rfc: Add story 2 and alternatives

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Add proposal for adding a gating mechanism to Flux
2026-05-28 19:20:47 +00:00 · 2022-10-04 16:06:09 +01:00 · 2022-09-29 17:57:30 +03:00 · 2022-09-29 11:16:10 +03:00 · 2022-09-29 07:49:13 +00:00 · 2022-09-29 09:42:20 +03:00
178 changed files with 6819 additions and 2371 deletions
@@ -8,9 +8,15 @@ pkgbase = flux-bin
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
-	source_x86_64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_amd64.tar.gz
-	source_armv6h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
-	source_armv7h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
-	source_aarch64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm64.tar.gz
+	optdepends = bash-completion: auto-completion for flux in Bash
+	optdepends = zsh-completions: auto-completion for flux in ZSH
+	source_x86_64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_amd64.tar.gz
+	sha256sums_x86_64 = ${SHA256SUM_AMD64}
+	source_armv6h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
+	sha256sums_armv6h = ${SHA256SUM_ARM}
+	source_armv7h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
+	sha256sums_armv7h = ${SHA256SUM_ARM}
+	source_aarch64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm64.tar.gz
+	sha256sums_aarch64 = ${SHA256SUM_ARM64}

 pkgname = flux-bin
@@ -8,8 +8,8 @@ pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
 arch=("x86_64" "armv6h" "armv7h" "aarch64")
 license=("APACHE")
-optdepends=('bash-completion: auto-completion for flux in Bash',
-'zsh-completions: auto-completion for flux in ZSH')
+optdepends=('bash-completion: auto-completion for flux in Bash'
+            'zsh-completions: auto-completion for flux in ZSH')
 source_x86_64=(
  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
 )
@@ -18,11 +18,11 @@

 set -eu

-KIND_VERSION=0.11.1
-KUBECTL_VERSION=1.21.2
-KUSTOMIZE_VERSION=4.1.3
-HELM_VERSION=3.7.2
-GITHUB_RUNNER_VERSION=2.285.1
+KIND_VERSION=0.14.0
+KUBECTL_VERSION=1.24.0
+KUSTOMIZE_VERSION=4.5.4
+HELM_VERSION=3.8.2
+GITHUB_RUNNER_VERSION=2.291.1
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq pkg-config"

 # install prerequisites
@@ -12,23 +12,23 @@ jobs:
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Restore Go cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go1.17-
+            ${{ runner.os }}-go1.18-
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: 1.17.x
+          go-version: 1.19.x
      - name: Setup Kubernetes
        uses: engineerd/setup-kind@v0.5.0
        with:
-          version: v0.11.1
-          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
+          version: v0.16.0
+          image: kindest/node:v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build
@@ -3,7 +3,7 @@ name: e2e-arm64
 on:
  workflow_dispatch:
  push:
-    branches: [ main, update-components, equinix-runners ]
+    branches: [ main, update-components ]

 jobs:
  test:
@@ -12,11 +12,11 @@ jobs:
    runs-on: [self-hosted, Linux, ARM64, equinix]
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: 1.17.x
+          go-version: 1.19.x
      - name: Prepare
        id: prep
        run: |
@@ -12,18 +12,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Restore Go cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go1.17-
+            ${{ runner.os }}-go1.18-
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.17.x
+          go-version: 1.19.x
      - name: Install libgit2
        run: |
          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
@@ -46,7 +46,7 @@ jobs:
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1
        with:
-          terraform_version: 1.0.7
+          terraform_version: 1.2.8
          terraform_wrapper: false
      - name: Setup Azure CLI
        run: |
@@ -2,27 +2,32 @@ name: e2e

 on:
  push:
-    branches: [ main, e2e* ]
-  pull_request:
    branches: [ main ]
+  pull_request:
+    branches: [ main, oci ]

 jobs:
  kind:
    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Restore Go cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go1.17-
+            ${{ runner.os }}-go1.18-
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: 1.17.x
+          go-version: 1.19.x
      - name: Setup Kubernetes
        uses: engineerd/setup-kind@v0.5.0
        with:
@@ -168,6 +173,36 @@ jobs:
      - name: flux delete source git
        run: |
          /tmp/flux delete source git podinfo --silent
+      - name: flux oci artifacts
+        run: |
+          /tmp/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+            --path="./manifests" \
+            --source="${{ github.repositoryUrl }}" \
+            --revision="${{ github.ref }}/${{ github.sha }}"
+          /tmp/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+            --tag latest
+          /tmp/flux list artifacts oci://localhost:5000/fluxcd/flux
+      - name: flux oci repositories
+        run: |
+          /tmp/flux create source oci podinfo-oci \
+            --url oci://ghcr.io/stefanprodan/manifests/podinfo \
+            --tag-semver 6.1.x \
+            --interval 10m
+          /tmp/flux create kustomization podinfo-oci \
+            --source=OCIRepository/podinfo-oci \
+            --path="./kustomize" \
+            --prune=true \
+            --interval=5m \
+            --target-namespace=default \
+            --wait=true \
+            --health-check-timeout=3m
+          /tmp/flux reconcile source oci podinfo-oci
+          /tmp/flux suspend source oci podinfo-oci
+          /tmp/flux get sources oci
+          /tmp/flux resume source oci podinfo-oci
+          /tmp/flux export source oci podinfo-oci
+          /tmp/flux delete ks podinfo-oci --silent
+          /tmp/flux delete source oci podinfo-oci --silent
      - name: flux create tenant
        run: |
          /tmp/flux create tenant dev-team --with-namespace=apps
@@ -1,21 +0,0 @@
-name: rebase
-
-on:
-  pull_request:
-    types: [ opened ]
-  issue_comment:
-    types: [ created ]
-
-jobs:
-  rebase:
-    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && (github.event.comment.author_association == 'CONTRIBUTOR' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout the latest code
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.3.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
@@ -0,0 +1,73 @@
+name: release-manifests
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Kustomize
+        uses: fluxcd/pkg/actions/kustomize@main
+      - name: Setup Flux CLI
+        uses: ./action/
+      - name: Prepare
+        id: prep
+        run: |
+          VERSION=$(flux version --client | awk '{ print $NF }')
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: fluxcdbot
+          password: ${{ secrets.GHCR_TOKEN }}
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: fluxcdbot
+          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+      - name: Push manifests to GHCR
+        run: |
+          mkdir -p ./ghcr.io/flux-system
+          flux install --registry=ghcr.io/fluxcd \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --export > ./ghcr.io/flux-system/gotk-components.yaml
+          
+          cd ./ghcr.io && flux push artifact \
+          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --path="./flux-system" \
+          --source=${{ github.repositoryUrl }} \
+          --revision="${{ github.ref_name }}/${{ github.sha }}"
+      - name: Push manifests to DockerHub
+        run: |
+          mkdir -p ./docker.io/flux-system
+          flux install --registry=docker.io/fluxcd \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --export > ./docker.io/flux-system/gotk-components.yaml
+          
+          cd ./docker.io && flux push artifact \
+          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --path="./flux-system" \
+          --source=${{ github.repositoryUrl }} \
+          --revision="${{ github.ref_name }}/${{ github.sha }}"
+      - uses: sigstore/cosign-installer@main
+      - name: Sign manifests
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
+          cosign sign docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
+      - name: Tag manifests
+        run: |
+          flux tag artifact oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --tag latest
+
+          flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --tag latest
@@ -14,18 +14,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: 1.17.x
+          go-version: 1.19.x
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
      - name: Setup Syft
        uses: anchore/sbom-action/download-syft@v0
      - name: Setup Cosign
@@ -33,13 +33,13 @@ jobs:
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -73,7 +73,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v1
+        uses: goreleaser/goreleaser-action@v3
        with:
          version: latest
          args: release --release-notes=output/notes.md --skip-validate
@@ -1,4 +1,4 @@
-name: Scan
+name: scan

 on:
  push:
@@ -8,12 +8,16 @@ on:
  schedule:
    - cron: '18 10 * * 3'

+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for codeQL to write security events
+
 jobs:
  fossa:
    name: FOSSA
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Run FOSSA scan and upload build data
        uses: fossa-contrib/fossa-action@v1
        with:
@@ -26,7 +30,7 @@ jobs:
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build manifests
@@ -49,12 +53,16 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.19.x
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
        with:
          languages: go
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2
@@ -12,11 +12,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: 1.17.x
+          go-version: 1.19.x
      - name: Update component versions
        id: update
        run: |
@@ -59,7 +59,7 @@ This project is composed of:
 ### Understanding the code

 To get started with developing controllers, you might want to review
-[our guide](https://fluxcd.io/docs/gitops-toolkit/source-watcher/) which
+[our guide](https://fluxcd.io/flux/gitops-toolkit/source-watcher/) which
 walks you through writing a short and concise controller that watches out
 for source changes.

@@ -67,9 +67,10 @@ for source changes.

 Prerequisites:

-* go >= 1.17
+* go >= 1.19
 * kubectl >= 1.20
 * kustomize >= 4.4
+* coreutils (on Mac OS)

 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:

@@ -1,15 +1,15 @@
-FROM alpine:3.15 as builder
+FROM alpine:3.16 as builder

 RUN apk add --no-cache ca-certificates curl

 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.23.1
+ARG KUBECTL_VER=1.25.0

 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
    kubectl version --client=true

-FROM alpine:3.15 as flux-cli
+FROM alpine:3.16 as flux-cli

 # Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
 # https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
@@ -2,19 +2,7 @@ The maintainers are generally available in Slack at
 https://cloud-native.slack.com in #flux (https://cloud-native.slack.com/messages/CLAJ40HV3)
 (obtain an invitation at https://slack.cncf.io/).

-These maintainers are shared with other Flux v2-related git
-repositories under https://github.com/fluxcd, as noted in their
-respective MAINTAINERS files.
+The Flux2 maintainers team is identical with the core maintainers of the project
+as listed in

-For convenience, they are reflected in the GitHub team
-@fluxcd/flux2-maintainers -- if the list here changes, that team also
-should.
-
-In alphabetical order:
-
-Aurel Canciu, NexHealth <aurel.canciu@nexhealth.com> (github: @relu, slack: relu)
-Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
-Max Jonas Werner, D2iQ <max@e13.dev> (github: @makkes, slack: max)
-Philip Laine, Xenit <philip.laine@xenit.se> (github: @phillebaba, slack: phillebaba)
-Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)
-Sunny, Weaveworks <sunny@weave.works> (github: @darkowlzz, slack: darkowlzz)
+    https://github.com/fluxcd/community/blob/main/CORE-MAINTAINERS
@@ -1,4 +1,5 @@
 VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | head -n 1 | tr -d '"')
+DEV_VERSION?=0.0.0-$(shell git rev-parse --abbrev-ref HEAD)-$(shell git rev-parse --short HEAD)-$(shell date +%s)
 EMBEDDED_MANIFESTS_TARGET=cmd/flux/.manifests.done
 TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
 # Architecture to use envtest with
@@ -16,8 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build

 tidy:
-	go mod tidy -compat=1.17
-	cd tests/azure && go mod tidy -compat=1.17
+	go mod tidy -compat=1.19
+	cd tests/azure && go mod tidy -compat=1.19

 fmt:
 	go fmt ./...
@@ -55,6 +56,9 @@ $(EMBEDDED_MANIFESTS_TARGET): $(call rwildcard,manifests/,*.yaml *.json)
 build: $(EMBEDDED_MANIFESTS_TARGET)
 	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(VERSION)" -o ./bin/flux ./cmd/flux

+build-dev: $(EMBEDDED_MANIFESTS_TARGET)
+	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(DEV_VERSION)" -o ./bin/flux ./cmd/flux
+
 .PHONY: install
 install:
 	CGO_ENABLED=0 go install ./cmd/flux
@@ -24,14 +24,14 @@ Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) proje

 ## Quickstart and documentation

-To get started check out this [guide](https://fluxcd.io/docs/get-started/)
+To get started check out this [guide](https://fluxcd.io/flux/get-started/)
 on how to bootstrap Flux on Kubernetes and deploy a sample application in a GitOps manner.

 For more comprehensive documentation, see the following guides:
- [Ways of structuring your repositories](https://fluxcd.io/docs/guides/repository-structure/)
- [Manage Helm Releases](https://fluxcd.io/docs/guides/helmreleases/)
- [Automate image updates to Git](https://fluxcd.io/docs/guides/image-update/)  
- [Manage Kubernetes secrets with Mozilla SOPS](https://fluxcd.io/docs/guides/mozilla-sops/)  
+- [Ways of structuring your repositories](https://fluxcd.io/flux/guides/repository-structure/)
+- [Manage Helm Releases](https://fluxcd.io/flux/guides/helmreleases/)
+- [Automate image updates to Git](https://fluxcd.io/flux/guides/image-update/)  
+- [Manage Kubernetes secrets with Mozilla SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)  

 If you need help, please refer to our **[Support page](https://fluxcd.io/support/)**.

@@ -46,27 +46,28 @@ automation tooling.

 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
-guides](https://fluxcd.io/docs/gitops-toolkit/source-watcher/).
+guides](https://fluxcd.io/flux/gitops-toolkit/source-watcher/).

 ### Components

- [Source Controller](https://fluxcd.io/docs/components/source/)
-    - [GitRepository CRD](https://fluxcd.io/docs/components/source/gitrepositories/)
-    - [HelmRepository CRD](https://fluxcd.io/docs/components/source/helmrepositories/)
-    - [HelmChart CRD](https://fluxcd.io/docs/components/source/helmcharts/)
-    - [Bucket CRD](https://fluxcd.io/docs/components/source/buckets/)
- [Kustomize Controller](https://fluxcd.io/docs/components/kustomize/)
-    - [Kustomization CRD](https://fluxcd.io/docs/components/kustomize/kustomization/)
- [Helm Controller](https://fluxcd.io/docs/components/helm/)
-    - [HelmRelease CRD](https://fluxcd.io/docs/components/helm/helmreleases/)
- [Notification Controller](https://fluxcd.io/docs/components/notification/)
-    - [Provider CRD](https://fluxcd.io/docs/components/notification/provider/)
-    - [Alert CRD](https://fluxcd.io/docs/components/notification/alert/)
-    - [Receiver CRD](https://fluxcd.io/docs/components/notification/receiver/)
- [Image Automation Controllers](https://fluxcd.io/docs/components/image/)
-  - [ImageRepository CRD](https://fluxcd.io/docs/components/image/imagerepositories/)
-  - [ImagePolicy CRD](https://fluxcd.io/docs/components/image/imagepolicies/)
-  - [ImageUpdateAutomation CRD](https://fluxcd.io/docs/components/image/imageupdateautomations/)
+- [Source Controller](https://fluxcd.io/flux/components/source/)
+    - [GitRepository CRD](https://fluxcd.io/flux/components/source/gitrepositories/)
+    - [OCIRepository CRD](https://fluxcd.io/flux/components/source/ocirepositories/)
+    - [HelmRepository CRD](https://fluxcd.io/flux/components/source/helmrepositories/)
+    - [HelmChart CRD](https://fluxcd.io/flux/components/source/helmcharts/)
+    - [Bucket CRD](https://fluxcd.io/flux/components/source/buckets/)
+- [Kustomize Controller](https://fluxcd.io/flux/components/kustomize/)
+    - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomization/)
+- [Helm Controller](https://fluxcd.io/flux/components/helm/)
+    - [HelmRelease CRD](https://fluxcd.io/flux/components/helm/helmreleases/)
+- [Notification Controller](https://fluxcd.io/flux/components/notification/)
+    - [Provider CRD](https://fluxcd.io/flux/components/notification/provider/)
+    - [Alert CRD](https://fluxcd.io/flux/components/notification/alert/)
+    - [Receiver CRD](https://fluxcd.io/flux/components/notification/receiver/)
+- [Image Automation Controllers](https://fluxcd.io/flux/components/image/)
+  - [ImageRepository CRD](https://fluxcd.io/flux/components/image/imagerepositories/)
+  - [ImagePolicy CRD](https://fluxcd.io/flux/components/image/imagepolicies/)
+  - [ImageUpdateAutomation CRD](https://fluxcd.io/flux/components/image/imageupdateautomations/)
  
 ## Community

@@ -74,7 +75,7 @@ Need help or want to contribute? Please see the links below. The Flux project is
 new contributors and there are a multitude of ways to get involved.

