Merge pull request #2905 from fluxcd/update-components

Update toolkit components

Dockerfile

@@ -3,7 +3,7 @@ FROM alpine:3.16 as builder
 RUN apk add --no-cache ca-certificates curl
 
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.24.0
+ARG KUBECTL_VER=1.24.1
 
 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
     -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \

cmd/flux/check.go

@@ -24,6 +24,7 @@ import (
 	"github.com/Masterminds/semver/v3"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/api/apps/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -95,9 +96,17 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 	if !componentsCheck() {
 		checkFailed = true
 	}
+
+	logger.Actionf("checking crds")
+	if !crdsCheck() {
+		checkFailed = true
+	}
+
 	if checkFailed {
+		logger.Failuref("check failed")
 		os.Exit(1)
 	}
+
 	logger.Successf("all checks passed")
 	return nil
 }
@@ -191,7 +200,14 @@ func componentsCheck() bool {
 	ok := true
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list v1.DeploymentList
-	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
+	ns := *kubeconfigArgs.Namespace
+	if err := kubeClient.List(ctx, &list, client.InNamespace(ns), selector); err == nil {
+		if len(list.Items) == 0 {
+			logger.Failuref("no controllers found in the '%s' namespace with the label selector '%s=%s'",
+				ns, manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
+			return false
+		}
+
 		for _, d := range list.Items {
 			if ref, err := buildComponentObjectRefs(d.Name); err == nil {
 				if err := statusChecker.Assess(ref...); err != nil {
@@ -205,3 +221,34 @@ func componentsCheck() bool {
 	}
 	return ok
 }
+
+func crdsCheck() bool {
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return false
+	}
+
+	ok := true
+	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
+	var list apiextensionsv1.CustomResourceDefinitionList
+	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
+		if len(list.Items) == 0 {
+			logger.Failuref("no crds found with the label selector '%s=%s'",
+				manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
+			return false
+		}
+
+		for _, crd := range list.Items {
+			if len(crd.Status.StoredVersions) > 0 {
+				logger.Successf(crd.Name + "/" + crd.Status.StoredVersions[0])
+			} else {
+				ok = false
+				logger.Failuref("no stored versions for %s", crd.Name)
+			}
+		}
+	}
+	return ok
+}

cmd/flux/create_helmrelease.go

@@ -21,6 +21,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/fluxcd/flux2/internal/flags"
@@ -117,7 +118,7 @@ type helmReleaseFlags struct {
 	targetNamespace     string
 	createNamespace     bool
 	valuesFiles         []string
-	valuesFrom          flags.HelmReleaseValuesFrom
+	valuesFrom          []string
 	saName              string
 	crds                flags.CRDsPolicy
 	reconcileStrategy   string
@@ -127,6 +128,8 @@ type helmReleaseFlags struct {
 
 var helmReleaseArgs helmReleaseFlags
 
+var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}
+
 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.source, "source", helmReleaseArgs.source.Description())
@@ -139,7 +142,7 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart created by the helm release(accepted values: Revision and ChartRevision)")
 	createHelmReleaseCmd.Flags().DurationVarP(&helmReleaseArgs.chartInterval, "chart-interval", "", 0, "the interval of which to check for new chart versions")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
-	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.valuesFrom, "values-from", helmReleaseArgs.valuesFrom.Description())
+	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFrom, "values-from", nil, "a Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>', where kind must be one of: (Secret,ConfigMap)")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.crds, "crds", helmReleaseArgs.crds.Description())
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createCmd.AddCommand(createHelmReleaseCmd)
@@ -260,11 +263,25 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: jsonRaw}
 	}
 
-	if helmReleaseArgs.valuesFrom.String() != "" {
+	if len(helmReleaseArgs.valuesFrom) != 0 {
-		helmRelease.Spec.ValuesFrom = []helmv2.ValuesReference{{
+		values := []helmv2.ValuesReference{}
-			Kind: helmReleaseArgs.valuesFrom.Kind,
+		for _, value := range helmReleaseArgs.valuesFrom {
-			Name: helmReleaseArgs.valuesFrom.Name,
+			sourceKind, sourceName := utils.ParseObjectKindName(value)
-		}}
+			if sourceKind == "" {
+				return fmt.Errorf("invalid Kubernetes object reference '%s', must be in format <kind>/<name>", value)
+			}
+			cleanSourceKind, ok := utils.ContainsEqualFoldItemString(supportedHelmReleaseValuesFromKinds, sourceKind)
+			if !ok {
+				return fmt.Errorf("reference kind '%s' is not supported, must be one of: %s",
+					sourceKind, strings.Join(supportedHelmReleaseValuesFromKinds, ", "))
+			}
+
+			values = append(values, helmv2.ValuesReference{
+				Name: sourceName,
+				Kind: cleanSourceKind,
+			})
+		}
+		helmRelease.Spec.ValuesFrom = values
 	}
 
 	if createArgs.export {

cmd/flux/create_source_git.go

@@ -117,6 +117,7 @@ For private Git repositories, the basic authentication credentials are stored in
   # Create a source for a Git repository using basic authentication
   flux create source git podinfo \
     --url=https://github.com/stefanprodan/podinfo \
+    --branch=master \
     --username=username \
     --password=password`,
 	RunE: createSourceGitCmdRun,

cmd/flux/logs.go

@@ -80,6 +80,8 @@ var logsArgs = &logsFlags{
 	tail: -1,
 }
 
+const controllerContainer = "manager"
+
 func init() {
 	logsCmd.Flags().Var(&logsArgs.logLevel, "level", logsArgs.logLevel.Description())
 	logsCmd.Flags().StringVarP(&logsArgs.kind, "kind", "", logsArgs.kind, "displays errors of a particular toolkit kind e.g GitRepository")
@@ -146,6 +148,10 @@ func logsCmdRun(cmd *cobra.Command, args []string) error {
 
 	var requests []rest.ResponseWrapper
 	for _, pod := range pods {
+		logOpts := logOpts.DeepCopy()
+		if len(pod.Spec.Containers) > 1 {
+			logOpts.Container = controllerContainer
+		}
 		req := clientset.CoreV1().Pods(logsArgs.fluxNamespace).GetLogs(pod.Name, logOpts)
 		requests = append(requests, req)
 	}
@@ -198,12 +204,10 @@ func parallelPodLogs(ctx context.Context, requests []rest.ResponseWrapper) error
 	wg := &sync.WaitGroup{}
 	wg.Add(len(requests))
 
-	var mutex = &sync.Mutex{}
-
 	for _, request := range requests {
 		go func(req rest.ResponseWrapper) {
 			defer wg.Done()
-			if err := logRequest(mutex, ctx, req, os.Stdout); err != nil {
+			if err := logRequest(ctx, req, writer); err != nil {
 				writer.CloseWithError(err)
 				return
 			}
@@ -220,9 +224,8 @@ func parallelPodLogs(ctx context.Context, requests []rest.ResponseWrapper) error
 }
 
 func podLogs(ctx context.Context, requests []rest.ResponseWrapper) error {
-	mutex := &sync.Mutex{}
 	for _, req := range requests {
-		if err := logRequest(mutex, ctx, req, os.Stdout); err != nil {
+		if err := logRequest(ctx, req, os.Stdout); err != nil {
 			return err
 		}
 	}
@@ -240,7 +243,7 @@ func createLabelStringFromMap(m map[string]string) string {
 	return strings.Join(strArr, ",")
 }
 
