Merge pull request #557 from fluxcd/build/tmp-dir-rm

Properly clean-up package build dirs

.github/aur/flux-bin/.SRCINFO.template

@@ -0,0 +1,17 @@
+pkgbase = flux-bin
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	optdepends = kubectl
+	source_x86_64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_amd64.tar.gz
+	source_armv6h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
+	source_armv7h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
+	source_aarch64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm64.tar.gz
+
+pkgname = flux-bin

.github/aur/flux-bin/.gitignore

@@ -0,0 +1 @@
+.pkg

.github/aur/flux-bin/PKGBUILD.template

@@ -0,0 +1,39 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-bin
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+optdepends=("kubectl")
+source_x86_64=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
+)
+source_armv6h=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+)
+source_armv7h=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+)
+source_aarch64=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
+)
+sha256sums_x86_64=(
+  ${SHA256SUM_AMD64}
+)
+sha256sums_armv6h=(
+  ${SHA256SUM_ARM}
+)
+sha256sums_armv7h=(
+  ${SHA256SUM_ARM}
+)
+sha256sums_aarch64=(
+  ${SHA256SUM_ARM64}
+)
+
+package() {
+	install -Dm755 flux "$pkgdir/usr/bin/flux"
+}

.github/aur/flux-bin/publish.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_amd64.tar.gz | awk '{ print $1 }')
+
+envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi

.github/aur/flux-go/.SRCINFO.template

@@ -0,0 +1,19 @@
+pkgbase = flux-go
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	makedepends = go
+	depends = glibc
+	optdepends = kubectl
+	provides = flux-bin
+	conflicts = flux-bin
+  replaces = flux-cli
+	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${PKGVER}.tar.gz
+
+pkgname = flux-go

.github/aur/flux-go/.gitignore

@@ -0,0 +1 @@
+.pkg

.github/aur/flux-go/PKGBUILD.template

@@ -0,0 +1,43 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-go
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+provides=("flux-bin")
+conflicts=("flux-bin")
+replaces=("flux-cli")
+depends=("glibc")
+makedepends=("go")
+optdepends=("kubectl")
+source=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/archive/v$pkgver.tar.gz"
+)
+sha256sums=(
+  ${SHA256SUM}
+)
+
+build() {
+  cd "flux2-$pkgver"
+  export CGO_LDFLAGS="$LDFLAGS"
+  export CGO_CFLAGS="$CFLAGS"
+  export CGO_CXXFLAGS="$CXXFLAGS"
+  export CGO_CPPFLAGS="$CPPFLAGS"
+  export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
+  go build -ldflags "-X main.VERSION=$pkgver" -o flux-bin ./cmd/flux
+}
+
+check() {
+  cd "flux2-$pkgver"
+  make test
+}
+
+package() {
+  cd "flux2-$pkgver"
+  install -Dm755 flux-bin "$pkgdir/usr/bin/flux"
+  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+}

.github/aur/flux-go/publish.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v$PKGVER.tar.gz | sha256sum | awk '{ print $1 }')
+
+envsubst '$PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi

.github/aur/flux-scm/.SRCINFO.template

@@ -0,0 +1,19 @@
+pkgbase = flux-scm
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	makedepends = go
+	depends = glibc
+	optdepends = kubectl
+	provides = flux-bin
+	conflicts = flux-bin
+	source = git+https://github.com/fluxcd/flux2.git
+	md5sums = SKIP
+
+pkgname = flux-scm

.github/aur/flux-scm/.gitignore

@@ -0,0 +1 @@
+.pkg

.github/aur/flux-scm/PKGBUILD.template

@@ -0,0 +1,45 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-scm
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+provides=("flux-bin")
+conflicts=("flux-bin")
+depends=("glibc")
+makedepends=("go")
+optdepends=("kubectl")
+source=(
+  "git+https://github.com/fluxcd/flux2.git"
+)
+md5sums=('SKIP')
+
+pkgver() {
+  cd "flux2"
+  printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+}
+
+build() {
+  cd "flux2"
+  export CGO_LDFLAGS="$LDFLAGS"
+  export CGO_CFLAGS="$CFLAGS"
+  export CGO_CXXFLAGS="$CXXFLAGS"
+  export CGO_CPPFLAGS="$CPPFLAGS"
+  export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
+  go build -ldflags "-X main.VERSION=$pkgver" -o flux-bin ./cmd/flux
+}
+
+check() {
+  cd "flux2"
+  make test
+}
+
+package() {
+  cd "flux2"
+  install -Dm755 flux-bin "$pkgdir/usr/bin/flux"
+  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+}

.github/aur/flux-scm/publish.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+envsubst '$PKGVER $PKGREL' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi

.github/workflows/e2e.yaml

@@ -136,6 +136,16 @@ jobs:
       - name: flux delete source git
         run: |
           ./bin/flux delete source git podinfo --silent
+      - name: flux create tenant
+        run: |
+          ./bin/flux create tenant dev-team --with-namespace=apps
+          ./bin/flux -n apps create source helm podinfo \
+            --url https://stefanprodan.github.io/podinfo
+          ./bin/flux -n apps create hr podinfo-helm \
+            --source=HelmRepository/podinfo \
+            --chart=podinfo \
+            --chart-version="5.0.x" \
+            --service-account=dev-team
       - name: flux check
         run: |
           ./bin/flux check

.github/workflows/release.yaml

@@ -59,24 +59,9 @@ jobs:
 
           # create tarball
           cd ./output && tar -cvzf manifests.tar.gz $files
-      - name: Create release
+      - name: Generate install manifest
-        id: create_release
+        run: |
-        uses: actions/create-release@latest
+          kustomize build ./manifests/install > ./output/install.yaml
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
-      - name: Upload artifacts
-        id: upload-release-asset
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./output/manifests.tar.gz
-          asset_name: manifests.tar.gz
-          asset_content_type: application/gzip
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v1
         with:
@@ -85,3 +70,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+          AUR_BOT_SSH_PRIVATE_KEY: ${{ secrets.AUR_BOT_SSH_PRIVATE_KEY }}

.goreleaser.yml

@@ -23,6 +23,15 @@ builds:
     id: windows
     goos:
       - windows
+  - id: aurmock
+    binary: aurmock
+    main: ./cmd/flux
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
 archives:
   - name_template: "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
     id: nix
@@ -36,6 +45,9 @@ archives:
     format: zip
     files:
       - none*
+  - name_template: "aur_{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    id: aur
+    builds: [aurmock]
 brews:
   - name: flux
     tap:
@@ -50,3 +62,32 @@ brews:
         type: optional
     test: |
       system "#{bin}/flux --version"
+publishers:
+  - name: aur-pkg-bin
+    ids:
+      - aur
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-bin/publish.sh {{ .Version }}
+  - name: aur-pkg-scm
+    ids:
+      - aur
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-scm/publish.sh {{ .Version }}
+  - name: aur-pkg-go
+    ids:
+      - aur
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-go/publish.sh {{ .Version }}
+release:
+  ids:
+    - nix
+    - windows
+  extra_files:
+    - glob: ./output/manifests.tar.gz
+    - glob: ./output/install.yaml

MAINTAINERS

@@ -2,8 +2,17 @@ The maintainers are generally available in Slack at
 https://cloud-native.slack.com in #flux (https://cloud-native.slack.com/messages/CLAJ40HV3)
 (obtain an invitation at https://slack.cncf.io/).
 
+These maintainers are shared with other Flux v2-related git
+repositories under https://github.com/fluxcd, as noted in their
+respective MAINTAINERS files.
+
+For convenience, they are reflected in the GitHub team
+@fluxcd/flux2-maintainers -- if the list here changes, that team also
+should.
+
 In alphabetical order:
 
 Aurel Canciu, Sortlist <aurel@sortlist.com> (github: @relu, slack: relu)
 Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
+Philip Laine, Xenit <philip.laine@xenit.se> (github: @phillebaba, slack: phillebaba)
 Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)

README.md

@@ -36,6 +36,15 @@ curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
 . <(flux completion bash)
 ```
 
+Arch Linux (AUR) packages:
+
+- [flux-bin](https://aur.archlinux.org/packages/flux-bin): install the latest
+  stable version using a pre-build binary (recommended)
+- [flux-go](https://aur.archlinux.org/packages/flux-go): build the latest
+  stable version from source code
+- [flux-scm](https://aur.archlinux.org/packages/flux-scm): build the latest
+  (unstable) version from source code from our git `main` branch
+
 Binaries for macOS, Windows and Linux AMD64/ARM are available to download on the
 [release page](https://github.com/fluxcd/flux2/releases).
 
@@ -100,6 +109,7 @@ Depending on what you want to do, some of the following bits might be your first
 
 ### Featured Talks
 
+- 24 Nov 2020 - [Flux CD v2 with GitOps Toolkit - Kubernetes Deployment and Sync Mechanism](https://youtu.be/R6OeIgb7lUI)
 - 28 Oct 2020 - [The Kubelist Podcast: Flux with Michael Bridgen](https://www.heavybit.com/library/podcasts/the-kubelist-podcast/ep-5-flux-with-michael-bridgen-of-weaveworks/)
 - 19 Oct 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 1 with Leigh Capili](https://youtu.be/0v5bjysXTL8)
 - 12 Oct 2020 - [Rawkode Live: Introduction to GitOps Toolkit with Stefan Prodan](https://youtu.be/HqTzuOBP0eY)

action/README.md

@@ -1,6 +1,57 @@
 # Flux GitHub Action
 
-Example workflow:
+Usage:
+
+```yaml
+    steps:
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Run Flux commands
+        run: flux -v
+```
+
+### Automate Flux updates
+
+Example workflow for updating Flux's components generated with `flux bootstrap --arch=amd64 --path=clusters/production`:
+
+```yaml
+name: update-flux
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 * * * *"
+
+jobs:
+  components:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Check for updates
+        id: update
+        run: |
+          flux install --arch=amd64 \
+            --export > ./clusters/production/flux-system/gotk-components.yaml
+
+          VERSION="$(flux -v)"
+          echo "::set-output name=flux_version::$VERSION"
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v3
+        with:
+            token: ${{ secrets.GITHUB_TOKEN }}
+            branch: update-flux
+            commit-message: Update to ${{ steps.update.outputs.flux_version }}
+            title: Update to ${{ steps.update.outputs.flux_version }}
+            body: |
+              ${{ steps.update.outputs.flux_version }}
+```
+
+### End-to-end testing
+
+Example workflow for running Flux in Kubernetes Kind:
 
