Merge pull request #2291 from fluxcd/update-components

Update kustomize-controller to v0.19.1
Update toolkit components
2026-03-01 19:26:55 +00:00 · 2022-01-13 20:33:47 +02:00 · 2022-01-13 18:17:27 +00:00 · 2022-01-13 19:56:47 +02:00 · 2022-01-13 19:37:14 +02:00 · 2022-01-13 19:36:56 +02:00
570 changed files with 21463 additions and 17026 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -0,0 +1,84 @@
 ---
 name: Bug report
 description: Create a report to help us improve Flux
 body:
 - type: markdown
  attributes:
    value: |
      ## Support
      Find out more about your support options and getting help at: https://fluxcd.io/support/
 - type: textarea
  validations:
    required: true
  attributes:
    label: Describe the bug
    description: A clear description of what the bug is.
 - type: textarea
  validations:
    required: true
  attributes:
    label: Steps to reproduce
    description: |
      Steps to reproduce the problem.
    placeholder: |
      For example:
      1. Install Flux with the additional image automation controllers
      2. Run command '...'
      3. See error
 - type: textarea
  validations:
    required: true
  attributes:
    label: Expected behavior
    description: A brief description of what you expected to happen.
 - type: textarea
  attributes:
    label: Screenshots and recordings
    description: |
      If applicable, add screenshots to help explain your problem. You can also record an asciinema session: https://asciinema.org/
 - type: input
  validations:
    required: true
  attributes:
    label: OS / Distro
    description: The OS / distro you are executing `flux` on. If not applicable, write `N/A`.
    placeholder: e.g. Windows 10, Ubuntu 20.04, Arch Linux, macOS 10.15...
 - type: input
  validations:
    required: true
  attributes:
    label: Flux version
    description: Run `flux version --client`. If not applicable, write `N/A`.
    placeholder: e.g. v0.20.1
 - type: textarea
  validations:
    required: true
  attributes:
    label: Flux check
    description: Run `flux check`. If not applicable, write `N/A`.
    placeholder: |
      For example:
      ► checking prerequisites
      ✔ Kubernetes 1.21.1 >=1.19.0-0
      ► checking controllers
      ✔ all checks passed
 - type: input
  attributes:
    label: Git provider
    description: If applicable, add the Git provider you are having problems with, e.g. GitHub (Enterprise), GitLab, etc.
 - type: input
  attributes:
    label: Container Registry provider
    description: If applicable, add the Container Registry provider you are having problems with, e.g. DockerHub, GitHub Packages, Quay.io, etc.
 - type: textarea
  attributes:
    label: Additional context
    description: Add any other context about the problem here. This can be logs (e.g. output from `flux logs`), environment specific caveats, etc.
 - type: checkboxes
  id: terms
  attributes:
    label: Code of Conduct
    description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/fluxcd/.github/blob/main/CODE_OF_CONDUCT.md)
    options:
    - label: I agree to follow this project's Code of Conduct
      required: true
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
 blank_issues_enabled: true
 contact_links:
  - name: Ask a question
    url: https://github.com/fluxcd/flux2/discussions
    about: Please ask and answer questions here.
--- a/.github/aur/flux-bin/.SRCINFO.template
+++ b/.github/aur/flux-bin/.SRCINFO.template
@@ -8,7 +8,6 @@ pkgbase = flux-bin
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
 	optdepends = kubectl
 	source_x86_64 = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_amd64.tar.gz
 	source_armv6h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
 	source_armv7h = flux-bin-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v1/flux_${PKGVER}_linux_arm.tar.gz
--- a/.github/aur/flux-bin/PKGBUILD.template
+++ b/.github/aur/flux-bin/PKGBUILD.template
@@ -8,18 +8,19 @@ pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
 arch=("x86_64" "armv6h" "armv7h" "aarch64")
 license=("APACHE")
-optdepends=("kubectl")
+optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source_x86_64=(
-  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
 )
 source_armv6h=(
-  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
 )
 source_armv7h=(
-  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
 )
 source_aarch64=(
-  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
 )
 sha256sums_x86_64=(
  ${SHA256SUM_AMD64}
@@ -33,7 +34,12 @@ sha256sums_armv7h=(
 sha256sums_aarch64=(
  ${SHA256SUM_ARM64}
 )
 _srcname=flux
 package() {
-	install -Dm755 flux "$pkgdir/usr/bin/flux"
+	install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
    "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
    "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
    "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
 }
--- a/.github/aur/flux-go/.SRCINFO.template
+++ b/.github/aur/flux-go/.SRCINFO.template
@@ -10,7 +10,6 @@ pkgbase = flux-go
 	license = APACHE
 	makedepends = go
 	depends = glibc
 	optdepends = kubectl
 	provides = flux-bin
 	conflicts = flux-bin
  replaces = flux-cli
--- a/.github/aur/flux-go/PKGBUILD.template
+++ b/.github/aur/flux-go/PKGBUILD.template
@@ -12,32 +12,39 @@ provides=("flux-bin")
 conflicts=("flux-bin")
 replaces=("flux-cli")
 depends=("glibc")
-makedepends=("go")
+makedepends=('go>=1.17', 'kustomize>=3.0')
-optdepends=("kubectl")
+optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
-  "$pkgname-$pkgver.tar.gz::https://github.com/fluxcd/flux2/archive/v$pkgver.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${pkgver}.tar.gz"
 )
 sha256sums=(
  ${SHA256SUM}
 )
 _srcname=flux
 build() {
-  cd "flux2-$pkgver"
+  cd "flux2-${pkgver}"
  export CGO_LDFLAGS="$LDFLAGS"
  export CGO_CFLAGS="$CFLAGS"
  export CGO_CXXFLAGS="$CXXFLAGS"
  export CGO_CPPFLAGS="$CPPFLAGS"
-  export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
+  export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
-  go build -ldflags "-X main.VERSION=$pkgver" -o flux-bin ./cmd/flux
+  ./manifests/scripts/bundle.sh "${PWD}/manifests" "${PWD}/cmd/flux/manifests"
  go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
 }
 check() {
-  cd "flux2-$pkgver"
+  cd "flux2-${pkgver}"
  make test
 }
 package() {
-  cd "flux2-$pkgver"
+  cd "flux2-${pkgver}"
-  install -Dm755 flux-bin "$pkgdir/usr/bin/flux"
+  install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
-  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
  "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
  "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
  "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
 }
--- a/.github/aur/flux-scm/.SRCINFO.template
+++ b/.github/aur/flux-scm/.SRCINFO.template
@@ -10,7 +10,6 @@ pkgbase = flux-scm
 	license = APACHE
 	makedepends = go
 	depends = glibc
 	optdepends = kubectl
 	provides = flux-bin
 	conflicts = flux-bin
 	source = git+https://github.com/fluxcd/flux2.git
--- a/.github/aur/flux-scm/PKGBUILD.template
+++ b/.github/aur/flux-scm/PKGBUILD.template
@@ -11,12 +11,14 @@ license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 depends=("glibc")
-makedepends=("go")
+makedepends=('go>=1.17', 'kustomize>=3.0', 'git')
-optdepends=("kubectl")
+optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
  "git+https://github.com/fluxcd/flux2.git"
 )
 md5sums=('SKIP')
 _srcname=flux
 pkgver() {
  cd "flux2"
@@ -29,8 +31,9 @@ build() {
  export CGO_CFLAGS="$CFLAGS"
  export CGO_CXXFLAGS="$CXXFLAGS"
  export CGO_CPPFLAGS="$CPPFLAGS"
-  export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
+  export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
-  go build -ldflags "-X main.VERSION=$pkgver" -o flux-bin ./cmd/flux
+  make cmd/flux/.manifests.done
  go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
 }
 check() {
@@ -40,6 +43,10 @@ check() {
 package() {
  cd "flux2"
-  install -Dm755 flux-bin "$pkgdir/usr/bin/flux"
+  install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
-  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
  "${pkgdir}/usr/bin/${_srcname}" completion bash | install -Dm644 /dev/stdin "${pkgdir}/usr/share/bash-completion/completions/${_srcname}"
  "${pkgdir}/usr/bin/${_srcname}" completion fish | install -Dm644 /dev/stdin "${pkgdir}/usr/share/fish/vendor_completions.d/${_srcname}.fish"
  "${pkgdir}/usr/bin/${_srcname}" completion zsh | install -Dm644 /dev/stdin "${pkgdir}/usr/share/zsh/site-functions/_${_srcname}"
 }
--- a/.github/kind/config.yaml
+++ b/.github/kind/config.yaml
@@ -0,0 +1,5 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 networking:
  disableDefaultCNI: true   # disable kindnet
  podSubnet: 192.168.0.0/16 # set to Calico's default subnet
--- a/.github/runners/README.md
+++ b/.github/runners/README.md
@@ -0,0 +1,72 @@
 # Flux ARM64 GitHub runners
 The Flux ARM64 end-to-end tests run on Equinix instances provisioned with Docker and GitHub self-hosted runners.
 ## Current instances
 | Runner        | Instance            | Region |
 |---------------|---------------------|--------|
 | equinix-arm-1 | flux-equinix-arm-01 | AMS1   |
 | equinix-arm-2 | flux-equinix-arm-01 | AMS1   |
 | equinix-arm-3 | flux-equinix-arm-01 | AMS1   |
 | equinix-arm-4 | flux-equinix-arm-02 | DFW2   |
 | equinix-arm-5 | flux-equinix-arm-02 | DFW2   |
 | equinix-arm-6 | flux-equinix-arm-02 | DFW2   |
 ## Instance setup
 In order to add a new runner to the GitHub Actions pool,
 first create a server on Equinix with the following configuration:
 - Type: c2.large.arm
 - OS: Ubuntu 20.04
 ### Install prerequisites
 - SSH into a newly created instance
 ```shell
 ssh root@<instance-public-IP>
 ``` 
 - Create the ubuntu user
 ```shell
 adduser ubuntu
 usermod -aG sudo ubuntu
 su - ubuntu
 ```
 - Create the prerequisites dir
 ```shell
 mkdir -p prereq && cd prereq
 ```
 - Download the prerequisites script
 ```shell
 curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/prereq.sh > prereq.sh \
  && chmod +x ./prereq.sh
 ```
 - Install the prerequisites
 ```shell
 sudo ./prereq.sh
 ```
 ### Install runners
 - Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)
 - Create 3 directories `runner1`, `runner2`, `runner3`
 - In each dir run:
 ```shell
 curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/runner-setup.sh > runner-setup.sh \
  && chmod +x ./runner-setup.sh
 ./runner-setup.sh equinix-arm-<NUMBER> <TOKEN>
 ```
 - Reboot the instance
 ```shell
 sudo reboot
 ```
 - Navigate to the GitHub repository [runners page](https://github.com/fluxcd/flux2/settings/actions/runners) and check the runner status
--- a/.github/runners/prereq.sh
+++ b/.github/runners/prereq.sh
@@ -0,0 +1,68 @@
 #!/usr/bin/env bash
 # Copyright 2021 The Flux authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # This script installs the prerequisites for running Flux end-to-end tests with Docker and GitHub self-hosted runners.
 set -eu
 KIND_VERSION=0.11.1
 KUBECTL_VERSION=1.21.2
 KUSTOMIZE_VERSION=4.1.3
 HELM_VERSION=3.7.2
 GITHUB_RUNNER_VERSION=2.285.1
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq"
 # install prerequisites
 apt-get update \
  && apt-get install -y -q ${PACKAGES} \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 # install docker
 curl -fsSL https://get.docker.com -o get-docker.sh \
  && chmod +x get-docker.sh
 ./get-docker.sh
 systemctl enable docker.service
 systemctl enable containerd.service
 usermod -aG docker ubuntu
 # install kind
 curl -Lo ./kind https://kind.sigs.k8s.io/dl/v${KIND_VERSION}/kind-linux-arm64
 install -o root -g root -m 0755 kind /usr/local/bin/kind
 # install kubectl
 curl -LO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/arm64/kubectl"
 install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
 # install kustomize
 curl -Lo ./kustomize.tar.gz https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_arm64.tar.gz \
  && tar -zxvf kustomize.tar.gz \
  && rm kustomize.tar.gz
 install -o root -g root -m 0755 kustomize /usr/local/bin/kustomize
 # install helm
 curl -Lo ./helm.tar.gz https://get.helm.sh/helm-v${HELM_VERSION}-linux-arm64.tar.gz \
  && tar -zxvf helm.tar.gz \
  && rm helm.tar.gz
 install -o root -g root -m 0755 linux-arm64/helm /usr/local/bin/helm
 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
  && tar xzf actions-runner-linux-arm64.tar.gz \
  && rm actions-runner-linux-arm64.tar.gz
 # install runner dependencies
 ./bin/installdependencies.sh
--- a/.github/runners/runner-setup.sh
+++ b/.github/runners/runner-setup.sh
@@ -0,0 +1,37 @@
 #!/usr/bin/env bash
 # Copyright 2021 The Flux authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # This script installs a GitHub self-hosted ARM64 runner for running Flux end-to-end tests.
 set -eu
 RUNNER_NAME=$1
 REPOSITORY_TOKEN=$2
 REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}
 GITHUB_RUNNER_VERSION=2.285.1
 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
  && tar xzf actions-runner-linux-arm64.tar.gz \
  && rm actions-runner-linux-arm64.tar.gz
 # register runner with GitHub
 ./config.sh --unattended --url ${REPOSITORY_URL} --token ${REPOSITORY_TOKEN} --name ${RUNNER_NAME}
 # start runner
 sudo ./svc.sh install
 sudo ./svc.sh start
--- a/.github/workflows/bootstrap.yaml
+++ b/.github/workflows/bootstrap.yaml
@@ -2,12 +2,14 @@ name: bootstrap
 on:
  push:
-    branches:
+    branches: [ main ]
-      - '*'
+  pull_request:
    branches: [ main ]
 jobs:
  github:
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Checkout
        uses: actions/checkout@v2
@@ -15,58 +17,106 @@ jobs:
        uses: actions/cache@v1
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go-
+            ${{ runner.os }}-go1.17-
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.15.x
+          go-version: 1.17.x
      - name: Setup Kubernetes
        uses: engineerd/setup-kind@v0.5.0
        with:
          version: v0.11.1
          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build
        run: |
          make cmd/flux/.manifests.done
          go build -o /tmp/flux ./cmd/flux
      - name: Set outputs
        id: vars
-        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+        run: |
-      - name: Build
+          REPOSITORY_NAME=${{ github.event.repository.name }}
-        run: sudo go build -o ./bin/flux ./cmd/flux
+          BRANCH_NAME=${GITHUB_REF##*/}
          COMMIT_SHA=$(git rev-parse HEAD)
          PSEUDO_RAND_SUFFIX=$(echo "${BRANCH_NAME}-${COMMIT_SHA}" | shasum | awk '{print $1}')
          TEST_REPO_NAME="${REPOSITORY_NAME}-${PSEUDO_RAND_SUFFIX}"
          echo "::set-output name=test_repo_name::$TEST_REPO_NAME"
      - name: bootstrap init
        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
-          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
+          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
-          --path=test-cluster
+          --path=test-cluster \
          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: bootstrap no-op
        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          /tmp/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
-          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
+          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: uninstall
        run: |
          ./bin/flux uninstall --resources --crds -s --timeout=10m
      - name: bootstrap reinstall
        run: |
          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
          --branch=main \
          --path=test-cluster
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: delete repository
        run: |
          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=flux-test-${{ steps.vars.outputs.sha_short }} \
          --branch=main \
          --path=test-cluster \
-          --delete
+          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: bootstrap customize
        run: |
          make setup-bootstrap-patch
          /tmp/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --team=team-z
          if [ $(kubectl get deployments.apps source-controller -o jsonpath='{.spec.template.spec.securityContext.runAsUser}') != "10000" ]; then
          echo "Bootstrap not customized as controller is not running as user 10000" && exit 1
          fi
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
          GITHUB_ORG_NAME: fluxcd-testing
      - name: libgit2
        run: |
          /tmp/flux create source git test-libgit2 \
          --url=ssh://git@github.com/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} \
          --git-implementation=libgit2 \
          --secret-ref=flux-system \
          --branch=main
      - name: uninstall
        run: |
          /tmp/flux uninstall -s --keep-namespace
          kubectl delete ns flux-system --timeout=10m --wait=true
      - name: test image automation
        run: |
          make setup-image-automation
          /tmp/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --read-write-key
          /tmp/flux reconcile image repository podinfo
          /tmp/flux reconcile image update flux-system
          /tmp/flux get images all
          /tmp/flux get images policy podinfo | grep "5.2.1"
          /tmp/flux get image update flux-system | grep commit
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
          GITHUB_ORG_NAME: fluxcd-testing
      - name: delete repository
        run: |
          curl \
            -X DELETE \
            -H "Accept: application/vnd.github.v3+json" \
            -H "Authorization: token ${GITHUB_TOKEN}" \
            --fail --silent \
            https://api.github.com/repos/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Debug failure
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -1,65 +0,0 @@
 name: Publish docs via GitHub Pages
 on:
  push:
    branches:
      - docs*
      - main
 jobs:
  build:
    name: Deploy docs
    runs-on: ubuntu-latest
    steps:
      - name: Checkout master
        uses: actions/checkout@v1
      - name: Copy assets
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          controller_version() {
            sed -n "s/.*$1\/archive\/\(.*\).zip.*/\1/p;n" manifests/bases/$1/kustomization.yaml
          }
          {
            # source-controller CRDs
            SOURCE_VER=$(controller_version source-controller)
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/api/source.md" > docs/components/source/api.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/gitrepositories.md" > docs/components/source/gitrepositories.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/helmrepositories.md" > docs/components/source/helmrepositories.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/helmcharts.md" > docs/components/source/helmcharts.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/source-controller/$SOURCE_VER/docs/spec/v1beta1/buckets.md" > docs/components/source/buckets.md
          }
          {
            # kustomize-controller CRDs
            KUSTOMIZE_VER=$(controller_version kustomize-controller)
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/kustomize-controller/$KUSTOMIZE_VER/docs/api/kustomize.md" > docs/components/kustomize/api.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/kustomize-controller/$KUSTOMIZE_VER/docs/spec/v1beta1/kustomization.md" > docs/components/kustomize/kustomization.md
          }
          {
            # helm-controller CRDs
            HELM_VER=$(controller_version helm-controller)
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/helm-controller/$HELM_VER/docs/api/helmrelease.md" > docs/components/helm/api.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/helm-controller/$HELM_VER/docs/spec/v2beta1/helmreleases.md" > docs/components/helm/helmreleases.md
          }
          {
            # notification-controller CRDs
            NOTIFICATION_VER=$(controller_version notification-controller)
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/api/notification.md" > docs/components/notification/api.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/event.md" > docs/components/notification/event.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/alert.md" > docs/components/notification/alert.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/provider.md" > docs/components/notification/provider.md
            curl -# -Lf "https://raw.githubusercontent.com/fluxcd/notification-controller/$NOTIFICATION_VER/docs/spec/v1beta1/receiver.md" > docs/components/notification/receiver.md
          }
          {
            # install script
            cp install/flux.sh docs/install.sh
          }
      - name: Deploy docs
        uses: mhausenblas/mkdocs-deploy-gh-pages@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CUSTOM_DOMAIN: toolkit.fluxcd.io
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@@ -0,0 +1,37 @@
 name: e2e-arm64
 on:
  workflow_dispatch:
  push:
    branches: [ main, update-components, equinix-runners ]
 jobs:
  test:
    # Hosted on Equinix
    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
    runs-on: [self-hosted, Linux, ARM64, equinix]
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.17.x
      - name: Prepare
        id: prep
        run: |
          echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
          echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
      - name: Build
        run: |
          make build
      - name: Setup Kubernetes Kind
        run: |
          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
      - name: Run e2e tests
        run: TEST_KUBECONFIG=/tmp/${{ steps.prep.outputs.CLUSTER }} make e2e
      - name: Cleanup
        if: always()
        run: |
          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
          rm /tmp/${{ steps.prep.outputs.CLUSTER }}
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -0,0 +1,66 @@
 name: e2e-azure
 on:
  workflow_dispatch:
  schedule:
    - cron:  '0 6 * * *'
  push:
    branches: [ azure* ]
 jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Restore Go cache
        uses: actions/cache@v1
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go1.17-
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.17.x
      - name: Install libgit2
        run: |
          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9
          echo "deb http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
          echo "deb-src http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
          sudo apt-get update
          sudo apt-get install -y --allow-downgrades libgit2-dev/unstable zlib1g-dev/unstable libssh2-1-dev/unstable libpcre3-dev/unstable
      - name: Setup Flux CLI
        run: |
          make build
          mkdir -p $HOME/.local/bin
          mv ./bin/flux $HOME/.local/bin
      - name: Setup SOPS
        run: |
          wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux
          chmod +x sops-v3.7.1.linux
          mkdir -p $HOME/.local/bin
          mv sops-v3.7.1.linux $HOME/.local/bin/sops
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1
        with:
          terraform_version: 1.0.7
          terraform_wrapper: false
      - name: Setup Azure CLI
        run: |
          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
      - name: Run Azure e2e tests
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
        run: |
          echo $HOME
          echo $PATH
          ls $HOME/.local/bin
          az login --service-principal -u ${ARM_CLIENT_ID} -p ${ARM_CLIENT_SECRET} -t ${ARM_TENANT_ID}
          cd ./tests/azure
          go test -v -coverprofile cover.out -timeout 60m .
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -1,10 +1,10 @@
 name: e2e
 on:
  pull_request:
  push:
-    branches:
+    branches: [ main, e2e* ]
-      - main
+  pull_request:
    branches: [ main ]
 jobs:
  kind:
@@ -16,19 +16,29 @@ jobs:
        uses: actions/cache@v1
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go1.17-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go-
+            ${{ runner.os }}-go1.17-
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.15.x
+          go-version: 1.17.x
      - name: Setup Kubernetes
        uses: engineerd/setup-kind@v0.5.0
        with:
-          image: kindest/node:v1.16.9
+          version: v0.11.1
-      - name: Run test
+          image: kindest/node:v1.19.11@sha256:07db187ae84b4b7de440a73886f008cf903fcf5764ba8106a9fd5243d6f32729
          config: .github/kind/config.yaml # disable KIND-net
      - name: Setup Calico for network policy
        run: |
          kubectl apply -f https://docs.projectcalico.org/v3.20/manifests/calico.yaml
          kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Run tests
        run: make test
      - name: Run e2e tests
        run: TEST_KUBECONFIG=$HOME/.kube/config make e2e
      - name: Check if working tree is dirty
        run: |
          if [[ $(git diff --stat) != '' ]]; then
@@ -37,135 +47,166 @@ jobs:
            exit 1
          fi
      - name: Build
-        run: sudo go build -o ./bin/flux ./cmd/flux
+        run: |
          go build -o /tmp/flux ./cmd/flux
      - name: flux check --pre
        run: |
-          ./bin/flux check --pre
+          /tmp/flux check --pre
      - name: flux install --manifests
        run: |
-          ./bin/flux install --manifests ./manifests/install/
+          /tmp/flux install --manifests ./manifests/install/
      - name: flux create secret
        run: |
          /tmp/flux create secret git git-ssh-test \
            --url ssh://git@github.com/stefanprodan/podinfo
          /tmp/flux create secret git git-https-test \
            --url https://github.com/stefanprodan/podinfo \
            --username=test --password=test
          /tmp/flux create secret helm helm-test \
            --username=test --password=test
      - name: flux create source git
        run: |
-          ./bin/flux create source git podinfo \
+          /tmp/flux create source git podinfo \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=3.2.3"
      - name: flux create source git export apply
        run: |
-          ./bin/flux create source git podinfo-export \
+          /tmp/flux create source git podinfo-export \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=3.2.3" \
            --export | kubectl apply -f -
-          ./bin/flux delete source git podinfo-export --silent
+          /tmp/flux delete source git podinfo-export --silent
      - name: flux create source git libgit2 semver
        run: |
          /tmp/flux create source git podinfo-libgit2 \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=3.2.3" \
            --git-implementation=libgit2
          /tmp/flux delete source git podinfo-libgit2 --silent
      - name: flux get sources git
        run: |
-          ./bin/flux get sources git
+          /tmp/flux get sources git
      - name: flux get sources git --all-namespaces
        run: |
-          ./bin/flux get sources git --all-namespaces
+          /tmp/flux get sources git --all-namespaces
      - name: flux create kustomization
        run: |
-          ./bin/flux create kustomization podinfo \
+          /tmp/flux create kustomization podinfo \
            --source=podinfo \
            --path="./deploy/overlays/dev" \
            --prune=true \
            --interval=5m \
            --validation=client \
            --health-check="Deployment/frontend.dev" \
            --health-check="Deployment/backend.dev" \
            --health-check-timeout=3m
      - name: flux trace
        run: |
          /tmp/flux trace frontend \
            --kind=deployment \
            --api-version=apps/v1 \
            --namespace=dev
      - name: flux reconcile kustomization --with-source
        run: |
-          ./bin/flux reconcile kustomization podinfo --with-source
+          /tmp/flux reconcile kustomization podinfo --with-source
      - name: flux get kustomizations
        run: |
-          ./bin/flux get kustomizations
+          /tmp/flux get kustomizations
      - name: flux get kustomizations --all-namespaces
        run: |
-          ./bin/flux get kustomizations --all-namespaces
+          /tmp/flux get kustomizations --all-namespaces
      - name: flux suspend kustomization
        run: |
-          ./bin/flux suspend kustomization podinfo
+          /tmp/flux suspend kustomization podinfo
      - name: flux resume kustomization
        run: |
-          ./bin/flux resume kustomization podinfo
+          /tmp/flux resume kustomization podinfo
      - name: flux export
        run: |
-          ./bin/flux export source git --all
+          /tmp/flux export source git --all
-          ./bin/flux export kustomization --all
+          /tmp/flux export kustomization --all
      - name: flux delete kustomization
        run: |
-          ./bin/flux delete kustomization podinfo --silent
+          /tmp/flux delete kustomization podinfo --silent
      - name: flux create source helm
        run: |
-          ./bin/flux create source helm podinfo \
+          /tmp/flux create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
      - name: flux create helmrelease --source=HelmRepository/podinfo
        run: |
-          ./bin/flux create hr podinfo-helm \
+          /tmp/flux create hr podinfo-helm \
            --target-namespace=default \
-            --source=HelmRepository/podinfo \
+            --source=HelmRepository/podinfo.flux-system \
            --chart=podinfo \
            --chart-version=">4.0.0 <5.0.0"
      - name: flux create helmrelease --source=GitRepository/podinfo
        run: |
-          ./bin/flux create hr podinfo-git \
+          /tmp/flux create hr podinfo-git \
            --target-namespace=default \
            --source=GitRepository/podinfo \
            --chart=./charts/podinfo
      - name: flux reconcile helmrelease --with-source
        run: |
-          ./bin/flux reconcile helmrelease podinfo-git --with-source
+          /tmp/flux reconcile helmrelease podinfo-git --with-source
      - name: flux get helmreleases
        run: |
-          ./bin/flux get helmreleases
+          /tmp/flux get helmreleases
      - name: flux get helmreleases --all-namespaces
        run: |
-          ./bin/flux get helmreleases --all-namespaces
+          /tmp/flux get helmreleases --all-namespaces
      - name: flux export helmrelease
        run: |
-          ./bin/flux export hr --all
+          /tmp/flux export hr --all
      - name: flux delete helmrelease podinfo-helm
        run: |
-          ./bin/flux delete hr podinfo-helm --silent
+          /tmp/flux delete hr podinfo-helm --silent
      - name: flux delete helmrelease podinfo-git
        run: |
-          ./bin/flux delete hr podinfo-git --silent
+          /tmp/flux delete hr podinfo-git --silent
      - name: flux delete source helm
        run: |
-          ./bin/flux delete source helm podinfo --silent
+          /tmp/flux delete source helm podinfo --silent
      - name: flux delete source git
        run: |
-          ./bin/flux delete source git podinfo --silent
+          /tmp/flux delete source git podinfo --silent
      - name: flux create tenant
        run: |
-          ./bin/flux create tenant dev-team --with-namespace=apps
+          /tmp/flux create tenant dev-team --with-namespace=apps
-          ./bin/flux -n apps create source helm podinfo \
+          /tmp/flux -n apps create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
-          ./bin/flux -n apps create hr podinfo-helm \
+          /tmp/flux -n apps create hr podinfo-helm \
            --source=HelmRepository/podinfo \
            --chart=podinfo \
            --chart-version="5.0.x" \
            --service-account=dev-team
      - name: flux2-kustomize-helm-example
        run: |
-          ./bin/flux create source git flux-system \
+          /tmp/flux create source git flux-system \
          --url=https://github.com/fluxcd/flux2-kustomize-helm-example \
-          --branch=main
+          --branch=main \
-          ./bin/flux create kustomization flux-system \
+          --recurse-submodules
          /tmp/flux create kustomization flux-system \
          --source=flux-system \
          --path=./clusters/staging
-          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=2m
+          kubectl -n flux-system wait kustomization/infrastructure --for=condition=ready --timeout=5m
          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=5m
          kubectl -n nginx wait helmrelease/nginx --for=condition=ready --timeout=5m
          kubectl -n redis wait helmrelease/redis --for=condition=ready --timeout=5m
          kubectl -n podinfo wait helmrelease/podinfo --for=condition=ready --timeout=5m
      - name: flux tree
        run: |
          /tmp/flux tree kustomization flux-system | grep Service/podinfo
      - name: flux check
        run: |
-          ./bin/flux check
+          /tmp/flux check
      - name: flux uninstall
        run: |
-          ./bin/flux uninstall --crds --silent --timeout=10m
+          /tmp/flux uninstall --silent
      - name: Debug failure
        if: failure()
        run: |
          kubectl version --client --short
          kubectl -n flux-system get all
          kubectl -n flux-system describe pods
          kubectl -n flux-system get kustomizations -oyaml
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -1,25 +0,0 @@
 name: FOSSA
 on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.14.x"
      - name: Add GOPATH to GITHUB_ENV
        run: echo "GOPATH=$(go env GOPATH)" >>"$GITHUB_ENV"
      - name: Add GOPATH to GITHUB_PATH
        run: echo "$GOPATH/bin" >>"$GITHUB_PATH"
      - name: Run FOSSA scan and upload build data
        uses: fossa-contrib/fossa-action@v1
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
          github-token: ${{ github.token }}
--- a/.github/workflows/rebase.yaml
+++ b/.github/workflows/rebase.yaml
@@ -2,9 +2,9 @@ name: rebase
 on:
  pull_request:
-    types: [opened]
+    types: [ opened ]
  issue_comment:
-    types: [created]
+    types: [ created ]
 jobs:
  rebase:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,8 +2,7 @@ name: release
 on:
  push:
-    tags:
+    tags: [ 'v*' ]
      - '*'
 jobs:
  goreleaser:
@@ -16,7 +15,27 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.15.x
+          go-version: 1.17.x
      - name: Setup QEMU
        uses: docker/setup-qemu-action@v1
        with:
          platforms: all
      - name: Setup Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1
        with:
          buildkitd-flags: "--debug"
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
      - name: Download release notes utility
        env:
          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
@@ -29,39 +48,24 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
-      - name: Generate manifests tarball
+      - name: Generate manifests
        run: |
          mkdir -p ./output
          files=""
          # build controllers
          for controller in ./manifests/bases/*/; do
              output_path="./output/$(basename $controller).yaml"
              echo "building $controller to $output_path"
              kustomize build $controller > $output_path
              files+=" $(basename $output_path)"
          done
          # build rbac
          rbac_path="./manifests/rbac"
          rbac_output_path="./output/rbac.yaml"
          echo "building $rbac_path to $rbac_output_path"
          kustomize build $rbac_path > $rbac_output_path
          files+=" $(basename $rbac_output_path)"
          # build policies
          policies_path="./manifests/policies"
          policies_output_path="./output/policies.yaml"
          echo "building $policies_path to $policies_output_path"
          kustomize build $policies_path > $policies_output_path
          files+=" $(basename $policies_output_path)"