-func logRequest(mu *sync.Mutex, ctx context.Context, request rest.ResponseWrapper, w io.Writer) error {
+func logRequest(ctx context.Context, request rest.ResponseWrapper, w io.Writer) error {
 	stream, err := request.Stream(ctx)
 	if err != nil {
 		return err
@@ -255,6 +258,7 @@ func logRequest(mu *sync.Mutex, ctx context.Context, request rest.ResponseWrappe
 		return fmt.Errorf("unable to create template, err: %s", err)
 	}
 
+	bw := bufio.NewWriter(w)
 	for scanner.Scan() {
 		line := scanner.Text()
 		if !strings.HasPrefix(line, "{") {
@@ -265,24 +269,21 @@ func logRequest(mu *sync.Mutex, ctx context.Context, request rest.ResponseWrappe
 			logger.Failuref("parse error: %s", err)
 			break
 		}
-
+		filterPrintLog(t, &l, bw)
-		mu.Lock()
+		bw.Flush()
-		filterPrintLog(t, &l)
-		mu.Unlock()
 	}
 
 	return nil
 }
 
-func filterPrintLog(t *template.Template, l *ControllerLogEntry) {
+func filterPrintLog(t *template.Template, l *ControllerLogEntry, w io.Writer) {
 	if logsArgs.logLevel != "" && logsArgs.logLevel != l.Level ||
-		logsArgs.kind != "" && strings.ToLower(logsArgs.kind) != strings.ToLower(l.Kind) ||
+		logsArgs.kind != "" && strings.EqualFold(logsArgs.kind, l.Kind) ||
-		logsArgs.name != "" && strings.ToLower(logsArgs.name) != strings.ToLower(l.Name) ||
+		logsArgs.name != "" && strings.EqualFold(logsArgs.name, l.Name) ||
-		!logsArgs.allNamespaces && strings.ToLower(*kubeconfigArgs.Namespace) != strings.ToLower(l.Namespace) {
+		!logsArgs.allNamespaces && strings.EqualFold(*kubeconfigArgs.Namespace, l.Namespace) {
 		return
 	}
-
+	err := t.Execute(w, l)
-	err := t.Execute(os.Stdout, l)
 	if err != nil {
 		logger.Failuref("log template error: %s", err)
 	}

cmd/flux/reconcile_source_helm.go

@@ -21,6 +21,8 @@ import (
 
 	"github.com/spf13/cobra"
 
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
@@ -46,5 +48,15 @@ func (obj helmRepositoryAdapter) lastHandledReconcileRequest() string {
 }
 
 func (obj helmRepositoryAdapter) successMessage() string {
+	// HelmRepository of type OCI don't set an Artifact
+	if obj.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		readyCondition := conditions.Get(obj.HelmRepository, meta.ReadyCondition)
+		// This shouldn't happen, successMessage shouldn't be called if
+		// object isn't ready
+		if readyCondition == nil {
+			return ""
+		}
+		return readyCondition.Message
+	}
 	return fmt.Sprintf("fetched revision %s", obj.Status.Artifact.Revision)
 }

cmd/flux/uninstall.go

@@ -33,6 +33,8 @@ import (
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
@@ -261,6 +263,45 @@ func uninstallFinalizers(ctx context.Context, kubeClient client.Client, dryRun b
 			}
 		}
 	}
+	{
+		var list imagev1.ImagePolicyList
+		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
+			for _, r := range list.Items {
+				r.Finalizers = []string{}
+				if err := kubeClient.Update(ctx, &r, opts); err != nil {
+					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
+				} else {
+					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
+				}
+			}
+		}
+	}
+	{
+		var list imagev1.ImageRepositoryList
+		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
+			for _, r := range list.Items {
+				r.Finalizers = []string{}
+				if err := kubeClient.Update(ctx, &r, opts); err != nil {
+					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
+				} else {
+					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
+				}
+			}
+		}
+	}
+	{
+		var list autov1.ImageUpdateAutomationList
+		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
+			for _, r := range list.Items {
+				r.Finalizers = []string{}
+				if err := kubeClient.Update(ctx, &r, opts); err != nil {
+					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
+				} else {
+					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
+				}
+			}
+		}
+	}
 }
 
 func uninstallCustomResourceDefinitions(ctx context.Context, kubeClient client.Client, dryRun bool) {

go.mod

@@ -7,19 +7,19 @@ require (
 	github.com/ProtonMail/go-crypto v0.0.0-20220517143526-88bb52951d5b
 	github.com/cyphar/filepath-securejoin v0.2.3
 	github.com/fluxcd/go-git-providers v0.6.0
-	github.com/fluxcd/helm-controller/api v0.22.0
+	github.com/fluxcd/helm-controller/api v0.22.2
-	github.com/fluxcd/image-automation-controller/api v0.23.0
+	github.com/fluxcd/image-automation-controller/api v0.23.5
-	github.com/fluxcd/image-reflector-controller/api v0.19.0
+	github.com/fluxcd/image-reflector-controller/api v0.19.3
-	github.com/fluxcd/kustomize-controller/api v0.26.0
+	github.com/fluxcd/kustomize-controller/api v0.26.3
-	github.com/fluxcd/notification-controller/api v0.24.0
+	github.com/fluxcd/notification-controller/api v0.24.1
-	github.com/fluxcd/pkg/apis/meta v0.14.1
+	github.com/fluxcd/pkg/apis/meta v0.14.2
-	github.com/fluxcd/pkg/kustomize v0.5.1
+	github.com/fluxcd/pkg/kustomize v0.5.2
-	github.com/fluxcd/pkg/runtime v0.16.1
+	github.com/fluxcd/pkg/runtime v0.16.2
-	github.com/fluxcd/pkg/ssa v0.16.1
+	github.com/fluxcd/pkg/ssa v0.17.0
-	github.com/fluxcd/pkg/ssh v0.4.1
+	github.com/fluxcd/pkg/ssh v0.5.0
 	github.com/fluxcd/pkg/untar v0.1.0
 	github.com/fluxcd/pkg/version v0.1.0
-	github.com/fluxcd/source-controller/api v0.25.3
+	github.com/fluxcd/source-controller/api v0.25.10
 	github.com/go-git/go-git/v5 v5.4.2
 	github.com/gonvenience/bunt v1.3.4
 	github.com/gonvenience/ytbx v1.4.4
@@ -42,7 +42,7 @@ require (
 	k8s.io/cli-runtime v0.24.1
 	k8s.io/client-go v0.24.1
 	k8s.io/kubectl v0.24.1
-	sigs.k8s.io/cli-utils v0.31.1
+	sigs.k8s.io/cli-utils v0.31.2
 	sigs.k8s.io/controller-runtime v0.11.2
 	sigs.k8s.io/kustomize/api v0.11.5
 	sigs.k8s.io/kustomize/kyaml v0.13.7
@@ -80,7 +80,7 @@ require (
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/fluxcd/pkg/apis/acl v0.0.3 // indirect
-	github.com/fluxcd/pkg/apis/kustomize v0.4.1 // indirect
+	github.com/fluxcd/pkg/apis/kustomize v0.4.2 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect

go.sum

@@ -191,36 +191,36 @@ github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYF
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fluxcd/go-git-providers v0.6.0 h1:XJc3MTYFpuahBSoKTVxmH9OBPCeIyvYoQkTjTqa3fH4=
 github.com/fluxcd/go-git-providers v0.6.0/go.mod h1:UMFHnMCIO9CBpEln7ZsArEWyXSNxTpm76fyQxUmClrc=
-github.com/fluxcd/helm-controller/api v0.22.0 h1:e6yW+TV+UKssXaYCyoDKzXpNuFDy5TiHxj+9OJ714cw=
+github.com/fluxcd/helm-controller/api v0.22.2 h1:nh0GZBsUE0gNzm4PmPa4aOoqYlbZbpGt2pcIL9S2184=
-github.com/fluxcd/helm-controller/api v0.22.0/go.mod h1:YpRB4ycayD4ryDKxNZU3Y+lydvFr4HZsgh0b28xJcZc=
+github.com/fluxcd/helm-controller/api v0.22.2/go.mod h1:GfD9TFgLyn81VgwZN1yM47/aUdz0SwTSyRAGmC8xZ+c=
-github.com/fluxcd/image-automation-controller/api v0.23.0 h1:cIKb//6VeAUGMz0A7ugbCWkOvpXFWhEZj2PH/eEzbTQ=
+github.com/fluxcd/image-automation-controller/api v0.23.5 h1:haMWilXLHXQGn4YXwm70kYvU+7QU5iNoS+0Ybm+4Gac=
-github.com/fluxcd/image-automation-controller/api v0.23.0/go.mod h1:YnvSmTzFFleSAkZJ9qOqmYQERmDHHrzB9KJ55Qfghvg=
+github.com/fluxcd/image-automation-controller/api v0.23.5/go.mod h1:v/sRqXwo0jNyXK0f4oUY7GZt8NgcNy5twP3OVEsoAt0=
-github.com/fluxcd/image-reflector-controller/api v0.19.0 h1:8R9ppgKzagFKy04Z/+IG8fjQrPn71xet+w7sTXPudpc=
+github.com/fluxcd/image-reflector-controller/api v0.19.3 h1:mgKNHZL8AAvqzBdiuVNQtOVlEijgFyGvTr4A6vuNVgc=
-github.com/fluxcd/image-reflector-controller/api v0.19.0/go.mod h1:7eyHh5yq/2vm6eg70tfeSn7ZfbgMrrmoSJEeBMNGDDs=
+github.com/fluxcd/image-reflector-controller/api v0.19.3/go.mod h1:QFRYeJTfUQY9l3r+PqGGAlr7KzJRCKN7Lsvg9nXaWHk=
-github.com/fluxcd/kustomize-controller/api v0.26.0 h1:B/KQKzMXte0nj3P1D5whQTb5btpuHfcHV4J25eyqbIM=
+github.com/fluxcd/kustomize-controller/api v0.26.3 h1:RTrRM9N+YWIX8M690x/rDq/ryiEkhnOaq9Sj1AeWcNQ=
-github.com/fluxcd/kustomize-controller/api v0.26.0/go.mod h1:ybeF/mSNgAL1sgXav1+Z5zDHfnisOA8Re3hgjHWhcJ8=
+github.com/fluxcd/kustomize-controller/api v0.26.3/go.mod h1:Zwvl6iBKbR6SKl5W8APK5hvHfH55S50zAqFLJ/188LQ=
-github.com/fluxcd/notification-controller/api v0.24.0 h1:pvLcCD1HT+x0Hup8VLfDrVGFDK33oJKNC7WX6mtEEh0=
+github.com/fluxcd/notification-controller/api v0.24.1 h1:aGe4AEPmCW/8gIRCRhOosppXb2mqZYgfftt16Q05/30=
-github.com/fluxcd/notification-controller/api v0.24.0/go.mod h1:pld1fyodxqdWPBr+Ez+kTixmtmO2o3o0I5Zf5wQDHGM=
+github.com/fluxcd/notification-controller/api v0.24.1/go.mod h1:hqn/1JsYiv8Gg3xjBYkLJQhez3hbYj2v57ATfSo637M=
 github.com/fluxcd/pkg/apis/acl v0.0.3 h1:Lw0ZHdpnO4G7Zy9KjrzwwBmDZQuy4qEjaU/RvA6k1lc=
 github.com/fluxcd/pkg/apis/acl v0.0.3/go.mod h1:XPts6lRJ9C9fIF9xVWofmQwftvhY25n1ps7W9xw0XLU=
-github.com/fluxcd/pkg/apis/kustomize v0.4.1 h1:YgIF9TJ23pH66W/gYlEu+DeH1pU3tS4xYlRc5AQzk58=
+github.com/fluxcd/pkg/apis/kustomize v0.4.2 h1:5mC/t+OndouK7poFaG4soWLqvHqOxJ3HCsbxu8qyt30=
-github.com/fluxcd/pkg/apis/kustomize v0.4.1/go.mod h1:U9rfSgDHaQd74PgPKt9DprtuzT+i1m18zlHxatq7c5Y=
+github.com/fluxcd/pkg/apis/kustomize v0.4.2/go.mod h1:y/TpJvnhR08BRt3E7oLpDPvx0/J/2AS8tOiAFJpctu8=
-github.com/fluxcd/pkg/apis/meta v0.14.1 h1:lPDs9yV67DnwalHPb13bbnDkAatALfUiAMRHjUm4UBw=
+github.com/fluxcd/pkg/apis/meta v0.14.2 h1:/Hf7I/Vz01vv3m7Qx7DtQvrzAL1oVt0MJcLb/I1Y1HE=
-github.com/fluxcd/pkg/apis/meta v0.14.1/go.mod h1:1uJkTJGSZWrZxL5PFpx1IxGLrFmT1Cd0C2fFWrbv77I=
+github.com/fluxcd/pkg/apis/meta v0.14.2/go.mod h1:ijZ61VG/8T3U17gj0aFL3fdtZL+mulD6V8VrLLUCAgM=
-github.com/fluxcd/pkg/kustomize v0.5.1 h1:151Ih34ltxN2z1e2mA5AvQONyE6phc4es57oVK3+plU=
+github.com/fluxcd/pkg/kustomize v0.5.2 h1:Nhaw/Tqwt588Cp4PYa83nj45t3mGgojMl23zhq/t/fM=
-github.com/fluxcd/pkg/kustomize v0.5.1/go.mod h1:58MFITy24bIbGI6cC3JkV/YpFQj648sVvgs0K1kraJw=
+github.com/fluxcd/pkg/kustomize v0.5.2/go.mod h1:X3Uls1l13giFPwig1NDoXvrF53yyXUemSyR3nYGw28s=
-github.com/fluxcd/pkg/runtime v0.16.1 h1:WU1vNZz4TAzmATQ/tl2zB/FX6GIUTgYeBn/G5RuTA2c=
+github.com/fluxcd/pkg/runtime v0.16.2 h1:CexfMmJK+r12sHTvKWyAax0pcPomjd6VnaHXcxjUrRY=
-github.com/fluxcd/pkg/runtime v0.16.1/go.mod h1:cgVJkOXCg9OmrIUGklf/0UtV28MNzkuoBJhaEQICT6E=
+github.com/fluxcd/pkg/runtime v0.16.2/go.mod h1:OHSKsrO+T+Ym8WZRS2oidrnauWRARuE2nfm8ewevm7M=
-github.com/fluxcd/pkg/ssa v0.16.1 h1:hWXMtDhiAPRPHpHiQ5NzVjqIDhOfyzWmc2zA49Wxw7E=
+github.com/fluxcd/pkg/ssa v0.17.0 h1:iO4EQ+/xIbd79VKrh+8fvsAvq3RlmgAdWtnzOAUxD5s=
-github.com/fluxcd/pkg/ssa v0.16.1/go.mod h1:rLqpc2CDtyZhRIMKHDRJoMHXj0MgQBpg5134zk+ARHM=
+github.com/fluxcd/pkg/ssa v0.17.0/go.mod h1:UZkF5CwbDuvWPXnISoaXWlc0JPbHh8BKfa4ExeTtWgY=
-github.com/fluxcd/pkg/ssh v0.4.1 h1:O5FCjb5NIZ9PeRjdF2iL9jaPNM+RL+IjrMBZPkqF9W4=
+github.com/fluxcd/pkg/ssh v0.5.0 h1:jE9F2XvUXC2mgseeXMATvO014fLqdB30/VzlPLKsk20=
-github.com/fluxcd/pkg/ssh v0.4.1/go.mod h1:KGgOUOy1uI6RC6+qxIBLvP1AeOOs/nLB25Ca6TZMIXE=
+github.com/fluxcd/pkg/ssh v0.5.0/go.mod h1:KGgOUOy1uI6RC6+qxIBLvP1AeOOs/nLB25Ca6TZMIXE=
 github.com/fluxcd/pkg/untar v0.1.0 h1:k97V/xV5hFrAkIkVPuv5AVhyxh1ZzzAKba/lbDfGo6o=
 github.com/fluxcd/pkg/untar v0.1.0/go.mod h1:aGswNyzB1mlz/T/kpOS58mITBMxMKc9tlJBH037A2HY=
 github.com/fluxcd/pkg/version v0.1.0 h1:v+SmCanmCB5Tj2Cx9TXlj+kNRfPGbAvirkeqsp7ZEAQ=
 github.com/fluxcd/pkg/version v0.1.0/go.mod h1:V7Z/w8dxLQzv0FHqa5ox5TeyOd2zOd49EeuWFgnwyj4=
-github.com/fluxcd/source-controller/api v0.25.3 h1:ReIlQo/7hZ9T+otmg/2XkRkvGEd07aBrU4qPgskSNxg=
+github.com/fluxcd/source-controller/api v0.25.10 h1:nwOB6Awy6mLlysEHfmqmk6Ek5yebYQ8kYq0lv+bSKb8=
-github.com/fluxcd/source-controller/api v0.25.3/go.mod h1:tuMrqHHpRt7mxdLeRXGIMtTKAMufLwLTm5uXkEOJWFw=
+github.com/fluxcd/source-controller/api v0.25.10/go.mod h1:5kihSWjg+gIXLPTTXbe6AnY+g+iDmP+CY4g6nFqublc=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
@@ -1256,8 +1256,8 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw=
-sigs.k8s.io/cli-utils v0.31.1 h1:F9WPmyF5NWdgTmzvLzeTWd1smHHi/yOWu14Ae70D++Y=
+sigs.k8s.io/cli-utils v0.31.2 h1:0yX0GPyvbc+yAEWwWlhgHlPF7JtvlLco6HjolSWewt4=
-sigs.k8s.io/cli-utils v0.31.1/go.mod h1:g/zB9hJ5eUN7zIEBIxrO0CwhXU4YISJ+BkLJzvWwlEs=
+sigs.k8s.io/cli-utils v0.31.2/go.mod h1:g/zB9hJ5eUN7zIEBIxrO0CwhXU4YISJ+BkLJzvWwlEs=
 sigs.k8s.io/controller-runtime v0.11.2 h1:H5GTxQl0Mc9UjRJhORusqfJCIjBO8UtUxGggCwL1rLA=
 sigs.k8s.io/controller-runtime v0.11.2/go.mod h1:P6QCzrEjLaZGqHsfd+os7JQ+WFZhvB8MRFsn4dWF7O4=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y=

