Merge pull request #608 from SomtochiAma/getting-started-guide

Simplify the getting started guide

CONTRIBUTING.md

@@ -1,7 +1,6 @@
 # Contributing
 
-Flux is [Apache 2.0
-licensed](https://github.com/fluxcd/flux2/blob/main/LICENSE) and
+Flux is [Apache 2.0 licensed](https://github.com/fluxcd/flux2/blob/main/LICENSE) and
 accepts contributions via GitHub pull requests. This document outlines
 some of the conventions on to make it easier to get your contribution
 accepted.
@@ -14,9 +13,18 @@ code.
 By contributing to this project you agree to the Developer Certificate of
 Origin (DCO). This document was created by the Linux Kernel community and is a
 simple statement that you, as a contributor, have the legal right to make the
-contribution. No action from you is required, but it's a good idea to see the
-[DCO](DCO) file for details before you start contributing code to FluxCD
-organization.
+contribution.
+
+We require all commits to be signed. By signing off with your signature, you
+certify that you wrote the patch or otherwise have the right to contribute the
+material by the rules of the [DCO](DCO):
+
+`Signed-off-by: Jane Doe <jane.doe@example.com>`
+
+The signature must contain your real name
+(sorry, no pseudonyms or anonymous contributions)
+If your `user.name` and `user.email` are configured in your Git config,
+you can sign your commit automatically with `git commit -s`.
 
 ## Communications
 

cmd/flux/bootstrap.go

@@ -239,7 +239,7 @@ func shouldCreateDeployKey(ctx context.Context, kubeClient client.Client, namesp
 }
 
 func generateDeployKey(ctx context.Context, kubeClient client.Client, url *url.URL, namespace string) (string, error) {
-	pair, err := generateKeyPair(ctx)
+	pair, err := generateKeyPair(ctx, sourceGitKeyAlgorithm, sourceGitRSABits, sourceGitECDSACurve)
 	if err != nil {
 		return "", err
 	}
@@ -266,3 +266,20 @@ func generateDeployKey(ctx context.Context, kubeClient client.Client, url *url.U
 
 	return string(pair.PublicKey), nil
 }
+
+func checkIfBootstrapPathDiffers(ctx context.Context, kubeClient client.Client, namespace string, path string) (string, bool) {
+	namespacedName := types.NamespacedName{
+		Name:      namespace,
+		Namespace: namespace,
+	}
+	var fluxSystemKustomization kustomizev1.Kustomization
+	err := kubeClient.Get(ctx, namespacedName, &fluxSystemKustomization)
+	if err != nil {
+		return "", false
+	}
+	if fluxSystemKustomization.Spec.Path == path {
+		return "", false
+	}
+
+	return fluxSystemKustomization.Spec.Path, true
+}

cmd/flux/bootstrap_github.go

@@ -23,6 +23,7 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"path/filepath"
 	"time"
 
 	"github.com/spf13/cobra"
@@ -114,6 +115,20 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	usedPath, bootstrapPathDiffers := checkIfBootstrapPathDiffers(ctx, kubeClient, namespace, filepath.ToSlash(ghPath.String()))
+
+	if bootstrapPathDiffers {
+		return fmt.Errorf("cluster already bootstrapped to %v path", usedPath)
+	}
+
 	repository, err := git.NewRepository(ghRepository, ghOwner, ghHostname, ghToken, "flux", ghOwner+"@users.noreply.github.com")
 	if err != nil {
 		return err
@@ -134,9 +149,6 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	defer os.RemoveAll(tmpDir)
 
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
 	if ghDelete {
 		if err := provider.DeleteRepository(ctx, repository); err != nil {
 			return err
@@ -197,11 +209,6 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Successf("components are up to date")
 	}
 
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
 	// determine if repo synchronization is working
 	isInstall := shouldInstallManifests(ctx, kubeClient, namespace)
 
@@ -261,7 +268,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 
 	// configure repo synchronization
 	logger.Actionf("generating sync manifests")
-	syncManifests, err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, ghPath.String(), tmpDir, ghInterval)
+	syncManifests, err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, filepath.ToSlash(ghPath.String()), tmpDir, ghInterval)
 	if err != nil {
 		return err
 	}

cmd/flux/bootstrap_gitlab.go

@@ -23,6 +23,7 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"path/filepath"
 	"regexp"
 	"time"
 
@@ -114,6 +115,20 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	usedPath, bootstrapPathDiffers := checkIfBootstrapPathDiffers(ctx, kubeClient, namespace, filepath.ToSlash(glPath.String()))
+
+	if bootstrapPathDiffers {
+		return fmt.Errorf("cluster already bootstrapped to %v path", usedPath)
+	}
+
 	repository, err := git.NewRepository(glRepository, glOwner, glHostname, glToken, "flux", glOwner+"@users.noreply.gitlab.com")
 	if err != nil {
 		return err
@@ -128,20 +143,12 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		IsPersonal: glPersonal,
 	}
 
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
-	if err != nil {
-		return err
-	}
-
 	tmpDir, err := ioutil.TempDir("", namespace)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
 
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
 	// create GitLab project if doesn't exists
 	logger.Actionf("connecting to %s", glHostname)
 	changed, err := provider.CreateRepository(ctx, repository)
@@ -240,7 +247,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 
 	// configure repo synchronization
 	logger.Actionf("generating sync manifests")
-	syncManifests, err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, glPath.String(), tmpDir, glInterval)
+	syncManifests, err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, filepath.ToSlash(glPath.String()), tmpDir, glInterval)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret.go

@@ -17,11 +17,15 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 )
 
@@ -35,6 +39,32 @@ func init() {
 	createCmd.AddCommand(createSecretCmd)
 }
 
+func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.Secret) error {
+	namespacedName := types.NamespacedName{
+		Namespace: secret.GetNamespace(),
+		Name:      secret.GetName(),
+	}
+
+	var existing corev1.Secret
+	err := kubeClient.Get(ctx, namespacedName, &existing)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if err := kubeClient.Create(ctx, &secret); err != nil {
+				return err
+			} else {
+				return nil
+			}
+		}
+		return err
+	}
+
+	existing.StringData = secret.StringData
+	if err := kubeClient.Update(ctx, &existing); err != nil {
+		return err
+	}
+	return nil
+}
+
 func exportSecret(secret corev1.Secret) error {
 	secret.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",

cmd/flux/create_secret_git.go

@@ -21,6 +21,7 @@ import (
 	"crypto/elliptic"
 	"fmt"
 	"net/url"
+	"time"
 