 - Getting Started?
-    - Look at our [Get Started guide](https://fluxcd.io/docs/get-started/) and give us feedback
+    - Look at our [Get Started guide](https://fluxcd.io/flux/get-started/) and give us feedback
 - Need help?
    - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
    - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/)
@@ -32,7 +32,7 @@ You can download a specific version with:
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
        with:
-          version: 0.8.0
+          version: 0.32.0
 ```

 ### Automate Flux updates
@@ -74,6 +74,92 @@ jobs:
              ${{ steps.update.outputs.flux_version }}
 ```

+### Push Kubernetes manifests to container registries
+
+Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to GitHub Container Registry:
+
+```yaml
+name: push-artifact-staging
+
+on:
+  push:
+    branches:
+      - 'main'
+
+permissions:
+  packages: write # needed for ghcr.io access
+
+env:
+  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
+
+jobs:
+  kubernetes:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate manifests
+        run: |
+          kustomize build ./manifests/staging > ./deploy/app.yaml
+      - name: Push manifests
+        run: |
+          flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
+            --path="./deploy" \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="$(git branch --show-current)/$(git rev-parse HEAD)"
+      - name: Deploy manifests to staging
+        run: |
+          flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
+```
+
+Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to Docker Hub:
+
+```yaml
+name: push-artifact-production
+
+on:
+  push:
+    tags:
+      - '*'
+
+env:
+  OCI_REPO: "oci://docker.io/my-org/app-config"
+
+jobs:
+  kubernetes:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Generate manifests
+        run: |
+          kustomize build ./manifests/production > ./deploy/app.yaml
+      - name: Push manifests
+        run: |
+          flux push artifact $OCI_REPO:$(git tag --points-at HEAD) \
+            --path="./deploy" \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
+      - name: Deploy manifests to production
+        run: |
+          flux tag artifact $OCI_REPO:$(git tag --points-at HEAD) --tag production
+```
+
 ### End-to-end testing

 Example workflow for running Flux in Kubernetes Kind:
@@ -19,13 +19,13 @@ package main
 import (
 	"crypto/elliptic"
 	"fmt"
-	"os"
 	"strings"

 	"github.com/spf13/cobra"

 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )

@@ -154,7 +154,7 @@ func buildEmbeddedManifestBase() (string, error) {
 	if !isEmbeddedVersion(bootstrapArgs.version) {
 		return "", nil
 	}
-	tmpBaseDir, err := os.MkdirTemp("", "flux-manifests-")
+	tmpBaseDir, err := manifestgen.MkdirTempAbs("", "flux-manifests-")
 	if err != nil {
 		return "", err
 	}
@@ -30,6 +30,7 @@ import (
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -165,7 +166,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	// Lazy go-git repository
-	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
@@ -35,6 +35,7 @@ import (
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -53,6 +54,9 @@ command will perform an upgrade if needed.`,
  # Run bootstrap for a Git repository and authenticate using a password
  flux bootstrap git --url=https://example.com/repository.git --password=<password>

+  # Run bootstrap for a Git repository and authenticate using a password from environment variable
+  GIT_PASSWORD=<password> && flux bootstrap git --url=https://example.com/repository.git
+
  # Run bootstrap for a Git repository with a passwordless private key
  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key>

@@ -69,8 +73,13 @@ type gitFlags struct {
 	username            string
 	password            string
 	silent              bool
+	insecureHttpAllowed bool
 }

+const (
+	gitPasswordEnvVar = "GIT_PASSWORD"
+)
+
 var gitArgs gitFlags

 func init() {
@@ -80,11 +89,25 @@ func init() {
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
 	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
+	bootstrapGitCmd.Flags().BoolVar(&gitArgs.insecureHttpAllowed, "allow-insecure-http", false, "allows http git url connections")

 	bootstrapCmd.AddCommand(bootstrapGitCmd)
 }

 func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
+	gitPassword := os.Getenv(gitPasswordEnvVar)
+	if gitPassword != "" && gitArgs.password == "" {
+		gitArgs.password = gitPassword
+	}
+	if bootstrapArgs.tokenAuth && gitArgs.password == "" {
+		var err error
+		gitPassword, err = readPasswordFromStdin("Please enter your Git repository password: ")
+		if err != nil {
+			return fmt.Errorf("could not read token: %w", err)
+		}
+		gitArgs.password = gitPassword
+	}
+
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
@@ -117,7 +140,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	defer os.RemoveAll(manifestsBase)

 	// Lazy go-git repository
-	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
@@ -169,7 +192,9 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {

 		// Configure repository URL to match auth config for sync.
 		repositoryURL.User = nil
+		if !gitArgs.insecureHttpAllowed {
 			repositoryURL.Scheme = "https"
+		}
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.Password = gitArgs.password
@@ -248,6 +273,14 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 // SSH-agent is attempted.
 func transportForURL(u *url.URL) (transport.AuthMethod, error) {
 	switch u.Scheme {
+	case "http":
+		if !gitArgs.insecureHttpAllowed {
+			return nil, fmt.Errorf("scheme http is insecure, pass --allow-insecure-http=true to allow it")
+		}
+		return &http.BasicAuth{
+			Username: gitArgs.username,
+			Password: gitArgs.password,
+		}, nil
 	case "https":
 		return &http.BasicAuth{
 			Username: gitArgs.username,
@@ -30,6 +30,7 @@ import (
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -161,7 +162,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	// Lazy go-git repository
-	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
@@ -32,6 +32,7 @@ import (
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
@@ -172,7 +173,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	// Lazy go-git repository
-	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
@@ -0,0 +1,80 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	oci "github.com/fluxcd/pkg/oci/client"
+	"github.com/fluxcd/pkg/sourceignore"
+)
+
+var buildArtifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Build artifact",
+	Long:  `The build artifact command creates a tgz file with the manifests from the given directory.`,
+	Example: `  # Build the given manifests directory into an artifact
+  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
+
+  # List the files bundled in the artifact
+  tar -ztvf ./path/to/artifact.tgz
+`,
+	RunE: buildArtifactCmdRun,
+}
+
+type buildArtifactFlags struct {
+	output      string
+	path        string
+	ignorePaths []string
+}
+
+var excludeOCI = append(strings.Split(sourceignore.ExcludeVCS, ","), strings.Split(sourceignore.ExcludeExt, ",")...)
+
+var buildArtifactArgs buildArtifactFlags
+
+func init() {
+	buildArtifactCmd.Flags().StringVar(&buildArtifactArgs.path, "path", "", "Path to the directory where the Kubernetes manifests are located.")
+	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
+	buildArtifactCmd.Flags().StringSliceVar(&buildArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
+
+	buildCmd.AddCommand(buildArtifactCmd)
+}
+
+func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
+	if buildArtifactArgs.path == "" {
+		return fmt.Errorf("invalid path %q", buildArtifactArgs.path)
+	}
+
+	if fs, err := os.Stat(buildArtifactArgs.path); err != nil || !fs.IsDir() {
+		return fmt.Errorf("invalid path '%s', must point to an existing directory", buildArtifactArgs.path)
+	}
+
+	logger.Actionf("building artifact from %s", buildArtifactArgs.path)
+
+	ociClient := oci.NewLocalClient()
+	if err := ociClient.Build(buildArtifactArgs.output, buildArtifactArgs.path, buildArtifactArgs.ignorePaths); err != nil {
+		return fmt.Errorf("bulding artifact failed, error: %w", err)
+	}
+
+	logger.Successf("artifact created at %s", buildArtifactArgs.output)
+
+	return nil
+}
@@ -33,21 +33,28 @@ var buildKsCmd = &cobra.Command{
 	Short:   "Build Kustomization",
 	Long: `The build command queries the Kubernetes API and fetches the specified Flux Kustomization. 
 It then uses the fetched in cluster flux kustomization to perform needed transformation on the local kustomization.yaml
-pointed at by --path. The local kustomization.yaml is generated if it does not exist. Finally it builds the overlays using the local kustomization.yaml, and write the resulting multi-doc YAML to stdout.`,
+pointed at by --path. The local kustomization.yaml is generated if it does not exist. Finally it builds the overlays using the local kustomization.yaml, and write the resulting multi-doc YAML to stdout.
+
+It is possible to specify a Flux kustomization file using --kustomization-file.`,
 	Example: `# Build the local manifests as they were built on the cluster
-flux build kustomization my-app --path ./path/to/local/manifests`,
+flux build kustomization my-app --path ./path/to/local/manifests
+
+# Build using a local flux kustomization file
+flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              buildKsCmdRun,
 }

 type buildKsFlags struct {
+	kustomizationFile string
 	path              string
 }

 var buildKsArgs buildKsFlags

 func init() {
-	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.)")
+	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.")
+	buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	buildCmd.AddCommand(buildKsCmd)
 }

@@ -65,7 +72,13 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
 	}

-	builder, err := build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, buildKsArgs.path, build.WithTimeout(rootArgs.timeout))
+	if buildKsArgs.kustomizationFile != "" {
+		if fs, err := os.Stat(buildKsArgs.kustomizationFile); os.IsNotExist(err) || fs.IsDir() {
+			return fmt.Errorf("invalid kustomization file %q", buildKsArgs.kustomizationFile)
+		}
+	}
+
+	builder, err := build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, buildKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(buildKsArgs.kustomizationFile))
 	if err != nil {
 		return err
 	}
@@ -20,7 +20,10 @@ limitations under the License.
 package main

 import (
+	"bytes"
+	"os"
 	"testing"
+	"text/template"
 )

 func setup(t *testing.T, tmpl map[string]string) {
@@ -54,6 +57,12 @@ func TestBuildKustomization(t *testing.T) {
 			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
+		{
+			name:       "build deployment and configmap with var substitution",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/var-substitution",
+			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
 	}

 	tmpl := map[string]string{
@@ -81,3 +90,101 @@ func TestBuildKustomization(t *testing.T) {
 		})
 	}
 }
+
+func TestBuildLocalKustomization(t *testing.T) {
+	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: podinfo
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m0s
+  path: ./kustomize
+  force: true
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: podinfo
+  targetNamespace: default
+  postBuild:
+    substitute:
+      cluster_env: "prod"
+      cluster_region: "eu-central-1"
+`
+
+	tests := []struct {
+		name       string
+		args       string
+		resultFile string
+		assertFunc string
+	}{
+		{
+			name:       "no args",
+			args:       "build kustomization podinfo --kustomization-file ./wrongfile/ --path ./testdata/build-kustomization/podinfo",
+			resultFile: "invalid kustomization file \"./wrongfile/\"",
+			assertFunc: "assertError",
+		},
+		{
+			name:       "build podinfo",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/podinfo",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build podinfo without service",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/delete-service",
+			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build deployment and configmap with var substitution",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/var-substitution",
+			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+	}
+
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+
+	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
+
+	temp, err := template.New("podinfo").Parse(podinfo)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var b bytes.Buffer
+	err = temp.Execute(&b, tmpl)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = os.WriteFile("./testdata/build-kustomization/podinfo.yaml", b.Bytes(), 0666)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	defer os.Remove("./testdata/build-kustomization/podinfo.yaml")
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var assert assertFunc
+
+			switch tt.assertFunc {
+			case "assertGoldenTemplateFile":
+				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
+			case "assertError":
+				assert = assertError(tt.resultFile)
+			}
+
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: assert,
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -24,6 +24,7 @@ import (
 	"github.com/Masterminds/semver/v3"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/api/apps/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"

@@ -95,9 +96,17 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 	if !componentsCheck() {
 		checkFailed = true
 	}
+
+	logger.Actionf("checking crds")
+	if !crdsCheck() {
+		checkFailed = true
+	}
+
 	if checkFailed {
+		logger.Failuref("check failed")
 		os.Exit(1)
 	}
+
 	logger.Successf("all checks passed")
 	return nil
 }
@@ -191,7 +200,14 @@ func componentsCheck() bool {
 	ok := true
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list v1.DeploymentList
-	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
+	ns := *kubeconfigArgs.Namespace
+	if err := kubeClient.List(ctx, &list, client.InNamespace(ns), selector); err == nil {
+		if len(list.Items) == 0 {
+			logger.Failuref("no controllers found in the '%s' namespace with the label selector '%s=%s'",
+				ns, manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
+			return false
+		}
+
 		for _, d := range list.Items {
 			if ref, err := buildComponentObjectRefs(d.Name); err == nil {
 				if err := statusChecker.Assess(ref...); err != nil {
@@ -205,3 +221,34 @@ func componentsCheck() bool {
 	}
 	return ok
 }
+
+func crdsCheck() bool {
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return false
+	}
+
+	ok := true
+	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
+	var list apiextensionsv1.CustomResourceDefinitionList
+	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
+		if len(list.Items) == 0 {
+			logger.Failuref("no crds found with the label selector '%s=%s'",
+				manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
+			return false
+		}
+
+		for _, crd := range list.Items {
+			if len(crd.Status.StoredVersions) > 0 {
+				logger.Successf(crd.Name + "/" + crd.Status.StoredVersions[0])
+			} else {
+				ok = false
+				logger.Failuref("no stored versions for %s", crd.Name)
+			}
+		}
+	}
+	return ok
+}
@@ -26,7 +26,6 @@ import (
 	"testing"

 	"github.com/fluxcd/flux2/internal/utils"
-	"k8s.io/apimachinery/pkg/version"
 )

 func TestCheckPre(t *testing.T) {
@@ -35,17 +34,19 @@ func TestCheckPre(t *testing.T) {
 		t.Fatalf("Error running utils.ExecKubectlCommand: %v", err.Error())
 	}

-	var versions map[string]version.Info
+	var versions map[string]interface{}
 	if err := json.Unmarshal([]byte(jsonOutput), &versions); err != nil {
-		t.Fatalf("Error unmarshalling: %v", err.Error())
+		t.Fatalf("Error unmarshalling '%s': %v", jsonOutput, err.Error())
 	}

-	serverVersion := strings.TrimPrefix(versions["serverVersion"].GitVersion, "v")
+	serverGitVersion := strings.TrimPrefix(
+		versions["serverVersion"].(map[string]interface{})["gitVersion"].(string),
+		"v")

 	cmd := cmdTestCase{
 		args: "check --pre",
 		assert: assertGoldenTemplateFile("testdata/check/check_pre.golden", map[string]string{
-			"serverVersion": serverVersion,
+			"serverVersion": serverGitVersion,
 		}),
 	}
 	cmd.runTestCmd(t)
@@ -21,6 +21,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"strings"
+	"time"

 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
@@ -116,13 +118,18 @@ type helmReleaseFlags struct {
 	targetNamespace     string
 	createNamespace     bool
 	valuesFiles         []string
-	valuesFrom      flags.HelmReleaseValuesFrom
+	valuesFrom          []string
 	saName              string
 	crds                flags.CRDsPolicy
+	reconcileStrategy   string
+	chartInterval       time.Duration
+	kubeConfigSecretRef string
 }

 var helmReleaseArgs helmReleaseFlags

+var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}
+
 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.source, "source", helmReleaseArgs.source.Description())
@@ -132,9 +139,12 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
 	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart created by the helm release(accepted values: Revision and ChartRevision)")
+	createHelmReleaseCmd.Flags().DurationVarP(&helmReleaseArgs.chartInterval, "chart-interval", "", 0, "the interval of which to check for new chart versions")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
-	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.valuesFrom, "values-from", helmReleaseArgs.valuesFrom.Description())
+	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFrom, "values-from", nil, "a Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>', where kind must be one of: (Secret,ConfigMap)")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.crds, "crds", helmReleaseArgs.crds.Description())
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createCmd.AddCommand(createHelmReleaseCmd)
 }

