Merge pull request #1755 from fluxcd/update-components

Update toolkit components
2026-03-01 19:26:55 +00:00 · 2021-08-26 15:35:01 +03:00 · 2021-08-26 12:11:29 +00:00 · 2021-08-26 15:10:58 +03:00 · 2021-08-26 10:56:25 +02:00 · 2021-08-25 22:10:47 +02:00
488 changed files with 13805 additions and 16297 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -0,0 +1,85 @@
 ---
 name: Bug report
 description: Create a report to help us improve Flux
 body:
 - type: markdown
  attributes:
    value: |
      ## Support
      Find out more about your support options and getting help at: https://fluxcd.io/support/
 - type: textarea
  validations:
    required: true
  attributes:
    label: Describe the bug
    description: A clear description of what the bug is.
 - type: textarea
  validations:
    required: true
  attributes:
    label: Steps to reproduce
    description: |
      Steps to reproduce the problem.
    placeholder: |
      For example:
      1. Install Flux with the additional image automation controllers
      2. Run command '...'
      3. See error
 - type: textarea
  validations:
    required: true
  attributes:
    label: Expected behavior
    description: A brief description of what you expected to happen.
 - type: textarea
  attributes:
    label: Screenshots and recordings
    description: |
      If applicable, add screenshots to help explain your problem. You can also record an asciinema session: https://asciinema.org/
 - type: input
  validations:
    required: true
  attributes:
    label: OS / Distro
    description: The OS / distro you are executing `flux` on. If not applicable, write `N/A`.
    placeholder: e.g. Windows 10, Ubuntu 20.04, Arch Linux, macOS 10.15...
 - type: input
  validations:
    required: true
  attributes:
    label: Flux version
    description: Run `flux --version` to check. If not applicable, write `N/A`.
    placeholder: e.g. 0.16.1
 - type: textarea
  validations:
    required: true
  attributes:
    label: Flux check
    description: Run `flux check` to check. If not applicable, write `N/A`.
    placeholder: |
      For example:
      ► checking prerequisites
      ✔ kubectl 1.21.0 >=1.18.0-0
      ✔ Kubernetes 1.21.1 >=1.16.0-0
      ► checking controllers
      ✔ all checks passed
 - type: input
  attributes:
    label: Git provider
    description: If applicable, add the Git provider you are having problems with, e.g. GitHub (Enterprise), GitLab, etc.
 - type: input
  attributes:
    label: Container Registry provider
    description: If applicable, add the Container Registry provider you are having problems with, e.g. DockerHub, GitHub Packages, Quay.io, etc.
 - type: textarea
  attributes:
    label: Additional context
    description: Add any other context about the problem here. This can be logs (e.g. output from `flux logs`), environment specific caveats, etc.
 - type: checkboxes
  id: terms
  attributes:
    label: Code of Conduct
    description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/fluxcd/.github/blob/main/CODE_OF_CONDUCT.md)
    options:
    - label: I agree to follow this project's Code of Conduct
      required: true
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
 blank_issues_enabled: true
 contact_links:
  - name: Ask a question
    url: https://github.com/fluxcd/flux2/discussions
    about: Please ask and answer questions here.
--- a/.github/aur/flux-bin/PKGBUILD.template
+++ b/.github/aur/flux-bin/PKGBUILD.template
@@ -8,18 +8,20 @@ pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
 arch=("x86_64" "armv6h" "armv7h" "aarch64")
 license=("APACHE")
-optdepends=("kubectl")
+optdepends=('kubectl: for apply actions on the Kubernetes cluster',
 'bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source_x86_64=(
-  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
 )
 source_armv6h=(
-  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
 )
 source_armv7h=(
-  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
 )
 source_aarch64=(
-  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
 )
 sha256sums_x86_64=(
  ${SHA256SUM_AMD64}
@@ -33,7 +35,12 @@ sha256sums_armv7h=(
 sha256sums_aarch64=(
  ${SHA256SUM_ARM64}
 )
 _srcname=flux
 package() {
-	install -Dm755 flux "$pkgdir/usr/bin/flux"
+	install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
    "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
    "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
    "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
 }
--- a/.github/aur/flux-go/PKGBUILD.template
+++ b/.github/aur/flux-go/PKGBUILD.template
@@ -12,32 +12,40 @@ provides=("flux-bin")
 conflicts=("flux-bin")
 replaces=("flux-cli")
 depends=("glibc")
-makedepends=("go")
+makedepends=('go>=1.16', 'kustomize>=3.0')
-optdepends=("kubectl")
+optdepends=('kubectl: for apply actions on the Kubernetes cluster',
 'bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
-  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/archive/v$pkgver.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${pkgver}.tar.gz"
 )
 sha256sums=(
  ${SHA256SUM}
 )
 _srcname=flux
 build() {
-  cd "flux2-$pkgver"
+  cd "flux2-${pkgver}"
  export CGO_LDFLAGS="$LDFLAGS"
  export CGO_CFLAGS="$CFLAGS"
  export CGO_CXXFLAGS="$CXXFLAGS"
  export CGO_CPPFLAGS="$CPPFLAGS"
-  export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
+  export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
-  go build -ldflags "-X main.VERSION=$pkgver" -o flux-bin ./cmd/flux
+  ./manifests/scripts/bundle.sh "${PWD}/manifests" "${PWD}/cmd/flux/manifests"
  go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
 }
 check() {
-  cd "flux2-$pkgver"
+  cd "flux2-${pkgver}"
  make test
 }
 package() {
-  cd "flux2-$pkgver"
+  cd "flux2-${pkgver}"
-  install -Dm755 flux-bin "$pkgdir/usr/bin/flux"
+  install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
-  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
  "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
  "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
  "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
 }
--- a/.github/aur/flux-scm/PKGBUILD.template
+++ b/.github/aur/flux-scm/PKGBUILD.template
@@ -11,12 +11,15 @@ license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 depends=("glibc")
-makedepends=("go")
+makedepends=('go>=1.16', 'kustomize>=3.0')
-optdepends=("kubectl")
+optdepends=('kubectl: for apply actions on the Kubernetes cluster',
 'bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
  "git+https://github.com/fluxcd/flux2.git"
 )
 md5sums=('SKIP')
 _srcname=flux
 pkgver() {
  cd "flux2"
@@ -29,8 +32,9 @@ build() {
  export CGO_CFLAGS="$CFLAGS"
  export CGO_CXXFLAGS="$CXXFLAGS"
  export CGO_CPPFLAGS="$CPPFLAGS"
-  export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
+  export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
-  go build -ldflags "-X main.VERSION=$pkgver" -o flux-bin ./cmd/flux
+  make cmd/flux/manifests
  go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
 }
 check() {
@@ -40,6 +44,10 @@ check() {
 package() {
  cd "flux2"
-  install -Dm755 flux-bin "$pkgdir/usr/bin/flux"
+  install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
-  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
  "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
  "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
  "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
 }
--- a/.github/kind/config.yaml
+++ b/.github/kind/config.yaml
@@ -0,0 +1,5 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 networking:
  disableDefaultCNI: true   # disable kindnet
  podSubnet: 192.168.0.0/16 # set to Calico's default subnet
--- a/.github/runners/README.md
+++ b/.github/runners/README.md
@@ -0,0 +1,42 @@
 # Flux GitHub runners
 How to provision GitHub Actions self-hosted runners for Flux conformance testing.
 ## ARM64 Instance specs
 In order to add a new runner to the GitHub Actions pool,
 first create an instance on Oracle Cloud with the following configuration:
 - OS: Canonical Ubuntu 20.04
 - Shape: VM.Standard.A1.Flex
 - OCPU Count: 2 
 - Memory (GB): 12
 - Network Bandwidth (Gbps): 2
 - Local Disk: Block Storage Only  
 Note that the instance image source must be **Canonical Ubuntu** instead of the default Oracle Linux.
 ## ARM64 Instance setup
 - SSH into a newly created instance
 ```shell
 ssh ubuntu@<instance-public-IP>
 ``` 
 - Create the action runner dir
 ```shell
 mkdir -p actions-runner && cd actions-runner
 ```
 - Download the provisioning script
 ```shell
 curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/arm64.sh > arm64.sh \
  && chmod +x ./arm64.sh
 ```
 - Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)
 - Run the provisioning script passing the token as the first argument
 ```shell
 sudo ./arm64.sh <TOKEN>
 ```
 - Reboot the instance
 ```shell
 sudo reboot
 ```  
 - Navigate to the GitHub repository [runners page](https://github.com/fluxcd/flux2/settings/actions/runners) and check the runner status
--- a/.github/runners/arm64.sh
+++ b/.github/runners/arm64.sh
@@ -0,0 +1,73 @@
 #!/usr/bin/env bash
 # Copyright 2021 The Flux authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # This script is meant to be run locally and in CI to validate the Kubernetes
 # manifests (including Flux custom resources) before changes are merged into
 # the branch synced by Flux in-cluster.
 set -eu
 REPOSITORY_TOKEN=$1
 REPOSITORY_URL=${2:-https://github.com/fluxcd/flux2}
 KIND_VERSION=0.11.1
 KUBECTL_VERSION=1.21.2
 KUSTOMIZE_VERSION=4.1.3
 GITHUB_RUNNER_VERSION=2.278.0
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq"
 # install prerequisites
 apt-get update \
  && apt-get install -y -q ${PACKAGES} \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 # install docker
 curl -fsSL https://get.docker.com -o get-docker.sh \
  && chmod +x get-docker.sh
 ./get-docker.sh
 systemctl enable docker.service
 systemctl enable containerd.service
 usermod -aG docker ubuntu
 # install kind
 curl -Lo ./kind https://kind.sigs.k8s.io/dl/v${KIND_VERSION}/kind-linux-arm64
 install -o root -g root -m 0755 kind /usr/local/bin/kind
 # install kubectl
 curl -LO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/arm64/kubectl"
 install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
 # install kustomize
 curl -Lo ./kustomize.tar.gz https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_arm64.tar.gz \
  && tar -zxvf kustomize.tar.gz \
  && rm kustomize.tar.gz
 install -o root -g root -m 0755 kustomize /usr/local/bin/kustomize
 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
  && tar xzf actions-runner-linux-arm64.tar.gz \
  && rm actions-runner-linux-arm64.tar.gz
 # install runner dependencies
 ./bin/installdependencies.sh
 # register runner with GitHub
 sudo -u ubuntu ./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN}
 # start runner
 ./svc.sh install
 ./svc.sh start
--- a/.github/workflows/bootstrap.yaml
+++ b/.github/workflows/bootstrap.yaml
@@ -2,12 +2,14 @@ name: bootstrap
 on:
  push:
-    branches:
+    branches: [ main ]
-      - '*'
+  pull_request:
    branches: [ main ]
 jobs:
  github:
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Checkout
        uses: actions/checkout@v2
@@ -15,58 +17,82 @@ jobs:
        uses: actions/cache@v1
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.16-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go-
+            ${{ runner.os }}-go1.16-
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.15.x
+          go-version: 1.16.x
      - name: Setup Kubernetes
        uses: engineerd/setup-kind@v0.5.0
        with:
          version: v0.11.1
          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build
        run: |
          make cmd/flux/manifests
          go build -o /tmp/flux ./cmd/flux
      - name: Set outputs
        id: vars
-        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+        run: |
-      - name: Build
+          REPOSITORY_NAME=${{ github.event.repository.name }}
-        run: sudo go build -o ./bin/flux ./cmd/flux
+          BRANCH_NAME=${GITHUB_REF##*/}
          COMMIT_SHA=$(git rev-parse HEAD)
          PSEUDO_RAND_SUFFIX=$(echo "${BRANCH_NAME}-${COMMIT_SHA}" | shasum | awk '{print $1}')
          TEST_REPO_NAME="${REPOSITORY_NAME}-${PSEUDO_RAND_SUFFIX}"
          echo "::set-output name=test_repo_name::$TEST_REPO_NAME"
      - name: bootstrap init
        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
-          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
+          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
-          --path=test-cluster
+          --path=test-cluster \
          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: bootstrap no-op
        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
-          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
+          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
-          --path=test-cluster
+          --path=test-cluster \
          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: libgit2
        run: |
          /tmp/flux create source git test-libgit2 \
          --url=ssh://git@github.com/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} \
          --git-implementation=libgit2 \
          --secret-ref=flux-system \
          --branch=main
      - name: uninstall
        run: |
-          ./bin/flux uninstall --resources --crds -s --timeout=10m
+          /tmp/flux uninstall -s --keep-namespace
          kubectl delete ns flux-system --timeout=10m --wait=true
      - name: bootstrap reinstall
        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
-          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
+          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
-          --path=test-cluster
+          --path=test-cluster \
          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: delete repository
        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          curl \
-          --owner=fluxcd-testing \
+            -X DELETE \
-          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
+            -H "Accept: application/vnd.github.v3+json" \
-          --branch=main \
+            -H "Authorization: token ${GITHUB_TOKEN}" \
-          --path=test-cluster \
+            --fail --silent \
-          --delete
+            https://api.github.com/repos/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Debug failure
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -1,65 +0,0 @@
 name: Publish docs via GitHub Pages
 on:
  push:
    branches:
      - docs*
      - main
 jobs:
  build:
    name: Deploy docs
    runs-on: ubuntu-latest
    steps:
      - name: Checkout master
        uses: actions/checkout@v1
      - name: Copy assets
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          controller_version() {
            sed -n "s/.*$1\/archive\/\(.*\).zip.*/\1/p;n" manifests/bases/$1/kustomization.yaml
          }
          {
            # source-controller CRDs
            SOURCE_VER=$(controller_version source-controller)
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/api/source.md" > docs/components/source/api.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/gitrepositories.md" > docs/components/source/gitrepositories.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/helmrepositories.md" > docs/components/source/helmrepositories.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/helmcharts.md" > docs/components/source/helmcharts.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/buckets.md" > docs/components/source/buckets.md
          }
          {
            # kustomize-controller CRDs
            KUSTOMIZE_VER=$(controller_version kustomize-controller)
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/kustomize-controller/$KUSTOMIZE_VER/docs/api/kustomize.md" > docs/components/kustomize/api.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/kustomize-controller/$KUSTOMIZE_VER/docs/spec/v1beta1/kustomization.md" > docs/components/kustomize/kustomization.md
          }
          {
            # helm-controller CRDs
            HELM_VER=$(controller_version helm-controller)
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/helm-controller/$HELM_VER/docs/api/helmrelease.md" > docs/components/helm/api.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/helm-controller/$HELM_VER/docs/spec/v2beta1/helmreleases.md" > docs/components/helm/helmreleases.md
          }
          {
            # notification-controller CRDs
            NOTIFICATION_VER=$(controller_version notification-controller)
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/api/notification.md" > docs/components/notification/api.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/event.md" > docs/components/notification/event.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/alert.md" > docs/components/notification/alert.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/provider.md" > docs/components/notification/provider.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/receiver.md" > docs/components/notification/receiver.md
          }
          {
            # install script
            cp install/flux.sh docs/install.sh
          }
      - name: Deploy docs
        uses: mhausenblas/mkdocs-deploy-gh-pages@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CUSTOM_DOMAIN: toolkit.fluxcd.io
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@@ -0,0 +1,38 @@
 name: e2e-arm64
 on:
  workflow_dispatch:
  push:
    branches: [ main, update-components, arm64-e2e ]
 jobs:
  ampere:
    # Runner info
    # Owner: Stefan Prodan
    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
    runs-on: [self-hosted, Linux, ARM64]
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.16.x
      - name: Prepare
        id: prep
        run: |
          echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
          echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
      - name: Build
        run: |
          make build
      - name: Setup Kubernetes Kind
        run: |
          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
      - name: Run e2e tests
        run: TEST_KUBECONFIG=/tmp/${{ steps.prep.outputs.CLUSTER }} make e2e
      - name: Cleanup
        if: always()
        run: |
          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
          rm /tmp/${{ steps.prep.outputs.CLUSTER }}
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -1,10 +1,10 @@
 name: e2e
 on:
  pull_request:
  push:
-    branches:
+    branches: [ main ]
-      - main
+  pull_request:
    branches: [ main ]
 jobs:
  kind:
@@ -16,19 +16,33 @@ jobs:
        uses: actions/cache@v1
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.16-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go-
+            ${{ runner.os }}-go1.16-
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.15.x
+          go-version: 1.16.x
      - name: Setup Kubernetes
        uses: engineerd/setup-kind@v0.5.0
        with:
-          image: kindest/node:v1.16.9
+          version: v0.11.1
-      - name: Run test
+          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
          config: .github/kind/config.yaml # disable KIND-net
      - name: Setup envtest
        uses: fluxcd/pkg/actions/envtest@main
        with:
          version: "1.21.x"
      - name: Setup Calico for network policy
        run: |
          kubectl apply -f https://docs.projectcalico.org/v3.16/manifests/calico.yaml
          kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Run tests
        run: make test
      - name: Run e2e tests
        run: TEST_KUBECONFIG=$HOME/.kube/config make e2e
      - name: Check if working tree is dirty
        run: |
          if [[ $(git diff --stat) != '' ]]; then
@@ -37,34 +51,44 @@ jobs:
            exit 1
          fi
      - name: Build
-        run: sudo go build -o ./bin/flux ./cmd/flux
+        run: |
          go build -o /tmp/flux ./cmd/flux
      - name: flux check --pre
        run: |
-          ./bin/flux check --pre
+          /tmp/flux check --pre
      - name: flux install --manifests
        run: |
-          ./bin/flux install --manifests ./manifests/install/
+          /tmp/flux install --manifests ./manifests/install/
      - name: flux create secret
        run: |
          /tmp/flux create secret git git-ssh-test \
            --url ssh://git@github.com/stefanprodan/podinfo
          /tmp/flux create secret git git-https-test \
            --url https://github.com/stefanprodan/podinfo \
            --username=test --password=test
          /tmp/flux create secret helm helm-test \
            --username=test --password=test
      - name: flux create source git
        run: |
-          ./bin/flux create source git podinfo \
+          /tmp/flux create source git podinfo \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=3.2.3"
      - name: flux create source git export apply
        run: |
-          ./bin/flux create source git podinfo-export \
+          /tmp/flux create source git podinfo-export \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=3.2.3" \
            --export | kubectl apply -f -
-          ./bin/flux delete source git podinfo-export --silent
+          /tmp/flux delete source git podinfo-export --silent
      - name: flux get sources git
        run: |
-          ./bin/flux get sources git
+          /tmp/flux get sources git
      - name: flux get sources git --all-namespaces
        run: |
-          ./bin/flux get sources git --all-namespaces
+          /tmp/flux get sources git --all-namespaces
      - name: flux create kustomization
        run: |
-          ./bin/flux create kustomization podinfo \
+          /tmp/flux create kustomization podinfo \
            --source=podinfo \
            --path="./deploy/overlays/dev" \
            --prune=true \
@@ -73,99 +97,107 @@ jobs:
            --health-check="Deployment/frontend.dev" \
            --health-check="Deployment/backend.dev" \
            --health-check-timeout=3m
      - name: flux trace
        run: |
          /tmp/flux trace frontend \
            --kind=deployment \
            --api-version=apps/v1 \
            --namespace=dev
      - name: flux reconcile kustomization --with-source
        run: |
-          ./bin/flux reconcile kustomization podinfo --with-source
+          /tmp/flux reconcile kustomization podinfo --with-source
      - name: flux get kustomizations
        run: |
-          ./bin/flux get kustomizations
+          /tmp/flux get kustomizations
      - name: flux get kustomizations --all-namespaces
        run: |
-          ./bin/flux get kustomizations --all-namespaces
+          /tmp/flux get kustomizations --all-namespaces
      - name: flux suspend kustomization
        run: |
-          ./bin/flux suspend kustomization podinfo
+          /tmp/flux suspend kustomization podinfo
      - name: flux resume kustomization
        run: |
-          ./bin/flux resume kustomization podinfo
+          /tmp/flux resume kustomization podinfo
      - name: flux export
        run: |
-          ./bin/flux export source git --all
+          /tmp/flux export source git --all
-          ./bin/flux export kustomization --all
+          /tmp/flux export kustomization --all
      - name: flux delete kustomization
        run: |
-          ./bin/flux delete kustomization podinfo --silent
+          /tmp/flux delete kustomization podinfo --silent
      - name: flux create source helm
        run: |
-          ./bin/flux create source helm podinfo \
+          /tmp/flux create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
      - name: flux create helmrelease --source=HelmRepository/podinfo
        run: |
-          ./bin/flux create hr podinfo-helm \
+          /tmp/flux create hr podinfo-helm \
            --target-namespace=default \
-            --source=HelmRepository/podinfo \
+            --source=HelmRepository/podinfo.flux-system \
            --chart=podinfo \
            --chart-version=">4.0.0 <5.0.0"
      - name: flux create helmrelease --source=GitRepository/podinfo
        run: |
-          ./bin/flux create hr podinfo-git \
+          /tmp/flux create hr podinfo-git \
            --target-namespace=default \
            --source=GitRepository/podinfo \
            --chart=./charts/podinfo
      - name: flux reconcile helmrelease --with-source
        run: |
-          ./bin/flux reconcile helmrelease podinfo-git --with-source
+          /tmp/flux reconcile helmrelease podinfo-git --with-source
      - name: flux get helmreleases
        run: |
-          ./bin/flux get helmreleases
+          /tmp/flux get helmreleases
      - name: flux get helmreleases --all-namespaces
        run: |
-          ./bin/flux get helmreleases --all-namespaces
+          /tmp/flux get helmreleases --all-namespaces
      - name: flux export helmrelease
        run: |
-          ./bin/flux export hr --all
+          /tmp/flux export hr --all
      - name: flux delete helmrelease podinfo-helm
        run: |
-          ./bin/flux delete hr podinfo-helm --silent
+          /tmp/flux delete hr podinfo-helm --silent
      - name: flux delete helmrelease podinfo-git
        run: |
-          ./bin/flux delete hr podinfo-git --silent
+          /tmp/flux delete hr podinfo-git --silent
      - name: flux delete source helm
        run: |
-          ./bin/flux delete source helm podinfo --silent
+          /tmp/flux delete source helm podinfo --silent
      - name: flux delete source git
        run: |
-          ./bin/flux delete source git podinfo --silent
+          /tmp/flux delete source git podinfo --silent
      - name: flux create tenant
        run: |
-          ./bin/flux create tenant dev-team --with-namespace=apps
+          /tmp/flux create tenant dev-team --with-namespace=apps
-          ./bin/flux -n apps create source helm podinfo \
+          /tmp/flux -n apps create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
-          ./bin/flux -n apps create hr podinfo-helm \
+          /tmp/flux -n apps create hr podinfo-helm \
            --source=HelmRepository/podinfo \
            --chart=podinfo \
            --chart-version="5.0.x" \
            --service-account=dev-team
      - name: flux2-kustomize-helm-example
        run: |
-          ./bin/flux create source git flux-system \
+          /tmp/flux create source git flux-system \
          --url=https://github.com/fluxcd/flux2-kustomize-helm-example \
-          --branch=main
+          --branch=main \
-          ./bin/flux create kustomization flux-system \
+          --recurse-submodules
          /tmp/flux create kustomization flux-system \
          --source=flux-system \
          --path=./clusters/staging
-          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=2m
+          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=5m
      - name: flux check
        run: |
-          ./bin/flux check
+          /tmp/flux check
      - name: flux uninstall
        run: |
-          ./bin/flux uninstall --crds --silent --timeout=10m
+          /tmp/flux uninstall --silent
      - name: Debug failure
        if: failure()
        run: |
          kubectl version --client --short
          kubectl -n flux-system get all
          kubectl -n flux-system describe pods
          kubectl -n flux-system get kustomizations -oyaml
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -1,25 +0,0 @@
 name: FOSSA
 on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.14.x"
      - name: Add GOPATH to GITHUB_ENV
        run: echo "GOPATH=$(go env GOPATH)" >>"$GITHUB_ENV"
      - name: Add GOPATH to GITHUB_PATH
        run: echo "$GOPATH/bin" >>"$GITHUB_PATH"
      - name: Run FOSSA scan and upload build data
        uses: fossa-contrib/fossa-action@v1
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
          github-token: ${{ github.token }}
--- a/.github/workflows/rebase.yaml
+++ b/.github/workflows/rebase.yaml
@@ -2,9 +2,9 @@ name: rebase
 on:
  pull_request:
-    types: [opened]
+    types: [ opened ]
  issue_comment:
-    types: [created]
+    types: [ created ]
 jobs:
  rebase:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,8 +2,7 @@ name: release
 on:
  push:
-    tags:
+    tags: [ 'v*' ]
      - '*'
 jobs:
  goreleaser:
@@ -16,7 +15,27 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.15.x
+          go-version: 1.16.x
      - name: Setup QEMU
        uses: docker/setup-qemu-action@v1
        with:
          platforms: all
      - name: Setup Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1
        with:
          buildkitd-flags: "--debug"
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
      - name: Download release notes utility
        env:
          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
@@ -29,39 +48,22 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
-      - name: Generate manifests tarball
+      - name: Generate manifests
        run: |
          mkdir -p ./output
          files=""
          # build controllers
          for controller in ./manifests/bases/*/; do
              output_path="./output/$(basename $controller).yaml"
              echo "building $controller to $output_path"
              kustomize build $controller > $output_path
              files+=" $(basename $output_path)"
          done
          # build rbac
          rbac_path="./manifests/rbac"
          rbac_output_path="./output/rbac.yaml"
          echo "building $rbac_path to $rbac_output_path"
          kustomize build $rbac_path > $rbac_output_path
          files+=" $(basename $rbac_output_path)"
          # build policies
          policies_path="./manifests/policies"
          policies_output_path="./output/policies.yaml"
          echo "building $policies_path to $policies_output_path"
          kustomize build $policies_path > $policies_output_path
          files+=" $(basename $policies_output_path)"
          # create tarball
          cd ./output && tar -cvzf manifests.tar.gz $files
      - name: Generate install manifest
        run: |
          make cmd/flux/manifests
          ./manifests/scripts/bundle.sh "" ./output manifests.tar.gz
          kustomize build ./manifests/install > ./output/install.yaml
      - name: Build CRDs
        run: |
          kustomize build manifests/crds > all-crds.yaml
      - name: Generate OpenAPI JSON schemas from CRDs
        uses: fluxcd/pkg//actions/crdjsonschema@main
        with:
          crd: all-crds.yaml
          output: schemas
      - name: Archive the OpenAPI JSON schemas
        run: |
          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v1
        with:
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -0,0 +1,60 @@
 name: Scan
 on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '18 10 * * 3'
 jobs:
  fossa:
    name: FOSSA
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run FOSSA scan and upload build data
        uses: fossa-contrib/fossa-action@v1
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
          github-token: ${{ github.token }}
  snyk:
    name: Snyk
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v2
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build manifests
        run: |
          make cmd/flux/manifests
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/golang@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: snyk.sarif
  codeql:
    name: CodeQL
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: go
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -0,0 +1,94 @@
 name: Update Components
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 * * * *"
  push:
    branches: [main]
 jobs:
  update-components:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v2
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.16.x
      - name: Update component versions
        id: update
        run: |
          PR_BODY=""
          bump_version() {
            local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
            local CTRL_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
            local CRD_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p" manifests/crds/kustomization.yaml)
            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "github.com/fluxcd/$1/api")
            local changed=false
            if [[ "${CTRL_VERSION}" != "${LATEST_VERSION}" ]]; then
              sed -i "s/\($1\/releases\/download\/\)v.*\(\/.*\)/\1${LATEST_VERSION}\2/g" "manifests/bases/$1/kustomization.yaml"
              changed=true
            fi
            if [[ "${CRD_VERSION}" != "${LATEST_VERSION}" ]]; then
              sed -i "s/\($1\/releases\/download\/\)v.*\(\/.*\)/\1${LATEST_VERSION}\2/g" "manifests/crds/kustomization.yaml"
              changed=true
            fi
            if [[ "${MOD_VERSION}" != "${LATEST_VERSION}" ]]; then
              go mod edit -require="github.com/fluxcd/$1/api@${LATEST_VERSION}"
              rm go.sum
              go mod tidy
              changed=true
            fi
            if [[ "$changed" == true ]]; then
              PR_BODY="$PR_BODY- $1 to ${LATEST_VERSION}%0A  https://github.com/fluxcd/$1/blob/${LATEST_VERSION}/CHANGELOG.md%0A"
            fi
          }
          {
            # bump controller versions
            bump_version helm-controller
            bump_version kustomize-controller
            bump_version source-controller
            bump_version notification-controller
            bump_version image-reflector-controller
            bump_version image-automation-controller
            # diff change
            git diff
            # export PR_BODY for PR and commit
            echo "::set-output name=pr_body::$PR_BODY"
          }
      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@v3
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
            Update toolkit components
            ${{ steps.update.outputs.pr_body }}
          committer: GitHub <noreply@github.com>
          author: fluxcdbot <fluxcdbot@users.noreply.github.com>
          signoff: true
          branch: update-components
          title: Update toolkit components
          body: |
            ${{ steps.update.outputs.pr_body }}
          labels: |
            area/build
          reviewers: ${{ secrets.ASSIGNEES }}
      - name: Check output
        run: |
          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -1,76 +0,0 @@
 name: Update Components
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 * * * *"
 jobs:
  update-components:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v2
      - name: Update component versions
        id: update
        run: |
          PR_BODY=""
          bump_version() {
            local RELEASE_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
            local CURRENT_VERSION=$(sed -n "s/.*$1\/archive\/\(.*\).zip.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
            if [[ "${RELEASE_VERSION}" != "${CURRENT_VERSION}" ]]; then
              # bump kustomize
              sed -i "s/\($1\/archive\/\)v.*\(.zip\/\/$1-\).*\(\/config.*\)/\1${RELEASE_VERSION}\2${RELEASE_VERSION/v}\3/g" "manifests/bases/$1/kustomization.yaml"
              if [[ ! -z $(go list -m all | grep "github.com/fluxcd/$1/api" | awk '{print $2}') ]]; then
                # bump go mod
                go mod edit -require="github.com/fluxcd/$1/api@${RELEASE_VERSION}"
              fi
              PR_BODY="$PR_BODY- $1 to ${RELEASE_VERSION}%0A"
            fi
          }
          {
            # bump controller versions
            bump_version helm-controller
            bump_version kustomize-controller
            bump_version source-controller
            bump_version notification-controller
            bump_version image-reflector-controller
            bump_version image-automation-controller
            # add missing and remove unused modules
            go mod tidy
            # diff change
            git diff
            # export PR_BODY for PR
            echo "::set-output name=pr_body::$PR_BODY"
          }
      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@v3
        with:
            token: ${{ secrets.BOT_GITHUB_TOKEN }}
            commit-message: Update toolkit components
            committer: GitHub <noreply@github.com>
            author: fluxcdbot <fluxcdbot@users.noreply.github.com>
            title: Update toolkit components
            body: |
              ${{ steps.update.outputs.pr_body }}
              Auto-generated by [create-pull-request][1]
              [1]: https://github.com/peter-evans/create-pull-request
            branch: update-components
            reviewers: ${{ secrets.ASSIGNEES }}
      - name: Check output
        run: |
          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
--- a/.gitignore
+++ b/.gitignore
@@ -11,7 +11,14 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 # Release
 dist/
 # Dependency directories (remove the comment below to include it)
 # vendor/
 bin/
-output/
+output/
 cmd/flux/manifests/
 # Docs
 site/
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,3 +1,4 @@
 project_name: flux
 builds:
  - <<: &build_defaults
      binary: flux
@@ -19,6 +20,9 @@ builds:
    id: darwin
    goos:
      - darwin
    goarch:
      - amd64
      - arm64
  - <<: *build_defaults
    id: windows
    goos:
@@ -43,7 +47,7 @@ brews:
      name: homebrew-tap
      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
    folder: Formula
-    homepage: "https://toolkit.fluxcd.io/"
+    homepage: "https://fluxcd.io/"
    description: "Flux CLI"
    dependencies:
      - name: kubectl
@@ -68,5 +72,67 @@ publishers:
      .github/aur/flux-go/publish.sh {{ .Version }}
 release:
  extra_files:
    - glob: ./output/crd-schemas.tar.gz
    - glob: ./output/manifests.tar.gz
    - glob: ./output/install.yaml
 dockers:
 - image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-amd64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
  dockerfile: Dockerfile
  use_buildx: true
  goos: linux
  goarch: amd64
  build_flag_templates:
   - "--pull"
   - "--build-arg=ARCH=linux/amd64"
   - "--label=org.opencontainers.image.created={{ .Date }}"
   - "--label=org.opencontainers.image.name={{ .ProjectName }}"
   - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
   - "--label=org.opencontainers.image.version={{ .Version }}"
   - "--label=org.opencontainers.image.source={{ .GitURL }}"
   - "--platform=linux/amd64"
 - image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-arm64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
  dockerfile: Dockerfile
  use_buildx: true
  goos: linux
  goarch: arm64
  build_flag_templates:
    - "--pull"
    - "--build-arg=ARCH=linux/arm64"
    - "--label=org.opencontainers.image.created={{ .Date }}"
    - "--label=org.opencontainers.image.name={{ .ProjectName }}"
    - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
    - "--label=org.opencontainers.image.version={{ .Version }}"
    - "--label=org.opencontainers.image.source={{ .GitURL }}"
    - "--platform=linux/arm64"
 - image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-arm'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
  dockerfile: Dockerfile
  use_buildx: true
  goos: linux
  goarch: arm
  goarm: 7
  build_flag_templates:
    - "--pull"
    - "--build-arg=ARCH=linux/arm"
    - "--label=org.opencontainers.image.created={{ .Date }}"
    - "--label=org.opencontainers.image.name={{ .ProjectName }}"
    - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
    - "--label=org.opencontainers.image.version={{ .Version }}"
    - "--label=org.opencontainers.image.source={{ .GitURL }}"
    - "--platform=linux/arm/v7"
 docker_manifests:
 - name_template: 'fluxcd/flux-cli:{{ .Tag }}'
  image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-amd64'
    - 'fluxcd/flux-cli:{{ .Tag }}-arm64'
    - 'fluxcd/flux-cli:{{ .Tag }}-arm'
 - name_template: 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}'
  image_templates:
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,7 +1,6 @@
 # Contributing
-Flux is [Apache 2.0
+Flux is [Apache 2.0 licensed](https://github.com/fluxcd/flux2/blob/main/LICENSE) and
 licensed](https://github.com/fluxcd/flux2/blob/main/LICENSE) and
 accepts contributions via GitHub pull requests. This document outlines
 some of the conventions on to make it easier to get your contribution
 accepted.
