Merge pull request #2305 from fluxcd/kubectl-1.23.1

Update kubectl to 1.23.1 in flux-cli container image

.github/aur/flux-go/PKGBUILD.template

@@ -12,7 +12,7 @@ provides=("flux-bin")
 conflicts=("flux-bin")
 replaces=("flux-cli")
 depends=("glibc")
-makedepends=('go>=1.16', 'kustomize>=3.0')
+makedepends=('go>=1.17', 'kustomize>=3.0')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
@@ -30,12 +30,20 @@ build() {
   export CGO_CXXFLAGS="$CXXFLAGS"
   export CGO_CPPFLAGS="$CPPFLAGS"
   export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
-  ./manifests/scripts/bundle.sh "${PWD}/manifests" "${PWD}/cmd/flux/manifests"
+  make cmd/flux/.manifests.done
   go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
 }
 
 check() {
   cd "flux2-${pkgver}"
+  case $CARCH in
+    aarch64)
+      export ENVTEST_ARCH=arm64
+      ;;
+    armv6h|armv7h)
+      export ENVTEST_ARCH=arm
+      ;;
+  esac
   make test
 }
 

.github/aur/flux-scm/PKGBUILD.template

@@ -11,7 +11,7 @@ license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 depends=("glibc")
-makedepends=('go>=1.16', 'kustomize>=3.0')
+makedepends=('go>=1.17', 'kustomize>=3.0', 'git')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
@@ -32,12 +32,20 @@ build() {
   export CGO_CXXFLAGS="$CXXFLAGS"
   export CGO_CPPFLAGS="$CPPFLAGS"
   export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
-  make cmd/flux/manifests
+  make cmd/flux/.manifests.done
   go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
 }
 
 check() {
   cd "flux2"
+  case $CARCH in
+    aarch64)
+      export ENVTEST_ARCH=arm64
+      ;;
+    armv6h|armv7h)
+      export ENVTEST_ARCH=arm
+      ;;
+  esac
   make test
 }
 

.github/runners/README.md

@@ -1,42 +1,72 @@
-# Flux GitHub runners
+# Flux ARM64 GitHub runners
 
-How to provision GitHub Actions self-hosted runners for Flux conformance testing.
+The Flux ARM64 end-to-end tests run on Equinix instances provisioned with Docker and GitHub self-hosted runners.
 
-## ARM64 Instance specs
+## Current instances
+
+| Runner        | Instance            | Region |
+|---------------|---------------------|--------|
+| equinix-arm-1 | flux-equinix-arm-01 | AMS1   |
+| equinix-arm-2 | flux-equinix-arm-01 | AMS1   |
+| equinix-arm-3 | flux-equinix-arm-01 | AMS1   |
+| equinix-arm-4 | flux-equinix-arm-02 | DFW2   |
+| equinix-arm-5 | flux-equinix-arm-02 | DFW2   |
+| equinix-arm-6 | flux-equinix-arm-02 | DFW2   |
+
+## Instance setup
 
 In order to add a new runner to the GitHub Actions pool,
-first create an instance on Oracle Cloud with the following configuration:
-- OS: Canonical Ubuntu 20.04
-- Shape: VM.Standard.A1.Flex
-- OCPU Count: 2 
-- Memory (GB): 12
-- Network Bandwidth (Gbps): 2
-- Local Disk: Block Storage Only  
+first create a server on Equinix with the following configuration:
+- Type: c2.large.arm
+- OS: Ubuntu 20.04
 
-Note that the instance image source must be **Canonical Ubuntu** instead of the default Oracle Linux.
-
-## ARM64 Instance setup
+### Install prerequisites
 
 - SSH into a newly created instance
 ```shell
-ssh ubuntu@<instance-public-IP>
+ssh root@<instance-public-IP>
 ``` 
-- Create the action runner dir
+
+- Create the ubuntu user
 ```shell
-mkdir -p actions-runner && cd actions-runner
+adduser ubuntu
+usermod -aG sudo ubuntu
+su - ubuntu
 ```
-- Download the provisioning script
+
+- Create the prerequisites dir
 ```shell
-curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/arm64.sh > arm64.sh \
-  && chmod +x ./arm64.sh
+mkdir -p prereq && cd prereq
 ```
+
+- Download the prerequisites script
+```shell
+curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/prereq.sh > prereq.sh \
+  && chmod +x ./prereq.sh
+```
+
+- Install the prerequisites
+```shell
+sudo ./prereq.sh
+```
+
+### Install runners
+
 - Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)
-- Run the provisioning script passing the token as the first argument
+
+- Create 3 directories `runner1`, `runner2`, `runner3`
+
+- In each dir run:
 ```shell
-sudo ./arm64.sh <TOKEN>
+curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/runner-setup.sh > runner-setup.sh \
+  && chmod +x ./runner-setup.sh
+
+./runner-setup.sh equinix-arm-<NUMBER> <TOKEN>
 ```
+
 - Reboot the instance
 ```shell
 sudo reboot
-```  
+```
+
 - Navigate to the GitHub repository [runners page](https://github.com/fluxcd/flux2/settings/actions/runners) and check the runner status

.github/runners/prereq.sh

@@ -14,19 +14,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# This script is meant to be run locally and in CI to validate the Kubernetes
-# manifests (including Flux custom resources) before changes are merged into
-# the branch synced by Flux in-cluster.
+# This script installs the prerequisites for running Flux end-to-end tests with Docker and GitHub self-hosted runners.
 
 set -eu
 
-REPOSITORY_TOKEN=$1
-REPOSITORY_URL=${2:-https://github.com/fluxcd/flux2}
-
 KIND_VERSION=0.11.1
 KUBECTL_VERSION=1.21.2
 KUSTOMIZE_VERSION=4.1.3
-GITHUB_RUNNER_VERSION=2.278.0
+HELM_VERSION=3.7.2
+GITHUB_RUNNER_VERSION=2.285.1
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq"
 
 # install prerequisites
@@ -57,6 +53,12 @@ curl -Lo ./kustomize.tar.gz https://github.com/kubernetes-sigs/kustomize/release
   && rm kustomize.tar.gz
 install -o root -g root -m 0755 kustomize /usr/local/bin/kustomize
 
+# install helm
+curl -Lo ./helm.tar.gz https://get.helm.sh/helm-v${HELM_VERSION}-linux-arm64.tar.gz \
+  && tar -zxvf helm.tar.gz \
+  && rm helm.tar.gz
+install -o root -g root -m 0755 linux-arm64/helm /usr/local/bin/helm
+
 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
   && tar xzf actions-runner-linux-arm64.tar.gz \
@@ -64,10 +66,3 @@ curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/r
 
 # install runner dependencies
 ./bin/installdependencies.sh
-
-# register runner with GitHub
-sudo -u ubuntu ./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN}
-
-# start runner
-./svc.sh install
-./svc.sh start

.github/runners/runner-setup.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The Flux authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script installs a GitHub self-hosted ARM64 runner for running Flux end-to-end tests.
+
+set -eu
+
+RUNNER_NAME=$1
+REPOSITORY_TOKEN=$2
+REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}
+
+GITHUB_RUNNER_VERSION=2.285.1
+
+# download runner
+curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
+  && tar xzf actions-runner-linux-arm64.tar.gz \
+  && rm actions-runner-linux-arm64.tar.gz
+
+# register runner with GitHub
+./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN} --name ${RUNNER_NAME}
+
+# start runner
+sudo ./svc.sh install
+sudo ./svc.sh start

.github/workflows/bootstrap.yaml

@@ -17,13 +17,13 @@ jobs:
         uses: actions/cache@v1
         with:
           path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.16-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
           restore-keys: |
-            ${{ runner.os }}-go1.16-
+            ${{ runner.os }}-go1.17-
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.x
+          go-version: 1.17.x
       - name: Setup Kubernetes
         uses: engineerd/setup-kind@v0.5.0
         with:
@@ -91,17 +91,38 @@ jobs:
         run: |
           /tmp/flux uninstall -s --keep-namespace
           kubectl delete ns flux-system --timeout=10m --wait=true
-      - name: bootstrap reinstall
+      - name: test image automation
         run: |
+          make setup-image-automation
           /tmp/flux bootstrap github --manifests ./manifests/install/ \
           --owner=fluxcd-testing \
           --repository=${{ steps.vars.outputs.test_repo_name }} \
           --branch=main \
           --path=test-cluster \
-          --team=team-z
+          --read-write-key
+          /tmp/flux reconcile image repository podinfo
+          /tmp/flux reconcile image update flux-system
+          /tmp/flux get images all
+          
+          retries=10
+          count=0
+          ok=false
+          until ${ok}; do
+              /tmp/flux get image update flux-system | grep 'commit' && ok=true || ok=false
+              count=$(($count + 1))
+              if [[ ${count} -eq ${retries} ]]; then
+                  echo "No more retries left"
+                  exit 1
+              fi
+              sleep 6
+              /tmp/flux reconcile image update flux-system
+          done
         env:
           GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
+          GITHUB_ORG_NAME: fluxcd-testing
       - name: delete repository
+        if: ${{ always() }}
         run: |
           curl \
             -X DELETE \

.github/workflows/e2e-arm64.yaml

@@ -3,21 +3,20 @@ name: e2e-arm64
 on:
   workflow_dispatch:
   push:
-    branches: [ main, update-components, arm64-e2e ]
+    branches: [ main, update-components, equinix-runners ]
 
 jobs:
-  ampere:
-    # Runner info
-    # Owner: Stefan Prodan
+  test:
+    # Hosted on Equinix
     # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
-    runs-on: [self-hosted, Linux, ARM64]
+    runs-on: [self-hosted, Linux, ARM64, equinix]
     steps:
       - name: Checkout
         uses: actions/checkout@v2
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.x
+          go-version: 1.17.x
       - name: Prepare
         id: prep
         run: |

.github/workflows/e2e-azure.yaml

@@ -17,13 +17,13 @@ jobs:
         uses: actions/cache@v1
         with:
           path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.16-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
           restore-keys: |
-            ${{ runner.os }}-go1.16-
+            ${{ runner.os }}-go1.17-
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.x
+          go-version: 1.17.x
       - name: Install libgit2
         run: |
           sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138

.github/workflows/e2e.yaml

@@ -2,7 +2,7 @@ name: e2e
 
 on:
   push:
-    branches: [ main ]
+    branches: [ main, e2e* ]
   pull_request:
     branches: [ main ]
 
@@ -16,26 +16,22 @@ jobs:
         uses: actions/cache@v1
         with:
           path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.16-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
           restore-keys: |
-            ${{ runner.os }}-go1.16-
+            ${{ runner.os }}-go1.17-
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.x
+          go-version: 1.17.x
       - name: Setup Kubernetes
         uses: engineerd/setup-kind@v0.5.0
         with:
           version: v0.11.1
           image: kindest/node:v1.19.11@sha256:07db187ae84b4b7de440a73886f008cf903fcf5764ba8106a9fd5243d6f32729
           config: .github/kind/config.yaml # disable KIND-net
-      - name: Setup envtest
-        uses: fluxcd/pkg/actions/envtest@main
-        with:
-          version: "1.21.x"
       - name: Setup Calico for network policy
         run: |
-          kubectl apply -f https://docs.projectcalico.org/v3.16/manifests/calico.yaml
+          kubectl apply -f https://docs.projectcalico.org/v3.20/manifests/calico.yaml
           kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
       - name: Setup Kustomize
         uses: fluxcd/pkg//actions/kustomize@main

.github/workflows/release.yaml

@@ -4,6 +4,11 @@ on:
   push:
     tags: [ 'v*' ]
 
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
@@ -15,16 +20,18 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.x
+          go-version: 1.17.x
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v1
-        with:
-          platforms: all
       - name: Setup Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v1
-        with:
-          buildkitd-flags: "--debug"
+      - name: Setup Syft
+        uses: anchore/sbom-action/download-syft@v0
+      - name: Setup Cosign
+        uses: sigstore/cosign-installer@main
+      - name: Setup Kustomize
+        uses: fluxcd/pkg//actions/kustomize@main
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v1
         with:
@@ -36,18 +43,6 @@ jobs:
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-      - name: Download release notes utility
-        env:
-          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
-        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
-      - name: Generate release notes
-        run: |
-          echo 'CHANGELOG' > /tmp/release.txt
-          github-release-notes -org fluxcd -repo toolkit -since-latest-release -include-author >> /tmp/release.txt
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
       - name: Generate manifests
         run: |
           make cmd/flux/.manifests.done
@@ -56,19 +51,32 @@ jobs:
       - name: Build CRDs
         run: |
           kustomize build manifests/crds > all-crds.yaml
+      # Pinned to commit before https://github.com/fluxcd/pkg/pull/189 due to
+      # introduction faulty behavior.
       - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg//actions/crdjsonschema@main
+        uses: fluxcd/pkg//actions/crdjsonschema@49e26aa2ee9e734c3233c560253fd9542afe18ae
         with:
           crd: all-crds.yaml
           output: schemas
       - name: Archive the OpenAPI JSON schemas
         run: |
           tar -czvf ./output/crd-schemas.tar.gz -C schemas .
+      - name: Download release notes utility
+        env:
+          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
+        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
+      - name: Generate release notes
+        run: |
+          NOTES="./output/notes.md"
+          echo '## CLI Changelog' > ${NOTES}
+          github-release-notes -org fluxcd -repo flux2 -since-latest-release -include-author >> ${NOTES}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v1
         with:
           version: latest
-          args: release --release-notes=/tmp/release.txt --skip-validate
+          args: release --release-notes=output/notes.md --skip-validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}

.github/workflows/update.yaml

@@ -16,7 +16,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.x
+          go-version: 1.17.x
       - name: Update component versions
         id: update
         run: |

.gitignore

@@ -20,6 +20,7 @@ bin/
 output/
 cmd/flux/manifests/
 cmd/flux/.manifests.done
+testbin/
 
 # Docs
 site/

.goreleaser.yml

@@ -40,6 +40,36 @@ archives:
     format: zip
     files:
       - none*
+source:
+  enabled: true
+  name_template: '{{ .ProjectName }}_{{ .Version }}_source_code'
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+release:
+  extra_files:
+    - glob: output/crd-schemas.tar.gz
+    - glob: output/manifests.tar.gz
+    - glob: output/install.yaml
+checksum:
+  extra_files:
+    - glob: output/crd-schemas.tar.gz
+    - glob: output/manifests.tar.gz
+    - glob: output/install.yaml
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: checksum
+    output: true
 brews:
   - name: flux
     tap:
@@ -78,17 +108,12 @@ publishers:
       - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
     cmd: |
       .github/aur/flux-go/publish.sh {{ .Version }}
-release:
-  extra_files:
-    - glob: ./output/crd-schemas.tar.gz
-    - glob: ./output/manifests.tar.gz
-    - glob: ./output/install.yaml
 dockers:
 - image_templates:
     - 'fluxcd/flux-cli:{{ .Tag }}-amd64'
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
   dockerfile: Dockerfile
-  use_buildx: true
+  use: buildx
   goos: linux
   goarch: amd64
   build_flag_templates:
@@ -104,7 +129,7 @@ dockers:
     - 'fluxcd/flux-cli:{{ .Tag }}-arm64'
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
   dockerfile: Dockerfile
-  use_buildx: true
+  use: buildx
   goos: linux
   goarch: arm64
   build_flag_templates:
@@ -120,7 +145,7 @@ dockers:
     - 'fluxcd/flux-cli:{{ .Tag }}-arm'
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
   dockerfile: Dockerfile
-  use_buildx: true
+  use: buildx
   goos: linux
   goarch: arm
   goarm: 7
@@ -144,3 +169,12 @@ docker_manifests:
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
+docker_signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    args:
+      - sign
+      - '${artifact}'
+    artifacts: all
+    output: true

Dockerfile

@@ -1,15 +1,15 @@
-FROM alpine:3.13 as builder
+FROM alpine:3.15 as builder
 
 RUN apk add --no-cache ca-certificates curl
 
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.22.2
+ARG KUBECTL_VER=1.23.1
 
 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
     -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
     kubectl version --client=true
 
-FROM alpine:3.13 as flux-cli
+FROM alpine:3.15 as flux-cli
 
 # Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
 # https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460

MAINTAINERS

@@ -12,9 +12,9 @@ should.