@@ -154,6 +164,11 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating HelmRelease")
 	}

+	if !validateStrategy(helmReleaseArgs.reconcileStrategy) {
+		return fmt.Errorf("'%s' is an invalid reconcile strategy(valid: Revision, ChartVersion)",
+			helmReleaseArgs.reconcileStrategy)
+	}
+
 	helmRelease := helmv2.HelmRelease{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
@@ -177,12 +192,27 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 						Name:      helmReleaseArgs.source.Name,
 						Namespace: helmReleaseArgs.source.Namespace,
 					},
+					ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
 				},
 			},
 			Suspend: false,
 		},
 	}

+	if helmReleaseArgs.kubeConfigSecretRef != "" {
+		helmRelease.Spec.KubeConfig = &helmv2.KubeConfig{
+			SecretRef: meta.SecretKeyReference{
+				Name: helmReleaseArgs.kubeConfigSecretRef,
+			},
+		}
+	}
+
+	if helmReleaseArgs.chartInterval != 0 {
+		helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
+			Duration: helmReleaseArgs.chartInterval,
+		}
+	}
+
 	if helmReleaseArgs.createNamespace {
 		if helmRelease.Spec.Install == nil {
 			helmRelease.Spec.Install = &helmv2.Install{}
@@ -233,11 +263,25 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: jsonRaw}
 	}

-	if helmReleaseArgs.valuesFrom.String() != "" {
-		helmRelease.Spec.ValuesFrom = []helmv2.ValuesReference{{
-			Kind: helmReleaseArgs.valuesFrom.Kind,
-			Name: helmReleaseArgs.valuesFrom.Name,
-		}}
+	if len(helmReleaseArgs.valuesFrom) != 0 {
+		values := []helmv2.ValuesReference{}
+		for _, value := range helmReleaseArgs.valuesFrom {
+			sourceKind, sourceName := utils.ParseObjectKindName(value)
+			if sourceKind == "" {
+				return fmt.Errorf("invalid Kubernetes object reference '%s', must be in format <kind>/<name>", value)
+			}
+			cleanSourceKind, ok := utils.ContainsEqualFoldItemString(supportedHelmReleaseValuesFromKinds, sourceKind)
+			if !ok {
+				return fmt.Errorf("reference kind '%s' is not supported, must be one of: %s",
+					sourceKind, strings.Join(supportedHelmReleaseValuesFromKinds, ", "))
+			}
+
+			values = append(values, helmv2.ValuesReference{
+				Name: sourceName,
+				Kind: cleanSourceKind,
+			})
+		}
+		helmRelease.Spec.ValuesFrom = values
 	}

 	if createArgs.export {
@@ -316,3 +360,15 @@ func isHelmReleaseReady(ctx context.Context, kubeClient client.Client,
 		return apimeta.IsStatusConditionTrue(helmRelease.Status.Conditions, meta.ReadyCondition), nil
 	}
 }
+
+func validateStrategy(input string) bool {
+	allowedStrategy := []string{"Revision", "ChartVersion"}
+
+	for _, strategy := range allowedStrategy {
+		if strategy == input {
+			return true
+		}
+	}
+
+	return false
+}
@@ -42,22 +42,21 @@ var createKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Create or update a Kustomization resource",
-	Long:    "The kustomization source create command generates a Kustomize resource for a given source.",
+	Long:    "The create command generates a Kustomization resource for a given source.",
 	Example: `  # Create a Kustomization resource from a source at a given path
-  flux create kustomization contour \
-    --source=GitRepository/contour \
-    --path="./examples/contour/" \
+  flux create kustomization kyverno \
+    --source=GitRepository/kyverno \
+    --path="./config/release" \
    --prune=true \
-    --interval=10m \
-    --health-check="Deployment/contour.projectcontour" \
-    --health-check="DaemonSet/envoy.projectcontour" \
+    --interval=60m \
+    --wait=true \
    --health-check-timeout=3m

  # Create a Kustomization resource that depends on the previous one
-  flux create kustomization webapp \
-    --depends-on=contour \
-    --source=GitRepository/webapp \
-    --path="./deploy/overlays/dev" \
+  flux create kustomization kyverno-policies \
+    --depends-on=kyverno \
+    --source=GitRepository/kyverno-policies \
+    --path="./policies/flux" \
    --prune=true \
    --interval=5m

@@ -65,7 +64,14 @@ var createKsCmd = &cobra.Command{
  flux create kustomization podinfo \
    --namespace=default \
    --source=GitRepository/podinfo.flux-system \
-    --path="./deploy/overlays/dev" \
+    --path="./kustomize" \
+    --prune=true \
+    --interval=5m
+
+  # Create a Kustomization resource that references an OCIRepository
+  flux create kustomization podinfo \
+    --source=OCIRepository/podinfo \
+    --target-namespace=default \
    --prune=true \
    --interval=5m

@@ -90,6 +96,7 @@ type kustomizationFlags struct {
 	decryptionSecret    string
 	targetNamespace     string
 	wait                bool
+	kubeConfigSecretRef string
 }

 var kustomizationArgs = NewKustomizationFlags()
@@ -107,6 +114,7 @@ func init() {
 	createKsCmd.Flags().Var(&kustomizationArgs.decryptionProvider, "decryption-provider", kustomizationArgs.decryptionProvider.Description())
 	createKsCmd.Flags().StringVar(&kustomizationArgs.decryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.targetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createKsCmd.Flags().MarkDeprecated("validation", "this arg is no longer used, all resources are validated using server-side apply dry-run")

 	createCmd.AddCommand(createKsCmd)
@@ -160,6 +168,14 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}

+	if kustomizationArgs.kubeConfigSecretRef != "" {
+		kustomization.Spec.KubeConfig = &kustomizev1.KubeConfig{
+			SecretRef: meta.SecretKeyReference{
+				Name: kustomizationArgs.kubeConfigSecretRef,
+			},
+		}
+	}
+
 	if len(kustomizationArgs.healthCheck) > 0 && !kustomizationArgs.wait {
 		healthChecks := make([]meta.NamespacedObjectKindReference, 0)
 		for _, w := range kustomizationArgs.healthCheck {
@@ -1,3 +1,19 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package main

 import (
@@ -0,0 +1,121 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var createSecretOCICmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Create or update a Kubernetes image pull secret",
+	Long:  `The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`,
+	Example: `  # Create an OCI authentication secret on disk and encrypt it with Mozilla SOPS
+  flux create secret oci podinfo-auth \
+    --url=ghcr.io \
+    --username=username \
+    --password=password \
+    --export > repo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place repo-auth.yaml
+	`,
+	RunE: createSecretOCICmdRun,
+}
+
+type secretOCIFlags struct {
+	url      string
+	password string
+	username string
+}
+
+var secretOCIArgs = secretOCIFlags{}
+
+func init() {
+	createSecretOCICmd.Flags().StringVar(&secretOCIArgs.url, "url", "", "oci repository address e.g ghcr.io/stefanprodan/charts")
+	createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.username, "username", "u", "", "basic authentication username")
+	createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.password, "password", "p", "", "basic authentication password")
+
+	createSecretCmd.AddCommand(createSecretOCICmd)
+}
+
+func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("name is required")
+	}
+
+	secretName := args[0]
+
+	if secretOCIArgs.url == "" {
+		return fmt.Errorf("--url is required")
+	}
+
+	if secretOCIArgs.username == "" {
+		return fmt.Errorf("--username is required")
+	}
+
+	if secretOCIArgs.password == "" {
+		return fmt.Errorf("--password is required")
+	}
+
+	if _, err := name.ParseReference(secretOCIArgs.url); err != nil {
+		return fmt.Errorf("error parsing url: '%s'", err)
+	}
+
+	opts := sourcesecret.Options{
+		Name:      secretName,
+		Namespace: *kubeconfigArgs.Namespace,
+		Registry:  secretOCIArgs.url,
+		Password:  secretOCIArgs.password,
+		Username:  secretOCIArgs.username,
+	}
+
+	secret, err := sourcesecret.Generate(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("oci secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
+	return nil
+}
@@ -0,0 +1,51 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateSecretOCI(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			args:   "create secret oci",
+			assert: assertError("name is required"),
+		},
+		{
+			args:   "create secret oci ghcr",
+			assert: assertError("--url is required"),
+		},
+		{
+			args:   "create secret oci ghcr --namespace=my-namespace --url ghcr.io --username stefanprodan --password=password --export",
+			assert: assertGoldenFile("testdata/create_secret/oci/create-secret.yaml"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"strings"

 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -71,9 +72,10 @@ type sourceBucketFlags struct {
 	region      string
 	insecure    bool
 	secretRef   string
+	ignorePaths []string
 }

-var sourceBucketArgs = NewSourceBucketFlags()
+var sourceBucketArgs = newSourceBucketFlags()

 func init() {
 	createSourceBucketCmd.Flags().Var(&sourceBucketArgs.provider, "provider", sourceBucketArgs.provider.Description())
@@ -84,11 +86,12 @@ func init() {
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.region, "region", "", "the bucket region")
 	createSourceBucketCmd.Flags().BoolVar(&sourceBucketArgs.insecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretRef, "secret-ref", "", "the name of an existing secret containing credentials")
+	createSourceBucketCmd.Flags().StringSliceVar(&sourceBucketArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in bucket resource (can specify multiple paths with commas: path1,path2)")

 	createSourceCmd.AddCommand(createSourceBucketCmd)
 }

-func NewSourceBucketFlags() sourceBucketFlags {
+func newSourceBucketFlags() sourceBucketFlags {
 	return sourceBucketFlags{
 		provider: flags.SourceBucketProvider(sourcev1.GenericBucketProvider),
 	}
@@ -116,6 +119,12 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	defer os.RemoveAll(tmpDir)

+	var ignorePaths *string
+	if len(sourceBucketArgs.ignorePaths) > 0 {
+		ignorePathsStr := strings.Join(sourceBucketArgs.ignorePaths, "\n")
+		ignorePaths = &ignorePathsStr
+	}
+
 	bucket := &sourcev1.Bucket{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
@@ -131,6 +140,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
+			Ignore: ignorePaths,
 		},
 	}

@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"strings"

 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
@@ -59,6 +60,7 @@ type sourceGitFlags struct {
 	privateKeyFile    string
 	recurseSubmodules bool
 	silent            bool
+	ignorePaths       []string
 }

 var createSourceGitCmd = &cobra.Command{
@@ -115,6 +117,7 @@ For private Git repositories, the basic authentication credentials are stored in
  # Create a source for a Git repository using basic authentication
  flux create source git podinfo \
    --url=https://github.com/stefanprodan/podinfo \
+    --branch=master \
    --username=username \
    --password=password`,
 	RunE: createSourceGitCmdRun,
@@ -139,6 +142,7 @@ func init() {
 	createSourceGitCmd.Flags().BoolVar(&sourceGitArgs.recurseSubmodules, "recurse-submodules", false,
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
+	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in git resource (can specify multiple paths with commas: path1,path2)")

 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@@ -189,6 +193,12 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	var ignorePaths *string
+	if len(sourceGitArgs.ignorePaths) > 0 {
+		ignorePathsStr := strings.Join(sourceGitArgs.ignorePaths, "\n")
+		ignorePaths = &ignorePathsStr
+	}
+
 	gitRepository := sourcev1.GitRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
@@ -202,6 +212,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			},
 			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
 			Reference:         &sourcev1.GitRepositoryRef{},
+			Ignore:            ignorePaths,
 		},
 	}

@@ -85,6 +85,31 @@ func (r *reconciler) conditionFunc() (bool, error) {
 	return true, err
 }

+func TestCreateSourceGitExport(t *testing.T) {
+	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
+
+	cases := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			"ExportSucceeded",
+			command,
+			assertGoldenFile("testdata/create_source_git/export.golden"),
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tc.args,
+				assert: tc.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
+
 func TestCreateSourceGit(t *testing.T) {
 	// Default command used for multiple tests
 	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --timeout=" + testTimeout.String()
@@ -44,23 +44,34 @@ var createSourceHelmCmd = &cobra.Command{
 	Short: "Create or update a HelmRepository source",
 	Long: `The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
 For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
-	Example: `  # Create a source for a public Helm repository
+	Example: `  # Create a source for an HTTPS public Helm repository
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --interval=10m

-  # Create a source for a Helm repository using basic authentication
+  # Create a source for an HTTPS Helm repository using basic authentication
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --username=username \
    --password=password

-  # Create a source for a Helm repository using TLS authentication
+  # Create a source for an HTTPS Helm repository using TLS authentication
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --cert-file=./cert.crt \
    --key-file=./key.crt \
-    --ca-file=./ca.crt`,
+    --ca-file=./ca.crt
+
+  # Create a source for an OCI Helm repository
+  flux create source helm podinfo \
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --username=username \
+    --password=password
+
+  # Create a source for an OCI Helm repository using an existing secret with basic auth or dockerconfig credentials
+  flux create source helm podinfo \
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --secret-ref=docker-config`,
 	RunE: createSourceHelmCmdRun,
 }

@@ -84,7 +95,7 @@ func init() {
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.certFile, "cert-file", "", "TLS authentication cert file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
-	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS, basic auth or docker-config credentials")
 	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")

 	createSourceCmd.AddCommand(createSourceHelmCmd)
@@ -126,6 +137,14 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}

+	url, err := url.Parse(sourceHelmArgs.url)
+	if err != nil {
+		return fmt.Errorf("failed to parse URL: %w", err)
+	}
+	if url.Scheme == sourcev1.HelmRepositoryTypeOCI {
+		helmRepository.Spec.Type = sourcev1.HelmRepositoryTypeOCI
+	}
+
 	if createSourceArgs.fetchTimeout > 0 {
 		helmRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}
@@ -196,6 +215,11 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Successf("HelmRepository source reconciliation completed")