@@ -14,9 +13,18 @@ code.
 By contributing to this project you agree to the Developer Certificate of
 Origin (DCO). This document was created by the Linux Kernel community and is a
 simple statement that you, as a contributor, have the legal right to make the
-contribution. No action from you is required, but it's a good idea to see the
+contribution.
-[DCO](DCO) file for details before you start contributing code to FluxCD
+
-organization.
+We require all commits to be signed. By signing off with your signature, you
 certify that you wrote the patch or otherwise have the right to contribute the
 material by the rules of the [DCO](DCO):
 `Signed-off-by: Jane Doe <jane.doe@example.com>`
 The signature must contain your real name
 (sorry, no pseudonyms or anonymous contributions)
 If your `user.name` and `user.email` are configured in your Git config,
 you can sign your commit automatically with `git commit -s`.
 ## Communications
@@ -40,27 +48,45 @@ you might want to take a look at the [introductory talk and demo](https://www.yo
 This project is composed of:
- [/f/flux2](https://github.com/fluxcd/flux2): The Flux CLI
+- [flux2](https://github.com/fluxcd/flux2): The Flux CLI
- [/f/source-manager](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources
+- [source-manager](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git and Helm repositories, S3-compatible Buckets)
- [/f/kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
+- [kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
- [/f/helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for building GitOps pipelines with Helm
+- [helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for building GitOps pipelines with Helm
- [/f/notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events
+- [notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events
 - [image-reflector-controller](https://github.com/fluxcd/image-reflector-controller): Kubernetes operator for scanning container registries
 - [image-automation-controller](https://github.com/fluxcd/image-automation-controller): Kubernetes operator for patches container image tags in Git
 ### Understanding the code
 To get started with developing controllers, you might want to review
-[our guide](https://toolkit.fluxcd.io/dev-guides/source-watcher/) which
+[our guide](https://fluxcd.io/docs/gitops-toolkit/source-watcher/) which
 walks you through writing a short and concise controller that watches out
 for source changes.
 ### How to run the test suite
 Prerequisites:
 * go >= 1.16
 * kubectl >= 1.18
 * kustomize >= 3.1
 You can run the unit tests by simply doing
 ```bash
 make test
 ```
 The e2e test suite uses [kind](https://kind.sigs.k8s.io/) for running kubernetes cluster inside docker containers. You can run the e2e tests by simply doing
 ```bash
 make setup-kind
 make e2e
 # When done
 make cleanup-kind
 ```
 ## Acceptance policy
 These things will make a PR more likely to be accepted:
--- a/23
+++ b/23
@@ -0,0 +1,23 @@
 FROM alpine:3.13 as builder
 RUN apk add --no-cache ca-certificates curl
 ARG ARCH=linux/amd64
 ARG KUBECTL_VER=1.20.4
 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
    kubectl version --client=true
 FROM alpine:3.13 as flux-cli
 # Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
 # https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
 RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
 RUN apk add --no-cache ca-certificates
 COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/
 COPY --chmod=755 flux /usr/local/bin/
 ENTRYPOINT [ "flux" ]
--- a/60
+++ b/60
@@ -1,4 +1,17 @@
 VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | tr -d '"')
 EMBEDDED_MANIFESTS_TARGET=cmd/flux/manifests
 TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
 ENVTEST_BIN_VERSION?=latest
 KUBEBUILDER_ASSETS?="$(shell $(SETUP_ENVTEST) use -i $(ENVTEST_BIN_VERSION) -p path)"
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
 else
 GOBIN=$(shell go env GOBIN)
 endif
 rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2)) $(filter $(subst *,%,$(2)),$(d)))
 all: test build
@@ -11,19 +24,50 @@ fmt:
 vet:
 	go vet ./...
-test: tidy fmt vet docs
+setup-kind:
-	go test ./... -coverprofile cover.out
+	kind create cluster --name=flux-e2e-test --kubeconfig=$(TEST_KUBECONFIG) --config=.github/kind/config.yaml
 	kubectl --kubeconfig=$(TEST_KUBECONFIG) apply -f https://docs.projectcalico.org/v3.16/manifests/calico.yaml
 	kubectl --kubeconfig=$(TEST_KUBECONFIG) -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
-build:
+cleanup-kind:
 	kind delete cluster --name=flux-e2e-test
 	rm $(TEST_KUBECONFIG)
 test: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet setup-envtest
 	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test ./... -coverprofile cover.out --tags=unit
 e2e: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet
 	TEST_KUBECONFIG=$(TEST_KUBECONFIG) go test ./cmd/flux/... -coverprofile e2e.cover.out --tags=e2e -v -failfast
 test-with-kind: setup-envtest
 	make setup-kind
 	make e2e
 	make cleanup-kind
 $(EMBEDDED_MANIFESTS_TARGET): $(call rwildcard,manifests/,*.yaml *.json)
 	./manifests/scripts/bundle.sh
 build: $(EMBEDDED_MANIFESTS_TARGET)
 	CGO_ENABLED=0 go build -o ./bin/flux ./cmd/flux
 install:
 	go install cmd/flux
 .PHONY: docs
 docs:
 	rm docs/cmd/*
 	mkdir -p ./docs/cmd && go run ./cmd/flux/ docgen
 install-dev:
 	CGO_ENABLED=0 go build -o /usr/local/bin ./cmd/flux
 # Find or download setup-envtest
 setup-envtest:
 ifeq (, $(shell which setup-envtest))
 	@{ \
 	set -e ;\
 	SETUP_ENVTEST_TMP_DIR=$$(mktemp -d) ;\
 	cd $$SETUP_ENVTEST_TMP_DIR ;\
 	go mod init tmp ;\
 	go get sigs.k8s.io/controller-runtime/tools/setup-envtest@latest ;\
 	rm -rf $$SETUP_ENVTEST_TMP_DIR ;\
 	}
 SETUP_ENVTEST=$(GOBIN)/setup-envtest
 else
 SETUP_ENVTEST=$(shell which setup-envtest)
 endif
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 # Flux version 2
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
 [![e2e](https://github.com/fluxcd/flux2/workflows/e2e/badge.svg)](https://github.com/fluxcd/flux2/actions)
 [![report](https://goreportcard.com/badge/github.com/fluxcd/flux2)](https://goreportcard.com/report/github.com/fluxcd/flux2)
 [![license](https://img.shields.io/github/license/fluxcd/flux2.svg)](https://github.com/fluxcd/flux2/blob/main/LICENSE)
@@ -21,16 +22,22 @@ Delivery on top of Kubernetes.
 ## Flux installation
-With Homebrew:
+With [Homebrew](https://brew.sh) for macOS and Linux:
 ```sh
 brew install fluxcd/tap/flux
 ```
-With Bash:
+With [GoFish](https://gofi.sh) for Windows, macOS and Linux:
 ```sh
-curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
+gofish install flux
 ```
 With Bash for macOS and Linux:
 ```sh
 curl -s https://fluxcd.io/install.sh | sudo bash
 # enable completions in ~/.bash_profile
 . <(flux completion bash)
@@ -45,8 +52,13 @@ Arch Linux (AUR) packages:
 - [flux-scm](https://aur.archlinux.org/packages/flux-scm): build the latest
  (unstable) version from source code from our git `main` branch
-Binaries for macOS, Windows and Linux AMD64/ARM are available to download on the
+Binaries for macOS AMD64/ARM64, Linux AMD64/ARM/ARM64 and Windows are available to
-[release page](https://github.com/fluxcd/flux2/releases).
+download on the [release page](https://github.com/fluxcd/flux2/releases).
 A multi-arch container image with `kubectl` and `flux` is available on Docker Hub and GitHub:
 * `docker.io/fluxcd/flux-cli:<version>`
 * `ghcr.io/fluxcd/flux-cli:<version>`
 Verify that your cluster satisfies the prerequisites with:
@@ -57,14 +69,15 @@ flux check --pre
 ## Get started
 To get started with Flux, start [browsing the
-documentation](https://toolkit.fluxcd.io) or get started with one of
+documentation](https://fluxcd.io/docs/) or get started with one of
 the following guides:
- [Get started with Flux (deep dive)](https://toolkit.fluxcd.io/get-started/)
+- [Get started with Flux](https://fluxcd.io/docs/get-started/)
- [Installation](https://toolkit.fluxcd.io/guides/installation/)
+- [Manage Helm Releases](https://fluxcd.io/docs/guides/helmreleases/)
- [Manage Helm Releases](https://toolkit.fluxcd.io/guides/helmreleases/)
+- [Automate image updates to Git](https://fluxcd.io/docs/guides/image-update/)  
- [Setup Notifications](https://toolkit.fluxcd.io/guides/notifications/)
+- [Manage Kubernetes secrets with Mozilla SOPS](https://fluxcd.io/docs/guides/mozilla-sops/)  
- [Setup Webhook Receivers](https://toolkit.fluxcd.io/guides/webhook-receivers/)
+
 If you need help, please refer to our **[Support page](https://fluxcd.io/support/)**.
 ## GitOps Toolkit
@@ -73,52 +86,56 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.
-![overview](docs/diagrams/gitops-toolkit.png)
+![overview](docs/_files/gitops-toolkit.png)
 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
-guides](https://toolkit.fluxcd.io/dev-guides/source-watcher/).
+guides](https://fluxcd.io/docs/gitops-toolkit/source-watcher/).
 ### Components
- [Source Controller](https://toolkit.fluxcd.io/components/source/controller/)
+- [Source Controller](https://fluxcd.io/docs/components/source/)
-    - [GitRepository CRD](https://toolkit.fluxcd.io/components/source/gitrepositories/)
+    - [GitRepository CRD](https://fluxcd.io/docs/components/source/gitrepositories/)
-    - [HelmRepository CRD](https://toolkit.fluxcd.io/components/source/helmrepositories/)
+    - [HelmRepository CRD](https://fluxcd.io/docs/components/source/helmrepositories/)
-    - [HelmChart CRD](https://toolkit.fluxcd.io/components/source/helmcharts/)
+    - [HelmChart CRD](https://fluxcd.io/docs/components/source/helmcharts/)
-    - [Bucket CRD](https://toolkit.fluxcd.io/components/source/buckets/)
+    - [Bucket CRD](https://fluxcd.io/docs/components/source/buckets/)
- [Kustomize Controller](https://toolkit.fluxcd.io/components/kustomize/controller/)
+- [Kustomize Controller](https://fluxcd.io/docs/components/kustomize/)
-    - [Kustomization CRD](https://toolkit.fluxcd.io/components/kustomize/kustomization/)
+    - [Kustomization CRD](https://fluxcd.io/docs/components/kustomize/kustomization/)
- [Helm Controller](https://toolkit.fluxcd.io/components/helm/controller/)
+- [Helm Controller](https://fluxcd.io/docs/components/helm/)
-    - [HelmRelease CRD](https://toolkit.fluxcd.io/components/helm/helmreleases/)
+    - [HelmRelease CRD](https://fluxcd.io/docs/components/helm/helmreleases/)
- [Notification Controller](https://toolkit.fluxcd.io/components/notification/controller/)
+- [Notification Controller](https://fluxcd.io/docs/components/notification/)
-    - [Provider CRD](https://toolkit.fluxcd.io/components/notification/provider/)
+    - [Provider CRD](https://fluxcd.io/docs/components/notification/provider/)
-    - [Alert CRD](https://toolkit.fluxcd.io/components/notification/alert/)
+    - [Alert CRD](https://fluxcd.io/docs/components/notification/alert/)
-    - [Receiver CRD](https://toolkit.fluxcd.io/components/notification/receiver/)
+    - [Receiver CRD](https://fluxcd.io/docs/components/notification/receiver/)
-
+- [Image Automation Controllers](https://fluxcd.io/docs/components/image/)
  - [ImageRepository CRD](https://fluxcd.io/docs/components/image/imagerepositories/)
  - [ImagePolicy CRD](https://fluxcd.io/docs/components/image/imagepolicies/)
  - [ImageUpdateAutomation CRD](https://fluxcd.io/docs/components/image/imageupdateautomations/)
 ## Community
-The Flux project is always looking for new contributors and there are a multitude of ways to get involved.
+Need help or want to contribute? Please see the links below. The Flux project is always looking for
-Depending on what you want to do, some of the following bits might be your first steps:
+new contributors and there are a multitude of ways to get involved.
- Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view))
+- Getting Started?
- Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/)
+    - Look at our [Get Started guide](https://fluxcd.io/docs/get-started/) and give us feedback
- Join the [planning discussions](https://github.com/fluxcd/flux2/discussions)
+- Need help?
- And if you are completely new to Flux and the GitOps Toolkit, take a look at our [Get Started guide](https://toolkit.fluxcd.io/get-started/) and give us feedback
+    - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
- To be part of the conversation about Flux's development, [join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
+    - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/)
- Check out [how to contribute](CONTRIBUTING.md) to the project
+    - Please follow our [Support Guidelines](https://fluxcd.io/support/)
      (in short: be nice, be respectful of volunteers' time, understand that maintainers and
      contributors cannot respond to all DMs, and keep discussions in the public #flux channel as much as possible).
 - Have feature proposals or want to contribute?
    - Propose features on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
    - Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view))
    - [Join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
    - Check out [how to contribute](CONTRIBUTING.md) to the project
-### Upcoming Events
+### Events
 - 11 Jan 2021 - [Helm + GitOps = ⚡️⚡️⚡️ with Scott Rigby](https://www.meetup.com/GitOps-Community/events/275348736/)
-### Featured Talks
+Check out our **[events calendar](https://fluxcd.io/#calendar)**,
- 14 Dec 2020 - [The Power of GitOps with Flux and Flagger (GitOps Hands-On) with Leigh Capili](https://youtu.be/cB7iXeNLteE)
+both with upcoming talks, events and meetings you can attend.
- 30 Nov 2020 - [The Power of GitOps with Flux 2 - Part 3 with Leigh Capili](https://youtu.be/N_K5g7o9JKg)
+Or view the **[resources section](https://fluxcd.io/resources)**
- 24 Nov 2020 - [Flux CD v2 with GitOps Toolkit - Kubernetes Deployment and Sync Mechanism](https://youtu.be/R6OeIgb7lUI)
+with past events videos you can watch.
 - 02 Nov 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 2 with Leigh Capili](https://youtu.be/fC2YCxQRUwU)
 - 28 Oct 2020 - [The Kubelist Podcast: Flux with Michael Bridgen](https://www.heavybit.com/library/podcasts/the-kubelist-podcast/ep-5-flux-with-michael-bridgen-of-weaveworks/)
 - 19 Oct 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 1 with Leigh Capili](https://youtu.be/0v5bjysXTL8)
 - 12 Oct 2020 - [Rawkode Live: Introduction to GitOps Toolkit with Stefan Prodan](https://youtu.be/HqTzuOBP0eY)
 - 04 Sep 2020 - [KubeCon Europe: The road to Flux v2 and Progressive Delivery with Stefan Prodan & Hidde Beydals](https://youtu.be/8v94nUkXsxU)
 - 25 Jun 2020 - [Cloud Native Nordics: Introduction to GitOps & GitOps Toolkit with Alexis Richardson & Stefan Prodan](https://youtu.be/qQBtSkgl7tI)
 We look forward to seeing you with us!
--- a/action/Dockerfile
+++ b/action/Dockerfile
@@ -1,6 +0,0 @@
 FROM stefanprodan/alpine-base:latest
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
--- a/action/README.md
+++ b/action/README.md
@@ -10,19 +10,34 @@ Usage:
        run: flux -v
 ```
-This action places the `flux` binary inside your repository root under `bin/flux`.
+The latest stable version of the `flux` binary is downloaded from
-You should add `bin/flux` to your `.gitignore` file, as in the following example:
+GitHub [releases](https://github.com/fluxcd/flux2/releases)
 and placed at `/usr/local/bin/flux`.
-```gitignore
+Note that this action can only be used on GitHub **Linux** runners.
-# ignore flux binary
+You can change the arch (defaults to `amd64`) with:
-bin/flux
+
 ```yaml
    steps:
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
        with:
          arch: arm64 # can be amd64, arm64 or arm
 ```
-Note that this action can only be used on GitHub **Linux AMD64** runners.
+You can download a specific version with:
 ```yaml
    steps:
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
        with:
          version: 0.8.0
 ```
 ### Automate Flux updates
-Example workflow for updating Flux's components generated with `flux bootstrap --arch=amd64 --path=clusters/production`:
+Example workflow for updating Flux's components generated with `flux bootstrap --path=clusters/production`:
 ```yaml
 name: update-flux
@@ -43,7 +58,7 @@ jobs:
      - name: Check for updates
        id: update
        run: |
-          flux install --arch=amd64 \
+          flux install \
            --export > ./clusters/production/flux-system/gotk-components.yaml
          VERSION="$(flux -v)"
--- a/action/action.yml
+++ b/action/action.yml
@@ -1,15 +1,43 @@
-name: 'kustomize'
+name: Setup Flux CLI
-description: 'A GitHub Action for running Flux commands'
+description: A GitHub Action for running Flux commands
-author: 'Flux project'
+author: Stefan Prodan
 branding:
-  icon: 'command'
+  color: blue
-  color: 'blue'
+  icon: command
 inputs:
  version:
-    description: 'strict semver'
+    description: "Flux version e.g. 0.8.0 (defaults to latest stable release)"
    required: false
  arch:
    description: "arch can be amd64, arm64 or arm"
    required: true
    default: "amd64"
 runs:
-  using: 'docker'
+  using: composite
-  image: 'Dockerfile'
+  steps:
-  args:
+    - name: "Download flux binary to tmp"
-    - ${{ inputs.version }}
+      shell: bash
      run: |
        ARCH=${{ inputs.arch }}
        VERSION=${{ inputs.version }}
        if [ -z $VERSION ]; then
          VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
        fi
        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
        curl -sL ${BIN_URL} -o /tmp/flux.tar.gz
        mkdir -p /tmp/flux
        tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
    - name: "Add flux binary to /usr/local/bin"
      shell: bash
      run: |
        sudo cp /tmp/flux/flux /usr/local/bin
    - name: "Cleanup tmp"
      shell: bash
      run: |
        rm -rf /tmp/flux/ /tmp/flux.tar.gz
    - name: "Verify correct installation of binary"
      shell: bash
      run: |
        flux -v
--- a/action/entrypoint.sh
+++ b/action/entrypoint.sh
@@ -1,40 +0,0 @@
 #!/bin/bash
 #  Copyright 2020 The Flux authors
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
 #  You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 #  Unless required by applicable law or agreed to in writing, software
 #  distributed under the License is distributed on an "AS IS" BASIS,
 #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
 set -e
 VERSION=$1
 if [ -z $VERSION ]; then
  # Find latest release if no version is specified
  VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
 fi
 # Download linux binary
 BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz"
 curl -sL $BIN_URL | tar xz
 # Copy binary to GitHub runner
 mkdir -p $GITHUB_WORKSPACE/bin
 mv ./flux $GITHUB_WORKSPACE/bin
 chmod +x $GITHUB_WORKSPACE/bin/flux
 # Print version
 $GITHUB_WORKSPACE/bin/flux -v
 # Add binary to GitHub runner path
 echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
 echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH
--- a/cmd/flux/alert.go
+++ b/cmd/flux/alert.go
@@ -0,0 +1,56 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
 // notificationv1.Alert
 var alertType = apiType{
 	kind:      notificationv1.AlertKind,
 	humanKind: "alert",
 }
 type alertAdapter struct {
 	*notificationv1.Alert
 }
 func (a alertAdapter) asClientObject() client.Object {
 	return a.Alert
 }
 func (a alertAdapter) deepCopyClientObject() client.Object {
 	return a.Alert.DeepCopy()
 }
 // notificationv1.Alert
 type alertListAdapter struct {
 	*notificationv1.AlertList
 }
 func (a alertListAdapter) asClientList() client.ObjectList {
 	return a.AlertList
 }
 func (a alertListAdapter) len() int {
 	return len(a.AlertList.Items)
 }
--- a/cmd/flux/alert_provider.go
+++ b/cmd/flux/alert_provider.go
@@ -0,0 +1,56 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
 // notificationv1.Provider
 var alertProviderType = apiType{
 	kind:      notificationv1.ProviderKind,
 	humanKind: "alert provider",
 }
 type alertProviderAdapter struct {
 	*notificationv1.Provider
 }
 func (a alertProviderAdapter) asClientObject() client.Object {
 	return a.Provider
 }
 func (a alertProviderAdapter) deepCopyClientObject() client.Object {
 	return a.Provider.DeepCopy()
 }
 // notificationv1.Provider
 type alertProviderListAdapter struct {
 	*notificationv1.ProviderList
 }
 func (a alertProviderListAdapter) asClientList() client.ObjectList {
 	return a.ProviderList
 }
 func (a alertProviderListAdapter) len() int {
 	return len(a.ProviderList.Items)
 }
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -17,26 +17,15 @@ limitations under the License.
 package main
 import (
-	"context"
+	"crypto/elliptic"
 	"fmt"
-	"net/url"
+	"os"
 	"path/filepath"
 	"time"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 var bootstrapCmd = &cobra.Command{
@@ -45,61 +34,130 @@ var bootstrapCmd = &cobra.Command{
 	Long:  "The bootstrap sub-commands bootstrap the toolkit components on the targeted Git provider.",
 }
-var (
+type bootstrapFlags struct {
-	bootstrapVersion            string
+	version  string
-	bootstrapDefaultComponents  []string
+	arch     flags.Arch
-	bootstrapExtraComponents    []string
+	logLevel flags.LogLevel
-	bootstrapRegistry           string
+
-	bootstrapImagePullSecret    string
+	branch            string
-	bootstrapBranch             string
+	recurseSubmodules bool
-	bootstrapWatchAllNamespaces bool
+	manifestsPath     string
-	bootstrapNetworkPolicy      bool
+
-	bootstrapManifestsPath      string
+	defaultComponents  []string
-	bootstrapArch               = flags.Arch(defaults.Arch)
+	extraComponents    []string
-	bootstrapLogLevel           = flags.LogLevel(defaults.LogLevel)
+	requiredComponents []string
-	bootstrapRequiredComponents = []string{"source-controller", "kustomize-controller"}
+
-	bootstrapTokenAuth          bool
+	registry        string
-	bootstrapClusterDomain      string
+	imagePullSecret string
-)
+
 	secretName     string
 	tokenAuth      bool
 	keyAlgorithm   flags.PublicKeyAlgorithm
 	keyRSABits     flags.RSAKeyBits
 	keyECDSACurve  flags.ECDSACurve
 	sshHostname    string
 	caFile         string
 	privateKeyFile string
 	watchAllNamespaces bool
 	networkPolicy      bool
 	clusterDomain      string
 	tolerationKeys     []string
 	authorName  string
 	authorEmail string
 	commitMessageAppendix string
 }
 const (
 	bootstrapDefaultBranch = "main"
 )
 var bootstrapArgs = NewBootstrapFlags()
 func init() {
-	bootstrapCmd.PersistentFlags().StringVarP(&bootstrapVersion, "version", "v", defaults.Version,
+	bootstrapCmd.PersistentFlags().StringVarP(&bootstrapArgs.version, "version", "v", "",
-		"toolkit version")
+		"toolkit version, when specified the manifests are downloaded from https://github.com/fluxcd/flux2/releases")
-	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapDefaultComponents, "components", defaults.Components,
+
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
-	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapExtraComponents, "components-extra", nil,
+	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.extraComponents, "components-extra", nil,
 		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapRegistry, "registry", "ghcr.io/fluxcd",
+
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
 		"container registry where the toolkit images are published")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapImagePullSecret, "image-pull-secret", "",
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.imagePullSecret, "image-pull-secret", "",
 		"Kubernetes secret name used for pulling the toolkit images from a private registry")
-	bootstrapCmd.PersistentFlags().Var(&bootstrapArch, "arch", bootstrapArch.Description())
+
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapBranch, "branch", bootstrapDefaultBranch,
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.branch, "branch", bootstrapDefaultBranch, "Git branch")
-		"default branch (for GitHub this must match the default branch setting for the organization)")
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.recurseSubmodules, "recurse-submodules", false,
-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapWatchAllNamespaces, "watch-all-namespaces", true,
+		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.manifestsPath, "manifests", "", "path to the manifest directory")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.watchAllNamespaces, "watch-all-namespaces", true,
 		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed")
-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapNetworkPolicy, "network-policy", true,
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.networkPolicy, "network-policy", true,
 		"deny ingress access to the toolkit controllers from other namespaces using network policies")
-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapTokenAuth, "token-auth", false,
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.tokenAuth, "token-auth", false,
 		"when enabled, the personal access token will be used instead of SSH deploy key")
-	bootstrapCmd.PersistentFlags().Var(&bootstrapLogLevel, "log-level", bootstrapLogLevel.Description())
+	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.logLevel, "log-level", bootstrapArgs.logLevel.Description())
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapManifestsPath, "manifests", "", "path to the manifest directory")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.clusterDomain, "cluster-domain", rootArgs.defaults.ClusterDomain, "internal cluster domain")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapClusterDomain, "cluster-domain", defaults.ClusterDomain, "internal cluster domain")
+	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.tolerationKeys, "toleration-keys", nil,
 		"list of toleration keys used to schedule the components pods onto nodes with matching taints")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.secretName, "secret-name", rootArgs.defaults.Namespace, "name of the secret the sync credentials can be found in or stored to")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyAlgorithm, "ssh-key-algorithm", bootstrapArgs.keyAlgorithm.Description())
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyRSABits, "ssh-rsa-bits", bootstrapArgs.keyRSABits.Description())
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyECDSACurve, "ssh-ecdsa-curve", bootstrapArgs.keyECDSACurve.Description())
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.sshHostname, "ssh-hostname", "", "SSH hostname, to be used when the SSH host differs from the HTTPS one")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.privateKeyFile, "private-key-file", "", "path to a private key file used for authenticating to the Git SSH server")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.authorName, "author-name", "Flux", "author name for Git commits")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.authorEmail, "author-email", "", "author email for Git commits")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.commitMessageAppendix, "commit-message-appendix", "", "string to add to the commit messages, e.g. '[ci skip]'")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.arch, "arch", bootstrapArgs.arch.Description())
 	bootstrapCmd.PersistentFlags().MarkDeprecated("arch", "multi-arch container image is now available for AMD64, ARMv7 and ARM64")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")
 	rootCmd.AddCommand(bootstrapCmd)
 }
 func NewBootstrapFlags() bootstrapFlags {
 	return bootstrapFlags{
 		logLevel:           flags.LogLevel(rootArgs.defaults.LogLevel),
 		requiredComponents: []string{"source-controller", "kustomize-controller"},
 		keyAlgorithm:       flags.PublicKeyAlgorithm(sourcesecret.RSAPrivateKeyAlgorithm),
 		keyRSABits:         2048,
 		keyECDSACurve:      flags.ECDSACurve{Curve: elliptic.P384()},
 	}
 }
 func bootstrapComponents() []string {
-	return append(bootstrapDefaultComponents, bootstrapExtraComponents...)
+	return append(bootstrapArgs.defaultComponents, bootstrapArgs.extraComponents...)
 }
 func buildEmbeddedManifestBase() (string, error) {
 	if !isEmbeddedVersion(bootstrapArgs.version) {
 		return "", nil
 	}
 	tmpBaseDir, err := os.MkdirTemp("", "flux-manifests-")
 	if err != nil {
 		return "", err
 	}
 	if err := writeEmbeddedManifests(tmpBaseDir); err != nil {
 		return "", err
 	}
 	return tmpBaseDir, nil
 }
 func bootstrapValidate() error {
 	components := bootstrapComponents()
-	for _, component := range bootstrapRequiredComponents {
+	for _, component := range bootstrapArgs.requiredComponents {
 		if !utils.ContainsItemString(components, component) {
 			return fmt.Errorf("component %s is required", component)
 		}
@@ -112,157 +170,10 @@ func bootstrapValidate() error {
 	return nil
 }
-func generateInstallManifests(targetPath, namespace, tmpDir string, localManifests string) (string, error) {
+func mapTeamSlice(s []string, defaultPermission string) map[string]string {
-	opts := install.Options{
+	m := make(map[string]string, len(s))
-		BaseURL:                localManifests,
+	for _, v := range s {
-		Version:                bootstrapVersion,
+		m[v] = defaultPermission
 		Namespace:              namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapRegistry,
 		ImagePullSecret:        bootstrapImagePullSecret,
 		Arch:                   bootstrapArch.String(),
 		WatchAllNamespaces:     bootstrapWatchAllNamespaces,
 		NetworkPolicy:          bootstrapNetworkPolicy,
 		LogLevel:               bootstrapLogLevel.String(),
 		NotificationController: defaults.NotificationController,
 		ManifestFile:           defaults.ManifestFile,
 		Timeout:                timeout,
 		TargetPath:             targetPath,
 		ClusterDomain:          bootstrapClusterDomain,
 	}
-
+	return m
 	if localManifests == "" {
 		opts.BaseURL = defaults.BaseURL
 	}
 	output, err := install.Generate(opts)
 	if err != nil {
 		return "", fmt.Errorf("generating install manifests failed: %w", err)
 	}
 	filePath, err := output.WriteFile(tmpDir)
 	if err != nil {
 		return "", fmt.Errorf("generating install manifests failed: %w", err)
 	}
 	return filePath, nil
 }
 func applyInstallManifests(ctx context.Context, manifestPath string, components []string) error {
 	kubectlArgs := []string{"apply", "-f", manifestPath}
 	if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 		return fmt.Errorf("install failed")
 	}
 	for _, deployment := range components {
 		kubectlArgs = []string{"-n", namespace, "rollout", "status", "deployment", deployment, "--timeout", timeout.String()}
 		if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 			return fmt.Errorf("install failed")
 		}
 	}
 	return nil
 }
 func generateSyncManifests(url, branch, name, namespace, targetPath, tmpDir string, interval time.Duration) (string, error) {
 	opts := sync.Options{
 		Name:         name,
 		Namespace:    namespace,
 		URL:          url,
 		Branch:       branch,
 		Interval:     interval,
 		TargetPath:   targetPath,
 		ManifestFile: sync.MakeDefaultOptions().ManifestFile,
 	}
 	manifest, err := sync.Generate(opts)
 	if err != nil {
 		return "", fmt.Errorf("generating install manifests failed: %w", err)
 	}
 	output, err := manifest.WriteFile(tmpDir)
 	if err != nil {
 		return "", err
 	}
 	outputDir := filepath.Dir(output)
 	if err := utils.GenerateKustomizationYaml(outputDir); err != nil {
 		return "", err
 	}
 	return outputDir, nil
 }
 func applySyncManifests(ctx context.Context, kubeClient client.Client, name, namespace, manifestsPath string) error {
 	kubectlArgs := []string{"apply", "-k", manifestsPath}
 	if _, err := utils.ExecKubectlCommand(ctx, utils.ModeStderrOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for cluster sync")
 	var gitRepository sourcev1.GitRepository
 	if err := wait.PollImmediate(pollInterval, timeout,
 		isGitRepositoryReady(ctx, kubeClient, types.NamespacedName{Name: name, Namespace: namespace}, &gitRepository)); err != nil {
 		return err
 	}
 	var kustomization kustomizev1.Kustomization
 	if err := wait.PollImmediate(pollInterval, timeout,
 		isKustomizationReady(ctx, kubeClient, types.NamespacedName{Name: name, Namespace: namespace}, &kustomization)); err != nil {
 		return err
 	}
 	return nil
 }
 func shouldInstallManifests(ctx context.Context, kubeClient client.Client, namespace string) bool {
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      namespace,
 	}
 	var kustomization kustomizev1.Kustomization
 	if err := kubeClient.Get(ctx, namespacedName, &kustomization); err != nil {
 		return true
 	}
 	return kustomization.Status.LastAppliedRevision == ""
 }
 func shouldCreateDeployKey(ctx context.Context, kubeClient client.Client, namespace string) bool {
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      namespace,
 	}
 	var existing corev1.Secret
 	if err := kubeClient.Get(ctx, namespacedName, &existing); err != nil {
 		return true
 	}
 	return false
 }
 func generateDeployKey(ctx context.Context, kubeClient client.Client, url *url.URL, namespace string) (string, error) {
 	pair, err := generateKeyPair(ctx)
 	if err != nil {
 		return "", err
 	}
 	hostKey, err := scanHostKey(ctx, url)
 	if err != nil {
 		return "", err
 	}
 	secret := corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      namespace,
 			Namespace: namespace,
 		},
 		StringData: map[string]string{
 			"identity":     string(pair.PrivateKey),
 			"identity.pub": string(pair.PublicKey),
 			"known_hosts":  string(hostKey),
 		},
 	}
 	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 		return "", err
 	}
 	return string(pair.PublicKey), nil
 }
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -0,0 +1,263 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"net/url"
 	"os"
 	"strings"
 	"time"
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 var bootstrapGitCmd = &cobra.Command{
 	Use:   "git",
 	Short: "Bootstrap toolkit components in a Git repository",
 	Long: `The bootstrap git command commits the toolkit components manifests to the
 branch of a Git repository. It then configures the target cluster to synchronize with
 the repository. If the toolkit components are present on the cluster, the bootstrap
 command will perform an upgrade if needed.`,
 	Example: `  # Run bootstrap for a Git repository and authenticate with your SSH agent
  flux bootstrap git --url=ssh://git@example.com/repository.git
  # Run bootstrap for a Git repository and authenticate using a password
  flux bootstrap git --url=https://example.com/repository.git --password=<password>
  # Run bootstrap for a Git repository with a passwordless private key
  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key>
  # Run bootstrap for a Git repository with a private key and password
  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --password=<password>
 `,
 	RunE: bootstrapGitCmdRun,
 }
 type gitFlags struct {
 	url      string
 	interval time.Duration
 	path     flags.SafeRelativePath
 	username string
 	password string
 	silent   bool
 }
 var gitArgs gitFlags
 func init() {
 	bootstrapGitCmd.Flags().StringVar(&gitArgs.url, "url", "", "Git repository URL")
 	bootstrapGitCmd.Flags().DurationVar(&gitArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapGitCmd.Flags().Var(&gitArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
 	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	bootstrapCmd.AddCommand(bootstrapGitCmd)
 }
 func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
 	repositoryURL, err := url.Parse(gitArgs.url)
 	if err != nil {
 		return err
 	}
 	gitAuth, err := transportForURL(repositoryURL)
 	if err != nil {
 		return err
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err == nil {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
 	// Lazy go-git repository
 	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	gitClient := gogit.New(tmpDir, gitAuth)
 	// Install manifest config
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
 		Namespace:              rootArgs.namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             gitArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
 		Namespace:    rootArgs.namespace,
 		TargetPath:   gitArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = gitArgs.username
 		secretOpts.Password = gitArgs.password
 		if bootstrapArgs.caFile != "" {
 			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 		// Configure repository URL to match auth config for sync.