 ```yaml
 name: e2e
@@ -23,3 +74,6 @@ jobs:
       - name: Install Flux in Kubernetes Kind
         run: flux install
 ```
+
+A complete e2e testing workflow is available here
+[flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)

cmd/flux/create_helmrelease.go

@@ -107,6 +107,7 @@ var (
 	hrTargetNamespace string
 	hrValuesFile      string
 	hrValuesFrom      flags.HelmReleaseValuesFrom
+	hrSAName          string
 )
 
 func init() {
@@ -116,6 +117,7 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&hrChartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createHelmReleaseCmd.Flags().StringArrayVar(&hrDependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
 	createHelmReleaseCmd.Flags().StringVar(&hrTargetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
+	createHelmReleaseCmd.Flags().StringVar(&hrSAName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
 	createHelmReleaseCmd.Flags().StringVar(&hrValuesFile, "values", "", "local path to the values.yaml file")
 	createHelmReleaseCmd.Flags().Var(&hrValuesFrom, "values-from", hrValuesFrom.Description())
 	createCmd.AddCommand(createHelmReleaseCmd)
@@ -167,6 +169,10 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 
+	if hrSAName != "" {
+		helmRelease.Spec.ServiceAccountName = hrSAName
+	}
+
 	if hrValuesFile != "" {
 		data, err := ioutil.ReadFile(hrValuesFile)
 		if err != nil {

cmd/flux/create_kustomization.go

@@ -88,13 +88,13 @@ var (
 
 func init() {
 	createKsCmd.Flags().Var(&ksSource, "source", ksSource.Description())
-	createKsCmd.Flags().StringVar(&ksPath, "path", "./", "path to the directory containing the Kustomization file")
+	createKsCmd.Flags().StringVar(&ksPath, "path", "./", "path to the directory containing a kustomization.yaml file")
 	createKsCmd.Flags().BoolVar(&ksPrune, "prune", false, "enable garbage collection")
 	createKsCmd.Flags().StringArrayVar(&ksHealthCheck, "health-check", nil, "workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'")
 	createKsCmd.Flags().DurationVar(&ksHealthTimeout, "health-check-timeout", 2*time.Minute, "timeout of health checking operations")
 	createKsCmd.Flags().StringVar(&ksValidation, "validation", "", "validate the manifests before applying them on the cluster, can be 'client' or 'server'")
 	createKsCmd.Flags().StringArrayVar(&ksDependsOn, "depends-on", nil, "Kustomization that must be ready before this Kustomization can be applied, supported formats '<name>' and '<namespace>/<name>'")
-	createKsCmd.Flags().StringVar(&ksSAName, "sa-name", "", "service account name")
+	createKsCmd.Flags().StringVar(&ksSAName, "service-account", "", "the name of the service account to impersonate when reconciling this Kustomization")
 	createKsCmd.Flags().Var(&ksDecryptionProvider, "decryption-provider", ksDecryptionProvider.Description())
 	createKsCmd.Flags().StringVar(&ksDecryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
 	createKsCmd.Flags().StringVar(&ksTargetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")

cmd/flux/create_secret.go

@@ -0,0 +1,52 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var createSecretCmd = &cobra.Command{
+	Use:   "secret",
+	Short: "Create or update Kubernetes secrets",
+	Long:  "The create source sub-commands generate Kubernetes secrets specific to Flux.",
+}
+
+func init() {
+	createCmd.AddCommand(createSecretCmd)
+}
+
+func exportSecret(secret corev1.Secret) error {
+	secret.TypeMeta = metav1.TypeMeta{
+		APIVersion: "v1",
+		Kind:       "Secret",
+	}
+
+	data, err := yaml.Marshal(secret)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("---")
+	fmt.Println(resourceToString(data))
+	return nil
+}

cmd/flux/create_secret_git.go

@@ -0,0 +1,173 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"crypto/elliptic"
+	"fmt"
+	"net/url"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+)
+
+var createSecretGitCmd = &cobra.Command{
+	Use:   "git [name]",
+	Short: "Create or update a Kubernetes secret for Git authentication",
+	Long: `
+The create secret git command generates a Kubernetes secret with Git credentials.
+For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
+For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
+	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
+
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --ssh-key-algorithm=ecdsa \
+    --ssh-ecdsa-curve=p521
+
+  # Create a secret for a Git repository using basic authentication
+  flux create secret git podinfo-auth \
+    --url=https://github.com/stefanprodan/podinfo \
+    --username=username \
+    --password=password
+
+  # Create a Git SSH secret on disk and print the deploy key
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+	--export > podinfo-auth.yaml
+
+  yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
+
+  # Create a Git SSH secret on disk and encrypt it with Mozilla SOPS