+	if helmRepository.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		// OCI repos don't expose any artifact so we just return early here
+		return nil
+	}
+
 	if helmRepository.Status.Artifact == nil {
 		return fmt.Errorf("HelmRepository source reconciliation completed but no artifact was found")
 	}
@@ -0,0 +1,81 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateSourceHelm(t *testing.T) {
+	tests := []struct {
+		name       string
+		args       string
+		resultFile string
+		assertFunc string
+	}{
+		{
+			name:       "no args",
+			args:       "create source helm",
+			resultFile: "name is required",
+			assertFunc: "assertError",
+		},
+		{
+			name:       "OCI repo",
+			args:       "create source helm podinfo --url=oci://ghcr.io/stefanprodan/charts/podinfo --interval 5m --export",
+			resultFile: "./testdata/create_source_helm/oci.golden",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "OCI repo with Secret ref",
+			args:       "create source helm podinfo --url=oci://ghcr.io/stefanprodan/charts/podinfo --interval 5m --secret-ref=creds --export",
+			resultFile: "./testdata/create_source_helm/oci-with-secret.golden",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "HTTPS repo",
+			args:       "create source helm podinfo --url=https://stefanprodan.github.io/charts/podinfo --interval 5m --export",
+			resultFile: "./testdata/create_source_helm/https.golden",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+	}
+
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setup(t, tmpl)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var assert assertFunc
+			switch tt.assertFunc {
+			case "assertGoldenTemplateFile":
+				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
+			case "assertError":
+				assert = assertError(tt.resultFile)
+			}
+
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -0,0 +1,247 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+)
+
+var createSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Create or update an OCIRepository",
+	Long:  `The create source oci command generates an OCIRepository resource and waits for it to be ready.`,
+	Example: `  # Create an OCIRepository for a public container image
+  flux create source oci podinfo \
+    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
+    --tag=6.1.6 \
+    --interval=10m
+`,
+	RunE: createSourceOCIRepositoryCmdRun,
+}
+
+type sourceOCIRepositoryFlags struct {
+	url            string
+	tag            string
+	semver         string
+	digest         string
+	secretRef      string
+	serviceAccount string
+	certSecretRef  string
+	ignorePaths    []string
+	provider       flags.SourceOCIProvider
+	insecure       bool
+}
+
+var sourceOCIRepositoryArgs = newSourceOCIFlags()
+
+func newSourceOCIFlags() sourceOCIRepositoryFlags {
+	return sourceOCIRepositoryFlags{
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+	}
+}
+
+func init() {
+	createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.url, "url", "", "the OCI repository URL")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.tag, "tag", "", "the OCI artifact tag")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.semver, "tag-semver", "", "the OCI artifact tag semver range")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.digest, "digest", "", "the OCI artifact digest")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
+	createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
+	createSourceOCIRepositoryCmd.Flags().BoolVar(&sourceOCIRepositoryArgs.insecure, "insecure", false, "for when connecting to a non-TLS registries over plain HTTP")
+
+	createSourceCmd.AddCommand(createSourceOCIRepositoryCmd)
+}
+
+func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	if sourceOCIRepositoryArgs.url == "" {
+		return fmt.Errorf("url is required")
+	}
+
+	if sourceOCIRepositoryArgs.semver == "" && sourceOCIRepositoryArgs.tag == "" && sourceOCIRepositoryArgs.digest == "" {
+		return fmt.Errorf("--tag, --tag-semver or --digest is required")
+	}
+
+	sourceLabels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	var ignorePaths *string
+	if len(sourceOCIRepositoryArgs.ignorePaths) > 0 {
+		ignorePathsStr := strings.Join(sourceOCIRepositoryArgs.ignorePaths, "\n")
+		ignorePaths = &ignorePathsStr
+	}
+
+	repository := &sourcev1.OCIRepository{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: *kubeconfigArgs.Namespace,
+			Labels:    sourceLabels,
+		},
+		Spec: sourcev1.OCIRepositorySpec{
+			Provider: sourceOCIRepositoryArgs.provider.String(),
+			URL:      sourceOCIRepositoryArgs.url,
+			Insecure: sourceOCIRepositoryArgs.insecure,
+			Interval: metav1.Duration{
+				Duration: createArgs.interval,
+			},
+			Reference: &sourcev1.OCIRepositoryRef{},
+			Ignore:    ignorePaths,
+		},
+	}
+
+	if digest := sourceOCIRepositoryArgs.digest; digest != "" {
+		repository.Spec.Reference.Digest = digest
+	}
+	if semver := sourceOCIRepositoryArgs.semver; semver != "" {
+		repository.Spec.Reference.SemVer = semver
+	}
+	if tag := sourceOCIRepositoryArgs.tag; tag != "" {
+		repository.Spec.Reference.Tag = tag
+	}
+
+	if createSourceArgs.fetchTimeout > 0 {
+		repository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
+	}
+
+	if saName := sourceOCIRepositoryArgs.serviceAccount; saName != "" {
+		repository.Spec.ServiceAccountName = saName
+	}
+
+	if secretName := sourceOCIRepositoryArgs.secretRef; secretName != "" {
+		repository.Spec.SecretRef = &meta.LocalObjectReference{
+			Name: secretName,
+		}
+	}
+
+	if secretName := sourceOCIRepositoryArgs.certSecretRef; secretName != "" {
+		repository.Spec.CertSecretRef = &meta.LocalObjectReference{
+			Name: secretName,
+		}
+	}
+
+	if createArgs.export {
+		return printExport(exportOCIRepository(repository))
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("applying OCIRepository")
+	namespacedName, err := upsertOCIRepository(ctx, kubeClient, repository)
+	if err != nil {
+		return err
+	}
+
+	logger.Waitingf("waiting for OCIRepository reconciliation")
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
+		isOCIRepositoryReady(ctx, kubeClient, namespacedName, repository)); err != nil {
+		return err
+	}
+	logger.Successf("OCIRepository reconciliation completed")
+
+	if repository.Status.Artifact == nil {
+		return fmt.Errorf("no artifact was found")
+	}
+	logger.Successf("fetched revision: %s", repository.Status.Artifact.Revision)
+	return nil
+}
+
+func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
+	ociRepository *sourcev1.OCIRepository) (types.NamespacedName, error) {
+	namespacedName := types.NamespacedName{
+		Namespace: ociRepository.GetNamespace(),
+		Name:      ociRepository.GetName(),
+	}
+
+	var existing sourcev1.OCIRepository
+	err := kubeClient.Get(ctx, namespacedName, &existing)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if err := kubeClient.Create(ctx, ociRepository); err != nil {
+				return namespacedName, err
+			} else {
+				logger.Successf("OCIRepository created")
+				return namespacedName, nil
+			}
+		}
+		return namespacedName, err
+	}
+
+	existing.Labels = ociRepository.Labels
+	existing.Spec = ociRepository.Spec
+	if err := kubeClient.Update(ctx, &existing); err != nil {
+		return namespacedName, err
+	}
+	ociRepository = &existing
+	logger.Successf("OCIRepository updated")
+	return namespacedName, nil
+}
+
+func isOCIRepositoryReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, ociRepository *sourcev1.OCIRepository) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, ociRepository)
+		if err != nil {
+			return false, err
+		}
+
+		if c := conditions.Get(ociRepository, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != ociRepository.GetGeneration() {
+				return false, nil
+			}
+
+			// Further check the Status
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}
@@ -0,0 +1,61 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateSourceOCI(t *testing.T) {
+	tests := []struct {
+		name       string
+		args       string
+		assertFunc assertFunc
+	}{
+		{
+			name:       "NoArgs",
+			args:       "create source oci",
+			assertFunc: assertError("name is required"),
+		},
+		{
+			name:       "NoURL",
+			args:       "create source oci podinfo",
+			assertFunc: assertError("url is required"),
+		},
+		{
+			name:       "export manifest",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export.golden"),
+		},
+		{
+			name:       "export manifest with secret",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --secret-ref=creds --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export_with_secret.golden"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assertFunc,
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -27,7 +27,7 @@ var deleteKsCmd = &cobra.Command{
 	Aliases: []string{"ks"},
 	Short:   "Delete a Kustomization resource",
 	Long:    "The delete kustomization command deletes the given Kustomization from the cluster.",
-	Example: `  # Delete a kustomization and the Kubernetes resources created by it
+	Example: `  # Delete a kustomization and the Kubernetes resources created by it when prune is enabled
  flux delete kustomization podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE: deleteCommand{
@@ -0,0 +1,40 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var deleteSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Delete an OCIRepository source",
+	Long:  "The delete source oci command deletes the given OCIRepository from the cluster.",
+	Example: `  # Delete an OCIRepository 
+  flux delete source oci podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
+	RunE: deleteCommand{
+		apiType: ociRepositoryType,
+		object:  universalAdapter{&sourcev1.OCIRepository{}},
+	}.run,
+}
+
+func init() {
+	deleteSourceCmd.AddCommand(deleteSourceOCIRepositoryCmd)
+}
@@ -34,12 +34,16 @@ var diffKsCmd = &cobra.Command{
 	Long: `The diff command does a build, then it performs a server-side dry-run and prints the diff.
 Exit status: 0 No differences were found. 1 Differences were found. >1 diff failed with an error.`,
 	Example: `# Preview local changes as they were applied on the cluster
-flux diff kustomization my-app --path ./path/to/local/manifests`,
+flux diff kustomization my-app --path ./path/to/local/manifests
+
+# Preview using a local flux kustomization file
+flux diff kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              diffKsCmdRun,
 }

 type diffKsFlags struct {
+	kustomizationFile string
 	path              string
 	progressBar       bool
 }
@@ -47,8 +51,9 @@ type diffKsFlags struct {
 var diffKsArgs diffKsFlags

 func init() {
-	diffKsCmd.Flags().StringVar(&diffKsArgs.path, "path", "", "Path to a local directory that matches the specified Kustomization.spec.path.)")
+	diffKsCmd.Flags().StringVar(&diffKsArgs.path, "path", "", "Path to a local directory that matches the specified Kustomization.spec.path.")
 	diffKsCmd.Flags().BoolVar(&diffKsArgs.progressBar, "progress-bar", true, "Boolean to set the progress bar. The default value is true.")
+	diffKsCmd.Flags().StringVar(&diffKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	diffCmd.AddCommand(diffKsCmd)
 }

@@ -66,12 +71,18 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 		return &RequestError{StatusCode: 2, Err: fmt.Errorf("invalid resource path %q", diffKsArgs.path)}
 	}

+	if diffKsArgs.kustomizationFile != "" {
+		if fs, err := os.Stat(diffKsArgs.kustomizationFile); os.IsNotExist(err) || fs.IsDir() {
+			return fmt.Errorf("invalid kustomization file %q", diffKsArgs.kustomizationFile)
+		}
+	}
+
 	var builder *build.Builder
 	var err error
 	if diffKsArgs.progressBar {
-		builder, err = build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithProgressBar())
+		builder, err = build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(diffKsArgs.kustomizationFile), build.WithProgressBar())
 	} else {
-		builder, err = build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout))
+		builder, err = build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(diffKsArgs.kustomizationFile))
 	}

 	if err != nil {
@@ -0,0 +1,92 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var exportSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Export OCIRepository sources in YAML format",
+	Long:  "The export source oci command exports one or all OCIRepository sources in YAML format.",
+	Example: `  # Export all OCIRepository sources
+  flux export source oci --all > sources.yaml
+
+  # Export a OCIRepository including the static credentials
+  flux export source oci my-app --with-credentials > source.yaml`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
+	RunE: exportWithSecretCommand{
+		list:   ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
+		object: ociRepositoryAdapter{&sourcev1.OCIRepository{}},
+	}.run,
+}
+
+func init() {
+	exportSourceCmd.AddCommand(exportSourceOCIRepositoryCmd)
+}
+
+func exportOCIRepository(source *sourcev1.OCIRepository) interface{} {
+	gvk := sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)
+	export := sourcev1.OCIRepository{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        source.Name,
+			Namespace:   source.Namespace,
+			Labels:      source.Labels,
+			Annotations: source.Annotations,
+		},
+		Spec: source.Spec,
+	}
+	return export
+}
+
+func getOCIRepositorySecret(source *sourcev1.OCIRepository) *types.NamespacedName {
+	if source.Spec.SecretRef != nil {
+		namespacedName := types.NamespacedName{
+			Namespace: source.Namespace,
+			Name:      source.Spec.SecretRef.Name,
+		}
+
+		return &namespacedName
+	}
+
+	return nil
+}
+
+func (ex ociRepositoryAdapter) secret() *types.NamespacedName {
+	return getOCIRepositorySecret(ex.OCIRepository)
+}
+
+func (ex ociRepositoryListAdapter) secretItem(i int) *types.NamespacedName {
+	return getOCIRepositorySecret(&ex.OCIRepositoryList.Items[i])
+}
+
+func (ex ociRepositoryAdapter) export() interface{} {
+	return exportOCIRepository(ex.OCIRepository)
+}
+
+func (ex ociRepositoryListAdapter) exportItem(i int) interface{} {
+	return exportOCIRepository(&ex.OCIRepositoryList.Items[i])
+}
@@ -162,7 +162,9 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 	}

 	if get.list.len() == 0 {
-		if !getAll {
+		if len(args) > 0 {
+			logger.Failuref("%s object '%s' not found in '%s' namespace", get.kind, args[0], *kubeconfigArgs.Namespace)
+		} else if !getAll {
 			logger.Failuref("no %s objects found in %s namespace", get.kind, *kubeconfigArgs.Namespace)
 		}
 		return nil
@@ -212,7 +214,6 @@ func getRowsToPrint(getAll bool, list summarisable) ([][]string, error) {
 	return rows, nil
 }

-//
 // watch starts a client-side watch of one or more resources.
 func (get *getCommand) watch(ctx context.Context, kubeClient client.WithWatch, cmd *cobra.Command, args []string, listOpts []client.ListOption) error {
 	w, err := kubeClient.Watch(ctx, get.list.asClientList(), listOpts...)
@@ -40,6 +40,10 @@ var getSourceAllCmd = &cobra.Command{
 		}

 		var allSourceCmd = []getCommand{
+			{
+				apiType: ociRepositoryType,
+				list:    &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
+			},
 			{
 				apiType: bucketType,
 				list:    &bucketListAdapter{&sourcev1.BucketList{}},
@@ -0,0 +1,98 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var getSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci",
+	Short: "Get OCIRepository status",
+	Long:  "The get sources oci command prints the status of the OCIRepository sources.",
+	Example: `  # List all OCIRepositories and their status
+  flux get sources oci
+
+  # List OCIRepositories from all namespaces
+  flux get sources oci --all-namespaces`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		get := getCommand{
+			apiType: ociRepositoryType,
+			list:    &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
+			funcMap: make(typeMap),
+		}
+
+		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
+			o, ok := obj.(*sourcev1.OCIRepository)
+			if !ok {
+				return nil, fmt.Errorf("impossible to cast type %#v to OCIRepository", obj)
+			}
+
+			sink := &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{
+				Items: []sourcev1.OCIRepository{
+					*o,
+				}}}
+			return sink, nil
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if err := get.run(cmd, args); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	getSourceCmd.AddCommand(getSourceOCIRepositoryCmd)
+}
+
+func (a *ociRepositoryListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
+	item := a.Items[i]
+	var revision string
+	if item.GetArtifact() != nil {
+		revision = item.GetArtifact().Revision
+	}
+	status, msg := statusAndMessage(item.Status.Conditions)
+	return append(nameColumns(&item, includeNamespace, includeKind),
+		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+}
+
+func (a ociRepositoryListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
+	if includeNamespace {
+		headers = append([]string{"Namespace"}, headers...)
+	}
+	return headers
+}
+
+func (a ociRepositoryListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}
@@ -1,6 +1,22 @@
 //go:build e2e
 // +build e2e

+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package main

 import "testing"
@@ -27,6 +27,7 @@ import (

 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/status"
 )
@@ -134,7 +135,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating manifests")
 	}

-	tmpDir, err := os.MkdirTemp("", *kubeconfigArgs.Namespace)
+	tmpDir, err := manifestgen.MkdirTempAbs("", *kubeconfigArgs.Namespace)
 	if err != nil {
 		return err
 	}
@@ -193,7 +194,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}

-	applyOutput, err := utils.Apply(ctx, kubeconfigArgs, kubeclientOptions, filepath.Join(tmpDir, manifest.Path))
+	applyOutput, err := utils.Apply(ctx, kubeconfigArgs, kubeclientOptions, tmpDir, filepath.Join(tmpDir, manifest.Path))
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
 	}
@@ -0,0 +1,53 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import "testing"
+
+func TestInstall(t *testing.T) {
+	// The pointer to kubeconfigArgs.Namespace is shared across
+	// the tests. When a new value is set, it will linger and
+	// impact subsequent tests.
+	// Given that this test uses an invalid namespace, it ensures
+	// to restore whatever value it had previously.
+	currentNamespace := *kubeconfigArgs.Namespace
+	defer func() {
+		*kubeconfigArgs.Namespace = currentNamespace
+	}()
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "invalid namespace",
+			args:   "install --namespace='@#[]'",
+			assert: assertError("namespace must be a valid DNS label: \"@#[]\""),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -1,5 +1,5 @@
 /*
-Copyright 2021 The Flux authors
+Copyright 2022 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,22 +14,18 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package test
+package main

 import (
-	"context"
-	"os/exec"
-	"strings"
+	"github.com/spf13/cobra"
 )