 		repositoryURL.User = nil
 		repositoryURL.Scheme = "https"
 		repositoryURL.Host = repositoryURL.Hostname()
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.Password = gitArgs.password
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		// Configure repository URL to match auth config for sync.
 		repositoryURL.User = url.User(gitArgs.username)
 		repositoryURL.Scheme = "ssh"
 		if bootstrapArgs.sshHostname != "" {
 			repositoryURL.Host = bootstrapArgs.sshHostname
 		}
 		if bootstrapArgs.privateKeyFile != "" {
 			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
 		}
 		// Configure last as it depends on the config above.
 		secretOpts.SSHHostname = repositoryURL.Host
 	}
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          gitArgs.interval,
 		Name:              rootArgs.namespace,
 		Namespace:         rootArgs.namespace,
 		URL:               repositoryURL.String(),
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        gitArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitOption{
 		bootstrap.WithRepositoryURL(gitArgs.url),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
 		bootstrap.WithPostGenerateSecretFunc(promptPublicKey),
 		bootstrap.WithLogger(logger),
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewPlainGitProvider(gitClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
 	// Run
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
 // transportForURL constructs a transport.AuthMethod based on the scheme
 // of the given URL and the configured flags. If the protocol equals
 // "ssh" but no private key is configured, authentication using the local
 // SSH-agent is attempted.
 func transportForURL(u *url.URL) (transport.AuthMethod, error) {
 	switch u.Scheme {
 	case "https":
 		return &http.BasicAuth{
 			Username: gitArgs.username,
 			Password: gitArgs.password,
 		}, nil
 	case "ssh":
 		if bootstrapArgs.privateKeyFile != "" {
 			return ssh.NewPublicKeysFromFile(u.User.Username(), bootstrapArgs.privateKeyFile, gitArgs.password)
 		}
 		return nil, nil
 	default:
 		return nil, fmt.Errorf("scheme %q is not supported", u.Scheme)
 	}
 }
 func promptPublicKey(ctx context.Context, secret corev1.Secret, _ sourcesecret.Options) error {
 	ppk, ok := secret.StringData[sourcesecret.PublicKeySecretKey]
 	if !ok {
 		return nil
 	}
 	logger.Successf("public key: %s", strings.TrimSpace(ppk))
 	if !gitArgs.silent {
 		prompt := promptui.Prompt{
 			Label:     "Please give the key access to your repository",
 			IsConfirm: true,
 		}
 		_, err := prompt.Run()
 		if err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	return nil
 }
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -19,20 +19,20 @@ package main
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"path"
 	"time"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 var bootstrapGitHubCmd = &cobra.Command{
@@ -46,246 +46,206 @@ the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitHub personal access token and export it as an env var
  export GITHUB_TOKEN=<my-token>
-  # Run bootstrap for a private repo owned by a GitHub organization
+  # Run bootstrap for a private repository owned by a GitHub organization
-  flux bootstrap github --owner=<organization> --repository=<repo name>
+  flux bootstrap github --owner=<organization> --repository=<repository name>
-  # Run bootstrap for a private repo and assign organization teams to it
+  # Run bootstrap for a private repository and assign organization teams to it
-  flux bootstrap github --owner=<organization> --repository=<repo name> --team=<team1 slug> --team=<team2 slug>
+  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug>
  # Run bootstrap for a repository path
-  flux bootstrap github --owner=<organization> --repository=<repo name> --path=dev-cluster
+  flux bootstrap github --owner=<organization> --repository=<repository name> --path=dev-cluster
  # Run bootstrap for a public repository on a personal account
-  flux bootstrap github --owner=<user> --repository=<repo name> --private=false --personal=true 
+  flux bootstrap github --owner=<user> --repository=<repository name> --private=false --personal=true
-  # Run bootstrap for a private repo hosted on GitHub Enterprise using SSH auth
+  # Run bootstrap for a private repository hosted on GitHub Enterprise using SSH auth
-  flux bootstrap github --owner=<organization> --repository=<repo name> --hostname=<domain> --ssh-hostname=<domain>
+  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain>
-  # Run bootstrap for a private repo hosted on GitHub Enterprise using HTTPS auth
+  # Run bootstrap for a private repository hosted on GitHub Enterprise using HTTPS auth
-  flux bootstrap github --owner=<organization> --repository=<repo name> --hostname=<domain> --token-auth
+  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth
-  # Run bootstrap for a an existing repository with a branch named main
+  # Run bootstrap for an existing repository with a branch named main
-  flux bootstrap github --owner=<organization> --repository=<repo name> --branch=main
+  flux bootstrap github --owner=<organization> --repository=<repository name> --branch=main`,
 `,
 	RunE: bootstrapGitHubCmdRun,
 }
-var (
+type githubFlags struct {
-	ghOwner       string
+	owner        string
-	ghRepository  string
+	repository   string
-	ghInterval    time.Duration
+	interval     time.Duration
-	ghPersonal    bool
+	personal     bool
-	ghPrivate     bool
+	private      bool
-	ghHostname    string
+	hostname     string
-	ghPath        flags.SafeRelativePath
+	path         flags.SafeRelativePath
-	ghTeams       []string
+	teams        []string
-	ghDelete      bool
+	readWriteKey bool
-	ghSSHHostname string
+	reconcile    bool
-)
+}
 const (
 	ghDefaultPermission = "maintain"
 	ghDefaultDomain     = "github.com"
 	ghTokenEnvVar       = "GITHUB_TOKEN"
 )
-func init() {
+var githubArgs githubFlags
 	bootstrapGitHubCmd.Flags().StringVar(&ghOwner, "owner", "", "GitHub user or organization name")
 	bootstrapGitHubCmd.Flags().StringVar(&ghRepository, "repository", "", "GitHub repository name")
 	bootstrapGitHubCmd.Flags().StringArrayVar(&ghTeams, "team", []string{}, "GitHub team to be given maintainer access")
 	bootstrapGitHubCmd.Flags().BoolVar(&ghPersonal, "personal", false, "is personal repository")
 	bootstrapGitHubCmd.Flags().BoolVar(&ghPrivate, "private", true, "is private repository")
 	bootstrapGitHubCmd.Flags().DurationVar(&ghInterval, "interval", time.Minute, "sync interval")
 	bootstrapGitHubCmd.Flags().StringVar(&ghHostname, "hostname", git.GitHubDefaultHostname, "GitHub hostname")
 	bootstrapGitHubCmd.Flags().StringVar(&ghSSHHostname, "ssh-hostname", "", "GitHub SSH hostname, to be used when the SSH host differs from the HTTPS one")
 	bootstrapGitHubCmd.Flags().Var(&ghPath, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
-	bootstrapGitHubCmd.Flags().BoolVar(&ghDelete, "delete", false, "delete repository (used for testing only)")
+func init() {
-	bootstrapGitHubCmd.Flags().MarkHidden("delete")
+	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.owner, "owner", "", "GitHub user or organization name")
 	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.repository, "repository", "", "GitHub repository name")
 	bootstrapGitHubCmd.Flags().StringSliceVar(&githubArgs.teams, "team", []string{}, "GitHub team to be given maintainer access (also accepts comma-separated values)")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.personal, "personal", false, "if true, the owner is assumed to be a GitHub user; otherwise an org")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.private, "private", true, "if true, the repository is setup or configured as private")
 	bootstrapGitHubCmd.Flags().DurationVar(&githubArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.hostname, "hostname", ghDefaultDomain, "GitHub hostname")
 	bootstrapGitHubCmd.Flags().Var(&githubArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
 	bootstrapCmd.AddCommand(bootstrapGitHubCmd)
 }
 func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
-	ghToken := os.Getenv(git.GitHubTokenName)
+	ghToken := os.Getenv(ghTokenEnvVar)
 	if ghToken == "" {
-		return fmt.Errorf("%s environment variable not found", git.GitHubTokenName)
+		return fmt.Errorf("%s environment variable not found", ghTokenEnvVar)
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
-	repository, err := git.NewRepository(ghRepository, ghOwner, ghHostname, ghToken, "flux", ghOwner+"@users.noreply.github.com")
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	if err != nil {
 		return err
 	}
 	if ghSSHHostname != "" {
 		repository.SSHHost = ghSSHHostname
 	}
 	provider := &git.GithubProvider{
 		IsPrivate:  ghPrivate,
 		IsPersonal: ghPersonal,
 	}
 	tmpDir, err := ioutil.TempDir("", namespace)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
-	if ghDelete {
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 		if err := provider.DeleteRepository(ctx, repository); err != nil {
 			return err
 		}
 		logger.Successf("repository deleted")
 		return nil
 	}
 	// create GitHub repository if doesn't exists
 	logger.Actionf("connecting to %s", ghHostname)
 	changed, err := provider.CreateRepository(ctx, repository)
 	if err != nil {
 		return err
 	}
 	if changed {
 		logger.Successf("repository created")
 	}
 	withErrors := false
 	// add teams to org repository
 	if !ghPersonal {
 		for _, team := range ghTeams {
 			if changed, err := provider.AddTeam(ctx, repository, team, ghDefaultPermission); err != nil {
 				logger.Failuref(err.Error())
 				withErrors = true
 			} else if changed {
 				logger.Successf("%s team access granted", team)
 			}
 		}
 	}
 	// clone repository and checkout the main branch
 	if err := repository.Checkout(ctx, bootstrapBranch, tmpDir); err != nil {
 		return err
 	}
 	logger.Successf("repository cloned")
 	// generate install manifests
 	logger.Generatef("generating manifests")
 	installManifest, err := generateInstallManifests(ghPath.String(), namespace, tmpDir, bootstrapManifestsPath)
 	if err != nil {
 		return err
 	}
-	// stage install manifests
+	// Manifest base
-	changed, err = repository.Commit(ctx, path.Join(ghPath.String(), namespace), "Add manifests")
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
 	// Build GitHub provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitHub,
 		Hostname: githubArgs.hostname,
 		Token:    ghToken,
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}
-	// push install manifests
+	// Lazy go-git repository
-	if changed {
+	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
 		if err := repository.Push(ctx); err != nil {
 			return err
 		}
 		logger.Successf("components manifests pushed")
 	} else {
 		logger.Successf("components are up to date")
 	}
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	gitClient := gogit.New(tmpDir, &http.BasicAuth{
 		Username: githubArgs.owner,
 		Password: ghToken,
 	})
 	// Install manifest config
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
 		Namespace:              rootArgs.namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             githubArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
-	// determine if repo synchronization is working
+	// Source generation and secret config
-	isInstall := shouldInstallManifests(ctx, kubeClient, namespace)
+	secretOpts := sourcesecret.Options{
-
+		Name:         bootstrapArgs.secretName,
-	if isInstall {
+		Namespace:    rootArgs.namespace,
-		// apply install manifests
+		TargetPath:   githubArgs.path.ToSlash(),
-		logger.Actionf("installing components in %s namespace", namespace)
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		if err := applyInstallManifests(ctx, installManifest, bootstrapComponents()); err != nil {
 			return err
 		}
 		logger.Successf("install completed")
 	}
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = ghToken
-	repoURL := repository.GetURL()
+		if bootstrapArgs.caFile != "" {
-
+			secretOpts.CAFilePath = bootstrapArgs.caFile
 	if bootstrapTokenAuth {
 		// setup HTTPS token auth
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      namespace,
 				Namespace: namespace,
 			},
 			StringData: map[string]string{
 				"username": "git",
 				"password": ghToken,
 			},
 		}
 		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 			return err
 		}
 	} else {
-		// setup SSH deploy key
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
-		repoURL = repository.GetSSH()
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
-		if shouldCreateDeployKey(ctx, kubeClient, namespace) {
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-			logger.Actionf("configuring deploy key")
+		secretOpts.SSHHostname = githubArgs.hostname
 			u, err := url.Parse(repository.GetSSH())
 			if err != nil {
 				return fmt.Errorf("git URL parse failed: %w", err)
 			}
-			key, err := generateDeployKey(ctx, kubeClient, u, namespace)
+		if bootstrapArgs.sshHostname != "" {
-			if err != nil {
+			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 				return fmt.Errorf("generating deploy key failed: %w", err)
 			}
 			keyName := "flux"
 			if ghPath != "" {
 				keyName = fmt.Sprintf("flux-%s", ghPath)
 			}
 			if changed, err := provider.AddDeployKey(ctx, repository, key, keyName); err != nil {
 				return err
 			} else if changed {
 				logger.Successf("deploy key configured")
 			}
 		}
 	}
-	// configure repo synchronization
+	// Sync manifest config
-	logger.Actionf("generating sync manifests")
+	syncOpts := sync.Options{
-	syncManifests, err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, ghPath.String(), tmpDir, ghInterval)
+		Interval:          githubArgs.interval,
 		Name:              rootArgs.namespace,
 		Namespace:         rootArgs.namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        githubArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(githubArgs.owner, githubArgs.repository, githubArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
 		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(githubArgs.teams, ghDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(githubArgs.readWriteKey),
 		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
 		bootstrap.WithLogger(logger),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
 	if bootstrapArgs.tokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
 	if !githubArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
 	if githubArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
-	// commit and push manifests
+	// Run
-	if changed, err = repository.Commit(ctx, path.Join(ghPath.String(), namespace), "Add manifests"); err != nil {
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 		return err
 	} else if changed {
 		if err := repository.Push(ctx); err != nil {
 			return err
 		}
 		logger.Successf("sync manifests pushed")
 	}
 	// apply manifests and waiting for sync
 	logger.Actionf("applying sync manifests")
 	if err := applySyncManifests(ctx, kubeClient, namespace, namespace, syncManifests); err != nil {
 		return err
 	}
 	if withErrors {
 		return fmt.Errorf("bootstrap completed with errors")
 	}
 	logger.Successf("bootstrap finished")
 	return nil
 }
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -19,21 +19,22 @@ package main
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"path"
 	"regexp"
 	"strings"
 	"time"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 var bootstrapGitLabCmd = &cobra.Command{
@@ -47,220 +48,220 @@ the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitLab API token and export it as an env var
  export GITLAB_TOKEN=<my-token>
-  # Run bootstrap for a private repo using HTTPS token authentication 
+  # Run bootstrap for a private repository using HTTPS token authentication
-  flux bootstrap gitlab --owner=<group> --repository=<repo name> --token-auth
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --token-auth
-  # Run bootstrap for a private repo using SSH authentication
+  # Run bootstrap for a private repository using SSH authentication
-  flux bootstrap gitlab --owner=<group> --repository=<repo name>
+  flux bootstrap gitlab --owner=<group> --repository=<repository name>
  # Run bootstrap for a repository path
-  flux bootstrap gitlab --owner=<group> --repository=<repo name> --path=dev-cluster
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --path=dev-cluster
  # Run bootstrap for a public repository on a personal account
-  flux bootstrap gitlab --owner=<user> --repository=<repo name> --private=false --personal --token-auth
+  flux bootstrap gitlab --owner=<user> --repository=<repository name> --private=false --personal --token-auth
-  # Run bootstrap for a private repo hosted on a GitLab server 
+  # Run bootstrap for a private repository hosted on a GitLab server
-  flux bootstrap gitlab --owner=<group> --repository=<repo name> --hostname=<domain> --token-auth
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<domain> --token-auth
  # Run bootstrap for a an existing repository with a branch named main
-  flux bootstrap gitlab --owner=<organization> --repository=<repo name> --branch=main --token-auth
+  flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth`,
 `,
 	RunE: bootstrapGitLabCmdRun,
 }
 const (
-	gitlabProjectRegex = `\A[[:alnum:]\x{00A9}-\x{1f9ff}_][[:alnum:]\p{Pd}\x{00A9}-\x{1f9ff}_\.]*\z`
+	glDefaultPermission = "maintain"
 	glDefaultDomain     = "gitlab.com"
 	glTokenEnvVar       = "GITLAB_TOKEN"
 	gitlabProjectRegex  = `\A[[:alnum:]\x{00A9}-\x{1f9ff}_][[:alnum:]\p{Pd}\x{00A9}-\x{1f9ff}_\.]*\z`
 )
-var (
+type gitlabFlags struct {
-	glOwner       string
+	owner        string
-	glRepository  string
+	repository   string
-	glInterval    time.Duration
+	interval     time.Duration
-	glPersonal    bool
+	personal     bool
-	glPrivate     bool
+	private      bool
-	glHostname    string
+	hostname     string
-	glSSHHostname string
+	path         flags.SafeRelativePath
-	glPath        flags.SafeRelativePath
+	teams        []string
-)
+	readWriteKey bool
 	reconcile    bool
 }
 var gitlabArgs gitlabFlags
 func init() {
-	bootstrapGitLabCmd.Flags().StringVar(&glOwner, "owner", "", "GitLab user or group name")
+	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.owner, "owner", "", "GitLab user or group name")
-	bootstrapGitLabCmd.Flags().StringVar(&glRepository, "repository", "", "GitLab repository name")
+	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.repository, "repository", "", "GitLab repository name")
-	bootstrapGitLabCmd.Flags().BoolVar(&glPersonal, "personal", false, "is personal repository")
+	bootstrapGitLabCmd.Flags().StringSliceVar(&gitlabArgs.teams, "team", []string{}, "GitLab teams to be given maintainer access (also accepts comma-separated values)")
-	bootstrapGitLabCmd.Flags().BoolVar(&glPrivate, "private", true, "is private repository")
+	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.personal, "personal", false, "if true, the owner is assumed to be a GitLab user; otherwise a group")
-	bootstrapGitLabCmd.Flags().DurationVar(&glInterval, "interval", time.Minute, "sync interval")
+	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.private, "private", true, "if true, the repository is setup or configured as private")
-	bootstrapGitLabCmd.Flags().StringVar(&glHostname, "hostname", git.GitLabDefaultHostname, "GitLab hostname")
+	bootstrapGitLabCmd.Flags().DurationVar(&gitlabArgs.interval, "interval", time.Minute, "sync interval")
-	bootstrapGitLabCmd.Flags().StringVar(&glSSHHostname, "ssh-hostname", "", "GitLab SSH hostname, to be used when the SSH host differs from the HTTPS one")
+	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.hostname, "hostname", glDefaultDomain, "GitLab hostname")
-	bootstrapGitLabCmd.Flags().Var(&glPath, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
+	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
 	bootstrapCmd.AddCommand(bootstrapGitLabCmd)
 }
 func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
-	glToken := os.Getenv(git.GitLabTokenName)
+	glToken := os.Getenv(glTokenEnvVar)
 	if glToken == "" {
-		return fmt.Errorf("%s environment variable not found", git.GitLabTokenName)
+		return fmt.Errorf("%s environment variable not found", glTokenEnvVar)
 	}
-	projectNameIsValid, err := regexp.MatchString(gitlabProjectRegex, glRepository)
+	if projectNameIsValid, err := regexp.MatchString(gitlabProjectRegex, gitlabArgs.repository); err != nil || !projectNameIsValid {
-	if err != nil {
+		if err == nil {
 			err = fmt.Errorf("%s is an invalid project name for gitlab.\nIt can contain only letters, digits, emojis, '_', '.', dash, space. It must start with letter, digit, emoji or '_'.", gitlabArgs.repository)
 		}
 		return err
 	}
 	if !projectNameIsValid {
 		return fmt.Errorf("%s is an invalid project name for gitlab.\nIt can contain only letters, digits, emojis, '_', '.', dash, space. It must start with letter, digit, emoji or '_'.", glRepository)
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
-	repository, err := git.NewRepository(glRepository, glOwner, glHostname, glToken, "flux", glOwner+"@users.noreply.gitlab.com")
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	if err != nil {
 		return err
 	}
 	if glSSHHostname != "" {
 		repository.SSHHost = glSSHHostname
 	}
 	provider := &git.GitLabProvider{
 		IsPrivate:  glPrivate,
 		IsPersonal: glPersonal,
 	}
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	tmpDir, err := ioutil.TempDir("", namespace)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
-	// create GitLab project if doesn't exists
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	logger.Actionf("connecting to %s", glHostname)
 	changed, err := provider.CreateRepository(ctx, repository)
 	if err != nil {
 		return err
 	}
 	if changed {
 		logger.Successf("repository created")
 	}
 	// clone repository and checkout the master branch
 	if err := repository.Checkout(ctx, bootstrapBranch, tmpDir); err != nil {
 		return err
 	}
 	logger.Successf("repository cloned")
 	// generate install manifests
 	logger.Generatef("generating manifests")
 	installManifest, err := generateInstallManifests(glPath.String(), namespace, tmpDir, bootstrapManifestsPath)
 	if err != nil {
 		return err
 	}
-	// stage install manifests
+	// Manifest base
-	changed, err = repository.Commit(ctx, path.Join(glPath.String(), namespace), "Add manifests")
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
 	// Build GitLab provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitLab,
 		Hostname: gitlabArgs.hostname,
 		Token:    glToken,
 	}
 	// Workaround for: https://github.com/fluxcd/go-git-providers/issues/55
 	if hostname := providerCfg.Hostname; hostname != glDefaultDomain &&
 		!strings.HasPrefix(hostname, "https://") &&
 		!strings.HasPrefix(hostname, "http://") {
 		providerCfg.Hostname = "https://" + providerCfg.Hostname
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}
-	// push install manifests
+	// Lazy go-git repository
-	if changed {
+	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
-		if err := repository.Push(ctx); err != nil {
+	if err != nil {
-			return err
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
-		}
+	}
-		logger.Successf("components manifests pushed")
+	defer os.RemoveAll(tmpDir)
-	} else {
+	gitClient := gogit.New(tmpDir, &http.BasicAuth{
-		logger.Successf("components are up to date")
+		Username: gitlabArgs.owner,
 		Password: glToken,
 	})
 	// Install manifest config
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
 		Namespace:              rootArgs.namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             gitlabArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
-	// determine if repo synchronization is working
+	// Source generation and secret config
-	isInstall := shouldInstallManifests(ctx, kubeClient, namespace)
+	secretOpts := sourcesecret.Options{
-
+		Name:         bootstrapArgs.secretName,
-	if isInstall {
+		Namespace:    rootArgs.namespace,
-		// apply install manifests
+		TargetPath:   gitlabArgs.path.String(),
-		logger.Actionf("installing components in %s namespace", namespace)
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		if err := applyInstallManifests(ctx, installManifest, bootstrapComponents()); err != nil {
 			return err
 		}
 		logger.Successf("install completed")
 	}
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = glToken
-	repoURL := repository.GetURL()
+		if bootstrapArgs.caFile != "" {
-
+			secretOpts.CAFilePath = bootstrapArgs.caFile
 	if bootstrapTokenAuth {
 		// setup HTTPS token auth
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      namespace,
 				Namespace: namespace,
 			},
 			StringData: map[string]string{
 				"username": "git",
 				"password": glToken,
 			},
 		}
 		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 			return err
 		}
 	} else {
-		// setup SSH deploy key
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
-		repoURL = repository.GetSSH()
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
-		if shouldCreateDeployKey(ctx, kubeClient, namespace) {
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-			logger.Actionf("configuring deploy key")
+		secretOpts.SSHHostname = gitlabArgs.hostname
 			u, err := url.Parse(repoURL)
 			if err != nil {
 				return fmt.Errorf("git URL parse failed: %w", err)
 			}
-			key, err := generateDeployKey(ctx, kubeClient, u, namespace)
+		if bootstrapArgs.privateKeyFile != "" {
-			if err != nil {
+			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
-				return fmt.Errorf("generating deploy key failed: %w", err)
+		}
-			}
+		if bootstrapArgs.sshHostname != "" {
-
+			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 			keyName := "flux"
 			if glPath != "" {
 				keyName = fmt.Sprintf("flux-%s", glPath)
 			}
 			if changed, err := provider.AddDeployKey(ctx, repository, key, keyName); err != nil {
 				return err
 			} else if changed {
 				logger.Successf("deploy key configured")
 			}
 		}
 	}
-	// configure repo synchronization
+	// Sync manifest config
-	logger.Actionf("generating sync manifests")
+	syncOpts := sync.Options{
-	syncManifests, err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, glPath.String(), tmpDir, glInterval)
+		Interval:          gitlabArgs.interval,
 		Name:              rootArgs.namespace,
 		Namespace:         rootArgs.namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        gitlabArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(gitlabArgs.owner, gitlabArgs.repository, gitlabArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
 		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(gitlabArgs.teams, glDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(gitlabArgs.readWriteKey),
 		bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
 		bootstrap.WithLogger(logger),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
 	if bootstrapArgs.tokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
 	if !gitlabArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
 	if gitlabArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
-	// commit and push manifests
+	// Run
-	if changed, err = repository.Commit(ctx, path.Join(glPath.String(), namespace), "Add manifests"); err != nil {
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 		return err
 	} else if changed {
 		if err := repository.Push(ctx); err != nil {
 			return err
 		}
 		logger.Successf("sync manifests pushed")
 	}
 	// apply manifests and waiting for sync
 	logger.Actionf("applying sync manifests")
 	if err := applySyncManifests(ctx, kubeClient, namespace, namespace, syncManifests); err != nil {
 		return err
 	}
 	logger.Successf("bootstrap finished")
 	return nil
 }
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -21,13 +21,20 @@ import (
 	"encoding/json"
 	"os"
 	"os/exec"
-	"strings"
+	"time"
-	"github.com/blang/semver/v4"
+	"github.com/Masterminds/semver/v3"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/api/apps/v1"
 	apimachineryversion "k8s.io/apimachinery/pkg/version"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/version"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/status"
 )
 var checkCmd = &cobra.Command{
@@ -39,44 +46,50 @@ the local environment is configured correctly and if the installed components ar
  flux check --pre
  # Run installation checks
-  flux check
+  flux check`,
 `,
 	RunE: runCheckCmd,
 }
-var (
+type checkFlags struct {
-	checkPre        bool
+	pre             bool
-	checkComponents []string
+	components      []string
-)
+	extraComponents []string
 }
 type kubectlVersion struct {
 	ClientVersion *apimachineryversion.Info `json:"clientVersion"`
 }
 var checkArgs checkFlags
 func init() {
-	checkCmd.Flags().BoolVarP(&checkPre, "pre", "", false,
+	checkCmd.Flags().BoolVarP(&checkArgs.pre, "pre", "", false,
 		"only run pre-installation checks")
-	checkCmd.Flags().StringSliceVar(&checkComponents, "components", defaults.Components,
+	checkCmd.Flags().StringSliceVar(&checkArgs.components, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	checkCmd.Flags().StringSliceVar(&checkArgs.extraComponents, "components-extra", nil,
 		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
 	rootCmd.AddCommand(checkCmd)
 }
 func runCheckCmd(cmd *cobra.Command, args []string) error {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	logger.Actionf("checking prerequisites")
 	checkFailed := false
-	if !kubectlCheck(ctx, ">=1.18.0") {
+	fluxCheck()
 	if !kubectlCheck(ctx, ">=1.18.0-0") {
 		checkFailed = true
 	}
-	if !kubernetesCheck(">=1.16.0") {
+	if !kubernetesCheck(">=1.16.0-0") {
 		checkFailed = true
 	}
-	if checkPre {
+	if checkArgs.pre {
 		if checkFailed {
 			os.Exit(1)
 		}
@@ -95,7 +108,29 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 	return nil
 }
-func kubectlCheck(ctx context.Context, version string) bool {
+func fluxCheck() {
 	curSv, err := version.ParseVersion(VERSION)
 	if err != nil {
 		return
 	}
 	// Exclude development builds.
 	if curSv.Prerelease() != "" {
 		return
 	}
 	latest, err := install.GetLatestVersion()
 	if err != nil {
 		return
 	}
 	latestSv, err := version.ParseVersion(latest)
 	if err != nil {
 		return
 	}
 	if latestSv.GreaterThan(curSv) {
 		logger.Failuref("flux %s <%s (new version is available, please upgrade)", curSv, latestSv)
 	}
 }
 func kubectlCheck(ctx context.Context, constraint string) bool {
 	_, err := exec.LookPath("kubectl")
 	if err != nil {
 		logger.Failuref("kubectl not found")
@@ -103,7 +138,7 @@ func kubectlCheck(ctx context.Context, version string) bool {
 	}
 	kubectlArgs := []string{"version", "--client", "--output", "json"}
-	output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...)
+	output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, rootArgs.kubeconfig, rootArgs.kubecontext, kubectlArgs...)
 	if err != nil {
 		logger.Failuref("kubectl version can't be determined")
 		return false
@@ -111,77 +146,93 @@ func kubectlCheck(ctx context.Context, version string) bool {
 	kv := &kubectlVersion{}
 	if err = json.Unmarshal([]byte(output), kv); err != nil {
-		logger.Failuref("kubectl version output can't be unmarshaled")
+		logger.Failuref("kubectl version output can't be unmarshalled")
 		return false
 	}
-	v, err := semver.ParseTolerant(kv.ClientVersion.GitVersion)
+	v, err := version.ParseVersion(kv.ClientVersion.GitVersion)
 	if err != nil {
 		logger.Failuref("kubectl version can't be parsed")
 		return false
 	}
-	rng, _ := semver.ParseRange(version)
+	c, _ := semver.NewConstraint(constraint)
-	if !rng(v) {
+	if !c.Check(v) {
-		logger.Failuref("kubectl version must be %s", version)
+		logger.Failuref("kubectl version %s < %s", v.Original(), constraint)
 		return false
 	}
-	logger.Successf("kubectl %s %s", v.String(), version)
+	logger.Successf("kubectl %s %s", v.String(), constraint)
 	return true
 }
-func kubernetesCheck(version string) bool {
+func kubernetesCheck(constraint string) bool {
-	cfg, err := utils.KubeConfig(kubeconfig, kubecontext)
+	cfg, err := utils.KubeConfig(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
 		return false
 	}
-	client, err := kubernetes.NewForConfig(cfg)
+	clientSet, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
 		return false
 	}
-	ver, err := client.Discovery().ServerVersion()
+	kv, err := clientSet.Discovery().ServerVersion()
 	if err != nil {
 		logger.Failuref("Kubernetes API call failed: %s", err.Error())
 		return false
 	}
-	v, err := semver.ParseTolerant(ver.String())
+	v, err := version.ParseVersion(kv.String())
 	if err != nil {
 		logger.Failuref("Kubernetes version can't be determined")
 		return false
 	}
-	rng, _ := semver.ParseRange(version)
+	c, _ := semver.NewConstraint(constraint)
-	if !rng(v) {
+	if !c.Check(v) {
-		logger.Failuref("Kubernetes version must be %s", version)
+		logger.Failuref("Kubernetes version %s < %s", v.Original(), constraint)
 		return false
 	}
-	logger.Successf("Kubernetes %s %s", v.String(), version)
+	logger.Successf("Kubernetes %s %s", v.String(), constraint)
 	return true
 }
 func componentsCheck() bool {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeConfig, err := utils.KubeConfig(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return false
 	}
 	statusChecker, err := status.NewStatusChecker(kubeConfig, time.Second, rootArgs.timeout, logger)
 	if err != nil {
 		return false
 	}
 	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return false
 	}
 	ok := true
-	for _, deployment := range checkComponents {
+	selector := client.MatchingLabels{"app.kubernetes.io/instance": rootArgs.namespace}
-		kubectlArgs := []string{"-n", namespace, "rollout", "status", "deployment", deployment, "--timeout", timeout.String()}
+	var list v1.DeploymentList
-		if output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...); err != nil {
+	if err := kubeClient.List(ctx, &list, client.InNamespace(rootArgs.namespace), selector); err == nil {
-			logger.Failuref("%s: %s", deployment, strings.TrimSuffix(output, "\n"))
+		for _, d := range list.Items {
-			ok = false
+			if ref, err := buildComponentObjectRefs(d.Name); err == nil {
-		} else {
+				if err := statusChecker.Assess(ref...); err != nil {
-			logger.Successf("%s is healthy", deployment)
+					ok = false
-		}
+				}
-		kubectlArgs = []string{"-n", namespace, "get", "deployment", deployment, "-o", "jsonpath=\"{..image}\""}
+			}
-		if output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...); err == nil {
+			for _, c := range d.Spec.Template.Spec.Containers {
-			logger.Actionf(strings.TrimPrefix(strings.TrimSuffix(output, "\""), "\""))
+				logger.Actionf(c.Image)
 			}
 		}
 	}
 	return ok
--- a/cmd/flux/check_test.go
+++ b/cmd/flux/check_test.go
@@ -0,0 +1,37 @@
 // +build e2e
 package main
 import (
 	"context"
 	"encoding/json"
 	"strings"
 	"testing"
 	"github.com/fluxcd/flux2/internal/utils"
 	"k8s.io/apimachinery/pkg/version"
 )
 func TestCheckPre(t *testing.T) {
 	jsonOutput, err := utils.ExecKubectlCommand(context.TODO(), utils.ModeCapture, rootArgs.kubeconfig, rootArgs.kubecontext, "version", "--output", "json")
 	if err != nil {
 		t.Fatalf("Error running utils.ExecKubectlCommand: %v", err.Error())
 	}
 	var versions map[string]version.Info
 	if err := json.Unmarshal([]byte(jsonOutput), &versions); err != nil {
 		t.Fatalf("Error unmarshalling: %v", err.Error())
 	}
 	clientVersion := strings.TrimPrefix(versions["clientVersion"].GitVersion, "v")
 	serverVersion := strings.TrimPrefix(versions["serverVersion"].GitVersion, "v")
 	cmd := cmdTestCase{
 		args: "check --pre",
 		assert: assertGoldenTemplateFile("testdata/check/check_pre.golden", map[string]string{
 			"clientVersion": clientVersion,
 			"serverVersion": serverVersion,
 		}),
 	}
 	cmd.runTestCmd(t)
 }
--- a/cmd/flux/completion_bash.go
+++ b/cmd/flux/completion_bash.go
@@ -32,8 +32,7 @@ var completionBashCmd = &cobra.Command{
 To configure your bash shell to load completions for each session add to your bashrc
 # ~/.bashrc or ~/.profile
-command -v flux >/dev/null && . <(flux completion bash)
+command -v flux >/dev/null && . <(flux completion bash)`,
 `,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenBashCompletion(os.Stdout)
 	},
--- a/cmd/flux/completion_fish.go
+++ b/cmd/flux/completion_fish.go
@@ -25,16 +25,11 @@ import (
 var completionFishCmd = &cobra.Command{
 	Use:   "fish",
 	Short: "Generates fish completion scripts",
-	Example: `To load completion run
+	Example: `To configure your fish shell to load completions for each session write this script to your completions dir:
-. <(flux completion fish)
+flux completion fish > ~/.config/fish/completions/flux.fish
-To configure your fish shell to load completions for each session write this script to your completions dir:
+See http://fishshell.com/docs/current/index.html#completion-own for more details`,
 flux completion fish > ~/.config/fish/completions/flux
 See http://fishshell.com/docs/current/index.html#completion-own for more details
 `,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenFishCompletion(os.Stdout, true)
 	},
--- a/cmd/flux/completion_powershell.go
+++ b/cmd/flux/completion_powershell.go
@@ -39,8 +39,7 @@ flux completion >> flux-completion.ps1
 Linux:
 cd "${XDG_CONFIG_HOME:-"$HOME/.config/"}/powershell/modules"
-flux completion >> flux-completions.ps1
+flux completion >> flux-completions.ps1`,
 `,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenPowerShellCompletion(os.Stdout)
 	},
--- a/cmd/flux/completion_zsh.go
+++ b/cmd/flux/completion_zsh.go
@@ -40,8 +40,7 @@ echo "${fpath// /\n}" | grep -i completion
 flux completion zsh > _flux
 mv _flux ~/.oh-my-zsh/completions  # oh-my-zsh
-mv _flux ~/.zprezto/modules/completion/external/src/  # zprezto
+mv _flux ~/.zprezto/modules/completion/external/src/  # zprezto`,
 `,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenZshCompletion(os.Stdout)
 	},
--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@@ -38,16 +38,18 @@ var createCmd = &cobra.Command{
 	Long:  "The create sub-commands generate sources and resources.",
 }
-var (
+type createFlags struct {
 	interval time.Duration
 	export   bool
 	labels   []string
-)
+}
 var createArgs createFlags
 func init() {
-	createCmd.PersistentFlags().DurationVarP(&interval, "interval", "", time.Minute, "source sync interval")
+	createCmd.PersistentFlags().DurationVarP(&createArgs.interval, "interval", "", time.Minute, "source sync interval")
-	createCmd.PersistentFlags().BoolVar(&export, "export", false, "export in YAML format to stdout")
+	createCmd.PersistentFlags().BoolVar(&createArgs.export, "export", false, "export in YAML format to stdout")
-	createCmd.PersistentFlags().StringSliceVar(&labels, "label", nil,
+	createCmd.PersistentFlags().StringSliceVar(&createArgs.labels, "label", nil,
 		"set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)")
 	rootCmd.AddCommand(createCmd)
 }
@@ -76,7 +78,7 @@ func (names apiType) upsert(ctx context.Context, kubeClient client.Client, objec
 		Name:      object.GetName(),
 	}
-	op, err := controllerutil.CreateOrUpdate(ctx, kubeClient, object.asRuntimeObject(), mutate)
+	op, err := controllerutil.CreateOrUpdate(ctx, kubeClient, object.asClientObject(), mutate)
 	if err != nil {
 		return nsname, err
 	}
@@ -99,10 +101,10 @@ type upsertWaitable interface {
 // resource, then waiting for it to reconcile. See the note on
 // `upsert` for how to work with the `mutate` argument.
