Merge pull request #3049 from fluxcd/kube-1.25

Update Kubernetes dependencies to v1.25.0
2026-03-01 11:16:56 +00:00 · 2022-08-29 15:24:31 +03:00 · 2022-08-29 15:03:36 +03:00 · 2022-08-29 14:28:37 +03:00 · 2022-08-29 14:09:42 +03:00 · 2022-08-29 10:57:30 +00:00
664 changed files with 32971 additions and 15201 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -0,0 +1,84 @@
+---
+name: Bug report
+description: Create a report to help us improve Flux
+body:
+- type: markdown
+  attributes:
+    value: |
+      ## Support
+      Find out more about your support options and getting help at: https://fluxcd.io/support/
+- type: textarea
+  validations:
+    required: true
+  attributes:
+    label: Describe the bug
+    description: A clear description of what the bug is.
+- type: textarea
+  validations:
+    required: true
+  attributes:
+    label: Steps to reproduce
+    description: |
+      Steps to reproduce the problem.
+    placeholder: |
+      For example:
+      1. Install Flux with the additional image automation controllers
+      2. Run command '...'
+      3. See error
+- type: textarea
+  validations:
+    required: true
+  attributes:
+    label: Expected behavior
+    description: A brief description of what you expected to happen.
+- type: textarea
+  attributes:
+    label: Screenshots and recordings
+    description: |
+      If applicable, add screenshots to help explain your problem. You can also record an asciinema session: https://asciinema.org/
+- type: input
+  validations:
+    required: true
+  attributes:
+    label: OS / Distro
+    description: The OS / distro you are executing `flux` on. If not applicable, write `N/A`.
+    placeholder: e.g. Windows 10, Ubuntu 20.04, Arch Linux, macOS 10.15...
+- type: input
+  validations:
+    required: true
+  attributes:
+    label: Flux version
+    description: Run `flux version --client`. If not applicable, write `N/A`.
+    placeholder: e.g. v0.20.1
+- type: textarea
+  validations:
+    required: true
+  attributes:
+    label: Flux check
+    description: Run `flux check`. If not applicable, write `N/A`.
+    placeholder: |
+      For example:
+      ► checking prerequisites
+      ✔ Kubernetes 1.21.1 >=1.19.0-0
+      ► checking controllers
+      ✔ all checks passed
+- type: input
+  attributes:
+    label: Git provider
+    description: If applicable, add the Git provider you are having problems with, e.g. GitHub (Enterprise), GitLab, etc.
+- type: input
+  attributes:
+    label: Container Registry provider
+    description: If applicable, add the Container Registry provider you are having problems with, e.g. DockerHub, GitHub Packages, Quay.io, etc.
+- type: textarea
+  attributes:
+    label: Additional context
+    description: Add any other context about the problem here. This can be logs (e.g. output from `flux logs`), environment specific caveats, etc.
+- type: checkboxes
+  id: terms
+  attributes:
+    label: Code of Conduct
+    description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/fluxcd/.github/blob/main/CODE_OF_CONDUCT.md)
+    options:
+    - label: I agree to follow this project's Code of Conduct
+      required: true
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Ask a question
+    url: https://github.com/fluxcd/flux2/discussions
+    about: Please ask and answer questions here.
--- a/.github/aur/flux-bin/.SRCINFO.template
+++ b/.github/aur/flux-bin/.SRCINFO.template
@@ -0,0 +1,22 @@
+pkgbase = flux-bin
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	optdepends = bash-completion: auto-completion for flux in Bash
+	optdepends = zsh-completions: auto-completion for flux in ZSH
+	source_x86_64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_amd64.tar.gz
+	sha256sums_x86_64 = ${SHA256SUM_AMD64}
+	source_armv6h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
+	sha256sums_armv6h = ${SHA256SUM_ARM}
+	source_armv7h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
+	sha256sums_armv7h = ${SHA256SUM_ARM}
+	source_aarch64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm64.tar.gz
+	sha256sums_aarch64 = ${SHA256SUM_ARM64}
+
+pkgname = flux-bin
--- a/.github/aur/flux-bin/.gitignore
+++ b/.github/aur/flux-bin/.gitignore
@@ -0,0 +1 @@
+.pkg
--- a/.github/aur/flux-bin/PKGBUILD.template
+++ b/.github/aur/flux-bin/PKGBUILD.template
@@ -0,0 +1,45 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-bin
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+optdepends=('bash-completion: auto-completion for flux in Bash'
+            'zsh-completions: auto-completion for flux in ZSH')
+source_x86_64=(
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
+)
+source_armv6h=(
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+)
+source_armv7h=(
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+)
+source_aarch64=(
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
+)
+sha256sums_x86_64=(
+  ${SHA256SUM_AMD64}
+)
+sha256sums_armv6h=(
+  ${SHA256SUM_ARM}
+)
+sha256sums_armv7h=(
+  ${SHA256SUM_ARM}
+)
+sha256sums_aarch64=(
+  ${SHA256SUM_ARM64}
+)
+_srcname=flux
+
+package() {
+	install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
+
+    "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
+    "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
+    "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
+}
--- a/.github/aur/flux-bin/publish.sh
+++ b/.github/aur/flux-bin/publish.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+LOCKFILE=/tmp/aur-$PKGNAME.lock
+exec 100>$LOCKFILE || exit 0
+flock -n 100 || exit 0
+trap "rm -f $LOCKFILE" EXIT
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_amd64.tar.gz | awk '{ print $1 }')
+
+envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi
--- a/.github/aur/flux-go/.SRCINFO.template
+++ b/.github/aur/flux-go/.SRCINFO.template
@@ -0,0 +1,18 @@
+pkgbase = flux-go
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	makedepends = go
+	depends = glibc
+	provides = flux-bin
+	conflicts = flux-bin
+  replaces = flux-cli
+	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${PKGVER}.tar.gz
+
+pkgname = flux-go
--- a/.github/aur/flux-go/.gitignore
+++ b/.github/aur/flux-go/.gitignore
@@ -0,0 +1 @@
+.pkg
--- a/.github/aur/flux-go/PKGBUILD.template
+++ b/.github/aur/flux-go/PKGBUILD.template
@@ -0,0 +1,58 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-go
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+provides=("flux-bin")
+conflicts=("flux-bin")
+replaces=("flux-cli")
+depends=("glibc")
+makedepends=('go>=1.17', 'kustomize>=3.0')
+optdepends=('bash-completion: auto-completion for flux in Bash',
+'zsh-completions: auto-completion for flux in ZSH')
+source=(
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${pkgver}.tar.gz"
+)
+sha256sums=(
+  ${SHA256SUM}
+)
+_srcname=flux
+
+build() {
+  cd "flux2-${pkgver}"
+  export CGO_LDFLAGS="$LDFLAGS"
+  export CGO_CFLAGS="$CFLAGS"
+  export CGO_CXXFLAGS="$CXXFLAGS"
+  export CGO_CPPFLAGS="$CPPFLAGS"
+  export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
+  make cmd/flux/.manifests.done
+  go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
+}
+
+check() {
+  cd "flux2-${pkgver}"
+  case $CARCH in
+    aarch64)
+      export ENVTEST_ARCH=arm64
+      ;;
+    armv6h|armv7h)
+      export ENVTEST_ARCH=arm
+      ;;
+  esac
+  make test
+}
+
+package() {
+  cd "flux2-${pkgver}"
+  install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
+  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+
+  "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
+  "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
+  "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
+}
--- a/.github/aur/flux-go/publish.sh
+++ b/.github/aur/flux-go/publish.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+LOCKFILE=/tmp/aur-$PKGNAME.lock
+exec 100>$LOCKFILE || exit 0
+flock -n 100 || exit 0
+trap "rm -f $LOCKFILE" EXIT
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v$PKGVER.tar.gz | sha256sum | awk '{ print $1 }')
+
+envsubst '$PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi
--- a/.github/aur/flux-scm/.SRCINFO.template
+++ b/.github/aur/flux-scm/.SRCINFO.template
@@ -0,0 +1,18 @@
+pkgbase = flux-scm
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	makedepends = go
+	depends = glibc
+	provides = flux-bin
+	conflicts = flux-bin
+	source = git+https://github.com/fluxcd/flux2.git
+	md5sums = SKIP
+
+pkgname = flux-scm
--- a/.github/aur/flux-scm/.gitignore
+++ b/.github/aur/flux-scm/.gitignore
@@ -0,0 +1 @@
+.pkg
--- a/.github/aur/flux-scm/PKGBUILD.template
+++ b/.github/aur/flux-scm/PKGBUILD.template
@@ -0,0 +1,60 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-scm
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+provides=("flux-bin")
+conflicts=("flux-bin")
+depends=("glibc")
+makedepends=('go>=1.17', 'kustomize>=3.0', 'git')
+optdepends=('bash-completion: auto-completion for flux in Bash',
+'zsh-completions: auto-completion for flux in ZSH')
+source=(
+  "git+https://github.com/fluxcd/flux2.git"
+)
+md5sums=('SKIP')
+_srcname=flux
+
+pkgver() {
+  cd "flux2"
+  printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+}
+
+build() {
+  cd "flux2"
+  export CGO_LDFLAGS="$LDFLAGS"
+  export CGO_CFLAGS="$CFLAGS"
+  export CGO_CXXFLAGS="$CXXFLAGS"
+  export CGO_CPPFLAGS="$CPPFLAGS"
+  export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
+  make cmd/flux/.manifests.done
+  go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
+}
+
+check() {
+  cd "flux2"
+  case $CARCH in
+    aarch64)
+      export ENVTEST_ARCH=arm64
+      ;;
+    armv6h|armv7h)
+      export ENVTEST_ARCH=arm
+      ;;
+  esac
+  make test
+}
+
+package() {
+  cd "flux2"
+  install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
+  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+
+  "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
+  "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
+  "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
+}
--- a/.github/aur/flux-scm/publish.sh
+++ b/.github/aur/flux-scm/publish.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+LOCKFILE=/tmp/aur-$PKGNAME.lock
+exec 100>$LOCKFILE || exit 0
+flock -n 100 || exit 0
+trap "rm -f $LOCKFILE" EXIT
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+envsubst '$PKGVER $PKGREL' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi
--- a/.github/kind/config.yaml
+++ b/.github/kind/config.yaml
@@ -0,0 +1,5 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  disableDefaultCNI: true   # disable kindnet
+  podSubnet: 192.168.0.0/16 # set to Calico's default subnet
--- a/.github/runners/README.md
+++ b/.github/runners/README.md
@@ -0,0 +1,72 @@
+# Flux ARM64 GitHub runners
+
+The Flux ARM64 end-to-end tests run on Equinix instances provisioned with Docker and GitHub self-hosted runners.
+
+## Current instances
+
+| Runner        | Instance            | Region |
+|---------------|---------------------|--------|
+| equinix-arm-1 | flux-equinix-arm-01 | AMS1   |
+| equinix-arm-2 | flux-equinix-arm-01 | AMS1   |
+| equinix-arm-3 | flux-equinix-arm-01 | AMS1   |
+| equinix-arm-4 | flux-equinix-arm-02 | DFW2   |
+| equinix-arm-5 | flux-equinix-arm-02 | DFW2   |
+| equinix-arm-6 | flux-equinix-arm-02 | DFW2   |
+
+## Instance setup
+
+In order to add a new runner to the GitHub Actions pool,
+first create a server on Equinix with the following configuration:
+- Type: c2.large.arm
+- OS: Ubuntu 20.04
+
+### Install prerequisites
+
+- SSH into a newly created instance
+```shell
+ssh root@<instance-public-IP>
+``` 
+
+- Create the ubuntu user
+```shell
+adduser ubuntu
+usermod -aG sudo ubuntu
+su - ubuntu
+```
+
+- Create the prerequisites dir
+```shell
+mkdir -p prereq && cd prereq
+```
+
+- Download the prerequisites script
+```shell
+curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/prereq.sh > prereq.sh \
+  && chmod +x ./prereq.sh
+```
+
+- Install the prerequisites
+```shell
+sudo ./prereq.sh
+```
+
+### Install runners
+
+- Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)
+
+- Create 3 directories `runner1`, `runner2`, `runner3`
+
+- In each dir run:
+```shell
+curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/runner-setup.sh > runner-setup.sh \
+  && chmod +x ./runner-setup.sh
+
+./runner-setup.sh equinix-arm-<NUMBER> <TOKEN>
+```
+
+- Reboot the instance
+```shell
+sudo reboot
+```
+
+- Navigate to the GitHub repository [runners page](https://github.com/fluxcd/flux2/settings/actions/runners) and check the runner status
--- a/.github/runners/prereq.sh
+++ b/.github/runners/prereq.sh
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The Flux authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script installs the prerequisites for running Flux end-to-end tests with Docker and GitHub self-hosted runners.
+
+set -eu
+
+KIND_VERSION=0.14.0
+KUBECTL_VERSION=1.24.0
+KUSTOMIZE_VERSION=4.5.4
+HELM_VERSION=3.8.2
+GITHUB_RUNNER_VERSION=2.291.1
+PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq pkg-config"
+
+# install prerequisites
+apt-get update \
+  && apt-get install -y -q ${PACKAGES} \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+# install docker
+curl -fsSL https://get.docker.com -o get-docker.sh \
+  && chmod +x get-docker.sh
+./get-docker.sh
+systemctl enable docker.service
+systemctl enable containerd.service
+usermod -aG docker ubuntu
+
+# install kind
+curl -Lo ./kind https://kind.sigs.k8s.io/dl/v${KIND_VERSION}/kind-linux-arm64
+install -o root -g root -m 0755 kind /usr/local/bin/kind
+
+# install kubectl
+curl -LO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/arm64/kubectl"
+install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+
+# install kustomize
+curl -Lo ./kustomize.tar.gz https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_arm64.tar.gz \
+  && tar -zxvf kustomize.tar.gz \
+  && rm kustomize.tar.gz
+install -o root -g root -m 0755 kustomize /usr/local/bin/kustomize
+
+# install helm
+curl -Lo ./helm.tar.gz https://get.helm.sh/helm-v${HELM_VERSION}-linux-arm64.tar.gz \
+  && tar -zxvf helm.tar.gz \
+  && rm helm.tar.gz
+install -o root -g root -m 0755 linux-arm64/helm /usr/local/bin/helm
+
+# download runner
+curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
+  && tar xzf actions-runner-linux-arm64.tar.gz \
+  && rm actions-runner-linux-arm64.tar.gz
+
+# install runner dependencies
+./bin/installdependencies.sh
--- a/.github/runners/runner-setup.sh
+++ b/.github/runners/runner-setup.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The Flux authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script installs a GitHub self-hosted ARM64 runner for running Flux end-to-end tests.
+
+set -eu
+
+RUNNER_NAME=$1
+REPOSITORY_TOKEN=$2
+REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}
+
+GITHUB_RUNNER_VERSION=2.285.1
+
+# download runner
+curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
+  && tar xzf actions-runner-linux-arm64.tar.gz \
+  && rm actions-runner-linux-arm64.tar.gz
+
+# register runner with GitHub
+./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN} --name ${RUNNER_NAME}
+
+# start runner
+sudo ./svc.sh install
+sudo ./svc.sh start
--- a/.github/workflows/bootstrap.yaml
+++ b/.github/workflows/bootstrap.yaml
@@ -2,72 +2,134 @@ name: bootstrap

 on:
  push:
-    branches:
-      - '*'
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]

 jobs:
  github:
    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Restore Go cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go-
+            ${{ runner.os }}-go1.18-
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: 1.15.x
+          go-version: 1.18.x
      - name: Setup Kubernetes
        uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: v0.11.1
+          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
+      - name: Setup Kustomize
+        uses: fluxcd/pkg//actions/kustomize@main
+      - name: Build
+        run: |
+          make cmd/flux/.manifests.done
+          go build -o /tmp/flux ./cmd/flux
      - name: Set outputs
        id: vars
-        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
-      - name: Build
-        run: sudo go build -o ./bin/flux ./cmd/flux
+        run: |
+          REPOSITORY_NAME=${{ github.event.repository.name }}
+          BRANCH_NAME=${GITHUB_REF##*/}
+          COMMIT_SHA=$(git rev-parse HEAD)
+          PSEUDO_RAND_SUFFIX=$(echo "${BRANCH_NAME}-${COMMIT_SHA}" | shasum | awk '{print $1}')
+          TEST_REPO_NAME="${REPOSITORY_NAME}-${PSEUDO_RAND_SUFFIX}"
+          echo "::set-output name=test_repo_name::$TEST_REPO_NAME"
      - name: bootstrap init
        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
-          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
+          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
-          --path=test-cluster
+          --path=test-cluster \
+          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: bootstrap no-op
        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
-          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
-          --branch=main \
-          --path=test-cluster
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
-      - name: uninstall
-        run: |
-          ./bin/flux suspend kustomization flux-system
-          ./bin/flux uninstall --resources --crds -s
-      - name: bootstrap reinstall
-        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
-          --owner=fluxcd-testing \
-          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
-          --branch=main \
-          --path=test-cluster
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
-      - name: delete repository
-        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
-          --owner=fluxcd-testing \
-          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
+          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
-          --delete
+          --team=team-z
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: bootstrap customize
+        run: |
+          make setup-bootstrap-patch
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          --owner=fluxcd-testing \
+          --repository=${{ steps.vars.outputs.test_repo_name }} \
+          --branch=main \
+          --path=test-cluster \
+          --team=team-z
+          if [ $(kubectl get deployments.apps source-controller -o jsonpath='{.spec.template.spec.securityContext.runAsUser}') != "10000" ]; then
+          echo "Bootstrap not customized as controller is not running as user 10000" && exit 1
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
+          GITHUB_ORG_NAME: fluxcd-testing
+      - name: libgit2
+        run: |
+          /tmp/flux create source git test-libgit2 \
+          --url=ssh://git@github.com/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} \
+          --git-implementation=libgit2 \
+          --secret-ref=flux-system \
+          --branch=main
+      - name: uninstall
+        run: |
+          /tmp/flux uninstall -s --keep-namespace
+          kubectl delete ns flux-system --timeout=10m --wait=true
+      - name: test image automation
+        run: |
+          make setup-image-automation
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          --owner=fluxcd-testing \
+          --repository=${{ steps.vars.outputs.test_repo_name }} \
+          --branch=main \
+          --path=test-cluster \
+          --read-write-key
+          /tmp/flux reconcile image repository podinfo
+          /tmp/flux reconcile image update flux-system
+          /tmp/flux get images all
+          
+          retries=10
+          count=0
+          ok=false
+          until ${ok}; do
+              /tmp/flux get image update flux-system | grep 'commit' && ok=true || ok=false
+              count=$(($count + 1))
+              if [[ ${count} -eq ${retries} ]]; then
+                  echo "No more retries left"
+                  exit 1
+              fi
+              sleep 6
+              /tmp/flux reconcile image update flux-system
+          done
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
+          GITHUB_ORG_NAME: fluxcd-testing
+      - name: delete repository
+        if: ${{ always() }}
+        run: |
+          curl \
+            -X DELETE \
+            -H "Accept: application/vnd.github.v3+json" \
+            -H "Authorization: token ${GITHUB_TOKEN}" \
+            --fail --silent \
+            https://api.github.com/repos/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Debug failure
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -1,65 +0,0 @@
-name: Publish docs via GitHub Pages
-on:
-  push:
-    branches:
-      - docs*
-      - main
-
-jobs:
-  build:
-    name: Deploy docs
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout master
-        uses: actions/checkout@v1
-      - name: Copy assets
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          controller_version() {
-            sed -n "s/.*$1\/archive\/\(.*\).zip.*/\1/p;n" manifests/bases/$1/kustomization.yaml
-          }
-
-          {
-            # source-controller CRDs
-            SOURCE_VER=$(controller_version source-controller)
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/api/source.md" > docs/components/source/api.md
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/gitrepositories.md" > docs/components/source/gitrepositories.md
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/helmrepositories.md" > docs/components/source/helmrepositories.md
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/helmcharts.md" > docs/components/source/helmcharts.md
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/buckets.md" > docs/components/source/buckets.md
-          }
-
-          {
-            # kustomize-controller CRDs
-            KUSTOMIZE_VER=$(controller_version kustomize-controller)
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/kustomize-controller/$KUSTOMIZE_VER/docs/api/kustomize.md" > docs/components/kustomize/api.md
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/kustomize-controller/$KUSTOMIZE_VER/docs/spec/v1beta1/kustomization.md" > docs/components/kustomize/kustomization.md
-          }
-
-          {
-            # helm-controller CRDs
-            HELM_VER=$(controller_version helm-controller)
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/helm-controller/$HELM_VER/docs/api/helmrelease.md" > docs/components/helm/api.md
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/helm-controller/$HELM_VER/docs/spec/v2beta1/helmreleases.md" > docs/components/helm/helmreleases.md
-          }
-
-          {
-            # notification-controller CRDs
-            NOTIFICATION_VER=$(controller_version notification-controller)
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/api/notification.md" > docs/components/notification/api.md
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/event.md" > docs/components/notification/event.md
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/alert.md" > docs/components/notification/alert.md
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/provider.md" > docs/components/notification/provider.md
-            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/receiver.md" > docs/components/notification/receiver.md
-          }
-
-          {
-            # install script
-            cp install/flux.sh docs/install.sh
-          }
-      - name: Deploy docs
-        uses: mhausenblas/mkdocs-deploy-gh-pages@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CUSTOM_DOMAIN: toolkit.fluxcd.io
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@@ -0,0 +1,37 @@
+name: e2e-arm64
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main, update-components ]
+
+jobs:
+  test:
+    # Hosted on Equinix
+    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
+    runs-on: [self-hosted, Linux, ARM64, equinix]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.18.x
+      - name: Prepare
+        id: prep
+        run: |
+          echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
+          echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
+      - name: Build
+        run: |
+          make build
+      - name: Setup Kubernetes Kind
+        run: |
+          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
+      - name: Run e2e tests
+        run: TEST_KUBECONFIG=/tmp/${{ steps.prep.outputs.CLUSTER }} make e2e
+      - name: Cleanup
+        if: always()
+        run: |
+          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
+          rm /tmp/${{ steps.prep.outputs.CLUSTER }}
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -0,0 +1,66 @@
+name: e2e-azure
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron:  '0 6 * * *'
+  push:
+    branches: [ azure* ]
+
+jobs:
+  e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Restore Go cache
+        uses: actions/cache@v3
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go1.18-
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.18.x
+      - name: Install libgit2
+        run: |
+          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
+          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9
+          echo "deb http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
+          echo "deb-src http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
+          sudo apt-get update
+          sudo apt-get install -y --allow-downgrades libgit2-dev/unstable zlib1g-dev/unstable libssh2-1-dev/unstable libpcre3-dev/unstable
+      - name: Setup Flux CLI
+        run: |
+          make build
+          mkdir -p $HOME/.local/bin
+          mv ./bin/flux $HOME/.local/bin
+      - name: Setup SOPS
+        run: |
+          wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux
+          chmod +x sops-v3.7.1.linux
+          mkdir -p $HOME/.local/bin
+          mv sops-v3.7.1.linux $HOME/.local/bin/sops
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 1.0.7
+          terraform_wrapper: false
+      - name: Setup Azure CLI
+        run: |
+          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+      - name: Run Azure e2e tests
+        env:
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+        run: |
+          echo $HOME
+          echo $PATH
+          ls $HOME/.local/bin
+          az login --service-principal -u ${ARM_CLIENT_ID} -p ${ARM_CLIENT_SECRET} -t ${ARM_TENANT_ID}
+          cd ./tests/azure
+          go test -v -coverprofile cover.out -timeout 60m .
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -1,34 +1,49 @@
 name: e2e

 on:
-  pull_request:
  push:
-    branches:
-      - main
+    branches: [ main ]
+  pull_request:
+    branches: [ main, oci ]

 jobs:
  kind:
    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Restore Go cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go-
+            ${{ runner.os }}-go1.18-
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: 1.15.x
+          go-version: 1.18.x
      - name: Setup Kubernetes
        uses: engineerd/setup-kind@v0.5.0
        with:
-          image: kindest/node:v1.16.9
-      - name: Run test
+          version: v0.11.1
+          image: kindest/node:v1.20.7
+          config: .github/kind/config.yaml # disable KIND-net
+      - name: Setup Calico for network policy
+        run: |
+          kubectl apply -f https://docs.projectcalico.org/v3.20/manifests/calico.yaml
+          kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
+      - name: Setup Kustomize
+        uses: fluxcd/pkg//actions/kustomize@main
+      - name: Run tests
        run: make test
+      - name: Run e2e tests
+        run: TEST_KUBECONFIG=$HOME/.kube/config make e2e
      - name: Check if working tree is dirty
        run: |
          if [[ $(git diff --stat) != '' ]]; then
@@ -37,116 +52,196 @@ jobs:
            exit 1
          fi
      - name: Build
-        run: sudo go build -o ./bin/flux ./cmd/flux
+        run: |
+          go build -o /tmp/flux ./cmd/flux
      - name: flux check --pre
        run: |
-          ./bin/flux check --pre
+          /tmp/flux check --pre
      - name: flux install --manifests
        run: |
-          ./bin/flux install --manifests ./manifests/install/
+          /tmp/flux install --manifests ./manifests/install/
+      - name: flux create secret
+        run: |
+          /tmp/flux create secret git git-ssh-test \
+            --url ssh://git@github.com/stefanprodan/podinfo
+          /tmp/flux create secret git git-https-test \
+            --url https://github.com/stefanprodan/podinfo \
+            --username=test --password=test
+          /tmp/flux create secret helm helm-test \
+            --username=test --password=test
      - name: flux create source git
        run: |
-          ./bin/flux create source git podinfo \
+          /tmp/flux create source git podinfo \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=3.2.3"
      - name: flux create source git export apply
        run: |
-          ./bin/flux create source git podinfo-export \
+          /tmp/flux create source git podinfo-export \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=3.2.3" \
            --export | kubectl apply -f -
-          ./bin/flux delete source git podinfo-export --silent
+          /tmp/flux delete source git podinfo-export --silent
+      - name: flux create source git libgit2 semver
+        run: |
+          /tmp/flux create source git podinfo-libgit2 \
+            --url https://github.com/stefanprodan/podinfo  \
+            --tag-semver=">=3.2.3" \
+            --git-implementation=libgit2
+          /tmp/flux delete source git podinfo-libgit2 --silent
      - name: flux get sources git
        run: |
-          ./bin/flux get sources git
+          /tmp/flux get sources git
      - name: flux get sources git --all-namespaces
        run: |
-          ./bin/flux get sources git --all-namespaces
+          /tmp/flux get sources git --all-namespaces
      - name: flux create kustomization
        run: |
-          ./bin/flux create kustomization podinfo \
+          /tmp/flux create kustomization podinfo \
            --source=podinfo \
            --path="./deploy/overlays/dev" \
            --prune=true \
            --interval=5m \
-            --validation=client \
            --health-check="Deployment/frontend.dev" \
            --health-check="Deployment/backend.dev" \
            --health-check-timeout=3m
+      - name: flux trace
+        run: |
+          /tmp/flux trace frontend \
+            --kind=deployment \
+            --api-version=apps/v1 \
+            --namespace=dev
      - name: flux reconcile kustomization --with-source
        run: |
-          ./bin/flux reconcile kustomization podinfo --with-source
+          /tmp/flux reconcile kustomization podinfo --with-source
      - name: flux get kustomizations
        run: |
-          ./bin/flux get kustomizations
+          /tmp/flux get kustomizations
      - name: flux get kustomizations --all-namespaces
        run: |
-          ./bin/flux get kustomizations --all-namespaces
+          /tmp/flux get kustomizations --all-namespaces
      - name: flux suspend kustomization
        run: |
-          ./bin/flux suspend kustomization podinfo
+          /tmp/flux suspend kustomization podinfo
      - name: flux resume kustomization
        run: |
-          ./bin/flux resume kustomization podinfo
+          /tmp/flux resume kustomization podinfo
      - name: flux export
        run: |
-          ./bin/flux export source git --all
-          ./bin/flux export kustomization --all
+          /tmp/flux export source git --all
+          /tmp/flux export kustomization --all
      - name: flux delete kustomization
        run: |
-          ./bin/flux delete kustomization podinfo --silent
+          /tmp/flux delete kustomization podinfo --silent
      - name: flux create source helm
        run: |
-          ./bin/flux create source helm podinfo \
+          /tmp/flux create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
      - name: flux create helmrelease --source=HelmRepository/podinfo
        run: |
-          ./bin/flux create hr podinfo-helm \
+          /tmp/flux create hr podinfo-helm \
            --target-namespace=default \
-            --source=HelmRepository/podinfo \
+            --source=HelmRepository/podinfo.flux-system \
            --chart=podinfo \
            --chart-version=">4.0.0 <5.0.0"
      - name: flux create helmrelease --source=GitRepository/podinfo
        run: |
-          ./bin/flux create hr podinfo-git \
+          /tmp/flux create hr podinfo-git \
            --target-namespace=default \
            --source=GitRepository/podinfo \
            --chart=./charts/podinfo
      - name: flux reconcile helmrelease --with-source
        run: |
-          ./bin/flux reconcile helmrelease podinfo-git --with-source
+          /tmp/flux reconcile helmrelease podinfo-git --with-source
      - name: flux get helmreleases
        run: |
-          ./bin/flux get helmreleases
+          /tmp/flux get helmreleases
      - name: flux get helmreleases --all-namespaces
        run: |
-          ./bin/flux get helmreleases --all-namespaces
+          /tmp/flux get helmreleases --all-namespaces
      - name: flux export helmrelease
        run: |
-          ./bin/flux export hr --all
+          /tmp/flux export hr --all
      - name: flux delete helmrelease podinfo-helm
        run: |
-          ./bin/flux delete hr podinfo-helm --silent
+          /tmp/flux delete hr podinfo-helm --silent
      - name: flux delete helmrelease podinfo-git
        run: |
-          ./bin/flux delete hr podinfo-git --silent
+          /tmp/flux delete hr podinfo-git --silent
      - name: flux delete source helm
        run: |
-          ./bin/flux delete source helm podinfo --silent
+          /tmp/flux delete source helm podinfo --silent
      - name: flux delete source git
        run: |
-          ./bin/flux delete source git podinfo --silent
+          /tmp/flux delete source git podinfo --silent
+      - name: flux oci artifacts
+        run: |
+          /tmp/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+            --path="./manifests" \
+            --source="${{ github.repositoryUrl }}" \
+            --revision="${{ github.ref }}/${{ github.sha }}"
+          /tmp/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+            --tag latest
+          /tmp/flux list artifacts oci://localhost:5000/fluxcd/flux
+      - name: flux oci repositories
+        run: |
+          /tmp/flux create source oci podinfo-oci \
+            --url oci://ghcr.io/stefanprodan/manifests/podinfo \
+            --tag-semver 6.1.x \
+            --interval 10m
+          /tmp/flux create kustomization podinfo-oci \
+            --source=OCIRepository/podinfo-oci \
+            --path="./kustomize" \
+            --prune=true \
+            --interval=5m \
+            --target-namespace=default \
+            --wait=true \
+            --health-check-timeout=3m
+          /tmp/flux reconcile source oci podinfo-oci
+          /tmp/flux suspend source oci podinfo-oci
+          /tmp/flux get sources oci
+          /tmp/flux resume source oci podinfo-oci
+          /tmp/flux export source oci podinfo-oci
+          /tmp/flux delete ks podinfo-oci --silent
+          /tmp/flux delete source oci podinfo-oci --silent
+      - name: flux create tenant
+        run: |
+          /tmp/flux create tenant dev-team --with-namespace=apps
+          /tmp/flux -n apps create source helm podinfo \
+            --url https://stefanprodan.github.io/podinfo
+          /tmp/flux -n apps create hr podinfo-helm \
+            --source=HelmRepository/podinfo \
+            --chart=podinfo \
+            --chart-version="5.0.x" \
+            --service-account=dev-team
+      - name: flux2-kustomize-helm-example
+        run: |
+          /tmp/flux create source git flux-system \
+          --url=https://github.com/fluxcd/flux2-kustomize-helm-example \
+          --branch=main \
+          --recurse-submodules
+          /tmp/flux create kustomization flux-system \
+          --source=flux-system \
+          --path=./clusters/staging
+          kubectl -n flux-system wait kustomization/infrastructure --for=condition=ready --timeout=5m
+          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=5m
+          kubectl -n nginx wait helmrelease/nginx --for=condition=ready --timeout=5m
+          kubectl -n redis wait helmrelease/redis --for=condition=ready --timeout=5m
+          kubectl -n podinfo wait helmrelease/podinfo --for=condition=ready --timeout=5m
+      - name: flux tree
+        run: |
+          /tmp/flux tree kustomization flux-system | grep Service/podinfo
      - name: flux check
        run: |
-          ./bin/flux check
+          /tmp/flux check
      - name: flux uninstall
        run: |
-          ./bin/flux uninstall --crds --silent
+          /tmp/flux uninstall --silent
      - name: Debug failure
        if: failure()
        run: |
          kubectl version --client --short
          kubectl -n flux-system get all
+          kubectl -n flux-system describe pods
          kubectl -n flux-system get kustomizations -oyaml
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -1,25 +0,0 @@
-name: FOSSA
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
-        with:
-          go-version: "^1.14.x"
-      - name: Add GOPATH to GITHUB_ENV
-        run: echo "GOPATH=$(go env GOPATH)" >>"$GITHUB_ENV"
-      - name: Add GOPATH to GITHUB_PATH
-        run: echo "$GOPATH/bin" >>"$GITHUB_PATH"
-      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@v1
-        with:
-          # FOSSA Push-Only API Token
-          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
-          github-token: ${{ github.token }}
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -1,21 +0,0 @@
-name: rebase
-
-on:
-  pull_request:
-    types: [opened]
-  issue_comment:
-    types: [created]
-
-jobs:
-  rebase:
-    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && (github.event.comment.author_association == 'CONTRIBUTOR' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout the latest code
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.3.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,86 +2,82 @@ name: release

 on:
  push:
-    tags:
-      - '*'
+    tags: [ 'v*' ]
+
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access

 jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: 1.15.x
+          go-version: 1.18.x
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Setup Syft
+        uses: anchore/sbom-action/download-syft@v0
+      - name: Setup Cosign
+        uses: sigstore/cosign-installer@main
+      - name: Setup Kustomize
+        uses: fluxcd/pkg//actions/kustomize@main
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: fluxcdbot
+          password: ${{ secrets.GHCR_TOKEN }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: fluxcdbot
+          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+      - name: Generate manifests
+        run: |
+          make cmd/flux/.manifests.done
+          ./manifests/scripts/bundle.sh "" ./output manifests.tar.gz
+          kustomize build ./manifests/install > ./output/install.yaml
+      - name: Build CRDs
+        run: |
+          kustomize build manifests/crds > all-crds.yaml
+      # Pinned to commit before https://github.com/fluxcd/pkg/pull/189 due to
+      # introduction faulty behavior.
+      - name: Generate OpenAPI JSON schemas from CRDs
+        uses: fluxcd/pkg//actions/crdjsonschema@49e26aa2ee9e734c3233c560253fd9542afe18ae
+        with:
+          crd: all-crds.yaml
+          output: schemas
+      - name: Archive the OpenAPI JSON schemas
+        run: |
+          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
      - name: Download release notes utility
        env:
          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
      - name: Generate release notes
        run: |
-          echo 'CHANGELOG' > /tmp/release.txt
-          github-release-notes -org fluxcd -repo toolkit -since-latest-release -include-author >> /tmp/release.txt
+          NOTES="./output/notes.md"
+          echo '## CLI Changelog' > ${NOTES}
+          github-release-notes -org fluxcd -repo flux2 -since-latest-release -include-author >> ${NOTES}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
-      - name: Generate manifests tarball
-        run: |
-          mkdir -p ./output
-          files=""
-
-          # build controllers
-          for controller in ./manifests/bases/*/; do
-              output_path="./output/$(basename $controller).yaml"
-              echo "building $controller to $output_path"
-
-              kustomize build $controller > $output_path
-              files+=" $(basename $output_path)"
-          done
-
-          # build rbac
-          rbac_path="./manifests/rbac"
-          rbac_output_path="./output/rbac.yaml"
-          echo "building $rbac_path to $rbac_output_path"
-          kustomize build $rbac_path > $rbac_output_path
-          files+=" $(basename $rbac_output_path)"
-
-          # build policies
-          policies_path="./manifests/policies"
-          policies_output_path="./output/policies.yaml"
-          echo "building $policies_path to $policies_output_path"
-          kustomize build $policies_path > $policies_output_path
-          files+=" $(basename $policies_output_path)"
-
-          # create tarball
-          cd ./output && tar -cvzf manifests.tar.gz $files
-      - name: Create release
-        id: create_release
-        uses: actions/create-release@latest
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
-      - name: Upload artifacts
-        id: upload-release-asset
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./output/manifests.tar.gz
-          asset_name: manifests.tar.gz
-          asset_content_type: application/gzip
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v1
+        uses: goreleaser/goreleaser-action@v3
        with:
          version: latest
-          args: release --release-notes=/tmp/release.txt --skip-validate
+          args: release --release-notes=output/notes.md --skip-validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+          AUR_BOT_SSH_PRIVATE_KEY: ${{ secrets.AUR_BOT_SSH_PRIVATE_KEY }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -0,0 +1,64 @@
+name: scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '18 10 * * 3'
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for codeQL to write security events
+
+jobs:
+  fossa:
+    name: FOSSA
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run FOSSA scan and upload build data
+        uses: fossa-contrib/fossa-action@v1
+        with:
+          # FOSSA Push-Only API Token
+          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
+          github-token: ${{ github.token }}
+
+  snyk:
+    name: Snyk
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Kustomize
+        uses: fluxcd/pkg//actions/kustomize@main
+      - name: Build manifests
+        run: |
+          make cmd/flux/.manifests.done
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/golang@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: snyk.sarif
+
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: go
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -0,0 +1,93 @@
+name: Update Components
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 * * * *"
+  push:
+    branches: [main]
+
+jobs:
+  update-components:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.18.x
+      - name: Update component versions
+        id: update
+        run: |
+          PR_BODY=""
+
+          bump_version() {
+            local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
+            local CTRL_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
+            local CRD_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p" manifests/crds/kustomization.yaml)
+            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "github.com/fluxcd/$1/api")
+
+            local changed=false
+
+            if [[ "${CTRL_VERSION}" != "${LATEST_VERSION}" ]]; then
+              sed -i "s/\($1\/releases\/download\/\)v.*\(\/.*\)/\1${LATEST_VERSION}\2/g" "manifests/bases/$1/kustomization.yaml"
+              changed=true
+            fi
+
+            if [[ "${CRD_VERSION}" != "${LATEST_VERSION}" ]]; then
+              sed -i "s/\($1\/releases\/download\/\)v.*\(\/.*\)/\1${LATEST_VERSION}\2/g" "manifests/crds/kustomization.yaml"
+              changed=true
+            fi
+
+            if [[ "${MOD_VERSION}" != "${LATEST_VERSION}" ]]; then
+              go mod edit -require="github.com/fluxcd/$1/api@${LATEST_VERSION}"
+              make tidy
+              changed=true
+            fi
+
+            if [[ "$changed" == true ]]; then
+              PR_BODY="$PR_BODY- $1 to ${LATEST_VERSION}%0A  https://github.com/fluxcd/$1/blob/${LATEST_VERSION}/CHANGELOG.md%0A"
+            fi
+          }
+
+          {
+            # bump controller versions
+            bump_version helm-controller
+            bump_version kustomize-controller
+            bump_version source-controller
+            bump_version notification-controller
+            bump_version image-reflector-controller
+            bump_version image-automation-controller
+
+            # diff change
+            git diff
+
+            # export PR_BODY for PR and commit
+            echo "::set-output name=pr_body::$PR_BODY"
+          }
+
+      - name: Create Pull Request
+        id: cpr
+        uses: peter-evans/create-pull-request@v3
+        with:
+          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          commit-message: |
+            Update toolkit components
+
+            ${{ steps.update.outputs.pr_body }}
+          committer: GitHub <noreply@github.com>
+          author: fluxcdbot <fluxcdbot@users.noreply.github.com>
+          signoff: true
+          branch: update-components
+          title: Update toolkit components
+          body: |
+            ${{ steps.update.outputs.pr_body }}
+          labels: |
+            area/build
+          reviewers: ${{ secrets.ASSIGNEES }}
+
+      - name: Check output
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -1,74 +0,0 @@
-name: Update Components
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 * * * *"
-
-jobs:
-  update-components:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-
-      - name: Update component versions
-        id: update
-        run: |
-          PR_BODY=""
-
-          bump_version() {
-            local RELEASE_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
-            local CURRENT_VERSION=$(sed -n "s/.*$1\/archive\/\(.*\).zip.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
-
-            if [[ "${RELEASE_VERSION}" != "${CURRENT_VERSION}" ]]; then
-              # bump kustomize
-              sed -i "s/\($1\/archive\/\)v.*\(.zip\/\/$1-\).*\(\/config.*\)/\1${RELEASE_VERSION}\2${RELEASE_VERSION/v}\3/g" "manifests/bases/$1/kustomization.yaml"
-
-              if [[ ! -z $(go list -m all | grep "github.com/fluxcd/$1/api" | awk '{print $2}') ]]; then
-                # bump go mod
-                go mod edit -require="github.com/fluxcd/$1/api@${RELEASE_VERSION}"
-              fi
-
-              PR_BODY="$PR_BODY- $1 to ${RELEASE_VERSION}%0A"
-            fi
-          }
-
-          {
-            # bump controller versions
-            bump_version helm-controller
-            bump_version kustomize-controller
-            bump_version source-controller
-            bump_version notification-controller
-
-            # add missing and remove unused modules
-            go mod tidy
-
-            # diff change
-            git diff
-
-            # export PR_BODY for PR
-            echo "::set-output name=pr_body::$PR_BODY"
-          }
-
-      - name: Create Pull Request
-        id: cpr
-        uses: peter-evans/create-pull-request@v3
-        with:
-            token: ${{ secrets.BOT_GITHUB_TOKEN }}
-            commit-message: Update toolkit components
-            committer: GitHub <noreply@github.com>
-            author: fluxcdbot <fluxcdbot@users.noreply.github.com>
-            title: Update toolkit components
-            body: |
-              ${{ steps.update.outputs.pr_body }}
-
-              Auto-generated by [create-pull-request][1]
-
-              [1]: https://github.com/peter-evans/create-pull-request
-            branch: update-components
-            reviewers: ${{ secrets.ASSIGNEES }}
-
-      - name: Check output
-        run: |
-          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
--- a/.gitignore
+++ b/.gitignore
@@ -11,7 +11,16 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out

+# Release
+dist/
+
 # Dependency directories (remove the comment below to include it)
 # vendor/
 bin/
-output/
+output/
+cmd/flux/manifests/
+cmd/flux/.manifests.done
+testbin/
+
+# Docs
+site/
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,3 +1,4 @@
+project_name: flux
 builds:
  - <<: &build_defaults
      binary: flux
@@ -19,6 +20,9 @@ builds:
    id: darwin
    goos:
      - darwin
+    goarch:
+      - amd64
+      - arm64
  - <<: *build_defaults
    id: windows
    goos:
@@ -36,6 +40,36 @@ archives:
    format: zip
    files:
      - none*
+source:
+  enabled: true
+  name_template: '{{ .ProjectName }}_{{ .Version }}_source_code'
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+release:
+  extra_files:
+    - glob: output/crd-schemas.tar.gz
+    - glob: output/manifests.tar.gz
+    - glob: output/install.yaml
+checksum:
+  extra_files:
+    - glob: output/crd-schemas.tar.gz
+    - glob: output/manifests.tar.gz
+    - glob: output/install.yaml
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: checksum
+    output: true
 brews:
  - name: flux
    tap:
@@ -43,10 +77,104 @@ brews:
      name: homebrew-tap
      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
    folder: Formula
-    homepage: "https://toolkit.fluxcd.io/"
+    homepage: "https://fluxcd.io/"
    description: "Flux CLI"
-    dependencies:
-      - name: kubectl
-        type: optional
+    install: |
+      bin.install "flux"
+
+      bash_output = Utils.safe_popen_read(bin/"flux", "completion", "bash")
+      (bash_completion/"flux").write bash_output
+
+      zsh_output = Utils.safe_popen_read(bin/"flux", "completion", "zsh")
+      (zsh_completion/"_flux").write zsh_output
+
+      fish_output = Utils.safe_popen_read(bin/"flux", "completion", "fish")
+      (fish_completion/"flux.fish").write fish_output
    test: |
      system "#{bin}/flux --version"
+publishers:
+  - name: aur-pkg-bin
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-bin/publish.sh {{ .Version }}
+  - name: aur-pkg-scm
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-scm/publish.sh {{ .Version }}
+  - name: aur-pkg-go
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-go/publish.sh {{ .Version }}
+dockers:
+- image_templates:
+    - 'fluxcd/flux-cli:{{ .Tag }}-amd64'
+    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
+  dockerfile: Dockerfile
+  use: buildx
+  goos: linux
+  goarch: amd64
+  build_flag_templates:
+   - "--pull"
+   - "--build-arg=ARCH=linux/amd64"
+   - "--label=org.opencontainers.image.created={{ .Date }}"
+   - "--label=org.opencontainers.image.name={{ .ProjectName }}"
+   - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+   - "--label=org.opencontainers.image.version={{ .Version }}"
+   - "--label=org.opencontainers.image.source={{ .GitURL }}"
+   - "--platform=linux/amd64"
+- image_templates:
+    - 'fluxcd/flux-cli:{{ .Tag }}-arm64'
+    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
+  dockerfile: Dockerfile
+  use: buildx
+  goos: linux
+  goarch: arm64
+  build_flag_templates:
+    - "--pull"
+    - "--build-arg=ARCH=linux/arm64"
+    - "--label=org.opencontainers.image.created={{ .Date }}"
+    - "--label=org.opencontainers.image.name={{ .ProjectName }}"
+    - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+    - "--label=org.opencontainers.image.version={{ .Version }}"
+    - "--label=org.opencontainers.image.source={{ .GitURL }}"
+    - "--platform=linux/arm64"
+- image_templates:
+    - 'fluxcd/flux-cli:{{ .Tag }}-arm'
+    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
+  dockerfile: Dockerfile
+  use: buildx
+  goos: linux
+  goarch: arm
+  goarm: 7
+  build_flag_templates:
+    - "--pull"
+    - "--build-arg=ARCH=linux/arm"
+    - "--label=org.opencontainers.image.created={{ .Date }}"
+    - "--label=org.opencontainers.image.name={{ .ProjectName }}"
+    - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+    - "--label=org.opencontainers.image.version={{ .Version }}"
+    - "--label=org.opencontainers.image.source={{ .GitURL }}"
+    - "--platform=linux/arm/v7"
+docker_manifests:
+- name_template: 'fluxcd/flux-cli:{{ .Tag }}'
+  image_templates:
+    - 'fluxcd/flux-cli:{{ .Tag }}-amd64'
+    - 'fluxcd/flux-cli:{{ .Tag }}-arm64'
+    - 'fluxcd/flux-cli:{{ .Tag }}-arm'
+- name_template: 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}'
+  image_templates:
+    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
+    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
+    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
+docker_signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    args:
+      - sign
+      - '${artifact}'
+    artifacts: all
+    output: true
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,7 +1,6 @@
 # Contributing

-Flux is [Apache 2.0
-licensed](https://github.com/fluxcd/flux2/blob/main/LICENSE) and
+Flux is [Apache 2.0 licensed](https://github.com/fluxcd/flux2/blob/main/LICENSE) and
 accepts contributions via GitHub pull requests. This document outlines
 some of the conventions on to make it easier to get your contribution
 accepted.
@@ -14,15 +13,24 @@ code.
 By contributing to this project you agree to the Developer Certificate of
 Origin (DCO). This document was created by the Linux Kernel community and is a
 simple statement that you, as a contributor, have the legal right to make the
-contribution. No action from you is required, but it's a good idea to see the
-[DCO](DCO) file for details before you start contributing code to FluxCD
-organization.
+contribution.
+
+We require all commits to be signed. By signing off with your signature, you
+certify that you wrote the patch or otherwise have the right to contribute the
+material by the rules of the [DCO](DCO):
+
+`Signed-off-by: Jane Doe <jane.doe@example.com>`
+
+The signature must contain your real name
+(sorry, no pseudonyms or anonymous contributions)
+If your `user.name` and `user.email` are configured in your Git config,
+you can sign your commit automatically with `git commit -s`.

 ## Communications

 For realtime communications we use Slack: To join the conversation, simply
 join the [CNCF](https://slack.cncf.io/) Slack workspace and use the
-[#flux-dev](https://cloud-native.slack.com/messages/flux-dev/) channel.
+[#flux-contributors](https://cloud-native.slack.com/messages/flux-contributors/) channel.

 To discuss ideas and specifications we use [Github
 Discussions](https://github.com/fluxcd/flux2/discussions).
@@ -40,27 +48,80 @@ you might want to take a look at the [introductory talk and demo](https://www.yo

 This project is composed of:

- [/f/flux2](https://github.com/fluxcd/flux2): The Flux CLI
- [/f/source-manager](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources
- [/f/kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
- [/f/helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for building GitOps pipelines with Helm
- [/f/notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events
+- [flux2](https://github.com/fluxcd/flux2): The Flux CLI
+- [source-manager](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git and Helm repositories, S3-compatible Buckets)
+- [kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
+- [helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for building GitOps pipelines with Helm
+- [notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events
+- [image-reflector-controller](https://github.com/fluxcd/image-reflector-controller): Kubernetes operator for scanning container registries
+- [image-automation-controller](https://github.com/fluxcd/image-automation-controller): Kubernetes operator for patches container image tags in Git

 ### Understanding the code

 To get started with developing controllers, you might want to review
-[our guide](https://toolkit.fluxcd.io/dev-guides/source-watcher/) which
+[our guide](https://fluxcd.io/docs/gitops-toolkit/source-watcher/) which
 walks you through writing a short and concise controller that watches out
 for source changes.

-### How to run the test suite
+## How to run the test suite

-You can run the unit tests by simply doing
+Prerequisites:
+
+* go >= 1.17
+* kubectl >= 1.20
+* kustomize >= 4.4
+* coreutils (on Mac OS)
+
+Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
+
+```bash
+make install-envtest
+```
+
+Then you can run the unit tests with:

 ```bash
 make test
 ```

+After [installing Kubernetes kind](https://kind.sigs.k8s.io/docs/user/quick-start#installation) on your machine,
+create a cluster for testing with:
+
+```bash
+make setup-kind
+```
+
+Then you can run the end-to-end tests with:
+
+```bash
+make e2e
+```
+
+When the output of the Flux CLI changes, to automatically update the golden
+files used in the test, pass `-update` flag to the test as:
+
+```bash
+make e2e TEST_ARGS="-update"
+```
+
+Since not all packages use golden files for testing, `-update` argument must be
+passed only for the packages that use golden files. Use the variables
+`TEST_PKG_PATH` for unit tests and `E2E_TEST_PKG_PATH` for e2e tests, to set the
+path of the target test package:
+
+```bash
+# Unit test
+make test TEST_PKG_PATH="./cmd/flux" TEST_ARGS="-update"
+# e2e test
+make e2e E2E_TEST_PKG_PATH="./cmd/flux" TEST_ARGS="-update"
+```
+
+Teardown the e2e environment with:
+
+```bash
+make cleanup-kind
+```
+
 ## Acceptance policy

 These things will make a PR more likely to be accepted:
--- a/24
+++ b/24
@@ -0,0 +1,24 @@
+FROM alpine:3.16 as builder
+
+RUN apk add --no-cache ca-certificates curl
+
+ARG ARCH=linux/amd64
+ARG KUBECTL_VER=1.25.0
+
+RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
+    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
+    kubectl version --client=true
+
+FROM alpine:3.16 as flux-cli
+
+# Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
+# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
+RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
+
+RUN apk add --no-cache ca-certificates
+
+COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/
+COPY --chmod=755 flux /usr/local/bin/
+
+USER 65534:65534
+ENTRYPOINT [ "flux" ]
--- a/7
+++ b/7
@@ -2,8 +2,7 @@ The maintainers are generally available in Slack at
 https://cloud-native.slack.com in #flux (https://cloud-native.slack.com/messages/CLAJ40HV3)
 (obtain an invitation at https://slack.cncf.io/).

-In alphabetical order:
+The Flux2 maintainers team is identical with the core maintainers of the project
+as listed in

-Aurel Canciu, Sortlist <aurel@sortlist.com> (github: @relu, slack: relu)
-Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
-Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)
+    https://github.com/fluxcd/community/blob/main/CORE-MAINTAINERS
--- a/93
+++ b/93
@@ -1,9 +1,24 @@
-VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | tr -d '"')
+VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | head -n 1 | tr -d '"')
+DEV_VERSION?=0.0.0-$(shell git rev-parse --abbrev-ref HEAD)-$(shell git rev-parse --short HEAD)-$(shell date +%s)
+EMBEDDED_MANIFESTS_TARGET=cmd/flux/.manifests.done
+TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
+# Architecture to use envtest with
+ENVTEST_ARCH ?= amd64
+
+# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(shell go env GOPATH)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
+
+rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2)) $(filter $(subst *,%,$(2)),$(d)))

 all: test build

 tidy:
-	go mod tidy
+	go mod tidy -compat=1.18
+	cd tests/azure && go mod tidy -compat=1.18

 fmt:
 	go fmt ./...
@@ -11,19 +26,73 @@ fmt:
 vet:
 	go vet ./...

-test: tidy fmt vet docs
-	go test ./... -coverprofile cover.out
+setup-kind:
+	kind create cluster --name=flux-e2e-test --kubeconfig=$(TEST_KUBECONFIG) --config=.github/kind/config.yaml
+	kubectl --kubeconfig=$(TEST_KUBECONFIG) apply -f https://docs.projectcalico.org/v3.16/manifests/calico.yaml
+	kubectl --kubeconfig=$(TEST_KUBECONFIG) -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true

-build:
-	CGO_ENABLED=0 go build -o ./bin/flux ./cmd/flux
+cleanup-kind:
+	kind delete cluster --name=flux-e2e-test
+	rm $(TEST_KUBECONFIG)

+KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
+TEST_PKG_PATH="./..."
+test: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet install-envtest
+	KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test $(TEST_PKG_PATH) -coverprofile cover.out --tags=unit $(TEST_ARGS)
+
+E2E_TEST_PKG_PATH="./cmd/flux/..."
+e2e: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet
+	TEST_KUBECONFIG=$(TEST_KUBECONFIG) go test $(E2E_TEST_PKG_PATH) -coverprofile e2e.cover.out --tags=e2e -v -failfast $(TEST_ARGS)
+
+test-with-kind: install-envtest
+	make setup-kind
+	make e2e
+	make cleanup-kind
+
+$(EMBEDDED_MANIFESTS_TARGET): $(call rwildcard,manifests/,*.yaml *.json)
+	./manifests/scripts/bundle.sh
+	touch $@
+
+build: $(EMBEDDED_MANIFESTS_TARGET)
+	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(VERSION)" -o ./bin/flux ./cmd/flux
+
+build-dev: $(EMBEDDED_MANIFESTS_TARGET)
+	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(DEV_VERSION)" -o ./bin/flux ./cmd/flux
+
+.PHONY: install
 install:
-	go install cmd/flux
-
-.PHONY: docs
-docs:
-	rm docs/cmd/*
-	mkdir -p ./docs/cmd && go run ./cmd/flux/ docgen
+	CGO_ENABLED=0 go install ./cmd/flux

 install-dev:
 	CGO_ENABLED=0 go build -o /usr/local/bin ./cmd/flux
+
+setup-bootstrap-patch:
+	go run ./tests/bootstrap/main.go
+
+setup-image-automation:
+	cd tests/image-automation && go run main.go
+
+ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
+ENVTEST_KUBERNETES_VERSION?=latest
+install-envtest: setup-envtest
+	mkdir -p ${ENVTEST_ASSETS_DIR}
+	$(ENVTEST) use $(ENVTEST_KUBERNETES_VERSION) --arch=$(ENVTEST_ARCH) --bin-dir=$(ENVTEST_ASSETS_DIR)
+
+ENVTEST = $(shell pwd)/bin/setup-envtest
+.PHONY: envtest
+setup-envtest: ## Download envtest-setup locally if necessary.
+	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
+
+# go-install-tool will 'go install' any package $2 and install it to $1.
+PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+define go-install-tool
+@[ -f $(1) ] || { \
+set -e ;\
+TMP_DIR=$$(mktemp -d) ;\
+cd $$TMP_DIR ;\
+go mod init tmp ;\
+echo "Downloading $(2)" ;\
+GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
+rm -rf $$TMP_DIR ;\
+}
+endef
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 # Flux version 2

+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
 [![e2e](https://github.com/fluxcd/flux2/workflows/e2e/badge.svg)](https://github.com/fluxcd/flux2/actions)
 [![report](https://goreportcard.com/badge/github.com/fluxcd/flux2)](https://goreportcard.com/report/github.com/fluxcd/flux2)
 [![license](https://img.shields.io/github/license/fluxcd/flux2.svg)](https://github.com/fluxcd/flux2/blob/main/LICENSE)
@@ -19,43 +20,20 @@ Flux v2 is constructed with the [GitOps Toolkit](#gitops-toolkit), a
 set of composable APIs and specialized tools for building Continuous
 Delivery on top of Kubernetes.

-## Flux installation
+Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) project.

-With Homebrew:
+## Quickstart and documentation

-```sh
-brew install fluxcd/tap/flux
-```
+To get started check out this [guide](https://fluxcd.io/docs/get-started/)
+on how to bootstrap Flux on Kubernetes and deploy a sample application in a GitOps manner.

-With Bash:
+For more comprehensive documentation, see the following guides:
+- [Ways of structuring your repositories](https://fluxcd.io/docs/guides/repository-structure/)
+- [Manage Helm Releases](https://fluxcd.io/docs/guides/helmreleases/)
+- [Automate image updates to Git](https://fluxcd.io/docs/guides/image-update/)  
+- [Manage Kubernetes secrets with Mozilla SOPS](https://fluxcd.io/docs/guides/mozilla-sops/)  

-```sh
-curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
-
-# enable completions in ~/.bash_profile
-. <(flux completion bash)
-```
-
-Binaries for macOS, Windows and Linux AMD64/ARM are available to download on the
-[release page](https://github.com/fluxcd/flux2/releases).
-
-Verify that your cluster satisfies the prerequisites with:
-
-```sh
-flux check --pre
-```
-
-## Get started
-
-To get started with Flux, start [browsing the
-documentation](https://toolkit.fluxcd.io) or get started with one of
-the following guides:
-
- [Get started with Flux (deep dive)](https://toolkit.fluxcd.io/get-started/)
- [Installation](https://toolkit.fluxcd.io/guides/installation/)
- [Manage Helm Releases](https://toolkit.fluxcd.io/guides/helmreleases/)
- [Setup Notifications](https://toolkit.fluxcd.io/guides/notifications/)
- [Setup Webhook Receivers](https://toolkit.fluxcd.io/guides/webhook-receivers/)
+If you need help, please refer to our **[Support page](https://fluxcd.io/support/)**.

 ## GitOps Toolkit

@@ -64,51 +42,57 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.

-![overview](docs/diagrams/gitops-toolkit.png)
+![overview](docs/_files/gitops-toolkit.png)

 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
-guides](https://toolkit.fluxcd.io/dev-guides/source-watcher/).
+guides](https://fluxcd.io/docs/gitops-toolkit/source-watcher/).

 ### Components

- [Source Controller](https://toolkit.fluxcd.io/components/source/controller/)
-    - [GitRepository CRD](https://toolkit.fluxcd.io/components/source/gitrepositories/)
-    - [HelmRepository CRD](https://toolkit.fluxcd.io/components/source/helmrepositories/)
-    - [HelmChart CRD](https://toolkit.fluxcd.io/components/source/helmcharts/)
-    - [Bucket CRD](https://toolkit.fluxcd.io/components/source/buckets/)
- [Kustomize Controller](https://toolkit.fluxcd.io/components/kustomize/controller/)
-    - [Kustomization CRD](https://toolkit.fluxcd.io/components/kustomize/kustomization/)
- [Helm Controller](https://toolkit.fluxcd.io/components/helm/controller/)
-    - [HelmRelease CRD](https://toolkit.fluxcd.io/components/helm/helmreleases/)
- [Notification Controller](https://toolkit.fluxcd.io/components/notification/controller/)
-    - [Provider CRD](https://toolkit.fluxcd.io/components/notification/provider/)
-    - [Alert CRD](https://toolkit.fluxcd.io/components/notification/alert/)
-    - [Receiver CRD](https://toolkit.fluxcd.io/components/notification/receiver/)
-
+- [Source Controller](https://fluxcd.io/docs/components/source/)
+    - [GitRepository CRD](https://fluxcd.io/docs/components/source/gitrepositories/)
+    - [OCIRepository CRD](https://fluxcd.io/docs/components/source/ocirepositories/)
+    - [HelmRepository CRD](https://fluxcd.io/docs/components/source/helmrepositories/)
+    - [HelmChart CRD](https://fluxcd.io/docs/components/source/helmcharts/)
+    - [Bucket CRD](https://fluxcd.io/docs/components/source/buckets/)
+- [Kustomize Controller](https://fluxcd.io/docs/components/kustomize/)
+    - [Kustomization CRD](https://fluxcd.io/docs/components/kustomize/kustomization/)
+- [Helm Controller](https://fluxcd.io/docs/components/helm/)
+    - [HelmRelease CRD](https://fluxcd.io/docs/components/helm/helmreleases/)
+- [Notification Controller](https://fluxcd.io/docs/components/notification/)
+    - [Provider CRD](https://fluxcd.io/docs/components/notification/provider/)
+    - [Alert CRD](https://fluxcd.io/docs/components/notification/alert/)
+    - [Receiver CRD](https://fluxcd.io/docs/components/notification/receiver/)
+- [Image Automation Controllers](https://fluxcd.io/docs/components/image/)
+  - [ImageRepository CRD](https://fluxcd.io/docs/components/image/imagerepositories/)
+  - [ImagePolicy CRD](https://fluxcd.io/docs/components/image/imagepolicies/)
+  - [ImageUpdateAutomation CRD](https://fluxcd.io/docs/components/image/imageupdateautomations/)
+  
 ## Community

-The Flux project is always looking for new contributors and there are a multitude of ways to get involved.
-Depending on what you want to do, some of the following bits might be your first steps:
+Need help or want to contribute? Please see the links below. The Flux project is always looking for
+new contributors and there are a multitude of ways to get involved.

- Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view))
- Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/)
- Join the [planning discussions](https://github.com/fluxcd/flux2/discussions)
- And if you are completely new to Flux and the GitOps Toolkit, take a look at our [Get Started guide](https://toolkit.fluxcd.io/get-started/) and give us feedback
- To be part of the conversation about Flux's development, [join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
- Check out [how to contribute](CONTRIBUTING.md) to the project
+- Getting Started?
+    - Look at our [Get Started guide](https://fluxcd.io/docs/get-started/) and give us feedback
+- Need help?
+    - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
+    - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/)
+    - Please follow our [Support Guidelines](https://fluxcd.io/support/)
+      (in short: be nice, be respectful of volunteers' time, understand that maintainers and
+      contributors cannot respond to all DMs, and keep discussions in the public #flux channel as much as possible).
+- Have feature proposals or want to contribute?
+    - Propose features on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
+    - Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view))
+    - [Join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
+    - Check out [how to contribute](CONTRIBUTING.md) to the project

-### Featured Talks
+### Events

- 28 Oct 2020 - [The Kubelist Podcast: Flux with Michael Bridgen](https://www.heavybit.com/library/podcasts/the-kubelist-podcast/ep-5-flux-with-michael-bridgen-of-weaveworks/)
- 19 Oct 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 1 with Leigh Capili](https://youtu.be/0v5bjysXTL8)
- 12 Oct 2020 - [Rawkode Live: Introduction to GitOps Toolkit with Stefan Prodan](https://youtu.be/HqTzuOBP0eY)
- 4 Sep 2020 - [KubeCon Europe: The road to Flux v2 and Progressive Delivery with Stefan Prodan & Hidde Beydals](https://youtu.be/8v94nUkXsxU)
- 25 June 2020 - [Cloud Native Nordics: Introduction to GitOps & GitOps Toolkit with Alexis Richardson & Stefan Prodan](https://youtu.be/qQBtSkgl7tI)
- 7 May 2020 - [GitOps Days - Community Special: GitOps Toolkit Experimentation with Stefan Prodan](https://youtu.be/WHzxunv4DKk?t=6521)
+Check out our **[events calendar](https://fluxcd.io/#calendar)**,
+both with upcoming talks, events and meetings you can attend.
+Or view the **[resources section](https://fluxcd.io/resources)**
+with past events videos you can watch.

-### Upcoming Events
-
- 30 Nov 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 3 with Leigh Capili](https://www.meetup.com/Weave-User-Group/events/274657228/)
-
-We are looking forward to seeing you with us!
+We look forward to seeing you with us!
--- a/action/Dockerfile
+++ b/action/Dockerfile
@@ -1,6 +0,0 @@
-FROM stefanprodan/alpine-base:latest
-
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
--- a/action/README.md
+++ b/action/README.md
@@ -1,6 +1,168 @@
 # Flux GitHub Action

-Example workflow:
+Usage:
+
+```yaml
+    steps:
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Run Flux commands
+        run: flux -v
+```
+
+The latest stable version of the `flux` binary is downloaded from
+GitHub [releases](https://github.com/fluxcd/flux2/releases)
+and placed at `/usr/local/bin/flux`.
+
+Note that this action can only be used on GitHub **Linux** runners.
+You can change the arch (defaults to `amd64`) with:
+
+```yaml
+    steps:
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+        with:
+          arch: arm64 # can be amd64, arm64 or arm
+```
+
+You can download a specific version with:
+
+```yaml
+    steps:
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+        with:
+          version: 0.32.0
+```
+
+### Automate Flux updates
+
+Example workflow for updating Flux's components generated with `flux bootstrap --path=clusters/production`:
+
+```yaml
+name: update-flux
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 * * * *"
+
+jobs:
+  components:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Check for updates
+        id: update
+        run: |
+          flux install \
+            --export > ./clusters/production/flux-system/gotk-components.yaml
+
+          VERSION="$(flux -v)"
+          echo "::set-output name=flux_version::$VERSION"
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v3
+        with:
+            token: ${{ secrets.GITHUB_TOKEN }}
+            branch: update-flux
+            commit-message: Update to ${{ steps.update.outputs.flux_version }}
+            title: Update to ${{ steps.update.outputs.flux_version }}
+            body: |
+              ${{ steps.update.outputs.flux_version }}
+```
+
+### Push Kubernetes manifests to container registries
+
+Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to GitHub Container Registry:
+
+```yaml
+name: push-artifact-staging
+
+on:
+  push:
+    branches:
+      - 'main'
+
+permissions:
+  packages: write # needed for ghcr.io access
+
+env:
+  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
+
+jobs:
+  kubernetes:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate manifests
+        run: |
+          kustomize build ./manifests/staging > ./deploy/app.yaml
+      - name: Push manifests
+        run: |
+          flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
+            --path="./deploy" \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="$(git branch --show-current)/$(git rev-parse HEAD)"
+      - name: Deploy manifests to staging
+        run: |
+          flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
+```
+
+Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to Docker Hub:
+
+```yaml
+name: push-artifact-production
+
+on:
+  push:
+    tags:
+      - '*'
+
+env:
+  OCI_REPO: "oci://docker.io/my-org/app-config"
+
+jobs:
+  kubernetes:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Generate manifests
+        run: |
+          kustomize build ./manifests/production > ./deploy/app.yaml
+      - name: Push manifests
+        run: |
+          flux push artifact $OCI_REPO:$(git tag --points-at HEAD) \
+            --path="./deploy" \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
+      - name: Deploy manifests to production
+        run: |
+          flux tag artifact $OCI_REPO:$(git tag --points-at HEAD) --tag production
+```
+
+### End-to-end testing
+
+Example workflow for running Flux in Kubernetes Kind:

 ```yaml
 name: e2e
@@ -23,3 +185,6 @@ jobs:
      - name: Install Flux in Kubernetes Kind
        run: flux install
 ```
+
+A complete e2e testing workflow is available here
+[flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)
--- a/action/action.yml
+++ b/action/action.yml
@@ -1,15 +1,52 @@
-name: 'kustomize'
-description: 'A GitHub Action for running Flux commands'
-author: 'Flux project'
+name: Setup Flux CLI
+description: A GitHub Action for running Flux commands
+author: Stefan Prodan
 branding:
-  icon: 'command'
-  color: 'blue'
+  color: blue
+  icon: command
 inputs:
  version:
-    description: 'strict semver'
+    description: "Flux version e.g. 0.8.0 (defaults to latest stable release)"
+    required: false
+  arch:
+    description: "arch can be amd64, arm64 or arm"
+    required: true
+    default: "amd64"
+  bindir:
+    description: "Optional location of the Flux binary. Will not use sudo if set. Updates System Path."
    required: false
 runs:
-  using: 'docker'
-  image: 'Dockerfile'
-  args:
-    - ${{ inputs.version }}
+  using: composite
+  steps:
+    - name: "Download flux binary to tmp"
+      shell: bash
+      run: |
+        ARCH=${{ inputs.arch }}
+        VERSION=${{ inputs.version }}
+
+        if [ -z $VERSION ]; then
+          VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+        fi
+
+        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
+        curl -sL ${BIN_URL} -o /tmp/flux.tar.gz
+        mkdir -p /tmp/flux
+        tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
+    - name: "Copy Flux binary to execute location"
+      shell: bash
+      run: |
+        BINDIR=${{ inputs.bindir }}
+        if [ -z $BINDIR ]; then
+          sudo cp /tmp/flux/flux /usr/local/bin
+        else
+          cp /tmp/flux/flux "${BINDIR}"
+          echo "${BINDIR}" >> $GITHUB_PATH
+        fi
+    - name: "Cleanup tmp"
+      shell: bash
+      run: |
+        rm -rf /tmp/flux/ /tmp/flux.tar.gz
+    - name: "Verify correct installation of binary"
+      shell: bash
+      run: |
+        flux -v
--- a/action/entrypoint.sh
+++ b/action/entrypoint.sh
@@ -1,40 +0,0 @@
-#!/bin/bash
-
-#  Copyright 2020 The Flux authors
-#
-#  Licensed under the Apache License, Version 2.0 (the "License");
-#  you may not use this file except in compliance with the License.
-#  You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-#  Unless required by applicable law or agreed to in writing, software
-#  distributed under the License is distributed on an "AS IS" BASIS,
-#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#  See the License for the specific language governing permissions and
-#  limitations under the License.
-
-set -e
-
-VERSION=$1
-
-if [ -z $VERSION ]; then
-  # Find latest release if no version is specified
-  VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
-fi
-
-# Download linux binary
-BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz"
-curl -sL $BIN_URL | tar xz
-
-# Copy binary to GitHub runner
-mkdir -p $GITHUB_WORKSPACE/bin
-cp ./flux $GITHUB_WORKSPACE/bin
-chmod +x $GITHUB_WORKSPACE/bin/flux
-
-# Print version
-$GITHUB_WORKSPACE/bin/flux -v
-
-# Add binary to GitHub runner path
-echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
-echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH
--- a/cmd/flux/alert.go
+++ b/cmd/flux/alert.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+)
+
+// notificationv1.Alert
+
+var alertType = apiType{
+	kind:         notificationv1.AlertKind,
+	humanKind:    "alert",
+	groupVersion: notificationv1.GroupVersion,
+}
+
+type alertAdapter struct {
+	*notificationv1.Alert
+}
+
+func (a alertAdapter) asClientObject() client.Object {
+	return a.Alert
+}
+
+func (a alertAdapter) deepCopyClientObject() client.Object {
+	return a.Alert.DeepCopy()
+}
+
+// notificationv1.Alert
+
+type alertListAdapter struct {
+	*notificationv1.AlertList
+}
+
+func (a alertListAdapter) asClientList() client.ObjectList {
+	return a.AlertList
+}
+
+func (a alertListAdapter) len() int {
+	return len(a.AlertList.Items)
+}
--- a/cmd/flux/alert_provider.go
+++ b/cmd/flux/alert_provider.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+)
+
+// notificationv1.Provider
+
+var alertProviderType = apiType{
+	kind:         notificationv1.ProviderKind,
+	humanKind:    "alert provider",
+	groupVersion: notificationv1.GroupVersion,
+}
+
+type alertProviderAdapter struct {
+	*notificationv1.Provider
+}
+
+func (a alertProviderAdapter) asClientObject() client.Object {
+	return a.Provider
+}
+
+func (a alertProviderAdapter) deepCopyClientObject() client.Object {
+	return a.Provider.DeepCopy()
+}
+
+// notificationv1.Provider
+
+type alertProviderListAdapter struct {
+	*notificationv1.ProviderList
+}
+
+func (a alertProviderListAdapter) asClientList() client.ObjectList {
+	return a.ProviderList
+}
+
+func (a alertProviderListAdapter) len() int {
+	return len(a.ProviderList.Items)
+}
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -17,26 +17,16 @@ limitations under the License.
 package main

 import (
-	"context"
+	"crypto/elliptic"
 	"fmt"
-	"net/url"
-	"path/filepath"
-	"time"
+	"strings"