 
 In alphabetical order:
 
-Aurel Canciu, Sortlist <aurel@sortlist.com> (github: @relu, slack: relu)
+Aurel Canciu, NexHealth <aurel.canciu@nexhealth.com> (github: @relu, slack: relu)
 Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
-Max Jonas Werner, D2iQ <mwerner@d2iq.com> (github: @makkes, slack: max)
+Max Jonas Werner, D2iQ <max@e13.dev> (github: @makkes, slack: max)
 Philip Laine, Xenit <philip.laine@xenit.se> (github: @phillebaba, slack: phillebaba)
 Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)
 Sunny, Weaveworks <sunny@weave.works> (github: @darkowlzz, slack: darkowlzz)

Makefile

@@ -1,8 +1,8 @@
 VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | head -n 1 | tr -d '"')
 EMBEDDED_MANIFESTS_TARGET=cmd/flux/.manifests.done
 TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
-ENVTEST_BIN_VERSION?=latest
-KUBEBUILDER_ASSETS?=$(shell $(SETUP_ENVTEST) use -i $(ENVTEST_BIN_VERSION) -p path)
+# Architecture to use envtest with
+ENVTEST_ARCH ?= amd64
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -17,6 +17,7 @@ all: test build
 
 tidy:
 	go mod tidy
+	cd tests/azure && go mod tidy
 
 fmt:
 	go fmt ./...
@@ -33,6 +34,7 @@ cleanup-kind:
 	kind delete cluster --name=flux-e2e-test
 	rm $(TEST_KUBECONFIG)
 
+KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
 test: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet install-envtest
 	KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test ./... -coverprofile cover.out --tags=unit
 
@@ -58,24 +60,33 @@ install:
 install-dev:
 	CGO_ENABLED=0 go build -o /usr/local/bin ./cmd/flux
 
-install-envtest:  setup-envtest
-	 $(SETUP_ENVTEST) use $(ENVTEST_BIN_VERSION)
-
 setup-bootstrap-patch:
 	go run ./tests/bootstrap/main.go
 
-# Find or download setup-envtest
-setup-envtest:
-ifeq (, $(shell which setup-envtest))
-	@{ \
-	set -e ;\
-	SETUP_ENVTEST_TMP_DIR=$$(mktemp -d) ;\
-	cd $$SETUP_ENVTEST_TMP_DIR ;\
-	go mod init tmp ;\
-	go get sigs.k8s.io/controller-runtime/tools/setup-envtest@latest ;\
-	rm -rf $$SETUP_ENVTEST_TMP_DIR ;\
-	}
-SETUP_ENVTEST=$(GOBIN)/setup-envtest
-else
-SETUP_ENVTEST=$(shell which setup-envtest)
-endif
+setup-image-automation:
+	cd tests/image-automation && go run main.go
+
+ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
+ENVTEST_KUBERNETES_VERSION?=latest
+install-envtest: setup-envtest
+	mkdir -p ${ENVTEST_ASSETS_DIR}
+	$(ENVTEST) use $(ENVTEST_KUBERNETES_VERSION) --arch=$(ENVTEST_ARCH) --bin-dir=$(ENVTEST_ASSETS_DIR)
+
+ENVTEST = $(shell pwd)/bin/setup-envtest
+.PHONY: envtest
+setup-envtest: ## Download envtest-setup locally if necessary.
+	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
+
+# go-install-tool will 'go install' any package $2 and install it to $1.
+PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+define go-install-tool
+@[ -f $(1) ] || { \
+set -e ;\
+TMP_DIR=$$(mktemp -d) ;\
+cd $$TMP_DIR ;\
+go mod init tmp ;\
+echo "Downloading $(2)" ;\
+GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
+rm -rf $$TMP_DIR ;\
+}
+endef

action/action.yml

@@ -12,6 +12,9 @@ inputs:
     description: "arch can be amd64, arm64 or arm"
     required: true
     default: "amd64"
+  bindir:
+    description: "Optional location of the Flux binary. Will not use sudo if set. Updates System Path."
+    required: false
 runs:
   using: composite
   steps:
@@ -29,10 +32,16 @@ runs:
         curl -sL ${BIN_URL} -o /tmp/flux.tar.gz
         mkdir -p /tmp/flux
         tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
-    - name: "Add flux binary to /usr/local/bin"
+    - name: "Copy Flux binary to execute location"
       shell: bash
       run: |
-        sudo cp /tmp/flux/flux /usr/local/bin
+        BINDIR=${{ inputs.bindir }}
+        if [ -z $BINDIR ]; then
+          sudo cp /tmp/flux/flux /usr/local/bin
+        else
+          cp /tmp/flux/flux "${BINDIR}"
+          echo "${BINDIR}" >> $GITHUB_PATH
+        fi
     - name: "Cleanup tmp"
       shell: bash
       run: |

cmd/flux/bootstrap_bitbucket_server.go

@@ -0,0 +1,279 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/spf13/cobra"
+
+	"github.com/fluxcd/flux2/internal/bootstrap"
+	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
+	"github.com/fluxcd/flux2/internal/bootstrap/provider"
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+)
+
+var bootstrapBServerCmd = &cobra.Command{
+	Use:   "bitbucket-server",
+	Short: "Bootstrap toolkit components in a Bitbucket Server repository",
+	Long: `The bootstrap bitbucket-server command creates the Bitbucket Server repository if it doesn't exists and
+commits the toolkit components manifests to the master branch.
+Then it configures the target cluster to synchronize with the repository.
+If the toolkit components are present on the cluster,
+the bootstrap command will perform an upgrade if needed.`,
+	Example: `  # Create a Bitbucket Server API token and export it as an env var
+  export BITBUCKET_TOKEN=<my-token>
+
+  # Run bootstrap for a private repository using HTTPS token authentication
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth
+
+  # Run bootstrap for a private repository using SSH authentication
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain>
+
+  # Run bootstrap for a repository path
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --path=dev-cluster --hostname=<domain>
+
+  # Run bootstrap for a public repository on a personal account
+  flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth
+
+  # Run bootstrap for a an existing repository with a branch named main
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth`,
+	RunE: bootstrapBServerCmdRun,
+}
+
+const (
+	bServerDefaultPermission = "push"
+	bServerTokenEnvVar       = "BITBUCKET_TOKEN"
+)
+
+type bServerFlags struct {
+	owner        string
+	repository   string
+	interval     time.Duration
+	personal     bool
+	username     string
+	private      bool
+	hostname     string
+	path         flags.SafeRelativePath
+	teams        []string
+	readWriteKey bool
+	reconcile    bool
+}
+
+var bServerArgs bServerFlags
+
+func init() {
+	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.owner, "owner", "", "Bitbucket Server user or project name")
+	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.repository, "repository", "", "Bitbucket Server repository name")
+	bootstrapBServerCmd.Flags().StringSliceVar(&bServerArgs.teams, "group", []string{}, "Bitbucket Server groups to be given write access (also accepts comma-separated values)")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.personal, "personal", false, "if true, the owner is assumed to be a Bitbucket Server user; otherwise a group")
+	bootstrapBServerCmd.Flags().StringVarP(&bServerArgs.username, "username", "u", "git", "authentication username")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.private, "private", true, "if true, the repository is setup or configured as private")
+	bootstrapBServerCmd.Flags().DurationVar(&bServerArgs.interval, "interval", time.Minute, "sync interval")
+	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.hostname, "hostname", "", "Bitbucket Server hostname")
+	bootstrapBServerCmd.Flags().Var(&bServerArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
+
+	bootstrapCmd.AddCommand(bootstrapBServerCmd)
+}
+
+func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
+	bitbucketToken := os.Getenv(bServerTokenEnvVar)
+	if bitbucketToken == "" {
+		var err error
+		bitbucketToken, err = readPasswordFromStdin("Please enter your Bitbucket personal access token (PAT): ")
+		if err != nil {
+			return fmt.Errorf("could not read token: %w", err)
+		}
+	}
+
+	if bServerArgs.hostname == "" {
+		return fmt.Errorf("invalid hostname %q", bServerArgs.hostname)
+	}
+
+	if err := bootstrapValidate(); err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	if err != nil {
+		return err
+	}
+
+	// Manifest base
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+		bootstrapArgs.version = ver
+	}
+	manifestsBase, err := buildEmbeddedManifestBase()
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(manifestsBase)
+
+	user := bServerArgs.username
+	if bServerArgs.personal {
+		user = bServerArgs.owner
+	}
+
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+
+	// Build Bitbucket Server provider
+	providerCfg := provider.Config{
+		Provider: provider.GitProviderStash,
+		Hostname: bServerArgs.hostname,
+		Username: user,
+		Token:    bitbucketToken,
+		CaBundle: caBundle,
+	}
+
+	providerClient, err := provider.BuildGitProvider(providerCfg)
+	if err != nil {
+		return err
+	}
+
+	// Lazy go-git repository
+	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+	if err != nil {
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+	gitClient := gogit.New(tmpDir, &http.BasicAuth{
+		Username: user,
+		Password: bitbucketToken,
+	})
+
+	// Install manifest config
+	installOptions := install.Options{
+		BaseURL:                rootArgs.defaults.BaseURL,
+		Version:                bootstrapArgs.version,
+		Namespace:              *kubeconfigArgs.Namespace,
+		Components:             bootstrapComponents(),
+		Registry:               bootstrapArgs.registry,
+		ImagePullSecret:        bootstrapArgs.imagePullSecret,
+		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
+		NetworkPolicy:          bootstrapArgs.networkPolicy,
+		LogLevel:               bootstrapArgs.logLevel.String(),
+		NotificationController: rootArgs.defaults.NotificationController,
+		ManifestFile:           rootArgs.defaults.ManifestFile,
+		Timeout:                rootArgs.timeout,
+		TargetPath:             bServerArgs.path.ToSlash(),
+		ClusterDomain:          bootstrapArgs.clusterDomain,
+		TolerationKeys:         bootstrapArgs.tolerationKeys,
+	}
+	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
+		installOptions.BaseURL = customBaseURL
+	}
+
+	// Source generation and secret config
+	secretOpts := sourcesecret.Options{
+		Name:         bootstrapArgs.secretName,
+		Namespace:    *kubeconfigArgs.Namespace,
+		TargetPath:   bServerArgs.path.String(),
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
+	}
+	if bootstrapArgs.tokenAuth {
+		if bServerArgs.personal {
+			secretOpts.Username = bServerArgs.owner
+		} else {
+			secretOpts.Username = bServerArgs.username
+		}
+		secretOpts.Password = bitbucketToken
+
+		if bootstrapArgs.caFile != "" {
+			secretOpts.CAFilePath = bootstrapArgs.caFile
+		}
+	} else {
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
+		secretOpts.SSHHostname = bServerArgs.hostname
+
+		if bootstrapArgs.privateKeyFile != "" {
+			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
+		}
+		if bootstrapArgs.sshHostname != "" {
+			secretOpts.SSHHostname = bootstrapArgs.sshHostname
+		}
+	}
+
+	// Sync manifest config
+	syncOpts := sync.Options{
+		Interval:          bServerArgs.interval,
+		Name:              *kubeconfigArgs.Namespace,
+		Namespace:         *kubeconfigArgs.Namespace,
+		Branch:            bootstrapArgs.branch,
+		Secret:            bootstrapArgs.secretName,
+		TargetPath:        bServerArgs.path.ToSlash(),
+		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		GitImplementation: sourceGitArgs.gitImplementation.String(),
+		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
+	}
+
+	// Bootstrap config
+	bootstrapOpts := []bootstrap.GitProviderOption{
+		bootstrap.WithProviderRepository(bServerArgs.owner, bServerArgs.repository, bServerArgs.personal),
+		bootstrap.WithBranch(bootstrapArgs.branch),
+		bootstrap.WithBootstrapTransportType("https"),
+		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
+		bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
+		bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
+		bootstrap.WithKubeconfig(kubeconfigArgs),
+		bootstrap.WithLogger(logger),
+		bootstrap.WithCABundle(caBundle),
+	}
+	if bootstrapArgs.sshHostname != "" {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
+	}
+	if bootstrapArgs.tokenAuth {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
+	}
+	if !bServerArgs.private {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
+	}
+	if bServerArgs.reconcile {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
+	}
+
+	// Setup bootstrapper with constructed configs
+	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
+	if err != nil {
+		return err
+	}
+
+	// Run
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
+}

cmd/flux/bootstrap_git.go

@@ -101,7 +101,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -128,7 +128,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
-		Namespace:              rootArgs.namespace,
+		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
@@ -149,7 +149,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
-		Namespace:    rootArgs.namespace,
+		Namespace:    *kubeconfigArgs.Namespace,
 		TargetPath:   gitArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
@@ -161,10 +161,15 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 
+		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
+		// This _might_ be overwritten later on by e.g. --ssh-hostname
+		if repositoryURL.Scheme != "https" && repositoryURL.Scheme != "http" {
+			repositoryURL.Host = repositoryURL.Hostname()
+		}
+
 		// Configure repository URL to match auth config for sync.
