient := gogit.New(tmpDir, &http.BasicAuth{
+		Username: user,
+		Password: bitbucketToken,
+	})
+
+	// Install manifest config
+	installOptions := install.Options{
+		BaseURL:                rootArgs.defaults.BaseURL,
+		Version:                bootstrapArgs.version,
+		Namespace:              rootArgs.namespace,
+		Components:             bootstrapComponents(),
+		Registry:               bootstrapArgs.registry,
+		ImagePullSecret:        bootstrapArgs.imagePullSecret,
+		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
+		NetworkPolicy:          bootstrapArgs.networkPolicy,
+		LogLevel:               bootstrapArgs.logLevel.String(),
+		NotificationController: rootArgs.defaults.NotificationController,
+		ManifestFile:           rootArgs.defaults.ManifestFile,
+		Timeout:                rootArgs.timeout,
+		TargetPath:             bServerArgs.path.ToSlash(),
+		ClusterDomain:          bootstrapArgs.clusterDomain,
+		TolerationKeys:         bootstrapArgs.tolerationKeys,
+	}
+	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
+		installOptions.BaseURL = customBaseURL
+	}
+
+	// Source generation and secret config
+	secretOpts := sourcesecret.Options{
+		Name:         bootstrapArgs.secretName,
+		Namespace:    rootArgs.namespace,
+		TargetPath:   bServerArgs.path.String(),
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
+	}
+	if bootstrapArgs.tokenAuth {
+		if bServerArgs.personal {
+			secretOpts.Username = bServerArgs.owner
+		} else {
+			secretOpts.Username = bServerArgs.username
+		}
+		secretOpts.Password = bitbucketToken
+
+		if bootstrapArgs.caFile != "" {
+			secretOpts.CAFilePath = bootstrapArgs.caFile
+		}
+	} else {
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
+		secretOpts.SSHHostname = bServerArgs.hostname
+
+		if bootstrapArgs.privateKeyFile != "" {
+			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
+		}
+		if bootstrapArgs.sshHostname != "" {
+			secretOpts.SSHHostname = bootstrapArgs.sshHostname
+		}
+	}
+
+	// Sync manifest config
+	syncOpts := sync.Options{
+		Interval:          bServerArgs.interval,
+		Name:              rootArgs.namespace,
+		Namespace:         rootArgs.namespace,
+		Branch:            bootstrapArgs.branch,
+		Secret:            bootstrapArgs.secretName,
+		TargetPath:        bServerArgs.path.ToSlash(),
+		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		GitImplementation: sourceGitArgs.gitImplementation.String(),
+		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
+	}
+
+	// Bootstrap config
+	bootstrapOpts := []bootstrap.GitProviderOption{
+		bootstrap.WithProviderRepository(bServerArgs.owner, bServerArgs.repository, bServerArgs.personal),
+		bootstrap.WithBranch(bootstrapArgs.branch),
+		bootstrap.WithBootstrapTransportType("https"),
+		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
+		bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
+		bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
+		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
+		bootstrap.WithLogger(logger),
+		bootstrap.WithCABundle(caBundle),
+	}
+	if bootstrapArgs.sshHostname != "" {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
+	}
+	if bootstrapArgs.tokenAuth {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
+	}
+	if !bServerArgs.private {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
+	}
+	if bServerArgs.reconcile {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
+	}
+
+	// Setup bootstrapper with constructed configs
+	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
+	if err != nil {
+		return err
+	}
+
+	// Run
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
+}

cmd/flux/bootstrap_github.go

@@ -140,11 +140,20 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	defer os.RemoveAll(manifestsBase)
 
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
 	// Build GitHub provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitHub,
 		Hostname: githubArgs.hostname,
 		Token:    ghToken,
+		CaBundle: caBundle,
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
@@ -233,6 +242,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithReadWriteKeyPermissions(githubArgs.readWriteKey),
 		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
 		bootstrap.WithLogger(logger),
+		bootstrap.WithCABundle(caBundle),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/bootstrap_gitlab.go

@@ -144,11 +144,21 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	defer os.RemoveAll(manifestsBase)
 
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+
 	// Build GitLab provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitLab,
 		Hostname: gitlabArgs.hostname,
 		Token:    glToken,
+		CaBundle: caBundle,
 	}
 	// Workaround for: https://github.com/fluxcd/go-git-providers/issues/55
 	if hostname := providerCfg.Hostname; hostname != glDefaultDomain &&
@@ -246,6 +256,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithReadWriteKeyPermissions(gitlabArgs.readWriteKey),
 		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
 		bootstrap.WithLogger(logger),
+		bootstrap.WithCABundle(caBundle),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/create_secret_git_test.go

@@ -22,12 +22,12 @@ func TestCreateGitSecret(t *testing.T) {
 		},
 		{
 			name:   "ssh key",
-			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/rsa.private --namespace=my-namespace --export",
+			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa.private --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret.yaml"),
 		},
 		{
 			name:   "ssh key with password",
-			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/rsa-password.private --password=password --namespace=my-namespace --export",
+			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
 		},
 	}

cmd/flux/testdata/create_secret/git/ecdsa-password.private

@@ -0,0 +1,10 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABA9i7hZ7m
+UBPxF7GuUswZiXAAAAEAAAAAEAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz
+dHAyNTYAAABBBOOAQfhwylg6WhJRXha2K1dJY5BG12nsS7YyFlKPAovOAC8d8rTOzjjDWu
+kG24JVRrXoWUN6eWWvxDvMd5pZT1wAAADAepYZPGTQnH6genhU+y9aD1GFO8BsODIllxEq
+T8n2eLAmPWYLv4HhgtmbqtsOmTE9sVM5ynYj/dAX1SreoGeoMEVFIt1cYtWgyuJccEiK4t
+1JQLFLMKnBRTY+yIdD6gX7tLRRL/jqzMR4XZF5/Yf48lvU4h+ljuOitWH3ea9142izl2Wk
+eXAfeoezJaDntZUUEYvKMI5U6iWVni+c7vOcJFTZgBeV4i54ua06tY5mE/mWARldiSDtJG
+yGEOankDnf
+-----END OPENSSH PRIVATE KEY-----

cmd/flux/testdata/create_secret/git/ecdsa.private

@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQTuiu+gGwLIu9E5J4vRshoIBHScKx4Y
+f9oniWMsLFHXq5p9GJ/eb9Cr3jgNACnGOIGOqlwBQvP5rCJuaJ0pCRKUAAAAuNE1GtvRNR
+rbAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6K76AbAsi70Tkn
+i9GyGggEdJwrHhh/2ieJYywsUdermn0Yn95v0KveOA0AKcY4gY6qXAFC8/msIm5onSkJEp
+QAAAAhAPaO6PiN+1238KMrHg34M7XdftGypt2/UKEz2L2Pf40yAAAAH3NvbXRvY2hpb255
+ZWt3ZXJlQFNvbXRvY2hpcy1NQlA=
+-----END OPENSSH PRIVATE KEY-----

cmd/flux/testdata/create_secret/git/git-ssh-secret-password.yaml

@@ -7,46 +7,17 @@ metadata:
 stringData:
   identity: |
     -----BEGIN OPENSSH PRIVATE KEY-----
-    b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAZPOy4O0
-    XmgKgRJuR9WaShAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDmuJnVljOr
-    pA3OiaAkCJuPT+lHRb/Kuc7fByldlYihsrNjWKVa9xB844mNrpntevFJ6ESEE13ElY2O8M
-    /L58Eh4hmrzqBDtk7XnP/bJVdHAOGvEYavLEeN9K9nZdYYnyOae4OMZacA4oHxUSyrSWvl
-    LDTOOZnFYlCkVXogBcvCrg+HZe/FaHmB4R3ni9eojsX/gQII970SD6d2DLhCW3r+qNW03S
-    O8bj28xyjGLhVgNPyRimWkeZ8DpiJKm2Ccf2oYqtVp1wtrihz4QZ30cZ0KWxdf2iJKCMhp
-    e5B2F8Gw3+3ZWWA8xmg1buDwLkGmroibPY9hUAzt05E8THuwpl7GA/8xdge+LCcCdBhx+i
-    WYhcPrQOCD/5ajRM7OkjJbJwRxdZgdYDSUvQNnHYh02pj+ZYjQBARhSRCEkFnxklyNjzSD
-    ETwXO5tW57CmcegLS8ig3Z3WcgBX0sdDsttMBmlWt4fb6qPB6ctTjx/wlkC0YlHXuI+Fzm
-    CyAP8ikQk63ckAAAWQy3GOOOYpvMAgXIDYUJZnCiy4jnzpt3vX0kIpWogfwqT8QwbuhhDb
-    ogQT6mZqt88nKUlRv3eRPmeG6MebsuweMw6WJfP0ZARFJS9+nXfNSJGN+Tqze252C1w2uu
-    vlzK1GnY5pnZzpaZAf/d+UAtNXDYdWA1DlJsNsBXgIJVkc47sp/cv6EGced+UXuV+Yr80s
-    ECqqOqa+IZWxd+Buca2EWQhG2loLlk6JQ8D+vNm3yhPCrb+1BcoZgxGItL70TdLtUCsmpP
-    y+ejnIxiHl79CjSNANBA7SgjJCQWYjFTcNUb98pGMsMVKIqczNtUZrL6WiSBrLDl5luFIb
-    bZi6iQsjVU6AUd+rcTSsdCec7xnoDddytmh2oG0tHG9wlCQh9yo0NBGaBQP/euqiSgIAvZ
-    zTJTy1AUo/M6FRdMpuGoDrxDPDGj/Q4OsUQzDS0c10WHGv2TLIoloa/FvhjdOn4pXOOIOB
-    nzgRn1xEHwgmSsyyiQP8gCEWM3XgLTOZIS+B4AT6hFPGCbbRetqwKF6qG68xsoLmQ5BXJN
-    kdIKqT7BlAvvX7t80XnvWiuZUjBS2qyTJ3FWCkyaxQVmrNsfZbg4qRJ377+ip3BwuaTl3X
-    VuZEEEy6+cwc+fRL8hPbKKIAcSLjRJnGHMiPvEFcL7yMkmGhv/vd78QdF/0XfVqCGr1gH3
-    gO3O//2Bdcp7Vo9QGqlK66Cusk5HiVSv6StQdqoauW2bxF4JKm3azHL1wWkyWtf2FQD425
-    0V+qib4Qz4KALj9uPwUyP6umDSk1NSBEMohGYpbm/O/Hpr6x2XET6kYbcK/sb5pDlZ81QQ
-    A6GJ87fQyVe0FeoWwg256LiNyDTqFUKm0R508hlnzaAtMnW8TvSqmjrKfLy9YU8IaF0dcS
-    kLheF4EwU2B5exumCx5JDe/xbVw5M8bx5m9lMx1NxGwNr2HtLvgMdQCwI5KchBzC+SIfGd
-    h94Gv39xRGKAhgtBzRRC5LLnRHeBWuLroWY/MoPDH5dWsMvSDkDjaGWHczlPNeN+epv17O
-    G5rR4oyVBfbR5+/qB//1c8avbBrmMLZoFaGMYSQaX8kTcus/Xu5qoDvxlkT4mjb6VvjMq0
-    iPUDNz8hAXv6NUlAViMGNV/sKhNcHRmwqkai79p0JJ+Ni635YNY2E7mS6QwVce1KCsUMet
-    xjeDItSaLLQTaC2LfLybL9/3ppJiaOusnSN+J+yHvUIu7IsI2a9OpGRGhYIU/25r2KBtFV
-    GdSGLNOdI3CB+J6eDXwkt3BmkIVYABc12o94PAXShnCgXK4u6tcowkNKVjyIrE64tckBsr
-    l08apsj7SkTbly34MucgKya0pwBQKUXEUSHCQ70h8q4fK0dWrs7ahODXdwj0Lrp6My5eFR
-    sV24X8U7kPailGowAVh9f/7afZs9CURwlUDjaXKWewGyQ7j3WVHOXSikOfxxbdQ+19juDO
-    1h7Gtk+fKLsq0har0KDnVFSvP16f3ETKfAp5/acmXE4dnJGoo5k2Ak0QUBNIH163biBKS0
-    Y6ePms4PghUFWINzaReZi1E4NiXdWKgOLXJBta7fg+ISFCocYdBRk9w3VUZa/1IvgzNg3l
-    QxyLLH4YPcAGiSPpwcHhWxh/OMY4m6av9BslsG9ajXBpVto0X3oEa78ZuJVVXWAP2E891g
-    I/atxZ+fBkght3oIMiIuyWPeKZVNvdx1eKCU76jCEXxMrlAM47OZEJnaeMdhqPA1ICqERx
-    2L9Tq2W30mgwwP/QaDOiqNBn3UWt28ly+LqUOoQKt/w/z9YZUlpN090rs1iWOTkpamXTYd
-    o+WewKF1Ax4TbsSfNX7P1ROTeIsQCisu3iFWkym9QZ/2RcZYcEPGGAR3ve8rPS2tsy9nL8
-    4TDo1LUXShRgQxOEAsPNJ4440vY=
+    b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABA9i7hZ7m
+    UBPxF7GuUswZiXAAAAEAAAAAEAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz
+    dHAyNTYAAABBBOOAQfhwylg6WhJRXha2K1dJY5BG12nsS7YyFlKPAovOAC8d8rTOzjjDWu
+    kG24JVRrXoWUN6eWWvxDvMd5pZT1wAAADAepYZPGTQnH6genhU+y9aD1GFO8BsODIllxEq
+    T8n2eLAmPWYLv4HhgtmbqtsOmTE9sVM5ynYj/dAX1SreoGeoMEVFIt1cYtWgyuJccEiK4t
+    1JQLFLMKnBRTY+yIdD6gX7tLRRL/jqzMR4XZF5/Yf48lvU4h+ljuOitWH3ea9142izl2Wk
+    eXAfeoezJaDntZUUEYvKMI5U6iWVni+c7vOcJFTZgBeV4i54ua06tY5mE/mWARldiSDtJG
+    yGEOankDnf
     -----END OPENSSH PRIVATE KEY-----
   identity.pub: |
-    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmuJnVljOrpA3OiaAkCJuPT+lHRb/Kuc7fByldlYihsrNjWKVa9xB844mNrpntevFJ6ESEE13ElY2O8M/L58Eh4hmrzqBDtk7XnP/bJVdHAOGvEYavLEeN9K9nZdYYnyOae4OMZacA4oHxUSyrSWvlLDTOOZnFYlCkVXogBcvCrg+HZe/FaHmB4R3ni9eojsX/gQII970SD6d2DLhCW3r+qNW03SO8bj28xyjGLhVgNPyRimWkeZ8DpiJKm2Ccf2oYqtVp1wtrihz4QZ30cZ0KWxdf2iJKCMhpe5B2F8Gw3+3ZWWA8xmg1buDwLkGmroibPY9hUAzt05E8THuwpl7GA/8xdge+LCcCdBhx+iWYhcPrQOCD/5ajRM7OkjJbJwRxdZgdYDSUvQNnHYh02pj+ZYjQBARhSRCEkFnxklyNjzSDETwXO5tW57CmcegLS8ig3Z3WcgBX0sdDsttMBmlWt4fb6qPB6ctTjx/wlkC0YlHXuI+FzmCyAP8ikQk63ck=
-  known_hosts: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOOAQfhwylg6WhJRXha2K1dJY5BG12nsS7YyFlKPAovOAC8d8rTOzjjDWukG24JVRrXoWUN6eWWvxDvMd5pZT1w=
+  known_hosts: github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
   password: password
 