 func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) error {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext) // NB globals
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext) // NB globals
 	if err != nil {
 		return err
 	}
@@ -116,7 +118,7 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 	}
 	logger.Waitingf("waiting for %s reconciliation", names.kind)
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isReady(ctx, kubeClient, namespacedName, object)); err != nil {
 		return err
 	}
@@ -126,7 +128,7 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 func parseLabels() (map[string]string, error) {
 	result := make(map[string]string)
-	for _, label := range labels {
+	for _, label := range createArgs.labels {
 		// validate key value pair
 		parts := strings.Split(label, "=")
 		if len(parts) != 2 {
--- a/cmd/flux/create_alert.go
+++ b/cmd/flux/create_alert.go
@@ -20,11 +20,7 @@ import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -33,6 +29,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
 )
 var createAlertCmd = &cobra.Command{
@@ -44,21 +43,22 @@ var createAlertCmd = &cobra.Command{
  --event-severity info \
  --event-source Kustomization/flux-system \
  --provider-ref slack \
-  flux-system
+  flux-system`,
 `,
 	RunE: createAlertCmdRun,
 }
-var (
+type alertFlags struct {
-	aProviderRef   string
+	providerRef   string
-	aEventSeverity string
+	eventSeverity string
-	aEventSources  []string
+	eventSources  []string
-)
+}
 var alertArgs alertFlags
 func init() {
-	createAlertCmd.Flags().StringVar(&aProviderRef, "provider-ref", "", "reference to provider")
+	createAlertCmd.Flags().StringVar(&alertArgs.providerRef, "provider-ref", "", "reference to provider")
-	createAlertCmd.Flags().StringVar(&aEventSeverity, "event-severity", "", "severity of events to send alerts for")
+	createAlertCmd.Flags().StringVar(&alertArgs.eventSeverity, "event-severity", "", "severity of events to send alerts for")
-	createAlertCmd.Flags().StringArrayVar(&aEventSources, "event-source", []string{}, "sources that should generate alerts (<kind>/<name>)")
+	createAlertCmd.Flags().StringSliceVar(&alertArgs.eventSources, "event-source", []string{}, "sources that should generate alerts (<kind>/<name>), also accepts comma-separated values")
 	createCmd.AddCommand(createAlertCmd)
 }
@@ -68,20 +68,21 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	if aProviderRef == "" {
+	if alertArgs.providerRef == "" {
 		return fmt.Errorf("provider ref is required")
 	}
 	eventSources := []notificationv1.CrossNamespaceObjectReference{}
-	for _, eventSource := range aEventSources {
+	for _, eventSource := range alertArgs.eventSources {
-		kind, name := utils.ParseObjectKindName(eventSource)
+		kind, name, namespace := utils.ParseObjectKindNameNamespace(eventSource)
 		if kind == "" {
 			return fmt.Errorf("invalid event source '%s', must be in format <kind>/<name>", eventSource)
 		}
 		eventSources = append(eventSources, notificationv1.CrossNamespaceObjectReference{
-			Kind: kind,
+			Kind:      kind,
-			Name: name,
+			Name:      name,
 			Namespace: namespace,
 		})
 	}
@@ -94,34 +95,34 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Alert")
 	}
 	alert := notificationv1.Alert{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: rootArgs.namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.AlertSpec{
-			ProviderRef: corev1.LocalObjectReference{
+			ProviderRef: meta.LocalObjectReference{
-				Name: aProviderRef,
+				Name: alertArgs.providerRef,
 			},
-			EventSeverity: aEventSeverity,
+			EventSeverity: alertArgs.eventSeverity,
 			EventSources:  eventSources,
 			Suspend:       false,
 		},
 	}
-	if export {
+	if createArgs.export {
-		return exportAlert(alert)
+		return printExport(exportAlert(&alert))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
@@ -133,7 +134,7 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for Alert reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isAlertReady(ctx, kubeClient, namespacedName, &alert)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_alertprovider.go
+++ b/cmd/flux/create_alertprovider.go
@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -29,9 +28,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
 )
 var createAlertProviderCmd = &cobra.Command{
@@ -49,25 +49,26 @@ var createAlertProviderCmd = &cobra.Command{
  flux create alert-provider github-podinfo \
  --type github \
  --address https://github.com/stefanprodan/podinfo \
-  --secret-ref github-token
+  --secret-ref github-token`,
 `,
 	RunE: createAlertProviderCmdRun,
 }
-var (
+type alertProviderFlags struct {
-	apType      string
+	alertType string
-	apChannel   string
+	channel   string
-	apUsername  string
+	username  string
-	apAddress   string
+	address   string
-	apSecretRef string
+	secretRef string
-)
+}
 var alertProviderArgs alertProviderFlags
 func init() {
-	createAlertProviderCmd.Flags().StringVar(&apType, "type", "", "type of provider")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.alertType, "type", "", "type of provider")
-	createAlertProviderCmd.Flags().StringVar(&apChannel, "channel", "", "channel to send messages to in the case of a chat provider")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.channel, "channel", "", "channel to send messages to in the case of a chat provider")
-	createAlertProviderCmd.Flags().StringVar(&apUsername, "username", "", "bot username used by the provider")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.username, "username", "", "bot username used by the provider")
-	createAlertProviderCmd.Flags().StringVar(&apAddress, "address", "", "path to either the git repository, chat provider or webhook")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.address, "address", "", "path to either the git repository, chat provider or webhook")
-	createAlertProviderCmd.Flags().StringVar(&apSecretRef, "secret-ref", "", "name of secret containing authentication token")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.secretRef, "secret-ref", "", "name of secret containing authentication token")
 	createCmd.AddCommand(createAlertProviderCmd)
 }
@@ -77,7 +78,7 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	if apType == "" {
+	if alertProviderArgs.alertType == "" {
 		return fmt.Errorf("Provider type is required")
 	}
@@ -86,38 +87,38 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Provider")
 	}
 	provider := notificationv1.Provider{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: rootArgs.namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.ProviderSpec{
-			Type:     apType,
+			Type:     alertProviderArgs.alertType,
-			Channel:  apChannel,
+			Channel:  alertProviderArgs.channel,
-			Username: apUsername,
+			Username: alertProviderArgs.username,
-			Address:  apAddress,
+			Address:  alertProviderArgs.address,
 		},
 	}
-	if apSecretRef != "" {
+	if alertProviderArgs.secretRef != "" {
-		provider.Spec.SecretRef = &corev1.LocalObjectReference{
+		provider.Spec.SecretRef = &meta.LocalObjectReference{
-			Name: apSecretRef,
+			Name: alertProviderArgs.secretRef,
 		}
 	}
-	if export {
+	if createArgs.export {
-		return exportAlertProvider(provider)
+		return printExport(exportAlertProvider(&provider))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
@@ -129,7 +130,7 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for Provider reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isAlertProviderReady(ctx, kubeClient, namespacedName, &provider)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@@ -18,12 +18,14 @@ package main
 import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/transform"
 	"github.com/spf13/cobra"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -62,11 +64,12 @@ var createHelmReleaseCmd = &cobra.Command{
    --source=Bucket/podinfo \
    --chart=./charts/podinfo
-  # Create a HelmRelease with values from a local YAML file
+  # Create a HelmRelease with values from local YAML files
  flux create hr podinfo \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
-    --values=./my-values.yaml
+    --values=./my-values1.yaml \
    --values=./my-values2.yaml
  # Create a HelmRelease with values from a Kubernetes secret
  kubectl -n app create secret generic my-secret-values \
@@ -84,42 +87,54 @@ var createHelmReleaseCmd = &cobra.Command{
  # Create a HelmRelease targeting another namespace than the resource
  flux create hr podinfo \
-    --target-namespace=default \
+    --target-namespace=test \
    --create-target-namespace=true \
    --source=HelmRepository/podinfo \
    --chart=podinfo
  # Create a HelmRelease using a source from a different namespace
  flux create hr podinfo \
    --namespace=default \
    --source=HelmRepository/podinfo.flux-system \
    --chart=podinfo
  # Create a HelmRelease definition on disk without applying it on the cluster
  flux create hr podinfo \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --values=./values.yaml \
-    --export > podinfo-release.yaml
+    --export > podinfo-release.yaml`,
 `,
 	RunE: createHelmReleaseCmdRun,
 }
-var (
+type helmReleaseFlags struct {
-	hrName            string
+	name            string
-	hrSource          flags.HelmChartSource
+	source          flags.HelmChartSource
-	hrDependsOn       []string
+	dependsOn       []string
-	hrChart           string
+	chart           string
-	hrChartVersion    string
+	chartVersion    string
-	hrTargetNamespace string
+	targetNamespace string
-	hrValuesFile      string
+	createNamespace bool
-	hrValuesFrom      flags.HelmReleaseValuesFrom
+	valuesFiles     []string
-	hrSAName          string
+	valuesFrom      flags.HelmReleaseValuesFrom
-)
+	saName          string
 	crds            flags.CRDsPolicy
 }
 var helmReleaseArgs helmReleaseFlags
 func init() {
-	createHelmReleaseCmd.Flags().StringVar(&hrName, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
-	createHelmReleaseCmd.Flags().Var(&hrSource, "source", hrSource.Description())
+	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.source, "source", helmReleaseArgs.source.Description())
-	createHelmReleaseCmd.Flags().StringVar(&hrChart, "chart", "", "Helm chart name or path")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chart, "chart", "", "Helm chart name or path")
-	createHelmReleaseCmd.Flags().StringVar(&hrChartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
-	createHelmReleaseCmd.Flags().StringArrayVar(&hrDependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
+	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
-	createHelmReleaseCmd.Flags().StringVar(&hrTargetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
-	createHelmReleaseCmd.Flags().StringVar(&hrSAName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
+	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
-	createHelmReleaseCmd.Flags().StringVar(&hrValuesFile, "values", "", "local path to the values.yaml file")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
-	createHelmReleaseCmd.Flags().Var(&hrValuesFrom, "values-from", hrValuesFrom.Description())
+	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.valuesFrom, "values-from", helmReleaseArgs.valuesFrom.Description())
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.crds, "crds", helmReleaseArgs.crds.Description())
 	createCmd.AddCommand(createHelmReleaseCmd)
 }
@@ -129,7 +144,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	if hrChart == "" {
+	if helmReleaseArgs.chart == "" {
 		return fmt.Errorf("chart name or path is required")
 	}
@@ -138,70 +153,95 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating HelmRelease")
 	}
 	helmRelease := helmv2.HelmRelease{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: rootArgs.namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: helmv2.HelmReleaseSpec{
-			ReleaseName: hrName,
+			ReleaseName: helmReleaseArgs.name,
-			DependsOn:   utils.MakeDependsOn(hrDependsOn),
+			DependsOn:   utils.MakeDependsOn(helmReleaseArgs.dependsOn),
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
-			TargetNamespace: hrTargetNamespace,
+			TargetNamespace: helmReleaseArgs.targetNamespace,
 			Chart: helmv2.HelmChartTemplate{
 				Spec: helmv2.HelmChartTemplateSpec{
-					Chart:   hrChart,
+					Chart:   helmReleaseArgs.chart,
-					Version: hrChartVersion,
+					Version: helmReleaseArgs.chartVersion,
 					SourceRef: helmv2.CrossNamespaceObjectReference{
-						Kind: hrSource.Kind,
+						Kind:      helmReleaseArgs.source.Kind,
-						Name: hrSource.Name,
+						Name:      helmReleaseArgs.source.Name,
 						Namespace: helmReleaseArgs.source.Namespace,
 					},
 				},
 			},
 			Install: &helmv2.Install{
 				CreateNamespace: helmReleaseArgs.createNamespace,
 			},
 			Suspend: false,
 		},
 	}
-	if hrSAName != "" {
+	if helmReleaseArgs.saName != "" {
-		helmRelease.Spec.ServiceAccountName = hrSAName
+		helmRelease.Spec.ServiceAccountName = helmReleaseArgs.saName
 	}
-	if hrValuesFile != "" {
+	if helmReleaseArgs.crds != "" {
-		data, err := ioutil.ReadFile(hrValuesFile)
+		helmRelease.Spec.Install.CRDs = helmv2.Create
-		if err != nil {
+		helmRelease.Spec.Upgrade = &helmv2.Upgrade{CRDs: helmv2.CRDsPolicy(helmReleaseArgs.crds.String())}
 			return fmt.Errorf("reading values from %s failed: %w", hrValuesFile, err)
 		}
 		json, err := yaml.YAMLToJSON(data)
 		if err != nil {
 			return fmt.Errorf("converting values to JSON from %s failed: %w", hrValuesFile, err)
 		}
 		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: json}
 	}
-	if hrValuesFrom.String() != "" {
+	if len(helmReleaseArgs.valuesFiles) > 0 {
 		valuesMap := make(map[string]interface{})
 		for _, v := range helmReleaseArgs.valuesFiles {
 			data, err := os.ReadFile(v)
 			if err != nil {
 				return fmt.Errorf("reading values from %s failed: %w", v, err)
 			}
 			jsonBytes, err := yaml.YAMLToJSON(data)
 			if err != nil {
 				return fmt.Errorf("converting values to JSON from %s failed: %w", v, err)
 			}
 			jsonMap := make(map[string]interface{})
 			if err := json.Unmarshal(jsonBytes, &jsonMap); err != nil {
 				return fmt.Errorf("unmarshaling values from %s failed: %w", v, err)
 			}
 			valuesMap = transform.MergeMaps(valuesMap, jsonMap)
 		}
 		jsonRaw, err := json.Marshal(valuesMap)
 		if err != nil {
 			return fmt.Errorf("marshaling values failed: %w", err)
 		}
 		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: jsonRaw}
 	}
 	if helmReleaseArgs.valuesFrom.String() != "" {
 		helmRelease.Spec.ValuesFrom = []helmv2.ValuesReference{{
-			Kind: hrValuesFrom.Kind,
+			Kind: helmReleaseArgs.valuesFrom.Kind,
-			Name: hrValuesFrom.Name,
+			Name: helmReleaseArgs.valuesFrom.Name,
 		}}
 	}
-	if export {
+	if createArgs.export {
-		return exportHelmRelease(helmRelease)
+		return printExport(exportHelmRelease(&helmRelease))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
@@ -213,7 +253,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for HelmRelease reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isHelmReleaseReady(ctx, kubeClient, namespacedName, &helmRelease)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_image.go
+++ b/cmd/flux/create_image.go
@@ -17,20 +17,17 @@ limitations under the License.
 package main
 import (
 	"strings"
 	"github.com/spf13/cobra"
 )
-const createImageLong = `
+const createImageLong = `The create image sub-commands work with image automation objects; that is,
 The create image sub-commands work with image automation objects; that is,
 object controlling updates to git based on e.g., new container images
 being available.`
 var createImageCmd = &cobra.Command{
 	Use:   "image",
 	Short: "Create or update resources dealing with image automation",
-	Long:  strings.TrimSpace(createImageLong),
+	Long:  createImageLong,
 }
 func init() {
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@@ -18,16 +18,21 @@ package main
 import (
 	"fmt"
 	"regexp/syntax"
 	"strings"
 	"unicode"
 	"unicode/utf8"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	"github.com/fluxcd/pkg/apis/meta"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var createImagePolicyCmd = &cobra.Command{
-	Use:   "policy <name>",
+	Use:   "policy [name]",
 	Short: "Create or update an ImagePolicy object",
 	Long: `The create image policy command generates an ImagePolicy resource.
 An ImagePolicy object calculates a "latest image" given an image
@@ -35,11 +40,27 @@ repository and a policy, e.g., semver.
 The image that sorts highest according to the policy is recorded in
 the status of the object.`,
 	Example: `  # Create an ImagePolicy to select the latest stable release
  flux create image policy podinfo \
    --image-ref=podinfo \
    --select-semver=">=1.0.0"
  # Create an ImagePolicy to select the latest main branch build tagged as "${GIT_BRANCH}-${GIT_SHA:0:7}-$(date +%s)"
  flux create image policy podinfo \
    --image-ref=podinfo \
    --select-numeric=asc \
 	--filter-regex='^main-[a-f0-9]+-(?P<ts>[0-9]+)' \
 	--filter-extract='$ts'`,
 	RunE: createImagePolicyRun}
 type imagePolicyFlags struct {
-	imageRef string
+	imageRef        string
-	semver   string
+	semver          string
 	alpha           string
 	numeric         string
 	filterRegex     string
 	filterExtract   string
 	filterNumerical string
 }
 var imagePolicyArgs = imagePolicyFlags{}
@@ -47,7 +68,11 @@ var imagePolicyArgs = imagePolicyFlags{}
 func init() {
 	flags := createImagePolicyCmd.Flags()
 	flags.StringVar(&imagePolicyArgs.imageRef, "image-ref", "", "the name of an image repository object")
-	flags.StringVar(&imagePolicyArgs.semver, "semver", "", "a semver range to apply to tags; e.g., '1.x'")
+	flags.StringVar(&imagePolicyArgs.semver, "select-semver", "", "a semver range to apply to tags; e.g., '1.x'")
 	flags.StringVar(&imagePolicyArgs.alpha, "select-alpha", "", "use alphabetical sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
 	flags.StringVar(&imagePolicyArgs.numeric, "select-numeric", "", "use numeric sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
 	flags.StringVar(&imagePolicyArgs.filterRegex, "filter-regex", "", "regular expression pattern used to filter the image tags")
 	flags.StringVar(&imagePolicyArgs.filterExtract, "filter-extract", "", "replacement pattern (using capture groups from --filter-regex) to use for sorting")
 	createImageCmd.AddCommand(createImagePolicyCmd)
 }
@@ -76,26 +101,63 @@ func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 	var policy = imagev1.ImagePolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
-			Namespace: namespace,
+			Namespace: rootArgs.namespace,
 			Labels:    labels,
 		},
 		Spec: imagev1.ImagePolicySpec{
-			ImageRepositoryRef: corev1.LocalObjectReference{
+			ImageRepositoryRef: meta.LocalObjectReference{
 				Name: imagePolicyArgs.imageRef,
 			},
 		},
 	}
 	switch {
 	case imagePolicyArgs.semver != "" && imagePolicyArgs.alpha != "":
 	case imagePolicyArgs.semver != "" && imagePolicyArgs.numeric != "":
 	case imagePolicyArgs.alpha != "" && imagePolicyArgs.numeric != "":
 		return fmt.Errorf("only one of --select-semver, --select-alpha or --select-numeric can be specified")
 	case imagePolicyArgs.semver != "":
 		policy.Spec.Policy.SemVer = &imagev1.SemVerPolicy{
 			Range: imagePolicyArgs.semver,
 		}
 	case imagePolicyArgs.alpha != "":
 		if imagePolicyArgs.alpha != "desc" && imagePolicyArgs.alpha != "asc" {
 			return fmt.Errorf("--select-alpha must be one of [\"asc\", \"desc\"]")
 		}
 		policy.Spec.Policy.Alphabetical = &imagev1.AlphabeticalPolicy{
 			Order: imagePolicyArgs.alpha,
 		}
 	case imagePolicyArgs.numeric != "":
 		if imagePolicyArgs.numeric != "desc" && imagePolicyArgs.numeric != "asc" {
 			return fmt.Errorf("--select-numeric must be one of [\"asc\", \"desc\"]")
 		}
 		policy.Spec.Policy.Numerical = &imagev1.NumericalPolicy{
 			Order: imagePolicyArgs.numeric,
 		}
 	default:
-		return fmt.Errorf("a policy must be provided with --semver")
+		return fmt.Errorf("a policy must be provided with either --select-semver or --select-alpha")
 	}
-	if export {
+	if imagePolicyArgs.filterRegex != "" {
 		exp, err := syntax.Parse(imagePolicyArgs.filterRegex, syntax.Perl)
 		if err != nil {
 			return fmt.Errorf("--filter-regex is an invalid regex pattern")
 		}
 		policy.Spec.FilterTags = &imagev1.TagFilter{
 			Pattern: imagePolicyArgs.filterRegex,
 		}
 		if imagePolicyArgs.filterExtract != "" {
 			if err := validateExtractStr(imagePolicyArgs.filterExtract, exp.CapNames()); err != nil {
 				return err
 			}
 			policy.Spec.FilterTags.Extract = imagePolicyArgs.filterExtract
 		}
 	} else if imagePolicyArgs.filterExtract != "" {
 		return fmt.Errorf("cannot specify --filter-extract without specifying --filter-regex")
 	}
 	if createArgs.export {
 		return printExport(exportImagePolicy(&policy))
 	}
@@ -108,3 +170,94 @@ func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 	})
 	return err
 }
 // Performs a dry-run of the extract function in Regexp to validate the template
 func validateExtractStr(template string, capNames []string) error {
 	for len(template) > 0 {
 		i := strings.Index(template, "$")
 		if i < 0 {
 			return nil
 		}
 		template = template[i:]
 		if len(template) > 1 && template[1] == '$' {
 			template = template[2:]
 			continue
 		}
 		name, num, rest, ok := extract(template)
 		if !ok {
 			// Malformed extract string, assume user didn't want this
 			template = template[1:]
 			return fmt.Errorf("--filter-extract is malformed")
 		}
 		template = rest
 		if num >= 0 {
 			// we won't worry about numbers as we can't validate these
 			continue
 		} else {
 			found := false
 			for _, capName := range capNames {
 				if name == capName {
 					found = true
 				}
 			}
 			if !found {
 				return fmt.Errorf("capture group $%s used in --filter-extract not found in --filter-regex", name)
 			}
 		}
 	}
 	return nil
 }
 // extract method from the regexp package
 // returns the name or number of the value prepended by $
 func extract(str string) (name string, num int, rest string, ok bool) {
 	if len(str) < 2 || str[0] != '$' {
 		return
 	}
 	brace := false
 	if str[1] == '{' {
 		brace = true
 		str = str[2:]
 	} else {
 		str = str[1:]
 	}
 	i := 0
 	for i < len(str) {
 		rune, size := utf8.DecodeRuneInString(str[i:])
 		if !unicode.IsLetter(rune) && !unicode.IsDigit(rune) && rune != '_' {
 			break
 		}
 		i += size
 	}
 	if i == 0 {
 		// empty name is not okay
 		return
 	}
 	name = str[:i]
 	if brace {
 		if i >= len(str) || str[i] != '}' {
 			// missing closing brace
 			return
 		}
 		i++
 	}
 	// Parse number.
 	num = 0
 	for i := 0; i < len(name); i++ {
 		if name[i] < '0' || '9' < name[i] || num >= 1e8 {
 			num = -1
 			break
 		}
 		num = num*10 + int(name[i]) - '0'
 	}
 	// Disallow leading zeros.
 	if name[0] == '0' && len(name) > 1 {
 		num = -1
 	}
 	rest = str[i:]
 	ok = true
 	return
 }
--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@@ -22,24 +22,50 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	"github.com/fluxcd/pkg/apis/meta"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var createImageRepositoryCmd = &cobra.Command{
-	Use:   "repository <name>",
+	Use:   "repository [name]",
 	Short: "Create or update an ImageRepository object",
 	Long: `The create image repository command generates an ImageRepository resource.
 An ImageRepository object specifies an image repository to scan.`,
 	Example: `  # Create an ImageRepository object to scan the alpine image repository:
  flux create image repository alpine-repo --image alpine --interval 20m
  # Create an image repository that uses an image pull secret (assumed to
  # have been created already):
  flux create image repository myapp-repo \
    --secret-ref image-pull \
    --image ghcr.io/example.com/myapp --interval 5m
  # Create a TLS secret for a local image registry using a self-signed
  # host certificate, and use it to scan an image. ca.pem is a file
  # containing the CA certificate used to sign the host certificate.
  flux create secret tls local-registry-cert --ca-file ./ca.pem
  flux create image repository app-repo \
    --cert-secret-ref local-registry-cert \
    --image local-registry:5000/app --interval 5m
  # Create a TLS secret with a client certificate and key, and use it
  # to scan a private image registry.
  flux create secret tls client-cert \
    --cert-file client.crt --key-file client.key
  flux create image repository app-repo \
    --cert-secret-ref client-cert \
    --image registry.example.com/private/app --interval 5m`,
 	RunE: createImageRepositoryRun,
 }
 type imageRepoFlags struct {
-	image     string
+	image         string
-	secretRef string
+	secretRef     string
-	timeout   time.Duration
+	certSecretRef string
 	timeout       time.Duration
 }
 var imageRepoArgs = imageRepoFlags{}
@@ -48,6 +74,7 @@ func init() {
 	flags := createImageRepositoryCmd.Flags()
 	flags.StringVar(&imageRepoArgs.image, "image", "", "the image repository to scan; e.g., library/alpine")
 	flags.StringVar(&imageRepoArgs.secretRef, "secret-ref", "", "the name of a docker-registry secret to use for credentials")
 	flags.StringVar(&imageRepoArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
 	// NB there is already a --timeout in the global flags, for
 	// controlling timeout on operations while e.g., creating objects.