          # create tarball
          cd ./output && tar -cvzf manifests.tar.gz $files
      - name: Generate install manifest
        run: |
          make cmd/flux/.manifests.done
          ./manifests/scripts/bundle.sh "" ./output manifests.tar.gz
          kustomize build ./manifests/install > ./output/install.yaml
      - name: Build CRDs
        run: |
          kustomize build manifests/crds > all-crds.yaml
      # Pinned to commit before https://github.com/fluxcd/pkg/pull/189 due to
      # introduction faulty behavior.
      - name: Generate OpenAPI JSON schemas from CRDs
        uses: fluxcd/pkg//actions/crdjsonschema@49e26aa2ee9e734c3233c560253fd9542afe18ae
        with:
          crd: all-crds.yaml
          output: schemas
      - name: Archive the OpenAPI JSON schemas
        run: |
          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v1
        with:
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -0,0 +1,60 @@
 name: Scan
 on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '18 10 * * 3'
 jobs:
  fossa:
    name: FOSSA
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run FOSSA scan and upload build data
        uses: fossa-contrib/fossa-action@v1
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
          github-token: ${{ github.token }}
  snyk:
    name: Snyk
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v2
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build manifests
        run: |
          make cmd/flux/.manifests.done
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/golang@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: snyk.sarif
  codeql:
    name: CodeQL
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: go
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -0,0 +1,94 @@
 name: Update Components
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 * * * *"
  push:
    branches: [main]
 jobs:
  update-components:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v2
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.17.x
      - name: Update component versions
        id: update
        run: |
          PR_BODY=""
          bump_version() {
            local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
            local CTRL_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
            local CRD_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p" manifests/crds/kustomization.yaml)
            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "github.com/fluxcd/$1/api")
            local changed=false
            if [[ "${CTRL_VERSION}" != "${LATEST_VERSION}" ]]; then
              sed -i "s/\($1\/releases\/download\/\)v.*\(\/.*\)/\1${LATEST_VERSION}\2/g" "manifests/bases/$1/kustomization.yaml"
              changed=true
            fi
            if [[ "${CRD_VERSION}" != "${LATEST_VERSION}" ]]; then
              sed -i "s/\($1\/releases\/download\/\)v.*\(\/.*\)/\1${LATEST_VERSION}\2/g" "manifests/crds/kustomization.yaml"
              changed=true
            fi
            if [[ "${MOD_VERSION}" != "${LATEST_VERSION}" ]]; then
              go mod edit -require="github.com/fluxcd/$1/api@${LATEST_VERSION}"
              rm go.sum
              go mod tidy
              changed=true
            fi
            if [[ "$changed" == true ]]; then
              PR_BODY="$PR_BODY- $1 to ${LATEST_VERSION}%0A  https://github.com/fluxcd/$1/blob/${LATEST_VERSION}/CHANGELOG.md%0A"
            fi
          }
          {
            # bump controller versions
            bump_version helm-controller
            bump_version kustomize-controller
            bump_version source-controller
            bump_version notification-controller
            bump_version image-reflector-controller
            bump_version image-automation-controller
            # diff change
            git diff
            # export PR_BODY for PR and commit
            echo "::set-output name=pr_body::$PR_BODY"
          }
      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@v3
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
            Update toolkit components
            ${{ steps.update.outputs.pr_body }}
          committer: GitHub <noreply@github.com>
          author: fluxcdbot <fluxcdbot@users.noreply.github.com>
          signoff: true
          branch: update-components
          title: Update toolkit components
          body: |
            ${{ steps.update.outputs.pr_body }}
          labels: |
            area/build
          reviewers: ${{ secrets.ASSIGNEES }}
      - name: Check output
        run: |
          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -1,76 +0,0 @@
 name: Update Components
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 * * * *"
 jobs:
  update-components:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v2
      - name: Update component versions
        id: update
        run: |
          PR_BODY=""
          bump_version() {
            local RELEASE_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
            local CURRENT_VERSION=$(sed -n "s/.*$1\/archive\/\(.*\).zip.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
            if [[ "${RELEASE_VERSION}" != "${CURRENT_VERSION}" ]]; then
              # bump kustomize
              sed -i "s/\($1\/archive\/\)v.*\(.zip\/\/$1-\).*\(\/config.*\)/\1${RELEASE_VERSION}\2${RELEASE_VERSION/v}\3/g" "manifests/bases/$1/kustomization.yaml"
              if [[ ! -z $(go list -m all | grep "github.com/fluxcd/$1/api" | awk '{print $2}') ]]; then
                # bump go mod
                go mod edit -require="github.com/fluxcd/$1/api@${RELEASE_VERSION}"
              fi
              PR_BODY="$PR_BODY- $1 to ${RELEASE_VERSION}%0A"
            fi
          }
          {
            # bump controller versions
            bump_version helm-controller
            bump_version kustomize-controller
            bump_version source-controller
            bump_version notification-controller
            bump_version image-reflector-controller
            bump_version image-automation-controller
            # add missing and remove unused modules
            go mod tidy
            # diff change
            git diff
            # export PR_BODY for PR
            echo "::set-output name=pr_body::$PR_BODY"
          }
      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@v3
        with:
            token: ${{ secrets.BOT_GITHUB_TOKEN }}
            commit-message: Update toolkit components
            committer: GitHub <noreply@github.com>
            author: fluxcdbot <fluxcdbot@users.noreply.github.com>
            title: Update toolkit components
            body: |
              ${{ steps.update.outputs.pr_body }}
              Auto-generated by [create-pull-request][1]
              [1]: https://github.com/peter-evans/create-pull-request
            branch: update-components
            reviewers: ${{ secrets.ASSIGNEES }}
      - name: Check output
        run: |
          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
--- a/.gitignore
+++ b/.gitignore
@@ -11,7 +11,16 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 # Release
 dist/
 # Dependency directories (remove the comment below to include it)
 # vendor/
 bin/
-output/
+output/
 cmd/flux/manifests/
 cmd/flux/.manifests.done
 testbin/
 # Docs
 site/
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,3 +1,4 @@
 project_name: flux
 builds:
  - <<: &build_defaults
      binary: flux
@@ -19,6 +20,9 @@ builds:
    id: darwin
    goos:
      - darwin
    goarch:
      - amd64
      - arm64
  - <<: *build_defaults
    id: windows
    goos:
@@ -43,11 +47,19 @@ brews:
      name: homebrew-tap
      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
    folder: Formula
-    homepage: "https://toolkit.fluxcd.io/"
+    homepage: "https://fluxcd.io/"
    description: "Flux CLI"
-    dependencies:
+    install: |
-      - name: kubectl
+      bin.install "flux"
-        type: optional
+
      bash_output = Utils.safe_popen_read(bin/"flux", "completion", "bash")
      (bash_completion/"flux").write bash_output
      zsh_output = Utils.safe_popen_read(bin/"flux", "completion", "zsh")
      (zsh_completion/"_flux").write zsh_output
      fish_output = Utils.safe_popen_read(bin/"flux", "completion", "fish")
      (fish_completion/"flux.fish").write fish_output
    test: |
      system "#{bin}/flux --version"
 publishers:
@@ -68,5 +80,67 @@ publishers:
      .github/aur/flux-go/publish.sh {{ .Version }}
 release:
  extra_files:
    - glob: ./output/crd-schemas.tar.gz
    - glob: ./output/manifests.tar.gz
    - glob: ./output/install.yaml
 dockers:
 - image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-amd64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
  dockerfile: Dockerfile
  use_buildx: true
  goos: linux
  goarch: amd64
  build_flag_templates:
   - "--pull"
   - "--build-arg=ARCH=linux/amd64"
   - "--label=org.opencontainers.image.created={{ .Date }}"
   - "--label=org.opencontainers.image.name={{ .ProjectName }}"
   - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
   - "--label=org.opencontainers.image.version={{ .Version }}"
   - "--label=org.opencontainers.image.source={{ .GitURL }}"
   - "--platform=linux/amd64"
 - image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-arm64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
  dockerfile: Dockerfile
  use_buildx: true
  goos: linux
  goarch: arm64
  build_flag_templates:
    - "--pull"
    - "--build-arg=ARCH=linux/arm64"
    - "--label=org.opencontainers.image.created={{ .Date }}"
    - "--label=org.opencontainers.image.name={{ .ProjectName }}"
    - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
    - "--label=org.opencontainers.image.version={{ .Version }}"
    - "--label=org.opencontainers.image.source={{ .GitURL }}"
    - "--platform=linux/arm64"
 - image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-arm'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
  dockerfile: Dockerfile
  use_buildx: true
  goos: linux
  goarch: arm
  goarm: 7
  build_flag_templates:
    - "--pull"
    - "--build-arg=ARCH=linux/arm"
    - "--label=org.opencontainers.image.created={{ .Date }}"
    - "--label=org.opencontainers.image.name={{ .ProjectName }}"
    - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
    - "--label=org.opencontainers.image.version={{ .Version }}"
    - "--label=org.opencontainers.image.source={{ .GitURL }}"
    - "--platform=linux/arm/v7"
 docker_manifests:
 - name_template: 'fluxcd/flux-cli:{{ .Tag }}'
  image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-amd64'
    - 'fluxcd/flux-cli:{{ .Tag }}-arm64'
    - 'fluxcd/flux-cli:{{ .Tag }}-arm'
 - name_template: 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}'
  image_templates:
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-amd64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm64'
    - 'ghcr.io/fluxcd/flux-cli:{{ .Tag }}-arm'
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -30,7 +30,7 @@ you can sign your commit automatically with `git commit -s`.
 For realtime communications we use Slack: To join the conversation, simply
 join the [CNCF](https://slack.cncf.io/) Slack workspace and use the
-[#flux-dev](https://cloud-native.slack.com/messages/flux-dev/) channel.
+[#flux-contributors](https://cloud-native.slack.com/messages/flux-contributors/) channel.
 To discuss ideas and specifications we use [Github
 Discussions](https://github.com/fluxcd/flux2/discussions).
@@ -48,27 +48,60 @@ you might want to take a look at the [introductory talk and demo](https://www.yo
 This project is composed of:
- [/f/flux2](https://github.com/fluxcd/flux2): The Flux CLI
+- [flux2](https://github.com/fluxcd/flux2): The Flux CLI
- [/f/source-manager](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources
+- [source-manager](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git and Helm repositories, S3-compatible Buckets)
- [/f/kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
+- [kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
- [/f/helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for building GitOps pipelines with Helm
+- [helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for building GitOps pipelines with Helm
- [/f/notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events
+- [notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events
 - [image-reflector-controller](https://github.com/fluxcd/image-reflector-controller): Kubernetes operator for scanning container registries
 - [image-automation-controller](https://github.com/fluxcd/image-automation-controller): Kubernetes operator for patches container image tags in Git
 ### Understanding the code
 To get started with developing controllers, you might want to review
-[our guide](https://toolkit.fluxcd.io/dev-guides/source-watcher/) which
+[our guide](https://fluxcd.io/docs/gitops-toolkit/source-watcher/) which
 walks you through writing a short and concise controller that watches out
 for source changes.
-### How to run the test suite
+## How to run the test suite
-You can run the unit tests by simply doing
+Prerequisites:
 * go >= 1.16
 * kubectl >= 1.19
 * kustomize >= 4.0
 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
 ```bash
 make install-envtest
 ```
 Then you can run the unit tests with:
 ```bash
 make test
 ```
 After [installing Kubernetes kind](https://kind.sigs.k8s.io/docs/user/quick-start#installation) on your machine,
 create a cluster for testing with:
 ```bash
 make setup-kind
 ```
 Then you can run the end-to-end tests with:
 ```bash
 make e2e
 ```
 Teardown the e2e environment with:
 ```bash
 make cleanup-kind
 ```
 ## Acceptance policy
 These things will make a PR more likely to be accepted:
--- a/23
+++ b/23
@@ -0,0 +1,23 @@
 FROM alpine:3.15 as builder
 RUN apk add --no-cache ca-certificates curl
 ARG ARCH=linux/amd64
 ARG KUBECTL_VER=1.22.2
 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
    kubectl version --client=true
 FROM alpine:3.15 as flux-cli
 # Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
 # https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
 RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
 RUN apk add --no-cache ca-certificates
 COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/
 COPY --chmod=755 flux /usr/local/bin/
 ENTRYPOINT [ "flux" ]
--- a/4
+++ b/4
@@ -12,7 +12,9 @@ should.
 In alphabetical order:
-Aurel Canciu, Sortlist <aurel@sortlist.com> (github: @relu, slack: relu)
+Aurel Canciu, NexHealth <aurel.canciu@nexhealth.com> (github: @relu, slack: relu)
 Hidde Beydals, Weaveworks <hidde@weave.works> (github: @hiddeco, slack: hidde)
 Max Jonas Werner, D2iQ <max@e13.dev> (github: @makkes, slack: max)
 Philip Laine, Xenit <philip.laine@xenit.se> (github: @phillebaba, slack: phillebaba)
 Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)
 Sunny, Weaveworks <sunny@weave.works> (github: @darkowlzz, slack: darkowlzz)
--- a/85
+++ b/85
@@ -1,9 +1,23 @@
-VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | tr -d '"')
+VERSION?=$(shell grep 'VERSION' cmd/flux/main.go | awk '{ print $$4 }' | head -n 1 | tr -d '"')
 EMBEDDED_MANIFESTS_TARGET=cmd/flux/.manifests.done
 TEST_KUBECONFIG?=/tmp/flux-e2e-test-kubeconfig
 # Architecture to use envtest with
 ENVTEST_ARCH ?= amd64
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
 else
 GOBIN=$(shell go env GOBIN)
 endif
 rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2)) $(filter $(subst *,%,$(2)),$(d)))
 all: test build
 tidy:
 	go mod tidy
 	cd tests/azure && go mod tidy
 fmt:
 	go fmt ./...
@@ -11,19 +25,68 @@ fmt:
 vet:
 	go vet ./...
-test: tidy fmt vet docs
+setup-kind:
-	go test ./... -coverprofile cover.out
+	kind create cluster --name=flux-e2e-test --kubeconfig=$(TEST_KUBECONFIG) --config=.github/kind/config.yaml
 	kubectl --kubeconfig=$(TEST_KUBECONFIG) apply -f https://docs.projectcalico.org/v3.16/manifests/calico.yaml
 	kubectl --kubeconfig=$(TEST_KUBECONFIG) -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
-build:
+cleanup-kind:
-	CGO_ENABLED=0 go build -o ./bin/flux ./cmd/flux
+	kind delete cluster --name=flux-e2e-test
 	rm $(TEST_KUBECONFIG)
 KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
 test: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet install-envtest
 	KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test ./... -coverprofile cover.out --tags=unit
 e2e: $(EMBEDDED_MANIFESTS_TARGET) tidy fmt vet
 	TEST_KUBECONFIG=$(TEST_KUBECONFIG) go test ./cmd/flux/... -coverprofile e2e.cover.out --tags=e2e -v -failfast
 test-with-kind: install-envtest
 	make setup-kind
 	make e2e
 	make cleanup-kind
 $(EMBEDDED_MANIFESTS_TARGET): $(call rwildcard,manifests/,*.yaml *.json)
 	./manifests/scripts/bundle.sh
 	touch $@
 build: $(EMBEDDED_MANIFESTS_TARGET)
 	CGO_ENABLED=0 go build -ldflags="-s -w -X main.VERSION=$(VERSION)" -o ./bin/flux ./cmd/flux
 .PHONY: install
 install:
-	go install cmd/flux
+	CGO_ENABLED=0 go install ./cmd/flux
 .PHONY: docs
 docs:
 	rm docs/cmd/*
 	mkdir -p ./docs/cmd && go run ./cmd/flux/ docgen
 install-dev:
 	CGO_ENABLED=0 go build -o /usr/local/bin ./cmd/flux
 setup-bootstrap-patch:
 	go run ./tests/bootstrap/main.go
 setup-image-automation:
 	cd tests/image-automation && go run main.go
 ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
 ENVTEST_KUBERNETES_VERSION?=latest
 install-envtest: setup-envtest
 	mkdir -p ${ENVTEST_ASSETS_DIR}
 	$(ENVTEST) use $(ENVTEST_KUBERNETES_VERSION) --arch=$(ENVTEST_ARCH) --bin-dir=$(ENVTEST_ASSETS_DIR)
 ENVTEST = $(shell pwd)/bin/setup-envtest
 .PHONY: envtest
 setup-envtest: ## Download envtest-setup locally if necessary.
 	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
 # go-install-tool will 'go install' any package $2 and install it to $1.
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 define go-install-tool
@[ -f $(1) ] || { \
 set -e ;\
 TMP_DIR=$$(mktemp -d) ;\
 cd $$TMP_DIR ;\
 go mod init tmp ;\
 echo "Downloading $(2)" ;\
 GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
 rm -rf $$TMP_DIR ;\
 }
 endef
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 # Flux version 2
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
 [![e2e](https://github.com/fluxcd/flux2/workflows/e2e/badge.svg)](https://github.com/fluxcd/flux2/actions)
 [![report](https://goreportcard.com/badge/github.com/fluxcd/flux2)](https://goreportcard.com/report/github.com/fluxcd/flux2)
 [![license](https://img.shields.io/github/license/fluxcd/flux2.svg)](https://github.com/fluxcd/flux2/blob/main/LICENSE)
@@ -19,52 +20,20 @@ Flux v2 is constructed with the [GitOps Toolkit](#gitops-toolkit), a
 set of composable APIs and specialized tools for building Continuous
 Delivery on top of Kubernetes.
-## Flux installation
+Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) project.
-With Homebrew:
+## Quickstart and documentation
-```sh
+To get started check out this [guide](https://fluxcd.io/docs/get-started/)
-brew install fluxcd/tap/flux
+on how to bootstrap Flux on Kubernetes and deploy a sample application in a GitOps manner.
 ```
-With Bash:
+For more comprehensive documentation, see the following guides:
 - [Ways of structuring your repositories](https://fluxcd.io/docs/guides/repository-structure/)
 - [Manage Helm Releases](https://fluxcd.io/docs/guides/helmreleases/)
 - [Automate image updates to Git](https://fluxcd.io/docs/guides/image-update/)  
 - [Manage Kubernetes secrets with Mozilla SOPS](https://fluxcd.io/docs/guides/mozilla-sops/)  
-```sh
+If you need help, please refer to our **[Support page](https://fluxcd.io/support/)**.
 curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
 # enable completions in ~/.bash_profile
 . <(flux completion bash)
 ```
 Arch Linux (AUR) packages:
 - [flux-bin](https://aur.archlinux.org/packages/flux-bin): install the latest
  stable version using a pre-build binary (recommended)
 - [flux-go](https://aur.archlinux.org/packages/flux-go): build the latest
  stable version from source code
 - [flux-scm](https://aur.archlinux.org/packages/flux-scm): build the latest
  (unstable) version from source code from our git `main` branch
 Binaries for macOS, Windows and Linux AMD64/ARM are available to download on the
 [release page](https://github.com/fluxcd/flux2/releases).
 Verify that your cluster satisfies the prerequisites with:
 ```sh
 flux check --pre
 ```
 ## Get started
 To get started with Flux, start [browsing the
 documentation](https://toolkit.fluxcd.io) or get started with one of
 the following guides:
 - [Get started with Flux (deep dive)](https://toolkit.fluxcd.io/get-started/)
 - [Installation](https://toolkit.fluxcd.io/guides/installation/)
 - [Manage Helm Releases](https://toolkit.fluxcd.io/guides/helmreleases/)
 - [Setup Notifications](https://toolkit.fluxcd.io/guides/notifications/)
 - [Setup Webhook Receivers](https://toolkit.fluxcd.io/guides/webhook-receivers/)
 ## GitOps Toolkit
@@ -73,52 +42,56 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.
-![overview](docs/diagrams/gitops-toolkit.png)
+![overview](docs/_files/gitops-toolkit.png)
 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
-guides](https://toolkit.fluxcd.io/dev-guides/source-watcher/).
+guides](https://fluxcd.io/docs/gitops-toolkit/source-watcher/).
 ### Components
- [Source Controller](https://toolkit.fluxcd.io/components/source/controller/)
+- [Source Controller](https://fluxcd.io/docs/components/source/)
-    - [GitRepository CRD](https://toolkit.fluxcd.io/components/source/gitrepositories/)
+    - [GitRepository CRD](https://fluxcd.io/docs/components/source/gitrepositories/)
-    - [HelmRepository CRD](https://toolkit.fluxcd.io/components/source/helmrepositories/)
+    - [HelmRepository CRD](https://fluxcd.io/docs/components/source/helmrepositories/)
-    - [HelmChart CRD](https://toolkit.fluxcd.io/components/source/helmcharts/)
+    - [HelmChart CRD](https://fluxcd.io/docs/components/source/helmcharts/)
-    - [Bucket CRD](https://toolkit.fluxcd.io/components/source/buckets/)
+    - [Bucket CRD](https://fluxcd.io/docs/components/source/buckets/)
- [Kustomize Controller](https://toolkit.fluxcd.io/components/kustomize/controller/)
+- [Kustomize Controller](https://fluxcd.io/docs/components/kustomize/)
-    - [Kustomization CRD](https://toolkit.fluxcd.io/components/kustomize/kustomization/)
+    - [Kustomization CRD](https://fluxcd.io/docs/components/kustomize/kustomization/)
- [Helm Controller](https://toolkit.fluxcd.io/components/helm/controller/)
+- [Helm Controller](https://fluxcd.io/docs/components/helm/)
-    - [HelmRelease CRD](https://toolkit.fluxcd.io/components/helm/helmreleases/)
+    - [HelmRelease CRD](https://fluxcd.io/docs/components/helm/helmreleases/)
- [Notification Controller](https://toolkit.fluxcd.io/components/notification/controller/)
+- [Notification Controller](https://fluxcd.io/docs/components/notification/)
-    - [Provider CRD](https://toolkit.fluxcd.io/components/notification/provider/)
+    - [Provider CRD](https://fluxcd.io/docs/components/notification/provider/)
-    - [Alert CRD](https://toolkit.fluxcd.io/components/notification/alert/)
+    - [Alert CRD](https://fluxcd.io/docs/components/notification/alert/)
-    - [Receiver CRD](https://toolkit.fluxcd.io/components/notification/receiver/)
+    - [Receiver CRD](https://fluxcd.io/docs/components/notification/receiver/)
-
+- [Image Automation Controllers](https://fluxcd.io/docs/components/image/)
  - [ImageRepository CRD](https://fluxcd.io/docs/components/image/imagerepositories/)
  - [ImagePolicy CRD](https://fluxcd.io/docs/components/image/imagepolicies/)
  - [ImageUpdateAutomation CRD](https://fluxcd.io/docs/components/image/imageupdateautomations/)
 ## Community
-The Flux project is always looking for new contributors and there are a multitude of ways to get involved.
+Need help or want to contribute? Please see the links below. The Flux project is always looking for
-Depending on what you want to do, some of the following bits might be your first steps:
+new contributors and there are a multitude of ways to get involved.
- Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view))
+- Getting Started?
- Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/)
+    - Look at our [Get Started guide](https://fluxcd.io/docs/get-started/) and give us feedback
- Join the [planning discussions](https://github.com/fluxcd/flux2/discussions)
+- Need help?
- And if you are completely new to Flux and the GitOps Toolkit, take a look at our [Get Started guide](https://toolkit.fluxcd.io/get-started/) and give us feedback
+    - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
- To be part of the conversation about Flux's development, [join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
+    - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/)
- Check out [how to contribute](CONTRIBUTING.md) to the project
+    - Please follow our [Support Guidelines](https://fluxcd.io/support/)
      (in short: be nice, be respectful of volunteers' time, understand that maintainers and
      contributors cannot respond to all DMs, and keep discussions in the public #flux channel as much as possible).
 - Have feature proposals or want to contribute?
    - Propose features on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
    - Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view))
    - [Join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
    - Check out [how to contribute](CONTRIBUTING.md) to the project
-### Upcoming Events
+### Events
 - 11 Jan 2021 - [Helm + GitOps = ⚡️⚡️⚡️ with Scott Rigby](https://www.meetup.com/GitOps-Community/events/275348736/)
-### Featured Talks
+Check out our **[events calendar](https://fluxcd.io/#calendar)**,
- 14 Dec 2020 - [The Power of GitOps with Flux and Flagger (GitOps Hands-On) with Leigh Capili](https://youtu.be/cB7iXeNLteE)
+both with upcoming talks, events and meetings you can attend.
- 30 Nov 2020 - [The Power of GitOps with Flux 2 - Part 3 with Leigh Capili](https://youtu.be/N_K5g7o9JKg)
+Or view the **[resources section](https://fluxcd.io/resources)**
- 24 Nov 2020 - [Flux CD v2 with GitOps Toolkit - Kubernetes Deployment and Sync Mechanism](https://youtu.be/R6OeIgb7lUI)
+with past events videos you can watch.
 - 02 Nov 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 2 with Leigh Capili](https://youtu.be/fC2YCxQRUwU)
 - 28 Oct 2020 - [The Kubelist Podcast: Flux with Michael Bridgen](https://www.heavybit.com/library/podcasts/the-kubelist-podcast/ep-5-flux-with-michael-bridgen-of-weaveworks/)
 - 19 Oct 2020 - [The Power of GitOps with Flux & GitOps Toolkit - Part 1 with Leigh Capili](https://youtu.be/0v5bjysXTL8)
 - 12 Oct 2020 - [Rawkode Live: Introduction to GitOps Toolkit with Stefan Prodan](https://youtu.be/HqTzuOBP0eY)
 - 04 Sep 2020 - [KubeCon Europe: The road to Flux v2 and Progressive Delivery with Stefan Prodan & Hidde Beydals](https://youtu.be/8v94nUkXsxU)
 - 25 Jun 2020 - [Cloud Native Nordics: Introduction to GitOps & GitOps Toolkit with Alexis Richardson & Stefan Prodan](https://youtu.be/qQBtSkgl7tI)
 We look forward to seeing you with us!
--- a/action/Dockerfile
+++ b/action/Dockerfile
@@ -1,6 +0,0 @@
 FROM stefanprodan/alpine-base:latest
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
--- a/action/README.md
+++ b/action/README.md
@@ -10,19 +10,34 @@ Usage:
        run: flux -v
 ```
-This action places the `flux` binary inside your repository root under `bin/flux`.
+The latest stable version of the `flux` binary is downloaded from
-You should add `bin/flux` to your `.gitignore` file, as in the following example:
+GitHub [releases](https://github.com/fluxcd/flux2/releases)
 and placed at `/usr/local/bin/flux`.
-```gitignore
+Note that this action can only be used on GitHub **Linux** runners.
-# ignore flux binary
+You can change the arch (defaults to `amd64`) with:
-bin/flux
+
 ```yaml
    steps:
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
        with:
          arch: arm64 # can be amd64, arm64 or arm
 ```
-Note that this action can only be used on GitHub **Linux AMD64** runners.