 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"

 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )

 var bootstrapCmd = &cobra.Command{
@@ -45,210 +35,158 @@ var bootstrapCmd = &cobra.Command{
 	Long:  "The bootstrap sub-commands bootstrap the toolkit components on the targeted Git provider.",
 }

-var (
-	bootstrapVersion            string
-	bootstrapComponents         []string
-	bootstrapRegistry           string
-	bootstrapImagePullSecret    string
-	bootstrapBranch             string
-	bootstrapWatchAllNamespaces bool
-	bootstrapNetworkPolicy      bool
-	bootstrapManifestsPath      string
-	bootstrapArch               = flags.Arch(defaults.Arch)
-	bootstrapLogLevel           = flags.LogLevel(defaults.LogLevel)
-	bootstrapRequiredComponents = []string{"source-controller", "kustomize-controller"}
-	bootstrapTokenAuth          bool
-)
+type bootstrapFlags struct {
+	version  string
+	arch     flags.Arch
+	logLevel flags.LogLevel
+
+	branch            string
+	recurseSubmodules bool
+	manifestsPath     string
+
+	defaultComponents  []string
+	extraComponents    []string
+	requiredComponents []string
+
+	registry        string
+	imagePullSecret string
+
+	secretName     string
+	tokenAuth      bool
+	keyAlgorithm   flags.PublicKeyAlgorithm
+	keyRSABits     flags.RSAKeyBits
+	keyECDSACurve  flags.ECDSACurve
+	sshHostname    string
+	caFile         string
+	privateKeyFile string
+
+	watchAllNamespaces bool
+	networkPolicy      bool
+	clusterDomain      string
+	tolerationKeys     []string
+
+	authorName  string
+	authorEmail string
+
+	gpgKeyRingPath string
+	gpgPassphrase  string
+	gpgKeyID       string
+
+	commitMessageAppendix string
+}

 const (
 	bootstrapDefaultBranch = "main"
 )

+var bootstrapArgs = NewBootstrapFlags()
+
 func init() {
-	bootstrapCmd.PersistentFlags().StringVarP(&bootstrapVersion, "version", "v", defaults.Version,
-		"toolkit version")
-	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapComponents, "components", defaults.Components,
+	bootstrapCmd.PersistentFlags().StringVarP(&bootstrapArgs.version, "version", "v", "",
+		"toolkit version, when specified the manifests are downloaded from https://github.com/fluxcd/flux2/releases")
+
+	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapRegistry, "registry", "ghcr.io/fluxcd",
+	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.extraComponents, "components-extra", nil,
+		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
+
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
 		"container registry where the toolkit images are published")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapImagePullSecret, "image-pull-secret", "",
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.imagePullSecret, "image-pull-secret", "",
 		"Kubernetes secret name used for pulling the toolkit images from a private registry")
-	bootstrapCmd.PersistentFlags().Var(&bootstrapArch, "arch", bootstrapArch.Description())
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapBranch, "branch", bootstrapDefaultBranch,
-		"default branch (for GitHub this must match the default branch setting for the organization)")
-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapWatchAllNamespaces, "watch-all-namespaces", true,
+
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.branch, "branch", bootstrapDefaultBranch, "Git branch")
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.recurseSubmodules, "recurse-submodules", false,
+		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
+
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.manifestsPath, "manifests", "", "path to the manifest directory")
+
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.watchAllNamespaces, "watch-all-namespaces", true,
 		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed")
-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapNetworkPolicy, "network-policy", true,
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.networkPolicy, "network-policy", true,
 		"deny ingress access to the toolkit controllers from other namespaces using network policies")
-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapTokenAuth, "token-auth", false,
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.tokenAuth, "token-auth", false,
 		"when enabled, the personal access token will be used instead of SSH deploy key")
-	bootstrapCmd.PersistentFlags().Var(&bootstrapLogLevel, "log-level", bootstrapLogLevel.Description())
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapManifestsPath, "manifests", "", "path to the manifest directory")
+	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.logLevel, "log-level", bootstrapArgs.logLevel.Description())
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.clusterDomain, "cluster-domain", rootArgs.defaults.ClusterDomain, "internal cluster domain")
+	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.tolerationKeys, "toleration-keys", nil,
+		"list of toleration keys used to schedule the components pods onto nodes with matching taints")
+
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.secretName, "secret-name", rootArgs.defaults.Namespace, "name of the secret the sync credentials can be found in or stored to")
+	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyAlgorithm, "ssh-key-algorithm", bootstrapArgs.keyAlgorithm.Description())
+	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyRSABits, "ssh-rsa-bits", bootstrapArgs.keyRSABits.Description())
+	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyECDSACurve, "ssh-ecdsa-curve", bootstrapArgs.keyECDSACurve.Description())
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.sshHostname, "ssh-hostname", "", "SSH hostname, to be used when the SSH host differs from the HTTPS one")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.privateKeyFile, "private-key-file", "", "path to a private key file used for authenticating to the Git SSH server")
+
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.authorName, "author-name", "Flux", "author name for Git commits")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.authorEmail, "author-email", "", "author email for Git commits")
+
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgKeyRingPath, "gpg-key-ring", "", "path to GPG key ring for signing commits")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgPassphrase, "gpg-passphrase", "", "passphrase for decrypting GPG private key")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgKeyID, "gpg-key-id", "", "key id for selecting a particular key")
+
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.commitMessageAppendix, "commit-message-appendix", "", "string to add to the commit messages, e.g. '[ci skip]'")
+
+	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.arch, "arch", bootstrapArgs.arch.Description())
+	bootstrapCmd.PersistentFlags().MarkDeprecated("arch", "multi-arch container image is now available for AMD64, ARMv7 and ARM64")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")
+
 	rootCmd.AddCommand(bootstrapCmd)
 }

+func NewBootstrapFlags() bootstrapFlags {
+	return bootstrapFlags{
+		logLevel:           flags.LogLevel(rootArgs.defaults.LogLevel),
+		requiredComponents: []string{"source-controller", "kustomize-controller"},
+		keyAlgorithm:       flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
+		keyRSABits:         2048,
+		keyECDSACurve:      flags.ECDSACurve{Curve: elliptic.P384()},
+	}
+}
+
+func bootstrapComponents() []string {
+	return append(bootstrapArgs.defaultComponents, bootstrapArgs.extraComponents...)
+}
+
+func buildEmbeddedManifestBase() (string, error) {
+	if !isEmbeddedVersion(bootstrapArgs.version) {
+		return "", nil
+	}
+	tmpBaseDir, err := manifestgen.MkdirTempAbs("", "flux-manifests-")
+	if err != nil {
+		return "", err
+	}
+	if err := writeEmbeddedManifests(tmpBaseDir); err != nil {
+		return "", err
+	}
+	return tmpBaseDir, nil
+}
+
 func bootstrapValidate() error {
-	for _, component := range bootstrapRequiredComponents {
-		if !utils.ContainsItemString(bootstrapComponents, component) {
+	components := bootstrapComponents()
+	for _, component := range bootstrapArgs.requiredComponents {
+		if !utils.ContainsItemString(components, component) {
 			return fmt.Errorf("component %s is required", component)
 		}
 	}

+	if err := utils.ValidateComponents(components); err != nil {
+		return err
+	}
+
 	return nil
 }

-func generateInstallManifests(targetPath, namespace, tmpDir string, localManifests string) (string, error) {
-	opts := install.Options{
-		BaseURL:                localManifests,
-		Version:                bootstrapVersion,
-		Namespace:              namespace,
-		Components:             bootstrapComponents,
-		Registry:               bootstrapRegistry,
-		ImagePullSecret:        bootstrapImagePullSecret,
-		Arch:                   bootstrapArch.String(),
-		WatchAllNamespaces:     bootstrapWatchAllNamespaces,
-		NetworkPolicy:          bootstrapNetworkPolicy,
-		LogLevel:               bootstrapLogLevel.String(),
-		NotificationController: defaults.NotificationController,
-		ManifestFile:           defaults.ManifestFile,
-		Timeout:                timeout,
-		TargetPath:             targetPath,
-	}
-
-	if localManifests == "" {
-		opts.BaseURL = defaults.BaseURL
-	}
-
-	output, err := install.Generate(opts)
-	if err != nil {
-		return "", fmt.Errorf("generating install manifests failed: %w", err)
-	}
-
-	if filePath, err := output.WriteFile(tmpDir); err != nil {
-		return "", fmt.Errorf("generating install manifests failed: %w", err)
-	} else {
-		return filePath, nil
-	}
-
-}
-
-func applyInstallManifests(ctx context.Context, manifestPath string, components []string) error {
-	kubectlArgs := []string{"apply", "-f", manifestPath}
-	if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
-		return fmt.Errorf("install failed")
-	}
-
-	for _, deployment := range components {
-		kubectlArgs = []string{"-n", namespace, "rollout", "status", "deployment", deployment, "--timeout", timeout.String()}
-		if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
-			return fmt.Errorf("install failed")
+func mapTeamSlice(s []string, defaultPermission string) map[string]string {
+	m := make(map[string]string, len(s))
+	for _, v := range s {
+		m[v] = defaultPermission
+		if s := strings.Split(v, ":"); len(s) == 2 {
+			m[s[0]] = s[1]
 		}
 	}
-	return nil
-}
-
-func generateSyncManifests(url, branch, name, namespace, targetPath, tmpDir string, interval time.Duration) error {
-	opts := sync.Options{
-		Name:         name,
-		Namespace:    namespace,
-		URL:          url,
-		Branch:       branch,
-		Interval:     interval,
-		TargetPath:   targetPath,
-		ManifestFile: sync.MakeDefaultOptions().ManifestFile,
-	}
-
-	manifest, err := sync.Generate(opts)
-	if err != nil {
-		return fmt.Errorf("generating install manifests failed: %w", err)
-	}
-
-	if _, err := manifest.WriteFile(tmpDir); err != nil {
-		return err
-	}
-
-	if err := utils.GenerateKustomizationYaml(filepath.Join(tmpDir, targetPath, namespace)); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func applySyncManifests(ctx context.Context, kubeClient client.Client, name, namespace, targetPath, tmpDir string) error {
-	kubectlArgs := []string{"apply", "-k", filepath.Join(tmpDir, targetPath, namespace)}
-	if _, err := utils.ExecKubectlCommand(ctx, utils.ModeStderrOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
-		return err
-	}
-
-	logger.Waitingf("waiting for cluster sync")
-
-	var gitRepository sourcev1.GitRepository
-	if err := wait.PollImmediate(pollInterval, timeout,
-		isGitRepositoryReady(ctx, kubeClient, types.NamespacedName{Name: name, Namespace: namespace}, &gitRepository)); err != nil {
-		return err
-	}
-
-	var kustomization kustomizev1.Kustomization
-	if err := wait.PollImmediate(pollInterval, timeout,
-		isKustomizationReady(ctx, kubeClient, types.NamespacedName{Name: name, Namespace: namespace}, &kustomization)); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func shouldInstallManifests(ctx context.Context, kubeClient client.Client, namespace string) bool {
-	namespacedName := types.NamespacedName{
-		Namespace: namespace,
-		Name:      namespace,
-	}
-	var kustomization kustomizev1.Kustomization
-	if err := kubeClient.Get(ctx, namespacedName, &kustomization); err != nil {
-		return true
-	}
-
-	return kustomization.Status.LastAppliedRevision == ""
-}
-
-func shouldCreateDeployKey(ctx context.Context, kubeClient client.Client, namespace string) bool {
-	namespacedName := types.NamespacedName{
-		Namespace: namespace,
-		Name:      namespace,
-	}
-
-	var existing corev1.Secret
-	if err := kubeClient.Get(ctx, namespacedName, &existing); err != nil {
-		return true
-	}
-	return false
-}
-
-func generateDeployKey(ctx context.Context, kubeClient client.Client, url *url.URL, namespace string) (string, error) {
-	pair, err := generateKeyPair(ctx)
-	if err != nil {
-		return "", err
-	}
-
-	hostKey, err := scanHostKey(ctx, url)
-	if err != nil {
-		return "", err
-	}
-
-	secret := corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      namespace,
-			Namespace: namespace,
-		},
-		StringData: map[string]string{
-			"identity":     string(pair.PrivateKey),
-			"identity.pub": string(pair.PublicKey),
-			"known_hosts":  string(hostKey),
-		},
-	}
-	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-		return "", err
-	}
-
-	return string(pair.PublicKey), nil
+
+	return m
 }
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@@ -0,0 +1,281 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/spf13/cobra"
+
+	"github.com/fluxcd/flux2/internal/bootstrap"
+	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
+	"github.com/fluxcd/flux2/internal/bootstrap/provider"
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+)
+
+var bootstrapBServerCmd = &cobra.Command{
+	Use:   "bitbucket-server",
+	Short: "Bootstrap toolkit components in a Bitbucket Server repository",
+	Long: `The bootstrap bitbucket-server command creates the Bitbucket Server repository if it doesn't exists and
+commits the toolkit components manifests to the master branch.
+Then it configures the target cluster to synchronize with the repository.
+If the toolkit components are present on the cluster,
+the bootstrap command will perform an upgrade if needed.`,
+	Example: `  # Create a Bitbucket Server API token and export it as an env var
+  export BITBUCKET_TOKEN=<my-token>
+
+  # Run bootstrap for a private repository using HTTPS token authentication
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth
+
+  # Run bootstrap for a private repository using SSH authentication
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain>
+
+  # Run bootstrap for a repository path
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --path=dev-cluster --hostname=<domain>
+
+  # Run bootstrap for a public repository on a personal account
+  flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth
+
+  # Run bootstrap for a an existing repository with a branch named main
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth`,
+	RunE: bootstrapBServerCmdRun,
+}
+
+const (
+	bServerDefaultPermission = "push"
+	bServerTokenEnvVar       = "BITBUCKET_TOKEN"
+)
+
+type bServerFlags struct {
+	owner        string
+	repository   string
+	interval     time.Duration
+	personal     bool
+	username     string
+	private      bool
+	hostname     string
+	path         flags.SafeRelativePath
+	teams        []string
+	readWriteKey bool
+	reconcile    bool
+}
+
+var bServerArgs bServerFlags
+
+func init() {
+	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.owner, "owner", "", "Bitbucket Server user or project name")
+	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.repository, "repository", "", "Bitbucket Server repository name")
+	bootstrapBServerCmd.Flags().StringSliceVar(&bServerArgs.teams, "group", []string{}, "Bitbucket Server groups to be given write access (also accepts comma-separated values)")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.personal, "personal", false, "if true, the owner is assumed to be a Bitbucket Server user; otherwise a group")
+	bootstrapBServerCmd.Flags().StringVarP(&bServerArgs.username, "username", "u", "git", "authentication username")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.private, "private", true, "if true, the repository is setup or configured as private")
+	bootstrapBServerCmd.Flags().DurationVar(&bServerArgs.interval, "interval", time.Minute, "sync interval")
+	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.hostname, "hostname", "", "Bitbucket Server hostname")
+	bootstrapBServerCmd.Flags().Var(&bServerArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
+	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
+
+	bootstrapCmd.AddCommand(bootstrapBServerCmd)
+}
+
+func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
+	bitbucketToken := os.Getenv(bServerTokenEnvVar)
+	if bitbucketToken == "" {
+		var err error
+		bitbucketToken, err = readPasswordFromStdin("Please enter your Bitbucket personal access token (PAT): ")
+		if err != nil {
+			return fmt.Errorf("could not read token: %w", err)
+		}
+	}
+
+	if bServerArgs.hostname == "" {
+		return fmt.Errorf("invalid hostname %q", bServerArgs.hostname)
+	}
+
+	if err := bootstrapValidate(); err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	// Manifest base
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+		bootstrapArgs.version = ver
+	}
+	manifestsBase, err := buildEmbeddedManifestBase()
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(manifestsBase)
+
+	user := bServerArgs.username
+	if bServerArgs.personal {
+		user = bServerArgs.owner
+	}
+
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+
+	// Build Bitbucket Server provider
+	providerCfg := provider.Config{
+		Provider: provider.GitProviderStash,
+		Hostname: bServerArgs.hostname,
+		Username: user,
+		Token:    bitbucketToken,
+		CaBundle: caBundle,
+	}
+
+	providerClient, err := provider.BuildGitProvider(providerCfg)
+	if err != nil {
+		return err
+	}
+
+	// Lazy go-git repository
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
+	if err != nil {
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+	gitClient := gogit.New(tmpDir, &http.BasicAuth{
+		Username: user,
+		Password: bitbucketToken,
+	})
+
+	// Install manifest config
+	installOptions := install.Options{
+		BaseURL:                rootArgs.defaults.BaseURL,
+		Version:                bootstrapArgs.version,
+		Namespace:              *kubeconfigArgs.Namespace,
+		Components:             bootstrapComponents(),
+		Registry:               bootstrapArgs.registry,
+		ImagePullSecret:        bootstrapArgs.imagePullSecret,
+		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
+		NetworkPolicy:          bootstrapArgs.networkPolicy,
+		LogLevel:               bootstrapArgs.logLevel.String(),
+		NotificationController: rootArgs.defaults.NotificationController,
+		ManifestFile:           rootArgs.defaults.ManifestFile,
+		Timeout:                rootArgs.timeout,
+		TargetPath:             bServerArgs.path.ToSlash(),
+		ClusterDomain:          bootstrapArgs.clusterDomain,
+		TolerationKeys:         bootstrapArgs.tolerationKeys,
+	}
+	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
+		installOptions.BaseURL = customBaseURL
+	}
+
+	// Source generation and secret config
+	secretOpts := sourcesecret.Options{
+		Name:         bootstrapArgs.secretName,
+		Namespace:    *kubeconfigArgs.Namespace,
+		TargetPath:   bServerArgs.path.String(),
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
+	}
+	if bootstrapArgs.tokenAuth {
+		if bServerArgs.personal {
+			secretOpts.Username = bServerArgs.owner
+		} else {
+			secretOpts.Username = bServerArgs.username
+		}
+		secretOpts.Password = bitbucketToken
+
+		if bootstrapArgs.caFile != "" {
+			secretOpts.CAFilePath = bootstrapArgs.caFile
+		}
+	} else {
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
+		secretOpts.SSHHostname = bServerArgs.hostname
+
+		if bootstrapArgs.privateKeyFile != "" {
+			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
+		}
+		if bootstrapArgs.sshHostname != "" {
+			secretOpts.SSHHostname = bootstrapArgs.sshHostname
+		}
+	}
+
+	// Sync manifest config
+	syncOpts := sync.Options{
+		Interval:          bServerArgs.interval,
+		Name:              *kubeconfigArgs.Namespace,
+		Namespace:         *kubeconfigArgs.Namespace,
+		Branch:            bootstrapArgs.branch,
+		Secret:            bootstrapArgs.secretName,
+		TargetPath:        bServerArgs.path.ToSlash(),
+		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		GitImplementation: sourceGitArgs.gitImplementation.String(),
+		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
+	}
+
+	// Bootstrap config
+	bootstrapOpts := []bootstrap.GitProviderOption{
+		bootstrap.WithProviderRepository(bServerArgs.owner, bServerArgs.repository, bServerArgs.personal),
+		bootstrap.WithBranch(bootstrapArgs.branch),
+		bootstrap.WithBootstrapTransportType("https"),
+		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
+		bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
+		bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
+		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
+		bootstrap.WithLogger(logger),
+		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+	}
+	if bootstrapArgs.sshHostname != "" {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
+	}
+	if bootstrapArgs.tokenAuth {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
+	}
+	if !bServerArgs.private {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
+	}
+	if bServerArgs.reconcile {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
+	}
+
+	// Setup bootstrapper with constructed configs
+	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
+	if err != nil {
+		return err
+	}
+
+	// Run
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
+}
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -0,0 +1,316 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/go-git/go-git/v5/plumbing/transport"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/go-git/go-git/v5/plumbing/transport/ssh"
+	"github.com/manifoldco/promptui"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/fluxcd/flux2/internal/bootstrap"
+	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+)
+
+var bootstrapGitCmd = &cobra.Command{
+	Use:   "git",
+	Short: "Bootstrap toolkit components in a Git repository",
+	Long: `The bootstrap git command commits the toolkit components manifests to the
+branch of a Git repository. It then configures the target cluster to synchronize with
+the repository. If the toolkit components are present on the cluster, the bootstrap
+command will perform an upgrade if needed.`,
+	Example: `  # Run bootstrap for a Git repository and authenticate with your SSH agent
+  flux bootstrap git --url=ssh://git@example.com/repository.git
+
+  # Run bootstrap for a Git repository and authenticate using a password
+  flux bootstrap git --url=https://example.com/repository.git --password=<password>
+
+  # Run bootstrap for a Git repository and authenticate using a password from environment variable
+  GIT_PASSWORD=<password> && flux bootstrap git --url=https://example.com/repository.git
+
+  # Run bootstrap for a Git repository with a passwordless private key
+  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key>
+
+  # Run bootstrap for a Git repository with a private key and password
+  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --password=<password>
+`,
+	RunE: bootstrapGitCmdRun,
+}
+
+type gitFlags struct {
+	url                 string
+	interval            time.Duration
+	path                flags.SafeRelativePath
+	username            string
+	password            string
+	silent              bool
+	insecureHttpAllowed bool
+}
+
+const (
+	gitPasswordEnvVar = "GIT_PASSWORD"
+)
+
+var gitArgs gitFlags
+
+func init() {
+	bootstrapGitCmd.Flags().StringVar(&gitArgs.url, "url", "", "Git repository URL")
+	bootstrapGitCmd.Flags().DurationVar(&gitArgs.interval, "interval", time.Minute, "sync interval")
+	bootstrapGitCmd.Flags().Var(&gitArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
+	bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
+	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
+	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
+	bootstrapGitCmd.Flags().BoolVar(&gitArgs.insecureHttpAllowed, "allow-insecure-http", false, "allows http git url connections")
+
+	bootstrapCmd.AddCommand(bootstrapGitCmd)
+}
+
+func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
+	gitPassword := os.Getenv(gitPasswordEnvVar)
+	if gitPassword != "" && gitArgs.password == "" {
+		gitArgs.password = gitPassword
+	}
+	if bootstrapArgs.tokenAuth && gitArgs.password == "" {
+		var err error
+		gitPassword, err = readPasswordFromStdin("Please enter your Git repository password: ")
+		if err != nil {
+			return fmt.Errorf("could not read token: %w", err)
+		}
+		gitArgs.password = gitPassword
+	}
+
+	if err := bootstrapValidate(); err != nil {
+		return err
+	}
+
+	repositoryURL, err := url.Parse(gitArgs.url)
+	if err != nil {
+		return err
+	}
+	gitAuth, err := transportForURL(repositoryURL)
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	// Manifest base
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+		bootstrapArgs.version = ver
+	}
+	manifestsBase, err := buildEmbeddedManifestBase()
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(manifestsBase)
+
+	// Lazy go-git repository
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
+	if err != nil {
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+	gitClient := gogit.New(tmpDir, gitAuth)
+
+	// Install manifest config
+	installOptions := install.Options{
+		BaseURL:                rootArgs.defaults.BaseURL,
+		Version:                bootstrapArgs.version,
+		Namespace:              *kubeconfigArgs.Namespace,
+		Components:             bootstrapComponents(),
+		Registry:               bootstrapArgs.registry,
+		ImagePullSecret:        bootstrapArgs.imagePullSecret,
+		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
+		NetworkPolicy:          bootstrapArgs.networkPolicy,
+		LogLevel:               bootstrapArgs.logLevel.String(),
+		NotificationController: rootArgs.defaults.NotificationController,
+		ManifestFile:           rootArgs.defaults.ManifestFile,
+		Timeout:                rootArgs.timeout,
+		TargetPath:             gitArgs.path.ToSlash(),
+		ClusterDomain:          bootstrapArgs.clusterDomain,
+		TolerationKeys:         bootstrapArgs.tolerationKeys,
+	}
+	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
+		installOptions.BaseURL = customBaseURL
+	}
+
+	// Source generation and secret config
+	secretOpts := sourcesecret.Options{
+		Name:         bootstrapArgs.secretName,
+		Namespace:    *kubeconfigArgs.Namespace,
+		TargetPath:   gitArgs.path.String(),
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
+	}
+	if bootstrapArgs.tokenAuth {
+		secretOpts.Username = gitArgs.username
+		secretOpts.Password = gitArgs.password
+
+		if bootstrapArgs.caFile != "" {
+			secretOpts.CAFilePath = bootstrapArgs.caFile
+		}
+
+		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
+		// This _might_ be overwritten later on by e.g. --ssh-hostname
+		if repositoryURL.Scheme != "https" && repositoryURL.Scheme != "http" {
+			repositoryURL.Host = repositoryURL.Hostname()
+		}
+
+		// Configure repository URL to match auth config for sync.
+		repositoryURL.User = nil
+		repositoryURL.Scheme = "https"
+	} else {
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
+		secretOpts.Password = gitArgs.password
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
+
+		// Configure repository URL to match auth config for sync
+
+		// Override existing user when user is not already set
+		// or when a username was passed in
+		if repositoryURL.User == nil || gitArgs.username != "git" {
+			repositoryURL.User = url.User(gitArgs.username)
+		}
+
+		repositoryURL.Scheme = "ssh"
+		if bootstrapArgs.sshHostname != "" {
+			repositoryURL.Host = bootstrapArgs.sshHostname
+		}
+		if bootstrapArgs.privateKeyFile != "" {
+			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
+		}
+
+		// Configure last as it depends on the config above.
+		secretOpts.SSHHostname = repositoryURL.Host
+	}
+
+	// Sync manifest config
+	syncOpts := sync.Options{
+		Interval:          gitArgs.interval,
+		Name:              *kubeconfigArgs.Namespace,
+		Namespace:         *kubeconfigArgs.Namespace,
+		URL:               repositoryURL.String(),
+		Branch:            bootstrapArgs.branch,
+		Secret:            bootstrapArgs.secretName,
+		TargetPath:        gitArgs.path.ToSlash(),
+		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		GitImplementation: sourceGitArgs.gitImplementation.String(),
+		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
+	}
+
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+
+	// Bootstrap config
+	bootstrapOpts := []bootstrap.GitOption{
+		bootstrap.WithRepositoryURL(gitArgs.url),
+		bootstrap.WithBranch(bootstrapArgs.branch),
+		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
+		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
+		bootstrap.WithPostGenerateSecretFunc(promptPublicKey),
+		bootstrap.WithLogger(logger),
+		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+	}
+
+	// Setup bootstrapper with constructed configs
+	b, err := bootstrap.NewPlainGitProvider(gitClient, kubeClient, bootstrapOpts...)
+	if err != nil {
+		return err
+	}
+
+	// Run
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
+}
+
+// transportForURL constructs a transport.AuthMethod based on the scheme
+// of the given URL and the configured flags. If the protocol equals
+// "ssh" but no private key is configured, authentication using the local
+// SSH-agent is attempted.
+func transportForURL(u *url.URL) (transport.AuthMethod, error) {
+	switch u.Scheme {
+	case "http":
+		if !gitArgs.insecureHttpAllowed {
+			return nil, fmt.Errorf("scheme http is insecure, pass --allow-insecure-http=true to allow it")
+		}
+		return &http.BasicAuth{
+			Username: gitArgs.username,
+			Password: gitArgs.password,
+		}, nil
+	case "https":
+		return &http.BasicAuth{
+			Username: gitArgs.username,
+			Password: gitArgs.password,
+		}, nil
+	case "ssh":
+		if bootstrapArgs.privateKeyFile != "" {
+			return ssh.NewPublicKeysFromFile(u.User.Username(), bootstrapArgs.privateKeyFile, gitArgs.password)
+		}
+		return nil, nil
+	default:
+		return nil, fmt.Errorf("scheme %q is not supported", u.Scheme)
+	}
+}
+
+func promptPublicKey(ctx context.Context, secret corev1.Secret, _ sourcesecret.Options) error {
+	ppk, ok := secret.StringData[sourcesecret.PublicKeySecretKey]
+	if !ok {
+		return nil
+	}
+
+	logger.Successf("public key: %s", strings.TrimSpace(ppk))
+
+	if !gitArgs.silent {
+		prompt := promptui.Prompt{
+			Label:     "Please give the key access to your repository",
+			IsConfirm: true,
+		}
+		_, err := prompt.Run()
+		if err != nil {
+			return fmt.Errorf("aborting")
+		}
+	}
+	return nil
+}
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -19,18 +19,21 @@ package main
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
-	"net/url"
 	"os"
-	"path"
 	"time"

+	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

+	"github.com/fluxcd/flux2/internal/bootstrap"
+	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
+	"github.com/fluxcd/flux2/internal/bootstrap/provider"
+	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/pkg/git"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )

 var bootstrapGitHubCmd = &cobra.Command{
@@ -44,245 +47,224 @@ the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitHub personal access token and export it as an env var
  export GITHUB_TOKEN=<my-token>

-  # Run bootstrap for a private repo owned by a GitHub organization
-  flux bootstrap github --owner=<organization> --repository=<repo name>
+  # Run bootstrap for a private repository owned by a GitHub organization
+  flux bootstrap github --owner=<organization> --repository=<repository name>

-  # Run bootstrap for a private repo and assign organization teams to it
-  flux bootstrap github --owner=<organization> --repository=<repo name> --team=<team1 slug> --team=<team2 slug>
+  # Run bootstrap for a private repository and assign organization teams to it
+  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug>
+
+  # Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
+  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level>

  # Run bootstrap for a repository path
-  flux bootstrap github --owner=<organization> --repository=<repo name> --path=dev-cluster
+  flux bootstrap github --owner=<organization> --repository=<repository name> --path=dev-cluster

  # Run bootstrap for a public repository on a personal account
-  flux bootstrap github --owner=<user> --repository=<repo name> --private=false --personal=true 
+  flux bootstrap github --owner=<user> --repository=<repository name> --private=false --personal=true

-  # Run bootstrap for a private repo hosted on GitHub Enterprise using SSH auth
-  flux bootstrap github --owner=<organization> --repository=<repo name> --hostname=<domain> --ssh-hostname=<domain>
+  # Run bootstrap for a private repository hosted on GitHub Enterprise using SSH auth
+  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain>

-  # Run bootstrap for a private repo hosted on GitHub Enterprise using HTTPS auth
-  flux bootstrap github --owner=<organization> --repository=<repo name> --hostname=<domain> --token-auth
+  # Run bootstrap for a private repository hosted on GitHub Enterprise using HTTPS auth
+  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth

-  # Run bootstrap for a an existing repository with a branch named main
-  flux bootstrap github --owner=<organization> --repository=<repo name> --branch=main
-`,
+  # Run bootstrap for an existing repository with a branch named main
+  flux bootstrap github --owner=<organization> --repository=<repository name> --branch=main`,
 	RunE: bootstrapGitHubCmdRun,
 }

-var (
-	ghOwner       string
-	ghRepository  string
-	ghInterval    time.Duration
-	ghPersonal    bool
-	ghPrivate     bool
-	ghHostname    string
-	ghPath        string
-	ghTeams       []string
-	ghDelete      bool
-	ghSSHHostname string
-)
+type githubFlags struct {
+	owner        string
+	repository   string
+	interval     time.Duration
+	personal     bool
+	private      bool
+	hostname     string
+	path         flags.SafeRelativePath
+	teams        []string
+	readWriteKey bool
+	reconcile    bool
+}

 const (
 	ghDefaultPermission = "maintain"
+	ghDefaultDomain     = "github.com"
+	ghTokenEnvVar       = "GITHUB_TOKEN"
 )

-func init() {
-	bootstrapGitHubCmd.Flags().StringVar(&ghOwner, "owner", "", "GitHub user or organization name")
-	bootstrapGitHubCmd.Flags().StringVar(&ghRepository, "repository", "", "GitHub repository name")
-	bootstrapGitHubCmd.Flags().StringArrayVar(&ghTeams, "team", []string{}, "GitHub team to be given maintainer access")
-	bootstrapGitHubCmd.Flags().BoolVar(&ghPersonal, "personal", false, "is personal repository")
-	bootstrapGitHubCmd.Flags().BoolVar(&ghPrivate, "private", true, "is private repository")
-	bootstrapGitHubCmd.Flags().DurationVar(&ghInterval, "interval", time.Minute, "sync interval")
-	bootstrapGitHubCmd.Flags().StringVar(&ghHostname, "hostname", git.GitHubDefaultHostname, "GitHub hostname")
-	bootstrapGitHubCmd.Flags().StringVar(&ghSSHHostname, "ssh-hostname", "", "GitHub SSH hostname, to be used when the SSH host differs from the HTTPS one")
-	bootstrapGitHubCmd.Flags().StringVar(&ghPath, "path", "", "repository path, when specified the cluster sync will be scoped to this path")
+var githubArgs githubFlags