 	flags.DurationVar(&imageRepoArgs.timeout, "scan-timeout", 0, "a timeout for scanning; this defaults to the interval if not set")
@@ -77,24 +104,29 @@ func createImageRepositoryRun(cmd *cobra.Command, args []string) error {
 	var repo = imagev1.ImageRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
-			Namespace: namespace,
+			Namespace: rootArgs.namespace,
 			Labels:    labels,
 		},
 		Spec: imagev1.ImageRepositorySpec{
 			Image:    imageRepoArgs.image,
-			Interval: metav1.Duration{Duration: interval},
+			Interval: metav1.Duration{Duration: createArgs.interval},
 		},
 	}
 	if imageRepoArgs.timeout != 0 {
 		repo.Spec.Timeout = &metav1.Duration{Duration: imageRepoArgs.timeout}
 	}
 	if imageRepoArgs.secretRef != "" {
-		repo.Spec.SecretRef = &corev1.LocalObjectReference{
+		repo.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: imageRepoArgs.secretRef,
 		}
 	}
 	if imageRepoArgs.certSecretRef != "" {
 		repo.Spec.CertSecretRef = &meta.LocalObjectReference{
 			Name: imageRepoArgs.certSecretRef,
 		}
 	}
-	if export {
+	if createArgs.export {
 		return printExport(exportImageRepository(&repo))
 	}
--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@@ -0,0 +1,165 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Create or update an ImageUpdateAutomation object",
 	Long: `The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
 mentioned in YAMLs in a git repository.`,
 	Example: `  # Configure image updates for the main repository created by flux bootstrap
  flux create image update flux-system \
    --git-repo-ref=flux-system \
    --git-repo-path="./clusters/my-cluster" \
    --checkout-branch=main \
    --author-name=flux \
    --author-email=flux@example.com \
    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
  # Configure image updates to push changes to a different branch, if the branch doesn't exists it will be created
  flux create image update flux-system \
    --git-repo-ref=flux-system \
    --git-repo-path="./clusters/my-cluster" \
    --checkout-branch=main \
    --push-branch=image-updates \
    --author-name=flux \
    --author-email=flux@example.com \
    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"`,
 	RunE: createImageUpdateRun,
 }
 type imageUpdateFlags struct {
 	gitRepoRef     string
 	gitRepoPath    string
 	checkoutBranch string
 	pushBranch     string
 	commitTemplate string
 	authorName     string
 	authorEmail    string
 }
 var imageUpdateArgs = imageUpdateFlags{}
 func init() {
 	flags := createImageUpdateCmd.Flags()
 	flags.StringVar(&imageUpdateArgs.gitRepoRef, "git-repo-ref", "", "the name of a GitRepository resource with details of the upstream Git repository")
 	flags.StringVar(&imageUpdateArgs.gitRepoPath, "git-repo-path", "", "path to the directory containing the manifests to be updated, defaults to the repository root")
 	flags.StringVar(&imageUpdateArgs.checkoutBranch, "checkout-branch", "", "the branch to checkout")
 	flags.StringVar(&imageUpdateArgs.pushBranch, "push-branch", "", "the branch to push commits to, defaults to the checkout branch if not specified")
 	flags.StringVar(&imageUpdateArgs.commitTemplate, "commit-template", "", "a template for commit messages")
 	flags.StringVar(&imageUpdateArgs.authorName, "author-name", "", "the name to use for commit author")
 	flags.StringVar(&imageUpdateArgs.authorEmail, "author-email", "", "the email to use for commit author")
 	createImageCmd.AddCommand(createImageUpdateCmd)
 }
 func createImageUpdateRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("ImageUpdateAutomation name is required")
 	}
 	objectName := args[0]
 	if imageUpdateArgs.gitRepoRef == "" {
 		return fmt.Errorf("a reference to a GitRepository is required (--git-repo-ref)")
 	}
 	if imageUpdateArgs.checkoutBranch == "" {
 		return fmt.Errorf("the Git repository branch is required (--checkout-branch)")
 	}
 	if imageUpdateArgs.authorName == "" {
 		return fmt.Errorf("the author name is required (--author-name)")
 	}
 	if imageUpdateArgs.authorEmail == "" {
 		return fmt.Errorf("the author email is required (--author-email)")
 	}
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	var update = autov1.ImageUpdateAutomation{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
 			Namespace: rootArgs.namespace,
 			Labels:    labels,
 		},
 		Spec: autov1.ImageUpdateAutomationSpec{
 			SourceRef: autov1.SourceReference{
 				Kind: sourcev1.GitRepositoryKind,
 				Name: imageUpdateArgs.gitRepoRef,
 			},
 			GitSpec: &autov1.GitSpec{
 				Checkout: &autov1.GitCheckoutSpec{
 					Reference: sourcev1.GitRepositoryRef{
 						Branch: imageUpdateArgs.checkoutBranch,
 					},
 				},
 				Commit: autov1.CommitSpec{
 					Author: autov1.CommitUser{
 						Name:  imageUpdateArgs.authorName,
 						Email: imageUpdateArgs.authorEmail,
 					},
 					MessageTemplate: imageUpdateArgs.commitTemplate,
 				},
 			},
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
 		},
 	}
 	if imageUpdateArgs.pushBranch != "" {
 		update.Spec.GitSpec.Push = &autov1.PushSpec{
 			Branch: imageUpdateArgs.pushBranch,
 		}
 	}
 	if imageUpdateArgs.gitRepoPath != "" {
 		update.Spec.Update = &autov1.UpdateStrategy{
 			Path:     imageUpdateArgs.gitRepoPath,
 			Strategy: autov1.UpdateStrategySetters,
 		}
 	}
 	if createArgs.export {
 		return printExport(exportImageUpdate(&update))
 	}
 	var existing autov1.ImageUpdateAutomation
 	copyName(&existing, &update)
 	err = imageUpdateAutomationType.upsertAndWait(imageUpdateAutomationAdapter{&existing}, func() error {
 		existing.Spec = update.Spec
 		existing.Labels = update.Labels
 		return nil
 	})
 	return err
 }
--- a/cmd/flux/create_image_updateauto.go
+++ b/cmd/flux/create_image_updateauto.go
@@ -1,113 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
 )
 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update <name>",
 	Short: "Create or update an ImageUpdateAutomation object",
 	Long: `The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
 mentioned in YAMLs in a git repository.`,
 	RunE: createImageUpdateRun,
 }
 type imageUpdateFlags struct {
 	// git checkout spec
 	gitRepoRef string
 	branch     string
 	// commit spec
 	commitTemplate string
 	authorName     string
 	authorEmail    string
 }
 var imageUpdateArgs = imageUpdateFlags{}
 func init() {
 	flags := createImageUpdateCmd.Flags()
 	flags.StringVar(&imageUpdateArgs.gitRepoRef, "git-repo-ref", "", "the name of a GitRepository resource with details of the upstream git repository")
 	flags.StringVar(&imageUpdateArgs.branch, "branch", "", "the branch to push commits to")
 	flags.StringVar(&imageUpdateArgs.commitTemplate, "commit-template", "", "a template for commit messages")
 	flags.StringVar(&imageUpdateArgs.authorName, "author-name", "", "the name to use for commit author")
 	flags.StringVar(&imageUpdateArgs.authorEmail, "author-email", "", "the email to use for commit author")
 	createImageCmd.AddCommand(createImageUpdateCmd)
 }
 func createImageUpdateRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("ImageUpdateAutomation name is required")
 	}
 	objectName := args[0]
 	if imageUpdateArgs.gitRepoRef == "" {
 		return fmt.Errorf("a reference to a GitRepository is required (--git-repo-ref)")
 	}
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	var update = autov1.ImageUpdateAutomation{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
 			Namespace: namespace,
 			Labels:    labels,
 		},
 		Spec: autov1.ImageUpdateAutomationSpec{
 			Checkout: autov1.GitCheckoutSpec{
 				GitRepositoryRef: corev1.LocalObjectReference{
 					Name: imageUpdateArgs.gitRepoRef,
 				},
 				Branch: imageUpdateArgs.branch,
 			},
 			Interval: metav1.Duration{Duration: interval},
 			Update: autov1.UpdateStrategy{
 				Setters: &autov1.SettersStrategy{},
 			},
 			Commit: autov1.CommitSpec{
 				AuthorName:      imageUpdateArgs.authorName,
 				AuthorEmail:     imageUpdateArgs.authorEmail,
 				MessageTemplate: imageUpdateArgs.commitTemplate,
 			},
 		},
 	}
 	if export {
 		return printExport(exportImageUpdate(&update))
 	}
 	var existing autov1.ImageUpdateAutomation
 	copyName(&existing, &update)
 	err = imageUpdateAutomationType.upsertAndWait(imageUpdateAutomationAdapter{&existing}, func() error {
 		existing.Spec = update.Spec
 		existing.Labels = update.Labels
 		return nil
 	})
 	return err
 }
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@@ -23,7 +23,6 @@ import (
 	"time"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,11 +30,12 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 )
 var createKsCmd = &cobra.Command{
@@ -45,7 +45,7 @@ var createKsCmd = &cobra.Command{
 	Long:    "The kustomization source create command generates a Kustomize resource for a given source.",
 	Example: `  # Create a Kustomization resource from a source at a given path
  flux create kustomization contour \
-    --source=contour \
+    --source=GitRepository/contour \
    --path="./examples/contour/" \
    --prune=true \
    --interval=10m \
@@ -57,7 +57,16 @@ var createKsCmd = &cobra.Command{
  # Create a Kustomization resource that depends on the previous one
  flux create kustomization webapp \
    --depends-on=contour \
-    --source=webapp \
+    --source=GitRepository/webapp \
    --path="./deploy/overlays/dev" \
    --prune=true \
    --interval=5m \
    --validation=client
  # Create a Kustomization using a source from a different namespace
  flux create kustomization podinfo \
    --namespace=default \
    --source=GitRepository/podinfo.flux-system \
    --path="./deploy/overlays/dev" \
    --prune=true \
    --interval=5m \
@@ -67,58 +76,65 @@ var createKsCmd = &cobra.Command{
  flux create kustomization secrets \
    --source=Bucket/secrets \
    --prune=true \
-    --interval=5m
+    --interval=5m`,
 `,
 	RunE: createKsCmdRun,
 }
-var (
+type kustomizationFlags struct {
-	ksSource             flags.KustomizationSource
+	source             flags.KustomizationSource
-	ksPath               flags.SafeRelativePath = "./"
+	path               flags.SafeRelativePath
-	ksPrune              bool
+	prune              bool
-	ksDependsOn          []string
+	dependsOn          []string
-	ksValidation         string
+	validation         string
-	ksHealthCheck        []string
+	healthCheck        []string
-	ksHealthTimeout      time.Duration
+	healthTimeout      time.Duration
-	ksSAName             string
+	saName             string
-	ksDecryptionProvider flags.DecryptionProvider
+	decryptionProvider flags.DecryptionProvider
-	ksDecryptionSecret   string
+	decryptionSecret   string
-	ksTargetNamespace    string
+	targetNamespace    string
-)
+}
 var kustomizationArgs = NewKustomizationFlags()
 func init() {
-	createKsCmd.Flags().Var(&ksSource, "source", ksSource.Description())
+	createKsCmd.Flags().Var(&kustomizationArgs.source, "source", kustomizationArgs.source.Description())
-	createKsCmd.Flags().Var(&ksPath, "path", "path to the directory containing a kustomization.yaml file")
+	createKsCmd.Flags().Var(&kustomizationArgs.path, "path", "path to the directory containing a kustomization.yaml file")
-	createKsCmd.Flags().BoolVar(&ksPrune, "prune", false, "enable garbage collection")
+	createKsCmd.Flags().BoolVar(&kustomizationArgs.prune, "prune", false, "enable garbage collection")
-	createKsCmd.Flags().StringArrayVar(&ksHealthCheck, "health-check", nil, "workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'")
+	createKsCmd.Flags().StringSliceVar(&kustomizationArgs.healthCheck, "health-check", nil, "workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'")
-	createKsCmd.Flags().DurationVar(&ksHealthTimeout, "health-check-timeout", 2*time.Minute, "timeout of health checking operations")
+	createKsCmd.Flags().DurationVar(&kustomizationArgs.healthTimeout, "health-check-timeout", 2*time.Minute, "timeout of health checking operations")
-	createKsCmd.Flags().StringVar(&ksValidation, "validation", "", "validate the manifests before applying them on the cluster, can be 'client' or 'server'")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.validation, "validation", "", "validate the manifests before applying them on the cluster, can be 'client' or 'server'")
-	createKsCmd.Flags().StringArrayVar(&ksDependsOn, "depends-on", nil, "Kustomization that must be ready before this Kustomization can be applied, supported formats '<name>' and '<namespace>/<name>'")
+	createKsCmd.Flags().StringSliceVar(&kustomizationArgs.dependsOn, "depends-on", nil, "Kustomization that must be ready before this Kustomization can be applied, supported formats '<name>' and '<namespace>/<name>', also accepts comma-separated values")
-	createKsCmd.Flags().StringVar(&ksSAName, "service-account", "", "the name of the service account to impersonate when reconciling this Kustomization")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this Kustomization")
-	createKsCmd.Flags().Var(&ksDecryptionProvider, "decryption-provider", ksDecryptionProvider.Description())
+	createKsCmd.Flags().Var(&kustomizationArgs.decryptionProvider, "decryption-provider", kustomizationArgs.decryptionProvider.Description())
-	createKsCmd.Flags().StringVar(&ksDecryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.decryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
-	createKsCmd.Flags().StringVar(&ksTargetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.targetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
 	createCmd.AddCommand(createKsCmd)
 }
 func NewKustomizationFlags() kustomizationFlags {
 	return kustomizationFlags{
 		path: "./",
 	}
 }
 func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("Kustomization name is required")
 	}
 	name := args[0]
-	if ksPath == "" {
+	if kustomizationArgs.path == "" {
 		return fmt.Errorf("path is required")
 	}
-	if !strings.HasPrefix(ksPath.String(), "./") {
+	if !strings.HasPrefix(kustomizationArgs.path.String(), "./") {
 		return fmt.Errorf("path must begin with ./")
 	}
-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Kustomization")
 	}
-	ksLabels, err := parseLabels()
+	kslabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
@@ -126,29 +142,30 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	kustomization := kustomizev1.Kustomization{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: rootArgs.namespace,
-			Labels:    ksLabels,
+			Labels:    kslabels,
 		},
 		Spec: kustomizev1.KustomizationSpec{
-			DependsOn: utils.MakeDependsOn(ksDependsOn),
+			DependsOn: utils.MakeDependsOn(kustomizationArgs.dependsOn),
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
-			Path:  ksPath.String(),
+			Path:  kustomizationArgs.path.ToSlash(),
-			Prune: ksPrune,
+			Prune: kustomizationArgs.prune,
 			SourceRef: kustomizev1.CrossNamespaceSourceReference{
-				Kind: ksSource.Kind,
+				Kind:      kustomizationArgs.source.Kind,
-				Name: ksSource.Name,
+				Name:      kustomizationArgs.source.Name,
 				Namespace: kustomizationArgs.source.Namespace,
 			},
 			Suspend:         false,
-			Validation:      ksValidation,
+			Validation:      kustomizationArgs.validation,
-			TargetNamespace: ksTargetNamespace,
+			TargetNamespace: kustomizationArgs.targetNamespace,
 		},
 	}
-	if len(ksHealthCheck) > 0 {
+	if len(kustomizationArgs.healthCheck) > 0 {
-		healthChecks := make([]kustomizev1.CrossNamespaceObjectReference, 0)
+		healthChecks := make([]meta.NamespacedObjectKindReference, 0)
-		for _, w := range ksHealthCheck {
+		for _, w := range kustomizationArgs.healthCheck {
 			kindObj := strings.Split(w, "/")
 			if len(kindObj) != 2 {
 				return fmt.Errorf("invalid health check '%s' must be in the format 'kind/name.namespace' %v", w, kindObj)
@@ -170,7 +187,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 				return fmt.Errorf("invalid health check '%s' must be in the format 'kind/name.namespace'", w)
 			}
-			check := kustomizev1.CrossNamespaceObjectReference{
+			check := meta.NamespacedObjectKindReference{
 				Kind:      kind,
 				Name:      nameNs[0],
 				Namespace: nameNs[1],
@@ -183,32 +200,32 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		kustomization.Spec.HealthChecks = healthChecks
 		kustomization.Spec.Timeout = &metav1.Duration{
-			Duration: ksHealthTimeout,
+			Duration: kustomizationArgs.healthTimeout,
 		}
 	}
-	if ksSAName != "" {
+	if kustomizationArgs.saName != "" {
-		kustomization.Spec.ServiceAccountName = ksSAName
+		kustomization.Spec.ServiceAccountName = kustomizationArgs.saName
 	}
-	if ksDecryptionProvider != "" {
+	if kustomizationArgs.decryptionProvider != "" {
 		kustomization.Spec.Decryption = &kustomizev1.Decryption{
-			Provider: ksDecryptionProvider.String(),
+			Provider: kustomizationArgs.decryptionProvider.String(),
 		}
-		if ksDecryptionSecret != "" {
+		if kustomizationArgs.decryptionSecret != "" {
-			kustomization.Spec.Decryption.SecretRef = &corev1.LocalObjectReference{Name: ksDecryptionSecret}
+			kustomization.Spec.Decryption.SecretRef = &meta.LocalObjectReference{Name: kustomizationArgs.decryptionSecret}
 		}
 	}
-	if export {
+	if createArgs.export {
-		return exportKs(kustomization)
+		return printExport(exportKs(&kustomization))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
@@ -220,7 +237,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for Kustomization reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isKustomizationReady(ctx, kubeClient, namespacedName, &kustomization)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_receiver.go
+++ b/cmd/flux/create_receiver.go
@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -29,9 +28,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
 )
 var createReceiverCmd = &cobra.Command{
@@ -45,23 +45,24 @@ var createReceiverCmd = &cobra.Command{
 	--event push \
 	--secret-ref webhook-token \
 	--resource GitRepository/webapp \
-	--resource HelmRepository/webapp
+	--resource HelmRepository/webapp`,
 `,
 	RunE: createReceiverCmdRun,
 }
-var (
+type receiverFlags struct {
-	rcvType      string
+	receiverType string
-	rcvSecretRef string
+	secretRef    string
-	rcvEvents    []string
+	events       []string
-	rcvResources []string
+	resources    []string
-)
+}
 var receiverArgs receiverFlags
 func init() {
-	createReceiverCmd.Flags().StringVar(&rcvType, "type", "", "")
+	createReceiverCmd.Flags().StringVar(&receiverArgs.receiverType, "type", "", "")
-	createReceiverCmd.Flags().StringVar(&rcvSecretRef, "secret-ref", "", "")
+	createReceiverCmd.Flags().StringVar(&receiverArgs.secretRef, "secret-ref", "", "")
-	createReceiverCmd.Flags().StringArrayVar(&rcvEvents, "event", []string{}, "")
+	createReceiverCmd.Flags().StringSliceVar(&receiverArgs.events, "event", []string{}, "also accepts comma-separated values")
-	createReceiverCmd.Flags().StringArrayVar(&rcvResources, "resource", []string{}, "")
+	createReceiverCmd.Flags().StringSliceVar(&receiverArgs.resources, "resource", []string{}, "also accepts comma-separated values")
 	createCmd.AddCommand(createReceiverCmd)
 }
@@ -71,16 +72,16 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	if rcvType == "" {
+	if receiverArgs.receiverType == "" {
 		return fmt.Errorf("Receiver type is required")
 	}
-	if rcvSecretRef == "" {
+	if receiverArgs.secretRef == "" {
 		return fmt.Errorf("secret ref is required")
 	}
 	resources := []notificationv1.CrossNamespaceObjectReference{}
-	for _, resource := range rcvResources {
+	for _, resource := range receiverArgs.resources {
 		kind, name := utils.ParseObjectKindName(resource)
 		if kind == "" {
 			return fmt.Errorf("invalid event source '%s', must be in format <kind>/<name>", resource)
@@ -101,35 +102,35 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Receiver")
 	}
 	receiver := notificationv1.Receiver{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: rootArgs.namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.ReceiverSpec{
-			Type:      rcvType,
+			Type:      receiverArgs.receiverType,
-			Events:    rcvEvents,
+			Events:    receiverArgs.events,
 			Resources: resources,
-			SecretRef: corev1.LocalObjectReference{
+			SecretRef: meta.LocalObjectReference{
-				Name: rcvSecretRef,
+				Name: receiverArgs.secretRef,
 			},
 			Suspend: false,
 		},
 	}
-	if export {
+	if createArgs.export {
-		return exportReceiver(receiver)
+		return printExport(exportReceiver(&receiver))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
@@ -141,7 +142,7 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for Receiver reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isReceiverReady(ctx, kubeClient, namespacedName, &receiver)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret.go
+++ b/cmd/flux/create_secret.go
@@ -17,12 +17,13 @@ limitations under the License.
 package main
 import (
-	"fmt"
+	"context"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
-	"sigs.k8s.io/yaml"
+	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 var createSecretCmd = &cobra.Command{
@@ -35,18 +36,28 @@ func init() {
 	createCmd.AddCommand(createSecretCmd)
 }
-func exportSecret(secret corev1.Secret) error {
+func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.Secret) error {
-	secret.TypeMeta = metav1.TypeMeta{
+	namespacedName := types.NamespacedName{
-		APIVersion: "v1",
+		Namespace: secret.GetNamespace(),
-		Kind:       "Secret",
+		Name:      secret.GetName(),
 	}
-	data, err := yaml.Marshal(secret)
+	var existing corev1.Secret
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, &secret); err != nil {
 				return err
 			} else {
 				return nil
 			}
 		}
 		return err
 	}
-	fmt.Println("---")
+	existing.StringData = secret.StringData
-	fmt.Println(resourceToString(data))
+	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return err
 	}
 	return nil
 }
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -24,17 +24,17 @@ import (
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 var createSecretGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Create or update a Kubernetes secret for Git authentication",
-	Long: `
+	Long: `The create secret git command generates a Kubernetes secret with Git credentials.
 The create secret git command generates a Kubernetes secret with Git credentials.
 For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
 For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
 	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
@@ -44,130 +44,146 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
    --ssh-key-algorithm=ecdsa \
    --ssh-ecdsa-curve=p521
  # Create a Git SSH authentication secret with a passwordless private key from file
  # The public SSH host key will still be gathered from the host
  flux create secret git podinfo-auth \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --private-key-file=./private.key
  # Create a Git SSH authentication secret with a passworded private key from file
  # The public SSH host key will still be gathered from the host
  flux create secret git podinfo-auth \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --private-key-file=./private.key \
    --password=<password>
  # Create a secret for a Git repository using basic authentication
  flux create secret git podinfo-auth \
    --url=https://github.com/stefanprodan/podinfo \
    --username=username \
    --password=password
-  # Create a Git SSH secret on disk and print the deploy key
+  # Create a Git SSH secret on disk
  flux create secret git podinfo-auth \
    --url=ssh://git@github.com/stefanprodan/podinfo \
-	--export > podinfo-auth.yaml
+    --export > podinfo-auth.yaml
-  yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
+  # Print the deploy key
-
+  yq eval '.stringData."identity.pub"' podinfo-auth.yaml
  # Create a Git SSH secret on disk and encrypt it with Mozilla SOPS
  flux create secret git podinfo-auth \
    --namespace=apps \
    --url=ssh://git@github.com/stefanprodan/podinfo \
 	--export > podinfo-auth.yaml
  # Encrypt the secret on disk with Mozilla SOPS
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
-    --in-place podinfo-auth.yaml
+    --in-place podinfo-auth.yaml`,
 `,
 	RunE: createSecretGitCmdRun,
 }
-var (
+type secretGitFlags struct {
-	secretGitURL          string
+	url            string
-	secretGitUsername     string
+	username       string
-	secretGitPassword     string
+	password       string
-	secretGitKeyAlgorithm flags.PublicKeyAlgorithm = "rsa"
+	keyAlgorithm   flags.PublicKeyAlgorithm
-	secretGitRSABits      flags.RSAKeyBits         = 2048
+	rsaBits        flags.RSAKeyBits
-	secretGitECDSACurve                            = flags.ECDSACurve{Curve: elliptic.P384()}
+	ecdsaCurve     flags.ECDSACurve
-)
+	caFile         string
 	privateKeyFile string
 }
 var secretGitArgs = NewSecretGitFlags()
 func init() {
-	createSecretGitCmd.Flags().StringVar(&secretGitURL, "url", "", "git address, e.g. ssh://git@host/org/repository")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.url, "url", "", "git address, e.g. ssh://git@host/org/repository")
-	createSecretGitCmd.Flags().StringVarP(&secretGitUsername, "username", "u", "", "basic authentication username")
+	createSecretGitCmd.Flags().StringVarP(&secretGitArgs.username, "username", "u", "", "basic authentication username")
-	createSecretGitCmd.Flags().StringVarP(&secretGitPassword, "password", "p", "", "basic authentication password")
+	createSecretGitCmd.Flags().StringVarP(&secretGitArgs.password, "password", "p", "", "basic authentication password")
-	createSecretGitCmd.Flags().Var(&secretGitKeyAlgorithm, "ssh-key-algorithm", sourceGitKeyAlgorithm.Description())
+	createSecretGitCmd.Flags().Var(&secretGitArgs.keyAlgorithm, "ssh-key-algorithm", secretGitArgs.keyAlgorithm.Description())
-	createSecretGitCmd.Flags().Var(&secretGitRSABits, "ssh-rsa-bits", sourceGitRSABits.Description())
+	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
-	createSecretGitCmd.Flags().Var(&secretGitECDSACurve, "ssh-ecdsa-curve", sourceGitECDSACurve.Description())
+	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSecretCmd.AddCommand(createSecretGitCmd)
 }
 func NewSecretGitFlags() secretGitFlags {
 	return secretGitFlags{
 		keyAlgorithm: flags.PublicKeyAlgorithm(sourcesecret.RSAPrivateKeyAlgorithm),
 		rsaBits:      2048,
 		ecdsaCurve:   flags.ECDSACurve{Curve: elliptic.P384()},
 	}
 }
 func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("secret name is required")
 	}
 	name := args[0]
-
+	if secretGitArgs.url == "" {
 	if secretGitURL == "" {
 		return fmt.Errorf("url is required")
 	}
-	u, err := url.Parse(secretGitURL)
+	u, err := url.Parse(secretGitArgs.url)
 	if err != nil {
 		return fmt.Errorf("git URL parse failed: %w", err)
 	}
-	secretLabels, err := parseLabels()
+	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	opts := sourcesecret.Options{
-	defer cancel()
+		Name:         name,
-
+		Namespace:    rootArgs.namespace,
-	secret := corev1.Secret{
+		Labels:       labels,
-		ObjectMeta: metav1.ObjectMeta{
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 			Name:      name,
 			Namespace: namespace,
 			Labels:    secretLabels,
 		},
 	}
 	switch u.Scheme {
 	case "ssh":
-		pair, err := generateKeyPair(ctx)
+		opts.SSHHostname = u.Host
-		if err != nil {
+		opts.PrivateKeyPath = secretGitArgs.privateKeyFile
-			return err
+		opts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(secretGitArgs.keyAlgorithm)
-		}
+		opts.RSAKeyBits = int(secretGitArgs.rsaBits)
-
+		opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
-		hostKey, err := scanHostKey(ctx, u)
+		opts.Password = secretGitArgs.password
 		if err != nil {
 			return err
 		}
 		secret.Data = map[string][]byte{
 			"identity":     pair.PrivateKey,
 			"identity.pub": pair.PublicKey,
 			"known_hosts":  hostKey,
 		}
 		if !export {
 			logger.Generatef("deploy key: %s", string(pair.PublicKey))
 		}
 	case "http", "https":
-		if secretGitUsername == "" || secretGitPassword == "" {
+		if secretGitArgs.username == "" || secretGitArgs.password == "" {
 			return fmt.Errorf("for Git over HTTP/S the username and password are required")
 		}
-
+		opts.Username = secretGitArgs.username
-		// TODO: add cert data when it's implemented in source-controller
+		opts.Password = secretGitArgs.password
-		secret.Data = map[string][]byte{
+		opts.CAFilePath = secretGitArgs.caFile
 			"username": []byte(secretGitUsername),
 			"password": []byte(secretGitPassword),
 		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
-	if export {
+	secret, err := sourcesecret.Generate(opts)
 		return exportSecret(secret)
 	}
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
-	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+	if createArgs.export {
 		fmt.Println(secret.Content)
 		return nil
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
-	logger.Actionf("secret '%s' created in '%s' namespace", name, namespace)
+
 	if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
 		logger.Generatef("deploy key: %s", ppk)
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("git secret '%s' created in '%s' namespace", name, rootArgs.namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@@ -0,0 +1,117 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 var createSecretHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a Kubernetes secret for Helm repository authentication",
 	Long:  `The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
 	Example: ` # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret helm repo-auth \
    --namespace=my-namespace \
    --username=my-username \
    --password=my-password \
    --export > repo-auth.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place repo-auth.yaml
  # Create a Helm authentication secret using a custom TLS cert
  flux create secret helm repo-auth \
    --username=username \
    --password=password \
    --cert-file=./cert.crt \
    --key-file=./key.crt \
    --ca-file=./ca.crt`,
 	RunE: createSecretHelmCmdRun,
 }
 type secretHelmFlags struct {
 	username string
 	password string
 	secretTLSFlags
 }
 var secretHelmArgs secretHelmFlags
 func init() {
 	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
 	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
 	initSecretTLSFlags(createSecretHelmCmd.Flags(), &secretHelmArgs.secretTLSFlags)
 	createSecretCmd.AddCommand(createSecretHelmCmd)
 }
 func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("secret name is required")
 	}
 	name := args[0]
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	opts := sourcesecret.Options{
 		Name:         name,
 		Namespace:    rootArgs.namespace,
 		Labels:       labels,
 		Username:     secretHelmArgs.username,
 		Password:     secretHelmArgs.password,
 		CAFilePath:   secretHelmArgs.caFile,
 		CertFilePath: secretHelmArgs.certFile,
 		KeyFilePath:  secretHelmArgs.keyFile,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		fmt.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("helm secret '%s' created in '%s' namespace", name, rootArgs.namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@@ -0,0 +1,114 @@
 /*
 Copyright 2020, 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 var createSecretTLSCmd = &cobra.Command{
 	Use:   "tls [name]",
 	Short: "Create or update a Kubernetes secret with TLS certificates",
 	Long:  `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
 	Example: ` # Create a TLS secret on disk and encrypt it with Mozilla SOPS.
  # Files are expected to be PEM-encoded.
  flux create secret tls certs \
    --namespace=my-namespace \
    --cert-file=./client.crt \
    --key-file=./client.key \
    --export > certs.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place certs.yaml`,
 	RunE: createSecretTLSCmdRun,
 }
 type secretTLSFlags struct {
 	certFile string
 	keyFile  string
 	caFile   string
 }
 var secretTLSArgs secretTLSFlags
 func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
 	flags.StringVar(&args.certFile, "cert-file", "", "TLS authentication cert file path")
 	flags.StringVar(&args.keyFile, "key-file", "", "TLS authentication key file path")
 	flags.StringVar(&args.caFile, "ca-file", "", "TLS authentication CA file path")
 }
 func init() {
 	flags := createSecretTLSCmd.Flags()
 	initSecretTLSFlags(flags, &secretTLSArgs)
 	createSecretCmd.AddCommand(createSecretTLSCmd)
 }
 func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("secret name is required")
 	}
 	name := args[0]
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	opts := sourcesecret.Options{
 		Name:         name,
 		Namespace:    rootArgs.namespace,
 		Labels:       labels,
 		CAFilePath:   secretTLSArgs.caFile,
 		CertFilePath: secretTLSArgs.certFile,
 		KeyFilePath:  secretTLSArgs.keyFile,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		fmt.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("tls secret '%s' created in '%s' namespace", name, rootArgs.namespace)
 	return nil
 }
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"github.com/spf13/cobra"
@@ -30,18 +29,19 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var createSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Create or update a Bucket source",
-	Long: `
+	Long: `The create source bucket command generates a Bucket resource and waits for it to be downloaded.
 The create source bucket command generates a Bucket resource and waits for it to be downloaded.
 For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`,
-	Example: `  # Create a source from a Buckets using static authentication
+	Example: `  # Create a source for a Bucket using static authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
    --endpoint=minio.minio.svc.cluster.local:9000 \
@@ -50,52 +50,59 @@ For Buckets with static authentication, the credentials are stored in a Kubernet
 	--secret-key=mysecretkey \
    --interval=10m
-  # Create a source from an Amazon S3 Bucket using IAM authentication
+  # Create a source for an Amazon S3 Bucket using IAM authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
 	--provider=aws \
    --endpoint=s3.amazonaws.com \
 	--region=us-east-1 \
-    --interval=10m
+    --interval=10m`,
 `,
 	RunE: createSourceBucketCmdRun,
 }
-var (
+type sourceBucketFlags struct {
-	sourceBucketName      string
+	name      string
-	sourceBucketProvider  = flags.SourceBucketProvider(sourcev1.GenericBucketProvider)
+	provider  flags.SourceBucketProvider
-	sourceBucketEndpoint  string
+	endpoint  string
-	sourceBucketAccessKey string
+	accessKey string
-	sourceBucketSecretKey string
+	secretKey string
-	sourceBucketRegion    string
+	region    string
-	sourceBucketInsecure  bool
+	insecure  bool
-	sourceBucketSecretRef string
+	secretRef string
-)
+}
 var sourceBucketArgs = NewSourceBucketFlags()
 func init() {
-	createSourceBucketCmd.Flags().Var(&sourceBucketProvider, "provider", sourceBucketProvider.Description())
+	createSourceBucketCmd.Flags().Var(&sourceBucketArgs.provider, "provider", sourceBucketArgs.provider.Description())
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketName, "bucket-name", "", "the bucket name")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.name, "bucket-name", "", "the bucket name")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketEndpoint, "endpoint", "", "the bucket endpoint address")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.endpoint, "endpoint", "", "the bucket endpoint address")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketAccessKey, "access-key", "", "the bucket access key")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.accessKey, "access-key", "", "the bucket access key")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretKey, "secret-key", "", "the bucket secret key")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretKey, "secret-key", "", "the bucket secret key")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketRegion, "region", "", "the bucket region")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.region, "region", "", "the bucket region")
-	createSourceBucketCmd.Flags().BoolVar(&sourceBucketInsecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
+	createSourceBucketCmd.Flags().BoolVar(&sourceBucketArgs.insecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretRef, "secret-ref", "", "the name of an existing secret containing credentials")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretRef, "secret-ref", "", "the name of an existing secret containing credentials")
 	createSourceCmd.AddCommand(createSourceBucketCmd)
 }
 func NewSourceBucketFlags() sourceBucketFlags {
 	return sourceBucketFlags{
 		provider: flags.SourceBucketProvider(sourcev1.GenericBucketProvider),
 	}
 }
 func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("Bucket source name is required")
 	}
 	name := args[0]
-	if sourceBucketName == "" {
+	if sourceBucketArgs.name == "" {
 		return fmt.Errorf("bucket-name is required")
 	}
-	if sourceBucketEndpoint == "" {
+	if sourceBucketArgs.endpoint == "" {
 		return fmt.Errorf("endpoint is required")
 	}
@@ -104,7 +111,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	tmpDir, err := ioutil.TempDir("", name)
+	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
@@ -113,55 +120,55 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	bucket := &sourcev1.Bucket{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: rootArgs.namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.BucketSpec{
-			BucketName: sourceBucketName,
+			BucketName: sourceBucketArgs.name,
-			Provider:   sourceBucketProvider.String(),
+			Provider:   sourceBucketArgs.provider.String(),
-			Insecure:   sourceBucketInsecure,
+			Insecure:   sourceBucketArgs.insecure,
-			Endpoint:   sourceBucketEndpoint,
+			Endpoint:   sourceBucketArgs.endpoint,
-			Region:     sourceBucketRegion,
+			Region:     sourceBucketArgs.region,
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
 		},
 	}
-	if sourceHelmSecretRef != "" {
+	if sourceHelmArgs.secretRef != "" {
-		bucket.Spec.SecretRef = &corev1.LocalObjectReference{
+		bucket.Spec.SecretRef = &meta.LocalObjectReference{
-			Name: sourceBucketSecretRef,
+			Name: sourceBucketArgs.secretRef,
 		}
 	}
-	if export {
+	if createArgs.export {
-		return exportBucket(*bucket)
+		return printExport(exportBucket(bucket))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
 	logger.Generatef("generating Bucket source")
-	if sourceBucketSecretRef == "" {
+	if sourceBucketArgs.secretRef == "" {
 		secretName := fmt.Sprintf("bucket-%s", name)
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      secretName,
-				Namespace: namespace,
+				Namespace: rootArgs.namespace,
 				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{},
 		}
-		if sourceBucketAccessKey != "" && sourceBucketSecretKey != "" {
+		if sourceBucketArgs.accessKey != "" && sourceBucketArgs.secretKey != "" {
-			secret.StringData["accesskey"] = sourceBucketAccessKey
+			secret.StringData["accesskey"] = sourceBucketArgs.accessKey
-			secret.StringData["secretkey"] = sourceBucketSecretKey
+			secret.StringData["secretkey"] = sourceBucketArgs.secretKey
 		}
 		if len(secret.StringData) > 0 {
@@ -169,7 +176,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 				return err
 			}
-			bucket.Spec.SecretRef = &corev1.LocalObjectReference{
+			bucket.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
 			logger.Successf("authentication configured")
@@ -183,7 +190,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for Bucket source reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isBucketReady(ctx, kubeClient, namespacedName, bucket)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@@ -20,15 +20,10 @@ import (
 	"context"
 	"crypto/elliptic"
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"time"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
@@ -39,15 +34,34 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
-	"github.com/fluxcd/pkg/ssh"
+	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 type sourceGitFlags struct {
 	url               string
 	branch            string
 	tag               string
 	semver            string
 	username          string
 	password          string
 	keyAlgorithm      flags.PublicKeyAlgorithm
 	keyRSABits        flags.RSAKeyBits
 	keyECDSACurve     flags.ECDSACurve
 	secretRef         string
 	gitImplementation flags.GitImplementation
 	caFile            string
 	privateKeyFile    string
 	recurseSubmodules bool
 }
 var createSourceGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Create or update a GitRepository source",
-	Long: `
+	Long: `The create source git command generates a GitRepository resource and waits for it to sync.
 The create source git command generates a GitRepository resource and waits for it to sync.
 For Git over SSH, host and SSH keys are automatically generated and stored in a Kubernetes secret.