+You can download a specific version with:
 ```yaml
    steps:
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
        with:
          version: 0.8.0
 ```
 ### Automate Flux updates
-Example workflow for updating Flux's components generated with `flux bootstrap --arch=amd64 --path=clusters/production`:
+Example workflow for updating Flux's components generated with `flux bootstrap --path=clusters/production`:
 ```yaml
 name: update-flux
@@ -43,7 +58,7 @@ jobs:
      - name: Check for updates
        id: update
        run: |
-          flux install --arch=amd64 \
+          flux install \
            --export > ./clusters/production/flux-system/gotk-components.yaml
          VERSION="$(flux -v)"
--- a/action/action.yml
+++ b/action/action.yml
@@ -1,15 +1,52 @@
-name: 'kustomize'
+name: Setup Flux CLI
-description: 'A GitHub Action for running Flux commands'
+description: A GitHub Action for running Flux commands
-author: 'Flux project'
+author: Stefan Prodan
 branding:
-  icon: 'command'
+  color: blue
-  color: 'blue'
+  icon: command
 inputs:
  version:
-    description: 'strict semver'
+    description: "Flux version e.g. 0.8.0 (defaults to latest stable release)"
    required: false
  arch:
    description: "arch can be amd64, arm64 or arm"
    required: true
    default: "amd64"
  bindir:
    description: "Optional location of the Flux binary. Will not use sudo if set. Updates System Path."
    required: false
 runs:
-  using: 'docker'
+  using: composite
-  image: 'Dockerfile'
+  steps:
-  args:
+    - name: "Download flux binary to tmp"
-    - ${{ inputs.version }}
+      shell: bash
      run: |
        ARCH=${{ inputs.arch }}
        VERSION=${{ inputs.version }}
        if [ -z $VERSION ]; then
          VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
        fi
        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
        curl -sL ${BIN_URL} -o /tmp/flux.tar.gz
        mkdir -p /tmp/flux
        tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
    - name: "Copy Flux binary to execute location"
      shell: bash
      run: |
        BINDIR=${{ inputs.bindir }}
        if [ -z $BINDIR ]; then
          sudo cp /tmp/flux/flux /usr/local/bin
        else
          cp /tmp/flux/flux "${BINDIR}"
          echo "${BINDIR}" >> $GITHUB_PATH
        fi
    - name: "Cleanup tmp"
      shell: bash
      run: |
        rm -rf /tmp/flux/ /tmp/flux.tar.gz
    - name: "Verify correct installation of binary"
      shell: bash
      run: |
        flux -v
--- a/action/entrypoint.sh
+++ b/action/entrypoint.sh
@@ -1,40 +0,0 @@
 #!/bin/bash
 #  Copyright 2020 The Flux authors
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
 #  You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 #  Unless required by applicable law or agreed to in writing, software
 #  distributed under the License is distributed on an "AS IS" BASIS,
 #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
 set -e
 VERSION=$1
 if [ -z $VERSION ]; then
  # Find latest release if no version is specified
  VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
 fi
 # Download linux binary
 BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz"
 curl -sL $BIN_URL | tar xz
 # Copy binary to GitHub runner
 mkdir -p $GITHUB_WORKSPACE/bin
 mv ./flux $GITHUB_WORKSPACE/bin
 chmod +x $GITHUB_WORKSPACE/bin/flux
 # Print version
 $GITHUB_WORKSPACE/bin/flux -v
 # Add binary to GitHub runner path
 echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
 echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH
--- a/cmd/flux/alert.go
+++ b/cmd/flux/alert.go
@@ -0,0 +1,56 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
 // notificationv1.Alert
 var alertType = apiType{
 	kind:      notificationv1.AlertKind,
 	humanKind: "alert",
 }
 type alertAdapter struct {
 	*notificationv1.Alert
 }
 func (a alertAdapter) asClientObject() client.Object {
 	return a.Alert
 }
 func (a alertAdapter) deepCopyClientObject() client.Object {
 	return a.Alert.DeepCopy()
 }
 // notificationv1.Alert
 type alertListAdapter struct {
 	*notificationv1.AlertList
 }
 func (a alertListAdapter) asClientList() client.ObjectList {
 	return a.AlertList
 }
 func (a alertListAdapter) len() int {
 	return len(a.AlertList.Items)
 }
--- a/cmd/flux/alert_provider.go
+++ b/cmd/flux/alert_provider.go
@@ -0,0 +1,56 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
 // notificationv1.Provider
 var alertProviderType = apiType{
 	kind:      notificationv1.ProviderKind,
 	humanKind: "alert provider",
 }
 type alertProviderAdapter struct {
 	*notificationv1.Provider
 }
 func (a alertProviderAdapter) asClientObject() client.Object {
 	return a.Provider
 }
 func (a alertProviderAdapter) deepCopyClientObject() client.Object {
 	return a.Provider.DeepCopy()
 }
 // notificationv1.Provider
 type alertProviderListAdapter struct {
 	*notificationv1.ProviderList
 }
 func (a alertProviderListAdapter) asClientList() client.ObjectList {
 	return a.ProviderList
 }
 func (a alertProviderListAdapter) len() int {
 	return len(a.ProviderList.Items)
 }
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -17,26 +17,16 @@ limitations under the License.
 package main
 import (
-	"context"
+	"crypto/elliptic"
 	"fmt"
-	"net/url"
+	"os"
-	"path/filepath"
+	"strings"
 	"time"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 var bootstrapCmd = &cobra.Command{
@@ -45,61 +35,138 @@ var bootstrapCmd = &cobra.Command{
 	Long:  "The bootstrap sub-commands bootstrap the toolkit components on the targeted Git provider.",
 }
-var (
+type bootstrapFlags struct {
-	bootstrapVersion            string
+	version  string
-	bootstrapDefaultComponents  []string
+	arch     flags.Arch
-	bootstrapExtraComponents    []string
+	logLevel flags.LogLevel
-	bootstrapRegistry           string
+
-	bootstrapImagePullSecret    string
+	branch            string
-	bootstrapBranch             string
+	recurseSubmodules bool
-	bootstrapWatchAllNamespaces bool
+	manifestsPath     string
-	bootstrapNetworkPolicy      bool
+
-	bootstrapManifestsPath      string
+	defaultComponents  []string
-	bootstrapArch               = flags.Arch(defaults.Arch)
+	extraComponents    []string
-	bootstrapLogLevel           = flags.LogLevel(defaults.LogLevel)
+	requiredComponents []string
-	bootstrapRequiredComponents = []string{"source-controller", "kustomize-controller"}
+
-	bootstrapTokenAuth          bool
+	registry        string
-	bootstrapClusterDomain      string
+	imagePullSecret string
-)
+
 	secretName     string
 	tokenAuth      bool
 	keyAlgorithm   flags.PublicKeyAlgorithm
 	keyRSABits     flags.RSAKeyBits
 	keyECDSACurve  flags.ECDSACurve
 	sshHostname    string
 	caFile         string
 	privateKeyFile string
 	watchAllNamespaces bool
 	networkPolicy      bool
 	clusterDomain      string
 	tolerationKeys     []string
 	authorName  string
 	authorEmail string
 	gpgKeyRingPath string
 	gpgPassphrase  string
 	gpgKeyID       string
 	commitMessageAppendix string
 }
 const (
 	bootstrapDefaultBranch = "main"
 )
 var bootstrapArgs = NewBootstrapFlags()
 func init() {
-	bootstrapCmd.PersistentFlags().StringVarP(&bootstrapVersion, "version", "v", defaults.Version,
+	bootstrapCmd.PersistentFlags().StringVarP(&bootstrapArgs.version, "version", "v", "",
-		"toolkit version")
+		"toolkit version, when specified the manifests are downloaded from https://github.com/fluxcd/flux2/releases")
-	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapDefaultComponents, "components", defaults.Components,
+
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
-	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapExtraComponents, "components-extra", nil,
+	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.extraComponents, "components-extra", nil,
 		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapRegistry, "registry", "ghcr.io/fluxcd",
+
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
 		"container registry where the toolkit images are published")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapImagePullSecret, "image-pull-secret", "",
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.imagePullSecret, "image-pull-secret", "",
 		"Kubernetes secret name used for pulling the toolkit images from a private registry")
-	bootstrapCmd.PersistentFlags().Var(&bootstrapArch, "arch", bootstrapArch.Description())
+
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapBranch, "branch", bootstrapDefaultBranch,
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.branch, "branch", bootstrapDefaultBranch, "Git branch")
-		"default branch (for GitHub this must match the default branch setting for the organization)")
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.recurseSubmodules, "recurse-submodules", false,
-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapWatchAllNamespaces, "watch-all-namespaces", true,
+		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.manifestsPath, "manifests", "", "path to the manifest directory")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.watchAllNamespaces, "watch-all-namespaces", true,
 		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed")
-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapNetworkPolicy, "network-policy", true,
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.networkPolicy, "network-policy", true,
 		"deny ingress access to the toolkit controllers from other namespaces using network policies")
-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapTokenAuth, "token-auth", false,
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.tokenAuth, "token-auth", false,
 		"when enabled, the personal access token will be used instead of SSH deploy key")
-	bootstrapCmd.PersistentFlags().Var(&bootstrapLogLevel, "log-level", bootstrapLogLevel.Description())
+	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.logLevel, "log-level", bootstrapArgs.logLevel.Description())
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapManifestsPath, "manifests", "", "path to the manifest directory")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.clusterDomain, "cluster-domain", rootArgs.defaults.ClusterDomain, "internal cluster domain")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapClusterDomain, "cluster-domain", defaults.ClusterDomain, "internal cluster domain")
+	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.tolerationKeys, "toleration-keys", nil,
 		"list of toleration keys used to schedule the components pods onto nodes with matching taints")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.secretName, "secret-name", rootArgs.defaults.Namespace, "name of the secret the sync credentials can be found in or stored to")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyAlgorithm, "ssh-key-algorithm", bootstrapArgs.keyAlgorithm.Description())
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyRSABits, "ssh-rsa-bits", bootstrapArgs.keyRSABits.Description())
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyECDSACurve, "ssh-ecdsa-curve", bootstrapArgs.keyECDSACurve.Description())
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.sshHostname, "ssh-hostname", "", "SSH hostname, to be used when the SSH host differs from the HTTPS one")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.privateKeyFile, "private-key-file", "", "path to a private key file used for authenticating to the Git SSH server")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.authorName, "author-name", "Flux", "author name for Git commits")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.authorEmail, "author-email", "", "author email for Git commits")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgKeyRingPath, "gpg-key-ring", "", "path to GPG key ring for signing commits")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgPassphrase, "gpg-passphrase", "", "passphrase for decrypting GPG private key")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.gpgKeyID, "gpg-key-id", "", "key id for selecting a particular key")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.commitMessageAppendix, "commit-message-appendix", "", "string to add to the commit messages, e.g. '[ci skip]'")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.arch, "arch", bootstrapArgs.arch.Description())
 	bootstrapCmd.PersistentFlags().MarkDeprecated("arch", "multi-arch container image is now available for AMD64, ARMv7 and ARM64")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")
 	rootCmd.AddCommand(bootstrapCmd)
 }
 func NewBootstrapFlags() bootstrapFlags {
 	return bootstrapFlags{
 		logLevel:           flags.LogLevel(rootArgs.defaults.LogLevel),
 		requiredComponents: []string{"source-controller", "kustomize-controller"},
 		keyAlgorithm:       flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		keyRSABits:         2048,
 		keyECDSACurve:      flags.ECDSACurve{Curve: elliptic.P384()},
 	}
 }
 func bootstrapComponents() []string {
-	return append(bootstrapDefaultComponents, bootstrapExtraComponents...)
+	return append(bootstrapArgs.defaultComponents, bootstrapArgs.extraComponents...)
 }
 func buildEmbeddedManifestBase() (string, error) {
 	if !isEmbeddedVersion(bootstrapArgs.version) {
 		return "", nil
 	}
 	tmpBaseDir, err := os.MkdirTemp("", "flux-manifests-")
 	if err != nil {
 		return "", err
 	}
 	if err := writeEmbeddedManifests(tmpBaseDir); err != nil {
 		return "", err
 	}
 	return tmpBaseDir, nil
 }
 func bootstrapValidate() error {
 	components := bootstrapComponents()
-	for _, component := range bootstrapRequiredComponents {
+	for _, component := range bootstrapArgs.requiredComponents {
 		if !utils.ContainsItemString(components, component) {
 			return fmt.Errorf("component %s is required", component)
 		}
@@ -112,174 +179,14 @@ func bootstrapValidate() error {
 	return nil
 }
-func generateInstallManifests(targetPath, namespace, tmpDir string, localManifests string) (string, error) {
+func mapTeamSlice(s []string, defaultPermission string) map[string]string {
-	opts := install.Options{
+	m := make(map[string]string, len(s))
-		BaseURL:                localManifests,
+	for _, v := range s {
-		Version:                bootstrapVersion,
+		m[v] = defaultPermission
-		Namespace:              namespace,
+		if s := strings.Split(v, ":"); len(s) == 2 {
-		Components:             bootstrapComponents(),
+			m[s[0]] = s[1]
 		Registry:               bootstrapRegistry,
 		ImagePullSecret:        bootstrapImagePullSecret,
 		Arch:                   bootstrapArch.String(),
 		WatchAllNamespaces:     bootstrapWatchAllNamespaces,
 		NetworkPolicy:          bootstrapNetworkPolicy,
 		LogLevel:               bootstrapLogLevel.String(),
 		NotificationController: defaults.NotificationController,
 		ManifestFile:           defaults.ManifestFile,
 		Timeout:                timeout,
 		TargetPath:             targetPath,
 		ClusterDomain:          bootstrapClusterDomain,
 	}
 	if localManifests == "" {
 		opts.BaseURL = defaults.BaseURL
 	}
 	output, err := install.Generate(opts)
 	if err != nil {
 		return "", fmt.Errorf("generating install manifests failed: %w", err)
 	}
 	filePath, err := output.WriteFile(tmpDir)
 	if err != nil {
 		return "", fmt.Errorf("generating install manifests failed: %w", err)
 	}
 	return filePath, nil
 }
 func applyInstallManifests(ctx context.Context, manifestPath string, components []string) error {
 	kubectlArgs := []string{"apply", "-f", manifestPath}
 	if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 		return fmt.Errorf("install failed")
 	}
 	for _, deployment := range components {
 		kubectlArgs = []string{"-n", namespace, "rollout", "status", "deployment", deployment, "--timeout", timeout.String()}
 		if _, err := utils.ExecKubectlCommand(ctx, utils.ModeOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 			return fmt.Errorf("install failed")
 		}
 	}
-	return nil
+
-}
+	return m
 func generateSyncManifests(url, branch, name, namespace, targetPath, tmpDir string, interval time.Duration) (string, error) {
 	opts := sync.Options{
 		Name:         name,
 		Namespace:    namespace,
 		URL:          url,
 		Branch:       branch,
 		Interval:     interval,
 		TargetPath:   targetPath,
 		ManifestFile: sync.MakeDefaultOptions().ManifestFile,
 	}
 	manifest, err := sync.Generate(opts)
 	if err != nil {
 		return "", fmt.Errorf("generating install manifests failed: %w", err)
 	}
 	output, err := manifest.WriteFile(tmpDir)
 	if err != nil {
 		return "", err
 	}
 	outputDir := filepath.Dir(output)
 	if err := utils.GenerateKustomizationYaml(outputDir); err != nil {
 		return "", err
 	}
 	return outputDir, nil
 }
 func applySyncManifests(ctx context.Context, kubeClient client.Client, name, namespace, manifestsPath string) error {
 	kubectlArgs := []string{"apply", "-k", manifestsPath}
 	if _, err := utils.ExecKubectlCommand(ctx, utils.ModeStderrOS, kubeconfig, kubecontext, kubectlArgs...); err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for cluster sync")
 	var gitRepository sourcev1.GitRepository
 	if err := wait.PollImmediate(pollInterval, timeout,
 		isGitRepositoryReady(ctx, kubeClient, types.NamespacedName{Name: name, Namespace: namespace}, &gitRepository)); err != nil {
 		return err
 	}
 	var kustomization kustomizev1.Kustomization
 	if err := wait.PollImmediate(pollInterval, timeout,
 		isKustomizationReady(ctx, kubeClient, types.NamespacedName{Name: name, Namespace: namespace}, &kustomization)); err != nil {
 		return err
 	}
 	return nil
 }
 func shouldInstallManifests(ctx context.Context, kubeClient client.Client, namespace string) bool {
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      namespace,
 	}
 	var kustomization kustomizev1.Kustomization
 	if err := kubeClient.Get(ctx, namespacedName, &kustomization); err != nil {
 		return true
 	}
 	return kustomization.Status.LastAppliedRevision == ""
 }
 func shouldCreateDeployKey(ctx context.Context, kubeClient client.Client, namespace string) bool {
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      namespace,
 	}
 	var existing corev1.Secret
 	if err := kubeClient.Get(ctx, namespacedName, &existing); err != nil {
 		return true
 	}
 	return false
 }
 func generateDeployKey(ctx context.Context, kubeClient client.Client, url *url.URL, namespace string) (string, error) {
 	pair, err := generateKeyPair(ctx, sourceGitKeyAlgorithm, sourceGitRSABits, sourceGitECDSACurve)
 	if err != nil {
 		return "", err
 	}
 	hostKey, err := scanHostKey(ctx, url)
 	if err != nil {
 		return "", err
 	}
 	secret := corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      namespace,
 			Namespace: namespace,
 		},
 		StringData: map[string]string{
 			"identity":     string(pair.PrivateKey),
 			"identity.pub": string(pair.PublicKey),
 			"known_hosts":  string(hostKey),
 		},
 	}
 	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 		return "", err
 	}
 	return string(pair.PublicKey), nil
 }
 func checkIfBootstrapPathDiffers(ctx context.Context, kubeClient client.Client, namespace string, path string) (string, bool) {
 	namespacedName := types.NamespacedName{
 		Name:      namespace,
 		Namespace: namespace,
 	}
 	var fluxSystemKustomization kustomizev1.Kustomization
 	err := kubeClient.Get(ctx, namespacedName, &fluxSystemKustomization)
 	if err != nil {
 		return "", false
 	}
 	if fluxSystemKustomization.Spec.Path == path {
 		return "", false
 	}
 	return fluxSystemKustomization.Spec.Path, true
 }
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@@ -0,0 +1,279 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"time"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 var bootstrapBServerCmd = &cobra.Command{
 	Use:   "bitbucket-server",
 	Short: "Bootstrap toolkit components in a Bitbucket Server repository",
 	Long: `The bootstrap bitbucket-server command creates the Bitbucket Server repository if it doesn't exists and
 commits the toolkit components manifests to the master branch.
 Then it configures the target cluster to synchronize with the repository.
 If the toolkit components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a Bitbucket Server API token and export it as an env var
  export BITBUCKET_TOKEN=<my-token>
  # Run bootstrap for a private repository using HTTPS token authentication
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth
  # Run bootstrap for a private repository using SSH authentication
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain>
  # Run bootstrap for a repository path
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --path=dev-cluster --hostname=<domain>
  # Run bootstrap for a public repository on a personal account
  flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth
  # Run bootstrap for a an existing repository with a branch named main
  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth`,
 	RunE: bootstrapBServerCmdRun,
 }
 const (
 	bServerDefaultPermission = "push"
 	bServerTokenEnvVar       = "BITBUCKET_TOKEN"
 )
 type bServerFlags struct {
 	owner        string
 	repository   string
 	interval     time.Duration
 	personal     bool
 	username     string
 	private      bool
 	hostname     string
 	path         flags.SafeRelativePath
 	teams        []string
 	readWriteKey bool
 	reconcile    bool
 }
 var bServerArgs bServerFlags
 func init() {
 	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.owner, "owner", "", "Bitbucket Server user or project name")
 	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.repository, "repository", "", "Bitbucket Server repository name")
 	bootstrapBServerCmd.Flags().StringSliceVar(&bServerArgs.teams, "group", []string{}, "Bitbucket Server groups to be given write access (also accepts comma-separated values)")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.personal, "personal", false, "if true, the owner is assumed to be a Bitbucket Server user; otherwise a group")
 	bootstrapBServerCmd.Flags().StringVarP(&bServerArgs.username, "username", "u", "git", "authentication username")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.private, "private", true, "if true, the repository is setup or configured as private")
 	bootstrapBServerCmd.Flags().DurationVar(&bServerArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapBServerCmd.Flags().StringVar(&bServerArgs.hostname, "hostname", "", "Bitbucket Server hostname")
 	bootstrapBServerCmd.Flags().Var(&bServerArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
 	bootstrapCmd.AddCommand(bootstrapBServerCmd)
 }
 func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 	bitbucketToken := os.Getenv(bServerTokenEnvVar)
 	if bitbucketToken == "" {
 		var err error
 		bitbucketToken, err = readPasswordFromStdin("Please enter your Bitbucket personal access token (PAT): ")
 		if err != nil {
 			return fmt.Errorf("could not read token: %w", err)
 		}
 	}
 	if bServerArgs.hostname == "" {
 		return fmt.Errorf("invalid hostname %q", bServerArgs.hostname)
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err == nil {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
 	user := bServerArgs.username
 	if bServerArgs.personal {
 		user = bServerArgs.owner
 	}
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Build Bitbucket Server provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderStash,
 		Hostname: bServerArgs.hostname,
 		Username: user,
 		Token:    bitbucketToken,
 		CaBundle: caBundle,
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}
 	// Lazy go-git repository
 	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	gitClient := gogit.New(tmpDir, &http.BasicAuth{
 		Username: user,
 		Password: bitbucketToken,
 	})
 	// Install manifest config
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             bServerArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
 		Namespace:    *kubeconfigArgs.Namespace,
 		TargetPath:   bServerArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
 	if bootstrapArgs.tokenAuth {
 		if bServerArgs.personal {
 			secretOpts.Username = bServerArgs.owner
 		} else {
 			secretOpts.Username = bServerArgs.username
 		}
 		secretOpts.Password = bitbucketToken
 		if bootstrapArgs.caFile != "" {
 			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		secretOpts.SSHHostname = bServerArgs.hostname
 		if bootstrapArgs.privateKeyFile != "" {
 			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
 		}
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
 	}
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          bServerArgs.interval,
 		Name:              *kubeconfigArgs.Namespace,
 		Namespace:         *kubeconfigArgs.Namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        bServerArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(bServerArgs.owner, bServerArgs.repository, bServerArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
 		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
 	if bootstrapArgs.tokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
 	if !bServerArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
 	if bServerArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
 	// Run
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -0,0 +1,285 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"net/url"
 	"os"
 	"strings"
 	"time"
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 var bootstrapGitCmd = &cobra.Command{
 	Use:   "git",
 	Short: "Bootstrap toolkit components in a Git repository",
 	Long: `The bootstrap git command commits the toolkit components manifests to the
 branch of a Git repository. It then configures the target cluster to synchronize with
 the repository. If the toolkit components are present on the cluster, the bootstrap
 command will perform an upgrade if needed.`,
 	Example: `  # Run bootstrap for a Git repository and authenticate with your SSH agent
  flux bootstrap git --url=ssh://git@example.com/repository.git
  # Run bootstrap for a Git repository and authenticate using a password
  flux bootstrap git --url=https://example.com/repository.git --password=<password>
  # Run bootstrap for a Git repository with a passwordless private key
  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key>
  # Run bootstrap for a Git repository with a private key and password
  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --password=<password>
 `,
 	RunE: bootstrapGitCmdRun,
 }
 type gitFlags struct {
 	url      string
 	interval time.Duration
 	path     flags.SafeRelativePath
 	username string
 	password string
 	silent   bool
 }
 var gitArgs gitFlags
 func init() {
 	bootstrapGitCmd.Flags().StringVar(&gitArgs.url, "url", "", "Git repository URL")
 	bootstrapGitCmd.Flags().DurationVar(&gitArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapGitCmd.Flags().Var(&gitArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
 	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	bootstrapCmd.AddCommand(bootstrapGitCmd)
 }
 func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
 	repositoryURL, err := url.Parse(gitArgs.url)
 	if err != nil {
 		return err
 	}
 	gitAuth, err := transportForURL(repositoryURL)
 	if err != nil {
 		return err
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err == nil {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
 	// Lazy go-git repository
 	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	gitClient := gogit.New(tmpDir, gitAuth)
 	// Install manifest config
 	installOptions := install.Options{
 		BaseURL:                rootArgs.defaults.BaseURL,
 		Version:                bootstrapArgs.version,
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             gitArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
 	// Source generation and secret config
 	secretOpts := sourcesecret.Options{
 		Name:         bootstrapArgs.secretName,
 		Namespace:    *kubeconfigArgs.Namespace,
 		TargetPath:   gitArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = gitArgs.username
 		secretOpts.Password = gitArgs.password
 		if bootstrapArgs.caFile != "" {
 			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
 		// This _might_ be overwritten later on by e.g. --ssh-hostname
 		if repositoryURL.Scheme != "https" && repositoryURL.Scheme != "http" {
 			repositoryURL.Host = repositoryURL.Hostname()
 		}
 		// Configure repository URL to match auth config for sync.
 		repositoryURL.User = nil
 		repositoryURL.Scheme = "https"
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.Password = gitArgs.password
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		// Configure repository URL to match auth config for sync
 		// Override existing user when user is not already set
 		// or when a username was passed in
 		if repositoryURL.User == nil || gitArgs.username != "git" {
 			repositoryURL.User = url.User(gitArgs.username)
 		}
 		repositoryURL.Scheme = "ssh"
 		if bootstrapArgs.sshHostname != "" {
 			repositoryURL.Host = bootstrapArgs.sshHostname
 		}
 		if bootstrapArgs.privateKeyFile != "" {
 			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
 		}
 		// Configure last as it depends on the config above.
 		secretOpts.SSHHostname = repositoryURL.Host
 	}
 	// Sync manifest config
 	syncOpts := sync.Options{
 		Interval:          gitArgs.interval,
 		Name:              *kubeconfigArgs.Namespace,
 		Namespace:         *kubeconfigArgs.Namespace,
 		URL:               repositoryURL.String(),
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        gitArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitOption{
 		bootstrap.WithRepositoryURL(gitArgs.url),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithPostGenerateSecretFunc(promptPublicKey),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
 		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewPlainGitProvider(gitClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
 	// Run
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
 // transportForURL constructs a transport.AuthMethod based on the scheme
 // of the given URL and the configured flags. If the protocol equals
 // "ssh" but no private key is configured, authentication using the local
 // SSH-agent is attempted.
