Update toolkit components

- helm-controller to v0.17.2
  https://github.com/fluxcd/helm-controller/blob/v0.17.2/CHANGELOG.md
- notification-controller to v0.22.3
  https://github.com/fluxcd/notification-controller/blob/v0.22.3/CHANGELOG.md

Signed-off-by: GitHub <noreply@github.com>

.github/aur/flux-go/PKGBUILD.template

@@ -30,12 +30,20 @@ build() {
   export CGO_CXXFLAGS="$CXXFLAGS"
   export CGO_CPPFLAGS="$CPPFLAGS"
   export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
-  ./manifests/scripts/bundle.sh "${PWD}/manifests" "${PWD}/cmd/flux/manifests"
+  make cmd/flux/.manifests.done
   go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
 }
 
 check() {
   cd "flux2-${pkgver}"
+  case $CARCH in
+    aarch64)
+      export ENVTEST_ARCH=arm64
+      ;;
+    armv6h|armv7h)
+      export ENVTEST_ARCH=arm
+      ;;
+  esac
   make test
 }
 

.github/aur/flux-scm/PKGBUILD.template

@@ -11,7 +11,7 @@ license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 depends=("glibc")
-makedepends=('go>=1.17', 'kustomize>=3.0')
+makedepends=('go>=1.17', 'kustomize>=3.0', 'git')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
@@ -32,12 +32,20 @@ build() {
   export CGO_CXXFLAGS="$CXXFLAGS"
   export CGO_CPPFLAGS="$CPPFLAGS"
   export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
-  make cmd/flux/manifests
+  make cmd/flux/.manifests.done
   go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
 }
 
 check() {
   cd "flux2"
+  case $CARCH in
+    aarch64)
+      export ENVTEST_ARCH=arm64
+      ;;
+    armv6h|armv7h)
+      export ENVTEST_ARCH=arm
+      ;;
+  esac
   make test
 }
 

.github/runners/prereq.sh

@@ -23,7 +23,7 @@ KUBECTL_VERSION=1.21.2
 KUSTOMIZE_VERSION=4.1.3
 HELM_VERSION=3.7.2
 GITHUB_RUNNER_VERSION=2.285.1
-PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq"
+PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq pkg-config"
 
 # install prerequisites
 apt-get update \

.github/workflows/bootstrap.yaml

@@ -103,13 +103,26 @@ jobs:
           /tmp/flux reconcile image repository podinfo
           /tmp/flux reconcile image update flux-system
           /tmp/flux get images all
-          /tmp/flux get images policy podinfo | grep "5.2.1"
-          /tmp/flux get image update flux-system | grep commit
+          
+          retries=10
+          count=0
+          ok=false
+          until ${ok}; do
+              /tmp/flux get image update flux-system | grep 'commit' && ok=true || ok=false
+              count=$(($count + 1))
+              if [[ ${count} -eq ${retries} ]]; then
+                  echo "No more retries left"
+                  exit 1
+              fi
+              sleep 6
+              /tmp/flux reconcile image update flux-system
+          done
         env:
           GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
           GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
           GITHUB_ORG_NAME: fluxcd-testing
       - name: delete repository
+        if: ${{ always() }}
         run: |
           curl \
             -X DELETE \

.github/workflows/e2e.yaml

@@ -27,12 +27,8 @@ jobs:
         uses: engineerd/setup-kind@v0.5.0
         with:
           version: v0.11.1
-          image: kindest/node:v1.19.11@sha256:07db187ae84b4b7de440a73886f008cf903fcf5764ba8106a9fd5243d6f32729
+          image: kindest/node:v1.20.7
           config: .github/kind/config.yaml # disable KIND-net
-      - name: Setup envtest
-        uses: fluxcd/pkg/actions/envtest@main
-        with:
-          version: "1.21.x"
       - name: Setup Calico for network policy
         run: |
           kubectl apply -f https://docs.projectcalico.org/v3.20/manifests/calico.yaml

.github/workflows/release.yaml

@@ -4,6 +4,11 @@ on:
   push:
     tags: [ 'v*' ]
 
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
@@ -18,13 +23,15 @@ jobs:
           go-version: 1.17.x
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v1
-        with:
-          platforms: all
       - name: Setup Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v1
-        with:
-          buildkitd-flags: "--debug"
+      - name: Setup Syft
+        uses: anchore/sbom-action/download-syft@v0
+      - name: Setup Cosign
+        uses: sigstore/cosign-installer@main
+      - name: Setup Kustomize
+        uses: fluxcd/pkg//actions/kustomize@main
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v1
         with:
@@ -36,18 +43,6 @@ jobs:
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-      - name: Download release notes utility
-        env:
-          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
-        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
-      - name: Generate release notes
-        run: |
-          echo 'CHANGELOG' > /tmp/release.txt
-          github-release-notes -org fluxcd -repo toolkit -since-latest-release -include-author >> /tmp/release.txt
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
       - name: Generate manifests
         run: |
           make cmd/flux/.manifests.done
@@ -66,11 +61,22 @@ jobs:
       - name: Archive the OpenAPI JSON schemas
         run: |
           tar -czvf ./output/crd-schemas.tar.gz -C schemas .
+      - name: Download release notes utility
+        env:
+          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
+        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
+      - name: Generate release notes
+        run: |
+          NOTES="./output/notes.md"
+          echo '## CLI Changelog' > ${NOTES}
+          github-release-notes -org fluxcd -repo flux2 -since-latest-release -include-author >> ${NOTES}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v1
         with:
           version: latest
-          args: release --release-notes=/tmp/release.txt --skip-validate
+          args: release --release-notes=output/notes.md --skip-validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}

.gitignore

@@ -20,6 +20,7 @@ bin/
 output/
 cmd/flux/manifests/
 cmd/flux/.manifests.done
+testbin/
 
 # Docs
 site/

.goreleaser.yml

@@ -40,6 +40,36 @@ archives:
     format: zip
     files:
       - none*
+source:
+  enabled: true
+  name_template: '{{ .ProjectName }}_{{ .Version }}_source_code'
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+release:
+  extra_files:
+    - glob: output/crd-schemas.tar.gz
+    - glob: output/manifests.tar.gz
+    - glob: output/install.yaml
+checksum:
+  extra_files:
+    - glob: output/crd-schemas.tar.gz
+    - glob: output/manifests.tar.gz
+    - glob: output/install.yaml
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: checksum
+    output: true
 brews:
   - name: flux
     tap:
@@ -78,17 +108,12 @@ publishers:
       - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
     cmd: |
       .github/aur/flux-go/publish.sh {{ .Version }}
-release:
-  extra_files:
-    - glob: ./output/crd-schemas.tar.gz
-    - glob: ./output/manifests.tar.gz
-    - glob: ./output/install.yaml
 dockers:
 - image_templates:
     - 'fluxcd/flux-cli:{{ .Tag }}-amd64'
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
   dockerfile: Dockerfile
-  use_buildx: true
+  use: buildx
   goos: linux
   goarch: amd64
   build_flag_templates:
@@ -104,7 +129,7 @@ dockers:
     - 'fluxcd/flux-cli:{{ .Tag }}-arm64'
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
   dockerfile: Dockerfile
-  use_buildx: true
+  use: buildx
   goos: linux
   goarch: arm64
   build_flag_templates:
@@ -120,7 +145,7 @@ dockers:
     - 'fluxcd/flux-cli:{{ .Tag }}-arm'
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
   dockerfile: Dockerfile
-  use_buildx: true
+  use: buildx
   goos: linux
   goarch: arm
   goarm: 7
@@ -144,3 +169,12 @@ docker_manifests:
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
     - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
+docker_signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    args:
+      - sign
+      - '${artifact}'
+    artifacts: all
+    output: true

CONTRIBUTING.md

@@ -67,9 +67,9 @@ for source changes.
 
 Prerequisites:
 
-* go >= 1.16
-* kubectl >= 1.19
-* kustomize >= 4.0
+* go >= 1.17
+* kubectl >= 1.20
+* kustomize >= 4.4
 
 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
 

Dockerfile

@@ -3,7 +3,7 @@ FROM alpine:3.15 as builder
 RUN apk add --no-cache ca-certificates curl
 
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.22.2
+ARG KUBECTL_VER=1.23.1
 
 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
     -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
@@ -20,4 +20,5 @@ RUN apk add --no-cache ca-certificates
 COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/
 COPY --chmod=755 flux /usr/local/bin/
 
+USER 65534:65534
 ENTRYPOINT [ "flux" ]

Makefile

@@ -1,8 +1,8 @@
 VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | head -n 1 | tr -d '"')
 EMBEDDED_MANIFESTS_TARGET=cmd/flux/.manifests.done
 TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
-ENVTEST_BIN_VERSION?=latest
-KUBEBUILDER_ASSETS?=$(shell $(SETUP_ENVTEST) use -i $(ENVTEST_BIN_VERSION) -p path)
+# Architecture to use envtest with
+ENVTEST_ARCH ?= amd64
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -34,6 +34,7 @@ cleanup-kind:
 	kind delete cluster --name=flux-e2e-test
 	rm $(TEST_KUBECONFIG)
 
+KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
 test: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet install-envtest
 	KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test ./... -coverprofile cover.out --tags=unit
 
@@ -59,27 +60,33 @@ install:
 install-dev:
 	CGO_ENABLED=0 go build -o /usr/local/bin ./cmd/flux
 
