Merge pull request #720 from fluxcd/update-components

Update kustomize-controller to v0.6.2
Update toolkit components
2026-03-01 11:16:56 +00:00 · 2021-01-15 17:16:50 +01:00 · 2021-01-15 16:02:02 +00:00 · 2021-01-15 17:01:08 +01:00 · 2021-01-15 16:50:23 +01:00 · 2021-01-15 16:49:26 +01:00
187 changed files with 7100 additions and 775 deletions
--- a/.github/aur/flux-bin/.SRCINFO.template
+++ b/.github/aur/flux-bin/.SRCINFO.template
@@ -0,0 +1,17 @@
+pkgbase = flux-bin
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	optdepends = kubectl
+	source_x86_64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_amd64.tar.gz
+	source_armv6h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
+	source_armv7h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
+	source_aarch64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm64.tar.gz
+
+pkgname = flux-bin
--- a/.github/aur/flux-bin/.gitignore
+++ b/.github/aur/flux-bin/.gitignore
@@ -0,0 +1 @@
+.pkg
--- a/.github/aur/flux-bin/PKGBUILD.template
+++ b/.github/aur/flux-bin/PKGBUILD.template
@@ -0,0 +1,39 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-bin
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+optdepends=("kubectl")
+source_x86_64=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
+)
+source_armv6h=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+)
+source_armv7h=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+)
+source_aarch64=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
+)
+sha256sums_x86_64=(
+  ${SHA256SUM_AMD64}
+)
+sha256sums_armv6h=(
+  ${SHA256SUM_ARM}
+)
+sha256sums_armv7h=(
+  ${SHA256SUM_ARM}
+)
+sha256sums_aarch64=(
+  ${SHA256SUM_ARM64}
+)
+
+package() {
+	install -Dm755 flux "$pkgdir/usr/bin/flux"
+}
--- a/.github/aur/flux-bin/publish.sh
+++ b/.github/aur/flux-bin/publish.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+LOCKFILE=/tmp/aur-$PKGNAME.lock
+exec 100>$LOCKFILE || exit 0
+flock -n 100 || exit 0
+trap "rm -f $LOCKFILE" EXIT
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_amd64.tar.gz | awk '{ print $1 }')
+
+envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi
--- a/.github/aur/flux-go/.SRCINFO.template
+++ b/.github/aur/flux-go/.SRCINFO.template
@@ -0,0 +1,19 @@
+pkgbase = flux-go
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	makedepends = go
+	depends = glibc
+	optdepends = kubectl
+	provides = flux-bin
+	conflicts = flux-bin
+  replaces = flux-cli
+	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${PKGVER}.tar.gz
+
+pkgname = flux-go
--- a/.github/aur/flux-go/.gitignore
+++ b/.github/aur/flux-go/.gitignore
@@ -0,0 +1 @@
+.pkg
--- a/.github/aur/flux-go/PKGBUILD.template
+++ b/.github/aur/flux-go/PKGBUILD.template
@@ -0,0 +1,43 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-go
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+provides=("flux-bin")
+conflicts=("flux-bin")
+replaces=("flux-cli")
+depends=("glibc")
+makedepends=("go")
+optdepends=("kubectl")
+source=(
+  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/archive/v$pkgver.tar.gz"
+)
+sha256sums=(
+  ${SHA256SUM}
+)
+
+build() {
+  cd "flux2-$pkgver"
+  export CGO_LDFLAGS="$LDFLAGS"
+  export CGO_CFLAGS="$CFLAGS"
+  export CGO_CXXFLAGS="$CXXFLAGS"
+  export CGO_CPPFLAGS="$CPPFLAGS"
+  export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
+  go build -ldflags "-X main.VERSION=$pkgver" -o flux-bin ./cmd/flux
+}
+
+check() {
+  cd "flux2-$pkgver"
+  make test
+}
+
+package() {
+  cd "flux2-$pkgver"
+  install -Dm755 flux-bin "$pkgdir/usr/bin/flux"
+  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+}
--- a/.github/aur/flux-go/publish.sh
+++ b/.github/aur/flux-go/publish.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+LOCKFILE=/tmp/aur-$PKGNAME.lock
+exec 100>$LOCKFILE || exit 0
+flock -n 100 || exit 0
+trap "rm -f $LOCKFILE" EXIT
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v$PKGVER.tar.gz | sha256sum | awk '{ print $1 }')
+
+envsubst '$PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi
--- a/.github/aur/flux-scm/.SRCINFO.template
+++ b/.github/aur/flux-scm/.SRCINFO.template
@@ -0,0 +1,19 @@
+pkgbase = flux-scm
+	pkgdesc = Open and extensible continuous delivery solution for Kubernetes
+	pkgver = ${PKGVER}
+	pkgrel = ${PKGREL}
+	url = https://fluxcd.io/
+	arch = x86_64
+	arch = armv6h
+	arch = armv7h
+	arch = aarch64
+	license = APACHE
+	makedepends = go
+	depends = glibc
+	optdepends = kubectl
+	provides = flux-bin
+	conflicts = flux-bin
+	source = git+https://github.com/fluxcd/flux2.git
+	md5sums = SKIP
+
+pkgname = flux-scm
--- a/.github/aur/flux-scm/.gitignore
+++ b/.github/aur/flux-scm/.gitignore
@@ -0,0 +1 @@
+.pkg
--- a/.github/aur/flux-scm/PKGBUILD.template
+++ b/.github/aur/flux-scm/PKGBUILD.template
@@ -0,0 +1,45 @@
+# Maintainer: Aurel Canciu <aurelcanciu@gmail.com>
+# Maintainer: Hidde Beydals <hello@hidde.co>
+
+pkgname=flux-scm
+pkgver=${PKGVER}
+pkgrel=${PKGREL}
+pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
+url="https://fluxcd.io/"
+arch=("x86_64" "armv6h" "armv7h" "aarch64")
+license=("APACHE")
+provides=("flux-bin")
+conflicts=("flux-bin")
+depends=("glibc")
+makedepends=("go")
+optdepends=("kubectl")
+source=(
+  "git+https://github.com/fluxcd/flux2.git"
+)
+md5sums=('SKIP')
+
+pkgver() {
+  cd "flux2"
+  printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+}
+
+build() {
+  cd "flux2"
+  export CGO_LDFLAGS="$LDFLAGS"
+  export CGO_CFLAGS="$CFLAGS"
+  export CGO_CXXFLAGS="$CXXFLAGS"
+  export CGO_CPPFLAGS="$CPPFLAGS"
+  export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
+  go build -ldflags "-X main.VERSION=$pkgver" -o flux-bin ./cmd/flux
+}
+
+check() {
+  cd "flux2"
+  make test
+}
+
+package() {
+  cd "flux2"
+  install -Dm755 flux-bin "$pkgdir/usr/bin/flux"
+  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+}
--- a/.github/aur/flux-scm/publish.sh
+++ b/.github/aur/flux-scm/publish.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+set -e
+
+WD=$(cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)
+PKGNAME=$(basename $WD)
+ROOT=${WD%/.github/aur/$PKGNAME}
+
+LOCKFILE=/tmp/aur-$PKGNAME.lock
+exec 100>$LOCKFILE || exit 0
+flock -n 100 || exit 0
+trap "rm -f $LOCKFILE" EXIT
+
+export VERSION=$1
+echo "Publishing to AUR as version ${VERSION}"
+
+cd $WD
+
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+eval $(ssh-agent -s)
+ssh-add <(echo "$AUR_BOT_SSH_PRIVATE_KEY")
+
+GITDIR=$(mktemp -d /tmp/aur-$PKGNAME-XXX)
+trap "rm -rf $GITDIR" EXIT
+git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
+
+CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
+CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
+
+export PKGVER=${VERSION/-/}
+
+if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
+    export PKGREL=$((CURRENT_PKGREL+1))
+else
+    export PKGREL=1
+fi
+
+envsubst '$PKGVER $PKGREL' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$PKGVER $PKGREL' < PKGBUILD.template > $GITDIR/PKGBUILD
+
+cd $GITDIR
+git config user.name "fluxcdbot"
+git config user.email "fluxcdbot@users.noreply.github.com"
+git add -A
+if [ -z "$(git status --porcelain)" ]; then
+  echo "No changes."
+else
+  git commit -m "Updated to version v${PKGVER} release ${PKGREL}"
+  git push origin master
+fi
--- a/.github/workflows/bootstrap.yaml
+++ b/.github/workflows/bootstrap.yaml
@@ -49,8 +49,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: uninstall
        run: |
-          ./bin/flux suspend kustomization flux-system
-          ./bin/flux uninstall --resources --crds -s
+          ./bin/flux uninstall --resources --crds -s --timeout=10m
      - name: bootstrap reinstall
        run: |
          ./bin/flux bootstrap github --manifests ./manifests/install/ \
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -136,12 +136,45 @@ jobs:
      - name: flux delete source git
        run: |
          ./bin/flux delete source git podinfo --silent
+      - name: flux create tenant
+        run: |
+          ./bin/flux create tenant dev-team --with-namespace=apps
+          ./bin/flux -n apps create source helm podinfo \
+            --url https://stefanprodan.github.io/podinfo
+          ./bin/flux -n apps create hr podinfo-helm \
+            --source=HelmRepository/podinfo \
+            --chart=podinfo \
+            --chart-version="5.0.x" \
+            --service-account=dev-team
+      - name: flux create image repository
+        run: |
+          ./bin/flux create image repository podinfo \
+            --image=ghcr.io/stefanprodan/podinfo \
+            --interval=1m
+      - name: flux create image policy
+        run: |
+          ./bin/flux create image policy podinfo \
+            --image-ref=podinfo \
+            --interval=1m \
+            --semver=5.0.x
+      - name: flux get image policy
+        run: |
+          ./bin/flux get image policy podinfo | grep '5.0.3'
+      - name: flux2-kustomize-helm-example
+        run: |
+          ./bin/flux create source git flux-system \
+          --url=https://github.com/fluxcd/flux2-kustomize-helm-example \
+          --branch=main
+          ./bin/flux create kustomization flux-system \
+          --source=flux-system \
+          --path=./clusters/staging
+          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=2m
      - name: flux check
        run: |
          ./bin/flux check
      - name: flux uninstall
        run: |
-          ./bin/flux uninstall --crds --silent
+          ./bin/flux uninstall --crds --silent --timeout=10m
      - name: Debug failure
        if: failure()
        run: |
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -59,24 +59,9 @@ jobs:

          # create tarball
          cd ./output && tar -cvzf manifests.tar.gz $files
-      - name: Create release
-        id: create_release
-        uses: actions/create-release@latest
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
-      - name: Upload artifacts
-        id: upload-release-asset
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./output/manifests.tar.gz
-          asset_name: manifests.tar.gz
-          asset_content_type: application/gzip
+      - name: Generate install manifest
+        run: |
+          kustomize build ./manifests/install > ./output/install.yaml
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v1
        with:
@@ -85,3 +70,4 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+          AUR_BOT_SSH_PRIVATE_KEY: ${{ secrets.AUR_BOT_SSH_PRIVATE_KEY }}
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -40,6 +40,8 @@ jobs:
            bump_version kustomize-controller
            bump_version source-controller
            bump_version notification-controller
+            bump_version image-reflector-controller
+            bump_version image-automation-controller

            # add missing and remove unused modules
            go mod tidy
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,3 +1,4 @@
+project_name: flux
 builds:
  - <<: &build_defaults
      binary: flux
@@ -50,3 +51,23 @@ brews:
        type: optional
    test: |
      system "#{bin}/flux --version"
+publishers:
+  - name: aur-pkg-bin
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-bin/publish.sh {{ .Version }}
+  - name: aur-pkg-scm
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-scm/publish.sh {{ .Version }}
+  - name: aur-pkg-go
+    env:
+      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
+    cmd: |
+      .github/aur/flux-go/publish.sh {{ .Version }}
+release:
+  extra_files:
+    - glob: ./output/manifests.tar.gz
+    - glob: ./output/install.yaml
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,7 +1,6 @@
 # Contributing

-Flux is [Apache 2.0
-licensed](https://github.com/fluxcd/flux2/blob/main/LICENSE) and
+Flux is [Apache 2.0 licensed](https://github.com/fluxcd/flux2/blob/main/LICENSE) and
 accepts contributions via GitHub pull requests. This document outlines
 some of the conventions on to make it easier to get your contribution
 accepted.
@@ -14,9 +13,18 @@ code.
 By contributing to this project you agree to the Developer Certificate of
 Origin (DCO). This document was created by the Linux Kernel community and is a
 simple statement that you, as a contributor, have the legal right to make the
-contribution. No action from you is required, but it's a good idea to see the
-[DCO](DCO) file for details before you start contributing code to FluxCD
-organization.
+contribution.
+
+We require all commits to be signed. By signing off with your signature, you
+certify that you wrote the patch or otherwise have the right to contribute the
+material by the rules of the [DCO](DCO):
+
+`Signed-off-by: Jane Doe <jane.doe@example.com>`
+
+The signature must contain your real name
+(sorry, no pseudonyms or anonymous contributions)
+If your `user.name` and `user.email` are configured in your Git config,
+you can sign your commit automatically with `git commit -s`.

 ## Communications

--- a/9
+++ b/9
@@ -2,8 +2,17 @@ The maintainers are generally available in Slack at
 https://cloud-native.slack.com in #flux (https://cloud-native.slack.com/messages/CLAJ40HV3)
 (obtain an invitation at https://slack.cncf.io/).

+These maintainers are shared with other Flux v2-related git
+repositories under https://github.com/fluxcd, as noted in their
+respective MAINTAINERS files.
+
+For convenience, they are reflected in the GitHub team
+@fluxcd/flux2-maintainers -- if the list here changes, that team also
+should.
+
 In alphabetical order:

 Aurel Canciu, Sortlist <aurel@sortlist.com> (github: @relu, slack: relu)
 Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
+Philip Laine, Xenit <philip.laine@xenit.se> (github: @phillebaba, slack: phillebaba)
 Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)
--- a/README.md
+++ b/README.md
@@ -36,6 +36,15 @@ curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
 . <(flux completion bash)
 ```

+Arch Linux (AUR) packages:
+
+- [flux-bin](https://aur.archlinux.org/packages/flux-bin): install the latest
+  stable version using a pre-build binary (recommended)
+- [flux-go](https://aur.archlinux.org/packages/flux-go): build the latest
+  stable version from source code
+- [flux-scm](https://aur.archlinux.org/packages/flux-scm): build the latest
+  (unstable) version from source code from our git `main` branch
+
 Binaries for macOS, Windows and Linux AMD64/ARM are available to download on the
 [release page](https://github.com/fluxcd/flux2/releases).

@@ -98,17 +107,19 @@ Depending on what you want to do, some of the following bits might be your first
 - To be part of the conversation about Flux's development, [join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
 - Check out [how to contribute](CONTRIBUTING.md) to the project

-### Featured Talks
+### Upcoming Events
+- 11 Jan 2021 - [Helm + GitOps = ⚡️⚡️⚡️ with Scott Rigby](https://www.meetup.com/GitOps-Community/events/275348736/)
+- 25 Jan 2021 - [GitOps Core Concepts & How to Teach Your Teams with Leigh Capili](https://www.meetup.com/GitOps-Community/events/275625806/)

+### Featured Talks
+- 14 Dec 2020 - [The Power of GitOps with Flux and Flagger (GitOps Hands-On) with Leigh Capili](https://youtu.be/cB7iXeNLteE)
+- 30 Nov 2020 - [The Power of GitOps with Flux 2 - Part 3 with Leigh Capili](https://youtu.be/N_K5g7o9JKg)
+- 24 Nov 2020 - [Flux CD v2 with GitOps Toolkit - Kubernetes Deployment and Sync Mechanism](https://youtu.be/R6OeIgb7lUI)
+- 02 Nov 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 2 with Leigh Capili](https://youtu.be/fC2YCxQRUwU)
 - 28 Oct 2020 - [The Kubelist Podcast: Flux with Michael Bridgen](https://www.heavybit.com/library/podcasts/the-kubelist-podcast/ep-5-flux-with-michael-bridgen-of-weaveworks/)
 - 19 Oct 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 1 with Leigh Capili](https://youtu.be/0v5bjysXTL8)
 - 12 Oct 2020 - [Rawkode Live: Introduction to GitOps Toolkit with Stefan Prodan](https://youtu.be/HqTzuOBP0eY)
- 4 Sep 2020 - [KubeCon Europe: The road to Flux v2 and Progressive Delivery with Stefan Prodan & Hidde Beydals](https://youtu.be/8v94nUkXsxU)
- 25 June 2020 - [Cloud Native Nordics: Introduction to GitOps & GitOps Toolkit with Alexis Richardson & Stefan Prodan](https://youtu.be/qQBtSkgl7tI)
- 7 May 2020 - [GitOps Days - Community Special: GitOps Toolkit Experimentation with Stefan Prodan](https://youtu.be/WHzxunv4DKk?t=6521)
+- 04 Sep 2020 - [KubeCon Europe: The road to Flux v2 and Progressive Delivery with Stefan Prodan & Hidde Beydals](https://youtu.be/8v94nUkXsxU)
+- 25 Jun 2020 - [Cloud Native Nordics: Introduction to GitOps & GitOps Toolkit with Alexis Richardson & Stefan Prodan](https://youtu.be/qQBtSkgl7tI)

-### Upcoming Events
-
- 30 Nov 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 3 with Leigh Capili](https://www.meetup.com/Weave-User-Group/events/274657228/)
-
-We are looking forward to seeing you with us!
+We look forward to seeing you with us!
--- a/action/README.md
+++ b/action/README.md
@@ -1,6 +1,67 @@
 # Flux GitHub Action

-Example workflow:
+Usage:
+
+```yaml
+    steps:
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Run Flux commands
+        run: flux -v
+```
+
+This action places the `flux` binary inside your repository root under `bin/flux`.
+You should add `bin/flux` to your `.gitignore` file, as in the following example:
+
+```gitignore
+# ignore flux binary
+bin/flux
+```
+
+Note that this action can only be used on GitHub **Linux AMD64** runners.
+
+### Automate Flux updates
+
+Example workflow for updating Flux's components generated with `flux bootstrap --arch=amd64 --path=clusters/production`:
+
+```yaml
+name: update-flux
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 * * * *"
+
+jobs:
+  components:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+      - name: Check for updates
+        id: update
+        run: |
+          flux install --arch=amd64 \
+            --export > ./clusters/production/flux-system/gotk-components.yaml
+
+          VERSION="$(flux -v)"
+          echo "::set-output name=flux_version::$VERSION"
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v3
+        with:
+            token: ${{ secrets.GITHUB_TOKEN }}
+            branch: update-flux
+            commit-message: Update to ${{ steps.update.outputs.flux_version }}
+            title: Update to ${{ steps.update.outputs.flux_version }}
+            body: |
+              ${{ steps.update.outputs.flux_version }}
+```
+
+### End-to-end testing
+
+Example workflow for running Flux in Kubernetes Kind:

 ```yaml
 name: e2e
@@ -23,3 +84,6 @@ jobs:
      - name: Install Flux in Kubernetes Kind
        run: flux install
 ```
+
+A complete e2e testing workflow is available here
+[flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)
--- a/action/entrypoint.sh
+++ b/action/entrypoint.sh
@@ -29,7 +29,7 @@ curl -sL $BIN_URL | tar xz

 # Copy binary to GitHub runner
 mkdir -p $GITHUB_WORKSPACE/bin
-cp ./flux $GITHUB_WORKSPACE/bin
+mv ./flux $GITHUB_WORKSPACE/bin
 chmod +x $GITHUB_WORKSPACE/bin/flux

 # Print version
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -47,17 +47,19 @@ var bootstrapCmd = &cobra.Command{

 var (
 	bootstrapVersion            string
-	bootstrapComponents         []string
+	bootstrapDefaultComponents  []string
+	bootstrapExtraComponents    []string
 	bootstrapRegistry           string
 	bootstrapImagePullSecret    string
 	bootstrapBranch             string
 	bootstrapWatchAllNamespaces bool
 	bootstrapNetworkPolicy      bool
 	bootstrapManifestsPath      string
-	bootstrapArch               = flags.Arch(defaults.Arch)
+	bootstrapArch               flags.Arch
 	bootstrapLogLevel           = flags.LogLevel(defaults.LogLevel)
 	bootstrapRequiredComponents = []string{"source-controller", "kustomize-controller"}
 	bootstrapTokenAuth          bool
+	bootstrapClusterDomain      string
 )

 const (
@@ -67,8 +69,10 @@ const (
 func init() {
 	bootstrapCmd.PersistentFlags().StringVarP(&bootstrapVersion, "version", "v", defaults.Version,
 		"toolkit version")
-	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapComponents, "components", defaults.Components,
+	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapDefaultComponents, "components", defaults.Components,
 		"list of components, accepts comma-separated values")
+	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapExtraComponents, "components-extra", nil,
+		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapRegistry, "registry", "ghcr.io/fluxcd",
 		"container registry where the toolkit images are published")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapImagePullSecret, "image-pull-secret", "",
@@ -84,17 +88,28 @@ func init() {
 		"when enabled, the personal access token will be used instead of SSH deploy key")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapLogLevel, "log-level", bootstrapLogLevel.Description())
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapManifestsPath, "manifests", "", "path to the manifest directory")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapClusterDomain, "cluster-domain", defaults.ClusterDomain, "internal cluster domain")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")
+	bootstrapCmd.PersistentFlags().MarkDeprecated("arch", "multi-arch container image is now available for AMD64, ARMv7 and ARM64")
 	rootCmd.AddCommand(bootstrapCmd)
 }

+func bootstrapComponents() []string {
+	return append(bootstrapDefaultComponents, bootstrapExtraComponents...)
+}
+
 func bootstrapValidate() error {
+	components := bootstrapComponents()
 	for _, component := range bootstrapRequiredComponents {
-		if !utils.ContainsItemString(bootstrapComponents, component) {
+		if !utils.ContainsItemString(components, component) {
 			return fmt.Errorf("component %s is required", component)
 		}
 	}

+	if err := utils.ValidateComponents(components); err != nil {
+		return err
+	}
+
 	return nil
 }

@@ -103,10 +118,9 @@ func generateInstallManifests(targetPath, namespace, tmpDir string, localManifes
 		BaseURL:                localManifests,
 		Version:                bootstrapVersion,
 		Namespace:              namespace,
-		Components:             bootstrapComponents,
+		Components:             bootstrapComponents(),
 		Registry:               bootstrapRegistry,
 		ImagePullSecret:        bootstrapImagePullSecret,
-		Arch:                   bootstrapArch.String(),
 		WatchAllNamespaces:     bootstrapWatchAllNamespaces,
 		NetworkPolicy:          bootstrapNetworkPolicy,
 		LogLevel:               bootstrapLogLevel.String(),
@@ -114,6 +128,7 @@ func generateInstallManifests(targetPath, namespace, tmpDir string, localManifes
 		ManifestFile:           defaults.ManifestFile,
 		Timeout:                timeout,
 		TargetPath:             targetPath,
+		ClusterDomain:          bootstrapClusterDomain,
 	}

 	if localManifests == "" {
@@ -125,12 +140,11 @@ func generateInstallManifests(targetPath, namespace, tmpDir string, localManifes
 		return "", fmt.Errorf("generating install manifests failed: %w", err)
 	}

-	if filePath, err := output.WriteFile(tmpDir); err != nil {
+	filePath, err := output.WriteFile(tmpDir)
+	if err != nil {
 		return "", fmt.Errorf("generating install manifests failed: %w", err)
-	} else {
-		return filePath, nil
 	}
-
+	return filePath, nil
 }

 func applyInstallManifests(ctx context.Context, manifestPath string, components []string) error {
@@ -148,7 +162,7 @@ func applyInstallManifests(ctx context.Context, manifestPath string, components
 	return nil
 }

-func generateSyncManifests(url, branch, name, namespace, targetPath, tmpDir string, interval time.Duration) error {
+func generateSyncManifests(url, branch, name, namespace, targetPath, tmpDir string, interval time.Duration) (string, error) {
 	opts := sync.Options{
 		Name:         name,
 		Namespace:    namespace,
@@ -161,22 +175,22 @@ func generateSyncManifests(url, branch, name, namespace, targetPath, tmpDir stri

 	manifest, err := sync.Generate(opts)
 	if err != nil {
-		return fmt.Errorf("generating install manifests failed: %w", err)
+		return "", fmt.Errorf("generating install manifests failed: %w", err)
 	}

-	if _, err := manifest.WriteFile(tmpDir); err != nil {
-		return err
+	output, err := manifest.WriteFile(tmpDir)
+	if err != nil {
+		return "", err
 	}
-
-	if err := utils.GenerateKustomizationYaml(filepath.Join(tmpDir, targetPath, namespace)); err != nil {
-		return err
+	outputDir := filepath.Dir(output)
+	if err := utils.GenerateKustomizationYaml(outputDir); err != nil {
+		return "", err
 	}
-
-	return nil
+	return outputDir, nil
 }

-func applySyncManifests(ctx context.Context, kubeClient client.Client, name, namespace, targetPath, tmpDir string) error {
-	kubectlArgs := []string{"apply", "-k", filepath.Join(tmpDir, targetPath, namespace)}
+func applySyncManifests(ctx context.Context, kubeClient client.Client, name, namespace, manifestsPath string) error {
+	kubectlArgs := []string{"apply", "-k", manifestsPath}
 	if _, err := utils.ExecKubectlCommand(ctx, utils.ModeStderrOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 		return err
 	}
@@ -225,7 +239,7 @@ func shouldCreateDeployKey(ctx context.Context, kubeClient client.Client, namesp
 }

 func generateDeployKey(ctx context.Context, kubeClient client.Client, url *url.URL, namespace string) (string, error) {
-	pair, err := generateKeyPair(ctx)
+	pair, err := generateKeyPair(ctx, sourceGitKeyAlgorithm, sourceGitRSABits, sourceGitECDSACurve)
 	if err != nil {
 		return "", err
 	}
@@ -252,3 +266,20 @@ func generateDeployKey(ctx context.Context, kubeClient client.Client, url *url.U

 	return string(pair.PublicKey), nil
 }
+
+func checkIfBootstrapPathDiffers(ctx context.Context, kubeClient client.Client, namespace string, path string) (string, bool) {
+	namespacedName := types.NamespacedName{
+		Name:      namespace,
+		Namespace: namespace,
+	}
+	var fluxSystemKustomization kustomizev1.Kustomization
+	err := kubeClient.Get(ctx, namespacedName, &fluxSystemKustomization)
+	if err != nil {
+		return "", false
+	}
+	if fluxSystemKustomization.Spec.Path == path {
+		return "", false
+	}
+
+	return fluxSystemKustomization.Spec.Path, true
+}
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -23,14 +23,17 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"path/filepath"
 	"time"

 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/git"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var bootstrapGitHubCmd = &cobra.Command{
@@ -54,7 +57,7 @@ the bootstrap command will perform an upgrade if needed.`,
  flux bootstrap github --owner=<organization> --repository=<repo name> --path=dev-cluster

  # Run bootstrap for a public repository on a personal account
-  flux bootstrap github --owner=<user> --repository=<repo name> --private=false --personal=true 
+  flux bootstrap github --owner=<user> --repository=<repo name> --private=false --personal=true

  # Run bootstrap for a private repo hosted on GitHub Enterprise using SSH auth
  flux bootstrap github --owner=<organization> --repository=<repo name> --hostname=<domain> --ssh-hostname=<domain>
@@ -75,7 +78,7 @@ var (
 	ghPersonal    bool
 	ghPrivate     bool
 	ghHostname    string
-	ghPath        string
+	ghPath        flags.SafeRelativePath
 	ghTeams       []string
 	ghDelete      bool
 	ghSSHHostname string
@@ -94,7 +97,7 @@ func init() {
 	bootstrapGitHubCmd.Flags().DurationVar(&ghInterval, "interval", time.Minute, "sync interval")
 	bootstrapGitHubCmd.Flags().StringVar(&ghHostname, "hostname", git.GitHubDefaultHostname, "GitHub hostname")
 	bootstrapGitHubCmd.Flags().StringVar(&ghSSHHostname, "ssh-hostname", "", "GitHub SSH hostname, to be used when the SSH host differs from the HTTPS one")
-	bootstrapGitHubCmd.Flags().StringVar(&ghPath, "path", "", "repository path, when specified the cluster sync will be scoped to this path")
+	bootstrapGitHubCmd.Flags().Var(&ghPath, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")

 	bootstrapGitHubCmd.Flags().BoolVar(&ghDelete, "delete", false, "delete repository (used for testing only)")
 	bootstrapGitHubCmd.Flags().MarkHidden("delete")
@@ -112,6 +115,20 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	usedPath, bootstrapPathDiffers := checkIfBootstrapPathDiffers(ctx, kubeClient, namespace, filepath.ToSlash(ghPath.String()))
+
+	if bootstrapPathDiffers {
+		return fmt.Errorf("cluster already bootstrapped to %v path", usedPath)
+	}
+
 	repository, err := git.NewRepository(ghRepository, ghOwner, ghHostname, ghToken, "flux", ghOwner+"@users.noreply.github.com")
 	if err != nil {
 		return err
@@ -132,9 +149,6 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	defer os.RemoveAll(tmpDir)

-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
 	if ghDelete {
 		if err := provider.DeleteRepository(ctx, repository); err != nil {
 			return err
@@ -174,13 +188,13 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {

 	// generate install manifests
 	logger.Generatef("generating manifests")
-	manifest, err := generateInstallManifests(ghPath, namespace, tmpDir, bootstrapManifestsPath)
+	installManifest, err := generateInstallManifests(ghPath.String(), namespace, tmpDir, bootstrapManifestsPath)
 	if err != nil {
 		return err
 	}

 	// stage install manifests
-	changed, err = repository.Commit(ctx, path.Join(ghPath, namespace), "Add manifests")
+	changed, err = repository.Commit(ctx, path.Join(ghPath.String(), namespace), "Add manifests")
 	if err != nil {
 		return err
 	}
@@ -195,18 +209,13 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Successf("components are up to date")
 	}

-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
 	// determine if repo synchronization is working
 	isInstall := shouldInstallManifests(ctx, kubeClient, namespace)

 	if isInstall {
 		// apply install manifests
 		logger.Actionf("installing components in %s namespace", namespace)
-		if err := applyInstallManifests(ctx, manifest, bootstrapComponents); err != nil {
+		if err := applyInstallManifests(ctx, installManifest, bootstrapComponents()); err != nil {
 			return err
 		}
 		logger.Successf("install completed")
@@ -259,12 +268,13 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {

 	// configure repo synchronization
 	logger.Actionf("generating sync manifests")
-	if err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, ghPath, tmpDir, ghInterval); err != nil {
+	syncManifests, err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, filepath.ToSlash(ghPath.String()), tmpDir, ghInterval)
+	if err != nil {
 		return err
 	}

 	// commit and push manifests
-	if changed, err = repository.Commit(ctx, path.Join(ghPath, namespace), "Add manifests"); err != nil {
+	if changed, err = repository.Commit(ctx, path.Join(ghPath.String(), namespace), "Add manifests"); err != nil {
 		return err
 	} else if changed {
 		if err := repository.Push(ctx); err != nil {
@@ -275,7 +285,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {

 	// apply manifests and waiting for sync
 	logger.Actionf("applying sync manifests")
-	if err := applySyncManifests(ctx, kubeClient, namespace, namespace, ghPath, tmpDir); err != nil {
+	if err := applySyncManifests(ctx, kubeClient, namespace, namespace, syncManifests); err != nil {
 		return err
 	}

--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -23,14 +23,18 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"path/filepath"
+	"regexp"
 	"time"

 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/git"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var bootstrapGitLabCmd = &cobra.Command{
@@ -44,7 +48,7 @@ the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitLab API token and export it as an env var
  export GITLAB_TOKEN=<my-token>

-  # Run bootstrap for a private repo using HTTPS token authentication 
+  # Run bootstrap for a private repo using HTTPS token authentication
  flux bootstrap gitlab --owner=<group> --repository=<repo name> --token-auth

  # Run bootstrap for a private repo using SSH authentication
@@ -56,7 +60,7 @@ the bootstrap command will perform an upgrade if needed.`,
  # Run bootstrap for a public repository on a personal account
  flux bootstrap gitlab --owner=<user> --repository=<repo name> --private=false --personal --token-auth

-  # Run bootstrap for a private repo hosted on a GitLab server 
+  # Run bootstrap for a private repo hosted on a GitLab server
  flux bootstrap gitlab --owner=<group> --repository=<repo name> --hostname=<domain> --token-auth

  # Run bootstrap for a an existing repository with a branch named main
@@ -65,6 +69,10 @@ the bootstrap command will perform an upgrade if needed.`,
 	RunE: bootstrapGitLabCmdRun,
 }

+const (
+	gitlabProjectRegex = `\A[[:alnum:]\x{00A9}-\x{1f9ff}_][[:alnum:]\p{Pd}\x{00A9}-\x{1f9ff}_\.]*\z`
+)
+
 var (
 	glOwner       string
 	glRepository  string
@@ -73,7 +81,7 @@ var (
 	glPrivate     bool
 	glHostname    string
 	glSSHHostname string
-	glPath        string
+	glPath        flags.SafeRelativePath
 )

 func init() {
@@ -84,7 +92,7 @@ func init() {
 	bootstrapGitLabCmd.Flags().DurationVar(&glInterval, "interval", time.Minute, "sync interval")
 	bootstrapGitLabCmd.Flags().StringVar(&glHostname, "hostname", git.GitLabDefaultHostname, "GitLab hostname")
 	bootstrapGitLabCmd.Flags().StringVar(&glSSHHostname, "ssh-hostname", "", "GitLab SSH hostname, to be used when the SSH host differs from the HTTPS one")
-	bootstrapGitLabCmd.Flags().StringVar(&glPath, "path", "", "repository path, when specified the cluster sync will be scoped to this path")
+	bootstrapGitLabCmd.Flags().Var(&glPath, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")

 	bootstrapCmd.AddCommand(bootstrapGitLabCmd)
 }
@@ -95,10 +103,32 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("%s environment variable not found", git.GitLabTokenName)
 	}

+	projectNameIsValid, err := regexp.MatchString(gitlabProjectRegex, glRepository)
+	if err != nil {
+		return err
+	}
+	if !projectNameIsValid {
+		return fmt.Errorf("%s is an invalid project name for gitlab.\nIt can contain only letters, digits, emojis, '_', '.', dash, space. It must start with letter, digit, emoji or '_'.", glRepository)
+	}
+
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}

+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	usedPath, bootstrapPathDiffers := checkIfBootstrapPathDiffers(ctx, kubeClient, namespace, filepath.ToSlash(glPath.String()))
+
+	if bootstrapPathDiffers {
+		return fmt.Errorf("cluster already bootstrapped to %v path", usedPath)
+	}
+
 	repository, err := git.NewRepository(glRepository, glOwner, glHostname, glToken, "flux", glOwner+"@users.noreply.gitlab.com")
 	if err != nil {
 		return err
@@ -108,24 +138,16 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		repository.SSHHost = glSSHHostname
 	}

-	provider := &git.GitLabProvider{
-		IsPrivate:  glPrivate,
-		IsPersonal: glPersonal,
-	}
-
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
 	tmpDir, err := ioutil.TempDir("", namespace)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)

-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
+	provider := &git.GitLabProvider{
+		IsPrivate:  glPrivate,
+		IsPersonal: glPersonal,
+	}

 	// create GitLab project if doesn't exists
 	logger.Actionf("connecting to %s", glHostname)
@@ -145,13 +167,13 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {

 	// generate install manifests
 	logger.Generatef("generating manifests")
-	manifest, err := generateInstallManifests(glPath, namespace, tmpDir, bootstrapManifestsPath)
+	installManifest, err := generateInstallManifests(glPath.String(), namespace, tmpDir, bootstrapManifestsPath)
 	if err != nil {
 		return err
 	}

 	// stage install manifests
-	changed, err = repository.Commit(ctx, path.Join(glPath, namespace), "Add manifests")
+	changed, err = repository.Commit(ctx, path.Join(glPath.String(), namespace), "Add manifests")
 	if err != nil {
 		return err
 	}
@@ -172,7 +194,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	if isInstall {
 		// apply install manifests
 		logger.Actionf("installing components in %s namespace", namespace)
-		if err := applyInstallManifests(ctx, manifest, bootstrapComponents); err != nil {
+		if err := applyInstallManifests(ctx, installManifest, bootstrapComponents()); err != nil {
 			return err
 		}
 		logger.Successf("install completed")
@@ -225,12 +247,13 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {

 	// configure repo synchronization
 	logger.Actionf("generating sync manifests")
-	if err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, glPath, tmpDir, glInterval); err != nil {
+	syncManifests, err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, filepath.ToSlash(glPath.String()), tmpDir, glInterval)
+	if err != nil {
 		return err
 	}

 	// commit and push manifests
-	if changed, err = repository.Commit(ctx, path.Join(glPath, namespace), "Add manifests"); err != nil {
+	if changed, err = repository.Commit(ctx, path.Join(glPath.String(), namespace), "Add manifests"); err != nil {
 		return err
 	} else if changed {
 		if err := repository.Push(ctx); err != nil {
@@ -241,7 +264,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {

 	// apply manifests and waiting for sync
 	logger.Actionf("applying sync manifests")
-	if err := applySyncManifests(ctx, kubeClient, namespace, namespace, glPath, tmpDir); err != nil {
+	if err := applySyncManifests(ctx, kubeClient, namespace, namespace, syncManifests); err != nil {
 		return err
 	}

--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -28,7 +28,6 @@ import (
 	"github.com/spf13/cobra"
 	apimachineryversion "k8s.io/apimachinery/pkg/version"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/tools/clientcmd"
 )

 var checkCmd = &cobra.Command{
@@ -133,7 +132,7 @@ func kubectlCheck(ctx context.Context, version string) bool {
 }

 func kubernetesCheck(version string) bool {
-	cfg, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+	cfg, err := utils.KubeConfig(kubeconfig, kubecontext)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
 		return false
--- a/cmd/flux/completion_zsh.go
+++ b/cmd/flux/completion_zsh.go
@@ -37,7 +37,7 @@ command -v flux >/dev/null && . <(flux completion zsh) && compdef _flux flux
 or write a cached file in one of the completion directories in your ${fpath}:

 echo "${fpath// /\n}" | grep -i completion
-flux completions zsh > _flux
+flux completion zsh > _flux

 mv _flux ~/.oh-my-zsh/completions  # oh-my-zsh
 mv _flux ~/.zprezto/modules/completion/external/src/  # zprezto
--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@@ -17,13 +17,19 @@ limitations under the License.
 package main

 import (
+	"context"
 	"fmt"
 	"strings"
 	"time"

-	"k8s.io/apimachinery/pkg/util/validation"
-
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var createCmd = &cobra.Command{
@@ -46,6 +52,78 @@ func init() {
 	rootCmd.AddCommand(createCmd)
 }

+// upsertable is an interface for values that can be used in `upsert`.
+type upsertable interface {
+	adapter
+	named
+}
+
+// upsert updates or inserts an object. Instead of providing the
+// object itself, you provide a named (as in Name and Namespace)
+// template value, and a mutate function which sets the values you
+// want to update. The mutate function is nullary -- you mutate a
+// value in the closure, e.g., by doing this:
+//
+//     var existing Value
+//     existing.Name = name
+//     existing.Namespace = ns
+//     upsert(ctx, client, valueAdapter{&value}, func() error {
+//       value.Spec = onePreparedEarlier
+//     })
+func (names apiType) upsert(ctx context.Context, kubeClient client.Client, object upsertable, mutate func() error) (types.NamespacedName, error) {
+	nsname := types.NamespacedName{
+		Namespace: object.GetNamespace(),
+		Name:      object.GetName(),
+	}
+
+	op, err := controllerutil.CreateOrUpdate(ctx, kubeClient, object.asClientObject(), mutate)
+	if err != nil {
+		return nsname, err
+	}
+
+	switch op {
+	case controllerutil.OperationResultCreated:
+		logger.Successf("%s created", names.kind)
+	case controllerutil.OperationResultUpdated:
+		logger.Successf("%s updated", names.kind)
+	}
+	return nsname, nil
+}
+
+type upsertWaitable interface {
+	upsertable
+	statusable
+}
+
+// upsertAndWait encodes the pattern of creating or updating a
+// resource, then waiting for it to reconcile. See the note on
+// `upsert` for how to work with the `mutate` argument.
+func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) error {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext) // NB globals
+	if err != nil {
+		return err
+	}
+
+	logger.Generatef("generating %s", names.kind)
+	logger.Actionf("applying %s", names.kind)
+
+	namespacedName, err := imageRepositoryType.upsert(ctx, kubeClient, object, mutate)
+	if err != nil {
+		return err
+	}
+
+	logger.Waitingf("waiting for %s reconciliation", names.kind)
+	if err := wait.PollImmediate(pollInterval, timeout,
+		isReady(ctx, kubeClient, namespacedName, object)); err != nil {
+		return err
+	}
+	logger.Successf("%s reconciliation completed", names.kind)
+	return nil
+}
+
 func parseLabels() (map[string]string, error) {
 	result := make(map[string]string)
 	for _, label := range labels {
--- a/cmd/flux/create_image.go
+++ b/cmd/flux/create_image.go
@@ -0,0 +1,38 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"strings"
+
+	"github.com/spf13/cobra"
+)
+
+const createImageLong = `
+The create image sub-commands work with image automation objects; that is,
+object controlling updates to git based on e.g., new container images
+being available.`
+
+var createImageCmd = &cobra.Command{
+	Use:   "image",
+	Short: "Create or update resources dealing with image automation",
+	Long:  strings.TrimSpace(createImageLong),
+}
+
+func init() {
+	createCmd.AddCommand(createImageCmd)
+}
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@@ -0,0 +1,118 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+var createImagePolicyCmd = &cobra.Command{
+	Use:   "policy <name>",
+	Short: "Create or update an ImagePolicy object",
+	Long: `The create image policy command generates an ImagePolicy resource.
+An ImagePolicy object calculates a "latest image" given an image
+repository and a policy, e.g., semver.
+
+The image that sorts highest according to the policy is recorded in
+the status of the object.`,
+	RunE: createImagePolicyRun}
+
+type imagePolicyFlags struct {
+	imageRef    string
+	semver      string
+	filterRegex string
+}
+
+var imagePolicyArgs = imagePolicyFlags{}
+
+func init() {
+	flags := createImagePolicyCmd.Flags()
+	flags.StringVar(&imagePolicyArgs.imageRef, "image-ref", "", "the name of an image repository object")
+	flags.StringVar(&imagePolicyArgs.semver, "semver", "", "a semver range to apply to tags; e.g., '1.x'")
+	flags.StringVar(&imagePolicyArgs.filterRegex, "filter-regex", "", " regular expression pattern used to filter the image tags")
+
+	createImageCmd.AddCommand(createImagePolicyCmd)
+}
+
+// getObservedGeneration is implemented here, since it's not
+// (presently) needed elsewhere.
+func (obj imagePolicyAdapter) getObservedGeneration() int64 {
+	return obj.ImagePolicy.Status.ObservedGeneration
+}
+
+func createImagePolicyRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("ImagePolicy name is required")
+	}
+	objectName := args[0]
+
+	if imagePolicyArgs.imageRef == "" {
+		return fmt.Errorf("the name of an ImageRepository in the namespace is required (--image-ref)")
+	}
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	var policy = imagev1.ImagePolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      objectName,
+			Namespace: namespace,
+			Labels:    labels,
+		},
+		Spec: imagev1.ImagePolicySpec{
+			ImageRepositoryRef: corev1.LocalObjectReference{
+				Name: imagePolicyArgs.imageRef,
+			},
+		},
+	}
+
+	switch {
+	case imagePolicyArgs.semver != "":
+		policy.Spec.Policy.SemVer = &imagev1.SemVerPolicy{
+			Range: imagePolicyArgs.semver,
+		}
+	default:
+		return fmt.Errorf("a policy must be provided with --semver")
+	}
+
+	if imagePolicyArgs.filterRegex != "" {
+		policy.Spec.FilterTags = &imagev1.TagFilter{
+			Pattern: imagePolicyArgs.filterRegex,
+		}
+	}
+
+	if export {
+		return printExport(exportImagePolicy(&policy))
+	}
+
+	var existing imagev1.ImagePolicy
+	copyName(&existing, &policy)
+	err = imagePolicyType.upsertAndWait(imagePolicyAdapter{&existing}, func() error {
+		existing.Spec = policy.Spec
+		existing.SetLabels(policy.Labels)
+		return nil
+	})
+	return err
+}
--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@@ -0,0 +1,110 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+var createImageRepositoryCmd = &cobra.Command{
+	Use:   "repository <name>",
+	Short: "Create or update an ImageRepository object",
+	Long: `The create image repository command generates an ImageRepository resource.
+An ImageRepository object specifies an image repository to scan.`,
+	RunE: createImageRepositoryRun,
+}
+
+type imageRepoFlags struct {
+	image     string
+	secretRef string
+	timeout   time.Duration
+}
+
+var imageRepoArgs = imageRepoFlags{}
+
+func init() {
+	flags := createImageRepositoryCmd.Flags()
+	flags.StringVar(&imageRepoArgs.image, "image", "", "the image repository to scan; e.g., library/alpine")
+	flags.StringVar(&imageRepoArgs.secretRef, "secret-ref", "", "the name of a docker-registry secret to use for credentials")
+	// NB there is already a --timeout in the global flags, for
+	// controlling timeout on operations while e.g., creating objects.
+	flags.DurationVar(&imageRepoArgs.timeout, "scan-timeout", 0, "a timeout for scanning; this defaults to the interval if not set")
+
+	createImageCmd.AddCommand(createImageRepositoryCmd)
+}
+
+func createImageRepositoryRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("ImageRepository name is required")
+	}
+	objectName := args[0]
+
+	if imageRepoArgs.image == "" {
+		return fmt.Errorf("an image repository (--image) is required")
+	}
+
+	if _, err := name.NewRepository(imageRepoArgs.image); err != nil {
+		return fmt.Errorf("unable to parse image value: %w", err)
+	}
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	var repo = imagev1.ImageRepository{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      objectName,
+			Namespace: namespace,
+			Labels:    labels,
+		},
+		Spec: imagev1.ImageRepositorySpec{
+			Image:    imageRepoArgs.image,
+			Interval: metav1.Duration{Duration: interval},
+		},
+	}
+	if imageRepoArgs.timeout != 0 {
+		repo.Spec.Timeout = &metav1.Duration{Duration: imageRepoArgs.timeout}
+	}
+	if imageRepoArgs.secretRef != "" {
+		repo.Spec.SecretRef = &corev1.LocalObjectReference{
+			Name: imageRepoArgs.secretRef,
+		}
+	}
+
+	if export {
+		return printExport(exportImageRepository(&repo))
+	}
+
+	// a temp value for use with the rest
+	var existing imagev1.ImageRepository
+	copyName(&existing, &repo)
+	err = imageRepositoryType.upsertAndWait(imageRepositoryAdapter{&existing}, func() error {
+		existing.Spec = repo.Spec
+		existing.Labels = repo.Labels
+		return nil
+	})
+	return err
+}
--- a/cmd/flux/create_image_updateauto.go
+++ b/cmd/flux/create_image_updateauto.go
@@ -0,0 +1,117 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+)
+
+var createImageUpdateCmd = &cobra.Command{
+	Use:   "update <name>",
+	Short: "Create or update an ImageUpdateAutomation object",
+	Long: `The create image update command generates an ImageUpdateAutomation resource.
+An ImageUpdateAutomation object specifies an automated update to images
+mentioned in YAMLs in a git repository.`,
+	RunE: createImageUpdateRun,
+}
+
+type imageUpdateFlags struct {
+	// git checkout spec
+	gitRepoRef string
+	branch     string
+	// commit spec
+	commitTemplate string
+	authorName     string
+	authorEmail    string
+}
+
+var imageUpdateArgs = imageUpdateFlags{}
+
+func init() {
+	flags := createImageUpdateCmd.Flags()
+	flags.StringVar(&imageUpdateArgs.gitRepoRef, "git-repo-ref", "", "the name of a GitRepository resource with details of the upstream git repository")
+	flags.StringVar(&imageUpdateArgs.branch, "branch", "", "the branch to checkout and push commits to")
+	flags.StringVar(&imageUpdateArgs.commitTemplate, "commit-template", "", "a template for commit messages")
+	flags.StringVar(&imageUpdateArgs.authorName, "author-name", "", "the name to use for commit author")
+	flags.StringVar(&imageUpdateArgs.authorEmail, "author-email", "", "the email to use for commit author")
+
+	createImageCmd.AddCommand(createImageUpdateCmd)
+}
+
+func createImageUpdateRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("ImageUpdateAutomation name is required")
+	}
+	objectName := args[0]
+
+	if imageUpdateArgs.gitRepoRef == "" {
+		return fmt.Errorf("a reference to a GitRepository is required (--git-repo-ref)")
+	}
+
+	if imageUpdateArgs.branch == "" {
+		return fmt.Errorf("the Git repoistory branch is required (--branch)")
+	}
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	var update = autov1.ImageUpdateAutomation{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      objectName,
+			Namespace: namespace,
+			Labels:    labels,
+		},
+		Spec: autov1.ImageUpdateAutomationSpec{
+			Checkout: autov1.GitCheckoutSpec{
+				GitRepositoryRef: corev1.LocalObjectReference{
+					Name: imageUpdateArgs.gitRepoRef,
+				},
+				Branch: imageUpdateArgs.branch,
+			},
+			Interval: metav1.Duration{Duration: interval},
+			Update: autov1.UpdateStrategy{
+				Setters: &autov1.SettersStrategy{},
+			},
+			Commit: autov1.CommitSpec{
+				AuthorName:      imageUpdateArgs.authorName,
+				AuthorEmail:     imageUpdateArgs.authorEmail,
+				MessageTemplate: imageUpdateArgs.commitTemplate,
+			},
+		},
+	}
+
+	if export {
+		return printExport(exportImageUpdate(&update))
+	}
+
+	var existing autov1.ImageUpdateAutomation
+	copyName(&existing, &update)
+	err = imageUpdateAutomationType.upsertAndWait(imageUpdateAutomationAdapter{&existing}, func() error {
+		existing.Spec = update.Spec
+		existing.Labels = update.Labels
+		return nil
+	})
+	return err
+}
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@@ -74,7 +74,7 @@ var createKsCmd = &cobra.Command{

 var (
 	ksSource             flags.KustomizationSource
-	ksPath               string
+	ksPath               flags.SafeRelativePath = "./"
 	ksPrune              bool
 	ksDependsOn          []string
 	ksValidation         string
@@ -88,7 +88,7 @@ var (

 func init() {
 	createKsCmd.Flags().Var(&ksSource, "source", ksSource.Description())
-	createKsCmd.Flags().StringVar(&ksPath, "path", "./", "path to the directory containing a kustomization.yaml file")
+	createKsCmd.Flags().Var(&ksPath, "path", "path to the directory containing a kustomization.yaml file")
 	createKsCmd.Flags().BoolVar(&ksPrune, "prune", false, "enable garbage collection")
 	createKsCmd.Flags().StringArrayVar(&ksHealthCheck, "health-check", nil, "workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'")
 	createKsCmd.Flags().DurationVar(&ksHealthTimeout, "health-check-timeout", 2*time.Minute, "timeout of health checking operations")
@@ -110,7 +110,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	if ksPath == "" {
 		return fmt.Errorf("path is required")
 	}
-	if !strings.HasPrefix(ksPath, "./") {
+	if !strings.HasPrefix(ksPath.String(), "./") {
 		return fmt.Errorf("path must begin with ./")
 	}

@@ -134,7 +134,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 			Interval: metav1.Duration{
 				Duration: interval,
 			},
-			Path:  ksPath,
+			Path:  ksPath.String(),
 			Prune: ksPrune,
 			SourceRef: kustomizev1.CrossNamespaceSourceReference{
 				Kind: ksSource.Kind,
--- a/cmd/flux/create_secret.go
+++ b/cmd/flux/create_secret.go
@@ -0,0 +1,82 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
+)
+
+var createSecretCmd = &cobra.Command{
+	Use:   "secret",
+	Short: "Create or update Kubernetes secrets",
+	Long:  "The create source sub-commands generate Kubernetes secrets specific to Flux.",
+}
+
+func init() {
+	createCmd.AddCommand(createSecretCmd)
+}
+
+func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.Secret) error {
+	namespacedName := types.NamespacedName{
+		Namespace: secret.GetNamespace(),
+		Name:      secret.GetName(),
+	}
+
+	var existing corev1.Secret
+	err := kubeClient.Get(ctx, namespacedName, &existing)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if err := kubeClient.Create(ctx, &secret); err != nil {
+				return err
+			} else {
+				return nil
+			}
+		}
+		return err
+	}
+
+	existing.StringData = secret.StringData
+	if err := kubeClient.Update(ctx, &existing); err != nil {
+		return err
+	}
+	return nil
+}
+
+func exportSecret(secret corev1.Secret) error {
+	secret.TypeMeta = metav1.TypeMeta{
+		APIVersion: "v1",
+		Kind:       "Secret",
+	}
+
+	data, err := yaml.Marshal(secret)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("---")
+	fmt.Println(resourceToString(data))
+	return nil
+}
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -0,0 +1,206 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"crypto/elliptic"
+	"fmt"
+	"net/url"
+	"time"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/pkg/ssh"
+)
+
+var createSecretGitCmd = &cobra.Command{
+	Use:   "git [name]",
+	Short: "Create or update a Kubernetes secret for Git authentication",
+	Long: `
+The create secret git command generates a Kubernetes secret with Git credentials.
+For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
+For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
+	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
+
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --ssh-key-algorithm=ecdsa \
+    --ssh-ecdsa-curve=p521
+
+  # Create a secret for a Git repository using basic authentication
+  flux create secret git podinfo-auth \
+    --url=https://github.com/stefanprodan/podinfo \
+    --username=username \
+    --password=password
+
+  # Create a Git SSH secret on disk and print the deploy key
+  flux create secret git podinfo-auth \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --export > podinfo-auth.yaml
+
+  yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
+
+  # Create a Git SSH secret on disk and encrypt it with Mozilla SOPS
+  flux create secret git podinfo-auth \
+    --namespace=apps \
+    --url=ssh://git@github.com/stefanprodan/podinfo \
+    --export > podinfo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place podinfo-auth.yaml
+`,
+	RunE: createSecretGitCmdRun,
+}
+
+var (
+	secretGitURL          string
+	secretGitUsername     string
+	secretGitPassword     string
+	secretGitKeyAlgorithm flags.PublicKeyAlgorithm = "rsa"
+	secretGitRSABits      flags.RSAKeyBits         = 2048
+	secretGitECDSACurve                            = flags.ECDSACurve{Curve: elliptic.P384()}
+)
+
+func init() {
+	createSecretGitCmd.Flags().StringVar(&secretGitURL, "url", "", "git address, e.g. ssh://git@host/org/repository")
+	createSecretGitCmd.Flags().StringVarP(&secretGitUsername, "username", "u", "", "basic authentication username")
+	createSecretGitCmd.Flags().StringVarP(&secretGitPassword, "password", "p", "", "basic authentication password")
+	createSecretGitCmd.Flags().Var(&secretGitKeyAlgorithm, "ssh-key-algorithm", secretGitKeyAlgorithm.Description())
+	createSecretGitCmd.Flags().Var(&secretGitRSABits, "ssh-rsa-bits", secretGitRSABits.Description())
+	createSecretGitCmd.Flags().Var(&secretGitECDSACurve, "ssh-ecdsa-curve", secretGitECDSACurve.Description())
+
+	createSecretCmd.AddCommand(createSecretGitCmd)
+}
+
+func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("secret name is required")
+	}
+	name := args[0]
+
+	if secretGitURL == "" {
+		return fmt.Errorf("url is required")
+	}
+
+	u, err := url.Parse(secretGitURL)
+	if err != nil {
+		return fmt.Errorf("git URL parse failed: %w", err)
+	}
+
+	secretLabels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	secret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Labels:    secretLabels,
+		},
+	}
+
+	switch u.Scheme {
+	case "ssh":
+		pair, err := generateKeyPair(ctx, secretGitKeyAlgorithm, secretGitRSABits, secretGitECDSACurve)
+		if err != nil {
+			return err
+		}
+
+		hostKey, err := scanHostKey(ctx, u)
+		if err != nil {
+			return err
+		}
+
+		secret.Data = map[string][]byte{
+			"identity":     pair.PrivateKey,
+			"identity.pub": pair.PublicKey,
+			"known_hosts":  hostKey,
+		}
+
+		if !export {
+			logger.Generatef("deploy key: %s", string(pair.PublicKey))
+		}
+	case "http", "https":
+		if secretGitUsername == "" || secretGitPassword == "" {
+			return fmt.Errorf("for Git over HTTP/S the username and password are required")
+		}
+
+		// TODO: add cert data when it's implemented in source-controller
+		secret.Data = map[string][]byte{
+			"username": []byte(secretGitUsername),
+			"password": []byte(secretGitPassword),
+		}
+	default:
+		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
+	}
+
+	if export {
+		return exportSecret(secret)
+	}
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+		return err
+	}
+	logger.Actionf("secret '%s' created in '%s' namespace", name, namespace)
+
+	return nil
+}
+
+func generateKeyPair(ctx context.Context, alg flags.PublicKeyAlgorithm, rsa flags.RSAKeyBits, ecdsa flags.ECDSACurve) (*ssh.KeyPair, error) {
+	var keyGen ssh.KeyPairGenerator
+	switch algorithm := alg.String(); algorithm {
+	case "rsa":
+		keyGen = ssh.NewRSAGenerator(int(rsa))
+	case "ecdsa":
+		keyGen = ssh.NewECDSAGenerator(ecdsa.Curve)
+	case "ed25519":
+		keyGen = ssh.NewEd25519Generator()
+	default:
+		return nil, fmt.Errorf("unsupported public key algorithm: %s", algorithm)
+	}
+	pair, err := keyGen.Generate()
+	if err != nil {
+		return nil, fmt.Errorf("key pair generation failed, error: %w", err)
+	}
+	return pair, nil
+}
+
+func scanHostKey(ctx context.Context, url *url.URL) ([]byte, error) {
+	host := url.Host
+	if url.Port() == "" {
+		host = host + ":22"
+	}
+	hostKey, err := ssh.ScanHostKey(host, 30*time.Second)
+	if err != nil {
+		return nil, fmt.Errorf("SSH key scan for host %s failed, error: %w", host, err)
+	}
+	return hostKey, nil
+}
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@@ -0,0 +1,141 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/flux2/internal/utils"
+)
+
+var createSecretHelmCmd = &cobra.Command{
+	Use:   "helm [name]",
+	Short: "Create or update a Kubernetes secret for Helm repository authentication",
+	Long: `
+The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
+	Example: `    # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
+
+  flux create secret helm repo-auth \
+    --namespace=my-namespace \
+    --username=my-username \
+    --password=my-password \
+    --export > repo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place repo-auth.yaml
+
+  # Create an authentication secret using a custom TLS cert
+  flux create secret helm repo-auth \
+    --username=username \
+    --password=password \
+    --cert-file=./cert.crt \
+    --key-file=./key.crt \
+    --ca-file=./ca.crt
+`,
+	RunE: createSecretHelmCmdRun,
+}
+
+var (
+	secretHelmUsername string
+	secretHelmPassword string
+	secretHelmCertFile string
+	secretHelmKeyFile  string
+	secretHelmCAFile   string
+)
+
+func init() {
+	createSecretHelmCmd.Flags().StringVarP(&secretHelmUsername, "username", "u", "", "basic authentication username")
+	createSecretHelmCmd.Flags().StringVarP(&secretHelmPassword, "password", "p", "", "basic authentication password")
+	createSecretHelmCmd.Flags().StringVar(&secretHelmCertFile, "cert-file", "", "TLS authentication cert file path")
+	createSecretHelmCmd.Flags().StringVar(&secretHelmKeyFile, "key-file", "", "TLS authentication key file path")
+	createSecretHelmCmd.Flags().StringVar(&secretHelmCAFile, "ca-file", "", "TLS authentication CA file path")
+
+	createSecretCmd.AddCommand(createSecretHelmCmd)
+}
+
+func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("secret name is required")
+	}
+	name := args[0]
+
+	secretLabels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	secret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Labels:    secretLabels,
+		},
+		StringData: map[string]string{},
+	}
+
+	if secretHelmUsername != "" && secretHelmPassword != "" {
+		secret.StringData["username"] = secretHelmUsername
+		secret.StringData["password"] = secretHelmPassword
+	}
+
+	if secretHelmCertFile != "" && secretHelmKeyFile != "" {
+		cert, err := ioutil.ReadFile(secretHelmCertFile)
+		if err != nil {
+			return fmt.Errorf("failed to read repository cert file '%s': %w", secretHelmCertFile, err)
+		}
+		secret.StringData["certFile"] = string(cert)
+
+		key, err := ioutil.ReadFile(secretHelmKeyFile)
+		if err != nil {
+			return fmt.Errorf("failed to read repository key file '%s': %w", secretHelmKeyFile, err)
+		}
+		secret.StringData["keyFile"] = string(key)
+	}
+
+	if secretHelmCAFile != "" {
+		ca, err := ioutil.ReadFile(secretHelmCAFile)
+		if err != nil {
+			return fmt.Errorf("failed to read repository CA file '%s': %w", secretHelmCAFile, err)
+		}
+		secret.StringData["caFile"] = string(ca)
+	}
+
+	if export {
+		return exportSecret(secret)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+		return err
+	}
+	logger.Actionf("secret '%s' created in '%s' namespace", name, namespace)
+
+	return nil
+}
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@@ -154,6 +154,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      secretName,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{},
 		}
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@@ -23,13 +23,7 @@ import (
 	"io/ioutil"
 	"net/url"
 	"os"
-	"time"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/pkg/apis/meta"
-
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -40,7 +34,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	"github.com/fluxcd/pkg/ssh"
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )

 var createSourceGitCmd = &cobra.Command{
@@ -95,10 +92,11 @@ var (
 	sourceGitUsername string
 	sourceGitPassword string

-	sourceGitKeyAlgorithm flags.PublicKeyAlgorithm = "rsa"
-	sourceGitRSABits      flags.RSAKeyBits         = 2048
-	sourceGitECDSACurve                            = flags.ECDSACurve{Curve: elliptic.P384()}
-	sourceGitSecretRef    string
+	sourceGitKeyAlgorithm   flags.PublicKeyAlgorithm = "rsa"
+	sourceGitRSABits        flags.RSAKeyBits         = 2048
+	sourceGitECDSACurve                              = flags.ECDSACurve{Curve: elliptic.P384()}
+	sourceGitSecretRef      string
+	sourceGitImplementation flags.GitImplementation
 )

 func init() {
@@ -112,6 +110,7 @@ func init() {
 	createSourceGitCmd.Flags().Var(&sourceGitRSABits, "ssh-rsa-bits", sourceGitRSABits.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitECDSACurve, "ssh-ecdsa-curve", sourceGitECDSACurve.Description())
 	createSourceGitCmd.Flags().StringVarP(&sourceGitSecretRef, "secret-ref", "", "", "the name of an existing secret containing SSH or basic credentials")
+	createSourceGitCmd.Flags().Var(&sourceGitImplementation, "git-implementation", sourceGitImplementation.Description())

 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@@ -157,6 +156,10 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}

+	if sourceGitImplementation != "" {
+		gitRepository.Spec.GitImplementation = sourceGitImplementation.String()
+	}
+
 	if sourceGitSemver != "" {
 		gitRepository.Spec.Reference.SemVer = sourceGitSemver
 	} else if sourceGitTag != "" {
@@ -187,13 +190,13 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	if sourceGitSecretRef != "" {
 		withAuth = true
 	} else if u.Scheme == "ssh" {
-		logger.Actionf("generating deploy key pair")
-		pair, err := generateKeyPair(ctx)
+		logger.Generatef("generating deploy key pair")
+		pair, err := generateKeyPair(ctx, sourceGitKeyAlgorithm, sourceGitRSABits, sourceGitECDSACurve)
 		if err != nil {
 			return err
 		}

-		fmt.Printf("%s", pair.PublicKey)
+		logger.Successf("deploy key: %s", pair.PublicKey)
 		prompt := promptui.Prompt{
 			Label:     "Have you added the deploy key to your repository",
 			IsConfirm: true,
@@ -207,14 +210,14 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		if err != nil {
 			return err
 		}
-		logger.Successf("collected public key from SSH server:")
-		fmt.Printf("%s", hostKey)
+		logger.Successf("collected public key from SSH server:\n%s", hostKey)

 		logger.Actionf("applying secret with keys")
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{
 				"identity":     string(pair.PrivateKey),
@@ -232,6 +235,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{
 				"username": sourceGitUsername,
@@ -280,63 +284,6 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func generateKeyPair(ctx context.Context) (*ssh.KeyPair, error) {
-	var keyGen ssh.KeyPairGenerator
-	switch algorithm := sourceGitKeyAlgorithm.String(); algorithm {
-	case "rsa":
-		keyGen = ssh.NewRSAGenerator(int(sourceGitRSABits))
-	case "ecdsa":
-		keyGen = ssh.NewECDSAGenerator(sourceGitECDSACurve.Curve)
-	case "ed25519":
-		keyGen = ssh.NewEd25519Generator()
-	default:
-		return nil, fmt.Errorf("unsupported public key algorithm: %s", algorithm)
-	}
-	pair, err := keyGen.Generate()
-	if err != nil {
-		return nil, fmt.Errorf("key pair generation failed, error: %w", err)
-	}
-	return pair, nil
-}
-
-func scanHostKey(ctx context.Context, url *url.URL) ([]byte, error) {
-	host := url.Host
-	if url.Port() == "" {
-		host = host + ":22"
-	}
-	hostKey, err := ssh.ScanHostKey(host, 30*time.Second)
-	if err != nil {
-		return nil, fmt.Errorf("SSH key scan for host %s failed, error: %w", host, err)
-	}
-	return hostKey, nil
-}
-
-func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.Secret) error {
-	namespacedName := types.NamespacedName{
-		Namespace: secret.GetNamespace(),
-		Name:      secret.GetName(),
-	}
-
-	var existing corev1.Secret
-	err := kubeClient.Get(ctx, namespacedName, &existing)
-	if err != nil {
-		if errors.IsNotFound(err) {
-			if err := kubeClient.Create(ctx, &secret); err != nil {
-				return err
-			} else {
-				return nil
-			}
-		}
-		return err
-	}
-
-	existing.StringData = secret.StringData
-	if err := kubeClient.Update(ctx, &existing); err != nil {
-		return err
-	}
-	return nil
-}
-
 func upsertGitRepository(ctx context.Context, kubeClient client.Client,
 	gitRepository *sourcev1.GitRepository) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -151,6 +151,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      secretName,
 				Namespace: namespace,
+				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{},
 		}
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@@ -55,8 +55,7 @@ reconcilers scope to the tenant namespaces.`,
 }

 const (
-	tenantLabel       = "toolkit.fluxcd.io/tenant"
-	tenantRoleBinding = "gotk-reconciler"
+	tenantLabel = "toolkit.fluxcd.io/tenant"
 )

 var (
@@ -123,18 +122,20 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {

 		roleBinding := rbacv1.RoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      tenantRoleBinding,
+				Name:      fmt.Sprintf("%s-reconciler", tenant),
 				Namespace: ns,
 				Labels:    objLabels,
 			},
 			Subjects: []rbacv1.Subject{
 				{
-					Kind: "User",
-					Name: fmt.Sprintf("gotk:%s:reconciler", ns),
+					APIGroup: "rbac.authorization.k8s.io",
+					Kind:     "User",
+					Name:     fmt.Sprintf("gotk:%s:reconciler", ns),
 				},
 				{
-					Kind: "ServiceAccount",
-					Name: tenant,
+					Kind:      "ServiceAccount",
+					Name:      tenant,
+					Namespace: ns,
 				},
 			},
 			RoleRef: rbacv1.RoleRef{
@@ -290,7 +291,7 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 	fmt.Println(resourceToString(data))

 	account.TypeMeta = metav1.TypeMeta{
-		APIVersion: "",
+		APIVersion: "v1",
 		Kind:       "ServiceAccount",
 	}
 	data, err = yaml.Marshal(account)
--- a/cmd/flux/delete.go
+++ b/cmd/flux/delete.go
@@ -17,7 +17,14 @@ limitations under the License.
 package main

 import (
+	"context"
+	"fmt"
+
+	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var deleteCmd = &cobra.Command{
@@ -36,3 +43,52 @@ func init() {

 	rootCmd.AddCommand(deleteCmd)
 }
+
+type deleteCommand struct {
+	apiType
+	object adapter // for getting the value, and later deleting it
+}
+
+func (del deleteCommand) run(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("%s name is required", del.humanKind)
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+
+	err = kubeClient.Get(ctx, namespacedName, del.object.asClientObject())
+	if err != nil {
+		return err
+	}
+
+	if !deleteSilent {
+		prompt := promptui.Prompt{
+			Label:     "Are you sure you want to delete this " + del.humanKind,
+			IsConfirm: true,
+		}
+		if _, err := prompt.Run(); err != nil {
+			return fmt.Errorf("aborting")
+		}
+	}
+
+	logger.Actionf("deleting %s %s in %s namespace", del.humanKind, name, namespace)
+	err = kubeClient.Delete(ctx, del.object.asClientObject())
+	if err != nil {
+		return err
+	}
+	logger.Successf("%s deleted", del.humanKind)
+
+	return nil
+}
--- a/cmd/flux/delete_image.go
+++ b/cmd/flux/delete_image.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var deleteAutoCmd = &cobra.Command{
+	Use:   "auto",
+	Short: "Delete automation objects",
+	Long:  "The delete auto sub-commands delete automation objects.",
+}
+
+func init() {
+	deleteCmd.AddCommand(deleteAutoCmd)
+}
--- a/cmd/flux/delete_image_policy.go
+++ b/cmd/flux/delete_image_policy.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+var deleteImagePolicyCmd = &cobra.Command{
+	Use:   "image-policy [name]",
+	Short: "Delete an ImagePolicy object",
+	Long:  "The delete auto image-policy command deletes the given ImagePolicy from the cluster.",
+	Example: `  # Delete an image policy
+  flux delete auto image-policy alpine3.x
+`,
+	RunE: deleteCommand{
+		apiType: imagePolicyType,
+		object:  universalAdapter{&imagev1.ImagePolicy{}},
+	}.run,
+}
+
+func init() {
+	deleteAutoCmd.AddCommand(deleteImagePolicyCmd)
+}
--- a/cmd/flux/delete_image_repository.go
+++ b/cmd/flux/delete_image_repository.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+var deleteImageRepositoryCmd = &cobra.Command{
+	Use:   "image-repository [name]",
+	Short: "Delete an ImageRepository object",
+	Long:  "The delete auto image-repository command deletes the given ImageRepository from the cluster.",
+	Example: `  # Delete an image repository
+  flux delete auto image-repository alpine
+`,
+	RunE: deleteCommand{
+		apiType: imageRepositoryType,
+		object:  universalAdapter{&imagev1.ImageRepository{}},
+	}.run,
+}
+
+func init() {
+	deleteAutoCmd.AddCommand(deleteImageRepositoryCmd)
+}
--- a/cmd/flux/delete_image_updateauto.go
+++ b/cmd/flux/delete_image_updateauto.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+)
+
+var deleteImageUpdateCmd = &cobra.Command{
+	Use:   "image-update [name]",
+	Short: "Delete an ImageUpdateAutomation object",
+	Long:  "The delete auto image-update command deletes the given ImageUpdateAutomation from the cluster.",
+	Example: `  # Delete an image update automation
+  flux delete auto image-update latest-images
+`,
+	RunE: deleteCommand{
+		apiType: imageUpdateAutomationType,
+		object:  universalAdapter{&autov1.ImageUpdateAutomation{}},
+	}.run,
+}
+
+func init() {
+	deleteAutoCmd.AddCommand(deleteImageUpdateCmd)
+}
--- a/cmd/flux/export.go
+++ b/cmd/flux/export.go
@@ -18,8 +18,15 @@ package main

 import (
 	"bytes"
+	"context"
+	"fmt"

 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var exportCmd = &cobra.Command{
@@ -38,6 +45,79 @@ func init() {
 	rootCmd.AddCommand(exportCmd)
 }

+// exportable represents a type that you can fetch from the Kubernetes
+// API, then tidy up for serialising.
+type exportable interface {
+	adapter
+	export() interface{}
+}
+
+// exportableList represents a type that has a list of values, each of
+// which is exportable.
+type exportableList interface {
+	listAdapter
+	exportItem(i int) interface{}
+}
+
+type exportCommand struct {
+	object exportable
+	list   exportableList
+}
+
+func (export exportCommand) run(cmd *cobra.Command, args []string) error {
+	if !exportAll && len(args) < 1 {
+		return fmt.Errorf("name is required")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	if exportAll {
+		err = kubeClient.List(ctx, export.list.asClientList(), client.InNamespace(namespace))
+		if err != nil {
+			return err
+		}
+
+		if export.list.len() == 0 {
+			logger.Failuref("no objects found in %s namespace", namespace)
+			return nil
+		}
+
+		for i := 0; i < export.list.len(); i++ {
+			if err = printExport(export.list.exportItem(i)); err != nil {
+				return err
+			}
+		}
+	} else {
+		name := args[0]
+		namespacedName := types.NamespacedName{
+			Namespace: namespace,
+			Name:      name,
+		}
+		err = kubeClient.Get(ctx, namespacedName, export.object.asClientObject())
+		if err != nil {
+			return err
+		}
+		return printExport(export.object.export())
+	}
+	return nil
+}
+
+func printExport(export interface{}) error {
+	data, err := yaml.Marshal(export)
+	if err != nil {
+		return err
+	}
+	fmt.Println("---")
+	fmt.Println(resourceToString(data))
+	return nil
+}
+
 func resourceToString(data []byte) string {
 	data = bytes.Replace(data, []byte("  creationTimestamp: null\n"), []byte(""), 1)
 	data = bytes.Replace(data, []byte("status: {}\n"), []byte(""), 1)
--- a/cmd/flux/export_image.go
+++ b/cmd/flux/export_image.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var exportImageCmd = &cobra.Command{
+	Use:   "image",
+	Short: "Export image automation objects",
+	Long:  "The export image sub-commands export image automation objects in YAML format.",
+}
+
+func init() {
+	exportCmd.AddCommand(exportImageCmd)
+}
--- a/cmd/flux/export_image_policy.go
+++ b/cmd/flux/export_image_policy.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+var exportImagePolicyCmd = &cobra.Command{
+	Use:   "policy [name]",
+	Short: "Export ImagePolicy resources in YAML format",
+	Long:  "The export image policy command exports one or all ImagePolicy resources in YAML format.",
+	Example: `  # Export all ImagePolicy resources
+  flux export image policy --all > image-policies.yaml
+
+  # Export a specific policy
+  flux export image policy alpine1x > alpine1x.yaml
+`,
+	RunE: exportCommand{
+		object: imagePolicyAdapter{&imagev1.ImagePolicy{}},
+		list:   imagePolicyListAdapter{&imagev1.ImagePolicyList{}},
+	}.run,
+}
+
+func init() {
+	exportImageCmd.AddCommand(exportImagePolicyCmd)
+}
+
+// Export returns a ImagePolicy value which has extraneous information
+// stripped out.
+func exportImagePolicy(item *imagev1.ImagePolicy) interface{} {
+	gvk := imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)
+	export := imagev1.ImagePolicy{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        item.Name,
+			Namespace:   item.Namespace,
+			Labels:      item.Labels,
+			Annotations: item.Annotations,
+		},
+		Spec: item.Spec,
+	}
+	return export
+}
+
+func (ex imagePolicyAdapter) export() interface{} {
+	return exportImagePolicy(ex.ImagePolicy)
+}
+
+func (ex imagePolicyListAdapter) exportItem(i int) interface{} {
+	return exportImagePolicy(&ex.ImagePolicyList.Items[i])
+}
--- a/cmd/flux/export_image_repository.go
+++ b/cmd/flux/export_image_repository.go
@@ -0,0 +1,70 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+var exportImageRepositoryCmd = &cobra.Command{
+	Use:   "repository [name]",
+	Short: "Export ImageRepository resources in YAML format",
+	Long:  "The export image repository command exports one or all ImageRepository resources in YAML format.",
+	Example: `  # Export all ImageRepository resources
+  flux export image repository --all > image-repositories.yaml
+
+  # Export a specific ImageRepository resource
+  flux export image repository alpine > alpine.yaml
+`,
+	RunE: exportCommand{
+		object: imageRepositoryAdapter{&imagev1.ImageRepository{}},
+		list:   imageRepositoryListAdapter{&imagev1.ImageRepositoryList{}},
+	}.run,
+}
+
+func init() {
+	exportImageCmd.AddCommand(exportImageRepositoryCmd)
+}
+
+func exportImageRepository(repo *imagev1.ImageRepository) interface{} {
+	gvk := imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)
+	export := imagev1.ImageRepository{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        repo.Name,
+			Namespace:   repo.Namespace,
+			Labels:      repo.Labels,
+			Annotations: repo.Annotations,
+		},
+		Spec: repo.Spec,
+	}
+	return export
+}
+
+func (ex imageRepositoryAdapter) export() interface{} {
+	return exportImageRepository(ex.ImageRepository)
+}
+
+func (ex imageRepositoryListAdapter) exportItem(i int) interface{} {
+	return exportImageRepository(&ex.ImageRepositoryList.Items[i])
+}
--- a/cmd/flux/export_image_updateauto.go
+++ b/cmd/flux/export_image_updateauto.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+)
+
+var exportImageUpdateCmd = &cobra.Command{
+	Use:   "update [name]",
+	Short: "Export ImageUpdateAutomation resources in YAML format",
+	Long:  "The export image update command exports one or all ImageUpdateAutomation resources in YAML format.",
+	Example: `  # Export all ImageUpdateAutomation resources
+  flux export image update --all > updates.yaml
+
+  # Export a specific automation
+  flux export image update latest-images > latest.yaml
+`,
+	RunE: exportCommand{
+		object: imageUpdateAutomationAdapter{&autov1.ImageUpdateAutomation{}},
+		list:   imageUpdateAutomationListAdapter{&autov1.ImageUpdateAutomationList{}},
+	}.run,
+}
+
+func init() {
+	exportImageCmd.AddCommand(exportImageUpdateCmd)
+}
+
+// exportImageUpdate returns a value which has extraneous information
+// stripped out.
+func exportImageUpdate(item *autov1.ImageUpdateAutomation) interface{} {
+	gvk := autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)
+	export := autov1.ImageUpdateAutomation{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        item.Name,
+			Namespace:   item.Namespace,
+			Labels:      item.Labels,
+			Annotations: item.Annotations,
+		},
+		Spec: item.Spec,
+	}
+	return export
+}
+
+func (ex imageUpdateAutomationAdapter) export() interface{} {
+	return exportImageUpdate(ex.ImageUpdateAutomation)
+}
+
+func (ex imageUpdateAutomationListAdapter) exportItem(i int) interface{} {
+	return exportImageUpdate(&ex.ImageUpdateAutomationList.Items[i])
+}
--- a/cmd/flux/get.go
+++ b/cmd/flux/get.go
@@ -17,7 +17,17 @@ limitations under the License.
 package main

 import (
+	"context"
+	"os"
+
 	"github.com/spf13/cobra"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/meta"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var getCmd = &cobra.Command{
@@ -33,3 +43,65 @@ func init() {
 		"list the requested object(s) across all namespaces")
 	rootCmd.AddCommand(getCmd)
 }
+
+type summarisable interface {
+	listAdapter
+	summariseItem(i int, includeNamespace bool) []string
+	headers(includeNamespace bool) []string
+}
+
+// --- these help with implementations of summarisable
+
+func statusAndMessage(conditions []metav1.Condition) (string, string) {
+	if c := apimeta.FindStatusCondition(conditions, meta.ReadyCondition); c != nil {
+		return string(c.Status), c.Message
+	}
+	return string(metav1.ConditionFalse), "waiting to be reconciled"
+}
+
+func nameColumns(item named, includeNamespace bool) []string {
+	if includeNamespace {
+		return []string{item.GetNamespace(), item.GetName()}
+	}
+	return []string{item.GetName()}
+}
+
+var namespaceHeader = []string{"Namespace"}
+
+type getCommand struct {
+	apiType
+	list summarisable
+}
+
+func (get getCommand) run(cmd *cobra.Command, args []string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	var listOpts []client.ListOption
+	if !allNamespaces {
+		listOpts = append(listOpts, client.InNamespace(namespace))
+	}
+	err = kubeClient.List(ctx, get.list.asClientList(), listOpts...)
+	if err != nil {
+		return err
+	}
+
+	if get.list.len() == 0 {
+		logger.Failuref("no %s objects found in %s namespace", get.kind, namespace)
+		return nil
+	}
+
+	header := get.list.headers(allNamespaces)
+	var rows [][]string
+	for i := 0; i < get.list.len(); i++ {
+		row := get.list.summariseItem(i, allNamespaces)
+		rows = append(rows, row)
+	}
+	utils.PrintTable(os.Stdout, header, rows)
+	return nil
+}
--- a/cmd/flux/get_image.go
+++ b/cmd/flux/get_image.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var getImageCmd = &cobra.Command{
+	Use:   "image",
+	Short: "Get image automation object status",
+	Long:  "The get image sub-commands print the status of image automation objects.",
+}
+
+func init() {
+	getCmd.AddCommand(getImageCmd)
+}
--- a/cmd/flux/get_image_policy.go
+++ b/cmd/flux/get_image_policy.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+var getImagePolicyCmd = &cobra.Command{
+	Use:   "policy",
+	Short: "Get ImagePolicy status",
+	Long:  "The get image policy command prints the status of ImagePolicy objects.",
+	Example: `  # List all image policies and their status
+  flux get image policy
+
+ # List image policies from all namespaces
+  flux get image policy --all-namespaces
+`,
+	RunE: getCommand{
+		apiType: imagePolicyType,
+		list:    &imagePolicyListAdapter{&imagev1.ImagePolicyList{}},
+	}.run,
+}
+
+func init() {
+	getImageCmd.AddCommand(getImagePolicyCmd)
+}
+
+func (s imagePolicyListAdapter) summariseItem(i int, includeNamespace bool) []string {
+	item := s.Items[i]
+	status, msg := statusAndMessage(item.Status.Conditions)
+	return append(nameColumns(&item, includeNamespace), status, msg, item.Status.LatestImage)
+}
+
+func (s imagePolicyListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Ready", "Message", "Latest image"}
+	if includeNamespace {
+		return append(namespaceHeader, headers...)
+	}
+	return headers
+}
--- a/cmd/flux/get_image_repository.go
+++ b/cmd/flux/get_image_repository.go
@@ -0,0 +1,66 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+var getImageRepositoryCmd = &cobra.Command{
+	Use:   "repository",
+	Short: "Get ImageRepository status",
+	Long:  "The get image repository command prints the status of ImageRepository objects.",
+	Example: `  # List all image repositories and their status
+  flux get image repository
+
+ # List image repositories from all namespaces
+  flux get image repository --all-namespaces
+`,
+	RunE: getCommand{
+		apiType: imageRepositoryType,
+		list:    imageRepositoryListAdapter{&imagev1.ImageRepositoryList{}},
+	}.run,
+}
+
+func init() {
+	getImageCmd.AddCommand(getImageRepositoryCmd)
+}
+
+func (s imageRepositoryListAdapter) summariseItem(i int, includeNamespace bool) []string {
+	item := s.Items[i]
+	status, msg := statusAndMessage(item.Status.Conditions)
+	var lastScan string
+	if item.Status.LastScanResult != nil {
+		lastScan = item.Status.LastScanResult.ScanTime.Time.Format(time.RFC3339)
+	}
+	return append(nameColumns(&item, includeNamespace),
+		status, msg, lastScan, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+}
+
+func (s imageRepositoryListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Ready", "Message", "Last scan", "Suspended"}
+	if includeNamespace {
+		return append(namespaceHeader, headers...)
+	}
+	return headers
+}
--- a/cmd/flux/get_image_updateauto.go
+++ b/cmd/flux/get_image_updateauto.go
@@ -0,0 +1,65 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+)
+
+var getImageUpdateCmd = &cobra.Command{
+	Use:   "update",
+	Short: "Get ImageUpdateAutomation status",
+	Long:  "The get image update command prints the status of ImageUpdateAutomation objects.",
+	Example: `  # List all image update automation object and their status
+  flux get image update
+
+ # List image update automations from all namespaces
+  flux get image update --all-namespaces
+`,
+	RunE: getCommand{
+		apiType: imageUpdateAutomationType,
+		list:    &imageUpdateAutomationListAdapter{&autov1.ImageUpdateAutomationList{}},
+	}.run,
+}
+
+func init() {
+	getImageCmd.AddCommand(getImageUpdateCmd)
+}
+
+func (s imageUpdateAutomationListAdapter) summariseItem(i int, includeNamespace bool) []string {
+	item := s.Items[i]
+	status, msg := statusAndMessage(item.Status.Conditions)
+	var lastRun string
+	if item.Status.LastAutomationRunTime != nil {
+		lastRun = item.Status.LastAutomationRunTime.Time.Format(time.RFC3339)
+	}
+	return append(nameColumns(&item, includeNamespace), status, msg, lastRun, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+}
+
+func (s imageUpdateAutomationListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Ready", "Message", "Last run", "Suspended"}
+	if includeNamespace {
+		return append(namespaceHeader, headers...)
+	}
+	return headers
+}
--- a/cmd/flux/image.go
+++ b/cmd/flux/image.go
@@ -0,0 +1,115 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+// These are general-purpose adapters for attaching methods to, for
+// the various commands. The *List adapters implement len(), since
+// it's used in at least a couple of commands.
+
+// imagev1.ImageRepository
+
+var imageRepositoryType = apiType{
+	kind:      imagev1.ImageRepositoryKind,
+	humanKind: "image repository",
+}
+
+type imageRepositoryAdapter struct {
+	*imagev1.ImageRepository
+}
+
+func (a imageRepositoryAdapter) asClientObject() client.Object {
+	return a.ImageRepository
+}
+
+// imagev1.ImageRepositoryList
+
+type imageRepositoryListAdapter struct {
+	*imagev1.ImageRepositoryList
+}
+
+func (a imageRepositoryListAdapter) asClientList() client.ObjectList {
+	return a.ImageRepositoryList
+}
+
+func (a imageRepositoryListAdapter) len() int {
+	return len(a.ImageRepositoryList.Items)
+}
+
+// imagev1.ImagePolicy
+
+var imagePolicyType = apiType{
+	kind:      imagev1.ImagePolicyKind,
+	humanKind: "image policy",
+}
+
+type imagePolicyAdapter struct {
+	*imagev1.ImagePolicy
+}
+
+func (a imagePolicyAdapter) asClientObject() client.Object {
+	return a.ImagePolicy
+}
+
+// imagev1.ImagePolicyList
+
+type imagePolicyListAdapter struct {
+	*imagev1.ImagePolicyList
+}
+
+func (a imagePolicyListAdapter) asClientList() client.ObjectList {
+	return a.ImagePolicyList
+}
+
+func (a imagePolicyListAdapter) len() int {
+	return len(a.ImagePolicyList.Items)
+}
+
+// autov1.ImageUpdateAutomation
+
+var imageUpdateAutomationType = apiType{
+	kind:      autov1.ImageUpdateAutomationKind,
+	humanKind: "image update automation",
+}
+
+type imageUpdateAutomationAdapter struct {
+	*autov1.ImageUpdateAutomation
+}
+
+func (a imageUpdateAutomationAdapter) asClientObject() client.Object {
+	return a.ImageUpdateAutomation
+}
+
+// autov1.ImageUpdateAutomationList
+
+type imageUpdateAutomationListAdapter struct {
+	*autov1.ImageUpdateAutomationList
+}
+
+func (a imageUpdateAutomationListAdapter) asClientList() client.ObjectList {
+	return a.ImageUpdateAutomationList
+}
+
+func (a imageUpdateAutomationListAdapter) len() int {
+	return len(a.ImageUpdateAutomationList.Items)
+}
--- a/cmd/flux/install.go
+++ b/cmd/flux/install.go
@@ -56,13 +56,15 @@ var (
 	installDryRun             bool
 	installManifestsPath      string
 	installVersion            string
-	installComponents         []string
+	installDefaultComponents  []string
+	installExtraComponents    []string
 	installRegistry           string
 	installImagePullSecret    string
 	installWatchAllNamespaces bool
 	installNetworkPolicy      bool
-	installArch               = flags.Arch(defaults.Arch)
+	installArch               flags.Arch
 	installLogLevel           = flags.LogLevel(defaults.LogLevel)
+	installClusterDomain      string
 )

 func init() {
@@ -72,10 +74,11 @@ func init() {
 		"only print the object that would be applied")
 	installCmd.Flags().StringVarP(&installVersion, "version", "v", defaults.Version,
 		"toolkit version")
-	installCmd.Flags().StringSliceVar(&installComponents, "components", defaults.Components,
+	installCmd.Flags().StringSliceVar(&installDefaultComponents, "components", defaults.Components,
 		"list of components, accepts comma-separated values")
+	installCmd.Flags().StringSliceVar(&installExtraComponents, "components-extra", nil,
+		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
 	installCmd.Flags().StringVar(&installManifestsPath, "manifests", "", "path to the manifest directory")
-	installCmd.Flags().MarkHidden("manifests")
 	installCmd.Flags().StringVar(&installRegistry, "registry", defaults.Registry,
 		"container registry where the toolkit images are published")
 	installCmd.Flags().StringVar(&installImagePullSecret, "image-pull-secret", "",
@@ -86,6 +89,9 @@ func init() {
 	installCmd.Flags().Var(&installLogLevel, "log-level", installLogLevel.Description())
 	installCmd.Flags().BoolVar(&installNetworkPolicy, "network-policy", defaults.NetworkPolicy,
 		"deny ingress access to the toolkit controllers from other namespaces using network policies")
+	installCmd.Flags().StringVar(&installClusterDomain, "cluster-domain", defaults.ClusterDomain, "internal cluster domain")
+	installCmd.Flags().MarkHidden("manifests")
+	installCmd.Flags().MarkDeprecated("arch", "multi-arch container image is now available for AMD64, ARMv7 and ARM64")
 	rootCmd.AddCommand(installCmd)
 }

@@ -103,20 +109,26 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating manifests")
 	}

+	components := append(installDefaultComponents, installExtraComponents...)
+
+	if err := utils.ValidateComponents(components); err != nil {
+		return err
+	}
+
 	opts := install.Options{
 		BaseURL:                installManifestsPath,
 		Version:                installVersion,
 		Namespace:              namespace,
-		Components:             installComponents,
+		Components:             components,
 		Registry:               installRegistry,
 		ImagePullSecret:        installImagePullSecret,
-		Arch:                   installArch.String(),
 		WatchAllNamespaces:     installWatchAllNamespaces,
 		NetworkPolicy:          installNetworkPolicy,
 		LogLevel:               installLogLevel.String(),
 		NotificationController: defaults.NotificationController,
 		ManifestFile:           fmt.Sprintf("%s.yaml", namespace),
 		Timeout:                timeout,
+		ClusterDomain:          installClusterDomain,
 	}

 	if installManifestsPath == "" {
@@ -137,7 +149,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	} else if installExport {
 		fmt.Println("---")
 		fmt.Println("# GitOps Toolkit revision", installVersion)
-		fmt.Println("# Components:", strings.Join(installComponents, ","))
+		fmt.Println("# Components:", strings.Join(components, ","))
 		fmt.Print(manifest.Content)
 		fmt.Println("---")
 		return nil
@@ -167,7 +179,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("verifying installation")
-	for _, deployment := range installComponents {
+	for _, deployment := range components {
 		kubectlArgs = []string{"-n", namespace, "rollout", "status", "deployment", deployment, "--timeout", timeout.String()}
 		if _, err := utils.ExecKubectlCommand(ctx, applyOutput, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 			return fmt.Errorf("install failed")
--- a/cmd/flux/log.go
+++ b/cmd/flux/log.go
@@ -16,26 +16,31 @@ limitations under the License.

 package main

-import "fmt"
+import (
+	"fmt"
+	"io"
+)

-type printLogger struct{}
-
-func (l printLogger) Actionf(format string, a ...interface{}) {
-	fmt.Println(`►`, fmt.Sprintf(format, a...))
+type stderrLogger struct {
+	stderr io.Writer
 }

-func (l printLogger) Generatef(format string, a ...interface{}) {
-	fmt.Println(`✚`, fmt.Sprintf(format, a...))
+func (l stderrLogger) Actionf(format string, a ...interface{}) {
+	fmt.Fprintln(l.stderr, `►`, fmt.Sprintf(format, a...))
 }

-func (l printLogger) Waitingf(format string, a ...interface{}) {
-	fmt.Println(`◎`, fmt.Sprintf(format, a...))
+func (l stderrLogger) Generatef(format string, a ...interface{}) {
+	fmt.Fprintln(l.stderr, `✚`, fmt.Sprintf(format, a...))
 }

-func (l printLogger) Successf(format string, a ...interface{}) {
-	fmt.Println(`✔`, fmt.Sprintf(format, a...))
+func (l stderrLogger) Waitingf(format string, a ...interface{}) {
+	fmt.Fprintln(l.stderr, `◎`, fmt.Sprintf(format, a...))
 }

-func (l printLogger) Failuref(format string, a ...interface{}) {
-	fmt.Println(`✗`, fmt.Sprintf(format, a...))
+func (l stderrLogger) Successf(format string, a ...interface{}) {
+	fmt.Fprintln(l.stderr, `✔`, fmt.Sprintf(format, a...))
+}
+
+func (l stderrLogger) Failuref(format string, a ...interface{}) {
+	fmt.Fprintln(l.stderr, `✗`, fmt.Sprintf(format, a...))
 }
--- a/cmd/flux/main.go
+++ b/cmd/flux/main.go
@@ -101,7 +101,7 @@ var (
 	timeout      time.Duration
 	verbose      bool
 	pollInterval                = 2 * time.Second
-	logger       fluxlog.Logger = printLogger{}
+	logger       fluxlog.Logger = stderrLogger{stderr: os.Stderr}
 	defaults                    = install.MakeDefaultOptions()
 )

--- a/cmd/flux/object.go
+++ b/cmd/flux/object.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// Most commands need one or both of the kind (e.g.,
+// `"ImageRepository"`) and a human-palatable name for the kind (e.g.,
+// `"image repository"`), to be interpolated into output. It's
+// convenient to package these up ahead of time, then the command
+// implementation can pick whichever it wants to use.
+type apiType struct {
+	kind, humanKind string
+}
+
+// adapter is an interface for a wrapper or alias from which we can
+// get a controller-runtime deserialisable value. This is used so that
+// you can wrap an API type to give it other useful methods, but still
+// use values of the wrapper with `client.Client`, which only deals
+// with types that have been added to the schema.
+type adapter interface {
+	asClientObject() client.Object
+}
+
+// listAdapater is the analogue to adapter, but for lists; the
+// controller runtime distinguishes between methods dealing with
+// objects and lists.
+type listAdapter interface {
+	asClientList() client.ObjectList
+	len() int
+}
+
+// universalAdapter is an adapter for any client.Object. Use this if
+// there are no other methods needed.
+type universalAdapter struct {
+	obj client.Object
+}
+
+func (c universalAdapter) asClientObject() client.Object {
+	return c.obj
+}
+
+// named is for adapters that have Name and Namespace fields, which
+// are sometimes handy to get hold of. ObjectMeta implements these, so
+// they shouldn't need any extra work.
+type named interface {
+	GetName() string
+	GetNamespace() string
+	SetName(string)
+	SetNamespace(string)
+}
+
+func copyName(target, source named) {
+	target.SetName(source.GetName())
+	target.SetNamespace(source.GetNamespace())
+}
--- a/cmd/flux/reconcile.go
+++ b/cmd/flux/reconcile.go
@@ -17,7 +17,20 @@ limitations under the License.
 package main

 import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/spf13/cobra"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/util/retry"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var reconcileCmd = &cobra.Command{
@@ -29,3 +42,101 @@ var reconcileCmd = &cobra.Command{
 func init() {
 	rootCmd.AddCommand(reconcileCmd)
 }
+
+type reconcileCommand struct {
+	apiType
+	object reconcilable
+}
+
+type reconcilable interface {
+	adapter     // to be able to load from the cluster
+	suspendable // to tell if it's suspended
+
+	// these are implemented by anything embedding metav1.ObjectMeta
+	GetAnnotations() map[string]string
+	SetAnnotations(map[string]string)
+
+	// this is usually implemented by GOTK types, since it's used for meta.SetResourceCondition
+	GetStatusConditions() *[]metav1.Condition
+
+	lastHandledReconcileRequest() string // what was the last handled reconcile request?
+	successMessage() string              // what do you want to tell people when successfully reconciled?
+}
+
+func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("%s name is required", reconcile.kind)
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+
+	err = kubeClient.Get(ctx, namespacedName, reconcile.object.asClientObject())
+	if err != nil {
+		return err
+	}
+
+	if reconcile.object.isSuspended() {
+		return fmt.Errorf("resource is suspended")
+	}
+
+	logger.Actionf("annotating %s %s in %s namespace", reconcile.kind, name, namespace)
+	if err := requestReconciliation(ctx, kubeClient, namespacedName, reconcile.object); err != nil {
+		return err
+	}
+	logger.Successf("%s annotated", reconcile.kind)
+
+	lastHandledReconcileAt := reconcile.object.lastHandledReconcileRequest()
+	logger.Waitingf("waiting for %s reconciliation", reconcile.kind)
+	if err := wait.PollImmediate(pollInterval, timeout,
+		reconciliationHandled(ctx, kubeClient, namespacedName, reconcile.object, lastHandledReconcileAt)); err != nil {
+		return err
+	}
+	logger.Successf("%s reconciliation completed", reconcile.kind)
+
+	if apimeta.IsStatusConditionFalse(*reconcile.object.GetStatusConditions(), meta.ReadyCondition) {
+		return fmt.Errorf("%s reconciliation failed", reconcile.kind)
+	}
+	logger.Successf(reconcile.object.successMessage())
+	return nil
+}
+
+func reconciliationHandled(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, obj reconcilable, lastHandledReconcileAt string) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, obj.asClientObject())
+		if err != nil {
+			return false, err
+		}
+		return obj.lastHandledReconcileRequest() != lastHandledReconcileAt, nil
+	}
+}
+
+func requestReconciliation(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, obj reconcilable) error {
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
+		if err := kubeClient.Get(ctx, namespacedName, obj.asClientObject()); err != nil {
+			return err
+		}
+		if ann := obj.GetAnnotations(); ann == nil {
+			obj.SetAnnotations(map[string]string{
+				meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
+			})
+		} else {
+			ann[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
+			obj.SetAnnotations(ann)
+		}
+		return kubeClient.Update(ctx, obj.asClientObject())
+	})
+}
--- a/cmd/flux/reconcile_alert.go
+++ b/cmd/flux/reconcile_alert.go
@@ -64,20 +64,25 @@ func reconcileAlertCmdRun(cmd *cobra.Command, args []string) error {
 		Name:      name,
 	}

-	logger.Actionf("annotating Alert %s in %s namespace", name, namespace)
 	var alert notificationv1.Alert
 	err = kubeClient.Get(ctx, namespacedName, &alert)
 	if err != nil {
 		return err
 	}

+	if alert.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
+	logger.Actionf("annotating Alert %s in %s namespace", name, namespace)
 	if alert.Annotations == nil {
 		alert.Annotations = map[string]string{
-			meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
+			meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
 		}
 	} else {
-		alert.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+		alert.Annotations[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
 	}
+
 	if err := kubeClient.Update(ctx, &alert); err != nil {
 		return err
 	}
--- a/cmd/flux/reconcile_alertprovider.go
+++ b/cmd/flux/reconcile_alertprovider.go
@@ -73,10 +73,10 @@ func reconcileAlertProviderCmdRun(cmd *cobra.Command, args []string) error {

 	if alertProvider.Annotations == nil {
 		alertProvider.Annotations = map[string]string{
-			meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
+			meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
 		}
 	} else {
-		alertProvider.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+		alertProvider.Annotations[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
 	}
 	if err := kubeClient.Update(ctx, &alertProvider); err != nil {
 		return err
--- a/cmd/flux/reconcile_helmrelease.go
+++ b/cmd/flux/reconcile_helmrelease.go
@@ -86,6 +86,10 @@ func reconcileHrCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if helmRelease.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	if syncHrWithSource {
 		switch helmRelease.Spec.Chart.Spec.SourceRef.Kind {
 		case sourcev1.HelmRepositoryKind:
@@ -149,10 +153,10 @@ func requestHelmReleaseReconciliation(ctx context.Context, kubeClient client.Cli
 		}
 		if helmRelease.Annotations == nil {
 			helmRelease.Annotations = map[string]string{
-				meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
+				meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
 			}
 		} else {
-			helmRelease.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+			helmRelease.Annotations[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
 		}
 		return kubeClient.Update(ctx, helmRelease)
 	})
--- a/cmd/flux/reconcile_image.go
+++ b/cmd/flux/reconcile_image.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var reconcileImageCmd = &cobra.Command{
+	Use:   "image",
+	Short: "Reconcile image automation objects",
+	Long:  "The reconcile sub-commands trigger a reconciliation of image automation objects.",
+}
+
+func init() {
+	reconcileCmd.AddCommand(reconcileImageCmd)
+}
--- a/cmd/flux/reconcile_image_repository.go
+++ b/cmd/flux/reconcile_image_repository.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+var reconcileImageRepositoryCmd = &cobra.Command{
+	Use:   "repository [name]",
+	Short: "Reconcile an ImageRepository",
+	Long:  `The reconcile image repository command triggers a reconciliation of an ImageRepository resource and waits for it to finish.`,
+	Example: `  # Trigger an scan for an existing image repository
+  flux reconcile image repository alpine
+`,
+	RunE: reconcileCommand{
+		apiType: imageRepositoryType,
+		object:  imageRepositoryAdapter{&imagev1.ImageRepository{}},
+	}.run,
+}
+
+func init() {
+	reconcileImageCmd.AddCommand(reconcileImageRepositoryCmd)
+}
+
+func (obj imageRepositoryAdapter) lastHandledReconcileRequest() string {
+	return obj.Status.GetLastHandledReconcileRequest()
+}
+
+func (obj imageRepositoryAdapter) successMessage() string {
+	return fmt.Sprintf("scan fetched %d tags", obj.Status.LastScanResult.TagCount)
+}
--- a/cmd/flux/reconcile_image_updateauto.go
+++ b/cmd/flux/reconcile_image_updateauto.go
@@ -0,0 +1,62 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"time"
+
+	"github.com/spf13/cobra"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+	meta "github.com/fluxcd/pkg/apis/meta"
+)
+
+var reconcileImageUpdateCmd = &cobra.Command{
+	Use:   "update [name]",
+	Short: "Reconcile an ImageUpdateAutomation",
+	Long:  `The reconcile image update command triggers a reconciliation of an ImageUpdateAutomation resource and waits for it to finish.`,
+	Example: `  # Trigger an automation run for an existing image update automation
+  flux reconcile image update latest-images
+`,
+	RunE: reconcileCommand{
+		apiType: imageUpdateAutomationType,
+		object:  imageUpdateAutomationAdapter{&autov1.ImageUpdateAutomation{}},
+	}.run,
+}
+
+func init() {
+	reconcileImageCmd.AddCommand(reconcileImageUpdateCmd)
+}
+
+func (obj imageUpdateAutomationAdapter) suspended() bool {
+	return obj.ImageUpdateAutomation.Spec.Suspend
+}
+
+func (obj imageUpdateAutomationAdapter) lastHandledReconcileRequest() string {
+	return obj.Status.GetLastHandledReconcileRequest()
+}
+
+func (obj imageUpdateAutomationAdapter) successMessage() string {
+	if rc := apimeta.FindStatusCondition(obj.Status.Conditions, meta.ReadyCondition); rc != nil {
+		return rc.Message
+	}
+	if obj.Status.LastAutomationRunTime != nil {
+		return "last run " + obj.Status.LastAutomationRunTime.Time.Format(time.RFC3339)
+	}
+	return "automation not yet run"
+}
--- a/cmd/flux/reconcile_kustomization.go
+++ b/cmd/flux/reconcile_kustomization.go
@@ -84,6 +84,10 @@ func reconcileKsCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if kustomization.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	if syncKsWithSource {
 		switch kustomization.Spec.SourceRef.Kind {
 		case sourcev1.GitRepositoryKind:
@@ -138,10 +142,10 @@ func requestKustomizeReconciliation(ctx context.Context, kubeClient client.Clien
 		}
 		if kustomization.Annotations == nil {
 			kustomization.Annotations = map[string]string{
-				meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
+				meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
 			}
 		} else {
-			kustomization.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+			kustomization.Annotations[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
 		}
 		return kubeClient.Update(ctx, kustomization)
 	})
--- a/cmd/flux/reconcile_receiver.go
+++ b/cmd/flux/reconcile_receiver.go
@@ -64,19 +64,23 @@ func reconcileReceiverCmdRun(cmd *cobra.Command, args []string) error {
 		Name:      name,
 	}

-	logger.Actionf("annotating Receiver %s in %s namespace", name, namespace)
 	var receiver notificationv1.Receiver
 	err = kubeClient.Get(ctx, namespacedName, &receiver)
 	if err != nil {
 		return err
 	}

+	if receiver.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
+	logger.Actionf("annotating Receiver %s in %s namespace", name, namespace)
 	if receiver.Annotations == nil {
 		receiver.Annotations = map[string]string{
-			meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
+			meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
 		}
 	} else {
-		receiver.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+		receiver.Annotations[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
 	}
 	if err := kubeClient.Update(ctx, &receiver); err != nil {
 		return err
--- a/cmd/flux/reconcile_source_bucket.go
+++ b/cmd/flux/reconcile_source_bucket.go
@@ -74,6 +74,10 @@ func reconcileSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if bucket.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	lastHandledReconcileAt := bucket.Status.LastHandledReconcileAt
 	logger.Actionf("annotating Bucket source %s in %s namespace", name, namespace)
 	if err := requestBucketReconciliation(ctx, kubeClient, namespacedName, &bucket); err != nil {
@@ -141,10 +145,10 @@ func requestBucketReconciliation(ctx context.Context, kubeClient client.Client,
 		}
 		if bucket.Annotations == nil {
 			bucket.Annotations = map[string]string{
-				meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
+				meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
 			}
 		} else {
-			bucket.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+			bucket.Annotations[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
 		}
 		return kubeClient.Update(ctx, bucket)
 	})
--- a/cmd/flux/reconcile_source_git.go
+++ b/cmd/flux/reconcile_source_git.go
@@ -72,6 +72,10 @@ func reconcileSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if repository.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	logger.Actionf("annotating GitRepository source %s in %s namespace", name, namespace)
 	if err := requestGitRepositoryReconciliation(ctx, kubeClient, namespacedName, &repository); err != nil {
 		return err
@@ -112,10 +116,10 @@ func requestGitRepositoryReconciliation(ctx context.Context, kubeClient client.C
 		}
 		if repository.Annotations == nil {
 			repository.Annotations = map[string]string{
-				meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
+				meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
 			}
 		} else {
-			repository.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+			repository.Annotations[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
 		}
 		return kubeClient.Update(ctx, repository)
 	})
--- a/cmd/flux/reconcile_source_helm.go
+++ b/cmd/flux/reconcile_source_helm.go
@@ -73,6 +73,10 @@ func reconcileSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if repository.Spec.Suspend {
+		return fmt.Errorf("resource is suspended")
+	}
+
 	logger.Actionf("annotating HelmRepository source %s in %s namespace", name, namespace)
 	if err := requestHelmRepositoryReconciliation(ctx, kubeClient, namespacedName, &repository); err != nil {
 		return err
@@ -113,10 +117,10 @@ func requestHelmRepositoryReconciliation(ctx context.Context, kubeClient client.
 		}
 		if repository.Annotations == nil {
 			repository.Annotations = map[string]string{
-				meta.ReconcileAtAnnotation: time.Now().Format(time.RFC3339Nano),
+				meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
 			}
 		} else {
-			repository.Annotations[meta.ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+			repository.Annotations[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
 		}
 		return kubeClient.Update(ctx, repository)
 	})
--- a/cmd/flux/resume.go
+++ b/cmd/flux/resume.go
@@ -17,7 +17,14 @@ limitations under the License.
 package main

 import (
+	"context"
+	"fmt"
+
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var resumeCmd = &cobra.Command{
@@ -29,3 +36,56 @@ var resumeCmd = &cobra.Command{
 func init() {
 	rootCmd.AddCommand(resumeCmd)
 }
+
+type resumable interface {
+	adapter
+	statusable
+	setUnsuspended()
+	successMessage() string
+}
+
+type resumeCommand struct {
+	apiType
+	object resumable
+}
+
+func (resume resumeCommand) run(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("%s name is required", resume.humanKind)
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+
+	err = kubeClient.Get(ctx, namespacedName, resume.object.asClientObject())
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("resuming %s %s in %s namespace", resume.humanKind, name, namespace)
+	resume.object.setUnsuspended()
+	if err := kubeClient.Update(ctx, resume.object.asClientObject()); err != nil {
+		return err
+	}
+	logger.Successf("%s resumed", resume.humanKind)
+
+	logger.Waitingf("waiting for %s reconciliation", resume.kind)
+	if err := wait.PollImmediate(pollInterval, timeout,
+		isReady(ctx, kubeClient, namespacedName, resume.object)); err != nil {
+		return err
+	}
+	logger.Successf("%s reconciliation completed", resume.kind)
+	logger.Successf(resume.object.successMessage())
+	return nil
+}
--- a/cmd/flux/resume_image.go
+++ b/cmd/flux/resume_image.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var resumeImageCmd = &cobra.Command{
+	Use:   "image",
+	Short: "Resume image automation objects",
+	Long:  "The resume image sub-commands resume suspended image automation objects.",
+}
+
+func init() {
+	resumeCmd.AddCommand(resumeImageCmd)
+}
--- a/cmd/flux/resume_image_repository.go
+++ b/cmd/flux/resume_image_repository.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+var resumeImageRepositoryCmd = &cobra.Command{
+	Use:   "repository [name]",
+	Short: "Resume a suspended ImageRepository",
+	Long:  `The resume command marks a previously suspended ImageRepository resource for reconciliation and waits for it to finish.`,
+	Example: `  # Resume reconciliation for an existing ImageRepository
+  flux resume image repository alpine
+`,
+	RunE: resumeCommand{
+		apiType: imageRepositoryType,
+		object:  imageRepositoryAdapter{&imagev1.ImageRepository{}},
+	}.run,
+}
+
+func init() {
+	resumeImageCmd.AddCommand(resumeImageRepositoryCmd)
+}
+
+func (obj imageRepositoryAdapter) getObservedGeneration() int64 {
+	return obj.ImageRepository.Status.ObservedGeneration
+}
+
+func (obj imageRepositoryAdapter) setUnsuspended() {
+	obj.ImageRepository.Spec.Suspend = false
+}
--- a/cmd/flux/resume_image_updateauto.go
+++ b/cmd/flux/resume_image_updateauto.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+)
+
+var resumeImageUpdateCmd = &cobra.Command{
+	Use:   "update [name]",
+	Short: "Resume a suspended ImageUpdateAutomation",
+	Long:  `The resume command marks a previously suspended ImageUpdateAutomation resource for reconciliation and waits for it to finish.`,
+	Example: `  # Resume reconciliation for an existing ImageUpdateAutomation
+  flux resume image update latest-images
+`,
+	RunE: resumeCommand{
+		apiType: imageUpdateAutomationType,
+		object:  imageUpdateAutomationAdapter{&autov1.ImageUpdateAutomation{}},
+	}.run,
+}
+
+func init() {
+	resumeImageCmd.AddCommand(resumeImageUpdateCmd)
+}
+
+func (obj imageUpdateAutomationAdapter) setUnsuspended() {
+	obj.ImageUpdateAutomation.Spec.Suspend = false
+}
+
+func (obj imageUpdateAutomationAdapter) getObservedGeneration() int64 {
+	return obj.ImageUpdateAutomation.Status.ObservedGeneration
+}
--- a/cmd/flux/status.go
+++ b/cmd/flux/status.go
@@ -0,0 +1,65 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+// statusable is used to see if a resource is considered ready in the usual way
+type statusable interface {
+	adapter
+	// this is implemented by ObjectMeta
+	GetGeneration() int64
+	getObservedGeneration() int64
+	// this is usually implemented by GOTK API objects because it's used by pkg/apis/meta
+	GetStatusConditions() *[]metav1.Condition
+}
+
+func isReady(ctx context.Context, kubeClient client.Client,
+	namespacedName types.NamespacedName, object statusable) wait.ConditionFunc {
+	return func() (bool, error) {
+		err := kubeClient.Get(ctx, namespacedName, object.asClientObject())
+		if err != nil {
+			return false, err
+		}
+
+		// Confirm the state we are observing is for the current generation
+		if object.GetGeneration() != object.getObservedGeneration() {
+			return false, nil
+		}
+
+		if c := apimeta.FindStatusCondition(*object.GetStatusConditions(), meta.ReadyCondition); c != nil {
+			switch c.Status {
+			case metav1.ConditionTrue:
+				return true, nil
+			case metav1.ConditionFalse:
+				return false, fmt.Errorf(c.Message)
+			}
+		}
+		return false, nil
+	}
+}
--- a/cmd/flux/suspend.go
+++ b/cmd/flux/suspend.go
@@ -17,7 +17,13 @@ limitations under the License.
 package main

 import (
+	"context"
+	"fmt"
+
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var suspendCmd = &cobra.Command{
@@ -29,3 +35,47 @@ var suspendCmd = &cobra.Command{
 func init() {
 	rootCmd.AddCommand(suspendCmd)
 }
+
+type suspendable interface {
+	adapter
+	isSuspended() bool
+	setSuspended()
+}
+
+type suspendCommand struct {
+	apiType
+	object suspendable
+}
+
+func (suspend suspendCommand) run(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("%s name is required", suspend.humanKind)
+	}
+	name := args[0]
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	namespacedName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+	err = kubeClient.Get(ctx, namespacedName, suspend.object.asClientObject())
+	if err != nil {
+		return err
+	}
+
+	logger.Actionf("suspending %s %s in %s namespace", suspend.humanKind, name, namespace)
+	suspend.object.setSuspended()
+	if err := kubeClient.Update(ctx, suspend.object.asClientObject()); err != nil {
+		return err
+	}
+	logger.Successf("%s suspended", suspend.humanKind)
+
+	return nil
+}
--- a/cmd/flux/suspend_image.go
+++ b/cmd/flux/suspend_image.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var suspendImageCmd = &cobra.Command{
+	Use:   "image",
+	Short: "Suspend image automation objects",
+	Long:  "The suspend image sub-commands suspend the reconciliation of an image automation object.",
+}
+
+func init() {
+	suspendCmd.AddCommand(suspendImageCmd)
+}
--- a/cmd/flux/suspend_image_repository.go
+++ b/cmd/flux/suspend_image_repository.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+)
+
+var suspendImageRepositoryCmd = &cobra.Command{
+	Use:   "repository [name]",
+	Short: "Suspend reconciliation of an ImageRepository",
+	Long:  "The suspend image repository command disables the reconciliation of a ImageRepository resource.",
+	Example: `  # Suspend reconciliation for an existing ImageRepository
+  flux suspend image repository alpine
+`,
+	RunE: suspendCommand{
+		apiType: imageRepositoryType,
+		object:  imageRepositoryAdapter{&imagev1.ImageRepository{}},
+	}.run,
+}
+
+func init() {
+	suspendImageCmd.AddCommand(suspendImageRepositoryCmd)
+}
+
+func (obj imageRepositoryAdapter) isSuspended() bool {
+	return obj.ImageRepository.Spec.Suspend
+}
+
+func (obj imageRepositoryAdapter) setSuspended() {
+	obj.ImageRepository.Spec.Suspend = true
+}
--- a/cmd/flux/suspend_image_updateauto.go
+++ b/cmd/flux/suspend_image_updateauto.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+)
+
+var suspendImageUpdateCmd = &cobra.Command{
+	Use:   "update [name]",
+	Short: "Suspend reconciliation of an ImageUpdateAutomation",
+	Long:  "The suspend image update command disables the reconciliation of a ImageUpdateAutomation resource.",
+	Example: `  # Suspend reconciliation for an existing ImageUpdateAutomation
+  flux suspend image update latest-images
+`,
+	RunE: suspendCommand{
+		apiType: imageUpdateAutomationType,
+		object:  imageUpdateAutomationAdapter{&autov1.ImageUpdateAutomation{}},
+	}.run,
+}
+
+func init() {
+	suspendImageCmd.AddCommand(suspendImageUpdateCmd)
+}
+
+func (update imageUpdateAutomationAdapter) isSuspended() bool {
+	return update.ImageUpdateAutomation.Spec.Suspend
+}
+
+func (update imageUpdateAutomationAdapter) setSuspended() {
+	update.ImageUpdateAutomation.Spec.Suspend = true
+}
--- a/docs/_files/commit-status-flow.png
+++ b/docs/_files/commit-status-flow.png
--- a/docs/_files/commit-status-github-failure.png
+++ b/docs/_files/commit-status-github-failure.png
--- a/docs/_files/commit-status-github-overview.png
+++ b/docs/_files/commit-status-github-overview.png
--- a/docs/_files/commit-status-github-success.png
+++ b/docs/_files/commit-status-github-success.png
--- a/docs/_files/commit-status-gitlab-failure.png
+++ b/docs/_files/commit-status-gitlab-failure.png
--- a/docs/_files/commit-status-gitlab-success.png
+++ b/docs/_files/commit-status-gitlab-success.png
--- a/docs/_files/github-commit-status.png
+++ b/docs/_files/github-commit-status.png
--- a/docs/_files/gitlab-commit-status.png
+++ b/docs/_files/gitlab-commit-status.png
--- a/docs/cmd/flux_bootstrap.md
+++ b/docs/cmd/flux_bootstrap.md
@@ -9,9 +9,10 @@ The bootstrap sub-commands bootstrap the toolkit components on the targeted Git
 ### Options

 ```
-      --arch arch                  cluster architecture, available options are: (amd64, arm, arm64) (default amd64)
      --branch string              default branch (for GitHub this must match the default branch setting for the organization) (default "main")
+      --cluster-domain string      internal cluster domain (default "cluster.local")
      --components strings         list of components, accepts comma-separated values (default [source-controller,kustomize-controller,helm-controller,notification-controller])
+      --components-extra strings   list of components in addition to those supplied or defaulted, accepts comma-separated values
  -h, --help                       help for bootstrap
      --image-pull-secret string   Kubernetes secret name used for pulling the toolkit images from a private registry
      --log-level logLevel         log level, available options are: (debug, info, error) (default info)
--- a/docs/cmd/flux_bootstrap_github.md
+++ b/docs/cmd/flux_bootstrap_github.md
@@ -30,7 +30,7 @@ flux bootstrap github [flags]
  flux bootstrap github --owner=<organization> --repository=<repo name> --path=dev-cluster

  # Run bootstrap for a public repository on a personal account
-  flux bootstrap github --owner=<user> --repository=<repo name> --private=false --personal=true 
+  flux bootstrap github --owner=<user> --repository=<repo name> --private=false --personal=true

  # Run bootstrap for a private repo hosted on GitHub Enterprise using SSH auth
  flux bootstrap github --owner=<organization> --repository=<repo name> --hostname=<domain> --ssh-hostname=<domain>
@@ -46,24 +46,25 @@ flux bootstrap github [flags]
 ### Options

 ```
-  -h, --help                  help for github
-      --hostname string       GitHub hostname (default "github.com")
-      --interval duration     sync interval (default 1m0s)
-      --owner string          GitHub user or organization name
-      --path string           repository path, when specified the cluster sync will be scoped to this path
-      --personal              is personal repository
-      --private               is private repository (default true)
-      --repository string     GitHub repository name
-      --ssh-hostname string   GitHub SSH hostname, to be used when the SSH host differs from the HTTPS one
-      --team stringArray      GitHub team to be given maintainer access
+  -h, --help                    help for github
+      --hostname string         GitHub hostname (default "github.com")
+      --interval duration       sync interval (default 1m0s)
+      --owner string            GitHub user or organization name
+      --path safeRelativePath   path relative to the repository root, when specified the cluster sync will be scoped to this path
+      --personal                is personal repository
+      --private                 is private repository (default true)
+      --repository string       GitHub repository name
+      --ssh-hostname string     GitHub SSH hostname, to be used when the SSH host differs from the HTTPS one
+      --team stringArray        GitHub team to be given maintainer access
 ```

 ### Options inherited from parent commands

 ```
-      --arch arch                  cluster architecture, available options are: (amd64, arm, arm64) (default amd64)
      --branch string              default branch (for GitHub this must match the default branch setting for the organization) (default "main")
+      --cluster-domain string      internal cluster domain (default "cluster.local")
      --components strings         list of components, accepts comma-separated values (default [source-controller,kustomize-controller,helm-controller,notification-controller])
+      --components-extra strings   list of components in addition to those supplied or defaulted, accepts comma-separated values
      --context string             kubernetes context to use
      --image-pull-secret string   Kubernetes secret name used for pulling the toolkit images from a private registry
      --kubeconfig string          path to the kubeconfig file (default "~/.kube/config")
--- a/docs/cmd/flux_bootstrap_gitlab.md
+++ b/docs/cmd/flux_bootstrap_gitlab.md
@@ -20,7 +20,7 @@ flux bootstrap gitlab [flags]
  # Create a GitLab API token and export it as an env var
  export GITLAB_TOKEN=<my-token>

-  # Run bootstrap for a private repo using HTTPS token authentication 
+  # Run bootstrap for a private repo using HTTPS token authentication
  flux bootstrap gitlab --owner=<group> --repository=<repo name> --token-auth

  # Run bootstrap for a private repo using SSH authentication
@@ -32,7 +32,7 @@ flux bootstrap gitlab [flags]
  # Run bootstrap for a public repository on a personal account
  flux bootstrap gitlab --owner=<user> --repository=<repo name> --private=false --personal --token-auth

-  # Run bootstrap for a private repo hosted on a GitLab server 
+  # Run bootstrap for a private repo hosted on a GitLab server
  flux bootstrap gitlab --owner=<group> --repository=<repo name> --hostname=<domain> --token-auth

  # Run bootstrap for a an existing repository with a branch named main
@@ -43,23 +43,24 @@ flux bootstrap gitlab [flags]
 ### Options

 ```
-  -h, --help                  help for gitlab
-      --hostname string       GitLab hostname (default "gitlab.com")
-      --interval duration     sync interval (default 1m0s)
-      --owner string          GitLab user or group name
-      --path string           repository path, when specified the cluster sync will be scoped to this path
-      --personal              is personal repository
-      --private               is private repository (default true)
-      --repository string     GitLab repository name
-      --ssh-hostname string   GitLab SSH hostname, to be used when the SSH host differs from the HTTPS one
+  -h, --help                    help for gitlab
+      --hostname string         GitLab hostname (default "gitlab.com")
+      --interval duration       sync interval (default 1m0s)
+      --owner string            GitLab user or group name
+      --path safeRelativePath   path relative to the repository root, when specified the cluster sync will be scoped to this path
+      --personal                is personal repository
+      --private                 is private repository (default true)
+      --repository string       GitLab repository name
+      --ssh-hostname string     GitLab SSH hostname, to be used when the SSH host differs from the HTTPS one
 ```

 ### Options inherited from parent commands

 ```
-      --arch arch                  cluster architecture, available options are: (amd64, arm, arm64) (default amd64)
      --branch string              default branch (for GitHub this must match the default branch setting for the organization) (default "main")
+      --cluster-domain string      internal cluster domain (default "cluster.local")
      --components strings         list of components, accepts comma-separated values (default [source-controller,kustomize-controller,helm-controller,notification-controller])
+      --components-extra strings   list of components in addition to those supplied or defaulted, accepts comma-separated values
      --context string             kubernetes context to use
      --image-pull-secret string   Kubernetes secret name used for pulling the toolkit images from a private registry
      --kubeconfig string          path to the kubeconfig file (default "~/.kube/config")
--- a/docs/cmd/flux_completion_zsh.md
+++ b/docs/cmd/flux_completion_zsh.md
@@ -25,7 +25,7 @@ command -v flux >/dev/null && . <(flux completion zsh) && compdef _flux flux
 or write a cached file in one of the completion directories in your ${fpath}:

 echo "${fpath// /\n}" | grep -i completion
-flux completions zsh > _flux
+flux completion zsh > _flux

 mv _flux ~/.oh-my-zsh/completions  # oh-my-zsh
 mv _flux ~/.zprezto/modules/completion/external/src/  # zprezto
--- a/docs/cmd/flux_create.md
+++ b/docs/cmd/flux_create.md
@@ -31,8 +31,10 @@ The create sub-commands generate sources and resources.
 * [flux create alert](flux_create_alert.md)	 - Create or update a Alert resource
 * [flux create alert-provider](flux_create_alert-provider.md)	 - Create or update a Provider resource
 * [flux create helmrelease](flux_create_helmrelease.md)	 - Create or update a HelmRelease resource
+* [flux create image](flux_create_image.md)	 - Create or update resources dealing with image automation
 * [flux create kustomization](flux_create_kustomization.md)	 - Create or update a Kustomization resource
 * [flux create receiver](flux_create_receiver.md)	 - Create or update a Receiver resource
+* [flux create secret](flux_create_secret.md)	 - Create or update Kubernetes secrets
 * [flux create source](flux_create_source.md)	 - Create or update sources
 * [flux create tenant](flux_create_tenant.md)	 - Create or update a tenant

--- a/docs/cmd/flux_create_helmrelease.md
+++ b/docs/cmd/flux_create_helmrelease.md
@@ -76,10 +76,10 @@ flux create helmrelease [name] [flags]
  -h, --help                                help for helmrelease
      --release-name string                 name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'
      --service-account string              the name of the service account to impersonate when reconciling this HelmRelease
-      --source helmChartSource              source that contains the chart in the format '<kind>/<name>',where kind can be one of: (HelmRepository, GitRepository, Bucket)
+      --source helmChartSource              source that contains the chart in the format '<kind>/<name>', where kind must be one of: (HelmRepository, GitRepository, Bucket)
      --target-namespace string             namespace to install this release, defaults to the HelmRelease namespace
      --values string                       local path to the values.yaml file
-      --values-from helmReleaseValuesFrom   Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>',where kind can be one of: (Secret, ConfigMap)
+      --values-from helmReleaseValuesFrom   Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>', where kind must be one of: (Secret, ConfigMap)
 ```

 ### Options inherited from parent commands
--- a/docs/cmd/flux_create_image.md
+++ b/docs/cmd/flux_create_image.md
@@ -0,0 +1,36 @@
+## flux create image
+
+Create or update resources dealing with image automation
+
+### Synopsis
+
+The create image sub-commands work with image automation objects; that is,
+object controlling updates to git based on e.g., new container images
+being available.
+
+### Options
+
+```
+  -h, --help   help for image
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --export              export in YAML format to stdout
+      --interval duration   source sync interval (default 1m0s)
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+      --label strings       set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux create](flux_create.md)	 - Create or update sources and resources
+* [flux create image policy](flux_create_image_policy.md)	 - Create or update an ImagePolicy object
+* [flux create image repository](flux_create_image_repository.md)	 - Create or update an ImageRepository object
+* [flux create image update](flux_create_image_update.md)	 - Create or update an ImageUpdateAutomation object
+
--- a/docs/cmd/flux_create_image_policy.md
+++ b/docs/cmd/flux_create_image_policy.md
@@ -0,0 +1,43 @@
+## flux create image policy
+
+Create or update an ImagePolicy object
+
+### Synopsis
+
+The create image policy command generates an ImagePolicy resource.
+An ImagePolicy object calculates a "latest image" given an image
+repository and a policy, e.g., semver.
+
+The image that sorts highest according to the policy is recorded in
+the status of the object.
+
+```
+flux create image policy <name> [flags]
+```
+
+### Options
+
+```
+      --filter-regex string    regular expression pattern used to filter the image tags
+  -h, --help                  help for policy
+      --image-ref string      the name of an image repository object
+      --semver string         a semver range to apply to tags; e.g., '1.x'
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --export              export in YAML format to stdout
+      --interval duration   source sync interval (default 1m0s)
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+      --label strings       set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux create image](flux_create_image.md)	 - Create or update resources dealing with image automation
+
--- a/docs/cmd/flux_create_image_repository.md
+++ b/docs/cmd/flux_create_image_repository.md
@@ -0,0 +1,39 @@
+## flux create image repository
+
+Create or update an ImageRepository object
+
+### Synopsis
+
+The create image repository command generates an ImageRepository resource.
+An ImageRepository object specifies an image repository to scan.
+
+```
+flux create image repository <name> [flags]
+```
+
+### Options
+
+```
+  -h, --help                    help for repository
+      --image string            the image repository to scan; e.g., library/alpine
+      --scan-timeout duration   a timeout for scanning; this defaults to the interval if not set
+      --secret-ref string       the name of a docker-registry secret to use for credentials
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --export              export in YAML format to stdout
+      --interval duration   source sync interval (default 1m0s)
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+      --label strings       set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux create image](flux_create_image.md)	 - Create or update resources dealing with image automation
+
--- a/docs/cmd/flux_create_image_update.md
+++ b/docs/cmd/flux_create_image_update.md
@@ -0,0 +1,42 @@
+## flux create image update
+
+Create or update an ImageUpdateAutomation object
+
+### Synopsis
+
+The create image update command generates an ImageUpdateAutomation resource.
+An ImageUpdateAutomation object specifies an automated update to images
+mentioned in YAMLs in a git repository.
+
+```
+flux create image update <name> [flags]
+```
+
+### Options
+
+```
+      --author-email string      the email to use for commit author
+      --author-name string       the name to use for commit author
+      --branch string            the branch to checkout and push commits to
+      --commit-template string   a template for commit messages
+      --git-repo-ref string      the name of a GitRepository resource with details of the upstream git repository
+  -h, --help                     help for update
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --export              export in YAML format to stdout
+      --interval duration   source sync interval (default 1m0s)
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+      --label strings       set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux create image](flux_create_image.md)	 - Create or update resources dealing with image automation
+
--- a/docs/cmd/flux_create_kustomization.md
+++ b/docs/cmd/flux_create_kustomization.md
@@ -50,10 +50,10 @@ flux create kustomization [name] [flags]
      --health-check stringArray                 workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'
      --health-check-timeout duration            timeout of health checking operations (default 2m0s)
  -h, --help                                     help for kustomization
-      --path string                              path to the directory containing a kustomization.yaml file (default "./")
+      --path safeRelativePath                    path to the directory containing a kustomization.yaml file (default ./)
      --prune                                    enable garbage collection
      --service-account string                   the name of the service account to impersonate when reconciling this Kustomization
-      --source kustomizationSource               source that contains the Kubernetes manifests in the format '[<kind>/]<name>',where kind can be one of: (GitRepository, Bucket), if kind is not specified it defaults to GitRepository
+      --source kustomizationSource               source that contains the Kubernetes manifests in the format '[<kind>/]<name>', where kind must be one of: (GitRepository, Bucket), if kind is not specified it defaults to GitRepository
      --target-namespace string                  overrides the namespace of all Kustomization objects reconciled by this Kustomization
      --validation string                        validate the manifests before applying them on the cluster, can be 'client' or 'server'
 ```
--- a/Show More
+++ b/Show More