Merge pull request #4082 from fluxcd/backport-4077-to-release/v2.0.x

[release/v2.0.x] build(deps): bump the ci group with 2 updates
build(deps): bump the ci group with 2 updates
2026-03-01 11:16:56 +00:00 · 2023-07-18 11:26:19 +03:00 · 2023-07-17 15:24:16 +00:00 · 2023-07-11 15:05:53 +03:00 · 2023-07-11 11:51:37 +00:00 · 2023-07-11 14:31:58 +03:00
314 changed files with 4051 additions and 2405 deletions
--- a/.github/aur/flux-bin/.SRCINFO.template
+++ b/.github/aur/flux-bin/.SRCINFO.template
@@ -10,13 +10,13 @@ pkgbase = flux-bin
 	license = APACHE
 	optdepends = bash-completion: auto-completion for flux in Bash
 	optdepends = zsh-completions: auto-completion for flux in ZSH
-	source_x86_64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_amd64.tar.gz
+	source_x86_64 = flux-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz
 	sha256sums_x86_64 = ${SHA256SUM_AMD64}
-	source_armv6h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
+	source_armv6h = flux-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm.tar.gz
 	sha256sums_armv6h = ${SHA256SUM_ARM}
-	source_armv7h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
+	source_armv7h = flux-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm.tar.gz
 	sha256sums_armv7h = ${SHA256SUM_ARM}
-	source_aarch64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm64.tar.gz
+	source_aarch64 = flux-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm64.tar.gz
 	sha256sums_aarch64 = ${SHA256SUM_ARM64}

 pkgname = flux-bin
--- a/.github/aur/flux-bin/PKGBUILD.template
+++ b/.github/aur/flux-bin/PKGBUILD.template
@@ -4,6 +4,8 @@
 pkgname=flux-bin
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
+_srcname=flux
+_srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
 arch=("x86_64" "armv6h" "armv7h" "aarch64")
@@ -11,16 +13,16 @@ license=("APACHE")
 optdepends=('bash-completion: auto-completion for flux in Bash'
            'zsh-completions: auto-completion for flux in ZSH')
 source_x86_64=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_amd64.tar.gz"
 )
 source_armv6h=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm.tar.gz"
 )
 source_armv7h=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm.tar.gz"
 )
 source_aarch64=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm64.tar.gz"
 )
 sha256sums_x86_64=(
  ${SHA256SUM_AMD64}
@@ -34,7 +36,6 @@ sha256sums_armv7h=(
 sha256sums_aarch64=(
  ${SHA256SUM_ARM64}
 )
-_srcname=flux

 package() {
 	install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
--- a/.github/aur/flux-bin/publish.sh
+++ b/.github/aur/flux-bin/publish.sh
@@ -28,6 +28,7 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')

+# Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}

 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
@@ -36,12 +37,12 @@ else
    export PKGREL=1
 fi

-export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm.tar.gz | awk '{ print $1 }')
-export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm64.tar.gz | awk '{ print $1 }')
-export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_amd64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_arm.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_arm64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_amd64.tar.gz | awk '{ print $1 }')

-envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
-envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD

 cd $GITDIR
 git config user.name "fluxcdbot"
--- a/.github/aur/flux-go/.SRCINFO.template
+++ b/.github/aur/flux-go/.SRCINFO.template
@@ -13,6 +13,6 @@ pkgbase = flux-go
 	provides = flux-bin
 	conflicts = flux-bin
  replaces = flux-cli
-	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${PKGVER}.tar.gz
+	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${VERSION}.tar.gz

 pkgname = flux-go
--- a/.github/aur/flux-go/PKGBUILD.template
+++ b/.github/aur/flux-go/PKGBUILD.template
@@ -4,6 +4,8 @@
 pkgname=flux-go
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
+_srcname=flux
+_srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
 arch=("x86_64" "armv6h" "armv7h" "aarch64")
@@ -12,30 +14,29 @@ provides=("flux-bin")
 conflicts=("flux-bin")
 replaces=("flux-cli")
 depends=("glibc")
-makedepends=('go>=1.17', 'kustomize>=3.0')
+makedepends=('go>=1.20', 'kustomize>=5.0')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${pkgver}.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${_srcver}.tar.gz"
 )
 sha256sums=(
  ${SHA256SUM}
 )
-_srcname=flux

 build() {
-  cd "flux2-${pkgver}"
+  cd "flux2-${_srcver}"
  export CGO_LDFLAGS="$LDFLAGS"
  export CGO_CFLAGS="$CFLAGS"
  export CGO_CXXFLAGS="$CXXFLAGS"
  export CGO_CPPFLAGS="$CPPFLAGS"
  export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
  make cmd/flux/.manifests.done
-  go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
+  go build -ldflags "-linkmode=external -X main.VERSION=${_srcver}" -o ${_srcname} ./cmd/flux
 }

 check() {
-  cd "flux2-${pkgver}"
+  cd "flux2-${_srcver}"
  case $CARCH in
    aarch64)
      export ENVTEST_ARCH=arm64
@@ -48,7 +49,7 @@ check() {
 }

 package() {
-  cd "flux2-${pkgver}"
+  cd "flux2-${_srcver}"
  install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"

--- a/.github/aur/flux-go/publish.sh
+++ b/.github/aur/flux-go/publish.sh
@@ -28,6 +28,7 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')

+# Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}

 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
@@ -36,10 +37,10 @@ else
    export PKGREL=1
 fi

-export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v$PKGVER.tar.gz | sha256sum | awk '{ print $1 }')
+export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v${VERSION}.tar.gz | sha256sum | awk '{ print $1 }')

-envsubst '$PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
-envsubst '$PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD

 cd $GITDIR
 git config user.name "fluxcdbot"
--- a/.github/aur/flux-scm/PKGBUILD.template
+++ b/.github/aur/flux-scm/PKGBUILD.template
@@ -4,6 +4,7 @@
 pkgname=flux-scm
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
+_srcname=flux
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
 arch=("x86_64" "armv6h" "armv7h" "aarch64")
@@ -11,14 +12,13 @@ license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 depends=("glibc")
-makedepends=('go>=1.17', 'kustomize>=3.0', 'git')
+makedepends=('go>=1.20', 'kustomize>=5.0', 'git')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
  "git+https://github.com/fluxcd/flux2.git"
 )
 md5sums=('SKIP')
-_srcname=flux

 pkgver() {
  cd "flux2"
--- a/.github/aur/flux-scm/publish.sh
+++ b/.github/aur/flux-scm/publish.sh
@@ -28,6 +28,7 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')

+# Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}

 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,7 +3,14 @@ version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
-    labels: ["area/build"]
+    labels: ["area/ci", "dependencies"]
+    groups:
+      # Group all updates together, so that they are all applied in a single PR.
+      # Grouped updates are currently in beta and is subject to change.
+      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
+      ci:
+        patterns:
+          - "*"
    schedule:
-      # by default this will be on a monday.
+      # By default, this will be on a monday.
      interval: "weekly"
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@@ -0,0 +1,49 @@
+# Configuration file to declaratively configure labels
+# Ref: https://github.com/EndBug/label-sync#Config-files
+
+- name: area/bootstrap
+  description: Bootstrap related issues and pull requests
+  color: '#86efc9'
+- name: area/install
+  description: Install and uninstall related issues and pull requests
+  color: '#86efc9'
+- name: area/diff
+  description: Diff related issues and pull requests
+  color: '#BA4192'
+- name: area/bucket
+  description: Bucket related issues and pull requests
+  color: '#00b140'
+- name: area/git
+  description: Git related issues and pull requests
+  color: '#863faf'
+- name: area/oci
+  description: OCI related issues and pull requests
+  color: '#c739ff'
+- name: area/kustomization
+  description: Kustomization related issues and pull requests
+  color: '#00e54d'
+- name: area/helm
+  description: Helm related issues and pull requests
+  color: '#1673b6'
+- name: area/image-automation
+  description: Automated image updates related issues and pull requests
+  color: '#c5def5'
+- name: area/monitoring
+  description: Monitoring related issues and pull requests
+  color: '#dd75ae'
+- name: area/multi-tenancy
+  description: Multi-tenancy related issues and pull requests
+  color: '#72CDBD'
+- name: area/notification
+  description: Notification API related issues and pull requests
+  color: '#434ec1'
+- name: area/source
+  description: Source API related issues and pull requests
+  color: '#863faf'
+- name: area/rfc
+  description: Feature request proposals in the RFC format
+  color: '#D621C3'
+  aliases: ['area/RFC']
+- name: backport:release/v2.0.x
+  description: To be backported to release/v2.0.x
+  color: '#ffd700'
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -0,0 +1,31 @@
+name: backport
+
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
+jobs:
+  pull-request:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Create backport PRs
+        uses: korthout/backport-action@bf5fdd624b35f95d5b85991a728bd5744e8c6cf2 # v1.3.1
+        # xref: https://github.com/korthout/backport-action#inputs
+        with:
+          # Use token to allow workflows to be triggered for the created PR
+          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          # Match labels with a pattern `backport:<target-branch>`
+          label_pattern: '^backport:([^ ]+)$'
+          # A bit shorter pull-request title than the default
+          pull_title: '[${target_branch}] ${pull_title}'
+          # Simpler PR description than default
+          pull_description: |-
+            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@@ -3,7 +3,7 @@ name: e2e-arm64
 on:
  workflow_dispatch:
  push:
-    branches: [ main, update-components, e2e-arm64* ]
+    branches: [ 'main', 'update-components', 'e2e-*', 'release/**' ]

 permissions:
  contents: read
@@ -16,14 +16,18 @@ jobs:
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
-        KUBERNETES_VERSION: [ 1.23.13, 1.24.7, 1.25.3 ]
+        # Check which versions are available on DockerHub with 'crane ls kindest/node'
+        KUBERNETES_VERSION: [ 1.25.8, 1.26.3, 1.27.3 ]
    steps:
      - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
-          go-version: 1.19.x
+          go-version: 1.20.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Prepare
        id: prep
        run: |
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -5,7 +5,17 @@ on:
  schedule:
    - cron:  '0 6 * * *'
  push:
-    branches: [ azure* ]
+    branches:
+      - main
+    paths:
+      - 'tests/**'
+      - '.github/workflows/e2e-azure.yaml'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'tests/**'
+      - '.github/workflows/e2e-azure.yaml'

 permissions:
  contents: read
@@ -13,20 +23,17 @@ permissions:
 jobs:
  e2e-amd64-aks:
    runs-on: ubuntu-22.04
+    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
-      - name: Restore Go cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go1.18-
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
-          go-version: 1.19.x
+          go-version: 1.20.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Setup Flux CLI
        run: |
          make build
--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@@ -3,9 +3,10 @@ name: e2e-bootstrap
 on:
  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  pull_request:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
+    paths-ignore: [ 'docs/**', 'rfcs/**' ]

 permissions:
  contents: read
@@ -16,26 +17,25 @@ jobs:
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
-      - name: Restore Go cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go1.18-
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
-          go-version: 1.19.x
+          go-version: 1.20.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
        with:
-          version: v0.17.0
+          version: v0.20.0
          cluster_name: kind
-          node_image: kindest/node:v1.25.2
+          # The versions below should target the newest Kubernetes version
+          # Keep this up-to-date with https://endoflife.date/kubernetes
+          node_image: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
+          kubectl_version: v1.27.3
      - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@main
      - name: Build
        run: |
          make cmd/flux/.manifests.done
@@ -99,7 +99,6 @@ jobs:
          --path=test-cluster \
          --read-write-key
          /tmp/flux reconcile image repository podinfo
-          /tmp/flux reconcile image update flux-system
          /tmp/flux get images all
          
          retries=10
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -3,9 +3,10 @@ name: e2e
 on:
  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  pull_request:
-    branches: [ main, oci ]
+    branches: [ 'main', 'release/**' ]
+    paths-ignore: [ 'docs/**', 'rfcs/**' ]