cmd/flux/testdata/create_secret/git/git-ssh-secret.yaml

@@ -7,44 +7,15 @@ metadata:
 stringData:
   identity: |
     -----BEGIN OPENSSH PRIVATE KEY-----
-    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
-    NhAAAAAwEAAQAAAYEAyF0WPHSGTC1fELE2N+2Inas2VsN8XyeGjMtrPfWIchOz2YCLt1of
-    HCUMgE8x2/v7tN3hZ0s5q8lqW7O9zyc6dnVvEYlmMfd0zG6ThenwANOW5pQhgRqrEKQdQA
-    OGlAUdDh9aSeynl5+1miEPGrmG2csVw2XOZBNgoqkqu13LJBUx0mJhJ4+h45KYnCfRnzJc
-    5kJ1halTbcT52aFQnX0GwtrykiHJvF/3J35Zktg60pspLFgYuRulRmQzfkNSYg494XXitn
-    V5b5H8seGeiMnS7b0yDjjVWoMfdOvn2W/qbAPKr8ro0eGEx/fZAzHj5hvLDgqJkQ+IvfrI
-    xcLRmbpJfxTJ+Pm99hSRXZTLztksCQXFy7qtqZrxxpj7zeMPqJJ8VmU5xm0vUHJKX+lKMN
-    X8TnZOZU8URXK5nF91F2SSopQXIa2O7Xtq/AuAU2A8tQnyLfnPMbIJK4VYkuQVbcO4AtVi
-    Y0rNKEJQDomF2EgAQOEPPj950gt6ZG7zRvON5UWPAAAFgD981gI/fNYCAAAAB3NzaC1yc2
-    EAAAGBAMhdFjx0hkwtXxCxNjftiJ2rNlbDfF8nhozLaz31iHITs9mAi7daHxwlDIBPMdv7
-    +7Td4WdLOavJaluzvc8nOnZ1bxGJZjH3dMxuk4Xp8ADTluaUIYEaqxCkHUADhpQFHQ4fWk
-    nsp5eftZohDxq5htnLFcNlzmQTYKKpKrtdyyQVMdJiYSePoeOSmJwn0Z8yXOZCdYWpU23E
-    +dmhUJ19BsLa8pIhybxf9yd+WZLYOtKbKSxYGLkbpUZkM35DUmIOPeF14rZ1eW+R/LHhno
-    jJ0u29Mg441VqDH3Tr59lv6mwDyq/K6NHhhMf32QMx4+Ybyw4KiZEPiL36yMXC0Zm6SX8U
-    yfj5vfYUkV2Uy87ZLAkFxcu6rama8caY+83jD6iSfFZlOcZtL1BySl/pSjDV/E52TmVPFE
-    VyuZxfdRdkkqKUFyGtju17avwLgFNgPLUJ8i35zzGyCSuFWJLkFW3DuALVYmNKzShCUA6J
-    hdhIAEDhDz4/edILemRu80bzjeVFjwAAAAMBAAEAAAGBAIffsIOg1a31GsG8GzOELqAVik
-    z+VmpE6Ja0H+6tgjEyMUWvSZA2WmCAs2CT1BEFaaU2znN47QwVE75KPs6rIJdSfdaboaUC
-    1b8IwZwPj8VPt8Z379yYVCd906Qkf/ADI7f/BQCarvBAyytRfee2pr8tXH3cnUD6bw7/v0
-    2+hlLa2KV+N7pXSgaE1F8ZFatqwNsZeI8Cy+PlrzWpknyqW5pqVhNJPIA1Z+rtYRsW7ZUC
-    ycIbn/Bv0f3RV6YpS0XZt2OvJtDp9XTOoRKCWeM0VpKqV6ACzL+Gi2lso4iw75zDZaPl+s
-    BNtozqE1GR6ee6NVNhXlcqHw2B6HCE0NqS87YI+nsLVQQ803Z36LUmQYsgCqFL7zCVwNkb
-    BBbbp2jxWRYKf7ZyNef+knVn5N2oj0x+J1fTD8SGHFrF04oIpf1fx3TcIGk8n9TA1EJPHK
-    VkOQLjbMWkPqyJEj62WdyDOYdpz/It4a6xpHaLCneUCZzEKas3OXY+IoPdNVU1zQSC2QAA
-    AMEA3gStXY04rdwWssOO+8zeHtAgTH3wIfSJYz/TcDX/MMWarmZevdv+7OzMAI7jcerkV4
-    H+wux+xl1UZ1mjgcX70tdsEXo4MdDXJNELM3Fps+be245s9EpfzF3w1x43KBeab++0TrT6
-    N5km0G61NUHwcA5flT4dsPFqwwBQLUYnr1JnbEy+FxILHH/Pr0BoxtRS3cPc/TPJEJwSgR
-    OJI/U3TIRy7A/ruN53MWg6+KOwNVBT7/ZgtJ+Bwo+nM1a3hvnFAAAAwQDr58RqF7JBmAdZ
-    tuZA6dd2sJDrWDeQ0ExUcJnHtSgLDMflssazsv1U263UKDejXw3XqLNI8rvcmdAiDvTnAv
-    nb97ofHI4wOVjA+MC///CgnvZ69Nm9RIo5EBuIg8QWq3q65Hpiea2/rQn8V2uzmNHPLOEC
-    oPv4DqUeYqOx1yW5UqmCF+ZVYbzwabuEPs/1TeE6cWQgOIe75ttsNtHyWWBH307vCFYDOD
-    EOmdToAZ0KWKxVfwIFr6CUxOKvBNntLYMAAADBANluSOCSTBvZPb/I0UJuJR3vGGSjlqwT
-    9YhcT0P2Hz2QDobo3gCGkBkLwDUkaioj/vSwYnJvidQD8FM2yfydV68o7Mhq4BbDy9K66T
-    jqWOu7AgU/aTriPfiMV7KaqfVsKhOGSlOTTxf0HpsG38yiiLXlhI2V2kdskMTTR4n3nr+H
-    tZB+zPNKJUviC/DcLo2mizjfGvGUk6DBRShVEmOIfcRUwoeBYn24tKjs/s6WIuDtGFAFZW
-    6erRhI2tHZsEN2BQAAAAd0ZXN0a2V5AQI=
+    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+    1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQTuiu+gGwLIu9E5J4vRshoIBHScKx4Y
+    f9oniWMsLFHXq5p9GJ/eb9Cr3jgNACnGOIGOqlwBQvP5rCJuaJ0pCRKUAAAAuNE1GtvRNR
+    rbAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6K76AbAsi70Tkn
+    i9GyGggEdJwrHhh/2ieJYywsUdermn0Yn95v0KveOA0AKcY4gY6qXAFC8/msIm5onSkJEp
+    QAAAAhAPaO6PiN+1238KMrHg34M7XdftGypt2/UKEz2L2Pf40yAAAAH3NvbXRvY2hpb255
+    ZWt3ZXJlQFNvbXRvY2hpcy1NQlA=
     -----END OPENSSH PRIVATE KEY-----
   identity.pub: |
-    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIXRY8dIZMLV8QsTY37YidqzZWw3xfJ4aMy2s99YhyE7PZgIu3Wh8cJQyATzHb+/u03eFnSzmryWpbs73PJzp2dW8RiWYx93TMbpOF6fAA05bmlCGBGqsQpB1AA4aUBR0OH1pJ7KeXn7WaIQ8auYbZyxXDZc5kE2CiqSq7XcskFTHSYmEnj6HjkpicJ9GfMlzmQnWFqVNtxPnZoVCdfQbC2vKSIcm8X/cnflmS2DrSmyksWBi5G6VGZDN+Q1JiDj3hdeK2dXlvkfyx4Z6IydLtvTIOONVagx906+fZb+psA8qvyujR4YTH99kDMePmG8sOComRD4i9+sjFwtGZukl/FMn4+b32FJFdlMvO2SwJBcXLuq2pmvHGmPvN4w+oknxWZTnGbS9Qckpf6Uow1fxOdk5lTxRFcrmcX3UXZJKilBchrY7te2r8C4BTYDy1CfIt+c8xsgkrhViS5BVtw7gC1WJjSs0oQlAOiYXYSABA4Q8+P3nSC3pkbvNG843lRY8=
-  known_hosts: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6K76AbAsi70Tkni9GyGggEdJwrHhh/2ieJYywsUdermn0Yn95v0KveOA0AKcY4gY6qXAFC8/msIm5onSkJEpQ=
+  known_hosts: github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
 

cmd/flux/testdata/create_secret/git/rsa-password.private

@@ -1,39 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAZPOy4O0
-XmgKgRJuR9WaShAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDmuJnVljOr
-pA3OiaAkCJuPT+lHRb/Kuc7fByldlYihsrNjWKVa9xB844mNrpntevFJ6ESEE13ElY2O8M
-/L58Eh4hmrzqBDtk7XnP/bJVdHAOGvEYavLEeN9K9nZdYYnyOae4OMZacA4oHxUSyrSWvl
-LDTOOZnFYlCkVXogBcvCrg+HZe/FaHmB4R3ni9eojsX/gQII970SD6d2DLhCW3r+qNW03S
-O8bj28xyjGLhVgNPyRimWkeZ8DpiJKm2Ccf2oYqtVp1wtrihz4QZ30cZ0KWxdf2iJKCMhp
-e5B2F8Gw3+3ZWWA8xmg1buDwLkGmroibPY9hUAzt05E8THuwpl7GA/8xdge+LCcCdBhx+i
-WYhcPrQOCD/5ajRM7OkjJbJwRxdZgdYDSUvQNnHYh02pj+ZYjQBARhSRCEkFnxklyNjzSD
-ETwXO5tW57CmcegLS8ig3Z3WcgBX0sdDsttMBmlWt4fb6qPB6ctTjx/wlkC0YlHXuI+Fzm
-CyAP8ikQk63ckAAAWQy3GOOOYpvMAgXIDYUJZnCiy4jnzpt3vX0kIpWogfwqT8QwbuhhDb
-ogQT6mZqt88nKUlRv3eRPmeG6MebsuweMw6WJfP0ZARFJS9+nXfNSJGN+Tqze252C1w2uu
-vlzK1GnY5pnZzpaZAf/d+UAtNXDYdWA1DlJsNsBXgIJVkc47sp/cv6EGced+UXuV+Yr80s
-ECqqOqa+IZWxd+Buca2EWQhG2loLlk6JQ8D+vNm3yhPCrb+1BcoZgxGItL70TdLtUCsmpP
-y+ejnIxiHl79CjSNANBA7SgjJCQWYjFTcNUb98pGMsMVKIqczNtUZrL6WiSBrLDl5luFIb
-bZi6iQsjVU6AUd+rcTSsdCec7xnoDddytmh2oG0tHG9wlCQh9yo0NBGaBQP/euqiSgIAvZ
-zTJTy1AUo/M6FRdMpuGoDrxDPDGj/Q4OsUQzDS0c10WHGv2TLIoloa/FvhjdOn4pXOOIOB
-nzgRn1xEHwgmSsyyiQP8gCEWM3XgLTOZIS+B4AT6hFPGCbbRetqwKF6qG68xsoLmQ5BXJN
-kdIKqT7BlAvvX7t80XnvWiuZUjBS2qyTJ3FWCkyaxQVmrNsfZbg4qRJ377+ip3BwuaTl3X
-VuZEEEy6+cwc+fRL8hPbKKIAcSLjRJnGHMiPvEFcL7yMkmGhv/vd78QdF/0XfVqCGr1gH3
-gO3O//2Bdcp7Vo9QGqlK66Cusk5HiVSv6StQdqoauW2bxF4JKm3azHL1wWkyWtf2FQD425
-0V+qib4Qz4KALj9uPwUyP6umDSk1NSBEMohGYpbm/O/Hpr6x2XET6kYbcK/sb5pDlZ81QQ
-A6GJ87fQyVe0FeoWwg256LiNyDTqFUKm0R508hlnzaAtMnW8TvSqmjrKfLy9YU8IaF0dcS
-kLheF4EwU2B5exumCx5JDe/xbVw5M8bx5m9lMx1NxGwNr2HtLvgMdQCwI5KchBzC+SIfGd
-h94Gv39xRGKAhgtBzRRC5LLnRHeBWuLroWY/MoPDH5dWsMvSDkDjaGWHczlPNeN+epv17O
-G5rR4oyVBfbR5+/qB//1c8avbBrmMLZoFaGMYSQaX8kTcus/Xu5qoDvxlkT4mjb6VvjMq0
-iPUDNz8hAXv6NUlAViMGNV/sKhNcHRmwqkai79p0JJ+Ni635YNY2E7mS6QwVce1KCsUMet
-xjeDItSaLLQTaC2LfLybL9/3ppJiaOusnSN+J+yHvUIu7IsI2a9OpGRGhYIU/25r2KBtFV
-GdSGLNOdI3CB+J6eDXwkt3BmkIVYABc12o94PAXShnCgXK4u6tcowkNKVjyIrE64tckBsr
-l08apsj7SkTbly34MucgKya0pwBQKUXEUSHCQ70h8q4fK0dWrs7ahODXdwj0Lrp6My5eFR
-sV24X8U7kPailGowAVh9f/7afZs9CURwlUDjaXKWewGyQ7j3WVHOXSikOfxxbdQ+19juDO
-1h7Gtk+fKLsq0har0KDnVFSvP16f3ETKfAp5/acmXE4dnJGoo5k2Ak0QUBNIH163biBKS0
-Y6ePms4PghUFWINzaReZi1E4NiXdWKgOLXJBta7fg+ISFCocYdBRk9w3VUZa/1IvgzNg3l
-QxyLLH4YPcAGiSPpwcHhWxh/OMY4m6av9BslsG9ajXBpVto0X3oEa78ZuJVVXWAP2E891g
-I/atxZ+fBkght3oIMiIuyWPeKZVNvdx1eKCU76jCEXxMrlAM47OZEJnaeMdhqPA1ICqERx
-2L9Tq2W30mgwwP/QaDOiqNBn3UWt28ly+LqUOoQKt/w/z9YZUlpN090rs1iWOTkpamXTYd
-o+WewKF1Ax4TbsSfNX7P1ROTeIsQCisu3iFWkym9QZ/2RcZYcEPGGAR3ve8rPS2tsy9nL8
-4TDo1LUXShRgQxOEAsPNJ4440vY=
------END OPENSSH PRIVATE KEY-----