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -28,6 +29,7 @@ import (
 
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/pkg/ssh"
 )
 
 var createSecretGitCmd = &cobra.Command{
@@ -53,7 +55,7 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
   # Create a Git SSH secret on disk and print the deploy key
   flux create secret git podinfo-auth \
     --url=ssh://git@github.com/stefanprodan/podinfo \
-	--export > podinfo-auth.yaml
+    --export > podinfo-auth.yaml
 
   yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
 
@@ -61,7 +63,7 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
   flux create secret git podinfo-auth \
     --namespace=apps \
     --url=ssh://git@github.com/stefanprodan/podinfo \
-	--export > podinfo-auth.yaml
+    --export > podinfo-auth.yaml
 
   sops --encrypt --encrypted-regex '^(data|stringData)$' \
     --in-place podinfo-auth.yaml
@@ -82,9 +84,9 @@ func init() {
 	createSecretGitCmd.Flags().StringVar(&secretGitURL, "url", "", "git address, e.g. ssh://git@host/org/repository")
 	createSecretGitCmd.Flags().StringVarP(&secretGitUsername, "username", "u", "", "basic authentication username")
 	createSecretGitCmd.Flags().StringVarP(&secretGitPassword, "password", "p", "", "basic authentication password")
-	createSecretGitCmd.Flags().Var(&secretGitKeyAlgorithm, "ssh-key-algorithm", sourceGitKeyAlgorithm.Description())
-	createSecretGitCmd.Flags().Var(&secretGitRSABits, "ssh-rsa-bits", sourceGitRSABits.Description())
-	createSecretGitCmd.Flags().Var(&secretGitECDSACurve, "ssh-ecdsa-curve", sourceGitECDSACurve.Description())
+	createSecretGitCmd.Flags().Var(&secretGitKeyAlgorithm, "ssh-key-algorithm", secretGitKeyAlgorithm.Description())
+	createSecretGitCmd.Flags().Var(&secretGitRSABits, "ssh-rsa-bits", secretGitRSABits.Description())
+	createSecretGitCmd.Flags().Var(&secretGitECDSACurve, "ssh-ecdsa-curve", secretGitECDSACurve.Description())
 
 	createSecretCmd.AddCommand(createSecretGitCmd)
 }
@@ -122,7 +124,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 
 	switch u.Scheme {
 	case "ssh":
-		pair, err := generateKeyPair(ctx)
+		pair, err := generateKeyPair(ctx, secretGitKeyAlgorithm, secretGitRSABits, secretGitECDSACurve)
 		if err != nil {
 			return err
 		}
@@ -171,3 +173,34 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 
 	return nil
 }
+
+func generateKeyPair(ctx context.Context, alg flags.PublicKeyAlgorithm, rsa flags.RSAKeyBits, ecdsa flags.ECDSACurve) (*ssh.KeyPair, error) {
+	var keyGen ssh.KeyPairGenerator
+	switch algorithm := alg.String(); algorithm {
+	case "rsa":
+		keyGen = ssh.NewRSAGenerator(int(rsa))
+	case "ecdsa":
+		keyGen = ssh.NewECDSAGenerator(ecdsa.Curve)
+	case "ed25519":
+		keyGen = ssh.NewEd25519Generator()
+	default:
+		return nil, fmt.Errorf("unsupported public key algorithm: %s", algorithm)
+	}
+	pair, err := keyGen.Generate()
+	if err != nil {
+		return nil, fmt.Errorf("key pair generation failed, error: %w", err)
+	}
+	return pair, nil
+}
+
+func scanHostKey(ctx context.Context, url *url.URL) ([]byte, error) {
+	host := url.Host
+	if url.Port() == "" {
+		host = host + ":22"
+	}
+	hostKey, err := ssh.ScanHostKey(host, 30*time.Second)
+	if err != nil {
+		return nil, fmt.Errorf("SSH key scan for host %s failed, error: %w", host, err)
+	}
+	return hostKey, nil
+}

cmd/flux/create_secret_helm.go

@@ -0,0 +1,141 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/flux2/internal/utils"
+)
+
+var createSecretHelmCmd = &cobra.Command{
+	Use:   "helm [name]",
+	Short: "Create or update a Kubernetes secret for Helm repository authentication",
+	Long: `
+The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
+	Example: `    # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
+
+  flux create secret helm repo-auth \
+    --namespace=my-namespace \
+    --username=my-username \
+    --password=my-password \
+    --export > repo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place repo-auth.yaml
+
+  # Create an authentication secret using a custom TLS cert
+  flux create secret helm repo-auth \
+    --username=username \
+    --password=password \
+    --cert-file=./cert.crt \
+    --key-file=./key.crt \
+    --ca-file=./ca.crt
+`,
+	RunE: createSecretHelmCmdRun,
+}
+
+var (
+	secretHelmUsername string
+	secretHelmPassword string
+	secretHelmCertFile string
+	secretHelmKeyFile  string
+	secretHelmCAFile   string
+)
+
+func init() {
+	createSecretHelmCmd.Flags().StringVarP(&secretHelmUsername, "username", "u", "", "basic authentication username")
+	createSecretHelmCmd.Flags().StringVarP(&secretHelmPassword, "password", "p", "", "basic authentication password")
+	createSecretHelmCmd.Flags().StringVar(&secretHelmCertFile, "cert-file", "", "TLS authentication cert file path")
+	createSecretHelmCmd.Flags().StringVar(&secretHelmKeyFile, "key-file", "", "TLS authentication key file path")
+	createSecretHelmCmd.Flags().StringVar(&secretHelmCAFile, "ca-file", "", "TLS authentication CA file path")
+
+	createSecretCmd.AddCommand(createSecretHelmCmd)
+}
+
+func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("secret name is required")
+	}
+	name := args[0]
+
+	secretLabels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	secret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Labels:    secretLabels,
+		},
+		StringData: map[string]string{},
+	}
+
+	if secretHelmUsername != "" && secretHelmPassword != "" {
+		secret.StringData["username"] = secretHelmUsername
+		secret.StringData["password"] = secretHelmPassword
+	}
+
+	if secretHelmCertFile != "" && secretHelmKeyFile != "" {
+		cert, err := ioutil.ReadFile(secretHelmCertFile)
+		if err != nil {
+			return fmt.Errorf("failed to read repository cert file '%s': %w", secretHelmCertFile, err)
+		}
+		secret.StringData["certFile"] = string(cert)
+
+		key, err := ioutil.ReadFile(secretHelmKeyFile)
+		if err != nil {
+			return fmt.Errorf("failed to read repository key file '%s': %w", secretHelmKeyFile, err)
+		}
+		secret.StringData["keyFile"] = string(key)
+	}
+
+	if secretHelmCAFile != "" {
+		ca, err := ioutil.ReadFile(secretHelmCAFile)
+		if err != nil {
+			return fmt.Errorf("failed to read repository CA file '%s': %w", secretHelmCAFile, err)
+		}
+		secret.StringData["caFile"] = string(ca)
+	}
+
+	if export {
+		return exportSecret(secret)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	if err != nil {
+		return err
+	}
+
+	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+		return err
+	}
+	logger.Actionf("secret '%s' created in '%s' namespace", name, namespace)
+
+	return nil
+}