+  flux create secret git podinfo-auth \
+    --namespace=apps \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+	--export > podinfo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place podinfo-auth.yaml
+`,
+	RunE: createSecretGitCmdRun,
+}
+
+var (
+	secretGitURL          string
+	secretGitUsername     string
+	secretGitPassword     string
+	secretGitKeyAlgorithm flags.PublicKeyAlgorithm = "rsa"
+	secretGitRSABits      flags.RSAKeyBits         = 2048
+	secretGitECDSACurve                            = flags.ECDSACurve{Curve: elliptic.P384()}
+)
+
+func init() {
+	createSecretGitCmd.Flags().StringVar(&secretGitURL, "url", "", "git address, e.g. ssh://git@host/org/repository")
+	createSecretGitCmd.Flags().StringVarP(&secretGitUsername, "username", "u", "", "basic authentication username")
+	createSecretGitCmd.Flags().StringVarP(&secretGitPassword, "password", "p", "", "basic authentication password")
+	createSecretGitCmd.Flags().Var(&secretGitKeyAlgorithm, "ssh-key-algorithm", sourceGitKeyAlgorithm.Description())
+	createSecretGitCmd.Flags().Var(&secretGitRSABits, "ssh-rsa-bits", sourceGitRSABits.Description())
+	createSecretGitCmd.Flags().Var(&secretGitECDSACurve, "ssh-ecdsa-curve", sourceGitECDSACurve.Description())
+
+	createSecretCmd.AddCommand(createSecretGitCmd)
+}
+
+func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("secret name is required")
+	}
+	name := args[0]
+
+	if secretGitURL == "" {
+		return fmt.Errorf("url is required")
+	}
+
+	u, err := url.Parse(secretGitURL)
+	if err != nil {
+		return fmt.Errorf("git URL parse failed: %w", err)
+	}
+
+	secretLabels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	secret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Labels:    secretLabels,
+		},
+	}
+
+	switch u.Scheme {
+	case "ssh":
+		pair, err := generateKeyPair(ctx)
+		if err != nil {
+			return err
+		}
+
+		hostKey, err := scanHostKey(ctx, u)
+		if err != nil {
+			return err
+		}
+
+		secret.Data = map[string][]byte{
+			"identity":     pair.PrivateKey,
+			"identity.pub": pair.PublicKey,
+			"known_hosts":  hostKey,
+		}
+
+		if !export {
+			logger.Generatef("deploy key: %s", string(pair.PublicKey))
+		}
+	case "http", "https":
+		if sourceGitUsername == "" || sourceGitPassword == "" {
+			return fmt.Errorf("for Git over HTTP/S the username and password are required")
+		}
+
+		// TODO: add cert data when it's implemented in source-controller
+		secret.Data = map[string][]byte{
+			"username": []byte(secretGitUsername),
+			"password": []byte(secretGitPassword),
+		}
+	default:
+		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
+	}
+
+	if export {
+		return exportSecret(secret)
+	}
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+		return err
+	}
+	logger.Actionf("secret '%s' created in '%s' namespace", name, namespace)
+
+	return nil
+}

cmd/flux/create_source_bucket.go

@@ -154,6 +154,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      secretName,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{},
 		}

cmd/flux/create_source_git.go

@@ -215,6 +215,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{
 				"identity":     string(pair.PrivateKey),
@@ -232,6 +233,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{
 				"username": sourceGitUsername,

cmd/flux/create_source_helm.go

@@ -151,6 +151,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      secretName,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{},
 		}

cmd/flux/create_tenant.go

@@ -56,7 +56,6 @@ reconcilers scope to the tenant namespaces.`,
 
 const (
 	tenantLabel = "toolkit.fluxcd.io/tenant"
-	tenantRoleBinding = "gotk-reconciler"
 )
 
 var (
@@ -123,18 +122,20 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 
 		roleBinding := rbacv1.RoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      tenantRoleBinding,
+				Name:      fmt.Sprintf("%s-reconciler", tenant),
 				Namespace: ns,
 				Labels:    objLabels,
 			},
 			Subjects: []rbacv1.Subject{
 				{
+					APIGroup: "rbac.authorization.k8s.io",
 					Kind:     "User",
 					Name:     fmt.Sprintf("gotk:%s:reconciler", ns),
 				},
 				{
 					Kind:      "ServiceAccount",
 					Name:      tenant,
+					Namespace: ns,
 				},
 			},
 			RoleRef: rbacv1.RoleRef{
@@ -290,7 +291,7 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 	fmt.Println(resourceToString(data))
 
 	account.TypeMeta = metav1.TypeMeta{
-		APIVersion: "",
+		APIVersion: "v1",
 		Kind:       "ServiceAccount",
 	}
 	data, err = yaml.Marshal(account)

cmd/flux/reconcile_alert.go

@@ -64,13 +64,17 @@ func reconcileAlertCmdRun(cmd *cobra.Command, args []string) error {
 		Name:      name,
 	}
 
-	logger.Actionf("annotating Alert %s in %s namespace", name, namespace)
 	var alert notificationv1.Alert
 	err = kubeClient.Get(ctx, namespacedName, &alert)
 	if err != nil {
 		return err
 	}
 
+	if alert.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