internal/flags/helm_release_values.go

@@ -1,72 +0,0 @@
-/*
-Copyright 2020 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package flags
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/fluxcd/flux2/internal/utils"
-)
-
-var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}
-
-type HelmReleaseValuesFrom struct {
-	Kind string
-	Name string
-}
-
-func (v *HelmReleaseValuesFrom) String() string {
-	if v.Name == "" {
-		return ""
-	}
-	return fmt.Sprintf("%s/%s", v.Kind, v.Name)
-}
-
-func (v *HelmReleaseValuesFrom) Set(str string) error {
-	if strings.TrimSpace(str) == "" {
-		return fmt.Errorf("no values given, please specify %s",
-			v.Description())
-	}
-
-	sourceKind, sourceName := utils.ParseObjectKindName(str)
-	if sourceKind == "" {
-		return fmt.Errorf("invalid Kubernetes object reference '%s', must be in format <kind>/<name>", str)
-	}
-	cleanSourceKind, ok := utils.ContainsEqualFoldItemString(supportedHelmReleaseValuesFromKinds, sourceKind)
-	if !ok {
-		return fmt.Errorf("reference kind '%s' is not supported, must be one of: %s",
-			sourceKind, strings.Join(supportedHelmReleaseValuesFromKinds, ", "))
-	}
-
-	v.Name = sourceName
-	v.Kind = cleanSourceKind
-
-	return nil
-}
-
-func (v *HelmReleaseValuesFrom) Type() string {
-	return "helmReleaseValuesFrom"
-}
-
-func (v *HelmReleaseValuesFrom) Description() string {
-	return fmt.Sprintf(
-		"Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>', "+
-			"where kind must be one of: (%s)",
-		strings.Join(supportedHelmReleaseValuesFromKinds, ", "),
-	)
-}

internal/flags/helm_release_values_test.go

@@ -1,50 +0,0 @@
-//go:build !e2e
-// +build !e2e
-
-/*
-Copyright 2020 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package flags
-
-import (
-	"testing"
-)
-
-func TestHelmReleaseValuesFrom_Set(t *testing.T) {
-	tests := []struct {
-		name      string
-		str       string
-		expect    string
-		expectErr bool
-	}{
-		{"supported", "Secret/foo", "Secret/foo", false},
-		{"lower case kind", "secret/foo", "Secret/foo", false},
-		{"unsupported", "Unsupported/kind", "", true},
-		{"invalid format", "Secret", "", true},
-		{"empty", "", "", true},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var h HelmReleaseValuesFrom
-			if err := h.Set(tt.str); (err != nil) != tt.expectErr {
-				t.Errorf("Set() error = %v, expectErr %v", err, tt.expectErr)
-			}
-			if str := h.String(); str != tt.expect {
-				t.Errorf("Set() = %v, expect %v", str, tt.expect)
-			}
-		})
-	}
-}

manifests/bases/helm-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/helm-controller/releases/download/v0.22.0/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.22.2/helm-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.22.0/helm-controller.deployment.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.22.2/helm-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/image-automation-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.23.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.23.5/image-automation-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.23.0/image-automation-controller.deployment.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.23.5/image-automation-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/image-reflector-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.19.0/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.19.3/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.19.0/image-reflector-controller.deployment.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.19.3/image-reflector-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/kustomize-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.26.0/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.26.3/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.26.0/kustomize-controller.deployment.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.26.3/kustomize-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/notification-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/notification-controller/releases/download/v0.24.0/notification-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.24.1/notification-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v0.24.0/notification-controller.deployment.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.24.1/notification-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
   - target:

manifests/bases/source-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.25.3/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.25.10/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.25.3/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.25.10/source-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/crds/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.25.3/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.25.10/source-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.26.0/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.26.3/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.22.0/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.22.2/helm-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v0.24.0/notification-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.24.1/notification-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.19.0/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.19.3/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v0.23.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.23.5/image-automation-controller.crds.yaml

manifests/monitoring/monitoring-config/kustomization.yaml

@@ -1,6 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: flux-system
+namespace: monitoring
 resources:
   - podmonitor.yaml
 configMapGenerator:

rfcs/0002-helm-oci/README.md

@@ -1,10 +1,10 @@
 # RFC-0002 Flux OCI support for Helm
 
-**Status:** implementable
+**Status:** implemented (partially)
 
 **Creation date:** 2022-03-30
 
-**Last update:** 2022-04-13
+**Last update:** 2022-06-07
 
 ## Summary
 
@@ -33,9 +33,9 @@ they do today for container images.
 
 Introduce an optional field called `type` to the `HelmRepository` spec.
 