cmd/flux/testdata/create_secret/git/rsa.private

@@ -1,38 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
-NhAAAAAwEAAQAAAYEAyF0WPHSGTC1fELE2N+2Inas2VsN8XyeGjMtrPfWIchOz2YCLt1of
-HCUMgE8x2/v7tN3hZ0s5q8lqW7O9zyc6dnVvEYlmMfd0zG6ThenwANOW5pQhgRqrEKQdQA
-OGlAUdDh9aSeynl5+1miEPGrmG2csVw2XOZBNgoqkqu13LJBUx0mJhJ4+h45KYnCfRnzJc
-5kJ1halTbcT52aFQnX0GwtrykiHJvF/3J35Zktg60pspLFgYuRulRmQzfkNSYg494XXitn
-V5b5H8seGeiMnS7b0yDjjVWoMfdOvn2W/qbAPKr8ro0eGEx/fZAzHj5hvLDgqJkQ+IvfrI
-xcLRmbpJfxTJ+Pm99hSRXZTLztksCQXFy7qtqZrxxpj7zeMPqJJ8VmU5xm0vUHJKX+lKMN
-X8TnZOZU8URXK5nF91F2SSopQXIa2O7Xtq/AuAU2A8tQnyLfnPMbIJK4VYkuQVbcO4AtVi
-Y0rNKEJQDomF2EgAQOEPPj950gt6ZG7zRvON5UWPAAAFgD981gI/fNYCAAAAB3NzaC1yc2
-EAAAGBAMhdFjx0hkwtXxCxNjftiJ2rNlbDfF8nhozLaz31iHITs9mAi7daHxwlDIBPMdv7
-+7Td4WdLOavJaluzvc8nOnZ1bxGJZjH3dMxuk4Xp8ADTluaUIYEaqxCkHUADhpQFHQ4fWk
-nsp5eftZohDxq5htnLFcNlzmQTYKKpKrtdyyQVMdJiYSePoeOSmJwn0Z8yXOZCdYWpU23E
-+dmhUJ19BsLa8pIhybxf9yd+WZLYOtKbKSxYGLkbpUZkM35DUmIOPeF14rZ1eW+R/LHhno
-jJ0u29Mg441VqDH3Tr59lv6mwDyq/K6NHhhMf32QMx4+Ybyw4KiZEPiL36yMXC0Zm6SX8U
-yfj5vfYUkV2Uy87ZLAkFxcu6rama8caY+83jD6iSfFZlOcZtL1BySl/pSjDV/E52TmVPFE
-VyuZxfdRdkkqKUFyGtju17avwLgFNgPLUJ8i35zzGyCSuFWJLkFW3DuALVYmNKzShCUA6J
-hdhIAEDhDz4/edILemRu80bzjeVFjwAAAAMBAAEAAAGBAIffsIOg1a31GsG8GzOELqAVik
-z+VmpE6Ja0H+6tgjEyMUWvSZA2WmCAs2CT1BEFaaU2znN47QwVE75KPs6rIJdSfdaboaUC
-1b8IwZwPj8VPt8Z379yYVCd906Qkf/ADI7f/BQCarvBAyytRfee2pr8tXH3cnUD6bw7/v0
-2+hlLa2KV+N7pXSgaE1F8ZFatqwNsZeI8Cy+PlrzWpknyqW5pqVhNJPIA1Z+rtYRsW7ZUC
-ycIbn/Bv0f3RV6YpS0XZt2OvJtDp9XTOoRKCWeM0VpKqV6ACzL+Gi2lso4iw75zDZaPl+s
-BNtozqE1GR6ee6NVNhXlcqHw2B6HCE0NqS87YI+nsLVQQ803Z36LUmQYsgCqFL7zCVwNkb
-BBbbp2jxWRYKf7ZyNef+knVn5N2oj0x+J1fTD8SGHFrF04oIpf1fx3TcIGk8n9TA1EJPHK
-VkOQLjbMWkPqyJEj62WdyDOYdpz/It4a6xpHaLCneUCZzEKas3OXY+IoPdNVU1zQSC2QAA
-AMEA3gStXY04rdwWssOO+8zeHtAgTH3wIfSJYz/TcDX/MMWarmZevdv+7OzMAI7jcerkV4
-H+wux+xl1UZ1mjgcX70tdsEXo4MdDXJNELM3Fps+be245s9EpfzF3w1x43KBeab++0TrT6
-N5km0G61NUHwcA5flT4dsPFqwwBQLUYnr1JnbEy+FxILHH/Pr0BoxtRS3cPc/TPJEJwSgR
-OJI/U3TIRy7A/ruN53MWg6+KOwNVBT7/ZgtJ+Bwo+nM1a3hvnFAAAAwQDr58RqF7JBmAdZ
-tuZA6dd2sJDrWDeQ0ExUcJnHtSgLDMflssazsv1U263UKDejXw3XqLNI8rvcmdAiDvTnAv
-nb97ofHI4wOVjA+MC///CgnvZ69Nm9RIo5EBuIg8QWq3q65Hpiea2/rQn8V2uzmNHPLOEC
-oPv4DqUeYqOx1yW5UqmCF+ZVYbzwabuEPs/1TeE6cWQgOIe75ttsNtHyWWBH307vCFYDOD
-EOmdToAZ0KWKxVfwIFr6CUxOKvBNntLYMAAADBANluSOCSTBvZPb/I0UJuJR3vGGSjlqwT
-9YhcT0P2Hz2QDobo3gCGkBkLwDUkaioj/vSwYnJvidQD8FM2yfydV68o7Mhq4BbDy9K66T
-jqWOu7AgU/aTriPfiMV7KaqfVsKhOGSlOTTxf0HpsG38yiiLXlhI2V2kdskMTTR4n3nr+H
-tZB+zPNKJUviC/DcLo2mizjfGvGUk6DBRShVEmOIfcRUwoeBYn24tKjs/s6WIuDtGFAFZW
-6erRhI2tHZsEN2BQAAAAd0ZXN0a2V5AQI=
------END OPENSSH PRIVATE KEY-----

cmd/flux/trace.go

@@ -40,7 +40,7 @@ import (
 
 var traceCmd = &cobra.Command{
 	Use:   "trace [name]",
-	Short: "trace an in-cluster object throughout the GitOps delivery pipeline",
+	Short: "Trace an in-cluster object throughout the GitOps delivery pipeline",
 	Long: `The trace command shows how an object is managed by Flux,
 from which source and revision it comes, and what's the latest reconciliation status.'`,
 	Example: `  # Trace a Kubernetes Deployment

cmd/flux/tree_kustomization.go

@@ -23,7 +23,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"strings"
 
 	"github.com/fluxcd/flux2/internal/tree"
@@ -256,7 +256,7 @@ func getHelmReleaseInventory(ctx context.Context, objectKey client.ObjectKey, ku
 			return nil, err
 		}
 		defer r.Close()
-		b2, err := ioutil.ReadAll(r)
+		b2, err := io.ReadAll(r)
 		if err != nil {
 			return nil, err
 		}

go.mod

@@ -6,19 +6,19 @@ require (
 	github.com/Masterminds/semver/v3 v3.1.0
 	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7
 	github.com/cyphar/filepath-securejoin v0.2.2
-	github.com/fluxcd/go-git-providers v0.3.1
-	github.com/fluxcd/helm-controller/api v0.12.2
-	github.com/fluxcd/image-automation-controller/api v0.17.1
-	github.com/fluxcd/image-reflector-controller/api v0.13.1
-	github.com/fluxcd/kustomize-controller/api v0.17.0
-	github.com/fluxcd/notification-controller/api v0.18.1
-	github.com/fluxcd/pkg/apis/meta v0.10.0
-	github.com/fluxcd/pkg/runtime v0.12.0
+	github.com/fluxcd/go-git-providers v0.4.0
+	github.com/fluxcd/helm-controller/api v0.14.1
+	github.com/fluxcd/image-automation-controller/api v0.18.0
+	github.com/fluxcd/image-reflector-controller/api v0.14.0
+	github.com/fluxcd/kustomize-controller/api v0.18.2
+	github.com/fluxcd/notification-controller/api v0.19.0
+	github.com/fluxcd/pkg/apis/meta v0.10.1
+	github.com/fluxcd/pkg/runtime v0.12.2
 	github.com/fluxcd/pkg/ssa v0.3.1
 	github.com/fluxcd/pkg/ssh v0.0.5
 	github.com/fluxcd/pkg/untar v0.0.5
 	github.com/fluxcd/pkg/version v0.0.1
-	github.com/fluxcd/source-controller/api v0.17.2
+	github.com/fluxcd/source-controller/api v0.19.2
 	github.com/go-errors/errors v1.4.0 // indirect
 	github.com/go-git/go-git/v5 v5.4.2
 	github.com/google/go-cmp v0.5.6