+	logger.Actionf("annotating Alert %s in %s namespace", name, namespace)
 	if alert.Annotations == nil {
 		alert.Annotations = map[string]string{
 			meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
@@ -78,6 +82,7 @@ func reconcileAlertCmdRun(cmd *cobra.Command, args []string) error {
 	} else {
 		alert.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
 	}
+
 	if err := kubeClient.Update(ctx, &alert); err != nil {
 		return err
 	}

cmd/flux/reconcile_helmrelease.go

@@ -86,6 +86,10 @@ func reconcileHrCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if helmRelease.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	if syncHrWithSource {
 		switch helmRelease.Spec.Chart.Spec.SourceRef.Kind {
 		case sourcev1.HelmRepositoryKind:

cmd/flux/reconcile_kustomization.go

@@ -84,6 +84,10 @@ func reconcileKsCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if kustomization.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	if syncKsWithSource {
 		switch kustomization.Spec.SourceRef.Kind {
 		case sourcev1.GitRepositoryKind:

cmd/flux/reconcile_receiver.go

@@ -64,13 +64,17 @@ func reconcileReceiverCmdRun(cmd *cobra.Command, args []string) error {
 		Name:      name,
 	}
 
-	logger.Actionf("annotating Receiver %s in %s namespace", name, namespace)
 	var receiver notificationv1.Receiver
 	err = kubeClient.Get(ctx, namespacedName, &receiver)
 	if err != nil {
 		return err
 	}
 
+	if receiver.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
+	logger.Actionf("annotating Receiver %s in %s namespace", name, namespace)
 	if receiver.Annotations == nil {
 		receiver.Annotations = map[string]string{
 			meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),

cmd/flux/reconcile_source_bucket.go

@@ -74,6 +74,10 @@ func reconcileSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if bucket.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	lastHandledReconcileAt := bucket.Status.LastHandledReconcileAt
 	logger.Actionf("annotating Bucket source %s in %s namespace", name, namespace)
 	if err := requestBucketReconciliation(ctx, kubeClient, namespacedName, &bucket); err != nil {

cmd/flux/reconcile_source_git.go

@@ -72,6 +72,10 @@ func reconcileSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if repository.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	logger.Actionf("annotating GitRepository source %s in %s namespace", name, namespace)
 	if err := requestGitRepositoryReconciliation(ctx, kubeClient, namespacedName, &repository); err != nil {
 		return err

cmd/flux/reconcile_source_helm.go

@@ -73,6 +73,10 @@ func reconcileSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if repository.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	logger.Actionf("annotating HelmRepository source %s in %s namespace", name, namespace)
 	if err := requestHelmRepositoryReconciliation(ctx, kubeClient, namespacedName, &repository); err != nil {
 		return err

docs/cmd/flux_create.md

@@ -33,6 +33,7 @@ The create sub-commands generate sources and resources.
 * [flux create helmrelease](flux_create_helmrelease.md)	 - Create or update a HelmRelease resource
 * [flux create kustomization](flux_create_kustomization.md)	 - Create or update a Kustomization resource
 * [flux create receiver](flux_create_receiver.md)	 - Create or update a Receiver resource
+* [flux create secret](flux_create_secret.md)	 - Create or update Kubernetes secrets
 * [flux create source](flux_create_source.md)	 - Create or update sources
 * [flux create tenant](flux_create_tenant.md)	 - Create or update a tenant
 

docs/cmd/flux_create_helmrelease.md

@@ -75,6 +75,7 @@ flux create helmrelease [name] [flags]
       --depends-on stringArray              HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'
   -h, --help                                help for helmrelease
       --release-name string                 name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'
+      --service-account string              the name of the service account to impersonate when reconciling this HelmRelease
       --source helmChartSource              source that contains the chart in the format '<kind>/<name>',where kind can be one of: (HelmRepository, GitRepository, Bucket)
       --target-namespace string             namespace to install this release, defaults to the HelmRelease namespace
       --values string                       local path to the values.yaml file

docs/cmd/flux_create_kustomization.md

@@ -50,9 +50,9 @@ flux create kustomization [name] [flags]
       --health-check stringArray                 workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'
       --health-check-timeout duration            timeout of health checking operations (default 2m0s)
   -h, --help                                     help for kustomization