 		repositoryURL.User = nil
 		repositoryURL.Scheme = "https"
-		repositoryURL.Host = repositoryURL.Hostname()
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.Password = gitArgs.password
@@ -194,8 +199,8 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          gitArgs.interval,
-		Name:              rootArgs.namespace,
-		Namespace:         rootArgs.namespace,
+		Name:              *kubeconfigArgs.Namespace,
+		Namespace:         *kubeconfigArgs.Namespace,
 		URL:               repositoryURL.String(),
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
@@ -220,7 +225,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
-		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
+		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithPostGenerateSecretFunc(promptPublicKey),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),

cmd/flux/bootstrap_github.go

@@ -125,7 +125,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -140,11 +140,20 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	defer os.RemoveAll(manifestsBase)
 
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
 	// Build GitHub provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitHub,
 		Hostname: githubArgs.hostname,
 		Token:    ghToken,
+		CaBundle: caBundle,
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
@@ -166,7 +175,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
-		Namespace:              rootArgs.namespace,
+		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
@@ -187,7 +196,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
-		Namespace:    rootArgs.namespace,
+		Namespace:    *kubeconfigArgs.Namespace,
 		TargetPath:   githubArgs.path.ToSlash(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
@@ -212,8 +221,8 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          githubArgs.interval,
-		Name:              rootArgs.namespace,
-		Namespace:         rootArgs.namespace,
+		Name:              *kubeconfigArgs.Namespace,
+		Namespace:         *kubeconfigArgs.Namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        githubArgs.path.ToSlash(),
@@ -231,8 +240,9 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(githubArgs.teams, ghDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(githubArgs.readWriteKey),
-		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
+		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithLogger(logger),
+		bootstrap.WithCABundle(caBundle),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/bootstrap_gitlab.go

@@ -129,7 +129,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -144,11 +144,21 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	defer os.RemoveAll(manifestsBase)
 
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+
 	// Build GitLab provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitLab,
 		Hostname: gitlabArgs.hostname,
 		Token:    glToken,
+		CaBundle: caBundle,
 	}
 	// Workaround for: https://github.com/fluxcd/go-git-providers/issues/55
 	if hostname := providerCfg.Hostname; hostname != glDefaultDomain &&
@@ -176,7 +186,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
-		Namespace:              rootArgs.namespace,
+		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
@@ -197,7 +207,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
-		Namespace:    rootArgs.namespace,
+		Namespace:    *kubeconfigArgs.Namespace,
 		TargetPath:   gitlabArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
@@ -225,8 +235,8 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          gitlabArgs.interval,
-		Name:              rootArgs.namespace,
-		Namespace:         rootArgs.namespace,
+		Name:              *kubeconfigArgs.Namespace,
+		Namespace:         *kubeconfigArgs.Namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        gitlabArgs.path.ToSlash(),
@@ -244,8 +254,9 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(gitlabArgs.teams, glDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(gitlabArgs.readWriteKey),
-		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
+		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithLogger(logger),
+		bootstrap.WithCABundle(caBundle),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/check.go

@@ -128,7 +128,7 @@ func fluxCheck() {
 }
 
 func kubernetesCheck(constraints []string) bool {
-	cfg, err := utils.KubeConfig(rootArgs.kubeconfig, rootArgs.kubecontext)
+	cfg, err := utils.KubeConfig(kubeconfigArgs)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
 		return false
@@ -176,7 +176,7 @@ func componentsCheck() bool {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeConfig, err := utils.KubeConfig(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeConfig, err := utils.KubeConfig(kubeconfigArgs)
 	if err != nil {
 		return false
 	}
@@ -186,7 +186,7 @@ func componentsCheck() bool {
 		return false
 	}
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return false
 	}
@@ -194,7 +194,7 @@ func componentsCheck() bool {
 	ok := true
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list v1.DeploymentList
-	if err := kubeClient.List(ctx, &list, client.InNamespace(rootArgs.namespace), selector); err == nil {
+	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
 		for _, d := range list.Items {
 			if ref, err := buildComponentObjectRefs(d.Name); err == nil {
 				if err := statusChecker.Assess(ref...); err != nil {

cmd/flux/check_test.go

@@ -1,3 +1,4 @@
+//go:build e2e
 // +build e2e
 
 /*
@@ -29,7 +30,7 @@ import (
 )
 
 func TestCheckPre(t *testing.T) {
-	jsonOutput, err := utils.ExecKubectlCommand(context.TODO(), utils.ModeCapture, rootArgs.kubeconfig, rootArgs.kubecontext, "version", "--output", "json")
+	jsonOutput, err := utils.ExecKubectlCommand(context.TODO(), utils.ModeCapture, *kubeconfigArgs.KubeConfig, *kubeconfigArgs.Context, "version", "--output", "json")
 	if err != nil {
 		t.Fatalf("Error running utils.ExecKubectlCommand: %v", err.Error())
 	}

cmd/flux/completion.go

@@ -25,10 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/client-go/discovery"
-	memory "k8s.io/client-go/discovery/cached"
 	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/restmapper"
 )
 
 var completionCmd = &cobra.Command{
@@ -42,7 +39,7 @@ func init() {
 }
 
 func contextsCompletionFunc(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-	rawConfig, err := utils.ClientConfig(rootArgs.kubeconfig, rootArgs.kubecontext).RawConfig()
+	rawConfig, err := kubeconfigArgs.ToRawKubeConfigLoader().RawConfig()
 	if err != nil {
 		return completionError(err)
 	}
@@ -63,16 +60,15 @@ func resourceNamesCompletionFunc(gvk schema.GroupVersionKind) func(cmd *cobra.Co
 		ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 		defer cancel()
 
-		cfg, err := utils.KubeConfig(rootArgs.kubeconfig, rootArgs.kubecontext)
+		cfg, err := utils.KubeConfig(kubeconfigArgs)
 		if err != nil {
 			return completionError(err)
 		}
 
-		dc, err := discovery.NewDiscoveryClientForConfig(cfg)
+		mapper, err := kubeconfigArgs.ToRESTMapper()
 		if err != nil {
 			return completionError(err)
 		}
-		mapper := restmapper.NewDeferredDiscoveryRESTMapper(memory.NewMemCacheClient(dc))
 
 		mapping, err := mapper.RESTMapping(gvk.GroupKind(), gvk.Version)
 		if err != nil {
@@ -86,7 +82,7 @@ func resourceNamesCompletionFunc(gvk schema.GroupVersionKind) func(cmd *cobra.Co
 
 		var dr dynamic.ResourceInterface
 		if mapping.Scope.Name() == meta.RESTScopeNameNamespace {
-			dr = client.Resource(mapping.Resource).Namespace(rootArgs.namespace)
+			dr = client.Resource(mapping.Resource).Namespace(*kubeconfigArgs.Namespace)
 		} else {
 			dr = client.Resource(mapping.Resource)
 		}

cmd/flux/create.go

@@ -104,7 +104,7 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext) // NB globals
+	kubeClient, err := utils.KubeClient(kubeconfigArgs) // NB globals
 	if err != nil {
 		return err
 	}

cmd/flux/create_alert.go

@@ -102,7 +102,7 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	alert := notificationv1.Alert{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.AlertSpec{
@@ -122,7 +122,7 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}

cmd/flux/create_alertprovider.go

@@ -94,7 +94,7 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	provider := notificationv1.Provider{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.ProviderSpec{
@@ -118,7 +118,7 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}

cmd/flux/create_helmrelease.go

@@ -160,7 +160,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	helmRelease := helmv2.HelmRelease{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: helmv2.HelmReleaseSpec{
@@ -250,7 +250,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}

cmd/flux/create_image_policy.go

@@ -101,7 +101,7 @@ func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 	var policy = imagev1.ImagePolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    labels,
 		},
 		Spec: imagev1.ImagePolicySpec{

cmd/flux/create_image_repository.go

@@ -104,7 +104,7 @@ func createImageRepositoryRun(cmd *cobra.Command, args []string) error {
 	var repo = imagev1.ImageRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    labels,
 		},
 		Spec: imagev1.ImageRepositorySpec{

cmd/flux/create_image_update.go

@@ -108,7 +108,7 @@ func createImageUpdateRun(cmd *cobra.Command, args []string) error {
 	var update = autov1.ImageUpdateAutomation{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    labels,
 		},
 		Spec: autov1.ImageUpdateAutomationSpec{

cmd/flux/create_kustomization.go

@@ -143,7 +143,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	kustomization := kustomizev1.Kustomization{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    kslabels,
 		},
 		Spec: kustomizev1.KustomizationSpec{
@@ -232,7 +232,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}

cmd/flux/create_receiver.go

@@ -109,7 +109,7 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	receiver := notificationv1.Receiver{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.ReceiverSpec{
@@ -130,7 +130,7 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_git.go

@@ -132,7 +132,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 
 	opts := sourcesecret.Options{
 		Name:         name,
-		Namespace:    rootArgs.namespace,
+		Namespace:    *kubeconfigArgs.Namespace,
 		Labels:       labels,
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
@@ -176,14 +176,14 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
-	logger.Actionf("git secret '%s' created in '%s' namespace", name, rootArgs.namespace)
+	logger.Actionf("git secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 
 	return nil
 }

cmd/flux/create_secret_git_test.go

@@ -22,12 +22,12 @@ func TestCreateGitSecret(t *testing.T) {
 		},
 		{
 			name:   "ssh key",
-			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/rsa.private --namespace=my-namespace --export",
+			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa.private --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret.yaml"),
 		},
 		{
 			name:   "ssh key with password",
-			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/rsa-password.private --password=password --namespace=my-namespace --export",
+			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
 		},
 	}

cmd/flux/create_secret_helm.go

@@ -80,7 +80,7 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 
 	opts := sourcesecret.Options{
 		Name:         name,
-		Namespace:    rootArgs.namespace,
+		Namespace:    *kubeconfigArgs.Namespace,
 		Labels:       labels,
 		Username:     secretHelmArgs.username,
 		Password:     secretHelmArgs.password,
@@ -100,7 +100,7 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -112,6 +112,6 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	logger.Actionf("helm secret '%s' created in '%s' namespace", name, rootArgs.namespace)
+	logger.Actionf("helm secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }

cmd/flux/create_secret_tls.go

@@ -79,7 +79,7 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 
 	opts := sourcesecret.Options{
 		Name:         name,
-		Namespace:    rootArgs.namespace,
+		Namespace:    *kubeconfigArgs.Namespace,
 		Labels:       labels,
 		CAFilePath:   secretTLSArgs.caFile,
 		CertFilePath: secretTLSArgs.certFile,
@@ -97,7 +97,7 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -109,6 +109,6 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	logger.Actionf("tls secret '%s' created in '%s' namespace", name, rootArgs.namespace)
+	logger.Actionf("tls secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }

cmd/flux/create_source_bucket.go

@@ -120,7 +120,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	bucket := &sourcev1.Bucket{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.BucketSpec{
@@ -152,7 +152,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -165,7 +165,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      secretName,
-				Namespace: rootArgs.namespace,
+				Namespace: *kubeconfigArgs.Namespace,
 				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{},

cmd/flux/create_source_git.go

@@ -193,7 +193,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	gitRepository := sourcev1.GitRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.GitRepositorySpec{
@@ -235,7 +235,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -244,7 +244,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	if sourceGitArgs.secretRef == "" {
 		secretOpts := sourcesecret.Options{
 			Name:         name,
-			Namespace:    rootArgs.namespace,
+			Namespace:    *kubeconfigArgs.Namespace,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
 		switch u.Scheme {

cmd/flux/create_source_git_test.go

@@ -1,3 +1,4 @@
+//go:build unit
 // +build unit
 
 /*

cmd/flux/create_source_helm.go

@@ -118,7 +118,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	helmRepository := &sourcev1.HelmRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.HelmRepositorySpec{
@@ -147,7 +147,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -157,7 +157,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		secretName := fmt.Sprintf("helm-%s", name)
 		secretOpts := sourcesecret.Options{
 			Name:         secretName,
-			Namespace:    rootArgs.namespace,
+			Namespace:    *kubeconfigArgs.Namespace,
 			Username:     sourceHelmArgs.username,
 			Password:     sourceHelmArgs.password,
 			CertFilePath: sourceHelmArgs.certFile,

cmd/flux/create_tenant.go

@@ -159,7 +159,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}

cmd/flux/delete.go

@@ -60,13 +60,13 @@ func (del deleteCommand) run(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
 	namespacedName := types.NamespacedName{
-		Namespace: rootArgs.namespace,
+		Namespace: *kubeconfigArgs.Namespace,
 		Name:      name,
 	}
 
@@ -85,7 +85,7 @@ func (del deleteCommand) run(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	logger.Actionf("deleting %s %s in %s namespace", del.humanKind, name, rootArgs.namespace)
+	logger.Actionf("deleting %s %s in %s namespace", del.humanKind, name, *kubeconfigArgs.Namespace)
 	err = kubeClient.Delete(ctx, del.object.asClientObject())
 	if err != nil {
 		return err

cmd/flux/export.go

@@ -20,6 +20,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -73,19 +74,19 @@ func (export exportCommand) run(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
 	if exportArgs.all {
-		err = kubeClient.List(ctx, export.list.asClientList(), client.InNamespace(rootArgs.namespace))
+		err = kubeClient.List(ctx, export.list.asClientList(), client.InNamespace(*kubeconfigArgs.Namespace))
 		if err != nil {
 			return err
 		}
 
 		if export.list.len() == 0 {
-			return fmt.Errorf("no objects found in %s namespace", rootArgs.namespace)
+			return fmt.Errorf("no objects found in %s namespace", *kubeconfigArgs.Namespace)
 		}
 
 		for i := 0; i < export.list.len(); i++ {
@@ -96,7 +97,7 @@ func (export exportCommand) run(cmd *cobra.Command, args []string) error {
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Name:      name,
 		}
 		err = kubeClient.Get(ctx, namespacedName, export.object.asClientObject())

cmd/flux/export_secret.go

@@ -19,6 +19,7 @@ package main
 import (
 	"context"
 	"fmt"
+
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -58,19 +59,19 @@ func (export exportWithSecretCommand) run(cmd *cobra.Command, args []string) err
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
 	if exportArgs.all {
-		err = kubeClient.List(ctx, export.list.asClientList(), client.InNamespace(rootArgs.namespace))
+		err = kubeClient.List(ctx, export.list.asClientList(), client.InNamespace(*kubeconfigArgs.Namespace))
 		if err != nil {
 			return err
 		}
 
 		if export.list.len() == 0 {
-			return fmt.Errorf("no objects found in %s namespace", rootArgs.namespace)
+			return fmt.Errorf("no objects found in %s namespace", *kubeconfigArgs.Namespace)
 		}
 
 		for i := 0; i < export.list.len(); i++ {
@@ -88,7 +89,7 @@ func (export exportWithSecretCommand) run(cmd *cobra.Command, args []string) err
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Name:      name,
 		}
 		err = kubeClient.Get(ctx, namespacedName, export.object.asClientObject())

cmd/flux/export_test.go

@@ -1,3 +1,4 @@
+//go:build unit
 // +build unit
 
 package main

cmd/flux/get.go

@@ -135,14 +135,14 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
 	var listOpts []client.ListOption
 	if !getArgs.allNamespaces {
-		listOpts = append(listOpts, client.InNamespace(rootArgs.namespace))
+		listOpts = append(listOpts, client.InNamespace(*kubeconfigArgs.Namespace))
 	}
 
 	if len(args) > 0 {
@@ -162,7 +162,7 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 
 	if get.list.len() == 0 {
 		if !getAll {
-			logger.Failuref("no %s objects found in %s namespace", get.kind, rootArgs.namespace)
+			logger.Failuref("no %s objects found in %s namespace", get.kind, *kubeconfigArgs.Namespace)
 		}
 		return nil
 	}

cmd/flux/helmrelease_test.go

@@ -1,3 +1,4 @@
+//go:build e2e
 // +build e2e
 
 /*

cmd/flux/image_test.go

@@ -1,3 +1,4 @@
+//go:build e2e
 // +build e2e
 
 package main

cmd/flux/install.go

@@ -131,7 +131,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating manifests")
 	}
 
-	tmpDir, err := os.MkdirTemp("", rootArgs.namespace)
+	tmpDir, err := os.MkdirTemp("", *kubeconfigArgs.Namespace)
 	if err != nil {
 		return err
 	}
@@ -148,7 +148,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	opts := install.Options{
 		BaseURL:                installArgs.manifestsPath,
 		Version:                installArgs.version,
-		Namespace:              rootArgs.namespace,
+		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             components,
 		Registry:               installArgs.registry,
 		ImagePullSecret:        installArgs.imagePullSecret,
@@ -156,7 +156,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		NetworkPolicy:          installArgs.networkPolicy,
 		LogLevel:               installArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
-		ManifestFile:           fmt.Sprintf("%s.yaml", rootArgs.namespace),
+		ManifestFile:           fmt.Sprintf("%s.yaml", *kubeconfigArgs.Namespace),
 		Timeout:                rootArgs.timeout,
 		ClusterDomain:          installArgs.clusterDomain,
 		TolerationKeys:         installArgs.tolerationKeys,
@@ -183,21 +183,21 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Successf("manifests build completed")
-	logger.Actionf("installing components in %s namespace", rootArgs.namespace)
+	logger.Actionf("installing components in %s namespace", *kubeconfigArgs.Namespace)
 
 	if installArgs.dryRun {
 		logger.Successf("install dry-run finished")
 		return nil
 	}
 
-	applyOutput, err := utils.Apply(ctx, rootArgs.kubeconfig, rootArgs.kubecontext, filepath.Join(tmpDir, manifest.Path))
+	applyOutput, err := utils.Apply(ctx, kubeconfigArgs, filepath.Join(tmpDir, manifest.Path))
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
 	}
 
 	fmt.Fprintln(os.Stderr, applyOutput)
 
-	kubeConfig, err := utils.KubeConfig(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeConfig, err := utils.KubeConfig(kubeconfigArgs)
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
 	}

cmd/flux/kustomization_test.go

@@ -1,3 +1,4 @@
+//go:build e2e
 // +build e2e
 
 /*

cmd/flux/logs.go

@@ -99,7 +99,7 @@ func logsCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	cfg, err := utils.KubeConfig(rootArgs.kubeconfig, rootArgs.kubecontext)
+	cfg, err := utils.KubeConfig(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -278,7 +278,7 @@ func filterPrintLog(t *template.Template, l *ControllerLogEntry) {
 	if logsArgs.logLevel != "" && logsArgs.logLevel != l.Level ||
 		logsArgs.kind != "" && strings.ToLower(logsArgs.kind) != strings.ToLower(l.Kind) ||
 		logsArgs.name != "" && strings.ToLower(logsArgs.name) != strings.ToLower(l.Name) ||
-		!logsArgs.allNamespaces && strings.ToLower(rootArgs.namespace) != strings.ToLower(l.Namespace) {
+		!logsArgs.allNamespaces && strings.ToLower(*kubeconfigArgs.Namespace) != strings.ToLower(l.Namespace) {
 		return
 	}
 

cmd/flux/logs_test.go

@@ -1,3 +1,4 @@
+//go:build unit
 // +build unit
 
 /*

cmd/flux/main.go

@@ -21,13 +21,13 @@ import (
 	"fmt"
 	"log"
 	"os"
-	"path/filepath"
 	"strings"
 	"time"
 
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
@@ -99,9 +99,6 @@ Command line utility for assembling Kubernetes CD pipelines the GitOps way.`,
 var logger = stderrLogger{stderr: os.Stderr}
 
 type rootFlags struct {
-	kubeconfig   string
-	kubecontext  string
-	namespace    string
 	timeout      time.Duration
 	verbose      bool
 	pollInterval time.Duration
@@ -109,19 +106,26 @@ type rootFlags struct {
 }
 
 var rootArgs = NewRootFlags()
+var kubeconfigArgs = genericclioptions.NewConfigFlags(false)
 
 func init() {
-	rootCmd.PersistentFlags().StringVarP(&rootArgs.namespace, "namespace", "n", rootArgs.defaults.Namespace,
-		"the namespace scope for this operation, can be set with FLUX_SYSTEM_NAMESPACE env var")
-	rootCmd.RegisterFlagCompletionFunc("namespace", resourceNamesCompletionFunc(corev1.SchemeGroupVersion.WithKind("Namespace")))
-
 	rootCmd.PersistentFlags().DurationVar(&rootArgs.timeout, "timeout", 5*time.Minute, "timeout for this operation")
 	rootCmd.PersistentFlags().BoolVar(&rootArgs.verbose, "verbose", false, "print generated objects")
-	rootCmd.PersistentFlags().StringVarP(&rootArgs.kubeconfig, "kubeconfig", "", "",
-		"absolute path to the kubeconfig file")
 
-	rootCmd.PersistentFlags().StringVarP(&rootArgs.kubecontext, "context", "", "", "kubernetes context to use")
+	configureDefaultNamespace()
+	kubeconfigArgs.APIServer = nil // prevent AddFlags from configuring --server flag
+	kubeconfigArgs.Timeout = nil   // prevent AddFlags from configuring --request-timeout flag, we have --timeout instead
+	kubeconfigArgs.AddFlags(rootCmd.PersistentFlags())
+
+	// Since some subcommands use the `-s` flag as a short version for `--silent`, we manually configure the server flag
+	// without the `-s` short version. While we're no longer on par with kubectl's flags, we maintain backwards compatibility
+	// on the CLI interface.