-type whichTerraform struct{}
-
-func (w *whichTerraform) ExecPath(ctx context.Context) (string, error) {
-	cmd := exec.CommandContext(ctx, "which", "terraform")
-	output, err := cmd.Output()
-	if err != nil {
-		return "", err
-	}
-	path := strings.TrimSuffix(string(output), "\n")
-	return path, nil
+var listCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List artifacts",
+	Long:  "The list command is used for printing the OCI artifacts metadata.",
+}
+
+func init() {
+	rootCmd.AddCommand(listCmd)
 }
@@ -0,0 +1,123 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/spf13/cobra"
+
+	oci "github.com/fluxcd/pkg/oci/client"
+
+	"github.com/fluxcd/flux2/pkg/printers"
+)
+
+type listArtifactFlags struct {
+	semverFilter string
+	regexFilter  string
+	creds        string
+	provider     flags.SourceOCIProvider
+}
+
+var listArtifactArgs = newListArtifactFlags()
+
+func newListArtifactFlags() listArtifactFlags {
+	return listArtifactFlags{
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+	}
+}
+
+var listArtifactsCmd = &cobra.Command{
+	Use:   "artifacts",
+	Short: "list artifacts",
+	Long: `The list command fetches the tags and their metadata from a remote OCI repository.
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
+	Example: `  # List the artifacts stored in an OCI repository
+  flux list artifact oci://ghcr.io/org/config/app
+`,
+	RunE: listArtifactsCmdRun,
+}
+
+func init() {
+	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.semverFilter, "filter-semver", "", "filter tags returned from the oci repository using semver")
+	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.regexFilter, "filter-regex", "", "filter tags returned from the oci repository using regex")
+	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
+	listArtifactsCmd.Flags().Var(&listArtifactArgs.provider, "provider", listArtifactArgs.provider.Description())
+
+	listCmd.AddCommand(listArtifactsCmd)
+}
+
+func listArtifactsCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("artifact repository URL is required")
+	}
+	ociURL := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	url, err := oci.ParseArtifactURL(ociURL)
+	if err != nil {
+		return err
+	}
+
+	ociClient := oci.NewLocalClient()
+
+	if listArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && listArtifactArgs.creds != "" {
+		logger.Actionf("logging in to registry with credentials")
+		if err := ociClient.LoginWithCredentials(listArtifactArgs.creds); err != nil {
+			return fmt.Errorf("could not login with credentials: %w", err)
+		}
+	}
+
+	if listArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+		logger.Actionf("logging in to registry with provider credentials")
+		ociProvider, err := listArtifactArgs.provider.ToOCIProvider()
+		if err != nil {
+			return fmt.Errorf("provider not supported: %w", err)
+		}
+
+		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
+			return fmt.Errorf("error during login with provider: %w", err)
+		}
+	}
+
+	opts := oci.ListOptions{
+		RegexFilter:  listArtifactArgs.regexFilter,
+		SemverFilter: listArtifactArgs.semverFilter,
+	}
+
+	metas, err := ociClient.List(ctx, url, opts)
+	if err != nil {
+		return err
+	}
+
+	var rows [][]string
+	for _, meta := range metas {
+		rows = append(rows, []string{meta.URL, meta.Digest, meta.Source, meta.Revision})
+	}
+
+	err = printers.TablePrinter([]string{"artifact", "digest", "source", "revision"}).Print(cmd.OutOrStdout(), rows)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
@@ -80,6 +80,8 @@ var logsArgs = &logsFlags{
 	tail: -1,
 }

+const controllerContainer = "manager"
+
 func init() {
 	logsCmd.Flags().Var(&logsArgs.logLevel, "level", logsArgs.logLevel.Description())
 	logsCmd.Flags().StringVarP(&logsArgs.kind, "kind", "", logsArgs.kind, "displays errors of a particular toolkit kind e.g GitRepository")
@@ -146,6 +148,10 @@ func logsCmdRun(cmd *cobra.Command, args []string) error {

 	var requests []rest.ResponseWrapper
 	for _, pod := range pods {
+		logOpts := logOpts.DeepCopy()
+		if len(pod.Spec.Containers) > 1 {
+			logOpts.Container = controllerContainer
+		}
 		req := clientset.CoreV1().Pods(logsArgs.fluxNamespace).GetLogs(pod.Name, logOpts)
 		requests = append(requests, req)
 	}
@@ -198,12 +204,10 @@ func parallelPodLogs(ctx context.Context, requests []rest.ResponseWrapper) error
 	wg := &sync.WaitGroup{}
 	wg.Add(len(requests))

-	var mutex = &sync.Mutex{}
-
 	for _, request := range requests {
 		go func(req rest.ResponseWrapper) {
 			defer wg.Done()
-			if err := logRequest(mutex, ctx, req, os.Stdout); err != nil {
+			if err := logRequest(ctx, req, writer); err != nil {
 				writer.CloseWithError(err)
 				return
 			}
@@ -220,9 +224,8 @@ func parallelPodLogs(ctx context.Context, requests []rest.ResponseWrapper) error
 }

 func podLogs(ctx context.Context, requests []rest.ResponseWrapper) error {
-	mutex := &sync.Mutex{}
 	for _, req := range requests {
-		if err := logRequest(mutex, ctx, req, os.Stdout); err != nil {
+		if err := logRequest(ctx, req, os.Stdout); err != nil {
 			return err
 		}
 	}
@@ -240,7 +243,7 @@ func createLabelStringFromMap(m map[string]string) string {
 	return strings.Join(strArr, ",")
 }

-func logRequest(mu *sync.Mutex, ctx context.Context, request rest.ResponseWrapper, w io.Writer) error {
+func logRequest(ctx context.Context, request rest.ResponseWrapper, w io.Writer) error {
 	stream, err := request.Stream(ctx)
 	if err != nil {
 		return err
@@ -249,12 +252,13 @@ func logRequest(mu *sync.Mutex, ctx context.Context, request rest.ResponseWrappe

 	scanner := bufio.NewScanner(stream)

-	const logTmpl = "{{.Timestamp}} {{.Level}} {{.Kind}}{{if .Name}}/{{.Name}}.{{.Namespace}}{{end}} - {{.Message}} {{.Error}}\n"
+	const logTmpl = "{{.Timestamp}} {{.Level}} {{or .Kind .ControllerKind}}{{if .Name}}/{{.Name}}.{{.Namespace}}{{end}} - {{.Message}} {{.Error}}\n"
 	t, err := template.New("log").Parse(logTmpl)
 	if err != nil {
 		return fmt.Errorf("unable to create template, err: %s", err)
 	}

+	bw := bufio.NewWriter(w)
 	for scanner.Scan() {
 		line := scanner.Text()
 		if !strings.HasPrefix(line, "{") {
@@ -265,27 +269,23 @@ func logRequest(mu *sync.Mutex, ctx context.Context, request rest.ResponseWrappe
 			logger.Failuref("parse error: %s", err)
 			break
 		}
-
-		mu.Lock()
-		filterPrintLog(t, &l)
-		mu.Unlock()
+		filterPrintLog(t, &l, bw)
+		bw.Flush()
 	}

 	return nil
 }

-func filterPrintLog(t *template.Template, l *ControllerLogEntry) {
-	if logsArgs.logLevel != "" && logsArgs.logLevel != l.Level ||
-		logsArgs.kind != "" && strings.ToLower(logsArgs.kind) != strings.ToLower(l.Kind) ||
-		logsArgs.name != "" && strings.ToLower(logsArgs.name) != strings.ToLower(l.Name) ||
-		!logsArgs.allNamespaces && strings.ToLower(*kubeconfigArgs.Namespace) != strings.ToLower(l.Namespace) {
-		return
-	}
-
-	err := t.Execute(os.Stdout, l)
+func filterPrintLog(t *template.Template, l *ControllerLogEntry, w io.Writer) {
+	if (logsArgs.logLevel == "" || logsArgs.logLevel == l.Level) &&
+		(logsArgs.kind == "" || strings.EqualFold(logsArgs.kind, l.Kind) || strings.EqualFold(logsArgs.kind, l.ControllerKind)) &&
+		(logsArgs.name == "" || strings.EqualFold(logsArgs.name, l.Name)) &&
+		(logsArgs.allNamespaces || strings.EqualFold(*kubeconfigArgs.Namespace, l.Namespace)) {
+		err := t.Execute(w, l)
 		if err != nil {
 			logger.Failuref("log template error: %s", err)
 		}
+	}
 }

 type ControllerLogEntry struct {
@@ -295,6 +295,7 @@ type ControllerLogEntry struct {
 	Error          string         `json:"error,omitempty"`
 	Logger         string         `json:"logger"`
 	Kind           string         `json:"reconciler kind,omitempty"`
+	ControllerKind string         `json:"controllerKind,omitempty"`
 	Name           string         `json:"name,omitempty"`
 	Namespace      string         `json:"namespace,omitempty"`
 }
@@ -20,7 +20,14 @@ limitations under the License.
 package main

 import (
+	"bytes"
+	"context"
+	"io"
+	"os"
+	"strings"
 	"testing"
+
+	. "github.com/onsi/gomega"
 )

 func TestLogsNoArgs(t *testing.T) {
@@ -78,3 +85,106 @@ func TestLogsSinceOnlyOneAllowed(t *testing.T) {
 	}
 	cmd.runTestCmd(t)
 }
+
+func TestLogRequest(t *testing.T) {
+	mapper := &testResponseMapper{}
+	tests := []struct {
+		name       string
+		namespace  string
+		flags      *logsFlags
+		assertFile string
+	}{
+		{
+			name: "all logs",
+			flags: &logsFlags{
+				tail:          -1,
+				allNamespaces: true,
+			},
+			assertFile: "testdata/logs/all-logs.txt",
+		},
+		{
+			name:      "filter by namespace",
+			namespace: "default",
+			flags: &logsFlags{
+				tail: -1,
+			},
+			assertFile: "testdata/logs/namespace.txt",
+		},
+		{
+			name: "filter by kind and namespace",
+			flags: &logsFlags{
+				tail: -1,
+				kind: "Kustomization",
+			},
+			assertFile: "testdata/logs/kind.txt",
+		},
+		{
+			name: "filter by loglevel",
+			flags: &logsFlags{
+				tail:          -1,
+				logLevel:      "error",
+				allNamespaces: true,
+			},
+			assertFile: "testdata/logs/log-level.txt",
+		},
+		{
+			name:      "filter by namespace, name, loglevel and kind",
+			namespace: "flux-system",
+			flags: &logsFlags{
+				tail:     -1,
+				logLevel: "error",
+				kind:     "Kustomization",
+				name:     "podinfo",
+			},
+			assertFile: "testdata/logs/multiple-filters.txt",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			logsArgs = tt.flags
+			if tt.namespace != "" {
+				*kubeconfigArgs.Namespace = tt.namespace
+			}
+			w := bytes.NewBuffer([]byte{})
+			err := logRequest(context.Background(), mapper, w)
+			g.Expect(err).To(BeNil())
+
+			got := make([]byte, w.Len())
+			_, err = w.Read(got)
+			g.Expect(err).To(BeNil())
+
+			expected, err := os.ReadFile(tt.assertFile)
+			g.Expect(err).To(BeNil())
+
+			g.Expect(string(got)).To(Equal(string(expected)))
+
+			// reset flags to default
+			*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
+			logsArgs = &logsFlags{
+				tail: -1,
+			}
+		})
+	}
+}
+
+var testPodLogs = `{"level":"info","ts":"2022-08-02T12:55:34.419Z","msg":"no changes since last reconcilation: observed revision","controller":"gitrepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"GitRepository","gitRepository":{"name":"podinfo","namespace":"default"},"namespace":"default","name":"podinfo","reconcileID":"5ef9b2ef-4ea5-47b7-b887-a247cafc1bce"}
+{"level":"error","ts":"2022-08-02T12:56:04.679Z","logger":"controller.gitrepository","msg":"no changes since last reconcilation: observed revision","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"GitRepository","gitRepository":{"name":"podinfo","namespace":"flux-system"},"name":"flux-system","namespace":"flux-system","reconcileID":"543ef9b2ef-4ea5-47b7-b887-a247cafc1bce"}
+{"level":"error","ts":"2022-08-02T12:56:34.961Z","logger":"controller.kustomization","msg":"no changes since last reconcilation: observed revision","reconciler group":"kustomize.toolkit.fluxcd.io","reconciler kind":"Kustomization","name":"flux-system","namespace":"flux-system"}
+{"level":"info","ts":"2022-08-02T12:56:34.961Z","logger":"controller.kustomization","msg":"no changes since last reconcilation: observed revision","reconciler group":"kustomize.toolkit.fluxcd.io","reconciler kind":"Kustomization","name":"podinfo","namespace":"default"}
+{"level":"info","ts":"2022-08-02T12:56:34.961Z","logger":"controller.gitrepository","msg":"no changes since last reconcilation: observed revision","reconciler group":"source.toolkit.fluxcd.io","reconciler kind":"GitRepository","name":"podinfo","namespace":"default"}
+{"level":"error","ts":"2022-08-02T12:56:34.961Z","logger":"controller.kustomization","msg":"no changes since last reconcilation: observed revision","reconciler group":"kustomize.toolkit.fluxcd.io","reconciler kind":"Kustomization","name":"podinfo","namespace":"flux-system"}
+`
+
+type testResponseMapper struct {
+}
+
+func (t *testResponseMapper) DoRaw(_ context.Context) ([]byte, error) {
+	return nil, nil
+}
+
+func (t *testResponseMapper) Stream(_ context.Context) (io.ReadCloser, error) {
+	return io.NopCloser(strings.NewReader(testPodLogs)), nil
+}
@@ -27,6 +27,7 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"

@@ -96,6 +97,18 @@ Command line utility for assembling Kubernetes CD pipelines the GitOps way.`,

  # Uninstall Flux and delete CRDs
  flux uninstall`,
+	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+		ns, err := cmd.Flags().GetString("namespace")
+		if err != nil {
+			return fmt.Errorf("error getting namespace: %w", err)
+		}
+
+		if e := validation.IsDNS1123Label(ns); len(e) > 0 {
+			return fmt.Errorf("namespace must be a valid DNS label: %q", ns)
+		}
+
+		return nil
+	},
 }

 var logger = stderrLogger{stderr: os.Stderr}
@@ -178,17 +191,18 @@ func configureDefaultNamespace() {
 	*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
 	fromEnv := os.Getenv("FLUX_SYSTEM_NAMESPACE")
 	if fromEnv != "" {
+		// namespace must be a valid DNS label. Assess against validation
+		// used upstream, and ignore invalid values as environment vars
+		// may not be actively provided by end-user.
+		if e := validation.IsDNS1123Label(fromEnv); len(e) > 0 {
+			logger.Warningf(" ignoring invalid FLUX_SYSTEM_NAMESPACE: %q", fromEnv)
+			return
+		}
+
 		kubeconfigArgs.Namespace = &fromEnv
 	}
 }

-func homeDir() string {
-	if h := os.Getenv("HOME"); h != "" {
-		return h
-	}
-	return os.Getenv("USERPROFILE") // windows
-}
-
 // readPasswordFromStdin reads a password from stdin and returns the input
 // with trailing newline and/or carriage return removed. It also makes sure that terminal
 // echoing is turned off if stdin is a terminal.
@@ -288,7 +288,9 @@ func assertGoldenFile(goldenFile string) assertFunc {
 // is pre-processed with the specified templateValues.
 func assertGoldenTemplateFile(goldenFile string, templateValues map[string]string) assertFunc {
 	goldenFileContents, fileErr := os.ReadFile(goldenFile)
-	return func(output string, err error) error {
+	return assert(
+		assertSuccess(),
+		func(output string, err error) error {
 			if fileErr != nil {
 				return fmt.Errorf("Error reading golden file '%s': %s", goldenFile, fileErr)
 			}
@@ -317,7 +319,7 @@ func assertGoldenTemplateFile(goldenFile string, templateValues map[string]strin
 				return fmt.Errorf("Mismatch from golden file '%s': %v", goldenFile, assertErr)
 			}
 			return nil
-	}
+		})
 }

 type TestClusterMode int
@@ -341,7 +343,6 @@ type cmdTestCase struct {

 func (cmd *cmdTestCase) runTestCmd(t *testing.T) {
 	actual, testErr := executeCommand(cmd.args)
-
 	// If the cmd error is a change, discard it
 	if isChangeError(testErr) {
 		testErr = nil
@@ -383,10 +384,51 @@ func executeCommand(cmd string) (string, error) {
 	return result, err
 }