-      --path string                              path to the directory containing the Kustomization file (default "./")
+      --path string                              path to the directory containing a kustomization.yaml file (default "./")
       --prune                                    enable garbage collection
-      --sa-name string                           service account name
+      --service-account string                   the name of the service account to impersonate when reconciling this Kustomization
       --source kustomizationSource               source that contains the Kubernetes manifests in the format '[<kind>/]<name>',where kind can be one of: (GitRepository, Bucket), if kind is not specified it defaults to GitRepository
       --target-namespace string                  overrides the namespace of all Kustomization objects reconciled by this Kustomization
       --validation string                        validate the manifests before applying them on the cluster, can be 'client' or 'server'

docs/cmd/flux_create_secret.md

@@ -0,0 +1,32 @@
+## flux create secret
+
+Create or update Kubernetes secrets
+
+### Synopsis
+
+The create source sub-commands generate Kubernetes secrets specific to Flux.
+
+### Options
+
+```
+  -h, --help   help for secret
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --export              export in YAML format to stdout
+      --interval duration   source sync interval (default 1m0s)
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+      --label strings       set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux create](flux_create.md)	 - Create or update sources and resources
+* [flux create secret git](flux_create_secret_git.md)	 - Create or update a Kubernetes secret for Git authentication
+

docs/cmd/flux_create_secret_git.md

@@ -0,0 +1,78 @@
+## flux create secret git
+
+Create or update a Kubernetes secret for Git authentication
+
+### Synopsis
+
+
+The create secret git command generates a Kubernetes secret with Git credentials.
+For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
+For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.
+
+```
+flux create secret git [name] [flags]
+```
+
+### Examples
+
+```
+  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
+
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --ssh-key-algorithm=ecdsa \
+    --ssh-ecdsa-curve=p521
+
+  # Create a secret for a Git repository using basic authentication
+  flux create secret git podinfo-auth \
+    --url=https://github.com/stefanprodan/podinfo \
+    --username=username \
+    --password=password
+
+  # Create a Git SSH secret on disk and print the deploy key
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+	--export > podinfo-auth.yaml
+
+  yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
+
+  # Create a Git SSH secret on disk and encrypt it with Mozilla SOPS
+  flux create secret git podinfo-auth \
+    --namespace=apps \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+	--export > podinfo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place podinfo-auth.yaml
+
+```
+
+### Options
+
+```
+  -h, --help                                   help for git
+  -p, --password string                        basic authentication password
+      --ssh-ecdsa-curve ecdsaCurve             SSH ECDSA public key curve (p256, p384, p521) (default p384)
+      --ssh-key-algorithm publicKeyAlgorithm   SSH public key algorithm (rsa, ecdsa, ed25519) (default rsa)
+      --ssh-rsa-bits rsaKeyBits                SSH RSA public key bit size (multiplies of 8) (default 2048)
+      --url string                             git address, e.g. ssh://git@host/org/repository
+  -u, --username string                        basic authentication username
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --export              export in YAML format to stdout
+      --interval duration   source sync interval (default 1m0s)
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+      --label strings       set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux create secret](flux_create_secret.md)	 - Create or update Kubernetes secrets
+

docs/get-started/index.md

@@ -34,6 +34,11 @@ curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
 
 The install script downloads the flux binary to `/usr/local/bin`.
 
+If using Arch Linux, install the latest stable version from **AUR** using
+either [flux-bin](https://aur.archlinux.org/packages/flux-bin) (pre-built
+binary) or [flux-go](https://aur.archlinux.org/packages/flux-go) (locally built
+binary).
+
 Binaries for **macOS**, **Windows** and **Linux** AMD64/ARM are available for download on the
 [release page](https://github.com/fluxcd/flux2/releases).
 

docs/guides/installation.md

@@ -84,12 +84,17 @@ cluster e.g. `clusters/staging` and `clusters/production`:
     └── flux-system
 ```
 