+	apiServer := ""
+	kubeconfigArgs.APIServer = &apiServer
+	rootCmd.PersistentFlags().StringVar(kubeconfigArgs.APIServer, "server", *kubeconfigArgs.APIServer, "The address and port of the Kubernetes API server")
+
 	rootCmd.RegisterFlagCompletionFunc("context", contextsCompletionFunc)
+	rootCmd.RegisterFlagCompletionFunc("namespace", resourceNamesCompletionFunc(corev1.SchemeGroupVersion.WithKind("Namespace")))
 
 	rootCmd.DisableAutoGenTag = true
 	rootCmd.SetOut(os.Stdout)
@@ -138,30 +142,17 @@ func NewRootFlags() rootFlags {
 
 func main() {
 	log.SetFlags(0)
-	configureKubeconfig()
-	configureDefaultNamespace()
 	if err := rootCmd.Execute(); err != nil {
 		logger.Failuref("%v", err)
 		os.Exit(1)
 	}
 }
 
-func configureKubeconfig() {
-	switch {
-	case len(rootArgs.kubeconfig) > 0:
-	case len(os.Getenv("KUBECONFIG")) > 0:
-		rootArgs.kubeconfig = os.Getenv("KUBECONFIG")
-	default:
-		if home := homeDir(); len(home) > 0 {
-			rootArgs.kubeconfig = filepath.Join(home, ".kube", "config")
-		}
-	}
-}
-
 func configureDefaultNamespace() {
+	*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
 	fromEnv := os.Getenv("FLUX_SYSTEM_NAMESPACE")
-	if fromEnv != "" && rootArgs.namespace == rootArgs.defaults.Namespace {
-		rootArgs.namespace = fromEnv
+	if fromEnv != "" {
+		kubeconfigArgs.Namespace = &fromEnv
 	}
 }
 

cmd/flux/main_e2e_test.go

@@ -1,3 +1,4 @@
+//go:build e2e
 // +build e2e
 
 /*
@@ -35,7 +36,7 @@ func TestMain(m *testing.M) {
 	if err != nil {
 		panic(fmt.Errorf("error creating kube manager: '%w'", err))
 	}
-	rootArgs.kubeconfig = testEnv.kubeConfigPath
+	kubeconfigArgs.KubeConfig = &testEnv.kubeConfigPath
 
 	// Install Flux.
 	output, err := executeCommand("install --components-extra=image-reflector-controller,image-automation-controller")
@@ -54,7 +55,7 @@ func TestMain(m *testing.M) {
 
 	// Delete namespace and wait for finalisation
 	kubectlArgs := []string{"delete", "namespace", "flux-system"}
-	_, err = utils.ExecKubectlCommand(context.TODO(), utils.ModeStderrOS, rootArgs.kubeconfig, rootArgs.kubecontext, kubectlArgs...)
+	_, err = utils.ExecKubectlCommand(context.TODO(), utils.ModeStderrOS, *kubeconfigArgs.KubeConfig, *kubeconfigArgs.Context, kubectlArgs...)
 	if err != nil {
 		panic(fmt.Errorf("delete namespace error:'%w'", err))
 	}
@@ -66,13 +67,13 @@ func TestMain(m *testing.M) {
 
 func setupTestNamespace(namespace string) (func(), error) {
 	kubectlArgs := []string{"create", "namespace", namespace}
-	_, err := utils.ExecKubectlCommand(context.TODO(), utils.ModeStderrOS, rootArgs.kubeconfig, rootArgs.kubecontext, kubectlArgs...)
+	_, err := utils.ExecKubectlCommand(context.TODO(), utils.ModeStderrOS, *kubeconfigArgs.KubeConfig, *kubeconfigArgs.Context, kubectlArgs...)
 	if err != nil {
 		return nil, err
 	}
 
 	return func() {
 		kubectlArgs := []string{"delete", "namespace", namespace}
-		utils.ExecKubectlCommand(context.TODO(), utils.ModeCapture, rootArgs.kubeconfig, rootArgs.kubecontext, kubectlArgs...)
+		utils.ExecKubectlCommand(context.TODO(), utils.ModeCapture, *kubeconfigArgs.KubeConfig, *kubeconfigArgs.Context, kubectlArgs...)
 	}, nil
 }

cmd/flux/main_unit_test.go

@@ -1,3 +1,4 @@
+//go:build unit
 // +build unit
 
 /*
@@ -42,7 +43,8 @@ func TestMain(m *testing.M) {
 		panic(fmt.Errorf("error creating kube manager: '%w'", err))
 	}
 	testEnv = km
-	rootArgs.kubeconfig = testEnv.kubeConfigPath
+	// rootArgs.kubeconfig = testEnv.kubeConfigPath
+	kubeconfigArgs.KubeConfig = &testEnv.kubeConfigPath
 
 	// Run tests
 	code := m.Run()

cmd/flux/reconcile.go

@@ -75,13 +75,13 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
 	namespacedName := types.NamespacedName{
-		Namespace: rootArgs.namespace,
+		Namespace: *kubeconfigArgs.Namespace,
 		Name:      name,
 	}
 
@@ -94,7 +94,7 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("resource is suspended")
 	}
 
-	logger.Actionf("annotating %s %s in %s namespace", reconcile.kind, name, rootArgs.namespace)
+	logger.Actionf("annotating %s %s in %s namespace", reconcile.kind, name, *kubeconfigArgs.Namespace)
 	if err := requestReconciliation(ctx, kubeClient, namespacedName, reconcile.object); err != nil {
 		return err
 	}

cmd/flux/reconcile_alertprovider.go

@@ -54,17 +54,17 @@ func reconcileAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
 	namespacedName := types.NamespacedName{
-		Namespace: rootArgs.namespace,
+		Namespace: *kubeconfigArgs.Namespace,
 		Name:      name,
 	}
 
-	logger.Actionf("annotating Provider %s in %s namespace", name, rootArgs.namespace)
+	logger.Actionf("annotating Provider %s in %s namespace", name, *kubeconfigArgs.Namespace)
 	var alertProvider notificationv1.Provider
 	err = kubeClient.Get(ctx, namespacedName, &alertProvider)
 	if err != nil {

cmd/flux/reconcile_receiver.go

@@ -54,13 +54,13 @@ func reconcileReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
 	namespacedName := types.NamespacedName{
-		Namespace: rootArgs.namespace,
+		Namespace: *kubeconfigArgs.Namespace,
 		Name:      name,
 	}
 
@@ -74,7 +74,7 @@ func reconcileReceiverCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("resource is suspended")
 	}
 
-	logger.Actionf("annotating Receiver %s in %s namespace", name, rootArgs.namespace)
+	logger.Actionf("annotating Receiver %s in %s namespace", name, *kubeconfigArgs.Namespace)
 	if receiver.Annotations == nil {
 		receiver.Annotations = map[string]string{
 			meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),

cmd/flux/reconcile_with_source.go

@@ -36,13 +36,13 @@ func (reconcile reconcileWithSourceCommand) run(cmd *cobra.Command, args []strin
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
 	namespacedName := types.NamespacedName{
-		Namespace: rootArgs.namespace,
+		Namespace: *kubeconfigArgs.Namespace,
 		Name:      name,
 	}
 
@@ -57,20 +57,20 @@ func (reconcile reconcileWithSourceCommand) run(cmd *cobra.Command, args []strin
 
 	if reconcile.object.reconcileSource() {
 		reconcileCmd, nsName := reconcile.object.getSource()
-		nsCopy := rootArgs.namespace
+		nsCopy := *kubeconfigArgs.Namespace
 		if nsName.Namespace != "" {
-			rootArgs.namespace = nsName.Namespace
+			*kubeconfigArgs.Namespace = nsName.Namespace
 		}
 
 		err := reconcileCmd.run(nil, []string{nsName.Name})
 		if err != nil {
 			return err
 		}
-		rootArgs.namespace = nsCopy
+		*kubeconfigArgs.Namespace = nsCopy
 	}
 
 	lastHandledReconcileAt := reconcile.object.lastHandledReconcileRequest()
-	logger.Actionf("annotating %s %s in %s namespace", reconcile.kind, name, rootArgs.namespace)
+	logger.Actionf("annotating %s %s in %s namespace", reconcile.kind, name, *kubeconfigArgs.Namespace)
 	if err := requestReconciliation(ctx, kubeClient, namespacedName, reconcile.object); err != nil {
 		return err
 	}

cmd/flux/resume.go

@@ -72,13 +72,13 @@ func (resume resumeCommand) run(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
 	var listOpts []client.ListOption
-	listOpts = append(listOpts, client.InNamespace(rootArgs.namespace))
+	listOpts = append(listOpts, client.InNamespace(*kubeconfigArgs.Namespace))
 	if len(args) > 0 {
 		listOpts = append(listOpts, client.MatchingFields{
 			"metadata.name": args[0],
@@ -91,12 +91,12 @@ func (resume resumeCommand) run(cmd *cobra.Command, args []string) error {
 	}
 
 	if resume.list.len() == 0 {
-		logger.Failuref("no %s objects found in %s namespace", resume.kind, rootArgs.namespace)
+		logger.Failuref("no %s objects found in %s namespace", resume.kind, *kubeconfigArgs.Namespace)
 		return nil
 	}
 
 	for i := 0; i < resume.list.len(); i++ {
-		logger.Actionf("resuming %s %s in %s namespace", resume.humanKind, resume.list.resumeItem(i).asClientObject().GetName(), rootArgs.namespace)
+		logger.Actionf("resuming %s %s in %s namespace", resume.humanKind, resume.list.resumeItem(i).asClientObject().GetName(), *kubeconfigArgs.Namespace)
 		resume.list.resumeItem(i).setUnsuspended()
 		if err := kubeClient.Update(ctx, resume.list.resumeItem(i).asClientObject()); err != nil {
 			return err
@@ -105,7 +105,7 @@ func (resume resumeCommand) run(cmd *cobra.Command, args []string) error {
 
 		namespacedName := types.NamespacedName{
 			Name:      resume.list.resumeItem(i).asClientObject().GetName(),
-			Namespace: rootArgs.namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 		}
 
 		logger.Waitingf("waiting for %s reconciliation", resume.kind)

cmd/flux/status.go

@@ -69,11 +69,11 @@ func isReady(ctx context.Context, kubeClient client.Client,
 func buildComponentObjectRefs(components ...string) ([]object.ObjMetadata, error) {
 	var objRefs []object.ObjMetadata
 	for _, deployment := range components {
-		objMeta, err := object.CreateObjMetadata(rootArgs.namespace, deployment, schema.GroupKind{Group: "apps", Kind: "Deployment"})
-		if err != nil {
-			return nil, err
-		}
-		objRefs = append(objRefs, objMeta)
+		objRefs = append(objRefs, object.ObjMetadata{
+			Namespace: *kubeconfigArgs.Namespace,
+			Name:      deployment,
+			GroupKind: schema.GroupKind{Group: "apps", Kind: "Deployment"},
+		})
 	}
 	return objRefs, nil
 }

cmd/flux/suspend.go

@@ -69,13 +69,13 @@ func (suspend suspendCommand) run(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
 	var listOpts []client.ListOption
-	listOpts = append(listOpts, client.InNamespace(rootArgs.namespace))
+	listOpts = append(listOpts, client.InNamespace(*kubeconfigArgs.Namespace))
 	if len(args) > 0 {
 		listOpts = append(listOpts, client.MatchingFields{
 			"metadata.name": args[0],
@@ -88,12 +88,12 @@ func (suspend suspendCommand) run(cmd *cobra.Command, args []string) error {
 	}
 
 	if suspend.list.len() == 0 {
-		logger.Failuref("no %s objects found in %s namespace", suspend.kind, rootArgs.namespace)
+		logger.Failuref("no %s objects found in %s namespace", suspend.kind, *kubeconfigArgs.Namespace)
 		return nil
 	}
 
 	for i := 0; i < suspend.list.len(); i++ {
-		logger.Actionf("suspending %s %s in %s namespace", suspend.humanKind, suspend.list.item(i).asClientObject().GetName(), rootArgs.namespace)
+		logger.Actionf("suspending %s %s in %s namespace", suspend.humanKind, suspend.list.item(i).asClientObject().GetName(), *kubeconfigArgs.Namespace)