 permissions:
  contents: read
@@ -20,31 +21,30 @@ jobs:
          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
-      - name: Restore Go cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go1.18-
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
-          go-version: 1.19.x
+          go-version: 1.20.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
        with:
-          version: v0.17.0
+          version: v0.20.0
          cluster_name: kind
          config: .github/kind/config.yaml # disable KIND-net
-          node_image: kindest/node:v1.23.13
+          # The versions below should target the newest Kubernetes version
+          # Keep this up-to-date with https://endoflife.date/kubernetes
+          node_image: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
+          kubectl_version: v1.27.3
      - name: Setup Calico for network policy
        run: |
-          kubectl apply -f https://docs.projectcalico.org/v3.20/manifests/calico.yaml
+          kubectl apply -f https://docs.projectcalico.org/v3.25/manifests/calico.yaml
          kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
      - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@main
      - name: Run tests
        run: make test
      - name: Run e2e tests
@@ -78,12 +78,12 @@ jobs:
        run: |
          /tmp/flux create source git podinfo \
            --url https://github.com/stefanprodan/podinfo  \
-            --tag-semver=">=3.2.3"
+            --tag-semver=">=6.3.5"
      - name: flux create source git export apply
        run: |
          /tmp/flux create source git podinfo-export \
            --url https://github.com/stefanprodan/podinfo  \
-            --tag-semver=">=3.2.3" \
+            --tag-semver=">=6.3.5" \
            --export | kubectl apply -f -
          /tmp/flux delete source git podinfo-export --silent
      - name: flux get sources git
@@ -140,7 +140,7 @@ jobs:
            --target-namespace=default \
            --source=HelmRepository/podinfo.flux-system \
            --chart=podinfo \
-            --chart-version=">4.0.0 <5.0.0"
+            --chart-version=">6.0.0 <7.0.0"
      - name: flux create helmrelease --source=GitRepository/podinfo
        run: |
          /tmp/flux create hr podinfo-git \
@@ -184,11 +184,11 @@ jobs:
        run: |
          /tmp/flux create source oci podinfo-oci \
            --url oci://ghcr.io/stefanprodan/manifests/podinfo \
-            --tag-semver 6.1.x \
+            --tag-semver 6.3.x \
            --interval 10m
          /tmp/flux create kustomization podinfo-oci \
            --source=OCIRepository/podinfo-oci \
-            --path="./kustomize" \
+            --path="./" \
            --prune=true \
            --interval=5m \
            --target-namespace=default \
@@ -209,7 +209,7 @@ jobs:
          /tmp/flux -n apps create hr podinfo-helm \
            --source=HelmRepository/podinfo \
            --chart=podinfo \
-            --chart-version="5.0.x" \
+            --chart-version="6.3.x" \
            --service-account=dev-team
      - name: flux2-kustomize-helm-example
        run: |
--- a/.github/workflows/ossf.yaml
+++ b/.github/workflows/ossf.yaml
@@ -0,0 +1,39 @@
+name: ossf
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  schedule:
+    # Weekly on Saturdays.
+    - cron:  '30 1 * * 6'
+
+permissions: read-all
+
+jobs:
+  scorecard:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      actions: read
+      contents: read
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Run analysis
+        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_results: true
+      - name: Upload artifact
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      - name: Upload SARIF results
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        with:
+          sarif_file: results.sarif
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -9,6 +9,10 @@ permissions:

 jobs:
  release-flux-cli:
+    outputs:
+      hashes: ${{ steps.slsa.outputs.hashes }}
+      image_url: ${{ steps.slsa.outputs.image_url }}
+      image_digest: ${{ steps.slsa.outputs.image_digest }}
    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to write releases
@@ -16,32 +20,33 @@ jobs:
      packages: write # needed for ghcr access
    steps:
      - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
-          go-version: 1.19.x
+          go-version: 1.20.x
+          cache: false
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2
+        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7  # v2
+        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1  # v2.9.1
      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
+        uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
      - name: Setup Cosign
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
      - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@main
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a  # v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc  # v2.2.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -54,7 +59,7 @@ jobs:
        run: |
          kustomize build manifests/crds > all-crds.yaml
      - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg//actions/crdjsonschema@main
+        uses: fluxcd/pkg/actions/crdjsonschema@main
        with:
          crd: all-crds.yaml
          output: schemas
@@ -73,7 +78,8 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v3
+        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
        with:
          version: latest
          args: release --release-notes=output/notes.md --skip-validate
@@ -81,6 +87,22 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
          AUR_BOT_SSH_PRIVATE_KEY: ${{ secrets.AUR_BOT_SSH_PRIVATE_KEY }}
+      - name: Generate SLSA metadata
+        id: slsa
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          
+          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+          
+          image_url=fluxcd/flux-cli:$GITHUB_REF_NAME
+          echo "image_url=$image_url" >> $GITHUB_OUTPUT
+          
+          image_digest=$(docker buildx imagetools inspect ${image_url}  --format '{{json .}}' | jq -r .manifest.digest)
+          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
+
  release-flux-manifests:
    runs-on: ubuntu-latest
    needs: release-flux-cli
@@ -88,7 +110,7 @@ jobs:
      id-token: write
      packages: write
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Setup Flux CLI
@@ -99,13 +121,13 @@ jobs:
          VERSION=$(flux version --client | awk '{ print $NF }')
          echo "version=${VERSION}" >> $GITHUB_OUTPUT
      - name: Login to GHCR
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to DockerHub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -133,13 +155,13 @@ jobs:
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+      - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
-          cosign sign ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }}
-          cosign sign docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }}
+          cosign sign --yes ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }}
+          cosign sign --yes docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }}
      - name: Tag manifests
        run: |
          flux tag artifact oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
@@ -147,3 +169,43 @@ jobs:

          flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --tag latest
+
+  release-provenance:
+    needs: [release-flux-cli]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      contents: write # for uploading attestations to GitHub releases.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
+    with:
+      provenance-name: "provenance.intoto.jsonl"
+      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
+      upload-assets: true
+
+  dockerhub-provenance:
+    needs: [release-flux-cli]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
+    with:
+      image: ${{ needs.release-flux-cli.outputs.image_url }}
+      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+
+  ghcr-provenance:
+    needs: [release-flux-cli]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
+    with:
+      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
+      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.GHCR_TOKEN }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -3,9 +3,9 @@ name: scan
 on:
  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  pull_request:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  schedule:
    - cron: '18 10 * * 3'

@@ -17,9 +17,9 @@ jobs:
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v1
+        uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v2.0.0
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
@@ -31,18 +31,21 @@ jobs:
      security-events: write
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@main
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
-          go-version: 1.19.x
+          go-version: 1.20.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Download modules and build manifests
        run: |
          make tidy
          make cmd/flux/.manifests.done
-      - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+      - uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf
      - name:  Run Snyk to check for vulnerabilities
        continue-on-error: true
        run: |
@@ -50,7 +53,7 @@ jobs:
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
        with:
          sarif_file: snyk.sarif

@@ -61,16 +64,19 @@ jobs:
    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout repository
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
-      - name: Set up Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Setup Go
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
-          go-version: 1.19.x
+          go-version: 1.20.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2
+        uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
        with:
          languages: go
      - name: Autobuild
-        uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2
+        uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2
+        uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -0,0 +1,28 @@
+name: sync-labels
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/labels.yaml
+
+permissions:
+  contents: read
+
+jobs:
+  labels:
+    name: Run sync
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: EndBug/label-sync@da00f2c11fdb78e4fae44adac2fdd713778ea3e8 # v2.3.2
+        with:
+          # Configuration file
+          config-file: |
+            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
+            .github/labels.yaml
+          # Strictly declarative
+          delete-other-labels: true
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -18,11 +18,14 @@ jobs:
      pull-requests: write
    steps:
      - name: Check out code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
-          go-version: 1.19.x
+          go-version: 1.20.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Update component versions
        id: update
        run: |
@@ -81,7 +84,7 @@ jobs:

      - name: Create Pull Request
        id: cpr
-        uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4
+        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
@@ -96,7 +99,7 @@ jobs:
          body: |
            ${{ steps.update.outputs.pr_body }}
          labels: |
-            area/build
+            dependencies
          reviewers: ${{ secrets.ASSIGNEES }}

      - name: Check output
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -65,6 +65,7 @@ signs:
    certificate: '${artifact}.pem'
    args:
      - sign-blob
+      - "--yes"
      - '--output-certificate=${certificate}'
      - '--output-signature=${signature}'
      - '${artifact}'
@@ -82,14 +83,7 @@ brews:
    install: |
      bin.install "flux"

-      bash_output = Utils.safe_popen_read(bin/"flux", "completion", "bash")
-      (bash_completion/"flux").write bash_output
-
-      zsh_output = Utils.safe_popen_read(bin/"flux", "completion", "zsh")
-      (zsh_completion/"_flux").write zsh_output
-
-      fish_output = Utils.safe_popen_read(bin/"flux", "completion", "fish")
-      (fish_completion/"flux.fish").write fish_output
+      generate_completions_from_executable(bin/"flux", "completion")
    test: |
      system "#{bin}/flux --version"
 publishers:
@@ -175,6 +169,7 @@ docker_signs:
      - COSIGN_EXPERIMENTAL=1
    args:
      - sign
+      - "--yes"
      - '${artifact}'
    artifacts: all
    output: true
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -67,9 +67,9 @@ for source changes.

 Prerequisites:

-* go >= 1.19
-* kubectl >= 1.20
-* kustomize >= 4.4
+* go >= 1.20
+* kubectl >= 1.24
+* kustomize >= 5.0
 * coreutils (on Mac OS)

 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
--- a/6
+++ b/6
@@ -1,15 +1,15 @@
-FROM alpine:3.17 as builder
+FROM alpine:3.18 as builder

 RUN apk add --no-cache ca-certificates curl

 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.26.1
+ARG KUBECTL_VER=1.27.3

 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
    kubectl version --client=true

-FROM alpine:3.17 as flux-cli
+FROM alpine:3.18 as flux-cli

 RUN apk add --no-cache ca-certificates

--- a/4
+++ b/4
@@ -17,8 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build

 tidy:
-	go mod tidy -compat=1.19
-	cd tests/azure && go mod tidy -compat=1.19
+	go mod tidy -compat=1.20
+	cd tests/azure && go mod tidy -compat=1.20

 fmt:
 	go fmt ./...
--- a/README.md
+++ b/README.md
@@ -2,6 +2,7 @@

 [![release](https://img.shields.io/github/release/fluxcd/flux2/all.svg)](https://github.com/fluxcd/flux2/releases)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2/badge)](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2)
 [![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2?ref=badge_shield)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/flux2)](https://artifacthub.io/packages/helm/fluxcd-community/flux2)

@@ -42,7 +43,7 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.