+After running bootstrap you can place Kubernetes YAMLs inside a dir under path
+e.g. `clusters/staging/my-app`, and Flux will reconcile them on your cluster.
+
 !!! hint "Change the default branch"
     If you wish to change the branch to something else than main, create the repository manually,
     push a branch to origin and then use `flux bootstrap <GIT-PROVIDER> --branch=your-branch`.
 
 For examples on how you can structure your Git repository see:
+
 * [flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example)
+* [flux2-multi-tenancy](https://github.com/fluxcd/flux2-multi-tenancy)
 
 ### GitHub and GitHub Enterprise
 
@@ -439,6 +444,12 @@ For testing purposes you can install Flux without storing its manifests in a Git
 flux install --arch=amd64
 ```
 
+Or using kubectl:
+
+```sh
+kubectl apply -f https://github.com/fluxcd/flux2/releases/latest/download/install.yaml
+```
+
 Then you can register Git repositories and reconcile them on your cluster:
 
 ```sh
@@ -473,12 +484,80 @@ flux create helmrelease nginx \
   --chart-version="5.x.x"
 ```
 
-## Monitoring with Prometheus and Grafana
+## Upgrade 
 
-Flux comes with a monitoring stack composed of Prometheus and Grafana. The controllers expose
+Update Flux CLI to the latest release with `brew upgrade fluxcd/tap/flux` or by 
-metrics that can be used to track the readiness of the cluster reconciliation process.
+downloading the binary from [GitHub](https://github.com/fluxcd/flux2/releases).
 
-To install the monitoring stack please follow this [guide](monitoring.md).
+Verify that you are running the latest version with:
+
+```sh
+flux --version
+```
+
+### Bootstrap upgrade
+
+If you've used the [bootstrap](#bootstrap) procedure to deploy Flux,
+then rerun the bootstrap command for each cluster using the same arguments as before:
+
+```sh
+flux bootstrap github \
+  --owner=my-github-username \
+  --repository=my-repository \
+  --branch=main \
+  --path=clusters/my-cluster \
+  --personal
+```
+
+The above command will clone the repository, it will update the components manifest in
+`<path>/flux-system/gotk-components.yaml` and it will push the changes to the remote branch.
+
+Tell Flux to pull the manifests from Git and upgrade itself with:
+
+```sh
+flux reconcile source git flux-system
+```
+
+Verify that the controllers have been upgrade with:
+
+```sh
+flux check
+```
+
+!!! hint "Automated upgrades"
+    You can automate the components manifest update with GitHub Actions
+    and open a PR when there is a new Flux version available.
+    For more details please see [Flux GitHub Action docs](https://github.com/fluxcd/flux2/tree/main/action).
+
+### Terraform upgrade
+
+Update the Flux provider to the [latest release](https://github.com/fluxcd/terraform-provider-flux/releases)
+and run `terraform apply`.
+
+Tell Flux to upgrade itself in-cluster or wait for it to pull the latest commit from Git:
+
+```sh
+kubectl annotate --overwrite gitrepository/flux-system reconcile.fluxcd.io/requestedAt="$(date +%s)"
+```
+
+### In-cluster upgrade
+
+If you've installed Flux directly on the cluster, then rerun the install command:
+
+```sh
+flux install --version=latest
+```
+
+The above command will download the latest manifests from
+[GitHub](https://github.com/fluxcd/flux2/releases) and it will apply them on your cluster.
+You can verify that the controllers have been upgraded to the latest version with `flux check`.
+
+If you've installed Flux directly on the cluster with kubectl,
+then rerun the command using the latest manifests from the `main` branch:
+
+```sh
+kustomize build https://github.com/fluxcd/flux2/manifests/install?ref=main | kubectl apply -f-
+```
 
 ## Uninstall
 

docs/index.md

@@ -86,6 +86,7 @@ Depending on what you want to do, some of the following bits might be your first
 
 ### Featured Talks
 
+- 24 Nov 2020 - [Flux CD v2 with GitOps Toolkit - Kubernetes Deployment and Sync Mechanism](https://youtu.be/R6OeIgb7lUI)
 - 19 Oct 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 2 with Leigh Capili](https://youtu.be/fC2YCxQRUwU)
 - 28 Oct 2020 - [The Kubelist Podcast: Flux with Michael Bridgen](https://www.heavybit.com/library/podcasts/the-kubelist-podcast/ep-5-flux-with-michael-bridgen-of-weaveworks/)
 - 19 Oct 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 1 with Leigh Capili](https://youtu.be/0v5bjysXTL8)

docs/roadmap/index.md

@@ -14,6 +14,11 @@ All of the above will constitute "Flux v2".
 
 [= 100% "100%"]
 
+Flux v2 read-only is ready to try. See the [Getting
+Started](https://toolkit.fluxcd.io/get-started/) how-to, and the
+[Migration
+guide](https://toolkit.fluxcd.io/guides/flux-v1-migration/).
+