 func transportForURL(u *url.URL) (transport.AuthMethod, error) {
 	switch u.Scheme {
 	case "https":
 		return &http.BasicAuth{
 			Username: gitArgs.username,
 			Password: gitArgs.password,
 		}, nil
 	case "ssh":
 		if bootstrapArgs.privateKeyFile != "" {
 			return ssh.NewPublicKeysFromFile(u.User.Username(), bootstrapArgs.privateKeyFile, gitArgs.password)
 		}
 		return nil, nil
 	default:
 		return nil, fmt.Errorf("scheme %q is not supported", u.Scheme)
 	}
 }
 func promptPublicKey(ctx context.Context, secret corev1.Secret, _ sourcesecret.Options) error {
 	ppk, ok := secret.StringData[sourcesecret.PublicKeySecretKey]
 	if !ok {
 		return nil
 	}
 	logger.Successf("public key: %s", strings.TrimSpace(ppk))
 	if !gitArgs.silent {
 		prompt := promptui.Prompt{
 			Label:     "Please give the key access to your repository",
 			IsConfirm: true,
 		}
 		_, err := prompt.Run()
 		if err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	return nil
 }
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -19,21 +19,20 @@ package main
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"path"
 	"path/filepath"
 	"time"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 var bootstrapGitHubCmd = &cobra.Command{
@@ -47,252 +46,223 @@ the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitHub personal access token and export it as an env var
  export GITHUB_TOKEN=<my-token>
-  # Run bootstrap for a private repo owned by a GitHub organization
+  # Run bootstrap for a private repository owned by a GitHub organization
-  flux bootstrap github --owner=<organization> --repository=<repo name>
+  flux bootstrap github --owner=<organization> --repository=<repository name>
-  # Run bootstrap for a private repo and assign organization teams to it
+  # Run bootstrap for a private repository and assign organization teams to it
-  flux bootstrap github --owner=<organization> --repository=<repo name> --team=<team1 slug> --team=<team2 slug>
+  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug>
  # Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level>
  # Run bootstrap for a repository path
-  flux bootstrap github --owner=<organization> --repository=<repo name> --path=dev-cluster
+  flux bootstrap github --owner=<organization> --repository=<repository name> --path=dev-cluster
  # Run bootstrap for a public repository on a personal account
-  flux bootstrap github --owner=<user> --repository=<repo name> --private=false --personal=true 
+  flux bootstrap github --owner=<user> --repository=<repository name> --private=false --personal=true
-  # Run bootstrap for a private repo hosted on GitHub Enterprise using SSH auth
+  # Run bootstrap for a private repository hosted on GitHub Enterprise using SSH auth
-  flux bootstrap github --owner=<organization> --repository=<repo name> --hostname=<domain> --ssh-hostname=<domain>
+  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain>
-  # Run bootstrap for a private repo hosted on GitHub Enterprise using HTTPS auth
+  # Run bootstrap for a private repository hosted on GitHub Enterprise using HTTPS auth
-  flux bootstrap github --owner=<organization> --repository=<repo name> --hostname=<domain> --token-auth
+  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth
-  # Run bootstrap for a an existing repository with a branch named main
+  # Run bootstrap for an existing repository with a branch named main
-  flux bootstrap github --owner=<organization> --repository=<repo name> --branch=main
+  flux bootstrap github --owner=<organization> --repository=<repository name> --branch=main`,
 `,
 	RunE: bootstrapGitHubCmdRun,
 }
-var (
+type githubFlags struct {
-	ghOwner       string
+	owner        string
-	ghRepository  string
+	repository   string
-	ghInterval    time.Duration
+	interval     time.Duration
-	ghPersonal    bool
+	personal     bool
-	ghPrivate     bool
+	private      bool
-	ghHostname    string
+	hostname     string
-	ghPath        flags.SafeRelativePath
+	path         flags.SafeRelativePath
-	ghTeams       []string
+	teams        []string
-	ghDelete      bool
+	readWriteKey bool
-	ghSSHHostname string
+	reconcile    bool
-)
+}
 const (
 	ghDefaultPermission = "maintain"
 	ghDefaultDomain     = "github.com"
 	ghTokenEnvVar       = "GITHUB_TOKEN"
 )
-func init() {
+var githubArgs githubFlags
 	bootstrapGitHubCmd.Flags().StringVar(&ghOwner, "owner", "", "GitHub user or organization name")
 	bootstrapGitHubCmd.Flags().StringVar(&ghRepository, "repository", "", "GitHub repository name")
 	bootstrapGitHubCmd.Flags().StringArrayVar(&ghTeams, "team", []string{}, "GitHub team to be given maintainer access")
 	bootstrapGitHubCmd.Flags().BoolVar(&ghPersonal, "personal", false, "is personal repository")
 	bootstrapGitHubCmd.Flags().BoolVar(&ghPrivate, "private", true, "is private repository")
 	bootstrapGitHubCmd.Flags().DurationVar(&ghInterval, "interval", time.Minute, "sync interval")
 	bootstrapGitHubCmd.Flags().StringVar(&ghHostname, "hostname", git.GitHubDefaultHostname, "GitHub hostname")
 	bootstrapGitHubCmd.Flags().StringVar(&ghSSHHostname, "ssh-hostname", "", "GitHub SSH hostname, to be used when the SSH host differs from the HTTPS one")
 	bootstrapGitHubCmd.Flags().Var(&ghPath, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
-	bootstrapGitHubCmd.Flags().BoolVar(&ghDelete, "delete", false, "delete repository (used for testing only)")
+func init() {
-	bootstrapGitHubCmd.Flags().MarkHidden("delete")
+	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.owner, "owner", "", "GitHub user or organization name")
 	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.repository, "repository", "", "GitHub repository name")
 	bootstrapGitHubCmd.Flags().StringSliceVar(&githubArgs.teams, "team", []string{}, "GitHub team and the access to be given to it(team:maintain). Defaults to maintainer access if no access level is specified (also accepts comma-separated values)")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.personal, "personal", false, "if true, the owner is assumed to be a GitHub user; otherwise an org")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.private, "private", true, "if true, the repository is setup or configured as private")
 	bootstrapGitHubCmd.Flags().DurationVar(&githubArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapGitHubCmd.Flags().StringVar(&githubArgs.hostname, "hostname", ghDefaultDomain, "GitHub hostname")
 	bootstrapGitHubCmd.Flags().Var(&githubArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapGitHubCmd.Flags().BoolVar(&githubArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
 	bootstrapCmd.AddCommand(bootstrapGitHubCmd)
 }
 func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
-	ghToken := os.Getenv(git.GitHubTokenName)
+	ghToken := os.Getenv(ghTokenEnvVar)
 	if ghToken == "" {
-		return fmt.Errorf("%s environment variable not found", git.GitHubTokenName)
+		var err error
 		ghToken, err = readPasswordFromStdin("Please enter your GitHub personal access token (PAT): ")
 		if err != nil {
 			return fmt.Errorf("could not read token: %w", err)
 		}
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
-	usedPath, bootstrapPathDiffers := checkIfBootstrapPathDiffers(ctx, kubeClient, namespace, filepath.ToSlash(ghPath.String()))
+	// Manifest base
-
+	if ver, err := getVersion(bootstrapArgs.version); err == nil {
-	if bootstrapPathDiffers {
+		bootstrapArgs.version = ver
 		return fmt.Errorf("cluster already bootstrapped to %v path", usedPath)
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
-	repository, err := git.NewRepository(ghRepository, ghOwner, ghHostname, ghToken, "flux", ghOwner+"@users.noreply.github.com")
+	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Build GitHub provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitHub,
 		Hostname: githubArgs.hostname,
 		Token:    ghToken,
 		CaBundle: caBundle,
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}
-	if ghSSHHostname != "" {
+	// Lazy go-git repository
-		repository.SSHHost = ghSSHHostname
+	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
 	}
 	provider := &git.GithubProvider{
 		IsPrivate:  ghPrivate,
 		IsPersonal: ghPersonal,
 	}
 	tmpDir, err := ioutil.TempDir("", namespace)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	gitClient := gogit.New(tmpDir, &http.BasicAuth{
 		Username: githubArgs.owner,
 		Password: ghToken,
 	})
-	if ghDelete {
+	// Install manifest config
-		if err := provider.DeleteRepository(ctx, repository); err != nil {
+	installOptions := install.Options{
-			return err
+		BaseURL:                rootArgs.defaults.BaseURL,
-		}
+		Version:                bootstrapArgs.version,
-		logger.Successf("repository deleted")
+		Namespace:              *kubeconfigArgs.Namespace,
-		return nil
+		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             githubArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
 	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
 		installOptions.BaseURL = customBaseURL
 	}
-	// create GitHub repository if doesn't exists
+	// Source generation and secret config
-	logger.Actionf("connecting to %s", ghHostname)
+	secretOpts := sourcesecret.Options{
-	changed, err := provider.CreateRepository(ctx, repository)
+		Name:         bootstrapArgs.secretName,
-	if err != nil {
+		Namespace:    *kubeconfigArgs.Namespace,
-		return err
+		TargetPath:   githubArgs.path.ToSlash(),
-	}
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	if changed {
 		logger.Successf("repository created")
 	}
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = ghToken
-	withErrors := false
+		if bootstrapArgs.caFile != "" {
-	// add teams to org repository
+			secretOpts.CAFilePath = bootstrapArgs.caFile
 	if !ghPersonal {
 		for _, team := range ghTeams {
 			if changed, err := provider.AddTeam(ctx, repository, team, ghDefaultPermission); err != nil {
 				logger.Failuref(err.Error())
 				withErrors = true
 			} else if changed {
 				logger.Successf("%s team access granted", team)
 			}
 		}
 	}
 	// clone repository and checkout the main branch
 	if err := repository.Checkout(ctx, bootstrapBranch, tmpDir); err != nil {
 		return err
 	}
 	logger.Successf("repository cloned")
 	// generate install manifests
 	logger.Generatef("generating manifests")
 	installManifest, err := generateInstallManifests(ghPath.String(), namespace, tmpDir, bootstrapManifestsPath)
 	if err != nil {
 		return err
 	}
 	// stage install manifests
 	changed, err = repository.Commit(ctx, path.Join(ghPath.String(), namespace), "Add manifests")
 	if err != nil {
 		return err
 	}
 	// push install manifests
 	if changed {
 		if err := repository.Push(ctx); err != nil {
 			return err
 		}
 		logger.Successf("components manifests pushed")
 	} else {
 		logger.Successf("components are up to date")
 	}
 	// determine if repo synchronization is working
 	isInstall := shouldInstallManifests(ctx, kubeClient, namespace)
 	if isInstall {
 		// apply install manifests
 		logger.Actionf("installing components in %s namespace", namespace)
 		if err := applyInstallManifests(ctx, installManifest, bootstrapComponents()); err != nil {
 			return err
 		}
 		logger.Successf("install completed")
 	}
 	repoURL := repository.GetURL()
 	if bootstrapTokenAuth {
 		// setup HTTPS token auth
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      namespace,
 				Namespace: namespace,
 			},
 			StringData: map[string]string{
 				"username": "git",
 				"password": ghToken,
 			},
 		}
 		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 			return err
 		}
 	} else {
-		// setup SSH deploy key
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
-		repoURL = repository.GetSSH()
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
-		if shouldCreateDeployKey(ctx, kubeClient, namespace) {
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-			logger.Actionf("configuring deploy key")
+		secretOpts.SSHHostname = githubArgs.hostname
 			u, err := url.Parse(repository.GetSSH())
 			if err != nil {
 				return fmt.Errorf("git URL parse failed: %w", err)
 			}
-			key, err := generateDeployKey(ctx, kubeClient, u, namespace)
+		if bootstrapArgs.sshHostname != "" {
-			if err != nil {
+			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 				return fmt.Errorf("generating deploy key failed: %w", err)
 			}
 			keyName := "flux"
 			if ghPath != "" {
 				keyName = fmt.Sprintf("flux-%s", ghPath)
 			}
 			if changed, err := provider.AddDeployKey(ctx, repository, key, keyName); err != nil {
 				return err
 			} else if changed {
 				logger.Successf("deploy key configured")
 			}
 		}
 	}
-	// configure repo synchronization
+	// Sync manifest config
-	logger.Actionf("generating sync manifests")
+	syncOpts := sync.Options{
-	syncManifests, err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, filepath.ToSlash(ghPath.String()), tmpDir, ghInterval)
+		Interval:          githubArgs.interval,
 		Name:              *kubeconfigArgs.Namespace,
 		Namespace:         *kubeconfigArgs.Namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        githubArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(githubArgs.owner, githubArgs.repository, githubArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
 		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(githubArgs.teams, ghDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(githubArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
 	if bootstrapArgs.tokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
 	if !githubArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
 	if githubArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
-	// commit and push manifests
+	// Run
-	if changed, err = repository.Commit(ctx, path.Join(ghPath.String(), namespace), "Add manifests"); err != nil {
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 		return err
 	} else if changed {
 		if err := repository.Push(ctx); err != nil {
 			return err
 		}
 		logger.Successf("sync manifests pushed")
 	}
 	// apply manifests and waiting for sync
 	logger.Actionf("applying sync manifests")
 	if err := applySyncManifests(ctx, kubeClient, namespace, namespace, syncManifests); err != nil {
 		return err
 	}
 	if withErrors {
 		return fmt.Errorf("bootstrap completed with errors")
 	}
 	logger.Successf("bootstrap finished")
 	return nil
 }
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -19,22 +19,22 @@ package main
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"path"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 var bootstrapGitLabCmd = &cobra.Command{
@@ -48,226 +48,235 @@ the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitLab API token and export it as an env var
  export GITLAB_TOKEN=<my-token>
-  # Run bootstrap for a private repo using HTTPS token authentication 
+  # Run bootstrap for a private repository using HTTPS token authentication
-  flux bootstrap gitlab --owner=<group> --repository=<repo name> --token-auth
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --token-auth
-  # Run bootstrap for a private repo using SSH authentication
+  # Run bootstrap for a private repository using SSH authentication
-  flux bootstrap gitlab --owner=<group> --repository=<repo name>
+  flux bootstrap gitlab --owner=<group> --repository=<repository name>
  # Run bootstrap for a repository path
-  flux bootstrap gitlab --owner=<group> --repository=<repo name> --path=dev-cluster
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --path=dev-cluster
  # Run bootstrap for a public repository on a personal account
-  flux bootstrap gitlab --owner=<user> --repository=<repo name> --private=false --personal --token-auth
+  flux bootstrap gitlab --owner=<user> --repository=<repository name> --private=false --personal --token-auth
-  # Run bootstrap for a private repo hosted on a GitLab server 
+  # Run bootstrap for a private repository hosted on a GitLab server
-  flux bootstrap gitlab --owner=<group> --repository=<repo name> --hostname=<domain> --token-auth
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<domain> --token-auth
  # Run bootstrap for a an existing repository with a branch named main
-  flux bootstrap gitlab --owner=<organization> --repository=<repo name> --branch=main --token-auth
+  flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth`,
 `,
 	RunE: bootstrapGitLabCmdRun,
 }
 const (
-	gitlabProjectRegex = `\A[[:alnum:]\x{00A9}-\x{1f9ff}_][[:alnum:]\p{Pd}\x{00A9}-\x{1f9ff}_\.]*\z`
+	glDefaultPermission = "maintain"
 	glDefaultDomain     = "gitlab.com"
 	glTokenEnvVar       = "GITLAB_TOKEN"
 	gitlabProjectRegex  = `\A[[:alnum:]\x{00A9}-\x{1f9ff}_][[:alnum:]\p{Pd}\x{00A9}-\x{1f9ff}_\.]*\z`
 )
-var (
+type gitlabFlags struct {
-	glOwner       string
+	owner        string
-	glRepository  string
+	repository   string
-	glInterval    time.Duration
+	interval     time.Duration
-	glPersonal    bool
+	personal     bool
-	glPrivate     bool
+	private      bool
-	glHostname    string
+	hostname     string
-	glSSHHostname string
+	path         flags.SafeRelativePath
-	glPath        flags.SafeRelativePath
+	teams        []string
-)
+	readWriteKey bool
 	reconcile    bool
 }
 var gitlabArgs gitlabFlags
 func init() {
-	bootstrapGitLabCmd.Flags().StringVar(&glOwner, "owner", "", "GitLab user or group name")
+	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.owner, "owner", "", "GitLab user or group name")
-	bootstrapGitLabCmd.Flags().StringVar(&glRepository, "repository", "", "GitLab repository name")
+	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.repository, "repository", "", "GitLab repository name")
-	bootstrapGitLabCmd.Flags().BoolVar(&glPersonal, "personal", false, "is personal repository")
+	bootstrapGitLabCmd.Flags().StringSliceVar(&gitlabArgs.teams, "team", []string{}, "GitLab teams to be given maintainer access (also accepts comma-separated values)")
-	bootstrapGitLabCmd.Flags().BoolVar(&glPrivate, "private", true, "is private repository")
+	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.personal, "personal", false, "if true, the owner is assumed to be a GitLab user; otherwise a group")
-	bootstrapGitLabCmd.Flags().DurationVar(&glInterval, "interval", time.Minute, "sync interval")
+	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.private, "private", true, "if true, the repository is setup or configured as private")
-	bootstrapGitLabCmd.Flags().StringVar(&glHostname, "hostname", git.GitLabDefaultHostname, "GitLab hostname")
+	bootstrapGitLabCmd.Flags().DurationVar(&gitlabArgs.interval, "interval", time.Minute, "sync interval")
-	bootstrapGitLabCmd.Flags().StringVar(&glSSHHostname, "ssh-hostname", "", "GitLab SSH hostname, to be used when the SSH host differs from the HTTPS one")
+	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.hostname, "hostname", glDefaultDomain, "GitLab hostname")
-	bootstrapGitLabCmd.Flags().Var(&glPath, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
+	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
 	bootstrapCmd.AddCommand(bootstrapGitLabCmd)
 }
 func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
-	glToken := os.Getenv(git.GitLabTokenName)
+	glToken := os.Getenv(glTokenEnvVar)
 	if glToken == "" {
-		return fmt.Errorf("%s environment variable not found", git.GitLabTokenName)
+		var err error
 		glToken, err = readPasswordFromStdin("Please enter your GitLab personal access token (PAT): ")
 		if err != nil {
 			return fmt.Errorf("could not read token: %w", err)
 		}
 	}
-	projectNameIsValid, err := regexp.MatchString(gitlabProjectRegex, glRepository)
+	if projectNameIsValid, err := regexp.MatchString(gitlabProjectRegex, gitlabArgs.repository); err != nil || !projectNameIsValid {
-	if err != nil {
+		if err == nil {
 			err = fmt.Errorf("%s is an invalid project name for gitlab.\nIt can contain only letters, digits, emojis, '_', '.', dash, space. It must start with letter, digit, emoji or '_'.", gitlabArgs.repository)
 		}
 		return err
 	}
 	if !projectNameIsValid {
 		return fmt.Errorf("%s is an invalid project name for gitlab.\nIt can contain only letters, digits, emojis, '_', '.', dash, space. It must start with letter, digit, emoji or '_'.", glRepository)
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
-	usedPath, bootstrapPathDiffers := checkIfBootstrapPathDiffers(ctx, kubeClient, namespace, filepath.ToSlash(glPath.String()))
+	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err == nil {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(manifestsBase)
-	if bootstrapPathDiffers {
+	var caBundle []byte
-		return fmt.Errorf("cluster already bootstrapped to %v path", usedPath)
+	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
-	repository, err := git.NewRepository(glRepository, glOwner, glHostname, glToken, "flux", glOwner+"@users.noreply.gitlab.com")
+	// Build GitLab provider
 	providerCfg := provider.Config{
 		Provider: provider.GitProviderGitLab,
 		Hostname: gitlabArgs.hostname,
 		Token:    glToken,
 		CaBundle: caBundle,
 	}
 	// Workaround for: https://github.com/fluxcd/go-git-providers/issues/55
 	if hostname := providerCfg.Hostname; hostname != glDefaultDomain &&
 		!strings.HasPrefix(hostname, "https://") &&
 		!strings.HasPrefix(hostname, "http://") {
 		providerCfg.Hostname = "https://" + providerCfg.Hostname
 	}
 	providerClient, err := provider.BuildGitProvider(providerCfg)
 	if err != nil {
 		return err
 	}
-	if glSSHHostname != "" {
+	// Lazy go-git repository
-		repository.SSHHost = glSSHHostname
+	tmpDir, err := os.MkdirTemp("", "flux-bootstrap-")
 	}
 	provider := &git.GitLabProvider{
 		IsPrivate:  glPrivate,
 		IsPersonal: glPersonal,
 	}
 	tmpDir, err := ioutil.TempDir("", namespace)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 	gitClient := gogit.New(tmpDir, &http.BasicAuth{
 		Username: gitlabArgs.owner,
 		Password: glToken,
 	})
-	// create GitLab project if doesn't exists
+	// Install manifest config
-	logger.Actionf("connecting to %s", glHostname)
+	installOptions := install.Options{
-	changed, err := provider.CreateRepository(ctx, repository)
+		BaseURL:                rootArgs.defaults.BaseURL,
-	if err != nil {
+		Version:                bootstrapArgs.version,
-		return err
+		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
 		LogLevel:               bootstrapArgs.logLevel.String(),
 		NotificationController: rootArgs.defaults.NotificationController,
 		ManifestFile:           rootArgs.defaults.ManifestFile,
 		Timeout:                rootArgs.timeout,
 		TargetPath:             gitlabArgs.path.ToSlash(),
 		ClusterDomain:          bootstrapArgs.clusterDomain,
 		TolerationKeys:         bootstrapArgs.tolerationKeys,
 	}
-	if changed {
+	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
-		logger.Successf("repository created")
+		installOptions.BaseURL = customBaseURL
 	}
-	// clone repository and checkout the master branch
+	// Source generation and secret config
-	if err := repository.Checkout(ctx, bootstrapBranch, tmpDir); err != nil {
+	secretOpts := sourcesecret.Options{
-		return err
+		Name:         bootstrapArgs.secretName,
 		Namespace:    *kubeconfigArgs.Namespace,
 		TargetPath:   gitlabArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
-	logger.Successf("repository cloned")
+	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = glToken
-	// generate install manifests
+		if bootstrapArgs.caFile != "" {
-	logger.Generatef("generating manifests")
+			secretOpts.CAFilePath = bootstrapArgs.caFile
 	installManifest, err := generateInstallManifests(glPath.String(), namespace, tmpDir, bootstrapManifestsPath)
 	if err != nil {
 		return err
 	}
 	// stage install manifests
 	changed, err = repository.Commit(ctx, path.Join(glPath.String(), namespace), "Add manifests")
 	if err != nil {
 		return err
 	}
 	// push install manifests
 	if changed {
 		if err := repository.Push(ctx); err != nil {
 			return err
 		}
 		logger.Successf("components manifests pushed")
 	} else {
 		logger.Successf("components are up to date")
 	}
 	// determine if repo synchronization is working
 	isInstall := shouldInstallManifests(ctx, kubeClient, namespace)
 	if isInstall {
 		// apply install manifests
 		logger.Actionf("installing components in %s namespace", namespace)
 		if err := applyInstallManifests(ctx, installManifest, bootstrapComponents()); err != nil {
 			return err
 		}
 		logger.Successf("install completed")
 	}
 	repoURL := repository.GetURL()
 	if bootstrapTokenAuth {
 		// setup HTTPS token auth
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      namespace,
 				Namespace: namespace,
 			},
 			StringData: map[string]string{
 				"username": "git",
 				"password": glToken,
 			},
 		}
 		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 			return err
 		}
 	} else {
-		// setup SSH deploy key
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
-		repoURL = repository.GetSSH()
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
-		if shouldCreateDeployKey(ctx, kubeClient, namespace) {
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-			logger.Actionf("configuring deploy key")
+		secretOpts.SSHHostname = gitlabArgs.hostname
 			u, err := url.Parse(repoURL)
 			if err != nil {
 				return fmt.Errorf("git URL parse failed: %w", err)
 			}
-			key, err := generateDeployKey(ctx, kubeClient, u, namespace)
+		if bootstrapArgs.privateKeyFile != "" {
-			if err != nil {
+			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
-				return fmt.Errorf("generating deploy key failed: %w", err)
+		}
-			}
+		if bootstrapArgs.sshHostname != "" {
-
+			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 			keyName := "flux"
 			if glPath != "" {
 				keyName = fmt.Sprintf("flux-%s", glPath)
 			}
 			if changed, err := provider.AddDeployKey(ctx, repository, key, keyName); err != nil {
 				return err
 			} else if changed {
 				logger.Successf("deploy key configured")
 			}
 		}
 	}
-	// configure repo synchronization
+	// Sync manifest config
-	logger.Actionf("generating sync manifests")
+	syncOpts := sync.Options{
-	syncManifests, err := generateSyncManifests(repoURL, bootstrapBranch, namespace, namespace, filepath.ToSlash(glPath.String()), tmpDir, glInterval)
+		Interval:          gitlabArgs.interval,
 		Name:              *kubeconfigArgs.Namespace,
 		Namespace:         *kubeconfigArgs.Namespace,
 		Branch:            bootstrapArgs.branch,
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        gitlabArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
 		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(gitlabArgs.owner, gitlabArgs.repository, gitlabArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
 		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(gitlabArgs.teams, glDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(gitlabArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs),
 		bootstrap.WithLogger(logger),
 		bootstrap.WithCABundle(caBundle),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
 	if bootstrapArgs.tokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
 	if !gitlabArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
 	if gitlabArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
 	}
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
 	if err != nil {
 		return err
 	}
-	// commit and push manifests
+	// Run
-	if changed, err = repository.Commit(ctx, path.Join(glPath.String(), namespace), "Add manifests"); err != nil {
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 		return err
 	} else if changed {
 		if err := repository.Push(ctx); err != nil {
 			return err
 		}
 		logger.Successf("sync manifests pushed")
 	}
 	// apply manifests and waiting for sync
 	logger.Actionf("applying sync manifests")
 	if err := applySyncManifests(ctx, kubeClient, namespace, namespace, syncManifests); err != nil {
 		return err
 	}
 	logger.Successf("bootstrap finished")
 	return nil
 }
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -18,16 +18,21 @@ package main
 import (
 	"context"
 	"encoding/json"
 	"os"
-	"os/exec"
+	"time"
 	"strings"
-	"github.com/blang/semver/v4"
+	"github.com/Masterminds/semver/v3"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/spf13/cobra"
-	apimachineryversion "k8s.io/apimachinery/pkg/version"
+	v1 "k8s.io/api/apps/v1"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/version"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/status"
 )
 var checkCmd = &cobra.Command{
@@ -39,44 +44,49 @@ the local environment is configured correctly and if the installed components ar
  flux check --pre
  # Run installation checks
-  flux check
+  flux check`,
 `,
 	RunE: runCheckCmd,
 }
-var (
+type checkFlags struct {
-	checkPre        bool
+	pre             bool
-	checkComponents []string
+	components      []string
-)
+	extraComponents []string
-
+	pollInterval    time.Duration
 type kubectlVersion struct {
 	ClientVersion *apimachineryversion.Info `json:"clientVersion"`
 }
 var kubernetesConstraints = []string{
 	">=1.19.0-0",
 	">=1.16.11-0 <=1.16.15-0",
 	">=1.17.7-0 <=1.17.17-0",
 	">=1.18.4-0 <=1.18.20-0",
 }
 var checkArgs checkFlags
 func init() {
-	checkCmd.Flags().BoolVarP(&checkPre, "pre", "", false,
+	checkCmd.Flags().BoolVarP(&checkArgs.pre, "pre", "", false,
 		"only run pre-installation checks")
-	checkCmd.Flags().StringSliceVar(&checkComponents, "components", defaults.Components,
+	checkCmd.Flags().StringSliceVar(&checkArgs.components, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	checkCmd.Flags().StringSliceVar(&checkArgs.extraComponents, "components-extra", nil,
 		"list of components in addition to those supplied or defaulted, accepts comma-separated values")
 	checkCmd.Flags().DurationVar(&checkArgs.pollInterval, "poll-interval", 5*time.Second,
 		"how often the health checker should poll the cluster for the latest state of the resources.")
 	rootCmd.AddCommand(checkCmd)
 }
 func runCheckCmd(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	logger.Actionf("checking prerequisites")
 	checkFailed := false
-	if !kubectlCheck(ctx, ">=1.18.0") {
+	fluxCheck()
 	if !kubernetesCheck(kubernetesConstraints) {
 		checkFailed = true
 	}
-	if !kubernetesCheck(">=1.16.0") {
+	if checkArgs.pre {
 		checkFailed = true
 	}
 	if checkPre {
 		if checkFailed {
 			os.Exit(1)
 		}
@@ -95,93 +105,105 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 	return nil
 }
-func kubectlCheck(ctx context.Context, version string) bool {
+func fluxCheck() {
-	_, err := exec.LookPath("kubectl")
+	curSv, err := version.ParseVersion(VERSION)
 	if err != nil {
-		logger.Failuref("kubectl not found")
+		return
 		return false
 	}
-
+	// Exclude development builds.
-	kubectlArgs := []string{"version", "--client", "--output", "json"}
+	if curSv.Prerelease() != "" {
-	output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...)
+		return
 	}
 	latest, err := install.GetLatestVersion()
 	if err != nil {
-		logger.Failuref("kubectl version can't be determined")
+		return
 		return false
 	}
-
+	latestSv, err := version.ParseVersion(latest)
 	kv := &kubectlVersion{}
 	if err = json.Unmarshal([]byte(output), kv); err != nil {
 		logger.Failuref("kubectl version output can't be unmarshaled")
 		return false
 	}
 	v, err := semver.ParseTolerant(kv.ClientVersion.GitVersion)
 	if err != nil {
-		logger.Failuref("kubectl version can't be parsed")
+		return
 		return false
 	}
-
+	if latestSv.GreaterThan(curSv) {
-	rng, _ := semver.ParseRange(version)
+		logger.Failuref("flux %s <%s (new version is available, please upgrade)", curSv, latestSv)
 	if !rng(v) {
 		logger.Failuref("kubectl version must be %s", version)
 		return false
 	}
 	logger.Successf("kubectl %s %s", v.String(), version)
 	return true
 }
-func kubernetesCheck(version string) bool {
+func kubernetesCheck(constraints []string) bool {
-	cfg, err := utils.KubeConfig(kubeconfig, kubecontext)
+	cfg, err := utils.KubeConfig(kubeconfigArgs)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
 		return false
 	}
-	client, err := kubernetes.NewForConfig(cfg)
+	clientSet, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
 		return false
 	}
-	ver, err := client.Discovery().ServerVersion()
+	kv, err := clientSet.Discovery().ServerVersion()
 	if err != nil {
 		logger.Failuref("Kubernetes API call failed: %s", err.Error())
 		return false
 	}
-	v, err := semver.ParseTolerant(ver.String())
+	v, err := version.ParseVersion(kv.String())
 	if err != nil {
 		logger.Failuref("Kubernetes version can't be determined")
 		return false
 	}
-	rng, _ := semver.ParseRange(version)
+	var valid bool
-	if !rng(v) {
+	var vrange string
-		logger.Failuref("Kubernetes version must be %s", version)
+	for _, constraint := range constraints {
 		c, _ := semver.NewConstraint(constraint)
 		if c.Check(v) {
 			valid = true
 			vrange = constraint
 			break
 		}
 	}
 	if !valid {
 		logger.Failuref("Kubernetes version %s does not match %s", v.Original(), constraints[0])
 		return false
 	}
-	logger.Successf("Kubernetes %s %s", v.String(), version)
+	logger.Successf("Kubernetes %s %s", v.String(), vrange)
 	return true
 }
 func componentsCheck() bool {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeConfig, err := utils.KubeConfig(kubeconfigArgs)
 	if err != nil {
 		return false
 	}
 	statusChecker, err := status.NewStatusChecker(kubeConfig, checkArgs.pollInterval, rootArgs.timeout, logger)
 	if err != nil {
 		return false
 	}
 	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return false
 	}
 	ok := true
-	for _, deployment := range checkComponents {
+	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
-		kubectlArgs := []string{"-n", namespace, "rollout", "status", "deployment", deployment, "--timeout", timeout.String()}
+	var list v1.DeploymentList
-		if output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...); err != nil {
+	if err := kubeClient.List(ctx, &list, client.InNamespace(*kubeconfigArgs.Namespace), selector); err == nil {
-			logger.Failuref("%s: %s", deployment, strings.TrimSuffix(output, "\n"))
+		for _, d := range list.Items {
-			ok = false
+			if ref, err := buildComponentObjectRefs(d.Name); err == nil {
-		} else {
+				if err := statusChecker.Assess(ref...); err != nil {
-			logger.Successf("%s is healthy", deployment)
+					ok = false
-		}
+				}
-		kubectlArgs = []string{"-n", namespace, "get", "deployment", deployment, "-o", "jsonpath=\"{..image}\""}
+			}
-		if output, err := utils.ExecKubectlCommand(ctx, utils.ModeCapture, kubeconfig, kubecontext, kubectlArgs...); err == nil {
+			for _, c := range d.Spec.Template.Spec.Containers {
-			logger.Actionf(strings.TrimPrefix(strings.TrimSuffix(output, "\""), "\""))
+				logger.Actionf(c.Image)
 			}
 		}
 	}
 	return ok
--- a/cmd/flux/check_test.go
+++ b/cmd/flux/check_test.go
@@ -0,0 +1,52 @@
 //go:build e2e
 // +build e2e
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"encoding/json"
 	"strings"
 	"testing"
 	"github.com/fluxcd/flux2/internal/utils"
 	"k8s.io/apimachinery/pkg/version"
 )
 func TestCheckPre(t *testing.T) {
 	jsonOutput, err := utils.ExecKubectlCommand(context.TODO(), utils.ModeCapture, *kubeconfigArgs.KubeConfig, *kubeconfigArgs.Context, "version", "--output", "json")
 	if err != nil {
 		t.Fatalf("Error running utils.ExecKubectlCommand: %v", err.Error())
 	}
 	var versions map[string]version.Info
 	if err := json.Unmarshal([]byte(jsonOutput), &versions); err != nil {
 		t.Fatalf("Error unmarshalling: %v", err.Error())
 	}
 	serverVersion := strings.TrimPrefix(versions["serverVersion"].GitVersion, "v")
 	cmd := cmdTestCase{
 		args: "check --pre",
 		assert: assertGoldenTemplateFile("testdata/check/check_pre.golden", map[string]string{
 			"serverVersion": serverVersion,
 		}),
 	}
 	cmd.runTestCmd(t)
 }
--- a/cmd/flux/completion.go
+++ b/cmd/flux/completion.go
@@ -17,7 +17,15 @@ limitations under the License.