+// resetCmdArgs resets the flags for various cmd
+// Note: this will also clear default value of the flags set in init()
 func resetCmdArgs() {
+	*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
+	alertArgs = alertFlags{}
+	alertProviderArgs = alertProviderFlags{}
+	bootstrapArgs = NewBootstrapFlags()
+	bServerArgs = bServerFlags{}
+	buildKsArgs = buildKsFlags{}
+	checkArgs = checkFlags{}
 	createArgs = createFlags{}
+	deleteArgs = deleteFlags{}
+	diffKsArgs = diffKsFlags{}
+	exportArgs = exportFlags{}
 	getArgs = GetFlags{}
+	gitArgs = gitFlags{}
+	githubArgs = githubFlags{}
+	gitlabArgs = gitlabFlags{}
+	helmReleaseArgs = helmReleaseFlags{
+		reconcileStrategy: "ChartVersion",
+	}
+	imagePolicyArgs = imagePolicyFlags{}
+	imageRepoArgs = imageRepoFlags{}
+	imageUpdateArgs = imageUpdateFlags{}
+	kustomizationArgs = NewKustomizationFlags()
+	receiverArgs = receiverFlags{}
+	resumeArgs = ResumeFlags{}
+	rhrArgs = reconcileHelmReleaseFlags{}
+	rksArgs = reconcileKsFlags{}
 	secretGitArgs = NewSecretGitFlags()
+	secretHelmArgs = secretHelmFlags{}
+	secretTLSArgs = secretTLSFlags{}
+	sourceBucketArgs = sourceBucketFlags{}
+	sourceGitArgs = newSourceGitFlags()
+	sourceHelmArgs = sourceHelmFlags{}
+	sourceOCIRepositoryArgs = sourceOCIRepositoryFlags{}
+	suspendArgs = SuspendFlags{}
+	tenantArgs = tenantFlags{}
+	traceArgs = traceFlags{}
+	treeKsArgs = TreeKsFlags{}
+	uninstallArgs = uninstallFlags{}
+	versionArgs = versionFlags{
+		output: "yaml",
+	}
+
 }

 func isChangeError(err error) bool {
@@ -0,0 +1,31 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var pullCmd = &cobra.Command{
+	Use:   "pull",
+	Short: "Pull artifacts",
+	Long:  "The pull command is used to download OCI artifacts.",
+}
+
+func init() {
+	rootCmd.AddCommand(pullCmd)
+}
@@ -0,0 +1,119 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/spf13/cobra"
+
+	oci "github.com/fluxcd/pkg/oci/client"
+)
+
+var pullArtifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Pull artifact",
+	Long: `The pull artifact command downloads and extracts the OCI artifact content to the given path.
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
+	Example: `  # Pull an OCI artifact created by flux from GHCR
+  flux pull artifact oci://ghcr.io/org/manifests/app:v0.0.1 --output ./path/to/local/manifests
+`,
+	RunE: pullArtifactCmdRun,
+}
+
+type pullArtifactFlags struct {
+	output   string
+	creds    string
+	provider flags.SourceOCIProvider
+}
+
+var pullArtifactArgs = newPullArtifactFlags()
+
+func newPullArtifactFlags() pullArtifactFlags {
+	return pullArtifactFlags{
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+	}
+}
+
+func init() {
+	pullArtifactCmd.Flags().StringVarP(&pullArtifactArgs.output, "output", "o", "", "path where the artifact content should be extracted.")
+	pullArtifactCmd.Flags().StringVar(&pullArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
+	pullArtifactCmd.Flags().Var(&pullArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
+	pullCmd.AddCommand(pullArtifactCmd)
+}
+
+func pullArtifactCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("artifact URL is required")
+	}
+	ociURL := args[0]
+
+	if pullArtifactArgs.output == "" {
+		return fmt.Errorf("invalid output path %s", pullArtifactArgs.output)
+	}
+
+	if fs, err := os.Stat(pullArtifactArgs.output); err != nil || !fs.IsDir() {
+		return fmt.Errorf("invalid output path %s", pullArtifactArgs.output)
+	}
+
+	url, err := oci.ParseArtifactURL(ociURL)
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	ociClient := oci.NewLocalClient()
+
+	if pullArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pullArtifactArgs.creds != "" {
+		logger.Actionf("logging in to registry with credentials")
+		if err := ociClient.LoginWithCredentials(pullArtifactArgs.creds); err != nil {
+			return fmt.Errorf("could not login with credentials: %w", err)
+		}
+	}
+
+	if pullArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+		logger.Actionf("logging in to registry with provider credentials")
+		ociProvider, err := pullArtifactArgs.provider.ToOCIProvider()
+		if err != nil {
+			return fmt.Errorf("provider not supported: %w", err)
+		}
+
+		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
+			return fmt.Errorf("error during login with provider: %w", err)
+		}
+	}
+
+	logger.Actionf("pulling artifact from %s", url)
+
+	meta, err := ociClient.Pull(ctx, url, pullArtifactArgs.output)
+	if err != nil {
+		return err
+	}
+
+	logger.Successf("source %s", meta.Source)
+	logger.Successf("revision %s", meta.Revision)
+	logger.Successf("digest %s", meta.Digest)
+	logger.Successf("artifact content extracted to %s", pullArtifactArgs.output)
+
+	return nil
+}
@@ -0,0 +1,31 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var pushCmd = &cobra.Command{
+	Use:   "push",
+	Short: "Push artifacts",
+	Long:  "The push command is used to publish OCI artifacts.",
+}
+
+func init() {
+	rootCmd.AddCommand(pushCmd)
+}
@@ -0,0 +1,163 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/spf13/cobra"
+
+	oci "github.com/fluxcd/pkg/oci/client"
+)
+
+var pushArtifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Push artifact",
+	Long: `The push artifact command creates a tarball from the given directory and uploads the artifact to an OCI repository.
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
+	Example: `  # Push manifests to GHCR using the short Git SHA as the OCI artifact tag
+  echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin
+  flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
+	--path="./path/to/local/manifests" \
+	--source="$(git config --get remote.origin.url)" \
+	--revision="$(git branch --show-current)/$(git rev-parse HEAD)"
+
+  # Push manifests to Docker Hub using the Git tag as the OCI artifact tag
+  echo $DOCKER_PAT | docker login --username flux --password-stdin
+  flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
+	--path="./path/to/local/manifests" \
+	--source="$(git config --get remote.origin.url)" \
+	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
+
+  # Login directly to the registry provider
+  # You might need to export the following variable if you use local config files for AWS:
+  # export AWS_SDK_LOAD_CONFIG=1
+  flux push artifact oci://<account>.dkr.ecr.<region>.amazonaws.com/foo:v1:$(git tag --points-at HEAD) \
+	--path="./path/to/local/manifests" \
+	--source="$(git config --get remote.origin.url)" \
+	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" \
+	--provider aws
+
+  # Or pass credentials directly
+  flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
+	--path="./path/to/local/manifests" \
+	--source="$(git config --get remote.origin.url)" \
+	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" \
+	--creds flux:$DOCKER_PAT
+`,
+	RunE: pushArtifactCmdRun,
+}
+
+type pushArtifactFlags struct {
+	path        string
+	source      string
+	revision    string
+	creds       string
+	provider    flags.SourceOCIProvider
+	ignorePaths []string
+}
+
+var pushArtifactArgs = newPushArtifactFlags()
+
+func newPushArtifactFlags() pushArtifactFlags {
+	return pushArtifactFlags{
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+	}
+}
+
+func init() {
+	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.path, "path", "", "path to the directory where the Kubernetes manifests are located")
+	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.source, "source", "", "the source address, e.g. the Git URL")
+	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.revision, "revision", "", "the source revision in the format '<branch|tag>/<commit-sha>'")
+	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
+	pushArtifactCmd.Flags().Var(&pushArtifactArgs.provider, "provider", pushArtifactArgs.provider.Description())
+	pushArtifactCmd.Flags().StringSliceVar(&pushArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
+
+	pushCmd.AddCommand(pushArtifactCmd)
+}
+
+func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("artifact URL is required")
+	}
+	ociURL := args[0]
+
+	if pushArtifactArgs.source == "" {
+		return fmt.Errorf("--source is required")
+	}
+
+	if pushArtifactArgs.revision == "" {
+		return fmt.Errorf("--revision is required")
+	}
+
+	if pushArtifactArgs.path == "" {
+		return fmt.Errorf("invalid path %q", pushArtifactArgs.path)
+	}
+
+	url, err := oci.ParseArtifactURL(ociURL)
+	if err != nil {
+		return err
+	}
+
+	if fs, err := os.Stat(pushArtifactArgs.path); err != nil || !fs.IsDir() {
+		return fmt.Errorf("invalid path %q", pushArtifactArgs.path)
+	}
+
+	meta := oci.Metadata{
+		Source:   pushArtifactArgs.source,
+		Revision: pushArtifactArgs.revision,
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	ociClient := oci.NewLocalClient()
+
+	if pushArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pushArtifactArgs.creds != "" {
+		logger.Actionf("logging in to registry with credentials")
+		if err := ociClient.LoginWithCredentials(pushArtifactArgs.creds); err != nil {
+			return fmt.Errorf("could not login with credentials: %w", err)
+		}
+	}
+
+	if pushArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+		logger.Actionf("logging in to registry with provider credentials")
+		ociProvider, err := pushArtifactArgs.provider.ToOCIProvider()
+		if err != nil {
+			return fmt.Errorf("provider not supported: %w", err)
+		}
+
+		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
+			return fmt.Errorf("error during login with provider: %w", err)
+		}
+	}
+
+	logger.Actionf("pushing artifact to %s", url)
+
+	digest, err := ociClient.Push(ctx, url, pushArtifactArgs.path, meta, pushArtifactArgs.ignorePaths)
+	if err != nil {
+		return fmt.Errorf("pushing artifact failed: %w", err)
+	}
+
+	logger.Successf("artifact successfully pushed to %s", digest)
+
+	return nil
+}
@@ -65,6 +65,11 @@ func (obj kustomizationAdapter) reconcileSource() bool {
 func (obj kustomizationAdapter) getSource() (reconcileCommand, types.NamespacedName) {
 	var cmd reconcileCommand
 	switch obj.Spec.SourceRef.Kind {
+	case sourcev1.OCIRepositoryKind:
+		cmd = reconcileCommand{
+			apiType: ociRepositoryType,
+			object:  ociRepositoryAdapter{&sourcev1.OCIRepository{}},
+		}
 	case sourcev1.GitRepositoryKind:
 		cmd = reconcileCommand{
 			apiType: gitRepositoryType,
@@ -21,6 +21,8 @@ import (

 	"github.com/spf13/cobra"

+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )

@@ -46,5 +48,15 @@ func (obj helmRepositoryAdapter) lastHandledReconcileRequest() string {
 }

 func (obj helmRepositoryAdapter) successMessage() string {
+	// HelmRepository of type OCI don't set an Artifact
+	if obj.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		readyCondition := conditions.Get(obj.HelmRepository, meta.ReadyCondition)
+		// This shouldn't happen, successMessage shouldn't be called if
+		// object isn't ready
+		if readyCondition == nil {
+			return ""
+		}
+		return readyCondition.Message
+	}
 	return fmt.Sprintf("fetched revision %s", obj.Status.Artifact.Revision)
 }
@@ -0,0 +1,50 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var reconcileSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Reconcile an OCIRepository",
+	Long:  `The reconcile source command triggers a reconciliation of an OCIRepository resource and waits for it to finish.`,
+	Example: `  # Trigger a reconciliation for an existing source
+  flux reconcile source oci podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
+	RunE: reconcileCommand{
+		apiType: ociRepositoryType,
+		object:  ociRepositoryAdapter{&sourcev1.OCIRepository{}},
+	}.run,
+}
+
+func init() {
+	reconcileSourceCmd.AddCommand(reconcileSourceOCIRepositoryCmd)
+}
+
+func (obj ociRepositoryAdapter) lastHandledReconcileRequest() string {
+	return obj.Status.GetLastHandledReconcileRequest()
+}
+
+func (obj ociRepositoryAdapter) successMessage() string {
+	return fmt.Sprintf("fetched revision %s", obj.Status.Artifact.Revision)
+}
@@ -0,0 +1,53 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var resumeSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Resume a suspended OCIRepository",
+	Long:  `The resume command marks a previously suspended OCIRepository resource for reconciliation and waits for it to finish.`,
+	Example: `  # Resume reconciliation for an existing OCIRepository
+  flux resume source oci podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
+	RunE: resumeCommand{
+		apiType: ociRepositoryType,
+		object:  ociRepositoryAdapter{&sourcev1.OCIRepository{}},
+		list:    ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
+	}.run,
+}
+
+func init() {
+	resumeSourceCmd.AddCommand(resumeSourceOCIRepositoryCmd)
+}
+
+func (obj ociRepositoryAdapter) getObservedGeneration() int64 {
+	return obj.OCIRepository.Status.ObservedGeneration
+}
+
+func (obj ociRepositoryAdapter) setUnsuspended() {
+	obj.OCIRepository.Spec.Suspend = false
+}
+
+func (a ociRepositoryListAdapter) resumeItem(i int) resumable {
+	return &ociRepositoryAdapter{&a.OCIRepositoryList.Items[i]}
+}
@@ -26,6 +26,40 @@ import (
 // the various commands. The *List adapters implement len(), since
 // it's used in at least a couple of commands.