-	bootstrapGitHubCmd.Flags().BoolVar(&ghDelete, "delete", false, "delete repository (used for testing only)")
-	bootstrapGitHubCmd.Flags().MarkHidden("delete")
+func init() {
+	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.owner, "owner", "", "GitHub user or organization name")
+	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.repository, "repository", "", "GitHub repository name")
+	bootstrapGitHubCmd.Flags().StringSliceVar(&githubArgs.teams, "team", []string{}, "GitHub team and the access to be given to it(team:maintain). Defaults to maintainer access if no access level is specified (also accepts comma-separated values)")
+	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.personal, "personal", false, "if true, the owner is assumed to be a GitHub user; otherwise an org")
+	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.private, "private", true, "if true, the repository is setup or configured as private")
+	bootstrapGitHubCmd.Flags().DurationVar(&githubArgs.interval, "interval", time.Minute, "sync interval")
+	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.hostname, "hostname", ghDefaultDomain, "GitHub hostname")
+	bootstrapGitHubCmd.Flags().Var(&githubArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
+	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
+	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")

 	bootstrapCmd.AddCommand(bootstrapGitHubCmd)
 }

 func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
-	ghToken := os.Getenv(git.GitHubTokenName)
+	ghToken := os.Getenv(ghTokenEnvVar)
 	if ghToken == "" {
-		return fmt.Errorf("%s environment variable not found", git.GitHubTokenName)
+		var err error
+		ghToken, err = readPasswordFromStdin("Please enter your GitHub personal access token (PAT): ")
+		if err != nil {
+			return fmt.Errorf("could not read token: %w", err)
+		}
 	}

 	if err := bootstrapValidate(); err != nil {
 		return err
 	}

-	repository, err := git.NewRepository(ghRepository, ghOwner, ghHostname, ghToken, "flux", ghOwner+"@users.noreply.github.com")
-	if err != nil {
-		return err
-	}
-
-	if ghSSHHostname != "" {
-		repository.SSHHost = ghSSHHostname
-	}
-
-	provider := &git.GithubProvider{
-		IsPrivate:  ghPrivate,
-		IsPersonal: ghPersonal,
-	}
-
-	tmpDir, err := ioutil.TempDir("", namespace)
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(tmpDir)
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	if ghDelete {
-		if err := provider.DeleteRepository(ctx, repository); err != nil {
-			return err
-		}
-		logger.Successf("repository deleted")
-		return nil
-	}
-
-	// create GitHub repository if doesn't exists
-	logger.Actionf("connecting to %s", ghHostname)
-	changed, err := provider.CreateRepository(ctx, repository)
-	if err != nil {
-		return err
-	}
-	if changed {
-		logger.Successf("repository created")
-	}
-
-	withErrors := false
-	// add teams to org repository
-	if !ghPersonal {
-		for _, team := range ghTeams {
-			if changed, err := provider.AddTeam(ctx, repository, team, ghDefaultPermission); err != nil {
-				logger.Failuref(err.Error())
-				withErrors = true
-			} else if changed {
-				logger.Successf("%s team access granted", team)
-			}
-		}
-	}
-
-	// clone repository and checkout the main branch
-	if err := repository.Checkout(ctx, bootstrapBranch, tmpDir); err != nil {
-		return err
-	}
-	logger.Successf("repository cloned")
-
-	// generate install manifests
-	logger.Generatef("generating manifests")
-	manifest, err := generateInstallManifests(ghPath, namespace, tmpDir, bootstrapManifestsPath)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

-	// stage install manifests
-	changed, err = repository.Commit(ctx, path.Join(ghPath, namespace), "Add manifests")
+	// Manifest base
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+		bootstrapArgs.version = ver
+	}
+	manifestsBase, err := buildEmbeddedManifestBase()
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(manifestsBase)
+
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+	// Build GitHub provider
+	providerCfg := provider.Config{
+		Provider: provider.GitProviderGitHub,
+		Hostname: githubArgs.hostname,
+		Token:    ghToken,
+		CaBundle: caBundle,
+	}
+	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}

-	// push install manifests
-	if changed {
-		if err := repository.Push(ctx); err != nil {
-			return err
-		}
-		logger.Successf("components manifests pushed")
-	} else {
-		logger.Successf("components are up to date")
-	}
-
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	// Lazy go-git repository
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+	gitClient := gogit.New(tmpDir, &http.BasicAuth{
+		Username: githubArgs.owner,
+		Password: ghToken,
+	})
+
+	// Install manifest config
+	installOptions := install.Options{
+		BaseURL:                rootArgs.defaults.BaseURL,
+		Version:                bootstrapArgs.version,
+		Namespace:              *kubeconfigArgs.Namespace,
+		Components:             bootstrapComponents(),
+		Registry:               bootstrapArgs.registry,
+		ImagePullSecret:        bootstrapArgs.imagePullSecret,
+		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
+		NetworkPolicy:          bootstrapArgs.networkPolicy,
+		LogLevel:               bootstrapArgs.logLevel.String(),
+		NotificationController: rootArgs.defaults.NotificationController,
+		ManifestFile:           rootArgs.defaults.ManifestFile,
+		Timeout:                rootArgs.timeout,
+		TargetPath:             githubArgs.path.ToSlash(),
+		ClusterDomain:          bootstrapArgs.clusterDomain,
+		TolerationKeys:         bootstrapArgs.tolerationKeys,
+	}
+	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
+		installOptions.BaseURL = customBaseURL
 	}

-	// determine if repo synchronization is working
-	isInstall := shouldInstallManifests(ctx, kubeClient, namespace)
-
-	if isInstall {
-		// apply install manifests
-		logger.Actionf("installing components in %s namespace", namespace)
-		if err := applyInstallManifests(ctx, manifest, bootstrapComponents); err != nil {
-			return err
-		}
-		logger.Successf("install completed")
+	// Source generation and secret config
+	secretOpts := sourcesecret.Options{
+		Name:         bootstrapArgs.secretName,
+		Namespace:    *kubeconfigArgs.Namespace,
+		TargetPath:   githubArgs.path.ToSlash(),
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
+	if bootstrapArgs.tokenAuth {
+		secretOpts.Username = "git"
+		secretOpts.Password = ghToken

-	repoURL := repository.GetURL()
-
-	if bootstrapTokenAuth {
-		// setup HTTPS token auth
-		secret := corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      namespace,
-				Namespace: namespace,
-			},
-			StringData: map[string]string{
-				"username": "git",
-				"password": ghToken,
-			},
-		}
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-			return err
+		if bootstrapArgs.caFile != "" {
+			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 	} else {
-		// setup SSH deploy key
-		repoURL = repository.GetSSH()
-		if shouldCreateDeployKey(ctx, kubeClient, namespace) {
-			logger.Actionf("configuring deploy key")
-			u, err := url.Parse(repository.GetSSH())
-			if err != nil {
-				return fmt.Errorf("git URL parse failed: %w", err)
-			}
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
+		secretOpts.SSHHostname = githubArgs.hostname

-			key, err := generateDeployKey(ctx, kubeClient, u, namespace)
-			if err != nil {
-				return fmt.Errorf("generating deploy key failed: %w", err)
-			}
-
-			keyName := "flux"
-			if ghPath != "" {
-				keyName = fmt.Sprintf("flux-%s", ghPath)
-			}
-
-			if changed, err := provider.AddDeployKey(ctx, repository, key, keyName); err != nil {
-				return err
-			} else if changed {
-				logger.Successf("deploy key configured")
-			}
+		if bootstrapArgs.sshHostname != "" {
+			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
 	}

-	// configure repo synchronization
-	logger.Actionf("generating sync manifests")
-	if err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, ghPath, tmpDir, ghInterval); err != nil {
+	// Sync manifest config
+	syncOpts := sync.Options{
+		Interval:          githubArgs.interval,
+		Name:              *kubeconfigArgs.Namespace,
+		Namespace:         *kubeconfigArgs.Namespace,
+		Branch:            bootstrapArgs.branch,
+		Secret:            bootstrapArgs.secretName,
+		TargetPath:        githubArgs.path.ToSlash(),
+		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		GitImplementation: sourceGitArgs.gitImplementation.String(),
+		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
+	}
+
+	// Bootstrap config
+	bootstrapOpts := []bootstrap.GitProviderOption{
+		bootstrap.WithProviderRepository(githubArgs.owner, githubArgs.repository, githubArgs.personal),
+		bootstrap.WithBranch(bootstrapArgs.branch),
+		bootstrap.WithBootstrapTransportType("https"),
+		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
+		bootstrap.WithProviderTeamPermissions(mapTeamSlice(githubArgs.teams, ghDefaultPermission)),
+		bootstrap.WithReadWriteKeyPermissions(githubArgs.readWriteKey),
+		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
+		bootstrap.WithLogger(logger),
+		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+	}
+	if bootstrapArgs.sshHostname != "" {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
+	}
+	if bootstrapArgs.tokenAuth {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
+	}
+	if !githubArgs.private {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
+	}
+	if githubArgs.reconcile {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
+	}
+
+	// Setup bootstrapper with constructed configs
+	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
+	if err != nil {
 		return err
 	}

-	// commit and push manifests
-	if changed, err = repository.Commit(ctx, path.Join(ghPath, namespace), "Add manifests"); err != nil {
-		return err
-	} else if changed {
-		if err := repository.Push(ctx); err != nil {
-			return err
-		}
-		logger.Successf("sync manifests pushed")
-	}
-
-	// apply manifests and waiting for sync
-	logger.Actionf("applying sync manifests")
-	if err := applySyncManifests(ctx, kubeClient, namespace, namespace, ghPath, tmpDir); err != nil {
-		return err
-	}
-
-	if withErrors {
-		return fmt.Errorf("bootstrap completed with errors")
-	}
-
-	logger.Successf("bootstrap finished")
-	return nil
+	// Run
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -19,18 +19,23 @@ package main
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
-	"net/url"
 	"os"
-	"path"
+	"regexp"
+	"strings"
 	"time"

+	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

+	"github.com/fluxcd/flux2/internal/bootstrap"
+	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
+	"github.com/fluxcd/flux2/internal/bootstrap/provider"
+	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/pkg/git"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )

 var bootstrapGitLabCmd = &cobra.Command{
@@ -44,207 +49,236 @@ the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitLab API token and export it as an env var
  export GITLAB_TOKEN=<my-token>

-  # Run bootstrap for a private repo using HTTPS token authentication 
-  flux bootstrap gitlab --owner=<group> --repository=<repo name> --token-auth
+  # Run bootstrap for a private repository using HTTPS token authentication
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --token-auth

-  # Run bootstrap for a private repo using SSH authentication
-  flux bootstrap gitlab --owner=<group> --repository=<repo name>
+  # Run bootstrap for a private repository using SSH authentication
+  flux bootstrap gitlab --owner=<group> --repository=<repository name>

  # Run bootstrap for a repository path
-  flux bootstrap gitlab --owner=<group> --repository=<repo name> --path=dev-cluster
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --path=dev-cluster

  # Run bootstrap for a public repository on a personal account
-  flux bootstrap gitlab --owner=<user> --repository=<repo name> --private=false --personal --token-auth
+  flux bootstrap gitlab --owner=<user> --repository=<repository name> --private=false --personal --token-auth

-  # Run bootstrap for a private repo hosted on a GitLab server 
-  flux bootstrap gitlab --owner=<group> --repository=<repo name> --hostname=<domain> --token-auth
+  # Run bootstrap for a private repository hosted on a GitLab server
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<domain> --token-auth

  # Run bootstrap for a an existing repository with a branch named main
-  flux bootstrap gitlab --owner=<organization> --repository=<repo name> --branch=main --token-auth
-`,
+  flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth`,
 	RunE: bootstrapGitLabCmdRun,
 }

-var (
-	glOwner       string
-	glRepository  string
-	glInterval    time.Duration
-	glPersonal    bool
-	glPrivate     bool
-	glHostname    string
-	glSSHHostname string
-	glPath        string
+const (
+	glDefaultPermission = "maintain"
+	glDefaultDomain     = "gitlab.com"
+	glTokenEnvVar       = "GITLAB_TOKEN"
+	gitlabProjectRegex  = `\A[[:alnum:]\x{00A9}-\x{1f9ff}_][[:alnum:]\p{Pd}\x{00A9}-\x{1f9ff}_\.]*\z`
 )

+type gitlabFlags struct {
+	owner        string
+	repository   string
+	interval     time.Duration
+	personal     bool
+	private      bool
+	hostname     string
+	path         flags.SafeRelativePath
+	teams        []string
+	readWriteKey bool
+	reconcile    bool
+}
+
+var gitlabArgs gitlabFlags
+
 func init() {
-	bootstrapGitLabCmd.Flags().StringVar(&glOwner, "owner", "", "GitLab user or group name")
-	bootstrapGitLabCmd.Flags().StringVar(&glRepository, "repository", "", "GitLab repository name")
-	bootstrapGitLabCmd.Flags().BoolVar(&glPersonal, "personal", false, "is personal repository")
-	bootstrapGitLabCmd.Flags().BoolVar(&glPrivate, "private", true, "is private repository")
-	bootstrapGitLabCmd.Flags().DurationVar(&glInterval, "interval", time.Minute, "sync interval")
-	bootstrapGitLabCmd.Flags().StringVar(&glHostname, "hostname", git.GitLabDefaultHostname, "GitLab hostname")
-	bootstrapGitLabCmd.Flags().StringVar(&glSSHHostname, "ssh-hostname", "", "GitLab SSH hostname, to be used when the SSH host differs from the HTTPS one")
-	bootstrapGitLabCmd.Flags().StringVar(&glPath, "path", "", "repository path, when specified the cluster sync will be scoped to this path")
+	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.owner, "owner", "", "GitLab user or group name")
+	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.repository, "repository", "", "GitLab repository name")
+	bootstrapGitLabCmd.Flags().StringSliceVar(&gitlabArgs.teams, "team", []string{}, "GitLab teams to be given maintainer access (also accepts comma-separated values)")
+	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.personal, "personal", false, "if true, the owner is assumed to be a GitLab user; otherwise a group")
+	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.private, "private", true, "if true, the repository is setup or configured as private")
+	bootstrapGitLabCmd.Flags().DurationVar(&gitlabArgs.interval, "interval", time.Minute, "sync interval")
+	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.hostname, "hostname", glDefaultDomain, "GitLab hostname")
+	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
+	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
+	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")

 	bootstrapCmd.AddCommand(bootstrapGitLabCmd)
 }

 func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
-	glToken := os.Getenv(git.GitLabTokenName)
+	glToken := os.Getenv(glTokenEnvVar)
 	if glToken == "" {
-		return fmt.Errorf("%s environment variable not found", git.GitLabTokenName)
+		var err error
+		glToken, err = readPasswordFromStdin("Please enter your GitLab personal access token (PAT): ")
+		if err != nil {
+			return fmt.Errorf("could not read token: %w", err)
+		}
+	}
+
+	if projectNameIsValid, err := regexp.MatchString(gitlabProjectRegex, gitlabArgs.repository); err != nil || !projectNameIsValid {
+		if err == nil {
+			err = fmt.Errorf("%s is an invalid project name for gitlab.\nIt can contain only letters, digits, emojis, '_', '.', dash, space. It must start with letter, digit, emoji or '_'.", gitlabArgs.repository)
+		}
+		return err
 	}

 	if err := bootstrapValidate(); err != nil {
 		return err
 	}

-	repository, err := git.NewRepository(glRepository, glOwner, glHostname, glToken, "flux", glOwner+"@users.noreply.gitlab.com")
-	if err != nil {
-		return err
-	}
-
-	if glSSHHostname != "" {
-		repository.SSHHost = glSSHHostname
-	}
-
-	provider := &git.GitLabProvider{
-		IsPrivate:  glPrivate,
-		IsPersonal: glPersonal,
-	}
-
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
-	tmpDir, err := ioutil.TempDir("", namespace)
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(tmpDir)
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	// create GitLab project if doesn't exists
-	logger.Actionf("connecting to %s", glHostname)
-	changed, err := provider.CreateRepository(ctx, repository)
-	if err != nil {
-		return err
-	}
-	if changed {
-		logger.Successf("repository created")
-	}
-
-	// clone repository and checkout the master branch
-	if err := repository.Checkout(ctx, bootstrapBranch, tmpDir); err != nil {
-		return err
-	}
-	logger.Successf("repository cloned")
-
-	// generate install manifests
-	logger.Generatef("generating manifests")
-	manifest, err := generateInstallManifests(glPath, namespace, tmpDir, bootstrapManifestsPath)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

-	// stage install manifests
-	changed, err = repository.Commit(ctx, path.Join(glPath, namespace), "Add manifests")
+	// Manifest base
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+		bootstrapArgs.version = ver
+	}
+	manifestsBase, err := buildEmbeddedManifestBase()
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(manifestsBase)
+
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+
+	// Build GitLab provider
+	providerCfg := provider.Config{
+		Provider: provider.GitProviderGitLab,
+		Hostname: gitlabArgs.hostname,
+		Token:    glToken,
+		CaBundle: caBundle,
+	}
+	// Workaround for: https://github.com/fluxcd/go-git-providers/issues/55
+	if hostname := providerCfg.Hostname; hostname != glDefaultDomain &&
+		!strings.HasPrefix(hostname, "https://") &&
+		!strings.HasPrefix(hostname, "http://") {
+		providerCfg.Hostname = "https://" + providerCfg.Hostname
+	}
+	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}

-	// push install manifests
-	if changed {
-		if err := repository.Push(ctx); err != nil {
-			return err
-		}
-		logger.Successf("components manifests pushed")
-	} else {
-		logger.Successf("components are up to date")
+	// Lazy go-git repository
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
+	if err != nil {
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+	gitClient := gogit.New(tmpDir, &http.BasicAuth{
+		Username: gitlabArgs.owner,
+		Password: glToken,
+	})
+
+	// Install manifest config
+	installOptions := install.Options{
+		BaseURL:                rootArgs.defaults.BaseURL,
+		Version:                bootstrapArgs.version,
+		Namespace:              *kubeconfigArgs.Namespace,
+		Components:             bootstrapComponents(),
+		Registry:               bootstrapArgs.registry,
+		ImagePullSecret:        bootstrapArgs.imagePullSecret,
+		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
+		NetworkPolicy:          bootstrapArgs.networkPolicy,
+		LogLevel:               bootstrapArgs.logLevel.String(),
+		NotificationController: rootArgs.defaults.NotificationController,
+		ManifestFile:           rootArgs.defaults.ManifestFile,
+		Timeout:                rootArgs.timeout,
+		TargetPath:             gitlabArgs.path.ToSlash(),
+		ClusterDomain:          bootstrapArgs.clusterDomain,
+		TolerationKeys:         bootstrapArgs.tolerationKeys,
+	}
+	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
+		installOptions.BaseURL = customBaseURL
 	}

-	// determine if repo synchronization is working
-	isInstall := shouldInstallManifests(ctx, kubeClient, namespace)
-
-	if isInstall {
-		// apply install manifests
-		logger.Actionf("installing components in %s namespace", namespace)
-		if err := applyInstallManifests(ctx, manifest, bootstrapComponents); err != nil {
-			return err
-		}
-		logger.Successf("install completed")
+	// Source generation and secret config
+	secretOpts := sourcesecret.Options{
+		Name:         bootstrapArgs.secretName,
+		Namespace:    *kubeconfigArgs.Namespace,
+		TargetPath:   gitlabArgs.path.String(),
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
+	if bootstrapArgs.tokenAuth {
+		secretOpts.Username = "git"
+		secretOpts.Password = glToken

-	repoURL := repository.GetURL()
-
-	if bootstrapTokenAuth {
-		// setup HTTPS token auth
-		secret := corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      namespace,
-				Namespace: namespace,
-			},
-			StringData: map[string]string{
-				"username": "git",
-				"password": glToken,
-			},
-		}
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-			return err
+		if bootstrapArgs.caFile != "" {
+			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 	} else {
-		// setup SSH deploy key
-		repoURL = repository.GetSSH()
-		if shouldCreateDeployKey(ctx, kubeClient, namespace) {
-			logger.Actionf("configuring deploy key")
-			u, err := url.Parse(repoURL)
-			if err != nil {
-				return fmt.Errorf("git URL parse failed: %w", err)
-			}
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
+		secretOpts.SSHHostname = gitlabArgs.hostname

-			key, err := generateDeployKey(ctx, kubeClient, u, namespace)
-			if err != nil {
-				return fmt.Errorf("generating deploy key failed: %w", err)
-			}
-
-			keyName := "flux"
-			if glPath != "" {
-				keyName = fmt.Sprintf("flux-%s", glPath)
-			}
-
-			if changed, err := provider.AddDeployKey(ctx, repository, key, keyName); err != nil {
-				return err
-			} else if changed {
-				logger.Successf("deploy key configured")
-			}
+		if bootstrapArgs.privateKeyFile != "" {
+			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
+		}
+		if bootstrapArgs.sshHostname != "" {
+			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
 	}

-	// configure repo synchronization
-	logger.Actionf("generating sync manifests")
-	if err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, glPath, tmpDir, glInterval); err != nil {
+	// Sync manifest config
+	syncOpts := sync.Options{
+		Interval:          gitlabArgs.interval,
+		Name:              *kubeconfigArgs.Namespace,
+		Namespace:         *kubeconfigArgs.Namespace,
+		Branch:            bootstrapArgs.branch,
+		Secret:            bootstrapArgs.secretName,
+		TargetPath:        gitlabArgs.path.ToSlash(),
+		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		GitImplementation: sourceGitArgs.gitImplementation.String(),
+		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
+	}
+
+	// Bootstrap config
+	bootstrapOpts := []bootstrap.GitProviderOption{
+		bootstrap.WithProviderRepository(gitlabArgs.owner, gitlabArgs.repository, gitlabArgs.personal),
+		bootstrap.WithBranch(bootstrapArgs.branch),
+		bootstrap.WithBootstrapTransportType("https"),
+		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
+		bootstrap.WithProviderTeamPermissions(mapTeamSlice(gitlabArgs.teams, glDefaultPermission)),
+		bootstrap.WithReadWriteKeyPermissions(gitlabArgs.readWriteKey),
+		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
+		bootstrap.WithLogger(logger),
+		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+	}
+	if bootstrapArgs.sshHostname != "" {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
+	}
+	if bootstrapArgs.tokenAuth {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
+	}
+	if !gitlabArgs.private {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
+	}
+	if gitlabArgs.reconcile {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
+	}
+
+	// Setup bootstrapper with constructed configs
+	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
+	if err != nil {
 		return err
 	}

-	// commit and push manifests
-	if changed, err = repository.Commit(ctx, path.Join(glPath, namespace), "Add manifests"); err != nil {
-		return err
-	} else if changed {
-		if err := repository.Push(ctx); err != nil {
-			return err
-		}
-		logger.Successf("sync manifests pushed")
-	}
-
-	// apply manifests and waiting for sync
-	logger.Actionf("applying sync manifests")
-	if err := applySyncManifests(ctx, kubeClient, namespace, namespace, glPath, tmpDir); err != nil {
-		return err
-	}
-
-	logger.Successf("bootstrap finished")
-	return nil
+	// Run
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
--- a/cmd/flux/build.go
+++ b/cmd/flux/build.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var buildCmd = &cobra.Command{
+	Use:   "build",
+	Short: "Build a flux resource",
+	Long:  "The build command is used to build flux resources.",
+}
+
+func init() {
+	rootCmd.AddCommand(buildCmd)
+}
--- a/cmd/flux/build_artifact.go
+++ b/cmd/flux/build_artifact.go
@@ -0,0 +1,80 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	oci "github.com/fluxcd/pkg/oci/client"
+	"github.com/fluxcd/pkg/sourceignore"
+)
+
+var buildArtifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Build artifact",
+	Long:  `The build artifact command creates a tgz file with the manifests from the given directory.`,
+	Example: `  # Build the given manifests directory into an artifact
+  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
+
+  # List the files bundled in the artifact
+  tar -ztvf ./path/to/artifact.tgz
+`,
+	RunE: buildArtifactCmdRun,
+}
+
+type buildArtifactFlags struct {
+	output      string
+	path        string
+	ignorePaths []string
+}
+
+var excludeOCI = append(strings.Split(sourceignore.ExcludeVCS, ","), strings.Split(sourceignore.ExcludeExt, ",")...)
+
+var buildArtifactArgs buildArtifactFlags
+
+func init() {
+	buildArtifactCmd.Flags().StringVar(&buildArtifactArgs.path, "path", "", "Path to the directory where the Kubernetes manifests are located.")
+	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
+	buildArtifactCmd.Flags().StringSliceVar(&buildArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
+
+	buildCmd.AddCommand(buildArtifactCmd)
+}
+
+func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
+	if buildArtifactArgs.path == "" {
+		return fmt.Errorf("invalid path %q", buildArtifactArgs.path)
+	}
+
+	if fs, err := os.Stat(buildArtifactArgs.path); err != nil || !fs.IsDir() {
+		return fmt.Errorf("invalid path '%s', must point to an existing directory", buildArtifactArgs.path)
+	}
+
+	logger.Actionf("building artifact from %s", buildArtifactArgs.path)
+
+	ociClient := oci.NewLocalClient()
+	if err := ociClient.Build(buildArtifactArgs.output, buildArtifactArgs.path, buildArtifactArgs.ignorePaths); err != nil {
+		return fmt.Errorf("bulding artifact failed, error: %w", err)
+	}
+
+	logger.Successf("artifact created at %s", buildArtifactArgs.output)
+
+	return nil
+}
--- a/cmd/flux/build_kustomization.go
+++ b/cmd/flux/build_kustomization.go
@@ -0,0 +1,113 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/signal"
+
+	"github.com/spf13/cobra"
+
+	"github.com/fluxcd/flux2/internal/build"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+)
+
+var buildKsCmd = &cobra.Command{
+	Use:     "kustomization",
+	Aliases: []string{"ks"},
+	Short:   "Build Kustomization",
+	Long: `The build command queries the Kubernetes API and fetches the specified Flux Kustomization. 
+It then uses the fetched in cluster flux kustomization to perform needed transformation on the local kustomization.yaml
+pointed at by --path. The local kustomization.yaml is generated if it does not exist. Finally it builds the overlays using the local kustomization.yaml, and write the resulting multi-doc YAML to stdout.
+
+It is possible to specify a Flux kustomization file using --kustomization-file.`,
+	Example: `# Build the local manifests as they were built on the cluster
+flux build kustomization my-app --path ./path/to/local/manifests
+
+# Build using a local flux kustomization file
+flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml`,
+	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
+	RunE:              buildKsCmdRun,
+}
+
+type buildKsFlags struct {
+	kustomizationFile string
+	path              string
+}
+
+var buildKsArgs buildKsFlags
+
+func init() {
+	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.")
+	buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
+	buildCmd.AddCommand(buildKsCmd)
+}
+
+func buildKsCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("%s name is required", kustomizationType.humanKind)
+	}
+	name := args[0]
+
+	if buildKsArgs.path == "" {
+		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
+	}
+
+	if fs, err := os.Stat(buildKsArgs.path); err != nil || !fs.IsDir() {
+		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
+	}
+
+	if buildKsArgs.kustomizationFile != "" {
+		if fs, err := os.Stat(buildKsArgs.kustomizationFile); os.IsNotExist(err) || fs.IsDir() {
+			return fmt.Errorf("invalid kustomization file %q", buildKsArgs.kustomizationFile)
+		}
+	}
+
+	builder, err := build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, buildKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(buildKsArgs.kustomizationFile))
+	if err != nil {
+		return err
+	}
+
+	// create a signal channel
+	sigc := make(chan os.Signal, 1)
+	signal.Notify(sigc, os.Interrupt)
+
+	errChan := make(chan error)
+	go func() {
+		manifests, err := builder.Build()
+		if err != nil {
+			errChan <- err
+		}
+
+		cmd.Print(string(manifests))
+		errChan <- nil
+	}()
+
+	select {
+	case <-sigc:
+		fmt.Println("Build cancelled... exiting.")
+		return builder.Cancel()
+	case err := <-errChan:
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+
+}
--- a/cmd/flux/build_kustomization_test.go
+++ b/cmd/flux/build_kustomization_test.go
@@ -0,0 +1,190 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"bytes"
+	"os"
+	"testing"
+	"text/template"
+)
+
+func setup(t *testing.T, tmpl map[string]string) {
+	t.Helper()
+	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
+	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-kustomization.yaml", tmpl, t)
+}
+
+func TestBuildKustomization(t *testing.T) {
+	tests := []struct {
+		name       string
+		args       string
+		resultFile string
+		assertFunc string
+	}{
+		{
+			name:       "no args",
+			args:       "build kustomization podinfo",
+			resultFile: "invalid resource path \"\"",
+			assertFunc: "assertError",
+		},
+		{
+			name:       "build podinfo",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/podinfo",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build podinfo without service",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/delete-service",
+			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build deployment and configmap with var substitution",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/var-substitution",
+			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+	}
+
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setup(t, tmpl)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var assert assertFunc
+
+			switch tt.assertFunc {
+			case "assertGoldenTemplateFile":
+				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
+			case "assertError":
+				assert = assertError(tt.resultFile)
+			}
+
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: assert,
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}
+
+func TestBuildLocalKustomization(t *testing.T) {
+	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: podinfo
+  namespace: {{ .fluxns }}
+spec:
+  interval: 5m0s
+  path: ./kustomize
+  force: true
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: podinfo
+  targetNamespace: default
+  postBuild:
+    substitute:
+      cluster_env: "prod"
+      cluster_region: "eu-central-1"
+`
+
+	tests := []struct {
+		name       string
+		args       string
+		resultFile string
+		assertFunc string
+	}{
+		{
+			name:       "no args",
+			args:       "build kustomization podinfo --kustomization-file ./wrongfile/ --path ./testdata/build-kustomization/podinfo",
+			resultFile: "invalid kustomization file \"./wrongfile/\"",
+			assertFunc: "assertError",
+		},
+		{
+			name:       "build podinfo",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/podinfo",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build podinfo without service",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/delete-service",
+			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build deployment and configmap with var substitution",
+			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/var-substitution",
+			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+	}
+
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+
+	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
+
+	temp, err := template.New("podinfo").Parse(podinfo)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var b bytes.Buffer
+	err = temp.Execute(&b, tmpl)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = os.WriteFile("./testdata/build-kustomization/podinfo.yaml", b.Bytes(), 0666)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	defer os.Remove("./testdata/build-kustomization/podinfo.yaml")
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var assert assertFunc
+
+			switch tt.assertFunc {
+			case "assertGoldenTemplateFile":
+				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
+			case "assertError":
+				assert = assertError(tt.resultFile)
+			}
+
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: assert,
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -18,17 +18,22 @@ package main

 import (
 	"context"
-	"encoding/json"
 	"os"
-	"os/exec"
-	"strings"
+	"time"

-	"github.com/blang/semver/v4"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/Masterminds/semver/v3"
 	"github.com/spf13/cobra"
-	apimachineryversion "k8s.io/apimachinery/pkg/version"
+	v1 "k8s.io/api/apps/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/tools/clientcmd"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/version"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/status"
 )

 var checkCmd = &cobra.Command{
@@ -40,44 +45,46 @@ the local environment is configured correctly and if the installed components ar
  flux check --pre

  # Run installation checks
-  flux check
-`,
+  flux check`,
 	RunE: runCheckCmd,
 }

-var (
-	checkPre        bool
-	checkComponents []string
-)
-
-type kubectlVersion struct {
-	ClientVersion *apimachineryversion.Info `json:"clientVersion"`
+type checkFlags struct {
+	pre             bool
+	components      []string
+	extraComponents []string
+	pollInterval    time.Duration
 }

+var kubernetesConstraints = []string{
+	">=1.20.6-0",
+}
+
+var checkArgs checkFlags
+
 func init() {
-	checkCmd.Flags().BoolVarP(&checkPre, "pre", "", false,
+	checkCmd.Flags().BoolVarP(&checkArgs.pre, "pre", "", false,
 		"only run pre-installation checks")
-	checkCmd.Flags().StringSliceVar(&checkComponents, "components", defaults.Components,
+	checkCmd.Flags().StringSliceVar(&checkArgs.components, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
+	checkCmd.Flags().StringSliceVar(&checkArgs.extraComponents, "components-extra", nil,
+		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
+	checkCmd.Flags().DurationVar(&checkArgs.pollInterval, "poll-interval", 5*time.Second,
+		"how often the health checker should poll the cluster for the latest state of the resources.")
 	rootCmd.AddCommand(checkCmd)
 }

 func runCheckCmd(cmd *cobra.Command, args []string) error {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
 	logger.Actionf("checking prerequisites")
 	checkFailed := false

-	if !kubectlCheck(ctx, ">=1.18.0") {
+	fluxCheck()
+
+	if !kubernetesCheck(kubernetesConstraints) {
 		checkFailed = true
 	}

-	if !kubernetesCheck(">=1.16.0") {
-		checkFailed = true
-	}
-
-	if checkPre {
+	if checkArgs.pre {
 		if checkFailed {
 			os.Exit(1)
 		}
@@ -89,100 +96,158 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 	if !componentsCheck() {
 		checkFailed = true
 	}
+
+	logger.Actionf("checking crds")
+	if !crdsCheck() {
+		checkFailed = true
+	}
+
 	if checkFailed {
+		logger.Failuref("check failed")
 		os.Exit(1)
 	}
+
 	logger.Successf("all checks passed")
 	return nil
 }

-func kubectlCheck(ctx context.Context, version string) bool {
-	_, err := exec.LookPath("kubectl")
+func fluxCheck() {
+	curSv, err := version.ParseVersion(VERSION)
 	if err != nil {
-		logger.Failuref("kubectl not found")
-		return false
+		return
 	}
-
-	kubectlArgs := []string{"version", "--client", "--output", "json"}
-	output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...)
+	// Exclude development builds.
+	if curSv.Prerelease() != "" {
+		return
+	}
+	latest, err := install.GetLatestVersion()
 	if err != nil {
-		logger.Failuref("kubectl version can't be determined")
-		return false
+		return
 	}
-
-	kv := &kubectlVersion{}
-	if err = json.Unmarshal([]byte(output), kv); err != nil {
-		logger.Failuref("kubectl version output can't be unmarshaled")
-		return false
-	}
-
-	v, err := semver.ParseTolerant(kv.ClientVersion.GitVersion)
+	latestSv, err := version.ParseVersion(latest)
 	if err != nil {
-		logger.Failuref("kubectl version can't be parsed")
-		return false
+		return
 	}
-
-	rng, _ := semver.ParseRange(version)
-	if !rng(v) {
-		logger.Failuref("kubectl version must be %s", version)
-		return false
+	if latestSv.GreaterThan(curSv) {
+		logger.Failuref("flux %s <%s (new version is available, please upgrade)", curSv, latestSv)
 	}
-
-	logger.Successf("kubectl %s %s", v.String(), version)
-	return true
 }

-func kubernetesCheck(version string) bool {
-	cfg, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+func kubernetesCheck(constraints []string) bool {
+	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
 		return false
 	}