go.sum

@@ -223,25 +223,27 @@ github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZM
 github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fluxcd/go-git-providers v0.3.1 h1:9B3b7mK3XmMxZzcbes3xEJTnQlhkNURhmOY1kLijnZA=
-github.com/fluxcd/go-git-providers v0.3.1/go.mod h1:enIPrXnSOBxahS6rngohpG3d/QZ3yjjy/w+agbp97ZI=
-github.com/fluxcd/helm-controller/api v0.12.2 h1:KOJDzAQ2FfEEcQytAEakC4KuvO/WxGpsyPzRO8lxhME=
-github.com/fluxcd/helm-controller/api v0.12.2/go.mod h1:zWmzV0s2SU4rEIGLPTt+dsaMs40OsNQgSgOATgJmxB0=
-github.com/fluxcd/image-automation-controller/api v0.17.1 h1:nINAsH6ERKItuWQSH2/Iovjn6a/fu/n7WRFVrloryFE=
-github.com/fluxcd/image-automation-controller/api v0.17.1/go.mod h1:wn6XjTpUnrQ2bakHhgJNAUj53snw50J0/+36pY4zXSE=
-github.com/fluxcd/image-reflector-controller/api v0.13.1 h1:zDORBtuMk8bn0DyH5qw0yENPEA9ZUl+hZS5m8atwH1U=
-github.com/fluxcd/image-reflector-controller/api v0.13.1/go.mod h1:lgQHGFz29OHmDU5Jwg689C/M+P/f9ujt6NS0zCLT0BQ=
-github.com/fluxcd/kustomize-controller/api v0.17.0 h1:jOJegj2odhvK/NfKGLa6O/ee8theBvRrIGGezu/Mx38=
-github.com/fluxcd/kustomize-controller/api v0.17.0/go.mod h1:OhnZuXBeDl4NqbDZgpYKRg8nmsmeUIddH3vX8wxym9A=
-github.com/fluxcd/notification-controller/api v0.18.1 h1:by9+1WCgPUEMXqOiFNOFFIQROabA3Ja4hzgGaF8bLms=
-github.com/fluxcd/notification-controller/api v0.18.1/go.mod h1:t28GMWMLiLqho+ikpZrldv22/vmCsFdQR8vdJluxknc=
-github.com/fluxcd/pkg/apis/kustomize v0.1.0/go.mod h1:gEl+W5cVykCC3RfrCaqe+Pz+j4lKl2aeR4dxsom/zII=
-github.com/fluxcd/pkg/apis/kustomize v0.2.0 h1:jhu2QHvs+j3Zo9rR6w8hkO3LSC6h3M37zY5ejufOmxY=
-github.com/fluxcd/pkg/apis/kustomize v0.2.0/go.mod h1:gEl+W5cVykCC3RfrCaqe+Pz+j4lKl2aeR4dxsom/zII=
-github.com/fluxcd/pkg/apis/meta v0.10.0 h1:N7wVGHC1cyPdT87hrDC7UwCwRwnZdQM46PBSLjG2rlE=
+github.com/fluxcd/go-git-providers v0.4.0 h1:hdGGRDCNphf9FRrk297lorhwHWcST74R7cGAOZTRtSU=
+github.com/fluxcd/go-git-providers v0.4.0/go.mod h1:enIPrXnSOBxahS6rngohpG3d/QZ3yjjy/w+agbp97ZI=
+github.com/fluxcd/helm-controller/api v0.14.1 h1:aAWaYZxTI68SD1R2SpNJh8+hm9oBeIOa9nW4YX5qYjM=
+github.com/fluxcd/helm-controller/api v0.14.1/go.mod h1:NkfZ5ugs9EUUPSGHfAnNs295mf8sVKG0842aL6cFzMM=
+github.com/fluxcd/image-automation-controller/api v0.18.0 h1:/FMwAJ31s4xk5XL7AKYWT0Z9f+GpLbd55e2I1m6jg/o=
+github.com/fluxcd/image-automation-controller/api v0.18.0/go.mod h1:XqrRtH4aFOY1llgf4wx8VcSmzLsdV/xWcrPbdZjvvLg=
+github.com/fluxcd/image-reflector-controller/api v0.14.0 h1:JlwwpQENkGSxtAC7VXykpOqObsupO61easXu30jpvb0=
+github.com/fluxcd/image-reflector-controller/api v0.14.0/go.mod h1:ew7uL5XzPH3QTfNxt3BAklDh9ONrR5I2m3D7ST0zE9E=
+github.com/fluxcd/kustomize-controller/api v0.18.2 h1:rGu9R6PMFw3x0S6tVj/ZS54sJWW6/cdWe0Gga09e1AY=
+github.com/fluxcd/kustomize-controller/api v0.18.2/go.mod h1:psXYbb3lbSCbakC715fzdpUnuILra00N++t/S1UUDRM=
+github.com/fluxcd/notification-controller/api v0.19.0 h1:mSsDj30T4v/9aL2GoMY616p+6nIifD1nrZiBD/rUi8U=
+github.com/fluxcd/notification-controller/api v0.19.0/go.mod h1:SkB3tLOXouLN6PAceNCsJrJaawHt+WiUVfUSIYcpwjs=
+github.com/fluxcd/pkg/apis/acl v0.0.1 h1:biCgZMjpDSv3Q4mZPikUJILx3t2MuNXR4Oa5jRQxaNQ=
+github.com/fluxcd/pkg/apis/acl v0.0.1/go.mod h1:y3qOXUFObVWk7jzOjubMnr/u18j1kCeSi6olycnxr/E=
+github.com/fluxcd/pkg/apis/kustomize v0.3.0 h1:o7o8hHIWh+1kyx/E21b2tZpCD4tX8NRijbGioAZXSBU=
+github.com/fluxcd/pkg/apis/kustomize v0.3.0/go.mod h1:bkeOkDpm2PQamZT+RLs20ZOt3TgOdLKWmi9kVxmcdmM=
 github.com/fluxcd/pkg/apis/meta v0.10.0/go.mod h1:CW9X9ijMTpNe7BwnokiUOrLl/h13miwVr/3abEQLbKE=
-github.com/fluxcd/pkg/runtime v0.12.0 h1:BPZZ8bBkimpqGAPXqOf3LTaw+tcw6HgbWyCuzbbsJGs=
-github.com/fluxcd/pkg/runtime v0.12.0/go.mod h1:EyaTR2TOYcjL5U//C4yH3bt2tvTgIOSXpVRbWxUn/C4=
+github.com/fluxcd/pkg/apis/meta v0.10.1 h1:zISenRlqNG7WK8TP3HxZTvv+1Z7JZOUIQvZrOr6pQ2w=
+github.com/fluxcd/pkg/apis/meta v0.10.1/go.mod h1:yUblM2vg+X8TE3A2VvJfdhkGmg+uqBlSPkLk7dxi0UM=
+github.com/fluxcd/pkg/runtime v0.12.2 h1:4iOpx2j/w15kNemDOnZrF6ugJ/rhSmRu7aI+xn23+BI=
+github.com/fluxcd/pkg/runtime v0.12.2/go.mod h1:tuWdqpWPhgjQvYrSnojdZ4plyU8DRU1NDzsfOhnzl2g=
 github.com/fluxcd/pkg/ssa v0.3.1 h1:lKjTRQmSWFEXpKJadK9Fu0GSLL8lv0k5muIcc+7hZIs=
 github.com/fluxcd/pkg/ssa v0.3.1/go.mod h1:rFhWBX9/TfNwSFR+5NHOGnpl9OsWdaQrG5CggN+74EQ=
 github.com/fluxcd/pkg/ssh v0.0.5 h1:rnbFZ7voy2JBlUfMbfyqArX2FYaLNpDhccGFC3qW83A=
@@ -250,8 +252,9 @@ github.com/fluxcd/pkg/untar v0.0.5 h1:UGI3Ch1UIEIaqQvMicmImL1s9npQa64DJ/ozqHKB7g
 github.com/fluxcd/pkg/untar v0.0.5/go.mod h1:O6V9+rtl8c1mHBafgqFlJN6zkF1HS5SSYn7RpQJ/nfw=
 github.com/fluxcd/pkg/version v0.0.1 h1:/8asQoDXSThz3csiwi4Qo8Zb6blAxLXbtxNgeMJ9bCg=
 github.com/fluxcd/pkg/version v0.0.1/go.mod h1:WAF4FEEA9xyhngF8TDxg3UPu5fA1qhEYV8Pmi2Il01Q=
-github.com/fluxcd/source-controller/api v0.17.2 h1:noePJGsevuvxWols6ErbowujuAHGWb/ZO8irtRHcVAc=
-github.com/fluxcd/source-controller/api v0.17.2/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
+github.com/fluxcd/source-controller/api v0.19.0/go.mod h1:rUqw0LmoCyGUoElmtLqHc8O35WAQUd8LdgdyDA+kNs4=
+github.com/fluxcd/source-controller/api v0.19.2 h1:+C1s9KslnkA/3SIfvEkFDIesaEpzLKFkumCUYOx5lz8=
+github.com/fluxcd/source-controller/api v0.19.2/go.mod h1:rUqw0LmoCyGUoElmtLqHc8O35WAQUd8LdgdyDA+kNs4=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
@@ -469,6 +472,7 @@ github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBt
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
 github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
@@ -477,6 +481,7 @@ github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrj
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-retryablehttp v0.6.8 h1:92lWxgpa+fF3FozM4B3UZtHZMJX8T5XT+TFdCxsPyWs=
 github.com/hashicorp/go-retryablehttp v0.6.8/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
@@ -652,8 +657,6 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.12.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
-github.com/onsi/gomega v1.13.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
-github.com/onsi/gomega v1.14.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
 github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU=
 github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
@@ -862,7 +865,6 @@ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
 go.uber.org/zap v1.16.0/go.mod h1:MA8QOfq0BHJwdXa996Y4dYkAqRKB8/1K1QMMZVaNZjQ=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
-go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.19.0 h1:mZQZefskPPCMIBCSEH0v2/iUqqLrYtaeqwD6FUGUnFE=
 go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -1054,7 +1056,6 @@ golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2 h1:c8PlLMqBbOHoqtjteWm5/kbe6rNY2pbRfbIMVnepueo=
 golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@@ -1277,44 +1278,31 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.18.8/go.mod h1:d/CXqwWv+Z2XEG1LgceeDmHQwpUJhROPx16SlxJgERY=
 k8s.io/api v0.21.1/go.mod h1:FstGROTmsSHBarKc8bylzXih8BLNYTiS3TZcsoEDg2s=
-k8s.io/api v0.21.3/go.mod h1:hUgeYHUbBp23Ue4qdX9tR8/ANi/g3ehylAqDn9NWVOg=
-k8s.io/api v0.22.1/go.mod h1:bh13rkTp3F1XEaLGykbyRD2QaTTzPm0e/BMd8ptFONY=
 k8s.io/api v0.22.2 h1:M8ZzAD0V6725Fjg53fKeTJxGsJvRbk4TEm/fexHMtfw=
 k8s.io/api v0.22.2/go.mod h1:y3ydYpLJAaDI+BbSe2xmGcqxiWHmWjkEeIbiwHvnPR8=
 k8s.io/apiextensions-apiserver v0.21.1/go.mod h1:KESQFCGjqVcVsZ9g0xX5bacMjyX5emuWcS2arzdEouA=
-k8s.io/apiextensions-apiserver v0.21.3/go.mod h1:kl6dap3Gd45+21Jnh6utCx8Z2xxLm8LGDkprcd+KbsE=
-k8s.io/apiextensions-apiserver v0.22.1/go.mod h1:HeGmorjtRmRLE+Q8dJu6AYRoZccvCMsghwS8XTUYb2c=
 k8s.io/apiextensions-apiserver v0.22.2 h1:zK7qI8Ery7j2CaN23UCFaC1hj7dMiI87n01+nKuewd4=
 k8s.io/apiextensions-apiserver v0.22.2/go.mod h1:2E0Ve/isxNl7tWLSUDgi6+cmwHi5fQRdwGVCxbC+KFA=
 k8s.io/apimachinery v0.18.8/go.mod h1:6sQd+iHEqmOtALqOFjSWp2KZ9F0wlU/nWm0ZgsYWMig=
 k8s.io/apimachinery v0.21.1/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
-k8s.io/apimachinery v0.21.3/go.mod h1:H/IM+5vH9kZRNJ4l3x/fXP/5bOPJaVP/guptnZPeCFI=
-k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
+k8s.io/apimachinery v0.21.2/go.mod h1:CdTY8fU/BlvAbJ2z/8kBwimGki5Zp8/fbVuLY8gJumM=
 k8s.io/apimachinery v0.22.2 h1:ejz6y/zNma8clPVfNDLnPbleBo6MpoFy/HBiBqCouVk=
 k8s.io/apimachinery v0.22.2/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
 k8s.io/apiserver v0.18.8/go.mod h1:12u5FuGql8Cc497ORNj79rhPdiXQC4bf53X/skR/1YM=
 k8s.io/apiserver v0.21.1/go.mod h1:nLLYZvMWn35glJ4/FZRhzLG/3MPxAaZTgV4FJZdr+tY=
-k8s.io/apiserver v0.21.3/go.mod h1:eDPWlZG6/cCCMj/JBcEpDoK+I+6i3r9GsChYBHSbAzU=
-k8s.io/apiserver v0.22.1/go.mod h1:2mcM6dzSt+XndzVQJX21Gx0/Klo7Aen7i0Ai6tIa400=
 k8s.io/apiserver v0.22.2/go.mod h1:vrpMmbyjWrgdyOvZTSpsusQq5iigKNWv9o9KlDAbBHI=
 k8s.io/cli-runtime v0.21.1 h1:Oj/iZxa7LLXrhzShaLNF4rFJEIEBTDHj0dJw4ra2vX4=
 k8s.io/cli-runtime v0.21.1/go.mod h1:TI9Bvl8lQWZB2KqE91QLCp9AZE4l29zNFnj/x4IX4Fw=
 k8s.io/client-go v0.18.8/go.mod h1:HqFqMllQ5NnQJNwjro9k5zMyfhZlOwpuTLVrxjkYSxU=
 k8s.io/client-go v0.21.1/go.mod h1:/kEw4RgW+3xnBGzvp9IWxKSNA+lXn3A7AuH3gdOAzLs=
-k8s.io/client-go v0.21.3/go.mod h1:+VPhCgTsaFmGILxR/7E1N0S+ryO010QBeNCv5JwRGYU=
-k8s.io/client-go v0.22.1/go.mod h1:BquC5A4UOo4qVDUtoc04/+Nxp1MeHcVc1HJm1KmG8kk=
 k8s.io/client-go v0.22.2 h1:DaSQgs02aCC1QcwUdkKZWOeaVsQjYvWv8ZazcZ6JcHc=
 k8s.io/client-go v0.22.2/go.mod h1:sAlhrkVDf50ZHx6z4K0S40wISNTarf1r800F+RlCF6U=
 k8s.io/cloud-provider v0.18.8/go.mod h1:cn9AlzMPVIXA4HHLVbgGUigaQlZyHSZ7WAwDEFNrQSs=
 k8s.io/code-generator v0.17.2/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s=
 k8s.io/code-generator v0.21.1/go.mod h1:hUlps5+9QaTrKx+jiM4rmq7YmH8wPOIko64uZCHDh6Q=
-k8s.io/code-generator v0.21.3/go.mod h1:K3y0Bv9Cz2cOW2vXUrNZlFbflhuPvuadW6JdnN6gGKo=
-k8s.io/code-generator v0.22.1/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
 k8s.io/code-generator v0.22.2/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
 k8s.io/component-base v0.18.8/go.mod h1:00frPRDas29rx58pPCxNkhUfPbwajlyyvu8ruNgSErU=
 k8s.io/component-base v0.21.1/go.mod h1:NgzFZ2qu4m1juby4TnrmpR8adRk6ka62YdH5DkIIyKA=
-k8s.io/component-base v0.21.3/go.mod h1:kkuhtfEHeZM6LkX0saqSK8PbdO7A0HigUngmhhrwfGQ=
-k8s.io/component-base v0.22.1/go.mod h1:0D+Bl8rrnsPN9v0dyYvkqFfBeAd4u7n77ze+p8CMiPo=
 k8s.io/component-base v0.22.2 h1:vNIvE0AIrLhjX8drH0BgCNJcR4QZxMXcJzBsDplDx9M=
 k8s.io/component-base v0.22.2/go.mod h1:5Br2QhI9OTe79p+TzPe9JKNQYvEKbq9rTJDWllunGug=
 k8s.io/component-helpers v0.21.1/go.mod h1:FtC1flbiQlosHQrLrRUulnKxE4ajgWCGy/67fT2GRlQ=
@@ -1344,9 +1332,6 @@ k8s.io/metrics v0.21.1/go.mod h1:pyDVLsLe++FIGDBFU80NcW4xMFsuiVTWL8Zfi7+PpNo=
 k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210517184530-5a248b5acedc/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210527160623-6fdb442a123b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210722164352-7f3ee0f31471/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a h1:8dYfu/Fc9Gz2rNJKB9IQRGgQOh2clmRzNIPPY1xLY5g=
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw=
@@ -1359,13 +1344,10 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.19/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/cli-utils v0.26.0 h1:N1X1NVN19+daTihVimkSVNMgiVPIHG9OO3SJPh6SBQI=
 sigs.k8s.io/cli-utils v0.26.0/go.mod h1:myCFn83XMe7vC1ZX5CEJJIY2cqsl6IxYI727mLW1mfE=
 sigs.k8s.io/controller-runtime v0.9.0-beta.5.0.20210524185538-7181f1162e79/go.mod h1:rgf+cBz72pYlKXDRNhI1WFQv/S86EMUV4/ySmsEYgHk=
-sigs.k8s.io/controller-runtime v0.9.0/go.mod h1:TgkfvrhhEw3PlI0BRL/5xM+89y3/yc0ZDfdbTl84si8=
-sigs.k8s.io/controller-runtime v0.9.5/go.mod h1:q6PpkM5vqQubEKUKOM6qr06oXGzOBcCby1DA9FbyZeA=
 sigs.k8s.io/controller-runtime v0.10.1/go.mod h1:CQp8eyUQZ/Q7PJvnIrB6/hgfTC1kBkGylwsLgOQi1WY=
 sigs.k8s.io/controller-runtime v0.10.2 h1:jW8qiY+yMnnPx6O9hu63tgcwaKzd1yLYui+mpvClOOc=
 sigs.k8s.io/controller-runtime v0.10.2/go.mod h1:CQp8eyUQZ/Q7PJvnIrB6/hgfTC1kBkGylwsLgOQi1WY=

internal/bootstrap/bootstrap_plain_git.go

@@ -75,16 +75,6 @@ func WithRepositoryURL(url string) GitOption {
 	return repositoryURLOption(url)
 }
 
-func WithCABundle(b []byte) GitOption {
-	return caBundleOption(b)
-}
-
-type caBundleOption []byte
-
-func (o caBundleOption) applyGit(b *PlainGitBootstrapper) {
-	b.caBundle = o
-}
-
 type repositoryURLOption string
 
 func (o repositoryURLOption) applyGit(b *PlainGitBootstrapper) {

internal/bootstrap/bootstrap_provider.go

@@ -30,6 +30,7 @@ import (
 	"github.com/fluxcd/go-git-providers/gitprovider"
 
 	"github.com/fluxcd/flux2/internal/bootstrap/git"
+	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
@@ -37,9 +38,11 @@ import (
 type GitProviderBootstrapper struct {
 	*PlainGitBootstrapper
 
-	owner      string
-	repository string
-	personal   bool
+	owner          string
+	repositoryName string
+	repository     gitprovider.UserRepository
+
+	personal bool
 
 	description   string
 	defaultBranch string
@@ -80,23 +83,23 @@ type GitProviderOption interface {
 	applyGitProvider(b *GitProviderBootstrapper)
 }
 
-func WithProviderRepository(owner, repository string, personal bool) GitProviderOption {
+func WithProviderRepository(owner, repositoryName string, personal bool) GitProviderOption {
 	return providerRepositoryOption{
-		owner:      owner,
-		repository: repository,
-		personal:   personal,
+		owner:          owner,
+		repositoryName: repositoryName,
+		personal:       personal,
 	}
 }
 
 type providerRepositoryOption struct {
-	owner      string
-	repository string
-	personal   bool
+	owner          string
+	repositoryName string
+	personal       bool
 }
 
 func (o providerRepositoryOption) applyGitProvider(b *GitProviderBootstrapper) {
 	b.owner = o.owner
-	b.repository = o.repository
+	b.repositoryName = o.repositoryName
 	b.personal = o.personal
 }
 
@@ -181,19 +184,19 @@ func (o reconcileOption) applyGitProvider(b *GitProviderBootstrapper) {
 }
 
 func (b *GitProviderBootstrapper) ReconcileSyncConfig(ctx context.Context, options sync.Options) error {
-	repo, err := b.getRepository(ctx)
-	if err != nil {
-		return err
+	if b.repository == nil {
+		return errors.New("repository is required")
 	}
+
 	if b.url == "" {
-		bootstrapURL, err := b.getCloneURL(repo, gitprovider.TransportType(b.bootstrapTransportType))
+		bootstrapURL, err := b.getCloneURL(b.repository, gitprovider.TransportType(b.bootstrapTransportType))
 		if err != nil {
 			return err
 		}
 		WithRepositoryURL(bootstrapURL).applyGit(b.PlainGitBootstrapper)
 	}
 	if options.URL == "" {
-		syncURL, err := b.getCloneURL(repo, gitprovider.TransportType(b.syncTransportType))
+		syncURL, err := b.getCloneURL(b.repository, gitprovider.TransportType(b.syncTransportType))
 		if err != nil {
 			return err
 		}
@@ -211,7 +214,6 @@ func (b *GitProviderBootstrapper) ReconcileSyncConfig(ctx context.Context, optio
 func (b *GitProviderBootstrapper) ReconcileRepository(ctx context.Context) error {
 	var repo gitprovider.UserRepository
 	var err error
-
 	if b.personal {
 		repo, err = b.reconcileUserRepository(ctx)
 	} else {
@@ -221,36 +223,37 @@ func (b *GitProviderBootstrapper) ReconcileRepository(ctx context.Context) error
 		return err
 	}
 
-	cloneURL := repo.Repository().GetCloneURL(gitprovider.TransportType(b.bootstrapTransportType))
-	// TODO(hidde): https://github.com/fluxcd/go-git-providers/issues/55
-	if strings.HasPrefix(cloneURL, "https://https://") {
-		cloneURL = strings.TrimPrefix(cloneURL, "https://")
+	cloneURL, err := b.getCloneURL(repo, gitprovider.TransportType(b.bootstrapTransportType))
+	if err != nil {
+		return err
 	}
+
+	b.repository = repo
 	WithRepositoryURL(cloneURL).applyGit(b.PlainGitBootstrapper)
 
 	return err
 }
 
 func (b *GitProviderBootstrapper) reconcileDeployKey(ctx context.Context, secret corev1.Secret, options sourcesecret.Options) error {
+	if b.repository == nil {
+		return errors.New("repository is required")
+	}
+
 	ppk, ok := secret.StringData[sourcesecret.PublicKeySecretKey]
 	if !ok {
 		return nil
 	}
 	b.logger.Successf("public key: %s", strings.TrimSpace(ppk))
 