+// sourcev1.ociRepository
+
+var ociRepositoryType = apiType{
+	kind:         sourcev1.OCIRepositoryKind,
+	humanKind:    "source oci",
+	groupVersion: sourcev1.GroupVersion,
+}
+
+type ociRepositoryAdapter struct {
+	*sourcev1.OCIRepository
+}
+
+func (a ociRepositoryAdapter) asClientObject() client.Object {
+	return a.OCIRepository
+}
+
+func (a ociRepositoryAdapter) deepCopyClientObject() client.Object {
+	return a.OCIRepository.DeepCopy()
+}
+
+// sourcev1.OCIRepositoryList
+
+type ociRepositoryListAdapter struct {
+	*sourcev1.OCIRepositoryList
+}
+
+func (a ociRepositoryListAdapter) asClientList() client.ObjectList {
+	return a.OCIRepositoryList
+}
+
+func (a ociRepositoryListAdapter) len() int {
+	return len(a.OCIRepositoryList.Items)
+}
+
 // sourcev1.Bucket

 var bucketType = apiType{
@@ -0,0 +1,71 @@
+//go:build e2e
+// +build e2e
+
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestSourceOCI(t *testing.T) {
+	cases := []struct {
+		args       string
+		goldenFile string
+	}{
+		{
+			"create source oci thrfg --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m",
+			"testdata/oci/create_source_oci.golden",
+		},
+		{
+			"get source oci thrfg",
+			"testdata/oci/get_oci.golden",
+		},
+		{
+			"reconcile source oci thrfg",
+			"testdata/oci/reconcile_oci.golden",
+		},
+		{
+			"suspend source oci thrfg",
+			"testdata/oci/suspend_oci.golden",
+		},
+		{
+			"resume source oci thrfg",
+			"testdata/oci/resume_oci.golden",
+		},
+		{
+			"delete source oci thrfg --silent",
+			"testdata/oci/delete_oci.golden",
+		},
+	}
+
+	namespace := allocateNamespace("oci-test")
+	del, err := setupTestNamespace(namespace)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer del()
+
+	for _, tc := range cases {
+		cmd := cmdTestCase{
+			args:   tc.args + " -n=" + namespace,
+			assert: assertGoldenTemplateFile(tc.goldenFile, map[string]string{"ns": namespace}),
+		}
+		cmd.runTestCmd(t)
+	}
+}
@@ -0,0 +1,53 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var suspendSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Suspend reconciliation of an OCIRepository",
+	Long:  "The suspend command disables the reconciliation of an OCIRepository resource.",
+	Example: `  # Suspend reconciliation for an existing OCIRepository
+  flux suspend source oci podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
+	RunE: suspendCommand{
+		apiType: ociRepositoryType,
+		object:  ociRepositoryAdapter{&sourcev1.OCIRepository{}},
+		list:    ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
+	}.run,
+}
+
+func init() {
+	suspendSourceCmd.AddCommand(suspendSourceOCIRepositoryCmd)
+}
+
+func (obj ociRepositoryAdapter) isSuspended() bool {
+	return obj.OCIRepository.Spec.Suspend
+}
+
+func (obj ociRepositoryAdapter) setSuspended() {
+	obj.OCIRepository.Spec.Suspend = true
+}
+
+func (a ociRepositoryListAdapter) item(i int) suspendable {
+	return &ociRepositoryAdapter{&a.OCIRepositoryList.Items[i]}
+}
@@ -0,0 +1,31 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var tagCmd = &cobra.Command{
+	Use:   "tag",
+	Short: "Tag artifacts",
+	Long:  "The tag command is used to tag OCI artifacts.",
+}
+
+func init() {
+	rootCmd.AddCommand(tagCmd)
+}
@@ -0,0 +1,114 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/spf13/cobra"
+
+	oci "github.com/fluxcd/pkg/oci/client"
+)
+
+var tagArtifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Tag artifact",
+	Long: `The tag artifact command creates tags for the given OCI artifact.
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
+	Example: `  # Tag an artifact version as latest
+  flux tag artifact oci://ghcr.io/org/manifests/app:v0.0.1 --tag latest
+`,
+	RunE: tagArtifactCmdRun,
+}
+
+type tagArtifactFlags struct {
+	tags     []string
+	creds    string
+	provider flags.SourceOCIProvider
+}
+
+var tagArtifactArgs = newTagArtifactFlags()
+
+func newTagArtifactFlags() tagArtifactFlags {
+	return tagArtifactFlags{
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+	}
+}
+
+func init() {
+	tagArtifactCmd.Flags().StringSliceVar(&tagArtifactArgs.tags, "tag", nil, "tag name")
+	tagArtifactCmd.Flags().StringVar(&tagArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
+	tagArtifactCmd.Flags().Var(&tagArtifactArgs.provider, "provider", tagArtifactArgs.provider.Description())
+	tagCmd.AddCommand(tagArtifactCmd)
+}
+
+func tagArtifactCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("artifact name is required")
+	}
+	ociURL := args[0]
+
+	if len(tagArtifactArgs.tags) < 1 {
+		return fmt.Errorf("--tag is required")
+	}
+
+	url, err := oci.ParseArtifactURL(ociURL)
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	ociClient := oci.NewLocalClient()
+
+	if tagArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && tagArtifactArgs.creds != "" {
+		logger.Actionf("logging in to registry with credentials")
+		if err := ociClient.LoginWithCredentials(tagArtifactArgs.creds); err != nil {
+			return fmt.Errorf("could not login with credentials: %w", err)
+		}
+	}
+
+	if tagArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+		logger.Actionf("logging in to registry with provider credentials")
+		ociProvider, err := tagArtifactArgs.provider.ToOCIProvider()
+		if err != nil {
+			return fmt.Errorf("provider not supported: %w", err)
+		}
+
+		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
+			return fmt.Errorf("error during login with provider: %w", err)
+		}
+	}
+
+	logger.Actionf("tagging artifact")
+
+	for _, tag := range tagArtifactArgs.tags {
+		img, err := ociClient.Tag(ctx, url, tag)
+		if err != nil {
+			return fmt.Errorf("tagging artifact failed: %w", err)
+		}
+
+		logger.Successf("artifact tagged as %s", img)
+	}
+
+	return nil
+
+}
@@ -13,3 +13,7 @@ spec:
    kind: GitRepository
    name: podinfo
  targetNamespace: default
+  postBuild:
+    substitute:
+      cluster_env: "prod"
+      cluster_region: "eu-central-1"
@@ -0,0 +1,216 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    environment: prod
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+    region: eu-central-1
+  name: podinfo
+  namespace: default
+spec:
+  minReadySeconds: 3
+  progressDeadlineSeconds: 60
+  revisionHistoryLimit: 5
+  selector:
+    matchLabels:
+      app: podinfo
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: "9797"
+        prometheus.io/scrape: "true"
+      labels:
+        app: podinfo
+    spec:
+      containers:
+      - command:
+        - ./podinfo
+        - --port=9898
+        - --port-metrics=9797
+        - --grpc-port=9999
+        - --grpc-service-name=podinfo
+        - --level=info
+        - --random-delay=false
+        - --random-error=false
+        env:
+        - name: PODINFO_UI_COLOR
+          value: '#34577c'
+        image: ghcr.io/stefanprodan/podinfo:6.0.10
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        name: podinfod
+        ports:
+        - containerPort: 9898
+          name: http
+          protocol: TCP
+        - containerPort: 9797
+          name: http-metrics
+          protocol: TCP
+        - containerPort: 9999
+          name: grpc
+          protocol: TCP
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 64Mi
+---
+apiVersion: v1
+data:
+  cluster.json: |
+    {
+      "annotations": {
+        "list": [
+          {
+            "builtIn": 1,
+            "datasource": "-- Grafana --",
+            "enable": true,
+            "hide": true,
+            "iconColor": "rgba(0, 211, 255, 1)",
+            "name": "Annotations & Alerts",
+            "type": "dashboard"
+          }
+        ]
+      },
+      "editable": true,
+      "gnetId": null,
+      "graphTooltip": 0,
+      "iteration": 1636369574387,
+      "links": [],
+      "panels": [
+        {
+          "datasource": "${DS_PROMETHEUS}",
+          "description": "",
+          "fieldConfig": {
+            "defaults": {
+              "decimals": 0,
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "blue",
+                    "value": null
+                  },
+                  {
+                    "color": "red",
+                    "value": 100
+                  }
+                ]
+              },
+              "unit": "short"
+            },
+            "overrides": []
+          },
+          "gridPos": {
+            "h": 5,
+            "w": 6,
+            "x": 0,
+            "y": 0
+          },
+          "id": 24,
+          "options": {
+            "colorMode": "value",
+            "graphMode": "none",
+            "justifyMode": "auto",
+            "orientation": "auto",
+            "reduceOptions": {
+              "calcs": [
+                "last"
+              ],
+              "fields": "",
+              "values": false
+            },
+            "text": {},
+            "textMode": "value"
+          },
+          "pluginVersion": "7.5.5",
+          "targets": [
+            {
+              "exemplar": true,
+              "expr": "count(gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"True\",kind=~\"Kustomization|HelmRelease\"})\n-\nsum(gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"Deleted\",kind=~\"Kustomization|HelmRelease\"})",
+              "interval": "",
+              "legendFormat": "",
+              "refId": "A"
+            }
+          ],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Cluster Reconcilers",
+          "type": "stat"
+        },
+        {
+          "collapsed": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "gridPos": {
+            "h": 1,
+            "w": 24,
+            "x": 0,
+            "y": 9
+          },
+          "id": 15,
+          "panels": [],
+          "title": "Status",
+          "type": "row"
+        }
+      ],
+      "refresh": "",
+      "schemaVersion": 27,
+      "style": "light",
+      "tags": [
+        "flux"
+      ],
+      "time": {
+        "from": "now-15m",
+        "to": "now"
+      },
+      "timepicker": {
+        "refresh_intervals": [
+          "10s",
+          "30s",
+          "1m",
+          "5m",
+          "15m",
+          "30m",
+          "1h",
+          "2h",
+          "1d"
+        ]
+      },
+      "timezone": "",
+      "title": "Flux Cluster Stats",
+      "uid": "flux-cluster",
+      "version": 1
+    }
+kind: ConfigMap
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: podinfo
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+    kustomize.toolkit.fluxcd.io/substitute: disabled
+  name: flux-grafana-dashboards-kt8md725kf
+  namespace: default
@@ -0,0 +1,124 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": "-- Grafana --",
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "gnetId": null,
+  "graphTooltip": 0,
+  "iteration": 1636369574387,
+  "links": [],
+  "panels": [
+    {
+      "datasource": "${DS_PROMETHEUS}",
+      "description": "",
+      "fieldConfig": {
+        "defaults": {
+          "decimals": 0,
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "blue",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 100
+              }
+            ]
+          },
+          "unit": "short"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 6,
+        "x": 0,
+        "y": 0
+      },
+      "id": 24,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "last"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "text": {},
+        "textMode": "value"
+      },
+      "pluginVersion": "7.5.5",
+      "targets": [
+        {
+          "exemplar": true,
+          "expr": "count(gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"True\",kind=~\"Kustomization|HelmRelease\"})\n-\nsum(gotk_reconcile_condition{namespace=~\"$operator_namespace\",exported_namespace=~\"$namespace\",type=\"Ready\",status=\"Deleted\",kind=~\"Kustomization|HelmRelease\"})",
+          "interval": "",
+          "legendFormat": "",
+          "refId": "A"
+        }
+      ],
+      "timeFrom": null,
+      "timeShift": null,
+      "title": "Cluster Reconcilers",
+      "type": "stat"
+    },
+    {
+      "collapsed": false,
+      "datasource": "${DS_PROMETHEUS}",
+      "gridPos": {
+        "h": 1,
+        "w": 24,
+        "x": 0,
+        "y": 9
+      },
+      "id": 15,
+      "panels": [],
+      "title": "Status",
+      "type": "row"
+    }
+  ],
+  "refresh": "",
+  "schemaVersion": 27,
+  "style": "light",
+  "tags": [
+    "flux"
+  ],
+  "time": {
+    "from": "now-15m",
+    "to": "now"
+  },
+  "timepicker": {
+    "refresh_intervals": [
+      "10s",
+      "30s",
+      "1m",
+      "5m",
+      "15m",
+      "30m",
+      "1h",
+      "2h",
+      "1d"
+    ]
+  },
+  "timezone": "",
+  "title": "Flux Cluster Stats",
+  "uid": "flux-cluster",
+  "version": 1
+}
@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    environment: ${cluster_env:=dev}
+    region: ${cluster_region}
+  name: podinfo
+spec:
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  progressDeadlineSeconds: 60
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: podinfo
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9797"
+      labels:
+        app: podinfo
+    spec:
+      containers:
+      - name: podinfod
+        image: ghcr.io/stefanprodan/podinfo:6.0.10
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: http
+          containerPort: 9898
+          protocol: TCP
+        - name: http-metrics
+          containerPort: 9797
+          protocol: TCP
+        - name: grpc
+          containerPort: 9999
+          protocol: TCP
+        command:
+        - ./podinfo
+        - --port=9898
+        - --port-metrics=9797
+        - --grpc-port=9999
+        - --grpc-service-name=podinfo
+        - --level=info
+        - --random-delay=false
+        - --random-error=false
+        env:
+        - name: PODINFO_UI_COLOR
+          value: "#34577c"
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 64Mi
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./deployment.yaml
+generatorOptions:
+  labels:
+    kustomize.toolkit.fluxcd.io/substitute: disabled
+configMapGenerator:
+  - name: flux-grafana-dashboards
+    files:
+      - cluster.json
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ghcr
+  namespace: my-namespace
+stringData:
+  .dockerconfigjson: '{"auths":{"ghcr.io":{"username":"stefanprodan","password":"password","auth":"c3RlZmFucHJvZGFuOnBhc3N3b3Jk"}}}'
+type: kubernetes.io/dockerconfigjson
+
@@ -0,0 +1,15 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  ignore: |-
+    .cosign
+    non-existent-dir/
+  interval: 1m0s
+  ref:
+    branch: master
+  url: https://github.com/stefanprodan/podinfo
+
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: podinfo
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m0s
+  url: https://stefanprodan.github.io/charts/podinfo
+
@@ -0,0 +1,13 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: podinfo
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m0s
+  secretRef:
+    name: creds
+  type: oci
+  url: oci://ghcr.io/stefanprodan/charts/podinfo
+
@@ -0,0 +1,11 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: podinfo
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m0s
+  type: oci
+  url: oci://ghcr.io/stefanprodan/charts/podinfo
+
@@ -6,6 +6,7 @@ metadata:
  namespace: {{ .fluxns }}
 spec:
  interval: 5m0s
+  provider: generic
  timeout: 1m0s
  url: https://stefanprodan.github.io/podinfo