-![overview](docs/_files/gitops-toolkit.png)
+![overview](https://fluxcd.io/img/diagrams/gitops-toolkit.png)

 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -23,10 +23,10 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 var bootstrapCmd = &cobra.Command{
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@@ -26,14 +26,14 @@ import (
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/bootstrap"
-	"github.com/fluxcd/flux2/pkg/bootstrap/provider"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )

 var bootstrapBServerCmd = &cobra.Command{
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -28,13 +28,13 @@ import (
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/bootstrap"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 )
@@ -134,7 +134,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 			}
 		}
 		if repositoryURL.Scheme == string(git.HTTPS) && !bootstrapArgs.tokenAuth {
-			return fmt.Errorf("--token-auth=true must be specified for using a HTTPS AWS CodeCommit url")
+			return fmt.Errorf("--token-auth=true must be specified for using an HTTPS AWS CodeCommit url")
 		}
 	}

--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -26,14 +26,14 @@ import (
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/bootstrap"
-	"github.com/fluxcd/flux2/pkg/bootstrap/provider"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )

 var bootstrapGitHubCmd = &cobra.Command{
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -28,14 +28,14 @@ import (
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/bootstrap"
-	"github.com/fluxcd/flux2/pkg/bootstrap/provider"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )

 var bootstrapGitLabCmd = &cobra.Command{
@@ -65,7 +65,11 @@ the bootstrap command will perform an upgrade if needed.`,
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<domain> --token-auth

  # Run bootstrap for a an existing repository with a branch named main
-  flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth`,
+  flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth
+
+  # Run bootstrap for a private repository using Deploy Token authentication
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --deploy-token-auth
+  `,
 	RunE: bootstrapGitLabCmdRun,
 }

@@ -77,16 +81,17 @@ const (
 )

 type gitlabFlags struct {
-	owner        string
-	repository   string
-	interval     time.Duration
-	personal     bool
-	private      bool
-	hostname     string
-	path         flags.SafeRelativePath
-	teams        []string
-	readWriteKey bool
-	reconcile    bool
+	owner           string
+	repository      string
+	interval        time.Duration
+	personal        bool
+	private         bool
+	hostname        string
+	path            flags.SafeRelativePath
+	teams           []string
+	readWriteKey    bool
+	reconcile       bool
+	deployTokenAuth bool
 }

 var gitlabArgs gitlabFlags
@@ -102,6 +107,7 @@ func init() {
 	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
+	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.deployTokenAuth, "deploy-token-auth", false, "when enabled, a Project Deploy Token is generated and will be used instead of the SSH deploy token")

 	bootstrapCmd.AddCommand(bootstrapGitLabCmd)
 }
@@ -123,6 +129,10 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if bootstrapArgs.tokenAuth && gitlabArgs.deployTokenAuth {
+		return fmt.Errorf("--token-auth and --deploy-token-auth cannot be set both.")
+	}
+
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
@@ -225,6 +235,9 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		secretOpts.Username = "git"
 		secretOpts.Password = glToken
 		secretOpts.CAFile = caBundle
+	} else if gitlabArgs.deployTokenAuth {
+		// the actual deploy token will be reconciled later
+		secretOpts.CAFile = caBundle
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
@@ -274,9 +287,12 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
-	if bootstrapArgs.tokenAuth {
+	if bootstrapArgs.tokenAuth || gitlabArgs.deployTokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
+	if gitlabArgs.deployTokenAuth {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithDeployTokenAuth())
+	}
 	if !gitlabArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
--- a/cmd/flux/build.go
+++ b/cmd/flux/build.go
@@ -23,7 +23,7 @@ import (
 var buildCmd = &cobra.Command{
 	Use:   "build",
 	Short: "Build a flux resource",
-	Long:  "The build command is used to build flux resources.",
+	Long:  `The build command is used to build flux resources.`,
 }

 func init() {
--- a/cmd/flux/build_artifact.go
+++ b/cmd/flux/build_artifact.go
@@ -33,7 +33,8 @@ import (
 var buildArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Build artifact",
-	Long:  `The build artifact command creates a tgz file with the manifests from the given directory or a single manifest file.`,
+	Long: withPreviewNote(`The build artifact command creates a tgz file with the manifests
+from the given directory or a single manifest file.`),
 	Example: `  # Build the given manifests directory into an artifact
  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz

@@ -86,7 +87,7 @@ func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {

 	logger.Actionf("building artifact from %s", path)

-	ociClient := oci.NewLocalClient()
+	ociClient := oci.NewClient(oci.DefaultOptions())
 	if err := ociClient.Build(buildArtifactArgs.output, path, buildArtifactArgs.ignorePaths); err != nil {
 		return fmt.Errorf("bulding artifact failed, error: %w", err)
 	}
--- a/cmd/flux/build_kustomization.go
+++ b/cmd/flux/build_kustomization.go
@@ -21,10 +21,12 @@ import (
 	"os"
 	"os/signal"

+	"github.com/fluxcd/pkg/ssa"
 	"github.com/spf13/cobra"

-	"github.com/fluxcd/flux2/internal/build"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/internal/build"
 )

 var buildKsCmd = &cobra.Command{
@@ -44,7 +46,14 @@ flux build kustomization my-app --path ./path/to/local/manifests --kustomization

 # Build in dry-run mode without connecting to the cluster.
 # Note that variable substitutions from Secrets and ConfigMaps are skipped in dry-run mode.
-flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml --dry-run`,
+flux build kustomization my-app --path ./path/to/local/manifests \
+	--kustomization-file ./path/to/local/my-app.yaml \
+	--dry-run
+
+# Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
+flux build kustomization my-app --path ./path/to/local/manifests \
+	--kustomization-file ./path/to/local/my-app.yaml \
+	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              buildKsCmdRun,
 }
@@ -52,6 +61,7 @@ flux build kustomization my-app --path ./path/to/local/manifests --kustomization
 type buildKsFlags struct {
 	kustomizationFile string
 	path              string
+	ignorePaths       []string
 	dryRun            bool
 }

@@ -60,6 +70,7 @@ var buildKsArgs buildKsFlags
 func init() {
 	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.")
 	buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
+	buildKsCmd.Flags().StringSliceVar(&buildKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
 	buildKsCmd.Flags().BoolVar(&buildKsArgs.dryRun, "dry-run", false, "Dry run mode.")
 	buildCmd.AddCommand(buildKsCmd)
 }
@@ -95,12 +106,14 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
 			build.WithDryRun(buildKsArgs.dryRun),
 			build.WithNamespace(*kubeconfigArgs.Namespace),
+			build.WithIgnore(buildKsArgs.ignorePaths),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, buildKsArgs.path,
 			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
+			build.WithIgnore(buildKsArgs.ignorePaths),
 		)
 	}

@@ -114,12 +127,17 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {

 	errChan := make(chan error)
 	go func() {
-		manifests, err := builder.Build()
+		objects, err := builder.Build()
 		if err != nil {
 			errChan <- err
 		}

-		cmd.Print(string(manifests))
+		manifests, err := ssa.ObjectsToYAML(objects)
+		if err != nil {
+			errChan <- err
+		}
+
+		cmd.Print(manifests)
 		errChan <- nil
 	}()

--- a/cmd/flux/build_kustomization_test.go
+++ b/cmd/flux/build_kustomization_test.go
@@ -63,6 +63,12 @@ func TestBuildKustomization(t *testing.T) {
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
+		{
+			name:       "build ignore",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/ignore --ignore-paths \"!configmap.yaml,!secret.yaml\"",
+			resultFile: "./testdata/build-kustomization/podinfo-with-ignore-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
 	}

 	tmpl := map[string]string{
@@ -92,7 +98,7 @@ func TestBuildKustomization(t *testing.T) {
 }

 func TestBuildLocalKustomization(t *testing.T) {
-	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: podinfo
@@ -153,6 +159,7 @@ spec:
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
+	setup(t, tmpl)

 	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)

--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -30,17 +30,17 @@ import (

 	"github.com/fluxcd/pkg/version"

-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/status"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/status"
 )

 var checkCmd = &cobra.Command{
 	Use:   "check",
 	Short: "Check requirements and installation",
-	Long: `The check command will perform a series of checks to validate that
-the local environment is configured correctly and if the installed components are healthy.`,
+	Long: withPreviewNote(`The check command will perform a series of checks to validate that
+the local environment is configured correctly and if the installed components are healthy.`),
 	Example: `  # Run pre-installation checks
  flux check --pre

@@ -57,7 +57,7 @@ type checkFlags struct {
 }

 var kubernetesConstraints = []string{
-	">=1.20.6-0",
+	">=1.24.0-0",
 }

 var checkArgs checkFlags
--- a/cmd/flux/check_test.go
+++ b/cmd/flux/check_test.go
@@ -25,7 +25,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 func TestCheckPre(t *testing.T) {
--- a/cmd/flux/completion.go
+++ b/cmd/flux/completion.go
@@ -20,7 +20,7 @@ import (
 	"context"
 	"strings"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,7 +31,7 @@ import (
 var completionCmd = &cobra.Command{
 	Use:   "completion",
 	Short: "Generates completion scripts for various shells",
-	Long:  "The completion sub-command generates completion scripts for various shells",
+	Long:  `The completion sub-command generates completion scripts for various shells.`,
 }

 func init() {
--- a/cmd/flux/completion_bash.go
+++ b/cmd/flux/completion_bash.go
@@ -25,6 +25,7 @@ import (
 var completionBashCmd = &cobra.Command{
 	Use:   "bash",
 	Short: "Generates bash completion scripts",
+	Long:  `The completion sub-command generates completion scripts for bash.`,
 	Example: `To load completion run

 . <(flux completion bash)
--- a/cmd/flux/completion_fish.go
+++ b/cmd/flux/completion_fish.go
@@ -25,6 +25,7 @@ import (
 var completionFishCmd = &cobra.Command{
 	Use:   "fish",
 	Short: "Generates fish completion scripts",
+	Long:  `The completion sub-command generates completion scripts for fish.`,
 	Example: `To configure your fish shell to load completions for each session write this script to your completions dir:

 flux completion fish > ~/.config/fish/completions/flux.fish
--- a/cmd/flux/completion_powershell.go
+++ b/cmd/flux/completion_powershell.go
@@ -25,6 +25,7 @@ import (
 var completionPowerShellCmd = &cobra.Command{
 	Use:   "powershell",
 	Short: "Generates powershell completion scripts",
+	Long:  `The completion sub-command generates completion scripts for powershell.`,
 	Example: `To load completion run

 . <(flux completion powershell)
--- a/cmd/flux/completion_zsh.go
+++ b/cmd/flux/completion_zsh.go
@@ -26,6 +26,7 @@ import (
 var completionZshCmd = &cobra.Command{
 	Use:   "zsh",
 	Short: "Generates zsh completion scripts",
+	Long:  `The completion sub-command generates completion scripts for zsh.`,
 	Example: `To load completion run

 . <(flux completion zsh)
--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@@ -30,13 +30,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createCmd = &cobra.Command{
 	Use:   "create",
 	Short: "Create or update sources and resources",
-	Long:  "The create sub-commands generate sources and resources.",
+	Long:  `The create sub-commands generate sources and resources.`,
 }

 type createFlags struct {
--- a/cmd/flux/create_alert.go
+++ b/cmd/flux/create_alert.go
@@ -28,16 +28,17 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
+	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createAlertCmd = &cobra.Command{
 	Use:   "alert [name]",
 	Short: "Create or update a Alert resource",
-	Long:  "The create alert command generates a Alert resource.",
+	Long:  withPreviewNote(`The create alert command generates a Alert resource.`),
 	Example: `  # Create an Alert for kustomization events
  flux create alert \
  --event-severity info \
@@ -96,13 +97,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating Alert")
 	}

-	alert := notificationv1.Alert{
+	alert := notificationv1b2.Alert{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: notificationv1.AlertSpec{
+		Spec: notificationv1b2.AlertSpec{
 			ProviderRef: meta.LocalObjectReference{
 				Name: alertArgs.providerRef,
 			},
@@ -140,13 +141,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 }

 func upsertAlert(ctx context.Context, kubeClient client.Client,
-	alert *notificationv1.Alert) (types.NamespacedName, error) {
+	alert *notificationv1b2.Alert) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: alert.GetNamespace(),
 		Name:      alert.GetName(),
 	}

-	var existing notificationv1.Alert
+	var existing notificationv1b2.Alert
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -171,7 +172,7 @@ func upsertAlert(ctx context.Context, kubeClient client.Client,
 }

 func isAlertReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, alert *notificationv1.Alert) wait.ConditionFunc {
+	namespacedName types.NamespacedName, alert *notificationv1b2.Alert) wait.ConditionFunc {
 	return func() (bool, error) {
 		err := kubeClient.Get(ctx, namespacedName, alert)
 		if err != nil {
--- a/cmd/flux/create_alertprovider.go
+++ b/cmd/flux/create_alertprovider.go
@@ -31,13 +31,13 @@ import (
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createAlertProviderCmd = &cobra.Command{
 	Use:   "alert-provider [name]",
 	Short: "Create or update a Provider resource",
-	Long:  "The create alert-provider command generates a Provider resource.",
+	Long:  withPreviewNote(`The create alert-provider command generates a Provider resource.`),
 	Example: `  # Create a Provider for a Slack channel
  flux create alert-provider slack \
  --type slack \
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@@ -24,8 +24,8 @@ import (
 	"strings"
 	"time"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/transform"

@@ -46,7 +46,7 @@ var createHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Create or update a HelmRelease resource",
-	Long:    "The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.",
+	Long:    withPreviewNote(`The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.`),
 	Example: `  # Create a HelmRelease with a chart from a HelmRepository source
  flux create hr podinfo \
    --interval=10m \
@@ -83,9 +83,9 @@ var createHelmReleaseCmd = &cobra.Command{

  # Create a HelmRelease with a custom release name
  flux create hr podinfo \
-    --release-name=podinfo-dev
+    --release-name=podinfo-dev \
    --source=HelmRepository/podinfo \
-    --chart=podinfo \
+    --chart=podinfo

  # Create a HelmRelease targeting another namespace than the resource
  flux create hr podinfo \
@@ -200,7 +200,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	if helmReleaseArgs.kubeConfigSecretRef != "" {
-		helmRelease.Spec.KubeConfig = &helmv2.KubeConfig{
+		helmRelease.Spec.KubeConfig = &meta.KubeConfigReference{
 			SecretRef: meta.SecretKeyReference{
 				Name: helmReleaseArgs.kubeConfigSecretRef,
 			},
--- a/cmd/flux/create_image.go
+++ b/cmd/flux/create_image.go
@@ -20,14 +20,12 @@ import (
 	"github.com/spf13/cobra"
 )

-const createImageLong = `The create image sub-commands work with image automation objects; that is,
-object controlling updates to git based on e.g., new container images
-being available.`
-
 var createImageCmd = &cobra.Command{
 	Use:   "image",
 	Short: "Create or update resources dealing with image automation",
-	Long:  createImageLong,
+	Long: `The create image sub-commands work with image automation objects;
+that is, object controlling updates to git based on e.g., new container images
+being available.`,
 }

 func init() {
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@@ -34,12 +34,12 @@ import (
 var createImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Create or update an ImagePolicy object",
-	Long: `The create image policy command generates an ImagePolicy resource.
+	Long: withPreviewNote(`The create image policy command generates an ImagePolicy resource.
 An ImagePolicy object calculates a "latest image" given an image
 repository and a policy, e.g., semver.