-	repo, err := b.getRepository(ctx)
+	name := deployKeyName(options.Namespace, b.branch, options.Name, options.TargetPath)
+	deployKeyInfo := newDeployKeyInfo(name, ppk, b.readWriteKey)
+
+	_, changed, err := b.repository.DeployKeys().Reconcile(ctx, deployKeyInfo)
 	if err != nil {
 		return err
 	}
-
-	name := deployKeyName(options.Namespace, b.branch, options.Name, options.TargetPath)
-	deployKeyInfo := newDeployKeyInfo(name, ppk, b.readWriteKey)
-	var changed bool
-	if _, changed, err = repo.DeployKeys().Reconcile(ctx, deployKeyInfo); err != nil {
-		return err
-	}
 	if changed {
-		b.logger.Successf("configured deploy key %q for %q", deployKeyInfo.Name, repo.Repository().String())
+		b.logger.Successf("configured deploy key %q for %q", deployKeyInfo.Name, b.repository.Repository().String())
 	}
 	return nil
 }
@@ -267,9 +270,12 @@ func (b *GitProviderBootstrapper) reconcileOrgRepository(ctx context.Context) (g
 
 	// Construct the repository and other configuration objects
 	// go-git-provider likes to work with
-	subOrgs, repoName := splitSubOrganizationsFromRepositoryName(b.repository)
-	orgRef := newOrganizationRef(b.provider.SupportedDomain(), b.owner, subOrgs)
-	repoRef := newOrgRepositoryRef(orgRef, repoName)
+	subOrgs, repoName := splitSubOrganizationsFromRepositoryName(b.repositoryName)
+	orgRef, err := b.getOrganization(ctx, subOrgs)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create new Git repository for the organization %q: %w", orgRef.String(), err)
+	}
+	repoRef := newOrgRepositoryRef(*orgRef, repoName)
 	repoInfo := newRepositoryInfo(b.description, b.defaultBranch, b.visibility)
 
 	// Reconcile the organization repository
@@ -343,7 +349,7 @@ func (b *GitProviderBootstrapper) reconcileUserRepository(ctx context.Context) (
 
 	// Construct the repository and other metadata objects
 	// go-git-provider likes to work with.
-	_, repoName := splitSubOrganizationsFromRepositoryName(b.repository)
+	_, repoName := splitSubOrganizationsFromRepositoryName(b.repositoryName)
 	userRef := newUserRef(b.provider.SupportedDomain(), b.owner)
 	repoRef := newUserRepositoryRef(userRef, repoName)
 	repoInfo := newRepositoryInfo(b.description, b.defaultBranch, b.visibility)
@@ -383,21 +389,22 @@ func (b *GitProviderBootstrapper) reconcileUserRepository(ctx context.Context) (
 	return repo, nil
 }
 
-// getRepository retrieves and returns the gitprovider.UserRepository
-// for organization and user repositories using the
-// GitProviderBootstrapper values.
-// As gitprovider.OrgRepository is a superset of gitprovider.UserRepository, this
-// type is returned.
-func (b *GitProviderBootstrapper) getRepository(ctx context.Context) (gitprovider.UserRepository, error) {
-	subOrgs, repoName := splitSubOrganizationsFromRepositoryName(b.repository)
-
-	if b.personal {
-		userRef := newUserRef(b.provider.SupportedDomain(), b.owner)
-		return b.provider.UserRepositories().Get(ctx, newUserRepositoryRef(userRef, repoName))
-	}
-
+// getOrganization retrieves and returns the gitprovider.Organization
+// using the GitProviderBootstrapper values.
+func (b *GitProviderBootstrapper) getOrganization(ctx context.Context, subOrgs []string) (*gitprovider.OrganizationRef, error) {
 	orgRef := newOrganizationRef(b.provider.SupportedDomain(), b.owner, subOrgs)
-	return b.provider.OrgRepositories().Get(ctx, newOrgRepositoryRef(orgRef, repoName))
+	// With Stash get the organization to be sure to get the correct key
+	if string(b.provider.ProviderID()) == string(provider.GitProviderStash) {
+		org, err := b.provider.Organizations().Get(ctx, orgRef)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get Git organization: %w", err)
+		}
+
+		orgRef = org.Organization()
+
+		return &orgRef, nil
+	}
+	return &orgRef, nil
 }
 
 // getCloneURL returns the Git clone URL for the given
@@ -405,18 +412,23 @@ func (b *GitProviderBootstrapper) getRepository(ctx context.Context) (gitprovide
 // gitprovider.TransportTypeSSH and a custom SSH hostname is configured,
 // the hostname of the URL will be modified to this hostname.
 func (b *GitProviderBootstrapper) getCloneURL(repository gitprovider.UserRepository, transport gitprovider.TransportType) (string, error) {
-	u := repository.Repository().GetCloneURL(transport)
+	var url string
+	if cloner, ok := repository.(gitprovider.CloneableURL); ok {
+		return cloner.GetCloneURL("", transport), nil
+	}
+
+	url = repository.Repository().GetCloneURL(transport)
 	// TODO(hidde): https://github.com/fluxcd/go-git-providers/issues/55
-	if strings.HasPrefix(u, "https://https://") {
-		u = strings.TrimPrefix(u, "https://")
+	if strings.HasPrefix(url, "https://https://") {
+		url = strings.TrimPrefix(url, "https://")
 	}
 	var err error
 	if transport == gitprovider.TransportTypeSSH && b.sshHostname != "" {
-		if u, err = setHostname(u, b.sshHostname); err != nil {
-			err = fmt.Errorf("failed to set SSH hostname for URL %q: %w", u, err)
+		if url, err = setHostname(url, b.sshHostname); err != nil {
+			err = fmt.Errorf("failed to set SSH hostname for URL %q: %w", url, err)
 		}
 	}
-	return u, err
+	return url, err
 }
 
 // splitSubOrganizationsFromRepositoryName removes any prefixed sub

internal/bootstrap/options.go

@@ -62,6 +62,20 @@ func (o authorOption) applyGitProvider(b *GitProviderBootstrapper) {
 	o.applyGit(b.PlainGitBootstrapper)
 }
 
+func WithCABundle(b []byte) Option {
+	return caBundleOption(b)
+}
+
+type caBundleOption []byte
+
+func (o caBundleOption) applyGit(b *PlainGitBootstrapper) {
+	b.caBundle = o
+}
+
+func (o caBundleOption) applyGitProvider(b *GitProviderBootstrapper) {
+	b.caBundle = o
+}
+
 func WithCommitMessageAppendix(appendix string) Option {
 	return commitMessageAppendixOption(appendix)
 }

internal/bootstrap/provider/factory.go

@@ -22,6 +22,7 @@ import (
 	"github.com/fluxcd/go-git-providers/github"
 	"github.com/fluxcd/go-git-providers/gitlab"
 	"github.com/fluxcd/go-git-providers/gitprovider"
+	"github.com/fluxcd/go-git-providers/stash"
 )
 
 // BuildGitProvider builds a gitprovider.Client for the provided
@@ -38,6 +39,9 @@ func BuildGitProvider(config Config) (gitprovider.Client, error) {
 		if config.Hostname != "" {
 			opts = append(opts, gitprovider.WithDomain(config.Hostname))
 		}
+		if config.CaBundle != nil {
+			opts = append(opts, gitprovider.WithCustomCAPostChainTransportHook(config.CaBundle))
+		}
 		if client, err = github.NewClient(opts...); err != nil {
 			return nil, err
 		}
@@ -48,9 +52,23 @@ func BuildGitProvider(config Config) (gitprovider.Client, error) {
 		if config.Hostname != "" {
 			opts = append(opts, gitprovider.WithDomain(config.Hostname))
 		}
+		if config.CaBundle != nil {
+			opts = append(opts, gitprovider.WithCustomCAPostChainTransportHook(config.CaBundle))
+		}
 		if client, err = gitlab.NewClient(config.Token, "", opts...); err != nil {
 			return nil, err
 		}
+	case GitProviderStash:
+		opts := []gitprovider.ClientOption{}
+		if config.Hostname != "" {
+			opts = append(opts, gitprovider.WithDomain(config.Hostname))
+		}
+		if config.CaBundle != nil {
+			opts = append(opts, gitprovider.WithCustomCAPostChainTransportHook(config.CaBundle))
+		}
+		if client, err = stash.NewStashClient(config.Username, config.Token, opts...); err != nil {
+			return nil, err
+		}
 	default:
 		return nil, fmt.Errorf("unsupported Git provider '%s'", config.Provider)
 	}

internal/bootstrap/provider/provider.go

@@ -22,6 +22,7 @@ type GitProvider string
 const (
 	GitProviderGitHub GitProvider = "github"
 	GitProviderGitLab GitProvider = "gitlab"
+	GitProviderStash  GitProvider = "stash"
 )
 
 // Config defines the configuration for connecting to a GitProvider.
@@ -33,7 +34,14 @@ type Config struct {
 	// e.g. github.example.com.
 	Hostname string
 
+	// Username contains the username used to authenticate with
+	// the Provider.
+	Username string
+
 	// Token contains the token used to authenticate with the
 	// Provider.
 	Token string
+
+	// CABunle contains the CA bundle to use for the client.
+	CaBundle []byte
 }

manifests/bases/helm-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/helm-controller/releases/download/v0.12.2/helm-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.12.2/helm-controller.deployment.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.14.1/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.14.1/helm-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/image-automation-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.17.1/image-automation-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.17.1/image-automation-controller.deployment.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.18.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.18.0/image-automation-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/image-reflector-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.13.1/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.13.1/image-reflector-controller.deployment.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.14.0/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.14.0/image-reflector-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/kustomize-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.17.0/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.17.0/kustomize-controller.deployment.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.18.2/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.18.2/kustomize-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/notification-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/notification-controller/releases/download/v0.18.1/notification-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v0.18.1/notification-controller.deployment.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.19.0/notification-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.19.0/notification-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
   - target:

manifests/bases/source-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.17.2/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.17.2/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.19.2/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.19.2/source-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/crds/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.17.2/source-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.17.0/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.12.2/helm-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v0.18.1/notification-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.13.1/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.17.1/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.19.2/source-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.18.2/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.14.1/helm-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.19.0/notification-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.14.0/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.18.0/image-automation-controller.crds.yaml