cmd/flux/create_source_git.go

@@ -23,13 +23,7 @@ import (
 	"io/ioutil"
 	"net/url"
 	"os"
-	"time"
 
-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/pkg/apis/meta"
-
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -40,7 +34,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	"github.com/fluxcd/pkg/ssh"
+	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 
 var createSourceGitCmd = &cobra.Command{
@@ -195,7 +192,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		withAuth = true
 	} else if u.Scheme == "ssh" {
 		logger.Generatef("generating deploy key pair")
-		pair, err := generateKeyPair(ctx)
+		pair, err := generateKeyPair(ctx, sourceGitKeyAlgorithm, sourceGitRSABits, sourceGitECDSACurve)
 		if err != nil {
 			return err
 		}
@@ -288,63 +285,6 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func generateKeyPair(ctx context.Context) (*ssh.KeyPair, error) {
-	var keyGen ssh.KeyPairGenerator
-	switch algorithm := sourceGitKeyAlgorithm.String(); algorithm {
-	case "rsa":
-		keyGen = ssh.NewRSAGenerator(int(sourceGitRSABits))
-	case "ecdsa":
-		keyGen = ssh.NewECDSAGenerator(sourceGitECDSACurve.Curve)
-	case "ed25519":
-		keyGen = ssh.NewEd25519Generator()
-	default:
-		return nil, fmt.Errorf("unsupported public key algorithm: %s", algorithm)
-	}
-	pair, err := keyGen.Generate()
-	if err != nil {
-		return nil, fmt.Errorf("key pair generation failed, error: %w", err)
-	}
-	return pair, nil
-}
-
-func scanHostKey(ctx context.Context, url *url.URL) ([]byte, error) {
-	host := url.Host
-	if url.Port() == "" {
-		host = host + ":22"
-	}
-	hostKey, err := ssh.ScanHostKey(host, 30*time.Second)
-	if err != nil {
-		return nil, fmt.Errorf("SSH key scan for host %s failed, error: %w", host, err)
-	}
-	return hostKey, nil
-}
-
-func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.Secret) error {
-	namespacedName := types.NamespacedName{
-		Namespace: secret.GetNamespace(),
-		Name:      secret.GetName(),
-	}
-
-	var existing corev1.Secret
-	err := kubeClient.Get(ctx, namespacedName, &existing)
-	if err != nil {
-		if errors.IsNotFound(err) {
-			if err := kubeClient.Create(ctx, &secret); err != nil {
-				return err
-			} else {
-				return nil
-			}
-		}
-		return err
-	}
-
-	existing.StringData = secret.StringData
-	if err := kubeClient.Update(ctx, &existing); err != nil {
-		return err
-	}
-	return nil
-}
-
 func upsertGitRepository(ctx context.Context, kubeClient client.Client,
 	gitRepository *sourcev1.GitRepository) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{

docs/cmd/flux_create_secret.md

@@ -29,4 +29,5 @@ The create source sub-commands generate Kubernetes secrets specific to Flux.
 
 * [flux create](flux_create.md)	 - Create or update sources and resources
 * [flux create secret git](flux_create_secret_git.md)	 - Create or update a Kubernetes secret for Git authentication
+* [flux create secret helm](flux_create_secret_helm.md)	 - Create or update a Kubernetes secret for Helm repository authentication
 

docs/cmd/flux_create_secret_git.md

@@ -32,7 +32,7 @@ flux create secret git [name] [flags]
   # Create a Git SSH secret on disk and print the deploy key
   flux create secret git podinfo-auth \
     --url=ssh://git@github.com/stefanprodan/podinfo \
-	--export > podinfo-auth.yaml
+    --export > podinfo-auth.yaml
 
   yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
 
@@ -40,7 +40,7 @@ flux create secret git [name] [flags]
   flux create secret git podinfo-auth \
     --namespace=apps \
     --url=ssh://git@github.com/stefanprodan/podinfo \
-	--export > podinfo-auth.yaml
+    --export > podinfo-auth.yaml
 
   sops --encrypt --encrypted-regex '^(data|stringData)$' \
     --in-place podinfo-auth.yaml

docs/cmd/flux_create_secret_helm.md

@@ -0,0 +1,65 @@
+## flux create secret helm
+
+Create or update a Kubernetes secret for Helm repository authentication
+
+### Synopsis
+
+
+The create secret helm command generates a Kubernetes secret with basic authentication credentials.
+
+```
+flux create secret helm [name] [flags]
+```
+
+### Examples
+
+```
+    # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
+
+  flux create secret helm repo-auth \
+    --namespace=my-namespace \
+    --username=my-username \
+    --password=my-password \
+    --export > repo-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place repo-auth.yaml
+
+  # Create an authentication secret using a custom TLS cert
+  flux create secret helm repo-auth \
+    --username=username \
+    --password=password \
+    --cert-file=./cert.crt \
+    --key-file=./key.crt \
+    --ca-file=./ca.crt
+
+```
+
+### Options
+
+```
+      --ca-file string     TLS authentication CA file path
+      --cert-file string   TLS authentication cert file path
+  -h, --help               help for helm
+      --key-file string    TLS authentication key file path
+  -p, --password string    basic authentication password
+  -u, --username string    basic authentication username
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --export              export in YAML format to stdout
+      --interval duration   source sync interval (default 1m0s)
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+      --label strings       set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux create secret](flux_create_secret.md)	 - Create or update Kubernetes secrets
+

docs/core-concepts/index.md

@@ -32,7 +32,7 @@ For more information, take a look at [the source controller documentation](../co
 