 The image that sorts highest according to the policy is recorded in
-the status of the object.`,
+the status of the object.`),
 	Example: `  # Create an ImagePolicy to select the latest stable release
  flux create image policy podinfo \
    --image-ref=podinfo \
--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@@ -32,8 +32,8 @@ import (
 var createImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Create or update an ImageRepository object",
-	Long: `The create image repository command generates an ImageRepository resource.
-An ImageRepository object specifies an image repository to scan.`,
+	Long: withPreviewNote(`The create image repository command generates an ImageRepository resource.
+An ImageRepository object specifies an image repository to scan.`),
 	Example: `  # Create an ImageRepository object to scan the alpine image repository:
  flux create image repository alpine-repo --image alpine --interval 20m

--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@@ -23,15 +23,15 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Create or update an ImageUpdateAutomation object",
-	Long: `The create image update command generates an ImageUpdateAutomation resource.
+	Long: withPreviewNote(`The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
-mentioned in YAMLs in a git repository.`,
+mentioned in YAMLs in a git repository.`),
 	Example: `  # Configure image updates for the main repository created by flux bootstrap
  flux create image update flux-system \
    --git-repo-ref=flux-system \
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@@ -31,18 +31,18 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Create or update a Kustomization resource",
-	Long:    "The create command generates a Kustomization resource for a given source.",
+	Long:    `The create command generates a Kustomization resource for a given source.`,
 	Example: `  # Create a Kustomization resource from a source at a given path
  flux create kustomization kyverno \
    --source=GitRepository/kyverno \
@@ -97,6 +97,7 @@ type kustomizationFlags struct {
 	targetNamespace     string
 	wait                bool
 	kubeConfigSecretRef string
+	retryInterval       time.Duration
 }

 var kustomizationArgs = NewKustomizationFlags()
@@ -116,6 +117,7 @@ func init() {
 	createKsCmd.Flags().StringVar(&kustomizationArgs.targetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createKsCmd.Flags().MarkDeprecated("validation", "this arg is no longer used, all resources are validated using server-side apply dry-run")
+	createKsCmd.Flags().DurationVar(&kustomizationArgs.retryInterval, "retry-interval", 0, "the interval at which to retry a previously failed reconciliation")

 	createCmd.AddCommand(createKsCmd)
 }
@@ -238,6 +240,10 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}

+	if kustomizationArgs.retryInterval > 0 {
+		kustomization.Spec.RetryInterval = &metav1.Duration{Duration: kustomizationArgs.retryInterval}
+	}
+
 	if createArgs.export {
 		return printExport(exportKs(&kustomization))
 	}
--- a/cmd/flux/create_receiver.go
+++ b/cmd/flux/create_receiver.go
@@ -28,16 +28,16 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createReceiverCmd = &cobra.Command{
 	Use:   "receiver [name]",
 	Short: "Create or update a Receiver resource",
-	Long:  "The create receiver command generates a Receiver resource.",
+	Long:  `The create receiver command generates a Receiver resource.`,
 	Example: `  # Create a Receiver
  flux create receiver github-receiver \
 	--type github \
@@ -145,7 +145,7 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Successf("Receiver %s is ready", name)

-	logger.Successf("generated webhook URL %s", receiver.Status.URL)
+	logger.Successf("generated webhook URL %s", receiver.Status.WebhookPath)
 	return nil
 }

--- a/cmd/flux/create_secret.go
+++ b/cmd/flux/create_secret.go
@@ -29,7 +29,7 @@ import (
 var createSecretCmd = &cobra.Command{
 	Use:   "secret",
 	Short: "Create or update Kubernetes secrets",
-	Long:  "The create source sub-commands generate Kubernetes secrets specific to Flux.",
+	Long:  `The create source sub-commands generate Kubernetes secrets specific to Flux.`,
 }

 func init() {
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -27,17 +27,19 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 var createSecretGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Create or update a Kubernetes secret for Git authentication",
 	Long: `The create secret git command generates a Kubernetes secret with Git credentials.
-For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
-For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
+For Git over SSH, the host and SSH keys are automatically generated and stored
+in the secret.
+For Git over HTTP/S, the provided basic authentication credentials or bearer
+authentication token are stored in the secret.`,
 	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key

  flux create secret git podinfo-auth \
@@ -87,6 +89,7 @@ type secretGitFlags struct {
 	ecdsaCurve     flags.ECDSACurve
 	caFile         string
 	privateKeyFile string
+	bearerToken    string
 }

 var secretGitArgs = NewSecretGitFlags()
@@ -100,6 +103,7 @@ func init() {
 	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")

 	createSecretCmd.AddCommand(createSecretGitCmd)
 }
@@ -147,11 +151,15 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
 		opts.Password = secretGitArgs.password
 	case "http", "https":
-		if secretGitArgs.username == "" || secretGitArgs.password == "" {
-			return fmt.Errorf("for Git over HTTP/S the username and password are required")
+		if (secretGitArgs.username == "" || secretGitArgs.password == "") && secretGitArgs.bearerToken == "" {
+			return fmt.Errorf("for Git over HTTP/S the username and password, or a bearer token is required")
 		}
 		opts.Username = secretGitArgs.username
 		opts.Password = secretGitArgs.password
+		opts.BearerToken = secretGitArgs.bearerToken
+		if secretGitArgs.username != "" && secretGitArgs.password != "" && secretGitArgs.bearerToken != "" {
+			return fmt.Errorf("user credentials and bearer token cannot be used together")
+		}
 		if secretGitArgs.caFile != "" {
 			caBundle, err := os.ReadFile(secretGitArgs.caFile)
 			if err != nil {
--- a/cmd/flux/create_secret_git_test.go
+++ b/cmd/flux/create_secret_git_test.go
@@ -30,6 +30,16 @@ func TestCreateGitSecret(t *testing.T) {
 			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
 		},
+		{
+			name:   "git authentication with bearer token",
+			args:   "create secret git bearer-token-auth --url=https://github.com/stefanprodan/podinfo --bearer-token=ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/git/git-bearer-token.yaml"),
+		},
+		{
+			name:   "git authentication with basic auth and bearer token",
+			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",
+			assert: assertError("user credentials and bearer token cannot be used together"),
+		},
 	}

 	for _, tt := range tests {
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@@ -25,14 +25,14 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"

-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 var createSecretHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a Kubernetes secret for Helm repository authentication",
-	Long:  `The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
+	Long:  withPreviewNote(`The create secret helm command generates a Kubernetes secret with basic authentication credentials.`),
 	Example: ` # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret helm repo-auth \
    --namespace=my-namespace \
--- a/cmd/flux/create_secret_oci.go
+++ b/cmd/flux/create_secret_oci.go
@@ -20,8 +20,8 @@ import (
 	"context"
 	"fmt"

-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -31,7 +31,7 @@ import (
 var createSecretOCICmd = &cobra.Command{
 	Use:   "oci [name]",
 	Short: "Create or update a Kubernetes image pull secret",
-	Long:  `The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`,
+	Long:  withPreviewNote(`The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`),
 	Example: `  # Create an OCI authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret oci podinfo-auth \
    --url=ghcr.io \
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@@ -26,14 +26,14 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"

-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 var createSecretTLSCmd = &cobra.Command{
 	Use:   "tls [name]",
 	Short: "Create or update a Kubernetes secret with TLS certificates",
-	Long:  `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
+	Long:  withPreviewNote(`The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`),
 	Example: ` # Create a TLS secret on disk and encrypt it with Mozilla SOPS.
  # Files are expected to be PEM-encoded.
  flux create secret tls certs \
--- a/cmd/flux/create_source.go
+++ b/cmd/flux/create_source.go
@@ -25,7 +25,7 @@ import (
 var createSourceCmd = &cobra.Command{
 	Use:   "source",
 	Short: "Create or update sources",
-	Long:  "The create source sub-commands generate sources.",
+	Long:  `The create source sub-commands generate sources.`,
 }

 type createSourceFlags struct {
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@@ -35,15 +35,15 @@ import (

 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Create or update a Bucket source",
-	Long: `The create source bucket command generates a Bucket resource and waits for it to be downloaded.
-For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`,
+	Long: withPreviewNote(`The create source bucket command generates a Bucket resource and waits for it to be downloaded.
+For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`),
 	Example: `  # Create a source for a Bucket using static authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@@ -37,11 +37,11 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/conditions"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 type sourceGitFlags struct {
@@ -49,6 +49,8 @@ type sourceGitFlags struct {
 	branch            string
 	tag               string
 	semver            string
+	refName           string
+	commit            string
 	username          string
 	password          string
 	keyAlgorithm      flags.PublicKeyAlgorithm
@@ -129,6 +131,8 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", " git reference name")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.commit, "commit", "", "git commit")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
@@ -168,8 +172,8 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}

-	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" {
-		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag or --tag-semver")
+	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" && sourceGitArgs.commit == "" && sourceGitArgs.refName == "" {
+		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag, --commit, --ref-name or --tag-semver")
 	}

 	if sourceGitArgs.caFile != "" && u.Scheme == "ssh" {
@@ -214,7 +218,12 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		gitRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}

-	if sourceGitArgs.semver != "" {
+	if sourceGitArgs.commit != "" {
+		gitRepository.Spec.Reference.Commit = sourceGitArgs.commit
+		gitRepository.Spec.Reference.Branch = sourceGitArgs.branch
+	} else if sourceGitArgs.refName != "" {
+		gitRepository.Spec.Reference.Name = sourceGitArgs.refName
+	} else if sourceGitArgs.semver != "" {
 		gitRepository.Spec.Reference.SemVer = sourceGitArgs.semver
 	} else if sourceGitArgs.tag != "" {
 		gitRepository.Spec.Reference.Tag = sourceGitArgs.tag
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@@ -24,14 +24,15 @@ import (
 	"testing"
 	"time"