-	client, err := kubernetes.NewForConfig(cfg)
+	clientSet, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
 		return false
 	}

-	ver, err := client.Discovery().ServerVersion()
+	kv, err := clientSet.Discovery().ServerVersion()
 	if err != nil {
 		logger.Failuref("Kubernetes API call failed: %s", err.Error())
 		return false
 	}

-	v, err := semver.ParseTolerant(ver.String())
+	v, err := version.ParseVersion(kv.String())
 	if err != nil {
 		logger.Failuref("Kubernetes version can't be determined")
 		return false
 	}

-	rng, _ := semver.ParseRange(version)
-	if !rng(v) {
-		logger.Failuref("Kubernetes version must be %s", version)
+	var valid bool
+	var vrange string
+	for _, constraint := range constraints {
+		c, _ := semver.NewConstraint(constraint)
+		if c.Check(v) {
+			valid = true
+			vrange = constraint
+			break
+		}
+	}
+
+	if !valid {
+		logger.Failuref("Kubernetes version %s does not match %s", v.Original(), constraints[0])
 		return false
 	}

-	logger.Successf("Kubernetes %s %s", v.String(), version)
+	logger.Successf("Kubernetes %s %s", v.String(), vrange)
 	return true
 }

 func componentsCheck() bool {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

+	kubeConfig, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return false
+	}
+
+	statusChecker, err := status.NewStatusChecker(kubeConfig, checkArgs.pollInterval, rootArgs.timeout, logger)
+	if err != nil {
+		return false
+	}
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return false
+	}
+
 	ok := true
-	for _, deployment := range checkComponents {
-		kubectlArgs := []string{"-n", namespace, "rollout", "status", "deployment", deployment, "--timeout", timeout.String()}
-		if output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...); err != nil {
-			logger.Failuref("%s: %s", deployment, strings.TrimSuffix(output, "\n"))
-			ok = false
-		} else {
-			logger.Successf("%s is healthy", deployment)
+	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
+	var list v1.DeploymentList
+	ns := *kubeconfigArgs.Namespace
+	if err := kubeClient.List(ctx, &list, client.InNamespace(ns), selector); err == nil {
+		if len(list.Items) == 0 {
+			logger.Failuref("no controllers found in the '%s' namespace with the label selector '%s=%s'",
+				ns, manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
+			return false
 		}
-		kubectlArgs = []string{"-n", namespace, "get", "deployment", deployment, "-o", "jsonpath=\"{..image}\""}
-		if output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...); err == nil {
-			logger.Actionf(strings.TrimPrefix(strings.TrimSuffix(output, "\""), "\""))
+
+		for _, d := range list.Items {
+			if ref, err := buildComponentObjectRefs(d.Name); err == nil {
+				if err := statusChecker.Assess(ref...); err != nil {
+					ok = false
+				}
+			}
+			for _, c := range d.Spec.Template.Spec.Containers {
+				logger.Actionf(c.Image)
+			}
+		}
+	}
+	return ok
+}
+
+func crdsCheck() bool {
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return false
+	}
+
+	ok := true
+	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
+	var list apiextensionsv1.CustomResourceDefinitionList
+	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
+		if len(list.Items) == 0 {
+			logger.Failuref("no crds found with the label selector '%s=%s'",
+				manifestgen.PartOfLabelKey, manifestgen.PartOfLabelValue)
+			return false
+		}
+
+		for _, crd := range list.Items {
+			if len(crd.Status.StoredVersions) > 0 {
+				logger.Successf(crd.Name + "/" + crd.Status.StoredVersions[0])
+			} else {
+				ok = false
+				logger.Failuref("no stored versions for %s", crd.Name)
+			}
 		}
 	}
 	return ok
--- a/cmd/flux/check_test.go
+++ b/cmd/flux/check_test.go
@@ -0,0 +1,53 @@
+//go:build e2e
+// +build e2e
+
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"github.com/fluxcd/flux2/internal/utils"
+)
+
+func TestCheckPre(t *testing.T) {
+	jsonOutput, err := utils.ExecKubectlCommand(context.TODO(), utils.ModeCapture, *kubeconfigArgs.KubeConfig, *kubeconfigArgs.Context, "version", "--output", "json")
+	if err != nil {
+		t.Fatalf("Error running utils.ExecKubectlCommand: %v", err.Error())
+	}
+
+	var versions map[string]interface{}
+	if err := json.Unmarshal([]byte(jsonOutput), &versions); err != nil {
+		t.Fatalf("Error unmarshalling '%s': %v", jsonOutput, err.Error())
+	}
+
+	serverGitVersion := strings.TrimPrefix(
+		versions["serverVersion"].(map[string]interface{})["gitVersion"].(string),
+		"v")
+
+	cmd := cmdTestCase{
+		args: "check --pre",
+		assert: assertGoldenTemplateFile("testdata/check/check_pre.golden", map[string]string{
+			"serverVersion": serverGitVersion,
+		}),
+	}
+	cmd.runTestCmd(t)
+}
--- a/cmd/flux/completion.go
+++ b/cmd/flux/completion.go
@@ -17,7 +17,15 @@ limitations under the License.
 package main

 import (
+	"context"
+	"strings"
+
+	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
 )

 var completionCmd = &cobra.Command{
@@ -29,3 +37,76 @@ var completionCmd = &cobra.Command{
 func init() {
 	rootCmd.AddCommand(completionCmd)
 }
+
+func contextsCompletionFunc(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	rawConfig, err := kubeconfigArgs.ToRawKubeConfigLoader().RawConfig()
+	if err != nil {
+		return completionError(err)
+	}
+
+	var comps []string
+
+	for name := range rawConfig.Contexts {
+		if strings.HasPrefix(name, toComplete) {
+			comps = append(comps, name)
+		}
+	}
+
+	return comps, cobra.ShellCompDirectiveNoFileComp
+}
+
+func resourceNamesCompletionFunc(gvk schema.GroupVersionKind) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+		defer cancel()
+
+		cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
+		if err != nil {
+			return completionError(err)
+		}
+
+		mapper, err := kubeconfigArgs.ToRESTMapper()
+		if err != nil {
+			return completionError(err)
+		}
+
+		mapping, err := mapper.RESTMapping(gvk.GroupKind(), gvk.Version)
+		if err != nil {
+			return completionError(err)
+		}
+
+		client, err := dynamic.NewForConfig(cfg)
+		if err != nil {
+			return completionError(err)
+		}
+
+		var dr dynamic.ResourceInterface
+		if mapping.Scope.Name() == meta.RESTScopeNameNamespace {
+			dr = client.Resource(mapping.Resource).Namespace(*kubeconfigArgs.Namespace)
+		} else {
+			dr = client.Resource(mapping.Resource)
+		}
+
+		list, err := dr.List(ctx, metav1.ListOptions{})
+		if err != nil {
+			return completionError(err)
+		}
+
+		var comps []string
+
+		for _, item := range list.Items {
+			name := item.GetName()
+
+			if strings.HasPrefix(name, toComplete) {
+				comps = append(comps, name)
+			}
+		}
+
+		return comps, cobra.ShellCompDirectiveNoFileComp
+	}
+}
+
+func completionError(err error) ([]string, cobra.ShellCompDirective) {
+	cobra.CompError(err.Error())
+	return nil, cobra.ShellCompDirectiveError
+}
--- a/cmd/flux/completion_bash.go
+++ b/cmd/flux/completion_bash.go
@@ -32,8 +32,7 @@ var completionBashCmd = &cobra.Command{
 To configure your bash shell to load completions for each session add to your bashrc

 # ~/.bashrc or ~/.profile
-command -v flux >/dev/null && . <(flux completion bash)
-`,
+command -v flux >/dev/null && . <(flux completion bash)`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenBashCompletion(os.Stdout)
 	},
--- a/cmd/flux/completion_fish.go
+++ b/cmd/flux/completion_fish.go
@@ -25,16 +25,11 @@ import (
 var completionFishCmd = &cobra.Command{
 	Use:   "fish",
 	Short: "Generates fish completion scripts",
-	Example: `To load completion run
+	Example: `To configure your fish shell to load completions for each session write this script to your completions dir:

-. <(flux completion fish)
+flux completion fish > ~/.config/fish/completions/flux.fish

-To configure your fish shell to load completions for each session write this script to your completions dir:
-
-flux completion fish > ~/.config/fish/completions/flux
-
-See http://fishshell.com/docs/current/index.html#completion-own for more details
-`,
+See http://fishshell.com/docs/current/index.html#completion-own for more details`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenFishCompletion(os.Stdout, true)
 	},
--- a/cmd/flux/completion_powershell.go
+++ b/cmd/flux/completion_powershell.go
@@ -39,8 +39,7 @@ flux completion >> flux-completion.ps1
 Linux:

 cd "${XDG_CONFIG_HOME:-"$HOME/.config/"}/powershell/modules"
-flux completion >> flux-completions.ps1
-`,
+flux completion >> flux-completions.ps1`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenPowerShellCompletion(os.Stdout)
 	},
--- a/cmd/flux/completion_zsh.go
+++ b/cmd/flux/completion_zsh.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main

 import (
+	"fmt"
 	"os"

 	"github.com/spf13/cobra"
@@ -27,23 +28,24 @@ var completionZshCmd = &cobra.Command{
 	Short: "Generates zsh completion scripts",
 	Example: `To load completion run

-. <(flux completion zsh) && compdef _flux flux
+. <(flux completion zsh)

 To configure your zsh shell to load completions for each session add to your zshrc

 # ~/.zshrc or ~/.profile
-command -v flux >/dev/null && . <(flux completion zsh) && compdef _flux flux
+command -v flux >/dev/null && . <(flux completion zsh)

 or write a cached file in one of the completion directories in your ${fpath}:

 echo "${fpath// /\n}" | grep -i completion
-flux completions zsh > _flux
+flux completion zsh > _flux

 mv _flux ~/.oh-my-zsh/completions  # oh-my-zsh
-mv _flux ~/.zprezto/modules/completion/external/src/  # zprezto
-`,
+mv _flux ~/.zprezto/modules/completion/external/src/  # zprezto`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenZshCompletion(os.Stdout)
+		// Cobra doesn't source zsh completion file, explicitly doing it here
+		fmt.Println("compdef _flux flux")
 	},
 }

--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@@ -17,13 +17,20 @@ limitations under the License.
 package main

 import (
+	"context"
 	"fmt"
+	"regexp"
 	"strings"
 	"time"

-	"k8s.io/apimachinery/pkg/util/validation"
-
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var createCmd = &cobra.Command{
@@ -32,23 +39,109 @@ var createCmd = &cobra.Command{
 	Long:  "The create sub-commands generate sources and resources.",
 }

-var (
+type createFlags struct {
 	interval time.Duration
 	export   bool
 	labels   []string
-)
+}
+
+var createArgs createFlags

 func init() {
-	createCmd.PersistentFlags().DurationVarP(&interval, "interval", "", time.Minute, "source sync interval")
-	createCmd.PersistentFlags().BoolVar(&export, "export", false, "export in YAML format to stdout")
-	createCmd.PersistentFlags().StringSliceVar(&labels, "label", nil,
+	createCmd.PersistentFlags().DurationVarP(&createArgs.interval, "interval", "", time.Minute, "source sync interval")
+	createCmd.PersistentFlags().BoolVar(&createArgs.export, "export", false, "export in YAML format to stdout")
+	createCmd.PersistentFlags().StringSliceVar(&createArgs.labels, "label", nil,
 		"set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)")
+	createCmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 {
+			return fmt.Errorf("name is required")
+		}
+
+		name := args[0]
+		if !validateObjectName(name) {
+			return fmt.Errorf("name '%s' is invalid, it should adhere to standard defined in RFC 1123, the name can only contain alphanumeric characters or '-'", name)
+		}
+
+		return nil
+	}
 	rootCmd.AddCommand(createCmd)
 }

+// upsertable is an interface for values that can be used in `upsert`.
+type upsertable interface {
+	adapter
+	named
+}
+
+// upsert updates or inserts an object. Instead of providing the
+// object itself, you provide a named (as in Name and Namespace)
+// template value, and a mutate function which sets the values you
+// want to update. The mutate function is nullary -- you mutate a
+// value in the closure, e.g., by doing this:
+//
+//     var existing Value
+//     existing.Name = name
+//     existing.Namespace = ns
+//     upsert(ctx, client, valueAdapter{&value}, func() error {
+//       value.Spec = onePreparedEarlier
+//     })
+func (names apiType) upsert(ctx context.Context, kubeClient client.Client, object upsertable, mutate func() error) (types.NamespacedName, error) {
+	nsname := types.NamespacedName{
+		Namespace: object.GetNamespace(),
+		Name:      object.GetName(),
+	}
+
+	op, err := controllerutil.CreateOrUpdate(ctx, kubeClient, object.asClientObject(), mutate)
+	if err != nil {
+		return nsname, err
+	}
+
+	switch op {
+	case controllerutil.OperationResultCreated:
+		logger.Successf("%s created", names.kind)
+	case controllerutil.OperationResultUpdated:
+		logger.Successf("%s updated", names.kind)
+	}
+	return nsname, nil
+}
+
+type upsertWaitable interface {
+	upsertable
+	statusable
+}
+
+// upsertAndWait encodes the pattern of creating or updating a
+// resource, then waiting for it to reconcile. See the note on
+// `upsert` for how to work with the `mutate` argument.
+func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) error {
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions) // NB globals
+	if err != nil {
+		return err
+	}
+
+	logger.Generatef("generating %s", names.kind)
+	logger.Actionf("applying %s", names.kind)
+
+	namespacedName, err := imageRepositoryType.upsert(ctx, kubeClient, object, mutate)
+	if err != nil {
+		return err
+	}
+
+	logger.Waitingf("waiting for %s reconciliation", names.kind)
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
+		isReady(ctx, kubeClient, namespacedName, object)); err != nil {
+		return err
+	}
+	logger.Successf("%s reconciliation completed", names.kind)
+	return nil
+}
+
 func parseLabels() (map[string]string, error) {
 	result := make(map[string]string)
-	for _, label := range labels {
+	for _, label := range createArgs.labels {
 		// validate key value pair
 		parts := strings.Split(label, "=")
 		if len(parts) != 2 {
@@ -70,3 +163,8 @@ func parseLabels() (map[string]string, error) {

 	return result, nil
 }
+
+func validateObjectName(name string) bool {
+	r := regexp.MustCompile("^[a-z0-9]([a-z0-9\\-]){0,61}[a-z0-9]$")
+	return r.MatchString(name)
+}
--- a/cmd/flux/create_alert.go
+++ b/cmd/flux/create_alert.go
@@ -20,11 +20,7 @@ import (
 	"context"
 	"fmt"

-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/pkg/apis/meta"
-
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -33,6 +29,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	"github.com/fluxcd/pkg/apis/meta"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var createAlertCmd = &cobra.Command{
@@ -44,44 +43,43 @@ var createAlertCmd = &cobra.Command{
  --event-severity info \
  --event-source Kustomization/flux-system \
  --provider-ref slack \
-  flux-system
-`,
+  flux-system`,
 	RunE: createAlertCmdRun,
 }

-var (
-	aProviderRef   string
-	aEventSeverity string
-	aEventSources  []string
-)
+type alertFlags struct {
+	providerRef   string
+	eventSeverity string
+	eventSources  []string
+}
+
+var alertArgs alertFlags

 func init() {
-	createAlertCmd.Flags().StringVar(&aProviderRef, "provider-ref", "", "reference to provider")
-	createAlertCmd.Flags().StringVar(&aEventSeverity, "event-severity", "", "severity of events to send alerts for")
-	createAlertCmd.Flags().StringArrayVar(&aEventSources, "event-source", []string{}, "sources that should generate alerts (<kind>/<name>)")
+	createAlertCmd.Flags().StringVar(&alertArgs.providerRef, "provider-ref", "", "reference to provider")
+	createAlertCmd.Flags().StringVar(&alertArgs.eventSeverity, "event-severity", "", "severity of events to send alerts for")
+	createAlertCmd.Flags().StringSliceVar(&alertArgs.eventSources, "event-source", []string{}, "sources that should generate alerts (<kind>/<name>), also accepts comma-separated values")
 	createCmd.AddCommand(createAlertCmd)
 }

 func createAlertCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Alert name is required")
-	}
 	name := args[0]

-	if aProviderRef == "" {
+	if alertArgs.providerRef == "" {
 		return fmt.Errorf("provider ref is required")
 	}

 	eventSources := []notificationv1.CrossNamespaceObjectReference{}
-	for _, eventSource := range aEventSources {
-		kind, name := utils.ParseObjectKindName(eventSource)
+	for _, eventSource := range alertArgs.eventSources {
+		kind, name, namespace := utils.ParseObjectKindNameNamespace(eventSource)
 		if kind == "" {
 			return fmt.Errorf("invalid event source '%s', must be in format <kind>/<name>", eventSource)
 		}

 		eventSources = append(eventSources, notificationv1.CrossNamespaceObjectReference{
-			Kind: kind,
-			Name: name,
+			Kind:      kind,
+			Name:      name,
+			Namespace: namespace,
 		})
 	}

@@ -94,34 +92,34 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Alert")
 	}

 	alert := notificationv1.Alert{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.AlertSpec{
-			ProviderRef: corev1.LocalObjectReference{
-				Name: aProviderRef,
+			ProviderRef: meta.LocalObjectReference{
+				Name: alertArgs.providerRef,
 			},
-			EventSeverity: aEventSeverity,
+			EventSeverity: alertArgs.eventSeverity,
 			EventSources:  eventSources,
 			Suspend:       false,
 		},
 	}

-	if export {
-		return exportAlert(alert)
+	if createArgs.export {
+		return printExport(exportAlert(&alert))
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -133,7 +131,7 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for Alert reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isAlertReady(ctx, kubeClient, namespacedName, &alert)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_alertprovider.go
+++ b/cmd/flux/create_alertprovider.go
@@ -21,7 +21,6 @@ import (
 	"fmt"

 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -29,9 +28,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var createAlertProviderCmd = &cobra.Command{
@@ -49,35 +49,33 @@ var createAlertProviderCmd = &cobra.Command{
  flux create alert-provider github-podinfo \
  --type github \
  --address https://github.com/stefanprodan/podinfo \
-  --secret-ref github-token
-`,
+  --secret-ref github-token`,
 	RunE: createAlertProviderCmdRun,
 }

-var (
-	apType      string
-	apChannel   string
-	apUsername  string
-	apAddress   string
-	apSecretRef string
-)
+type alertProviderFlags struct {
+	alertType string
+	channel   string
+	username  string
+	address   string
+	secretRef string
+}
+
+var alertProviderArgs alertProviderFlags

 func init() {
-	createAlertProviderCmd.Flags().StringVar(&apType, "type", "", "type of provider")
-	createAlertProviderCmd.Flags().StringVar(&apChannel, "channel", "", "channel to send messages to in the case of a chat provider")
-	createAlertProviderCmd.Flags().StringVar(&apUsername, "username", "", "bot username used by the provider")
-	createAlertProviderCmd.Flags().StringVar(&apAddress, "address", "", "path to either the git repository, chat provider or webhook")
-	createAlertProviderCmd.Flags().StringVar(&apSecretRef, "secret-ref", "", "name of secret containing authentication token")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.alertType, "type", "", "type of provider")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.channel, "channel", "", "channel to send messages to in the case of a chat provider")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.username, "username", "", "bot username used by the provider")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.address, "address", "", "path to either the git repository, chat provider or webhook")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.secretRef, "secret-ref", "", "name of secret containing authentication token")
 	createCmd.AddCommand(createAlertProviderCmd)
 }

 func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Provider name is required")
-	}
 	name := args[0]

-	if apType == "" {
+	if alertProviderArgs.alertType == "" {
 		return fmt.Errorf("Provider type is required")
 	}

@@ -86,38 +84,38 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Provider")
 	}

 	provider := notificationv1.Provider{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.ProviderSpec{
-			Type:     apType,
-			Channel:  apChannel,
-			Username: apUsername,
-			Address:  apAddress,
+			Type:     alertProviderArgs.alertType,
+			Channel:  alertProviderArgs.channel,
+			Username: alertProviderArgs.username,
+			Address:  alertProviderArgs.address,
 		},
 	}

-	if apSecretRef != "" {
-		provider.Spec.SecretRef = &corev1.LocalObjectReference{
-			Name: apSecretRef,
+	if alertProviderArgs.secretRef != "" {
+		provider.Spec.SecretRef = &meta.LocalObjectReference{
+			Name: alertProviderArgs.secretRef,
 		}
 	}

-	if export {
-		return exportAlertProvider(provider)
+	if createArgs.export {
+		return printExport(exportAlertProvider(&provider))
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -129,7 +127,7 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for Provider reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isAlertProviderReady(ctx, kubeClient, namespacedName, &provider)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@@ -18,12 +18,16 @@ package main

 import (
 	"context"
+	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
+	"strings"
+	"time"

 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/transform"

 	"github.com/spf13/cobra"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -62,11 +66,12 @@ var createHelmReleaseCmd = &cobra.Command{
    --source=Bucket/podinfo \
    --chart=./charts/podinfo

-  # Create a HelmRelease with values from a local YAML file
+  # Create a HelmRelease with values from local YAML files
  flux create hr podinfo \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
-    --values=./my-values.yaml
+    --values=./my-values1.yaml \
+    --values=./my-values2.yaml

  # Create a HelmRelease with values from a Kubernetes secret
  kubectl -n app create secret generic my-secret-values \
@@ -84,50 +89,69 @@ var createHelmReleaseCmd = &cobra.Command{

  # Create a HelmRelease targeting another namespace than the resource
  flux create hr podinfo \
-    --target-namespace=default \
+    --target-namespace=test \
+    --create-target-namespace=true \
    --source=HelmRepository/podinfo \
    --chart=podinfo

+  # Create a HelmRelease using a source from a different namespace
+  flux create hr podinfo \
+    --namespace=default \
+    --source=HelmRepository/podinfo.flux-system \
+    --chart=podinfo
+
  # Create a HelmRelease definition on disk without applying it on the cluster
  flux create hr podinfo \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --values=./values.yaml \
-    --export > podinfo-release.yaml
-`,
+    --export > podinfo-release.yaml`,
 	RunE: createHelmReleaseCmdRun,
 }

-var (
-	hrName            string
-	hrSource          flags.HelmChartSource
-	hrDependsOn       []string
-	hrChart           string
-	hrChartVersion    string
-	hrTargetNamespace string
-	hrValuesFile      string
-	hrValuesFrom      flags.HelmReleaseValuesFrom
-)
+type helmReleaseFlags struct {
+	name                string
+	source              flags.HelmChartSource
+	dependsOn           []string
+	chart               string
+	chartVersion        string
+	targetNamespace     string
+	createNamespace     bool
+	valuesFiles         []string
+	valuesFrom          []string
+	saName              string
+	crds                flags.CRDsPolicy
+	reconcileStrategy   string
+	chartInterval       time.Duration
+	kubeConfigSecretRef string
+}
+
+var helmReleaseArgs helmReleaseFlags
+
+var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}

 func init() {
-	createHelmReleaseCmd.Flags().StringVar(&hrName, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
-	createHelmReleaseCmd.Flags().Var(&hrSource, "source", hrSource.Description())
-	createHelmReleaseCmd.Flags().StringVar(&hrChart, "chart", "", "Helm chart name or path")
-	createHelmReleaseCmd.Flags().StringVar(&hrChartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
-	createHelmReleaseCmd.Flags().StringArrayVar(&hrDependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
-	createHelmReleaseCmd.Flags().StringVar(&hrTargetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
-	createHelmReleaseCmd.Flags().StringVar(&hrValuesFile, "values", "", "local path to the values.yaml file")
-	createHelmReleaseCmd.Flags().Var(&hrValuesFrom, "values-from", hrValuesFrom.Description())
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
+	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.source, "source", helmReleaseArgs.source.Description())
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chart, "chart", "", "Helm chart name or path")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
+	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
+	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart created by the helm release(accepted values: Revision and ChartRevision)")
+	createHelmReleaseCmd.Flags().DurationVarP(&helmReleaseArgs.chartInterval, "chart-interval", "", 0, "the interval of which to check for new chart versions")
+	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
+	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFrom, "values-from", nil, "a Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>', where kind must be one of: (Secret,ConfigMap)")
+	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.crds, "crds", helmReleaseArgs.crds.Description())
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createCmd.AddCommand(createHelmReleaseCmd)
 }

 func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("HelmRelease name is required")
-	}
 	name := args[0]

-	if hrChart == "" {
+	if helmReleaseArgs.chart == "" {
 		return fmt.Errorf("chart name or path is required")
 	}

@@ -136,66 +160,138 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating HelmRelease")
 	}

+	if !validateStrategy(helmReleaseArgs.reconcileStrategy) {
+		return fmt.Errorf("'%s' is an invalid reconcile strategy(valid: Revision, ChartVersion)",
+			helmReleaseArgs.reconcileStrategy)
+	}
+
 	helmRelease := helmv2.HelmRelease{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: helmv2.HelmReleaseSpec{
-			ReleaseName: hrName,
-			DependsOn:   utils.MakeDependsOn(hrDependsOn),
+			ReleaseName: helmReleaseArgs.name,
+			DependsOn:   utils.MakeDependsOn(helmReleaseArgs.dependsOn),
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
-			TargetNamespace: hrTargetNamespace,
+			TargetNamespace: helmReleaseArgs.targetNamespace,
+
 			Chart: helmv2.HelmChartTemplate{
 				Spec: helmv2.HelmChartTemplateSpec{
-					Chart:   hrChart,
-					Version: hrChartVersion,
+					Chart:   helmReleaseArgs.chart,
+					Version: helmReleaseArgs.chartVersion,
 					SourceRef: helmv2.CrossNamespaceObjectReference{
-						Kind: hrSource.Kind,
-						Name: hrSource.Name,
+						Kind:      helmReleaseArgs.source.Kind,
+						Name:      helmReleaseArgs.source.Name,
+						Namespace: helmReleaseArgs.source.Namespace,
 					},
+					ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
 				},
 			},
 			Suspend: false,
 		},
 	}

-	if hrValuesFile != "" {
-		data, err := ioutil.ReadFile(hrValuesFile)
-		if err != nil {
-			return fmt.Errorf("reading values from %s failed: %w", hrValuesFile, err)
+	if helmReleaseArgs.kubeConfigSecretRef != "" {
+		helmRelease.Spec.KubeConfig = &helmv2.KubeConfig{
+			SecretRef: meta.SecretKeyReference{
+				Name: helmReleaseArgs.kubeConfigSecretRef,
+			},
+		}
+	}
+
+	if helmReleaseArgs.chartInterval != 0 {
+		helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
+			Duration: helmReleaseArgs.chartInterval,
+		}
+	}
+
+	if helmReleaseArgs.createNamespace {
+		if helmRelease.Spec.Install == nil {
+			helmRelease.Spec.Install = &helmv2.Install{}
 		}

-		json, err := yaml.YAMLToJSON(data)
-		if err != nil {
-			return fmt.Errorf("converting values to JSON from %s failed: %w", hrValuesFile, err)
+		helmRelease.Spec.Install.CreateNamespace = helmReleaseArgs.createNamespace
+	}
+
+	if helmReleaseArgs.saName != "" {
+		helmRelease.Spec.ServiceAccountName = helmReleaseArgs.saName
+	}
+
+	if helmReleaseArgs.crds != "" {
+		if helmRelease.Spec.Install == nil {
+			helmRelease.Spec.Install = &helmv2.Install{}
 		}

-		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: json}
+		helmRelease.Spec.Install.CRDs = helmv2.Create
+		helmRelease.Spec.Upgrade = &helmv2.Upgrade{CRDs: helmv2.CRDsPolicy(helmReleaseArgs.crds.String())}
 	}

-	if hrValuesFrom.String() != "" {
-		helmRelease.Spec.ValuesFrom = []helmv2.ValuesReference{{
-			Kind: hrValuesFrom.Kind,
-			Name: hrValuesFrom.Name,
-		}}
+	if len(helmReleaseArgs.valuesFiles) > 0 {
+		valuesMap := make(map[string]interface{})
+		for _, v := range helmReleaseArgs.valuesFiles {
+			data, err := os.ReadFile(v)
+			if err != nil {
+				return fmt.Errorf("reading values from %s failed: %w", v, err)
+			}
+
+			jsonBytes, err := yaml.YAMLToJSON(data)
+			if err != nil {
+				return fmt.Errorf("converting values to JSON from %s failed: %w", v, err)
+			}
+
+			jsonMap := make(map[string]interface{})
+			if err := json.Unmarshal(jsonBytes, &jsonMap); err != nil {
+				return fmt.Errorf("unmarshaling values from %s failed: %w", v, err)
+			}
+
+			valuesMap = transform.MergeMaps(valuesMap, jsonMap)
+		}
+
+		jsonRaw, err := json.Marshal(valuesMap)
+		if err != nil {
+			return fmt.Errorf("marshaling values failed: %w", err)
+		}
+
+		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: jsonRaw}
 	}