 ## Reconciliation
 
-Reconciliation refers to ensuring that a given state(e.g application running in the cluster, infrasatructure) matches a desired state declaratively defined somewhere(e.g a git repository). There are various examples of these in flux e.g:
+Reconciliation refers to ensuring that a given state (e.g application running in the cluster, infrastructure) matches a desired state declaratively defined somewhere (e.g a git repository). There are various examples of these in flux e.g:
 
 - HelmRelease reconciliation: ensures the state of the Helm release matches what is defined in the resource, performs a release if this is not the case (including revision changes of a HelmChart resource).
 - Bucket reconciliation: downloads and archives the contents of the declared bucket on a given interval and stores this as an artifact, records the observed revision of the artifact and the artifact itself in the status of resource.
@@ -40,13 +40,13 @@ Reconciliation refers to ensuring that a given state(e.g application running in
 
 ## Kustomization
 
-The kustomization represents an local set of Kubernetes resources that Flux is supposed to reconcile in the cluster. The reconciliation every one minute by default but this can be specified in the kustomization. If you make any changes to the cluster using `kubectl edit` or `kubectl patch`, it will be promptly reverted. You either suspend the reconciliation or push your changes to a Git repository.
+The kustomization represents a local set of Kubernetes resources that Flux is supposed to reconcile in the cluster. The reconciliation runs every one minute by default but this can be specified in the kustomization. If you make any changes to the cluster using `kubectl edit` or `kubectl patch`, it will be promptly reverted. You either suspend the reconciliation or push your changes to a Git repository.
 
 For more information, take a look at [this documentation](../components/kustomize/kustomization.md).
 
 ## Bootstrap
 
-The process of installing the Flux components in a complete GitOps way is called a bootstrap. The manifests are applied to the cluster, a `GitRepository` and `Kustomization` are created for the Flux components, and the manifests are pushed to an existing Git repository(or a new one is created). Flux can manage itself just as it manages other resources. 
+The process of installing the Flux components in a complete GitOps way is called a bootstrap. The manifests are applied to the cluster, a `GitRepository` and `Kustomization` are created for the Flux components, and the manifests are pushed to an existing Git repository (or a new one is created). Flux can manage itself just as it manages other resources. 
 The bootstrap is done using the `flux` CLI `flux bootstrap`.
 
-For more information, take a look at [the documentation for the bootstrap command](../cmd/flux_bootstrap.md).
+For more information, take a look at [the documentation for the bootstrap command](../cmd/flux_bootstrap.md).

docs/dev-guides/source-watcher.md

@@ -17,7 +17,7 @@ On your dev machine install the following tools:
 * kustomize >= 3.5
 * docker >= 19.03
 
-## Install the GitOps Toolkit
+## Install Flux
 
 Create a cluster for testing:
 
@@ -25,7 +25,7 @@ Create a cluster for testing:
 kind create cluster --name dev
 ```
 
-Install the toolkit CLI:
+Install the Flux CLI:
 
 ```sh
 curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
@@ -37,7 +37,7 @@ Verify that your dev machine satisfies the prerequisites with:
 flux check --pre
 ```
 
-Install the toolkit controllers on the dev cluster:
+Install source-controller on the dev cluster:
 
 ```sh
 flux install
@@ -45,13 +45,13 @@ flux install
 
 ## Clone the sample controller
 
-You'll be using [stefanprodan/source-watcher](https://github.com/stefanprodan/source-watcher) as
+You'll be using [fluxcd/source-watcher](https://github.com/fluxcd/source-watcher) as
 a template for developing your own controller. The source-watcher was scaffolded with `kubebuilder init`.
 
-Clone the source-watcher repo:
+Clone the source-watcher repository:
 
 ```sh
-git clone https://github.com/stefanprodan/source-watcher
+git clone https://github.com/fluxcd/source-watcher
 cd source-watcher
 ```
 
@@ -115,7 +115,7 @@ The source-controller reports the revision under `GitRepository.Status.Artifact.
 
 ## How it works
 
-The [GitRepositoryWatcher](https://github.com/stefanprodan/source-watcher/blob/master/controllers/gitrepository_watcher.go)
+The [GitRepositoryWatcher](https://github.com/fluxcd/source-watcher/blob/main/controllers/gitrepository_watcher.go)
 controller does the following:
 
 * subscribes to `GitRepository` events
@@ -186,8 +186,8 @@ func (r *GitRepositoryWatcher) SetupWithManager(mgr ctrl.Manager) error {
 
 To add the watcher to an existing project, copy the controller and the revision change predicate to your `controllers` dir:
 
-* [gitrepository_watcher.go](https://github.com/stefanprodan/source-watcher/blob/master/controllers/gitrepository_watcher.go)
-* [gitrepository_predicate.go](https://github.com/stefanprodan/source-watcher/blob/master/controllers/gitrepository_predicate.go)
+* [gitrepository_watcher.go](https://github.com/fluxcd/source-watcher/blob/main/controllers/gitrepository_watcher.go)
+* [gitrepository_predicate.go](https://github.com/fluxcd/source-watcher/blob/main/controllers/gitrepository_predicate.go)
 
 In your `main.go` init function, register the Source API schema:
 