manifests/monitoring/grafana/dashboards/control-plane.json

@@ -8,22 +8,30 @@
         "hide": true,
         "iconColor": "rgba(0, 211, 255, 1)",
         "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
         "type": "dashboard"
       }
     ]
   },
   "editable": true,
+  "fiscalYearStartMonth": 0,
   "gnetId": null,
   "graphTooltip": 0,
-  "iteration": 1596541513301,
+  "id": 29,
+  "iteration": 1639041352219,
   "links": [],
+  "liveNow": false,
   "panels": [
     {
       "datasource": "${DS_PROMETHEUS}",
       "description": "",
       "fieldConfig": {
         "defaults": {
-          "custom": {},
           "decimals": 0,
           "mappings": [],
           "thresholds": {
@@ -62,9 +70,10 @@
           "fields": "",
           "values": false
         },
+        "text": {},
         "textMode": "value"
       },
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "targets": [
         {
           "expr": "sum(go_info{namespace=\"$namespace\",pod=~\".*-controller-.*\"})",
@@ -83,7 +92,6 @@
       "description": "",
       "fieldConfig": {
         "defaults": {
-          "custom": {},
           "mappings": [],
           "thresholds": {
             "mode": "absolute",
@@ -125,9 +133,10 @@
           "fields": "",
           "values": false
         },
+        "text": {},
         "textMode": "auto"
       },
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "targets": [
         {
           "expr": "max(workqueue_longest_running_processor_seconds{namespace=\"$namespace\",pod=~\".*-controller-.*\"})",
@@ -147,7 +156,6 @@
       "description": "",
       "fieldConfig": {
         "defaults": {
-          "custom": {},
           "mappings": [],
           "thresholds": {
             "mode": "absolute",
@@ -187,9 +195,10 @@
           "values": false
         },
         "showThresholdLabels": false,
-        "showThresholdMarkers": true
+        "showThresholdMarkers": true,
+        "text": {}
       },
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "targets": [
         {
           "expr": "sum(go_memstats_alloc_bytes{namespace=\"$namespace\",pod=~\".*-controller-.*\"})",
@@ -208,9 +217,6 @@
       "description": "",
       "fieldConfig": {
         "defaults": {
-          "custom": {
-            "align": null
-          },
           "mappings": [],
           "thresholds": {
             "mode": "absolute",
@@ -251,9 +257,10 @@
           "fields": "",
           "values": false
         },
+        "text": {},
         "textMode": "auto"
       },
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "targets": [
         {
           "expr": "sum(rate(rest_client_requests_total{namespace=\"$namespace\",pod=~\".*-controller-.*\"}[1m]))",
@@ -267,131 +274,6 @@
       "title": "API Requests",
       "type": "stat"
     },
-    {
-      "collapsed": false,
-      "datasource": "${DS_PROMETHEUS}",
-      "gridPos": {
-        "h": 1,
-        "w": 24,
-        "x": 0,
-        "y": 5
-      },
-      "id": 15,
-      "panels": [],
-      "title": "Resource Usage",
-      "type": "row"
-    },
-    {
-      "aliasColors": {},
-      "bars": false,
-      "dashLength": 10,
-      "dashes": false,
-      "datasource": "${DS_PROMETHEUS}",
-      "description": "",
-      "fieldConfig": {
-        "defaults": {
-          "custom": {}
-        },
-        "overrides": []
-      },
-      "fill": 1,
-      "fillGradient": 0,
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 0,
-        "y": 6
-      },
-      "hiddenSeries": false,
-      "id": 8,
-      "legend": {
-        "alignAsTable": true,
-        "avg": true,
-        "current": true,
-        "max": false,
-        "min": false,
-        "rightSide": false,
-        "show": true,
-        "total": false,
-        "values": true
-      },
-      "lines": true,
-      "linewidth": 1,
-      "nullPointMode": "null",
-      "percentage": false,
-      "pluginVersion": "7.1.1",
-      "pointradius": 2,
-      "points": false,
-      "renderer": "flot",
-      "seriesOverrides": [],
-      "spaceLength": 10,
-      "stack": false,
-      "steppedLine": false,
-      "targets": [
-        {
-          "expr": "histogram_quantile(0.50, sum(rate(rest_client_request_latency_seconds_bucket{namespace=\"$namespace\"}[5m])) by (le))",
-          "interval": "",
-          "legendFormat": "P50",
-          "refId": "A"
-        },
-        {
-          "expr": "histogram_quantile(0.90, sum(rate(rest_client_request_latency_seconds_bucket{namespace=\"$namespace\"}[5m])) by (le))",
-          "hide": true,
-          "interval": "",
-          "legendFormat": "P90",
-          "refId": "B"
-        },
-        {
-          "expr": "histogram_quantile(0.99, sum(rate(rest_client_request_latency_seconds_bucket{namespace=\"$namespace\"}[5m])) by (le))",
-          "hide": false,
-          "interval": "",
-          "legendFormat": "P99",
-          "refId": "C"
-        }
-      ],
-      "thresholds": [],
-      "timeFrom": null,
-      "timeRegions": [],
-      "timeShift": null,
-      "title": "Kubernetes API Requests Duration",
-      "tooltip": {
-        "shared": true,
-        "sort": 0,
-        "value_type": "individual"
-      },
-      "type": "graph",
-      "xaxis": {
-        "buckets": null,
-        "mode": "time",
-        "name": null,
-        "show": true,
-        "values": []
-      },
-      "yaxes": [
-        {
-          "$$hashKey": "object:912",
-          "format": "s",
-          "label": null,
-          "logBase": 1,
-          "max": null,
-          "min": null,
-          "show": true
-        },
-        {
-          "$$hashKey": "object:913",
-          "format": "short",
-          "label": null,
-          "logBase": 1,
-          "max": null,
-          "min": null,
-          "show": true
-        }
-      ],
-      "yaxis": {
-        "align": false,
-        "alignLevel": null
-      }
-    },
     {
       "aliasColors": {},
       "bars": false,
@@ -400,19 +282,13 @@
       "datasource": "${DS_PROMETHEUS}",
       "decimals": null,
       "description": "",
-      "fieldConfig": {
-        "defaults": {
-          "custom": {}
-        },
-        "overrides": []
-      },
       "fill": 1,
       "fillGradient": 0,
       "gridPos": {
         "h": 8,
-        "w": 12,
-        "x": 12,
-        "y": 6
+        "w": 24,
+        "x": 0,
+        "y": 5
       },
       "hiddenSeries": false,
       "id": 21,
@@ -430,8 +306,11 @@
       "lines": true,
       "linewidth": 1,
       "nullPointMode": "null",
+      "options": {
+        "alertThreshold": true
+      },
       "percentage": false,
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "pointradius": 2,
       "points": false,
       "renderer": "flot",
@@ -499,18 +378,30 @@
         "alignLevel": null
       }
     },
+    {
+      "collapsed": false,
+      "datasource": "${DS_PROMETHEUS}",
+      "fieldConfig": {
+        "defaults": {},
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 1,
+        "w": 24,
+        "x": 0,
+        "y": 13
+      },
+      "id": 15,
+      "panels": [],
+      "title": "Resource Usage",
+      "type": "row"
+    },
     {
       "aliasColors": {},
       "bars": false,
       "dashLength": 10,
       "dashes": false,
       "datasource": "${DS_PROMETHEUS}",
-      "fieldConfig": {
-        "defaults": {
-          "custom": {}
-        },
-        "overrides": []
-      },
       "fill": 1,
       "fillGradient": 0,
       "gridPos": {
@@ -534,8 +425,11 @@
       "lines": true,
       "linewidth": 1,
       "nullPointMode": "null",
+      "options": {
+        "alertThreshold": true
+      },
       "percentage": false,
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "pointradius": 2,
       "points": false,
       "renderer": "flot",
@@ -600,12 +494,6 @@
       "dashLength": 10,
       "dashes": false,
       "datasource": "${DS_PROMETHEUS}",
-      "fieldConfig": {
-        "defaults": {
-          "custom": {}
-        },
-        "overrides": []
-      },
       "fill": 1,
       "fillGradient": 0,
       "gridPos": {
@@ -629,8 +517,11 @@
       "lines": true,
       "linewidth": 1,
       "nullPointMode": "null",
+      "options": {
+        "alertThreshold": true
+      },
       "percentage": false,
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "pointradius": 2,
       "points": false,
       "renderer": "flot",
@@ -694,6 +585,10 @@
     {
       "collapsed": false,
       "datasource": "${DS_PROMETHEUS}",
+      "fieldConfig": {
+        "defaults": {},
+        "overrides": []
+      },
       "gridPos": {
         "h": 1,
         "w": 24,
@@ -711,12 +606,6 @@
       "dashLength": 10,
       "dashes": false,
       "datasource": "${DS_PROMETHEUS}",
-      "fieldConfig": {
-        "defaults": {
-          "custom": {}
-        },
-        "overrides": []
-      },
       "fill": 1,
       "fillGradient": 0,
       "gridPos": {
@@ -741,8 +630,11 @@
       "lines": true,
       "linewidth": 1,
       "nullPointMode": "null",
+      "options": {
+        "alertThreshold": true
+      },
       "percentage": false,
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "pointradius": 2,
       "points": false,
       "renderer": "flot",
@@ -810,12 +702,6 @@
       "datasource": "${DS_PROMETHEUS}",
       "decimals": 2,
       "description": "",
-      "fieldConfig": {
-        "defaults": {
-          "custom": {}
-        },
-        "overrides": []
-      },
       "fill": 1,
       "fillGradient": 0,
       "gridPos": {
@@ -841,7 +727,7 @@
       "linewidth": 1,
       "nullPointMode": "null",
       "percentage": false,
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "pointradius": 2,
       "points": false,
       "renderer": "flot",
@@ -916,12 +802,6 @@
       "datasource": "${DS_PROMETHEUS}",
       "decimals": 2,
       "description": "",
-      "fieldConfig": {
-        "defaults": {
-          "custom": {}
-        },
-        "overrides": []
-      },
       "fill": 1,
       "fillGradient": 0,
       "gridPos": {
@@ -947,7 +827,7 @@
       "linewidth": 1,
       "nullPointMode": "null",
       "percentage": false,
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "pointradius": 2,
       "points": false,
       "renderer": "flot",
@@ -1017,6 +897,10 @@
     {
       "collapsed": false,
       "datasource": "${DS_PROMETHEUS}",
+      "fieldConfig": {
+        "defaults": {},
+        "overrides": []
+      },
       "gridPos": {
         "h": 1,
         "w": 24,
@@ -1034,12 +918,6 @@
       "dashLength": 10,
       "dashes": false,
       "datasource": "${DS_PROMETHEUS}",
-      "fieldConfig": {
-        "defaults": {
-          "custom": {}
-        },
-        "overrides": []
-      },
       "fill": 1,
       "fillGradient": 0,
       "gridPos": {
@@ -1065,7 +943,7 @@
       "linewidth": 1,
       "nullPointMode": "null as zero",
       "percentage": false,
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "pointradius": 2,
       "points": false,
       "renderer": "flot",
@@ -1147,12 +1025,6 @@
       "datasource": "${DS_PROMETHEUS}",
       "decimals": 2,
       "description": "",
-      "fieldConfig": {
-        "defaults": {
-          "custom": {}
-        },
-        "overrides": []
-      },
       "fill": 1,
       "fillGradient": 0,
       "gridPos": {
@@ -1178,7 +1050,7 @@
       "linewidth": 1,
       "nullPointMode": "null",
       "percentage": false,
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "pointradius": 2,
       "points": false,
       "renderer": "flot",
@@ -1253,12 +1125,6 @@
       "datasource": "${DS_PROMETHEUS}",
       "decimals": 2,
       "description": "",
-      "fieldConfig": {
-        "defaults": {
-          "custom": {}
-        },
-        "overrides": []
-      },
       "fill": 1,
       "fillGradient": 0,
       "gridPos": {
@@ -1284,7 +1150,7 @@
       "linewidth": 1,
       "nullPointMode": "null",
       "percentage": false,
-      "pluginVersion": "7.1.1",
+      "pluginVersion": "8.2.3",
       "pointradius": 2,
       "points": false,
       "renderer": "flot",
@@ -1353,7 +1219,7 @@
     }
   ],
   "refresh": "10s",
-  "schemaVersion": 26,
+  "schemaVersion": 31,
   "style": "light",
   "tags": [
     "flux"
@@ -1366,6 +1232,8 @@
           "text": "Prometheus",
           "value": "Prometheus"
         },
+        "description": null,
+        "error": null,
         "hide": 2,
         "includeAll": false,
         "label": null,
@@ -1387,19 +1255,23 @@
         },
         "datasource": "${DS_PROMETHEUS}",
         "definition": "workqueue_work_duration_seconds_count",
+        "description": null,
+        "error": null,
         "hide": 0,
         "includeAll": false,
         "label": null,
         "multi": false,
         "name": "namespace",
         "options": [],
-        "query": "workqueue_work_duration_seconds_count",
+        "query": {
+          "query": "workqueue_work_duration_seconds_count",
+          "refId": "Prometheus-namespace-Variable-Query"
+        },
         "refresh": 2,
         "regex": "/.*namespace=\"([^\"]*).*/",
         "skipUrlSync": false,
         "sort": 0,
         "tagValuesQuery": "",
-        "tags": [],
         "tagsQuery": "",
         "type": "query",
         "useTags": false
@@ -1426,5 +1298,5 @@
   "timezone": "",
   "title": "Flux Control Plane",
   "uid": "flux-control-plane",
-  "version": 1
-}
+  "version": 2
+}

manifests/monitoring/kube-prometheus-stack/release.yaml

@@ -6,6 +6,7 @@ spec:
   interval: 5m
   chart:
     spec:
+      version: 23.2.0
       chart: kube-prometheus-stack
       sourceRef:
         kind: HelmRepository

manifests/scripts/bundle.sh

@@ -16,8 +16,8 @@
 
 set -e
 
-IN_PATH=${1:-"$(git rev-parse --show-toplevel)/manifests"}
-OUT_PATH=${2:-"$(git rev-parse --show-toplevel)/cmd/flux/manifests"}
+IN_PATH=${1:-"$(realpath $(dirname "${BASH_SOURCE[0]}")/../..)/manifests"}
+OUT_PATH=${2:-"$(realpath $(dirname "${BASH_SOURCE[0]}")/../..)/cmd/flux/manifests"}
 TAR=${3}
 
 info() {

rfcs/0004-multi-tenancy/README.md

@@ -0,0 +1,225 @@
+# RFC-0004 Flux Multi-Tenancy
+
+**Status:** provisional
+
+**Creation date:** 2021-11-15
+
+**Last update:** 2021-12-17
+
+## Summary
+
+This RFC explains the mechanisms available in Flux for implementing multi-tenancy, defines two
+models for multi-tenancy, and gives reference implementations for those models.
+
+## Motivation
+
+To this point, the Flux project has provided [examples of multi-tenancy][mt], but not explained exactly
+how they relate to Flux's authorisation model. This RFC explains two multi-tenancy implementations,
+their security properties, and how they are implemented within the authorisation model
+as defined in [RFC-0001](https://github.com/fluxcd/flux2/pull/2212).
+
+### Goals
+
+- Explain the mechanisms available in Flux for supporting multi-tenancy
+- Define two models for multi-tenancy, "soft multi-tenancy" and "hard multi-tenancy".
+- Explain when each model is appropriate.
+- Describe a reference implementation of each model with Flux.
+
+### Non-Goals
+
+- Give an exhaustive account of multi-tenancy implementations in general.
+- Provide an [end-to-end workflow][mt] of
+  how to set up multi-tenancy with Flux.
+
+## Introduction
+
+Flux allows different organizations and/or teams to share the same Kubernetes control plane; this is
+referred to as "multi-tenancy". To make this safe, Flux supports segmentation and isolation of
+resources by using namespaces and role-based access control ("RBAC"), and integrating with
+Kubernetes Cluster API.
+
+The following subsections explain the existing mechanisms used for safe multi-tenancy.
+
+### Flux's authorisation model
+
+Flux defers to Kubernetes' native RBAC to specify which operations are authorised when processing
+the custom resources in the Flux API. By default, this means operations are constrained by the
+service account under which the controllers run, which (again, by default) has the `cluster-admin`
+role bound to it. This is convenient for a deployment in which all users are trusted.
+
+In a multi-tenant deployment, each tenant needs to be restricted in the operations that can be done
+on their behalf. Since tenants control Flux via its API objects, this becomes a matter of attaching
+RBAC rules to Flux API objects. There are two mechanisms that do this, "impersonation" and "remote
+apply".
+
+#### Impersonation
+
+The Kustomize controller and Helm controller both apply arbitrary sets of Kubernetes configuration
+to a cluster. These controllers are subject to authorisation on two counts:
+
+ - when accessing Kubernetes resources that are needed for a
+   particular "apply" operation -- for example, a secret referenced in
+   the field `.spec.valuesFrom` in a `HelmRelease`;
+ - when creating, watching, updating and deleting Kubernetes resources
+   in the process of applying a piece of configuration.
+
+To give users control over this authorisation, these two controllers will _impersonate_ (assume the
+identity of) a service account mentioned in the apply specification (e.g., the field
+`.spec.serviceAccountName` in a [`Kustomization` object][kcsa]
+or in a [`HelmRelease` object][hcsa]) for both accessing resources and applying configuration.
+This lets a user constrain the operations mentioned above with RBAC.
+
+As stated in [RFC-0003](https://github.com/fluxcd/flux2/pull/2093),
+the platform admins can configure Flux to enforce service account impersonation
+by setting a default service account name when `.spec.serviceAccountName` is not specified.
+
+#### Remote apply
+
+The Kustomize controller and Helm controller are able to apply a set of configuration to a cluster
+other than the cluster in which they run. If the specification [refers to a secret containing a
+"kubeconfig" file][kubeconfig], the controller will construct a client using that kubeconfig, then
+the client used to apply the specified set of configuration. The effect of this is that the
+configuration will be applied as the user given in the kubeconfig; often this is a user with the
+`cluster-admin` role bound to it, but not necessarily so.
+
+## Assumptions made by the multi-tenancy models
+
+### User Roles
+
+The tenancy models assume two types of user: platform admins and tenants.
+Besides installing Flux, all the other operations (deploy applications, configure ingress, policies, etc)
+do not require users to have direct access to the Kubernetes API. Flux acts as a proxy between users and
+the Kubernetes API, using Git as source of truth for the cluster desired state. Changes to the clusters
+and workloads configuration can be made in a collaborative manner, where the various teams responsible for
+the delivery process propose, review and approve changes via pull request workflows.
+
+#### Platform Admins
+
+The platform admins have unrestricted access to Kubernetes API.
+They are responsible for installing Flux and granting Flux
+access to the sources (Git, Helm, OCI repositories) that make up the cluster(s) control plane desired state.
+The repository(s) owned by the platform admins are reconciled on the cluster(s) by Flux, under
+the [cluster-admin](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+Kubernetes cluster role.
+
+Example of operations performed by platform admins:
+
+- Bootstrap Flux onto cluster(s).
+- Extend the Kubernetes API with custom resource definitions and validation webhooks.
+- Configure various controllers for ingress, storage, logging, monitoring, progressive delivery, etc.
+- Set up namespaces for tenants and define their level of access with Kubernetes RBAC.
+- Onboard tenants by registering their Git repositories with Flux.
+
+#### Tenants
+
+The tenants have restricted access to the cluster(s) according to the Kubernetes RBAC configured
+by the platform admins. The repositories owned by tenants are reconciled on the cluster(s) by Flux,
+under the Kubernetes account(s) assigned by platform admins.
+
+Example of operations performed by tenants:
+
+- Register their sources with Flux (`GitRepositories`, `HelmRepositories` and `Buckets`).
+- Deploy workload(s) into their namespace(s) using Flux custom resources (`Kustomizations` and `HelmReleases`).
+- Automate application updates using Flux custom resources (`ImageRepositories`, `ImagePolicies` and `ImageUpdateAutomations`).
+- Configure the release pipeline(s) using Flagger custom resources (`Canaries` and `MetricsTemplates`).
+- Setup webhooks and alerting for their release pipeline(s) using Flux custom resources (`Receivers` and `Alerts`).
+
+## Tenancy Models
+
+The Kubernetes tenancy models supported by Flux are: soft multi-tenancy and hard multi-tenancy.
+
+For an overview of the Kubernetes multi-tenant architecture please consult the following documentation:
+
+- [Three Tenancy Models For Kubernetes](https://kubernetes.io/blog/2021/04/15/three-tenancy-models-for-kubernetes/)
+- [GKE multi-tenancy overview](https://cloud.google.com/kubernetes-engine/docs/concepts/multitenancy-overview)
+- [EKS multi-tenancy best practices](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/)
+
+### Soft Multi-Tenancy
+
+With soft multi-tenancy, the platform admins use Kubernetes constructs such as namespaces, accounts,
+roles and role bindings to create a logical separation between tenants.
+
+When Flux deploys workloads from a repository belonging to a tenant, it uses the Kubernetes account assigned to that
+tenant to perform the git-to-cluster reconciliation. By leveraging Kubernetes RBAC, Flux can ensure
+that the operations performed by tenants are restricted to their namespaces.
+
+Note that with this model, tenants share cluster-wide resources such as
+`ClusterRoles`, `CustomResourceDefinitions`, `IngressClasses`, `StorageClasses`,
+and they cannot create or alter these resources.
+If a tenant adds a cluster-scoped resource definition to their repository,
+Flux will fail the git-to-cluster reconciliation due to Kubernetes RBAC restrictions.
+
+To restrict the reconciliation of tenant's sources, a Kubernetes service account name can be specified 
+in Flux `Kustomizations` and `HelmReleases` under `.spec.serviceAccountName`. Please consult the Flux  
+documentation for more details:
+
+- [Kustomization API: Role-based access control][kcsa]
+- [HelmRelease API: Role-based access control][hcsa]
+- [Flux multi-tenancy example repository][mt]
+
+Note that with soft multi-tenancy, true tenant isolation requires security measures beyond Kubernetes RBAC.
+Please refer to the Kubernetes [security considerations documentation](https://kubernetes.io/blog/2021/04/15/three-tenancy-models-for-kubernetes/#security-considerations)
+for more details on how to harden shared clusters.
+
+#### Tenants Onboarding
+
+When onboarding tenants, platform admins have the option to assign namespaces, set
+permissions and register the tenants main repositories onto clusters.
+
+The Flux CLI offers an easy way of generating all the Kubernetes manifests needed to onboard tenants:
+
+- `flux create tenant` command generates namespaces, service accounts and Kubernetes RBAC
+  with restricted access to the cluster resources, given tenants access only to their namespaces.
+- `flux create secret git` command generates SSH keys used by Flux to clone the tenants repositories.
+- `flux create source git` command generates the configuration that tells Flux which repositories belong to tenants.
+- `flux create kustomization` command generates the configuration that tells Flux how to reconcile the manifests found in the tenants repositories.
+
+Once the tenants main repositories are registered on the cluster(s), the tenants can configure their app delivery
+in Git using Kubernetes namespace-scoped resources such as `Deployments`, `Services`, Flagger `Canaries`,
+Flux `GitRepositories`, `Kustomizations`, `HelmRepositories`, `HelmReleases`, `ImageUpdateAutomations`,
+`Alerts`, `Receivers`, etc.
+
+### Hard Multi-Tenancy
+
+With hard multi-tenancy, the platform admins create dedicated clusters for each tenant.
+
+When the tenants's clusters are created with Kubernetes Cluster API, the Flux instance
+installed on the management cluster is responsible for reconciling the cluster
+definitions belonging to tenants.
+
+To enable GitOps for the tenant's clusters, the platform admins can configure the Flux instance running on the
+management cluster to connect to the tenant's cluster using the kubeconfig generated by the Cluster API provider
+or by creating kubeconfig secrets for the clusters created by other means than Cluster API.
+
+To configure Flux reconciliation of remote clusters, a Kubernetes secret containing a `kubeConfig` can be specified
+in Flux `Kustomizations` and `HelmReleases` under `.spec.kubeConfig.secretRef`. Please consult the Flux API
+documentation for more details:
+
+- [Kustomization API: Remote Clusters](https://fluxcd.io/docs/components/kustomize/kustomization/#remote-clusters--cluster-api)
+- [HelmRelease API: Remote Clusters](https://fluxcd.io/docs/components/helm/helmreleases/#remote-clusters--cluster-api)
+
+Note that with hard multi-tenancy, tenants have full access to cluster-wide resources, so they have the option
+to manage Flux independently of platform admins, by deploying a Flux instance on each cluster.
+
+#### Caveats
+
+When using a Kubernetes Cluster API provider, the `kubeConfig` secret is automatically generated and Flux can
+make use of it without any manual actions. For clusters created by other means than Cluster API, the
+platform team has to create the `kubeConfig` secrets to allow Flux access to the remote clusters.
+
+As of Flux v0.24 (Nov 2021), we don't provide any guidance for cluster admins on how to generate the `kubeConfig` secrets.
+
+## Implementation History
+
+- Soft multi-tenancy based on service account impersonation was first released in flux2 **v0.0.1**.
+- Generating namespaces and RBAC for defining tenants with `flux create tenant` was first released in flux2 **v0.1.0**.
+- Hard multi-tenancy based on remote cluster reconciliation was first released in flux2 **v0.2.0**.
+- Soft multi-tenancy end-to-end workflow example was first published on 27 Nov 2020 at
+  [fluxcd/flux2-multi-tenancy](https://github.com/fluxcd/flux2-multi-tenancy).
+- Soft multi-tenancy [CVE-2021-41254](https://github.com/fluxcd/kustomize-controller/security/advisories/GHSA-35rf-v2jv-gfg7)
+  "Privilege escalation to cluster admin on multi-tenant environments" was fixed in flux2 **v0.15.0**.
+
+[mt]: https://github.com/fluxcd/flux2-multi-tenancy/tree/v0.1.0
+[kcsa]: https://fluxcd.io/docs/components/kustomize/kustomization/#role-based-access-control
+[hcsa]: https://fluxcd.io/docs/components/helm/helmreleases/#role-based-access-control
+[kubeconfig]: https://fluxcd.io/docs/components/kustomize/api/#kustomize.toolkit.fluxcd.io/v1beta2.KubeConfig