 package main
 import (
 	"context"
 	"strings"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/dynamic"
 )
 var completionCmd = &cobra.Command{
@@ -29,3 +37,76 @@ var completionCmd = &cobra.Command{
 func init() {
 	rootCmd.AddCommand(completionCmd)
 }
 func contextsCompletionFunc(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 	rawConfig, err := kubeconfigArgs.ToRawKubeConfigLoader().RawConfig()
 	if err != nil {
 		return completionError(err)
 	}
 	var comps []string
 	for name := range rawConfig.Contexts {
 		if strings.HasPrefix(name, toComplete) {
 			comps = append(comps, name)
 		}
 	}
 	return comps, cobra.ShellCompDirectiveNoFileComp
 }
 func resourceNamesCompletionFunc(gvk schema.GroupVersionKind) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 		defer cancel()
 		cfg, err := utils.KubeConfig(kubeconfigArgs)
 		if err != nil {
 			return completionError(err)
 		}
 		mapper, err := kubeconfigArgs.ToRESTMapper()
 		if err != nil {
 			return completionError(err)
 		}
 		mapping, err := mapper.RESTMapping(gvk.GroupKind(), gvk.Version)
 		if err != nil {
 			return completionError(err)
 		}
 		client, err := dynamic.NewForConfig(cfg)
 		if err != nil {
 			return completionError(err)
 		}
 		var dr dynamic.ResourceInterface
 		if mapping.Scope.Name() == meta.RESTScopeNameNamespace {
 			dr = client.Resource(mapping.Resource).Namespace(*kubeconfigArgs.Namespace)
 		} else {
 			dr = client.Resource(mapping.Resource)
 		}
 		list, err := dr.List(ctx, metav1.ListOptions{})
 		if err != nil {
 			return completionError(err)
 		}
 		var comps []string
 		for _, item := range list.Items {
 			name := item.GetName()
 			if strings.HasPrefix(name, toComplete) {
 				comps = append(comps, name)
 			}
 		}
 		return comps, cobra.ShellCompDirectiveNoFileComp
 	}
 }
 func completionError(err error) ([]string, cobra.ShellCompDirective) {
 	cobra.CompError(err.Error())
 	return nil, cobra.ShellCompDirectiveError
 }
--- a/cmd/flux/completion_bash.go
+++ b/cmd/flux/completion_bash.go
@@ -32,8 +32,7 @@ var completionBashCmd = &cobra.Command{
 To configure your bash shell to load completions for each session add to your bashrc
 # ~/.bashrc or ~/.profile
-command -v flux >/dev/null && . <(flux completion bash)
+command -v flux >/dev/null && . <(flux completion bash)`,
 `,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenBashCompletion(os.Stdout)
 	},
--- a/cmd/flux/completion_fish.go
+++ b/cmd/flux/completion_fish.go
@@ -25,16 +25,11 @@ import (
 var completionFishCmd = &cobra.Command{
 	Use:   "fish",
 	Short: "Generates fish completion scripts",
-	Example: `To load completion run
+	Example: `To configure your fish shell to load completions for each session write this script to your completions dir:
-. <(flux completion fish)
+flux completion fish > ~/.config/fish/completions/flux.fish
-To configure your fish shell to load completions for each session write this script to your completions dir:
+See http://fishshell.com/docs/current/index.html#completion-own for more details`,
 flux completion fish > ~/.config/fish/completions/flux
 See http://fishshell.com/docs/current/index.html#completion-own for more details
 `,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenFishCompletion(os.Stdout, true)
 	},
--- a/cmd/flux/completion_powershell.go
+++ b/cmd/flux/completion_powershell.go
@@ -39,8 +39,7 @@ flux completion >> flux-completion.ps1
 Linux:
 cd "${XDG_CONFIG_HOME:-"$HOME/.config/"}/powershell/modules"
-flux completion >> flux-completions.ps1
+flux completion >> flux-completions.ps1`,
 `,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenPowerShellCompletion(os.Stdout)
 	},
--- a/cmd/flux/completion_zsh.go
+++ b/cmd/flux/completion_zsh.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main
 import (
 	"fmt"
 	"os"
 	"github.com/spf13/cobra"
@@ -27,12 +28,12 @@ var completionZshCmd = &cobra.Command{
 	Short: "Generates zsh completion scripts",
 	Example: `To load completion run
-. <(flux completion zsh) && compdef _flux flux
+. <(flux completion zsh)
 To configure your zsh shell to load completions for each session add to your zshrc
 # ~/.zshrc or ~/.profile
-command -v flux >/dev/null && . <(flux completion zsh) && compdef _flux flux
+command -v flux >/dev/null && . <(flux completion zsh)
 or write a cached file in one of the completion directories in your ${fpath}:
@@ -40,10 +41,11 @@ echo "${fpath// /\n}" | grep -i completion
 flux completion zsh > _flux
 mv _flux ~/.oh-my-zsh/completions  # oh-my-zsh
-mv _flux ~/.zprezto/modules/completion/external/src/  # zprezto
+mv _flux ~/.zprezto/modules/completion/external/src/  # zprezto`,
 `,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenZshCompletion(os.Stdout)
 		// Cobra doesn't source zsh completion file, explicitly doing it here
 		fmt.Println("compdef _flux flux")
 	},
 }
--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@@ -38,16 +38,18 @@ var createCmd = &cobra.Command{
 	Long:  "The create sub-commands generate sources and resources.",
 }
-var (
+type createFlags struct {
 	interval time.Duration
 	export   bool
 	labels   []string
-)
+}
 var createArgs createFlags
 func init() {
-	createCmd.PersistentFlags().DurationVarP(&interval, "interval", "", time.Minute, "source sync interval")
+	createCmd.PersistentFlags().DurationVarP(&createArgs.interval, "interval", "", time.Minute, "source sync interval")
-	createCmd.PersistentFlags().BoolVar(&export, "export", false, "export in YAML format to stdout")
+	createCmd.PersistentFlags().BoolVar(&createArgs.export, "export", false, "export in YAML format to stdout")
-	createCmd.PersistentFlags().StringSliceVar(&labels, "label", nil,
+	createCmd.PersistentFlags().StringSliceVar(&createArgs.labels, "label", nil,
 		"set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)")
 	rootCmd.AddCommand(createCmd)
 }
@@ -76,7 +78,7 @@ func (names apiType) upsert(ctx context.Context, kubeClient client.Client, objec
 		Name:      object.GetName(),
 	}
-	op, err := controllerutil.CreateOrUpdate(ctx, kubeClient, object.asRuntimeObject(), mutate)
+	op, err := controllerutil.CreateOrUpdate(ctx, kubeClient, object.asClientObject(), mutate)
 	if err != nil {
 		return nsname, err
 	}
@@ -99,10 +101,10 @@ type upsertWaitable interface {
 // resource, then waiting for it to reconcile. See the note on
 // `upsert` for how to work with the `mutate` argument.
 func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) error {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext) // NB globals
+	kubeClient, err := utils.KubeClient(kubeconfigArgs) // NB globals
 	if err != nil {
 		return err
 	}
@@ -116,7 +118,7 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 	}
 	logger.Waitingf("waiting for %s reconciliation", names.kind)
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isReady(ctx, kubeClient, namespacedName, object)); err != nil {
 		return err
 	}
@@ -126,7 +128,7 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 func parseLabels() (map[string]string, error) {
 	result := make(map[string]string)
-	for _, label := range labels {
+	for _, label := range createArgs.labels {
 		// validate key value pair
 		parts := strings.Split(label, "=")
 		if len(parts) != 2 {
--- a/cmd/flux/create_alert.go
+++ b/cmd/flux/create_alert.go
@@ -20,11 +20,7 @@ import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -33,6 +29,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
 )
 var createAlertCmd = &cobra.Command{
@@ -44,21 +43,22 @@ var createAlertCmd = &cobra.Command{
  --event-severity info \
  --event-source Kustomization/flux-system \
  --provider-ref slack \
-  flux-system
+  flux-system`,
 `,
 	RunE: createAlertCmdRun,
 }
-var (
+type alertFlags struct {
-	aProviderRef   string
+	providerRef   string
-	aEventSeverity string
+	eventSeverity string
-	aEventSources  []string
+	eventSources  []string
-)
+}
 var alertArgs alertFlags
 func init() {
-	createAlertCmd.Flags().StringVar(&aProviderRef, "provider-ref", "", "reference to provider")
+	createAlertCmd.Flags().StringVar(&alertArgs.providerRef, "provider-ref", "", "reference to provider")
-	createAlertCmd.Flags().StringVar(&aEventSeverity, "event-severity", "", "severity of events to send alerts for")
+	createAlertCmd.Flags().StringVar(&alertArgs.eventSeverity, "event-severity", "", "severity of events to send alerts for")
-	createAlertCmd.Flags().StringArrayVar(&aEventSources, "event-source", []string{}, "sources that should generate alerts (<kind>/<name>)")
+	createAlertCmd.Flags().StringSliceVar(&alertArgs.eventSources, "event-source", []string{}, "sources that should generate alerts (<kind>/<name>), also accepts comma-separated values")
 	createCmd.AddCommand(createAlertCmd)
 }
@@ -68,20 +68,21 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	if aProviderRef == "" {
+	if alertArgs.providerRef == "" {
 		return fmt.Errorf("provider ref is required")
 	}
 	eventSources := []notificationv1.CrossNamespaceObjectReference{}
-	for _, eventSource := range aEventSources {
+	for _, eventSource := range alertArgs.eventSources {
-		kind, name := utils.ParseObjectKindName(eventSource)
+		kind, name, namespace := utils.ParseObjectKindNameNamespace(eventSource)
 		if kind == "" {
 			return fmt.Errorf("invalid event source '%s', must be in format <kind>/<name>", eventSource)
 		}
 		eventSources = append(eventSources, notificationv1.CrossNamespaceObjectReference{
-			Kind: kind,
+			Kind:      kind,
-			Name: name,
+			Name:      name,
 			Namespace: namespace,
 		})
 	}
@@ -94,34 +95,34 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Alert")
 	}
 	alert := notificationv1.Alert{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.AlertSpec{
-			ProviderRef: corev1.LocalObjectReference{
+			ProviderRef: meta.LocalObjectReference{
-				Name: aProviderRef,
+				Name: alertArgs.providerRef,
 			},
-			EventSeverity: aEventSeverity,
+			EventSeverity: alertArgs.eventSeverity,
 			EventSources:  eventSources,
 			Suspend:       false,
 		},
 	}
-	if export {
+	if createArgs.export {
-		return exportAlert(alert)
+		return printExport(exportAlert(&alert))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -133,7 +134,7 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for Alert reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isAlertReady(ctx, kubeClient, namespacedName, &alert)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_alertprovider.go
+++ b/cmd/flux/create_alertprovider.go
@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -29,9 +28,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
 )
 var createAlertProviderCmd = &cobra.Command{
@@ -49,25 +49,26 @@ var createAlertProviderCmd = &cobra.Command{
  flux create alert-provider github-podinfo \
  --type github \
  --address https://github.com/stefanprodan/podinfo \
-  --secret-ref github-token
+  --secret-ref github-token`,
 `,
 	RunE: createAlertProviderCmdRun,
 }
-var (
+type alertProviderFlags struct {
-	apType      string
+	alertType string
-	apChannel   string
+	channel   string
-	apUsername  string
+	username  string
-	apAddress   string
+	address   string
-	apSecretRef string
+	secretRef string
-)
+}
 var alertProviderArgs alertProviderFlags
 func init() {
-	createAlertProviderCmd.Flags().StringVar(&apType, "type", "", "type of provider")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.alertType, "type", "", "type of provider")
-	createAlertProviderCmd.Flags().StringVar(&apChannel, "channel", "", "channel to send messages to in the case of a chat provider")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.channel, "channel", "", "channel to send messages to in the case of a chat provider")
-	createAlertProviderCmd.Flags().StringVar(&apUsername, "username", "", "bot username used by the provider")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.username, "username", "", "bot username used by the provider")
-	createAlertProviderCmd.Flags().StringVar(&apAddress, "address", "", "path to either the git repository, chat provider or webhook")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.address, "address", "", "path to either the git repository, chat provider or webhook")
-	createAlertProviderCmd.Flags().StringVar(&apSecretRef, "secret-ref", "", "name of secret containing authentication token")
+	createAlertProviderCmd.Flags().StringVar(&alertProviderArgs.secretRef, "secret-ref", "", "name of secret containing authentication token")
 	createCmd.AddCommand(createAlertProviderCmd)
 }
@@ -77,7 +78,7 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	if apType == "" {
+	if alertProviderArgs.alertType == "" {
 		return fmt.Errorf("Provider type is required")
 	}
@@ -86,38 +87,38 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Provider")
 	}
 	provider := notificationv1.Provider{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.ProviderSpec{
-			Type:     apType,
+			Type:     alertProviderArgs.alertType,
-			Channel:  apChannel,
+			Channel:  alertProviderArgs.channel,
-			Username: apUsername,
+			Username: alertProviderArgs.username,
-			Address:  apAddress,
+			Address:  alertProviderArgs.address,
 		},
 	}
-	if apSecretRef != "" {
+	if alertProviderArgs.secretRef != "" {
-		provider.Spec.SecretRef = &corev1.LocalObjectReference{
+		provider.Spec.SecretRef = &meta.LocalObjectReference{
-			Name: apSecretRef,
+			Name: alertProviderArgs.secretRef,
 		}
 	}
-	if export {
+	if createArgs.export {
-		return exportAlertProvider(provider)
+		return printExport(exportAlertProvider(&provider))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -129,7 +130,7 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for Provider reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isAlertProviderReady(ctx, kubeClient, namespacedName, &provider)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@@ -18,12 +18,14 @@ package main
 import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/transform"
 	"github.com/spf13/cobra"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -62,11 +64,12 @@ var createHelmReleaseCmd = &cobra.Command{
    --source=Bucket/podinfo \
    --chart=./charts/podinfo
-  # Create a HelmRelease with values from a local YAML file
+  # Create a HelmRelease with values from local YAML files
  flux create hr podinfo \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
-    --values=./my-values.yaml
+    --values=./my-values1.yaml \
    --values=./my-values2.yaml
  # Create a HelmRelease with values from a Kubernetes secret
  kubectl -n app create secret generic my-secret-values \
@@ -84,42 +87,54 @@ var createHelmReleaseCmd = &cobra.Command{
  # Create a HelmRelease targeting another namespace than the resource
  flux create hr podinfo \
-    --target-namespace=default \
+    --target-namespace=test \
    --create-target-namespace=true \
    --source=HelmRepository/podinfo \
    --chart=podinfo
  # Create a HelmRelease using a source from a different namespace
  flux create hr podinfo \
    --namespace=default \
    --source=HelmRepository/podinfo.flux-system \
    --chart=podinfo
  # Create a HelmRelease definition on disk without applying it on the cluster
  flux create hr podinfo \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --values=./values.yaml \
-    --export > podinfo-release.yaml
+    --export > podinfo-release.yaml`,
 `,
 	RunE: createHelmReleaseCmdRun,
 }
-var (
+type helmReleaseFlags struct {
-	hrName            string
+	name            string
-	hrSource          flags.HelmChartSource
+	source          flags.HelmChartSource
-	hrDependsOn       []string
+	dependsOn       []string
-	hrChart           string
+	chart           string
-	hrChartVersion    string
+	chartVersion    string
-	hrTargetNamespace string
+	targetNamespace string
-	hrValuesFile      string
+	createNamespace bool
-	hrValuesFrom      flags.HelmReleaseValuesFrom
+	valuesFiles     []string
-	hrSAName          string
+	valuesFrom      flags.HelmReleaseValuesFrom
-)
+	saName          string
 	crds            flags.CRDsPolicy
 }
 var helmReleaseArgs helmReleaseFlags
 func init() {
-	createHelmReleaseCmd.Flags().StringVar(&hrName, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
-	createHelmReleaseCmd.Flags().Var(&hrSource, "source", hrSource.Description())
+	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.source, "source", helmReleaseArgs.source.Description())
-	createHelmReleaseCmd.Flags().StringVar(&hrChart, "chart", "", "Helm chart name or path")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chart, "chart", "", "Helm chart name or path")
-	createHelmReleaseCmd.Flags().StringVar(&hrChartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
-	createHelmReleaseCmd.Flags().StringArrayVar(&hrDependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
+	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
-	createHelmReleaseCmd.Flags().StringVar(&hrTargetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
-	createHelmReleaseCmd.Flags().StringVar(&hrSAName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
+	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
-	createHelmReleaseCmd.Flags().StringVar(&hrValuesFile, "values", "", "local path to the values.yaml file")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
-	createHelmReleaseCmd.Flags().Var(&hrValuesFrom, "values-from", hrValuesFrom.Description())
+	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFiles, "values", nil, "local path to values.yaml files, also accepts comma-separated values")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.valuesFrom, "values-from", helmReleaseArgs.valuesFrom.Description())
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.crds, "crds", helmReleaseArgs.crds.Description())
 	createCmd.AddCommand(createHelmReleaseCmd)
 }
@@ -129,7 +144,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	if hrChart == "" {
+	if helmReleaseArgs.chart == "" {
 		return fmt.Errorf("chart name or path is required")
 	}
@@ -138,30 +153,32 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating HelmRelease")
 	}
 	helmRelease := helmv2.HelmRelease{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: helmv2.HelmReleaseSpec{
-			ReleaseName: hrName,
+			ReleaseName: helmReleaseArgs.name,
-			DependsOn:   utils.MakeDependsOn(hrDependsOn),
+			DependsOn:   utils.MakeDependsOn(helmReleaseArgs.dependsOn),
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
-			TargetNamespace: hrTargetNamespace,
+			TargetNamespace: helmReleaseArgs.targetNamespace,
 			Chart: helmv2.HelmChartTemplate{
 				Spec: helmv2.HelmChartTemplateSpec{
-					Chart:   hrChart,
+					Chart:   helmReleaseArgs.chart,
-					Version: hrChartVersion,
+					Version: helmReleaseArgs.chartVersion,
 					SourceRef: helmv2.CrossNamespaceObjectReference{
-						Kind: hrSource.Kind,
+						Kind:      helmReleaseArgs.source.Kind,
-						Name: hrSource.Name,
+						Name:      helmReleaseArgs.source.Name,
 						Namespace: helmReleaseArgs.source.Namespace,
 					},
 				},
 			},
@@ -169,39 +186,71 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
-	if hrSAName != "" {
+	if helmReleaseArgs.createNamespace {
-		helmRelease.Spec.ServiceAccountName = hrSAName
+		if helmRelease.Spec.Install == nil {
-	}
+			helmRelease.Spec.Install = &helmv2.Install{}
 	if hrValuesFile != "" {
 		data, err := ioutil.ReadFile(hrValuesFile)
 		if err != nil {
 			return fmt.Errorf("reading values from %s failed: %w", hrValuesFile, err)
 		}
-		json, err := yaml.YAMLToJSON(data)
+		helmRelease.Spec.Install.CreateNamespace = helmReleaseArgs.createNamespace
 		if err != nil {
 			return fmt.Errorf("converting values to JSON from %s failed: %w", hrValuesFile, err)
 		}
 		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: json}
 	}
-	if hrValuesFrom.String() != "" {
+	if helmReleaseArgs.saName != "" {
 		helmRelease.Spec.ServiceAccountName = helmReleaseArgs.saName
 	}
 	if helmReleaseArgs.crds != "" {
 		if helmRelease.Spec.Install == nil {
 			helmRelease.Spec.Install = &helmv2.Install{}
 		}
 		helmRelease.Spec.Install.CRDs = helmv2.Create
 		helmRelease.Spec.Upgrade = &helmv2.Upgrade{CRDs: helmv2.CRDsPolicy(helmReleaseArgs.crds.String())}
 	}
 	if len(helmReleaseArgs.valuesFiles) > 0 {
 		valuesMap := make(map[string]interface{})
 		for _, v := range helmReleaseArgs.valuesFiles {
 			data, err := os.ReadFile(v)
 			if err != nil {
 				return fmt.Errorf("reading values from %s failed: %w", v, err)
 			}
 			jsonBytes, err := yaml.YAMLToJSON(data)
 			if err != nil {
 				return fmt.Errorf("converting values to JSON from %s failed: %w", v, err)
 			}
 			jsonMap := make(map[string]interface{})
 			if err := json.Unmarshal(jsonBytes, &jsonMap); err != nil {
 				return fmt.Errorf("unmarshaling values from %s failed: %w", v, err)
 			}
 			valuesMap = transform.MergeMaps(valuesMap, jsonMap)
 		}
 		jsonRaw, err := json.Marshal(valuesMap)
 		if err != nil {
 			return fmt.Errorf("marshaling values failed: %w", err)
 		}
 		helmRelease.Spec.Values = &apiextensionsv1.JSON{Raw: jsonRaw}
 	}
 	if helmReleaseArgs.valuesFrom.String() != "" {
 		helmRelease.Spec.ValuesFrom = []helmv2.ValuesReference{{
-			Kind: hrValuesFrom.Kind,
+			Kind: helmReleaseArgs.valuesFrom.Kind,
-			Name: hrValuesFrom.Name,
+			Name: helmReleaseArgs.valuesFrom.Name,
 		}}
 	}
-	if export {
+	if createArgs.export {
-		return exportHelmRelease(helmRelease)
+		return printExport(exportHelmRelease(&helmRelease))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -213,7 +262,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for HelmRelease reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isHelmReleaseReady(ctx, kubeClient, namespacedName, &helmRelease)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_image.go
+++ b/cmd/flux/create_image.go
@@ -17,20 +17,17 @@ limitations under the License.
 package main
 import (
 	"strings"
 	"github.com/spf13/cobra"
 )
-const createImageLong = `
+const createImageLong = `The create image sub-commands work with image automation objects; that is,
 The create image sub-commands work with image automation objects; that is,
 object controlling updates to git based on e.g., new container images
 being available.`
 var createImageCmd = &cobra.Command{
 	Use:   "image",
 	Short: "Create or update resources dealing with image automation",
-	Long:  strings.TrimSpace(createImageLong),
+	Long:  createImageLong,
 }
 func init() {
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@@ -18,16 +18,21 @@ package main
 import (
 	"fmt"
 	"regexp/syntax"
 	"strings"
 	"unicode"
 	"unicode/utf8"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	"github.com/fluxcd/pkg/apis/meta"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var createImagePolicyCmd = &cobra.Command{
-	Use:   "policy <name>",
+	Use:   "policy [name]",
 	Short: "Create or update an ImagePolicy object",
 	Long: `The create image policy command generates an ImagePolicy resource.
 An ImagePolicy object calculates a "latest image" given an image
@@ -35,11 +40,27 @@ repository and a policy, e.g., semver.
 The image that sorts highest according to the policy is recorded in
 the status of the object.`,
 	Example: `  # Create an ImagePolicy to select the latest stable release
  flux create image policy podinfo \
    --image-ref=podinfo \
    --select-semver=">=1.0.0"
  # Create an ImagePolicy to select the latest main branch build tagged as "${GIT_BRANCH}-${GIT_SHA:0:7}-$(date +%s)"
  flux create image policy podinfo \
    --image-ref=podinfo \
    --select-numeric=asc \
 	--filter-regex='^main-[a-f0-9]+-(?P<ts>[0-9]+)' \
 	--filter-extract='$ts'`,
 	RunE: createImagePolicyRun}
 type imagePolicyFlags struct {
-	imageRef string
+	imageRef        string
-	semver   string
+	semver          string
 	alpha           string
 	numeric         string
 	filterRegex     string
 	filterExtract   string
 	filterNumerical string
 }
 var imagePolicyArgs = imagePolicyFlags{}
@@ -47,7 +68,11 @@ var imagePolicyArgs = imagePolicyFlags{}
 func init() {
 	flags := createImagePolicyCmd.Flags()
 	flags.StringVar(&imagePolicyArgs.imageRef, "image-ref", "", "the name of an image repository object")
-	flags.StringVar(&imagePolicyArgs.semver, "semver", "", "a semver range to apply to tags; e.g., '1.x'")
+	flags.StringVar(&imagePolicyArgs.semver, "select-semver", "", "a semver range to apply to tags; e.g., '1.x'")
 	flags.StringVar(&imagePolicyArgs.alpha, "select-alpha", "", "use alphabetical sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
 	flags.StringVar(&imagePolicyArgs.numeric, "select-numeric", "", "use numeric sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
 	flags.StringVar(&imagePolicyArgs.filterRegex, "filter-regex", "", "regular expression pattern used to filter the image tags")
 	flags.StringVar(&imagePolicyArgs.filterExtract, "filter-extract", "", "replacement pattern (using capture groups from --filter-regex) to use for sorting")
 	createImageCmd.AddCommand(createImagePolicyCmd)
 }
@@ -76,26 +101,63 @@ func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 	var policy = imagev1.ImagePolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    labels,
 		},
 		Spec: imagev1.ImagePolicySpec{
-			ImageRepositoryRef: corev1.LocalObjectReference{
+			ImageRepositoryRef: meta.NamespacedObjectReference{
 				Name: imagePolicyArgs.imageRef,
 			},
 		},
 	}
 	switch {
 	case imagePolicyArgs.semver != "" && imagePolicyArgs.alpha != "":
 	case imagePolicyArgs.semver != "" && imagePolicyArgs.numeric != "":
 	case imagePolicyArgs.alpha != "" && imagePolicyArgs.numeric != "":
 		return fmt.Errorf("only one of --select-semver, --select-alpha or --select-numeric can be specified")
 	case imagePolicyArgs.semver != "":
 		policy.Spec.Policy.SemVer = &imagev1.SemVerPolicy{
 			Range: imagePolicyArgs.semver,
 		}
 	case imagePolicyArgs.alpha != "":
 		if imagePolicyArgs.alpha != "desc" && imagePolicyArgs.alpha != "asc" {
 			return fmt.Errorf("--select-alpha must be one of [\"asc\", \"desc\"]")
 		}
 		policy.Spec.Policy.Alphabetical = &imagev1.AlphabeticalPolicy{
 			Order: imagePolicyArgs.alpha,
 		}
 	case imagePolicyArgs.numeric != "":
 		if imagePolicyArgs.numeric != "desc" && imagePolicyArgs.numeric != "asc" {
 			return fmt.Errorf("--select-numeric must be one of [\"asc\", \"desc\"]")
 		}
 		policy.Spec.Policy.Numerical = &imagev1.NumericalPolicy{
 			Order: imagePolicyArgs.numeric,
 		}
 	default:
-		return fmt.Errorf("a policy must be provided with --semver")
+		return fmt.Errorf("a policy must be provided with either --select-semver or --select-alpha")
 	}
-	if export {
+	if imagePolicyArgs.filterRegex != "" {
 		exp, err := syntax.Parse(imagePolicyArgs.filterRegex, syntax.Perl)
 		if err != nil {
 			return fmt.Errorf("--filter-regex is an invalid regex pattern")
 		}
 		policy.Spec.FilterTags = &imagev1.TagFilter{
 			Pattern: imagePolicyArgs.filterRegex,
 		}
 		if imagePolicyArgs.filterExtract != "" {
 			if err := validateExtractStr(imagePolicyArgs.filterExtract, exp.CapNames()); err != nil {
 				return err
 			}
 			policy.Spec.FilterTags.Extract = imagePolicyArgs.filterExtract
 		}
 	} else if imagePolicyArgs.filterExtract != "" {
 		return fmt.Errorf("cannot specify --filter-extract without specifying --filter-regex")
 	}
 	if createArgs.export {
 		return printExport(exportImagePolicy(&policy))
 	}
@@ -108,3 +170,94 @@ func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 	})
 	return err
 }
 // Performs a dry-run of the extract function in Regexp to validate the template
 func validateExtractStr(template string, capNames []string) error {
 	for len(template) > 0 {
 		i := strings.Index(template, "$")
 		if i < 0 {
 			return nil
 		}
 		template = template[i:]
 		if len(template) > 1 && template[1] == '$' {
 			template = template[2:]
 			continue
 		}
 		name, num, rest, ok := extract(template)
 		if !ok {
 			// Malformed extract string, assume user didn't want this
 			template = template[1:]
 			return fmt.Errorf("--filter-extract is malformed")
 		}
 		template = rest
 		if num >= 0 {
 			// we won't worry about numbers as we can't validate these
 			continue
 		} else {
 			found := false
 			for _, capName := range capNames {
 				if name == capName {
 					found = true
 				}
 			}
 			if !found {
 				return fmt.Errorf("capture group $%s used in --filter-extract not found in --filter-regex", name)
 			}
 		}
 	}
 	return nil
 }
 // extract method from the regexp package
 // returns the name or number of the value prepended by $
 func extract(str string) (name string, num int, rest string, ok bool) {
 	if len(str) < 2 || str[0] != '$' {
 		return
 	}
 	brace := false
 	if str[1] == '{' {
 		brace = true
 		str = str[2:]
 	} else {
 		str = str[1:]
 	}
 	i := 0
 	for i < len(str) {
 		rune, size := utf8.DecodeRuneInString(str[i:])
 		if !unicode.IsLetter(rune) && !unicode.IsDigit(rune) && rune != '_' {
 			break
 		}
 		i += size
 	}
 	if i == 0 {
 		// empty name is not okay
 		return
 	}
 	name = str[:i]
 	if brace {
 		if i >= len(str) || str[i] != '}' {
 			// missing closing brace
 			return
 		}
 		i++
 	}
 	// Parse number.
 	num = 0
 	for i := 0; i < len(name); i++ {
 		if name[i] < '0' || '9' < name[i] || num >= 1e8 {
 			num = -1
 			break
 		}
 		num = num*10 + int(name[i]) - '0'
 	}
 	// Disallow leading zeros.
 	if name[0] == '0' && len(name) > 1 {
 		num = -1
 	}
 	rest = str[i:]
 	ok = true
 	return
 }
--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@@ -22,24 +22,50 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	"github.com/fluxcd/pkg/apis/meta"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var createImageRepositoryCmd = &cobra.Command{
-	Use:   "repository <name>",
+	Use:   "repository [name]",
 	Short: "Create or update an ImageRepository object",
 	Long: `The create image repository command generates an ImageRepository resource.