@@ -224,9 +224,9 @@ Your `go.mod` should require controller-runtime v0.6 or newer:
 
 ```go
 require (
-	k8s.io/apimachinery v0.18.4
-	k8s.io/client-go v0.18.4
-	sigs.k8s.io/controller-runtime v0.6.0
+    k8s.io/apimachinery v0.19.4
+    k8s.io/client-go v0.19.4
+    sigs.k8s.io/controller-runtime v0.6.4
 )
 ```
 

docs/get-started/index.md

@@ -1,14 +1,20 @@
 # Get started with Flux v2
 
+!!! note "Basic knowledge"
+    This guide assumes you have some understanding of the core concepts and have read the introduction to Flux.
+    The core concepts used in this guide are [GitOps](../core-concepts/index.md#gitops), [Sources](../core-concepts/index.md#sources), [Kustomization](../core-concepts/index.md#kustomization).
+
+In this tutorial, you will deploy an application to a kubernetes cluster with Flux and manage the cluster in a complete GitOps manner. You'll be using a dedicated Git repository e.g. `fleet-infra` to manage the Kubernetes clusters. All the manifest will be pushed to this repository and then applied by Flux.
+
 ## Prerequisites
 
-You will need two Kubernetes clusters version 1.16 or newer and kubectl version 1.18.
+In order to follow the guide, you will need one Kubernetes cluster version 1.16 or newer and kubectl version 1.18.
 For a quick local test, you can use [Kubernetes kind](https://kind.sigs.k8s.io/docs/user/quick-start/).
 Any other Kubernetes setup will work as well though.
 
-In order to follow the guide you'll need a GitHub account and a
+Flux is installed in a complete GitOps way and its manifest will be pushed to the repository, so you will also need a GitHub account and a
 [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line)
-that can create repositories (check all permissions under `repo`).
+that can create repositories (check all permissions under `repo`) to enable Flux do this.
 
 Export your GitHub personal access token and username:
 
@@ -52,24 +58,13 @@ profile:
 
 `zsh`, `fish`, and `powershell` are also supported with their own sub-commands.
 
-## GitOps workflow
+## Install Flux components
 
-You'll be using a dedicated Git repository e.g. `fleet-infra` to manage one or more Kubernetes clusters.
-This guide assumes that you have two clusters, one for staging and one for production.
-
-Using the Flux CLI you'll do the following:
-
-- configure each cluster to synchronise with a directory inside the fleet repository
-- register app sources (git repositories) that contain plain Kubernetes manifests or Kustomize overlays
-- configure app deployments on both clusters (pre-releases on staging, semver releases on production)
-
-## Staging bootstrap
-
-Create the staging cluster using Kubernetes kind or set the kubectl context to an existing cluster:
+Create the cluster using Kubernetes kind or set the kubectl context to an existing cluster:
 
 ```sh
-kind create cluster --name staging
-kubectl cluster-info --context kind-staging
+kind create cluster
+kubectl cluster-info --context kind-kind
 ```
 
 Verify that your staging cluster satisfies the prerequisites with:
@@ -89,7 +84,7 @@ flux bootstrap github \
   --owner=$GITHUB_USER \
   --repository=fleet-infra \
   --branch=main \
-  --path=staging-cluster \
+  --path=./clusters/my-cluster \
   --personal
 ```
 
@@ -98,8 +93,8 @@ flux bootstrap github \
     you can use `--arch=arm` for ARMv7 32-bit container images
     and `--arch=arm64` for ARMv8 64-bit container images.
 
-The bootstrap command creates a repository if one doesn't exist, and
-commits the manifests for the Flux components to the default branch at the specified path.
+The bootstrap command creates a repository if one doesn't exist,
+commits the manifests for the Flux components to the default branch at the specified path, and installs the Flux components.
 Then it configures the target cluster to synchronize with the specified path inside the repository.
 
 If you wish to create the repository under a GitHub organization:
@@ -111,7 +106,7 @@ flux bootstrap github \
   --branch=<organization default branch> \
   --team=<team1-slug> \
   --team=<team2-slug> \
-  --path=staging-cluster
+  --path=./clusters/my-cluster
 ```
 
 Example output:
@@ -148,102 +143,104 @@ If you prefer GitLab, export `GITLAB_TOKEN` env var and use the command [flux bo
     You can target a specific Flux [version](https://github.com/fluxcd/flux2/releases)
     with `flux bootstrap --version=<semver>`.
 
-## Staging workflow
+## Clone the git repository
 
-Clone the repository with:
+We are going to be managing the application in a GitOps manner with the git repository. The Flux manifests generated by the CLI will be pushed to the git repository. Instead of applying the manifests directly to the cluster, Flux will apply it for us instead :).
+
+Therefore, we need to clone the repository to our local machine.
 
 ```sh
 git clone https://github.com/$GITHUB_USER/fleet-infra
 cd fleet-infra
 ```
 
-Create a git source pointing to a public repository master branch:
+
+## Add podinfo repository to Flux
+
+We will be using a public repository [github.com/stefanprodan/podinfo](https://github.com/stefanprodan/podinfo), podinfo is a tiny web application made with Go.
+
+Create a GitRepository manifest pointing to the repository's master branch with Flux CLI.
 
 ```sh
-flux create source git webapp \
+flux create source git podinfo \
   --url=https://github.com/stefanprodan/podinfo \
   --branch=master \
   --interval=30s \
-  --export > ./staging-cluster/webapp-source.yaml
+  --export > ./clusters/my-cluster/podinfo-source.yaml
 ```
 
-Create a kustomization for synchronizing the common manifests on the cluster:
+Commit and push it to the `fleet-infra` repository, then Flux applies it to the cluster.
 
 ```sh
-flux create kustomization webapp-common \
-  --source=webapp \
-  --path="./deploy/webapp/common" \
+git add -A && git commit -m "Adds podinfo git source"
+git push
+```
+
+## Deploy podinfo application
+
+We will create a kustomization manifest for podinfo. This will apply the manifest in the `kustomize` directory in the podinfo repository.
+
+```sh
+flux create kustomization podinfo \
+  --source=podinfo \
+  --path="./kustomize" \
   --prune=true \
   --validation=client \
-  --interval=1h \
-  --export > ./staging-cluster/webapp-common.yaml
+  --interval=5m \
+  --export > ./clusters/my-cluster/podinfo-kustomization.yaml
 ```
 
-Create a kustomization for the backend service that depends on common:
+Commit and push the kustomization manifest to the git repository so that Flux applies it to the cluster.
 
 ```sh
-flux create kustomization webapp-backend \
-  --depends-on=webapp-common \
-  --source=webapp \
-  --path="./deploy/webapp/backend" \
-  --prune=true \
-  --validation=client \
-  --interval=10m \
-  --health-check="Deployment/backend.webapp" \
-  --health-check-timeout=2m \
-  --export > ./staging-cluster/webapp-backend.yaml
+git add -A && git commit -m "Adds podinfo kustomization"
+git push
 ```
 