 		suspend.list.item(i).setSuspended()
 		if err := kubeClient.Update(ctx, suspend.list.item(i).asClientObject()); err != nil {
 			return err

cmd/flux/testdata/create_secret/git/ecdsa-password.private

@@ -0,0 +1,10 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABA9i7hZ7m
+UBPxF7GuUswZiXAAAAEAAAAAEAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz
+dHAyNTYAAABBBOOAQfhwylg6WhJRXha2K1dJY5BG12nsS7YyFlKPAovOAC8d8rTOzjjDWu
+kG24JVRrXoWUN6eWWvxDvMd5pZT1wAAADAepYZPGTQnH6genhU+y9aD1GFO8BsODIllxEq
+T8n2eLAmPWYLv4HhgtmbqtsOmTE9sVM5ynYj/dAX1SreoGeoMEVFIt1cYtWgyuJccEiK4t
+1JQLFLMKnBRTY+yIdD6gX7tLRRL/jqzMR4XZF5/Yf48lvU4h+ljuOitWH3ea9142izl2Wk
+eXAfeoezJaDntZUUEYvKMI5U6iWVni+c7vOcJFTZgBeV4i54ua06tY5mE/mWARldiSDtJG
+yGEOankDnf
+-----END OPENSSH PRIVATE KEY-----

cmd/flux/testdata/create_secret/git/ecdsa.private

@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQTuiu+gGwLIu9E5J4vRshoIBHScKx4Y
+f9oniWMsLFHXq5p9GJ/eb9Cr3jgNACnGOIGOqlwBQvP5rCJuaJ0pCRKUAAAAuNE1GtvRNR
+rbAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6K76AbAsi70Tkn
+i9GyGggEdJwrHhh/2ieJYywsUdermn0Yn95v0KveOA0AKcY4gY6qXAFC8/msIm5onSkJEp
+QAAAAhAPaO6PiN+1238KMrHg34M7XdftGypt2/UKEz2L2Pf40yAAAAH3NvbXRvY2hpb255
+ZWt3ZXJlQFNvbXRvY2hpcy1NQlA=
+-----END OPENSSH PRIVATE KEY-----

cmd/flux/testdata/create_secret/git/git-ssh-secret-password.yaml

@@ -7,46 +7,17 @@ metadata:
 stringData:
   identity: |
     -----BEGIN OPENSSH PRIVATE KEY-----
-    b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAZPOy4O0
-    XmgKgRJuR9WaShAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDmuJnVljOr
-    pA3OiaAkCJuPT+lHRb/Kuc7fByldlYihsrNjWKVa9xB844mNrpntevFJ6ESEE13ElY2O8M
-    /L58Eh4hmrzqBDtk7XnP/bJVdHAOGvEYavLEeN9K9nZdYYnyOae4OMZacA4oHxUSyrSWvl
-    LDTOOZnFYlCkVXogBcvCrg+HZe/FaHmB4R3ni9eojsX/gQII970SD6d2DLhCW3r+qNW03S
-    O8bj28xyjGLhVgNPyRimWkeZ8DpiJKm2Ccf2oYqtVp1wtrihz4QZ30cZ0KWxdf2iJKCMhp
-    e5B2F8Gw3+3ZWWA8xmg1buDwLkGmroibPY9hUAzt05E8THuwpl7GA/8xdge+LCcCdBhx+i
-    WYhcPrQOCD/5ajRM7OkjJbJwRxdZgdYDSUvQNnHYh02pj+ZYjQBARhSRCEkFnxklyNjzSD
-    ETwXO5tW57CmcegLS8ig3Z3WcgBX0sdDsttMBmlWt4fb6qPB6ctTjx/wlkC0YlHXuI+Fzm
-    CyAP8ikQk63ckAAAWQy3GOOOYpvMAgXIDYUJZnCiy4jnzpt3vX0kIpWogfwqT8QwbuhhDb
-    ogQT6mZqt88nKUlRv3eRPmeG6MebsuweMw6WJfP0ZARFJS9+nXfNSJGN+Tqze252C1w2uu
-    vlzK1GnY5pnZzpaZAf/d+UAtNXDYdWA1DlJsNsBXgIJVkc47sp/cv6EGced+UXuV+Yr80s
-    ECqqOqa+IZWxd+Buca2EWQhG2loLlk6JQ8D+vNm3yhPCrb+1BcoZgxGItL70TdLtUCsmpP
-    y+ejnIxiHl79CjSNANBA7SgjJCQWYjFTcNUb98pGMsMVKIqczNtUZrL6WiSBrLDl5luFIb
-    bZi6iQsjVU6AUd+rcTSsdCec7xnoDddytmh2oG0tHG9wlCQh9yo0NBGaBQP/euqiSgIAvZ
-    zTJTy1AUo/M6FRdMpuGoDrxDPDGj/Q4OsUQzDS0c10WHGv2TLIoloa/FvhjdOn4pXOOIOB
-    nzgRn1xEHwgmSsyyiQP8gCEWM3XgLTOZIS+B4AT6hFPGCbbRetqwKF6qG68xsoLmQ5BXJN
-    kdIKqT7BlAvvX7t80XnvWiuZUjBS2qyTJ3FWCkyaxQVmrNsfZbg4qRJ377+ip3BwuaTl3X
-    VuZEEEy6+cwc+fRL8hPbKKIAcSLjRJnGHMiPvEFcL7yMkmGhv/vd78QdF/0XfVqCGr1gH3
-    gO3O//2Bdcp7Vo9QGqlK66Cusk5HiVSv6StQdqoauW2bxF4JKm3azHL1wWkyWtf2FQD425
-    0V+qib4Qz4KALj9uPwUyP6umDSk1NSBEMohGYpbm/O/Hpr6x2XET6kYbcK/sb5pDlZ81QQ
-    A6GJ87fQyVe0FeoWwg256LiNyDTqFUKm0R508hlnzaAtMnW8TvSqmjrKfLy9YU8IaF0dcS
-    kLheF4EwU2B5exumCx5JDe/xbVw5M8bx5m9lMx1NxGwNr2HtLvgMdQCwI5KchBzC+SIfGd
-    h94Gv39xRGKAhgtBzRRC5LLnRHeBWuLroWY/MoPDH5dWsMvSDkDjaGWHczlPNeN+epv17O
-    G5rR4oyVBfbR5+/qB//1c8avbBrmMLZoFaGMYSQaX8kTcus/Xu5qoDvxlkT4mjb6VvjMq0
-    iPUDNz8hAXv6NUlAViMGNV/sKhNcHRmwqkai79p0JJ+Ni635YNY2E7mS6QwVce1KCsUMet
-    xjeDItSaLLQTaC2LfLybL9/3ppJiaOusnSN+J+yHvUIu7IsI2a9OpGRGhYIU/25r2KBtFV
-    GdSGLNOdI3CB+J6eDXwkt3BmkIVYABc12o94PAXShnCgXK4u6tcowkNKVjyIrE64tckBsr
-    l08apsj7SkTbly34MucgKya0pwBQKUXEUSHCQ70h8q4fK0dWrs7ahODXdwj0Lrp6My5eFR
-    sV24X8U7kPailGowAVh9f/7afZs9CURwlUDjaXKWewGyQ7j3WVHOXSikOfxxbdQ+19juDO
-    1h7Gtk+fKLsq0har0KDnVFSvP16f3ETKfAp5/acmXE4dnJGoo5k2Ak0QUBNIH163biBKS0
-    Y6ePms4PghUFWINzaReZi1E4NiXdWKgOLXJBta7fg+ISFCocYdBRk9w3VUZa/1IvgzNg3l
-    QxyLLH4YPcAGiSPpwcHhWxh/OMY4m6av9BslsG9ajXBpVto0X3oEa78ZuJVVXWAP2E891g
-    I/atxZ+fBkght3oIMiIuyWPeKZVNvdx1eKCU76jCEXxMrlAM47OZEJnaeMdhqPA1ICqERx
-    2L9Tq2W30mgwwP/QaDOiqNBn3UWt28ly+LqUOoQKt/w/z9YZUlpN090rs1iWOTkpamXTYd
-    o+WewKF1Ax4TbsSfNX7P1ROTeIsQCisu3iFWkym9QZ/2RcZYcEPGGAR3ve8rPS2tsy9nL8
-    4TDo1LUXShRgQxOEAsPNJ4440vY=
+    b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABA9i7hZ7m
+    UBPxF7GuUswZiXAAAAEAAAAAEAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz
+    dHAyNTYAAABBBOOAQfhwylg6WhJRXha2K1dJY5BG12nsS7YyFlKPAovOAC8d8rTOzjjDWu
+    kG24JVRrXoWUN6eWWvxDvMd5pZT1wAAADAepYZPGTQnH6genhU+y9aD1GFO8BsODIllxEq
+    T8n2eLAmPWYLv4HhgtmbqtsOmTE9sVM5ynYj/dAX1SreoGeoMEVFIt1cYtWgyuJccEiK4t
+    1JQLFLMKnBRTY+yIdD6gX7tLRRL/jqzMR4XZF5/Yf48lvU4h+ljuOitWH3ea9142izl2Wk
+    eXAfeoezJaDntZUUEYvKMI5U6iWVni+c7vOcJFTZgBeV4i54ua06tY5mE/mWARldiSDtJG
+    yGEOankDnf
     -----END OPENSSH PRIVATE KEY-----
   identity.pub: |
-    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmuJnVljOrpA3OiaAkCJuPT+lHRb/Kuc7fByldlYihsrNjWKVa9xB844mNrpntevFJ6ESEE13ElY2O8M/L58Eh4hmrzqBDtk7XnP/bJVdHAOGvEYavLEeN9K9nZdYYnyOae4OMZacA4oHxUSyrSWvlLDTOOZnFYlCkVXogBcvCrg+HZe/FaHmB4R3ni9eojsX/gQII970SD6d2DLhCW3r+qNW03SO8bj28xyjGLhVgNPyRimWkeZ8DpiJKm2Ccf2oYqtVp1wtrihz4QZ30cZ0KWxdf2iJKCMhpe5B2F8Gw3+3ZWWA8xmg1buDwLkGmroibPY9hUAzt05E8THuwpl7GA/8xdge+LCcCdBhx+iWYhcPrQOCD/5ajRM7OkjJbJwRxdZgdYDSUvQNnHYh02pj+ZYjQBARhSRCEkFnxklyNjzSDETwXO5tW57CmcegLS8ig3Z3WcgBX0sdDsttMBmlWt4fb6qPB6ctTjx/wlkC0YlHXuI+FzmCyAP8ikQk63ck=
-  known_hosts: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOOAQfhwylg6WhJRXha2K1dJY5BG12nsS7YyFlKPAovOAC8d8rTOzjjDWukG24JVRrXoWUN6eWWvxDvMd5pZT1w=
+  known_hosts: github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
   password: password
 

cmd/flux/testdata/create_secret/git/git-ssh-secret.yaml

@@ -7,44 +7,15 @@ metadata:
 stringData:
   identity: |
     -----BEGIN OPENSSH PRIVATE KEY-----
-    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
-    NhAAAAAwEAAQAAAYEAyF0WPHSGTC1fELE2N+2Inas2VsN8XyeGjMtrPfWIchOz2YCLt1of
-    HCUMgE8x2/v7tN3hZ0s5q8lqW7O9zyc6dnVvEYlmMfd0zG6ThenwANOW5pQhgRqrEKQdQA
-    OGlAUdDh9aSeynl5+1miEPGrmG2csVw2XOZBNgoqkqu13LJBUx0mJhJ4+h45KYnCfRnzJc
-    5kJ1halTbcT52aFQnX0GwtrykiHJvF/3J35Zktg60pspLFgYuRulRmQzfkNSYg494XXitn
-    V5b5H8seGeiMnS7b0yDjjVWoMfdOvn2W/qbAPKr8ro0eGEx/fZAzHj5hvLDgqJkQ+IvfrI
-    xcLRmbpJfxTJ+Pm99hSRXZTLztksCQXFy7qtqZrxxpj7zeMPqJJ8VmU5xm0vUHJKX+lKMN
-    X8TnZOZU8URXK5nF91F2SSopQXIa2O7Xtq/AuAU2A8tQnyLfnPMbIJK4VYkuQVbcO4AtVi
-    Y0rNKEJQDomF2EgAQOEPPj950gt6ZG7zRvON5UWPAAAFgD981gI/fNYCAAAAB3NzaC1yc2
-    EAAAGBAMhdFjx0hkwtXxCxNjftiJ2rNlbDfF8nhozLaz31iHITs9mAi7daHxwlDIBPMdv7
-    +7Td4WdLOavJaluzvc8nOnZ1bxGJZjH3dMxuk4Xp8ADTluaUIYEaqxCkHUADhpQFHQ4fWk
-    nsp5eftZohDxq5htnLFcNlzmQTYKKpKrtdyyQVMdJiYSePoeOSmJwn0Z8yXOZCdYWpU23E
-    +dmhUJ19BsLa8pIhybxf9yd+WZLYOtKbKSxYGLkbpUZkM35DUmIOPeF14rZ1eW+R/LHhno
-    jJ0u29Mg441VqDH3Tr59lv6mwDyq/K6NHhhMf32QMx4+Ybyw4KiZEPiL36yMXC0Zm6SX8U
-    yfj5vfYUkV2Uy87ZLAkFxcu6rama8caY+83jD6iSfFZlOcZtL1BySl/pSjDV/E52TmVPFE
-    VyuZxfdRdkkqKUFyGtju17avwLgFNgPLUJ8i35zzGyCSuFWJLkFW3DuALVYmNKzShCUA6J
-    hdhIAEDhDz4/edILemRu80bzjeVFjwAAAAMBAAEAAAGBAIffsIOg1a31GsG8GzOELqAVik
-    z+VmpE6Ja0H+6tgjEyMUWvSZA2WmCAs2CT1BEFaaU2znN47QwVE75KPs6rIJdSfdaboaUC
-    1b8IwZwPj8VPt8Z379yYVCd906Qkf/ADI7f/BQCarvBAyytRfee2pr8tXH3cnUD6bw7/v0
-    2+hlLa2KV+N7pXSgaE1F8ZFatqwNsZeI8Cy+PlrzWpknyqW5pqVhNJPIA1Z+rtYRsW7ZUC
-    ycIbn/Bv0f3RV6YpS0XZt2OvJtDp9XTOoRKCWeM0VpKqV6ACzL+Gi2lso4iw75zDZaPl+s
-    BNtozqE1GR6ee6NVNhXlcqHw2B6HCE0NqS87YI+nsLVQQ803Z36LUmQYsgCqFL7zCVwNkb
-    BBbbp2jxWRYKf7ZyNef+knVn5N2oj0x+J1fTD8SGHFrF04oIpf1fx3TcIGk8n9TA1EJPHK
-    VkOQLjbMWkPqyJEj62WdyDOYdpz/It4a6xpHaLCneUCZzEKas3OXY+IoPdNVU1zQSC2QAA
-    AMEA3gStXY04rdwWssOO+8zeHtAgTH3wIfSJYz/TcDX/MMWarmZevdv+7OzMAI7jcerkV4
-    H+wux+xl1UZ1mjgcX70tdsEXo4MdDXJNELM3Fps+be245s9EpfzF3w1x43KBeab++0TrT6
-    N5km0G61NUHwcA5flT4dsPFqwwBQLUYnr1JnbEy+FxILHH/Pr0BoxtRS3cPc/TPJEJwSgR
-    OJI/U3TIRy7A/ruN53MWg6+KOwNVBT7/ZgtJ+Bwo+nM1a3hvnFAAAAwQDr58RqF7JBmAdZ
-    tuZA6dd2sJDrWDeQ0ExUcJnHtSgLDMflssazsv1U263UKDejXw3XqLNI8rvcmdAiDvTnAv
-    nb97ofHI4wOVjA+MC///CgnvZ69Nm9RIo5EBuIg8QWq3q65Hpiea2/rQn8V2uzmNHPLOEC
-    oPv4DqUeYqOx1yW5UqmCF+ZVYbzwabuEPs/1TeE6cWQgOIe75ttsNtHyWWBH307vCFYDOD
-    EOmdToAZ0KWKxVfwIFr6CUxOKvBNntLYMAAADBANluSOCSTBvZPb/I0UJuJR3vGGSjlqwT
-    9YhcT0P2Hz2QDobo3gCGkBkLwDUkaioj/vSwYnJvidQD8FM2yfydV68o7Mhq4BbDy9K66T
-    jqWOu7AgU/aTriPfiMV7KaqfVsKhOGSlOTTxf0HpsG38yiiLXlhI2V2kdskMTTR4n3nr+H
-    tZB+zPNKJUviC/DcLo2mizjfGvGUk6DBRShVEmOIfcRUwoeBYn24tKjs/s6WIuDtGFAFZW
-    6erRhI2tHZsEN2BQAAAAd0ZXN0a2V5AQI=
+    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+    1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQTuiu+gGwLIu9E5J4vRshoIBHScKx4Y
+    f9oniWMsLFHXq5p9GJ/eb9Cr3jgNACnGOIGOqlwBQvP5rCJuaJ0pCRKUAAAAuNE1GtvRNR
+    rbAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6K76AbAsi70Tkn
+    i9GyGggEdJwrHhh/2ieJYywsUdermn0Yn95v0KveOA0AKcY4gY6qXAFC8/msIm5onSkJEp
+    QAAAAhAPaO6PiN+1238KMrHg34M7XdftGypt2/UKEz2L2Pf40yAAAAH3NvbXRvY2hpb255
+    ZWt3ZXJlQFNvbXRvY2hpcy1NQlA=
     -----END OPENSSH PRIVATE KEY-----
   identity.pub: |
-    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIXRY8dIZMLV8QsTY37YidqzZWw3xfJ4aMy2s99YhyE7PZgIu3Wh8cJQyATzHb+/u03eFnSzmryWpbs73PJzp2dW8RiWYx93TMbpOF6fAA05bmlCGBGqsQpB1AA4aUBR0OH1pJ7KeXn7WaIQ8auYbZyxXDZc5kE2CiqSq7XcskFTHSYmEnj6HjkpicJ9GfMlzmQnWFqVNtxPnZoVCdfQbC2vKSIcm8X/cnflmS2DrSmyksWBi5G6VGZDN+Q1JiDj3hdeK2dXlvkfyx4Z6IydLtvTIOONVagx906+fZb+psA8qvyujR4YTH99kDMePmG8sOComRD4i9+sjFwtGZukl/FMn4+b32FJFdlMvO2SwJBcXLuq2pmvHGmPvN4w+oknxWZTnGbS9Qckpf6Uow1fxOdk5lTxRFcrmcX3UXZJKilBchrY7te2r8C4BTYDy1CfIt+c8xsgkrhViS5BVtw7gC1WJjSs0oQlAOiYXYSABA4Q8+P3nSC3pkbvNG843lRY8=
-  known_hosts: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6K76AbAsi70Tkni9GyGggEdJwrHhh/2ieJYywsUdermn0Yn95v0KveOA0AKcY4gY6qXAFC8/msIm5onSkJEpQ=
+  known_hosts: github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
 

cmd/flux/testdata/create_secret/git/rsa-password.private

@@ -1,39 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAZPOy4O0
-XmgKgRJuR9WaShAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDmuJnVljOr
-pA3OiaAkCJuPT+lHRb/Kuc7fByldlYihsrNjWKVa9xB844mNrpntevFJ6ESEE13ElY2O8M
-/L58Eh4hmrzqBDtk7XnP/bJVdHAOGvEYavLEeN9K9nZdYYnyOae4OMZacA4oHxUSyrSWvl