-install-envtest:  setup-envtest
-	 $(SETUP_ENVTEST) use $(ENVTEST_BIN_VERSION)
-
 setup-bootstrap-patch:
 	go run ./tests/bootstrap/main.go
 
 setup-image-automation:
 	cd tests/image-automation && go run main.go
 
-# Find or download setup-envtest
-setup-envtest:
-ifeq (, $(shell which setup-envtest))
-	@{ \
-	set -e ;\
-	SETUP_ENVTEST_TMP_DIR=$$(mktemp -d) ;\
-	cd $$SETUP_ENVTEST_TMP_DIR ;\
-	go mod init tmp ;\
-	go get sigs.k8s.io/controller-runtime/tools/setup-envtest@latest ;\
-	rm -rf $$SETUP_ENVTEST_TMP_DIR ;\
-	}
-SETUP_ENVTEST=$(GOBIN)/setup-envtest
-else
-SETUP_ENVTEST=$(shell which setup-envtest)
-endif
+ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
+ENVTEST_KUBERNETES_VERSION?=latest
+install-envtest: setup-envtest
+	mkdir -p ${ENVTEST_ASSETS_DIR}
+	$(ENVTEST) use $(ENVTEST_KUBERNETES_VERSION) --arch=$(ENVTEST_ARCH) --bin-dir=$(ENVTEST_ASSETS_DIR)
+
+ENVTEST = $(shell pwd)/bin/setup-envtest
+.PHONY: envtest
+setup-envtest: ## Download envtest-setup locally if necessary.
+	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
+
+# go-install-tool will 'go install' any package $2 and install it to $1.
+PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+define go-install-tool
+@[ -f $(1) ] || { \
+set -e ;\
+TMP_DIR=$$(mktemp -d) ;\
+cd $$TMP_DIR ;\
+go mod init tmp ;\
+echo "Downloading $(2)" ;\
+GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
+rm -rf $$TMP_DIR ;\
+}
+endef

cmd/flux/alert.go

@@ -25,8 +25,9 @@ import (
 // notificationv1.Alert
 
 var alertType = apiType{
-	kind:      notificationv1.AlertKind,
-	humanKind: "alert",
+	kind:         notificationv1.AlertKind,
+	humanKind:    "alert",
+	groupVersion: notificationv1.GroupVersion,
 }
 
 type alertAdapter struct {

cmd/flux/alert_provider.go

@@ -25,8 +25,9 @@ import (
 // notificationv1.Provider
 
 var alertProviderType = apiType{
-	kind:      notificationv1.ProviderKind,
-	humanKind: "alert provider",
+	kind:         notificationv1.ProviderKind,
+	humanKind:    "alert provider",
+	groupVersion: notificationv1.GroupVersion,
 }
 
 type alertProviderAdapter struct {

cmd/flux/bootstrap_bitbucket_server.go

@@ -254,6 +254,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/bootstrap_git.go

@@ -161,10 +161,15 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 
+		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
+		// This _might_ be overwritten later on by e.g. --ssh-hostname
+		if repositoryURL.Scheme != "https" && repositoryURL.Scheme != "http" {
+			repositoryURL.Host = repositoryURL.Hostname()
+		}
+
 		// Configure repository URL to match auth config for sync.
 		repositoryURL.User = nil
 		repositoryURL.Scheme = "https"
-		repositoryURL.Host = repositoryURL.Hostname()
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.Password = gitArgs.password

cmd/flux/bootstrap_github.go

@@ -243,6 +243,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/bootstrap_gitlab.go

@@ -257,6 +257,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))

cmd/flux/build.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var buildCmd = &cobra.Command{
+	Use:   "build",
+	Short: "Build a flux resource",
+	Long:  "The build command is used to build flux resources.",
+}
+
+func init() {
+	rootCmd.AddCommand(buildCmd)
+}

cmd/flux/build_kustomization.go

@@ -0,0 +1,100 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/signal"
+
+	"github.com/spf13/cobra"
+
+	"github.com/fluxcd/flux2/internal/build"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+)
+
+var buildKsCmd = &cobra.Command{
+	Use:     "kustomization",
+	Aliases: []string{"ks"},
+	Short:   "Build Kustomization",
+	Long: `The build command queries the Kubernetes API and fetches the specified Flux Kustomization. 
+It then uses the fetched in cluster flux kustomization to perform needed transformation on the local kustomization.yaml
+pointed at by --path. The local kustomization.yaml is generated if it does not exist. Finally it builds the overlays using the local kustomization.yaml, and write the resulting multi-doc YAML to stdout.`,
+	Example: `# Build the local manifests as they were built on the cluster
+flux build kustomization my-app --path ./path/to/local/manifests`,
+	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
+	RunE:              buildKsCmdRun,
+}
+
+type buildKsFlags struct {
+	path string
+}
+
+var buildKsArgs buildKsFlags
+
+func init() {
+	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.)")
+	buildCmd.AddCommand(buildKsCmd)
+}
+
+func buildKsCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("%s name is required", kustomizationType.humanKind)
+	}
+	name := args[0]
+
+	if buildKsArgs.path == "" {
+		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
+	}
+
+	if fs, err := os.Stat(buildKsArgs.path); err != nil || !fs.IsDir() {
+		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
+	}
+
+	builder, err := build.NewBuilder(kubeconfigArgs, name, buildKsArgs.path, build.WithTimeout(rootArgs.timeout))
+	if err != nil {
+		return err
+	}
+
+	// create a signal channel
+	sigc := make(chan os.Signal, 1)
+	signal.Notify(sigc, os.Interrupt)
+
+	errChan := make(chan error)
+	go func() {
+		manifests, err := builder.Build()
+		if err != nil {
+			errChan <- err
+		}
+
+		cmd.Print(string(manifests))
+		errChan <- nil
+	}()
+
+	select {
+	case <-sigc:
+		fmt.Println("Build cancelled... exiting.")
+		return builder.Cancel()
+	case err := <-errChan:
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+
+}

cmd/flux/build_kustomization_test.go

@@ -0,0 +1,83 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func setup(t *testing.T, tmpl map[string]string) {
+	t.Helper()
+	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
+	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-kustomization.yaml", tmpl, t)
+}
+
+func TestBuildKustomization(t *testing.T) {
+	tests := []struct {
+		name       string
+		args       string
+		resultFile string
+		assertFunc string
+	}{
+		{
+			name:       "no args",
+			args:       "build kustomization podinfo",
+			resultFile: "invalid resource path \"\"",
+			assertFunc: "assertError",
+		},
+		{
+			name:       "build podinfo",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/podinfo",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build podinfo without service",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/delete-service",
+			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+	}
+
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setup(t, tmpl)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var assert assertFunc
+
+			switch tt.assertFunc {
+			case "assertGoldenTemplateFile":
+				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
+			case "assertError":
+				assert = assertError(tt.resultFile)
+			}
+
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: assert,
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/check.go

@@ -56,10 +56,7 @@ type checkFlags struct {
 }
 
 var kubernetesConstraints = []string{
-	">=1.19.0-0",
-	">=1.16.11-0 <=1.16.15-0",
-	">=1.17.7-0 <=1.17.17-0",
-	">=1.18.4-0 <=1.18.20-0",
+	">=1.20.6-0",
 }
 
 var checkArgs checkFlags

cmd/flux/create.go

@@ -19,6 +19,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"regexp"
 	"strings"
 	"time"
 
@@ -51,6 +52,18 @@ func init() {
 	createCmd.PersistentFlags().BoolVar(&createArgs.export, "export", false, "export in YAML format to stdout")
 	createCmd.PersistentFlags().StringSliceVar(&createArgs.labels, "label", nil,
 		"set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)")
+	createCmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 {
+			return fmt.Errorf("name is required")
+		}
+
+		name := args[0]
+		if !validateObjectName(name) {
+			return fmt.Errorf("name '%s' is invalid, it should adhere to standard defined in RFC 1123, the name can only contain alphanumeric characters or '-'", name)
+		}
+
+		return nil
+	}
 	rootCmd.AddCommand(createCmd)
 }
 
@@ -150,3 +163,8 @@ func parseLabels() (map[string]string, error) {
 
 	return result, nil
 }
+
+func validateObjectName(name string) bool {
+	r := regexp.MustCompile("^[a-z0-9]([a-z0-9\\-]){0,61}[a-z0-9]$")
+	return r.MatchString(name)
+}

cmd/flux/create_alert.go

@@ -63,9 +63,6 @@ func init() {
 }
 
 func createAlertCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Alert name is required")
-	}
 	name := args[0]
 
 	if alertArgs.providerRef == "" {

cmd/flux/create_alertprovider.go

@@ -73,9 +73,6 @@ func init() {
 }
 
 func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Provider name is required")
-	}
 	name := args[0]
 
 	if alertProviderArgs.alertType == "" {

cmd/flux/create_helmrelease.go

@@ -139,9 +139,6 @@ func init() {
 }
 
 func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("HelmRelease name is required")
-	}
 	name := args[0]
 
 	if helmReleaseArgs.chart == "" {

cmd/flux/create_image_policy.go

@@ -84,9 +84,6 @@ func (obj imagePolicyAdapter) getObservedGeneration() int64 {
 }
 
 func createImagePolicyRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("ImagePolicy name is required")
-	}
 	objectName := args[0]
 
 	if imagePolicyArgs.imageRef == "" {

cmd/flux/create_image_repository.go

@@ -83,9 +83,6 @@ func init() {
 }
 
 func createImageRepositoryRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("ImageRepository name is required")
-	}
 	objectName := args[0]
 
 	if imageRepoArgs.image == "" {

cmd/flux/create_image_update.go

@@ -49,25 +49,40 @@ mentioned in YAMLs in a git repository.`,
     --push-branch=image-updates \
     --author-name=flux \
     --author-email=flux@example.com \
-    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"`,
+    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
+
+  # Configure image updates for a Git repository in a different namespace
+  flux create image update apps \
+    --namespace=apps \
+    --git-repo-ref=flux-system \
+    --git-repo-namespace=flux-system \
+    --git-repo-path="./clusters/my-cluster" \
+    --checkout-branch=main \
+    --push-branch=image-updates \
+    --author-name=flux \
+    --author-email=flux@example.com \
+    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
+`,
 	RunE: createImageUpdateRun,
 }
 
 type imageUpdateFlags struct {
-	gitRepoRef     string
-	gitRepoPath    string
-	checkoutBranch string
-	pushBranch     string
-	commitTemplate string
-	authorName     string
-	authorEmail    string
+	gitRepoName      string
+	gitRepoNamespace string
+	gitRepoPath      string
+	checkoutBranch   string
+	pushBranch       string
+	commitTemplate   string
+	authorName       string
+	authorEmail      string
 }
 
 var imageUpdateArgs = imageUpdateFlags{}
 
 func init() {
 	flags := createImageUpdateCmd.Flags()
-	flags.StringVar(&imageUpdateArgs.gitRepoRef, "git-repo-ref", "", "the name of a GitRepository resource with details of the upstream Git repository")
+	flags.StringVar(&imageUpdateArgs.gitRepoName, "git-repo-ref", "", "the name of a GitRepository resource with details of the upstream Git repository")
+	flags.StringVar(&imageUpdateArgs.gitRepoNamespace, "git-repo-namespace", "", "the namespace of the GitRepository resource, defaults to the ImageUpdateAutomation namespace")
 	flags.StringVar(&imageUpdateArgs.gitRepoPath, "git-repo-path", "", "path to the directory containing the manifests to be updated, defaults to the repository root")
 	flags.StringVar(&imageUpdateArgs.checkoutBranch, "checkout-branch", "", "the branch to checkout")
 	flags.StringVar(&imageUpdateArgs.pushBranch, "push-branch", "", "the branch to push commits to, defaults to the checkout branch if not specified")
@@ -79,12 +94,9 @@ func init() {
 }
 
 func createImageUpdateRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("ImageUpdateAutomation name is required")
-	}
 	objectName := args[0]
 
-	if imageUpdateArgs.gitRepoRef == "" {
+	if imageUpdateArgs.gitRepoName == "" {
 		return fmt.Errorf("a reference to a GitRepository is required (--git-repo-ref)")
 	}
 
@@ -112,9 +124,10 @@ func createImageUpdateRun(cmd *cobra.Command, args []string) error {
 			Labels:    labels,
 		},
 		Spec: autov1.ImageUpdateAutomationSpec{
-			SourceRef: autov1.SourceReference{
-				Kind: sourcev1.GitRepositoryKind,
-				Name: imageUpdateArgs.gitRepoRef,
+			SourceRef: autov1.CrossNamespaceSourceReference{
+				Kind:      sourcev1.GitRepositoryKind,
+				Name:      imageUpdateArgs.gitRepoName,
+				Namespace: imageUpdateArgs.gitRepoNamespace,
 			},
 
 			GitSpec: &autov1.GitSpec{

cmd/flux/create_kustomization.go

@@ -119,9 +119,6 @@ func NewKustomizationFlags() kustomizationFlags {
 }
 
 func createKsCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Kustomization name is required")
-	}
 	name := args[0]
 
 	if kustomizationArgs.path == "" {

cmd/flux/create_receiver.go

@@ -67,9 +67,6 @@ func init() {
 }
 
 func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Receiver name is required")
-	}
 	name := args[0]
 
 	if receiverArgs.receiverType == "" {

cmd/flux/create_secret_git.go

@@ -112,9 +112,6 @@ func NewSecretGitFlags() secretGitFlags {
 }
 
 func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("secret name is required")
-	}
 	name := args[0]
 	if secretGitArgs.url == "" {
 		return fmt.Errorf("url is required")

cmd/flux/create_secret_git_test.go

@@ -13,7 +13,7 @@ func TestCreateGitSecret(t *testing.T) {
 		{
 			name:   "no args",
 			args:   "create secret git",
-			assert: assertError("secret name is required"),
+			assert: assertError("name is required"),
 		},
 		{
 			name:   "basic secret",

cmd/flux/create_secret_helm.go

@@ -18,7 +18,6 @@ package main
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -68,9 +67,6 @@ func init() {
 }
 
 func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("secret name is required")
-	}
 	name := args[0]
 
 	labels, err := parseLabels()

cmd/flux/create_secret_helm_test.go

@@ -12,7 +12,7 @@ func TestCreateHelmSecret(t *testing.T) {
 	}{
 		{
 			args:   "create secret helm",
-			assert: assertError("secret name is required"),
+			assert: assertError("name is required"),
 		},
 		{
 			args:   "create secret helm helm-secret --username=my-username --password=my-password --namespace=my-namespace --export",

cmd/flux/create_secret_tls.go

@@ -18,7 +18,6 @@ package main
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -67,9 +66,6 @@ func init() {
 }
 
 func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("secret name is required")
-	}
 	name := args[0]
 
 	labels, err := parseLabels()

cmd/flux/create_secret_tls_test.go

@@ -12,7 +12,7 @@ func TestCreateTlsSecretNoArgs(t *testing.T) {
 	}{
 		{
 			args:   "create secret tls",
-			assert: assertError("secret name is required"),
+			assert: assertError("name is required"),
 		},
 		{
 			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --export",

cmd/flux/create_source_bucket.go

@@ -93,9 +93,6 @@ func NewSourceBucketFlags() sourceBucketFlags {
 }
 
 func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Bucket source name is required")
-	}
 	name := args[0]
 
 	if sourceBucketArgs.name == "" {

cmd/flux/create_source_git.go

@@ -150,9 +150,6 @@ func newSourceGitFlags() sourceGitFlags {
 }
 
 func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("GitRepository source name is required")
-	}
 	name := args[0]
 
 	if sourceGitArgs.url == "" {

cmd/flux/create_source_git_test.go

@@ -96,7 +96,7 @@ func TestCreateSourceGit(t *testing.T) {
 		{
 			"NoArgs",
 			"create source git",
-			assertError("GitRepository source name is required"),
+			assertError("name is required"),
 			nil,
 		}, {
 			"Succeeded",

cmd/flux/create_source_helm.go

@@ -91,9 +91,6 @@ func init() {
 }
 
 func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("HelmRepository source name is required")
-	}
 	name := args[0]
 
 	if sourceHelmArgs.url == "" {

cmd/flux/create_tenant.go

@@ -70,9 +70,6 @@ func init() {
 }
 
 func createTenantCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("tenant name is required")
-	}
 	tenant := args[0]
 	if err := validation.IsQualifiedName(tenant); len(err) > 0 {
 		return fmt.Errorf("invalid tenant name '%s': %v", tenant, err)

cmd/flux/create_test.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/rand"
+)
+
+func Test_validateObjectName(t *testing.T) {
+	tests := []struct {
+		name  string
+		valid bool
+	}{
+		{
+			name:  "flux-system",
+			valid: true,
+		},
+		{
+			name:  "-flux-system",
+			valid: false,
+		},
+		{
+			name:  "-flux-system-",
+			valid: false,
+		},
+		{
+			name:  "third.first",
+			valid: false,
+		},
+		{
+			name:  "THirdfirst",
+			valid: false,
+		},
+		{
+			name:  "THirdfirst",
+			valid: false,
+		},
+		{
+			name:  rand.String(63),
+			valid: true,
+		},
+		{
+			name:  rand.String(64),
+			valid: false,
+		},
+	}
+
+	for _, tt := range tests {
+		valid := validateObjectName(tt.name)
+		if valid != tt.valid {
+			t.Errorf("expected name %q to return %t for validateObjectName func but got %t",
+				tt.name, tt.valid, valid)
+		}
+	}
+}

cmd/flux/diff.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var diffCmd = &cobra.Command{
+	Use:   "diff",
+	Short: "Diff a flux resource",
+	Long:  "The diff command is used to do a server-side dry-run on flux resources, then prints the diff.",
+}
+
+func init() {
+	rootCmd.AddCommand(diffCmd)
+}

cmd/flux/diff_kustomization.go

@@ -0,0 +1,113 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/signal"
+
+	"github.com/spf13/cobra"
+
+	"github.com/fluxcd/flux2/internal/build"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+)
+
+var diffKsCmd = &cobra.Command{
+	Use:     "kustomization",
+	Aliases: []string{"ks"},
+	Short:   "Diff Kustomization",
+	Long: `The diff command does a build, then it performs a server-side dry-run and prints the diff.
+Exit status: 0 No differences were found. 1 Differences were found. >1 diff failed with an error.`,
+	Example: `# Preview local changes as they were applied on the cluster
+flux diff kustomization my-app --path ./path/to/local/manifests`,
+	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
+	RunE:              diffKsCmdRun,
+}
+
+type diffKsFlags struct {
+	path        string
+	progressBar bool
+}
+
+var diffKsArgs diffKsFlags
+
+func init() {
+	diffKsCmd.Flags().StringVar(&diffKsArgs.path, "path", "", "Path to a local directory that matches the specified Kustomization.spec.path.)")
+	diffKsCmd.Flags().BoolVar(&diffKsArgs.progressBar, "progress-bar", true, "Boolean to set the progress bar. The default value is true.")
+	diffCmd.AddCommand(diffKsCmd)
+}
+
+func diffKsCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("%s name is required", kustomizationType.humanKind)
+	}
+	name := args[0]
+
+	if diffKsArgs.path == "" {
+		return &RequestError{StatusCode: 2, Err: fmt.Errorf("invalid resource path %q", diffKsArgs.path)}
+	}
+
+	if fs, err := os.Stat(diffKsArgs.path); err != nil || !fs.IsDir() {
+		return &RequestError{StatusCode: 2, Err: fmt.Errorf("invalid resource path %q", diffKsArgs.path)}
+	}
+
+	var builder *build.Builder
+	var err error
+	if diffKsArgs.progressBar {
+		builder, err = build.NewBuilder(kubeconfigArgs, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithProgressBar())
+	} else {
+		builder, err = build.NewBuilder(kubeconfigArgs, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout))
+	}
+
+	if err != nil {
+		return &RequestError{StatusCode: 2, Err: err}
+	}
+
+	// create a signal channel
+	sigc := make(chan os.Signal, 1)
+	signal.Notify(sigc, os.Interrupt)
+
+	errChan := make(chan error)
+	go func() {
+		output, hasChanged, err := builder.Diff()
+		if err != nil {
+			errChan <- &RequestError{StatusCode: 2, Err: err}
+		}
+
+		cmd.Print(output)
+
+		if hasChanged {
+			errChan <- &RequestError{StatusCode: 1, Err: fmt.Errorf("identified at least one change, exiting with non-zero exit code")}
+		} else {
+			errChan <- nil
+		}
+	}()
+
+	select {
+	case <-sigc:
+		fmt.Println("Build cancelled... exiting.")
+		return builder.Cancel()
+	case err := <-errChan:
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+
+}

cmd/flux/diff_kustomization_test.go

@@ -0,0 +1,145 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/fluxcd/flux2/internal/build"
+	"github.com/fluxcd/pkg/ssa"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func TestDiffKustomization(t *testing.T) {
+	tests := []struct {
+		name       string
+		args       string
+		objectFile string
+		assert     assertFunc
+	}{
+		{
+			name:       "no args",
+			args:       "diff kustomization podinfo",
+			objectFile: "",
+			assert:     assertError("invalid resource path \"\""),
+		},
+		{
+			name:       "diff nothing deployed",
+			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false",
+			objectFile: "",
+			assert:     assertGoldenFile("./testdata/diff-kustomization/nothing-is-deployed.golden"),
+		},
+		{
+			name:       "diff with a deployment object",
+			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false",
+			objectFile: "./testdata/diff-kustomization/deployment.yaml",
+			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-deployment.golden"),
+		},
+		{
+			name:       "diff with a drifted service object",
+			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false",
+			objectFile: "./testdata/diff-kustomization/service.yaml",
+			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-drifted-service.golden"),
+		},
+		{
+			name:       "diff with a drifted secret object",
+			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false",
+			objectFile: "./testdata/diff-kustomization/secret.yaml",
+			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-drifted-secret.golden"),
+		},
+		{
+			name:       "diff with a drifted key in sops secret object",
+			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false",
+			objectFile: "./testdata/diff-kustomization/key-sops-secret.yaml",
+			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-drifted-key-sops-secret.golden"),
+		},
+		{
+			name:       "diff with a drifted value in sops secret object",
+			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false",
+			objectFile: "./testdata/diff-kustomization/value-sops-secret.yaml",
+			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-drifted-value-sops-secret.golden"),
+		},
+		{
+			name:       "diff with a sops dockerconfigjson secret object",
+			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false",
+			objectFile: "./testdata/diff-kustomization/dockerconfigjson-sops-secret.yaml",
+			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-dockerconfigjson-sops-secret.golden"),
+		},
+		{
+			name:       "diff with a sops stringdata secret object",
+			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false",
+			objectFile: "./testdata/diff-kustomization/stringdata-sops-secret.yaml",
+			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-drifted-stringdata-sops-secret.golden"),
+		},
+	}
+
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+
+	b, _ := build.NewBuilder(kubeconfigArgs, "podinfo", "")
+
+	resourceManager, err := b.Manager()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	setup(t, tmpl)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.objectFile != "" {
+				resourceManager.ApplyAll(context.Background(), createObjectFromFile(tt.objectFile, tmpl, t), ssa.DefaultApplyOptions())
+			}
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+			if tt.objectFile != "" {
+				testEnv.DeleteObjectFile(tt.objectFile, tmpl, t)
+			}
+		})
+	}
+}
+
+func createObjectFromFile(objectFile string, templateValues map[string]string, t *testing.T) []*unstructured.Unstructured {
+	buf, err := os.ReadFile(objectFile)
+	if err != nil {
+		t.Fatalf("Error reading file '%s': %v", objectFile, err)
+	}
+	content, err := executeTemplate(string(buf), templateValues)
+	if err != nil {
+		t.Fatalf("Error evaluating template file '%s': '%v'", objectFile, err)
+	}
+	clientObjects, err := readYamlObjects(strings.NewReader(content))
+	if err != nil {
+		t.Fatalf("Error decoding yaml file '%s': %v", objectFile, err)
+	}
+
+	if err := ssa.SetNativeKindsDefaults(clientObjects); err != nil {
+		t.Fatalf("Error setting native kinds defaults for '%s': %v", objectFile, err)
+	}
+
+	return clientObjects
+}

cmd/flux/get_image.go

@@ -25,9 +25,6 @@ var getImageCmd = &cobra.Command{
 	Aliases: []string{"image"},
 	Short:   "Get image automation object status",
 	Long:    "The get image sub-commands print the status of image automation objects.",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		return validateWatchOption(cmd, "images")
-	},
 }
 
 func init() {

cmd/flux/get_kustomization.go

@@ -18,10 +18,12 @@ package main
 
 import (
 	"fmt"
+	"regexp"
 	"strconv"
 	"strings"
 
 	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
@@ -78,6 +80,10 @@ func (a kustomizationListAdapter) summariseItem(i int, includeNamespace bool, in
 	item := a.Items[i]
 	revision := item.Status.LastAppliedRevision
 	status, msg := statusAndMessage(item.Status.Conditions)
+	if status == string(metav1.ConditionTrue) {
+		revision = shortenCommitSha(revision)
+		msg = shortenCommitSha(msg)
+	}
 	return append(nameColumns(&item, includeNamespace, includeKind),
 		status, msg, revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
 }
@@ -94,3 +100,13 @@ func (a kustomizationListAdapter) statusSelectorMatches(i int, conditionType, co
 	item := a.Items[i]
 	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
 }
+
+func shortenCommitSha(msg string) string {
+	r := regexp.MustCompile("/([a-f0-9]{40})$")
+	sha := r.FindString(msg)
+	if sha != "" {
+		msg = strings.Replace(msg, sha, string([]rune(sha)[:8]), -1)
+	}
+
+	return msg
+}

cmd/flux/get_source.go

@@ -25,10 +25,6 @@ var getSourceCmd = &cobra.Command{
 	Aliases: []string{"source"},
 	Short:   "Get source statuses",
 	Long:    "The get source sub-commands print the statuses of the sources.",
-	RunE: func(cmd *cobra.Command, args []string) error {
-
-		return validateWatchOption(cmd, "sources")
-	},
 }
 
 func init() {

cmd/flux/get_source_git.go

@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
@@ -80,6 +81,10 @@ func (a *gitRepositoryListAdapter) summariseItem(i int, includeNamespace bool, i
 		revision = item.GetArtifact().Revision
 	}
 	status, msg := statusAndMessage(item.Status.Conditions)
+	if status == string(metav1.ConditionTrue) {
+		revision = shortenCommitSha(revision)
+		msg = shortenCommitSha(msg)
+	}
 	return append(nameColumns(&item, includeNamespace, includeKind),
 		status, msg, revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
 }

cmd/flux/helmrelease.go

@@ -25,8 +25,9 @@ import (
 // helmv2.HelmRelease
 
 var helmReleaseType = apiType{
-	kind:      helmv2.HelmReleaseKind,
-	humanKind: "helmreleases",
+	kind:         helmv2.HelmReleaseKind,
+	humanKind:    "helmrelease",
+	groupVersion: helmv2.GroupVersion,
 }
 
 type helmReleaseAdapter struct {

cmd/flux/image.go

@@ -30,8 +30,9 @@ import (
 // imagev1.ImageRepository
 
 var imageRepositoryType = apiType{
-	kind:      imagev1.ImageRepositoryKind,
-	humanKind: "image repository",
+	kind:         imagev1.ImageRepositoryKind,
+	humanKind:    "image repository",
+	groupVersion: imagev1.GroupVersion,
 }
 
 type imageRepositoryAdapter struct {
@@ -63,8 +64,9 @@ func (a imageRepositoryListAdapter) len() int {
 // imagev1.ImagePolicy
 
 var imagePolicyType = apiType{
-	kind:      imagev1.ImagePolicyKind,
-	humanKind: "image policy",
+	kind:         imagev1.ImagePolicyKind,
+	humanKind:    "image policy",
+	groupVersion: imagev1.GroupVersion,
 }
 
 type imagePolicyAdapter struct {
@@ -92,8 +94,9 @@ func (a imagePolicyListAdapter) len() int {
 // autov1.ImageUpdateAutomation
 
 var imageUpdateAutomationType = apiType{
-	kind:      autov1.ImageUpdateAutomationKind,
-	humanKind: "image update automation",
+	kind:         autov1.ImageUpdateAutomationKind,
+	humanKind:    "image update automation",
+	groupVersion: autov1.GroupVersion,
 }
 
 type imageUpdateAutomationAdapter struct {

cmd/flux/kustomization.go

@@ -25,8 +25,9 @@ import (
 // kustomizev1.Kustomization
 
 var kustomizationType = apiType{
-	kind:      kustomizev1.KustomizationKind,
-	humanKind: "kustomizations",
+	kind:         kustomizev1.KustomizationKind,
+	humanKind:    "kustomization",
+	groupVersion: kustomizev1.GroupVersion,
 }
 
 type kustomizationAdapter struct {

cmd/flux/logs.go

@@ -21,12 +21,12 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"html/template"
 	"io"
 	"os"
 	"sort"
 	"strings"
 	"sync"
+	"text/template"
 	"time"
 
 	"github.com/spf13/cobra"

cmd/flux/main.go

@@ -105,6 +105,16 @@ type rootFlags struct {
 	defaults     install.Options
 }
 
+// RequestError is a custom error type that wraps an error returned by the flux api.
+type RequestError struct {
+	StatusCode int
+	Err        error
+}
+
+func (r *RequestError) Error() string {
+	return r.Err.Error()
+}
+
 var rootArgs = NewRootFlags()
 var kubeconfigArgs = genericclioptions.NewConfigFlags(false)
 
@@ -143,6 +153,17 @@ func NewRootFlags() rootFlags {
 func main() {
 	log.SetFlags(0)
 	if err := rootCmd.Execute(); err != nil {
+
+		if err, ok := err.(*RequestError); ok {
+			if err.StatusCode == 1 {
+				logger.Warningf("%v", err)
+			} else {
+				logger.Failuref("%v", err)
+			}
+
+			os.Exit(err.StatusCode)
+		}
+
 		logger.Failuref("%v", err)
 		os.Exit(1)
 	}

cmd/flux/main_test.go

@@ -49,8 +49,8 @@ func allocateNamespace(prefix string) string {
 	return fmt.Sprintf("%s-%d", prefix, id)
 }
 
-func readYamlObjects(rdr io.Reader) ([]unstructured.Unstructured, error) {
-	objects := []unstructured.Unstructured{}
+func readYamlObjects(rdr io.Reader) ([]*unstructured.Unstructured, error) {
+	objects := []*unstructured.Unstructured{}
 	reader := k8syaml.NewYAMLReader(bufio.NewReader(rdr))
 	for {
 		doc, err := reader.Read()
@@ -65,7 +65,7 @@ func readYamlObjects(rdr io.Reader) ([]unstructured.Unstructured, error) {
 		if err != nil {
 			return nil, err
 		}
-		objects = append(objects, *unstructuredObj)
+		objects = append(objects, unstructuredObj)
 	}
 	return objects, nil
 }
@@ -96,7 +96,7 @@ func (m *testEnvKubeManager) CreateObjectFile(objectFile string, templateValues
 	}
 }
 
-func (m *testEnvKubeManager) CreateObjects(clientObjects []unstructured.Unstructured, t *testing.T) error {
+func (m *testEnvKubeManager) CreateObjects(clientObjects []*unstructured.Unstructured, t *testing.T) error {
 	for _, obj := range clientObjects {
 		// First create the object then set its status if present in the
 		// yaml file. Make a copy first since creating an object may overwrite
@@ -107,7 +107,7 @@ func (m *testEnvKubeManager) CreateObjects(clientObjects []unstructured.Unstruct
 			return err
 		}
 		obj.SetResourceVersion(createObj.GetResourceVersion())
-		err = m.client.Status().Update(context.Background(), &obj)
+		err = m.client.Status().Update(context.Background(), obj)
 		if err != nil {
 			return err
 		}
@@ -115,6 +115,36 @@ func (m *testEnvKubeManager) CreateObjects(clientObjects []unstructured.Unstruct
 	return nil
 }
 
+func (m *testEnvKubeManager) DeleteObjectFile(objectFile string, templateValues map[string]string, t *testing.T) {
+	buf, err := os.ReadFile(objectFile)
+	if err != nil {
+		t.Fatalf("Error reading file '%s': %v", objectFile, err)
+	}
+	content, err := executeTemplate(string(buf), templateValues)
+	if err != nil {
+		t.Fatalf("Error evaluating template file '%s': '%v'", objectFile, err)
+	}
+	clientObjects, err := readYamlObjects(strings.NewReader(content))
+	if err != nil {
+		t.Fatalf("Error decoding yaml file '%s': %v", objectFile, err)
+	}
+	err = m.DeleteObjects(clientObjects, t)
+	if err != nil {
+		t.Logf("Error deleting test objects: '%v'", err)
+	}
+}
+
+func (m *testEnvKubeManager) DeleteObjects(clientObjects []*unstructured.Unstructured, t *testing.T) error {
+	for _, obj := range clientObjects {
+		err := m.client.Delete(context.Background(), obj)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func (m *testEnvKubeManager) Stop() error {
 	if m.testEnv == nil {
 		return fmt.Errorf("do nothing because testEnv is nil")
@@ -295,6 +325,12 @@ type cmdTestCase struct {
 
 func (cmd *cmdTestCase) runTestCmd(t *testing.T) {
 	actual, testErr := executeCommand(cmd.args)
+
+	// If the cmd error is a change, discard it
+	if isChangeError(testErr) {
+		testErr = nil
+	}
+
 	if assertErr := cmd.assert(actual, testErr); assertErr != nil {
 		t.Error(assertErr)
 	}
@@ -336,3 +372,12 @@ func resetCmdArgs() {
 	getArgs = GetFlags{}
 	secretGitArgs = NewSecretGitFlags()
 }
+
+func isChangeError(err error) bool {
+	if reqErr, ok := err.(*RequestError); ok {
+		if strings.Contains(err.Error(), "identified at least one change, exiting with non-zero exit code") && reqErr.StatusCode == 1 {
+			return true
+		}
+	}
+	return false
+}

cmd/flux/object.go

@@ -28,6 +28,7 @@ import (
 // implementation can pick whichever it wants to use.
 type apiType struct {
 	kind, humanKind string
+	groupVersion    schema.GroupVersion
 }
 
 // adapter is an interface for a wrapper or alias from which we can

cmd/flux/receiver.go

@@ -25,8 +25,9 @@ import (
 // notificationv1.Receiver
 
 var receiverType = apiType{
-	kind:      notificationv1.ReceiverKind,
-	humanKind: "receiver",
+	kind:         notificationv1.ReceiverKind,
+	humanKind:    "receiver",
+	groupVersion: notificationv1.GroupVersion,
 }
 
 type receiverAdapter struct {

cmd/flux/reconcile.go

@@ -24,6 +24,7 @@ import (
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/util/retry"
@@ -95,7 +96,8 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Actionf("annotating %s %s in %s namespace", reconcile.kind, name, *kubeconfigArgs.Namespace)
-	if err := requestReconciliation(ctx, kubeClient, namespacedName, reconcile.object); err != nil {
+	if err := requestReconciliation(ctx, kubeClient, namespacedName,
+		reconcile.groupVersion.WithKind(reconcile.kind)); err != nil {
 		return err
 	}
 	logger.Successf("%s annotated", reconcile.kind)
@@ -142,21 +144,25 @@ func reconciliationHandled(ctx context.Context, kubeClient client.Client,
 }
 
 func requestReconciliation(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, obj reconcilable) error {
+	namespacedName types.NamespacedName, gvk schema.GroupVersionKind) error {
 	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
-		if err := kubeClient.Get(ctx, namespacedName, obj.asClientObject()); err != nil {
+		object := &metav1.PartialObjectMetadata{}
+		object.SetGroupVersionKind(gvk)
+		object.SetName(namespacedName.Name)
+		object.SetNamespace(namespacedName.Namespace)
+		if err := kubeClient.Get(ctx, namespacedName, object); err != nil {
 			return err
 		}
-		patch := client.MergeFrom(obj.deepCopyClientObject())
-		if ann := obj.GetAnnotations(); ann == nil {
-			obj.SetAnnotations(map[string]string{
+		patch := client.MergeFrom(object.DeepCopy())
+		if ann := object.GetAnnotations(); ann == nil {
+			object.SetAnnotations(map[string]string{
 				meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
 			})
 		} else {
 			ann[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
-			obj.SetAnnotations(ann)
+			object.SetAnnotations(ann)
 		}
-		return kubeClient.Patch(ctx, obj.asClientObject(), patch)
+		return kubeClient.Patch(ctx, object, patch)
 	})
 }
 

cmd/flux/reconcile_with_source.go

@@ -71,7 +71,8 @@ func (reconcile reconcileWithSourceCommand) run(cmd *cobra.Command, args []strin
 
 	lastHandledReconcileAt := reconcile.object.lastHandledReconcileRequest()
 	logger.Actionf("annotating %s %s in %s namespace", reconcile.kind, name, *kubeconfigArgs.Namespace)
-	if err := requestReconciliation(ctx, kubeClient, namespacedName, reconcile.object); err != nil {
+	if err := requestReconciliation(ctx, kubeClient, namespacedName,
+		reconcile.groupVersion.WithKind(reconcile.kind)); err != nil {
 		return err
 	}
 	logger.Successf("%s annotated", reconcile.kind)

cmd/flux/resume.go

@@ -35,7 +35,8 @@ var resumeCmd = &cobra.Command{
 }
 
 type ResumeFlags struct {
-	all bool
+	all  bool
+	wait bool
 }
 
 var resumeArgs ResumeFlags
@@ -43,11 +44,14 @@ var resumeArgs ResumeFlags
 func init() {
 	resumeCmd.PersistentFlags().BoolVarP(&resumeArgs.all, "all", "", false,
 		"resume all resources in that namespace")
+	resumeCmd.PersistentFlags().BoolVarP(&resumeArgs.wait, "wait", "", false,
+		"waits for one resource to reconcile before moving to the next one")
 	rootCmd.AddCommand(resumeCmd)
 }
 
 type resumable interface {
 	adapter
+	copyable
 	statusable
 	setUnsuspended()
 	successMessage() string
@@ -97,25 +101,30 @@ func (resume resumeCommand) run(cmd *cobra.Command, args []string) error {
 
 	for i := 0; i < resume.list.len(); i++ {
 		logger.Actionf("resuming %s %s in %s namespace", resume.humanKind, resume.list.resumeItem(i).asClientObject().GetName(), *kubeconfigArgs.Namespace)
-		resume.list.resumeItem(i).setUnsuspended()
-		if err := kubeClient.Update(ctx, resume.list.resumeItem(i).asClientObject()); err != nil {
+		obj := resume.list.resumeItem(i)
+		patch := client.MergeFrom(obj.deepCopyClientObject())
+		obj.setUnsuspended()
+		if err := kubeClient.Patch(ctx, obj.asClientObject(), patch); err != nil {
 			return err
 		}
+
 		logger.Successf("%s resumed", resume.humanKind)
 
-		namespacedName := types.NamespacedName{
-			Name:      resume.list.resumeItem(i).asClientObject().GetName(),
-			Namespace: *kubeconfigArgs.Namespace,
-		}
+		if resumeArgs.wait || !resumeArgs.all {
+			namespacedName := types.NamespacedName{
+				Name:      resume.list.resumeItem(i).asClientObject().GetName(),
+				Namespace: *kubeconfigArgs.Namespace,
+			}
 
-		logger.Waitingf("waiting for %s reconciliation", resume.kind)
-		if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-			isReady(ctx, kubeClient, namespacedName, resume.list.resumeItem(i))); err != nil {
-			logger.Failuref(err.Error())
-			continue
+			logger.Waitingf("waiting for %s reconciliation", resume.kind)
+			if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
+				isReady(ctx, kubeClient, namespacedName, resume.list.resumeItem(i))); err != nil {
+				logger.Failuref(err.Error())
+				continue
+			}
+			logger.Successf("%s reconciliation completed", resume.kind)
+			logger.Successf(resume.list.resumeItem(i).successMessage())
 		}
-		logger.Successf("%s reconciliation completed", resume.kind)
-		logger.Successf(resume.list.resumeItem(i).successMessage())
 	}
 
 	return nil

cmd/flux/source.go

@@ -29,8 +29,9 @@ import (
 // sourcev1.Bucket
 
 var bucketType = apiType{
-	kind:      sourcev1.BucketKind,
-	humanKind: "source bucket",
+	kind:         sourcev1.BucketKind,
+	humanKind:    "source bucket",
+	groupVersion: sourcev1.GroupVersion,
 }
 
 type bucketAdapter struct {
@@ -62,8 +63,9 @@ func (a bucketListAdapter) len() int {
 // sourcev1.HelmChart
 
 var helmChartType = apiType{
-	kind:      sourcev1.HelmChartKind,
-	humanKind: "source chart",
+	kind:         sourcev1.HelmChartKind,
+	humanKind:    "source chart",
+	groupVersion: sourcev1.GroupVersion,
 }
 
 type helmChartAdapter struct {
@@ -95,8 +97,9 @@ func (a helmChartListAdapter) len() int {
 // sourcev1.GitRepository
 
 var gitRepositoryType = apiType{
-	kind:      sourcev1.GitRepositoryKind,
-	humanKind: "source git",
+	kind:         sourcev1.GitRepositoryKind,
+	humanKind:    "source git",
+	groupVersion: sourcev1.GroupVersion,
 }
 
 type gitRepositoryAdapter struct {
@@ -128,8 +131,9 @@ func (a gitRepositoryListAdapter) len() int {
 // sourcev1.HelmRepository
 
 var helmRepositoryType = apiType{
-	kind:      sourcev1.HelmRepositoryKind,
-	humanKind: "source helm",
+	kind:         sourcev1.HelmRepositoryKind,
+	humanKind:    "source helm",
+	groupVersion: sourcev1.GroupVersion,
 }
 
 type helmRepositoryAdapter struct {

cmd/flux/status.go

@@ -69,11 +69,11 @@ func isReady(ctx context.Context, kubeClient client.Client,
 func buildComponentObjectRefs(components ...string) ([]object.ObjMetadata, error) {
 	var objRefs []object.ObjMetadata
 	for _, deployment := range components {
-		objMeta, err := object.CreateObjMetadata(*kubeconfigArgs.Namespace, deployment, schema.GroupKind{Group: "apps", Kind: "Deployment"})
-		if err != nil {
-			return nil, err
-		}
-		objRefs = append(objRefs, objMeta)
+		objRefs = append(objRefs, object.ObjMetadata{
+			Namespace: *kubeconfigArgs.Namespace,
+			Name:      deployment,
+			GroupKind: schema.GroupKind{Group: "apps", Kind: "Deployment"},
+		})
 	}
 	return objRefs, nil
 }

cmd/flux/suspend.go

@@ -46,6 +46,7 @@ func init() {
 
 type suspendable interface {
 	adapter
+	copyable
 	isSuspended() bool
 	setSuspended()
 }
@@ -94,8 +95,11 @@ func (suspend suspendCommand) run(cmd *cobra.Command, args []string) error {
 
 	for i := 0; i < suspend.list.len(); i++ {
 		logger.Actionf("suspending %s %s in %s namespace", suspend.humanKind, suspend.list.item(i).asClientObject().GetName(), *kubeconfigArgs.Namespace)
-		suspend.list.item(i).setSuspended()
-		if err := kubeClient.Update(ctx, suspend.list.item(i).asClientObject()); err != nil {
+
+		obj := suspend.list.item(i)
+		patch := client.MergeFrom(obj.deepCopyClientObject())
+		obj.setSuspended()
+		if err := kubeClient.Patch(ctx, obj.asClientObject(), patch); err != nil {
 			return err
 		}
 		logger.Successf("%s suspended", suspend.humanKind)

cmd/flux/testdata/build-kustomization/delete-service/deployment.yaml

@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: podinfo
+spec:
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  progressDeadlineSeconds: 60
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: podinfo
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9797"
+      labels:
+        app: podinfo
+    spec:
+      containers:
+      - name: podinfod
+        image: ghcr.io/stefanprodan/podinfo:6.0.3
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: http
+          containerPort: 9898
+          protocol: TCP
+        - name: http-metrics
+          containerPort: 9797
+          protocol: TCP
+        - name: grpc
+          containerPort: 9999
+          protocol: TCP
+        command:
+        - ./podinfo
+        - --port=9898
+        - --port-metrics=9797
+        - --grpc-port=9999
+        - --grpc-service-name=podinfo
+        - --level=info
+        - --random-delay=false
+        - --random-error=false
+        env:
+        - name: PODINFO_UI_COLOR
+          value: "#34577c"
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 64Mi

cmd/flux/testdata/build-kustomization/delete-service/hpa.yaml

@@ -0,0 +1,20 @@
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: podinfo
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: podinfo
+  minReplicas: 2
+  maxReplicas: 4
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        # scale up if usage is above
+        # 99% of the requested CPU (100m)
+        averageUtilization: 99

cmd/flux/testdata/build-kustomization/delete-service/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./deployment.yaml
+- ./hpa.yaml

cmd/flux/testdata/build-kustomization/podinfo-kustomization.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: podinfo
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m0s
+  path: ./kustomize
+  force: true
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: podinfo
+  targetNamespace: default

cmd/flux/testdata/build-kustomization/podinfo-result.yaml

@@ -0,0 +1,173 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: podinfo
+  namespace: default
+spec:
+  minReadySeconds: 3
+  progressDeadlineSeconds: 60
+  revisionHistoryLimit: 5
+  selector:
+    matchLabels:
+      app: podinfo
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: "9797"
+        prometheus.io/scrape: "true"
+      labels:
+        app: podinfo
+    spec:
+      containers:
+      - command:
+        - ./podinfo
+        - --port=9898
+        - --port-metrics=9797
+        - --grpc-port=9999
+        - --grpc-service-name=podinfo
+        - --level=info
+        - --random-delay=false
+        - --random-error=false
+        env:
+        - name: PODINFO_UI_COLOR
+          value: '#34577c'
+        image: ghcr.io/stefanprodan/podinfo:6.0.10
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        name: podinfod
+        ports:
+        - containerPort: 9898
+          name: http
+          protocol: TCP
+        - containerPort: 9797
+          name: http-metrics
+          protocol: TCP
+        - containerPort: 9999
+          name: grpc
+          protocol: TCP
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 64Mi
+---
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: podinfo
+  namespace: default
+spec:
+  maxReplicas: 4
+  metrics:
+  - resource:
+      name: cpu
+      target:
+        averageUtilization: 99
+        type: Utilization
+    type: Resource
+  minReplicas: 2
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: podinfo
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: podinfo
+  namespace: default
+spec:
+  ports:
+  - name: http
+    port: 9898
+    protocol: TCP
+    targetPort: http
+  - name: grpc
+    port: 9999
+    protocol: TCP
+    targetPort: grpc
+  selector:
+    app: podinfo
+  type: ClusterIP
+---
+apiVersion: v1
+data:
+  .dockerconfigjson: eyJtYXNrIjoiKipTT1BTKioifQ==
+kind: Secret
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: docker-secret
+  namespace: default
+type: kubernetes.io/dockerconfigjson
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: secret-basic-auth-stringdata
+  namespace: default
+stringData:
+  password: '**SOPS**'
+  username: '**SOPS**'
+type: kubernetes.io/basic-auth
+---
+apiVersion: v1
+data:
+  token: KipTT1BTKio=
+kind: Secret
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: podinfo-token-77t89m9b67
+  namespace: default
+type: Opaque
+---
+apiVersion: v1
+data:
+  password: MWYyZDFlMmU2N2Rm
+  username: YWRtaW4=
+kind: Secret
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: db-user-pass-bkbd782d2c
+  namespace: default
+type: Opaque

cmd/flux/testdata/build-kustomization/podinfo-source.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .fluxns }}
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: podinfo
+  namespace: {{ .fluxns }}
+spec:
+  interval: 30s
+  ref:
+    branch: master
+  url: https://github.com/stefanprodan/podinfo

cmd/flux/testdata/build-kustomization/podinfo-without-service-result.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: podinfo
+  namespace: default
+spec:
+  minReadySeconds: 3
+  progressDeadlineSeconds: 60
+  revisionHistoryLimit: 5
+  selector:
+    matchLabels:
+      app: podinfo
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: "9797"
+        prometheus.io/scrape: "true"
+      labels:
+        app: podinfo
+    spec:
+      containers:
+      - command:
+        - ./podinfo
+        - --port=9898
+        - --port-metrics=9797
+        - --grpc-port=9999
+        - --grpc-service-name=podinfo
+        - --level=info
+        - --random-delay=false
+        - --random-error=false
+        env:
+        - name: PODINFO_UI_COLOR
+          value: '#34577c'
+        image: ghcr.io/stefanprodan/podinfo:6.0.3
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        name: podinfod
+        ports:
+        - containerPort: 9898
+          name: http
+          protocol: TCP
+        - containerPort: 9797
+          name: http-metrics
+          protocol: TCP
+        - containerPort: 9999
+          name: grpc
+          protocol: TCP
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 64Mi
+---
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: podinfo
+  namespace: default
+spec:
+  maxReplicas: 4
+  metrics:
+  - resource:
+      name: cpu
+      target:
+        averageUtilization: 99
+        type: Utilization
+    type: Resource
+  minReplicas: 2
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: podinfo

cmd/flux/testdata/build-kustomization/podinfo/deployment.yaml

@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: podinfo
+spec:
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  progressDeadlineSeconds: 60
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: podinfo
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9797"
+      labels:
+        app: podinfo
+    spec:
+      containers:
+      - name: podinfod
+        image: ghcr.io/stefanprodan/podinfo:6.0.10
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: http
+          containerPort: 9898
+          protocol: TCP
+        - name: http-metrics
+          containerPort: 9797
+          protocol: TCP
+        - name: grpc
+          containerPort: 9999
+          protocol: TCP
+        command:
+        - ./podinfo
+        - --port=9898
+        - --port-metrics=9797
+        - --grpc-port=9999
+        - --grpc-service-name=podinfo
+        - --level=info
+        - --random-delay=false
+        - --random-error=false
+        env:
+        - name: PODINFO_UI_COLOR
+          value: "#34577c"
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 64Mi

cmd/flux/testdata/build-kustomization/podinfo/dockerconfigjson-sops-secret.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+data:
+  .dockerconfigjson: ENC[AES256_GCM,data:KHCFH3hNnc+PMfWLFEPjebf3W4z4WXbGFAANRZyZC+07z7wlrTALJM6rn8YslW4tMAWCoAYxblC5WRCszTy0h9rw0U/RGOv5H0qCgnNg/FILFUqhwo9pNfrUH+MEP4M9qxxbLKZwObpHUE7DUsKx1JYAxsI=,iv:q48lqUbUQD+0cbYcjNMZMJLRdGHi78ZmDhNAT2th9tg=,tag:QRI2SZZXQrAcdql3R5AH2g==,type:str]
+kind: Secret
+metadata:
+  name: docker-secret
+type: kubernetes.io/dockerconfigjson
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age10la2ge0wtvx3qr7datqf7rs4yngxszdal927fs9rukamr8u2pshsvtz7ce
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eU1CTEJhVXZ4eEVYYkVV
+        OU90TEcrR2pYckttN0pBanJoSUZWSW1RQXlRCkUydFJ3V1NZUTBuVFF0aC9GUEcw
+        bUdhNjJWTkoyL1FUVi9Dc1dxUDBkM0UKLS0tIE1sQXkwcWdGaEFuY0RHQTVXM0J6
+        dWpJcThEbW15V3dXYXpPZklBdW1Hd1kKoIAdmGNPrEctV8h1w8KuvQ5S+BGmgqN9
+        MgpNmUhJjWhgcQpb5BRYpQesBOgU5TBGK7j58A6DMDKlSiYZsdQchQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2022-02-03T16:03:17Z"
+  mac: ENC[AES256_GCM,data:AHdYSawajwgAFwlmDN1IPNmT9vWaYKzyVIra2d6sPcjTbZ8/p+VRSRpVm4XZFFsaNnW5AUJaouwXnKYDTmJDXKlr/rQcu9kXqsssQgdzcXaA6l5uJlgsnml8ba7J3OK+iEKMax23mwQEx2EUskCd9ENOwFDkunP02sxqDNOz20k=,iv:8F5OamHt3fAVorf6p+SoIrWoqkcATSGWVoM0EK87S4M=,tag:E1mxXnc7wWkEX5BxhpLtng==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.7.1

cmd/flux/testdata/build-kustomization/podinfo/hpa.yaml

@@ -0,0 +1,20 @@
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: podinfo
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: podinfo
+  minReplicas: 2
+  maxReplicas: 4
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        # scale up if usage is above
+        # 99% of the requested CPU (100m)
+        averageUtilization: 99

cmd/flux/testdata/build-kustomization/podinfo/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./deployment.yaml
+- ./hpa.yaml
+- ./service.yaml
+- ./dockerconfigjson-sops-secret.yaml
+- ./stringdata-secret.yaml
+secretGenerator:
+ - files:
+   - token=token.encrypted
+   name: podinfo-token
+ - literals:
+   - username=admin
+   - password=1f2d1e2e67df
+   name: db-user-pass

cmd/flux/testdata/build-kustomization/podinfo/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: podinfo
+spec:
+  type: ClusterIP
+  selector:
+    app: podinfo
+  ports:
+    - name: http
+      port: 9898
+      protocol: TCP
+      targetPort: http
+    - port: 9999
+      targetPort: grpc
+      protocol: TCP
+      name: grpc

cmd/flux/testdata/build-kustomization/podinfo/stringdata-secret.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: secret-basic-auth-stringdata
+type: kubernetes.io/basic-auth
+stringData:
+    username: ENC[AES256_GCM,data:uKiQR48=,iv:jh2lgyAVu7igJAgoJsnOGhjxFyvUAa9lvT21u3hhqpU=,tag:zXM2JEpk3ZEH7WfkcWXXkw==,type:str]
+    password: ENC[AES256_GCM,data:PyhZmNhy929JGQ==,iv:PBqPaJmSw21+kn4gIlg5VdjLNZyf613z5RUTCesBoVw=,tag:Hjc7DsuUrtsz7PYPdNkL3g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age10la2ge0wtvx3qr7datqf7rs4yngxszdal927fs9rukamr8u2pshsvtz7ce
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJd0xxbDZhYjVoZzY4YWhK
+            d2NvMVgrSGRVUGhHRGg3R1FpVURnbmh1TDBzCjcwby85M3JaK09QVk0yZFNMb2NL
+            c2NQZW5hS1FhYlBHU0VoUzBVYzZYUUUKLS0tIEdaNEw2Y0VjVHpZc3pyYUtLVmJk
+            NmN3K2VLU0NiZ1d0VHBYbGlCM1lrNmMKeWz3yfFbMNE+ly21oLfc1XnDSPRmnlPP
+            wIs8lk/qrzVZ45C9GdWnnPeGZZiia46Yop9TxseUS8gCjJ6KCxJCAg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-02-06T12:51:07Z"
+    mac: ENC[AES256_GCM,data:jtdzwj19uxdxvnmXg1HkAkDA6XlKMJOYFy7uLI5t/t11LwGop5Yeo7a4nQEEELehRx9J7B6U6NiySxAxBxWx5uW5vI5c8+069VV6dkiCIefnYSzuoIhQafjlFl1/KvH7VEjIWfHYuXF09v9PEKXkxEHUYDpS3QqQ3ymHRRI08pU=,  iv:xX3E7F+AM29Pm8G5oqxRfYu9E7tEBGIaHeCJYgrtFmc=,tag:MJPGusNvu05z939jg8PAwQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

cmd/flux/testdata/build-kustomization/podinfo/token.encrypted

@@ -0,0 +1,20 @@
+ {
+     "data": "ENC[AES256_GCM,data:oBe5PlPmfQCUUc4sqKImjw==,iv:MLLEW15QC9kRdVVagJnzLCSk0xZGWIpAeTfHzyxT10g=,tag:K3GkBCGS+ut4Tpk6ndb0CA==,type:str]",
+     "sops": {
+         "kms": null,
+         "gcp_kms": null,
+         "azure_kv": null,
+         "hc_vault": null,
+         "age": [
+             {
+                 "recipient": "age10la2ge0wtvx3qr7datqf7rs4yngxszdal927fs9rukamr8u2pshsvtz7ce",
+                 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+                                                                                                                IFgyNTUxOSA1L2RpZHRrK1FSVmYrd1Va\nY0hxWFQzSDBsT1k3WjNtYmU1QmliaDJycXlNCnF1YjdNOThVbVNvMG9rNS9ZUXZw\nMnV0bnRUMGNtejFPbzM4U2UzWkszeVkKLS0tIGJ6UGhxMUV3YmVJTHlJSUJpRVRZ\nVjd0RVRadU8wekxXTHIrYUplYkN2aEEK0I/   MCEtXRk+b/N2G1JF3vHQT24dShWYD\nw+JIUSA3aLf2sv0zr2MdUEdVWBJoM8nT4D4xVbBORD+669W+9nDeSw==\n-----END AGE ENCRYPTED FILE-----\n"
+             }
+         ],
+         "lastmodified": "2021-11-26T16:34:51Z",
+         "mac": "ENC[AES256_GCM,data:COGzf5YCHNNP6z4JaEKrjN3M8f5+Q1uKUKTMHwj388/ICmLyi2sSrTmj7PP+X7M9jTVwa8wVgYTpNLiVJx+LcxqvIXM0Tyo+/Cu1zrfao98aiACP8+TSEDiFQNtEus23H+d/X1hqMwRHDI3kQ+                      6scgEGnqY57r3RDSA3E8EhHr4=,iv:LxitVIYm8srZVqFueJh9loClA44Y2Z3XAVYmxesMmOg=,tag:Y8qFD8UGlDfwNSv7xlcn6A==,type:str]",
+         "pgp": null,
+         "unencrypted_suffix": "_unencrypted",
+         "version": "3.7.1"
+     }
+ }

cmd/flux/testdata/check/check_pre.golden

@@ -1,3 +1,3 @@
 ► checking prerequisites
-✔ Kubernetes {{ .serverVersion }} >=1.19.0-0
+✔ Kubernetes {{ .serverVersion }} >=1.20.6-0
 ✔ prerequisites checks passed

cmd/flux/testdata/diff-kustomization/deployment.yaml

@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+      kustomize.toolkit.fluxcd.io/name: podinfo
+      kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: podinfo
+  namespace: default
+spec:
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  progressDeadlineSeconds: 60
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: podinfo
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9797"
+      labels:
+        app: podinfo
+    spec:
+      containers:
+      - name: podinfod
+        image: ghcr.io/stefanprodan/podinfo:6.0.10
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: http
+          containerPort: 9898
+          protocol: TCP
+        - name: http-metrics
+          containerPort: 9797
+          protocol: TCP
+        - name: grpc
+          containerPort: 9999
+          protocol: TCP
+        command:
+        - ./podinfo
+        - --port=9898
+        - --port-metrics=9797
+        - --grpc-port=9999
+        - --grpc-service-name=podinfo
+        - --level=info
+        - --random-delay=false
+        - --random-error=false
+        env:
+        - name: PODINFO_UI_COLOR
+          value: "#34577c"
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 64Mi

cmd/flux/testdata/diff-kustomization/diff-with-deployment.golden

@@ -0,0 +1,6 @@
+► HorizontalPodAutoscaler/default/podinfo created
+► Service/default/podinfo created
+► Secret/default/docker-secret created
+► Secret/default/secret-basic-auth-stringdata created
+► Secret/default/podinfo-token-77t89m9b67 created
+► Secret/default/db-user-pass-bkbd782d2c created

cmd/flux/testdata/diff-kustomization/diff-with-dockerconfigjson-sops-secret.golden

@@ -0,0 +1,6 @@
+► Deployment/default/podinfo created
+► HorizontalPodAutoscaler/default/podinfo created
+► Service/default/podinfo created
+► Secret/default/secret-basic-auth-stringdata created
+► Secret/default/podinfo-token-77t89m9b67 created
+► Secret/default/db-user-pass-bkbd782d2c created

cmd/flux/testdata/diff-kustomization/diff-with-drifted-key-sops-secret.golden

@@ -0,0 +1,12 @@
+► Deployment/default/podinfo created
+► HorizontalPodAutoscaler/default/podinfo created
+► Service/default/podinfo created
+► Secret/default/docker-secret created
+► Secret/default/secret-basic-auth-stringdata created
+► Secret/default/podinfo-token-77t89m9b67 drifted
+
+data
+  - one map entry removed:     + one map entry added:
+    drift-key: "*****"           token: "*****"
+
+► Secret/default/db-user-pass-bkbd782d2c created

cmd/flux/testdata/diff-kustomization/diff-with-drifted-secret.golden

@@ -0,0 +1,13 @@
+► Deployment/default/podinfo created
+► HorizontalPodAutoscaler/default/podinfo created
+► Service/default/podinfo created
+► Secret/default/docker-secret created
+► Secret/default/secret-basic-auth-stringdata created
+► Secret/default/podinfo-token-77t89m9b67 created
+► Secret/default/db-user-pass-bkbd782d2c drifted
+
+data.password
+  ± value change
+    - ******
+    + *****
+

cmd/flux/testdata/diff-kustomization/diff-with-drifted-service.golden

@@ -0,0 +1,13 @@
+► Deployment/default/podinfo created
+► HorizontalPodAutoscaler/default/podinfo created
+► Service/default/podinfo drifted
+
+spec.ports.http.port
+  ± value change
+    - 9899
+    + 9898
+
+► Secret/default/docker-secret created
+► Secret/default/secret-basic-auth-stringdata created
+► Secret/default/podinfo-token-77t89m9b67 created
+► Secret/default/db-user-pass-bkbd782d2c created

cmd/flux/testdata/diff-kustomization/diff-with-drifted-stringdata-sops-secret.golden

@@ -0,0 +1,12 @@
+► Deployment/default/podinfo created
+► HorizontalPodAutoscaler/default/podinfo created
+► Service/default/podinfo created
+► Secret/default/docker-secret created
+► Secret/default/secret-basic-auth-stringdata drifted
+
+data
+  - one map entry removed:     + one map entry added:
+    username1: "*****"           username: "*****"
+
+► Secret/default/podinfo-token-77t89m9b67 created
+► Secret/default/db-user-pass-bkbd782d2c created

cmd/flux/testdata/diff-kustomization/diff-with-drifted-value-sops-secret.golden

@@ -0,0 +1,6 @@
+► Deployment/default/podinfo created
+► HorizontalPodAutoscaler/default/podinfo created
+► Service/default/podinfo created
+► Secret/default/docker-secret created
+► Secret/default/secret-basic-auth-stringdata created
+► Secret/default/db-user-pass-bkbd782d2c created

cmd/flux/testdata/diff-kustomization/dockerconfigjson-sops-secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  .dockerconfigjson: eyJtYXNrIjoiKipTT1BTKioifQ==
+kind: Secret
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: docker-secret
+  namespace: default
+type: kubernetes.io/dockerconfigjson

cmd/flux/testdata/diff-kustomization/key-sops-secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  drift-key: bXktc2VjcmV0LXRva2VuCg==
+kind: Secret
+metadata:
+  labels:
+      kustomize.toolkit.fluxcd.io/name: podinfo
+      kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: podinfo-token-77t89m9b67
+  namespace: default
+type: Opaque

cmd/flux/testdata/diff-kustomization/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./deployment.yaml
+- ./hpa.yaml
+- ./service.yaml
+secretGenerator:
+ - literals:
+   - username=admin
+   - password=1f2d1e2e67df
+   name: secret-basic-auth

cmd/flux/testdata/diff-kustomization/nothing-is-deployed.golden

@@ -0,0 +1,7 @@
+► Deployment/default/podinfo created
+► HorizontalPodAutoscaler/default/podinfo created
+► Service/default/podinfo created
+► Secret/default/docker-secret created
+► Secret/default/secret-basic-auth-stringdata created
+► Secret/default/podinfo-token-77t89m9b67 created
+► Secret/default/db-user-pass-bkbd782d2c created

cmd/flux/testdata/diff-kustomization/secret.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+data:
+  password: cGFzc3dvcmQK
+  username: YWRtaW4=
+kind: Secret
+metadata:
+  labels:
+      kustomize.toolkit.fluxcd.io/name: podinfo
+      kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: db-user-pass-bkbd782d2c
+  namespace: default
+type: Opaque

cmd/flux/testdata/diff-kustomization/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+      kustomize.toolkit.fluxcd.io/name: podinfo
+      kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: podinfo
+  namespace: default
+spec:
+  type: ClusterIP
+  selector:
+    app: podinfo
+  ports:
+    - name: http
+      port: 9899
+      protocol: TCP
+      targetPort: http
+    - port: 9999
+      targetPort: grpc
+      protocol: TCP
+      name: grpc

cmd/flux/testdata/diff-kustomization/stringdata-sops-secret.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: secret-basic-auth-stringdata
+  namespace: default
+stringData:
+  password: KipTT1BTKio=
+  username1: KipTT1BTKio=
+type: kubernetes.io/basic-auth

cmd/flux/testdata/diff-kustomization/value-sops-secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  token: ZHJpZnQtdmFsdWUK
+kind: Secret
+metadata:
+  labels:
+      kustomize.toolkit.fluxcd.io/name: podinfo
+      kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: podinfo-token-77t89m9b67
+  namespace: default
+type: Opaque

cmd/flux/testdata/export/git-repo.yaml

@@ -11,6 +11,6 @@ spec:
     branch: main
   secretRef:
     name: flux-system
-  timeout: 20s
+  timeout: 1m0s
   url: ssh://git@github.com/example/repo
 

cmd/flux/testdata/helmrelease/delete_helmrelease_from_git.golden

@@ -1,2 +1,2 @@
-► deleting helmreleases thrfg in {{ .ns }} namespace
-✔ helmreleases deleted
+► deleting helmrelease thrfg in {{ .ns }} namespace
+✔ helmrelease deleted

cmd/flux/testdata/helmrelease/resume_helmrelease_from_git.golden

@@ -1,5 +1,5 @@
-► resuming helmreleases thrfg in {{ .ns }} namespace
-✔ helmreleases resumed
+► resuming helmrelease thrfg in {{ .ns }} namespace
+✔ helmrelease resumed
 ◎ waiting for HelmRelease reconciliation
 ✔ HelmRelease reconciliation completed
 ✔ applied revision 6.0.0

cmd/flux/testdata/helmrelease/suspend_helmrelease_from_git.golden

@@ -1,2 +1,2 @@
-► suspending helmreleases thrfg in {{ .ns }} namespace
-✔ helmreleases suspended
+► suspending helmrelease thrfg in {{ .ns }} namespace
+✔ helmrelease suspended

cmd/flux/testdata/kustomization/delete_kustomization_from_git.golden

@@ -1,2 +1,2 @@
-► deleting kustomizations tkfg in {{ .ns }} namespace
-✔ kustomizations deleted
+► deleting kustomization tkfg in {{ .ns }} namespace
+✔ kustomization deleted

cmd/flux/testdata/kustomization/get_kustomization_from_git.golden

@@ -1,2 +1,2 @@
-NAME	READY	MESSAGE                                                         	REVISION                                      	SUSPENDED 
-tkfg	True 	Applied revision: 6.0.0/627d5c4bb67b77185f37e31d734b085019ff2951	6.0.0/627d5c4bb67b77185f37e31d734b085019ff2951	False    	
+NAME	READY	MESSAGE                        	REVISION     	SUSPENDED 
+tkfg	True 	Applied revision: 6.0.0/627d5c4	6.0.0/627d5c4	False