-Create a kustomization for the frontend service that depends on backend:
-
-```sh
-flux create kustomization webapp-frontend \
-  --depends-on=webapp-backend \
-  --source=webapp \
-  --path="./deploy/webapp/frontend" \
-  --prune=true \
-  --validation=client \
-  --interval=10m \
-  --health-check="Deployment/frontend.webapp" \
-  --health-check-timeout=2m \
-  --export > ./staging-cluster/webapp-frontend.yaml
+The structure of your repository should look like this:
+```
+fleet-infra
+└── clusters/
+    └── my-cluster/
+        ├── flux-system/                        
+        │   ├── gotk-components.yaml/
+        │   ├── gotk-sync.yaml/
+        │   └── kustomization.yaml/
+        ├── podinfo-kustomization.yaml
+        └── podinfo-source.yaml
 ```
 
-Push changes to origin:
 
-```sh
-git add -A && git commit -m "add staging webapp" && git push
-```
+## Watch Flux sync the application
 
 In about 30s the synchronization should start:
 
 ```console
 $ watch flux get kustomizations
 NAME            READY   MESSAGE
-flux-system     True    Applied revision: main/6eea299fe9997c8561b826b67950afaf9a476cf8
-webapp-backend  False   dependency 'flux-system/webapp-common' is not ready
-webapp-common   True    Applied revision: master/7411da595c25183daba255068814b83843fe3395
-webapp-frontend False   dependency 'flux-system/webapp-backend' is not ready
+flux-system     main/fc07af652d3168be329539b30a4c3943a7d12dd8   False           True    Applied revision: main/fc07af652d3168be329539b30a4c3943a7d12dd8
+podinfo         master/855f7724be13f6146f61a893851522837ad5b634 False           True    Applied revision: master/855f7724be13f6146f61a893851522837ad5b634
 ```
 
-When the synchronization finishes you can check that the webapp services are running:
+When the synchronization finishes you can check that the podinfo has been deployed on your cluster:
 
 ```console
-$ kubectl -n webapp get deployments,services
-NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
-deployment.apps/backend    1/1     1            1           4m1s
-deployment.apps/frontend   1/1     1            1           3m31s
+$ kubectl -n default get deployments,services
+NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
+deployment.apps/podinfo   2/2     2            2           108s
 