-	if export {
-		return exportHelmRelease(helmRelease)
+	if len(helmReleaseArgs.valuesFrom) != 0 {
+		values := []helmv2.ValuesReference{}
+		for _, value := range helmReleaseArgs.valuesFrom {
+			sourceKind, sourceName := utils.ParseObjectKindName(value)
+			if sourceKind == "" {
+				return fmt.Errorf("invalid Kubernetes object reference '%s', must be in format <kind>/<name>", value)
+			}
+			cleanSourceKind, ok := utils.ContainsEqualFoldItemString(supportedHelmReleaseValuesFromKinds, sourceKind)
+			if !ok {
+				return fmt.Errorf("reference kind '%s' is not supported, must be one of: %s",
+					sourceKind, strings.Join(supportedHelmReleaseValuesFromKinds, ", "))
+			}
+
+			values = append(values, helmv2.ValuesReference{
+				Name: sourceName,
+				Kind: cleanSourceKind,
+			})
+		}
+		helmRelease.Spec.ValuesFrom = values
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	if createArgs.export {
+		return printExport(exportHelmRelease(&helmRelease))
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -207,7 +303,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for HelmRelease reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isHelmReleaseReady(ctx, kubeClient, namespacedName, &helmRelease)); err != nil {
 		return err
 	}
@@ -264,3 +360,15 @@ func isHelmReleaseReady(ctx context.Context, kubeClient client.Client,
 		return apimeta.IsStatusConditionTrue(helmRelease.Status.Conditions, meta.ReadyCondition), nil
 	}
 }
+
+func validateStrategy(input string) bool {
+	allowedStrategy := []string{"Revision", "ChartVersion"}
+
+	for _, strategy := range allowedStrategy {
+		if strategy == input {
+			return true
+		}
+	}
+
+	return false
+}
--- a/cmd/flux/create_image.go
+++ b/cmd/flux/create_image.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+const createImageLong = `The create image sub-commands work with image automation objects; that is,
+object controlling updates to git based on e.g., new container images
+being available.`
+
+var createImageCmd = &cobra.Command{
+	Use:   "image",
+	Short: "Create or update resources dealing with image automation",
+	Long:  createImageLong,
+}
+
+func init() {
+	createCmd.AddCommand(createImageCmd)
+}
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@@ -0,0 +1,260 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"regexp/syntax"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/apis/meta"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
+)
+
+var createImagePolicyCmd = &cobra.Command{
+	Use:   "policy [name]",
+	Short: "Create or update an ImagePolicy object",
+	Long: `The create image policy command generates an ImagePolicy resource.
+An ImagePolicy object calculates a "latest image" given an image
+repository and a policy, e.g., semver.
+
+The image that sorts highest according to the policy is recorded in
+the status of the object.`,
+	Example: `  # Create an ImagePolicy to select the latest stable release
+  flux create image policy podinfo \
+    --image-ref=podinfo \
+    --select-semver=">=1.0.0"
+
+  # Create an ImagePolicy to select the latest main branch build tagged as "${GIT_BRANCH}-${GIT_SHA:0:7}-$(date +%s)"
+  flux create image policy podinfo \
+    --image-ref=podinfo \
+    --select-numeric=asc \
+	--filter-regex='^main-[a-f0-9]+-(?P<ts>[0-9]+)' \
+	--filter-extract='$ts'`,
+	RunE: createImagePolicyRun}
+
+type imagePolicyFlags struct {
+	imageRef        string
+	semver          string
+	alpha           string
+	numeric         string
+	filterRegex     string
+	filterExtract   string
+	filterNumerical string
+}
+
+var imagePolicyArgs = imagePolicyFlags{}
+
+func init() {
+	flags := createImagePolicyCmd.Flags()
+	flags.StringVar(&imagePolicyArgs.imageRef, "image-ref", "", "the name of an image repository object")
+	flags.StringVar(&imagePolicyArgs.semver, "select-semver", "", "a semver range to apply to tags; e.g., '1.x'")
+	flags.StringVar(&imagePolicyArgs.alpha, "select-alpha", "", "use alphabetical sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
+	flags.StringVar(&imagePolicyArgs.numeric, "select-numeric", "", "use numeric sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
+	flags.StringVar(&imagePolicyArgs.filterRegex, "filter-regex", "", "regular expression pattern used to filter the image tags")
+	flags.StringVar(&imagePolicyArgs.filterExtract, "filter-extract", "", "replacement pattern (using capture groups from --filter-regex) to use for sorting")
+
+	createImageCmd.AddCommand(createImagePolicyCmd)
+}
+
+// getObservedGeneration is implemented here, since it's not
+// (presently) needed elsewhere.
+func (obj imagePolicyAdapter) getObservedGeneration() int64 {
+	return obj.ImagePolicy.Status.ObservedGeneration
+}
+
+func createImagePolicyRun(cmd *cobra.Command, args []string) error {
+	objectName := args[0]
+
+	if imagePolicyArgs.imageRef == "" {
+		return fmt.Errorf("the name of an ImageRepository in the namespace is required (--image-ref)")
+	}
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	var policy = imagev1.ImagePolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      objectName,
+			Namespace: *kubeconfigArgs.Namespace,
+			Labels:    labels,
+		},
+		Spec: imagev1.ImagePolicySpec{
+			ImageRepositoryRef: meta.NamespacedObjectReference{
+				Name: imagePolicyArgs.imageRef,
+			},
+		},
+	}
+
+	switch {
+	case imagePolicyArgs.semver != "" && imagePolicyArgs.alpha != "":
+	case imagePolicyArgs.semver != "" && imagePolicyArgs.numeric != "":
+	case imagePolicyArgs.alpha != "" && imagePolicyArgs.numeric != "":
+		return fmt.Errorf("only one of --select-semver, --select-alpha or --select-numeric can be specified")
+	case imagePolicyArgs.semver != "":
+		policy.Spec.Policy.SemVer = &imagev1.SemVerPolicy{
+			Range: imagePolicyArgs.semver,
+		}
+	case imagePolicyArgs.alpha != "":
+		if imagePolicyArgs.alpha != "desc" && imagePolicyArgs.alpha != "asc" {
+			return fmt.Errorf("--select-alpha must be one of [\"asc\", \"desc\"]")
+		}
+		policy.Spec.Policy.Alphabetical = &imagev1.AlphabeticalPolicy{
+			Order: imagePolicyArgs.alpha,
+		}
+	case imagePolicyArgs.numeric != "":
+		if imagePolicyArgs.numeric != "desc" && imagePolicyArgs.numeric != "asc" {
+			return fmt.Errorf("--select-numeric must be one of [\"asc\", \"desc\"]")
+		}
+		policy.Spec.Policy.Numerical = &imagev1.NumericalPolicy{
+			Order: imagePolicyArgs.numeric,
+		}
+	default:
+		return fmt.Errorf("a policy must be provided with either --select-semver or --select-alpha")
+	}
+
+	if imagePolicyArgs.filterRegex != "" {
+		exp, err := syntax.Parse(imagePolicyArgs.filterRegex, syntax.Perl)
+		if err != nil {
+			return fmt.Errorf("--filter-regex is an invalid regex pattern")
+		}
+		policy.Spec.FilterTags = &imagev1.TagFilter{
+			Pattern: imagePolicyArgs.filterRegex,
+		}
+
+		if imagePolicyArgs.filterExtract != "" {
+			if err := validateExtractStr(imagePolicyArgs.filterExtract, exp.CapNames()); err != nil {
+				return err
+			}
+			policy.Spec.FilterTags.Extract = imagePolicyArgs.filterExtract
+		}
+	} else if imagePolicyArgs.filterExtract != "" {
+		return fmt.Errorf("cannot specify --filter-extract without specifying --filter-regex")
+	}
+
+	if createArgs.export {
+		return printExport(exportImagePolicy(&policy))
+	}
+
+	var existing imagev1.ImagePolicy
+	copyName(&existing, &policy)
+	err = imagePolicyType.upsertAndWait(imagePolicyAdapter{&existing}, func() error {
+		existing.Spec = policy.Spec
+		existing.SetLabels(policy.Labels)
+		return nil
+	})
+	return err
+}
+
+// Performs a dry-run of the extract function in Regexp to validate the template
+func validateExtractStr(template string, capNames []string) error {
+	for len(template) > 0 {
+		i := strings.Index(template, "$")
+		if i < 0 {
+			return nil
+		}
+		template = template[i:]
+		if len(template) > 1 && template[1] == '$' {
+			template = template[2:]
+			continue
+		}
+		name, num, rest, ok := extract(template)
+		if !ok {
+			// Malformed extract string, assume user didn't want this
+			template = template[1:]
+			return fmt.Errorf("--filter-extract is malformed")
+		}
+		template = rest
+		if num >= 0 {
+			// we won't worry about numbers as we can't validate these
+			continue
+		} else {
+			found := false
+			for _, capName := range capNames {
+				if name == capName {
+					found = true
+				}
+			}
+			if !found {
+				return fmt.Errorf("capture group $%s used in --filter-extract not found in --filter-regex", name)
+			}
+		}
+
+	}
+	return nil
+}
+
+// extract method from the regexp package
+// returns the name or number of the value prepended by $
+func extract(str string) (name string, num int, rest string, ok bool) {
+	if len(str) < 2 || str[0] != '$' {
+		return
+	}
+	brace := false
+	if str[1] == '{' {
+		brace = true
+		str = str[2:]
+	} else {
+		str = str[1:]
+	}
+	i := 0
+	for i < len(str) {
+		rune, size := utf8.DecodeRuneInString(str[i:])
+		if !unicode.IsLetter(rune) && !unicode.IsDigit(rune) && rune != '_' {
+			break
+		}
+		i += size
+	}
+	if i == 0 {
+		// empty name is not okay
+		return
+	}
+	name = str[:i]
+	if brace {
+		if i >= len(str) || str[i] != '}' {
+			// missing closing brace
+			return
+		}
+		i++
+	}
+
+	// Parse number.
+	num = 0
+	for i := 0; i < len(name); i++ {
+		if name[i] < '0' || '9' < name[i] || num >= 1e8 {
+			num = -1
+			break
+		}
+		num = num*10 + int(name[i]) - '0'
+	}
+	// Disallow leading zeros.
+	if name[0] == '0' && len(name) > 1 {
+		num = -1
+	}
+
+	rest = str[i:]
+	ok = true
+	return
+}
--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@@ -0,0 +1,139 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/apis/meta"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
+)
+
+var createImageRepositoryCmd = &cobra.Command{
+	Use:   "repository [name]",
+	Short: "Create or update an ImageRepository object",
+	Long: `The create image repository command generates an ImageRepository resource.
+An ImageRepository object specifies an image repository to scan.`,
+	Example: `  # Create an ImageRepository object to scan the alpine image repository:
+  flux create image repository alpine-repo --image alpine --interval 20m
+
+  # Create an image repository that uses an image pull secret (assumed to
+  # have been created already):
+  flux create image repository myapp-repo \
+    --secret-ref image-pull \
+    --image ghcr.io/example.com/myapp --interval 5m
+
+  # Create a TLS secret for a local image registry using a self-signed
+  # host certificate, and use it to scan an image. ca.pem is a file
+  # containing the CA certificate used to sign the host certificate.
+  flux create secret tls local-registry-cert --ca-file ./ca.pem
+  flux create image repository app-repo \
+    --cert-secret-ref local-registry-cert \
+    --image local-registry:5000/app --interval 5m
+
+  # Create a TLS secret with a client certificate and key, and use it
+  # to scan a private image registry.
+  flux create secret tls client-cert \
+    --cert-file client.crt --key-file client.key
+  flux create image repository app-repo \
+    --cert-secret-ref client-cert \
+    --image registry.example.com/private/app --interval 5m`,
+	RunE: createImageRepositoryRun,
+}
+
+type imageRepoFlags struct {
+	image         string
+	secretRef     string
+	certSecretRef string
+	timeout       time.Duration
+}
+
+var imageRepoArgs = imageRepoFlags{}
+
+func init() {
+	flags := createImageRepositoryCmd.Flags()
+	flags.StringVar(&imageRepoArgs.image, "image", "", "the image repository to scan; e.g., library/alpine")
+	flags.StringVar(&imageRepoArgs.secretRef, "secret-ref", "", "the name of a docker-registry secret to use for credentials")
+	flags.StringVar(&imageRepoArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
+	// NB there is already a --timeout in the global flags, for
+	// controlling timeout on operations while e.g., creating objects.
+	flags.DurationVar(&imageRepoArgs.timeout, "scan-timeout", 0, "a timeout for scanning; this defaults to the interval if not set")
+
+	createImageCmd.AddCommand(createImageRepositoryCmd)
+}
+
+func createImageRepositoryRun(cmd *cobra.Command, args []string) error {
+	objectName := args[0]
+
+	if imageRepoArgs.image == "" {
+		return fmt.Errorf("an image repository (--image) is required")
+	}
+
+	if _, err := name.NewRepository(imageRepoArgs.image); err != nil {
+		return fmt.Errorf("unable to parse image value: %w", err)
+	}
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	var repo = imagev1.ImageRepository{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      objectName,
+			Namespace: *kubeconfigArgs.Namespace,
+			Labels:    labels,
+		},
+		Spec: imagev1.ImageRepositorySpec{
+			Image:    imageRepoArgs.image,
+			Interval: metav1.Duration{Duration: createArgs.interval},
+		},
+	}
+	if imageRepoArgs.timeout != 0 {
+		repo.Spec.Timeout = &metav1.Duration{Duration: imageRepoArgs.timeout}
+	}
+	if imageRepoArgs.secretRef != "" {
+		repo.Spec.SecretRef = &meta.LocalObjectReference{
+			Name: imageRepoArgs.secretRef,
+		}
+	}
+	if imageRepoArgs.certSecretRef != "" {
+		repo.Spec.CertSecretRef = &meta.LocalObjectReference{
+			Name: imageRepoArgs.certSecretRef,
+		}
+	}
+
+	if createArgs.export {
+		return printExport(exportImageRepository(&repo))
+	}
+
+	// a temp value for use with the rest
+	var existing imagev1.ImageRepository
+	copyName(&existing, &repo)
+	err = imageRepositoryType.upsertAndWait(imageRepositoryAdapter{&existing}, func() error {
+		existing.Spec = repo.Spec
+		existing.Labels = repo.Labels
+		return nil
+	})
+	return err
+}
--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@@ -0,0 +1,178 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+)
+
+var createImageUpdateCmd = &cobra.Command{
+	Use:   "update [name]",
+	Short: "Create or update an ImageUpdateAutomation object",
+	Long: `The create image update command generates an ImageUpdateAutomation resource.
+An ImageUpdateAutomation object specifies an automated update to images
+mentioned in YAMLs in a git repository.`,
+	Example: `  # Configure image updates for the main repository created by flux bootstrap
+  flux create image update flux-system \
+    --git-repo-ref=flux-system \
+    --git-repo-path="./clusters/my-cluster" \
+    --checkout-branch=main \
+    --author-name=flux \
+    --author-email=flux@example.com \
+    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
+
+  # Configure image updates to push changes to a different branch, if the branch doesn't exists it will be created
+  flux create image update flux-system \
+    --git-repo-ref=flux-system \
+    --git-repo-path="./clusters/my-cluster" \
+    --checkout-branch=main \
+    --push-branch=image-updates \
+    --author-name=flux \
+    --author-email=flux@example.com \
+    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
+
+  # Configure image updates for a Git repository in a different namespace
+  flux create image update apps \
+    --namespace=apps \
+    --git-repo-ref=flux-system \
+    --git-repo-namespace=flux-system \
+    --git-repo-path="./clusters/my-cluster" \
+    --checkout-branch=main \
+    --push-branch=image-updates \
+    --author-name=flux \
+    --author-email=flux@example.com \
+    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
+`,
+	RunE: createImageUpdateRun,
+}
+
+type imageUpdateFlags struct {
+	gitRepoName      string
+	gitRepoNamespace string
+	gitRepoPath      string
+	checkoutBranch   string
+	pushBranch       string
+	commitTemplate   string
+	authorName       string
+	authorEmail      string
+}
+
+var imageUpdateArgs = imageUpdateFlags{}
+
+func init() {
+	flags := createImageUpdateCmd.Flags()
+	flags.StringVar(&imageUpdateArgs.gitRepoName, "git-repo-ref", "", "the name of a GitRepository resource with details of the upstream Git repository")
+	flags.StringVar(&imageUpdateArgs.gitRepoNamespace, "git-repo-namespace", "", "the namespace of the GitRepository resource, defaults to the ImageUpdateAutomation namespace")
+	flags.StringVar(&imageUpdateArgs.gitRepoPath, "git-repo-path", "", "path to the directory containing the manifests to be updated, defaults to the repository root")
+	flags.StringVar(&imageUpdateArgs.checkoutBranch, "checkout-branch", "", "the branch to checkout")
+	flags.StringVar(&imageUpdateArgs.pushBranch, "push-branch", "", "the branch to push commits to, defaults to the checkout branch if not specified")
+	flags.StringVar(&imageUpdateArgs.commitTemplate, "commit-template", "", "a template for commit messages")
+	flags.StringVar(&imageUpdateArgs.authorName, "author-name", "", "the name to use for commit author")
+	flags.StringVar(&imageUpdateArgs.authorEmail, "author-email", "", "the email to use for commit author")
+
+	createImageCmd.AddCommand(createImageUpdateCmd)
+}
+
+func createImageUpdateRun(cmd *cobra.Command, args []string) error {
+	objectName := args[0]
+
+	if imageUpdateArgs.gitRepoName == "" {
+		return fmt.Errorf("a reference to a GitRepository is required (--git-repo-ref)")
+	}
+
+	if imageUpdateArgs.checkoutBranch == "" {
+		return fmt.Errorf("the Git repository branch is required (--checkout-branch)")
+	}
+
+	if imageUpdateArgs.authorName == "" {
+		return fmt.Errorf("the author name is required (--author-name)")
+	}
+
+	if imageUpdateArgs.authorEmail == "" {
+		return fmt.Errorf("the author email is required (--author-email)")
+	}
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	var update = autov1.ImageUpdateAutomation{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      objectName,
+			Namespace: *kubeconfigArgs.Namespace,
+			Labels:    labels,
+		},
+		Spec: autov1.ImageUpdateAutomationSpec{
+			SourceRef: autov1.CrossNamespaceSourceReference{
+				Kind:      sourcev1.GitRepositoryKind,
+				Name:      imageUpdateArgs.gitRepoName,
+				Namespace: imageUpdateArgs.gitRepoNamespace,
+			},
+
+			GitSpec: &autov1.GitSpec{
+				Checkout: &autov1.GitCheckoutSpec{
+					Reference: sourcev1.GitRepositoryRef{
+						Branch: imageUpdateArgs.checkoutBranch,
+					},
+				},
+				Commit: autov1.CommitSpec{
+					Author: autov1.CommitUser{
+						Name:  imageUpdateArgs.authorName,
+						Email: imageUpdateArgs.authorEmail,
+					},
+					MessageTemplate: imageUpdateArgs.commitTemplate,
+				},
+			},
+			Interval: metav1.Duration{
+				Duration: createArgs.interval,
+			},
+		},
+	}
+
+	if imageUpdateArgs.pushBranch != "" {
+		update.Spec.GitSpec.Push = &autov1.PushSpec{
+			Branch: imageUpdateArgs.pushBranch,
+		}
+	}
+
+	if imageUpdateArgs.gitRepoPath != "" {
+		update.Spec.Update = &autov1.UpdateStrategy{
+			Path:     imageUpdateArgs.gitRepoPath,
+			Strategy: autov1.UpdateStrategySetters,
+		}
+	}
+
+	if createArgs.export {
+		return printExport(exportImageUpdate(&update))
+	}
+
+	var existing autov1.ImageUpdateAutomation
+	copyName(&existing, &update)
+	err = imageUpdateAutomationType.upsertAndWait(imageUpdateAutomationAdapter{&existing}, func() error {
+		existing.Spec = update.Spec
+		existing.Labels = update.Labels
+		return nil
+	})
+	return err
+}
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@@ -23,7 +23,6 @@ import (
 	"time"

 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,94 +30,117 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

+	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	"github.com/fluxcd/pkg/apis/meta"
+
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
-	"github.com/fluxcd/pkg/apis/meta"
 )

 var createKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Create or update a Kustomization resource",
-	Long:    "The kustomization source create command generates a Kustomize resource for a given source.",
+	Long:    "The create command generates a Kustomization resource for a given source.",
 	Example: `  # Create a Kustomization resource from a source at a given path
-  flux create kustomization contour \
-    --source=contour \
-    --path="./examples/contour/" \
+  flux create kustomization kyverno \
+    --source=GitRepository/kyverno \
+    --path="./config/release" \
    --prune=true \
-    --interval=10m \
-    --validation=client \
-    --health-check="Deployment/contour.projectcontour" \
-    --health-check="DaemonSet/envoy.projectcontour" \
+    --interval=60m \
+    --wait=true \
    --health-check-timeout=3m

  # Create a Kustomization resource that depends on the previous one
-  flux create kustomization webapp \
-    --depends-on=contour \
-    --source=webapp \
-    --path="./deploy/overlays/dev" \
+  flux create kustomization kyverno-policies \
+    --depends-on=kyverno \
+    --source=GitRepository/kyverno-policies \
+    --path="./policies/flux" \
    --prune=true \
-    --interval=5m \
-    --validation=client
+    --interval=5m
+
+  # Create a Kustomization using a source from a different namespace
+  flux create kustomization podinfo \
+    --namespace=default \
+    --source=GitRepository/podinfo.flux-system \
+    --path="./kustomize" \
+    --prune=true \
+    --interval=5m
+
+  # Create a Kustomization resource that references an OCIRepository
+  flux create kustomization podinfo \
+    --source=OCIRepository/podinfo \
+    --target-namespace=default \
+    --prune=true \
+    --interval=5m

  # Create a Kustomization resource that references a Bucket
  flux create kustomization secrets \
    --source=Bucket/secrets \
    --prune=true \
-    --interval=5m
-`,
+    --interval=5m`,
 	RunE: createKsCmdRun,
 }

-var (
-	ksSource             flags.KustomizationSource
-	ksPath               string
-	ksPrune              bool
-	ksDependsOn          []string
-	ksValidation         string
-	ksHealthCheck        []string
-	ksHealthTimeout      time.Duration
-	ksSAName             string
-	ksDecryptionProvider flags.DecryptionProvider
-	ksDecryptionSecret   string
-	ksTargetNamespace    string
-)
+type kustomizationFlags struct {
+	source              flags.KustomizationSource
+	path                flags.SafeRelativePath
+	prune               bool
+	dependsOn           []string
+	validation          string
+	healthCheck         []string
+	healthTimeout       time.Duration
+	saName              string
+	decryptionProvider  flags.DecryptionProvider
+	decryptionSecret    string
+	targetNamespace     string
+	wait                bool
+	kubeConfigSecretRef string
+}
+
+var kustomizationArgs = NewKustomizationFlags()

 func init() {
-	createKsCmd.Flags().Var(&ksSource, "source", ksSource.Description())
-	createKsCmd.Flags().StringVar(&ksPath, "path", "./", "path to the directory containing the Kustomization file")
-	createKsCmd.Flags().BoolVar(&ksPrune, "prune", false, "enable garbage collection")
-	createKsCmd.Flags().StringArrayVar(&ksHealthCheck, "health-check", nil, "workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'")
-	createKsCmd.Flags().DurationVar(&ksHealthTimeout, "health-check-timeout", 2*time.Minute, "timeout of health checking operations")
-	createKsCmd.Flags().StringVar(&ksValidation, "validation", "", "validate the manifests before applying them on the cluster, can be 'client' or 'server'")
-	createKsCmd.Flags().StringArrayVar(&ksDependsOn, "depends-on", nil, "Kustomization that must be ready before this Kustomization can be applied, supported formats '<name>' and '<namespace>/<name>'")
-	createKsCmd.Flags().StringVar(&ksSAName, "sa-name", "", "service account name")
-	createKsCmd.Flags().Var(&ksDecryptionProvider, "decryption-provider", ksDecryptionProvider.Description())
-	createKsCmd.Flags().StringVar(&ksDecryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
-	createKsCmd.Flags().StringVar(&ksTargetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
+	createKsCmd.Flags().Var(&kustomizationArgs.source, "source", kustomizationArgs.source.Description())
+	createKsCmd.Flags().Var(&kustomizationArgs.path, "path", "path to the directory containing a kustomization.yaml file")
+	createKsCmd.Flags().BoolVar(&kustomizationArgs.prune, "prune", false, "enable garbage collection")
+	createKsCmd.Flags().BoolVar(&kustomizationArgs.wait, "wait", false, "enable health checking of all the applied resources")
+	createKsCmd.Flags().StringSliceVar(&kustomizationArgs.healthCheck, "health-check", nil, "workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'")
+	createKsCmd.Flags().DurationVar(&kustomizationArgs.healthTimeout, "health-check-timeout", 2*time.Minute, "timeout of health checking operations")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.validation, "validation", "", "validate the manifests before applying them on the cluster, can be 'client' or 'server'")
+	createKsCmd.Flags().StringSliceVar(&kustomizationArgs.dependsOn, "depends-on", nil, "Kustomization that must be ready before this Kustomization can be applied, supported formats '<name>' and '<namespace>/<name>', also accepts comma-separated values")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this Kustomization")
+	createKsCmd.Flags().Var(&kustomizationArgs.decryptionProvider, "decryption-provider", kustomizationArgs.decryptionProvider.Description())
+	createKsCmd.Flags().StringVar(&kustomizationArgs.decryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.targetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
+	createKsCmd.Flags().MarkDeprecated("validation", "this arg is no longer used, all resources are validated using server-side apply dry-run")
+
 	createCmd.AddCommand(createKsCmd)
 }

-func createKsCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Kustomization name is required")
+func NewKustomizationFlags() kustomizationFlags {
+	return kustomizationFlags{
+		path: "./",
 	}
+}
+
+func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]

-	if ksPath == "" {
+	if kustomizationArgs.path == "" {
 		return fmt.Errorf("path is required")
 	}
-	if !strings.HasPrefix(ksPath, "./") {
+	if !strings.HasPrefix(kustomizationArgs.path.String(), "./") {
 		return fmt.Errorf("path must begin with ./")
 	}

-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Kustomization")
 	}

-	ksLabels, err := parseLabels()
+	kslabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
@@ -126,29 +148,37 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	kustomization := kustomizev1.Kustomization{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
-			Labels:    ksLabels,
+			Namespace: *kubeconfigArgs.Namespace,
+			Labels:    kslabels,
 		},
 		Spec: kustomizev1.KustomizationSpec{
-			DependsOn: utils.MakeDependsOn(ksDependsOn),
+			DependsOn: utils.MakeDependsOn(kustomizationArgs.dependsOn),
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
-			Path:  ksPath,
-			Prune: ksPrune,
+			Path:  kustomizationArgs.path.ToSlash(),
+			Prune: kustomizationArgs.prune,
 			SourceRef: kustomizev1.CrossNamespaceSourceReference{
-				Kind: ksSource.Kind,
-				Name: ksSource.Name,
+				Kind:      kustomizationArgs.source.Kind,
+				Name:      kustomizationArgs.source.Name,
+				Namespace: kustomizationArgs.source.Namespace,
 			},
 			Suspend:         false,
-			Validation:      ksValidation,
-			TargetNamespace: ksTargetNamespace,
+			TargetNamespace: kustomizationArgs.targetNamespace,
 		},
 	}

-	if len(ksHealthCheck) > 0 {
-		healthChecks := make([]kustomizev1.CrossNamespaceObjectReference, 0)
-		for _, w := range ksHealthCheck {
+	if kustomizationArgs.kubeConfigSecretRef != "" {
+		kustomization.Spec.KubeConfig = &kustomizev1.KubeConfig{
+			SecretRef: meta.SecretKeyReference{
+				Name: kustomizationArgs.kubeConfigSecretRef,
+			},
+		}
+	}
+
+	if len(kustomizationArgs.healthCheck) > 0 && !kustomizationArgs.wait {
+		healthChecks := make([]meta.NamespacedObjectKindReference, 0)
+		for _, w := range kustomizationArgs.healthCheck {
 			kindObj := strings.Split(w, "/")
 			if len(kindObj) != 2 {
 				return fmt.Errorf("invalid health check '%s' must be in the format 'kind/name.namespace' %v", w, kindObj)
@@ -170,7 +200,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 				return fmt.Errorf("invalid health check '%s' must be in the format 'kind/name.namespace'", w)
 			}

-			check := kustomizev1.CrossNamespaceObjectReference{
+			check := meta.NamespacedObjectKindReference{
 				Kind:      kind,
 				Name:      nameNs[0],
 				Namespace: nameNs[1],
@@ -183,32 +213,39 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		kustomization.Spec.HealthChecks = healthChecks
 		kustomization.Spec.Timeout = &metav1.Duration{
-			Duration: ksHealthTimeout,
+			Duration: kustomizationArgs.healthTimeout,
 		}
 	}

-	if ksSAName != "" {
-		kustomization.Spec.ServiceAccountName = ksSAName
+	if kustomizationArgs.wait {
+		kustomization.Spec.Wait = true
+		kustomization.Spec.Timeout = &metav1.Duration{
+			Duration: kustomizationArgs.healthTimeout,
+		}
 	}

-	if ksDecryptionProvider != "" {
+	if kustomizationArgs.saName != "" {
+		kustomization.Spec.ServiceAccountName = kustomizationArgs.saName
+	}
+
+	if kustomizationArgs.decryptionProvider != "" {
 		kustomization.Spec.Decryption = &kustomizev1.Decryption{
-			Provider: ksDecryptionProvider.String(),
+			Provider: kustomizationArgs.decryptionProvider.String(),
 		}

-		if ksDecryptionSecret != "" {
-			kustomization.Spec.Decryption.SecretRef = &corev1.LocalObjectReference{Name: ksDecryptionSecret}
+		if kustomizationArgs.decryptionSecret != "" {
+			kustomization.Spec.Decryption.SecretRef = &meta.LocalObjectReference{Name: kustomizationArgs.decryptionSecret}
 		}
 	}

-	if export {
-		return exportKs(kustomization)
+	if createArgs.export {
+		return printExport(exportKs(&kustomization))
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -220,7 +257,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for Kustomization reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isKustomizationReady(ctx, kubeClient, namespacedName, &kustomization)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_receiver.go
+++ b/cmd/flux/create_receiver.go
@@ -21,7 +21,6 @@ import (
 	"fmt"

 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -29,9 +28,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var createReceiverCmd = &cobra.Command{
@@ -45,42 +45,40 @@ var createReceiverCmd = &cobra.Command{
 	--event push \
 	--secret-ref webhook-token \
 	--resource GitRepository/webapp \
-	--resource HelmRepository/webapp
-`,
+	--resource HelmRepository/webapp`,
 	RunE: createReceiverCmdRun,
 }

-var (
-	rcvType      string
-	rcvSecretRef string
-	rcvEvents    []string
-	rcvResources []string
-)
+type receiverFlags struct {
+	receiverType string
+	secretRef    string
+	events       []string
+	resources    []string
+}
+
+var receiverArgs receiverFlags

 func init() {
-	createReceiverCmd.Flags().StringVar(&rcvType, "type", "", "")
-	createReceiverCmd.Flags().StringVar(&rcvSecretRef, "secret-ref", "", "")
-	createReceiverCmd.Flags().StringArrayVar(&rcvEvents, "event", []string{}, "")
-	createReceiverCmd.Flags().StringArrayVar(&rcvResources, "resource", []string{}, "")
+	createReceiverCmd.Flags().StringVar(&receiverArgs.receiverType, "type", "", "")
+	createReceiverCmd.Flags().StringVar(&receiverArgs.secretRef, "secret-ref", "", "")
+	createReceiverCmd.Flags().StringSliceVar(&receiverArgs.events, "event", []string{}, "also accepts comma-separated values")
+	createReceiverCmd.Flags().StringSliceVar(&receiverArgs.resources, "resource", []string{}, "also accepts comma-separated values")
 	createCmd.AddCommand(createReceiverCmd)
 }

 func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Receiver name is required")
-	}
 	name := args[0]

-	if rcvType == "" {
+	if receiverArgs.receiverType == "" {
 		return fmt.Errorf("Receiver type is required")
 	}

-	if rcvSecretRef == "" {
+	if receiverArgs.secretRef == "" {
 		return fmt.Errorf("secret ref is required")
 	}

 	resources := []notificationv1.CrossNamespaceObjectReference{}
-	for _, resource := range rcvResources {
+	for _, resource := range receiverArgs.resources {
 		kind, name := utils.ParseObjectKindName(resource)
 		if kind == "" {
 			return fmt.Errorf("invalid event source '%s', must be in format <kind>/<name>", resource)
@@ -101,35 +99,35 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Receiver")
 	}

 	receiver := notificationv1.Receiver{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.ReceiverSpec{
-			Type:      rcvType,
-			Events:    rcvEvents,
+			Type:      receiverArgs.receiverType,
+			Events:    receiverArgs.events,
 			Resources: resources,
-			SecretRef: corev1.LocalObjectReference{
-				Name: rcvSecretRef,
+			SecretRef: meta.LocalObjectReference{
+				Name: receiverArgs.secretRef,
 			},
 			Suspend: false,
 		},
 	}

-	if export {
-		return exportReceiver(receiver)
+	if createArgs.export {
+		return printExport(exportReceiver(&receiver))
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
@@ -141,7 +139,7 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for Receiver reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isReceiverReady(ctx, kubeClient, namespacedName, &receiver)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret.go
+++ b/cmd/flux/create_secret.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+var createSecretCmd = &cobra.Command{
+	Use:   "secret",
+	Short: "Create or update Kubernetes secrets",
+	Long:  "The create source sub-commands generate Kubernetes secrets specific to Flux.",
+}
+
+func init() {
+	createCmd.AddCommand(createSecretCmd)
+}
+
+func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.Secret) error {
+	namespacedName := types.NamespacedName{
+		Namespace: secret.GetNamespace(),
+		Name:      secret.GetName(),
+	}
+
+	var existing corev1.Secret
+	err := kubeClient.Get(ctx, namespacedName, &existing)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if err := kubeClient.Create(ctx, &secret); err != nil {
+				return err
+			} else {
+				return nil
+			}
+		}
+		return err
+	}
+
+	existing.StringData = secret.StringData
+	if err := kubeClient.Update(ctx, &existing); err != nil {
+		return err
+	}
+	return nil
+}
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -0,0 +1,186 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"crypto/elliptic"
+	"fmt"
+	"net/url"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+)
+
+var createSecretGitCmd = &cobra.Command{
+	Use:   "git [name]",
+	Short: "Create or update a Kubernetes secret for Git authentication",
+	Long: `The create secret git command generates a Kubernetes secret with Git credentials.
+For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
+For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
+	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
+
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --ssh-key-algorithm=ecdsa \
+    --ssh-ecdsa-curve=p521
+
+  # Create a Git SSH authentication secret with a passwordless private key from file
+  # The public SSH host key will still be gathered from the host
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --private-key-file=./private.key
+
+  # Create a Git SSH authentication secret with a passworded private key from file
+  # The public SSH host key will still be gathered from the host
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --private-key-file=./private.key \
+    --password=<password>
+
+  # Create a secret for a Git repository using basic authentication
+  flux create secret git podinfo-auth \
+    --url=https://github.com/stefanprodan/podinfo \
+    --username=username \
+    --password=password
+
+  # Create a Git SSH secret on disk
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --export > podinfo-auth.yaml
+
+  # Print the deploy key
+  yq eval '.stringData."identity.pub"' podinfo-auth.yaml
+
+  # Encrypt the secret on disk with Mozilla SOPS
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place podinfo-auth.yaml`,
+	RunE: createSecretGitCmdRun,
+}
+
+type secretGitFlags struct {
+	url            string
+	username       string
+	password       string
+	keyAlgorithm   flags.PublicKeyAlgorithm
+	rsaBits        flags.RSAKeyBits
+	ecdsaCurve     flags.ECDSACurve
+	caFile         string
+	privateKeyFile string
+}
+
+var secretGitArgs = NewSecretGitFlags()
+
+func init() {
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.url, "url", "", "git address, e.g. ssh://git@host/org/repository")
+	createSecretGitCmd.Flags().StringVarP(&secretGitArgs.username, "username", "u", "", "basic authentication username")
+	createSecretGitCmd.Flags().StringVarP(&secretGitArgs.password, "password", "p", "", "basic authentication password")
+	createSecretGitCmd.Flags().Var(&secretGitArgs.keyAlgorithm, "ssh-key-algorithm", secretGitArgs.keyAlgorithm.Description())
+	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
+	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
+
+	createSecretCmd.AddCommand(createSecretGitCmd)
+}
+
+func NewSecretGitFlags() secretGitFlags {
+	return secretGitFlags{
+		keyAlgorithm: flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
+		rsaBits:      2048,
+		ecdsaCurve:   flags.ECDSACurve{Curve: elliptic.P384()},
+	}
+}
+
+func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+	if secretGitArgs.url == "" {
+		return fmt.Errorf("url is required")
+	}
+
+	u, err := url.Parse(secretGitArgs.url)
+	if err != nil {
+		return fmt.Errorf("git URL parse failed: %w", err)
+	}
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	opts := sourcesecret.Options{
+		Name:         name,
+		Namespace:    *kubeconfigArgs.Namespace,
+		Labels:       labels,
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
+	}
+	switch u.Scheme {
+	case "ssh":
+		opts.SSHHostname = u.Host
+		opts.PrivateKeyPath = secretGitArgs.privateKeyFile
+		opts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(secretGitArgs.keyAlgorithm)
+		opts.RSAKeyBits = int(secretGitArgs.rsaBits)
+		opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
+		opts.Password = secretGitArgs.password
+	case "http", "https":
+		if secretGitArgs.username == "" || secretGitArgs.password == "" {
+			return fmt.Errorf("for Git over HTTP/S the username and password are required")
+		}
+		opts.Username = secretGitArgs.username
+		opts.Password = secretGitArgs.password
+		opts.CAFilePath = secretGitArgs.caFile
+	default:
+		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
+	}
+
+	secret, err := sourcesecret.Generate(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+
+	if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
+		logger.Generatef("deploy key: %s", ppk)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+	logger.Actionf("git secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
+
+	return nil
+}
--- a/cmd/flux/create_secret_git_test.go
+++ b/cmd/flux/create_secret_git_test.go
@@ -0,0 +1,44 @@
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateGitSecret(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "no args",
+			args:   "create secret git",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "basic secret",
+			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=my-username --password=my-password --namespace=my-namespace --export",
+			assert: assertGoldenFile("./testdata/create_secret/git/secret-git-basic.yaml"),
+		},
+		{
+			name:   "ssh key",
+			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa.private --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret.yaml"),
+		},
+		{
+			name:   "ssh key with password",
+			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@@ -0,0 +1,113 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+)
+
+var createSecretHelmCmd = &cobra.Command{
+	Use:   "helm [name]",
+	Short: "Create or update a Kubernetes secret for Helm repository authentication",
+	Long:  `The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
+	Example: ` # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
+  flux create secret helm repo-auth \
+    --namespace=my-namespace \
+    --username=my-username \
+    --password=my-password \
+    --export > repo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place repo-auth.yaml
+
+  # Create a Helm authentication secret using a custom TLS cert
+  flux create secret helm repo-auth \
+    --username=username \
+    --password=password \
+    --cert-file=./cert.crt \
+    --key-file=./key.crt \
+    --ca-file=./ca.crt`,
+	RunE: createSecretHelmCmdRun,
+}
+
+type secretHelmFlags struct {
+	username string
+	password string
+	secretTLSFlags
+}
+
+var secretHelmArgs secretHelmFlags
+
+func init() {
+	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
+	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
+	initSecretTLSFlags(createSecretHelmCmd.Flags(), &secretHelmArgs.secretTLSFlags)
+	createSecretCmd.AddCommand(createSecretHelmCmd)
+}
+
+func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	opts := sourcesecret.Options{
+		Name:         name,
+		Namespace:    *kubeconfigArgs.Namespace,
+		Labels:       labels,
+		Username:     secretHelmArgs.username,
+		Password:     secretHelmArgs.password,
+		CAFilePath:   secretHelmArgs.caFile,
+		CertFilePath: secretHelmArgs.certFile,
+		KeyFilePath:  secretHelmArgs.keyFile,
+	}
+	secret, err := sourcesecret.Generate(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("helm secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
+	return nil
+}
--- a/cmd/flux/create_secret_helm_test.go
+++ b/cmd/flux/create_secret_helm_test.go
@@ -0,0 +1,47 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateHelmSecret(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			args:   "create secret helm",
+			assert: assertError("name is required"),
+		},
+		{
+			args:   "create secret helm helm-secret --username=my-username --password=my-password --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/helm/secret-helm.yaml"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/create_secret_oci.go
+++ b/cmd/flux/create_secret_oci.go
@@ -0,0 +1,121 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var createSecretOCICmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Create or update a Kubernetes image pull secret",
+	Long:  `The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`,
+	Example: `  # Create an OCI authentication secret on disk and encrypt it with Mozilla SOPS
+  flux create secret oci podinfo-auth \
+    --url=ghcr.io \
+    --username=username \
+    --password=password \
+    --export > repo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place repo-auth.yaml
+	`,
+	RunE: createSecretOCICmdRun,
+}
+
+type secretOCIFlags struct {
+	url      string
+	password string
+	username string
+}
+
+var secretOCIArgs = secretOCIFlags{}
+
+func init() {
+	createSecretOCICmd.Flags().StringVar(&secretOCIArgs.url, "url", "", "oci repository address e.g ghcr.io/stefanprodan/charts")
+	createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.username, "username", "u", "", "basic authentication username")
+	createSecretOCICmd.Flags().StringVarP(&secretOCIArgs.password, "password", "p", "", "basic authentication password")
+
+	createSecretCmd.AddCommand(createSecretOCICmd)
+}
+
+func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("name is required")
+	}
+
+	secretName := args[0]
+
+	if secretOCIArgs.url == "" {
+		return fmt.Errorf("--url is required")
+	}
+
+	if secretOCIArgs.username == "" {
+		return fmt.Errorf("--username is required")
+	}
+
+	if secretOCIArgs.password == "" {
+		return fmt.Errorf("--password is required")
+	}
+
+	if _, err := name.ParseReference(secretOCIArgs.url); err != nil {
+		return fmt.Errorf("error parsing url: '%s'", err)
+	}
+
+	opts := sourcesecret.Options{
+		Name:      secretName,
+		Namespace: *kubeconfigArgs.Namespace,
+		Registry:  secretOCIArgs.url,
+		Password:  secretOCIArgs.password,
+		Username:  secretOCIArgs.username,
+	}
+
+	secret, err := sourcesecret.Generate(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("oci secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
+	return nil
+}
--- a/cmd/flux/create_secret_oci_test.go
+++ b/cmd/flux/create_secret_oci_test.go
@@ -0,0 +1,51 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateSecretOCI(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			args:   "create secret oci",
+			assert: assertError("name is required"),
+		},
+		{
+			args:   "create secret oci ghcr",
+			assert: assertError("--url is required"),
+		},
+		{
+			args:   "create secret oci ghcr --namespace=my-namespace --url ghcr.io --username stefanprodan --password=password --export",
+			assert: assertGoldenFile("testdata/create_secret/oci/create-secret.yaml"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@@ -0,0 +1,110 @@
+/*
+Copyright 2020, 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+)
+
+var createSecretTLSCmd = &cobra.Command{
+	Use:   "tls [name]",
+	Short: "Create or update a Kubernetes secret with TLS certificates",
+	Long:  `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
+	Example: ` # Create a TLS secret on disk and encrypt it with Mozilla SOPS.
+  # Files are expected to be PEM-encoded.
+  flux create secret tls certs \
+    --namespace=my-namespace \
+    --cert-file=./client.crt \
+    --key-file=./client.key \
+    --export > certs.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place certs.yaml`,
+	RunE: createSecretTLSCmdRun,
+}
+
+type secretTLSFlags struct {
+	certFile string
+	keyFile  string
+	caFile   string
+}
+
+var secretTLSArgs secretTLSFlags
+
+func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
+	flags.StringVar(&args.certFile, "cert-file", "", "TLS authentication cert file path")
+	flags.StringVar(&args.keyFile, "key-file", "", "TLS authentication key file path")
+	flags.StringVar(&args.caFile, "ca-file", "", "TLS authentication CA file path")
+}
+
+func init() {
+	flags := createSecretTLSCmd.Flags()
+	initSecretTLSFlags(flags, &secretTLSArgs)
+	createSecretCmd.AddCommand(createSecretTLSCmd)
+}
+
+func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	opts := sourcesecret.Options{
+		Name:         name,
+		Namespace:    *kubeconfigArgs.Namespace,
+		Labels:       labels,
+		CAFilePath:   secretTLSArgs.caFile,
+		CertFilePath: secretTLSArgs.certFile,
+		KeyFilePath:  secretTLSArgs.keyFile,
+	}
+	secret, err := sourcesecret.Generate(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Print(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("tls secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
+	return nil
+}
--- a/cmd/flux/create_secret_tls_test.go
+++ b/cmd/flux/create_secret_tls_test.go
@@ -0,0 +1,31 @@
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateTlsSecretNoArgs(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			args:   "create secret tls",
+			assert: assertError("name is required"),
+		},
+		{
+			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --export",
+			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/create_source.go
+++ b/cmd/flux/create_source.go
@@ -17,6 +17,8 @@ limitations under the License.
 package main

 import (
+	"time"
+
 	"github.com/spf13/cobra"
 )