rfcs/README.md

@@ -0,0 +1,45 @@
+# Flux RFCs
+
+In many cases, new features and enhancements are proposed on [flux2/discussions](https://github.com/fluxcd/flux2/discussions).
+A proposal is discussed in public by maintainers, contributors, users and other interested parties.
+After some form of consensus is reached between participants, the proposed changes go through the
+pull request process where the implementation details are reviewed, approved or rejected by maintainers.
+
+Some proposals may be **substantial**, and for these we ask for a design process to be followed
+so that all stakeholders can be confident about the direction Flux is evolving in.
+
+The "RFC" (request for comments) process is intended to provide a consistent and
+controlled path for substantial changes to enter Flux.
+
+Examples of substantial changes:
+
+- API additions (new kinds of resources, new relationships between existing APIs)
+- API breaking changes (new required fields, field removals)
+- Security related changes (Flux controllers permissions, tenant isolation and impersonation)
+- Impactful UX changes (new required inputs to the bootstrap process)
+- Drop capabilities (sunset an existing integration with an external service due to security concerns)
+
+## RFC Process
+
+- Before submitting an RFC please discuss the proposal with the Flux community.
+  Start a discussion on GitHub and ask for feedback at the weekly dev meeting.
+  You must find a maintainer willing to sponsor the RFC.
+- Submit an RFC by opening a pull request using [RFC-0000](RFC-0000/README.md) as template.
+- The sponsor will assign the PR to themselves, will label the PR with `area/RFC` and
+  will request other maintainers to begin the review process.
+- Integrate feedback by adding commits without overriding the history.
+- At least two maintainers have to approve the proposal before it can be merged.
+  Approvers must be satisfied that an
+  [appropriate level of consensus](https://github.com/fluxcd/community/blob/main/GOVERNANCE.md#decision-guidelines)
+  has been reached.
+- Before the merge, an RFC number is assigned by the sponsor and the PR branch must be rebased with main.
+- Once merged, the proposal may be implemented in Flux.
+  The progress could be tracked using the RFC number (used as prefix for issues and PRs).
+- After the proposal implementation is available in a release candidate or final release,
+  the RFC should be updated with the Flux version added to the "Implementation History" section.
+- During the implementation phase, the RFC could be discarded due to security or performance concerns.
+  In this case, the RFC "Implementation History" should state the rejection motives.
+  Ultimately the decision on the feasibility of a particular implementation,
+  resides with the maintainers that reviewed the code changes.
+- A new RFC could be summited with the scope of replacing an RFC rejected during implementation.
+  The new RFC must come with a solution for the rejection motives of the previous RFC.

rfcs/RFC-0000/README.md

@@ -0,0 +1,92 @@
+# RFC-NNNN Title
+
+<!--
+The title must be short and descriptive.
+-->
+
+**Status:** provisional
+
+<!--
+Status represents the current state of the RFC.
+Must be one of `provisional`, `implementable`, `implemented`, `deferred`, `rejected`, `withdrawn`, or `replaced`.
+-->
+
+**Creation date:** YYYY-MM-DD
+
+**Last update:** YYYY-MM-DD
+
+## Summary
+
+<!--
+One paragraph explanation of the proposed feature or enhancement.
+-->
+
+## Motivation
+
+<!--
+This section is for explicitly listing the motivation, goals, and non-goals of
+this RFC. Describe why the change is important and the benefits to users.
+-->
+
+### Goals
+
+<!--
+List the specific goals of this RFC. What is it trying to achieve? How will we
+know that this has succeeded?
+-->
+
+### Non-Goals
+
+<!--
+What is out of scope for this RFC? Listing non-goals helps to focus discussion
+and make progress.
+-->
+
+## Proposal
+
+<!--
+This is where we get down to the specifics of what the proposal actually is.
+This should have enough detail that reviewers can understand exactly what
+you're proposing, but should not include things like API designs or
+implementation.
+
+If the RFC goal is to document best practices,
+then this section can be replaced with the the actual documentation.
+-->
+
+### User Stories
+
+<!--
+Optional if existing discussions and/or issues are linked in the motivation section.
+-->
+
+### Alternatives
+
+<!--
+List plausible alternatives to the proposal and explain why the proposal is superior.
+
+This is a good place to incorporate suggestions made during discussion of the RFC.
+-->
+
+## Design Details
+
+<!--
+This section should contain enough information that the specifics of your
+change are understandable. This may include API specs and code snippets.
+
+The design details should address at least the following questions:
+- How can this feature be enabled / disabled?
+- Does enabling the feature change any default behavior?
+- Can the feature be disabled once it has been enabled?
+- How can an operator determine if the feature is in use?
+- Are there any drawbacks when enabling this feature?
+-->
+
+## Implementation History
+
+<!--
+Major milestones in the lifecycle of the RFC such as:
+- The first Flux release where an initial version of the RFC was available.
+- The version of Flux where the RFC graduated to general availability.
+- The version of Flux where the RFC was retired or superseded.
+-->

tests/azure/go.mod

@@ -4,14 +4,14 @@ go 1.16
 
 require (
 	github.com/Azure/azure-event-hubs-go/v3 v3.3.13
-	github.com/fluxcd/helm-controller/api v0.12.1
-	github.com/fluxcd/image-automation-controller/api v0.16.0
-	github.com/fluxcd/image-reflector-controller/api v0.13.0
-	github.com/fluxcd/kustomize-controller/api v0.16.0
-	github.com/fluxcd/notification-controller/api v0.18.1
+	github.com/fluxcd/helm-controller/api v0.14.0
+	github.com/fluxcd/image-automation-controller/api v0.18.0
+	github.com/fluxcd/image-reflector-controller/api v0.14.0
+	github.com/fluxcd/kustomize-controller/api v0.18.1
+	github.com/fluxcd/notification-controller/api v0.19.0
 	github.com/fluxcd/pkg/apis/meta v0.10.1
-	github.com/fluxcd/pkg/runtime v0.12.1
-	github.com/fluxcd/source-controller/api v0.17.0
+	github.com/fluxcd/pkg/runtime v0.12.2
+	github.com/fluxcd/source-controller/api v0.19.0
 	github.com/hashicorp/terraform-exec v0.14.0
 	github.com/libgit2/git2go/v31 v31.6.1
 	github.com/microsoft/azure-devops-go-api/azuredevops v1.0.0-b5
@@ -21,5 +21,5 @@ require (
 	k8s.io/api v0.22.2
 	k8s.io/apimachinery v0.22.2
 	k8s.io/client-go v0.22.2
-	sigs.k8s.io/controller-runtime v0.10.1
+	sigs.k8s.io/controller-runtime v0.10.2
 )