-	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var pollInterval = 50 * time.Millisecond
@@ -98,6 +99,41 @@ func TestCreateSourceGitExport(t *testing.T) {
 			command,
 			assertGoldenFile("testdata/create_source_git/export.golden"),
 		},
+		{
+			name:   "no args",
+			args:   "create secret git",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "source with commit",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --commit=c88a2f41 --interval=1m0s --export",
+			assert: assertGoldenFile("./testdata/create_source_git/source-git-commit.yaml"),
+		},
+		{
+			name:   "source with ref name",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --ref-name=refs/heads/main --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-refname.yaml"),
+		},
+		{
+			name:   "source with branch name and commit",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=main --commit=c88a2f41 --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-branch-commit.yaml"),
+		},
+		{
+			name:   "source with semver",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --tag-semver=v1.01 --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-semver.yaml"),
+		},
+		{
+			name:   "source with git tag",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --tag=test --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-tag.yaml"),
+		},
+		{
+			name:   "source with git branch",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=test --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-branch.yaml"),
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -141,6 +177,9 @@ func TestCreateSourceGit(t *testing.T) {
 				repo.Status.Artifact = &sourcev1.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
+					LastUpdateTime: metav1.Time{
+						Time: time.Now(),
+					},
 				}
 			},
 		}, {
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -35,15 +35,15 @@ import (

 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"

-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 var createSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a HelmRepository source",
-	Long: `The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
-For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
+	Long: withPreviewNote(`The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
+For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`),
 	Example: `  # Create a source for an HTTPS public Helm repository
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
@@ -64,13 +64,13 @@ For private Helm repositories, the basic authentication credentials are stored i

  # Create a source for an OCI Helm repository
  flux create source helm podinfo \
-    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo \
    --username=username \
    --password=password

  # Create a source for an OCI Helm repository using an existing secret with basic auth or dockerconfig credentials
  flux create source helm podinfo \
-    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo \
    --secret-ref=docker-config`,
 	RunE: createSourceHelmCmdRun,
 }
@@ -83,6 +83,7 @@ type sourceHelmFlags struct {
 	keyFile         string
 	caFile          string
 	secretRef       string
+	ociProvider     string
 	passCredentials bool
 }

@@ -96,6 +97,7 @@ func init() {
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
 	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS, basic auth or docker-config credentials")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.ociProvider, "oci-provider", "", "OCI provider for authentication")
 	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")

 	createSourceCmd.AddCommand(createSourceHelmCmd)
@@ -143,6 +145,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if url.Scheme == sourcev1.HelmRepositoryTypeOCI {
 		helmRepository.Spec.Type = sourcev1.HelmRepositoryTypeOCI
+		helmRepository.Spec.Provider = sourceHelmArgs.ociProvider
 	}

 	if createSourceArgs.fetchTimeout > 0 {
--- a/cmd/flux/create_source_oci.go
+++ b/cmd/flux/create_source_oci.go
@@ -33,14 +33,14 @@ import (

 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createSourceOCIRepositoryCmd = &cobra.Command{
 	Use:   "oci [name]",
 	Short: "Create or update an OCIRepository",
-	Long:  `The create source oci command generates an OCIRepository resource and waits for it to be ready.`,
+	Long:  withPreviewNote(`The create source oci command generates an OCIRepository resource and waits for it to be ready.`),
 	Example: `  # Create an OCIRepository for a public container image
  flux create source oci podinfo \
    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
--- a/cmd/flux/create_source_oci_test.go
+++ b/cmd/flux/create_source_oci_test.go
@@ -38,12 +38,12 @@ func TestCreateSourceOCI(t *testing.T) {
 		},
 		{
 			name:       "export manifest",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --export",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --export",
 			assertFunc: assertGoldenFile("./testdata/oci/export.golden"),
 		},
 		{
 			name:       "export manifest with secret",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --secret-ref=creds --export",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --secret-ref=creds --export",
 			assertFunc: assertGoldenFile("./testdata/oci/export_with_secret.golden"),
 		},
 	}
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@@ -21,7 +21,7 @@ import (
 	"context"
 	"fmt"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -37,8 +37,8 @@ import (
 var createTenantCmd = &cobra.Command{
 	Use:   "tenant",
 	Short: "Create or update a tenant",
-	Long: `The create tenant command generates namespaces, service accounts and role bindings to limit the
-reconcilers scope to the tenant namespaces.`,
+	Long: withPreviewNote(`The create tenant command generates namespaces, service accounts and role bindings to limit the
+reconcilers scope to the tenant namespaces.`),
 	Example: `  # Create a tenant with access to a namespace 
  flux create tenant dev-team \
    --with-namespace=frontend \
--- a/cmd/flux/delete.go
+++ b/cmd/flux/delete.go
@@ -24,13 +24,13 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var deleteCmd = &cobra.Command{
 	Use:   "delete",
 	Short: "Delete sources and resources",
-	Long:  "The delete sub-commands delete sources and resources.",
+	Long:  `The delete sub-commands delete sources and resources.`,
 }

 type deleteFlags struct {
--- a/cmd/flux/delete_alert.go
+++ b/cmd/flux/delete_alert.go
@@ -25,7 +25,7 @@ import (
 var deleteAlertCmd = &cobra.Command{
 	Use:   "alert [name]",
 	Short: "Delete a Alert resource",
-	Long:  "The delete alert command removes the given Alert from the cluster.",
+	Long:  withPreviewNote("The delete alert command removes the given Alert from the cluster."),
 	Example: `  # Delete an Alert and the Kubernetes resources created by it
  flux delete alert main`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.AlertKind)),
--- a/cmd/flux/delete_alertprovider.go
+++ b/cmd/flux/delete_alertprovider.go
@@ -25,7 +25,7 @@ import (
 var deleteAlertProviderCmd = &cobra.Command{
 	Use:   "alert-provider [name]",
 	Short: "Delete a Provider resource",
-	Long:  "The delete alert-provider command removes the given Provider from the cluster.",
+	Long:  withPreviewNote("The delete alert-provider command removes the given Provider from the cluster."),
 	Example: `  # Delete a Provider and the Kubernetes resources created by it
  flux delete alert-provider slack`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ProviderKind)),
--- a/cmd/flux/delete_helmrelease.go
+++ b/cmd/flux/delete_helmrelease.go
@@ -26,7 +26,7 @@ var deleteHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Delete a HelmRelease resource",
-	Long:    "The delete helmrelease command removes the given HelmRelease from the cluster.",
+	Long:    withPreviewNote("The delete helmrelease command removes the given HelmRelease from the cluster."),
 	Example: `  # Delete a Helm release and the Kubernetes resources created by it
  flux delete hr podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
--- a/cmd/flux/delete_image.go
+++ b/cmd/flux/delete_image.go
@@ -23,7 +23,7 @@ import (
 var deleteImageCmd = &cobra.Command{
 	Use:   "image",
 	Short: "Delete image automation objects",
-	Long:  "The delete image sub-commands delete image automation objects.",
+	Long:  `The delete image sub-commands delete image automation objects.`,
 }

 func init() {
--- a/cmd/flux/delete_image_policy.go
+++ b/cmd/flux/delete_image_policy.go
@@ -25,7 +25,7 @@ import (
 var deleteImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Delete an ImagePolicy object",
-	Long:  "The delete image policy command deletes the given ImagePolicy from the cluster.",
+	Long:  withPreviewNote(`The delete image policy command deletes the given ImagePolicy from the cluster.`),
 	Example: `  # Delete an image policy
  flux delete image policy alpine3.x`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
--- a/cmd/flux/delete_image_repository.go
+++ b/cmd/flux/delete_image_repository.go
@@ -25,7 +25,7 @@ import (
 var deleteImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Delete an ImageRepository object",
-	Long:  "The delete image repository command deletes the given ImageRepository from the cluster.",
+	Long:  withPreviewNote("The delete image repository command deletes the given ImageRepository from the cluster."),
 	Example: `  # Delete an image repository
  flux delete image repository alpine`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
--- a/cmd/flux/delete_image_update.go
+++ b/cmd/flux/delete_image_update.go
@@ -25,7 +25,7 @@ import (
 var deleteImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Delete an ImageUpdateAutomation object",
-	Long:  "The delete image update command deletes the given ImageUpdateAutomation from the cluster.",
+	Long:  withPreviewNote(`The delete image update command deletes the given ImageUpdateAutomation from the cluster.`),
 	Example: `  # Delete an image update automation
  flux delete image update latest-images`,
 	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
--- a/cmd/flux/delete_kustomization.go
+++ b/cmd/flux/delete_kustomization.go
@@ -19,14 +19,14 @@ package main
 import (
 	"github.com/spf13/cobra"

-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )

 var deleteKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Delete a Kustomization resource",
-	Long:    "The delete kustomization command deletes the given Kustomization from the cluster.",
+	Long:    `The delete kustomization command deletes the given Kustomization from the cluster.`,
 	Example: `  # Delete a kustomization and the Kubernetes resources created by it when prune is enabled
  flux delete kustomization podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
--- a/cmd/flux/delete_receiver.go
+++ b/cmd/flux/delete_receiver.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 )

 var deleteReceiverCmd = &cobra.Command{
 	Use:   "receiver [name]",
 	Short: "Delete a Receiver resource",
-	Long:  "The delete receiver command removes the given Receiver from the cluster.",
+	Long:  `The delete receiver command removes the given Receiver from the cluster.`,
 	Example: `  # Delete an Receiver and the Kubernetes resources created by it
  flux delete receiver main`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)),
--- a/cmd/flux/delete_source.go
+++ b/cmd/flux/delete_source.go
@@ -23,7 +23,7 @@ import (
 var deleteSourceCmd = &cobra.Command{
 	Use:   "source",
 	Short: "Delete sources",
-	Long:  "The delete source sub-commands delete sources.",
+	Long:  `The delete source sub-commands delete sources.`,
 }

 func init() {
--- a/cmd/flux/delete_source_bucket.go
+++ b/cmd/flux/delete_source_bucket.go
@@ -25,7 +25,7 @@ import (
 var deleteSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Delete a Bucket source",
-	Long:  "The delete source bucket command deletes the given Bucket from the cluster.",
+	Long:  withPreviewNote("The delete source bucket command deletes the given Bucket from the cluster."),
 	Example: `  # Delete a Bucket source
  flux delete source bucket podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)),
--- a/cmd/flux/delete_source_git.go
+++ b/cmd/flux/delete_source_git.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var deleteSourceGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Delete a GitRepository source",
-	Long:  "The delete source git command deletes the given GitRepository from the cluster.",
+	Long:  `The delete source git command deletes the given GitRepository from the cluster.`,
 	Example: `  # Delete a Git repository
  flux delete source git podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)),
--- a/cmd/flux/delete_source_helm.go
+++ b/cmd/flux/delete_source_helm.go
@@ -25,7 +25,7 @@ import (
 var deleteSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Delete a HelmRepository source",
-	Long:  "The delete source helm command deletes the given HelmRepository from the cluster.",
+	Long:  withPreviewNote("The delete source helm command deletes the given HelmRepository from the cluster."),
 	Example: `  # Delete a Helm repository
  flux delete source helm podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)),
--- a/cmd/flux/delete_source_oci.go
+++ b/cmd/flux/delete_source_oci.go
@@ -25,7 +25,7 @@ import (
 var deleteSourceOCIRepositoryCmd = &cobra.Command{
 	Use:   "oci [name]",
 	Short: "Delete an OCIRepository source",
-	Long:  "The delete source oci command deletes the given OCIRepository from the cluster.",
+	Long:  withPreviewNote("The delete source oci command deletes the given OCIRepository from the cluster."),
 	Example: `  # Delete an OCIRepository 
  flux delete source oci podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
--- a/cmd/flux/diff.go
+++ b/cmd/flux/diff.go
@@ -23,7 +23,7 @@ import (
 var diffCmd = &cobra.Command{
 	Use:   "diff",
 	Short: "Diff a flux resource",
-	Long:  "The diff command is used to do a server-side dry-run on flux resources, then prints the diff.",
+	Long:  `The diff command is used to do a server-side dry-run on flux resources, then prints the diff.`,
 }

 func init() {
--- a/cmd/flux/diff_artifact.go
+++ b/cmd/flux/diff_artifact.go
@@ -21,16 +21,17 @@ import (
 	"fmt"
 	"os"