@@ -0,0 +1,6 @@
+2022-08-02T12:55:34.419Z info GitRepository/podinfo.default - no changes since last reconcilation: observed revision 
+2022-08-02T12:56:04.679Z error GitRepository/flux-system.flux-system - no changes since last reconcilation: observed revision 
+2022-08-02T12:56:34.961Z error Kustomization/flux-system.flux-system - no changes since last reconcilation: observed revision 
+2022-08-02T12:56:34.961Z info Kustomization/podinfo.default - no changes since last reconcilation: observed revision 
+2022-08-02T12:56:34.961Z info GitRepository/podinfo.default - no changes since last reconcilation: observed revision 
+2022-08-02T12:56:34.961Z error Kustomization/podinfo.flux-system - no changes since last reconcilation: observed revision 
@@ -0,0 +1,2 @@
+2022-08-02T12:56:34.961Z error Kustomization/flux-system.flux-system - no changes since last reconcilation: observed revision 
+2022-08-02T12:56:34.961Z error Kustomization/podinfo.flux-system - no changes since last reconcilation: observed revision 
@@ -0,0 +1,3 @@
+2022-08-02T12:56:04.679Z error GitRepository/flux-system.flux-system - no changes since last reconcilation: observed revision 
+2022-08-02T12:56:34.961Z error Kustomization/flux-system.flux-system - no changes since last reconcilation: observed revision 
+2022-08-02T12:56:34.961Z error Kustomization/podinfo.flux-system - no changes since last reconcilation: observed revision 
@@ -0,0 +1 @@
+2022-08-02T12:56:34.961Z error Kustomization/podinfo.flux-system - no changes since last reconcilation: observed revision 
@@ -0,0 +1,3 @@
+2022-08-02T12:55:34.419Z info GitRepository/podinfo.default - no changes since last reconcilation: observed revision 
+2022-08-02T12:56:34.961Z info Kustomization/podinfo.default - no changes since last reconcilation: observed revision 
+2022-08-02T12:56:34.961Z info GitRepository/podinfo.default - no changes since last reconcilation: observed revision 
@@ -0,0 +1,5 @@
+► applying OCIRepository
+✔ OCIRepository created
+◎ waiting for OCIRepository reconciliation
+✔ OCIRepository reconciliation completed
+✔ fetched revision: dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
@@ -0,0 +1,2 @@
+► deleting source oci thrfg in {{ .ns }} namespace
+✔ source oci deleted
@@ -0,0 +1,12 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: podinfo
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  ref:
+    tag: 6.1.6
+  url: oci://ghcr.io/stefanprodan/manifests/podinfo
+
@@ -0,0 +1,14 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: podinfo
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  ref:
+    tag: 6.1.6
+  secretRef:
+    name: creds
+  url: oci://ghcr.io/stefanprodan/manifests/podinfo
+
@@ -0,0 +1,2 @@
+NAME 	REVISION                                                        	SUSPENDED	READY	MESSAGE                                                                                       
+thrfg	dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3	False    	True 	stored artifact for digest 'dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3'	
@@ -0,0 +1,4 @@
+► annotating OCIRepository thrfg in {{ .ns }} namespace
+✔ OCIRepository annotated
+◎ waiting for OCIRepository reconciliation
+✔ fetched revision dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
@@ -0,0 +1,5 @@
+► resuming source oci thrfg in {{ .ns }} namespace
+✔ source oci resumed
+◎ waiting for OCIRepository reconciliation
+✔ OCIRepository reconciliation completed
+✔ fetched revision dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
@@ -0,0 +1,2 @@
+► suspending source oci thrfg in {{ .ns }} namespace
+✔ source oci suspended
@@ -0,0 +1,21 @@
+
+Object:          HelmRelease/podinfo
+Namespace:       {{ .ns }}
+Status:          Managed by Flux
+---
+Kustomization:   infrastructure
+Namespace:       {{ .fluxns }}
+Path:            ./infrastructure
+Revision:        main/696f056df216eea4f9401adbee0ff744d4df390f
+Status:          Last reconciled at {{ .kustomizationLastReconcile }}
+Message:         Applied revision: main/696f056df216eea4f9401adbee0ff744d4df390f
+---
+OCIRepository:   flux-system
+Namespace:       {{ .fluxns }}
+URL:             oci://ghcr.io/example/repo
+Tag:             1.2.3
+Revision:        dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
+Origin Revision: 6.1.6/450796ddb2ab6724ee1cc32a4be56da032d1cca0
+Origin Source:   https://github.com/stefanprodan/podinfo.git
+Status:          Last reconciled at {{ .ociRepositoryLastReconcile }}
+Message:         stored artifact for digest 'dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3'
@@ -0,0 +1,92 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .fluxns }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .ns }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: infrastructure
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: podinfo
+  namespace: {{ .ns }}
+spec:
+  chart:
+    spec:
+      chart: podinfo
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+        namespace: {{ .fluxns }}
+  interval: 5m
+status:
+  conditions:
+  - lastTransitionTime: "2021-07-16T15:42:20Z"
+    message: Release reconciliation succeeded
+    reason: ReconciliationSucceeded
+    status: "True"
+    type: Ready
+  helmChart: {{ .fluxns }}/podinfo-podinfo
+  lastAppliedRevision: 6.0.0
+  lastAttemptedRevision: 6.0.0
+  lastAttemptedValuesChecksum: c31db75d05b7515eba2eef47bd71038c74b2e531
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: infrastructure
+  namespace: {{ .fluxns }}
+spec:
+  path: ./infrastructure
+  sourceRef:
+    kind: OCIRepository
+    name: flux-system
+  validation: client
+  interval: 5m
+  prune: false
+status:
+  conditions:
+  - lastTransitionTime: "2021-08-01T04:52:56Z"
+    message: 'Applied revision: main/696f056df216eea4f9401adbee0ff744d4df390f'
+    reason: ReconciliationSucceeded
+    status: "True"
+    type: Ready
+  lastAppliedRevision: main/696f056df216eea4f9401adbee0ff744d4df390f
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: flux-system
+    kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  interval: 10m0s
+  provider: generic
+  ref:
+    tag: 1.2.3
+  timeout: 60s
+  url: oci://ghcr.io/example/repo
+status:
+  artifact:
+    lastUpdateTime: "2022-08-10T10:07:59Z"
+    metadata:
+      org.opencontainers.image.revision: 6.1.6/450796ddb2ab6724ee1cc32a4be56da032d1cca0
+      org.opencontainers.image.source: https://github.com/stefanprodan/podinfo.git
+    path: "example"
+    revision: dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
+    url: "example"
+  conditions:
+  - lastTransitionTime: "2021-07-20T00:48:16Z"
+    message: "stored artifact for digest 'dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3'"
+    reason: Succeed
+    status: "True"
+    type: Ready
@@ -37,6 +37,7 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	fluxmeta "github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/oci"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )

@@ -219,10 +220,12 @@ func traceKustomization(ctx context.Context, kubeClient client.Client, ksName ty
 	}
 	ksReady := meta.FindStatusCondition(ks.Status.Conditions, fluxmeta.ReadyCondition)

-	var ksRepository *sourcev1.GitRepository
+	var gitRepository *sourcev1.GitRepository
+	var ociRepository *sourcev1.OCIRepository
 	var ksRepositoryReady *metav1.Condition
-	if ks.Spec.SourceRef.Kind == sourcev1.GitRepositoryKind {
-		ksRepository = &sourcev1.GitRepository{}
+	switch ks.Spec.SourceRef.Kind {
+	case sourcev1.GitRepositoryKind:
+		gitRepository = &sourcev1.GitRepository{}
 		sourceNamespace := ks.Namespace
 		if ks.Spec.SourceRef.Namespace != "" {
 			sourceNamespace = ks.Spec.SourceRef.Namespace
@@ -230,11 +233,25 @@ func traceKustomization(ctx context.Context, kubeClient client.Client, ksName ty
 		err = kubeClient.Get(ctx, types.NamespacedName{
 			Namespace: sourceNamespace,
 			Name:      ks.Spec.SourceRef.Name,
-		}, ksRepository)
+		}, gitRepository)
 		if err != nil {
 			return "", fmt.Errorf("failed to find GitRepository: %w", err)
 		}
-		ksRepositoryReady = meta.FindStatusCondition(ksRepository.Status.Conditions, fluxmeta.ReadyCondition)
+		ksRepositoryReady = meta.FindStatusCondition(gitRepository.Status.Conditions, fluxmeta.ReadyCondition)
+	case sourcev1.OCIRepositoryKind:
+		ociRepository = &sourcev1.OCIRepository{}
+		sourceNamespace := ks.Namespace
+		if ks.Spec.SourceRef.Namespace != "" {
+			sourceNamespace = ks.Spec.SourceRef.Namespace
+		}
+		err = kubeClient.Get(ctx, types.NamespacedName{
+			Namespace: sourceNamespace,
+			Name:      ks.Spec.SourceRef.Name,
+		}, ociRepository)
+		if err != nil {
+			return "", fmt.Errorf("failed to find OCIRepository: %w", err)
+		}
+		ksRepositoryReady = meta.FindStatusCondition(ociRepository.Status.Conditions, fluxmeta.ReadyCondition)
 	}

 	var traceTmpl = `
@@ -276,13 +293,47 @@ Branch:        {{.GitRepository.Spec.Reference.Branch}}
 {{- if .GitRepository.Status.Artifact }}
 Revision:        {{.GitRepository.Status.Artifact.Revision}}
 {{- end }}
-{{- if .GitRepositoryReady }}
-{{- if eq .GitRepositoryReady.Status "False" }}
-Status:        Last reconciliation failed at {{.GitRepositoryReady.LastTransitionTime}}
+{{- if .RepositoryReady }}
+{{- if eq .RepositoryReady.Status "False" }}
+Status:          Last reconciliation failed at {{.RepositoryReady.LastTransitionTime}}
 {{- else }}
-Status:        Last reconciled at {{.GitRepositoryReady.LastTransitionTime}}
+Status:          Last reconciled at {{.RepositoryReady.LastTransitionTime}}
 {{- end }}
-Message:       {{.GitRepositoryReady.Message}}
+Message:         {{.RepositoryReady.Message}}
+{{- else }}
+Status:          Unknown
+{{- end }}
+{{- end }}
+{{- if .OCIRepository }}
+---
+OCIRepository:   {{.OCIRepository.Name}}
+Namespace:       {{.OCIRepository.Namespace}}
+URL:             {{.OCIRepository.Spec.URL}}
+{{- if .OCIRepository.Spec.Reference }}
+{{- if .OCIRepository.Spec.Reference.Tag }}
+Tag:             {{.OCIRepository.Spec.Reference.Tag}}
+{{- else if .OCIRepository.Spec.Reference.SemVer }}
+Tag:             {{.OCIRepository.Spec.Reference.SemVer}}
+{{- else if .OCIRepository.Spec.Reference.Digest }}
+Digest:          {{.OCIRepository.Spec.Reference.Digest}}
+{{- end }}
+{{- end }}
+{{- if .OCIRepository.Status.Artifact }}
+Revision:        {{.OCIRepository.Status.Artifact.Revision}}
+{{- if .OCIRepository.Status.Artifact.Metadata }}
+{{- $metadata := .OCIRepository.Status.Artifact.Metadata }}
+{{- range $k, $v := .Annotations }}
+{{ with (index $metadata $v) }}{{ $k }}{{ . }}{{ end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .RepositoryReady }}
+{{- if eq .RepositoryReady.Status "False" }}
+Status:          Last reconciliation failed at {{.RepositoryReady.LastTransitionTime}}
+{{- else }}
+Status:          Last reconciled at {{.RepositoryReady.LastTransitionTime}}
+{{- end }}
+Message:         {{.RepositoryReady.Message}}
 {{- else }}
 Status:          Unknown
 {{- end }}
@@ -295,14 +346,18 @@ Status:        Unknown
 		Kustomization      *kustomizev1.Kustomization
 		KustomizationReady *metav1.Condition
 		GitRepository      *sourcev1.GitRepository
-		GitRepositoryReady *metav1.Condition
+		OCIRepository      *sourcev1.OCIRepository
+		RepositoryReady    *metav1.Condition
+		Annotations        map[string]string
 	}{
 		ObjectName:         obj.GetKind() + "/" + obj.GetName(),
 		ObjectNamespace:    obj.GetNamespace(),
 		Kustomization:      ks,
 		KustomizationReady: ksReady,
-		GitRepository:      ksRepository,
-		GitRepositoryReady: ksRepositoryReady,
+		GitRepository:      gitRepository,
+		OCIRepository:      ociRepository,
+		RepositoryReady:    ksRepositoryReady,
+		Annotations:        map[string]string{"Origin Source:   ": oci.SourceAnnotation, "Origin Revision: ": oci.RevisionAnnotation},
 	}

 	t, err := template.New("tmpl").Parse(traceTmpl)
@@ -57,6 +57,18 @@ func TestTrace(t *testing.T) {
 				"gitRepositoryLastReconcile": toLocalTime(t, "2021-07-20T00:48:16Z"),
 			},
 		},
+		{
+			"HelmRelease from OCI registry",
+			"trace podinfo --kind HelmRelease --api-version=helm.toolkit.fluxcd.io/v2beta1",
+			"testdata/trace/helmrelease-oci.yaml",
+			"testdata/trace/helmrelease-oci.golden",
+			map[string]string{
+				"ns":                         allocateNamespace("podinfo"),
+				"fluxns":                     allocateNamespace("flux-system"),
+				"kustomizationLastReconcile": toLocalTime(t, "2021-08-01T04:52:56Z"),
+				"ociRepositoryLastReconcile": toLocalTime(t, "2021-07-20T00:48:16Z"),
+			},
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -33,7 +33,10 @@ import (
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )

@@ -196,6 +199,19 @@ func uninstallFinalizers(ctx context.Context, kubeClient client.Client, dryRun b
 			}
 		}
 	}
+	{
+		var list sourcev1.OCIRepositoryList
+		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
+			for _, r := range list.Items {
+				r.Finalizers = []string{}
+				if err := kubeClient.Update(ctx, &r, opts); err != nil {
+					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
+				} else {
+					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
+				}
+			}
+		}
+	}
 	{
 		var list sourcev1.HelmRepositoryList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
@@ -261,6 +277,84 @@ func uninstallFinalizers(ctx context.Context, kubeClient client.Client, dryRun b
 			}
 		}
 	}
+	{
+		var list notificationv1.AlertList
+		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
+			for _, r := range list.Items {
+				r.Finalizers = []string{}
+				if err := kubeClient.Update(ctx, &r, opts); err != nil {
+					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
+				} else {
+					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
+				}
+			}
+		}
+	}
+	{
+		var list notificationv1.ProviderList
+		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
+			for _, r := range list.Items {
+				r.Finalizers = []string{}
+				if err := kubeClient.Update(ctx, &r, opts); err != nil {
+					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
+				} else {
+					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
+				}
+			}
+		}
+	}
+	{
+		var list notificationv1.ReceiverList
+		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
+			for _, r := range list.Items {
+				r.Finalizers = []string{}
+				if err := kubeClient.Update(ctx, &r, opts); err != nil {
+					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
+				} else {
+					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
+				}
+			}
+		}
+	}
+	{
+		var list imagev1.ImagePolicyList
+		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
+			for _, r := range list.Items {
+				r.Finalizers = []string{}
+				if err := kubeClient.Update(ctx, &r, opts); err != nil {
+					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
+				} else {
+					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
+				}
+			}
+		}
+	}
+	{
+		var list imagev1.ImageRepositoryList
+		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
+			for _, r := range list.Items {
+				r.Finalizers = []string{}
+				if err := kubeClient.Update(ctx, &r, opts); err != nil {
+					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
+				} else {
+					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
+				}
+			}
+		}
+	}
+	{
+		var list autov1.ImageUpdateAutomationList
+		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
+			for _, r := range list.Items {
+				r.Finalizers = []string{}
+				if err := kubeClient.Update(ctx, &r, opts); err != nil {
+					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
+				} else {
+					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
+				}
+			}
+		}
+	}
 }

 func uninstallCustomResourceDefinitions(ctx context.Context, kubeClient client.Client, dryRun bool) {
@@ -18,6 +18,7 @@ package main

 import (
 	"fmt"
+	"strings"

 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
@@ -28,6 +29,10 @@ func getVersion(input string) (string, error) {
 		return rootArgs.defaults.Version, nil
 	}

+	if input != install.MakeDefaultOptions().Version && !strings.HasPrefix(input, "v") {
+		return "", fmt.Errorf("targeted version '%s' must be prefixed with 'v'", input)
+	}
+
 	if isEmbeddedVersion(input) {
 		return input, nil
 	}
@@ -1,18 +1,18 @@
 # individual rules
-/core-concepts          https://fluxcd.io/docs/concepts                     301!
+/core-concepts          https://fluxcd.io/flux/concepts                     301!
 /contributing           https://fluxcd.io/contributing                      301!
 /install.sh             https://fluxcd.io/install.sh                        301!

 # refer to https://github.com/fluxcd/flux2/discussions/367
-/dev-guides/*           https://fluxcd.io/docs/gitops-toolkit/:splat        301!
+/dev-guides/*           https://fluxcd.io/flux/gitops-toolkit/:splat        301!


 # this is how things looked in the navbar anyway..?
-/guides/faq-migration                   https://fluxcd.io/docs/migration/faq-migration                  301!
-/guides/flux-v1-automation-migration    https://fluxcd.io/docs/migration/flux-v1-automation-migration   301!
-/guides/flux-v1-migration               https://fluxcd.io/docs/migration/flux-v1-migration              301!
-/guides/helm-operator-migration         https://fluxcd.io/docs/migration/helm-operator-migration        301!
+/guides/faq-migration                   https://fluxcd.io/flux/migration/faq-migration                  301!
+/guides/flux-v1-automation-migration    https://fluxcd.io/flux/migration/flux-v1-automation-migration   301!
+/guides/flux-v1-migration               https://fluxcd.io/flux/migration/flux-v1-migration              301!
+/guides/helm-operator-migration         https://fluxcd.io/flux/migration/helm-operator-migration        301!


 # catch all
-/*                      https://fluxcd.io/docs/:splat                       301!
+/*                      https://fluxcd.io/flux/:splat                       301!
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`2022-08-02T12:56:34.961Z error Kustomization/podinfo.flux-system - no changes since last reconcilation: observed revision`