-When not specified, the `spec.type` field defaults to `Default` which preserve the current `HelmRepository` API behaviour.
+When not specified, the `spec.type` field defaults to `default` which preserve the current `HelmRepository` API behaviour.
 
-When the `spec.type` field is set to `OCI`, the `spec.url` field must be prefixed with `oci://` (to follow the Helm conventions).
+When the `spec.type` field is set to `oci`, the `spec.url` field must be prefixed with `oci://` (to follow the Helm conventions).
 For `oci://` URLs, source-controller will use the Helm SDK and the `oras` library to connect to the OCI remote storage.
 For authentication, the controller will use Kubernetes secrets of `kubernetes.io/dockerconfigjson` type.
 
@@ -55,7 +55,7 @@ kubectl create secret docker-registry ghcr-charts \
     --docker-password=$GITHUB_TOKEN
 ```
 
-Then define a `HelmRepository` of type `OCI` and reference the `dockerconfig` secret:
+Then define a `HelmRepository` of type `oci` and reference the `dockerconfig` secret:
 
 ```yaml
 apiVersion: source.toolkit.fluxcd.io/v1beta2
@@ -64,7 +64,7 @@ metadata:
   name: ghcr-charts
   namespace: default
 spec:
-  type: OCI
+  type: oci
   url: oci://ghcr.io/my-org/charts/
   secretRef:
     name: ghcr-charts
@@ -156,19 +156,28 @@ Bucket API design, where the same Kind servers different implementations: AWS S3
 
 In source-controller we'll add a new predicate for filtering `HelmRepositories` based on the `spec.type` field.
 
-The current `HelmRepositoryReconciler` will be renamed to `HelmRepositoryDefaultReconciler`,
+The current `HelmRepositoryReconciler` will handle only objects with `type: default`,
-it's scope remains unchanged, and it will handle only objects with `type: Default`.
+it's scope remains unchanged.
 
 We'll introduce a new reconciler named `HelmRepositoryOCIReconciler`, that will handle
-objects with `type: OCI`. This reconciler will set the `HelmRepository` Ready status to
+objects with `type: oci`. This reconciler will set the `HelmRepository` Ready status to
-`False` if the URL is not prefixed with `oci://`, otherwise the Ready status will be set to `True`.
+`False` if:
+- the URL is not prefixed with `oci://`
+- the URL is malformed and can't be parsed
+- the specified credentials result in an authentication error
 
-The current `HelmChartReconciler` will be renamed to `HelmChartDefaultReconciler`,
+The current `HelmChartReconciler` will be adapted to handle both types.
-it's scope remains unchanged, and it will handle only objects that refer to `HelmRepositories` with `type: Default`.
-
-For `type: OCI` we'll introduce a new reconciler `HelmChartOCIReconciler` that uses `oras` to download charts
-and their dependencies.
 
 ### Enabling the feature
 
 The feature is enabled by default.
+
+## Implementation History
+
+* **2022-05-19** Partially implemented by [source-controller#690](https://github.com/fluxcd/source-controller/pull/690)
+* **2022-06-06** First implementation released with [flux2 v0.31.0](https://github.com/fluxcd/flux2/releases/tag/v0.31.0)
+
+### TODOs
+
+* [Resolve chart dependencies from OCI](https://github.com/fluxcd/source-controller/issues/722)
+* [Add support for container registries with self-signed TLS certs](https://github.com/fluxcd/source-controller/issues/723)