-LDTOOZnFYlCkVXogBcvCrg+HZe/FaHmB4R3ni9eojsX/gQII970SD6d2DLhCW3r+qNW03S
-O8bj28xyjGLhVgNPyRimWkeZ8DpiJKm2Ccf2oYqtVp1wtrihz4QZ30cZ0KWxdf2iJKCMhp
-e5B2F8Gw3+3ZWWA8xmg1buDwLkGmroibPY9hUAzt05E8THuwpl7GA/8xdge+LCcCdBhx+i
-WYhcPrQOCD/5ajRM7OkjJbJwRxdZgdYDSUvQNnHYh02pj+ZYjQBARhSRCEkFnxklyNjzSD
-ETwXO5tW57CmcegLS8ig3Z3WcgBX0sdDsttMBmlWt4fb6qPB6ctTjx/wlkC0YlHXuI+Fzm
-CyAP8ikQk63ckAAAWQy3GOOOYpvMAgXIDYUJZnCiy4jnzpt3vX0kIpWogfwqT8QwbuhhDb
-ogQT6mZqt88nKUlRv3eRPmeG6MebsuweMw6WJfP0ZARFJS9+nXfNSJGN+Tqze252C1w2uu
-vlzK1GnY5pnZzpaZAf/d+UAtNXDYdWA1DlJsNsBXgIJVkc47sp/cv6EGced+UXuV+Yr80s
-ECqqOqa+IZWxd+Buca2EWQhG2loLlk6JQ8D+vNm3yhPCrb+1BcoZgxGItL70TdLtUCsmpP
-y+ejnIxiHl79CjSNANBA7SgjJCQWYjFTcNUb98pGMsMVKIqczNtUZrL6WiSBrLDl5luFIb
-bZi6iQsjVU6AUd+rcTSsdCec7xnoDddytmh2oG0tHG9wlCQh9yo0NBGaBQP/euqiSgIAvZ
-zTJTy1AUo/M6FRdMpuGoDrxDPDGj/Q4OsUQzDS0c10WHGv2TLIoloa/FvhjdOn4pXOOIOB
-nzgRn1xEHwgmSsyyiQP8gCEWM3XgLTOZIS+B4AT6hFPGCbbRetqwKF6qG68xsoLmQ5BXJN
-kdIKqT7BlAvvX7t80XnvWiuZUjBS2qyTJ3FWCkyaxQVmrNsfZbg4qRJ377+ip3BwuaTl3X
-VuZEEEy6+cwc+fRL8hPbKKIAcSLjRJnGHMiPvEFcL7yMkmGhv/vd78QdF/0XfVqCGr1gH3
-gO3O//2Bdcp7Vo9QGqlK66Cusk5HiVSv6StQdqoauW2bxF4JKm3azHL1wWkyWtf2FQD425
-0V+qib4Qz4KALj9uPwUyP6umDSk1NSBEMohGYpbm/O/Hpr6x2XET6kYbcK/sb5pDlZ81QQ
-A6GJ87fQyVe0FeoWwg256LiNyDTqFUKm0R508hlnzaAtMnW8TvSqmjrKfLy9YU8IaF0dcS
-kLheF4EwU2B5exumCx5JDe/xbVw5M8bx5m9lMx1NxGwNr2HtLvgMdQCwI5KchBzC+SIfGd
-h94Gv39xRGKAhgtBzRRC5LLnRHeBWuLroWY/MoPDH5dWsMvSDkDjaGWHczlPNeN+epv17O
-G5rR4oyVBfbR5+/qB//1c8avbBrmMLZoFaGMYSQaX8kTcus/Xu5qoDvxlkT4mjb6VvjMq0
-iPUDNz8hAXv6NUlAViMGNV/sKhNcHRmwqkai79p0JJ+Ni635YNY2E7mS6QwVce1KCsUMet
-xjeDItSaLLQTaC2LfLybL9/3ppJiaOusnSN+J+yHvUIu7IsI2a9OpGRGhYIU/25r2KBtFV
-GdSGLNOdI3CB+J6eDXwkt3BmkIVYABc12o94PAXShnCgXK4u6tcowkNKVjyIrE64tckBsr
-l08apsj7SkTbly34MucgKya0pwBQKUXEUSHCQ70h8q4fK0dWrs7ahODXdwj0Lrp6My5eFR
-sV24X8U7kPailGowAVh9f/7afZs9CURwlUDjaXKWewGyQ7j3WVHOXSikOfxxbdQ+19juDO
-1h7Gtk+fKLsq0har0KDnVFSvP16f3ETKfAp5/acmXE4dnJGoo5k2Ak0QUBNIH163biBKS0
-Y6ePms4PghUFWINzaReZi1E4NiXdWKgOLXJBta7fg+ISFCocYdBRk9w3VUZa/1IvgzNg3l
-QxyLLH4YPcAGiSPpwcHhWxh/OMY4m6av9BslsG9ajXBpVto0X3oEa78ZuJVVXWAP2E891g
-I/atxZ+fBkght3oIMiIuyWPeKZVNvdx1eKCU76jCEXxMrlAM47OZEJnaeMdhqPA1ICqERx
-2L9Tq2W30mgwwP/QaDOiqNBn3UWt28ly+LqUOoQKt/w/z9YZUlpN090rs1iWOTkpamXTYd
-o+WewKF1Ax4TbsSfNX7P1ROTeIsQCisu3iFWkym9QZ/2RcZYcEPGGAR3ve8rPS2tsy9nL8
-4TDo1LUXShRgQxOEAsPNJ4440vY=
------END OPENSSH PRIVATE KEY-----

cmd/flux/testdata/create_secret/git/rsa.private

@@ -1,38 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
-NhAAAAAwEAAQAAAYEAyF0WPHSGTC1fELE2N+2Inas2VsN8XyeGjMtrPfWIchOz2YCLt1of
-HCUMgE8x2/v7tN3hZ0s5q8lqW7O9zyc6dnVvEYlmMfd0zG6ThenwANOW5pQhgRqrEKQdQA
-OGlAUdDh9aSeynl5+1miEPGrmG2csVw2XOZBNgoqkqu13LJBUx0mJhJ4+h45KYnCfRnzJc
-5kJ1halTbcT52aFQnX0GwtrykiHJvF/3J35Zktg60pspLFgYuRulRmQzfkNSYg494XXitn
-V5b5H8seGeiMnS7b0yDjjVWoMfdOvn2W/qbAPKr8ro0eGEx/fZAzHj5hvLDgqJkQ+IvfrI
-xcLRmbpJfxTJ+Pm99hSRXZTLztksCQXFy7qtqZrxxpj7zeMPqJJ8VmU5xm0vUHJKX+lKMN
-X8TnZOZU8URXK5nF91F2SSopQXIa2O7Xtq/AuAU2A8tQnyLfnPMbIJK4VYkuQVbcO4AtVi
-Y0rNKEJQDomF2EgAQOEPPj950gt6ZG7zRvON5UWPAAAFgD981gI/fNYCAAAAB3NzaC1yc2
-EAAAGBAMhdFjx0hkwtXxCxNjftiJ2rNlbDfF8nhozLaz31iHITs9mAi7daHxwlDIBPMdv7
-+7Td4WdLOavJaluzvc8nOnZ1bxGJZjH3dMxuk4Xp8ADTluaUIYEaqxCkHUADhpQFHQ4fWk
-nsp5eftZohDxq5htnLFcNlzmQTYKKpKrtdyyQVMdJiYSePoeOSmJwn0Z8yXOZCdYWpU23E
-+dmhUJ19BsLa8pIhybxf9yd+WZLYOtKbKSxYGLkbpUZkM35DUmIOPeF14rZ1eW+R/LHhno
-jJ0u29Mg441VqDH3Tr59lv6mwDyq/K6NHhhMf32QMx4+Ybyw4KiZEPiL36yMXC0Zm6SX8U
-yfj5vfYUkV2Uy87ZLAkFxcu6rama8caY+83jD6iSfFZlOcZtL1BySl/pSjDV/E52TmVPFE
-VyuZxfdRdkkqKUFyGtju17avwLgFNgPLUJ8i35zzGyCSuFWJLkFW3DuALVYmNKzShCUA6J
-hdhIAEDhDz4/edILemRu80bzjeVFjwAAAAMBAAEAAAGBAIffsIOg1a31GsG8GzOELqAVik
-z+VmpE6Ja0H+6tgjEyMUWvSZA2WmCAs2CT1BEFaaU2znN47QwVE75KPs6rIJdSfdaboaUC
-1b8IwZwPj8VPt8Z379yYVCd906Qkf/ADI7f/BQCarvBAyytRfee2pr8tXH3cnUD6bw7/v0
-2+hlLa2KV+N7pXSgaE1F8ZFatqwNsZeI8Cy+PlrzWpknyqW5pqVhNJPIA1Z+rtYRsW7ZUC
-ycIbn/Bv0f3RV6YpS0XZt2OvJtDp9XTOoRKCWeM0VpKqV6ACzL+Gi2lso4iw75zDZaPl+s
-BNtozqE1GR6ee6NVNhXlcqHw2B6HCE0NqS87YI+nsLVQQ803Z36LUmQYsgCqFL7zCVwNkb
-BBbbp2jxWRYKf7ZyNef+knVn5N2oj0x+J1fTD8SGHFrF04oIpf1fx3TcIGk8n9TA1EJPHK
-VkOQLjbMWkPqyJEj62WdyDOYdpz/It4a6xpHaLCneUCZzEKas3OXY+IoPdNVU1zQSC2QAA
-AMEA3gStXY04rdwWssOO+8zeHtAgTH3wIfSJYz/TcDX/MMWarmZevdv+7OzMAI7jcerkV4
-H+wux+xl1UZ1mjgcX70tdsEXo4MdDXJNELM3Fps+be245s9EpfzF3w1x43KBeab++0TrT6
-N5km0G61NUHwcA5flT4dsPFqwwBQLUYnr1JnbEy+FxILHH/Pr0BoxtRS3cPc/TPJEJwSgR
-OJI/U3TIRy7A/ruN53MWg6+KOwNVBT7/ZgtJ+Bwo+nM1a3hvnFAAAAwQDr58RqF7JBmAdZ
-tuZA6dd2sJDrWDeQ0ExUcJnHtSgLDMflssazsv1U263UKDejXw3XqLNI8rvcmdAiDvTnAv
-nb97ofHI4wOVjA+MC///CgnvZ69Nm9RIo5EBuIg8QWq3q65Hpiea2/rQn8V2uzmNHPLOEC
-oPv4DqUeYqOx1yW5UqmCF+ZVYbzwabuEPs/1TeE6cWQgOIe75ttsNtHyWWBH307vCFYDOD
-EOmdToAZ0KWKxVfwIFr6CUxOKvBNntLYMAAADBANluSOCSTBvZPb/I0UJuJR3vGGSjlqwT
-9YhcT0P2Hz2QDobo3gCGkBkLwDUkaioj/vSwYnJvidQD8FM2yfydV68o7Mhq4BbDy9K66T
-jqWOu7AgU/aTriPfiMV7KaqfVsKhOGSlOTTxf0HpsG38yiiLXlhI2V2kdskMTTR4n3nr+H
-tZB+zPNKJUviC/DcLo2mizjfGvGUk6DBRShVEmOIfcRUwoeBYn24tKjs/s6WIuDtGFAFZW
-6erRhI2tHZsEN2BQAAAAd0ZXN0a2V5AQI=
------END OPENSSH PRIVATE KEY-----

cmd/flux/trace.go

@@ -27,8 +27,10 @@ import (
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/cli-runtime/pkg/resource"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/flux2/internal/utils"
@@ -39,20 +41,26 @@ import (
 )
 
 var traceCmd = &cobra.Command{
-	Use:   "trace [name]",
-	Short: "trace an in-cluster object throughout the GitOps delivery pipeline",
-	Long: `The trace command shows how an object is managed by Flux,
-from which source and revision it comes, and what's the latest reconciliation status.'`,
-	Example: `  # Trace a Kubernetes Deployment
-  flux trace my-app --kind=deployment --api-version=apps/v1 --namespace=apps
+	Use:   "trace <resource> <name> [<name> ...]",
+	Short: "Trace in-cluster objects throughout the GitOps delivery pipeline",
+	Long: `The trace command shows how one or more objects are managed by Flux,
+from which source and revision they come, and what the latest reconciliation status is.
 
-  # Trace a Kubernetes Pod
-  flux trace redis-master-0 --kind=pod --api-version=v1 -n redis
+You can also trace multiple objects with different resource kinds using <resource>/<name> multiple times.`,
+	Example: `  # Trace a Kubernetes Deployment
+  flux trace -n apps deployment my-app
+
+  # Trace a Kubernetes Pod and a config map
+  flux trace -n redis pod/redis-master-0 cm/redis
 
   # Trace a Kubernetes global object
-  flux trace redis --kind=namespace --api-version=v1
+  flux trace namespace redis
 
   # Trace a Kubernetes custom resource
+  flux trace -n redis helmrelease redis
+  
+  # API Version and Kind can also be specified explicitly
+  # Note that either both, kind and api-version, or neither have to be specified.
   flux trace redis --kind=helmrelease --api-version=helm.toolkit.fluxcd.io/v2beta1 -n redis`,
 	RunE: traceCmdRun,
 }
@@ -73,49 +81,43 @@ func init() {
 }
 
 func traceCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("object name is required")
-	}
-	name := args[0]
-
-	if traceArgs.kind == "" {
-		return fmt.Errorf("object kind is required (--kind)")
-	}
-
-	if traceArgs.apiVersion == "" {
-		return fmt.Errorf("object apiVersion is required (--api-version)")
-	}
-
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
-	gv, err := schema.ParseGroupVersion(traceArgs.apiVersion)
+	var objects []*unstructured.Unstructured
+	if traceArgs.kind != "" || traceArgs.apiVersion != "" {
+		var obj *unstructured.Unstructured
+		obj, err = getObjectStatic(ctx, kubeClient, args)
+		objects = []*unstructured.Unstructured{obj}
+	} else {
+		objects, err = getObjectDynamic(args)
+	}
 	if err != nil {
-		return fmt.Errorf("invaild apiVersion: %w", err)
+		return err
 	}
 
-	obj := &unstructured.Unstructured{}
-	obj.SetGroupVersionKind(schema.GroupVersionKind{
-		Group:   gv.Group,
-		Version: gv.Version,
-		Kind:    traceArgs.kind,
-	})
+	return traceObjects(ctx, kubeClient, objects)
+}
 
-	objName := types.NamespacedName{
-		Namespace: rootArgs.namespace,
-		Name:      name,
-	}
-
-	err = kubeClient.Get(ctx, objName, obj)
-	if err != nil {
-		return fmt.Errorf("failed to find object: %w", err)
+func traceObjects(ctx context.Context, kubeClient client.Client, objects []*unstructured.Unstructured) error {
+	for i, obj := range objects {
+		err := traceObject(ctx, kubeClient, obj)
+		if err != nil {
+			rootCmd.PrintErrf("failed to trace %v/%v in namespace %v: %v", obj.GetKind(), obj.GetName(), obj.GetNamespace(), err)
+		}
+		if i < len(objects)-1 {
+			rootCmd.Println("---")
+		}
 	}
+	return nil
+}
 
+func traceObject(ctx context.Context, kubeClient client.Client, obj *unstructured.Unstructured) error {
 	if ks, ok := isOwnerManagedByFlux(ctx, kubeClient, obj, kustomizev1.GroupVersion.Group); ok {
 		report, err := traceKustomization(ctx, kubeClient, ks, obj)
 		if err != nil {
@@ -137,14 +139,85 @@ func traceCmdRun(cmd *cobra.Command, args []string) error {
 	return fmt.Errorf("object not managed by Flux")
 }
 
+func getObjectStatic(ctx context.Context, kubeClient client.Client, args []string) (*unstructured.Unstructured, error) {
+	if len(args) < 1 {
+		return nil, fmt.Errorf("object name is required")
+	}
+
+	if traceArgs.kind == "" {
+		return nil, fmt.Errorf("object kind is required (--kind)")
+	}
+
+	if traceArgs.apiVersion == "" {
+		return nil, fmt.Errorf("object apiVersion is required (--api-version)")
+	}
+
+	gv, err := schema.ParseGroupVersion(traceArgs.apiVersion)
+	if err != nil {
+		return nil, fmt.Errorf("invaild apiVersion: %w", err)
+	}
+
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   gv.Group,
+		Version: gv.Version,
+		Kind:    traceArgs.kind,
+	})
+
+	objName := types.NamespacedName{
+		Namespace: *kubeconfigArgs.Namespace,
+		Name:      args[0],
+	}
+
+	if err = kubeClient.Get(ctx, objName, obj); err != nil {
+		return nil, fmt.Errorf("failed to find object: %w", err)
+	}
+	return obj, nil
+}
+
+func getObjectDynamic(args []string) ([]*unstructured.Unstructured, error) {
+	r := resource.NewBuilder(kubeconfigArgs).
+		Unstructured().
+		NamespaceParam(*kubeconfigArgs.Namespace).DefaultNamespace().
+		ResourceTypeOrNameArgs(false, args...).
+		ContinueOnError().
+		Latest().