 An ImageRepository object specifies an image repository to scan.`,
 	Example: `  # Create an ImageRepository object to scan the alpine image repository:
  flux create image repository alpine-repo --image alpine --interval 20m
  # Create an image repository that uses an image pull secret (assumed to
  # have been created already):
  flux create image repository myapp-repo \
    --secret-ref image-pull \
    --image ghcr.io/example.com/myapp --interval 5m
  # Create a TLS secret for a local image registry using a self-signed
  # host certificate, and use it to scan an image. ca.pem is a file
  # containing the CA certificate used to sign the host certificate.
  flux create secret tls local-registry-cert --ca-file ./ca.pem
  flux create image repository app-repo \
    --cert-secret-ref local-registry-cert \
    --image local-registry:5000/app --interval 5m
  # Create a TLS secret with a client certificate and key, and use it
  # to scan a private image registry.
  flux create secret tls client-cert \
    --cert-file client.crt --key-file client.key
  flux create image repository app-repo \
    --cert-secret-ref client-cert \
    --image registry.example.com/private/app --interval 5m`,
 	RunE: createImageRepositoryRun,
 }
 type imageRepoFlags struct {
-	image     string
+	image         string
-	secretRef string
+	secretRef     string
-	timeout   time.Duration
+	certSecretRef string
 	timeout       time.Duration
 }
 var imageRepoArgs = imageRepoFlags{}
@@ -48,6 +74,7 @@ func init() {
 	flags := createImageRepositoryCmd.Flags()
 	flags.StringVar(&imageRepoArgs.image, "image", "", "the image repository to scan; e.g., library/alpine")
 	flags.StringVar(&imageRepoArgs.secretRef, "secret-ref", "", "the name of a docker-registry secret to use for credentials")
 	flags.StringVar(&imageRepoArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
 	// NB there is already a --timeout in the global flags, for
 	// controlling timeout on operations while e.g., creating objects.
 	flags.DurationVar(&imageRepoArgs.timeout, "scan-timeout", 0, "a timeout for scanning; this defaults to the interval if not set")
@@ -77,24 +104,29 @@ func createImageRepositoryRun(cmd *cobra.Command, args []string) error {
 	var repo = imagev1.ImageRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    labels,
 		},
 		Spec: imagev1.ImageRepositorySpec{
 			Image:    imageRepoArgs.image,
-			Interval: metav1.Duration{Duration: interval},
+			Interval: metav1.Duration{Duration: createArgs.interval},
 		},
 	}
 	if imageRepoArgs.timeout != 0 {
 		repo.Spec.Timeout = &metav1.Duration{Duration: imageRepoArgs.timeout}
 	}
 	if imageRepoArgs.secretRef != "" {
-		repo.Spec.SecretRef = &corev1.LocalObjectReference{
+		repo.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: imageRepoArgs.secretRef,
 		}
 	}
 	if imageRepoArgs.certSecretRef != "" {
 		repo.Spec.CertSecretRef = &meta.LocalObjectReference{
 			Name: imageRepoArgs.certSecretRef,
 		}
 	}
-	if export {
+	if createArgs.export {
 		return printExport(exportImageRepository(&repo))
 	}
--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@@ -0,0 +1,165 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Create or update an ImageUpdateAutomation object",
 	Long: `The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
 mentioned in YAMLs in a git repository.`,
 	Example: `  # Configure image updates for the main repository created by flux bootstrap
  flux create image update flux-system \
    --git-repo-ref=flux-system \
    --git-repo-path="./clusters/my-cluster" \
    --checkout-branch=main \
    --author-name=flux \
    --author-email=flux@example.com \
    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"
  # Configure image updates to push changes to a different branch, if the branch doesn't exists it will be created
  flux create image update flux-system \
    --git-repo-ref=flux-system \
    --git-repo-path="./clusters/my-cluster" \
    --checkout-branch=main \
    --push-branch=image-updates \
    --author-name=flux \
    --author-email=flux@example.com \
    --commit-template="{{range .Updated.Images}}{{println .}}{{end}}"`,
 	RunE: createImageUpdateRun,
 }
 type imageUpdateFlags struct {
 	gitRepoRef     string
 	gitRepoPath    string
 	checkoutBranch string
 	pushBranch     string
 	commitTemplate string
 	authorName     string
 	authorEmail    string
 }
 var imageUpdateArgs = imageUpdateFlags{}
 func init() {
 	flags := createImageUpdateCmd.Flags()
 	flags.StringVar(&imageUpdateArgs.gitRepoRef, "git-repo-ref", "", "the name of a GitRepository resource with details of the upstream Git repository")
 	flags.StringVar(&imageUpdateArgs.gitRepoPath, "git-repo-path", "", "path to the directory containing the manifests to be updated, defaults to the repository root")
 	flags.StringVar(&imageUpdateArgs.checkoutBranch, "checkout-branch", "", "the branch to checkout")
 	flags.StringVar(&imageUpdateArgs.pushBranch, "push-branch", "", "the branch to push commits to, defaults to the checkout branch if not specified")
 	flags.StringVar(&imageUpdateArgs.commitTemplate, "commit-template", "", "a template for commit messages")
 	flags.StringVar(&imageUpdateArgs.authorName, "author-name", "", "the name to use for commit author")
 	flags.StringVar(&imageUpdateArgs.authorEmail, "author-email", "", "the email to use for commit author")
 	createImageCmd.AddCommand(createImageUpdateCmd)
 }
 func createImageUpdateRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("ImageUpdateAutomation name is required")
 	}
 	objectName := args[0]
 	if imageUpdateArgs.gitRepoRef == "" {
 		return fmt.Errorf("a reference to a GitRepository is required (--git-repo-ref)")
 	}
 	if imageUpdateArgs.checkoutBranch == "" {
 		return fmt.Errorf("the Git repository branch is required (--checkout-branch)")
 	}
 	if imageUpdateArgs.authorName == "" {
 		return fmt.Errorf("the author name is required (--author-name)")
 	}
 	if imageUpdateArgs.authorEmail == "" {
 		return fmt.Errorf("the author email is required (--author-email)")
 	}
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	var update = autov1.ImageUpdateAutomation{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    labels,
 		},
 		Spec: autov1.ImageUpdateAutomationSpec{
 			SourceRef: autov1.SourceReference{
 				Kind: sourcev1.GitRepositoryKind,
 				Name: imageUpdateArgs.gitRepoRef,
 			},
 			GitSpec: &autov1.GitSpec{
 				Checkout: &autov1.GitCheckoutSpec{
 					Reference: sourcev1.GitRepositoryRef{
 						Branch: imageUpdateArgs.checkoutBranch,
 					},
 				},
 				Commit: autov1.CommitSpec{
 					Author: autov1.CommitUser{
 						Name:  imageUpdateArgs.authorName,
 						Email: imageUpdateArgs.authorEmail,
 					},
 					MessageTemplate: imageUpdateArgs.commitTemplate,
 				},
 			},
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
 		},
 	}
 	if imageUpdateArgs.pushBranch != "" {
 		update.Spec.GitSpec.Push = &autov1.PushSpec{
 			Branch: imageUpdateArgs.pushBranch,
 		}
 	}
 	if imageUpdateArgs.gitRepoPath != "" {
 		update.Spec.Update = &autov1.UpdateStrategy{
 			Path:     imageUpdateArgs.gitRepoPath,
 			Strategy: autov1.UpdateStrategySetters,
 		}
 	}
 	if createArgs.export {
 		return printExport(exportImageUpdate(&update))
 	}
 	var existing autov1.ImageUpdateAutomation
 	copyName(&existing, &update)
 	err = imageUpdateAutomationType.upsertAndWait(imageUpdateAutomationAdapter{&existing}, func() error {
 		existing.Spec = update.Spec
 		existing.Labels = update.Labels
 		return nil
 	})
 	return err
 }
--- a/cmd/flux/create_image_updateauto.go
+++ b/cmd/flux/create_image_updateauto.go
@@ -1,113 +0,0 @@
 /*
 Copyright 2020 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
 )
 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update <name>",
 	Short: "Create or update an ImageUpdateAutomation object",
 	Long: `The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
 mentioned in YAMLs in a git repository.`,
 	RunE: createImageUpdateRun,
 }
 type imageUpdateFlags struct {
 	// git checkout spec
 	gitRepoRef string
 	branch     string
 	// commit spec
 	commitTemplate string
 	authorName     string
 	authorEmail    string
 }
 var imageUpdateArgs = imageUpdateFlags{}
 func init() {
 	flags := createImageUpdateCmd.Flags()
 	flags.StringVar(&imageUpdateArgs.gitRepoRef, "git-repo-ref", "", "the name of a GitRepository resource with details of the upstream git repository")
 	flags.StringVar(&imageUpdateArgs.branch, "branch", "", "the branch to push commits to")
 	flags.StringVar(&imageUpdateArgs.commitTemplate, "commit-template", "", "a template for commit messages")
 	flags.StringVar(&imageUpdateArgs.authorName, "author-name", "", "the name to use for commit author")
 	flags.StringVar(&imageUpdateArgs.authorEmail, "author-email", "", "the email to use for commit author")
 	createImageCmd.AddCommand(createImageUpdateCmd)
 }
 func createImageUpdateRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("ImageUpdateAutomation name is required")
 	}
 	objectName := args[0]
 	if imageUpdateArgs.gitRepoRef == "" {
 		return fmt.Errorf("a reference to a GitRepository is required (--git-repo-ref)")
 	}
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	var update = autov1.ImageUpdateAutomation{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
 			Namespace: namespace,
 			Labels:    labels,
 		},
 		Spec: autov1.ImageUpdateAutomationSpec{
 			Checkout: autov1.GitCheckoutSpec{
 				GitRepositoryRef: corev1.LocalObjectReference{
 					Name: imageUpdateArgs.gitRepoRef,
 				},
 				Branch: imageUpdateArgs.branch,
 			},
 			Interval: metav1.Duration{Duration: interval},
 			Update: autov1.UpdateStrategy{
 				Setters: &autov1.SettersStrategy{},
 			},
 			Commit: autov1.CommitSpec{
 				AuthorName:      imageUpdateArgs.authorName,
 				AuthorEmail:     imageUpdateArgs.authorEmail,
 				MessageTemplate: imageUpdateArgs.commitTemplate,
 			},
 		},
 	}
 	if export {
 		return printExport(exportImageUpdate(&update))
 	}
 	var existing autov1.ImageUpdateAutomation
 	copyName(&existing, &update)
 	err = imageUpdateAutomationType.upsertAndWait(imageUpdateAutomationAdapter{&existing}, func() error {
 		existing.Spec = update.Spec
 		existing.Labels = update.Labels
 		return nil
 	})
 	return err
 }
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@@ -23,7 +23,6 @@ import (
 	"time"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,11 +30,12 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 )
 var createKsCmd = &cobra.Command{
@@ -45,11 +45,10 @@ var createKsCmd = &cobra.Command{
 	Long:    "The kustomization source create command generates a Kustomize resource for a given source.",
 	Example: `  # Create a Kustomization resource from a source at a given path
  flux create kustomization contour \
-    --source=contour \
+    --source=GitRepository/contour \
    --path="./examples/contour/" \
    --prune=true \
    --interval=10m \
    --validation=client \
    --health-check="Deployment/contour.projectcontour" \
    --health-check="DaemonSet/envoy.projectcontour" \
    --health-check-timeout=3m
@@ -57,68 +56,86 @@ var createKsCmd = &cobra.Command{
  # Create a Kustomization resource that depends on the previous one
  flux create kustomization webapp \
    --depends-on=contour \
-    --source=webapp \
+    --source=GitRepository/webapp \
    --path="./deploy/overlays/dev" \
    --prune=true \
-    --interval=5m \
+    --interval=5m
-    --validation=client
+
  # Create a Kustomization using a source from a different namespace
  flux create kustomization podinfo \
    --namespace=default \
    --source=GitRepository/podinfo.flux-system \
    --path="./deploy/overlays/dev" \
    --prune=true \
    --interval=5m
  # Create a Kustomization resource that references a Bucket
  flux create kustomization secrets \
    --source=Bucket/secrets \
    --prune=true \
-    --interval=5m
+    --interval=5m`,
 `,
 	RunE: createKsCmdRun,
 }
-var (
+type kustomizationFlags struct {
-	ksSource             flags.KustomizationSource
+	source             flags.KustomizationSource
-	ksPath               flags.SafeRelativePath = "./"
+	path               flags.SafeRelativePath
-	ksPrune              bool
+	prune              bool
-	ksDependsOn          []string
+	dependsOn          []string
-	ksValidation         string
+	validation         string
-	ksHealthCheck        []string
+	healthCheck        []string
-	ksHealthTimeout      time.Duration
+	healthTimeout      time.Duration
-	ksSAName             string
+	saName             string
-	ksDecryptionProvider flags.DecryptionProvider
+	decryptionProvider flags.DecryptionProvider
-	ksDecryptionSecret   string
+	decryptionSecret   string
-	ksTargetNamespace    string
+	targetNamespace    string
-)
+	wait               bool
 }
 var kustomizationArgs = NewKustomizationFlags()
 func init() {
-	createKsCmd.Flags().Var(&ksSource, "source", ksSource.Description())
+	createKsCmd.Flags().Var(&kustomizationArgs.source, "source", kustomizationArgs.source.Description())
-	createKsCmd.Flags().Var(&ksPath, "path", "path to the directory containing a kustomization.yaml file")
+	createKsCmd.Flags().Var(&kustomizationArgs.path, "path", "path to the directory containing a kustomization.yaml file")
-	createKsCmd.Flags().BoolVar(&ksPrune, "prune", false, "enable garbage collection")
+	createKsCmd.Flags().BoolVar(&kustomizationArgs.prune, "prune", false, "enable garbage collection")
-	createKsCmd.Flags().StringArrayVar(&ksHealthCheck, "health-check", nil, "workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'")
+	createKsCmd.Flags().BoolVar(&kustomizationArgs.wait, "wait", false, "enable health checking of all the applied resources")
-	createKsCmd.Flags().DurationVar(&ksHealthTimeout, "health-check-timeout", 2*time.Minute, "timeout of health checking operations")
+	createKsCmd.Flags().StringSliceVar(&kustomizationArgs.healthCheck, "health-check", nil, "workload to be included in the health assessment, in the format '<kind>/<name>.<namespace>'")
-	createKsCmd.Flags().StringVar(&ksValidation, "validation", "", "validate the manifests before applying them on the cluster, can be 'client' or 'server'")
+	createKsCmd.Flags().DurationVar(&kustomizationArgs.healthTimeout, "health-check-timeout", 2*time.Minute, "timeout of health checking operations")
-	createKsCmd.Flags().StringArrayVar(&ksDependsOn, "depends-on", nil, "Kustomization that must be ready before this Kustomization can be applied, supported formats '<name>' and '<namespace>/<name>'")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.validation, "validation", "", "validate the manifests before applying them on the cluster, can be 'client' or 'server'")
-	createKsCmd.Flags().StringVar(&ksSAName, "service-account", "", "the name of the service account to impersonate when reconciling this Kustomization")
+	createKsCmd.Flags().StringSliceVar(&kustomizationArgs.dependsOn, "depends-on", nil, "Kustomization that must be ready before this Kustomization can be applied, supported formats '<name>' and '<namespace>/<name>', also accepts comma-separated values")
-	createKsCmd.Flags().Var(&ksDecryptionProvider, "decryption-provider", ksDecryptionProvider.Description())
+	createKsCmd.Flags().StringVar(&kustomizationArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this Kustomization")
-	createKsCmd.Flags().StringVar(&ksDecryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
+	createKsCmd.Flags().Var(&kustomizationArgs.decryptionProvider, "decryption-provider", kustomizationArgs.decryptionProvider.Description())
-	createKsCmd.Flags().StringVar(&ksTargetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
+	createKsCmd.Flags().StringVar(&kustomizationArgs.decryptionSecret, "decryption-secret", "", "set the Kubernetes secret name that contains the OpenPGP private keys used for sops decryption")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.targetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
 	createKsCmd.Flags().MarkDeprecated("validation", "this arg is no longer used, all resources are validated using server-side apply dry-run")
 	createCmd.AddCommand(createKsCmd)
 }
 func NewKustomizationFlags() kustomizationFlags {
 	return kustomizationFlags{
 		path: "./",
 	}
 }
 func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("Kustomization name is required")
 	}
 	name := args[0]
-	if ksPath == "" {
+	if kustomizationArgs.path == "" {
 		return fmt.Errorf("path is required")
 	}
-	if !strings.HasPrefix(ksPath.String(), "./") {
+	if !strings.HasPrefix(kustomizationArgs.path.String(), "./") {
 		return fmt.Errorf("path must begin with ./")
 	}
-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Kustomization")
 	}
-	ksLabels, err := parseLabels()
+	kslabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
@@ -126,29 +143,29 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	kustomization := kustomizev1.Kustomization{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
-			Labels:    ksLabels,
+			Labels:    kslabels,
 		},
 		Spec: kustomizev1.KustomizationSpec{
-			DependsOn: utils.MakeDependsOn(ksDependsOn),
+			DependsOn: utils.MakeDependsOn(kustomizationArgs.dependsOn),
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
-			Path:  ksPath.String(),
+			Path:  kustomizationArgs.path.ToSlash(),
-			Prune: ksPrune,
+			Prune: kustomizationArgs.prune,
 			SourceRef: kustomizev1.CrossNamespaceSourceReference{
-				Kind: ksSource.Kind,
+				Kind:      kustomizationArgs.source.Kind,
-				Name: ksSource.Name,
+				Name:      kustomizationArgs.source.Name,
 				Namespace: kustomizationArgs.source.Namespace,
 			},
 			Suspend:         false,
-			Validation:      ksValidation,
+			TargetNamespace: kustomizationArgs.targetNamespace,
 			TargetNamespace: ksTargetNamespace,
 		},
 	}
-	if len(ksHealthCheck) > 0 {
+	if len(kustomizationArgs.healthCheck) > 0 && !kustomizationArgs.wait {
-		healthChecks := make([]kustomizev1.CrossNamespaceObjectReference, 0)
+		healthChecks := make([]meta.NamespacedObjectKindReference, 0)
-		for _, w := range ksHealthCheck {
+		for _, w := range kustomizationArgs.healthCheck {
 			kindObj := strings.Split(w, "/")
 			if len(kindObj) != 2 {
 				return fmt.Errorf("invalid health check '%s' must be in the format 'kind/name.namespace' %v", w, kindObj)
@@ -170,7 +187,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 				return fmt.Errorf("invalid health check '%s' must be in the format 'kind/name.namespace'", w)
 			}
-			check := kustomizev1.CrossNamespaceObjectReference{
+			check := meta.NamespacedObjectKindReference{
 				Kind:      kind,
 				Name:      nameNs[0],
 				Namespace: nameNs[1],
@@ -183,32 +200,39 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		kustomization.Spec.HealthChecks = healthChecks
 		kustomization.Spec.Timeout = &metav1.Duration{
-			Duration: ksHealthTimeout,
+			Duration: kustomizationArgs.healthTimeout,
 		}
 	}
-	if ksSAName != "" {
+	if kustomizationArgs.wait {
-		kustomization.Spec.ServiceAccountName = ksSAName
+		kustomization.Spec.Wait = true
 		kustomization.Spec.Timeout = &metav1.Duration{
 			Duration: kustomizationArgs.healthTimeout,
 		}
 	}
-	if ksDecryptionProvider != "" {
+	if kustomizationArgs.saName != "" {
 		kustomization.Spec.ServiceAccountName = kustomizationArgs.saName
 	}
 	if kustomizationArgs.decryptionProvider != "" {
 		kustomization.Spec.Decryption = &kustomizev1.Decryption{
-			Provider: ksDecryptionProvider.String(),
+			Provider: kustomizationArgs.decryptionProvider.String(),
 		}
-		if ksDecryptionSecret != "" {
+		if kustomizationArgs.decryptionSecret != "" {
-			kustomization.Spec.Decryption.SecretRef = &corev1.LocalObjectReference{Name: ksDecryptionSecret}
+			kustomization.Spec.Decryption.SecretRef = &meta.LocalObjectReference{Name: kustomizationArgs.decryptionSecret}
 		}
 	}
-	if export {
+	if createArgs.export {
-		return exportKs(kustomization)
+		return printExport(exportKs(&kustomization))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -220,7 +244,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for Kustomization reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isKustomizationReady(ctx, kubeClient, namespacedName, &kustomization)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_receiver.go
+++ b/cmd/flux/create_receiver.go
@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -29,9 +28,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
 )
 var createReceiverCmd = &cobra.Command{
@@ -45,23 +45,24 @@ var createReceiverCmd = &cobra.Command{
 	--event push \
 	--secret-ref webhook-token \
 	--resource GitRepository/webapp \
-	--resource HelmRepository/webapp
+	--resource HelmRepository/webapp`,
 `,
 	RunE: createReceiverCmdRun,
 }
-var (
+type receiverFlags struct {
-	rcvType      string
+	receiverType string
-	rcvSecretRef string
+	secretRef    string
-	rcvEvents    []string
+	events       []string
-	rcvResources []string
+	resources    []string
-)
+}
 var receiverArgs receiverFlags
 func init() {
-	createReceiverCmd.Flags().StringVar(&rcvType, "type", "", "")
+	createReceiverCmd.Flags().StringVar(&receiverArgs.receiverType, "type", "", "")
-	createReceiverCmd.Flags().StringVar(&rcvSecretRef, "secret-ref", "", "")
+	createReceiverCmd.Flags().StringVar(&receiverArgs.secretRef, "secret-ref", "", "")
-	createReceiverCmd.Flags().StringArrayVar(&rcvEvents, "event", []string{}, "")
+	createReceiverCmd.Flags().StringSliceVar(&receiverArgs.events, "event", []string{}, "also accepts comma-separated values")
-	createReceiverCmd.Flags().StringArrayVar(&rcvResources, "resource", []string{}, "")
+	createReceiverCmd.Flags().StringSliceVar(&receiverArgs.resources, "resource", []string{}, "also accepts comma-separated values")
 	createCmd.AddCommand(createReceiverCmd)
 }
@@ -71,16 +72,16 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	if rcvType == "" {
+	if receiverArgs.receiverType == "" {
 		return fmt.Errorf("Receiver type is required")
 	}
-	if rcvSecretRef == "" {
+	if receiverArgs.secretRef == "" {
 		return fmt.Errorf("secret ref is required")
 	}
 	resources := []notificationv1.CrossNamespaceObjectReference{}
-	for _, resource := range rcvResources {
+	for _, resource := range receiverArgs.resources {
 		kind, name := utils.ParseObjectKindName(resource)
 		if kind == "" {
 			return fmt.Errorf("invalid event source '%s', must be in format <kind>/<name>", resource)
@@ -101,35 +102,35 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	if !export {
+	if !createArgs.export {
 		logger.Generatef("generating Receiver")
 	}
 	receiver := notificationv1.Receiver{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.ReceiverSpec{
-			Type:      rcvType,
+			Type:      receiverArgs.receiverType,
-			Events:    rcvEvents,
+			Events:    receiverArgs.events,
 			Resources: resources,
-			SecretRef: corev1.LocalObjectReference{
+			SecretRef: meta.LocalObjectReference{
-				Name: rcvSecretRef,
+				Name: receiverArgs.secretRef,
 			},
 			Suspend: false,
 		},
 	}
-	if export {
+	if createArgs.export {
-		return exportReceiver(receiver)
+		return printExport(exportReceiver(&receiver))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
@@ -141,7 +142,7 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for Receiver reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isReceiverReady(ctx, kubeClient, namespacedName, &receiver)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret.go
+++ b/cmd/flux/create_secret.go
@@ -18,15 +18,12 @@ package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 )
 var createSecretCmd = &cobra.Command{
@@ -64,19 +61,3 @@ func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.S
 	}
 	return nil
 }
 func exportSecret(secret corev1.Secret) error {
 	secret.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",
 		Kind:       "Secret",
 	}
 	data, err := yaml.Marshal(secret)
 	if err != nil {
 		return err
 	}
 	fmt.Println("---")
 	fmt.Println(resourceToString(data))
 	return nil
 }
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -21,22 +21,20 @@ import (
 	"crypto/elliptic"
 	"fmt"
 	"net/url"
 	"time"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/pkg/ssh"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 var createSecretGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Create or update a Kubernetes secret for Git authentication",
-	Long: `
+	Long: `The create secret git command generates a Kubernetes secret with Git credentials.
 The create secret git command generates a Kubernetes secret with Git credentials.
 For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
 For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
 	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
@@ -46,161 +44,146 @@ For Git over HTTP/S, the provided basic authentication credentials are stored in
    --ssh-key-algorithm=ecdsa \
    --ssh-ecdsa-curve=p521
  # Create a Git SSH authentication secret with a passwordless private key from file
  # The public SSH host key will still be gathered from the host
  flux create secret git podinfo-auth \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --private-key-file=./private.key
  # Create a Git SSH authentication secret with a passworded private key from file
  # The public SSH host key will still be gathered from the host
  flux create secret git podinfo-auth \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --private-key-file=./private.key \
    --password=<password>
  # Create a secret for a Git repository using basic authentication
  flux create secret git podinfo-auth \
    --url=https://github.com/stefanprodan/podinfo \
    --username=username \
    --password=password
-  # Create a Git SSH secret on disk and print the deploy key
+  # Create a Git SSH secret on disk
  flux create secret git podinfo-auth \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --export > podinfo-auth.yaml
-  yq read podinfo-auth.yaml 'data."identity.pub"' | base64 --decode
+  # Print the deploy key
-
+  yq eval '.stringData."identity.pub"' podinfo-auth.yaml
  # Create a Git SSH secret on disk and encrypt it with Mozilla SOPS
  flux create secret git podinfo-auth \
    --namespace=apps \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --export > podinfo-auth.yaml
  # Encrypt the secret on disk with Mozilla SOPS
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
-    --in-place podinfo-auth.yaml
+    --in-place podinfo-auth.yaml`,
 `,
 	RunE: createSecretGitCmdRun,
 }
-var (
+type secretGitFlags struct {
-	secretGitURL          string
+	url            string
-	secretGitUsername     string
+	username       string
-	secretGitPassword     string
+	password       string
-	secretGitKeyAlgorithm flags.PublicKeyAlgorithm = "rsa"
+	keyAlgorithm   flags.PublicKeyAlgorithm
-	secretGitRSABits      flags.RSAKeyBits         = 2048
+	rsaBits        flags.RSAKeyBits
-	secretGitECDSACurve                            = flags.ECDSACurve{Curve: elliptic.P384()}
+	ecdsaCurve     flags.ECDSACurve
-)
+	caFile         string
 	privateKeyFile string
 }
 var secretGitArgs = NewSecretGitFlags()
 func init() {
-	createSecretGitCmd.Flags().StringVar(&secretGitURL, "url", "", "git address, e.g. ssh://git@host/org/repository")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.url, "url", "", "git address, e.g. ssh://git@host/org/repository")
-	createSecretGitCmd.Flags().StringVarP(&secretGitUsername, "username", "u", "", "basic authentication username")
+	createSecretGitCmd.Flags().StringVarP(&secretGitArgs.username, "username", "u", "", "basic authentication username")
-	createSecretGitCmd.Flags().StringVarP(&secretGitPassword, "password", "p", "", "basic authentication password")
+	createSecretGitCmd.Flags().StringVarP(&secretGitArgs.password, "password", "p", "", "basic authentication password")
-	createSecretGitCmd.Flags().Var(&secretGitKeyAlgorithm, "ssh-key-algorithm", secretGitKeyAlgorithm.Description())
+	createSecretGitCmd.Flags().Var(&secretGitArgs.keyAlgorithm, "ssh-key-algorithm", secretGitArgs.keyAlgorithm.Description())
-	createSecretGitCmd.Flags().Var(&secretGitRSABits, "ssh-rsa-bits", secretGitRSABits.Description())
+	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
-	createSecretGitCmd.Flags().Var(&secretGitECDSACurve, "ssh-ecdsa-curve", secretGitECDSACurve.Description())
+	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSecretCmd.AddCommand(createSecretGitCmd)
 }
 func NewSecretGitFlags() secretGitFlags {
 	return secretGitFlags{
 		keyAlgorithm: flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		rsaBits:      2048,
 		ecdsaCurve:   flags.ECDSACurve{Curve: elliptic.P384()},
 	}
 }
 func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("secret name is required")
 	}
 	name := args[0]
-
+	if secretGitArgs.url == "" {
 	if secretGitURL == "" {
 		return fmt.Errorf("url is required")
 	}
-	u, err := url.Parse(secretGitURL)
+	u, err := url.Parse(secretGitArgs.url)
 	if err != nil {
 		return fmt.Errorf("git URL parse failed: %w", err)
 	}
-	secretLabels, err := parseLabels()
+	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	opts := sourcesecret.Options{
-	defer cancel()
+		Name:         name,
-
+		Namespace:    *kubeconfigArgs.Namespace,
-	secret := corev1.Secret{
+		Labels:       labels,
-		ObjectMeta: metav1.ObjectMeta{
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 			Name:      name,
 			Namespace: namespace,
 			Labels:    secretLabels,
 		},
 	}
 	switch u.Scheme {
 	case "ssh":
-		pair, err := generateKeyPair(ctx, secretGitKeyAlgorithm, secretGitRSABits, secretGitECDSACurve)
+		opts.SSHHostname = u.Host
-		if err != nil {
+		opts.PrivateKeyPath = secretGitArgs.privateKeyFile
-			return err
+		opts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(secretGitArgs.keyAlgorithm)
-		}
+		opts.RSAKeyBits = int(secretGitArgs.rsaBits)
-
+		opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
-		hostKey, err := scanHostKey(ctx, u)
+		opts.Password = secretGitArgs.password
 		if err != nil {
 			return err
 		}
 		secret.Data = map[string][]byte{
 			"identity":     pair.PrivateKey,
 			"identity.pub": pair.PublicKey,
 			"known_hosts":  hostKey,
 		}
 		if !export {
 			logger.Generatef("deploy key: %s", string(pair.PublicKey))
 		}
 	case "http", "https":
-		if secretGitUsername == "" || secretGitPassword == "" {
+		if secretGitArgs.username == "" || secretGitArgs.password == "" {
 			return fmt.Errorf("for Git over HTTP/S the username and password are required")
 		}
-
+		opts.Username = secretGitArgs.username
-		// TODO: add cert data when it's implemented in source-controller
+		opts.Password = secretGitArgs.password
-		secret.Data = map[string][]byte{
+		opts.CAFilePath = secretGitArgs.caFile
 			"username": []byte(secretGitUsername),
 			"password": []byte(secretGitPassword),
 		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
-	if export {
+	secret, err := sourcesecret.Generate(opts)
 		return exportSecret(secret)
 	}
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
-	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
-	logger.Actionf("secret '%s' created in '%s' namespace", name, namespace)
+
 	if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
 		logger.Generatef("deploy key: %s", ppk)
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("git secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }
 func generateKeyPair(ctx context.Context, alg flags.PublicKeyAlgorithm, rsa flags.RSAKeyBits, ecdsa flags.ECDSACurve) (*ssh.KeyPair, error) {
 	var keyGen ssh.KeyPairGenerator
 	switch algorithm := alg.String(); algorithm {
 	case "rsa":
 		keyGen = ssh.NewRSAGenerator(int(rsa))
 	case "ecdsa":
 		keyGen = ssh.NewECDSAGenerator(ecdsa.Curve)
 	case "ed25519":
 		keyGen = ssh.NewEd25519Generator()
 	default:
 		return nil, fmt.Errorf("unsupported public key algorithm: %s", algorithm)
 	}
 	pair, err := keyGen.Generate()
 	if err != nil {
 		return nil, fmt.Errorf("key pair generation failed, error: %w", err)
 	}
 	return pair, nil
 }
 func scanHostKey(ctx context.Context, url *url.URL) ([]byte, error) {
 	host := url.Host
 	if url.Port() == "" {
 		host = host + ":22"
 	}
 	hostKey, err := ssh.ScanHostKey(host, 30*time.Second)
 	if err != nil {
 		return nil, fmt.Errorf("SSH key scan for host %s failed, error: %w", host, err)
 	}
 	return hostKey, nil
 }
--- a/cmd/flux/create_secret_git_test.go
+++ b/cmd/flux/create_secret_git_test.go
@@ -0,0 +1,44 @@
 package main
 import (
 	"testing"
 )
 func TestCreateGitSecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "no args",
 			args:   "create secret git",
 			assert: assertError("secret name is required"),
 		},
 		{
 			name:   "basic secret",
 			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=my-username --password=my-password --namespace=my-namespace --export",
 			assert: assertGoldenFile("./testdata/create_secret/git/secret-git-basic.yaml"),
 		},
 		{
 			name:   "ssh key",
 			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa.private --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret.yaml"),
 		},
 		{
 			name:   "ssh key with password",
 			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@@ -19,22 +19,20 @@ package main
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 var createSecretHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a Kubernetes secret for Helm repository authentication",
-	Long: `
+	Long:  `The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
-The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
+	Example: ` # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
 	Example: `    # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret helm repo-auth \
    --namespace=my-namespace \
    --username=my-username \
@@ -44,32 +42,28 @@ The create secret helm command generates a Kubernetes secret with basic authenti
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place repo-auth.yaml
-  # Create an authentication secret using a custom TLS cert
+  # Create a Helm authentication secret using a custom TLS cert
  flux create secret helm repo-auth \
    --username=username \
    --password=password \
    --cert-file=./cert.crt \
    --key-file=./key.crt \
-    --ca-file=./ca.crt
+    --ca-file=./ca.crt`,
 `,
 	RunE: createSecretHelmCmdRun,
 }
-var (
+type secretHelmFlags struct {
-	secretHelmUsername string
+	username string
-	secretHelmPassword string
+	password string
-	secretHelmCertFile string
+	secretTLSFlags
-	secretHelmKeyFile  string
+}
-	secretHelmCAFile   string
+
-)
+var secretHelmArgs secretHelmFlags
 func init() {
-	createSecretHelmCmd.Flags().StringVarP(&secretHelmUsername, "username", "u", "", "basic authentication username")
+	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
-	createSecretHelmCmd.Flags().StringVarP(&secretHelmPassword, "password", "p", "", "basic authentication password")
+	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
-	createSecretHelmCmd.Flags().StringVar(&secretHelmCertFile, "cert-file", "", "TLS authentication cert file path")
+	initSecretTLSFlags(createSecretHelmCmd.Flags(), &secretHelmArgs.secretTLSFlags)
 	createSecretHelmCmd.Flags().StringVar(&secretHelmKeyFile, "key-file", "", "TLS authentication key file path")
 	createSecretHelmCmd.Flags().StringVar(&secretHelmCAFile, "ca-file", "", "TLS authentication CA file path")
 	createSecretCmd.AddCommand(createSecretHelmCmd)
 }
@@ -79,63 +73,45 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	secretLabels, err := parseLabels()
+	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
-	secret := corev1.Secret{
+	opts := sourcesecret.Options{
-		ObjectMeta: metav1.ObjectMeta{
+		Name:         name,
-			Name:      name,
+		Namespace:    *kubeconfigArgs.Namespace,
-			Namespace: namespace,
+		Labels:       labels,
-			Labels:    secretLabels,
+		Username:     secretHelmArgs.username,
-		},
+		Password:     secretHelmArgs.password,
-		StringData: map[string]string{},
+		CAFilePath:   secretHelmArgs.caFile,
 		CertFilePath: secretHelmArgs.certFile,
 		KeyFilePath:  secretHelmArgs.keyFile,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
-	if secretHelmUsername != "" && secretHelmPassword != "" {
+	if createArgs.export {
-		secret.StringData["username"] = secretHelmUsername
+		rootCmd.Println(secret.Content)
-		secret.StringData["password"] = secretHelmPassword
+		return nil
 	}
-	if secretHelmCertFile != "" && secretHelmKeyFile != "" {
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 		cert, err := ioutil.ReadFile(secretHelmCertFile)
 		if err != nil {
 			return fmt.Errorf("failed to read repository cert file '%s': %w", secretHelmCertFile, err)
 		}
 		secret.StringData["certFile"] = string(cert)
 		key, err := ioutil.ReadFile(secretHelmKeyFile)
 		if err != nil {
 			return fmt.Errorf("failed to read repository key file '%s': %w", secretHelmKeyFile, err)
 		}
 		secret.StringData["keyFile"] = string(key)
 	}
 	if secretHelmCAFile != "" {
 		ca, err := ioutil.ReadFile(secretHelmCAFile)
 		if err != nil {
 			return fmt.Errorf("failed to read repository CA file '%s': %w", secretHelmCAFile, err)
 		}
 		secret.StringData["caFile"] = string(ca)
 	}
 	if export {
 		return exportSecret(secret)
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
-
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
-
+	var s corev1.Secret
-	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("secret '%s' created in '%s' namespace", name, namespace)
 	logger.Actionf("helm secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_helm_test.go
+++ b/cmd/flux/create_secret_helm_test.go
@@ -0,0 +1,31 @@
 package main
 import (
 	"testing"
 )
 func TestCreateHelmSecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			args:   "create secret helm",
 			assert: assertError("secret name is required"),
 		},
 		{
 			args:   "create secret helm helm-secret --username=my-username --password=my-password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/helm/secret-helm.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@@ -0,0 +1,114 @@
 /*
 Copyright 2020, 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 var createSecretTLSCmd = &cobra.Command{
 	Use:   "tls [name]",
 	Short: "Create or update a Kubernetes secret with TLS certificates",
 	Long:  `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
 	Example: ` # Create a TLS secret on disk and encrypt it with Mozilla SOPS.