rfcs/0003-kubernetes-oci/README.md

@@ -0,0 +1,425 @@
+# RFC-0003 Flux OCI support for Kubernetes manifests
+
+**Status:** implementable
+
+**Creation date:** 2022-03-31
+
+**Last update:** 2022-07-06
+
+## Summary
+
+Flux should be able to distribute and reconcile Kubernetes configuration packaged as OCI artifacts.
+
+On the client-side, the Flux CLI should offer a command for packaging Kubernetes configs into
+an OCI artifact and pushing the artifact to a container registry using the Docker config file
+and the Docker credential helpers for authentication.
+
+On the server-side, the Flux source-controller should offer a dedicated API Kind for defining
+how OCI artifacts are pulled from container registries and how the artifact's authenticity can be verified.
+Flux should be able to work with any type of artifact even if it's not created with the Flux CLI.
+
+## Motivation
+
+Given that OCI registries are evolving into a generic artifact storage solution,
+we should extend Flux to allow fetching Kubernetes manifests and related configs
+from container registries similar to how Flux works with Git and Bucket storage.
+
+With OCI support, Flux users can automate artifact updates to Git in the same way
+they do today for container images.
+
+### Goals
+
+- Add support to the Flux CLI for packaging Kubernetes manifests and related configs into OCI artifacts.
+- Add support to Flux source-controller for fetching configs stored as OCI artifacts.
+- Make it easy for users to switch from Git repositories and Buckets to OCI repositories.
+
+### Non-Goals
+
+- Introduce a new OCI media type for artifacts containing Kubernetes manifests.
+
+## Proposal
+
+### Push artifacts
+
+Flux users should be able to package a local directory containing Kubernetes configs into a tarball
+and push the archive to a container registry as an OCI artifact.
+
+```sh
+flux push artifact oci://docker.io/org/app-config:v1.0.0 \
+  --source="$(git config --get remote.origin.url)" \
+  --revision="$(git branch --show-current)/$(git rev-parse HEAD)" \
+  --path="./deploy"
+```
+
+The Flux CLI will produce artifacts of type `application/vnd.docker.distribution.manifest.v2+json`
+which ensures compatibility with container registries that don't support custom OCI media types.
+
+The directory pointed to by `--path` is archived and compressed in the `tar+gzip` format
+and the layer media type is set to `application/vnd.docker.image.rootfs.diff.tar.gzip`.
+
+The source URL and revision are added to the OCI artifact as annotations in the format:
+
+```json
+{
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+  "annotations": {
+    "source.toolkit.fluxcd.io/url": "https://github.com/org/app.git",
+    "source.toolkit.fluxcd.io/revision": "main/450796ddb2ab6724ee1cc32a4be56da032d1cca0"
+  }
+}
+```
+
+To ease the promotion workflow of a specific version from one environment to another, the CLI
+should offer a tagging command.
+
+```sh
+flux tag artifact oci://docker.io/org/app-config:v1.0.0 --tag=latest --tag=production
+```
+
+To view all the available artifacts in a repository and their metadata, the CLI should
+offer a list command.
+
+```sh
+flux list artifacts oci://docker.io/org/app-config
+```
+
+To help inspect artifacts, the Flux CLI will offer a `build` and a `pull` command for generating
+tarballs locally and for downloading the tarballs from remote container registries.
+
+```sh
+flux build artifact --path ./deploy --output tmp/artifact.tgz
+flux pull artifact oci://docker.io/org/app-config:v1.0.0 --output ./manifests
+```
+
+### Pull artifacts
+
+Flux users should be able to define a source for pulling manifests inside the cluster from an OCI repository.
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: app-config
+  namespace: flux-system
+spec:
+  interval: 10m
+  url: oci://docker.io/org/app-config
+  ref:
+    tag: v1.0.0
+```
+
+The `spec.url` field points to the container image repository in the format `oci://<host>:<port>/<org-name>/<repo-name>`. 
+Note that specifying a tag or digest is not in accepted for this field. The `spec.url` value is used by the controller
+to fetch the list of tags from the remote OCI repository.
+
+An `OCIRepository` can refer to an artifact by tag, digest or semver range:
+
+```yaml
+spec:
+  ref:
+    # one of
+    tag: "latest"
+    digest: "sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2"
+    semver: "6.0.x"
+```
+
+To verify the authenticity of an artifact, the Sigstore cosign public key can be supplied with:
+
+```yaml
+spec:
+  verify:
+    provider: cosign
+    secretRef:
+      name: cosign-key
+```
+
+### Pull artifacts from private repositories
+
+For authentication purposes, Flux users can choose between supplying static credentials with Kubernetes secrets
+and cloud-based OIDC using an IAM role binding to the source-controller Kubernetes service account.
+
+#### Basic auth
+
+For private repositories hosted on DockerHub, GitHub, Quay, self-hosted Docker Registry and others,
+the credentials can be supplied with:
+
+```yaml
+spec:
+  secretRef:
+    name: regcred
+```
+
+The `secretRef` points to a Kubernetes secret in the same namespace as the `OCIRepository`,
+the secret type must be `kubernetes.io/dockerconfigjson`:
+
+```shell
+kubectl create secret docker-registry regcred \
+  --docker-server=<your-registry-server> \
+  --docker-username=<your-name> \
+  --docker-password=<your-pword>
+```
+
+For image pull secrets attached to a service account, the account name can be specified with:
+
+```yaml
+spec:
+  serviceAccountName: regsa
+```
+
+#### Client cert auth
+
+For private repositories which require a certificate to authenticate,
+the client certificate, private key and the CA certificate (if self-signed), can be provided with:
+
+```yaml
+spec:
+  certSecretRef:
+    name: regcert
+```
+
+The `certSecretRef` points to a Kubernetes secret in the same namespace as the `OCIRepository`:
+
+```shell
+kubectl create secret generic regcert \
+  --from-file=certFile=client.crt \
+  --from-file=keyFile=client.key \
+  --from-file=caFile=ca.crt
+```
+
+#### OIDC auth
+
+When Flux runs on AKS, EKS or GKE, an IAM role (that grants read-only access to ACR, ECR or GCR)
+can be used to bind the `source-controller` to the IAM role.
+
+Similar to image-reflector-controller
+[auto-login feature](https://fluxcd.io/docs/guides/image-update/#imagerepository-cloud-providers-authentication),
+source-controller will expose dedicated flags for each cloud provider:
+
+```sh
+--aws-autologin-for-ecr
+--azure-autologin-for-acr
+--gcp-autologin-for-gcr
+```
+
+### Reconcile artifacts
+
+The `OCIRepository` can be used as a drop-in replacement for `GitRepository` and `Bucket` sources.
+For example, a Flux Kustomization can refer to an `OCIRepository` and reconcile the manifests found in the OCI artifact:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: app
+  namespace: flux-system
+spec:
+  interval: 10m
+  sourceRef:
+    kind: OCIRepository
+    name: app-config
+  path: ./
+```
+
+### User Stories
+
+#### Story 1
+
+> As a developer I want to publish my app Kubernetes manifests to the same GHCR registry
+> where I publish my app containers.
+
+First login to GHCR with Docker:
+
+```sh
+docker login ghcr.io -u ${GITHUB_USER} -p ${GITHUB_TOKEN}
+```
+
+Build your app container image and push it to GHCR:
+
+```sh
+docker build -t ghcr.io/org/my-app:v1.0.0 .
+docker push ghcr.io/org/my-app:v1.0.0
+```
+
+Edit the app deployment manifest and set the new image tag.
+Then push the Kubernetes manifests to GHCR:
+
+```sh
+flux push artifact oci://ghcr.io/org/my-app-config:v1.0.0 \
+	--source="$(git config --get remote.origin.url)" \
+	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"\
+	--path="./deploy"
+```
+
+Sign the config image with cosign:
+
+```sh
+cosign sign --key cosign.key ghcr.io/org/my-app-config:v1.0.0
+```
+
+Mark `v1.0.0` as latest:
+
+```sh
+flux tag artifact oci://ghcr.io/org/my-app-config:v1.0.0 --tag latest
+```
+
+List the artifacts and their metadata with:
+
+```console
+$ flux list artifacts oci://ghcr.io/org/my-app-config
+ARTIFACT                                DIGEST                                                                 	SOURCE                                          REVISION                                      
+ghcr.io/org/my-app-config:latest   	sha256:45b95019d30af335137977a369ad56e9ea9e9c75bb01afb081a629ba789b890c	https://github.com/org/my-app-config.git   	v1.0.0/20b3a674391df53f05e59a33554973d1cbd4d549	
+ghcr.io/org/my-app-config:v1.0.0	sha256:45b95019d30af335137977a369ad56e9ea9e9c75bb01afb081a629ba789b890c	https://github.com/org/my-app-config.git	v1.0.0/3f45e72f0d3457e91e3c530c346d86969f9f4034	
+```
+
+#### Story 2
+
+> As a developer I want to deploy my app using Kubernetes manifests published as OCI artifacts to GHCR.
+
+First create a secret using a GitHub token that allows access to GHCR:
+
+```sh
+kubectl create secret docker-registry my-app-regcred \
+    --docker-server=ghcr.io \
+    --docker-username=$GITHUB_USER \
+    --docker-password=$GITHUB_TOKEN
+```
+
+Then create a secret with your cosgin public key:
+
+```sh
+kubectl create secret generic my-app-cosgin-key \
+    --from-file=cosign.pub=cosign/my-key.pub
+```
+
+Then define an `OCIRepository` to fetch and verify the latest app config version:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: app-config
+  namespace: default
+spec:
+  interval: 10m
+  url: oci://ghcr.io/org/my-app-config
+  ref:
+    semver: "1.x"
+  secretRef:
+    name: my-app-regcred
+  verify:
+    provider: cosign
+    secretRef:
+      name: my-app-cosgin-key
+```
+
+And finally, create a Flux Kustomization to reconcile the app on the cluster:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: app
+  namespace: default
+spec:
+  interval: 10m
+  sourceRef:
+    kind: OCIRepository
+    name: app-config
+  path: ./deploy
+  prune: true
+  wait: true
+  timeout: 2m
+```
+
+### Alternatives
+
+An alternative solution is to introduce an OCI artifact type especially made for Kubernetes configuration.
+That is considered unpractical, as introducing an OCI type has to go through the
+IANA process and Flux is not the owner of those type as Helm is for Helm artifact for example.
+
+## Design Details
+
+Both the Flux CLI and source-controller will use the [go-containerregistry](https://github.com/google/go-containerregistry)
+library for OCI operations such as push, pull, tag, list tags, etc.
+
+For authentication purposes, the `flux <verb> artifact` commands will use the `~/.docker/config.json`
+config file and the Docker credential helpers.
+
+The source-controller will reuse the authentication library from
+[image-reflector-controller](https://github.com/fluxcd/image-reflector-controller).
+
+The Flux CLI will produce OCI artifacts with the following format:
+
+```json
+{
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+  "config": {
+    "mediaType": "application/vnd.docker.container.image.v1+json",
+    "size": 233,
+    "digest": "sha256:e7c52109f8e375176a888fd571dc0e0b40ed8a80d9301208474a2a906b0a2dcc"
+  },
+  "layers": [
+    {
+      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+      "size": 1091,
+      "digest": "sha256:ad804afeae14a8a5c9a45b29f4931104a887844691d040c8737ee3cce6fd6735"
+    }
+  ],
+  "annotations": {
+    "source.toolkit.fluxcd.io/revision": "6.1.6/450796ddb2ab6724ee1cc32a4be56da032d1cca0",
+    "source.toolkit.fluxcd.io/url": "https://github.com/stefanprodan/podinfo.git"
+  }
+}
+```
+
+The source-controller will extract the first layer from the OCI artifact, and will repackage it
+as an internal `sourcev1.Artifact`. The internal artifact revision will be set to the OCI SHA256 digest:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  creationTimestamp: "2022-06-22T09:14:19Z"
+  finalizers:
+  - finalizers.fluxcd.io
+  generation: 1
+  name: podinfo
+  namespace: oci
+  resourceVersion: "6603"
+  uid: 42e0b9f0-021c-476d-86c7-2cd20747bfff
+spec:
+  interval: 10m
+  ref:
+    tag: 6.1.6
+  timeout: 60s
+  url: oci://ghcr.io/stefanprodan/manifests/podinfo
+status:
+  artifact:
+    checksum: d7e924b4882e55b97627355c7b3d2e711e9b54303afa2f50c25377f4df66a83b
+    lastUpdateTime: "2022-06-22T09:14:21Z"
+    path: ocirepository/oci/podinfo/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de.tar.gz
+    revision: 3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de
+    size: 1105
+    url: http://source-controller.flux-system.svc.cluster.local./ocirepository/oci/podinfo/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de.tar.gz
+  conditions:
+  - lastTransitionTime: "2022-06-22T09:14:21Z"
+    message: stored artifact for revision '3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
+    observedGeneration: 1
+    reason: Succeeded
+    status: "True"
+    type: Ready
+  - lastTransitionTime: "2022-06-22T09:14:21Z"
+    message: stored artifact for revision '3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
+    observedGeneration: 1
+    reason: Succeeded
+    status: "True"
+    type: ArtifactInStorage
+  observedGeneration: 1
+  url: http://source-controller.flux-system.svc.cluster.local./ocirepository/oci/podinfo/latest.tar.gz
+```
+
+### Enabling the feature
+
+The feature is enabled by default.