tests/azure/go.sum

@@ -191,27 +191,27 @@ github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWc
 github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fluxcd/helm-controller/api v0.12.1 h1:rDyhMPvbhCxslqiNNG4nlfDCeYgrk6D+1ZKLsBS/Irs=
-github.com/fluxcd/helm-controller/api v0.12.1/go.mod h1:zWmzV0s2SU4rEIGLPTt+dsaMs40OsNQgSgOATgJmxB0=
-github.com/fluxcd/image-automation-controller/api v0.16.0 h1:pPvEdb8Q7LgNVfugF3+/z2JQdUZ4ecYWrXiezLPov0w=
-github.com/fluxcd/image-automation-controller/api v0.16.0/go.mod h1:tEQCFKGgxii7zfXti2MxixwFbxhEXnVJqLGM2x9zlGw=
-github.com/fluxcd/image-reflector-controller/api v0.13.0 h1:5kq0Jqh+ndZIye+4csfEbuos5GaXIiK77Gpx+ojo+f8=
-github.com/fluxcd/image-reflector-controller/api v0.13.0/go.mod h1:lgQHGFz29OHmDU5Jwg689C/M+P/f9ujt6NS0zCLT0BQ=
-github.com/fluxcd/kustomize-controller/api v0.16.0 h1:L/LRxS6oroGZe1AdElP3k1mnNIKGCpi0ntgHwJzdNYY=
-github.com/fluxcd/kustomize-controller/api v0.16.0/go.mod h1:OhnZuXBeDl4NqbDZgpYKRg8nmsmeUIddH3vX8wxym9A=
-github.com/fluxcd/notification-controller/api v0.18.1 h1:by9+1WCgPUEMXqOiFNOFFIQROabA3Ja4hzgGaF8bLms=
-github.com/fluxcd/notification-controller/api v0.18.1/go.mod h1:t28GMWMLiLqho+ikpZrldv22/vmCsFdQR8vdJluxknc=
-github.com/fluxcd/pkg/apis/kustomize v0.1.0/go.mod h1:gEl+W5cVykCC3RfrCaqe+Pz+j4lKl2aeR4dxsom/zII=
+github.com/fluxcd/helm-controller/api v0.14.0 h1:I6gyOaEcUUEk0cuXgKhvmvgN833LxdZ3dngTnMDii7w=
+github.com/fluxcd/helm-controller/api v0.14.0/go.mod h1:3wDrDVSH/3yH31PzfXzYCCf8OP70eg82tlQU1+QGsS0=
+github.com/fluxcd/image-automation-controller/api v0.18.0 h1:/FMwAJ31s4xk5XL7AKYWT0Z9f+GpLbd55e2I1m6jg/o=
+github.com/fluxcd/image-automation-controller/api v0.18.0/go.mod h1:XqrRtH4aFOY1llgf4wx8VcSmzLsdV/xWcrPbdZjvvLg=
+github.com/fluxcd/image-reflector-controller/api v0.14.0 h1:JlwwpQENkGSxtAC7VXykpOqObsupO61easXu30jpvb0=
+github.com/fluxcd/image-reflector-controller/api v0.14.0/go.mod h1:ew7uL5XzPH3QTfNxt3BAklDh9ONrR5I2m3D7ST0zE9E=
+github.com/fluxcd/kustomize-controller/api v0.18.1 h1:cssv85lh5RlDDEFvMv/4InR/7SzqX/+rVMYA3GqpnFI=
+github.com/fluxcd/kustomize-controller/api v0.18.1/go.mod h1:xGHBIzVXepzm2/0iQJJSbCIRY0Ahq5AgbYsVojpRyX0=
+github.com/fluxcd/notification-controller/api v0.19.0 h1:mSsDj30T4v/9aL2GoMY616p+6nIifD1nrZiBD/rUi8U=
+github.com/fluxcd/notification-controller/api v0.19.0/go.mod h1:SkB3tLOXouLN6PAceNCsJrJaawHt+WiUVfUSIYcpwjs=
+github.com/fluxcd/pkg/apis/acl v0.0.1 h1:biCgZMjpDSv3Q4mZPikUJILx3t2MuNXR4Oa5jRQxaNQ=
+github.com/fluxcd/pkg/apis/acl v0.0.1/go.mod h1:y3qOXUFObVWk7jzOjubMnr/u18j1kCeSi6olycnxr/E=
 github.com/fluxcd/pkg/apis/kustomize v0.2.0 h1:jhu2QHvs+j3Zo9rR6w8hkO3LSC6h3M37zY5ejufOmxY=
 github.com/fluxcd/pkg/apis/kustomize v0.2.0/go.mod h1:gEl+W5cVykCC3RfrCaqe+Pz+j4lKl2aeR4dxsom/zII=
 github.com/fluxcd/pkg/apis/meta v0.10.0/go.mod h1:CW9X9ijMTpNe7BwnokiUOrLl/h13miwVr/3abEQLbKE=
 github.com/fluxcd/pkg/apis/meta v0.10.1 h1:zISenRlqNG7WK8TP3HxZTvv+1Z7JZOUIQvZrOr6pQ2w=
 github.com/fluxcd/pkg/apis/meta v0.10.1/go.mod h1:yUblM2vg+X8TE3A2VvJfdhkGmg+uqBlSPkLk7dxi0UM=
-github.com/fluxcd/pkg/runtime v0.12.0/go.mod h1:EyaTR2TOYcjL5U//C4yH3bt2tvTgIOSXpVRbWxUn/C4=
-github.com/fluxcd/pkg/runtime v0.12.1 h1:r0KQG80gKY1NMp62FggSEdFBV60ZfbnA2RHL9y06DOY=
-github.com/fluxcd/pkg/runtime v0.12.1/go.mod h1:9czAjokV0w22eYGR9/SQKUHXhvh7ISNVgc/6a6YMBE8=
-github.com/fluxcd/source-controller/api v0.17.0 h1:skXx2H5SeziUTwJrp9MPJNwTtYTctJMQ7ZIJfLmg9b0=
-github.com/fluxcd/source-controller/api v0.17.0/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
+github.com/fluxcd/pkg/runtime v0.12.2 h1:4iOpx2j/w15kNemDOnZrF6ugJ/rhSmRu7aI+xn23+BI=
+github.com/fluxcd/pkg/runtime v0.12.2/go.mod h1:tuWdqpWPhgjQvYrSnojdZ4plyU8DRU1NDzsfOhnzl2g=
+github.com/fluxcd/source-controller/api v0.19.0 h1:D4hc/ROhcl7iJdgeVhmM6B7WkDqwtQKnvpl04n+LcNg=
+github.com/fluxcd/source-controller/api v0.19.0/go.mod h1:rUqw0LmoCyGUoElmtLqHc8O35WAQUd8LdgdyDA+kNs4=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
@@ -379,7 +379,6 @@ github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
@@ -503,15 +502,12 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
-github.com/onsi/ginkgo v1.16.2/go.mod h1:CObGmKUOKaSC0RjmoAK7tKyn4Azo5P2IWuoMnvwxz1E=
 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.13.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
-github.com/onsi/gomega v1.14.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
 github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU=
 github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
@@ -661,7 +657,6 @@ go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
-go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.19.0 h1:mZQZefskPPCMIBCSEH0v2/iUqqLrYtaeqwD6FUGUnFE=
 go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -829,7 +824,6 @@ golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2 h1:c8PlLMqBbOHoqtjteWm5/kbe6rNY2pbRfbIMVnepueo=
 golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@@ -850,7 +844,6 @@ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1021,43 +1014,23 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3 h1:sXmLre5bzIR6ypkjXCDI3jHPssRhc8KD/Ome589sc3U=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.21.1/go.mod h1:FstGROTmsSHBarKc8bylzXih8BLNYTiS3TZcsoEDg2s=
-k8s.io/api v0.21.2/go.mod h1:Lv6UGJZ1rlMI1qusN8ruAp9PUBFyBwpEHAdG24vIsiU=
-k8s.io/api v0.21.3/go.mod h1:hUgeYHUbBp23Ue4qdX9tR8/ANi/g3ehylAqDn9NWVOg=
-k8s.io/api v0.22.1/go.mod h1:bh13rkTp3F1XEaLGykbyRD2QaTTzPm0e/BMd8ptFONY=
 k8s.io/api v0.22.2 h1:M8ZzAD0V6725Fjg53fKeTJxGsJvRbk4TEm/fexHMtfw=
 k8s.io/api v0.22.2/go.mod h1:y3ydYpLJAaDI+BbSe2xmGcqxiWHmWjkEeIbiwHvnPR8=
 k8s.io/apiextensions-apiserver v0.21.1/go.mod h1:KESQFCGjqVcVsZ9g0xX5bacMjyX5emuWcS2arzdEouA=
-k8s.io/apiextensions-apiserver v0.21.2/go.mod h1:+Axoz5/l3AYpGLlhJDfcVQzCerVYq3K3CvDMvw6X1RA=
-k8s.io/apiextensions-apiserver v0.21.3/go.mod h1:kl6dap3Gd45+21Jnh6utCx8Z2xxLm8LGDkprcd+KbsE=
-k8s.io/apiextensions-apiserver v0.22.1/go.mod h1:HeGmorjtRmRLE+Q8dJu6AYRoZccvCMsghwS8XTUYb2c=
 k8s.io/apiextensions-apiserver v0.22.2 h1:zK7qI8Ery7j2CaN23UCFaC1hj7dMiI87n01+nKuewd4=
 k8s.io/apiextensions-apiserver v0.22.2/go.mod h1:2E0Ve/isxNl7tWLSUDgi6+cmwHi5fQRdwGVCxbC+KFA=
 k8s.io/apimachinery v0.21.1/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
 k8s.io/apimachinery v0.21.2/go.mod h1:CdTY8fU/BlvAbJ2z/8kBwimGki5Zp8/fbVuLY8gJumM=
-k8s.io/apimachinery v0.21.3/go.mod h1:H/IM+5vH9kZRNJ4l3x/fXP/5bOPJaVP/guptnZPeCFI=
-k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
 k8s.io/apimachinery v0.22.2 h1:ejz6y/zNma8clPVfNDLnPbleBo6MpoFy/HBiBqCouVk=
 k8s.io/apimachinery v0.22.2/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
 k8s.io/apiserver v0.21.1/go.mod h1:nLLYZvMWn35glJ4/FZRhzLG/3MPxAaZTgV4FJZdr+tY=
-k8s.io/apiserver v0.21.2/go.mod h1:lN4yBoGyiNT7SC1dmNk0ue6a5Wi6O3SWOIw91TsucQw=
-k8s.io/apiserver v0.21.3/go.mod h1:eDPWlZG6/cCCMj/JBcEpDoK+I+6i3r9GsChYBHSbAzU=
-k8s.io/apiserver v0.22.1/go.mod h1:2mcM6dzSt+XndzVQJX21Gx0/Klo7Aen7i0Ai6tIa400=
 k8s.io/apiserver v0.22.2/go.mod h1:vrpMmbyjWrgdyOvZTSpsusQq5iigKNWv9o9KlDAbBHI=
 k8s.io/client-go v0.21.1/go.mod h1:/kEw4RgW+3xnBGzvp9IWxKSNA+lXn3A7AuH3gdOAzLs=
-k8s.io/client-go v0.21.2/go.mod h1:HdJ9iknWpbl3vMGtib6T2PyI/VYxiZfq936WNVHBRrA=
-k8s.io/client-go v0.21.3/go.mod h1:+VPhCgTsaFmGILxR/7E1N0S+ryO010QBeNCv5JwRGYU=
-k8s.io/client-go v0.22.1/go.mod h1:BquC5A4UOo4qVDUtoc04/+Nxp1MeHcVc1HJm1KmG8kk=
 k8s.io/client-go v0.22.2 h1:DaSQgs02aCC1QcwUdkKZWOeaVsQjYvWv8ZazcZ6JcHc=
 k8s.io/client-go v0.22.2/go.mod h1:sAlhrkVDf50ZHx6z4K0S40wISNTarf1r800F+RlCF6U=
 k8s.io/code-generator v0.21.1/go.mod h1:hUlps5+9QaTrKx+jiM4rmq7YmH8wPOIko64uZCHDh6Q=
-k8s.io/code-generator v0.21.2/go.mod h1:8mXJDCB7HcRo1xiEQstcguZkbxZaqeUOrO9SsicWs3U=
-k8s.io/code-generator v0.21.3/go.mod h1:K3y0Bv9Cz2cOW2vXUrNZlFbflhuPvuadW6JdnN6gGKo=
-k8s.io/code-generator v0.22.1/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
 k8s.io/code-generator v0.22.2/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
 k8s.io/component-base v0.21.1/go.mod h1:NgzFZ2qu4m1juby4TnrmpR8adRk6ka62YdH5DkIIyKA=
-k8s.io/component-base v0.21.2/go.mod h1:9lvmIThzdlrJj5Hp8Z/TOgIkdfsNARQ1pT+3PByuiuc=
-k8s.io/component-base v0.21.3/go.mod h1:kkuhtfEHeZM6LkX0saqSK8PbdO7A0HigUngmhhrwfGQ=
-k8s.io/component-base v0.22.1/go.mod h1:0D+Bl8rrnsPN9v0dyYvkqFfBeAd4u7n77ze+p8CMiPo=
 k8s.io/component-base v0.22.2/go.mod h1:5Br2QhI9OTe79p+TzPe9JKNQYvEKbq9rTJDWllunGug=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
@@ -1070,22 +1043,15 @@ k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iL
 k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM=
 k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210527160623-6fdb442a123b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210722164352-7f3ee0f31471/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a h1:8dYfu/Fc9Gz2rNJKB9IQRGgQOh2clmRzNIPPY1xLY5g=
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.19/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
-sigs.k8s.io/controller-runtime v0.9.0/go.mod h1:TgkfvrhhEw3PlI0BRL/5xM+89y3/yc0ZDfdbTl84si8=
-sigs.k8s.io/controller-runtime v0.9.2/go.mod h1:TxzMCHyEUpaeuOiZx/bIdc2T81vfs/aKdvJt9wuu0zk=
-sigs.k8s.io/controller-runtime v0.9.5/go.mod h1:q6PpkM5vqQubEKUKOM6qr06oXGzOBcCby1DA9FbyZeA=
-sigs.k8s.io/controller-runtime v0.10.1 h1:+eLHgY/VrJWnfg6iXUqhCUqNXgPH1NZeP9drNAAgWlg=
-sigs.k8s.io/controller-runtime v0.10.1/go.mod h1:CQp8eyUQZ/Q7PJvnIrB6/hgfTC1kBkGylwsLgOQi1WY=
+sigs.k8s.io/controller-runtime v0.10.2 h1:jW8qiY+yMnnPx6O9hu63tgcwaKzd1yLYui+mpvClOOc=
+sigs.k8s.io/controller-runtime v0.10.2/go.mod h1:CQp8eyUQZ/Q7PJvnIrB6/hgfTC1kBkGylwsLgOQi1WY=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.0/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno=

tests/image-automation/auto.yaml

@@ -0,0 +1,45 @@
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageRepository
+metadata:
+  name: podinfo
+  namespace: flux-system
+spec:
+  image: ghcr.io/stefanprodan/podinfo
+  interval: 1m0s
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImagePolicy
+metadata:
+  name: podinfo
+  namespace: flux-system
+spec:
+  imageRepositoryRef:
+    name: podinfo
+  policy:
+    semver:
+      range: 5.2.x
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageUpdateAutomation
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  git:
+    checkout:
+      ref:
+        branch: main
+    commit:
+      author:
+        email: fluxcdbot@users.noreply.github.com
+        name: fluxcdbot
+      messageTemplate: '{{range .Updated.Images}}{{println .}}{{end}}'
+    push:
+      branch: main
+  update:
+    path: ./test-cluster/podinfo-auto
+    strategy: Setters

tests/image-automation/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: flux-system
+resources:
+  - https://raw.githubusercontent.com/stefanprodan/podinfo/5.2.0/kustomize/deployment.yaml
+  - auto.yaml
+images:
+  - name: ghcr.io/stefanprodan/podinfo
+    newName: ghcr.io/stefanprodan/podinfo
+    newTag: 5.2.0 # {"$imagepolicy": "flux-system:podinfo:tag"}

tests/image-automation/main.go

@@ -0,0 +1,71 @@
+package main
+
+import (
+	"context"
+	"log"
+	"os"
+
+	"github.com/fluxcd/go-git-providers/github"
+	"github.com/fluxcd/go-git-providers/gitprovider"
+	"k8s.io/client-go/util/retry"
+)
+
+func main() {
+	ksPath := "test-cluster/podinfo-auto/kustomization.yaml"
+	autoPath := "test-cluster/podinfo-auto/auto.yaml"
+
+	ksContent, err := os.ReadFile("kustomization.yaml")
+	if err != nil {
+		log.Fatal(err)
+	}
+	ks := string(ksContent)
+
+	autoContent, err := os.ReadFile("auto.yaml")
+	if err != nil {
+		log.Fatal(err)
+	}
+	auto := string(autoContent)
+
+	commitFiles := []gitprovider.CommitFile{
+		{
+			Path:    &ksPath,
+			Content: &ks,
+		},
+		{
+			Path:    &autoPath,
+			Content: &auto,
+		},
+	}
+
+	orgName := os.Getenv("GITHUB_ORG_NAME")
+	repoName := os.Getenv("GITHUB_REPO_NAME")
+	githubToken := os.Getenv(github.TokenVariable)
+	client, err := github.NewClient(gitprovider.WithOAuth2Token(githubToken))
+	if err != nil {
+		log.Fatalf("error initializing github client: %s", err)
+	}
+
+	repoRef := gitprovider.OrgRepositoryRef{
+		OrganizationRef: gitprovider.OrganizationRef{
+			Organization: orgName,
+			Domain:       github.DefaultDomain,
+		},
+		RepositoryName: repoName,
+	}
+
+	var repo gitprovider.OrgRepository
+	err = retry.OnError(retry.DefaultRetry, func(err error) bool {
+		return err != nil
+	}, func() error {
+		repo, err = client.OrgRepositories().Get(context.Background(), repoRef)
+		return err
+	})
+	if err != nil {
+		log.Fatalf("error getting %s repository in org %s: %s", repoRef.RepositoryName, repoRef.Organization, err)
+	}
+
+	_, err = repo.Commits().Create(context.Background(), "main", "automation test", commitFiles)
+	if err != nil {
+		log.Fatalf("error making commit: %s", err)
+	}
+}