  # Files are expected to be PEM-encoded.
  flux create secret tls certs \
    --namespace=my-namespace \
    --cert-file=./client.crt \
    --key-file=./client.key \
    --export > certs.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place certs.yaml`,
 	RunE: createSecretTLSCmdRun,
 }
 type secretTLSFlags struct {
 	certFile string
 	keyFile  string
 	caFile   string
 }
 var secretTLSArgs secretTLSFlags
 func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
 	flags.StringVar(&args.certFile, "cert-file", "", "TLS authentication cert file path")
 	flags.StringVar(&args.keyFile, "key-file", "", "TLS authentication key file path")
 	flags.StringVar(&args.caFile, "ca-file", "", "TLS authentication CA file path")
 }
 func init() {
 	flags := createSecretTLSCmd.Flags()
 	initSecretTLSFlags(flags, &secretTLSArgs)
 	createSecretCmd.AddCommand(createSecretTLSCmd)
 }
 func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("secret name is required")
 	}
 	name := args[0]
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	opts := sourcesecret.Options{
 		Name:         name,
 		Namespace:    *kubeconfigArgs.Namespace,
 		Labels:       labels,
 		CAFilePath:   secretTLSArgs.caFile,
 		CertFilePath: secretTLSArgs.certFile,
 		KeyFilePath:  secretTLSArgs.keyFile,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Print(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("tls secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_tls_test.go
+++ b/cmd/flux/create_secret_tls_test.go
@@ -0,0 +1,31 @@
 package main
 import (
 	"testing"
 )
 func TestCreateTlsSecretNoArgs(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			args:   "create secret tls",
 			assert: assertError("secret name is required"),
 		},
 		{
 			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_source.go
+++ b/cmd/flux/create_source.go
@@ -17,6 +17,8 @@ limitations under the License.
 package main
 import (
 	"time"
 	"github.com/spf13/cobra"
 )
@@ -26,6 +28,14 @@ var createSourceCmd = &cobra.Command{
 	Long:  "The create source sub-commands generate sources.",
 }
 type createSourceFlags struct {
 	fetchTimeout time.Duration
 }
 var createSourceArgs createSourceFlags
 func init() {
 	createSourceCmd.PersistentFlags().DurationVar(&createSourceArgs.fetchTimeout, "fetch-timeout", createSourceArgs.fetchTimeout,
 		"set a timeout for fetch operations performed by source-controller (e.g. 'git clone' or 'helm repo update')")
 	createCmd.AddCommand(createSourceCmd)
 }
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"github.com/spf13/cobra"
@@ -30,18 +29,19 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var createSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Create or update a Bucket source",
-	Long: `
+	Long: `The create source bucket command generates a Bucket resource and waits for it to be downloaded.
 The create source bucket command generates a Bucket resource and waits for it to be downloaded.
 For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`,
-	Example: `  # Create a source from a Buckets using static authentication
+	Example: `  # Create a source for a Bucket using static authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
    --endpoint=minio.minio.svc.cluster.local:9000 \
@@ -50,52 +50,59 @@ For Buckets with static authentication, the credentials are stored in a Kubernet
 	--secret-key=mysecretkey \
    --interval=10m
-  # Create a source from an Amazon S3 Bucket using IAM authentication
+  # Create a source for an Amazon S3 Bucket using IAM authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
 	--provider=aws \
    --endpoint=s3.amazonaws.com \
 	--region=us-east-1 \
-    --interval=10m
+    --interval=10m`,
 `,
 	RunE: createSourceBucketCmdRun,
 }
-var (
+type sourceBucketFlags struct {
-	sourceBucketName      string
+	name      string
-	sourceBucketProvider  = flags.SourceBucketProvider(sourcev1.GenericBucketProvider)
+	provider  flags.SourceBucketProvider
-	sourceBucketEndpoint  string
+	endpoint  string
-	sourceBucketAccessKey string
+	accessKey string
-	sourceBucketSecretKey string
+	secretKey string
-	sourceBucketRegion    string
+	region    string
-	sourceBucketInsecure  bool
+	insecure  bool
-	sourceBucketSecretRef string
+	secretRef string
-)
+}
 var sourceBucketArgs = NewSourceBucketFlags()
 func init() {
-	createSourceBucketCmd.Flags().Var(&sourceBucketProvider, "provider", sourceBucketProvider.Description())
+	createSourceBucketCmd.Flags().Var(&sourceBucketArgs.provider, "provider", sourceBucketArgs.provider.Description())
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketName, "bucket-name", "", "the bucket name")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.name, "bucket-name", "", "the bucket name")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketEndpoint, "endpoint", "", "the bucket endpoint address")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.endpoint, "endpoint", "", "the bucket endpoint address")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketAccessKey, "access-key", "", "the bucket access key")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.accessKey, "access-key", "", "the bucket access key")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretKey, "secret-key", "", "the bucket secret key")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretKey, "secret-key", "", "the bucket secret key")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketRegion, "region", "", "the bucket region")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.region, "region", "", "the bucket region")
-	createSourceBucketCmd.Flags().BoolVar(&sourceBucketInsecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
+	createSourceBucketCmd.Flags().BoolVar(&sourceBucketArgs.insecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
-	createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretRef, "secret-ref", "", "the name of an existing secret containing credentials")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretRef, "secret-ref", "", "the name of an existing secret containing credentials")
 	createSourceCmd.AddCommand(createSourceBucketCmd)
 }
 func NewSourceBucketFlags() sourceBucketFlags {
 	return sourceBucketFlags{
 		provider: flags.SourceBucketProvider(sourcev1.GenericBucketProvider),
 	}
 }
 func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("Bucket source name is required")
 	}
 	name := args[0]
-	if sourceBucketName == "" {
+	if sourceBucketArgs.name == "" {
 		return fmt.Errorf("bucket-name is required")
 	}
-	if sourceBucketEndpoint == "" {
+	if sourceBucketArgs.endpoint == "" {
 		return fmt.Errorf("endpoint is required")
 	}
@@ -104,7 +111,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	tmpDir, err := ioutil.TempDir("", name)
+	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
@@ -113,55 +120,60 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	bucket := &sourcev1.Bucket{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.BucketSpec{
-			BucketName: sourceBucketName,
+			BucketName: sourceBucketArgs.name,
-			Provider:   sourceBucketProvider.String(),
+			Provider:   sourceBucketArgs.provider.String(),
-			Insecure:   sourceBucketInsecure,
+			Insecure:   sourceBucketArgs.insecure,
-			Endpoint:   sourceBucketEndpoint,
+			Endpoint:   sourceBucketArgs.endpoint,
-			Region:     sourceBucketRegion,
+			Region:     sourceBucketArgs.region,
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
 		},
 	}
-	if sourceHelmSecretRef != "" {
+
-		bucket.Spec.SecretRef = &corev1.LocalObjectReference{
+	if createSourceArgs.fetchTimeout > 0 {
-			Name: sourceBucketSecretRef,
+		bucket.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}
 	if sourceBucketArgs.secretRef != "" {
 		bucket.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: sourceBucketArgs.secretRef,
 		}
 	}
-	if export {
+	if createArgs.export {
-		return exportBucket(*bucket)
+		return printExport(exportBucket(bucket))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 	logger.Generatef("generating Bucket source")
-	if sourceBucketSecretRef == "" {
+	if sourceBucketArgs.secretRef == "" {
 		secretName := fmt.Sprintf("bucket-%s", name)
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      secretName,
-				Namespace: namespace,
+				Namespace: *kubeconfigArgs.Namespace,
 				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{},
 		}
-		if sourceBucketAccessKey != "" && sourceBucketSecretKey != "" {
+		if sourceBucketArgs.accessKey != "" && sourceBucketArgs.secretKey != "" {
-			secret.StringData["accesskey"] = sourceBucketAccessKey
+			secret.StringData["accesskey"] = sourceBucketArgs.accessKey
-			secret.StringData["secretkey"] = sourceBucketSecretKey
+			secret.StringData["secretkey"] = sourceBucketArgs.secretKey
 		}
 		if len(secret.StringData) > 0 {
@@ -169,7 +181,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 				return err
 			}
-			bucket.Spec.SecretRef = &corev1.LocalObjectReference{
+			bucket.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
 			logger.Successf("authentication configured")
@@ -183,7 +195,7 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for Bucket source reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isBucketReady(ctx, kubeClient, namespacedName, bucket)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@@ -20,10 +20,11 @@ import (
 	"context"
 	"crypto/elliptic"
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -33,18 +34,35 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 type sourceGitFlags struct {
 	url               string
 	branch            string
 	tag               string
 	semver            string
 	username          string
 	password          string
 	keyAlgorithm      flags.PublicKeyAlgorithm
 	keyRSABits        flags.RSAKeyBits
 	keyECDSACurve     flags.ECDSACurve
 	secretRef         string
 	gitImplementation flags.GitImplementation
 	caFile            string
 	privateKeyFile    string
 	recurseSubmodules bool
 	silent            bool
 }
 var createSourceGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Create or update a GitRepository source",
-	Long: `
+	Long: `The create source git command generates a GitRepository resource and waits for it to sync.
 The create source git command generates a GitRepository resource and waits for it to sync.
 For Git over SSH, host and SSH keys are automatically generated and stored in a Kubernetes secret.
 For private Git repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
 	Example: `  # Create a source from a public Git repository master branch
@@ -52,7 +70,7 @@ For private Git repositories, the basic authentication credentials are stored in
    --url=https://github.com/stefanprodan/podinfo \
    --branch=master
-  # Create a source from a Git repository pinned to specific git tag
+  # Create a source for a Git repository pinned to specific git tag
  flux create source git podinfo \
    --url=https://github.com/stefanprodan/podinfo \
    --tag="3.2.3"
@@ -62,12 +80,12 @@ For private Git repositories, the basic authentication credentials are stored in
    --url=https://github.com/stefanprodan/podinfo \
    --tag-semver=">=3.2.0 <3.3.0"
-  # Create a source from a Git repository using SSH authentication
+  # Create a source for a Git repository using SSH authentication
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --branch=master
-  # Create a source from a Git repository using SSH authentication and an
+  # Create a source for a Git repository using SSH authentication and an
  # ECDSA P-521 curve public key
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
@@ -75,193 +93,209 @@ For private Git repositories, the basic authentication credentials are stored in
    --ssh-key-algorithm=ecdsa \
    --ssh-ecdsa-curve=p521
-  # Create a source from a Git repository using basic authentication
+  # Create a source for a Git repository using SSH authentication and a
  #	passwordless private key from file
  # The public SSH host key will still be gathered from the host
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --branch=master \
    --private-key-file=./private.key
  # Create a source for a Git repository using SSH authentication and a
  # private key with a password from file
  # The public SSH host key will still be gathered from the host
  flux create source git podinfo \
    --url=ssh://git@github.com/stefanprodan/podinfo \
    --branch=master \
    --private-key-file=./private.key \
    --password=<password>
  # Create a source for a Git repository using basic authentication
  flux create source git podinfo \
    --url=https://github.com/stefanprodan/podinfo \
    --username=username \
-    --password=password
+    --password=password`,
 `,
 	RunE: createSourceGitCmdRun,
 }
-var (
+var sourceGitArgs = newSourceGitFlags()
 	sourceGitURL      string
 	sourceGitBranch   string
 	sourceGitTag      string
 	sourceGitSemver   string
 	sourceGitUsername string
 	sourceGitPassword string
 	sourceGitKeyAlgorithm   flags.PublicKeyAlgorithm = "rsa"
 	sourceGitRSABits        flags.RSAKeyBits         = 2048
 	sourceGitECDSACurve                              = flags.ECDSACurve{Curve: elliptic.P384()}
 	sourceGitSecretRef      string
 	sourceGitImplementation string
 )
 func init() {
-	createSourceGitCmd.Flags().StringVar(&sourceGitURL, "url", "", "git address, e.g. ssh://git@host/org/repository")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.url, "url", "", "git address, e.g. ssh://git@host/org/repository")
-	createSourceGitCmd.Flags().StringVar(&sourceGitBranch, "branch", "master", "git branch")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
-	createSourceGitCmd.Flags().StringVar(&sourceGitTag, "tag", "", "git tag")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
-	createSourceGitCmd.Flags().StringVar(&sourceGitSemver, "tag-semver", "", "git tag semver range")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
-	createSourceGitCmd.Flags().StringVarP(&sourceGitUsername, "username", "u", "", "basic authentication username")
+	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
-	createSourceGitCmd.Flags().StringVarP(&sourceGitPassword, "password", "p", "", "basic authentication password")
+	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
-	createSourceGitCmd.Flags().Var(&sourceGitKeyAlgorithm, "ssh-key-algorithm", sourceGitKeyAlgorithm.Description())
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
-	createSourceGitCmd.Flags().Var(&sourceGitRSABits, "ssh-rsa-bits", sourceGitRSABits.Description())
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyRSABits, "ssh-rsa-bits", sourceGitArgs.keyRSABits.Description())
-	createSourceGitCmd.Flags().Var(&sourceGitECDSACurve, "ssh-ecdsa-curve", sourceGitECDSACurve.Description())
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyECDSACurve, "ssh-ecdsa-curve", sourceGitArgs.keyECDSACurve.Description())
-	createSourceGitCmd.Flags().StringVarP(&sourceGitSecretRef, "secret-ref", "", "", "the name of an existing secret containing SSH or basic credentials")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")
-	createSourceGitCmd.Flags().StringVar(&sourceGitImplementation, "git-implementation", "", "the git implementation to use, can be 'go-git' or 'libgit2'")
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.gitImplementation, "git-implementation", sourceGitArgs.gitImplementation.Description())
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSourceGitCmd.Flags().BoolVar(&sourceGitArgs.recurseSubmodules, "recurse-submodules", false,
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
 func newSourceGitFlags() sourceGitFlags {
 	return sourceGitFlags{
 		keyAlgorithm:  flags.PublicKeyAlgorithm(sourcesecret.ECDSAPrivateKeyAlgorithm),
 		keyRSABits:    2048,
 		keyECDSACurve: flags.ECDSACurve{Curve: elliptic.P384()},
 	}
 }
 func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("GitRepository source name is required")
 	}
 	name := args[0]
-	if sourceGitURL == "" {
+	if sourceGitArgs.url == "" {
 		return fmt.Errorf("url is required")
 	}
-	tmpDir, err := ioutil.TempDir("", name)
+	u, err := url.Parse(sourceGitArgs.url)
 	if err != nil {
 		return fmt.Errorf("git URL parse failed: %w", err)
 	}
 	if u.Scheme != "ssh" && u.Scheme != "http" && u.Scheme != "https" {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
 	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" {
 		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag or --tag-semver")
 	}
 	if sourceGitArgs.caFile != "" && u.Scheme == "ssh" {
 		return fmt.Errorf("specifing a CA file is not supported for Git over SSH")
 	}
 	if sourceGitArgs.recurseSubmodules && sourceGitArgs.gitImplementation == sourcev1.LibGit2Implementation {
 		return fmt.Errorf("recurse submodules requires --git-implementation=%s", sourcev1.GoGitImplementation)
 	}
 	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
 	u, err := url.Parse(sourceGitURL)
 	if err != nil {
 		return fmt.Errorf("git URL parse failed: %w", err)
 	}
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	if !utils.ContainsItemString([]string{sourcev1.GoGitImplementation, sourcev1.LibGit2Implementation, ""}, sourceGitImplementation) {
 		return fmt.Errorf("Invalid git implementation %q", sourceGitImplementation)
 	}
 	gitRepository := sourcev1.GitRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.GitRepositorySpec{
-			URL: sourceGitURL,
+			URL: sourceGitArgs.url,
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
 			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
 			Reference:         &sourcev1.GitRepositoryRef{},
 			GitImplementation: sourceGitImplementation,
 		},
 	}
-	if sourceGitSemver != "" {
+	if createSourceArgs.fetchTimeout > 0 {
-		gitRepository.Spec.Reference.SemVer = sourceGitSemver
+		gitRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
-	} else if sourceGitTag != "" {
+	}
-		gitRepository.Spec.Reference.Tag = sourceGitTag
+
 	if sourceGitArgs.gitImplementation != "" {
 		gitRepository.Spec.GitImplementation = sourceGitArgs.gitImplementation.String()
 	}
 	if sourceGitArgs.semver != "" {
 		gitRepository.Spec.Reference.SemVer = sourceGitArgs.semver
 	} else if sourceGitArgs.tag != "" {
 		gitRepository.Spec.Reference.Tag = sourceGitArgs.tag
 	} else {
-		gitRepository.Spec.Reference.Branch = sourceGitBranch
+		gitRepository.Spec.Reference.Branch = sourceGitArgs.branch
 	}
-	if export {
+	if sourceGitArgs.secretRef != "" {
-		if sourceGitSecretRef != "" {
+		gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
-			gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+			Name: sourceGitArgs.secretRef,
 				Name: sourceGitSecretRef,
 			}
 		}
 		return exportGit(gitRepository)
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	if createArgs.export {
 		return printExport(exportGit(&gitRepository))
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 	withAuth := false
 	// TODO(hidde): move all auth prep to separate func?
 	if sourceGitSecretRef != "" {
 		withAuth = true
 	} else if u.Scheme == "ssh" {
 		logger.Generatef("generating deploy key pair")
 		pair, err := generateKeyPair(ctx, sourceGitKeyAlgorithm, sourceGitRSABits, sourceGitECDSACurve)
 		if err != nil {
 			return err
 		}
 		logger.Successf("deploy key: %s", pair.PublicKey)
 		prompt := promptui.Prompt{
 			Label:     "Have you added the deploy key to your repository",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 		logger.Actionf("collecting preferred public key from SSH server")
 		hostKey, err := scanHostKey(ctx, u)
 		if err != nil {
 			return err
 		}
 		logger.Successf("collected public key from SSH server:\n%s", hostKey)
 		logger.Actionf("applying secret with keys")
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
 				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{
 				"identity":     string(pair.PrivateKey),
 				"identity.pub": string(pair.PublicKey),
 				"known_hosts":  string(hostKey),
 			},
 		}
 		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 			return err
 		}
 		withAuth = true
 	} else if sourceGitUsername != "" && sourceGitPassword != "" {
 		logger.Actionf("applying secret with basic auth credentials")
 		secret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
 				Labels:    sourceLabels,
 			},
 			StringData: map[string]string{
 				"username": sourceGitUsername,
 				"password": sourceGitPassword,
 			},
 		}
 		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
 			return err
 		}
 		withAuth = true
 	}
 	if withAuth {
 		logger.Successf("authentication configured")
 	}
 	logger.Generatef("generating GitRepository source")
-
+	if sourceGitArgs.secretRef == "" {
-	if withAuth {
+		secretOpts := sourcesecret.Options{
-		secretName := name
+			Name:         name,
-		if sourceGitSecretRef != "" {
+			Namespace:    *kubeconfigArgs.Namespace,
-			secretName = sourceGitSecretRef
+			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-		gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+		switch u.Scheme {
-			Name: secretName,
+		case "ssh":
 			secretOpts.SSHHostname = u.Host
 			secretOpts.PrivateKeyPath = sourceGitArgs.privateKeyFile
 			secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(sourceGitArgs.keyAlgorithm)
 			secretOpts.RSAKeyBits = int(sourceGitArgs.keyRSABits)
 			secretOpts.ECDSACurve = sourceGitArgs.keyECDSACurve.Curve
 			secretOpts.Password = sourceGitArgs.password
 		case "https":
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 			secretOpts.CAFilePath = sourceGitArgs.caFile
 		case "http":
 			logger.Warningf("insecure configuration: credentials configured for an HTTP URL")
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 		}
 		secret, err := sourcesecret.Generate(secretOpts)
 		if err != nil {
 			return err
 		}
 		var s corev1.Secret
 		if err = yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 			return err
 		}
 		if len(s.StringData) > 0 {
 			if hk, ok := s.StringData[sourcesecret.KnownHostsSecretKey]; ok {
 				logger.Successf("collected public key from SSH server:\n%s", hk)
 			}
 			if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
 				logger.Generatef("deploy key: %s", ppk)
 				if !sourceGitArgs.silent {
 					prompt := promptui.Prompt{
 						Label:     "Have you added the deploy key to your repository",
 						IsConfirm: true,
 					}
 					if _, err := prompt.Run(); err != nil {
 						return fmt.Errorf("aborting")
 					}
 				}
 			}
 			logger.Actionf("applying secret with repository credentials")
 			if err := upsertSecret(ctx, kubeClient, s); err != nil {
 				return err
 			}
 			gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: s.Name,
 			}
 			logger.Successf("authentication configured")
 		}
 	}
@@ -272,7 +306,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for GitRepository source reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isGitRepositoryReady(ctx, kubeClient, namespacedName, &gitRepository)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@@ -0,0 +1,148 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"testing"
 	"time"
 )
 var pollInterval = 50 * time.Millisecond
 var testTimeout = 10 * time.Second
 // Update the GitRepository once created to exercise test specific behavior
 type reconcileFunc func(repo *sourcev1.GitRepository)
 // reconciler waits for an object to be created, then invokes a test supplied
 // function to mutate that object, simulating a controller.
 // Test should invoke run() to run the background reconciler task which
 // polls to wait for the object to exist before applying the update function.