 This would be the first stepping stone: we want Flux v2 to be on-par with today's Flux in
 [read-only mode](https://github.com/fluxcd/flux/blob/master/docs/faq.md#can-i-run-flux-with-readonly-git-access)
 and [FluxCloud](https://github.com/justinbarrick/fluxcloud) notifications.
@@ -43,7 +48,11 @@ Tasks
 
 ### Flux image update feature parity
 
-[= 30% "30%"]
+[= 70% "70%"]
+
+Image automation is available as a prerelease. See [the
+README](https://github.com/fluxcd/image-automation-controller#readme)
+for instructions on installing it.
 
 Goals
 
@@ -56,11 +65,16 @@ Non-Goals
 Tasks
 
 - [x] <span style="color:grey">[Design the image scanning and automation API](https://github.com/fluxcd/flux2/discussions/107)</span>
-- [ ]  Implement an image scanning controller
+- [x] <span style="color:grey">Implement an image scanning controller</span>
+- [x] <span style="color:grey">Public image repo support</span>
+- [x] <span style="color:grey">Credentials from Secret [fluxcd/image-reflector-controller#35](https://github.com/fluxcd/image-reflector-controller/pull/35)</span>
+- [ ] ECR-specific support [fluxcd/image-reflector-controller#11](https://github.com/fluxcd/image-reflector-controller/issues/11)
+- [ ] GCR-specific support [fluxcd/image-reflector-controller#11](https://github.com/fluxcd/image-reflector-controller/issues/11)
+- [ ] Azure-specific support [fluxcd/image-reflector-controller#11](https://github.com/fluxcd/image-reflector-controller/issues/11)
 - [x] <span style="color:grey">Design the automation component</span>
-- [ ]  Implement the image scan/patch/push workflow
+- [x] <span style="color:grey">Implement the image scan/patch/push workflow</span>
-- [ ]  Integrate the new components in the Flux CLI
+- [ ] Integrate the new components in the Flux CLI [fluxcd/flux2#538](https://github.com/fluxcd/flux2/pull/538)
-- [ ]  Create a migration guide from Flux annotations
+- [ ] Write a migration guide from Flux annotations
 
 ## The road to Helm Operator v2
 
@@ -68,6 +82,11 @@ Tasks
 
 [= 100% "100%"]
 
+Helm support in Flux v2 is ready to try. See the [Helm controller
+guide](https://toolkit.fluxcd.io/guides/helmreleases/), and the [Helm
+controller migration
+guide](https://toolkit.fluxcd.io/guides/helm-operator-migration/).
+
 Goals
 
 -  Offer a migration guide for those that are using Helm Operator with Helm v3 and charts from

go.mod

@@ -4,7 +4,7 @@ go 1.15
 
 require (
 	github.com/blang/semver/v4 v4.0.0
-	github.com/fluxcd/helm-controller/api v0.4.0
+	github.com/fluxcd/helm-controller/api v0.4.2
 	github.com/fluxcd/kustomize-controller/api v0.4.0
 	github.com/fluxcd/notification-controller/api v0.4.0
 	github.com/fluxcd/pkg/apis/meta v0.4.0

go.sum

@@ -132,8 +132,8 @@ github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQobrkAqrL+WFZwQses=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fluxcd/helm-controller/api v0.4.0 h1:sFWhxiFi1x7IHdmmOAZm4y0aN32O6xTgdt4sXfsW0po=
+github.com/fluxcd/helm-controller/api v0.4.2 h1:7aXPOJwUWMqg/DAoYRj8acqzSkmVXDGrZgv05VFsXG8=
-github.com/fluxcd/helm-controller/api v0.4.0/go.mod h1:2oU4Q26TW39IGC7tmJehCNJpISj8ovpU0DoRI7Y76wE=
+github.com/fluxcd/helm-controller/api v0.4.2/go.mod h1:2oU4Q26TW39IGC7tmJehCNJpISj8ovpU0DoRI7Y76wE=
 github.com/fluxcd/kustomize-controller/api v0.4.0 h1:QBilPNIFf5VCmJrt0L96iPWfV0lRT28n6vD+W7Kz88s=
 github.com/fluxcd/kustomize-controller/api v0.4.0/go.mod h1:NB4aJ+hSWyg6Tx6p47ZWExzjwq4sPRRYvaP02JrHrNU=
 github.com/fluxcd/notification-controller/api v0.4.0 h1:x7QwF7F/uG0JuaMaEBWqHWhy5DLJEsC3zWlj5rK6kB8=

install/flux.sh

@@ -42,7 +42,10 @@ setup_verify_arch() {
         ARCH=$(uname -m)
     fi
     case ${ARCH} in
-        arm64)
+        arm|armv6l|armv7l)
+            ARCH=arm
+            ;;
+        arm64|aarch64|armv8l)
             ARCH=arm64
             ;;
         amd64)

manifests/bases/helm-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/helm-controller/archive/v0.4.0.zip//helm-controller-0.4.0/config/crd
+- https://github.com/fluxcd/helm-controller/archive/v0.4.2.zip//helm-controller-0.4.2/config/crd
-- https://github.com/fluxcd/helm-controller/archive/v0.4.0.zip//helm-controller-0.4.0/config/manager
+- https://github.com/fluxcd/helm-controller/archive/v0.4.2.zip//helm-controller-0.4.2/config/manager
 patchesJson6902:
 - target:
     group: apps

mkdocs.yml

@@ -96,6 +96,8 @@ nav:
     - Create alert: cmd/flux_create_alert.md
     - Create receiver: cmd/flux_create_receiver.md
     - Create tenant: cmd/flux_create_tenant.md
+    - Create secret: cmd/flux_create_secret.md
+    - Create secret git: cmd/flux_create_secret_git.md
     - Delete: cmd/flux_delete.md
     - Delete kustomization: cmd/flux_delete_kustomization.md
     - Delete helmrelease: cmd/flux_delete_helmrelease.md