 For private Git repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
 	Example: `  # Create a source from a public Git repository master branch
@@ -55,7 +69,7 @@ For private Git repositories, the basic authentication credentials are stored in
    --url=https://github.com/stefanprodan/podinfo \
    --branch=master
-  # Create a source from a Git repository pinned to specific git tag
+  # Create a source for a Git repository pinned to specific git tag
  flux create source git podinfo \
    --url=https://github.com/stefanprodan/podinfo \
    --tag="3.2.3"
@@ -65,12 +79,12 @@ For private Git repositories, the basic authentication credentials are stored in
    --url=https://github.com/stefanprodan/podinfo \
    --tag-semver=">=3.2.0 <3.3.0"
-  # Create a source from a Git repository using SSH authentication
+  # Create a source for a Git repository using SSH authentication
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --branch=master
-  # Create a source from a Git repository using SSH authentication and an
+  # Create a source for a Git repository using SSH authentication and an
  # ECDSA P-521 curve public key
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
@@ -78,193 +92,202 @@ For private Git repositories, the basic authentication credentials are stored in
    --ssh-key-algorithm=ecdsa \
    --ssh-ecdsa-curve=p521
-  # Create a source from a Git repository using basic authentication
+  # Create a source for a Git repository using SSH authentication and a
  #	passwordless private key from file
  # The public SSH host key will still be gathered from the host
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --branch=master \
    --private-key-file=./private.key
  # Create a source for a Git repository using SSH authentication and a
  # private key with a password from file
  # The public SSH host key will still be gathered from the host
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --branch=master \
    --private-key-file=./private.key \
    --password=<password>
  # Create a source for a Git repository using basic authentication
  flux create source git podinfo \
    --url=https://github.com/stefanprodan/podinfo \
    --username=username \
-    --password=password
+    --password=password`,
 `,
 	RunE: createSourceGitCmdRun,
 }
-var (
+var sourceGitArgs = newSourceGitFlags()
 	sourceGitURL      string
 	sourceGitBranch   string
 	sourceGitTag      string
 	sourceGitSemver   string
 	sourceGitUsername string
 	sourceGitPassword string
 	sourceGitKeyAlgorithm   flags.PublicKeyAlgorithm = "rsa"
 	sourceGitRSABits        flags.RSAKeyBits         = 2048
 	sourceGitECDSACurve                              = flags.ECDSACurve{Curve: elliptic.P384()}
 	sourceGitSecretRef      string
 	sourceGitImplementation string
 )
 func init() {
-	createSourceGitCmd.Flags().StringVar(&sourceGitURL, "url", "", "git address, e.g. ssh://git@host/org/repository")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.url, "url", "", "git address, e.g. ssh://git@host/org/repository")
-	createSourceGitCmd.Flags().StringVar(&sourceGitBranch, "branch", "master", "git branch")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
-	createSourceGitCmd.Flags().StringVar(&sourceGitTag, "tag", "", "git tag")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
-	createSourceGitCmd.Flags().StringVar(&sourceGitSemver, "tag-semver", "", "git tag semver range")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
-	createSourceGitCmd.Flags().StringVarP(&sourceGitUsername, "username", "u", "", "basic authentication username")
+	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
-	createSourceGitCmd.Flags().StringVarP(&sourceGitPassword, "password", "p", "", "basic authentication password")
+	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
-	createSourceGitCmd.Flags().Var(&sourceGitKeyAlgorithm, "ssh-key-algorithm", sourceGitKeyAlgorithm.Description())
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
-	createSourceGitCmd.Flags().Var(&sourceGitRSABits, "ssh-rsa-bits", sourceGitRSABits.Description())
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyRSABits, "ssh-rsa-bits", sourceGitArgs.keyRSABits.Description())
-	createSourceGitCmd.Flags().Var(&sourceGitECDSACurve, "ssh-ecdsa-curve", sourceGitECDSACurve.Description())
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyECDSACurve, "ssh-ecdsa-curve", sourceGitArgs.keyECDSACurve.Description())
-	createSourceGitCmd.Flags().StringVarP(&sourceGitSecretRef, "secret-ref", "", "", "the name of an existing secret containing SSH or basic credentials")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")
-	createSourceGitCmd.Flags().StringVar(&sourceGitImplementation, "git-implementation", "", "the git implementation to use, can be 'go-git' or 'libgit2'")
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.gitImplementation, "git-implementation", sourceGitArgs.gitImplementation.Description())
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSourceGitCmd.Flags().BoolVar(&sourceGitArgs.recurseSubmodules, "recurse-submodules", false,
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
 func newSourceGitFlags() sourceGitFlags {
 	return sourceGitFlags{
 		keyAlgorithm:  flags.PublicKeyAlgorithm(sourcesecret.RSAPrivateKeyAlgorithm),
 		keyRSABits:    2048,
 		keyECDSACurve: flags.ECDSACurve{Curve: elliptic.P384()},
 	}
 }
 func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("GitRepository source name is required")
 	}
 	name := args[0]
-	if sourceGitURL == "" {
+	if sourceGitArgs.url == "" {
 		return fmt.Errorf("url is required")
 	}
-	tmpDir, err := ioutil.TempDir("", name)
+	u, err := url.Parse(sourceGitArgs.url)
 	if err != nil {
 		return fmt.Errorf("git URL parse failed: %w", err)
 	}
 	if u.Scheme != "ssh" && u.Scheme != "http" && u.Scheme != "https" {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
 	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" {
 		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag or --tag-semver")
 	}
 	if sourceGitArgs.caFile != "" && u.Scheme == "ssh" {
 		return fmt.Errorf("specifing a CA file is not supported for Git over SSH")
 	}
 	if sourceGitArgs.recurseSubmodules && sourceGitArgs.gitImplementation == sourcev1.LibGit2Implementation {
 		return fmt.Errorf("recurse submodules requires --git-implementation=%s", sourcev1.GoGitImplementation)
 	}
 	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
 	u, err := url.Parse(sourceGitURL)
 	if err != nil {
 		return fmt.Errorf("git URL parse failed: %w", err)
 	}
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	if !utils.ContainsItemString([]string{sourcev1.GoGitImplementation, sourcev1.LibGit2Implementation, ""}, sourceGitImplementation) {
 		return fmt.Errorf("Invalid git implementation %q", sourceGitImplementation)
 	}
 	gitRepository := sourcev1.GitRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: rootArgs.namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.GitRepositorySpec{
-			URL: sourceGitURL,
+			URL: sourceGitArgs.url,
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
 			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
 			Reference:         &sourcev1.GitRepositoryRef{},
 			GitImplementation: sourceGitImplementation,
 		},
 	}
-	if sourceGitSemver != "" {
+	if sourceGitArgs.gitImplementation != "" {
-		gitRepository.Spec.Reference.SemVer = sourceGitSemver
+		gitRepository.Spec.GitImplementation = sourceGitArgs.gitImplementation.String()
-	} else if sourceGitTag != "" {
+	}
-		gitRepository.Spec.Reference.Tag = sourceGitTag
+
 	if sourceGitArgs.semver != "" {
 		gitRepository.Spec.Reference.SemVer = sourceGitArgs.semver
 	} else if sourceGitArgs.tag != "" {
 		gitRepository.Spec.Reference.Tag = sourceGitArgs.tag
 	} else {
-		gitRepository.Spec.Reference.Branch = sourceGitBranch
+		gitRepository.Spec.Reference.Branch = sourceGitArgs.branch
 	}
-	if export {
+	if sourceGitArgs.secretRef != "" {
-		if sourceGitSecretRef != "" {
+		gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
-			gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+			Name: sourceGitArgs.secretRef,
 				Name: sourceGitSecretRef,
 			}
 		}
 		return exportGit(gitRepository)
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	if createArgs.export {
 		return printExport(exportGit(&gitRepository))
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
 	withAuth := false
 	// TODO(hidde): move all auth prep to separate func?
 	if sourceGitSecretRef != "" {
 		withAuth = true
 	} else if u.Scheme == "ssh" {
 		logger.Generatef("generating deploy key pair")
 		pair, err := generateKeyPair(ctx)
 		if err != nil {
 			return err
 		}
 		logger.Successf("deploy key: %s", pair.PublicKey)
 		prompt := promptui.Prompt{
 			Label:     "Have you added the deploy key to your repository",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 		logger.Actionf("collecting preferred public key from SSH server")
 		hostKey, err := scanHostKey(ctx, u)
 		if err != nil {
 			return err
 		}
 		logger.Successf("collected public key from SSH server:\n%s", hostKey)
 		logger.Actionf("applying secret with keys")
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
 				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{
 				"identity":     string(pair.PrivateKey),
 				"identity.pub": string(pair.PublicKey),
 				"known_hosts":  string(hostKey),
 			},
 		}
 		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 			return err
 		}
 		withAuth = true
 	} else if sourceGitUsername != "" && sourceGitPassword != "" {
 		logger.Actionf("applying secret with basic auth credentials")
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
 				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{
 				"username": sourceGitUsername,
 				"password": sourceGitPassword,
 			},
 		}
 		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 			return err
 		}
 		withAuth = true
 	}
 	if withAuth {
 		logger.Successf("authentication configured")
 	}
 	logger.Generatef("generating GitRepository source")
-
+	if sourceGitArgs.secretRef == "" {
-	if withAuth {
+		secretOpts := sourcesecret.Options{
-		secretName := name
+			Name:         name,
-		if sourceGitSecretRef != "" {
+			Namespace:    rootArgs.namespace,
-			secretName = sourceGitSecretRef
+			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-		gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+		switch u.Scheme {
-			Name: secretName,
+		case "ssh":
 			secretOpts.SSHHostname = u.Host
 			secretOpts.PrivateKeyPath = sourceGitArgs.privateKeyFile
 			secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(sourceGitArgs.keyAlgorithm)
 			secretOpts.RSAKeyBits = int(sourceGitArgs.keyRSABits)
 			secretOpts.ECDSACurve = sourceGitArgs.keyECDSACurve.Curve
 			secretOpts.Password = sourceGitArgs.password
 		case "https":
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 			secretOpts.CAFilePath = sourceGitArgs.caFile
 		case "http":
 			logger.Warningf("insecure configuration: credentials configured for an HTTP URL")
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 		}
 		secret, err := sourcesecret.Generate(secretOpts)
 		if err != nil {
 			return err
 		}
 		var s corev1.Secret
 		if err = yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 			return err
 		}
 		if len(s.StringData) > 0 {
 			if hk, ok := s.StringData[sourcesecret.KnownHostsSecretKey]; ok {
 				logger.Successf("collected public key from SSH server:\n%s", hk)
 			}
 			if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
 				logger.Generatef("deploy key: %s", ppk)
 				prompt := promptui.Prompt{
 					Label:     "Have you added the deploy key to your repository",
 					IsConfirm: true,
 				}
 				if _, err := prompt.Run(); err != nil {
 					return fmt.Errorf("aborting")
 				}
 			}
 			logger.Actionf("applying secret with repository credentials")
 			if err := upsertSecret(ctx, kubeClient, s); err != nil {
 				return err
 			}
 			gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: s.Name,
 			}
 			logger.Successf("authentication configured")
 		}
 	}
@@ -275,7 +298,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for GitRepository source reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isGitRepositoryReady(ctx, kubeClient, namespacedName, &gitRepository)); err != nil {
 		return err
 	}
@@ -288,63 +311,6 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	return nil
 }
 func generateKeyPair(ctx context.Context) (*ssh.KeyPair, error) {
 	var keyGen ssh.KeyPairGenerator
 	switch algorithm := sourceGitKeyAlgorithm.String(); algorithm {
 	case "rsa":
 		keyGen = ssh.NewRSAGenerator(int(sourceGitRSABits))
 	case "ecdsa":
 		keyGen = ssh.NewECDSAGenerator(sourceGitECDSACurve.Curve)
 	case "ed25519":
 		keyGen = ssh.NewEd25519Generator()
 	default:
 		return nil, fmt.Errorf("unsupported public key algorithm: %s", algorithm)
 	}
 	pair, err := keyGen.Generate()
 	if err != nil {
 		return nil, fmt.Errorf("key pair generation failed, error: %w", err)
 	}
 	return pair, nil
 }
 func scanHostKey(ctx context.Context, url *url.URL) ([]byte, error) {
 	host := url.Host
 	if url.Port() == "" {
 		host = host + ":22"
 	}
 	hostKey, err := ssh.ScanHostKey(host, 30*time.Second)
 	if err != nil {
 		return nil, fmt.Errorf("SSH key scan for host %s failed, error: %w", host, err)
 	}
 	return hostKey, nil
 }
 func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.Secret) error {
 	namespacedName := types.NamespacedName{
 		Namespace: secret.GetNamespace(),
 		Name:      secret.GetName(),
 	}
 	var existing corev1.Secret
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, &secret); err != nil {
 				return err
 			} else {
 				return nil
 			}
 		}
 		return err
 	}
 	existing.StringData = secret.StringData
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return err
 	}
 	return nil
 }
 func upsertGitRepository(ctx context.Context, kubeClient client.Client,
 	gitRepository *sourcev1.GitRepository) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
@@ -32,56 +31,61 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/fluxcd/flux2/internal/utils"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 var createSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a HelmRepository source",
-	Long: `
+	Long: `The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
 The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
 For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
-	Example: `  # Create a source from a public Helm repository
+	Example: `  # Create a source for a public Helm repository
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --interval=10m
-  # Create a source from a Helm repository using basic authentication
+  # Create a source for a Helm repository using basic authentication
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --username=username \
    --password=password
-  # Create a source from a Helm repository using TLS authentication
+  # Create a source for a Helm repository using TLS authentication
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --cert-file=./cert.crt \
    --key-file=./key.crt \
-    --ca-file=./ca.crt
+    --ca-file=./ca.crt`,
 `,
 	RunE: createSourceHelmCmdRun,
 }
-var (
+type sourceHelmFlags struct {
-	sourceHelmURL       string
+	url             string
-	sourceHelmUsername  string
+	username        string
-	sourceHelmPassword  string
+	password        string
-	sourceHelmCertFile  string
+	certFile        string
-	sourceHelmKeyFile   string
+	keyFile         string
-	sourceHelmCAFile    string
+	caFile          string
-	sourceHelmSecretRef string
+	secretRef       string
-)
+	passCredentials bool
 }
 var sourceHelmArgs sourceHelmFlags
 func init() {
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmURL, "url", "", "Helm repository address")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.url, "url", "", "Helm repository address")
-	createSourceHelmCmd.Flags().StringVarP(&sourceHelmUsername, "username", "u", "", "basic authentication username")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.username, "username", "u", "", "basic authentication username")
-	createSourceHelmCmd.Flags().StringVarP(&sourceHelmPassword, "password", "p", "", "basic authentication password")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.password, "password", "p", "", "basic authentication password")
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmCertFile, "cert-file", "", "TLS authentication cert file path")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.certFile, "cert-file", "", "TLS authentication cert file path")
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmKeyFile, "key-file", "", "TLS authentication key file path")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmCAFile, "ca-file", "", "TLS authentication CA file path")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
-	createSourceHelmCmd.Flags().StringVarP(&sourceHelmSecretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
 	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")
 	createSourceCmd.AddCommand(createSourceHelmCmd)
 }
@@ -92,7 +96,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	if sourceHelmURL == "" {
+	if sourceHelmArgs.url == "" {
 		return fmt.Errorf("url is required")
 	}
@@ -101,96 +105,79 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	tmpDir, err := ioutil.TempDir("", name)
+	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
-	if _, err := url.Parse(sourceHelmURL); err != nil {
+	if _, err := url.Parse(sourceHelmArgs.url); err != nil {
 		return fmt.Errorf("url parse failed: %w", err)
 	}
 	helmRepository := &sourcev1.HelmRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: rootArgs.namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.HelmRepositorySpec{
-			URL: sourceHelmURL,
+			URL: sourceHelmArgs.url,
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
 		},
 	}
-	if sourceHelmSecretRef != "" {
+	if sourceHelmArgs.secretRef != "" {
-		helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+		helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
-			Name: sourceHelmSecretRef,
+			Name: sourceHelmArgs.secretRef,
 		}
 		helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 	}
-	if export {
+	if createArgs.export {
-		return exportHelmRepository(*helmRepository)
+		return printExport(exportHelmRepository(helmRepository))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
 	logger.Generatef("generating HelmRepository source")
-	if sourceHelmSecretRef == "" {
+	if sourceHelmArgs.secretRef == "" {
 		secretName := fmt.Sprintf("helm-%s", name)
-
+		secretOpts := sourcesecret.Options{
-		secret := corev1.Secret{
+			Name:         secretName,
-			ObjectMeta: metav1.ObjectMeta{
+			Namespace:    rootArgs.namespace,
-				Name:      secretName,
+			Username:     sourceHelmArgs.username,
-				Namespace: namespace,
+			Password:     sourceHelmArgs.password,
-				Labels:    sourceLabels,
+			CertFilePath: sourceHelmArgs.certFile,
-			},
+			KeyFilePath:  sourceHelmArgs.keyFile,
-			StringData: map[string]string{},
+			CAFilePath:   sourceHelmArgs.caFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-
+		secret, err := sourcesecret.Generate(secretOpts)
-		if sourceHelmUsername != "" && sourceHelmPassword != "" {
+		if err != nil {
-			secret.StringData["username"] = sourceHelmUsername
+			return err
 			secret.StringData["password"] = sourceHelmPassword
 		}
-
+		var s corev1.Secret
-		if sourceHelmCertFile != "" && sourceHelmKeyFile != "" {
+		if err = yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
-			cert, err := ioutil.ReadFile(sourceHelmCertFile)
+			return err
 			if err != nil {
 				return fmt.Errorf("failed to read repository cert file '%s': %w", sourceHelmCertFile, err)
 			}
 			secret.StringData["certFile"] = string(cert)
 			key, err := ioutil.ReadFile(sourceHelmKeyFile)
 			if err != nil {
 				return fmt.Errorf("failed to read repository key file '%s': %w", sourceHelmKeyFile, err)
 			}
 			secret.StringData["keyFile"] = string(key)
 		}
-
+		if len(s.StringData) > 0 {
 		if sourceHelmCAFile != "" {
 			ca, err := ioutil.ReadFile(sourceHelmCAFile)
 			if err != nil {
 				return fmt.Errorf("failed to read repository CA file '%s': %w", sourceHelmCAFile, err)
 			}
 			secret.StringData["caFile"] = string(ca)
 		}
 		if len(secret.StringData) > 0 {
 			logger.Actionf("applying secret with repository credentials")
-			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+			if err := upsertSecret(ctx, kubeClient, s); err != nil {
 				return err
 			}
-			helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+			helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
 			helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 			logger.Successf("authentication configured")
 		}
 	}
@@ -202,7 +189,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for HelmRepository source reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isHelmRepositoryReady(ctx, kubeClient, namespacedName, helmRepository)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@@ -37,8 +37,7 @@ import (
 var createTenantCmd = &cobra.Command{
 	Use:   "tenant",
 	Short: "Create or update a tenant",
-	Long: `
+	Long: `The create tenant command generates namespaces, service accounts and role bindings to limit the
 The create tenant command generates namespaces, service accounts and role bindings to limit the
 reconcilers scope to the tenant namespaces.`,
 	Example: `  # Create a tenant with access to a namespace 
  flux create tenant dev-team \
@@ -49,8 +48,7 @@ reconcilers scope to the tenant namespaces.`,
  flux create tenant dev-team \
    --with-namespace=frontend \
    --with-namespace=backend \
-	--export > dev-team.yaml
+	--export > dev-team.yaml`,
 `,
 	RunE: createTenantCmdRun,
 }
@@ -58,14 +56,16 @@ const (
 	tenantLabel = "toolkit.fluxcd.io/tenant"
 )
-var (
+type tenantFlags struct {
-	tenantNamespaces  []string
+	namespaces  []string
-	tenantClusterRole string
+	clusterRole string
-)
+}
 var tenantArgs tenantFlags
 func init() {
-	createTenantCmd.Flags().StringSliceVar(&tenantNamespaces, "with-namespace", nil, "namespace belonging to this tenant")
+	createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
-	createTenantCmd.Flags().StringVar(&tenantClusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
+	createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
 	createCmd.AddCommand(createTenantCmd)
 }
@@ -78,11 +78,11 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid tenant name '%s': %v", tenant, err)
 	}
-	if tenantClusterRole == "" {
+	if tenantArgs.clusterRole == "" {
 		return fmt.Errorf("cluster-role is required")
 	}
-	if tenantNamespaces == nil {
+	if tenantArgs.namespaces == nil {
 		return fmt.Errorf("with-namespace is required")
 	}
@@ -90,7 +90,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 	var accounts []corev1.ServiceAccount
 	var roleBindings []rbacv1.RoleBinding
-	for _, ns := range tenantNamespaces {
+	for _, ns := range tenantArgs.namespaces {
 		if err := validation.IsQualifiedName(ns); len(err) > 0 {
 			return fmt.Errorf("invalid namespace '%s': %v", ns, err)
 		}
@@ -141,14 +141,14 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 			RoleRef: rbacv1.RoleRef{
 				APIGroup: "rbac.authorization.k8s.io",
 				Kind:     "ClusterRole",
-				Name:     tenantClusterRole,
+				Name:     tenantArgs.clusterRole,
 			},
 		}
 		roleBindings = append(roleBindings, roleBinding)
 	}
-	if export {
+	if createArgs.export {
-		for i, _ := range tenantNamespaces {
+		for i := range tenantArgs.namespaces {
 			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i]); err != nil {
 				return err
 			}
@@ -156,15 +156,15 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
-	for i, _ := range tenantNamespaces {
+	for i := range tenantArgs.namespaces {
 		logger.Actionf("applying namespace %s", namespaces[i].Name)
 		if err := upsertNamespace(ctx, kubeClient, namespaces[i]); err != nil {
 			return err
--- a/cmd/flux/delete.go
+++ b/cmd/flux/delete.go
@@ -33,12 +33,14 @@ var deleteCmd = &cobra.Command{
 	Long:  "The delete sub-commands delete sources and resources.",
 }
-var (
+type deleteFlags struct {
-	deleteSilent bool
+	silent bool
-)
+}
 var deleteArgs deleteFlags
 func init() {
-	deleteCmd.PersistentFlags().BoolVarP(&deleteSilent, "silent", "s", false,
+	deleteCmd.PersistentFlags().BoolVarP(&deleteArgs.silent, "silent", "s", false,
 		"delete resource without asking for confirmation")
 	rootCmd.AddCommand(deleteCmd)
@@ -55,25 +57,25 @@ func (del deleteCommand) run(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
-		Namespace: namespace,
+		Namespace: rootArgs.namespace,
 		Name:      name,
 	}
-	err = kubeClient.Get(ctx, namespacedName, del.object.asRuntimeObject())
+	err = kubeClient.Get(ctx, namespacedName, del.object.asClientObject())
 	if err != nil {
 		return err
 	}
-	if !deleteSilent {
+	if !deleteArgs.silent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this " + del.humanKind,
 			IsConfirm: true,
@@ -83,8 +85,8 @@ func (del deleteCommand) run(cmd *cobra.Command, args []string) error {
 		}
 	}
-	logger.Actionf("deleting %s %s in %s namespace", del.humanKind, name, namespace)
+	logger.Actionf("deleting %s %s in %s namespace", del.humanKind, name, rootArgs.namespace)
-	err = kubeClient.Delete(ctx, del.object.asRuntimeObject())
+	err = kubeClient.Delete(ctx, del.object.asClientObject())
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/delete_alert.go
+++ b/cmd/flux/delete_alert.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -33,56 +27,13 @@ var deleteAlertCmd = &cobra.Command{
 	Short: "Delete a Alert resource",
 	Long:  "The delete alert command removes the given Alert from the cluster.",
 	Example: `  # Delete an Alert and the Kubernetes resources created by it
-  flux delete alert main
+  flux delete alert main`,
-`,
+	RunE: deleteCommand{
-	RunE: deleteAlertCmdRun,
+		apiType: alertType,
 		object:  universalAdapter{&notificationv1.Alert{}},
 	}.run,
 }
 func init() {
 	deleteCmd.AddCommand(deleteAlertCmd)
 }
 func deleteAlertCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("alert name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var alert notificationv1.Alert
 	err = kubeClient.Get(ctx, namespacedName, &alert)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this Alert",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting alert %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &alert)
 	if err != nil {
 		return err
 	}
 	logger.Successf("alert deleted")
 	return nil
 }
--- a/cmd/flux/delete_alertprovider.go
+++ b/cmd/flux/delete_alertprovider.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -33,56 +27,13 @@ var deleteAlertProviderCmd = &cobra.Command{
 	Short: "Delete a Provider resource",
 	Long:  "The delete alert-provider command removes the given Provider from the cluster.",
 	Example: `  # Delete a Provider and the Kubernetes resources created by it
-  flux delete alert-provider slack
+  flux delete alert-provider slack`,
-`,
+	RunE: deleteCommand{
-	RunE: deleteAlertProviderCmdRun,
+		apiType: alertProviderType,
 		object:  universalAdapter{&notificationv1.Provider{}},
 	}.run,
 }
 func init() {
 	deleteCmd.AddCommand(deleteAlertProviderCmd)
 }
 func deleteAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("provider name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var alertProvider notificationv1.Provider
 	err = kubeClient.Get(ctx, namespacedName, &alertProvider)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this Provider",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting provider %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &alertProvider)
 	if err != nil {
 		return err
 	}
 	logger.Successf("provider deleted")
 	return nil
 }
--- a/cmd/flux/delete_helmrelease.go
+++ b/cmd/flux/delete_helmrelease.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"github.com/fluxcd/flux2/internal/utils"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 )
@@ -34,59 +28,13 @@ var deleteHelmReleaseCmd = &cobra.Command{
 	Short:   "Delete a HelmRelease resource",
 	Long:    "The delete helmrelease command removes the given HelmRelease from the cluster.",
 	Example: `  # Delete a Helm release and the Kubernetes resources created by it
-  flux delete hr podinfo
+  flux delete hr podinfo`,
-`,
+	RunE: deleteCommand{
-	RunE: deleteHelmReleaseCmdRun,
+		apiType: helmReleaseType,
 		object:  universalAdapter{&helmv2.HelmRelease{}},
 	}.run,
 }
 func init() {
 	deleteCmd.AddCommand(deleteHelmReleaseCmd)
 }
 func deleteHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("release name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var helmRelease helmv2.HelmRelease
 	err = kubeClient.Get(ctx, namespacedName, &helmRelease)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		if !helmRelease.Spec.Suspend {
 			logger.Waitingf("This action will remove the Kubernetes objects previously applied by the %s Helm release!", name)
 		}
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this Helm release",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting release %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &helmRelease)
 	if err != nil {
 		return err
 	}
 	logger.Successf("release deleted")
 	return nil
 }
--- a/cmd/flux/delete_image.go
+++ b/cmd/flux/delete_image.go
@@ -20,12 +20,12 @@ import (
 	"github.com/spf13/cobra"
 )
-var deleteAutoCmd = &cobra.Command{
+var deleteImageCmd = &cobra.Command{
-	Use:   "auto",
+	Use:   "image",
-	Short: "Delete automation objects",
+	Short: "Delete image automation objects",
-	Long:  "The delete auto sub-commands delete automation objects.",
+	Long:  "The delete image sub-commands delete image automation objects.",
 }
 func init() {
-	deleteCmd.AddCommand(deleteAutoCmd)
+	deleteCmd.AddCommand(deleteImageCmd)
 }
--- a/cmd/flux/delete_image_policy.go
+++ b/cmd/flux/delete_image_policy.go
@@ -19,16 +19,15 @@ package main
 import (
 	"github.com/spf13/cobra"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var deleteImagePolicyCmd = &cobra.Command{
-	Use:   "image-policy [name]",
+	Use:   "policy [name]",
 	Short: "Delete an ImagePolicy object",
-	Long:  "The delete auto image-policy command deletes the given ImagePolicy from the cluster.",
+	Long:  "The delete image policy command deletes the given ImagePolicy from the cluster.",
 	Example: `  # Delete an image policy
-  flux delete auto image-policy alpine3.x
+  flux delete image policy alpine3.x`,
 `,
 	RunE: deleteCommand{
 		apiType: imagePolicyType,
 		object:  universalAdapter{&imagev1.ImagePolicy{}},
@@ -36,5 +35,5 @@ var deleteImagePolicyCmd = &cobra.Command{
 }
 func init() {
-	deleteAutoCmd.AddCommand(deleteImagePolicyCmd)
+	deleteImageCmd.AddCommand(deleteImagePolicyCmd)
 }
--- a/cmd/flux/delete_image_repository.go
+++ b/cmd/flux/delete_image_repository.go
@@ -19,16 +19,15 @@ package main
 import (
 	"github.com/spf13/cobra"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var deleteImageRepositoryCmd = &cobra.Command{
-	Use:   "image-repository [name]",
+	Use:   "repository [name]",
 	Short: "Delete an ImageRepository object",
-	Long:  "The delete auto image-repository command deletes the given ImageRepository from the cluster.",
+	Long:  "The delete image repository command deletes the given ImageRepository from the cluster.",
 	Example: `  # Delete an image repository
-  flux delete auto image-repository alpine
+  flux delete image repository alpine`,
 `,
 	RunE: deleteCommand{
 		apiType: imageRepositoryType,
 		object:  universalAdapter{&imagev1.ImageRepository{}},
@@ -36,5 +35,5 @@ var deleteImageRepositoryCmd = &cobra.Command{
 }
 func init() {
-	deleteAutoCmd.AddCommand(deleteImageRepositoryCmd)
+	deleteImageCmd.AddCommand(deleteImageRepositoryCmd)
 }
--- a/cmd/flux/delete_image_updateauto.go
+++ b/cmd/flux/delete_image_updateauto.go
@@ -19,16 +19,15 @@ package main
 import (
 	"github.com/spf13/cobra"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 )
 var deleteImageUpdateCmd = &cobra.Command{
-	Use:   "image-update [name]",
+	Use:   "update [name]",
 	Short: "Delete an ImageUpdateAutomation object",
-	Long:  "The delete auto image-update command deletes the given ImageUpdateAutomation from the cluster.",
+	Long:  "The delete image update command deletes the given ImageUpdateAutomation from the cluster.",
 	Example: `  # Delete an image update automation
-  flux delete auto image-update latest-images
+  flux delete image update latest-images`,
 `,
 	RunE: deleteCommand{
 		apiType: imageUpdateAutomationType,
 		object:  universalAdapter{&autov1.ImageUpdateAutomation{}},
@@ -36,5 +35,5 @@ var deleteImageUpdateCmd = &cobra.Command{
 }
 func init() {
-	deleteAutoCmd.AddCommand(deleteImageUpdateCmd)
+	deleteImageCmd.AddCommand(deleteImageUpdateCmd)
 }
--- a/cmd/flux/delete_kustomization.go
+++ b/cmd/flux/delete_kustomization.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/internal/utils"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 )
 var deleteKsCmd = &cobra.Command{
@@ -33,59 +28,13 @@ var deleteKsCmd = &cobra.Command{
 	Short:   "Delete a Kustomization resource",
 	Long:    "The delete kustomization command deletes the given Kustomization from the cluster.",
 	Example: `  # Delete a kustomization and the Kubernetes resources created by it
-  flux delete kustomization podinfo
+  flux delete kustomization podinfo`,
-`,
+	RunE: deleteCommand{
-	RunE: deleteKsCmdRun,
+		apiType: kustomizationType,
 		object:  universalAdapter{&kustomizev1.Kustomization{}},
 	}.run,
 }
 func init() {
 	deleteCmd.AddCommand(deleteKsCmd)
 }
 func deleteKsCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("kustomization name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var kustomization kustomizev1.Kustomization
 	err = kubeClient.Get(ctx, namespacedName, &kustomization)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		if !kustomization.Spec.Suspend {
 			logger.Waitingf("This action will remove the Kubernetes objects previously applied by the %s kustomization!", name)
 		}
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this kustomization",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting kustomization %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &kustomization)
 	if err != nil {
 		return err
 	}
 	logger.Successf("kustomization deleted")
 	return nil
 }
--- a/cmd/flux/delete_receiver.go
+++ b/cmd/flux/delete_receiver.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -33,56 +27,13 @@ var deleteReceiverCmd = &cobra.Command{
 	Short: "Delete a Receiver resource",
 	Long:  "The delete receiver command removes the given Receiver from the cluster.",
 	Example: `  # Delete an Receiver and the Kubernetes resources created by it
-  flux delete receiver main
+  flux delete receiver main`,
-`,
+	RunE: deleteCommand{
-	RunE: deleteReceiverCmdRun,
+		apiType: receiverType,
 		object:  universalAdapter{&notificationv1.Receiver{}},
 	}.run,
 }
 func init() {
 	deleteCmd.AddCommand(deleteReceiverCmd)
 }
 func deleteReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("receiver name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var receiver notificationv1.Receiver
 	err = kubeClient.Get(ctx, namespacedName, &receiver)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this Receiver",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting receiver %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &receiver)
 	if err != nil {
 		return err
 	}
 	logger.Successf("receiver deleted")
 	return nil
 }
--- a/cmd/flux/delete_source_bucket.go
+++ b/cmd/flux/delete_source_bucket.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var deleteSourceBucketCmd = &cobra.Command{
@@ -32,56 +27,13 @@ var deleteSourceBucketCmd = &cobra.Command{
 	Short: "Delete a Bucket source",
 	Long:  "The delete source bucket command deletes the given Bucket from the cluster.",
 	Example: `  # Delete a Bucket source
-  flux delete source bucket podinfo
+  flux delete source bucket podinfo`,
-`,
+	RunE: deleteCommand{
-	RunE: deleteSourceBucketCmdRun,
+		apiType: bucketType,
 		object:  universalAdapter{&sourcev1.Bucket{}},
 	}.run,
 }
 func init() {
 	deleteSourceCmd.AddCommand(deleteSourceBucketCmd)
 }
 func deleteSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var bucket sourcev1.Bucket
 	err = kubeClient.Get(ctx, namespacedName, &bucket)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this source",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting source %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &bucket)
 	if err != nil {
 		return err
 	}
 	logger.Successf("source deleted")
 	return nil
 }
--- a/cmd/flux/delete_source_git.go
+++ b/cmd/flux/delete_source_git.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var deleteSourceGitCmd = &cobra.Command{
@@ -32,56 +27,13 @@ var deleteSourceGitCmd = &cobra.Command{
 	Short: "Delete a GitRepository source",
 	Long:  "The delete source git command deletes the given GitRepository from the cluster.",
 	Example: `  # Delete a Git repository
-  flux delete source git podinfo
+  flux delete source git podinfo`,
-`,
+	RunE: deleteCommand{
-	RunE: deleteSourceGitCmdRun,
+		apiType: gitRepositoryType,
 		object:  universalAdapter{&sourcev1.GitRepository{}},
 	}.run,
 }
 func init() {
 	deleteSourceCmd.AddCommand(deleteSourceGitCmd)
 }
 func deleteSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("git name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var git sourcev1.GitRepository
 	err = kubeClient.Get(ctx, namespacedName, &git)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this source",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting source %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &git)
 	if err != nil {
 		return err
 	}
 	logger.Successf("source deleted")
 	return nil
 }
--- a/cmd/flux/delete_source_helm.go
+++ b/cmd/flux/delete_source_helm.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var deleteSourceHelmCmd = &cobra.Command{
@@ -32,56 +27,13 @@ var deleteSourceHelmCmd = &cobra.Command{
 	Short: "Delete a HelmRepository source",
 	Long:  "The delete source helm command deletes the given HelmRepository from the cluster.",
 	Example: `  # Delete a Helm repository
-  flux delete source helm podinfo
+  flux delete source helm podinfo`,
-`,
+	RunE: deleteCommand{
-	RunE: deleteSourceHelmCmdRun,
+		apiType: helmRepositoryType,
 		object:  universalAdapter{&sourcev1.HelmRepository{}},
 	}.run,
 }
 func init() {
 	deleteSourceCmd.AddCommand(deleteSourceHelmCmd)
 }
 func deleteSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var helmRepository sourcev1.HelmRepository
 	err = kubeClient.Get(ctx, namespacedName, &helmRepository)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this source",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting source %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &helmRepository)
 	if err != nil {
 		return err
 	}
 	logger.Successf("source deleted")
 	return nil
 }
--- a/cmd/flux/docgen.go
+++ b/cmd/flux/docgen.go
@@ -0,0 +1,69 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"path"
 	"path/filepath"
 	"strings"
 	"github.com/spf13/cobra"
 	"github.com/spf13/cobra/doc"
 )
 const fmTemplate = `---
 title: "%s"
 ---
 `
 var (
 	cmdDocPath string
 )
 var docgenCmd = &cobra.Command{
 	Use:    "docgen",
 	Short:  "Generate the documentation for the CLI commands.",
 	Hidden: true,
 	RunE:   docgenCmdRun,
 }
 func init() {
 	docgenCmd.Flags().StringVar(&cmdDocPath, "path", "./docs/cmd", "path to write the generated documentation to")
 	rootCmd.AddCommand(docgenCmd)
 }
 func docgenCmdRun(cmd *cobra.Command, args []string) error {
 	err := doc.GenMarkdownTreeCustom(rootCmd, cmdDocPath, frontmatterPrepender, linkHandler)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func frontmatterPrepender(filename string) string {
 	name := filepath.Base(filename)
 	base := strings.TrimSuffix(name, path.Ext(name))
 	title := strings.Replace(base, "_", " ", -1)
 	return fmt.Sprintf(fmTemplate, title)
 }
 func linkHandler(name string) string {
 	base := strings.TrimSuffix(name, path.Ext(name))
 	return "../" + strings.ToLower(base) + "/"
 }
--- a/cmd/flux/export.go
+++ b/cmd/flux/export.go
@@ -20,7 +20,6 @@ import (
 	"bytes"
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -35,12 +34,14 @@ var exportCmd = &cobra.Command{
 	Long:  "The export sub-commands export resources in YAML format.",
 }
-var (
+type exportFlags struct {
-	exportAll bool
+	all bool
-)
+}
 var exportArgs exportFlags
 func init() {
-	exportCmd.PersistentFlags().BoolVar(&exportAll, "all", false, "select all resources")
+	exportCmd.PersistentFlags().BoolVar(&exportArgs.all, "all", false, "select all resources")
 	rootCmd.AddCommand(exportCmd)
 }
@@ -55,8 +56,7 @@ type exportable interface {
 // exportableList represents a type that has a list of values, each of
 // which is exportable.