-NAME               TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)             AGE
-service/backend    ClusterIP   10.52.10.22   <none>        9898/TCP,9999/TCP   4m1s
-service/frontend   ClusterIP   10.52.9.85    <none>        80/TCP              3m31s
+NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
+service/podinfo      ClusterIP   10.100.149.126   <none>        9898/TCP,9999/TCP   108s
 ```
 
 !!! tip
     From this moment forward, any changes made to the webapp
-    Kubernetes manifests in the master branch will be synchronised with the staging cluster.
+    Kubernetes manifests in the master branch will be synchronised with your cluster.
 
 If a Kubernetes manifest is removed from the webapp repository, the reconciler will remove it from your cluster.
+If you delete a kustomization from the cluster, the reconciler will remove all Kubernetes objects that
+were previously applied from that kustomization.
+
 If you delete a kustomization from the `fleet-infra` repo, the reconciler will remove all Kubernetes objects that
 were previously applied from that kustomization.
 
@@ -252,121 +249,10 @@ the state described in git. When dealing with an incident, you can pause the rec
 kustomization with `flux suspend kustomization <name>`. Once the debugging session
 is over, you can re-enable the reconciliation with `flux resume kustomization <name>`.
 
-## Production bootstrap 
+## Multi-cluster Setup
 
-On production clusters, you may wish to deploy stable releases of an application.
-When creating a git source instead of a branch, you can specify a git tag or a semver expression. 
+To use Flux to manage more than one cluster or promote deployments from staging to production, take a look at the 
+two approaches in the repositories listed below.
 
-Create the production cluster using Kubernetes kind or set the kubectl context to an existing cluster:
-
-```sh
-kind create cluster --name production
-kubectl cluster-info --context kind-production
-```
-
-Run the bootstrap for the production environment:
-
-```sh
-flux bootstrap github \
-  --owner=$GITHUB_USER \
-  --repository=fleet-infra \
-  --path=prod-cluster \
-  --personal
-```
-Pull the changes locally:
-
-```sh
-git pull
-```
-
-## Production workflow
-
-Create a git source using a semver range to target stable releases:
-
-```sh
-flux create source git webapp \
-  --url=https://github.com/stefanprodan/podinfo \
-  --tag-semver=">=4.0.0 <4.0.2" \
-  --interval=30s \
-  --export > ./prod-cluster/webapp-source.yaml
-```
-
-Create a kustomization for webapp pointing to the production overlay:
-
-```sh
-flux create kustomization webapp \
-  --source=webapp \
-  --path="./deploy/overlays/production" \
-  --prune=true \
-  --validation=client \
-  --interval=10m \
-  --health-check="Deployment/frontend.production" \
-  --health-check="Deployment/backend.production" \
-  --health-check-timeout=2m \
-  --export > ./prod-cluster/webapp-production.yaml
-``` 
-
-Push changes to origin:
-
-```sh
-git add -A && git commit -m "add prod webapp" && git push
-```
-
-List git sources:
-
-```console
-$ flux get sources git
-NAME            REVISION                                        READY   MESSAGE
-flux-system     main/5ae055e24b2c8a78f981708b61507a97a30bd7a6   True    Fetched revision: main/113360052b3153e439a0cf8de76b8e3d2a7bdf27
-webapp          4.0.1/113360052b3153e439a0cf8de76b8e3d2a7bdf27  True    Fetched revision: 4.0.1/113360052b3153e439a0cf8de76b8e3d2a7bdf27
-```
-
-The kubectl equivalent is `kubectl -n flux-system get gitrepositories`.
-
-List kustomization:
-
-```console
-$ flux get kustomizations
-NAME            REVISION                                        SUSPENDED       READY   MESSAGE
-flux-system     main/5ae055e24b2c8a78f981708b61507a97a30bd7a6   False           True    Applied revision: main/5ae055e24b2c8a78f981708b61507a97a30bd7a6
-webapp          4.0.1/113360052b3153e439a0cf8de76b8e3d2a7bdf27  False           True    Applied revision: 4.0.1/113360052b3153e439a0cf8de76b8e3d2a7bdf27
-```
-
-The kubectl equivalent is `kubectl -n flux-system get kustomizations`.
-
-If you want to upgrade to the latest 4.x version, you can change the semver expression to:
-
-```sh
-flux create source git webapp \
-  --url=https://github.com/stefanprodan/podinfo \
-  --tag-semver=">=4.0.0 <5.0.0" \
-  --interval=30s \
-  --export > ./prod-cluster/webapp-source.yaml
-
-git add -A && git commit -m "update prod webapp" && git push
-```
-
-Trigger a git sync:
-
-```console
-$ flux reconcile ks flux-system --with-source 
-► annotating source flux-system
-✔ source annotated
-◎ waiting for reconcilitation
-✔ git reconciliation completed
-✔ fetched revision main/d751ea264d48bf0db8b588d1d08184834ac8fec9
-◎ waiting for kustomization reconcilitation
-✔ kustomization reconcilitation completed
-✔ applied revision main/d751ea264d48bf0db8b588d1d08184834ac8fec9
-```
-
-The kubectl equivalent is `kubectl -n flux-system annotate gitrepository/flux-system fluxcd.io/reconcileAt="$(date +%s)"`.
-
-Wait for the webapp to be upgraded:
-
-```console
-$ watch flux get kustomizations
-NAME            REVISION                                        SUSPENDED       READY   MESSAGE
-flux-system     main/d751ea264d48bf0db8b588d1d08184834ac8fec9   False           True    Applied revision: main/d751ea264d48bf0db8b588d1d08184834ac8fec9
-webapp          4.0.6/26a630c0b4b3452833d96c511d93f6f2d2e90a99  False           True    Applied revision: 4.0.6/26a630c0b4b3452833d96c511d93f6f2d2e90a99
-```
+1. [https://github.com/fluxcd/flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example)
+2. [https://github.com/fluxcd/flux2-multi-tenancy](https://github.com/fluxcd/flux2-multi-tenancy)

docs/guides/helmreleases.md

@@ -117,52 +117,79 @@ repository and omits all other files.
     HTTP/S basic and SSH authentication can be configured for private
     Git repositories. See the [`GitRepository` CRD docs](../components/source/gitrepositories.md)
     for more details.
-    
-### Bucket
 
-Charts from S3 compatible storage buckets can be released by declaring
-a `Bucket`, the source-controller will fetch the contents of the bucket
-on an interval and expose it as an artifact.
+### Cloud Storage
 
-**There is one caveat you should be aware of:** to make the
-source-controller produce a new chart artifact, the `version` in the
-`Chart.yaml` of the chart must be bumped.
+It is inadvisable while still possible to use a `Bucket` as a source for a `HelmRelease`,
+as the whole storage bucket will be downloaded by source controller at each sync. The
+bucket can easily become very large if there are frequent releases of multiple charts
+that are stored in the same bucket.
 
-An example `Bucket`:
+A better option is to use [Chartmuseum](https://github.com/helm/chartmuseum) and run a cluster
+local Helm repository that can be used by source controller. Chartmuseum has support
+for multiple different cloud storage solutions such as S3, GCS, and Azure Blob Storage,
+meaning that you are not limited to only using storage providers that support the S3 protocol.
+
+You can deploy a Chartmuseum instance with a `HelmRelease` that exposes a Helm repository stored
+in a S3 bucket. Please refer to [Chartmuseums how to run documentation](https://chartmuseum.com/docs/#how-to-run)
+for details about how to use other storage backends.
 