-	"github.com/fluxcd/flux2/internal/flags"
 	oci "github.com/fluxcd/pkg/oci/client"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/spf13/cobra"
+
+	"github.com/fluxcd/flux2/v2/internal/flags"
 )

 var diffArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Diff Artifact",
-	Long:  `The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`,
+	Long:  withPreviewNote(`The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`),
 	Example: `# Check if local files differ from remote
 flux diff artifact oci://ghcr.io/stefanprodan/manifests:podinfo:6.2.0 --path=./kustomize`,
 	RunE: diffArtifactCmdRun,
@@ -81,7 +82,7 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	ociClient := oci.NewLocalClient()
+	ociClient := oci.NewClient(oci.DefaultOptions())

 	if diffArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && diffArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
--- a/cmd/flux/diff_kustomization.go
+++ b/cmd/flux/diff_kustomization.go
@@ -23,8 +23,8 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fluxcd/flux2/internal/build"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	"github.com/fluxcd/flux2/v2/internal/build"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )

 var diffKsCmd = &cobra.Command{
@@ -37,7 +37,13 @@ Exit status: 0 No differences were found. 1 Differences were found. >1 diff fail
 flux diff kustomization my-app --path ./path/to/local/manifests

 # Preview using a local flux kustomization file
-flux diff kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml`,
+flux diff kustomization my-app --path ./path/to/local/manifests \
+	--kustomization-file ./path/to/local/my-app.yaml
+
+# Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
+flux diff kustomization my-app --path ./path/to/local/manifests \
+	--kustomization-file ./path/to/local/my-app.yaml \
+	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              diffKsCmdRun,
 }
@@ -45,6 +51,7 @@ flux diff kustomization my-app --path ./path/to/local/manifests --kustomization-
 type diffKsFlags struct {
 	kustomizationFile string
 	path              string
+	ignorePaths       []string
 	progressBar       bool
 }

@@ -53,6 +60,7 @@ var diffKsArgs diffKsFlags
 func init() {
 	diffKsCmd.Flags().StringVar(&diffKsArgs.path, "path", "", "Path to a local directory that matches the specified Kustomization.spec.path.")
 	diffKsCmd.Flags().BoolVar(&diffKsArgs.progressBar, "progress-bar", true, "Boolean to set the progress bar. The default value is true.")
+	diffKsCmd.Flags().StringSliceVar(&diffKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
 	diffKsCmd.Flags().StringVar(&diffKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	diffCmd.AddCommand(diffKsCmd)
 }
@@ -86,12 +94,16 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(diffKsArgs.kustomizationFile),
-			build.WithProgressBar())
+			build.WithProgressBar(),
+			build.WithIgnore(diffKsArgs.ignorePaths),
+		)
 	} else {
 		builder, err = build.NewBuilder(name, diffKsArgs.path,
 			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
 			build.WithTimeout(rootArgs.timeout),
-			build.WithKustomizationFile(diffKsArgs.kustomizationFile))
+			build.WithKustomizationFile(diffKsArgs.kustomizationFile),
+			build.WithIgnore(diffKsArgs.ignorePaths),
+		)
 	}

 	if err != nil {
--- a/cmd/flux/diff_kustomization_test.go
+++ b/cmd/flux/diff_kustomization_test.go
@@ -25,7 +25,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/fluxcd/flux2/internal/build"
+	"github.com/fluxcd/flux2/v2/internal/build"
 	"github.com/fluxcd/pkg/ssa"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
--- a/cmd/flux/events.go
+++ b/cmd/flux/events.go
@@ -0,0 +1,501 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/duration"
+	"k8s.io/apimachinery/pkg/watch"
+	runtimeresource "k8s.io/cli-runtime/pkg/resource"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
+	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/printers"
+)
+
+var eventsCmd = &cobra.Command{
+	Use:   "events",
+	Short: "Display Kubernetes events for Flux resources",
+	Long:  withPreviewNote("The events sub-command shows Kubernetes events from Flux resources"),
+	Example: ` # Display events for flux resources in default namespace
+	flux events -n default
+	
+	# Display events for flux resources in all namespaces
+	flux events -A
+
+	# Display events for flux resources
+	flux events --for Kustomization/podinfo
+`,
+	RunE: eventsCmdRun,
+}
+
+type eventFlags struct {
+	allNamespaces bool
+	watch         bool
+	forSelector   string
+	filterTypes   []string
+}
+
+var eventArgs eventFlags
+
+func init() {
+	eventsCmd.Flags().BoolVarP(&eventArgs.allNamespaces, "all-namespaces", "A", false,
+		"display events from Flux resources across all namespaces")
+	eventsCmd.Flags().BoolVarP(&eventArgs.watch, "watch", "w", false,
+		"indicate if the events should be streamed")
+	eventsCmd.Flags().StringVar(&eventArgs.forSelector, "for", "",
+		"get events for a particular object")
+	eventsCmd.Flags().StringSliceVar(&eventArgs.filterTypes, "types", []string{}, "filter events for certain types")
+	rootCmd.AddCommand(eventsCmd)
+}
+
+func eventsCmdRun(cmd *cobra.Command, args []string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeclient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	namespace := *kubeconfigArgs.Namespace
+	if eventArgs.allNamespaces {
+		namespace = ""
+	}
+
+	var diffRefNs bool
+	clientListOpts := getListOpt(namespace, eventArgs.forSelector)
+	var refListOpts [][]client.ListOption
+	if eventArgs.forSelector != "" {
+		refs, err := getObjectRef(ctx, kubeclient, eventArgs.forSelector, *kubeconfigArgs.Namespace)
+		if err != nil {
+			return err
+		}
+
+		for _, ref := range refs {
+			kind, name, refNs := utils.ParseObjectKindNameNamespace(ref)
+			if refNs != namespace {
+				diffRefNs = true
+			}
+			refSelector := fmt.Sprintf("%s/%s", kind, name)
+			refListOpts = append(refListOpts, getListOpt(refNs, refSelector))
+		}
+	}
+
+	showNamespace := namespace == "" || diffRefNs
+	if eventArgs.watch {
+		return eventsCmdWatchRun(ctx, kubeclient, clientListOpts, refListOpts, showNamespace)
+	}
+
+	rows, err := getRows(ctx, kubeclient, clientListOpts, refListOpts, showNamespace)
+	if len(rows) == 0 {
+		if eventArgs.allNamespaces {
+			logger.Failuref("No events found.")
+		} else {
+			logger.Failuref("No events found in %s namespace.", *kubeconfigArgs.Namespace)
+		}
+
+		return nil
+	}
+	headers := getHeaders(showNamespace)
+	err = printers.TablePrinter(headers).Print(cmd.OutOrStdout(), rows)
+	return err
+}
+
+func getRows(ctx context.Context, kubeclient client.Client, clientListOpts []client.ListOption, refListOpts [][]client.ListOption, showNs bool) ([][]string, error) {
+	el := &corev1.EventList{}
+	if err := addEventsToList(ctx, kubeclient, el, clientListOpts); err != nil {
+		return nil, err
+	}
+
+	for _, refOpts := range refListOpts {
+		if err := addEventsToList(ctx, kubeclient, el, refOpts); err != nil {
+			return nil, err
+		}
+	}
+
+	sort.Sort(SortableEvents(el.Items))
+
+	var rows [][]string
+	for _, item := range el.Items {
+		if ignoreEvent(item) {
+			continue
+		}
+		rows = append(rows, getEventRow(item, showNs))
+	}
+
+	return rows, nil
+}
+
+func addEventsToList(ctx context.Context, kubeclient client.Client, el *corev1.EventList, clientListOpts []client.ListOption) error {
+	listOpts := &metav1.ListOptions{}
+	err := runtimeresource.FollowContinue(listOpts,
+		func(options metav1.ListOptions) (runtime.Object, error) {
+			newEvents := &corev1.EventList{}
+			err := kubeclient.List(ctx, newEvents, clientListOpts...)
+			if err != nil {
+				return nil, fmt.Errorf("error getting events: %w", err)
+			}
+			el.Items = append(el.Items, newEvents.Items...)
+			return newEvents, nil
+		})
+
+	return err
+}
+
+func getListOpt(namespace, selector string) []client.ListOption {
+	clientListOpts := []client.ListOption{client.Limit(cmdutil.DefaultChunkSize), client.InNamespace(namespace)}
+	if selector != "" {
+		kind, name := utils.ParseObjectKindName(selector)
+		sel := fields.AndSelectors(
+			fields.OneTermEqualSelector("involvedObject.kind", kind),
+			fields.OneTermEqualSelector("involvedObject.name", name))
+		clientListOpts = append(clientListOpts, client.MatchingFieldsSelector{Selector: sel})
+	}
+
+	return clientListOpts
+}
+
+func eventsCmdWatchRun(ctx context.Context, kubeclient client.WithWatch, listOpts []client.ListOption, refListOpts [][]client.ListOption, showNs bool) error {
+	event := &corev1.EventList{}
+	eventWatch, err := kubeclient.Watch(ctx, event, listOpts...)
+	if err != nil {
+		return err
+	}
+
+	firstIteration := true
+
+	handleEvent := func(e watch.Event) error {
+		if e.Type == watch.Deleted {
+			return nil
+		}
+
+		event, ok := e.Object.(*corev1.Event)
+		if !ok {
+			return nil
+		}
+		if ignoreEvent(*event) {
+			return nil
+		}
+		rows := getEventRow(*event, showNs)
+		var hdr []string
+		if firstIteration {
+			hdr = getHeaders(showNs)
+			firstIteration = false
+		}
+		err = printers.TablePrinter(hdr).Print(os.Stdout, [][]string{rows})
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+
+	for _, refOpts := range refListOpts {
+		refEventWatch, err := kubeclient.Watch(ctx, event, refOpts...)
+		if err != nil {
+			return err
+		}
+		go func() {
+			err := receiveEventChan(ctx, refEventWatch, handleEvent)
+			if err != nil {
+				logger.Failuref("error watching events: %s", err.Error())
+			}
+		}()
+	}
+
+	return receiveEventChan(ctx, eventWatch, handleEvent)
+}
+
+func receiveEventChan(ctx context.Context, eventWatch watch.Interface, f func(e watch.Event) error) error {
+	defer eventWatch.Stop()
+	for {
+		select {
+		case e, ok := <-eventWatch.ResultChan():
+			if !ok {
+				return nil
+			}
+			err := f(e)
+			if err != nil {
+				return err
+			}
+		case <-ctx.Done():
+			return nil
+		}
+	}
+}
+
+func getHeaders(showNs bool) []string {
+	headers := []string{"Last seen", "Type", "Reason", "Object", "Message"}
+	if showNs {
+		headers = append(namespaceHeader, headers...)
+	}
+
+	return headers
+}
+
+func getEventRow(e corev1.Event, showNs bool) []string {
+	var row []string
+	if showNs {
+		row = []string{e.Namespace}
+	}
+	row = append(row, getLastSeen(e), e.Type, e.Reason, fmt.Sprintf("%s/%s", e.InvolvedObject.Kind, e.InvolvedObject.Name), e.Message)
+
+	return row
+}
+
+// getObjectRef is used to get the metadata of a resource that the selector(in the format <kind/name>) references.
+// It returns an empty string if the resource doesn't reference any resource
+// and a string with the format `<kind>/<name>.<namespace>` if it does.
+func getObjectRef(ctx context.Context, kubeclient client.Client, selector string, ns string) ([]string, error) {
+	kind, name := utils.ParseObjectKindName(selector)
+	ref, err := fluxKindMap.getRefInfo(kind)
+	if err != nil {
+		return nil, fmt.Errorf("error getting groupversion: %w", err)
+	}
+
+	// the resource has no source ref
+	if len(ref.field) == 0 {
+		return nil, nil
+	}
+
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(schema.GroupVersionKind{
+		Kind:    kind,
+		Version: ref.gv.Version,
+		Group:   ref.gv.Group,
+	})
+	objName := types.NamespacedName{
+		Namespace: ns,
+		Name:      name,
+	}
+
+	err = kubeclient.Get(ctx, objName, obj)
+	if err != nil {
+		return nil, err
+	}
+
+	var ok bool
+	refKind := ref.kind
+	if refKind == "" {
+		kindField := append(ref.field, "kind")
+		refKind, ok, err = unstructured.NestedString(obj.Object, kindField...)
+		if err != nil {
+			return nil, err
+		}
+		if !ok {
+			return nil, fmt.Errorf("field '%s' for '%s' not found", strings.Join(kindField, "."), objName)
+		}
+	}
+
+	nameField := append(ref.field, "name")
+	refName, ok, err := unstructured.NestedString(obj.Object, nameField...)
+	if err != nil {
+		return nil, err
+	}
+	if !ok {
+		return nil, fmt.Errorf("field '%s' for '%s' not found", strings.Join(nameField, "."), objName)
+	}
+
+	var allRefs []string
+	refNamespace := ns
+	if ref.crossNamespaced {
+		namespaceField := append(ref.field, "namespace")
+		namespace, ok, err := unstructured.NestedString(obj.Object, namespaceField...)
+		if err != nil {
+			return nil, err
+		}
+		if ok {
+			refNamespace = namespace
+		}
+	}
+
+	allRefs = append(allRefs, fmt.Sprintf("%s/%s.%s", refKind, refName, refNamespace))
+	if ref.otherRefs != nil {
+		for _, otherRef := range ref.otherRefs(ns, name) {
+			allRefs = append(allRefs, fmt.Sprintf("%s.%s", otherRef, refNamespace))
+		}
+	}
+	return allRefs, nil
+}
+
+type refMap map[string]refInfo
+
+func (r refMap) getRefInfo(kind string) (refInfo, error) {
+	for key, ref := range r {
+		if strings.EqualFold(key, kind) {
+			return ref, nil
+		}
+	}
+	return refInfo{}, fmt.Errorf("'%s' is not a recognized Flux kind", kind)
+}
+
+func (r refMap) hasKind(kind string) bool {
+	_, err := r.getRefInfo(kind)
+	return err == nil
+}
+
+type refInfo struct {
+	gv              schema.GroupVersion
+	kind            string
+	crossNamespaced bool
+	otherRefs       func(namespace, name string) []string
+	field           []string
+}
+
+var fluxKindMap = refMap{
+	kustomizev1.KustomizationKind: {
+		gv:              kustomizev1.GroupVersion,
+		crossNamespaced: true,
+		field:           []string{"spec", "sourceRef"},
+	},
+	helmv2.HelmReleaseKind: {
+		gv:              helmv2.GroupVersion,
+		crossNamespaced: true,
+		otherRefs: func(namespace, name string) []string {
+			return []string{fmt.Sprintf("%s/%s-%s", sourcev1b2.HelmChartKind, namespace, name)}
+		},
+		field: []string{"spec", "chart", "spec", "sourceRef"},
+	},
+	notificationv1b2.AlertKind: {
+		gv:              notificationv1b2.GroupVersion,
+		kind:            notificationv1b2.ProviderKind,
+		crossNamespaced: false,
+		field:           []string{"spec", "providerRef"},
+	},
+	notificationv1.ReceiverKind:   {gv: notificationv1.GroupVersion},
+	notificationv1b2.ProviderKind: {gv: notificationv1b2.GroupVersion},
+	imagev1.ImagePolicyKind: {
+		gv:              imagev1.GroupVersion,
+		kind:            imagev1.ImageRepositoryKind,
+		crossNamespaced: true,
+		field:           []string{"spec", "imageRepositoryRef"},
+	},
+	sourcev1.GitRepositoryKind:       {gv: sourcev1.GroupVersion},
+	sourcev1b2.OCIRepositoryKind:     {gv: sourcev1b2.GroupVersion},
+	sourcev1b2.BucketKind:            {gv: sourcev1b2.GroupVersion},
+	sourcev1b2.HelmRepositoryKind:    {gv: sourcev1b2.GroupVersion},
+	sourcev1b2.HelmChartKind:         {gv: sourcev1b2.GroupVersion},
+	autov1.ImageUpdateAutomationKind: {gv: autov1.GroupVersion},
+	imagev1.ImageRepositoryKind:      {gv: imagev1.GroupVersion},
+}
+
+func ignoreEvent(e corev1.Event) bool {
+	if !fluxKindMap.hasKind(e.InvolvedObject.Kind) {
+		return true
+	}
+
+	if len(eventArgs.filterTypes) > 0 {
+		_, equal := utils.ContainsEqualFoldItemString(eventArgs.filterTypes, e.Type)
+		if !equal {
+			return true
+		}
+	}
+
+	return false
+}
+
+// The functions below are copied from: https://github.com/kubernetes/kubectl/blob/master/pkg/cmd/events/events.go#L347
+
+// SortableEvents implements sort.Interface for []api.Event by time
+type SortableEvents []corev1.Event
+
+func (list SortableEvents) Len() int {
+	return len(list)
+}
+
+func (list SortableEvents) Swap(i, j int) {
+	list[i], list[j] = list[j], list[i]
+}
+
+// Return the time that should be used for sorting, which can come from
+// various places in corev1.Event.
+func eventTime(event corev1.Event) time.Time {
+	if event.Series != nil {
+		return event.Series.LastObservedTime.Time
+	}
+	if !event.LastTimestamp.Time.IsZero() {
+		return event.LastTimestamp.Time
+	}
+	return event.EventTime.Time
+}
+
+func (list SortableEvents) Less(i, j int) bool {
+	return eventTime(list[i]).Before(eventTime(list[j]))
+}
+
+func getLastSeen(e corev1.Event) string {
+	var interval string
+	firstTimestampSince := translateMicroTimestampSince(e.EventTime)
+	if e.EventTime.IsZero() {
+		firstTimestampSince = translateTimestampSince(e.FirstTimestamp)
+	}
+	if e.Series != nil {
+		interval = fmt.Sprintf("%s (x%d over %s)", translateMicroTimestampSince(e.Series.LastObservedTime), e.Series.Count, firstTimestampSince)
+	} else if e.Count > 1 {
+		interval = fmt.Sprintf("%s (x%d over %s)", translateTimestampSince(e.LastTimestamp), e.Count, firstTimestampSince)
+	} else {
+		interval = firstTimestampSince
+	}
+
+	return interval
+}
+
+// translateMicroTimestampSince returns the elapsed time since timestamp in
+// human-readable approximation.
+func translateMicroTimestampSince(timestamp metav1.MicroTime) string {
+	if timestamp.IsZero() {
+		return "<unknown>"
+	}
+
+	return duration.HumanDuration(time.Since(timestamp.Time))
+}
+
+// translateTimestampSince returns the elapsed time since timestamp in
+// human-readable approximation.
+func translateTimestampSince(timestamp metav1.Time) string {
+	if timestamp.IsZero() {
+		return "<unknown>"
+	}
+
+	return duration.HumanDuration(time.Since(timestamp.Time))
+}
--- a/cmd/flux/events_test.go
+++ b/cmd/flux/events_test.go
@@ -0,0 +1,417 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/runtime"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	helmv2beta1 "github.com/fluxcd/helm-controller/api/v2beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
+	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
+	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
+	"github.com/fluxcd/pkg/ssa"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var objects = `
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  path: ./infrastructure/
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 5m0s
+  path: ./infrastructure/
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  ref:
+    branch: main
+  secretRef:
+    name: flux-system
+  timeout: 1m0s
+  url: ssh://git@github.com/example/repo
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  chart:
+    spec:
+      chart: podinfo
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+        namespace: flux-system
+      version: '*'
+  interval: 5m0s
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: podinfo
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  url: https://stefanprodan.github.io/podinfo
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmChart
+metadata:
+  name: default-podinfo
+  namespace: flux-system
+spec:
+  chart: podinfo
+  interval: 1m0s
+  reconcileStrategy: ChartVersion
+  sourceRef:
+    kind: HelmRepository
+    name: podinfo-chart
+  version: '*'
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta2
+kind: Alert
+metadata:
+  name: webapp
+  namespace: flux-system
+spec:
+  eventSeverity: info
+  eventSources:
+  - kind: GitRepository
+    name: '*'
+  providerRef:
+    name: slack
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta2
+kind: Provider
+metadata:
+  name: slack
+  namespace: flux-system
+spec:
+  address: https://hooks.slack.com/services/mock
+  type: slack
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  imageRepositoryRef:
+    name: acr-podinfo
+    namespace: flux-system
+  policy:
+    semver:
+      range: 5.0.x
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: flux-system`
+
+func Test_getObjectRef(t *testing.T) {
+	g := NewWithT(t)
+	objs, err := ssa.ReadObjects(strings.NewReader(objects))
+	g.Expect(err).To(Not(HaveOccurred()))
+
+	builder := fake.NewClientBuilder().WithScheme(getScheme())
+	for _, obj := range objs {
+		builder = builder.WithObjects(obj)
+	}
+	c := builder.Build()
+
+	tests := []struct {
+		name      string
+		selector  string
+		namespace string
+		want      []string
+		wantErr   bool
+	}{
+		{
+			name:      "Source Ref for Kustomization",
+			selector:  "Kustomization/flux-system",
+			namespace: "flux-system",
+			want:      []string{"GitRepository/flux-system.flux-system"},
+		},
+		{
+			name:      "Crossnamespace Source Ref for Kustomization",
+			selector:  "Kustomization/podinfo",
+			namespace: "default",
+			want:      []string{"GitRepository/flux-system.flux-system"},
+		},
+		{
+			name:      "Source Ref for HelmRelease",
+			selector:  "HelmRelease/podinfo",
+			namespace: "default",
+			want:      []string{"HelmRepository/podinfo.flux-system", "HelmChart/default-podinfo.flux-system"},
+		},
+		{
+			name:      "Source Ref for Alert",
+			selector:  "Alert/webapp",
+			namespace: "flux-system",
+			want:      []string{"Provider/slack.flux-system"},
+		},
+		{
+			name:      "Source Ref for ImagePolicy",
+			selector:  "ImagePolicy/podinfo",
+			namespace: "default",
+			want:      []string{"ImageRepository/acr-podinfo.flux-system"},
+		},
+		{
+			name:      "Empty Ref for Provider",
+			selector:  "Provider/slack",
+			namespace: "flux-system",
+			want:      nil,
+		},
+		{
+			name:     "Non flux resource",
+			selector: "Namespace/flux-system",
+			wantErr:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			got, err := getObjectRef(context.Background(), c, tt.selector, tt.namespace)
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+				return
+			}
+
+			g.Expect(err).To(Not(HaveOccurred()))
+			g.Expect(got).To(Equal(tt.want))
+		})
+	}
+}
+
+func Test_getRows(t *testing.T) {
+	g := NewWithT(t)
+	objs, err := ssa.ReadObjects(strings.NewReader(objects))
+	g.Expect(err).To(Not(HaveOccurred()))
+
+	builder := fake.NewClientBuilder().WithScheme(getScheme())
+	for _, obj := range objs {
+		builder = builder.WithObjects(obj)
+	}
+	eventList := &corev1.EventList{}
+	for _, obj := range objs {
+		infoEvent := createEvent(obj, eventv1.EventSeverityInfo, "Info Message", "Info Reason")
+		warningEvent := createEvent(obj, eventv1.EventSeverityError, "Error Message", "Error Reason")
+		eventList.Items = append(eventList.Items, infoEvent, warningEvent)
+	}
+	builder = builder.WithLists(eventList)
+	builder.WithIndex(&corev1.Event{}, "involvedObject.kind/name", kindNameIndexer)
+	c := builder.Build()
+
+	tests := []struct {
+		name        string
+		selector    string
+		refSelector string
+		namespace   string
+		refNs       string
+		expected    [][]string
+	}{
+		{
+			name:      "events from all namespaces",
+			selector:  "",
+			namespace: "",
+			expected: [][]string{
+				{"default", "<unknown>", "error", "Error Reason", "HelmRelease/podinfo", "Error Message"},
+				{"default", "<unknown>", "info", "Info Reason", "HelmRelease/podinfo", "Info Message"},
+				{"default", "<unknown>", "error", "Error Reason", "ImagePolicy/podinfo", "Error Message"},
+				{"default", "<unknown>", "info", "Info Reason", "ImagePolicy/podinfo", "Info Message"},
+				{"default", "<unknown>", "error", "Error Reason", "Kustomization/podinfo", "Error Message"},
+				{"default", "<unknown>", "info", "Info Reason", "Kustomization/podinfo", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "Alert/webapp", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "Alert/webapp", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "GitRepository/flux-system", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "GitRepository/flux-system", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "HelmChart/default-podinfo", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "HelmChart/default-podinfo", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "HelmRepository/podinfo", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "HelmRepository/podinfo", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "Kustomization/flux-system", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "Kustomization/flux-system", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "Provider/slack", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "Provider/slack", "Info Message"},
+			},
+		},
+		{
+			name:      "events from default namespaces",
+			selector:  "",
+			namespace: "default",
+			expected: [][]string{
+				{"<unknown>", "error", "Error Reason", "HelmRelease/podinfo", "Error Message"},
+				{"<unknown>", "info", "Info Reason", "HelmRelease/podinfo", "Info Message"},
+				{"<unknown>", "error", "Error Reason", "ImagePolicy/podinfo", "Error Message"},
+				{"<unknown>", "info", "Info Reason", "ImagePolicy/podinfo", "Info Message"},
+				{"<unknown>", "error", "Error Reason", "Kustomization/podinfo", "Error Message"},
+				{"<unknown>", "info", "Info Reason", "Kustomization/podinfo", "Info Message"},
+			},
+		},
+		{
+			name:      "Kustomization with crossnamespaced GitRepository",
+			selector:  "Kustomization/podinfo",
+			namespace: "default",
+			expected: [][]string{
+				{"default", "<unknown>", "error", "Error Reason", "Kustomization/podinfo", "Error Message"},
+				{"default", "<unknown>", "info", "Info Reason", "Kustomization/podinfo", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "GitRepository/flux-system", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "GitRepository/flux-system", "Info Message"},
+			},
+		},
+		{
+			name:      "HelmRelease with crossnamespaced HelmRepository",
+			selector:  "HelmRelease/podinfo",
+			namespace: "default",
+			expected: [][]string{
+				{"default", "<unknown>", "error", "Error Reason", "HelmRelease/podinfo", "Error Message"},
+				{"default", "<unknown>", "info", "Info Reason", "HelmRelease/podinfo", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "HelmRepository/podinfo", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "HelmRepository/podinfo", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "HelmChart/default-podinfo", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "HelmChart/default-podinfo", "Info Message"},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			var refs []string
+			var refNs, refKind, refName string
+			if tt.selector != "" {
+				refs, err = getObjectRef(context.Background(), c, tt.selector, tt.namespace)
+				g.Expect(err).To(Not(HaveOccurred()))
+			}
+
+			g.Expect(err).To(Not(HaveOccurred()))
+
+			clientOpts := getTestListOpt(tt.namespace, tt.selector)
+			var refOpts [][]client.ListOption
+			for _, ref := range refs {
+				refKind, refName, refNs = utils.ParseObjectKindNameNamespace(ref)
+				refSelector := fmt.Sprintf("%s/%s", refKind, refName)
+				refOpts = append(refOpts, getTestListOpt(refNs, refSelector))
+			}
+
+			showNs := tt.namespace == "" || (refNs != "" && refNs != tt.namespace)
+			rows, err := getRows(context.Background(), c, clientOpts, refOpts, showNs)
+			g.Expect(err).To(Not(HaveOccurred()))
+			g.Expect(rows).To(Equal(tt.expected))
+		})
+	}
+}
+
+func getTestListOpt(namespace, selector string) []client.ListOption {
+	clientListOpts := []client.ListOption{client.Limit(cmdutil.DefaultChunkSize), client.InNamespace(namespace)}
+	if selector != "" {
+		sel := fields.OneTermEqualSelector("involvedObject.kind/name", selector)
+		clientListOpts = append(clientListOpts, client.MatchingFieldsSelector{Selector: sel})
+	}
+
+	return clientListOpts
+}
+
+func getScheme() *runtime.Scheme {
+	newscheme := runtime.NewScheme()
+	corev1.AddToScheme(newscheme)
+	kustomizev1.AddToScheme(newscheme)
+	helmv2beta1.AddToScheme(newscheme)
+	notificationv1.AddToScheme(newscheme)
+	notificationv1b2.AddToScheme(newscheme)
+	imagev1.AddToScheme(newscheme)
+	autov1.AddToScheme(newscheme)
+	sourcev1.AddToScheme(newscheme)
+	sourcev1b2.AddToScheme(newscheme)
+
+	return newscheme
+}
+
+func createEvent(obj client.Object, eventType, msg, reason string) corev1.Event {
+	return corev1.Event{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: obj.GetNamespace(),
+			// name of event needs to be unique so fak
+			Name: obj.GetNamespace() + obj.GetNamespace() + obj.GetObjectKind().GroupVersionKind().Kind + eventType,
+		},
+		Reason:  reason,
+		Message: msg,
+		Type:    eventType,
+		InvolvedObject: corev1.ObjectReference{
+			Kind:      obj.GetObjectKind().GroupVersionKind().Kind,
+			Namespace: obj.GetNamespace(),
+			Name:      obj.GetName(),
+		},
+	}
+}
+
+func kindNameIndexer(obj client.Object) []string {
+	e, ok := obj.(*corev1.Event)
+	if !ok {
+		panic(fmt.Sprintf("Expected a Event, got %T", e))
+	}
+
+	return []string{fmt.Sprintf("%s/%s", e.InvolvedObject.Kind, e.InvolvedObject.Name)}
+}
--- a/cmd/flux/export.go
+++ b/cmd/flux/export.go
@@ -26,13 +26,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var exportCmd = &cobra.Command{
 	Use:   "export",
 	Short: "Export resources in YAML format",
-	Long:  "The export sub-commands export resources in YAML format.",
+	Long:  `The export sub-commands export resources in YAML format.`,
 }

 type exportFlags struct {
@@ -122,5 +122,6 @@ func printExport(export interface{}) error {
 func resourceToString(data []byte) string {
 	data = bytes.Replace(data, []byte("  creationTimestamp: null\n"), []byte(""), 1)
 	data = bytes.Replace(data, []byte("status: {}\n"), []byte(""), 1)
+	data = bytes.TrimSpace(data)
 	return string(data)
 }
--- a/cmd/flux/export_alert.go
+++ b/cmd/flux/export_alert.go
@@ -26,7 +26,7 @@ import (
 var exportAlertCmd = &cobra.Command{
 	Use:   "alert [name]",
 	Short: "Export Alert resources in YAML format",
-	Long:  "The export alert command exports one or all Alert resources in YAML format.",
+	Long:  withPreviewNote("The export alert command exports one or all Alert resources in YAML format."),
 	Example: `  # Export all Alert resources
  flux export alert --all > alerts.yaml

--- a/cmd/flux/export_alertprovider.go
+++ b/cmd/flux/export_alertprovider.go
@@ -26,7 +26,7 @@ import (
 var exportAlertProviderCmd = &cobra.Command{
 	Use:   "alert-provider [name]",
 	Short: "Export Provider resources in YAML format",
-	Long:  "The export alert-provider command exports one or all Provider resources in YAML format.",
+	Long:  withPreviewNote("The export alert-provider command exports one or all Provider resources in YAML format."),
 	Example: `  # Export all Provider resources
  flux export alert-provider --all > alert-providers.yaml

--- a/cmd/flux/export_helmrelease.go
+++ b/cmd/flux/export_helmrelease.go
@@ -27,7 +27,7 @@ var exportHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Export HelmRelease resources in YAML format",
-	Long:    "The export helmrelease command exports one or all HelmRelease resources in YAML format.",
+	Long:    withPreviewNote("The export helmrelease command exports one or all HelmRelease resources in YAML format."),
 	Example: `  # Export all HelmRelease resources
  flux export helmrelease --all > kustomizations.yaml

--- a/cmd/flux/export_image.go
+++ b/cmd/flux/export_image.go
@@ -23,7 +23,7 @@ import (
 var exportImageCmd = &cobra.Command{
 	Use:   "image",
 	Short: "Export image automation objects",
-	Long:  "The export image sub-commands export image automation objects in YAML format.",
+	Long:  `The export image sub-commands export image automation objects in YAML format.`,
 }

 func init() {
--- a/cmd/flux/export_image_policy.go
+++ b/cmd/flux/export_image_policy.go
@@ -26,7 +26,7 @@ import (
 var exportImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Export ImagePolicy resources in YAML format",
-	Long:  "The export image policy command exports one or all ImagePolicy resources in YAML format.",
+	Long:  withPreviewNote("The export image policy command exports one or all ImagePolicy resources in YAML format."),
 	Example: `  # Export all ImagePolicy resources
  flux export image policy --all > image-policies.yaml

--- a/cmd/flux/export_image_repository.go
+++ b/cmd/flux/export_image_repository.go
@@ -26,7 +26,7 @@ import (
 var exportImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Export ImageRepository resources in YAML format",
-	Long:  "The export image repository command exports one or all ImageRepository resources in YAML format.",
+	Long:  withPreviewNote("The export image repository command exports one or all ImageRepository resources in YAML format."),
 	Example: `  # Export all ImageRepository resources
  flux export image repository --all > image-repositories.yaml

--- a/cmd/flux/export_image_update.go
+++ b/cmd/flux/export_image_update.go
@@ -26,7 +26,7 @@ import (
 var exportImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Export ImageUpdateAutomation resources in YAML format",
-	Long:  "The export image update command exports one or all ImageUpdateAutomation resources in YAML format.",
+	Long:  withPreviewNote("The export image update command exports one or all ImageUpdateAutomation resources in YAML format."),
 	Example: `  # Export all ImageUpdateAutomation resources
  flux export image update --all > updates.yaml

--- a/cmd/flux/export_kustomization.go
+++ b/cmd/flux/export_kustomization.go
@@ -20,14 +20,14 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )

 var exportKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Export Kustomization resources in YAML format",
-	Long:    "The export kustomization command exports one or all Kustomization resources in YAML format.",
+	Long:    `The export kustomization command exports one or all Kustomization resources in YAML format.`,
 	Example: `  # Export all Kustomization resources
  flux export kustomization --all > kustomizations.yaml

--- a/cmd/flux/export_receiver.go
+++ b/cmd/flux/export_receiver.go
@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 )

 var exportReceiverCmd = &cobra.Command{
 	Use:   "receiver [name]",
 	Short: "Export Receiver resources in YAML format",
-	Long:  "The export receiver command exports one or all Receiver resources in YAML format.",
+	Long:  `The export receiver command exports one or all Receiver resources in YAML format.`,
 	Example: `  # Export all Receiver resources
  flux export receiver --all > receivers.yaml

@@ -44,7 +44,7 @@ func init() {
 }

 func exportReceiver(receiver *notificationv1.Receiver) interface{} {
-	gvk := notificationv1.GroupVersion.WithKind("Receiver")
+	gvk := notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)
 	export := notificationv1.Receiver{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       gvk.Kind,
--- a/cmd/flux/export_secret.go
+++ b/cmd/flux/export_secret.go
@@ -26,7 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 // exportableWithSecret represents a type that you can fetch from the Kubernetes
--- a/cmd/flux/export_source.go
+++ b/cmd/flux/export_source.go
@@ -23,7 +23,7 @@ import (
 var exportSourceCmd = &cobra.Command{
 	Use:   "source",
 	Short: "Export sources",
-	Long:  "The export source sub-commands export sources in YAML format.",
+	Long:  `The export source sub-commands export sources in YAML format.`,
 }

 var (
--- a/cmd/flux/export_source_bucket.go
+++ b/cmd/flux/export_source_bucket.go
@@ -27,7 +27,7 @@ import (
 var exportSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Export Bucket sources in YAML format",
-	Long:  "The export source git command exports one or all Bucket sources in YAML format.",
+	Long:  withPreviewNote("The export source git command exports one or all Bucket sources in YAML format."),
 	Example: `  # Export all Bucket sources
  flux export source bucket --all > sources.yaml

--- a/cmd/flux/export_source_git.go
+++ b/cmd/flux/export_source_git.go
@@ -21,13 +21,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var exportSourceGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Export GitRepository sources in YAML format",
-	Long:  "The export source git command exports one or all GitRepository sources in YAML format.",
+	Long:  `The export source git command exports one or all GitRepository sources in YAML format.`,
 	Example: `  # Export all GitRepository sources
  flux export source git --all > sources.yaml

--- a/Show More
+++ b/Show More