 type exportableList interface {
-	adapter
+	listAdapter
 	len() int
 	exportItem(i int) interface{}
 }
@@ -66,27 +66,26 @@ type exportCommand struct {
 }
 func (export exportCommand) run(cmd *cobra.Command, args []string) error {
-	if !exportAll && len(args) < 1 {
+	if !exportArgs.all && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
-	if exportAll {
+	if exportArgs.all {
-		err = kubeClient.List(ctx, export.list.asRuntimeObject(), client.InNamespace(namespace))
+		err = kubeClient.List(ctx, export.list.asClientList(), client.InNamespace(rootArgs.namespace))
 		if err != nil {
 			return err
 		}
 		if export.list.len() == 0 {
-			logger.Failuref("no objects found in %s namespace", namespace)
+			return fmt.Errorf("no objects found in %s namespace", rootArgs.namespace)
 			return nil
 		}
 		for i := 0; i < export.list.len(); i++ {
@@ -97,10 +96,10 @@ func (export exportCommand) run(cmd *cobra.Command, args []string) error {
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
-			Namespace: namespace,
+			Namespace: rootArgs.namespace,
 			Name:      name,
 		}
-		err = kubeClient.Get(ctx, namespacedName, export.object.asRuntimeObject())
+		err = kubeClient.Get(ctx, namespacedName, export.object.asClientObject())
 		if err != nil {
 			return err
 		}
--- a/cmd/flux/export_alert.go
+++ b/cmd/flux/export_alert.go
@@ -17,16 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -38,62 +31,18 @@ var exportAlertCmd = &cobra.Command{
  flux export alert --all > alerts.yaml
  # Export a Alert
-  flux export alert main > main.yaml
+  flux export alert main > main.yaml`,
-`,
+	RunE: exportCommand{
-	RunE: exportAlertCmdRun,
+		object: alertAdapter{&notificationv1.Alert{}},
 		list:   alertListAdapter{&notificationv1.AlertList{}},
 	}.run,
 }
 func init() {
 	exportCmd.AddCommand(exportAlertCmd)
 }
-func exportAlertCmdRun(cmd *cobra.Command, args []string) error {
+func exportAlert(alert *notificationv1.Alert) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list notificationv1.AlertList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no alerts found in %s namespace", namespace)
 			return nil
 		}
 		for _, alert := range list.Items {
 			if err := exportAlert(alert); err != nil {
 				return err
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var alert notificationv1.Alert
 		err = kubeClient.Get(ctx, namespacedName, &alert)
 		if err != nil {
 			return err
 		}
 		return exportAlert(alert)
 	}
 	return nil
 }
 func exportAlert(alert notificationv1.Alert) error {
 	gvk := notificationv1.GroupVersion.WithKind("Alert")
 	export := notificationv1.Alert{
 		TypeMeta: metav1.TypeMeta{
@@ -109,12 +58,13 @@ func exportAlert(alert notificationv1.Alert) error {
 		Spec: alert.Spec,
 	}
-	data, err := yaml.Marshal(export)
+	return export
-	if err != nil {
+}
-		return err
+
-	}
+func (ex alertAdapter) export() interface{} {
-
+	return exportAlert(ex.Alert)
-	fmt.Println("---")
+}
-	fmt.Println(resourceToString(data))
+
-	return nil
+func (ex alertListAdapter) exportItem(i int) interface{} {
 	return exportAlert(&ex.AlertList.Items[i])
 }
--- a/cmd/flux/export_alertprovider.go
+++ b/cmd/flux/export_alertprovider.go
@@ -17,16 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -38,62 +31,18 @@ var exportAlertProviderCmd = &cobra.Command{
  flux export alert-provider --all > alert-providers.yaml
  # Export a Provider
-  flux export alert-provider slack > slack.yaml
+  flux export alert-provider slack > slack.yaml`,
-`,
+	RunE: exportCommand{
-	RunE: exportAlertProviderCmdRun,
+		object: alertProviderAdapter{&notificationv1.Provider{}},
 		list:   alertProviderListAdapter{&notificationv1.ProviderList{}},
 	}.run,
 }
 func init() {
 	exportCmd.AddCommand(exportAlertProviderCmd)
 }
-func exportAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
+func exportAlertProvider(alertProvider *notificationv1.Provider) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list notificationv1.ProviderList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no alertproviders found in %s namespace", namespace)
 			return nil
 		}
 		for _, alertProvider := range list.Items {
 			if err := exportAlertProvider(alertProvider); err != nil {
 				return err
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var alertProvider notificationv1.Provider
 		err = kubeClient.Get(ctx, namespacedName, &alertProvider)
 		if err != nil {
 			return err
 		}
 		return exportAlertProvider(alertProvider)
 	}
 	return nil
 }
 func exportAlertProvider(alertProvider notificationv1.Provider) error {
 	gvk := notificationv1.GroupVersion.WithKind("Provider")
 	export := notificationv1.Provider{
 		TypeMeta: metav1.TypeMeta{
@@ -108,13 +57,13 @@ func exportAlertProvider(alertProvider notificationv1.Provider) error {
 		},
 		Spec: alertProvider.Spec,
 	}
-
+	return export
-	data, err := yaml.Marshal(export)
+}
-	if err != nil {
+
-		return err
+func (ex alertProviderAdapter) export() interface{} {
-	}
+	return exportAlertProvider(ex.Provider)
-
+}
-	fmt.Println("---")
+
-	fmt.Println(resourceToString(data))
+func (ex alertProviderListAdapter) exportItem(i int) interface{} {
-	return nil
+	return exportAlertProvider(&ex.ProviderList.Items[i])
 }
--- a/cmd/flux/export_helmrelease.go
+++ b/cmd/flux/export_helmrelease.go
@@ -17,16 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 )
@@ -39,62 +32,18 @@ var exportHelmReleaseCmd = &cobra.Command{
  flux export helmrelease --all > kustomizations.yaml
  # Export a HelmRelease
-  flux export hr my-app > app-release.yaml
+  flux export hr my-app > app-release.yaml`,
-`,
+	RunE: exportCommand{
-	RunE: exportHelmReleaseCmdRun,
+		object: helmReleaseAdapter{&helmv2.HelmRelease{}},
 		list:   helmReleaseListAdapter{&helmv2.HelmReleaseList{}},
 	}.run,
 }
 func init() {
 	exportCmd.AddCommand(exportHelmReleaseCmd)
 }
-func exportHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
+func exportHelmRelease(helmRelease *helmv2.HelmRelease) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list helmv2.HelmReleaseList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no helmrelease found in %s namespace", namespace)
 			return nil
 		}
 		for _, helmRelease := range list.Items {
 			if err := exportHelmRelease(helmRelease); err != nil {
 				return err
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var helmRelease helmv2.HelmRelease
 		err = kubeClient.Get(ctx, namespacedName, &helmRelease)
 		if err != nil {
 			return err
 		}
 		return exportHelmRelease(helmRelease)
 	}
 	return nil
 }
 func exportHelmRelease(helmRelease helmv2.HelmRelease) error {
 	gvk := helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)
 	export := helmv2.HelmRelease{
 		TypeMeta: metav1.TypeMeta{
@@ -109,13 +58,13 @@ func exportHelmRelease(helmRelease helmv2.HelmRelease) error {
 		},
 		Spec: helmRelease.Spec,
 	}
-
+	return export
-	data, err := yaml.Marshal(export)
+}
-	if err != nil {
+
-		return err
+func (ex helmReleaseAdapter) export() interface{} {
-	}
+	return exportHelmRelease(ex.HelmRelease)
-
+}
-	fmt.Println("---")
+
-	fmt.Println(resourceToString(data))
+func (ex helmReleaseListAdapter) exportItem(i int) interface{} {
-	return nil
+	return exportHelmRelease(&ex.HelmReleaseList.Items[i])
 }
--- a/cmd/flux/export_image_policy.go
+++ b/cmd/flux/export_image_policy.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var exportImagePolicyCmd = &cobra.Command{
@@ -31,8 +31,7 @@ var exportImagePolicyCmd = &cobra.Command{
  flux export image policy --all > image-policies.yaml
  # Export a specific policy
-  flux export image policy alpine1x > alpine1x.yaml
+  flux export image policy alpine1x > alpine1x.yaml`,
 `,
 	RunE: exportCommand{
 		object: imagePolicyAdapter{&imagev1.ImagePolicy{}},
 		list:   imagePolicyListAdapter{&imagev1.ImagePolicyList{}},
--- a/cmd/flux/export_image_repository.go
+++ b/cmd/flux/export_image_repository.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var exportImageRepositoryCmd = &cobra.Command{
@@ -31,8 +31,7 @@ var exportImageRepositoryCmd = &cobra.Command{
  flux export image repository --all > image-repositories.yaml
  # Export a specific ImageRepository resource
-  flux export image repository alpine > alpine.yaml
+  flux export image repository alpine > alpine.yaml`,
 `,
 	RunE: exportCommand{
 		object: imageRepositoryAdapter{&imagev1.ImageRepository{}},
 		list:   imageRepositoryListAdapter{&imagev1.ImageRepositoryList{}},
--- a/cmd/flux/export_image_updateauto.go
+++ b/cmd/flux/export_image_updateauto.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 )
 var exportImageUpdateCmd = &cobra.Command{
@@ -31,8 +31,7 @@ var exportImageUpdateCmd = &cobra.Command{
  flux export image update --all > updates.yaml
  # Export a specific automation
-  flux export image update latest-images > latest.yaml
+  flux export image update latest-images > latest.yaml`,
 `,
 	RunE: exportCommand{
 		object: imageUpdateAutomationAdapter{&autov1.ImageUpdateAutomation{}},
 		list:   imageUpdateAutomationListAdapter{&autov1.ImageUpdateAutomationList{}},
--- a/cmd/flux/export_kustomization.go
+++ b/cmd/flux/export_kustomization.go
@@ -17,16 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 )
@@ -39,62 +32,18 @@ var exportKsCmd = &cobra.Command{
  flux export kustomization --all > kustomizations.yaml
  # Export a Kustomization
-  flux export kustomization my-app > kustomization.yaml
+  flux export kustomization my-app > kustomization.yaml`,
-`,
+	RunE: exportCommand{
-	RunE: exportKsCmdRun,
+		object: kustomizationAdapter{&kustomizev1.Kustomization{}},
 		list:   kustomizationListAdapter{&kustomizev1.KustomizationList{}},
 	}.run,
 }
 func init() {
 	exportCmd.AddCommand(exportKsCmd)
 }
-func exportKsCmdRun(cmd *cobra.Command, args []string) error {
+func exportKs(kustomization *kustomizev1.Kustomization) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("kustomization name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list kustomizev1.KustomizationList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no kustomizations found in %s namespace", namespace)
 			return nil
 		}
 		for _, kustomization := range list.Items {
 			if err := exportKs(kustomization); err != nil {
 				return err
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var kustomization kustomizev1.Kustomization
 		err = kubeClient.Get(ctx, namespacedName, &kustomization)
 		if err != nil {
 			return err
 		}
 		return exportKs(kustomization)
 	}
 	return nil
 }
 func exportKs(kustomization kustomizev1.Kustomization) error {
 	gvk := kustomizev1.GroupVersion.WithKind("Kustomization")
 	export := kustomizev1.Kustomization{
 		TypeMeta: metav1.TypeMeta{
@@ -110,12 +59,13 @@ func exportKs(kustomization kustomizev1.Kustomization) error {
 		Spec: kustomization.Spec,
 	}
-	data, err := yaml.Marshal(export)
+	return export
-	if err != nil {
+}
-		return err
+
-	}
+func (ex kustomizationAdapter) export() interface{} {
-
+	return exportKs(ex.Kustomization)
-	fmt.Println("---")
+}
-	fmt.Println(resourceToString(data))
+
-	return nil
+func (ex kustomizationListAdapter) exportItem(i int) interface{} {
 	return exportKs(&ex.KustomizationList.Items[i])
 }
--- a/cmd/flux/export_receiver.go
+++ b/cmd/flux/export_receiver.go
@@ -17,16 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -38,62 +31,18 @@ var exportReceiverCmd = &cobra.Command{
  flux export receiver --all > receivers.yaml
  # Export a Receiver
-  flux export receiver main > main.yaml
+  flux export receiver main > main.yaml`,
-`,
+	RunE: exportCommand{
-	RunE: exportReceiverCmdRun,
+		list:   receiverListAdapter{&notificationv1.ReceiverList{}},
 		object: receiverAdapter{&notificationv1.Receiver{}},
 	}.run,
 }
 func init() {
 	exportCmd.AddCommand(exportReceiverCmd)
 }
-func exportReceiverCmdRun(cmd *cobra.Command, args []string) error {
+func exportReceiver(receiver *notificationv1.Receiver) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list notificationv1.ReceiverList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no receivers found in %s namespace", namespace)
 			return nil
 		}
 		for _, receiver := range list.Items {
 			if err := exportReceiver(receiver); err != nil {
 				return err
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var receiver notificationv1.Receiver
 		err = kubeClient.Get(ctx, namespacedName, &receiver)
 		if err != nil {
 			return err
 		}
 		return exportReceiver(receiver)
 	}
 	return nil
 }
 func exportReceiver(receiver notificationv1.Receiver) error {
 	gvk := notificationv1.GroupVersion.WithKind("Receiver")
 	export := notificationv1.Receiver{
 		TypeMeta: metav1.TypeMeta{
@@ -109,12 +58,13 @@ func exportReceiver(receiver notificationv1.Receiver) error {
 		Spec: receiver.Spec,
 	}
-	data, err := yaml.Marshal(export)
+	return export
-	if err != nil {
+}
-		return err
+
-	}
+func (ex receiverAdapter) export() interface{} {
-
+	return exportReceiver(ex.Receiver)
-	fmt.Println("---")
+}
-	fmt.Println(resourceToString(data))
+
-	return nil
+func (ex receiverListAdapter) exportItem(i int) interface{} {
 	return exportReceiver(&ex.ReceiverList.Items[i])
 }
--- a/cmd/flux/export_secret.go
+++ b/cmd/flux/export_secret.go
@@ -0,0 +1,134 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/internal/utils"
 )
 // exportableWithSecret represents a type that you can fetch from the Kubernetes
 // API, get a secretRef from the spec, then tidy up for serialising.
 type exportableWithSecret interface {
 	adapter
 	exportable
 	secret() *types.NamespacedName
 }
 // exportableWithSecretList represents a type that has a list of values, each of
 // which is exportableWithSecret.
 type exportableWithSecretList interface {
 	listAdapter
 	exportableList
 	secretItem(i int) *types.NamespacedName
 }
 type exportWithSecretCommand struct {
 	apiType
 	object exportableWithSecret
 	list   exportableWithSecretList
 }
 func (export exportWithSecretCommand) run(cmd *cobra.Command, args []string) error {
 	if !exportArgs.all && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportArgs.all {
 		err = kubeClient.List(ctx, export.list.asClientList(), client.InNamespace(rootArgs.namespace))
 		if err != nil {
 			return err
 		}
 		if export.list.len() == 0 {
 			return fmt.Errorf("no objects found in %s namespace", rootArgs.namespace)
 		}
 		for i := 0; i < export.list.len(); i++ {
 			if err = printExport(export.list.exportItem(i)); err != nil {
 				return err
 			}
 			if exportSourceWithCred {
 				if export.list.secretItem(i) != nil {
 					namespacedName := *export.list.secretItem(i)
 					return printSecretCredentials(ctx, kubeClient, namespacedName)
 				}
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: rootArgs.namespace,
 			Name:      name,
 		}
 		err = kubeClient.Get(ctx, namespacedName, export.object.asClientObject())
 		if err != nil {
 			return err
 		}
 		if err := printExport(export.object.export()); err != nil {
 			return err
 		}
 		if exportSourceWithCred {
 			if export.object.secret() != nil {
 				namespacedName := *export.object.secret()
 				return printSecretCredentials(ctx, kubeClient, namespacedName)
 			}
 		}
 	}
 	return nil
 }
 func printSecretCredentials(ctx context.Context, kubeClient client.Client, nsName types.NamespacedName) error {
 	var cred corev1.Secret
 	err := kubeClient.Get(ctx, nsName, &cred)
 	if err != nil {
 		return fmt.Errorf("failed to retrieve secret %s, error: %w", nsName.Name, err)
 	}
 	exported := corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "v1",
 			Kind:       "Secret",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      nsName.Name,
 			Namespace: nsName.Namespace,
 		},
 		Data: cred.Data,
 		Type: cred.Type,
 	}
 	return printExport(exported)
 }
--- a/cmd/flux/export_source_bucket.go
+++ b/cmd/flux/export_source_bucket.go
@@ -17,94 +17,33 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var exportSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Export Bucket sources in YAML format",
-	Long:  "The export source git command exports on or all Bucket sources in YAML format.",
+	Long:  "The export source git command exports one or all Bucket sources in YAML format.",
 	Example: `  # Export all Bucket sources
  flux export source bucket --all > sources.yaml
  # Export a Bucket source including the static credentials
-  flux export source bucket my-bucket --with-credentials > source.yaml
+  flux export source bucket my-bucket --with-credentials > source.yaml`,
-`,
+	RunE: exportWithSecretCommand{
-	RunE: exportSourceBucketCmdRun,
+		list:   bucketListAdapter{&sourcev1.BucketList{}},
 		object: bucketAdapter{&sourcev1.Bucket{}},
 	}.run,
 }
 func init() {
 	exportSourceCmd.AddCommand(exportSourceBucketCmd)
 }
-func exportSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
+func exportBucket(source *sourcev1.Bucket) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list sourcev1.BucketList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no source found in %s namespace", namespace)
 			return nil
 		}
 		for _, bucket := range list.Items {
 			if err := exportBucket(bucket); err != nil {
 				return err
 			}
 			if exportSourceWithCred {
 				if err := exportBucketCredentials(ctx, kubeClient, bucket); err != nil {
 					return err
 				}
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var bucket sourcev1.Bucket
 		err = kubeClient.Get(ctx, namespacedName, &bucket)
 		if err != nil {
 			return err
 		}
 		if err := exportBucket(bucket); err != nil {
 			return err
 		}
 		if exportSourceWithCred {
 			return exportBucketCredentials(ctx, kubeClient, bucket)
 		}
 	}
 	return nil
 }
 func exportBucket(source sourcev1.Bucket) error {
 	gvk := sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)
 	export := sourcev1.Bucket{
 		TypeMeta: metav1.TypeMeta{
@@ -119,49 +58,34 @@ func exportBucket(source sourcev1.Bucket) error {
 		},
 		Spec: source.Spec,
 	}
-
+	return export
 	data, err := yaml.Marshal(export)
 	if err != nil {
 		return err
 	}
 	fmt.Println("---")
 	fmt.Println(resourceToString(data))
 	return nil
 }
-func exportBucketCredentials(ctx context.Context, kubeClient client.Client, source sourcev1.Bucket) error {
+func getBucketSecret(source *sourcev1.Bucket) *types.NamespacedName {
 	if source.Spec.SecretRef != nil {
 		namespacedName := types.NamespacedName{
 			Namespace: source.Namespace,
 			Name:      source.Spec.SecretRef.Name,
 		}
 		var cred corev1.Secret
 		err := kubeClient.Get(ctx, namespacedName, &cred)
 		if err != nil {
 			return fmt.Errorf("failed to retrieve secret %s, error: %w", namespacedName.Name, err)
 		}
-		exported := corev1.Secret{
+		return &namespacedName
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: "v1",
 				Kind:       "Secret",
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      namespacedName.Name,
 				Namespace: namespacedName.Namespace,
 			},
 			Data: cred.Data,
 			Type: cred.Type,
 		}
 		data, err := yaml.Marshal(exported)
 		if err != nil {
 			return err
 		}
 		fmt.Println("---")
 		fmt.Println(resourceToString(data))
 	}
 	return nil
 }
 func (ex bucketAdapter) secret() *types.NamespacedName {
 	return getBucketSecret(ex.Bucket)
 }
 func (ex bucketListAdapter) secretItem(i int) *types.NamespacedName {
 	return getBucketSecret(&ex.BucketList.Items[i])
 }
 func (ex bucketAdapter) export() interface{} {
 	return exportBucket(ex.Bucket)
 }
 func (ex bucketListAdapter) exportItem(i int) interface{} {
 	return exportBucket(&ex.BucketList.Items[i])
 }
--- a/cmd/flux/export_source_git.go
+++ b/cmd/flux/export_source_git.go
@@ -17,94 +17,33 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var exportSourceGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Export GitRepository sources in YAML format",
-	Long:  "The export source git command exports on or all GitRepository sources in YAML format.",
+	Long:  "The export source git command exports one or all GitRepository sources in YAML format.",
 	Example: `  # Export all GitRepository sources
  flux export source git --all > sources.yaml
  # Export a GitRepository source including the SSH key pair or basic auth credentials
-  flux export source git my-private-repo --with-credentials > source.yaml
+  flux export source git my-private-repo --with-credentials > source.yaml`,
-`,
+	RunE: exportWithSecretCommand{
-	RunE: exportSourceGitCmdRun,
+		object: gitRepositoryAdapter{&sourcev1.GitRepository{}},
 		list:   gitRepositoryListAdapter{&sourcev1.GitRepositoryList{}},
 	}.run,
 }
 func init() {
 	exportSourceCmd.AddCommand(exportSourceGitCmd)
 }
-func exportSourceGitCmdRun(cmd *cobra.Command, args []string) error {
+func exportGit(source *sourcev1.GitRepository) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list sourcev1.GitRepositoryList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no source found in %s namespace", namespace)
 			return nil
 		}
 		for _, repository := range list.Items {
 			if err := exportGit(repository); err != nil {
 				return err
 			}
 			if exportSourceWithCred {
 				if err := exportGitCredentials(ctx, kubeClient, repository); err != nil {
 					return err
 				}
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var repository sourcev1.GitRepository
 		err = kubeClient.Get(ctx, namespacedName, &repository)
 		if err != nil {
 			return err
 		}
 		if err := exportGit(repository); err != nil {
 			return err
 		}
 		if exportSourceWithCred {
 			return exportGitCredentials(ctx, kubeClient, repository)
 		}
 	}
 	return nil
 }
 func exportGit(source sourcev1.GitRepository) error {
 	gvk := sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)
 	export := sourcev1.GitRepository{
 		TypeMeta: metav1.TypeMeta{
@@ -120,48 +59,33 @@ func exportGit(source sourcev1.GitRepository) error {
 		Spec: source.Spec,
 	}
-	data, err := yaml.Marshal(export)
+	return export
 	if err != nil {
 		return err
 	}
 	fmt.Println("---")
 	fmt.Println(resourceToString(data))
 	return nil
 }
-func exportGitCredentials(ctx context.Context, kubeClient client.Client, source sourcev1.GitRepository) error {
+func getGitSecret(source *sourcev1.GitRepository) *types.NamespacedName {
 	if source.Spec.SecretRef != nil {
 		namespacedName := types.NamespacedName{
 			Namespace: source.Namespace,
 			Name:      source.Spec.SecretRef.Name,
 		}
-		var cred corev1.Secret
+		return &namespacedName
 		err := kubeClient.Get(ctx, namespacedName, &cred)
 		if err != nil {
 			return fmt.Errorf("failed to retrieve secret %s, error: %w", namespacedName.Name, err)
 		}
 		exported := corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: "v1",
 				Kind:       "Secret",
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      namespacedName.Name,
 				Namespace: namespacedName.Namespace,
 			},
 			Data: cred.Data,
 			Type: cred.Type,
 		}
 		data, err := yaml.Marshal(exported)
 		if err != nil {
 			return err
 		}
 		fmt.Println("---")
 		fmt.Println(resourceToString(data))
 	}
 	return nil
 }
 func (ex gitRepositoryAdapter) secret() *types.NamespacedName {
 	return getGitSecret(ex.GitRepository)
 }
 func (ex gitRepositoryListAdapter) secretItem(i int) *types.NamespacedName {
 	return getGitSecret(&ex.GitRepositoryList.Items[i])
 }
 func (ex gitRepositoryAdapter) export() interface{} {
 	return exportGit(ex.GitRepository)
 }
 func (ex gitRepositoryListAdapter) exportItem(i int) interface{} {
 	return exportGit(&ex.GitRepositoryList.Items[i])
 }
--- a/cmd/flux/export_source_helm.go
+++ b/cmd/flux/export_source_helm.go
@@ -17,94 +17,33 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var exportSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Export HelmRepository sources in YAML format",
-	Long:  "The export source git command exports on or all HelmRepository sources in YAML format.",
+	Long:  "The export source git command exports one or all HelmRepository sources in YAML format.",
 	Example: `  # Export all HelmRepository sources
  flux export source helm --all > sources.yaml
  # Export a HelmRepository source including the basic auth credentials
-  flux export source helm my-private-repo --with-credentials > source.yaml
+  flux export source helm my-private-repo --with-credentials > source.yaml`,
-`,
+	RunE: exportWithSecretCommand{
-	RunE: exportSourceHelmCmdRun,
+		list:   helmRepositoryListAdapter{&sourcev1.HelmRepositoryList{}},
 		object: helmRepositoryAdapter{&sourcev1.HelmRepository{}},
 	}.run,
 }
 func init() {
 	exportSourceCmd.AddCommand(exportSourceHelmCmd)
 }
-func exportSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
+func exportHelmRepository(source *sourcev1.HelmRepository) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list sourcev1.HelmRepositoryList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no source found in %s namespace", namespace)
 			return nil
 		}
 		for _, repository := range list.Items {
 			if err := exportHelmRepository(repository); err != nil {
 				return err
 			}
 			if exportSourceWithCred {
 				if err := exportHelmCredentials(ctx, kubeClient, repository); err != nil {
 					return err
 				}
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var repository sourcev1.HelmRepository
 		err = kubeClient.Get(ctx, namespacedName, &repository)
 		if err != nil {
 			return err
 		}
 		if err := exportHelmRepository(repository); err != nil {
 			return err
 		}
 		if exportSourceWithCred {
 			return exportHelmCredentials(ctx, kubeClient, repository)
 		}
 	}
 	return nil
 }
 func exportHelmRepository(source sourcev1.HelmRepository) error {
 	gvk := sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)
 	export := sourcev1.HelmRepository{
 		TypeMeta: metav1.TypeMeta{
@@ -119,49 +58,32 @@ func exportHelmRepository(source sourcev1.HelmRepository) error {
 		},
 		Spec: source.Spec,
 	}
-
+	return export
 	data, err := yaml.Marshal(export)
 	if err != nil {
 		return err
 	}
 	fmt.Println("---")
 	fmt.Println(resourceToString(data))
 	return nil
 }
-func exportHelmCredentials(ctx context.Context, kubeClient client.Client, source sourcev1.HelmRepository) error {
+func getHelmSecret(source *sourcev1.HelmRepository) *types.NamespacedName {
 	if source.Spec.SecretRef != nil {
 		namespacedName := types.NamespacedName{
 			Namespace: source.Namespace,
 			Name:      source.Spec.SecretRef.Name,
 		}
-		var cred corev1.Secret
+		return &namespacedName
 		err := kubeClient.Get(ctx, namespacedName, &cred)
 		if err != nil {
 			return fmt.Errorf("failed to retrieve secret %s, error: %w", namespacedName.Name, err)
 		}
 		exported := corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: "v1",
 				Kind:       "Secret",
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      namespacedName.Name,
 				Namespace: namespacedName.Namespace,
 			},
 			Data: cred.Data,
 			Type: cred.Type,
 		}
 		data, err := yaml.Marshal(exported)
 		if err != nil {
 			return err
 		}
 		fmt.Println("---")
 		fmt.Println(resourceToString(data))
 	}
 	return nil
 }
 func (ex helmRepositoryAdapter) secret() *types.NamespacedName {
 	return getHelmSecret(ex.HelmRepository)
 }
 func (ex helmRepositoryListAdapter) secretItem(i int) *types.NamespacedName {
 	return getHelmSecret(&ex.HelmRepositoryList.Items[i])
 }
 func (ex helmRepositoryAdapter) export() interface{} {
 	return exportHelmRepository(ex.HelmRepository)
 }
 func (ex helmRepositoryListAdapter) exportItem(i int) interface{} {
 	return exportHelmRepository(&ex.HelmRepositoryList.Items[i])
 }
--- a/cmd/flux/get.go
+++ b/cmd/flux/get.go
@@ -18,11 +18,16 @@ package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"strings"
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
 	watchtools "k8s.io/client-go/tools/watch"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/apis/meta"
@@ -30,25 +35,56 @@ import (
 	"github.com/fluxcd/flux2/internal/utils"
 )
-var getCmd = &cobra.Command{
+type deriveType func(runtime.Object) (summarisable, error)
-	Use:   "get",
+
-	Short: "Get sources and resources",
+type typeMap map[string]deriveType
-	Long:  "The get sub-commands print the statuses of sources and resources.",
+
 func (m typeMap) registerCommand(t string, f deriveType) error {
 	if _, ok := m[t]; ok {
 		return fmt.Errorf("duplicate type function %s", t)
 	}
 	m[t] = f
 	return nil
 }
-var allNamespaces bool
+func (m typeMap) execute(t string, obj runtime.Object) (summarisable, error) {
 	f, ok := m[t]
 	if !ok {
 		return nil, fmt.Errorf("unsupported type %s", t)
 	}
 	return f(obj)
 }
 var getCmd = &cobra.Command{
 	Use:   "get",
 	Short: "Get the resources and their status",
 	Long:  "The get sub-commands print the statuses of Flux resources.",
 }
 type GetFlags struct {
 	allNamespaces  bool
 	noHeader       bool
 	statusSelector string
 	watch          bool
 }
 var getArgs GetFlags
 func init() {
-	getCmd.PersistentFlags().BoolVarP(&allNamespaces, "all-namespaces", "A", false,
+	getCmd.PersistentFlags().BoolVarP(&getArgs.allNamespaces, "all-namespaces", "A", false,
 		"list the requested object(s) across all namespaces")
 	getCmd.PersistentFlags().BoolVarP(&getArgs.noHeader, "no-header", "", false, "skip the header when printing the results")
 	getCmd.PersistentFlags().BoolVarP(&getArgs.watch, "watch", "w", false, "After listing/getting the requested object, watch for changes.")
 	getCmd.PersistentFlags().StringVar(&getArgs.statusSelector, "status-selector", "",
 		"specify the status condition name and the desired state to filter the get result, e.g. ready=false")
 	rootCmd.AddCommand(getCmd)
 }
 type summarisable interface {
-	adapter
+	listAdapter
-	len() int
+	summariseItem(i int, includeNamespace bool, includeKind bool) []string
 	summariseItem(i int, includeNamespace bool) []string
 	headers(includeNamespace bool) []string
 	statusSelectorMatches(i int, conditionType, conditionStatus string) bool
 }
 // --- these help with implementations of summarisable
@@ -60,49 +96,168 @@ func statusAndMessage(conditions []metav1.Condition) (string, string) {
 	return string(metav1.ConditionFalse), "waiting to be reconciled"
 }
-func nameColumns(item named, includeNamespace bool) []string {
+func statusMatches(conditionType, conditionStatus string, conditions []metav1.Condition) bool {
-	if includeNamespace {
+	// we don't use apimeta.FindStatusCondition because we'd like to use EqualFold to compare two strings
-		return []string{item.GetNamespace(), item.GetName()}
+	var c *metav1.Condition
 	for i := range conditions {
 		if strings.EqualFold(conditions[i].Type, conditionType) {
 			c = &conditions[i]
 		}
 	}
-	return []string{item.GetName()}
+	if c != nil {
 		return strings.EqualFold(string(c.Status), conditionStatus)
 	}
 	return false
 }
 func nameColumns(item named, includeNamespace bool, includeKind bool) []string {
 	name := item.GetName()
 	if includeKind {
 		name = fmt.Sprintf("%s/%s",
 			strings.ToLower(item.GetObjectKind().GroupVersionKind().Kind),
 			item.GetName())
 	}
 	if includeNamespace {
 		return []string{item.GetNamespace(), name}
 	}
 	return []string{name}
 }
 var namespaceHeader = []string{"Namespace"}
 type getCommand struct {
 	apiType
-	list summarisable
+	list    summarisable
 	funcMap typeMap
 }
 func (get getCommand) run(cmd *cobra.Command, args []string) error {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
 	var listOpts []client.ListOption
-	if !allNamespaces {
+	if !getArgs.allNamespaces {
-		listOpts = append(listOpts, client.InNamespace(namespace))
+		listOpts = append(listOpts, client.InNamespace(rootArgs.namespace))
 	}
-	err = kubeClient.List(ctx, get.list.asRuntimeObject(), listOpts...)