+		Do()
+
+	if err := r.Err(); err != nil {
+		if resource.IsUsageError(err) {
+			return nil, fmt.Errorf("either `<resource>/<name>` or `<resource> <name>` is required as an argument")
+		}
+		return nil, err
+	}
+
+	infos, err := r.Infos()
+	if err != nil {
+		return nil, fmt.Errorf("x: %v", err)
+	}
+	if len(infos) == 0 {
+		return nil, fmt.Errorf("failed to find object: %w", err)
+	}
+
+	objects := []*unstructured.Unstructured{}
+	for _, info := range infos {
+		obj := &unstructured.Unstructured{}
+		obj.Object, err = runtime.DefaultUnstructuredConverter.ToUnstructured(info.Object)
+		if err != nil {
+			return objects, err
+		}
+		objects = append(objects, obj)
+	}
+	return objects, nil
+}
+
 func traceKustomization(ctx context.Context, kubeClient client.Client, ksName types.NamespacedName, obj *unstructured.Unstructured) (string, error) {
 	ks := &kustomizev1.Kustomization{}
-	ksReady := &metav1.Condition{}
 	err := kubeClient.Get(ctx, ksName, ks)
 	if err != nil {
 		return "", fmt.Errorf("failed to find kustomization: %w", err)
 	}
-	ksReady = meta.FindStatusCondition(ks.Status.Conditions, fluxmeta.ReadyCondition)
+	ksReady := meta.FindStatusCondition(ks.Status.Conditions, fluxmeta.ReadyCondition)
 
 	var ksRepository *sourcev1.GitRepository
 	var ksRepositoryReady *metav1.Condition
@@ -252,12 +325,11 @@ Status:        Unknown
 
 func traceHelm(ctx context.Context, kubeClient client.Client, hrName types.NamespacedName, obj *unstructured.Unstructured) (string, error) {
 	hr := &helmv2.HelmRelease{}
-	hrReady := &metav1.Condition{}
 	err := kubeClient.Get(ctx, hrName, hr)
 	if err != nil {
 		return "", fmt.Errorf("failed to find HelmRelease: %w", err)
 	}
-	hrReady = meta.FindStatusCondition(hr.Status.Conditions, fluxmeta.ReadyCondition)
+	hrReady := meta.FindStatusCondition(hr.Status.Conditions, fluxmeta.ReadyCondition)
 
 	var hrChart *sourcev1.HelmChart
 	var hrChartReady *metav1.Condition

cmd/flux/trace_test.go

@@ -1,3 +1,4 @@
+//go:build unit
 // +build unit
 
 package main
@@ -9,7 +10,7 @@ import (
 func TestTraceNoArgs(t *testing.T) {
 	cmd := cmdTestCase{
 		args:   "trace",
-		assert: assertError("object name is required"),
+		assert: assertError("either `<resource>/<name>` or `<resource> <name>` is required as an argument"),
 	}
 	cmd.runTestCmd(t)
 }

cmd/flux/tree_kustomization.go

@@ -23,7 +23,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"strings"
 
 	"github.com/fluxcd/flux2/internal/tree"
@@ -77,27 +77,26 @@ func treeKsCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
 	k := &kustomizev1.Kustomization{}
 	err = kubeClient.Get(ctx, client.ObjectKey{
-		Namespace: rootArgs.namespace,
+		Namespace: *kubeconfigArgs.Namespace,
 		Name:      name,
 	}, k)
 	if err != nil {
 		return err
 	}
 
-	kMeta, err := object.CreateObjMetadata(k.Namespace, k.Name,
-		schema.GroupKind{Group: kustomizev1.GroupVersion.Group, Kind: kustomizev1.KustomizationKind})
-	if err != nil {
-		return err
-	}
+	kTree := tree.New(object.ObjMetadata{
+		Namespace: k.Namespace,
+		Name:      k.Name,
+		GroupKind: schema.GroupKind{Group: kustomizev1.GroupVersion.Group, Kind: kustomizev1.KustomizationKind},
+	})
 
-	kTree := tree.New(kMeta)
 	err = treeKustomization(ctx, kTree, k, kubeClient, treeKsArgs.compact)
 	if err != nil {
 		return err
@@ -256,7 +255,7 @@ func getHelmReleaseInventory(ctx context.Context, objectKey client.ObjectKey, ku
 			return nil, err
 		}
 		defer r.Close()
-		b2, err := ioutil.ReadAll(r)
+		b2, err := io.ReadAll(r)
 		if err != nil {
 			return nil, err
 		}
@@ -273,5 +272,5 @@ func getHelmReleaseInventory(ctx context.Context, objectKey client.ObjectKey, ku
 		return nil, fmt.Errorf("failed to read the Helm storage object for HelmRelease '%s': %w", objectKey.String(), err)
 	}
 
-	return object.UnstructuredsToObjMetas(objects)
+	return object.UnstructuredSetToObjMetadataSet(objects), nil
 }

cmd/flux/tree_kustomization_test.go

@@ -1,3 +1,4 @@
+//go:build unit
 // +build unit
 
 /*

cmd/flux/uninstall.go

@@ -82,13 +82,13 @@ func uninstallCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 
-	logger.Actionf("deleting components in %s namespace", rootArgs.namespace)
-	uninstallComponents(ctx, kubeClient, rootArgs.namespace, uninstallArgs.dryRun)
+	logger.Actionf("deleting components in %s namespace", *kubeconfigArgs.Namespace)
+	uninstallComponents(ctx, kubeClient, *kubeconfigArgs.Namespace, uninstallArgs.dryRun)
 
 	logger.Actionf("deleting toolkit.fluxcd.io finalizers in all namespaces")
 	uninstallFinalizers(ctx, kubeClient, uninstallArgs.dryRun)
@@ -97,7 +97,7 @@ func uninstallCmdRun(cmd *cobra.Command, args []string) error {
 	uninstallCustomResourceDefinitions(ctx, kubeClient, uninstallArgs.dryRun)
 
 	if !uninstallArgs.keepNamespace {
-		uninstallNamespace(ctx, kubeClient, rootArgs.namespace, uninstallArgs.dryRun)
+		uninstallNamespace(ctx, kubeClient, *kubeconfigArgs.Namespace, uninstallArgs.dryRun)
 	}
 
 	logger.Successf("uninstall finished")

cmd/flux/version.go

@@ -74,19 +74,19 @@ func versionCmdRun(cmd *cobra.Command, args []string) error {
 	info["flux"] = rootArgs.defaults.Version
 
 	if !versionArgs.client {
-		kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+		kubeClient, err := utils.KubeClient(kubeconfigArgs)
 		if err != nil {
 			return err
 		}
 
 		selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 		var list v1.DeploymentList
-		if err := kubeClient.List(ctx, &list, client.InNamespace(rootArgs.namespace), selector); err != nil {
+		if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err != nil {
 			return err
 		}
 
 		if len(list.Items) == 0 {
-			return fmt.Errorf("no deployments found in %s namespace", rootArgs.namespace)
+			return fmt.Errorf("no deployments found in %s namespace", *kubeconfigArgs.Namespace)
 		}
 
 		for _, d := range list.Items {

cmd/flux/version_utils_test.go

@@ -1,3 +1,4 @@
+//go:build unit
 // +build unit
 
 /*

go.mod

@@ -1,42 +1,140 @@
 module github.com/fluxcd/flux2
 
-go 1.16
+go 1.17
 
 require (
 	github.com/Masterminds/semver/v3 v3.1.0
-	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7
+	github.com/ProtonMail/go-crypto v0.0.0-20211221144345-a4f6767435ab
 	github.com/cyphar/filepath-securejoin v0.2.2
-	github.com/fluxcd/go-git-providers v0.3.1
-	github.com/fluxcd/helm-controller/api v0.13.0
-	github.com/fluxcd/image-automation-controller/api v0.17.1
-	github.com/fluxcd/image-reflector-controller/api v0.13.2
-	github.com/fluxcd/kustomize-controller/api v0.18.0
-	github.com/fluxcd/notification-controller/api v0.18.1
-	github.com/fluxcd/pkg/apis/meta v0.10.1
-	github.com/fluxcd/pkg/runtime v0.12.2
-	github.com/fluxcd/pkg/ssa v0.3.1
-	github.com/fluxcd/pkg/ssh v0.0.5
+	github.com/fluxcd/go-git-providers v0.5.2
+	github.com/fluxcd/helm-controller/api v0.15.0
+	github.com/fluxcd/image-automation-controller/api v0.19.0
+	github.com/fluxcd/image-reflector-controller/api v0.15.0
+	github.com/fluxcd/kustomize-controller/api v0.19.1
+	github.com/fluxcd/notification-controller/api v0.20.1
+	github.com/fluxcd/pkg/apis/meta v0.10.2
+	github.com/fluxcd/pkg/runtime v0.12.3
+	github.com/fluxcd/pkg/ssa v0.10.0
+	github.com/fluxcd/pkg/ssh v0.3.1
 	github.com/fluxcd/pkg/untar v0.0.5
 	github.com/fluxcd/pkg/version v0.0.1
-	github.com/fluxcd/source-controller/api v0.18.0
-	github.com/go-errors/errors v1.4.0 // indirect
+	github.com/fluxcd/source-controller/api v0.20.1
 	github.com/go-git/go-git/v5 v5.4.2
 	github.com/google/go-cmp v0.5.6
 	github.com/google/go-containerregistry v0.2.0
 	github.com/manifoldco/promptui v0.9.0
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/olekukonko/tablewriter v0.0.4
-	github.com/spf13/cobra v1.1.3
+	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
-	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d
-	k8s.io/api v0.22.2
-	k8s.io/apiextensions-apiserver v0.22.2
-	k8s.io/apimachinery v0.22.2
-	k8s.io/client-go v0.22.2
-	k8s.io/kubectl v0.21.1
-	sigs.k8s.io/cli-utils v0.26.0
-	sigs.k8s.io/controller-runtime v0.10.2
-	sigs.k8s.io/kustomize/api v0.8.10
+	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+	k8s.io/api v0.23.1
+	k8s.io/apiextensions-apiserver v0.23.1
+	k8s.io/apimachinery v0.23.1
+	k8s.io/cli-runtime v0.23.1
+	k8s.io/client-go v0.23.1
+	k8s.io/kubectl v0.23.1
+	sigs.k8s.io/cli-utils v0.27.0
+	sigs.k8s.io/controller-runtime v0.11.0
+	sigs.k8s.io/kustomize/api v0.10.1
 	sigs.k8s.io/yaml v1.3.0
 )
+
+require (
+	cloud.google.com/go v0.81.0 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.18 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
+	github.com/Microsoft/go-winio v0.4.16 // indirect
+	github.com/PuerkitoBio/purell v1.1.1 // indirect
+	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/acomagu/bufpipe v1.0.3 // indirect
+	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
+	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emirpasic/gods v1.12.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
+	github.com/fluxcd/pkg/apis/acl v0.0.3 // indirect
+	github.com/fluxcd/pkg/apis/kustomize v0.3.1 // indirect
+	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
+	github.com/fvbommel/sortorder v1.0.1 // indirect
+	github.com/go-errors/errors v1.0.1 // indirect
+	github.com/go-git/gcfg v1.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.3.1 // indirect
+	github.com/go-logr/logr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.19.5 // indirect
+	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/btree v1.0.1 // indirect
+	github.com/google/go-github/v41 v41.0.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.1 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.6.8 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mattn/go-runewidth v0.0.7 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
+	github.com/moby/spdystream v0.2.0 // indirect
+	github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/russross/blackfriday v1.5.2 // indirect
+	github.com/russross/blackfriday/v2 v2.0.1 // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/stretchr/testify v1.7.0 // indirect
+	github.com/xanzy/go-gitlab v0.54.3 // indirect
+	github.com/xanzy/ssh-agent v0.3.0 // indirect
+	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
+	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
+	golang.org/x/net v0.0.0-20211216030914-fe4d6282115f // indirect
+	golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f // indirect
+	golang.org/x/sys v0.0.0-20211029165221-6e7872819dc8 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	k8s.io/component-base v0.23.1 // indirect
+	k8s.io/klog/v2 v2.30.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
+	k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 // indirect
+	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.0 // indirect
+)
+
+// Fix for CVE-2020-29652: https://github.com/golang/crypto/commit/8b5274cf687fd9316b4108863654cc57385531e8
+// Fix for CVE-2021-43565: https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083
+replace golang.org/x/crypto => golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3

internal/bootstrap/bootstrap_plain_git.go

@@ -27,6 +27,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"sigs.k8s.io/cli-utils/pkg/object"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/kustomize/api/filesys"
@@ -57,8 +58,7 @@ type PlainGitBootstrapper struct {
 	gpgPassphrase  string
 	gpgKeyID       string
 
-	kubeconfig  string
-	kubecontext string
+	restClientGetter genericclioptions.RESTClientGetter
 
 	postGenerateSecret []PostGenerateSecretFunc
 
@@ -75,16 +75,6 @@ func WithRepositoryURL(url string) GitOption {
 	return repositoryURLOption(url)
 }
 
-func WithCABundle(b []byte) GitOption {
-	return caBundleOption(b)
-}
-
-type caBundleOption []byte
-
-func (o caBundleOption) applyGit(b *PlainGitBootstrapper) {
-	b.caBundle = o
-}
-
 type repositoryURLOption string
 
 func (o repositoryURLOption) applyGit(b *PlainGitBootstrapper) {
@@ -177,12 +167,12 @@ func (b *PlainGitBootstrapper) ReconcileComponents(ctx context.Context, manifest
 		if _, err := os.Stat(kfile); err == nil {
 			// Apply the components and their patches
 			b.logger.Actionf("installing components in %q namespace", options.Namespace)
-			if _, err := utils.Apply(ctx, b.kubeconfig, b.kubecontext, kfile); err != nil {
+			if _, err := utils.Apply(ctx, b.restClientGetter, kfile); err != nil {
 				return err
 			}
 		} else {
 			// Apply the CRDs and controllers
-			if _, err := utils.Apply(ctx, b.kubeconfig, b.kubecontext, componentsYAML); err != nil {
+			if _, err := utils.Apply(ctx, b.restClientGetter, componentsYAML); err != nil {
 				return err
 			}
 		}
@@ -309,7 +299,7 @@ func (b *PlainGitBootstrapper) ReconcileSyncConfig(ctx context.Context, options
 
 	// Apply to cluster
 	b.logger.Actionf("applying sync manifests")
-	if _, err := utils.Apply(ctx, b.kubeconfig, b.kubecontext, filepath.Join(b.git.Path(), kusManifests.Path)); err != nil {
+	if _, err := utils.Apply(ctx, b.restClientGetter, filepath.Join(b.git.Path(), kusManifests.Path)); err != nil {
 		return err
 	}
 
@@ -342,7 +332,7 @@ func (b *PlainGitBootstrapper) ReportKustomizationHealth(ctx context.Context, op
 }
 
 func (b *PlainGitBootstrapper) ReportComponentsHealth(ctx context.Context, install install.Options, timeout time.Duration) error {
-	cfg, err := utils.KubeConfig(b.kubeconfig, b.kubecontext)
+	cfg, err := utils.KubeConfig(b.restClientGetter)
 	if err != nil {
 		return err
 	}

internal/bootstrap/bootstrap_provider.go

@@ -30,6 +30,7 @@ import (
 	"github.com/fluxcd/go-git-providers/gitprovider"
 
 	"github.com/fluxcd/flux2/internal/bootstrap/git"
+	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
@@ -37,9 +38,11 @@ import (
 type GitProviderBootstrapper struct {
 	*PlainGitBootstrapper
 
-	owner      string
-	repository string
-	personal   bool
+	owner          string
+	repositoryName string
+	repository     gitprovider.UserRepository
+
+	personal bool
 
 	description   string
 	defaultBranch string
@@ -80,23 +83,23 @@ type GitProviderOption interface {
 	applyGitProvider(b *GitProviderBootstrapper)
 }
 
-func WithProviderRepository(owner, repository string, personal bool) GitProviderOption {
+func WithProviderRepository(owner, repositoryName string, personal bool) GitProviderOption {
 	return providerRepositoryOption{
-		owner:      owner,
-		repository: repository,
-		personal:   personal,
+		owner:          owner,
+		repositoryName: repositoryName,
+		personal:       personal,
 	}
 }
 
 type providerRepositoryOption struct {
-	owner      string
-	repository string
-	personal   bool
+	owner          string
+	repositoryName string
+	personal       bool
 }
 
 func (o providerRepositoryOption) applyGitProvider(b *GitProviderBootstrapper) {
 	b.owner = o.owner
-	b.repository = o.repository
+	b.repositoryName = o.repositoryName
 	b.personal = o.personal
 }
 
@@ -181,24 +184,26 @@ func (o reconcileOption) applyGitProvider(b *GitProviderBootstrapper) {
 }
 
 func (b *GitProviderBootstrapper) ReconcileSyncConfig(ctx context.Context, options sync.Options) error {
-	repo, err := b.getRepository(ctx)
-	if err != nil {
-		return err
+	if b.repository == nil {
+		return errors.New("repository is required")
 	}
+
 	if b.url == "" {
-		bootstrapURL, err := b.getCloneURL(repo, gitprovider.TransportType(b.bootstrapTransportType))
+		bootstrapURL, err := b.getCloneURL(b.repository, gitprovider.TransportType(b.bootstrapTransportType))
 		if err != nil {
 			return err
 		}
 		WithRepositoryURL(bootstrapURL).applyGit(b.PlainGitBootstrapper)
 	}
 	if options.URL == "" {
-		syncURL, err := b.getCloneURL(repo, gitprovider.TransportType(b.syncTransportType))
+		syncURL, err := b.getCloneURL(b.repository, gitprovider.TransportType(b.syncTransportType))
 		if err != nil {
 			return err
 		}
+
 		options.URL = syncURL
 	}
+
 	return b.PlainGitBootstrapper.ReconcileSyncConfig(ctx, options)
 }
 
@@ -211,7 +216,6 @@ func (b *GitProviderBootstrapper) ReconcileSyncConfig(ctx context.Context, optio
 func (b *GitProviderBootstrapper) ReconcileRepository(ctx context.Context) error {
 	var repo gitprovider.UserRepository
 	var err error
-
 	if b.personal {
 		repo, err = b.reconcileUserRepository(ctx)
 	} else {
@@ -221,36 +225,37 @@ func (b *GitProviderBootstrapper) ReconcileRepository(ctx context.Context) error
 		return err
 	}
 
-	cloneURL := repo.Repository().GetCloneURL(gitprovider.TransportType(b.bootstrapTransportType))
-	// TODO(hidde): https://github.com/fluxcd/go-git-providers/issues/55
-	if strings.HasPrefix(cloneURL, "https://https://") {
-		cloneURL = strings.TrimPrefix(cloneURL, "https://")
+	cloneURL, err := b.getCloneURL(repo, gitprovider.TransportType(b.bootstrapTransportType))
+	if err != nil {
+		return err
 	}
+
+	b.repository = repo
 	WithRepositoryURL(cloneURL).applyGit(b.PlainGitBootstrapper)
 
 	return err
 }
 
 func (b *GitProviderBootstrapper) reconcileDeployKey(ctx context.Context, secret corev1.Secret, options sourcesecret.Options) error {
+	if b.repository == nil {
+		return errors.New("repository is required")
+	}
+
 	ppk, ok := secret.StringData[sourcesecret.PublicKeySecretKey]
 	if !ok {
 		return nil
 	}
 	b.logger.Successf("public key: %s", strings.TrimSpace(ppk))
 
-	repo, err := b.getRepository(ctx)
+	name := deployKeyName(options.Namespace, b.branch, options.Name, options.TargetPath)
+	deployKeyInfo := newDeployKeyInfo(name, ppk, b.readWriteKey)
+
+	_, changed, err := b.repository.DeployKeys().Reconcile(ctx, deployKeyInfo)
 	if err != nil {
 		return err
 	}
-
-	name := deployKeyName(options.Namespace, b.branch, options.Name, options.TargetPath)
-	deployKeyInfo := newDeployKeyInfo(name, ppk, b.readWriteKey)
-	var changed bool
-	if _, changed, err = repo.DeployKeys().Reconcile(ctx, deployKeyInfo); err != nil {
-		return err
-	}
 	if changed {
-		b.logger.Successf("configured deploy key %q for %q", deployKeyInfo.Name, repo.Repository().String())
+		b.logger.Successf("configured deploy key %q for %q", deployKeyInfo.Name, b.repository.Repository().String())
 	}
 	return nil
 }
@@ -267,9 +272,12 @@ func (b *GitProviderBootstrapper) reconcileOrgRepository(ctx context.Context) (g
 
 	// Construct the repository and other configuration objects
 	// go-git-provider likes to work with
-	subOrgs, repoName := splitSubOrganizationsFromRepositoryName(b.repository)
-	orgRef := newOrganizationRef(b.provider.SupportedDomain(), b.owner, subOrgs)
-	repoRef := newOrgRepositoryRef(orgRef, repoName)
+	subOrgs, repoName := splitSubOrganizationsFromRepositoryName(b.repositoryName)
+	orgRef, err := b.getOrganization(ctx, subOrgs)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create new Git repository for the organization %q: %w", orgRef.String(), err)
+	}
+	repoRef := newOrgRepositoryRef(*orgRef, repoName)
 	repoInfo := newRepositoryInfo(b.description, b.defaultBranch, b.visibility)
 
 	// Reconcile the organization repository
@@ -343,7 +351,7 @@ func (b *GitProviderBootstrapper) reconcileUserRepository(ctx context.Context) (
 
 	// Construct the repository and other metadata objects
 	// go-git-provider likes to work with.