 ```yaml
 apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: Bucket
+kind: HelmRepository
 metadata:
-  name: podinfo
-  namespace: gotk-system
+  name: chartmuseum
+  namespace: flux-system
 spec:
-  interval: 1m
-  provider: generic
-  bucketName: podinfo
-  endpoint: minio.minio.svc.cluster.local:9000
-  ignore: |
-    # exclude all
-    /*
-    # include charts directory
-    !/charts/
+  url: https://chartmuseum.github.io/charts
+  interval: 10m
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: chartmuseum
+  namespace: flux-system
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: chartmuseum
+      version: "2.14.2"
+      sourceRef:
+        kind: HelmRepository
+        name: chartmuseum
+        namespace: flux-system
+      interval: 1m
+  values:
+    env:
+      open:
+        AWS_SDK_LOAD_CONFIG: true
+        STORAGE: amazon
+        STORAGE_AMAZON_BUCKET: "bucket-name"
+        STORAGE_AMAZON_PREFIX: ""
+        STORAGE_AMAZON_REGION: "region-name"
+    serviceAccount:
+      create: true
+      annotations:
+        eks.amazonaws.com/role-arn: "role-arn"
+    securityContext:
+      enabled: true
+      fsGroup: 65534
 ```
 
-The `interval` defines at which interval the Git repository contents
-are fetched, and should be at least `1m`. Setting this to a higher
-value means newer chart versions will be detected at a slower pace,
-a push-based fetch can be introduced using [webhook receivers](webhook-receivers.md)
+After Chartmuseum is up and running it should be possible to use the accompanying
+service as the url for the `HelmRepository`.
 
-The `provider`, `bucketName` and `endpoint` together define what
-S3 compatible storage should be connected to. For more information,
-see the [`Bucket` CRD docs](../components/source/buckets.md).
-
-
-The `ignore` defines file and folder exclusion for the
-artifact produced, and follows the [`.gitignore` pattern
-format](https://git-scm.com/docs/gitignore#_pattern_format).
-The above example only includes the `charts` directory of the
-repository and omits all other files.
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: helm-charts
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: http://chartmuseum-chartmuseum:8080
+```
 
 ## Define a Helm release
 

docs/guides/image-update.md

@@ -358,3 +358,145 @@ images:
   newName: ghcr.io/stefanprodan/podinfo
   newTag: 5.0.0 # {"$imagepolicy": "flux-system:podinfo:tag"}
 ```
+
+## ImageRepository cloud providers authentication
+
+If relying on a cloud provider image repository, you might need to do some extra
+work in order to configure the ImageRepository resource credentials. Here are
+some common examples for the most popular cloud provider docker registries.
+
+!!! warning "Workarounds"
+    The examples below are intended as workaround solutions until native
+    authentication mechanisms are implemented in Flux itself to support this in
+    a more straightforward manner.
+
+### AWS Elastic Container Registry
+
+The registry authentication credentials for ECR expire every 12 hours.
+Considering this limitation, one needs to ensure the credentials are being
+refreshed before expiration so that the controller can rely on them for
+authentication.
+
+The solution proposed is to create a cronjob that runs every 6 hours which would
+re-create the `docker-registry` secret using a new token.
+
+Edit and save the following snippet to a file
+`./clusters/my-cluster/ecr-sync.yaml`, commit and push it to git.
+
+```yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ecr-credentials-sync
+  namespace: flux-system
+rules:
+- apiGroups: [""]
+  resources:
+  - secrets
+  verbs:
+  - delete
+  - create
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ecr-credentials-sync
+  namespace: flux-system
+subjects:
+- kind: ServiceAccount
+  name: ecr-credentials-sync
+roleRef:
+  kind: Role
+  name: ecr-credentials-sync
+  apiGroup: ""
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ecr-credentials-sync
+  # Uncomment and edit if using IRSA
+  # annotations:
+  #   eks.amazonaws.com/role-arn: <role arn>
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: ecr-credentials-sync
+  namespace: flux-system
+spec:
+  suspend: false
+  schedule: 0 */6 * * *
+  failedJobsHistoryLimit: 1
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: ecr-credentials-sync
+          restartPolicy: Never
+          volumes:
+          - name: token
+            emptyDir:
+              medium: Memory
+          initContainers:
+          - image: amazon/aws-cli
+            name: get-token
+            imagePullPolicy: IfNotPresent
+            # You will need to set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables if not using
+            # IRSA. It is recommended to store the values in a Secret and load them in the container using envFrom.
+            # envFrom:
+            # - secretRef:
+            #     name: aws-credentials
+            env:
+            - name: REGION
+              value: us-east-1 # change this if ECR repo is in a different region
+            volumeMounts:
+            - mountPath: /token
+              name: token
+            command:
+            - /bin/sh
+            - -ce
+            - aws ecr get-login-password --region ${REGION} > /token/ecr-token
+          containers:
+          - image: bitnami/kubectl
+            name: create-secret
+            imagePullPolicy: IfNotPresent
+            env:
+            - name: SECRET_NAME
+              value: <secret name> # this is the generated Secret name
+            - name:
+              value: <account id>.dkr.ecr.<region>.amazonaws.com # fill in the account id and region
+            volumeMounts:
+            - mountPath: /token
+              name: token
+            command:
+            - /bin/bash
+            - -ce
+            - |-
+              kubectl delete secret --ignore-not-found $SECRET_NAME
+              kubectl create secret docker-registry $SECRET_NAME \
+                --docker-server="$ECR_REGISTRY" \
+                --docker-username=AWS \
+                --docker-password="$(</token/ecr-token)"
+```
+
+!!! hint "Using IAM Roles for Service Accounts (IRSA)"
+    If using IRSA, make sure the role attached to the service account has
+    readonly access to ECR. The AWS managed policy
+    `arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly` can be attached
+    to the role.
+
+Since the cronjob will not create a job right away, after applying the manifest,
+you can manually create an init job using the following command:
+
+```console
+$ kubectl create job --from=cronjob/ecr-credentials-sync -n flux-system ecr-credentials-sync-init
+```
+
+## GCP Container Registry
+
+TODO
+
+### Azure Container Registry
+
+TODO

docs/roadmap/index.md

@@ -48,11 +48,11 @@ Tasks
 
 ### Flux image update feature parity
 
-[= 70% "70%"]
+[= 80% "80%"]
 
-Image automation is available as a prerelease. See [the
-README](https://github.com/fluxcd/image-automation-controller#readme)
-for instructions on installing it.
+Image automation is available as a prerelease. See [this
+guide](https://toolkit.fluxcd.io/guides/image-update/) for how to
+install and use it.
 
 Goals
 
@@ -73,7 +73,8 @@ Tasks
 - [ ] Azure-specific support [fluxcd/image-reflector-controller#11](https://github.com/fluxcd/image-reflector-controller/issues/11)
 - [x] <span style="color:grey">Design the automation component</span>
 - [x] <span style="color:grey">Implement the image scan/patch/push workflow</span>
-- [ ] Integrate the new components in the Flux CLI [fluxcd/flux2#538](https://github.com/fluxcd/flux2/pull/538)
+- [x] <span style="color:grey">Integrate the new components in the Flux CLI [fluxcd/flux2#538](https://github.com/fluxcd/flux2/pull/538)</span>
+- [x] <span style="color:grey">Write a guide for how to use image automation ([guide here](https://toolkit.fluxcd.io/guides/image-update/))</span>
 - [ ] Write a migration guide from Flux annotations
 
 ## The road to Helm Operator v2

mkdocs.yml

@@ -101,6 +101,7 @@ nav:
     - Create tenant: cmd/flux_create_tenant.md
     - Create secret: cmd/flux_create_secret.md
     - Create secret git: cmd/flux_create_secret_git.md
+    - Create secret helm: cmd/flux_create_secret_helm.md
     - Delete: cmd/flux_delete.md
     - Delete kustomization: cmd/flux_delete_kustomization.md
     - Delete helmrelease: cmd/flux_delete_helmrelease.md

pkg/manifestgen/sync/sync.go

@@ -19,7 +19,7 @@ package sync
 import (
 	"bytes"
 	"fmt"
-	"path/filepath"
+	"path"
 	"strings"
 	"time"
 
@@ -93,7 +93,7 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
 	}
 
 	return &manifestgen.Manifest{
-		Path:    filepath.Join(options.TargetPath, options.Namespace, options.ManifestFile),
+		Path:    path.Join(options.TargetPath, options.Namespace, options.ManifestFile),
 		Content: fmt.Sprintf("---\n%s---\n%s", resourceToString(gitData), resourceToString(ksData)),
 	}, nil
 }