+
 	if len(args) > 0 {
 		listOpts = append(listOpts, client.MatchingFields{"metadata.name": args[0]})
 	}
 	getAll := cmd.Use == "all"
 	if getArgs.watch {
 		return get.watch(ctx, kubeClient, cmd, args, listOpts)
 	}
 	err = kubeClient.List(ctx, get.list.asClientList(), listOpts...)
 	if err != nil {
 		return err
 	}
 	if get.list.len() == 0 {
-		logger.Failuref("no %s objects found in %s namespace", get.kind, namespace)
+		if !getAll {
 			logger.Failuref("no %s objects found in %s namespace", get.kind, rootArgs.namespace)
 		}
 		return nil
 	}
-	header := get.list.headers(allNamespaces)
+	var header []string
-	var rows [][]string
+	if !getArgs.noHeader {
-	for i := 0; i < get.list.len(); i++ {
+		header = get.list.headers(getArgs.allNamespaces)
-		row := get.list.summariseItem(i, allNamespaces)
+	}
-		rows = append(rows, row)
+
 	rows, err := getRowsToPrint(getAll, get.list)
 	if err != nil {
 		return err
 	}
 	utils.PrintTable(cmd.OutOrStderr(), header, rows)
 	if getAll {
 		fmt.Println()
 	}
 	return nil
 }
 func getRowsToPrint(getAll bool, list summarisable) ([][]string, error) {
 	noFilter := true
 	var conditionType, conditionStatus string
 	if getArgs.statusSelector != "" {
 		parts := strings.SplitN(getArgs.statusSelector, "=", 2)
 		if len(parts) != 2 {
 			return nil, fmt.Errorf("expected status selector in type=status format, but found: %s", getArgs.statusSelector)
 		}
 		conditionType = parts[0]
 		conditionStatus = parts[1]
 		noFilter = false
 	}
 	var rows [][]string
 	for i := 0; i < list.len(); i++ {
 		if noFilter || list.statusSelectorMatches(i, conditionType, conditionStatus) {
 			row := list.summariseItem(i, getArgs.allNamespaces, getAll)
 			rows = append(rows, row)
 		}
 	}
 	return rows, nil
 }
 //
 // watch starts a client-side watch of one or more resources.
 func (get *getCommand) watch(ctx context.Context, kubeClient client.WithWatch, cmd *cobra.Command, args []string, listOpts []client.ListOption) error {
 	w, err := kubeClient.Watch(ctx, get.list.asClientList(), listOpts...)
 	if err != nil {
 		return err
 	}
 	_, err = watchUntil(ctx, w, get)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func watchUntil(ctx context.Context, w watch.Interface, get *getCommand) (bool, error) {
 	firstIteration := true
 	_, error := watchtools.UntilWithoutRetry(ctx, w, func(e watch.Event) (bool, error) {
 		objToPrint := e.Object
 		sink, err := get.funcMap.execute(get.apiType.kind, objToPrint)
 		if err != nil {
 			return false, err
 		}
 		var header []string
 		if !getArgs.noHeader {
 			header = sink.headers(getArgs.allNamespaces)
 		}
 		rows, err := getRowsToPrint(false, sink)
 		if err != nil {
 			return false, err
 		}
 		if firstIteration {
 			utils.PrintTable(os.Stdout, header, rows)
 			firstIteration = false
 		} else {
 			utils.PrintTable(os.Stdout, []string{}, rows)
 		}
 		return false, nil
 	})
 	return false, error
 }
 func validateWatchOption(cmd *cobra.Command, toMatch string) error {
 	w, _ := cmd.Flags().GetBool("watch")
 	if cmd.Use == toMatch && w {
 		return fmt.Errorf("expected a single resource type, but found %s", cmd.Use)
 	}
 	utils.PrintTable(os.Stdout, header, rows)
 	return nil
 }
--- a/cmd/flux/get_alert.go
+++ b/cmd/flux/get_alert.go
@@ -17,86 +17,77 @@ limitations under the License.
 package main
 import (
-	"context"
+	"fmt"
 	"os"
 	"strconv"
 	"strings"
 	"github.com/spf13/cobra"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 )
 var getAlertCmd = &cobra.Command{
-	Use:   "alerts",
+	Use:     "alerts",
-	Short: "Get Alert statuses",
+	Aliases: []string{"alert"},
-	Long:  "The get alert command prints the statuses of the resources.",
+	Short:   "Get Alert statuses",
 	Long:    "The get alert command prints the statuses of the resources.",
 	Example: `  # List all Alerts and their status
-  flux get alerts
+  flux get alerts`,
-`,
+	RunE: func(cmd *cobra.Command, args []string) error {
-	RunE: getAlertCmdRun,
+		get := getCommand{
 			apiType: alertType,
 			list:    &alertListAdapter{&notificationv1.AlertList{}},
 			funcMap: make(typeMap),
 		}
 		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
 			o, ok := obj.(*notificationv1.Alert)
 			if !ok {
 				return nil, fmt.Errorf("Impossible to cast type %#v alert", obj)
 			}
 			sink := alertListAdapter{
 				&notificationv1.AlertList{
 					Items: []notificationv1.Alert{
 						*o,
 					},
 				},
 			}
 			return sink, nil
 		})
 		if err != nil {
 			return err
 		}
 		if err := get.run(cmd, args); err != nil {
 			return err
 		}
 		return nil
 	},
 }
 func init() {
 	getCmd.AddCommand(getAlertCmd)
 }
-func getAlertCmdRun(cmd *cobra.Command, args []string) error {
+func (s alertListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	item := s.Items[i]
-	defer cancel()
+	status, msg := statusAndMessage(item.Status.Conditions)
-
+	return append(nameColumns(&item, includeNamespace, includeKind), status, msg, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+}
-	if err != nil {
+
-		return err
+func (s alertListAdapter) headers(includeNamespace bool) []string {
-	}
+	headers := []string{"Name", "Ready", "Message", "Suspended"}
-
+	if includeNamespace {
-	var listOpts []client.ListOption
+		return append(namespaceHeader, headers...)
-	if !allNamespaces {
+	}
-		listOpts = append(listOpts, client.InNamespace(namespace))
+	return headers
-	}
+}
-	var list notificationv1.AlertList
+
-	err = kubeClient.List(ctx, &list, listOpts...)
+func (s alertListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
-	if err != nil {
+	item := s.Items[i]
-		return err
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
 	}
 	if len(list.Items) == 0 {
 		logger.Failuref("no alerts found in %s namespace", namespace)
 		return nil
 	}
 	header := []string{"Name", "Ready", "Message", "Suspended"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
 	var rows [][]string
 	for _, alert := range list.Items {
 		row := []string{}
 		if c := apimeta.FindStatusCondition(alert.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				alert.GetName(),
 				string(c.Status),
 				c.Message,
 				strings.Title(strconv.FormatBool(alert.Spec.Suspend)),
 			}
 		} else {
 			row = []string{
 				alert.GetName(),
 				string(metav1.ConditionFalse),
 				"waiting to be reconciled",
 				strings.Title(strconv.FormatBool(alert.Spec.Suspend)),
 			}
 		}
 		if allNamespaces {
 			row = append([]string{alert.Namespace}, row...)
 		}
 		rows = append(rows, row)
 	}
 	utils.PrintTable(os.Stdout, header, rows)
 	return nil
 }
--- a/cmd/flux/get_alertprovider.go
+++ b/cmd/flux/get_alertprovider.go
@@ -17,82 +17,75 @@ limitations under the License.
 package main
 import (
-	"context"
+	"fmt"
 	"os"
 	"github.com/spf13/cobra"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 )
 var getAlertProviderCmd = &cobra.Command{
-	Use:   "alert-providers",
+	Use:     "alert-providers",
-	Short: "Get Provider statuses",
+	Aliases: []string{"alert-provider"},
-	Long:  "The get alert-provider command prints the statuses of the resources.",
+	Short:   "Get Provider statuses",
 	Long:    "The get alert-provider command prints the statuses of the resources.",
 	Example: `  # List all Providers and their status
-  flux get alert-providers
+  flux get alert-providers`,
-`,
+	RunE: func(cmd *cobra.Command, args []string) error {
-	RunE: getAlertProviderCmdRun,
+		get := getCommand{
 			apiType: alertProviderType,
 			list:    alertProviderListAdapter{&notificationv1.ProviderList{}},
 			funcMap: make(typeMap),
 		}
 		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
 			o, ok := obj.(*notificationv1.Provider)
 			if !ok {
 				return nil, fmt.Errorf("Impossible to cast type %#v alert-provider", obj)
 			}
 			sink := alertProviderListAdapter{
 				&notificationv1.ProviderList{
 					Items: []notificationv1.Provider{
 						*o,
 					},
 				},
 			}
 			return sink, nil
 		})
 		if err != nil {
 			return err
 		}
 		if err := get.run(cmd, args); err != nil {
 			return err
 		}
 		return nil
 	},
 }
 func init() {
 	getCmd.AddCommand(getAlertProviderCmd)
 }
-func getAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
+func (s alertProviderListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	item := s.Items[i]
-	defer cancel()
+	status, msg := statusAndMessage(item.Status.Conditions)
-
+	return append(nameColumns(&item, includeNamespace, includeKind), status, msg)
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+}
-	if err != nil {
+
-		return err
+func (s alertProviderListAdapter) headers(includeNamespace bool) []string {
-	}
+	headers := []string{"Name", "Ready", "Message"}
-
+	if includeNamespace {
-	var listOpts []client.ListOption
+		return append(namespaceHeader, headers...)
-	if !allNamespaces {
+	}
-		listOpts = append(listOpts, client.InNamespace(namespace))
+	return headers
-	}
+}
-	var list notificationv1.ProviderList
+
-	err = kubeClient.List(ctx, &list, listOpts...)
+func (s alertProviderListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
-	if err != nil {
+	item := s.Items[i]
-		return err
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
 	}
 	if len(list.Items) == 0 {
 		logger.Failuref("no providers found in %s namespace", namespace)
 		return nil
 	}
 	header := []string{"Name", "Ready", "Message"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
 	var rows [][]string
 	for _, provider := range list.Items {
 		row := []string{}
 		if c := apimeta.FindStatusCondition(provider.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				provider.GetName(),
 				string(c.Status),
 				c.Message,
 			}
 		} else {
 			row = []string{
 				provider.GetName(),
 				string(metav1.ConditionFalse),
 				"waiting to be reconciled",
 			}
 		}
 		if allNamespaces {
 			row = append([]string{provider.Namespace}, row...)
 		}
 		rows = append(rows, row)
 	}
 	utils.PrintTable(os.Stdout, header, rows)
 	return nil
 }
--- a/cmd/flux/get_all.go
+++ b/cmd/flux/get_all.go
@@ -0,0 +1,96 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"strings"
 	"github.com/spf13/cobra"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
 var getAllCmd = &cobra.Command{
 	Use:   "all",
 	Short: "Get all resources and statuses",
 	Long:  "The get all command print the statuses of all resources.",
 	Example: `  # List all resources in a namespace
  flux get all --namespace=flux-system
  # List all resources in all namespaces
  flux get all --all-namespaces`,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		err := validateWatchOption(cmd, "all")
 		if err != nil {
 			return err
 		}
 		err = getSourceAllCmd.RunE(cmd, args)
 		if err != nil {
 			logError(err)
 		}
 		// all get command
 		var allCmd = []getCommand{
 			{
 				apiType: helmReleaseType,
 				list:    &helmReleaseListAdapter{&helmv2.HelmReleaseList{}},
 			},
 			{
 				apiType: kustomizationType,
 				list:    &kustomizationListAdapter{&kustomizev1.KustomizationList{}},
 			},
 			{
 				apiType: receiverType,
 				list:    receiverListAdapter{&notificationv1.ReceiverList{}},
 			},
 			{
 				apiType: alertProviderType,
 				list:    alertProviderListAdapter{&notificationv1.ProviderList{}},
 			},
 			{
 				apiType: alertType,
 				list:    &alertListAdapter{&notificationv1.AlertList{}},
 			},
 		}
 		err = getImageAllCmd.RunE(cmd, args)
 		if err != nil {
 			logError(err)
 		}
 		for _, c := range allCmd {
 			if err := c.run(cmd, args); err != nil {
 				logError(err)
 			}
 		}
 		return nil
 	},
 }
 func logError(err error) {
 	if !strings.Contains(err.Error(), "no matches for kind") {
 		logger.Failuref(err.Error())
 	}
 }
 func init() {
 	getCmd.AddCommand(getAllCmd)
 }
--- a/cmd/flux/get_helmrelease.go
+++ b/cmd/flux/get_helmrelease.go
@@ -17,90 +17,75 @@ limitations under the License.
 package main
 import (
-	"context"
+	"fmt"
 	"os"
 	"strconv"
 	"strings"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 var getHelmReleaseCmd = &cobra.Command{
 	Use:     "helmreleases",
-	Aliases: []string{"hr"},
+	Aliases: []string{"hr", "helmrelease"},
 	Short:   "Get HelmRelease statuses",
 	Long:    "The get helmreleases command prints the statuses of the resources.",
 	Example: `  # List all Helm releases and their status
-  flux get helmreleases
+  flux get helmreleases`,
-`,
+	RunE: func(cmd *cobra.Command, args []string) error {
-	RunE: getHelmReleaseCmdRun,
+		get := getCommand{
 			apiType: helmReleaseType,
 			list:    &helmReleaseListAdapter{&helmv2.HelmReleaseList{}},
 			funcMap: make(typeMap),
 		}
 		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
 			o, ok := obj.(*helmv2.HelmRelease)
 			if !ok {
 				return nil, fmt.Errorf("Impossible to cast type %#v helmrelease", obj)
 			}
 			sink := helmReleaseListAdapter{&helmv2.HelmReleaseList{
 				Items: []helmv2.HelmRelease{
 					*o,
 				}}}
 			return sink, nil
 		})
 		if err != nil {
 			return err
 		}
 		if err := get.run(cmd, args); err != nil {
 			return err
 		}
 		return nil
 	},
 }
 func init() {
 	getCmd.AddCommand(getHelmReleaseCmd)
 }
-func getHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
+func (a helmReleaseListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	item := a.Items[i]
-	defer cancel()
+	revision := item.Status.LastAppliedRevision
-
+	status, msg := statusAndMessage(item.Status.Conditions)
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	return append(nameColumns(&item, includeNamespace, includeKind),
-	if err != nil {
+		status, msg, revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
-		return err
+}
-	}
+
-
+func (a helmReleaseListAdapter) headers(includeNamespace bool) []string {
-	var listOpts []client.ListOption
+	headers := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
-	if !allNamespaces {
+	if includeNamespace {
-		listOpts = append(listOpts, client.InNamespace(namespace))
+		headers = append([]string{"Namespace"}, headers...)
-	}
+	}
-	var list helmv2.HelmReleaseList
+	return headers
-	err = kubeClient.List(ctx, &list, listOpts...)
+}
-	if err != nil {
+
-		return err
+func (a helmReleaseListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
-	}
+	item := a.Items[i]
-
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
 	if len(list.Items) == 0 {
 		logger.Failuref("no releases found in %s namespace", namespace)
 		return nil
 	}
 	header := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
 	var rows [][]string
 	for _, helmRelease := range list.Items {
 		row := []string{}
 		if c := apimeta.FindStatusCondition(helmRelease.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				helmRelease.GetName(),
 				string(c.Status),
 				c.Message,
 				helmRelease.Status.LastAppliedRevision,
 				strings.Title(strconv.FormatBool(helmRelease.Spec.Suspend)),
 			}
 		} else {
 			row = []string{
 				helmRelease.GetName(),
 				string(metav1.ConditionFalse),
 				"waiting to be reconciled",
 				helmRelease.Status.LastAppliedRevision,
 				strings.Title(strconv.FormatBool(helmRelease.Spec.Suspend)),
 			}
 		}
 		if allNamespaces {
 			row = append([]string{helmRelease.Namespace}, row...)
 		}
 		rows = append(rows, row)
 	}
 	utils.PrintTable(os.Stdout, header, rows)
 	return nil
 }
--- a/cmd/flux/get_image.go
+++ b/cmd/flux/get_image.go
@@ -21,9 +21,13 @@ import (
 )
 var getImageCmd = &cobra.Command{
-	Use:   "image",
+	Use:     "images",
-	Short: "Get image automation object status",
+	Aliases: []string{"image"},
-	Long:  "The get image sub-commands print the status of image automation objects.",
+	Short:   "Get image automation object status",
 	Long:    "The get image sub-commands print the status of image automation objects.",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		return validateWatchOption(cmd, "images")
 	},
 }
 func init() {
--- a/cmd/flux/get_image_all.go
+++ b/cmd/flux/get_image_all.go
@@ -0,0 +1,72 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"strings"
 	"github.com/spf13/cobra"
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var getImageAllCmd = &cobra.Command{
 	Use:   "all",
 	Short: "Get all image statuses",
 	Long:  "The get image sub-commands print the statuses of all image objects.",
 	Example: `  # List all image objects in a namespace
  flux get images all --namespace=flux-system
  # List all image objects in all namespaces
  flux get images all --all-namespaces`,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		err := validateWatchOption(cmd, "all")
 		if err != nil {
 			return err
 		}
 		var allImageCmd = []getCommand{
 			{
 				apiType: imageRepositoryType,
 				list:    imageRepositoryListAdapter{&imagev1.ImageRepositoryList{}},
 			},
 			{
 				apiType: imagePolicyType,
 				list:    &imagePolicyListAdapter{&imagev1.ImagePolicyList{}},
 			},
 			{
 				apiType: imageUpdateAutomationType,
 				list:    &imageUpdateAutomationListAdapter{&autov1.ImageUpdateAutomationList{}},
 			},
 		}
 		for _, c := range allImageCmd {
 			if err := c.run(cmd, args); err != nil {
 				if !strings.Contains(err.Error(), "no matches for kind") {
 					logger.Failuref(err.Error())
 				}
 			}
 		}
 		return nil
 	},
 }
 func init() {
 	getImageCmd.AddCommand(getImageAllCmd)
 }
--- a/cmd/flux/get_image_policy.go
+++ b/cmd/flux/get_image_policy.go
@@ -17,9 +17,12 @@ limitations under the License.
 package main
 import (
-	"github.com/spf13/cobra"
+	"fmt"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var getImagePolicyCmd = &cobra.Command{
@@ -30,22 +33,47 @@ var getImagePolicyCmd = &cobra.Command{
  flux get image policy
 # List image policies from all namespaces
-  flux get image policy --all-namespaces
+  flux get image policy --all-namespaces`,
-`,
+	RunE: func(cmd *cobra.Command, args []string) error {
-	RunE: getCommand{
+		get := getCommand{
-		apiType: imagePolicyType,
+			apiType: imagePolicyType,
-		list:    &imagePolicyListAdapter{&imagev1.ImagePolicyList{}},
+			list:    &imagePolicyListAdapter{&imagev1.ImagePolicyList{}},
-	}.run,
+			funcMap: make(typeMap),
 		}
 		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
 			o, ok := obj.(*imagev1.ImagePolicy)
 			if !ok {
 				return nil, fmt.Errorf("Impossible to cast type %#v policy", obj)
 			}
 			sink := imagePolicyListAdapter{&imagev1.ImagePolicyList{
 				Items: []imagev1.ImagePolicy{
 					*o,
 				}}}
 			return sink, nil
 		})
 		if err != nil {
 			return err
 		}
 		if err := get.run(cmd, args); err != nil {
 			return err
 		}
 		return nil
 	},
 }
 func init() {
 	getImageCmd.AddCommand(getImagePolicyCmd)
 }
-func (s imagePolicyListAdapter) summariseItem(i int, includeNamespace bool) []string {
+func (s imagePolicyListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
-	return append(nameColumns(&item, includeNamespace), status, msg, item.Status.LatestImage)
+	return append(nameColumns(&item, includeNamespace, includeKind), status, msg, item.Status.LatestImage)
 }
 func (s imagePolicyListAdapter) headers(includeNamespace bool) []string {
@@ -55,3 +83,8 @@ func (s imagePolicyListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
 func (s imagePolicyListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
 	item := s.Items[i]
 	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
 }
--- a/cmd/flux/get_image_repository.go
+++ b/cmd/flux/get_image_repository.go
@@ -17,13 +17,15 @@ limitations under the License.
 package main
 import (
 	"fmt"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var getImageRepositoryCmd = &cobra.Command{
@@ -34,26 +36,51 @@ var getImageRepositoryCmd = &cobra.Command{
  flux get image repository
 # List image repositories from all namespaces
-  flux get image repository --all-namespaces
+  flux get image repository --all-namespaces`,
-`,
+	RunE: func(cmd *cobra.Command, args []string) error {
-	RunE: getCommand{
+		get := getCommand{
-		apiType: imageRepositoryType,
+			apiType: imageRepositoryType,
-		list:    imageRepositoryListAdapter{&imagev1.ImageRepositoryList{}},
+			list:    imageRepositoryListAdapter{&imagev1.ImageRepositoryList{}},
-	}.run,
+			funcMap: make(typeMap),
 		}
 		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
 			o, ok := obj.(*imagev1.ImageRepository)
 			if !ok {
 				return nil, fmt.Errorf("Impossible to cast type %#v repository", obj)
 			}
 			sink := imageRepositoryListAdapter{&imagev1.ImageRepositoryList{
 				Items: []imagev1.ImageRepository{
 					*o,
 				}}}
 			return sink, nil
 		})
 		if err != nil {
 			return err
 		}
 		if err := get.run(cmd, args); err != nil {
 			return err
 		}
 		return nil
 	},
 }
 func init() {
 	getImageCmd.AddCommand(getImageRepositoryCmd)
 }
-func (s imageRepositoryListAdapter) summariseItem(i int, includeNamespace bool) []string {
+func (s imageRepositoryListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
 	var lastScan string
 	if item.Status.LastScanResult != nil {
 		lastScan = item.Status.LastScanResult.ScanTime.Time.Format(time.RFC3339)
 	}
-	return append(nameColumns(&item, includeNamespace),
+	return append(nameColumns(&item, includeNamespace, includeKind),
 		status, msg, lastScan, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
 }
@@ -64,3 +91,8 @@ func (s imageRepositoryListAdapter) headers(includeNamespace bool) []string {
 	}
 	return headers
 }
 func (s imageRepositoryListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
 	item := s.Items[i]
 	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
 }
--- a/cmd/flux/get_image_updateauto.go
+++ b/cmd/flux/get_image_updateauto.go
@@ -17,13 +17,15 @@ limitations under the License.
 package main
 import (
 	"fmt"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 )
 var getImageUpdateCmd = &cobra.Command{
@@ -34,26 +36,51 @@ var getImageUpdateCmd = &cobra.Command{
  flux get image update
 # List image update automations from all namespaces
-  flux get image update --all-namespaces
+  flux get image update --all-namespaces`,
-`,
+	RunE: func(cmd *cobra.Command, args []string) error {
-	RunE: getCommand{
+		get := getCommand{
-		apiType: imageUpdateAutomationType,
+			apiType: imageUpdateAutomationType,
-		list:    &imageUpdateAutomationListAdapter{&autov1.ImageUpdateAutomationList{}},
+			list:    &imageUpdateAutomationListAdapter{&autov1.ImageUpdateAutomationList{}},
-	}.run,
+			funcMap: make(typeMap),
 		}
 		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
 			o, ok := obj.(*autov1.ImageUpdateAutomation)
 			if !ok {
 				return nil, fmt.Errorf("Impossible to cast type %#v update", obj)
 			}
 			sink := imageUpdateAutomationListAdapter{&autov1.ImageUpdateAutomationList{
 				Items: []autov1.ImageUpdateAutomation{
 					*o,
 				}}}
 			return sink, nil
 		})
 		if err != nil {
 			return err
 		}
 		if err := get.run(cmd, args); err != nil {
 			return err
 		}
 		return nil
 	},
 }
 func init() {
 	getImageCmd.AddCommand(getImageUpdateCmd)
 }
-func (s imageUpdateAutomationListAdapter) summariseItem(i int, includeNamespace bool) []string {
+func (s imageUpdateAutomationListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
 	var lastRun string
 	if item.Status.LastAutomationRunTime != nil {
 		lastRun = item.Status.LastAutomationRunTime.Time.Format(time.RFC3339)
 	}
-	return append(nameColumns(&item, includeNamespace), status, msg, lastRun, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
+	return append(nameColumns(&item, includeNamespace, includeKind), status, msg, lastRun, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
 }
 func (s imageUpdateAutomationListAdapter) headers(includeNamespace bool) []string {
@@ -63,3 +90,8 @@ func (s imageUpdateAutomationListAdapter) headers(includeNamespace bool) []strin
 	}
 	return headers
 }
 func (s imageUpdateAutomationListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
 	item := s.Items[i]
 	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
 }
--- a/cmd/flux/get_kustomization.go
+++ b/cmd/flux/get_kustomization.go
@@ -17,89 +17,79 @@ limitations under the License.
 package main
 import (
-	"context"
+	"fmt"
 	"os"
 	"strconv"
 	"strings"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/spf13/cobra"
-	"github.com/fluxcd/pkg/apis/meta"
+	"k8s.io/apimachinery/pkg/runtime"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 var getKsCmd = &cobra.Command{
 	Use:     "kustomizations",
-	Aliases: []string{"ks"},
+	Aliases: []string{"ks", "kustomization"},
 	Short:   "Get Kustomization statuses",
 	Long:    "The get kustomizations command prints the statuses of the resources.",
 	Example: `  # List all kustomizations and their status
-  flux get kustomizations
+  flux get kustomizations`,
-`,
+	RunE: func(cmd *cobra.Command, args []string) error {
-	RunE: getKsCmdRun,
+		get := getCommand{
 			apiType: kustomizationType,
 			list:    &kustomizationListAdapter{&kustomizev1.KustomizationList{}},
 			funcMap: make(typeMap),
 		}
 		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
 			o, ok := obj.(*kustomizev1.Kustomization)
 			if !ok {
 				return nil, fmt.Errorf("Impossible to cast type %#v kustomization", obj)
 			}
 			sink := kustomizationListAdapter{
 				&kustomizev1.KustomizationList{
 					Items: []kustomizev1.Kustomization{
 						*o,
 					},
 				},
 			}
 			return sink, nil
 		})
 		if err != nil {
 			return err
 		}
 		if err := get.run(cmd, args); err != nil {
 			return err
 		}
 		return nil
 	},
 }
 func init() {
 	getCmd.AddCommand(getKsCmd)
 }
-func getKsCmdRun(cmd *cobra.Command, args []string) error {
+func (a kustomizationListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	item := a.Items[i]
-	defer cancel()
+	revision := item.Status.LastAppliedRevision
-
+	status, msg := statusAndMessage(item.Status.Conditions)
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	return append(nameColumns(&item, includeNamespace, includeKind),
-	if err != nil {
+		status, msg, revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
-		return err
+}
-	}
+
-
+func (a kustomizationListAdapter) headers(includeNamespace bool) []string {
-	var listOpts []client.ListOption
+	headers := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
-	if !allNamespaces {
+	if includeNamespace {
-		listOpts = append(listOpts, client.InNamespace(namespace))
+		headers = append([]string{"Namespace"}, headers...)
-	}
+	}
-	var list kustomizev1.KustomizationList
+	return headers
-	err = kubeClient.List(ctx, &list, listOpts...)
+}
-	if err != nil {
+
-		return err
+func (a kustomizationListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
-	}
+	item := a.Items[i]
-
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
 	if len(list.Items) == 0 {
 		logger.Failuref("no kustomizations found in %s namespace", namespace)
 		return nil
 	}
 	header := []string{"Name", "Ready", "Message", "Revision", "Suspended"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
 	var rows [][]string
 	for _, kustomization := range list.Items {
 		row := []string{}
 		if c := apimeta.FindStatusCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				kustomization.GetName(),
 				string(c.Status),
 				c.Message,
 				kustomization.Status.LastAppliedRevision,
 				strings.Title(strconv.FormatBool(kustomization.Spec.Suspend)),
 			}
 		} else {
 			row = []string{
 				kustomization.GetName(),
 				string(metav1.ConditionFalse),
 				"waiting to be reconciled",
 				kustomization.Status.LastAppliedRevision,
 				strings.Title(strconv.FormatBool(kustomization.Spec.Suspend)),
 			}
 		}
 		if allNamespaces {
 			row = append([]string{kustomization.Namespace}, row...)
 		}
 		rows = append(rows, row)
 	}
 	utils.PrintTable(os.Stdout, header, rows)
 	return nil
 }
--- a/cmd/flux/get_receiver.go
+++ b/cmd/flux/get_receiver.go
@@ -17,83 +17,74 @@ limitations under the License.
 package main
 import (
-	"context"
+	"fmt"
 	"os"
 	"strconv"
 	"strings"
 	"github.com/spf13/cobra"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 )
 var getReceiverCmd = &cobra.Command{
-	Use:   "receivers",
+	Use:     "receivers",
-	Short: "Get Receiver statuses",
+	Aliases: []string{"receiver"},
-	Long:  "The get receiver command prints the statuses of the resources.",
+	Short:   "Get Receiver statuses",
 	Long:    "The get receiver command prints the statuses of the resources.",
 	Example: `  # List all Receiver and their status
-  flux get receivers
+  flux get receivers`,
-`,
+	RunE: func(cmd *cobra.Command, args []string) error {
-	RunE: getReceiverCmdRun,
+		get := getCommand{
 			apiType: receiverType,
 			list:    receiverListAdapter{&notificationv1.ReceiverList{}},
 			funcMap: make(typeMap),
 		}
 		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
 			o, ok := obj.(*notificationv1.Receiver)
 			if !ok {
 				return nil, fmt.Errorf("Impossible to cast type %#v receiver", obj)
 			}
 			sink := receiverListAdapter{&notificationv1.ReceiverList{
 				Items: []notificationv1.Receiver{
 					*o,
 				}}}
 			return sink, nil
 		})
 		if err != nil {
 			return err
 		}
 		if err := get.run(cmd, args); err != nil {
 			return err
 		}
 		return nil
 	},
 }
 func init() {
 	getCmd.AddCommand(getReceiverCmd)
 }
-func getReceiverCmdRun(cmd *cobra.Command, args []string) error {
+func (s receiverListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	item := s.Items[i]
-	defer cancel()
+	status, msg := statusAndMessage(item.Status.Conditions)
-
+	return append(nameColumns(&item, includeNamespace, includeKind), status, msg, strings.Title(strconv.FormatBool(item.Spec.Suspend)))
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+}
-	if err != nil {
+
-		return err
+func (s receiverListAdapter) headers(includeNamespace bool) []string {
-	}
+	headers := []string{"Name", "Ready", "Message", "Suspended"}
-
+	if includeNamespace {
-	var listOpts []client.ListOption
+		return append(namespaceHeader, headers...)
-	if !allNamespaces {
+	}
-		listOpts = append(listOpts, client.InNamespace(namespace))
+	return headers
-	}
+}
-	var list notificationv1.ReceiverList
+
-	err = kubeClient.List(ctx, &list, listOpts...)
+func (s receiverListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
-	if err != nil {
+	item := s.Items[i]
-		return err
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
 	}
 	if len(list.Items) == 0 {
 		logger.Failuref("no receivers found in %s namespace", namespace)
 		return nil
 	}
 	header := []string{"Name", "Ready", "Message", "Suspended"}
 	if allNamespaces {
 		header = append([]string{"Namespace"}, header...)
 	}
 	var rows [][]string
 	for _, receiver := range list.Items {
 		row := []string{}
 		if c := apimeta.FindStatusCondition(receiver.Status.Conditions, meta.ReadyCondition); c != nil {
 			row = []string{
 				receiver.GetName(),
 				string(c.Status),
 				c.Message,
 				strings.Title(strconv.FormatBool(receiver.Spec.Suspend)),
 			}
 		} else {
 			row = []string{
 				receiver.GetName(),
 				string(metav1.ConditionFalse),
 				"waiting to be reconciled",
 				strings.Title(strconv.FormatBool(receiver.Spec.Suspend)),
 			}
 		}
 		rows = append(rows, row)
 	}
 	utils.PrintTable(os.Stdout, header, rows)
 	return nil
 }
--- a/cmd/flux/get_source.go
+++ b/cmd/flux/get_source.go
@@ -21,9 +21,14 @@ import (
 )
 var getSourceCmd = &cobra.Command{
-	Use:   "sources",
+	Use:     "sources",
-	Short: "Get source statuses",
+	Aliases: []string{"source"},
-	Long:  "The get source sub-commands print the statuses of the sources.",
+	Short:   "Get source statuses",
 	Long:    "The get source sub-commands print the statuses of the sources.",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		return validateWatchOption(cmd, "sources")
 	},
 }
 func init() {
--- a/cmd/flux/get_source_all.go
+++ b/cmd/flux/get_source_all.go
@@ -0,0 +1,75 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"strings"
 	"github.com/spf13/cobra"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var getSourceAllCmd = &cobra.Command{
 	Use:   "all",
 	Short: "Get all source statuses",
 	Long:  "The get sources all command print the statuses of all sources.",
 	Example: `  # List all sources in a namespace
  flux get sources all --namespace=flux-system
  # List all sources in all namespaces
  flux get sources all --all-namespaces`,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		err := validateWatchOption(cmd, "all")
 		if err != nil {
 			return err
 		}
 		var allSourceCmd = []getCommand{
 			{
 				apiType: bucketType,
 				list:    &bucketListAdapter{&sourcev1.BucketList{}},
 			},
 			{
 				apiType: gitRepositoryType,
 				list:    &gitRepositoryListAdapter{&sourcev1.GitRepositoryList{}},
 			},
 			{
 				apiType: helmRepositoryType,
 				list:    &helmRepositoryListAdapter{&sourcev1.HelmRepositoryList{}},
 			},
 			{
 				apiType: helmChartType,
 				list:    &helmChartListAdapter{&sourcev1.HelmChartList{}},
 			},
 		}
 		for _, c := range allSourceCmd {
 			if err := c.run(cmd, args); err != nil {
 				if !strings.Contains(err.Error(), "no matches for kind") {
 					logger.Failuref(err.Error())
 				}
 			}
 		}
 		return nil
 	},
 }
 func init() {
 	getSourceCmd.AddCommand(getSourceAllCmd)
 }
--- a/Show More
+++ b/Show More