-	_, repoName := splitSubOrganizationsFromRepositoryName(b.repository)
+	_, repoName := splitSubOrganizationsFromRepositoryName(b.repositoryName)
 	userRef := newUserRef(b.provider.SupportedDomain(), b.owner)
 	repoRef := newUserRepositoryRef(userRef, repoName)
 	repoInfo := newRepositoryInfo(b.description, b.defaultBranch, b.visibility)
@@ -383,21 +391,22 @@ func (b *GitProviderBootstrapper) reconcileUserRepository(ctx context.Context) (
 	return repo, nil
 }
 
-// getRepository retrieves and returns the gitprovider.UserRepository
-// for organization and user repositories using the
-// GitProviderBootstrapper values.
-// As gitprovider.OrgRepository is a superset of gitprovider.UserRepository, this
-// type is returned.
-func (b *GitProviderBootstrapper) getRepository(ctx context.Context) (gitprovider.UserRepository, error) {
-	subOrgs, repoName := splitSubOrganizationsFromRepositoryName(b.repository)
-
-	if b.personal {
-		userRef := newUserRef(b.provider.SupportedDomain(), b.owner)
-		return b.provider.UserRepositories().Get(ctx, newUserRepositoryRef(userRef, repoName))
-	}
-
+// getOrganization retrieves and returns the gitprovider.Organization
+// using the GitProviderBootstrapper values.
+func (b *GitProviderBootstrapper) getOrganization(ctx context.Context, subOrgs []string) (*gitprovider.OrganizationRef, error) {
 	orgRef := newOrganizationRef(b.provider.SupportedDomain(), b.owner, subOrgs)
-	return b.provider.OrgRepositories().Get(ctx, newOrgRepositoryRef(orgRef, repoName))
+	// With Stash get the organization to be sure to get the correct key
+	if string(b.provider.ProviderID()) == string(provider.GitProviderStash) {
+		org, err := b.provider.Organizations().Get(ctx, orgRef)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get Git organization: %w", err)
+		}
+
+		orgRef = org.Organization()
+
+		return &orgRef, nil
+	}
+	return &orgRef, nil
 }
 
 // getCloneURL returns the Git clone URL for the given
@@ -405,18 +414,20 @@ func (b *GitProviderBootstrapper) getRepository(ctx context.Context) (gitprovide
 // gitprovider.TransportTypeSSH and a custom SSH hostname is configured,
 // the hostname of the URL will be modified to this hostname.
 func (b *GitProviderBootstrapper) getCloneURL(repository gitprovider.UserRepository, transport gitprovider.TransportType) (string, error) {
-	u := repository.Repository().GetCloneURL(transport)
-	// TODO(hidde): https://github.com/fluxcd/go-git-providers/issues/55
-	if strings.HasPrefix(u, "https://https://") {
-		u = strings.TrimPrefix(u, "https://")
+	var url string
+	if cloner, ok := repository.(gitprovider.CloneableURL); ok {
+		url = cloner.GetCloneURL("", transport)
+	} else {
+		url = repository.Repository().GetCloneURL(transport)
 	}
+
 	var err error
 	if transport == gitprovider.TransportTypeSSH && b.sshHostname != "" {
-		if u, err = setHostname(u, b.sshHostname); err != nil {
-			err = fmt.Errorf("failed to set SSH hostname for URL %q: %w", u, err)
+		if url, err = setHostname(url, b.sshHostname); err != nil {
+			err = fmt.Errorf("failed to set SSH hostname for URL %q: %w", url, err)
 		}
 	}
-	return u, err
+	return url, err
 }
 
 // splitSubOrganizationsFromRepositoryName removes any prefixed sub

internal/bootstrap/git/gogit/gogit_test.go

@@ -1,3 +1,4 @@
+//go:build unit
 // +build unit
 
 package gogit

internal/bootstrap/options.go

@@ -19,6 +19,7 @@ package bootstrap
 import (
 	"github.com/fluxcd/flux2/internal/bootstrap/git"
 	"github.com/fluxcd/flux2/pkg/log"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
 )
 
 type Option interface {
@@ -62,6 +63,20 @@ func (o authorOption) applyGitProvider(b *GitProviderBootstrapper) {
 	o.applyGit(b.PlainGitBootstrapper)
 }
 
+func WithCABundle(b []byte) Option {
+	return caBundleOption(b)
+}
+
+type caBundleOption []byte
+
+func (o caBundleOption) applyGit(b *PlainGitBootstrapper) {
+	b.caBundle = o
+}
+
+func (o caBundleOption) applyGitProvider(b *GitProviderBootstrapper) {
+	b.caBundle = o
+}
+
 func WithCommitMessageAppendix(appendix string) Option {
 	return commitMessageAppendixOption(appendix)
 }
@@ -76,21 +91,18 @@ func (o commitMessageAppendixOption) applyGitProvider(b *GitProviderBootstrapper
 	o.applyGit(b.PlainGitBootstrapper)
 }
 
-func WithKubeconfig(kubeconfig, kubecontext string) Option {
+func WithKubeconfig(rcg genericclioptions.RESTClientGetter) Option {
 	return kubeconfigOption{
-		kubeconfig:  kubeconfig,
-		kubecontext: kubecontext,
+		rcg: rcg,
 	}
 }
 
 type kubeconfigOption struct {
-	kubeconfig  string
-	kubecontext string
+	rcg genericclioptions.RESTClientGetter
 }
 
 func (o kubeconfigOption) applyGit(b *PlainGitBootstrapper) {
-	b.kubeconfig = o.kubeconfig
-	b.kubecontext = o.kubecontext
+	b.restClientGetter = o.rcg
 }
 
 func (o kubeconfigOption) applyGitProvider(b *GitProviderBootstrapper) {

internal/bootstrap/provider/factory.go

@@ -22,6 +22,7 @@ import (
 	"github.com/fluxcd/go-git-providers/github"
 	"github.com/fluxcd/go-git-providers/gitlab"
 	"github.com/fluxcd/go-git-providers/gitprovider"
+	"github.com/fluxcd/go-git-providers/stash"
 )
 
 // BuildGitProvider builds a gitprovider.Client for the provided
@@ -38,6 +39,9 @@ func BuildGitProvider(config Config) (gitprovider.Client, error) {
 		if config.Hostname != "" {
 			opts = append(opts, gitprovider.WithDomain(config.Hostname))
 		}
+		if config.CaBundle != nil {
+			opts = append(opts, gitprovider.WithCustomCAPostChainTransportHook(config.CaBundle))
+		}
 		if client, err = github.NewClient(opts...); err != nil {
 			return nil, err
 		}
@@ -48,9 +52,23 @@ func BuildGitProvider(config Config) (gitprovider.Client, error) {
 		if config.Hostname != "" {
 			opts = append(opts, gitprovider.WithDomain(config.Hostname))
 		}
+		if config.CaBundle != nil {
+			opts = append(opts, gitprovider.WithCustomCAPostChainTransportHook(config.CaBundle))
+		}
 		if client, err = gitlab.NewClient(config.Token, "", opts...); err != nil {
 			return nil, err
 		}
+	case GitProviderStash:
+		opts := []gitprovider.ClientOption{}
+		if config.Hostname != "" {
+			opts = append(opts, gitprovider.WithDomain(config.Hostname))
+		}
+		if config.CaBundle != nil {
+			opts = append(opts, gitprovider.WithCustomCAPostChainTransportHook(config.CaBundle))
+		}
+		if client, err = stash.NewStashClient(config.Username, config.Token, opts...); err != nil {
+			return nil, err
+		}
 	default:
 		return nil, fmt.Errorf("unsupported Git provider '%s'", config.Provider)
 	}

internal/bootstrap/provider/provider.go

@@ -22,6 +22,7 @@ type GitProvider string
 const (
 	GitProviderGitHub GitProvider = "github"
 	GitProviderGitLab GitProvider = "gitlab"
+	GitProviderStash  GitProvider = "stash"
 )
 
 // Config defines the configuration for connecting to a GitProvider.
@@ -33,7 +34,14 @@ type Config struct {
 	// e.g. github.example.com.
 	Hostname string
 
+	// Username contains the username used to authenticate with
+	// the Provider.
+	Username string
+
 	// Token contains the token used to authenticate with the
 	// Provider.
 	Token string
+
+	// CABunle contains the CA bundle to use for the client.
+	CaBundle []byte
 }

internal/flags/crds_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/flags/decryption_provider_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/flags/ecdsa_curve_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/flags/git_implementation_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/flags/helm_chart_source_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/flags/helm_release_values_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/flags/kustomization_source_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/flags/log_level_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/flags/public_key_algorithm_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/flags/rsa_key_bits_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/flags/safe_relative_path_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/flags/source_bucket_provider_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

internal/utils/apply.go

@@ -26,9 +26,9 @@ import (
 
 	"github.com/fluxcd/pkg/ssa"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"sigs.k8s.io/cli-utils/pkg/kstatus/polling"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"sigs.k8s.io/kustomize/api/konfig"
 
 	"github.com/fluxcd/flux2/pkg/manifestgen/kustomization"
@@ -36,12 +36,12 @@ import (
 
 // Apply is the equivalent of 'kubectl apply --server-side -f'.
 // If the given manifest is a kustomization.yaml, then apply performs the equivalent of 'kubectl apply --server-side -k'.
-func Apply(ctx context.Context, kubeConfigPath string, kubeContext string, manifestPath string) (string, error) {
-	cfg, err := KubeConfig(kubeConfigPath, kubeContext)
+func Apply(ctx context.Context, rcg genericclioptions.RESTClientGetter, manifestPath string) (string, error) {
+	cfg, err := KubeConfig(rcg)
 	if err != nil {
 		return "", err
 	}
-	restMapper, err := apiutil.NewDynamicRESTMapper(cfg)
+	restMapper, err := rcg.ToRESTMapper()
 	if err != nil {
 		return "", err
 	}
@@ -49,7 +49,7 @@ func Apply(ctx context.Context, kubeConfigPath string, kubeContext string, manif
 	if err != nil {
 		return "", err
 	}
-	kubePoller := polling.NewStatusPoller(kubeClient, restMapper)
+	kubePoller := polling.NewStatusPoller(kubeClient, restMapper, nil)
 
 	resourceManager := ssa.NewResourceManager(kubeClient, kubePoller, ssa.Owner{
 		Field: "flux",

internal/utils/utils.go

@@ -37,8 +37,8 @@ import (
 	apiruntime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	sigyaml "k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/clientcmd"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 
@@ -107,22 +107,8 @@ func ExecKubectlCommand(ctx context.Context, mode ExecMode, kubeConfigPath strin
 	return "", nil
 }
 
-func ClientConfig(kubeConfigPath string, kubeContext string) clientcmd.ClientConfig {
-	configFiles := SplitKubeConfigPath(kubeConfigPath)
-	configOverrides := clientcmd.ConfigOverrides{}
-
-	if len(kubeContext) > 0 {
-		configOverrides.CurrentContext = kubeContext
-	}
-
-	return clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
-		&clientcmd.ClientConfigLoadingRules{Precedence: configFiles},
-		&configOverrides,
-	)
-}
-
-func KubeConfig(kubeConfigPath string, kubeContext string) (*rest.Config, error) {
-	cfg, err := ClientConfig(kubeConfigPath, kubeContext).ClientConfig()
+func KubeConfig(rcg genericclioptions.RESTClientGetter) (*rest.Config, error) {
+	cfg, err := rcg.ToRESTConfig()
 	if err != nil {
 		return nil, fmt.Errorf("kubernetes configuration load failed: %w", err)
 	}
@@ -152,10 +138,10 @@ func NewScheme() *apiruntime.Scheme {
 	return scheme
 }
 
-func KubeClient(kubeConfigPath string, kubeContext string) (client.WithWatch, error) {
-	cfg, err := KubeConfig(kubeConfigPath, kubeContext)
+func KubeClient(rcg genericclioptions.RESTClientGetter) (client.WithWatch, error) {
+	cfg, err := rcg.ToRESTConfig()
 	if err != nil {
-		return nil, fmt.Errorf("kubernetes client initialization failed: %w", err)
+		return nil, err
 	}
 
 	scheme := NewScheme()

internal/utils/utils_test.go

@@ -1,3 +1,4 @@
+//go:build !e2e
 // +build !e2e
 
 /*

manifests/bases/helm-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/helm-controller/releases/download/v0.13.0/helm-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.13.0/helm-controller.deployment.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.15.0/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.15.0/helm-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target: