Merge pull request #3097 from fluxcd/oci-insecure-flag

Add `--insecure` flag to `flux create source oci`

.github/aur/flux-bin/.SRCINFO.template

@@ -8,9 +8,15 @@ pkgbase = flux-bin
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
-	source_x86_64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_amd64.tar.gz
-	source_armv6h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
-	source_armv7h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
-	source_aarch64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm64.tar.gz
+	optdepends = bash-completion: auto-completion for flux in Bash
+	optdepends = zsh-completions: auto-completion for flux in ZSH
+	source_x86_64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_amd64.tar.gz
+	sha256sums_x86_64 = ${SHA256SUM_AMD64}
+	source_armv6h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
+	sha256sums_armv6h = ${SHA256SUM_ARM}
+	source_armv7h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
+	sha256sums_armv7h = ${SHA256SUM_ARM}
+	source_aarch64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm64.tar.gz
+	sha256sums_aarch64 = ${SHA256SUM_ARM64}
 
 pkgname = flux-bin

.github/aur/flux-bin/PKGBUILD.template

@@ -8,8 +8,8 @@ pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
 arch=("x86_64" "armv6h" "armv7h" "aarch64")
 license=("APACHE")
-optdepends=('bash-completion: auto-completion for flux in Bash',
-'zsh-completions: auto-completion for flux in ZSH')
+optdepends=('bash-completion: auto-completion for flux in Bash'
+            'zsh-completions: auto-completion for flux in ZSH')
 source_x86_64=(
   "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
 )

.github/runners/prereq.sh

@@ -18,11 +18,11 @@
 
 set -eu
 
-KIND_VERSION=0.11.1
-KUBECTL_VERSION=1.21.2
-KUSTOMIZE_VERSION=4.1.3
-HELM_VERSION=3.7.2
-GITHUB_RUNNER_VERSION=2.285.1
+KIND_VERSION=0.14.0
+KUBECTL_VERSION=1.24.0
+KUSTOMIZE_VERSION=4.5.4
+HELM_VERSION=3.8.2
+GITHUB_RUNNER_VERSION=2.291.1
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq pkg-config"
 
 # install prerequisites

.github/workflows/bootstrap.yaml

@@ -12,18 +12,18 @@ jobs:
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Restore Go cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
           restore-keys: |
-            ${{ runner.os }}-go1.17-
+            ${{ runner.os }}-go1.18-
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.17.x
+          go-version: 1.18.x
       - name: Setup Kubernetes
         uses: engineerd/setup-kind@v0.5.0
         with:

.github/workflows/e2e-arm64.yaml

@@ -3,7 +3,7 @@ name: e2e-arm64
 on:
   workflow_dispatch:
   push:
-    branches: [ main, update-components, equinix-runners ]
+    branches: [ main, update-components ]
 
 jobs:
   test:
@@ -12,11 +12,11 @@ jobs:
     runs-on: [self-hosted, Linux, ARM64, equinix]
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.17.x
+          go-version: 1.18.x
       - name: Prepare
         id: prep
         run: |

.github/workflows/e2e-azure.yaml

@@ -12,18 +12,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Restore Go cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
           restore-keys: |
-            ${{ runner.os }}-go1.17-
+            ${{ runner.os }}-go1.18-
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.17.x
+          go-version: 1.18.x
       - name: Install libgit2
         run: |
           sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
@@ -46,7 +46,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v1
         with:
-          terraform_version: 1.0.7
+          terraform_version: 1.2.8
           terraform_wrapper: false
       - name: Setup Azure CLI
         run: |

.github/workflows/e2e.yaml

@@ -2,27 +2,32 @@ name: e2e
 
 on:
   push:
-    branches: [ main, e2e* ]
-  pull_request:
     branches: [ main ]
+  pull_request:
+    branches: [ main, oci ]
 
 jobs:
   kind:
     runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Restore Go cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
           restore-keys: |
-            ${{ runner.os }}-go1.17-
+            ${{ runner.os }}-go1.18-
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.17.x
+          go-version: 1.18.x
       - name: Setup Kubernetes
         uses: engineerd/setup-kind@v0.5.0
         with:
@@ -168,6 +173,36 @@ jobs:
       - name: flux delete source git
         run: |
           /tmp/flux delete source git podinfo --silent
+      - name: flux oci artifacts
+        run: |
+          /tmp/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+            --path="./manifests" \
+            --source="${{ github.repositoryUrl }}" \
+            --revision="${{ github.ref }}/${{ github.sha }}"
+          /tmp/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+            --tag latest
+          /tmp/flux list artifacts oci://localhost:5000/fluxcd/flux
+      - name: flux oci repositories
+        run: |
+          /tmp/flux create source oci podinfo-oci \
+            --url oci://ghcr.io/stefanprodan/manifests/podinfo \
+            --tag-semver 6.1.x \
+            --interval 10m
+          /tmp/flux create kustomization podinfo-oci \
+            --source=OCIRepository/podinfo-oci \
+            --path="./kustomize" \
+            --prune=true \
+            --interval=5m \
+            --target-namespace=default \
+            --wait=true \
+            --health-check-timeout=3m
+          /tmp/flux reconcile source oci podinfo-oci
+          /tmp/flux suspend source oci podinfo-oci
+          /tmp/flux get sources oci
+          /tmp/flux resume source oci podinfo-oci
+          /tmp/flux export source oci podinfo-oci
+          /tmp/flux delete ks podinfo-oci --silent
+          /tmp/flux delete source oci podinfo-oci --silent
       - name: flux create tenant
         run: |
           /tmp/flux create tenant dev-team --with-namespace=apps

.github/workflows/rebase.yaml

@@ -1,21 +0,0 @@
-name: rebase
-
-on:
-  pull_request:
-    types: [ opened ]
-  issue_comment:
-    types: [ created ]
-
-jobs:
-  rebase:
-    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && (github.event.comment.author_association == 'CONTRIBUTOR' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout the latest code
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.3.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}

.github/workflows/release-manifests.yml

@@ -0,0 +1,73 @@
+name: release-manifests
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Kustomize
+        uses: fluxcd/pkg/actions/kustomize@main
+      - name: Setup Flux CLI
+        uses: ./action/
+      - name: Prepare
+        id: prep
+        run: |
+          VERSION=$(flux version --client | awk '{ print $NF }')
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: fluxcdbot
+          password: ${{ secrets.GHCR_TOKEN }}
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: fluxcdbot
+          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+      - name: Push manifests to GHCR
+        run: |
+          mkdir -p ./ghcr.io/flux-system
+          flux install --registry=ghcr.io/fluxcd \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --export > ./ghcr.io/flux-system/gotk-components.yaml
+          
+          cd ./ghcr.io && flux push artifact \
+          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --path="./flux-system" \
+          --source=${{ github.repositoryUrl }} \
+          --revision="${{ github.ref_name }}/${{ github.sha }}"
+      - name: Push manifests to DockerHub
+        run: |
+          mkdir -p ./docker.io/flux-system
+          flux install --registry=docker.io/fluxcd \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --export > ./docker.io/flux-system/gotk-components.yaml
+          
+          cd ./docker.io && flux push artifact \
+          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --path="./flux-system" \
+          --source=${{ github.repositoryUrl }} \
+          --revision="${{ github.ref_name }}/${{ github.sha }}"
+      - uses: sigstore/cosign-installer@main
+      - name: Sign manifests
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
+          cosign sign docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
+      - name: Tag manifests
+        run: |
+          flux tag artifact oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --tag latest
+
+          flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --tag latest

.github/workflows/release.yaml

@@ -14,18 +14,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Unshallow
         run: git fetch --prune --unshallow
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.17.x
+          go-version: 1.18.x
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Setup Syft
         uses: anchore/sbom-action/download-syft@v0
       - name: Setup Cosign
@@ -33,13 +33,13 @@ jobs:
       - name: Setup Kustomize
         uses: fluxcd/pkg//actions/kustomize@main
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: fluxcdbot
           password: ${{ secrets.GHCR_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -73,7 +73,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v1
+        uses: goreleaser/goreleaser-action@v3
         with:
           version: latest
           args: release --release-notes=output/notes.md --skip-validate

.github/workflows/scan.yaml

@@ -1,4 +1,4 @@
-name: Scan
+name: scan
 
 on:
   push:
@@ -8,12 +8,16 @@ on:
   schedule:
     - cron: '18 10 * * 3'
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for codeQL to write security events
+
 jobs:
   fossa:
     name: FOSSA
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Run FOSSA scan and upload build data
         uses: fossa-contrib/fossa-action@v1
         with:
@@ -26,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Setup Kustomize
         uses: fluxcd/pkg//actions/kustomize@main
       - name: Build manifests
@@ -49,12 +53,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.18
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
         with:
           languages: go
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v2
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2

.github/workflows/update.yaml

@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.17.x
+          go-version: 1.18.x
       - name: Update component versions
         id: update
         run: |
@@ -42,8 +42,7 @@ jobs:
 
             if [[ "${MOD_VERSION}" != "${LATEST_VERSION}" ]]; then
               go mod edit -require="github.com/fluxcd/$1/api@${LATEST_VERSION}"
-              rm go.sum
-              go mod tidy
+              make tidy
               changed=true
             fi
 

CONTRIBUTING.md

@@ -59,7 +59,7 @@ This project is composed of:
 ### Understanding the code
 
 To get started with developing controllers, you might want to review
-[our guide](https://fluxcd.io/docs/gitops-toolkit/source-watcher/) which
+[our guide](https://fluxcd.io/flux/gitops-toolkit/source-watcher/) which
 walks you through writing a short and concise controller that watches out
 for source changes.
 
@@ -70,6 +70,7 @@ Prerequisites:
 * go >= 1.17
 * kubectl >= 1.20
 * kustomize >= 4.4
+* coreutils (on Mac OS)
 
 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
 
@@ -96,6 +97,25 @@ Then you can run the end-to-end tests with:
 make e2e
 ```
 
+When the output of the Flux CLI changes, to automatically update the golden
+files used in the test, pass `-update` flag to the test as:
+
+```bash
+make e2e TEST_ARGS="-update"
+```
+
+Since not all packages use golden files for testing, `-update` argument must be
+passed only for the packages that use golden files. Use the variables
+`TEST_PKG_PATH` for unit tests and `E2E_TEST_PKG_PATH` for e2e tests, to set the
+path of the target test package:
+
+```bash
+# Unit test
+make test TEST_PKG_PATH="./cmd/flux" TEST_ARGS="-update"
+# e2e test
+make e2e E2E_TEST_PKG_PATH="./cmd/flux" TEST_ARGS="-update"
+```
+
 Teardown the e2e environment with:
 
 ```bash

Dockerfile

@@ -1,15 +1,15 @@
-FROM alpine:3.15 as builder
+FROM alpine:3.16 as builder
 
 RUN apk add --no-cache ca-certificates curl
 
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.23.1
+ARG KUBECTL_VER=1.25.0
 
 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
     -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
     kubectl version --client=true
 
-FROM alpine:3.15 as flux-cli
+FROM alpine:3.16 as flux-cli
 
 # Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
 # https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460

MAINTAINERS

@@ -2,19 +2,7 @@ The maintainers are generally available in Slack at
 https://cloud-native.slack.com in #flux (https://cloud-native.slack.com/messages/CLAJ40HV3)
 (obtain an invitation at https://slack.cncf.io/).
 
-These maintainers are shared with other Flux v2-related git
-repositories under https://github.com/fluxcd, as noted in their
-respective MAINTAINERS files.
+The Flux2 maintainers team is identical with the core maintainers of the project
+as listed in
 
-For convenience, they are reflected in the GitHub team
-@fluxcd/flux2-maintainers -- if the list here changes, that team also
-should.
-
-In alphabetical order:
-
-Aurel Canciu, NexHealth <aurel.canciu@nexhealth.com> (github: @relu, slack: relu)
-Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
-Max Jonas Werner, D2iQ <max@e13.dev> (github: @makkes, slack: max)
-Philip Laine, Xenit <philip.laine@xenit.se> (github: @phillebaba, slack: phillebaba)
-Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)
-Sunny, Weaveworks <sunny@weave.works> (github: @darkowlzz, slack: darkowlzz)
+    https://github.com/fluxcd/community/blob/main/CORE-MAINTAINERS

Makefile

@@ -1,4 +1,5 @@
 VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | head -n 1 | tr -d '"')
+DEV_VERSION?=0.0.0-$(shell git rev-parse --abbrev-ref HEAD)-$(shell git rev-parse --short HEAD)-$(shell date +%s)
 EMBEDDED_MANIFESTS_TARGET=cmd/flux/.manifests.done
 TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
 # Architecture to use envtest with
@@ -16,8 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build
 
 tidy:
-	go mod tidy
-	cd tests/azure && go mod tidy
+	go mod tidy -compat=1.18
+	cd tests/azure && go mod tidy -compat=1.18
 
 fmt:
 	go fmt ./...
@@ -35,11 +36,13 @@ cleanup-kind:
 	rm $(TEST_KUBECONFIG)
 
 KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
+TEST_PKG_PATH="./..."
 test: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet install-envtest
-	KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test ./... -coverprofile cover.out --tags=unit
+	KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test $(TEST_PKG_PATH) -coverprofile cover.out --tags=unit $(TEST_ARGS)
 
+E2E_TEST_PKG_PATH="./cmd/flux/..."
 e2e: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet
-	TEST_KUBECONFIG=$(TEST_KUBECONFIG) go test ./cmd/flux/... -coverprofile e2e.cover.out --tags=e2e -v -failfast
+	TEST_KUBECONFIG=$(TEST_KUBECONFIG) go test $(E2E_TEST_PKG_PATH) -coverprofile e2e.cover.out --tags=e2e -v -failfast $(TEST_ARGS)
 
 test-with-kind: install-envtest
 	make setup-kind
@@ -53,6 +56,9 @@ $(EMBEDDED_MANIFESTS_TARGET): $(call rwildcard,manifests/,*.yaml *.json)
 build: $(EMBEDDED_MANIFESTS_TARGET)
 	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(VERSION)" -o ./bin/flux ./cmd/flux
 
+build-dev: $(EMBEDDED_MANIFESTS_TARGET)
+	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(DEV_VERSION)" -o ./bin/flux ./cmd/flux
+
 .PHONY: install
 install:
 	CGO_ENABLED=0 go install ./cmd/flux

README.md

@@ -24,14 +24,14 @@ Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) proje
 
 ## Quickstart and documentation
 
-To get started check out this [guide](https://fluxcd.io/docs/get-started/)
+To get started check out this [guide](https://fluxcd.io/flux/get-started/)
 on how to bootstrap Flux on Kubernetes and deploy a sample application in a GitOps manner.
 
 For more comprehensive documentation, see the following guides:
-- [Ways of structuring your repositories](https://fluxcd.io/docs/guides/repository-structure/)
-- [Manage Helm Releases](https://fluxcd.io/docs/guides/helmreleases/)
-- [Automate image updates to Git](https://fluxcd.io/docs/guides/image-update/)  
-- [Manage Kubernetes secrets with Mozilla SOPS](https://fluxcd.io/docs/guides/mozilla-sops/)  
+- [Ways of structuring your repositories](https://fluxcd.io/flux/guides/repository-structure/)
+- [Manage Helm Releases](https://fluxcd.io/flux/guides/helmreleases/)
+- [Automate image updates to Git](https://fluxcd.io/flux/guides/image-update/)  
+- [Manage Kubernetes secrets with Mozilla SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)  
 
 If you need help, please refer to our **[Support page](https://fluxcd.io/support/)**.
 
@@ -46,27 +46,28 @@ automation tooling.
 
 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
-guides](https://fluxcd.io/docs/gitops-toolkit/source-watcher/).
+guides](https://fluxcd.io/flux/gitops-toolkit/source-watcher/).
 
 ### Components
 
-- [Source Controller](https://fluxcd.io/docs/components/source/)
-    - [GitRepository CRD](https://fluxcd.io/docs/components/source/gitrepositories/)
-    - [HelmRepository CRD](https://fluxcd.io/docs/components/source/helmrepositories/)
-    - [HelmChart CRD](https://fluxcd.io/docs/components/source/helmcharts/)
-    - [Bucket CRD](https://fluxcd.io/docs/components/source/buckets/)
-- [Kustomize Controller](https://fluxcd.io/docs/components/kustomize/)
-    - [Kustomization CRD](https://fluxcd.io/docs/components/kustomize/kustomization/)
-- [Helm Controller](https://fluxcd.io/docs/components/helm/)
-    - [HelmRelease CRD](https://fluxcd.io/docs/components/helm/helmreleases/)
-- [Notification Controller](https://fluxcd.io/docs/components/notification/)
-    - [Provider CRD](https://fluxcd.io/docs/components/notification/provider/)
-    - [Alert CRD](https://fluxcd.io/docs/components/notification/alert/)
-    - [Receiver CRD](https://fluxcd.io/docs/components/notification/receiver/)
-- [Image Automation Controllers](https://fluxcd.io/docs/components/image/)
-  - [ImageRepository CRD](https://fluxcd.io/docs/components/image/imagerepositories/)
-  - [ImagePolicy CRD](https://fluxcd.io/docs/components/image/imagepolicies/)
-  - [ImageUpdateAutomation CRD](https://fluxcd.io/docs/components/image/imageupdateautomations/)
+- [Source Controller](https://fluxcd.io/flux/components/source/)
+    - [GitRepository CRD](https://fluxcd.io/flux/components/source/gitrepositories/)
+    - [OCIRepository CRD](https://fluxcd.io/flux/components/source/ocirepositories/)
+    - [HelmRepository CRD](https://fluxcd.io/flux/components/source/helmrepositories/)
+    - [HelmChart CRD](https://fluxcd.io/flux/components/source/helmcharts/)
+    - [Bucket CRD](https://fluxcd.io/flux/components/source/buckets/)
+- [Kustomize Controller](https://fluxcd.io/flux/components/kustomize/)
+    - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomization/)
+- [Helm Controller](https://fluxcd.io/flux/components/helm/)
+    - [HelmRelease CRD](https://fluxcd.io/flux/components/helm/helmreleases/)
+- [Notification Controller](https://fluxcd.io/flux/components/notification/)
+    - [Provider CRD](https://fluxcd.io/flux/components/notification/provider/)
+    - [Alert CRD](https://fluxcd.io/flux/components/notification/alert/)
+    - [Receiver CRD](https://fluxcd.io/flux/components/notification/receiver/)
+- [Image Automation Controllers](https://fluxcd.io/flux/components/image/)
+  - [ImageRepository CRD](https://fluxcd.io/flux/components/image/imagerepositories/)
+  - [ImagePolicy CRD](https://fluxcd.io/flux/components/image/imagepolicies/)
+  - [ImageUpdateAutomation CRD](https://fluxcd.io/flux/components/image/imageupdateautomations/)
   
 ## Community
 
@@ -74,7 +75,7 @@ Need help or want to contribute? Please see the links below. The Flux project is
 new contributors and there are a multitude of ways to get involved.
 
 - Getting Started?
-    - Look at our [Get Started guide](https://fluxcd.io/docs/get-started/) and give us feedback
+    - Look at our [Get Started guide](https://fluxcd.io/flux/get-started/) and give us feedback
 - Need help?
     - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
     - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/)

action/README.md

@@ -32,7 +32,7 @@ You can download a specific version with:
       - name: Setup Flux CLI
         uses: fluxcd/flux2/action@main
         with:
-          version: 0.8.0
+          version: 0.32.0
 ```
 
 ### Automate Flux updates
@@ -74,6 +74,92 @@ jobs:
               ${{ steps.update.outputs.flux_version }}
 ```
 
+### Push Kubernetes manifests to container registries
+
+Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to GitHub Container Registry:
+
+```yaml
+name: push-artifact-staging
+
+on:
+  push:
+    branches:
+      - 'main'
+
+permissions:
+  packages: write # needed for ghcr.io access
+
+env:
+  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
+
+jobs:
+  kubernetes:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate manifests
+        run: |
+          kustomize build ./manifests/staging > ./deploy/app.yaml
+      - name: Push manifests
+        run: |
+          flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
+            --path="./deploy" \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="$(git branch --show-current)/$(git rev-parse HEAD)"
+      - name: Deploy manifests to staging
+        run: |
+          flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
+```
+
+Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to Docker Hub:
+
+```yaml
+name: push-artifact-production
+
+on:
+  push:
+    tags:
+      - '*'
+
+env:
+  OCI_REPO: "oci://docker.io/my-org/app-config"
+
+jobs:
+  kubernetes:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Generate manifests
+        run: |
+          kustomize build ./manifests/production > ./deploy/app.yaml
+      - name: Push manifests
+        run: |
+          flux push artifact $OCI_REPO:$(git tag --points-at HEAD) \
+            --path="./deploy" \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
+      - name: Deploy manifests to production
+        run: |
+          flux tag artifact $OCI_REPO:$(git tag --points-at HEAD) --tag production
+```
+
 ### End-to-end testing
 
 Example workflow for running Flux in Kubernetes Kind:

cmd/flux/bootstrap.go

@@ -19,13 +19,13 @@ package main
 import (
 	"crypto/elliptic"
 	"fmt"
-	"os"
 	"strings"
 
 	"github.com/spf13/cobra"
 
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
@@ -88,7 +88,7 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.extraComponents, "components-extra", nil,
-		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
+		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
 
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
 		"container registry where the toolkit images are published")
@@ -154,7 +154,7 @@ func buildEmbeddedManifestBase() (string, error) {
 	if !isEmbeddedVersion(bootstrapArgs.version) {
 		return "", nil
 	}
-	tmpBaseDir, err := os.MkdirTemp("", "flux-manifests-")
+	tmpBaseDir, err := manifestgen.MkdirTempAbs("", "flux-manifests-")
 	if err != nil {
 		return "", err
 	}

cmd/flux/bootstrap_bitbucket_server.go

@@ -30,6 +30,7 @@ import (
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -121,7 +122,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -165,7 +166,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	// Lazy go-git repository
-	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
@@ -251,7 +252,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
-		bootstrap.WithKubeconfig(kubeconfigArgs),
+		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
 		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),

cmd/flux/bootstrap_git.go

@@ -35,6 +35,7 @@ import (
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -53,6 +54,9 @@ command will perform an upgrade if needed.`,
   # Run bootstrap for a Git repository and authenticate using a password
   flux bootstrap git --url=https://example.com/repository.git --password=<password>
 
+  # Run bootstrap for a Git repository and authenticate using a password from environment variable
+  GIT_PASSWORD=<password> && flux bootstrap git --url=https://example.com/repository.git
+
   # Run bootstrap for a Git repository with a passwordless private key
   flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key>
 
@@ -63,14 +67,19 @@ command will perform an upgrade if needed.`,
 }
 
 type gitFlags struct {
-	url      string
-	interval time.Duration
-	path     flags.SafeRelativePath
-	username string
-	password string
-	silent   bool
+	url                 string
+	interval            time.Duration
+	path                flags.SafeRelativePath
+	username            string
+	password            string
+	silent              bool
+	insecureHttpAllowed bool
 }
 
+const (
+	gitPasswordEnvVar = "GIT_PASSWORD"
+)
+
 var gitArgs gitFlags
 
 func init() {
@@ -80,11 +89,25 @@ func init() {
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
 	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
+	bootstrapGitCmd.Flags().BoolVar(&gitArgs.insecureHttpAllowed, "allow-insecure-http", false, "allows http git url connections")
 
 	bootstrapCmd.AddCommand(bootstrapGitCmd)
 }
 
 func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
+	gitPassword := os.Getenv(gitPasswordEnvVar)
+	if gitPassword != "" && gitArgs.password == "" {
+		gitArgs.password = gitPassword
+	}
+	if bootstrapArgs.tokenAuth && gitArgs.password == "" {
+		var err error
+		gitPassword, err = readPasswordFromStdin("Please enter your Git repository password: ")
+		if err != nil {
+			return fmt.Errorf("could not read token: %w", err)
+		}
+		gitArgs.password = gitPassword
+	}
+
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
@@ -101,7 +124,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -117,7 +140,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	defer os.RemoveAll(manifestsBase)
 
 	// Lazy go-git repository
-	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
@@ -225,7 +248,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
-		bootstrap.WithKubeconfig(kubeconfigArgs),
+		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithPostGenerateSecretFunc(promptPublicKey),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
@@ -248,6 +271,14 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 // SSH-agent is attempted.
 func transportForURL(u *url.URL) (transport.AuthMethod, error) {
 	switch u.Scheme {
+	case "http":
+		if !gitArgs.insecureHttpAllowed {
+			return nil, fmt.Errorf("scheme http is insecure, pass --allow-insecure-http=true to allow it")
+		}
+		return &http.BasicAuth{
+			Username: gitArgs.username,
+			Password: gitArgs.password,
+		}, nil
 	case "https":
 		return &http.BasicAuth{
 			Username: gitArgs.username,

cmd/flux/bootstrap_github.go

@@ -30,6 +30,7 @@ import (
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -125,7 +126,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -161,7 +162,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	// Lazy go-git repository
-	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
@@ -240,7 +241,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(githubArgs.teams, ghDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(githubArgs.readWriteKey),
-		bootstrap.WithKubeconfig(kubeconfigArgs),
+		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
 		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),

cmd/flux/bootstrap_gitlab.go

@@ -32,6 +32,7 @@ import (
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -129,7 +130,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -172,7 +173,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	// Lazy go-git repository
-	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
@@ -254,7 +255,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(gitlabArgs.teams, glDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(gitlabArgs.readWriteKey),
-		bootstrap.WithKubeconfig(kubeconfigArgs),
+		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
 		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),

cmd/flux/build_artifact.go

@@ -0,0 +1,80 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	oci "github.com/fluxcd/pkg/oci/client"
+	"github.com/fluxcd/pkg/sourceignore"
+)
+
+var buildArtifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Build artifact",
+	Long:  `The build artifact command creates a tgz file with the manifests from the given directory.`,
+	Example: `  # Build the given manifests directory into an artifact
+  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
+
+  # List the files bundled in the artifact
+  tar -ztvf ./path/to/artifact.tgz
+`,
+	RunE: buildArtifactCmdRun,
+}
+
+type buildArtifactFlags struct {
+	output      string
+	path        string
+	ignorePaths []string
+}
+
+var excludeOCI = append(strings.Split(sourceignore.ExcludeVCS, ","), strings.Split(sourceignore.ExcludeExt, ",")...)
+
+var buildArtifactArgs buildArtifactFlags
+
+func init() {
+	buildArtifactCmd.Flags().StringVar(&buildArtifactArgs.path, "path", "", "Path to the directory where the Kubernetes manifests are located.")
+	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
+	buildArtifactCmd.Flags().StringSliceVar(&buildArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
+
+	buildCmd.AddCommand(buildArtifactCmd)
+}
+
+func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
+	if buildArtifactArgs.path == "" {
+		return fmt.Errorf("invalid path %q", buildArtifactArgs.path)
+	}
+
+	if fs, err := os.Stat(buildArtifactArgs.path); err != nil || !fs.IsDir() {
+		return fmt.Errorf("invalid path '%s', must point to an existing directory", buildArtifactArgs.path)
+	}
+
+	logger.Actionf("building artifact from %s", buildArtifactArgs.path)
+
+	ociClient := oci.NewLocalClient()
+	if err := ociClient.Build(buildArtifactArgs.output, buildArtifactArgs.path, buildArtifactArgs.ignorePaths); err != nil {
+		return fmt.Errorf("bulding artifact failed, error: %w", err)
+	}
+
+	logger.Successf("artifact created at %s", buildArtifactArgs.output)
+
+	return nil
+}

cmd/flux/build_kustomization.go

@@ -33,21 +33,28 @@ var buildKsCmd = &cobra.Command{
 	Short:   "Build Kustomization",
 	Long: `The build command queries the Kubernetes API and fetches the specified Flux Kustomization. 
 It then uses the fetched in cluster flux kustomization to perform needed transformation on the local kustomization.yaml
-pointed at by --path. The local kustomization.yaml is generated if it does not exist. Finally it builds the overlays using the local kustomization.yaml, and write the resulting multi-doc YAML to stdout.`,
+pointed at by --path. The local kustomization.yaml is generated if it does not exist. Finally it builds the overlays using the local kustomization.yaml, and write the resulting multi-doc YAML to stdout.
+
+It is possible to specify a Flux kustomization file using --kustomization-file.`,
 	Example: `# Build the local manifests as they were built on the cluster
-flux build kustomization my-app --path ./path/to/local/manifests`,
+flux build kustomization my-app --path ./path/to/local/manifests
+
+# Build using a local flux kustomization file
+flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              buildKsCmdRun,
 }
 
 type buildKsFlags struct {
-	path string
+	kustomizationFile string
+	path              string
 }
 
 var buildKsArgs buildKsFlags
 
 func init() {
-	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.)")
+	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.")
+	buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	buildCmd.AddCommand(buildKsCmd)
 }
 
@@ -65,7 +72,13 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
 	}
 
-	builder, err := build.NewBuilder(kubeconfigArgs, name, buildKsArgs.path, build.WithTimeout(rootArgs.timeout))
+	if buildKsArgs.kustomizationFile != "" {
+		if fs, err := os.Stat(buildKsArgs.kustomizationFile); os.IsNotExist(err) || fs.IsDir() {
+			return fmt.Errorf("invalid kustomization file %q", buildKsArgs.kustomizationFile)
+		}
+	}
+
+	builder, err := build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, buildKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(buildKsArgs.kustomizationFile))
 	if err != nil {
 		return err
 	}

cmd/flux/build_kustomization_test.go

@@ -20,7 +20,10 @@ limitations under the License.
 package main
 
 import (
+	"bytes"
+	"os"
 	"testing"
+	"text/template"
 )
 
 func setup(t *testing.T, tmpl map[string]string) {
@@ -54,6 +57,12 @@ func TestBuildKustomization(t *testing.T) {
 			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
+		{
+			name:       "build deployment and configmap with var substitution",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/var-substitution",
+			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
 	}
 
 	tmpl := map[string]string{
@@ -81,3 +90,101 @@ func TestBuildKustomization(t *testing.T) {
 		})
 	}
 }
+
+func TestBuildLocalKustomization(t *testing.T) {
+	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: podinfo
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m0s
+  path: ./kustomize
+  force: true
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: podinfo
+  targetNamespace: default
+  postBuild:
+    substitute:
+      cluster_env: "prod"
+      cluster_region: "eu-central-1"
+`
+
+	tests := []struct {
+		name       string
+		args       string
+		resultFile string
+		assertFunc string
+	}{
+		{
+			name:       "no args",
+			args:       "build kustomization podinfo --kustomization-file ./wrongfile/ --path ./testdata/build-kustomization/podinfo",
+			resultFile: "invalid kustomization file \"./wrongfile/\"",
+			assertFunc: "assertError",
+		},
+		{
+			name:       "build podinfo",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/podinfo",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build podinfo without service",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/delete-service",
+			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build deployment and configmap with var substitution",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/var-substitution",
+			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+	}
+
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+
+	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
+
+	temp, err := template.New("podinfo").Parse(podinfo)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var b bytes.Buffer
+	err = temp.Execute(&b, tmpl)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = os.WriteFile("./testdata/build-kustomization/podinfo.yaml", b.Bytes(), 0666)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	defer os.Remove("./testdata/build-kustomization/podinfo.yaml")
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var assert assertFunc
+
+			switch tt.assertFunc {
+			case "assertGoldenTemplateFile":
+				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
+			case "assertError":
+				assert = assertError(tt.resultFile)
+			}
+
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: assert,
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/check.go

@@ -24,6 +24,7 @@ import (
 	"github.com/Masterminds/semver/v3"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/api/apps/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -95,9 +96,17 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 	if !componentsCheck() {
 		checkFailed = true
 	}
+
+	logger.Actionf("checking crds")
+	if !crdsCheck() {
+		checkFailed = true
+	}
+
 	if checkFailed {
+		logger.Failuref("check failed")
 		os.Exit(1)
 	}
+
 	logger.Successf("all checks passed")
 	return nil
 }
@@ -125,7 +134,7 @@ func fluxCheck() {
 }
 
 func kubernetesCheck(constraints []string) bool {
-	cfg, err := utils.KubeConfig(kubeconfigArgs)
+	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
 		return false
@@ -173,7 +182,7 @@ func componentsCheck() bool {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeConfig, err := utils.KubeConfig(kubeconfigArgs)
+	kubeConfig, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return false
 	}
@@ -183,7 +192,7 @@ func componentsCheck() bool {
 		return false
 	}
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return false
 	}
@@ -191,7 +200,14 @@ func componentsCheck() bool {
 	ok := true
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list v1.DeploymentList
-	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
+	ns := *kubeconfigArgs.Namespace
+	if err := kubeClient.List(ctx, &list, client.InNamespace(ns), selector); err == nil {
+		if len(list.Items) == 0 {
+			logger.Failuref("no controllers found in the '%s' namespace with the label selector '%s=%s'",
+				ns, manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
+			return false
+		}
+
 		for _, d := range list.Items {
 			if ref, err := buildComponentObjectRefs(d.Name); err == nil {
 				if err := statusChecker.Assess(ref...); err != nil {
@@ -205,3 +221,34 @@ func componentsCheck() bool {
 	}
 	return ok
 }
+
+func crdsCheck() bool {
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return false
+	}
+
+	ok := true
+	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
+	var list apiextensionsv1.CustomResourceDefinitionList
+	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
+		if len(list.Items) == 0 {
+			logger.Failuref("no crds found with the label selector '%s=%s'",
+				manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
+			return false
+		}
+
+		for _, crd := range list.Items {
+			if len(crd.Status.StoredVersions) > 0 {
+				logger.Successf(crd.Name + "/" + crd.Status.StoredVersions[0])
+			} else {
+				ok = false
+				logger.Failuref("no stored versions for %s", crd.Name)
+			}
+		}
+	}
+	return ok
+}

cmd/flux/check_test.go

@@ -26,7 +26,6 @@ import (
 	"testing"
 
 	"github.com/fluxcd/flux2/internal/utils"
-	"k8s.io/apimachinery/pkg/version"
 )
 
 func TestCheckPre(t *testing.T) {
@@ -35,17 +34,19 @@ func TestCheckPre(t *testing.T) {
 		t.Fatalf("Error running utils.ExecKubectlCommand: %v", err.Error())
 	}
 
-	var versions map[string]version.Info
+	var versions map[string]interface{}
 	if err := json.Unmarshal([]byte(jsonOutput), &versions); err != nil {
-		t.Fatalf("Error unmarshalling: %v", err.Error())
+		t.Fatalf("Error unmarshalling '%s': %v", jsonOutput, err.Error())
 	}
 
-	serverVersion := strings.TrimPrefix(versions["serverVersion"].GitVersion, "v")
+	serverGitVersion := strings.TrimPrefix(
+		versions["serverVersion"].(map[string]interface{})["gitVersion"].(string),
+		"v")
 
 	cmd := cmdTestCase{
 		args: "check --pre",
 		assert: assertGoldenTemplateFile("testdata/check/check_pre.golden", map[string]string{
-			"serverVersion": serverVersion,
+			"serverVersion": serverGitVersion,
 		}),
 	}
 	cmd.runTestCmd(t)

cmd/flux/completion.go

@@ -60,7 +60,7 @@ func resourceNamesCompletionFunc(gvk schema.GroupVersionKind) func(cmd *cobra.Co
 		ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 		defer cancel()
 
-		cfg, err := utils.KubeConfig(kubeconfigArgs)
+		cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
 		if err != nil {
 			return completionError(err)
 		}

cmd/flux/create.go

@@ -117,7 +117,7 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs) // NB globals
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions) // NB globals
 	if err != nil {
 		return err
 	}

cmd/flux/create_alert.go

@@ -119,7 +119,7 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/create_alertprovider.go

@@ -115,7 +115,7 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/create_helmrelease.go

@@ -21,6 +21,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"strings"
+	"time"
 
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
@@ -108,21 +110,26 @@ var createHelmReleaseCmd = &cobra.Command{
 }
 
 type helmReleaseFlags struct {
-	name            string
-	source          flags.HelmChartSource
-	dependsOn       []string
-	chart           string
-	chartVersion    string
-	targetNamespace string
-	createNamespace bool
-	valuesFiles     []string
-	valuesFrom      flags.HelmReleaseValuesFrom
-	saName          string
-	crds            flags.CRDsPolicy
+	name                string
+	source              flags.HelmChartSource
+	dependsOn           []string
+	chart               string
+	chartVersion        string
+	targetNamespace     string
+	createNamespace     bool
+	valuesFiles         []string
+	valuesFrom          []string
+	saName              string
+	crds                flags.CRDsPolicy
+	reconcileStrategy   string
+	chartInterval       time.Duration
+	kubeConfigSecretRef string
 }
 
 var helmReleaseArgs helmReleaseFlags
 
+var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}
+
 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.source, "source", helmReleaseArgs.source.Description())
@@ -132,9 +139,12 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
 	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart created by the helm release(accepted values: Revision and ChartRevision)")
+	createHelmReleaseCmd.Flags().DurationVarP(&helmReleaseArgs.chartInterval, "chart-interval", "", 0, "the interval of which to check for new chart versions")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
-	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.valuesFrom, "values-from", helmReleaseArgs.valuesFrom.Description())
+	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFrom, "values-from", nil, "a Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>', where kind must be one of: (Secret,ConfigMap)")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.crds, "crds", helmReleaseArgs.crds.Description())
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createCmd.AddCommand(createHelmReleaseCmd)
 }
 
@@ -154,6 +164,11 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating HelmRelease")
 	}
 
+	if !validateStrategy(helmReleaseArgs.reconcileStrategy) {
+		return fmt.Errorf("'%s' is an invalid reconcile strategy(valid: Revision, ChartVersion)",
+			helmReleaseArgs.reconcileStrategy)
+	}
+
 	helmRelease := helmv2.HelmRelease{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
@@ -177,12 +192,27 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 						Name:      helmReleaseArgs.source.Name,
 						Namespace: helmReleaseArgs.source.Namespace,
 					},
+					ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
 				},
 			},
 			Suspend: false,
 		},
 	}
 
+	if helmReleaseArgs.kubeConfigSecretRef != "" {
+		helmRelease.Spec.KubeConfig = &helmv2.KubeConfig{
+			SecretRef: meta.SecretKeyReference{
+				Name: helmReleaseArgs.kubeConfigSecretRef,
+			},
+		}
+	}
+
+	if helmReleaseArgs.chartInterval != 0 {
+		helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
+			Duration: helmReleaseArgs.chartInterval,
+		}
+	}
+
 	if helmReleaseArgs.createNamespace {
 		if helmRelease.Spec.Install == nil {
 			helmRelease.Spec.Install = &helmv2.Install{}
@@ -233,11 +263,25 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: jsonRaw}
 	}
 
-	if helmReleaseArgs.valuesFrom.String() != "" {
-		helmRelease.Spec.ValuesFrom = []helmv2.ValuesReference{{
-			Kind: helmReleaseArgs.valuesFrom.Kind,
-			Name: helmReleaseArgs.valuesFrom.Name,
-		}}
+	if len(helmReleaseArgs.valuesFrom) != 0 {
+		values := []helmv2.ValuesReference{}
+		for _, value := range helmReleaseArgs.valuesFrom {
+			sourceKind, sourceName := utils.ParseObjectKindName(value)
+			if sourceKind == "" {
+				return fmt.Errorf("invalid Kubernetes object reference '%s', must be in format <kind>/<name>", value)
+			}
+			cleanSourceKind, ok := utils.ContainsEqualFoldItemString(supportedHelmReleaseValuesFromKinds, sourceKind)
+			if !ok {
+				return fmt.Errorf("reference kind '%s' is not supported, must be one of: %s",
+					sourceKind, strings.Join(supportedHelmReleaseValuesFromKinds, ", "))
+			}
+
+			values = append(values, helmv2.ValuesReference{
+				Name: sourceName,
+				Kind: cleanSourceKind,
+			})
+		}
+		helmRelease.Spec.ValuesFrom = values
 	}
 
 	if createArgs.export {
@@ -247,7 +291,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -316,3 +360,15 @@ func isHelmReleaseReady(ctx context.Context, kubeClient client.Client,
 		return apimeta.IsStatusConditionTrue(helmRelease.Status.Conditions, meta.ReadyCondition), nil
 	}
 }
+
+func validateStrategy(input string) bool {
+	allowedStrategy := []string{"Revision", "ChartVersion"}
+
+	for _, strategy := range allowedStrategy {
+		if strategy == input {
+			return true
+		}
+	}
+
+	return false
+}

cmd/flux/create_image_update.go

@@ -23,7 +23,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var createImageUpdateCmd = &cobra.Command{

cmd/flux/create_kustomization.go

@@ -42,22 +42,21 @@ var createKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Create or update a Kustomization resource",
-	Long:    "The kustomization source create command generates a Kustomize resource for a given source.",
+	Long:    "The create command generates a Kustomization resource for a given source.",
 	Example: `  # Create a Kustomization resource from a source at a given path
-  flux create kustomization contour \
-    --source=GitRepository/contour \
-    --path="./examples/contour/" \
+  flux create kustomization kyverno \
+    --source=GitRepository/kyverno \
+    --path="./config/release" \
     --prune=true \
-    --interval=10m \
-    --health-check="Deployment/contour.projectcontour" \
-    --health-check="DaemonSet/envoy.projectcontour" \
+    --interval=60m \
+    --wait=true \
     --health-check-timeout=3m
 
   # Create a Kustomization resource that depends on the previous one
-  flux create kustomization webapp \
-    --depends-on=contour \
-    --source=GitRepository/webapp \
-    --path="./deploy/overlays/dev" \
+  flux create kustomization kyverno-policies \
+    --depends-on=kyverno \
+    --source=GitRepository/kyverno-policies \
+    --path="./policies/flux" \
     --prune=true \
     --interval=5m
 
@@ -65,7 +64,14 @@ var createKsCmd = &cobra.Command{
   flux create kustomization podinfo \
     --namespace=default \
     --source=GitRepository/podinfo.flux-system \
-    --path="./deploy/overlays/dev" \
+    --path="./kustomize" \
+    --prune=true \
+    --interval=5m
+
+  # Create a Kustomization resource that references an OCIRepository
+  flux create kustomization podinfo \
+    --source=OCIRepository/podinfo \
+    --target-namespace=default \
     --prune=true \
     --interval=5m
 
@@ -78,18 +84,19 @@ var createKsCmd = &cobra.Command{
 }
 
 type kustomizationFlags struct {
-	source             flags.KustomizationSource
-	path               flags.SafeRelativePath
-	prune              bool
-	dependsOn          []string
-	validation         string
-	healthCheck        []string
-	healthTimeout      time.Duration
-	saName             string
-	decryptionProvider flags.DecryptionProvider
-	decryptionSecret   string
-	targetNamespace    string
-	wait               bool
+	source              flags.KustomizationSource
+	path                flags.SafeRelativePath
+	prune               bool
+	dependsOn           []string
+	validation          string
+	healthCheck         []string
+	healthTimeout       time.Duration
+	saName              string
+	decryptionProvider  flags.DecryptionProvider
+	decryptionSecret    string
+	targetNamespace     string
+	wait                bool
+	kubeConfigSecretRef string
 }
 
 var kustomizationArgs = NewKustomizationFlags()
@@ -107,6 +114,7 @@ func init() {
 	createKsCmd.Flags().Var(&kustomizationArgs.decryptionProvider, "decryption-provider", kustomizationArgs.decryptionProvider.Description())
 	createKsCmd.Flags().StringVar(&kustomizationArgs.decryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.targetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createKsCmd.Flags().MarkDeprecated("validation", "this arg is no longer used, all resources are validated using server-side apply dry-run")
 
 	createCmd.AddCommand(createKsCmd)
@@ -160,6 +168,14 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 
+	if kustomizationArgs.kubeConfigSecretRef != "" {
+		kustomization.Spec.KubeConfig = &kustomizev1.KubeConfig{
+			SecretRef: meta.SecretKeyReference{
+				Name: kustomizationArgs.kubeConfigSecretRef,
+			},
+		}
+	}
+
 	if len(kustomizationArgs.healthCheck) > 0 && !kustomizationArgs.wait {
 		healthChecks := make([]meta.NamespacedObjectKindReference, 0)
 		for _, w := range kustomizationArgs.healthCheck {
@@ -229,7 +245,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/create_receiver.go

@@ -127,7 +127,7 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_git.go

@@ -173,7 +173,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_helm.go

@@ -96,7 +96,7 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_helm_test.go

@@ -1,3 +1,19 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package main
 
 import (

cmd/flux/create_secret_oci.go

@@ -0,0 +1,121 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var createSecretOCICmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Create or update a Kubernetes image pull secret",
+	Long:  `The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`,
+	Example: `  # Create an OCI authentication secret on disk and encrypt it with Mozilla SOPS
+  flux create secret oci podinfo-auth \
+    --url=ghcr.io \
+    --username=username \
+    --password=password \
+    --export > repo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place repo-auth.yaml
+	`,
+	RunE: createSecretOCICmdRun,
+}
+
+type secretOCIFlags struct {
+	url      string
+	password string
+	username string
+}
+
+var secretOCIArgs = secretOCIFlags{}
+
+func init() {
+	createSecretOCICmd.Flags().StringVar(&secretOCIArgs.url, "url", "", "oci repository address e.g ghcr.io/stefanprodan/charts")
+	createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.username, "username", "u", "", "basic authentication username")
+	createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.password, "password", "p", "", "basic authentication password")
+
+	createSecretCmd.AddCommand(createSecretOCICmd)
+}
+
+func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("name is required")
+	}
+
+	secretName := args[0]
+
+	if secretOCIArgs.url == "" {
+		return fmt.Errorf("--url is required")
+	}
+
+	if secretOCIArgs.username == "" {
+		return fmt.Errorf("--username is required")
+	}
+
+	if secretOCIArgs.password == "" {
+		return fmt.Errorf("--password is required")
+	}
+
+	if _, err := name.ParseReference(secretOCIArgs.url); err != nil {
+		return fmt.Errorf("error parsing url: '%s'", err)
+	}
+
+	opts := sourcesecret.Options{
+		Name:      secretName,
+		Namespace: *kubeconfigArgs.Namespace,
+		Registry:  secretOCIArgs.url,
+		Password:  secretOCIArgs.password,
+		Username:  secretOCIArgs.username,
+	}
+
+	secret, err := sourcesecret.Generate(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("oci secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
+	return nil
+}

cmd/flux/create_secret_oci_test.go

@@ -0,0 +1,51 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateSecretOCI(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			args:   "create secret oci",
+			assert: assertError("name is required"),
+		},
+		{
+			args:   "create secret oci ghcr",
+			assert: assertError("--url is required"),
+		},
+		{
+			args:   "create secret oci ghcr --namespace=my-namespace --url ghcr.io --username stefanprodan --password=password --export",
+			assert: assertGoldenFile("testdata/create_secret/oci/create-secret.yaml"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/create_secret_tls.go

@@ -93,7 +93,7 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/create_source_bucket.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -30,7 +31,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	"github.com/fluxcd/pkg/runtime/conditions"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
@@ -61,17 +64,18 @@ For Buckets with static authentication, the credentials are stored in a Kubernet
 }
 
 type sourceBucketFlags struct {
-	name      string
-	provider  flags.SourceBucketProvider
-	endpoint  string
-	accessKey string
-	secretKey string
-	region    string
-	insecure  bool
-	secretRef string
+	name        string
+	provider    flags.SourceBucketProvider
+	endpoint    string
+	accessKey   string
+	secretKey   string
+	region      string
+	insecure    bool
+	secretRef   string
+	ignorePaths []string
 }
 
-var sourceBucketArgs = NewSourceBucketFlags()
+var sourceBucketArgs = newSourceBucketFlags()
 
 func init() {
 	createSourceBucketCmd.Flags().Var(&sourceBucketArgs.provider, "provider", sourceBucketArgs.provider.Description())
@@ -82,11 +86,12 @@ func init() {
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.region, "region", "", "the bucket region")
 	createSourceBucketCmd.Flags().BoolVar(&sourceBucketArgs.insecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretRef, "secret-ref", "", "the name of an existing secret containing credentials")
+	createSourceBucketCmd.Flags().StringSliceVar(&sourceBucketArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in bucket resource (can specify multiple paths with commas: path1,path2)")
 
 	createSourceCmd.AddCommand(createSourceBucketCmd)
 }
 
-func NewSourceBucketFlags() sourceBucketFlags {
+func newSourceBucketFlags() sourceBucketFlags {
 	return sourceBucketFlags{
 		provider: flags.SourceBucketProvider(sourcev1.GenericBucketProvider),
 	}
@@ -114,6 +119,12 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	defer os.RemoveAll(tmpDir)
 
+	var ignorePaths *string
+	if len(sourceBucketArgs.ignorePaths) > 0 {
+		ignorePathsStr := strings.Join(sourceBucketArgs.ignorePaths, "\n")
+		ignorePaths = &ignorePathsStr
+	}
+
 	bucket := &sourcev1.Bucket{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
@@ -129,6 +140,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
+			Ignore: ignorePaths,
 		},
 	}
 
@@ -149,7 +161,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -235,3 +247,30 @@ func upsertBucket(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Bucket source updated")
 	return namespacedName, nil
 }
+
+func isBucketReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, bucket *sourcev1.Bucket) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, bucket)
+		if err != nil {
+			return false, err
+		}
+
+		if c := conditions.Get(bucket, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != bucket.GetGeneration() {
+				return false, nil
+			}
+
+			// Further check the Status
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/create_source_git.go

@@ -22,20 +22,23 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"strings"
 
-	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
@@ -57,6 +60,7 @@ type sourceGitFlags struct {
 	privateKeyFile    string
 	recurseSubmodules bool
 	silent            bool
+	ignorePaths       []string
 }
 
 var createSourceGitCmd = &cobra.Command{
@@ -113,6 +117,7 @@ For private Git repositories, the basic authentication credentials are stored in
   # Create a source for a Git repository using basic authentication
   flux create source git podinfo \
     --url=https://github.com/stefanprodan/podinfo \
+    --branch=master \
     --username=username \
     --password=password`,
 	RunE: createSourceGitCmdRun,
@@ -137,6 +142,7 @@ func init() {
 	createSourceGitCmd.Flags().BoolVar(&sourceGitArgs.recurseSubmodules, "recurse-submodules", false,
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
+	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in git resource (can specify multiple paths with commas: path1,path2)")
 
 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@@ -169,7 +175,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	if sourceGitArgs.caFile != "" && u.Scheme == "ssh" {
-		return fmt.Errorf("specifing a CA file is not supported for Git over SSH")
+		return fmt.Errorf("specifying a CA file is not supported for Git over SSH")
 	}
 
 	if sourceGitArgs.recurseSubmodules && sourceGitArgs.gitImplementation == sourcev1.LibGit2Implementation {
@@ -187,6 +193,12 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	var ignorePaths *string
+	if len(sourceGitArgs.ignorePaths) > 0 {
+		ignorePathsStr := strings.Join(sourceGitArgs.ignorePaths, "\n")
+		ignorePaths = &ignorePathsStr
+	}
+
 	gitRepository := sourcev1.GitRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
@@ -200,6 +212,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			},
 			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
 			Reference:         &sourcev1.GitRepositoryRef{},
+			Ignore:            ignorePaths,
 		},
 	}
 
@@ -232,7 +245,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -355,7 +368,14 @@ func isGitRepositoryReady(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}
 
-		if c := apimeta.FindStatusCondition(gitRepository.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := conditions.Get(gitRepository, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != gitRepository.GetGeneration() {
+				return false, nil
+			}
+
+			// Further check the Status
 			switch c.Status {
 			case metav1.ConditionTrue:
 				return true, nil

cmd/flux/create_source_git_test.go

@@ -21,15 +21,17 @@ package main
 
 import (
 	"context"
+	"testing"
+	"time"
+
 	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"testing"
-	"time"
 )
 
 var pollInterval = 50 * time.Millisecond
@@ -83,6 +85,31 @@ func (r *reconciler) conditionFunc() (bool, error) {
 	return true, err
 }
 
+func TestCreateSourceGitExport(t *testing.T) {
+	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
+
+	cases := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			"ExportSucceeded",
+			command,
+			assertGoldenFile("testdata/create_source_git/export.golden"),
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tc.args,
+				assert: tc.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
+
 func TestCreateSourceGit(t *testing.T) {
 	// Default command used for multiple tests
 	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --timeout=" + testTimeout.String()
@@ -103,7 +130,14 @@ func TestCreateSourceGit(t *testing.T) {
 			command,
 			assertGoldenFile("testdata/create_source_git/success.golden"),
 			func(repo *sourcev1.GitRepository) {
-				meta.SetResourceCondition(repo, meta.ReadyCondition, metav1.ConditionTrue, sourcev1.GitOperationSucceedReason, "succeeded message")
+				newCondition := metav1.Condition{
+					Type:               meta.ReadyCondition,
+					Status:             metav1.ConditionTrue,
+					Reason:             sourcev1.GitOperationSucceedReason,
+					Message:            "succeeded message",
+					ObservedGeneration: repo.GetGeneration(),
+				}
+				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
 				repo.Status.Artifact = &sourcev1.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
@@ -114,7 +148,14 @@ func TestCreateSourceGit(t *testing.T) {
 			command,
 			assertError("failed message"),
 			func(repo *sourcev1.GitRepository) {
-				meta.SetResourceCondition(repo, meta.ReadyCondition, metav1.ConditionFalse, sourcev1.URLInvalidReason, "failed message")
+				newCondition := metav1.Condition{
+					Type:               meta.ReadyCondition,
+					Status:             metav1.ConditionFalse,
+					Reason:             sourcev1.URLInvalidReason,
+					Message:            "failed message",
+					ObservedGeneration: repo.GetGeneration(),
+				}
+				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
 			},
 		}, {
 			"NoArtifact",
@@ -122,7 +163,14 @@ func TestCreateSourceGit(t *testing.T) {
 			assertError("GitRepository source reconciliation completed but no artifact was found"),
 			func(repo *sourcev1.GitRepository) {
 				// Updated with no artifact
-				meta.SetResourceCondition(repo, meta.ReadyCondition, metav1.ConditionTrue, sourcev1.GitOperationSucceedReason, "succeeded message")
+				newCondition := metav1.Condition{
+					Type:               meta.ReadyCondition,
+					Status:             metav1.ConditionTrue,
+					Reason:             sourcev1.GitOperationSucceedReason,
+					Message:            "succeeded message",
+					ObservedGeneration: repo.GetGeneration(),
+				}
+				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
 			},
 		},
 	}

cmd/flux/create_source_helm.go

@@ -23,17 +23,17 @@ import (
 	"os"
 
 	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
@@ -44,23 +44,34 @@ var createSourceHelmCmd = &cobra.Command{
 	Short: "Create or update a HelmRepository source",
 	Long: `The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
 For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
-	Example: `  # Create a source for a public Helm repository
+	Example: `  # Create a source for an HTTPS public Helm repository
   flux create source helm podinfo \
     --url=https://stefanprodan.github.io/podinfo \
     --interval=10m
 
-  # Create a source for a Helm repository using basic authentication
+  # Create a source for an HTTPS Helm repository using basic authentication
   flux create source helm podinfo \
     --url=https://stefanprodan.github.io/podinfo \
     --username=username \
     --password=password
 
-  # Create a source for a Helm repository using TLS authentication
+  # Create a source for an HTTPS Helm repository using TLS authentication
   flux create source helm podinfo \
     --url=https://stefanprodan.github.io/podinfo \
     --cert-file=./cert.crt \
     --key-file=./key.crt \
-    --ca-file=./ca.crt`,
+    --ca-file=./ca.crt
+
+  # Create a source for an OCI Helm repository
+  flux create source helm podinfo \
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --username=username \
+    --password=password
+
+  # Create a source for an OCI Helm repository using an existing secret with basic auth or dockerconfig credentials
+  flux create source helm podinfo \
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --secret-ref=docker-config`,
 	RunE: createSourceHelmCmdRun,
 }
 
@@ -84,7 +95,7 @@ func init() {
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.certFile, "cert-file", "", "TLS authentication cert file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
-	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS, basic auth or docker-config credentials")
 	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")
 
 	createSourceCmd.AddCommand(createSourceHelmCmd)
@@ -126,6 +137,14 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 
+	url, err := url.Parse(sourceHelmArgs.url)
+	if err != nil {
+		return fmt.Errorf("failed to parse URL: %w", err)
+	}
+	if url.Scheme == sourcev1.HelmRepositoryTypeOCI {
+		helmRepository.Spec.Type = sourcev1.HelmRepositoryTypeOCI
+	}
+
 	if createSourceArgs.fetchTimeout > 0 {
 		helmRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}
@@ -144,7 +163,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -196,6 +215,11 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Successf("HelmRepository source reconciliation completed")
 
+	if helmRepository.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		// OCI repos don't expose any artifact so we just return early here
+		return nil
+	}
+
 	if helmRepository.Status.Artifact == nil {
 		return fmt.Errorf("HelmRepository source reconciliation completed but no artifact was found")
 	}
@@ -242,12 +266,14 @@ func isHelmRepositoryReady(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}
 
-		// Confirm the state we are observing is for the current generation
-		if helmRepository.Generation != helmRepository.Status.ObservedGeneration {
-			return false, nil
-		}
+		if c := conditions.Get(helmRepository, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != helmRepository.GetGeneration() {
+				return false, nil
+			}
 
-		if c := apimeta.FindStatusCondition(helmRepository.Status.Conditions, meta.ReadyCondition); c != nil {
+			// Further check the Status
 			switch c.Status {
 			case metav1.ConditionTrue:
 				return true, nil

cmd/flux/create_source_helm_test.go

@@ -0,0 +1,81 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateSourceHelm(t *testing.T) {
+	tests := []struct {
+		name       string
+		args       string
+		resultFile string
+		assertFunc string
+	}{
+		{
+			name:       "no args",
+			args:       "create source helm",
+			resultFile: "name is required",
+			assertFunc: "assertError",
+		},
+		{
+			name:       "OCI repo",
+			args:       "create source helm podinfo --url=oci://ghcr.io/stefanprodan/charts/podinfo --interval 5m --export",
+			resultFile: "./testdata/create_source_helm/oci.golden",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "OCI repo with Secret ref",
+			args:       "create source helm podinfo --url=oci://ghcr.io/stefanprodan/charts/podinfo --interval 5m --secret-ref=creds --export",
+			resultFile: "./testdata/create_source_helm/oci-with-secret.golden",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "HTTPS repo",
+			args:       "create source helm podinfo --url=https://stefanprodan.github.io/charts/podinfo --interval 5m --export",
+			resultFile: "./testdata/create_source_helm/https.golden",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+	}
+
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setup(t, tmpl)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var assert assertFunc
+			switch tt.assertFunc {
+			case "assertGoldenTemplateFile":
+				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
+			case "assertError":
+				assert = assertError(tt.resultFile)
+			}
+
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/create_source_oci.go

@@ -0,0 +1,247 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+)
+
+var createSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Create or update an OCIRepository",
+	Long:  `The create source oci command generates an OCIRepository resource and waits for it to be ready.`,
+	Example: `  # Create an OCIRepository for a public container image
+  flux create source oci podinfo \
+    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
+    --tag=6.1.6 \
+    --interval=10m
+`,
+	RunE: createSourceOCIRepositoryCmdRun,
+}
+
+type sourceOCIRepositoryFlags struct {
+	url            string
+	tag            string
+	semver         string
+	digest         string
+	secretRef      string
+	serviceAccount string
+	certSecretRef  string
+	ignorePaths    []string
+	provider       flags.SourceOCIProvider
+	insecure       bool
+}
+
+var sourceOCIRepositoryArgs = newSourceOCIFlags()
+
+func newSourceOCIFlags() sourceOCIRepositoryFlags {
+	return sourceOCIRepositoryFlags{
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+	}
+}
+
+func init() {
+	createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.url, "url", "", "the OCI repository URL")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.tag, "tag", "", "the OCI artifact tag")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.semver, "tag-semver", "", "the OCI artifact tag semver range")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.digest, "digest", "", "the OCI artifact digest")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
+	createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
+	createSourceOCIRepositoryCmd.Flags().BoolVar(&sourceOCIRepositoryArgs.insecure, "insecure", false, "for when connecting to a non-TLS registries over plain HTTP")
+
+	createSourceCmd.AddCommand(createSourceOCIRepositoryCmd)
+}
+
+func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	if sourceOCIRepositoryArgs.url == "" {
+		return fmt.Errorf("url is required")
+	}
+
+	if sourceOCIRepositoryArgs.semver == "" && sourceOCIRepositoryArgs.tag == "" && sourceOCIRepositoryArgs.digest == "" {
+		return fmt.Errorf("--tag, --tag-semver or --digest is required")
+	}
+
+	sourceLabels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	var ignorePaths *string
+	if len(sourceOCIRepositoryArgs.ignorePaths) > 0 {
+		ignorePathsStr := strings.Join(sourceOCIRepositoryArgs.ignorePaths, "\n")
+		ignorePaths = &ignorePathsStr
+	}
+
+	repository := &sourcev1.OCIRepository{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: *kubeconfigArgs.Namespace,
+			Labels:    sourceLabels,
+		},
+		Spec: sourcev1.OCIRepositorySpec{
+			Provider: sourceOCIRepositoryArgs.provider.String(),
+			URL:      sourceOCIRepositoryArgs.url,
+			Insecure: sourceOCIRepositoryArgs.insecure,
+			Interval: metav1.Duration{
+				Duration: createArgs.interval,
+			},
+			Reference: &sourcev1.OCIRepositoryRef{},
+			Ignore:    ignorePaths,
+		},
+	}
+
+	if digest := sourceOCIRepositoryArgs.digest; digest != "" {
+		repository.Spec.Reference.Digest = digest
+	}
+	if semver := sourceOCIRepositoryArgs.semver; semver != "" {
+		repository.Spec.Reference.SemVer = semver
+	}
+	if tag := sourceOCIRepositoryArgs.tag; tag != "" {
+		repository.Spec.Reference.Tag = tag
+	}
+
+	if createSourceArgs.fetchTimeout > 0 {
+		repository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
+	}
+
+	if saName := sourceOCIRepositoryArgs.serviceAccount; saName != "" {
+		repository.Spec.ServiceAccountName = saName
+	}
+
+	if secretName := sourceOCIRepositoryArgs.secretRef; secretName != "" {
+		repository.Spec.SecretRef = &meta.LocalObjectReference{
+			Name: secretName,
+		}
+	}
+
+	if secretName := sourceOCIRepositoryArgs.certSecretRef; secretName != "" {
+		repository.Spec.CertSecretRef = &meta.LocalObjectReference{
+			Name: secretName,
+		}
+	}
+
+	if createArgs.export {
+		return printExport(exportOCIRepository(repository))
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("applying OCIRepository")
+	namespacedName, err := upsertOCIRepository(ctx, kubeClient, repository)
+	if err != nil {
+		return err
+	}
+
+	logger.Waitingf("waiting for OCIRepository reconciliation")
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
+		isOCIRepositoryReady(ctx, kubeClient, namespacedName, repository)); err != nil {
+		return err
+	}
+	logger.Successf("OCIRepository reconciliation completed")
+
+	if repository.Status.Artifact == nil {
+		return fmt.Errorf("no artifact was found")
+	}
+	logger.Successf("fetched revision: %s", repository.Status.Artifact.Revision)
+	return nil
+}
+
+func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
+	ociRepository *sourcev1.OCIRepository) (types.NamespacedName, error) {
+	namespacedName := types.NamespacedName{
+		Namespace: ociRepository.GetNamespace(),
+		Name:      ociRepository.GetName(),
+	}
+
+	var existing sourcev1.OCIRepository
+	err := kubeClient.Get(ctx, namespacedName, &existing)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if err := kubeClient.Create(ctx, ociRepository); err != nil {
+				return namespacedName, err
+			} else {
+				logger.Successf("OCIRepository created")
+				return namespacedName, nil
+			}
+		}
+		return namespacedName, err
+	}
+
+	existing.Labels = ociRepository.Labels
+	existing.Spec = ociRepository.Spec
+	if err := kubeClient.Update(ctx, &existing); err != nil {
+		return namespacedName, err
+	}
+	ociRepository = &existing
+	logger.Successf("OCIRepository updated")
+	return namespacedName, nil
+}
+
+func isOCIRepositoryReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, ociRepository *sourcev1.OCIRepository) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, ociRepository)
+		if err != nil {
+			return false, err
+		}
+
+		if c := conditions.Get(ociRepository, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != ociRepository.GetGeneration() {
+				return false, nil
+			}
+
+			// Further check the Status
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}

cmd/flux/create_source_oci_test.go

@@ -0,0 +1,61 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateSourceOCI(t *testing.T) {
+	tests := []struct {
+		name       string
+		args       string
+		assertFunc assertFunc
+	}{
+		{
+			name:       "NoArgs",
+			args:       "create source oci",
+			assertFunc: assertError("name is required"),
+		},
+		{
+			name:       "NoURL",
+			args:       "create source oci podinfo",
+			assertFunc: assertError("url is required"),
+		},
+		{
+			name:       "export manifest",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export.golden"),
+		},
+		{
+			name:       "export manifest with secret",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --secret-ref=creds --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export_with_secret.golden"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assertFunc,
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/create_tenant.go

@@ -156,7 +156,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/delete.go

@@ -60,7 +60,7 @@ func (del deleteCommand) run(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/delete_kustomization.go

@@ -27,7 +27,7 @@ var deleteKsCmd = &cobra.Command{
 	Aliases: []string{"ks"},
 	Short:   "Delete a Kustomization resource",
 	Long:    "The delete kustomization command deletes the given Kustomization from the cluster.",
-	Example: `  # Delete a kustomization and the Kubernetes resources created by it
+	Example: `  # Delete a kustomization and the Kubernetes resources created by it when prune is enabled
   flux delete kustomization podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE: deleteCommand{

cmd/flux/delete_source_bucket.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var deleteSourceBucketCmd = &cobra.Command{

cmd/flux/delete_source_git.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var deleteSourceGitCmd = &cobra.Command{

cmd/flux/delete_source_helm.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var deleteSourceHelmCmd = &cobra.Command{

cmd/flux/delete_source_oci.go

@@ -0,0 +1,40 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var deleteSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Delete an OCIRepository source",
+	Long:  "The delete source oci command deletes the given OCIRepository from the cluster.",
+	Example: `  # Delete an OCIRepository 
+  flux delete source oci podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
+	RunE: deleteCommand{
+		apiType: ociRepositoryType,
+		object:  universalAdapter{&sourcev1.OCIRepository{}},
+	}.run,
+}
+
+func init() {
+	deleteSourceCmd.AddCommand(deleteSourceOCIRepositoryCmd)
+}

cmd/flux/diff_kustomization.go

@@ -34,21 +34,26 @@ var diffKsCmd = &cobra.Command{
 	Long: `The diff command does a build, then it performs a server-side dry-run and prints the diff.
 Exit status: 0 No differences were found. 1 Differences were found. >1 diff failed with an error.`,
 	Example: `# Preview local changes as they were applied on the cluster
-flux diff kustomization my-app --path ./path/to/local/manifests`,
+flux diff kustomization my-app --path ./path/to/local/manifests
+
+# Preview using a local flux kustomization file
+flux diff kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              diffKsCmdRun,
 }
 
 type diffKsFlags struct {
-	path        string
-	progressBar bool
+	kustomizationFile string
+	path              string
+	progressBar       bool
 }
 
 var diffKsArgs diffKsFlags
 
 func init() {
-	diffKsCmd.Flags().StringVar(&diffKsArgs.path, "path", "", "Path to a local directory that matches the specified Kustomization.spec.path.)")
+	diffKsCmd.Flags().StringVar(&diffKsArgs.path, "path", "", "Path to a local directory that matches the specified Kustomization.spec.path.")
 	diffKsCmd.Flags().BoolVar(&diffKsArgs.progressBar, "progress-bar", true, "Boolean to set the progress bar. The default value is true.")
+	diffKsCmd.Flags().StringVar(&diffKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	diffCmd.AddCommand(diffKsCmd)
 }
 
@@ -66,12 +71,18 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 		return &RequestError{StatusCode: 2, Err: fmt.Errorf("invalid resource path %q", diffKsArgs.path)}
 	}
 
+	if diffKsArgs.kustomizationFile != "" {
+		if fs, err := os.Stat(diffKsArgs.kustomizationFile); os.IsNotExist(err) || fs.IsDir() {
+			return fmt.Errorf("invalid kustomization file %q", diffKsArgs.kustomizationFile)
+		}
+	}
+
 	var builder *build.Builder
 	var err error
 	if diffKsArgs.progressBar {
-		builder, err = build.NewBuilder(kubeconfigArgs, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithProgressBar())
+		builder, err = build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(diffKsArgs.kustomizationFile), build.WithProgressBar())
 	} else {
-		builder, err = build.NewBuilder(kubeconfigArgs, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout))
+		builder, err = build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(diffKsArgs.kustomizationFile))
 	}
 
 	if err != nil {

cmd/flux/diff_kustomization_test.go

@@ -97,7 +97,7 @@ func TestDiffKustomization(t *testing.T) {
 		"fluxns": allocateNamespace("flux-system"),
 	}
 
-	b, _ := build.NewBuilder(kubeconfigArgs, "podinfo", "")
+	b, _ := build.NewBuilder(kubeconfigArgs, kubeclientOptions, "podinfo", "")
 
 	resourceManager, err := b.Manager()
 	if err != nil {

cmd/flux/export.go

@@ -74,7 +74,7 @@ func (export exportCommand) run(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/export_secret.go

@@ -59,7 +59,7 @@ func (export exportWithSecretCommand) run(cmd *cobra.Command, args []string) err
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/export_source_bucket.go

@@ -21,7 +21,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var exportSourceBucketCmd = &cobra.Command{

cmd/flux/export_source_git.go

@@ -21,7 +21,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var exportSourceGitCmd = &cobra.Command{

cmd/flux/export_source_helm.go

@@ -21,7 +21,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var exportSourceHelmCmd = &cobra.Command{

cmd/flux/export_source_oci.go

@@ -0,0 +1,92 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var exportSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Export OCIRepository sources in YAML format",
+	Long:  "The export source oci command exports one or all OCIRepository sources in YAML format.",
+	Example: `  # Export all OCIRepository sources
+  flux export source oci --all > sources.yaml
+
+  # Export a OCIRepository including the static credentials
+  flux export source oci my-app --with-credentials > source.yaml`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
+	RunE: exportWithSecretCommand{
+		list:   ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
+		object: ociRepositoryAdapter{&sourcev1.OCIRepository{}},
+	}.run,
+}
+
+func init() {
+	exportSourceCmd.AddCommand(exportSourceOCIRepositoryCmd)
+}
+
+func exportOCIRepository(source *sourcev1.OCIRepository) interface{} {
+	gvk := sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)
+	export := sourcev1.OCIRepository{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        source.Name,
+			Namespace:   source.Namespace,
+			Labels:      source.Labels,
+			Annotations: source.Annotations,
+		},
+		Spec: source.Spec,
+	}
+	return export
+}
+
+func getOCIRepositorySecret(source *sourcev1.OCIRepository) *types.NamespacedName {
+	if source.Spec.SecretRef != nil {
+		namespacedName := types.NamespacedName{
+			Namespace: source.Namespace,
+			Name:      source.Spec.SecretRef.Name,
+		}
+
+		return &namespacedName
+	}
+
+	return nil
+}
+
+func (ex ociRepositoryAdapter) secret() *types.NamespacedName {
+	return getOCIRepositorySecret(ex.OCIRepository)
+}
+
+func (ex ociRepositoryListAdapter) secretItem(i int) *types.NamespacedName {
+	return getOCIRepositorySecret(&ex.OCIRepositoryList.Items[i])
+}
+
+func (ex ociRepositoryAdapter) export() interface{} {
+	return exportOCIRepository(ex.OCIRepository)
+}
+
+func (ex ociRepositoryListAdapter) exportItem(i int) interface{} {
+	return exportOCIRepository(&ex.OCIRepositoryList.Items[i])
+}

cmd/flux/get.go

@@ -33,6 +33,7 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
 
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/printers"
 )
 
 type deriveType func(runtime.Object) (summarisable, error)
@@ -135,7 +136,7 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -161,7 +162,9 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 	}
 
 	if get.list.len() == 0 {
-		if !getAll {
+		if len(args) > 0 {
+			logger.Failuref("%s object '%s' not found in '%s' namespace", get.kind, args[0], *kubeconfigArgs.Namespace)
+		} else if !getAll {
 			logger.Failuref("no %s objects found in %s namespace", get.kind, *kubeconfigArgs.Namespace)
 		}
 		return nil
@@ -177,7 +180,10 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	utils.PrintTable(cmd.OutOrStdout(), header, rows)
+	err = printers.TablePrinter(header).Print(cmd.OutOrStdout(), rows)
+	if err != nil {
+		return err
+	}
 
 	if getAll {
 		fmt.Println()
@@ -242,10 +248,16 @@ func watchUntil(ctx context.Context, w watch.Interface, get *getCommand) (bool,
 			return false, err
 		}
 		if firstIteration {
-			utils.PrintTable(os.Stdout, header, rows)
+			err = printers.TablePrinter(header).Print(os.Stdout, rows)
+			if err != nil {
+				return false, err
+			}
 			firstIteration = false
 		} else {
-			utils.PrintTable(os.Stdout, []string{}, rows)
+			err = printers.TablePrinter([]string{}).Print(os.Stdout, rows)
+			if err != nil {
+				return false, err
+			}
 		}
 
 		return false, nil

cmd/flux/get_alert.go

@@ -77,11 +77,11 @@ func init() {
 func (s alertListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
-	return append(nameColumns(&item, includeNamespace, includeKind), status, msg, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+	return append(nameColumns(&item, includeNamespace, includeKind), strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (s alertListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Ready", "Message", "Suspended"}
+	headers := []string{"Name", "Suspended", "Ready", "Message"}
 	if includeNamespace {
 		return append(namespaceHeader, headers...)
 	}

cmd/flux/get_helmrelease.go

@@ -75,11 +75,11 @@ func (a helmReleaseListAdapter) summariseItem(i int, includeNamespace bool, incl
 	revision := item.Status.LastAppliedRevision
 	status, msg := statusAndMessage(item.Status.Conditions)
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		status, msg, revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a helmReleaseListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
+	headers := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
 	if includeNamespace {
 		headers = append([]string{"Namespace"}, headers...)
 	}

cmd/flux/get_image_policy.go

@@ -74,11 +74,11 @@ func init() {
 func (s imagePolicyListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
-	return append(nameColumns(&item, includeNamespace, includeKind), status, msg, item.Status.LatestImage)
+	return append(nameColumns(&item, includeNamespace, includeKind), item.Status.LatestImage, status, msg)
 }
 
 func (s imagePolicyListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Ready", "Message", "Latest image"}
+	headers := []string{"Name", "Latest image", "Ready", "Message"}
 	if includeNamespace {
 		return append(namespaceHeader, headers...)
 	}

cmd/flux/get_image_repository.go

@@ -82,11 +82,11 @@ func (s imageRepositoryListAdapter) summariseItem(i int, includeNamespace bool,
 		lastScan = item.Status.LastScanResult.ScanTime.Time.Format(time.RFC3339)
 	}
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		status, msg, lastScan, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+		lastScan, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (s imageRepositoryListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Ready", "Message", "Last scan", "Suspended"}
+	headers := []string{"Name", "Last scan", "Suspended", "Ready", "Message"}
 	if includeNamespace {
 		return append(namespaceHeader, headers...)
 	}

cmd/flux/get_image_update.go

@@ -81,11 +81,11 @@ func (s imageUpdateAutomationListAdapter) summariseItem(i int, includeNamespace
 	if item.Status.LastAutomationRunTime != nil {
 		lastRun = item.Status.LastAutomationRunTime.Time.Format(time.RFC3339)
 	}
-	return append(nameColumns(&item, includeNamespace, includeKind), status, msg, lastRun, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+	return append(nameColumns(&item, includeNamespace, includeKind), lastRun, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (s imageUpdateAutomationListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Ready", "Message", "Last run", "Suspended"}
+	headers := []string{"Name", "Last run", "Suspended", "Ready", "Message"}
 	if includeNamespace {
 		return append(namespaceHeader, headers...)
 	}

cmd/flux/get_kustomization.go

@@ -85,11 +85,11 @@ func (a kustomizationListAdapter) summariseItem(i int, includeNamespace bool, in
 		msg = shortenCommitSha(msg)
 	}
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		status, msg, revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a kustomizationListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
+	headers := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
 	if includeNamespace {
 		headers = append([]string{"Namespace"}, headers...)
 	}

cmd/flux/get_receiver.go

@@ -74,11 +74,11 @@ func init() {
 func (s receiverListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
-	return append(nameColumns(&item, includeNamespace, includeKind), status, msg, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+	return append(nameColumns(&item, includeNamespace, includeKind), strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (s receiverListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Ready", "Message", "Suspended"}
+	headers := []string{"Name", "Suspended", "Ready", "Message"}
 	if includeNamespace {
 		return append(namespaceHeader, headers...)
 	}

cmd/flux/get_source_all.go

@@ -21,7 +21,7 @@ import (
 
 	"github.com/spf13/cobra"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var getSourceAllCmd = &cobra.Command{
@@ -40,6 +40,10 @@ var getSourceAllCmd = &cobra.Command{
 		}
 
 		var allSourceCmd = []getCommand{
+			{
+				apiType: ociRepositoryType,
+				list:    &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
+			},
 			{
 				apiType: bucketType,
 				list:    &bucketListAdapter{&sourcev1.BucketList{}},

cmd/flux/get_source_bucket.go

@@ -24,7 +24,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var getSourceBucketCmd = &cobra.Command{
@@ -81,11 +81,11 @@ func (a *bucketListAdapter) summariseItem(i int, includeNamespace bool, includeK
 	}
 	status, msg := statusAndMessage(item.Status.Conditions)
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		status, msg, revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a bucketListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
+	headers := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
 	if includeNamespace {
 		headers = append([]string{"Namespace"}, headers...)
 	}

cmd/flux/get_source_chart.go

@@ -24,7 +24,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var getSourceHelmChartCmd = &cobra.Command{
@@ -81,11 +81,11 @@ func (a *helmChartListAdapter) summariseItem(i int, includeNamespace bool, inclu
 	}
 	status, msg := statusAndMessage(item.Status.Conditions)
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		status, msg, revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a helmChartListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
+	headers := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
 	if includeNamespace {
 		headers = append([]string{"Namespace"}, headers...)
 	}

cmd/flux/get_source_git.go

@@ -25,7 +25,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var getSourceGitCmd = &cobra.Command{
@@ -86,11 +86,11 @@ func (a *gitRepositoryListAdapter) summariseItem(i int, includeNamespace bool, i
 		msg = shortenCommitSha(msg)
 	}
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		status, msg, revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a gitRepositoryListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
+	headers := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
 	if includeNamespace {
 		headers = append([]string{"Namespace"}, headers...)
 	}

cmd/flux/get_source_helm.go

@@ -24,7 +24,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var getSourceHelmCmd = &cobra.Command{
@@ -81,11 +81,11 @@ func (a *helmRepositoryListAdapter) summariseItem(i int, includeNamespace bool,
 	}
 	status, msg := statusAndMessage(item.Status.Conditions)
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		status, msg, revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a helmRepositoryListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
+	headers := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
 	if includeNamespace {
 		headers = append([]string{"Namespace"}, headers...)
 	}

cmd/flux/get_source_oci.go

@@ -0,0 +1,98 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var getSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci",
+	Short: "Get OCIRepository status",
+	Long:  "The get sources oci command prints the status of the OCIRepository sources.",
+	Example: `  # List all OCIRepositories and their status
+  flux get sources oci
+
+  # List OCIRepositories from all namespaces
+  flux get sources oci --all-namespaces`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		get := getCommand{
+			apiType: ociRepositoryType,
+			list:    &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
+			funcMap: make(typeMap),
+		}
+
+		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
+			o, ok := obj.(*sourcev1.OCIRepository)
+			if !ok {
+				return nil, fmt.Errorf("impossible to cast type %#v to OCIRepository", obj)
+			}
+
+			sink := &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{
+				Items: []sourcev1.OCIRepository{
+					*o,
+				}}}
+			return sink, nil
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if err := get.run(cmd, args); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	getSourceCmd.AddCommand(getSourceOCIRepositoryCmd)
+}
+
+func (a *ociRepositoryListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
+	item := a.Items[i]
+	var revision string
+	if item.GetArtifact() != nil {
+		revision = item.GetArtifact().Revision
+	}
+	status, msg := statusAndMessage(item.Status.Conditions)
+	return append(nameColumns(&item, includeNamespace, includeKind),
+		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+}
+
+func (a ociRepositoryListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
+	if includeNamespace {
+		headers = append([]string{"Namespace"}, headers...)
+	}
+	return headers
+}
+
+func (a ociRepositoryListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/image_test.go

@@ -1,6 +1,22 @@
 //go:build e2e
 // +build e2e
 
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package main
 
 import "testing"

cmd/flux/install.go

@@ -27,6 +27,7 @@ import (
 
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/status"
 )
@@ -37,10 +38,13 @@ var installCmd = &cobra.Command{
 	Long: `The install command deploys Flux in the specified namespace.
 If a previous version is installed, then an in-place upgrade will be performed.`,
 	Example: `  # Install the latest version in the flux-system namespace
-  flux install --version=latest --namespace=flux-system
+  flux install --namespace=flux-system
 
-  # Install a specific version and a series of components
-  flux install --version=v0.0.7 --components="source-controller,kustomize-controller"
+  # Install a specific series of components
+  flux install --components="source-controller,kustomize-controller"
+
+  # Install all components including the image automation ones
+  flux install --components-extra="image-reflector-controller,image-automation-controller"
 
   # Install Flux onto tainted Kubernetes nodes
   flux install --toleration-keys=node.kubernetes.io/dedicated-to-flux
@@ -84,7 +88,7 @@ func init() {
 	installCmd.Flags().StringSliceVar(&installArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	installCmd.Flags().StringSliceVar(&installArgs.extraComponents, "components-extra", nil,
-		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
+		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
 	installCmd.Flags().StringVar(&installArgs.manifestsPath, "manifests", "", "path to the manifest directory")
 	installCmd.Flags().StringVar(&installArgs.registry, "registry", rootArgs.defaults.Registry,
 		"container registry where the toolkit images are published")
@@ -131,7 +135,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating manifests")
 	}
 
-	tmpDir, err := os.MkdirTemp("", *kubeconfigArgs.Namespace)
+	tmpDir, err := manifestgen.MkdirTempAbs("", *kubeconfigArgs.Namespace)
 	if err != nil {
 		return err
 	}
@@ -190,14 +194,14 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	applyOutput, err := utils.Apply(ctx, kubeconfigArgs, filepath.Join(tmpDir, manifest.Path))
+	applyOutput, err := utils.Apply(ctx, kubeconfigArgs, kubeclientOptions, tmpDir, filepath.Join(tmpDir, manifest.Path))
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
 	}
 
 	fmt.Fprintln(os.Stderr, applyOutput)
 
-	kubeConfig, err := utils.KubeConfig(kubeconfigArgs)
+	kubeConfig, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
 	}

cmd/flux/install_test.go

@@ -0,0 +1,53 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import "testing"
+
+func TestInstall(t *testing.T) {
+	// The pointer to kubeconfigArgs.Namespace is shared across
+	// the tests. When a new value is set, it will linger and
+	// impact subsequent tests.
+	// Given that this test uses an invalid namespace, it ensures
+	// to restore whatever value it had previously.
+	currentNamespace := *kubeconfigArgs.Namespace
+	defer func() {
+		*kubeconfigArgs.Namespace = currentNamespace
+	}()
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "invalid namespace",
+			args:   "install --namespace='@#[]'",
+			assert: assertError("namespace must be a valid DNS label: \"@#[]\""),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/list.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2021 The Flux authors
+Copyright 2022 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,22 +14,18 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package test
+package main
 
 import (
-	"context"
-	"os/exec"
-	"strings"
+	"github.com/spf13/cobra"
 )
 
-type whichTerraform struct{}
-
-func (w *whichTerraform) ExecPath(ctx context.Context) (string, error) {
-	cmd := exec.CommandContext(ctx, "which", "terraform")
-	output, err := cmd.Output()
-	if err != nil {
-		return "", err
-	}
-	path := strings.TrimSuffix(string(output), "\n")
-	return path, nil
+var listCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List artifacts",
+	Long:  "The list command is used for printing the OCI artifacts metadata.",
+}
+
+func init() {
+	rootCmd.AddCommand(listCmd)
 }

cmd/flux/list_artifact.go

@@ -0,0 +1,123 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/spf13/cobra"
+
+	oci "github.com/fluxcd/pkg/oci/client"
+
+	"github.com/fluxcd/flux2/pkg/printers"
+)
+
+type listArtifactFlags struct {
+	semverFilter string
+	regexFilter  string
+	creds        string
+	provider     flags.SourceOCIProvider
+}
+
+var listArtifactArgs = newListArtifactFlags()
+
+func newListArtifactFlags() listArtifactFlags {
+	return listArtifactFlags{
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+	}
+}
+
+var listArtifactsCmd = &cobra.Command{
+	Use:   "artifacts",
+	Short: "list artifacts",
+	Long: `The list command fetches the tags and their metadata from a remote OCI repository.
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
+	Example: `  # List the artifacts stored in an OCI repository
+  flux list artifact oci://ghcr.io/org/config/app
+`,
+	RunE: listArtifactsCmdRun,
+}
+
+func init() {
+	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.semverFilter, "filter-semver", "", "filter tags returned from the oci repository using semver")
+	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.regexFilter, "filter-regex", "", "filter tags returned from the oci repository using regex")
+	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
+	listArtifactsCmd.Flags().Var(&listArtifactArgs.provider, "provider", listArtifactArgs.provider.Description())
+
+	listCmd.AddCommand(listArtifactsCmd)
+}
+
+func listArtifactsCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("artifact repository URL is required")
+	}
+	ociURL := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	url, err := oci.ParseArtifactURL(ociURL)
+	if err != nil {
+		return err
+	}
+
+	ociClient := oci.NewLocalClient()
+
+	if listArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && listArtifactArgs.creds != "" {
+		logger.Actionf("logging in to registry with credentials")
+		if err := ociClient.LoginWithCredentials(listArtifactArgs.creds); err != nil {
+			return fmt.Errorf("could not login with credentials: %w", err)
+		}
+	}
+
+	if listArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+		logger.Actionf("logging in to registry with provider credentials")
+		ociProvider, err := listArtifactArgs.provider.ToOCIProvider()
+		if err != nil {
+			return fmt.Errorf("provider not supported: %w", err)
+		}
+
+		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
+			return fmt.Errorf("error during login with provider: %w", err)
+		}
+	}
+
+	opts := oci.ListOptions{
+		RegexFilter:  listArtifactArgs.regexFilter,
+		SemverFilter: listArtifactArgs.semverFilter,
+	}
+
+	metas, err := ociClient.List(ctx, url, opts)
+	if err != nil {
+		return err
+	}
+
+	var rows [][]string
+	for _, meta := range metas {
+		rows = append(rows, []string{meta.URL, meta.Digest, meta.Source, meta.Revision})
+	}
+
+	err = printers.TablePrinter([]string{"artifact", "digest", "source", "revision"}).Print(cmd.OutOrStdout(), rows)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

cmd/flux/logs.go

@@ -80,6 +80,8 @@ var logsArgs = &logsFlags{
 	tail: -1,
 }
 
+const controllerContainer = "manager"
+
 func init() {
 	logsCmd.Flags().Var(&logsArgs.logLevel, "level", logsArgs.logLevel.Description())
 	logsCmd.Flags().StringVarP(&logsArgs.kind, "kind", "", logsArgs.kind, "displays errors of a particular toolkit kind e.g GitRepository")
@@ -99,7 +101,7 @@ func logsCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	cfg, err := utils.KubeConfig(kubeconfigArgs)
+	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -146,6 +148,10 @@ func logsCmdRun(cmd *cobra.Command, args []string) error {
 
 	var requests []rest.ResponseWrapper
 	for _, pod := range pods {
+		logOpts := logOpts.DeepCopy()
+		if len(pod.Spec.Containers) > 1 {
+			logOpts.Container = controllerContainer
+		}
 		req := clientset.CoreV1().Pods(logsArgs.fluxNamespace).GetLogs(pod.Name, logOpts)
 		requests = append(requests, req)
 	}
@@ -198,12 +204,10 @@ func parallelPodLogs(ctx context.Context, requests []rest.ResponseWrapper) error
 	wg := &sync.WaitGroup{}
 	wg.Add(len(requests))
 
-	var mutex = &sync.Mutex{}
-
 	for _, request := range requests {
 		go func(req rest.ResponseWrapper) {
 			defer wg.Done()
-			if err := logRequest(mutex, ctx, req, os.Stdout); err != nil {
+			if err := logRequest(ctx, req, writer); err != nil {
 				writer.CloseWithError(err)
 				return
 			}
@@ -220,9 +224,8 @@ func parallelPodLogs(ctx context.Context, requests []rest.ResponseWrapper) error
 }
 
 func podLogs(ctx context.Context, requests []rest.ResponseWrapper) error {
-	mutex := &sync.Mutex{}
 	for _, req := range requests {
-		if err := logRequest(mutex, ctx, req, os.Stdout); err != nil {
+		if err := logRequest(ctx, req, os.Stdout); err != nil {
 			return err
 		}
 	}
@@ -240,7 +243,7 @@ func createLabelStringFromMap(m map[string]string) string {
 	return strings.Join(strArr, ",")
 }
 
-func logRequest(mu *sync.Mutex, ctx context.Context, request rest.ResponseWrapper, w io.Writer) error {
+func logRequest(ctx context.Context, request rest.ResponseWrapper, w io.Writer) error {
 	stream, err := request.Stream(ctx)
 	if err != nil {
 		return err
@@ -249,12 +252,13 @@ func logRequest(mu *sync.Mutex, ctx context.Context, request rest.ResponseWrappe
 
 	scanner := bufio.NewScanner(stream)
 
-	const logTmpl = "{{.Timestamp}} {{.Level}} {{.Kind}}{{if .Name}}/{{.Name}}.{{.Namespace}}{{end}} - {{.Message}} {{.Error}}\n"
+	const logTmpl = "{{.Timestamp}} {{.Level}} {{or .Kind .ControllerKind}}{{if .Name}}/{{.Name}}.{{.Namespace}}{{end}} - {{.Message}} {{.Error}}\n"
 	t, err := template.New("log").Parse(logTmpl)
 	if err != nil {
 		return fmt.Errorf("unable to create template, err: %s", err)
 	}
 
+	bw := bufio.NewWriter(w)
 	for scanner.Scan() {
 		line := scanner.Text()
 		if !strings.HasPrefix(line, "{") {
@@ -265,36 +269,33 @@ func logRequest(mu *sync.Mutex, ctx context.Context, request rest.ResponseWrappe
 			logger.Failuref("parse error: %s", err)
 			break
 		}
-
-		mu.Lock()
-		filterPrintLog(t, &l)
-		mu.Unlock()
+		filterPrintLog(t, &l, bw)
+		bw.Flush()
 	}
 
 	return nil
 }
 
-func filterPrintLog(t *template.Template, l *ControllerLogEntry) {
-	if logsArgs.logLevel != "" && logsArgs.logLevel != l.Level ||
-		logsArgs.kind != "" && strings.ToLower(logsArgs.kind) != strings.ToLower(l.Kind) ||
-		logsArgs.name != "" && strings.ToLower(logsArgs.name) != strings.ToLower(l.Name) ||
-		!logsArgs.allNamespaces && strings.ToLower(*kubeconfigArgs.Namespace) != strings.ToLower(l.Namespace) {
-		return
-	}
-
-	err := t.Execute(os.Stdout, l)
-	if err != nil {
-		logger.Failuref("log template error: %s", err)
+func filterPrintLog(t *template.Template, l *ControllerLogEntry, w io.Writer) {
+	if (logsArgs.logLevel == "" || logsArgs.logLevel == l.Level) &&
+		(logsArgs.kind == "" || strings.EqualFold(logsArgs.kind, l.Kind) || strings.EqualFold(logsArgs.kind, l.ControllerKind)) &&
+		(logsArgs.name == "" || strings.EqualFold(logsArgs.name, l.Name)) &&
+		(logsArgs.allNamespaces || strings.EqualFold(*kubeconfigArgs.Namespace, l.Namespace)) {
+		err := t.Execute(w, l)
+		if err != nil {
+			logger.Failuref("log template error: %s", err)
+		}
 	}
 }
 
 type ControllerLogEntry struct {
-	Timestamp string         `json:"ts"`
-	Level     flags.LogLevel `json:"level"`
-	Message   string         `json:"msg"`
-	Error     string         `json:"error,omitempty"`
-	Logger    string         `json:"logger"`
-	Kind      string         `json:"reconciler kind,omitempty"`
-	Name      string         `json:"name,omitempty"`
-	Namespace string         `json:"namespace,omitempty"`
+	Timestamp      string         `json:"ts"`
+	Level          flags.LogLevel `json:"level"`
+	Message        string         `json:"msg"`
+	Error          string         `json:"error,omitempty"`
+	Logger         string         `json:"logger"`
+	Kind           string         `json:"reconciler kind,omitempty"`
+	ControllerKind string         `json:"controllerKind,omitempty"`
+	Name           string         `json:"name,omitempty"`
+	Namespace      string         `json:"namespace,omitempty"`
 }

cmd/flux/logs_test.go

@@ -20,7 +20,14 @@ limitations under the License.
 package main
 
 import (
+	"bytes"
+	"context"
+	"io"
+	"os"
+	"strings"
 	"testing"
+
+	. "github.com/onsi/gomega"
 )
 
 func TestLogsNoArgs(t *testing.T) {
@@ -78,3 +85,106 @@ func TestLogsSinceOnlyOneAllowed(t *testing.T) {
 	}
 	cmd.runTestCmd(t)
 }
+
+func TestLogRequest(t *testing.T) {
+	mapper := &testResponseMapper{}
+	tests := []struct {
+		name       string
+		namespace  string
+		flags      *logsFlags
+		assertFile string
+	}{
+		{
+			name: "all logs",
+			flags: &logsFlags{
+				tail:          -1,
+				allNamespaces: true,
+			},
+			assertFile: "testdata/logs/all-logs.txt",
+		},
+		{
+			name:      "filter by namespace",
+			namespace: "default",
+			flags: &logsFlags{
+				tail: -1,
+			},
+			assertFile: "testdata/logs/namespace.txt",
+		},
+		{
+			name: "filter by kind and namespace",
+			flags: &logsFlags{
+				tail: -1,
+				kind: "Kustomization",
+			},
+			assertFile: "testdata/logs/kind.txt",
+		},
+		{
+			name: "filter by loglevel",
+			flags: &logsFlags{
+				tail:          -1,
+				logLevel:      "error",
+				allNamespaces: true,
+			},
+			assertFile: "testdata/logs/log-level.txt",
+		},
+		{
+			name:      "filter by namespace, name, loglevel and kind",
+			namespace: "flux-system",
+			flags: &logsFlags{
+				tail:     -1,
+				logLevel: "error",
+				kind:     "Kustomization",
+				name:     "podinfo",
+			},
+			assertFile: "testdata/logs/multiple-filters.txt",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			logsArgs = tt.flags
+			if tt.namespace != "" {
+				*kubeconfigArgs.Namespace = tt.namespace
+			}
+			w := bytes.NewBuffer([]byte{})
+			err := logRequest(context.Background(), mapper, w)
+			g.Expect(err).To(BeNil())
+
+			got := make([]byte, w.Len())
+			_, err = w.Read(got)
+			g.Expect(err).To(BeNil())
+
+			expected, err := os.ReadFile(tt.assertFile)
+			g.Expect(err).To(BeNil())
+
+			g.Expect(string(got)).To(Equal(string(expected)))
+
+			// reset flags to default
+			*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
+			logsArgs = &logsFlags{
+				tail: -1,
+			}
+		})
+	}
+}
+
+var testPodLogs = `{"level":"info","ts":"2022-08-02T12:55:34.419Z","msg":"no changes since last reconcilation: observed revision","controller":"gitrepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"GitRepository","gitRepository":{"name":"podinfo","namespace":"default"},"namespace":"default","name":"podinfo","reconcileID":"5ef9b2ef-4ea5-47b7-b887-a247cafc1bce"}
+{"level":"error","ts":"2022-08-02T12:56:04.679Z","logger":"controller.gitrepository","msg":"no changes since last reconcilation: observed revision","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"GitRepository","gitRepository":{"name":"podinfo","namespace":"flux-system"},"name":"flux-system","namespace":"flux-system","reconcileID":"543ef9b2ef-4ea5-47b7-b887-a247cafc1bce"}
+{"level":"error","ts":"2022-08-02T12:56:34.961Z","logger":"controller.kustomization","msg":"no changes since last reconcilation: observed revision","reconciler group":"kustomize.toolkit.fluxcd.io","reconciler kind":"Kustomization","name":"flux-system","namespace":"flux-system"}
+{"level":"info","ts":"2022-08-02T12:56:34.961Z","logger":"controller.kustomization","msg":"no changes since last reconcilation: observed revision","reconciler group":"kustomize.toolkit.fluxcd.io","reconciler kind":"Kustomization","name":"podinfo","namespace":"default"}
+{"level":"info","ts":"2022-08-02T12:56:34.961Z","logger":"controller.gitrepository","msg":"no changes since last reconcilation: observed revision","reconciler group":"source.toolkit.fluxcd.io","reconciler kind":"GitRepository","name":"podinfo","namespace":"default"}
+{"level":"error","ts":"2022-08-02T12:56:34.961Z","logger":"controller.kustomization","msg":"no changes since last reconcilation: observed revision","reconciler group":"kustomize.toolkit.fluxcd.io","reconciler kind":"Kustomization","name":"podinfo","namespace":"flux-system"}
+`
+
+type testResponseMapper struct {
+}
+
+func (t *testResponseMapper) DoRaw(_ context.Context) ([]byte, error) {
+	return nil, nil
+}
+
+func (t *testResponseMapper) Stream(_ context.Context) (io.ReadCloser, error) {
+	return io.NopCloser(strings.NewReader(testPodLogs)), nil
+}

cmd/flux/main.go

@@ -27,9 +27,12 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
+	runclient "github.com/fluxcd/pkg/runtime/client"
+
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 )
 
@@ -94,6 +97,18 @@ Command line utility for assembling Kubernetes CD pipelines the GitOps way.`,
 
   # Uninstall Flux and delete CRDs
   flux uninstall`,
+	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+		ns, err := cmd.Flags().GetString("namespace")
+		if err != nil {
+			return fmt.Errorf("error getting namespace: %w", err)
+		}
+
+		if e := validation.IsDNS1123Label(ns); len(e) > 0 {
+			return fmt.Errorf("namespace must be a valid DNS label: %q", ns)
+		}
+
+		return nil
+	},
 }
 
 var logger = stderrLogger{stderr: os.Stderr}
@@ -117,6 +132,7 @@ func (r *RequestError) Error() string {
 
 var rootArgs = NewRootFlags()
 var kubeconfigArgs = genericclioptions.NewConfigFlags(false)
+var kubeclientOptions = new(runclient.Options)
 
 func init() {
 	rootCmd.PersistentFlags().DurationVar(&rootArgs.timeout, "timeout", 5*time.Minute, "timeout for this operation")
@@ -134,6 +150,8 @@ func init() {
 	kubeconfigArgs.APIServer = &apiServer
 	rootCmd.PersistentFlags().StringVar(kubeconfigArgs.APIServer, "server", *kubeconfigArgs.APIServer, "The address and port of the Kubernetes API server")
 
+	kubeclientOptions.BindFlags(rootCmd.PersistentFlags())
+
 	rootCmd.RegisterFlagCompletionFunc("context", contextsCompletionFunc)
 	rootCmd.RegisterFlagCompletionFunc("namespace", resourceNamesCompletionFunc(corev1.SchemeGroupVersion.WithKind("Namespace")))
 
@@ -173,17 +191,18 @@ func configureDefaultNamespace() {
 	*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
 	fromEnv := os.Getenv("FLUX_SYSTEM_NAMESPACE")
 	if fromEnv != "" {
+		// namespace must be a valid DNS label. Assess against validation
+		// used upstream, and ignore invalid values as environment vars
+		// may not be actively provided by end-user.
+		if e := validation.IsDNS1123Label(fromEnv); len(e) > 0 {
+			logger.Warningf(" ignoring invalid FLUX_SYSTEM_NAMESPACE: %q", fromEnv)
+			return
+		}
+
 		kubeconfigArgs.Namespace = &fromEnv
 	}
 }
 
-func homeDir() string {
-	if h := os.Getenv("HOME"); h != "" {
-		return h
-	}
-	return os.Getenv("USERPROFILE") // windows
-}
-
 // readPasswordFromStdin reads a password from stdin and returns the input
 // with trailing newline and/or carriage return removed. It also makes sure that terminal
 // echoing is turned off if stdin is a terminal.

cmd/flux/main_test.go

@@ -20,6 +20,7 @@ import (
 	"bufio"
 	"bytes"
 	"context"
+	"flag"
 	"fmt"
 	"io"
 	"os"
@@ -42,6 +43,9 @@ import (
 
 var nextNamespaceId int64
 
+// update allows golden files to be updated based on the current output.
+var update = flag.Bool("update", false, "update golden files")
+
 // Return a unique namespace with the specified prefix, for tests to create
 // objects that won't collide with each other.
 func allocateNamespace(prefix string) string {
@@ -284,24 +288,38 @@ func assertGoldenFile(goldenFile string) assertFunc {
 // is pre-processed with the specified templateValues.
 func assertGoldenTemplateFile(goldenFile string, templateValues map[string]string) assertFunc {
 	goldenFileContents, fileErr := os.ReadFile(goldenFile)
-	return func(output string, err error) error {
-		if fileErr != nil {
-			return fmt.Errorf("Error reading golden file '%s': %s", goldenFile, fileErr)
-		}
-		var expectedOutput string
-		if len(templateValues) > 0 {
-			expectedOutput, err = executeTemplate(string(goldenFileContents), templateValues)
-			if err != nil {
-				return fmt.Errorf("Error executing golden template file '%s': %s", goldenFile, err)
+	return assert(
+		assertSuccess(),
+		func(output string, err error) error {
+			if fileErr != nil {
+				return fmt.Errorf("Error reading golden file '%s': %s", goldenFile, fileErr)
 			}
-		} else {
-			expectedOutput = string(goldenFileContents)
-		}
-		if assertErr := assertGoldenValue(expectedOutput)(output, err); assertErr != nil {
-			return fmt.Errorf("Mismatch from golden file '%s': %v", goldenFile, assertErr)
-		}
-		return nil
-	}
+			var expectedOutput string
+			if len(templateValues) > 0 {
+				expectedOutput, err = executeTemplate(string(goldenFileContents), templateValues)
+				if err != nil {
+					return fmt.Errorf("Error executing golden template file '%s': %s", goldenFile, err)
+				}
+			} else {
+				expectedOutput = string(goldenFileContents)
+			}
+			if assertErr := assertGoldenValue(expectedOutput)(output, err); assertErr != nil {
+				// Update the golden files if comparison fails and the update flag is set.
+				if *update && output != "" {
+					// Skip update if there are template values.
+					if len(templateValues) > 0 {
+						fmt.Println("NOTE: -update flag passed but golden template files can't be updated, please update it manually")
+					} else {
+						if err := os.WriteFile(goldenFile, []byte(output), 0644); err != nil {
+							return fmt.Errorf("failed to update golden file '%s': %v", goldenFile, err)
+						}
+						return nil
+					}
+				}
+				return fmt.Errorf("Mismatch from golden file '%s': %v", goldenFile, assertErr)
+			}
+			return nil
+		})
 }
 
 type TestClusterMode int
@@ -325,7 +343,6 @@ type cmdTestCase struct {
 
 func (cmd *cmdTestCase) runTestCmd(t *testing.T) {
 	actual, testErr := executeCommand(cmd.args)
-
 	// If the cmd error is a change, discard it
 	if isChangeError(testErr) {
 		testErr = nil
@@ -367,10 +384,51 @@ func executeCommand(cmd string) (string, error) {
 	return result, err
 }
 
+// resetCmdArgs resets the flags for various cmd
+// Note: this will also clear default value of the flags set in init()
 func resetCmdArgs() {
+	*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
+	alertArgs = alertFlags{}
+	alertProviderArgs = alertProviderFlags{}
+	bootstrapArgs = NewBootstrapFlags()
+	bServerArgs = bServerFlags{}
+	buildKsArgs = buildKsFlags{}
+	checkArgs = checkFlags{}
 	createArgs = createFlags{}
+	deleteArgs = deleteFlags{}
+	diffKsArgs = diffKsFlags{}
+	exportArgs = exportFlags{}
 	getArgs = GetFlags{}
+	gitArgs = gitFlags{}
+	githubArgs = githubFlags{}
+	gitlabArgs = gitlabFlags{}
+	helmReleaseArgs = helmReleaseFlags{
+		reconcileStrategy: "ChartVersion",
+	}
+	imagePolicyArgs = imagePolicyFlags{}
+	imageRepoArgs = imageRepoFlags{}
+	imageUpdateArgs = imageUpdateFlags{}
+	kustomizationArgs = NewKustomizationFlags()
+	receiverArgs = receiverFlags{}
+	resumeArgs = ResumeFlags{}
+	rhrArgs = reconcileHelmReleaseFlags{}
+	rksArgs = reconcileKsFlags{}
 	secretGitArgs = NewSecretGitFlags()
+	secretHelmArgs = secretHelmFlags{}
+	secretTLSArgs = secretTLSFlags{}
+	sourceBucketArgs = sourceBucketFlags{}
+	sourceGitArgs = newSourceGitFlags()
+	sourceHelmArgs = sourceHelmFlags{}
+	sourceOCIRepositoryArgs = sourceOCIRepositoryFlags{}
+	suspendArgs = SuspendFlags{}
+	tenantArgs = tenantFlags{}
+	traceArgs = traceFlags{}
+	treeKsArgs = TreeKsFlags{}
+	uninstallArgs = uninstallFlags{}
+	versionArgs = versionFlags{
+		output: "yaml",
+	}
+
 }
 
 func isChangeError(err error) bool {

cmd/flux/pull.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var pullCmd = &cobra.Command{
+	Use:   "pull",
+	Short: "Pull artifacts",
+	Long:  "The pull command is used to download OCI artifacts.",
+}
+
+func init() {
+	rootCmd.AddCommand(pullCmd)
+}

cmd/flux/pull_artifact.go

@@ -0,0 +1,119 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/spf13/cobra"
+
+	oci "github.com/fluxcd/pkg/oci/client"
+)
+
+var pullArtifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Pull artifact",
+	Long: `The pull artifact command downloads and extracts the OCI artifact content to the given path.
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
+	Example: `  # Pull an OCI artifact created by flux from GHCR
+  flux pull artifact oci://ghcr.io/org/manifests/app:v0.0.1 --output ./path/to/local/manifests
+`,
+	RunE: pullArtifactCmdRun,
+}
+
+type pullArtifactFlags struct {
+	output   string
+	creds    string
+	provider flags.SourceOCIProvider
+}
+
+var pullArtifactArgs = newPullArtifactFlags()
+
+func newPullArtifactFlags() pullArtifactFlags {
+	return pullArtifactFlags{
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+	}
+}
+
+func init() {
+	pullArtifactCmd.Flags().StringVarP(&pullArtifactArgs.output, "output", "o", "", "path where the artifact content should be extracted.")
+	pullArtifactCmd.Flags().StringVar(&pullArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
+	pullArtifactCmd.Flags().Var(&pullArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
+	pullCmd.AddCommand(pullArtifactCmd)
+}
+
+func pullArtifactCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("artifact URL is required")
+	}
+	ociURL := args[0]
+
+	if pullArtifactArgs.output == "" {
+		return fmt.Errorf("invalid output path %s", pullArtifactArgs.output)
+	}
+
+	if fs, err := os.Stat(pullArtifactArgs.output); err != nil || !fs.IsDir() {
+		return fmt.Errorf("invalid output path %s", pullArtifactArgs.output)
+	}
+
+	url, err := oci.ParseArtifactURL(ociURL)
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	ociClient := oci.NewLocalClient()
+
+	if pullArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pullArtifactArgs.creds != "" {
+		logger.Actionf("logging in to registry with credentials")
+		if err := ociClient.LoginWithCredentials(pullArtifactArgs.creds); err != nil {
+			return fmt.Errorf("could not login with credentials: %w", err)
+		}
+	}
+
+	if pullArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+		logger.Actionf("logging in to registry with provider credentials")
+		ociProvider, err := pullArtifactArgs.provider.ToOCIProvider()
+		if err != nil {
+			return fmt.Errorf("provider not supported: %w", err)
+		}
+
+		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
+			return fmt.Errorf("error during login with provider: %w", err)
+		}
+	}
+
+	logger.Actionf("pulling artifact from %s", url)
+
+	meta, err := ociClient.Pull(ctx, url, pullArtifactArgs.output)
+	if err != nil {
+		return err
+	}
+
+	logger.Successf("source %s", meta.Source)
+	logger.Successf("revision %s", meta.Revision)
+	logger.Successf("digest %s", meta.Digest)
+	logger.Successf("artifact content extracted to %s", pullArtifactArgs.output)
+
+	return nil
+}

cmd/flux/push.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var pushCmd = &cobra.Command{
+	Use:   "push",
+	Short: "Push artifacts",
+	Long:  "The push command is used to publish OCI artifacts.",
+}
+
+func init() {
+	rootCmd.AddCommand(pushCmd)
+}

cmd/flux/push_artifact.go

@@ -0,0 +1,163 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/spf13/cobra"
+
+	oci "github.com/fluxcd/pkg/oci/client"
+)
+
+var pushArtifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Push artifact",
+	Long: `The push artifact command creates a tarball from the given directory and uploads the artifact to an OCI repository.
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
+	Example: `  # Push manifests to GHCR using the short Git SHA as the OCI artifact tag
+  echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin
+  flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
+	--path="./path/to/local/manifests" \
+	--source="$(git config --get remote.origin.url)" \
+	--revision="$(git branch --show-current)/$(git rev-parse HEAD)"
+
+  # Push manifests to Docker Hub using the Git tag as the OCI artifact tag
+  echo $DOCKER_PAT | docker login --username flux --password-stdin
+  flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
+	--path="./path/to/local/manifests" \
+	--source="$(git config --get remote.origin.url)" \
+	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
+
+  # Login directly to the registry provider
+  # You might need to export the following variable if you use local config files for AWS:
+  # export AWS_SDK_LOAD_CONFIG=1
+  flux push artifact oci://<account>.dkr.ecr.<region>.amazonaws.com/foo:v1:$(git tag --points-at HEAD) \
+	--path="./path/to/local/manifests" \
+	--source="$(git config --get remote.origin.url)" \
+	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" \
+	--provider aws
+
+  # Or pass credentials directly
+  flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
+	--path="./path/to/local/manifests" \
+	--source="$(git config --get remote.origin.url)" \
+	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" \
+	--creds flux:$DOCKER_PAT
+`,
+	RunE: pushArtifactCmdRun,
+}
+
+type pushArtifactFlags struct {
+	path        string
+	source      string
+	revision    string
+	creds       string
+	provider    flags.SourceOCIProvider
+	ignorePaths []string
+}
+
+var pushArtifactArgs = newPushArtifactFlags()
+
+func newPushArtifactFlags() pushArtifactFlags {
+	return pushArtifactFlags{
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+	}
+}
+
+func init() {
+	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.path, "path", "", "path to the directory where the Kubernetes manifests are located")
+	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.source, "source", "", "the source address, e.g. the Git URL")
+	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.revision, "revision", "", "the source revision in the format '<branch|tag>/<commit-sha>'")
+	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
+	pushArtifactCmd.Flags().Var(&pushArtifactArgs.provider, "provider", pushArtifactArgs.provider.Description())
+	pushArtifactCmd.Flags().StringSliceVar(&pushArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
+
+	pushCmd.AddCommand(pushArtifactCmd)
+}
+
+func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("artifact URL is required")
+	}
+	ociURL := args[0]
+
+	if pushArtifactArgs.source == "" {
+		return fmt.Errorf("--source is required")
+	}
+
+	if pushArtifactArgs.revision == "" {
+		return fmt.Errorf("--revision is required")
+	}
+
+	if pushArtifactArgs.path == "" {
+		return fmt.Errorf("invalid path %q", pushArtifactArgs.path)
+	}
+
+	url, err := oci.ParseArtifactURL(ociURL)
+	if err != nil {
+		return err
+	}
+
+	if fs, err := os.Stat(pushArtifactArgs.path); err != nil || !fs.IsDir() {
+		return fmt.Errorf("invalid path %q", pushArtifactArgs.path)
+	}
+
+	meta := oci.Metadata{
+		Source:   pushArtifactArgs.source,
+		Revision: pushArtifactArgs.revision,
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	ociClient := oci.NewLocalClient()
+
+	if pushArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pushArtifactArgs.creds != "" {
+		logger.Actionf("logging in to registry with credentials")
+		if err := ociClient.LoginWithCredentials(pushArtifactArgs.creds); err != nil {
+			return fmt.Errorf("could not login with credentials: %w", err)
+		}
+	}
+
+	if pushArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+		logger.Actionf("logging in to registry with provider credentials")
+		ociProvider, err := pushArtifactArgs.provider.ToOCIProvider()
+		if err != nil {
+			return fmt.Errorf("provider not supported: %w", err)
+		}
+
+		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
+			return fmt.Errorf("error during login with provider: %w", err)
+		}
+	}
+
+	logger.Actionf("pushing artifact to %s", url)
+
+	digest, err := ociClient.Push(ctx, url, pushArtifactArgs.path, meta, pushArtifactArgs.ignorePaths)
+	if err != nil {
+		return fmt.Errorf("pushing artifact failed: %w", err)
+	}
+
+	logger.Successf("artifact successfully pushed to %s", digest)
+
+	return nil
+}

cmd/flux/reconcile.go

@@ -60,13 +60,22 @@ type reconcilable interface {
 	GetAnnotations() map[string]string
 	SetAnnotations(map[string]string)
 
-	// this is usually implemented by GOTK types, since it's used for meta.SetResourceCondition
-	GetStatusConditions() *[]metav1.Condition
-
 	lastHandledReconcileRequest() string // what was the last handled reconcile request?
 	successMessage() string              // what do you want to tell people when successfully reconciled?
 }
 
+func reconcilableConditions(object reconcilable) []metav1.Condition {
+	if s, ok := object.(meta.ObjectWithConditions); ok {
+		return s.GetConditions()
+	}
+
+	if s, ok := object.(oldConditions); ok {
+		return *s.GetStatusConditions()
+	}
+
+	return []metav1.Condition{}
+}
+
 func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("%s name is required", reconcile.kind)
@@ -76,7 +85,7 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -118,7 +127,7 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 		reconciliationHandled(ctx, kubeClient, namespacedName, reconcile.object, lastHandledReconcileAt)); err != nil {
 		return err
 	}
-	readyCond := apimeta.FindStatusCondition(*reconcile.object.GetStatusConditions(), meta.ReadyCondition)
+	readyCond := apimeta.FindStatusCondition(reconcilableConditions(reconcile.object), meta.ReadyCondition)
 	if readyCond == nil {
 		return fmt.Errorf("status can't be determined")
 	}
@@ -137,7 +146,7 @@ func reconciliationHandled(ctx context.Context, kubeClient client.Client,
 		if err != nil {
 			return false, err
 		}
-		isProgressing := apimeta.IsStatusConditionPresentAndEqual(*obj.GetStatusConditions(),
+		isProgressing := apimeta.IsStatusConditionPresentAndEqual(reconcilableConditions(obj),
 			meta.ReadyCondition, metav1.ConditionUnknown)
 		return obj.lastHandledReconcileRequest() != lastHandledReconcileAt && !isProgressing, nil
 	}
@@ -174,7 +183,7 @@ func isReconcileReady(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}
 
-		if c := apimeta.FindStatusCondition(*obj.GetStatusConditions(), meta.ReadyCondition); c != nil {
+		if c := apimeta.FindStatusCondition(reconcilableConditions(obj), meta.ReadyCondition); c != nil {
 			switch c.Status {
 			case metav1.ConditionTrue:
 				return true, nil

cmd/flux/reconcile_alertprovider.go

@@ -54,7 +54,7 @@ func reconcileAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/reconcile_helmrelease.go

@@ -21,7 +21,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var reconcileHrCmd = &cobra.Command{

cmd/flux/reconcile_kustomization.go

@@ -21,7 +21,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var reconcileKsCmd = &cobra.Command{
@@ -65,6 +65,11 @@ func (obj kustomizationAdapter) reconcileSource() bool {
 func (obj kustomizationAdapter) getSource() (reconcileCommand, types.NamespacedName) {
 	var cmd reconcileCommand
 	switch obj.Spec.SourceRef.Kind {
+	case sourcev1.OCIRepositoryKind:
+		cmd = reconcileCommand{
+			apiType: ociRepositoryType,
+			object:  ociRepositoryAdapter{&sourcev1.OCIRepository{}},
+		}
 	case sourcev1.GitRepositoryKind:
 		cmd = reconcileCommand{
 			apiType: gitRepositoryType,

cmd/flux/reconcile_receiver.go

@@ -54,7 +54,7 @@ func reconcileReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	kubeClient, err := utils.KubeClient(kubeconfigArgs)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

cmd/flux/reconcile_source_bucket.go

@@ -17,18 +17,11 @@ limitations under the License.
 package main
 
 import (
-	"context"
 	"fmt"
 
 	"github.com/spf13/cobra"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var reconcileSourceBucketCmd = &cobra.Command{
@@ -48,31 +41,6 @@ func init() {
 	reconcileSourceCmd.AddCommand(reconcileSourceBucketCmd)
 }
 
-func isBucketReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, bucket *sourcev1.Bucket) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, bucket)
-		if err != nil {
-			return false, err
-		}
-
-		// Confirm the state we are observing is for the current generation
-		if bucket.Generation != bucket.Status.ObservedGeneration {
-			return false, nil
-		}
-
-		if c := apimeta.FindStatusCondition(bucket.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
-
 func (obj bucketAdapter) lastHandledReconcileRequest() string {
 	return obj.Status.GetLastHandledReconcileRequest()
 }

cmd/flux/reconcile_source_git.go

@@ -21,7 +21,7 @@ import (
 
 	"github.com/spf13/cobra"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var reconcileSourceGitCmd = &cobra.Command{

cmd/flux/reconcile_source_helm.go

@@ -21,7 +21,9 @@ import (
 
 	"github.com/spf13/cobra"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var reconcileSourceHelmCmd = &cobra.Command{
@@ -46,5 +48,15 @@ func (obj helmRepositoryAdapter) lastHandledReconcileRequest() string {
 }
 
 func (obj helmRepositoryAdapter) successMessage() string {
+	// HelmRepository of type OCI don't set an Artifact
+	if obj.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		readyCondition := conditions.Get(obj.HelmRepository, meta.ReadyCondition)
+		// This shouldn't happen, successMessage shouldn't be called if
+		// object isn't ready
+		if readyCondition == nil {
+			return ""
+		}
+		return readyCondition.Message
+	}
 	return fmt.Sprintf("fetched revision %s", obj.Status.Artifact.Revision)
 }

cmd/flux/reconcile_source_oci.go

@@ -0,0 +1,50 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var reconcileSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Reconcile an OCIRepository",
+	Long:  `The reconcile source command triggers a reconciliation of an OCIRepository resource and waits for it to finish.`,
+	Example: `  # Trigger a reconciliation for an existing source
+  flux reconcile source oci podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
+	RunE: reconcileCommand{
+		apiType: ociRepositoryType,
+		object:  ociRepositoryAdapter{&sourcev1.OCIRepository{}},
+	}.run,
+}
+
+func init() {
+	reconcileSourceCmd.AddCommand(reconcileSourceOCIRepositoryCmd)
+}
+
+func (obj ociRepositoryAdapter) lastHandledReconcileRequest() string {
+	return obj.Status.GetLastHandledReconcileRequest()
+}
+
+func (obj ociRepositoryAdapter) successMessage() string {
+	return fmt.Sprintf("fetched revision %s", obj.Status.Artifact.Revision)
+}