@@ -26,6 +28,14 @@ var createSourceCmd = &cobra.Command{
 	Long:  "The create source sub-commands generate sources.",
 }

+type createSourceFlags struct {
+	fetchTimeout time.Duration
+}
+
+var createSourceArgs createSourceFlags
+
 func init() {
+	createSourceCmd.PersistentFlags().DurationVar(&createSourceArgs.fetchTimeout, "fetch-timeout", createSourceArgs.fetchTimeout,
+		"set a timeout for fetch operations performed by source-controller (e.g. 'git clone' or 'helm repo update')")
 	createCmd.AddCommand(createSourceCmd)
 }
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@@ -19,8 +19,8 @@ package main
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
+	"strings"

 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -30,18 +30,21 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )

 var createSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Create or update a Bucket source",
-	Long: `
-The create source bucket command generates a Bucket resource and waits for it to be downloaded.
+	Long: `The create source bucket command generates a Bucket resource and waits for it to be downloaded.
 For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`,
-	Example: `  # Create a source from a Buckets using static authentication
+	Example: `  # Create a source for a Bucket using static authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
    --endpoint=minio.minio.svc.cluster.local:9000 \
@@ -50,52 +53,58 @@ For Buckets with static authentication, the credentials are stored in a Kubernet
 	--secret-key=mysecretkey \
    --interval=10m

-  # Create a source from an Amazon S3 Bucket using IAM authentication
+  # Create a source for an Amazon S3 Bucket using IAM authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
 	--provider=aws \
    --endpoint=s3.amazonaws.com \
 	--region=us-east-1 \
-    --interval=10m
-`,
+    --interval=10m`,
 	RunE: createSourceBucketCmdRun,
 }

-var (
-	sourceBucketName      string
-	sourceBucketProvider  = flags.SourceBucketProvider(sourcev1.GenericBucketProvider)
-	sourceBucketEndpoint  string
-	sourceBucketAccessKey string
-	sourceBucketSecretKey string
-	sourceBucketRegion    string
-	sourceBucketInsecure  bool
-	sourceBucketSecretRef string
-)
+type sourceBucketFlags struct {
+	name        string
+	provider    flags.SourceBucketProvider
+	endpoint    string
+	accessKey   string
+	secretKey   string
+	region      string
+	insecure    bool
+	secretRef   string
+	ignorePaths []string
+}
+
+var sourceBucketArgs = newSourceBucketFlags()

 func init() {
-	createSourceBucketCmd.Flags().Var(&sourceBucketProvider, "provider", sourceBucketProvider.Description())
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketName, "bucket-name", "", "the bucket name")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketEndpoint, "endpoint", "", "the bucket endpoint address")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketAccessKey, "access-key", "", "the bucket access key")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretKey, "secret-key", "", "the bucket secret key")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketRegion, "region", "", "the bucket region")
-	createSourceBucketCmd.Flags().BoolVar(&sourceBucketInsecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretRef, "secret-ref", "", "the name of an existing secret containing credentials")
+	createSourceBucketCmd.Flags().Var(&sourceBucketArgs.provider, "provider", sourceBucketArgs.provider.Description())
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.name, "bucket-name", "", "the bucket name")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.endpoint, "endpoint", "", "the bucket endpoint address")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.accessKey, "access-key", "", "the bucket access key")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretKey, "secret-key", "", "the bucket secret key")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.region, "region", "", "the bucket region")
+	createSourceBucketCmd.Flags().BoolVar(&sourceBucketArgs.insecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretRef, "secret-ref", "", "the name of an existing secret containing credentials")
+	createSourceBucketCmd.Flags().StringSliceVar(&sourceBucketArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in bucket resource (can specify multiple paths with commas: path1,path2)")

 	createSourceCmd.AddCommand(createSourceBucketCmd)
 }

-func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Bucket source name is required")
+func newSourceBucketFlags() sourceBucketFlags {
+	return sourceBucketFlags{
+		provider: flags.SourceBucketProvider(sourcev1.GenericBucketProvider),
 	}
+}
+
+func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]

-	if sourceBucketName == "" {
+	if sourceBucketArgs.name == "" {
 		return fmt.Errorf("bucket-name is required")
 	}

-	if sourceBucketEndpoint == "" {
+	if sourceBucketArgs.endpoint == "" {
 		return fmt.Errorf("endpoint is required")
 	}

@@ -104,63 +113,76 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	tmpDir, err := ioutil.TempDir("", name)
+	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)

+	var ignorePaths *string
+	if len(sourceBucketArgs.ignorePaths) > 0 {
+		ignorePathsStr := strings.Join(sourceBucketArgs.ignorePaths, "\n")
+		ignorePaths = &ignorePathsStr
+	}
+
 	bucket := &sourcev1.Bucket{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.BucketSpec{
-			BucketName: sourceBucketName,
-			Provider:   sourceBucketProvider.String(),
-			Insecure:   sourceBucketInsecure,
-			Endpoint:   sourceBucketEndpoint,
-			Region:     sourceBucketRegion,
+			BucketName: sourceBucketArgs.name,
+			Provider:   sourceBucketArgs.provider.String(),
+			Insecure:   sourceBucketArgs.insecure,
+			Endpoint:   sourceBucketArgs.endpoint,
+			Region:     sourceBucketArgs.region,
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
+			Ignore: ignorePaths,
 		},
 	}
-	if sourceHelmSecretRef != "" {
-		bucket.Spec.SecretRef = &corev1.LocalObjectReference{
-			Name: sourceBucketSecretRef,
+
+	if createSourceArgs.fetchTimeout > 0 {
+		bucket.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
+	}
+
+	if sourceBucketArgs.secretRef != "" {
+		bucket.Spec.SecretRef = &meta.LocalObjectReference{
+			Name: sourceBucketArgs.secretRef,
 		}
 	}

-	if export {
-		return exportBucket(*bucket)
+	if createArgs.export {
+		return printExport(exportBucket(bucket))
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

 	logger.Generatef("generating Bucket source")

-	if sourceBucketSecretRef == "" {
+	if sourceBucketArgs.secretRef == "" {
 		secretName := fmt.Sprintf("bucket-%s", name)

 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      secretName,
-				Namespace: namespace,
+				Namespace: *kubeconfigArgs.Namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{},
 		}

-		if sourceBucketAccessKey != "" && sourceBucketSecretKey != "" {
-			secret.StringData["accesskey"] = sourceBucketAccessKey
-			secret.StringData["secretkey"] = sourceBucketSecretKey
+		if sourceBucketArgs.accessKey != "" && sourceBucketArgs.secretKey != "" {
+			secret.StringData["accesskey"] = sourceBucketArgs.accessKey
+			secret.StringData["secretkey"] = sourceBucketArgs.secretKey
 		}

 		if len(secret.StringData) > 0 {
@@ -168,7 +190,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 				return err
 			}
-			bucket.Spec.SecretRef = &corev1.LocalObjectReference{
+			bucket.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
 			logger.Successf("authentication configured")
@@ -182,7 +204,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for Bucket source reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isBucketReady(ctx, kubeClient, namespacedName, bucket)); err != nil {
 		return err
 	}
@@ -225,3 +247,30 @@ func upsertBucket(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Bucket source updated")
 	return namespacedName, nil
 }
+
+func isBucketReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, bucket *sourcev1.Bucket) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, bucket)
+		if err != nil {
+			return false, err
+		}
+
+		if c := conditions.Get(bucket, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != bucket.GetGeneration() {
+				return false, nil
+			}
+
+			// Further check the Status
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@@ -20,34 +20,53 @@ import (
 	"context"
 	"crypto/elliptic"
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
-	"time"
+	"strings"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/pkg/apis/meta"
-
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"

-	"github.com/fluxcd/pkg/ssh"
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )

+type sourceGitFlags struct {
+	url               string
+	branch            string
+	tag               string
+	semver            string
+	username          string
+	password          string
+	keyAlgorithm      flags.PublicKeyAlgorithm
+	keyRSABits        flags.RSAKeyBits
+	keyECDSACurve     flags.ECDSACurve
+	secretRef         string
+	gitImplementation flags.GitImplementation
+	caFile            string
+	privateKeyFile    string
+	recurseSubmodules bool
+	silent            bool
+	ignorePaths       []string
+}
+
 var createSourceGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Create or update a GitRepository source",
-	Long: `
-The create source git command generates a GitRepository resource and waits for it to sync.
+	Long: `The create source git command generates a GitRepository resource and waits for it to sync.
 For Git over SSH, host and SSH keys are automatically generated and stored in a Kubernetes secret.
 For private Git repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
 	Example: `  # Create a source from a public Git repository master branch
@@ -55,7 +74,7 @@ For private Git repositories, the basic authentication credentials are stored in
    --url=https://github.com/stefanprodan/podinfo \
    --branch=master

-  # Create a source from a Git repository pinned to specific git tag
+  # Create a source for a Git repository pinned to specific git tag
  flux create source git podinfo \
    --url=https://github.com/stefanprodan/podinfo \
    --tag="3.2.3"
@@ -65,12 +84,12 @@ For private Git repositories, the basic authentication credentials are stored in
    --url=https://github.com/stefanprodan/podinfo \
    --tag-semver=">=3.2.0 <3.3.0"

-  # Create a source from a Git repository using SSH authentication
+  # Create a source for a Git repository using SSH authentication
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --branch=master

-  # Create a source from a Git repository using SSH authentication and an
+  # Create a source for a Git repository using SSH authentication and an
  # ECDSA P-521 curve public key
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
@@ -78,185 +97,215 @@ For private Git repositories, the basic authentication credentials are stored in
    --ssh-key-algorithm=ecdsa \
    --ssh-ecdsa-curve=p521

-  # Create a source from a Git repository using basic authentication
+  # Create a source for a Git repository using SSH authentication and a
+  #	passwordless private key from file
+  # The public SSH host key will still be gathered from the host
+  flux create source git podinfo \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --branch=master \
+    --private-key-file=./private.key
+
+  # Create a source for a Git repository using SSH authentication and a
+  # private key with a password from file
+  # The public SSH host key will still be gathered from the host
+  flux create source git podinfo \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --branch=master \
+    --private-key-file=./private.key \
+    --password=<password>
+
+  # Create a source for a Git repository using basic authentication
  flux create source git podinfo \
    --url=https://github.com/stefanprodan/podinfo \
+    --branch=master \
    --username=username \
-    --password=password
-`,
+    --password=password`,
 	RunE: createSourceGitCmdRun,
 }

-var (
-	sourceGitURL      string
-	sourceGitBranch   string
-	sourceGitTag      string
-	sourceGitSemver   string
-	sourceGitUsername string
-	sourceGitPassword string
-
-	sourceGitKeyAlgorithm flags.PublicKeyAlgorithm = "rsa"
-	sourceGitRSABits      flags.RSAKeyBits         = 2048
-	sourceGitECDSACurve                            = flags.ECDSACurve{Curve: elliptic.P384()}
-	sourceGitSecretRef    string
-)
+var sourceGitArgs = newSourceGitFlags()

 func init() {
-	createSourceGitCmd.Flags().StringVar(&sourceGitURL, "url", "", "git address, e.g. ssh://git@host/org/repository")
-	createSourceGitCmd.Flags().StringVar(&sourceGitBranch, "branch", "master", "git branch")
-	createSourceGitCmd.Flags().StringVar(&sourceGitTag, "tag", "", "git tag")
-	createSourceGitCmd.Flags().StringVar(&sourceGitSemver, "tag-semver", "", "git tag semver range")
-	createSourceGitCmd.Flags().StringVarP(&sourceGitUsername, "username", "u", "", "basic authentication username")
-	createSourceGitCmd.Flags().StringVarP(&sourceGitPassword, "password", "p", "", "basic authentication password")
-	createSourceGitCmd.Flags().Var(&sourceGitKeyAlgorithm, "ssh-key-algorithm", sourceGitKeyAlgorithm.Description())
-	createSourceGitCmd.Flags().Var(&sourceGitRSABits, "ssh-rsa-bits", sourceGitRSABits.Description())
-	createSourceGitCmd.Flags().Var(&sourceGitECDSACurve, "ssh-ecdsa-curve", sourceGitECDSACurve.Description())
-	createSourceGitCmd.Flags().StringVarP(&sourceGitSecretRef, "secret-ref", "", "", "the name of an existing secret containing SSH or basic credentials")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.url, "url", "", "git address, e.g. ssh://git@host/org/repository")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
+	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
+	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyRSABits, "ssh-rsa-bits", sourceGitArgs.keyRSABits.Description())
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyECDSACurve, "ssh-ecdsa-curve", sourceGitArgs.keyECDSACurve.Description())
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.gitImplementation, "git-implementation", sourceGitArgs.gitImplementation.Description())
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
+	createSourceGitCmd.Flags().BoolVar(&sourceGitArgs.recurseSubmodules, "recurse-submodules", false,
+		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
+	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
+	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in git resource (can specify multiple paths with commas: path1,path2)")

 	createSourceCmd.AddCommand(createSourceGitCmd)
 }

-func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("GitRepository source name is required")
+func newSourceGitFlags() sourceGitFlags {
+	return sourceGitFlags{
+		keyAlgorithm:  flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
+		keyRSABits:    2048,
+		keyECDSACurve: flags.ECDSACurve{Curve: elliptic.P384()},
 	}
+}
+
+func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]

-	if sourceGitURL == "" {
+	if sourceGitArgs.url == "" {
 		return fmt.Errorf("url is required")
 	}

-	tmpDir, err := ioutil.TempDir("", name)
+	u, err := url.Parse(sourceGitArgs.url)
+	if err != nil {
+		return fmt.Errorf("git URL parse failed: %w", err)
+	}
+	if u.Scheme != "ssh" && u.Scheme != "http" && u.Scheme != "https" {
+		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
+	}
+
+	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" {
+		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag or --tag-semver")
+	}
+
+	if sourceGitArgs.caFile != "" && u.Scheme == "ssh" {
+		return fmt.Errorf("specifying a CA file is not supported for Git over SSH")
+	}
+
+	if sourceGitArgs.recurseSubmodules && sourceGitArgs.gitImplementation == sourcev1.LibGit2Implementation {
+		return fmt.Errorf("recurse submodules requires --git-implementation=%s", sourcev1.GoGitImplementation)
+	}
+
+	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)

-	u, err := url.Parse(sourceGitURL)
-	if err != nil {
-		return fmt.Errorf("git URL parse failed: %w", err)
-	}
-
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
 	}

+	var ignorePaths *string
+	if len(sourceGitArgs.ignorePaths) > 0 {
+		ignorePathsStr := strings.Join(sourceGitArgs.ignorePaths, "\n")
+		ignorePaths = &ignorePathsStr
+	}
+
 	gitRepository := sourcev1.GitRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.GitRepositorySpec{
-			URL: sourceGitURL,
+			URL: sourceGitArgs.url,
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
-			Reference: &sourcev1.GitRepositoryRef{},
+			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
+			Reference:         &sourcev1.GitRepositoryRef{},
+			Ignore:            ignorePaths,
 		},
 	}

-	if sourceGitSemver != "" {
-		gitRepository.Spec.Reference.SemVer = sourceGitSemver
-	} else if sourceGitTag != "" {
-		gitRepository.Spec.Reference.Tag = sourceGitTag
+	if createSourceArgs.fetchTimeout > 0 {
+		gitRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
+	}
+
+	if sourceGitArgs.gitImplementation != "" {
+		gitRepository.Spec.GitImplementation = sourceGitArgs.gitImplementation.String()
+	}
+
+	if sourceGitArgs.semver != "" {
+		gitRepository.Spec.Reference.SemVer = sourceGitArgs.semver
+	} else if sourceGitArgs.tag != "" {
+		gitRepository.Spec.Reference.Tag = sourceGitArgs.tag
 	} else {
-		gitRepository.Spec.Reference.Branch = sourceGitBranch
+		gitRepository.Spec.Reference.Branch = sourceGitArgs.branch
 	}

-	if export {
-		if sourceGitSecretRef != "" {
-			gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{
-				Name: sourceGitSecretRef,
-			}
+	if sourceGitArgs.secretRef != "" {
+		gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
+			Name: sourceGitArgs.secretRef,
 		}
-		return exportGit(gitRepository)
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	if createArgs.export {
+		return printExport(exportGit(&gitRepository))
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

-	withAuth := false
-	// TODO(hidde): move all auth prep to separate func?
-	if sourceGitSecretRef != "" {
-		withAuth = true
-	} else if u.Scheme == "ssh" {
-		logger.Actionf("generating deploy key pair")
-		pair, err := generateKeyPair(ctx)
-		if err != nil {
-			return err
-		}
-
-		fmt.Printf("%s", pair.PublicKey)
-		prompt := promptui.Prompt{
-			Label:     "Have you added the deploy key to your repository",
-			IsConfirm: true,
-		}
-		if _, err := prompt.Run(); err != nil {
-			return fmt.Errorf("aborting")
-		}
-
-		logger.Actionf("collecting preferred public key from SSH server")
-		hostKey, err := scanHostKey(ctx, u)
-		if err != nil {
-			return err
-		}
-		logger.Successf("collected public key from SSH server:")
-		fmt.Printf("%s", hostKey)
-
-		logger.Actionf("applying secret with keys")
-		secret := corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: namespace,
-			},
-			StringData: map[string]string{
-				"identity":     string(pair.PrivateKey),
-				"identity.pub": string(pair.PublicKey),
-				"known_hosts":  string(hostKey),
-			},
-		}
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-			return err
-		}
-		withAuth = true
-	} else if sourceGitUsername != "" && sourceGitPassword != "" {
-		logger.Actionf("applying secret with basic auth credentials")
-		secret := corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: namespace,
-			},
-			StringData: map[string]string{
-				"username": sourceGitUsername,
-				"password": sourceGitPassword,
-			},
-		}
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-			return err
-		}
-		withAuth = true
-	}
-
-	if withAuth {
-		logger.Successf("authentication configured")
-	}
-
 	logger.Generatef("generating GitRepository source")
-
-	if withAuth {
-		secretName := name
-		if sourceGitSecretRef != "" {
-			secretName = sourceGitSecretRef
+	if sourceGitArgs.secretRef == "" {
+		secretOpts := sourcesecret.Options{
+			Name:         name,
+			Namespace:    *kubeconfigArgs.Namespace,
+			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-		gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{
-			Name: secretName,
+		switch u.Scheme {
+		case "ssh":
+			secretOpts.SSHHostname = u.Host
+			secretOpts.PrivateKeyPath = sourceGitArgs.privateKeyFile
+			secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(sourceGitArgs.keyAlgorithm)
+			secretOpts.RSAKeyBits = int(sourceGitArgs.keyRSABits)
+			secretOpts.ECDSACurve = sourceGitArgs.keyECDSACurve.Curve
+			secretOpts.Password = sourceGitArgs.password
+		case "https":
+			secretOpts.Username = sourceGitArgs.username
+			secretOpts.Password = sourceGitArgs.password
+			secretOpts.CAFilePath = sourceGitArgs.caFile
+		case "http":
+			logger.Warningf("insecure configuration: credentials configured for an HTTP URL")
+			secretOpts.Username = sourceGitArgs.username
+			secretOpts.Password = sourceGitArgs.password
+		}
+		secret, err := sourcesecret.Generate(secretOpts)
+		if err != nil {
+			return err
+		}
+		var s corev1.Secret
+		if err = yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+			return err
+		}
+		if len(s.StringData) > 0 {
+			if hk, ok := s.StringData[sourcesecret.KnownHostsSecretKey]; ok {
+				logger.Successf("collected public key from SSH server:\n%s", hk)
+			}
+			if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
+				logger.Generatef("deploy key: %s", ppk)
+				if !sourceGitArgs.silent {
+					prompt := promptui.Prompt{
+						Label:     "Have you added the deploy key to your repository",
+						IsConfirm: true,
+					}
+					if _, err := prompt.Run(); err != nil {
+						return fmt.Errorf("aborting")
+					}
+				}
+			}
+			logger.Actionf("applying secret with repository credentials")
+			if err := upsertSecret(ctx, kubeClient, s); err != nil {
+				return err
+			}
+			gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
+				Name: s.Name,
+			}
+			logger.Successf("authentication configured")
 		}
 	}

@@ -267,7 +316,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for GitRepository source reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isGitRepositoryReady(ctx, kubeClient, namespacedName, &gitRepository)); err != nil {
 		return err
 	}
@@ -280,63 +329,6 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func generateKeyPair(ctx context.Context) (*ssh.KeyPair, error) {
-	var keyGen ssh.KeyPairGenerator
-	switch algorithm := sourceGitKeyAlgorithm.String(); algorithm {
-	case "rsa":
-		keyGen = ssh.NewRSAGenerator(int(sourceGitRSABits))
-	case "ecdsa":
-		keyGen = ssh.NewECDSAGenerator(sourceGitECDSACurve.Curve)
-	case "ed25519":
-		keyGen = ssh.NewEd25519Generator()
-	default:
-		return nil, fmt.Errorf("unsupported public key algorithm: %s", algorithm)
-	}
-	pair, err := keyGen.Generate()
-	if err != nil {
-		return nil, fmt.Errorf("key pair generation failed, error: %w", err)
-	}
-	return pair, nil
-}
-
-func scanHostKey(ctx context.Context, url *url.URL) ([]byte, error) {
-	host := url.Host
-	if url.Port() == "" {
-		host = host + ":22"
-	}
-	hostKey, err := ssh.ScanHostKey(host, 30*time.Second)
-	if err != nil {
-		return nil, fmt.Errorf("SSH key scan for host %s failed, error: %w", host, err)
-	}
-	return hostKey, nil
-}
-
-func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.Secret) error {
-	namespacedName := types.NamespacedName{
-		Namespace: secret.GetNamespace(),
-		Name:      secret.GetName(),
-	}
-
-	var existing corev1.Secret
-	err := kubeClient.Get(ctx, namespacedName, &existing)
-	if err != nil {
-		if errors.IsNotFound(err) {
-			if err := kubeClient.Create(ctx, &secret); err != nil {
-				return err
-			} else {
-				return nil
-			}
-		}
-		return err
-	}
-
-	existing.StringData = secret.StringData
-	if err := kubeClient.Update(ctx, &existing); err != nil {
-		return err
-	}
-	return nil
-}
-
 func upsertGitRepository(ctx context.Context, kubeClient client.Client,
 	gitRepository *sourcev1.GitRepository) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
@@ -376,7 +368,14 @@ func isGitRepositoryReady(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}

-		if c := apimeta.FindStatusCondition(gitRepository.Status.Conditions, meta.ReadyCondition); c != nil {
+		if c := conditions.Get(gitRepository, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != gitRepository.GetGeneration() {
+				return false, nil
+			}
+
+			// Further check the Status
 			switch c.Status {
 			case metav1.ConditionTrue:
 				return true, nil
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@@ -0,0 +1,196 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+var pollInterval = 50 * time.Millisecond
+var testTimeout = 10 * time.Second
+
+// Update the GitRepository once created to exercise test specific behavior
+type reconcileFunc func(repo *sourcev1.GitRepository)
+
+// reconciler waits for an object to be created, then invokes a test supplied
+// function to mutate that object, simulating a controller.
+// Test should invoke run() to run the background reconciler task which
+// polls to wait for the object to exist before applying the update function.
+// Any errors from the reconciler are asserted on test completion.
+type reconciler struct {
+	client    client.Client
+	name      types.NamespacedName
+	reconcile reconcileFunc
+}
+
+// Start the background task that waits for the object to exist then applies
+// the update function.
+func (r *reconciler) run(t *testing.T) {
+	result := make(chan error)
+	go func() {
+		defer close(result)
+		err := wait.PollImmediate(
+			pollInterval,
+			testTimeout,
+			r.conditionFunc)
+		result <- err
+	}()
+	t.Cleanup(func() {
+		if err := <-result; err != nil {
+			t.Errorf("Failure from test reconciler: '%v':", err.Error())
+		}
+	})
+}
+
+// A ConditionFunction that waits for the named GitRepository to be created,
+// then sets the ready condition to true.
+func (r *reconciler) conditionFunc() (bool, error) {
+	var repo sourcev1.GitRepository
+	if err := r.client.Get(context.Background(), r.name, &repo); err != nil {
+		if errors.IsNotFound(err) {
+			return false, nil // Keep polling until object is created
+		}
+		return true, err
+	}
+	r.reconcile(&repo)
+	err := r.client.Status().Update(context.Background(), &repo)
+	return true, err
+}
+
+func TestCreateSourceGitExport(t *testing.T) {
+	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
+
+	cases := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			"ExportSucceeded",
+			command,
+			assertGoldenFile("testdata/create_source_git/export.golden"),
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tc.args,
+				assert: tc.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
+
+func TestCreateSourceGit(t *testing.T) {
+	// Default command used for multiple tests
+	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --timeout=" + testTimeout.String()
+
+	cases := []struct {
+		name      string
+		args      string
+		assert    assertFunc
+		reconcile reconcileFunc
+	}{
+		{
+			"NoArgs",
+			"create source git",
+			assertError("name is required"),
+			nil,
+		}, {
+			"Succeeded",
+			command,
+			assertGoldenFile("testdata/create_source_git/success.golden"),
+			func(repo *sourcev1.GitRepository) {
+				newCondition := metav1.Condition{
+					Type:               meta.ReadyCondition,
+					Status:             metav1.ConditionTrue,
+					Reason:             sourcev1.GitOperationSucceedReason,
+					Message:            "succeeded message",
+					ObservedGeneration: repo.GetGeneration(),
+				}
+				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
+				repo.Status.Artifact = &sourcev1.Artifact{
+					Path:     "some-path",
+					Revision: "v1",
+				}
+			},
+		}, {
+			"Failed",
+			command,
+			assertError("failed message"),
+			func(repo *sourcev1.GitRepository) {
+				newCondition := metav1.Condition{
+					Type:               meta.ReadyCondition,
+					Status:             metav1.ConditionFalse,
+					Reason:             sourcev1.URLInvalidReason,
+					Message:            "failed message",
+					ObservedGeneration: repo.GetGeneration(),
+				}
+				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
+			},
+		}, {
+			"NoArtifact",
+			command,
+			assertError("GitRepository source reconciliation completed but no artifact was found"),
+			func(repo *sourcev1.GitRepository) {
+				// Updated with no artifact
+				newCondition := metav1.Condition{
+					Type:               meta.ReadyCondition,
+					Status:             metav1.ConditionTrue,
+					Reason:             sourcev1.GitOperationSucceedReason,
+					Message:            "succeeded message",
+					ObservedGeneration: repo.GetGeneration(),
+				}
+				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
+			},
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			ns := allocateNamespace("podinfo")
+			setupTestNamespace(ns, t)
+			if tc.reconcile != nil {
+				r := reconciler{
+					client:    testEnv.client,
+					name:      types.NamespacedName{Namespace: ns, Name: "podinfo"},
+					reconcile: tc.reconcile,
+				}
+				r.run(t)
+			}
+			cmd := cmdTestCase{
+				args:   tc.args + " -n=" + ns,
+				assert: tc.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -19,80 +19,92 @@ package main
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"

 	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"

 	"github.com/fluxcd/flux2/internal/utils"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )

 var createSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a HelmRepository source",
-	Long: `
-The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
+	Long: `The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
 For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
-	Example: `  # Create a source from a public Helm repository
+	Example: `  # Create a source for an HTTPS public Helm repository
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --interval=10m

-  # Create a source from a Helm repository using basic authentication
+  # Create a source for an HTTPS Helm repository using basic authentication
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --username=username \
    --password=password

-  # Create a source from a Helm repository using TLS authentication
+  # Create a source for an HTTPS Helm repository using TLS authentication
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --cert-file=./cert.crt \
    --key-file=./key.crt \
    --ca-file=./ca.crt
-`,
+
+  # Create a source for an OCI Helm repository
+  flux create source helm podinfo \
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --username=username \
+    --password=password
+
+  # Create a source for an OCI Helm repository using an existing secret with basic auth or dockerconfig credentials
+  flux create source helm podinfo \
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --secret-ref=docker-config`,
 	RunE: createSourceHelmCmdRun,
 }

-var (
-	sourceHelmURL       string
-	sourceHelmUsername  string
-	sourceHelmPassword  string
-	sourceHelmCertFile  string
-	sourceHelmKeyFile   string
-	sourceHelmCAFile    string
-	sourceHelmSecretRef string
-)
+type sourceHelmFlags struct {
+	url             string
+	username        string
+	password        string
+	certFile        string
+	keyFile         string
+	caFile          string
+	secretRef       string
+	passCredentials bool
+}
+
+var sourceHelmArgs sourceHelmFlags

 func init() {
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmURL, "url", "", "Helm repository address")
-	createSourceHelmCmd.Flags().StringVarP(&sourceHelmUsername, "username", "u", "", "basic authentication username")
-	createSourceHelmCmd.Flags().StringVarP(&sourceHelmPassword, "password", "p", "", "basic authentication password")
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmCertFile, "cert-file", "", "TLS authentication cert file path")
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmKeyFile, "key-file", "", "TLS authentication key file path")
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmCAFile, "ca-file", "", "TLS authentication CA file path")
-	createSourceHelmCmd.Flags().StringVarP(&sourceHelmSecretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.url, "url", "", "Helm repository address")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.username, "username", "u", "", "basic authentication username")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.password, "password", "p", "", "basic authentication password")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.certFile, "cert-file", "", "TLS authentication cert file path")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS, basic auth or docker-config credentials")
+	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")

 	createSourceCmd.AddCommand(createSourceHelmCmd)
 }

 func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("HelmRepository source name is required")
-	}
 	name := args[0]

-	if sourceHelmURL == "" {
+	if sourceHelmArgs.url == "" {
 		return fmt.Errorf("url is required")
 	}

@@ -101,95 +113,91 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	tmpDir, err := ioutil.TempDir("", name)
+	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)

-	if _, err := url.Parse(sourceHelmURL); err != nil {
+	if _, err := url.Parse(sourceHelmArgs.url); err != nil {
 		return fmt.Errorf("url parse failed: %w", err)
 	}

 	helmRepository := &sourcev1.HelmRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.HelmRepositorySpec{
-			URL: sourceHelmURL,
+			URL: sourceHelmArgs.url,
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
 		},
 	}

-	if sourceHelmSecretRef != "" {
-		helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
-			Name: sourceHelmSecretRef,
+	url, err := url.Parse(sourceHelmArgs.url)
+	if err != nil {
+		return fmt.Errorf("failed to parse URL: %w", err)
+	}
+	if url.Scheme == sourcev1.HelmRepositoryTypeOCI {
+		helmRepository.Spec.Type = sourcev1.HelmRepositoryTypeOCI
+	}
+
+	if createSourceArgs.fetchTimeout > 0 {
+		helmRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
+	}
+
+	if sourceHelmArgs.secretRef != "" {
+		helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
+			Name: sourceHelmArgs.secretRef,
 		}
+		helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 	}

-	if export {
-		return exportHelmRepository(*helmRepository)
+	if createArgs.export {
+		return printExport(exportHelmRepository(helmRepository))
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

 	logger.Generatef("generating HelmRepository source")
-	if sourceHelmSecretRef == "" {
+	if sourceHelmArgs.secretRef == "" {
 		secretName := fmt.Sprintf("helm-%s", name)
-
-		secret := corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      secretName,
-				Namespace: namespace,
-			},
-			StringData: map[string]string{},
+		secretOpts := sourcesecret.Options{
+			Name:         secretName,
+			Namespace:    *kubeconfigArgs.Namespace,
+			Username:     sourceHelmArgs.username,
+			Password:     sourceHelmArgs.password,
+			CertFilePath: sourceHelmArgs.certFile,
+			KeyFilePath:  sourceHelmArgs.keyFile,
+			CAFilePath:   sourceHelmArgs.caFile,
+			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-
-		if sourceHelmUsername != "" && sourceHelmPassword != "" {
-			secret.StringData["username"] = sourceHelmUsername
-			secret.StringData["password"] = sourceHelmPassword
+		secret, err := sourcesecret.Generate(secretOpts)
+		if err != nil {
+			return err
 		}
-
-		if sourceHelmCertFile != "" && sourceHelmKeyFile != "" {
-			cert, err := ioutil.ReadFile(sourceHelmCertFile)
-			if err != nil {
-				return fmt.Errorf("failed to read repository cert file '%s': %w", sourceHelmCertFile, err)
-			}
-			secret.StringData["certFile"] = string(cert)
-
-			key, err := ioutil.ReadFile(sourceHelmKeyFile)
-			if err != nil {
-				return fmt.Errorf("failed to read repository key file '%s': %w", sourceHelmKeyFile, err)
-			}
-			secret.StringData["keyFile"] = string(key)
+		var s corev1.Secret
+		if err = yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+			return err
 		}
-
-		if sourceHelmCAFile != "" {
-			ca, err := ioutil.ReadFile(sourceHelmCAFile)
-			if err != nil {
-				return fmt.Errorf("failed to read repository CA file '%s': %w", sourceHelmCAFile, err)
-			}
-			secret.StringData["caFile"] = string(ca)
-		}
-
-		if len(secret.StringData) > 0 {
+		if len(s.StringData) > 0 {
 			logger.Actionf("applying secret with repository credentials")
-			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+			if err := upsertSecret(ctx, kubeClient, s); err != nil {
 				return err
 			}
-			helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+			helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
+			helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 			logger.Successf("authentication configured")
 		}
 	}
@@ -201,12 +209,17 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for HelmRepository source reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isHelmRepositoryReady(ctx, kubeClient, namespacedName, helmRepository)); err != nil {
 		return err
 	}
 	logger.Successf("HelmRepository source reconciliation completed")

+	if helmRepository.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		// OCI repos don't expose any artifact so we just return early here
+		return nil
+	}
+
 	if helmRepository.Status.Artifact == nil {
 		return fmt.Errorf("HelmRepository source reconciliation completed but no artifact was found")
 	}
@@ -253,12 +266,14 @@ func isHelmRepositoryReady(ctx context.Context, kubeClient client.Client,
 			return false, err
 		}

-		// Confirm the state we are observing is for the current generation
-		if helmRepository.Generation != helmRepository.Status.ObservedGeneration {
-			return false, nil
-		}
+		if c := conditions.Get(helmRepository, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != helmRepository.GetGeneration() {
+				return false, nil
+			}

-		if c := apimeta.FindStatusCondition(helmRepository.Status.Conditions, meta.ReadyCondition); c != nil {
+			// Further check the Status
 			switch c.Status {
 			case metav1.ConditionTrue:
 				return true, nil
--- a/cmd/flux/create_source_helm_test.go
+++ b/cmd/flux/create_source_helm_test.go
@@ -0,0 +1,81 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateSourceHelm(t *testing.T) {
+	tests := []struct {
+		name       string
+		args       string
+		resultFile string
+		assertFunc string
+	}{
+		{
+			name:       "no args",
+			args:       "create source helm",
+			resultFile: "name is required",
+			assertFunc: "assertError",
+		},
+		{
+			name:       "OCI repo",
+			args:       "create source helm podinfo --url=oci://ghcr.io/stefanprodan/charts/podinfo --interval 5m --export",
+			resultFile: "./testdata/create_source_helm/oci.golden",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "OCI repo with Secret ref",
+			args:       "create source helm podinfo --url=oci://ghcr.io/stefanprodan/charts/podinfo --interval 5m --secret-ref=creds --export",
+			resultFile: "./testdata/create_source_helm/oci-with-secret.golden",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "HTTPS repo",
+			args:       "create source helm podinfo --url=https://stefanprodan.github.io/charts/podinfo --interval 5m --export",
+			resultFile: "./testdata/create_source_helm/https.golden",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+	}
+
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setup(t, tmpl)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var assert assertFunc
+			switch tt.assertFunc {
+			case "assertGoldenTemplateFile":
+				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
+			case "assertError":
+				assert = assertError(tt.resultFile)
+			}
+
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/create_source_oci.go
+++ b/cmd/flux/create_source_oci.go
@@ -0,0 +1,244 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+)
+
+var createSourceOCIRepositoryCmd = &cobra.Command{
+	Use:   "oci [name]",
+	Short: "Create or update an OCIRepository",
+	Long:  `The create source oci command generates an OCIRepository resource and waits for it to be ready.`,
+	Example: `  # Create an OCIRepository for a public container image
+  flux create source oci podinfo \
+    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
+    --tag=6.1.6 \
+    --interval=10m
+`,
+	RunE: createSourceOCIRepositoryCmdRun,
+}
+
+type sourceOCIRepositoryFlags struct {
+	url            string
+	tag            string
+	semver         string
+	digest         string
+	secretRef      string
+	serviceAccount string
+	certSecretRef  string
+	ignorePaths    []string
+	provider       flags.SourceOCIProvider
+}
+
+var sourceOCIRepositoryArgs = newSourceOCIFlags()
+
+func newSourceOCIFlags() sourceOCIRepositoryFlags {
+	return sourceOCIRepositoryFlags{
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+	}
+}
+
+func init() {
+	createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.url, "url", "", "the OCI repository URL")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.tag, "tag", "", "the OCI artifact tag")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.semver, "tag-semver", "", "the OCI artifact tag semver range")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.digest, "digest", "", "the OCI artifact digest")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
+	createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
+
+	createSourceCmd.AddCommand(createSourceOCIRepositoryCmd)
+}
+
+func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	if sourceOCIRepositoryArgs.url == "" {
+		return fmt.Errorf("url is required")
+	}
+
+	if sourceOCIRepositoryArgs.semver == "" && sourceOCIRepositoryArgs.tag == "" && sourceOCIRepositoryArgs.digest == "" {
+		return fmt.Errorf("--tag, --tag-semver or --digest is required")
+	}
+
+	sourceLabels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	var ignorePaths *string
+	if len(sourceOCIRepositoryArgs.ignorePaths) > 0 {
+		ignorePathsStr := strings.Join(sourceOCIRepositoryArgs.ignorePaths, "\n")
+		ignorePaths = &ignorePathsStr
+	}
+
+	repository := &sourcev1.OCIRepository{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: *kubeconfigArgs.Namespace,
+			Labels:    sourceLabels,
+		},
+		Spec: sourcev1.OCIRepositorySpec{
+			Provider: sourceOCIRepositoryArgs.provider.String(),
+			URL:      sourceOCIRepositoryArgs.url,
+			Interval: metav1.Duration{
+				Duration: createArgs.interval,
+			},
+			Reference: &sourcev1.OCIRepositoryRef{},
+			Ignore:    ignorePaths,
+		},
+	}
+
+	if digest := sourceOCIRepositoryArgs.digest; digest != "" {
+		repository.Spec.Reference.Digest = digest
+	}
+	if semver := sourceOCIRepositoryArgs.semver; semver != "" {
+		repository.Spec.Reference.SemVer = semver
+	}
+	if tag := sourceOCIRepositoryArgs.tag; tag != "" {
+		repository.Spec.Reference.Tag = tag
+	}
+
+	if createSourceArgs.fetchTimeout > 0 {
+		repository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
+	}
+
+	if saName := sourceOCIRepositoryArgs.serviceAccount; saName != "" {
+		repository.Spec.ServiceAccountName = saName
+	}
+
+	if secretName := sourceOCIRepositoryArgs.secretRef; secretName != "" {
+		repository.Spec.SecretRef = &meta.LocalObjectReference{
+			Name: secretName,
+		}
+	}
+
+	if secretName := sourceOCIRepositoryArgs.certSecretRef; secretName != "" {
+		repository.Spec.CertSecretRef = &meta.LocalObjectReference{
+			Name: secretName,
+		}
+	}
+
+	if createArgs.export {
+		return printExport(exportOCIRepository(repository))
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("applying OCIRepository")
+	namespacedName, err := upsertOCIRepository(ctx, kubeClient, repository)
+	if err != nil {
+		return err
+	}
+
+	logger.Waitingf("waiting for OCIRepository reconciliation")
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
+		isOCIRepositoryReady(ctx, kubeClient, namespacedName, repository)); err != nil {
+		return err
+	}
+	logger.Successf("OCIRepository reconciliation completed")
+
+	if repository.Status.Artifact == nil {
+		return fmt.Errorf("no artifact was found")
+	}
+	logger.Successf("fetched revision: %s", repository.Status.Artifact.Revision)
+	return nil
+}
+
+func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
+	ociRepository *sourcev1.OCIRepository) (types.NamespacedName, error) {
+	namespacedName := types.NamespacedName{
+		Namespace: ociRepository.GetNamespace(),
+		Name:      ociRepository.GetName(),
+	}
+
+	var existing sourcev1.OCIRepository
+	err := kubeClient.Get(ctx, namespacedName, &existing)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if err := kubeClient.Create(ctx, ociRepository); err != nil {
+				return namespacedName, err
+			} else {
+				logger.Successf("OCIRepository created")
+				return namespacedName, nil
+			}
+		}
+		return namespacedName, err
+	}
+
+	existing.Labels = ociRepository.Labels
+	existing.Spec = ociRepository.Spec
+	if err := kubeClient.Update(ctx, &existing); err != nil {
+		return namespacedName, err
+	}
+	ociRepository = &existing
+	logger.Successf("OCIRepository updated")
+	return namespacedName, nil
+}
+
+func isOCIRepositoryReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, ociRepository *sourcev1.OCIRepository) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, ociRepository)
+		if err != nil {
+			return false, err
+		}
+
+		if c := conditions.Get(ociRepository, meta.ReadyCondition); c != nil {
+			// Confirm the Ready condition we are observing is for the
+			// current generation
+			if c.ObservedGeneration != ociRepository.GetGeneration() {
+				return false, nil
+			}
+
+			// Further check the Status
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}
--- a/cmd/flux/create_source_oci_test.go
+++ b/cmd/flux/create_source_oci_test.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateSourceOCI(t *testing.T) {
+	tests := []struct {
+		name       string
+		args       string
+		assertFunc assertFunc
+	}{
+		{
+			name:       "NoArgs",
+			args:       "create source oci",
+			assertFunc: assertError("name is required"),
+		},
+		{
+			name:       "NoURL",
+			args:       "create source oci podinfo",
+			assertFunc: assertError("url is required"),
+		},
+		{
+			name:       "export manifest",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export.golden"),
+		},
+		{
+			name:       "export manifest with secret",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --secret-ref=creds --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export_with_secret.golden"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assertFunc,
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@@ -37,8 +37,7 @@ import (
 var createTenantCmd = &cobra.Command{
 	Use:   "tenant",
 	Short: "Create or update a tenant",
-	Long: `
-The create tenant command generates namespaces, service accounts and role bindings to limit the
+	Long: `The create tenant command generates namespaces, service accounts and role bindings to limit the
 reconcilers scope to the tenant namespaces.`,
 	Example: `  # Create a tenant with access to a namespace 
  flux create tenant dev-team \
@@ -49,41 +48,38 @@ reconcilers scope to the tenant namespaces.`,
  flux create tenant dev-team \
    --with-namespace=frontend \
    --with-namespace=backend \
-	--export > dev-team.yaml
-`,
+	--export > dev-team.yaml`,
 	RunE: createTenantCmdRun,
 }

 const (
-	tenantLabel       = "toolkit.fluxcd.io/tenant"
-	tenantRoleBinding = "gotk-reconciler"
+	tenantLabel = "toolkit.fluxcd.io/tenant"
 )

-var (
-	tenantNamespaces  []string
-	tenantClusterRole string
-)
+type tenantFlags struct {
+	namespaces  []string
+	clusterRole string
+}
+
+var tenantArgs tenantFlags

 func init() {
-	createTenantCmd.Flags().StringSliceVar(&tenantNamespaces, "with-namespace", nil, "namespace belonging to this tenant")
-	createTenantCmd.Flags().StringVar(&tenantClusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
+	createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
+	createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
 	createCmd.AddCommand(createTenantCmd)
 }

 func createTenantCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("tenant name is required")
-	}
 	tenant := args[0]
 	if err := validation.IsQualifiedName(tenant); len(err) > 0 {
 		return fmt.Errorf("invalid tenant name '%s': %v", tenant, err)
 	}

-	if tenantClusterRole == "" {
+	if tenantArgs.clusterRole == "" {
 		return fmt.Errorf("cluster-role is required")
 	}

-	if tenantNamespaces == nil {
+	if tenantArgs.namespaces == nil {
 		return fmt.Errorf("with-namespace is required")
 	}

@@ -91,7 +87,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 	var accounts []corev1.ServiceAccount
 	var roleBindings []rbacv1.RoleBinding

-	for _, ns := range tenantNamespaces {
+	for _, ns := range tenantArgs.namespaces {
 		if err := validation.IsQualifiedName(ns); len(err) > 0 {
 			return fmt.Errorf("invalid namespace '%s': %v", ns, err)
 		}
@@ -123,31 +119,33 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {

 		roleBinding := rbacv1.RoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      tenantRoleBinding,
+				Name:      fmt.Sprintf("%s-reconciler", tenant),
 				Namespace: ns,
 				Labels:    objLabels,
 			},
 			Subjects: []rbacv1.Subject{
 				{
-					Kind: "User",
-					Name: fmt.Sprintf("gotk:%s:reconciler", ns),
+					APIGroup: "rbac.authorization.k8s.io",
+					Kind:     "User",
+					Name:     fmt.Sprintf("gotk:%s:reconciler", ns),
 				},
 				{
-					Kind: "ServiceAccount",
-					Name: tenant,
+					Kind:      "ServiceAccount",
+					Name:      tenant,
+					Namespace: ns,
 				},
 			},
 			RoleRef: rbacv1.RoleRef{
 				APIGroup: "rbac.authorization.k8s.io",
 				Kind:     "ClusterRole",
-				Name:     tenantClusterRole,
+				Name:     tenantArgs.clusterRole,
 			},
 		}
 		roleBindings = append(roleBindings, roleBinding)
 	}

-	if export {
-		for i, _ := range tenantNamespaces {
+	if createArgs.export {
+		for i := range tenantArgs.namespaces {
 			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i]); err != nil {
 				return err
 			}
@@ -155,15 +153,15 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}

-	for i, _ := range tenantNamespaces {
+	for i := range tenantArgs.namespaces {
 		logger.Actionf("applying namespace %s", namespaces[i].Name)
 		if err := upsertNamespace(ctx, kubeClient, namespaces[i]); err != nil {
 			return err
@@ -290,7 +288,7 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 	fmt.Println(resourceToString(data))

 	account.TypeMeta = metav1.TypeMeta{
-		APIVersion: "",
+		APIVersion: "v1",
 		Kind:       "ServiceAccount",
 	}
 	data, err = yaml.Marshal(account)
--- a/cmd/flux/create_test.go
+++ b/cmd/flux/create_test.go
@@ -0,0 +1,55 @@
+package main
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/rand"
+)
+
+func Test_validateObjectName(t *testing.T) {
+	tests := []struct {
+		name  string
+		valid bool
+	}{
+		{
+			name:  "flux-system",
+			valid: true,
+		},
+		{
+			name:  "-flux-system",
+			valid: false,
+		},
+		{
+			name:  "-flux-system-",
+			valid: false,
+		},
+		{
+			name:  "third.first",
+			valid: false,
+		},
+		{
+			name:  "THirdfirst",
+			valid: false,
+		},
+		{
+			name:  "THirdfirst",
+			valid: false,
+		},
+		{
+			name:  rand.String(63),
+			valid: true,
+		},
+		{
+			name:  rand.String(64),
+			valid: false,
+		},
+	}
+
+	for _, tt := range tests {
+		valid := validateObjectName(tt.name)
+		if valid != tt.valid {
+			t.Errorf("expected name %q to return %t for validateObjectName func but got %t",
+				tt.name, tt.valid, valid)
+		}
+	}
+}
--- a/cmd/flux/delete.go
+++ b/cmd/flux/delete.go
@@ -17,7 +17,14 @@ limitations under the License.
 package main

 import (
+	"context"
+	"fmt"
+
+	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var deleteCmd = &cobra.Command{
@@ -26,13 +33,64 @@ var deleteCmd = &cobra.Command{
 	Long:  "The delete sub-commands delete sources and resources.",
 }

-var (
-	deleteSilent bool
-)
+type deleteFlags struct {
+	silent bool
+}
+
+var deleteArgs deleteFlags

 func init() {
-	deleteCmd.PersistentFlags().BoolVarP(&deleteSilent, "silent", "s", false,
+	deleteCmd.PersistentFlags().BoolVarP(&deleteArgs.silent, "silent", "s", false,
 		"delete resource without asking for confirmation")

 	rootCmd.AddCommand(deleteCmd)
 }
+
+type deleteCommand struct {
+	apiType
+	object adapter // for getting the value, and later deleting it
+}
+
+func (del deleteCommand) run(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("%s name is required", del.humanKind)
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: *kubeconfigArgs.Namespace,
+		Name:      name,
+	}
+
+	err = kubeClient.Get(ctx, namespacedName, del.object.asClientObject())
+	if err != nil {
+		return err
+	}
+
+	if !deleteArgs.silent {
+		prompt := promptui.Prompt{
+			Label:     "Are you sure you want to delete this " + del.humanKind,
+			IsConfirm: true,
+		}
+		if _, err := prompt.Run(); err != nil {
+			return fmt.Errorf("aborting")
+		}
+	}
+
+	logger.Actionf("deleting %s %s in %s namespace", del.humanKind, name, *kubeconfigArgs.Namespace)
+	err = kubeClient.Delete(ctx, del.object.asClientObject())
+	if err != nil {
+		return err
+	}
+	logger.Successf("%s deleted", del.humanKind)
+
+	return nil
+}
--- a/cmd/flux/delete_alert.go
+++ b/cmd/flux/delete_alert.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main

 import (
-	"context"
-	"fmt"
-
-	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"

-	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )

@@ -33,56 +27,14 @@ var deleteAlertCmd = &cobra.Command{
 	Short: "Delete a Alert resource",
 	Long:  "The delete alert command removes the given Alert from the cluster.",
 	Example: `  # Delete an Alert and the Kubernetes resources created by it
-  flux delete alert main
-`,
-	RunE: deleteAlertCmdRun,
+  flux delete alert main`,
+	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.AlertKind)),
+	RunE: deleteCommand{
+		apiType: alertType,
+		object:  universalAdapter{&notificationv1.Alert{}},
+	}.run,
 }

 func init() {
 	deleteCmd.AddCommand(deleteAlertCmd)
 }
-
-func deleteAlertCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("alert name is required")
-	}
-	name := args[0]
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
-	namespacedName := types.NamespacedName{
-		Namespace: namespace,
-		Name:      name,
-	}
-
-	var alert notificationv1.Alert
-	err = kubeClient.Get(ctx, namespacedName, &alert)
-	if err != nil {
-		return err
-	}
-
-	if !deleteSilent {
-		prompt := promptui.Prompt{
-			Label:     "Are you sure you want to delete this Alert",
-			IsConfirm: true,
-		}
-		if _, err := prompt.Run(); err != nil {
-			return fmt.Errorf("aborting")
-		}
-	}
-
-	logger.Actionf("deleting alert %s in %s namespace", name, namespace)
-	err = kubeClient.Delete(ctx, &alert)
-	if err != nil {
-		return err
-	}
-	logger.Successf("alert deleted")
-
-	return nil
-}
--- a/cmd/flux/delete_alertprovider.go
+++ b/cmd/flux/delete_alertprovider.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main

 import (
-	"context"
-	"fmt"
-
-	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"

-	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )

@@ -33,56 +27,14 @@ var deleteAlertProviderCmd = &cobra.Command{
 	Short: "Delete a Provider resource",
 	Long:  "The delete alert-provider command removes the given Provider from the cluster.",
 	Example: `  # Delete a Provider and the Kubernetes resources created by it
-  flux delete alert-provider slack
-`,
-	RunE: deleteAlertProviderCmdRun,
+  flux delete alert-provider slack`,
+	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ProviderKind)),
+	RunE: deleteCommand{
+		apiType: alertProviderType,
+		object:  universalAdapter{&notificationv1.Provider{}},
+	}.run,
 }

 func init() {
 	deleteCmd.AddCommand(deleteAlertProviderCmd)
 }
-
-func deleteAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("provider name is required")
-	}
-	name := args[0]
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
-	namespacedName := types.NamespacedName{
-		Namespace: namespace,
-		Name:      name,
-	}
-
-	var alertProvider notificationv1.Provider
-	err = kubeClient.Get(ctx, namespacedName, &alertProvider)
-	if err != nil {
-		return err
-	}
-
-	if !deleteSilent {
-		prompt := promptui.Prompt{
-			Label:     "Are you sure you want to delete this Provider",
-			IsConfirm: true,
-		}
-		if _, err := prompt.Run(); err != nil {
-			return fmt.Errorf("aborting")
-		}
-	}
-
-	logger.Actionf("deleting provider %s in %s namespace", name, namespace)
-	err = kubeClient.Delete(ctx, &alertProvider)
-	if err != nil {
-		return err
-	}
-	logger.Successf("provider deleted")
-
-	return nil
-}
--- a/cmd/flux/delete_helmrelease.go
+++ b/cmd/flux/delete_helmrelease.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main

 import (
-	"context"
-	"fmt"
-
-	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"

-	"github.com/fluxcd/flux2/internal/utils"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 )

@@ -34,59 +28,14 @@ var deleteHelmReleaseCmd = &cobra.Command{
 	Short:   "Delete a HelmRelease resource",
 	Long:    "The delete helmrelease command removes the given HelmRelease from the cluster.",
 	Example: `  # Delete a Helm release and the Kubernetes resources created by it
-  flux delete hr podinfo
-`,
-	RunE: deleteHelmReleaseCmdRun,
+  flux delete hr podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
+	RunE: deleteCommand{
+		apiType: helmReleaseType,
+		object:  universalAdapter{&helmv2.HelmRelease{}},
+	}.run,
 }

 func init() {
 	deleteCmd.AddCommand(deleteHelmReleaseCmd)
 }
-
-func deleteHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("release name is required")
-	}
-	name := args[0]
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
-	namespacedName := types.NamespacedName{
-		Namespace: namespace,
-		Name:      name,
-	}
-
-	var helmRelease helmv2.HelmRelease
-	err = kubeClient.Get(ctx, namespacedName, &helmRelease)
-	if err != nil {
-		return err
-	}
-
-	if !deleteSilent {
-		if !helmRelease.Spec.Suspend {
-			logger.Waitingf("This action will remove the Kubernetes objects previously applied by the %s Helm release!", name)
-		}
-		prompt := promptui.Prompt{
-			Label:     "Are you sure you want to delete this Helm release",
-			IsConfirm: true,
-		}
-		if _, err := prompt.Run(); err != nil {
-			return fmt.Errorf("aborting")
-		}
-	}
-
-	logger.Actionf("deleting release %s in %s namespace", name, namespace)
-	err = kubeClient.Delete(ctx, &helmRelease)
-	if err != nil {
-		return err
-	}
-	logger.Successf("release deleted")
-
-	return nil
-}
--- a/cmd/flux/delete_image.go
+++ b/cmd/flux/delete_image.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var deleteImageCmd = &cobra.Command{
+	Use:   "image",
+	Short: "Delete image automation objects",
+	Long:  "The delete image sub-commands delete image automation objects.",
+}
+
+func init() {
+	deleteCmd.AddCommand(deleteImageCmd)
+}
--- a/cmd/flux/delete_image_policy.go
+++ b/cmd/flux/delete_image_policy.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
+)
+
+var deleteImagePolicyCmd = &cobra.Command{
+	Use:   "policy [name]",
+	Short: "Delete an ImagePolicy object",
+	Long:  "The delete image policy command deletes the given ImagePolicy from the cluster.",
+	Example: `  # Delete an image policy
+  flux delete image policy alpine3.x`,
+	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
+	RunE: deleteCommand{
+		apiType: imagePolicyType,
+		object:  universalAdapter{&imagev1.ImagePolicy{}},
+	}.run,
+}
+
+func init() {
+	deleteImageCmd.AddCommand(deleteImagePolicyCmd)
+}
--- a/cmd/flux/delete_image_repository.go
+++ b/cmd/flux/delete_image_repository.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
+)
+
+var deleteImageRepositoryCmd = &cobra.Command{
+	Use:   "repository [name]",
+	Short: "Delete an ImageRepository object",
+	Long:  "The delete image repository command deletes the given ImageRepository from the cluster.",
+	Example: `  # Delete an image repository
+  flux delete image repository alpine`,
+	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
+	RunE: deleteCommand{
+		apiType: imageRepositoryType,
+		object:  universalAdapter{&imagev1.ImageRepository{}},
+	}.run,
+}
+
+func init() {
+	deleteImageCmd.AddCommand(deleteImageRepositoryCmd)
+}
--- a/cmd/flux/delete_image_update.go
+++ b/cmd/flux/delete_image_update.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+)
+
+var deleteImageUpdateCmd = &cobra.Command{
+	Use:   "update [name]",
+	Short: "Delete an ImageUpdateAutomation object",
+	Long:  "The delete image update command deletes the given ImageUpdateAutomation from the cluster.",
+	Example: `  # Delete an image update automation
+  flux delete image update latest-images`,
+	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
+	RunE: deleteCommand{
+		apiType: imageUpdateAutomationType,
+		object:  universalAdapter{&autov1.ImageUpdateAutomation{}},
+	}.run,
+}
+
+func init() {
+	deleteImageCmd.AddCommand(deleteImageUpdateCmd)
+}
--- a/cmd/flux/delete_kustomization.go
+++ b/cmd/flux/delete_kustomization.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main

 import (
-	"context"
-	"fmt"
-
-	"github.com/fluxcd/flux2/internal/utils"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
-	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 )

 var deleteKsCmd = &cobra.Command{
@@ -32,60 +27,15 @@ var deleteKsCmd = &cobra.Command{
 	Aliases: []string{"ks"},
 	Short:   "Delete a Kustomization resource",
 	Long:    "The delete kustomization command deletes the given Kustomization from the cluster.",
-	Example: `  # Delete a kustomization and the Kubernetes resources created by it
-  flux delete kustomization podinfo
-`,
-	RunE: deleteKsCmdRun,
+	Example: `  # Delete a kustomization and the Kubernetes resources created by it when prune is enabled
+  flux delete kustomization podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
+	RunE: deleteCommand{
+		apiType: kustomizationType,
+		object:  universalAdapter{&kustomizev1.Kustomization{}},
+	}.run,
 }

 func init() {
 	deleteCmd.AddCommand(deleteKsCmd)
 }
-
-func deleteKsCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("kustomization name is required")
-	}
-	name := args[0]
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
-	namespacedName := types.NamespacedName{
-		Namespace: namespace,
-		Name:      name,
-	}
-
-	var kustomization kustomizev1.Kustomization
-	err = kubeClient.Get(ctx, namespacedName, &kustomization)
-	if err != nil {
-		return err
-	}
-
-	if !deleteSilent {
-		if !kustomization.Spec.Suspend {
-			logger.Waitingf("This action will remove the Kubernetes objects previously applied by the %s kustomization!", name)
-		}
-		prompt := promptui.Prompt{
-			Label:     "Are you sure you want to delete this kustomization",
-			IsConfirm: true,
-		}
-		if _, err := prompt.Run(); err != nil {
-			return fmt.Errorf("aborting")
-		}
-	}
-
-	logger.Actionf("deleting kustomization %s in %s namespace", name, namespace)
-	err = kubeClient.Delete(ctx, &kustomization)
-	if err != nil {
-		return err
-	}
-	logger.Successf("kustomization deleted")
-
-	return nil
-}
--- a/cmd/flux/delete_receiver.go
+++ b/cmd/flux/delete_receiver.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main

 import (
-	"context"
-	"fmt"
-
-	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"

-	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )

@@ -33,56 +27,14 @@ var deleteReceiverCmd = &cobra.Command{
 	Short: "Delete a Receiver resource",
 	Long:  "The delete receiver command removes the given Receiver from the cluster.",
 	Example: `  # Delete an Receiver and the Kubernetes resources created by it
-  flux delete receiver main
-`,
-	RunE: deleteReceiverCmdRun,
+  flux delete receiver main`,
+	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)),
+	RunE: deleteCommand{
+		apiType: receiverType,
+		object:  universalAdapter{&notificationv1.Receiver{}},
+	}.run,
 }

 func init() {
 	deleteCmd.AddCommand(deleteReceiverCmd)
 }
-
-func deleteReceiverCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("receiver name is required")
-	}
-	name := args[0]
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
-	namespacedName := types.NamespacedName{
-		Namespace: namespace,
-		Name:      name,
-	}
-
-	var receiver notificationv1.Receiver
-	err = kubeClient.Get(ctx, namespacedName, &receiver)
-	if err != nil {
-		return err
-	}
-
-	if !deleteSilent {
-		prompt := promptui.Prompt{
-			Label:     "Are you sure you want to delete this Receiver",
-			IsConfirm: true,
-		}
-		if _, err := prompt.Run(); err != nil {
-			return fmt.Errorf("aborting")
-		}
-	}
-
-	logger.Actionf("deleting receiver %s in %s namespace", name, namespace)
-	err = kubeClient.Delete(ctx, &receiver)
-	if err != nil {
-		return err
-	}
-	logger.Successf("receiver deleted")
-
-	return nil
-}
--- a/cmd/flux/delete_source_bucket.go
+++ b/cmd/flux/delete_source_bucket.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main

 import (
-	"context"
-	"fmt"
-
-	"github.com/fluxcd/flux2/internal/utils"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
-	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )

 var deleteSourceBucketCmd = &cobra.Command{
@@ -32,56 +27,14 @@ var deleteSourceBucketCmd = &cobra.Command{
 	Short: "Delete a Bucket source",
 	Long:  "The delete source bucket command deletes the given Bucket from the cluster.",
 	Example: `  # Delete a Bucket source
-  flux delete source bucket podinfo
-`,
-	RunE: deleteSourceBucketCmdRun,
+  flux delete source bucket podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)),
+	RunE: deleteCommand{
+		apiType: bucketType,
+		object:  universalAdapter{&sourcev1.Bucket{}},
+	}.run,
 }

 func init() {
 	deleteSourceCmd.AddCommand(deleteSourceBucketCmd)
 }
-
-func deleteSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("name is required")
-	}
-	name := args[0]
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
-	namespacedName := types.NamespacedName{
-		Namespace: namespace,
-		Name:      name,
-	}
-
-	var bucket sourcev1.Bucket
-	err = kubeClient.Get(ctx, namespacedName, &bucket)
-	if err != nil {
-		return err
-	}
-
-	if !deleteSilent {
-		prompt := promptui.Prompt{
-			Label:     "Are you sure you want to delete this source",
-			IsConfirm: true,
-		}
-		if _, err := prompt.Run(); err != nil {
-			return fmt.Errorf("aborting")
-		}
-	}
-
-	logger.Actionf("deleting source %s in %s namespace", name, namespace)
-	err = kubeClient.Delete(ctx, &bucket)
-	if err != nil {
-		return err
-	}
-	logger.Successf("source deleted")
-
-	return nil
-}
--- a/cmd/flux/delete_source_git.go
+++ b/cmd/flux/delete_source_git.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main

 import (
-	"context"
-	"fmt"
-
-	"github.com/fluxcd/flux2/internal/utils"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
-	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )

 var deleteSourceGitCmd = &cobra.Command{
@@ -32,56 +27,14 @@ var deleteSourceGitCmd = &cobra.Command{
 	Short: "Delete a GitRepository source",
 	Long:  "The delete source git command deletes the given GitRepository from the cluster.",
 	Example: `  # Delete a Git repository
-  flux delete source git podinfo
-`,
-	RunE: deleteSourceGitCmdRun,
+  flux delete source git podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)),
+	RunE: deleteCommand{
+		apiType: gitRepositoryType,
+		object:  universalAdapter{&sourcev1.GitRepository{}},
+	}.run,
 }

 func init() {
 	deleteSourceCmd.AddCommand(deleteSourceGitCmd)
 }
-
-func deleteSourceGitCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("git name is required")
-	}
-	name := args[0]
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
-	namespacedName := types.NamespacedName{
-		Namespace: namespace,
-		Name:      name,
-	}
-
-	var git sourcev1.GitRepository
-	err = kubeClient.Get(ctx, namespacedName, &git)
-	if err != nil {
-		return err
-	}
-
-	if !deleteSilent {
-		prompt := promptui.Prompt{
-			Label:     "Are you sure you want to delete this source",
-			IsConfirm: true,
-		}
-		if _, err := prompt.Run(); err != nil {
-			return fmt.Errorf("aborting")
-		}
-	}
-
-	logger.Actionf("deleting source %s in %s namespace", name, namespace)
-	err = kubeClient.Delete(ctx, &git)
-	if err != nil {
-		return err
-	}
-	logger.Successf("source deleted")
-
-	return nil
-}
--- a/cmd/flux/delete_source_helm.go
+++ b/cmd/flux/delete_source_helm.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main

 import (
-	"context"
-	"fmt"
-
-	"github.com/fluxcd/flux2/internal/utils"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
-	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )

 var deleteSourceHelmCmd = &cobra.Command{
@@ -32,56 +27,14 @@ var deleteSourceHelmCmd = &cobra.Command{
 	Short: "Delete a HelmRepository source",
 	Long:  "The delete source helm command deletes the given HelmRepository from the cluster.",
 	Example: `  # Delete a Helm repository
-  flux delete source helm podinfo
-`,
-	RunE: deleteSourceHelmCmdRun,
+  flux delete source helm podinfo`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)),
+	RunE: deleteCommand{
+		apiType: helmRepositoryType,
+		object:  universalAdapter{&sourcev1.HelmRepository{}},
+	}.run,
 }

 func init() {
 	deleteSourceCmd.AddCommand(deleteSourceHelmCmd)
 }
-
-func deleteSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("name is required")
-	}
-	name := args[0]
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
-	namespacedName := types.NamespacedName{
-		Namespace: namespace,
-		Name:      name,
-	}
-
-	var helmRepository sourcev1.HelmRepository
-	err = kubeClient.Get(ctx, namespacedName, &helmRepository)
-	if err != nil {
-		return err
-	}
-
-	if !deleteSilent {
-		prompt := promptui.Prompt{
-			Label:     "Are you sure you want to delete this source",
-			IsConfirm: true,
-		}
-		if _, err := prompt.Run(); err != nil {
-			return fmt.Errorf("aborting")
-		}
-	}
-
-	logger.Actionf("deleting source %s in %s namespace", name, namespace)
-	err = kubeClient.Delete(ctx, &helmRepository)
-	if err != nil {
-		return err
-	}
-	logger.Successf("source deleted")
-
-	return nil
-}
--- a/Show More
+++ b/Show More