tests/azure/go.mod

@@ -4,14 +4,14 @@ go 1.17
 
 require (
 	github.com/Azure/azure-event-hubs-go/v3 v3.3.18
-	github.com/fluxcd/helm-controller/api v0.22.0
+	github.com/fluxcd/helm-controller/api v0.22.1
-	github.com/fluxcd/image-automation-controller/api v0.23.0
+	github.com/fluxcd/image-automation-controller/api v0.23.2
-	github.com/fluxcd/image-reflector-controller/api v0.19.0
+	github.com/fluxcd/image-reflector-controller/api v0.19.1
-	github.com/fluxcd/kustomize-controller/api v0.26.0
+	github.com/fluxcd/kustomize-controller/api v0.26.1
 	github.com/fluxcd/notification-controller/api v0.24.0
-	github.com/fluxcd/pkg/apis/meta v0.14.1
+	github.com/fluxcd/pkg/apis/meta v0.14.2
-	github.com/fluxcd/pkg/runtime v0.16.1
+	github.com/fluxcd/pkg/runtime v0.16.2
-	github.com/fluxcd/source-controller/api v0.25.2
+	github.com/fluxcd/source-controller/api v0.25.5
 	github.com/hashicorp/terraform-exec v0.15.0
 	github.com/libgit2/git2go/v31 v31.7.9
 	github.com/microsoft/azure-devops-go-api/azuredevops v1.0.0-b5
@@ -27,6 +27,9 @@ require (
 // Fix CVE-2022-28948
 replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
 
+// Fix CVE-2022-26945
+replace github.com/hashicorp/go-getter => github.com/hashicorp/go-getter v1.6.1
+
 require (
 	cloud.google.com/go v0.81.0 // indirect
 	cloud.google.com/go/storage v1.10.0 // indirect
@@ -52,7 +55,7 @@ require (
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/fluxcd/pkg/apis/acl v0.0.3 // indirect
-	github.com/fluxcd/pkg/apis/kustomize v0.4.1 // indirect
+	github.com/fluxcd/pkg/apis/kustomize v0.4.2 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
@@ -108,7 +111,7 @@ require (
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
 	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sys v0.0.0-20220209214540-3681064d5158 // indirect
+	golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
@@ -123,8 +126,8 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
-	k8s.io/apiextensions-apiserver v0.24.0 // indirect
+	k8s.io/apiextensions-apiserver v0.24.1 // indirect
-	k8s.io/component-base v0.24.0 // indirect
+	k8s.io/component-base v0.24.1 // indirect
 	k8s.io/klog/v2 v2.60.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect

tests/azure/go.sum

@@ -194,26 +194,26 @@ github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fluxcd/helm-controller/api v0.22.0 h1:e6yW+TV+UKssXaYCyoDKzXpNuFDy5TiHxj+9OJ714cw=
+github.com/fluxcd/helm-controller/api v0.22.1 h1:J+i6AZMj0SCuQxcpHmyf1qmPdgDKP0nTkyS4/oLHx0M=
-github.com/fluxcd/helm-controller/api v0.22.0/go.mod h1:YpRB4ycayD4ryDKxNZU3Y+lydvFr4HZsgh0b28xJcZc=
+github.com/fluxcd/helm-controller/api v0.22.1/go.mod h1:2xuHOYjbRv86ekTYkF7VzTwu5hEHYawrdi7FZrvpr4g=
-github.com/fluxcd/image-automation-controller/api v0.23.0 h1:cIKb//6VeAUGMz0A7ugbCWkOvpXFWhEZj2PH/eEzbTQ=
+github.com/fluxcd/image-automation-controller/api v0.23.2 h1:2e5ZWaKUGzCD7ItxQDbrO6OXHMYoSHV1drCwFIh8DMQ=
-github.com/fluxcd/image-automation-controller/api v0.23.0/go.mod h1:YnvSmTzFFleSAkZJ9qOqmYQERmDHHrzB9KJ55Qfghvg=
+github.com/fluxcd/image-automation-controller/api v0.23.2/go.mod h1:HhjBfqtjsb+Pe5S4ig2cq3n25Rifs8NJ+bppf++Bmb8=
-github.com/fluxcd/image-reflector-controller/api v0.19.0 h1:8R9ppgKzagFKy04Z/+IG8fjQrPn71xet+w7sTXPudpc=
+github.com/fluxcd/image-reflector-controller/api v0.19.1 h1:5vEHLVhgxdznn6AfwMea5Bi/qsuIsjiV3goj3pg4FcI=
-github.com/fluxcd/image-reflector-controller/api v0.19.0/go.mod h1:7eyHh5yq/2vm6eg70tfeSn7ZfbgMrrmoSJEeBMNGDDs=
+github.com/fluxcd/image-reflector-controller/api v0.19.1/go.mod h1:WvPujFOXzWttkETUxkCgP9BesCTAfVYzgCeZXu43nY4=
-github.com/fluxcd/kustomize-controller/api v0.26.0 h1:B/KQKzMXte0nj3P1D5whQTb5btpuHfcHV4J25eyqbIM=
+github.com/fluxcd/kustomize-controller/api v0.26.1 h1:hX8vPe49/ytKzSAO8Qewb/Cmswt8oit/JNIQ9h5l+xQ=
-github.com/fluxcd/kustomize-controller/api v0.26.0/go.mod h1:ybeF/mSNgAL1sgXav1+Z5zDHfnisOA8Re3hgjHWhcJ8=
+github.com/fluxcd/kustomize-controller/api v0.26.1/go.mod h1:f16v3IErWGQJ0WXtpOW3ATjFukz/KhbkanqS9ZTM8ks=
 github.com/fluxcd/notification-controller/api v0.24.0 h1:pvLcCD1HT+x0Hup8VLfDrVGFDK33oJKNC7WX6mtEEh0=
 github.com/fluxcd/notification-controller/api v0.24.0/go.mod h1:pld1fyodxqdWPBr+Ez+kTixmtmO2o3o0I5Zf5wQDHGM=
 github.com/fluxcd/pkg/apis/acl v0.0.3 h1:Lw0ZHdpnO4G7Zy9KjrzwwBmDZQuy4qEjaU/RvA6k1lc=
 github.com/fluxcd/pkg/apis/acl v0.0.3/go.mod h1:XPts6lRJ9C9fIF9xVWofmQwftvhY25n1ps7W9xw0XLU=
-github.com/fluxcd/pkg/apis/kustomize v0.4.1 h1:YgIF9TJ23pH66W/gYlEu+DeH1pU3tS4xYlRc5AQzk58=
+github.com/fluxcd/pkg/apis/kustomize v0.4.2 h1:5mC/t+OndouK7poFaG4soWLqvHqOxJ3HCsbxu8qyt30=
-github.com/fluxcd/pkg/apis/kustomize v0.4.1/go.mod h1:U9rfSgDHaQd74PgPKt9DprtuzT+i1m18zlHxatq7c5Y=
+github.com/fluxcd/pkg/apis/kustomize v0.4.2/go.mod h1:y/TpJvnhR08BRt3E7oLpDPvx0/J/2AS8tOiAFJpctu8=
-github.com/fluxcd/pkg/apis/meta v0.14.1 h1:lPDs9yV67DnwalHPb13bbnDkAatALfUiAMRHjUm4UBw=
+github.com/fluxcd/pkg/apis/meta v0.14.2 h1:/Hf7I/Vz01vv3m7Qx7DtQvrzAL1oVt0MJcLb/I1Y1HE=
-github.com/fluxcd/pkg/apis/meta v0.14.1/go.mod h1:1uJkTJGSZWrZxL5PFpx1IxGLrFmT1Cd0C2fFWrbv77I=
+github.com/fluxcd/pkg/apis/meta v0.14.2/go.mod h1:ijZ61VG/8T3U17gj0aFL3fdtZL+mulD6V8VrLLUCAgM=
-github.com/fluxcd/pkg/runtime v0.16.1 h1:WU1vNZz4TAzmATQ/tl2zB/FX6GIUTgYeBn/G5RuTA2c=
+github.com/fluxcd/pkg/runtime v0.16.2 h1:CexfMmJK+r12sHTvKWyAax0pcPomjd6VnaHXcxjUrRY=
-github.com/fluxcd/pkg/runtime v0.16.1/go.mod h1:cgVJkOXCg9OmrIUGklf/0UtV28MNzkuoBJhaEQICT6E=
+github.com/fluxcd/pkg/runtime v0.16.2/go.mod h1:OHSKsrO+T+Ym8WZRS2oidrnauWRARuE2nfm8ewevm7M=
-github.com/fluxcd/source-controller/api v0.25.2 h1:RqCOlqLixPkdGzR8MwSZwp7FK60kZZY/632ohQM9baQ=
+github.com/fluxcd/source-controller/api v0.25.5 h1:64rLb5cuHhZ3LcRIxkp+/oAVCyVtjOhQ9kbphdFfR/s=
-github.com/fluxcd/source-controller/api v0.25.2/go.mod h1:tuMrqHHpRt7mxdLeRXGIMtTKAMufLwLTm5uXkEOJWFw=
+github.com/fluxcd/source-controller/api v0.25.5/go.mod h1:/e7YRDOqb8z8I3N8ifbDF1mknf8zFsoADtS/Q93iWPs=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
@@ -372,8 +372,8 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-getter v1.5.3 h1:NF5+zOlQegim+w/EUhSLh6QhXHmZMEeHLQzllkQ3ROU=
+github.com/hashicorp/go-getter v1.6.1 h1:NASsgP4q6tL94WH6nJxKWj8As2H/2kop/bB1d8JMyRY=
-github.com/hashicorp/go-getter v1.5.3/go.mod h1:BrrV/1clo8cCYu6mxvboYg+KutTiFnXjMEgDD8+i7ZI=
+github.com/hashicorp/go-getter v1.6.1/go.mod h1:IZCrswsZPeWv9IkVnLElzRU/gz/QPi6pZHn4tv6vbwA=
 github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
@@ -866,8 +866,9 @@ golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158 h1:rm+CHSpPEEW2IsXUib1ThaHIjuBVZjxNgSKmBLFfD4c=
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e h1:w36l2Uw3dRan1K3TyXriXvY+6T56GNmlKGcqiQUJDfM=
+golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -1110,21 +1111,18 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.24.0/go.mod h1:5Jl90IUrJHUJYEMANRURMiVvJ0g7Ax7r3R1bqO8zx8I=
 k8s.io/api v0.24.1 h1:BjCMRDcyEYz03joa3K1+rbshwh1Ay6oB53+iUx2H8UY=
 k8s.io/api v0.24.1/go.mod h1:JhoOvNiLXKTPQ60zh2g0ewpA+bnEYf5q44Flhquh4vQ=
-k8s.io/apiextensions-apiserver v0.24.0 h1:JfgFqbA8gKJ/uDT++feAqk9jBIwNnL9YGdQvaI9DLtY=
+k8s.io/apiextensions-apiserver v0.24.1 h1:5yBh9+ueTq/kfnHQZa0MAo6uNcPrtxPMpNQgorBaKS0=
-k8s.io/apiextensions-apiserver v0.24.0/go.mod h1:iuVe4aEpe6827lvO6yWQVxiPSpPoSKVjkq+MIdg84cM=
+k8s.io/apiextensions-apiserver v0.24.1/go.mod h1:A6MHfaLDGfjOc/We2nM7uewD5Oa/FnEbZ6cD7g2ca4Q=
-k8s.io/apimachinery v0.24.0/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM=
 k8s.io/apimachinery v0.24.1 h1:ShD4aDxTQKN5zNf8K1RQ2u98ELLdIW7jEnlO9uAMX/I=
 k8s.io/apimachinery v0.24.1/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM=
-k8s.io/apiserver v0.24.0/go.mod h1:WFx2yiOMawnogNToVvUYT9nn1jaIkMKj41ZYCVycsBA=
+k8s.io/apiserver v0.24.1/go.mod h1:dQWNMx15S8NqJMp0gpYfssyvhYnkilc1LpExd/dkLh0=
-k8s.io/client-go v0.24.0/go.mod h1:VFPQET+cAFpYxh6Bq6f4xyMY80G6jKKktU6G0m00VDw=
 k8s.io/client-go v0.24.1 h1:w1hNdI9PFrzu3OlovVeTnf4oHDt+FJLd9Ndluvnb42E=
 k8s.io/client-go v0.24.1/go.mod h1:f1kIDqcEYmwXS/vTbbhopMUbhKp2JhOeVTfxgaCIlF8=
-k8s.io/code-generator v0.24.0/go.mod h1:dpVhs00hTuTdTY6jvVxvTFCk6gSMrtfRydbhZwHI15w=
+k8s.io/code-generator v0.24.1/go.mod h1:dpVhs00hTuTdTY6jvVxvTFCk6gSMrtfRydbhZwHI15w=
-k8s.io/component-base v0.24.0 h1:h5jieHZQoHrY/lHG+HyrSbJeyfuitheBvqvKwKHVC0g=
+k8s.io/component-base v0.24.1 h1:APv6W/YmfOWZfo+XJ1mZwep/f7g7Tpwvdbo9CQLDuts=
-k8s.io/component-base v0.24.0/go.mod h1:Dgazgon0i7KYUsS8krG8muGiMVtUZxG037l1MKyXgrA=
+k8s.io/component-base v0.24.1/go.mod h1:DW5vQGYVCog8WYpNob3PMmmsY8A3L9QZNg4j/dV3s38=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=