 // Any errors from the reconciler are asserted on test completion.
 type reconciler struct {
 	client    client.Client
 	name      types.NamespacedName
 	reconcile reconcileFunc
 }
 // Start the background task that waits for the object to exist then applies
 // the update function.
 func (r *reconciler) run(t *testing.T) {
 	result := make(chan error)
 	go func() {
 		defer close(result)
 		err := wait.PollImmediate(
 			pollInterval,
 			testTimeout,
 			r.conditionFunc)
 		result <- err
 	}()
 	t.Cleanup(func() {
 		if err := <-result; err != nil {
 			t.Errorf("Failure from test reconciler: '%v':", err.Error())
 		}
 	})
 }
 // A ConditionFunction that waits for the named GitRepository to be created,
 // then sets the ready condition to true.
 func (r *reconciler) conditionFunc() (bool, error) {
 	var repo sourcev1.GitRepository
 	if err := r.client.Get(context.Background(), r.name, &repo); err != nil {
 		if errors.IsNotFound(err) {
 			return false, nil // Keep polling until object is created
 		}
 		return true, err
 	}
 	r.reconcile(&repo)
 	err := r.client.Status().Update(context.Background(), &repo)
 	return true, err
 }
 func TestCreateSourceGit(t *testing.T) {
 	// Default command used for multiple tests
 	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --timeout=" + testTimeout.String()
 	cases := []struct {
 		name      string
 		args      string
 		assert    assertFunc
 		reconcile reconcileFunc
 	}{
 		{
 			"NoArgs",
 			"create source git",
 			assertError("GitRepository source name is required"),
 			nil,
 		}, {
 			"Succeeded",
 			command,
 			assertGoldenFile("testdata/create_source_git/success.golden"),
 			func(repo *sourcev1.GitRepository) {
 				meta.SetResourceCondition(repo, meta.ReadyCondition, metav1.ConditionTrue, sourcev1.GitOperationSucceedReason, "succeeded message")
 				repo.Status.Artifact = &sourcev1.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
 				}
 			},
 		}, {
 			"Failed",
 			command,
 			assertError("failed message"),
 			func(repo *sourcev1.GitRepository) {
 				meta.SetResourceCondition(repo, meta.ReadyCondition, metav1.ConditionFalse, sourcev1.URLInvalidReason, "failed message")
 			},
 		}, {
 			"NoArtifact",
 			command,
 			assertError("GitRepository source reconciliation completed but no artifact was found"),
 			func(repo *sourcev1.GitRepository) {
 				// Updated with no artifact
 				meta.SetResourceCondition(repo, meta.ReadyCondition, metav1.ConditionTrue, sourcev1.GitOperationSucceedReason, "succeeded message")
 			},
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			ns := allocateNamespace("podinfo")
 			setupTestNamespace(ns, t)
 			if tc.reconcile != nil {
 				r := reconciler{
 					client:    testEnv.client,
 					name:      types.NamespacedName{Namespace: ns, Name: "podinfo"},
 					reconcile: tc.reconcile,
 				}
 				r.run(t)
 			}
 			cmd := cmdTestCase{
 				args:   tc.args + " -n=" + ns,
 				assert: tc.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
@@ -32,56 +31,61 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/fluxcd/flux2/internal/utils"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 var createSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a HelmRepository source",
-	Long: `
+	Long: `The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
 The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
 For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
-	Example: `  # Create a source from a public Helm repository
+	Example: `  # Create a source for a public Helm repository
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --interval=10m
-  # Create a source from a Helm repository using basic authentication
+  # Create a source for a Helm repository using basic authentication
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --username=username \
    --password=password
-  # Create a source from a Helm repository using TLS authentication
+  # Create a source for a Helm repository using TLS authentication
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
    --cert-file=./cert.crt \
    --key-file=./key.crt \
-    --ca-file=./ca.crt
+    --ca-file=./ca.crt`,
 `,
 	RunE: createSourceHelmCmdRun,
 }
-var (
+type sourceHelmFlags struct {
-	sourceHelmURL       string
+	url             string
-	sourceHelmUsername  string
+	username        string
-	sourceHelmPassword  string
+	password        string
-	sourceHelmCertFile  string
+	certFile        string
-	sourceHelmKeyFile   string
+	keyFile         string
-	sourceHelmCAFile    string
+	caFile          string
-	sourceHelmSecretRef string
+	secretRef       string
-)
+	passCredentials bool
 }
 var sourceHelmArgs sourceHelmFlags
 func init() {
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmURL, "url", "", "Helm repository address")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.url, "url", "", "Helm repository address")
-	createSourceHelmCmd.Flags().StringVarP(&sourceHelmUsername, "username", "u", "", "basic authentication username")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.username, "username", "u", "", "basic authentication username")
-	createSourceHelmCmd.Flags().StringVarP(&sourceHelmPassword, "password", "p", "", "basic authentication password")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.password, "password", "p", "", "basic authentication password")
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmCertFile, "cert-file", "", "TLS authentication cert file path")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.certFile, "cert-file", "", "TLS authentication cert file path")
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmKeyFile, "key-file", "", "TLS authentication key file path")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
-	createSourceHelmCmd.Flags().StringVar(&sourceHelmCAFile, "ca-file", "", "TLS authentication CA file path")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
-	createSourceHelmCmd.Flags().StringVarP(&sourceHelmSecretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")
 	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")
 	createSourceCmd.AddCommand(createSourceHelmCmd)
 }
@@ -92,7 +96,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	if sourceHelmURL == "" {
+	if sourceHelmArgs.url == "" {
 		return fmt.Errorf("url is required")
 	}
@@ -101,96 +105,83 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	tmpDir, err := ioutil.TempDir("", name)
+	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
-	if _, err := url.Parse(sourceHelmURL); err != nil {
+	if _, err := url.Parse(sourceHelmArgs.url); err != nil {
 		return fmt.Errorf("url parse failed: %w", err)
 	}
 	helmRepository := &sourcev1.HelmRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.HelmRepositorySpec{
-			URL: sourceHelmURL,
+			URL: sourceHelmArgs.url,
 			Interval: metav1.Duration{
-				Duration: interval,
+				Duration: createArgs.interval,
 			},
 		},
 	}
-	if sourceHelmSecretRef != "" {
+	if createSourceArgs.fetchTimeout > 0 {
-		helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+		helmRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
-			Name: sourceHelmSecretRef,
+	}
 	if sourceHelmArgs.secretRef != "" {
 		helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 			Name: sourceHelmArgs.secretRef,
 		}
 		helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 	}
-	if export {
+	if createArgs.export {
-		return exportHelmRepository(*helmRepository)
+		return printExport(exportHelmRepository(helmRepository))
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 	logger.Generatef("generating HelmRepository source")
-	if sourceHelmSecretRef == "" {
+	if sourceHelmArgs.secretRef == "" {
 		secretName := fmt.Sprintf("helm-%s", name)
-
+		secretOpts := sourcesecret.Options{
-		secret := corev1.Secret{
+			Name:         secretName,
-			ObjectMeta: metav1.ObjectMeta{
+			Namespace:    *kubeconfigArgs.Namespace,
-				Name:      secretName,
+			Username:     sourceHelmArgs.username,
-				Namespace: namespace,
+			Password:     sourceHelmArgs.password,
-				Labels:    sourceLabels,
+			CertFilePath: sourceHelmArgs.certFile,
-			},
+			KeyFilePath:  sourceHelmArgs.keyFile,
-			StringData: map[string]string{},
+			CAFilePath:   sourceHelmArgs.caFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-
+		secret, err := sourcesecret.Generate(secretOpts)
-		if sourceHelmUsername != "" && sourceHelmPassword != "" {
+		if err != nil {
-			secret.StringData["username"] = sourceHelmUsername
+			return err
 			secret.StringData["password"] = sourceHelmPassword
 		}
-
+		var s corev1.Secret
-		if sourceHelmCertFile != "" && sourceHelmKeyFile != "" {
+		if err = yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
-			cert, err := ioutil.ReadFile(sourceHelmCertFile)
+			return err
 			if err != nil {
 				return fmt.Errorf("failed to read repository cert file '%s': %w", sourceHelmCertFile, err)
 			}
 			secret.StringData["certFile"] = string(cert)
 			key, err := ioutil.ReadFile(sourceHelmKeyFile)
 			if err != nil {
 				return fmt.Errorf("failed to read repository key file '%s': %w", sourceHelmKeyFile, err)
 			}
 			secret.StringData["keyFile"] = string(key)
 		}
-
+		if len(s.StringData) > 0 {
 		if sourceHelmCAFile != "" {
 			ca, err := ioutil.ReadFile(sourceHelmCAFile)
 			if err != nil {
 				return fmt.Errorf("failed to read repository CA file '%s': %w", sourceHelmCAFile, err)
 			}
 			secret.StringData["caFile"] = string(ca)
 		}
 		if len(secret.StringData) > 0 {
 			logger.Actionf("applying secret with repository credentials")
-			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+			if err := upsertSecret(ctx, kubeClient, s); err != nil {
 				return err
 			}
-			helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+			helmRepository.Spec.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
 			helmRepository.Spec.PassCredentials = sourceHelmArgs.passCredentials
 			logger.Successf("authentication configured")
 		}
 	}
@@ -202,7 +193,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Waitingf("waiting for HelmRepository source reconciliation")
-	if err := wait.PollImmediate(pollInterval, timeout,
+	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 		isHelmRepositoryReady(ctx, kubeClient, namespacedName, helmRepository)); err != nil {
 		return err
 	}
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@@ -37,8 +37,7 @@ import (
 var createTenantCmd = &cobra.Command{
 	Use:   "tenant",
 	Short: "Create or update a tenant",
-	Long: `
+	Long: `The create tenant command generates namespaces, service accounts and role bindings to limit the
 The create tenant command generates namespaces, service accounts and role bindings to limit the
 reconcilers scope to the tenant namespaces.`,
 	Example: `  # Create a tenant with access to a namespace 
  flux create tenant dev-team \
@@ -49,8 +48,7 @@ reconcilers scope to the tenant namespaces.`,
  flux create tenant dev-team \
    --with-namespace=frontend \
    --with-namespace=backend \
-	--export > dev-team.yaml
+	--export > dev-team.yaml`,
 `,
 	RunE: createTenantCmdRun,
 }
@@ -58,14 +56,16 @@ const (
 	tenantLabel = "toolkit.fluxcd.io/tenant"
 )
-var (
+type tenantFlags struct {
-	tenantNamespaces  []string
+	namespaces  []string
-	tenantClusterRole string
+	clusterRole string
-)
+}
 var tenantArgs tenantFlags
 func init() {
-	createTenantCmd.Flags().StringSliceVar(&tenantNamespaces, "with-namespace", nil, "namespace belonging to this tenant")
+	createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
-	createTenantCmd.Flags().StringVar(&tenantClusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
+	createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
 	createCmd.AddCommand(createTenantCmd)
 }
@@ -78,11 +78,11 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid tenant name '%s': %v", tenant, err)
 	}
-	if tenantClusterRole == "" {
+	if tenantArgs.clusterRole == "" {
 		return fmt.Errorf("cluster-role is required")
 	}
-	if tenantNamespaces == nil {
+	if tenantArgs.namespaces == nil {
 		return fmt.Errorf("with-namespace is required")
 	}
@@ -90,7 +90,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 	var accounts []corev1.ServiceAccount
 	var roleBindings []rbacv1.RoleBinding
-	for _, ns := range tenantNamespaces {
+	for _, ns := range tenantArgs.namespaces {
 		if err := validation.IsQualifiedName(ns); len(err) > 0 {
 			return fmt.Errorf("invalid namespace '%s': %v", ns, err)
 		}
@@ -141,14 +141,14 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 			RoleRef: rbacv1.RoleRef{
 				APIGroup: "rbac.authorization.k8s.io",
 				Kind:     "ClusterRole",
-				Name:     tenantClusterRole,
+				Name:     tenantArgs.clusterRole,
 			},
 		}
 		roleBindings = append(roleBindings, roleBinding)
 	}
-	if export {
+	if createArgs.export {
-		for i, _ := range tenantNamespaces {
+		for i := range tenantArgs.namespaces {
 			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i]); err != nil {
 				return err
 			}
@@ -156,15 +156,15 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
-	for i, _ := range tenantNamespaces {
+	for i := range tenantArgs.namespaces {
 		logger.Actionf("applying namespace %s", namespaces[i].Name)
 		if err := upsertNamespace(ctx, kubeClient, namespaces[i]); err != nil {
 			return err
--- a/cmd/flux/delete.go
+++ b/cmd/flux/delete.go
@@ -33,12 +33,14 @@ var deleteCmd = &cobra.Command{
 	Long:  "The delete sub-commands delete sources and resources.",
 }
-var (
+type deleteFlags struct {
-	deleteSilent bool
+	silent bool
-)
+}
 var deleteArgs deleteFlags
 func init() {
-	deleteCmd.PersistentFlags().BoolVarP(&deleteSilent, "silent", "s", false,
+	deleteCmd.PersistentFlags().BoolVarP(&deleteArgs.silent, "silent", "s", false,
 		"delete resource without asking for confirmation")
 	rootCmd.AddCommand(deleteCmd)
@@ -55,25 +57,25 @@ func (del deleteCommand) run(cmd *cobra.Command, args []string) error {
 	}
 	name := args[0]
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
-		Namespace: namespace,
+		Namespace: *kubeconfigArgs.Namespace,
 		Name:      name,
 	}
-	err = kubeClient.Get(ctx, namespacedName, del.object.asRuntimeObject())
+	err = kubeClient.Get(ctx, namespacedName, del.object.asClientObject())
 	if err != nil {
 		return err
 	}
-	if !deleteSilent {
+	if !deleteArgs.silent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this " + del.humanKind,
 			IsConfirm: true,
@@ -83,8 +85,8 @@ func (del deleteCommand) run(cmd *cobra.Command, args []string) error {
 		}
 	}
-	logger.Actionf("deleting %s %s in %s namespace", del.humanKind, name, namespace)
+	logger.Actionf("deleting %s %s in %s namespace", del.humanKind, name, *kubeconfigArgs.Namespace)
-	err = kubeClient.Delete(ctx, del.object.asRuntimeObject())
+	err = kubeClient.Delete(ctx, del.object.asClientObject())
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/delete_alert.go
+++ b/cmd/flux/delete_alert.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -33,56 +27,14 @@ var deleteAlertCmd = &cobra.Command{
 	Short: "Delete a Alert resource",
 	Long:  "The delete alert command removes the given Alert from the cluster.",
 	Example: `  # Delete an Alert and the Kubernetes resources created by it
-  flux delete alert main
+  flux delete alert main`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.AlertKind)),
-	RunE: deleteAlertCmdRun,
+	RunE: deleteCommand{
 		apiType: alertType,
 		object:  universalAdapter{&notificationv1.Alert{}},
 	}.run,
 }
 func init() {
 	deleteCmd.AddCommand(deleteAlertCmd)
 }
 func deleteAlertCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("alert name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var alert notificationv1.Alert
 	err = kubeClient.Get(ctx, namespacedName, &alert)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this Alert",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting alert %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &alert)
 	if err != nil {
 		return err
 	}
 	logger.Successf("alert deleted")
 	return nil
 }
--- a/cmd/flux/delete_alertprovider.go
+++ b/cmd/flux/delete_alertprovider.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -33,56 +27,14 @@ var deleteAlertProviderCmd = &cobra.Command{
 	Short: "Delete a Provider resource",
 	Long:  "The delete alert-provider command removes the given Provider from the cluster.",
 	Example: `  # Delete a Provider and the Kubernetes resources created by it
-  flux delete alert-provider slack
+  flux delete alert-provider slack`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ProviderKind)),
-	RunE: deleteAlertProviderCmdRun,
+	RunE: deleteCommand{
 		apiType: alertProviderType,
 		object:  universalAdapter{&notificationv1.Provider{}},
 	}.run,
 }
 func init() {
 	deleteCmd.AddCommand(deleteAlertProviderCmd)
 }
 func deleteAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("provider name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var alertProvider notificationv1.Provider
 	err = kubeClient.Get(ctx, namespacedName, &alertProvider)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this Provider",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting provider %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &alertProvider)
 	if err != nil {
 		return err
 	}
 	logger.Successf("provider deleted")
 	return nil
 }
--- a/cmd/flux/delete_helmrelease.go
+++ b/cmd/flux/delete_helmrelease.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"github.com/fluxcd/flux2/internal/utils"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 )
@@ -34,59 +28,14 @@ var deleteHelmReleaseCmd = &cobra.Command{
 	Short:   "Delete a HelmRelease resource",
 	Long:    "The delete helmrelease command removes the given HelmRelease from the cluster.",
 	Example: `  # Delete a Helm release and the Kubernetes resources created by it
-  flux delete hr podinfo
+  flux delete hr podinfo`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
-	RunE: deleteHelmReleaseCmdRun,
+	RunE: deleteCommand{
 		apiType: helmReleaseType,
 		object:  universalAdapter{&helmv2.HelmRelease{}},
 	}.run,
 }
 func init() {
 	deleteCmd.AddCommand(deleteHelmReleaseCmd)
 }
 func deleteHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("release name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var helmRelease helmv2.HelmRelease
 	err = kubeClient.Get(ctx, namespacedName, &helmRelease)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		if !helmRelease.Spec.Suspend {
 			logger.Waitingf("This action will remove the Kubernetes objects previously applied by the %s Helm release!", name)
 		}
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this Helm release",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting release %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &helmRelease)
 	if err != nil {
 		return err
 	}
 	logger.Successf("release deleted")
 	return nil
 }
--- a/cmd/flux/delete_image.go
+++ b/cmd/flux/delete_image.go
@@ -20,12 +20,12 @@ import (
 	"github.com/spf13/cobra"
 )
-var deleteAutoCmd = &cobra.Command{
+var deleteImageCmd = &cobra.Command{
-	Use:   "auto",
+	Use:   "image",
-	Short: "Delete automation objects",
+	Short: "Delete image automation objects",
-	Long:  "The delete auto sub-commands delete automation objects.",
+	Long:  "The delete image sub-commands delete image automation objects.",
 }
 func init() {
-	deleteCmd.AddCommand(deleteAutoCmd)
+	deleteCmd.AddCommand(deleteImageCmd)
 }
--- a/cmd/flux/delete_image_policy.go
+++ b/cmd/flux/delete_image_policy.go
@@ -19,16 +19,16 @@ package main
 import (
 	"github.com/spf13/cobra"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var deleteImagePolicyCmd = &cobra.Command{
-	Use:   "image-policy [name]",
+	Use:   "policy [name]",
 	Short: "Delete an ImagePolicy object",
-	Long:  "The delete auto image-policy command deletes the given ImagePolicy from the cluster.",
+	Long:  "The delete image policy command deletes the given ImagePolicy from the cluster.",
 	Example: `  # Delete an image policy
-  flux delete auto image-policy alpine3.x
+  flux delete image policy alpine3.x`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
 	RunE: deleteCommand{
 		apiType: imagePolicyType,
 		object:  universalAdapter{&imagev1.ImagePolicy{}},
@@ -36,5 +36,5 @@ var deleteImagePolicyCmd = &cobra.Command{
 }
 func init() {
-	deleteAutoCmd.AddCommand(deleteImagePolicyCmd)
+	deleteImageCmd.AddCommand(deleteImagePolicyCmd)
 }
--- a/cmd/flux/delete_image_repository.go
+++ b/cmd/flux/delete_image_repository.go
@@ -19,16 +19,16 @@ package main
 import (
 	"github.com/spf13/cobra"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var deleteImageRepositoryCmd = &cobra.Command{
-	Use:   "image-repository [name]",
+	Use:   "repository [name]",
 	Short: "Delete an ImageRepository object",
-	Long:  "The delete auto image-repository command deletes the given ImageRepository from the cluster.",
+	Long:  "The delete image repository command deletes the given ImageRepository from the cluster.",
 	Example: `  # Delete an image repository
-  flux delete auto image-repository alpine
+  flux delete image repository alpine`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
 	RunE: deleteCommand{
 		apiType: imageRepositoryType,
 		object:  universalAdapter{&imagev1.ImageRepository{}},
@@ -36,5 +36,5 @@ var deleteImageRepositoryCmd = &cobra.Command{
 }
 func init() {
-	deleteAutoCmd.AddCommand(deleteImageRepositoryCmd)
+	deleteImageCmd.AddCommand(deleteImageRepositoryCmd)
 }
--- a/cmd/flux/delete_image_updateauto.go
+++ b/cmd/flux/delete_image_updateauto.go
@@ -19,16 +19,16 @@ package main
 import (
 	"github.com/spf13/cobra"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 )
 var deleteImageUpdateCmd = &cobra.Command{
-	Use:   "image-update [name]",
+	Use:   "update [name]",
 	Short: "Delete an ImageUpdateAutomation object",
-	Long:  "The delete auto image-update command deletes the given ImageUpdateAutomation from the cluster.",
+	Long:  "The delete image update command deletes the given ImageUpdateAutomation from the cluster.",
 	Example: `  # Delete an image update automation
-  flux delete auto image-update latest-images
+  flux delete image update latest-images`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
 	RunE: deleteCommand{
 		apiType: imageUpdateAutomationType,
 		object:  universalAdapter{&autov1.ImageUpdateAutomation{}},
@@ -36,5 +36,5 @@ var deleteImageUpdateCmd = &cobra.Command{
 }
 func init() {
-	deleteAutoCmd.AddCommand(deleteImageUpdateCmd)
+	deleteImageCmd.AddCommand(deleteImageUpdateCmd)
 }
--- a/cmd/flux/delete_kustomization.go
+++ b/cmd/flux/delete_kustomization.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/internal/utils"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 )
 var deleteKsCmd = &cobra.Command{
@@ -33,59 +28,14 @@ var deleteKsCmd = &cobra.Command{
 	Short:   "Delete a Kustomization resource",
 	Long:    "The delete kustomization command deletes the given Kustomization from the cluster.",
 	Example: `  # Delete a kustomization and the Kubernetes resources created by it
-  flux delete kustomization podinfo
+  flux delete kustomization podinfo`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
-	RunE: deleteKsCmdRun,
+	RunE: deleteCommand{
 		apiType: kustomizationType,
 		object:  universalAdapter{&kustomizev1.Kustomization{}},
 	}.run,
 }
 func init() {
 	deleteCmd.AddCommand(deleteKsCmd)
 }
 func deleteKsCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("kustomization name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var kustomization kustomizev1.Kustomization
 	err = kubeClient.Get(ctx, namespacedName, &kustomization)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		if !kustomization.Spec.Suspend {
 			logger.Waitingf("This action will remove the Kubernetes objects previously applied by the %s kustomization!", name)
 		}
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this kustomization",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting kustomization %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &kustomization)
 	if err != nil {
 		return err
 	}
 	logger.Successf("kustomization deleted")
 	return nil
 }
--- a/cmd/flux/delete_receiver.go
+++ b/cmd/flux/delete_receiver.go
@@ -17,14 +17,8 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -33,56 +27,14 @@ var deleteReceiverCmd = &cobra.Command{
 	Short: "Delete a Receiver resource",
 	Long:  "The delete receiver command removes the given Receiver from the cluster.",
 	Example: `  # Delete an Receiver and the Kubernetes resources created by it
-  flux delete receiver main
+  flux delete receiver main`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)),
-	RunE: deleteReceiverCmdRun,
+	RunE: deleteCommand{
 		apiType: receiverType,
 		object:  universalAdapter{&notificationv1.Receiver{}},
 	}.run,
 }
 func init() {
 	deleteCmd.AddCommand(deleteReceiverCmd)
 }
 func deleteReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("receiver name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var receiver notificationv1.Receiver
 	err = kubeClient.Get(ctx, namespacedName, &receiver)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this Receiver",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting receiver %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &receiver)
 	if err != nil {
 		return err
 	}
 	logger.Successf("receiver deleted")
 	return nil
 }
--- a/cmd/flux/delete_source_bucket.go
+++ b/cmd/flux/delete_source_bucket.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var deleteSourceBucketCmd = &cobra.Command{
@@ -32,56 +27,14 @@ var deleteSourceBucketCmd = &cobra.Command{
 	Short: "Delete a Bucket source",
 	Long:  "The delete source bucket command deletes the given Bucket from the cluster.",
 	Example: `  # Delete a Bucket source
-  flux delete source bucket podinfo
+  flux delete source bucket podinfo`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)),
-	RunE: deleteSourceBucketCmdRun,
+	RunE: deleteCommand{
 		apiType: bucketType,
 		object:  universalAdapter{&sourcev1.Bucket{}},
 	}.run,
 }
 func init() {
 	deleteSourceCmd.AddCommand(deleteSourceBucketCmd)
 }
 func deleteSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var bucket sourcev1.Bucket
 	err = kubeClient.Get(ctx, namespacedName, &bucket)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this source",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting source %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &bucket)
 	if err != nil {
 		return err
 	}
 	logger.Successf("source deleted")
 	return nil
 }
--- a/cmd/flux/delete_source_git.go
+++ b/cmd/flux/delete_source_git.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var deleteSourceGitCmd = &cobra.Command{
@@ -32,56 +27,14 @@ var deleteSourceGitCmd = &cobra.Command{
 	Short: "Delete a GitRepository source",
 	Long:  "The delete source git command deletes the given GitRepository from the cluster.",
 	Example: `  # Delete a Git repository
-  flux delete source git podinfo
+  flux delete source git podinfo`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)),
-	RunE: deleteSourceGitCmdRun,
+	RunE: deleteCommand{
 		apiType: gitRepositoryType,
 		object:  universalAdapter{&sourcev1.GitRepository{}},
 	}.run,
 }
 func init() {
 	deleteSourceCmd.AddCommand(deleteSourceGitCmd)
 }
 func deleteSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("git name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var git sourcev1.GitRepository
 	err = kubeClient.Get(ctx, namespacedName, &git)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this source",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting source %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &git)
 	if err != nil {
 		return err
 	}
 	logger.Successf("source deleted")
 	return nil
 }
--- a/cmd/flux/delete_source_helm.go
+++ b/cmd/flux/delete_source_helm.go
@@ -17,14 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
+
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var deleteSourceHelmCmd = &cobra.Command{
@@ -32,56 +27,14 @@ var deleteSourceHelmCmd = &cobra.Command{
 	Short: "Delete a HelmRepository source",
 	Long:  "The delete source helm command deletes the given HelmRepository from the cluster.",
 	Example: `  # Delete a Helm repository
-  flux delete source helm podinfo
+  flux delete source helm podinfo`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)),
-	RunE: deleteSourceHelmCmdRun,
+	RunE: deleteCommand{
 		apiType: helmRepositoryType,
 		object:  universalAdapter{&sourcev1.HelmRepository{}},
 	}.run,
 }
 func init() {
 	deleteSourceCmd.AddCommand(deleteSourceHelmCmd)
 }
 func deleteSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	name := args[0]
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	namespacedName := types.NamespacedName{
 		Namespace: namespace,
 		Name:      name,
 	}
 	var helmRepository sourcev1.HelmRepository
 	err = kubeClient.Get(ctx, namespacedName, &helmRepository)
 	if err != nil {
 		return err
 	}
 	if !deleteSilent {
 		prompt := promptui.Prompt{
 			Label:     "Are you sure you want to delete this source",
 			IsConfirm: true,
 		}
 		if _, err := prompt.Run(); err != nil {
 			return fmt.Errorf("aborting")
 		}
 	}
 	logger.Actionf("deleting source %s in %s namespace", name, namespace)
 	err = kubeClient.Delete(ctx, &helmRepository)
 	if err != nil {
 		return err
 	}
 	logger.Successf("source deleted")
 	return nil
 }
--- a/cmd/flux/docgen.go
+++ b/cmd/flux/docgen.go
@@ -0,0 +1,69 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"path"
 	"path/filepath"
 	"strings"
 	"github.com/spf13/cobra"
 	"github.com/spf13/cobra/doc"
 )
 const fmTemplate = `---
 title: "%s"
 ---
 `
 var (
 	cmdDocPath string
 )
 var docgenCmd = &cobra.Command{
 	Use:    "docgen",
 	Short:  "Generate the documentation for the CLI commands.",
 	Hidden: true,
 	RunE:   docgenCmdRun,
 }
 func init() {
 	docgenCmd.Flags().StringVar(&cmdDocPath, "path", "./docs/cmd", "path to write the generated documentation to")
 	rootCmd.AddCommand(docgenCmd)
 }
 func docgenCmdRun(cmd *cobra.Command, args []string) error {
 	err := doc.GenMarkdownTreeCustom(rootCmd, cmdDocPath, frontmatterPrepender, linkHandler)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func frontmatterPrepender(filename string) string {
 	name := filepath.Base(filename)
 	base := strings.TrimSuffix(name, path.Ext(name))
 	title := strings.Replace(base, "_", " ", -1)
 	return fmt.Sprintf(fmTemplate, title)
 }
 func linkHandler(name string) string {
 	base := strings.TrimSuffix(name, path.Ext(name))
 	return "../" + strings.ToLower(base) + "/"
 }
--- a/cmd/flux/export.go
+++ b/cmd/flux/export.go
@@ -35,12 +35,14 @@ var exportCmd = &cobra.Command{
 	Long:  "The export sub-commands export resources in YAML format.",
 }
-var (
+type exportFlags struct {
-	exportAll bool
+	all bool
-)
+}
 var exportArgs exportFlags
 func init() {
-	exportCmd.PersistentFlags().BoolVar(&exportAll, "all", false, "select all resources")
+	exportCmd.PersistentFlags().BoolVar(&exportArgs.all, "all", false, "select all resources")
 	rootCmd.AddCommand(exportCmd)
 }
@@ -55,8 +57,7 @@ type exportable interface {
 // exportableList represents a type that has a list of values, each of
 // which is exportable.
 type exportableList interface {
-	adapter
+	listAdapter
 	len() int
 	exportItem(i int) interface{}
 }
@@ -66,27 +67,26 @@ type exportCommand struct {
 }
 func (export exportCommand) run(cmd *cobra.Command, args []string) error {
-	if !exportAll && len(args) < 1 {
+	if !exportArgs.all && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
+	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
-	if exportAll {
+	if exportArgs.all {
-		err = kubeClient.List(ctx, export.list.asRuntimeObject(), client.InNamespace(namespace))
+		err = kubeClient.List(ctx, export.list.asClientList(), client.InNamespace(*kubeconfigArgs.Namespace))
 		if err != nil {
 			return err
 		}
 		if export.list.len() == 0 {
-			logger.Failuref("no objects found in %s namespace", namespace)
+			return fmt.Errorf("no objects found in %s namespace", *kubeconfigArgs.Namespace)
 			return nil
 		}
 		for i := 0; i < export.list.len(); i++ {
@@ -97,10 +97,10 @@ func (export exportCommand) run(cmd *cobra.Command, args []string) error {
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
-			Namespace: namespace,
+			Namespace: *kubeconfigArgs.Namespace,
 			Name:      name,
 		}
-		err = kubeClient.Get(ctx, namespacedName, export.object.asRuntimeObject())
+		err = kubeClient.Get(ctx, namespacedName, export.object.asClientObject())
 		if err != nil {
 			return err
 		}
@@ -114,8 +114,8 @@ func printExport(export interface{}) error {
 	if err != nil {
 		return err
 	}
-	fmt.Println("---")
+	rootCmd.Println("---")
-	fmt.Println(resourceToString(data))
+	rootCmd.Println(resourceToString(data))
 	return nil
 }
--- a/cmd/flux/export_alert.go
+++ b/cmd/flux/export_alert.go
@@ -17,16 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -38,62 +31,19 @@ var exportAlertCmd = &cobra.Command{
  flux export alert --all > alerts.yaml
  # Export a Alert
-  flux export alert main > main.yaml
+  flux export alert main > main.yaml`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.AlertKind)),
-	RunE: exportAlertCmdRun,
+	RunE: exportCommand{
 		object: alertAdapter{&notificationv1.Alert{}},
 		list:   alertListAdapter{&notificationv1.AlertList{}},
 	}.run,
 }
 func init() {
 	exportCmd.AddCommand(exportAlertCmd)
 }
-func exportAlertCmdRun(cmd *cobra.Command, args []string) error {
+func exportAlert(alert *notificationv1.Alert) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list notificationv1.AlertList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no alerts found in %s namespace", namespace)
 			return nil
 		}
 		for _, alert := range list.Items {
 			if err := exportAlert(alert); err != nil {
 				return err
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var alert notificationv1.Alert
 		err = kubeClient.Get(ctx, namespacedName, &alert)
 		if err != nil {
 			return err
 		}
 		return exportAlert(alert)
 	}
 	return nil
 }
 func exportAlert(alert notificationv1.Alert) error {
 	gvk := notificationv1.GroupVersion.WithKind("Alert")
 	export := notificationv1.Alert{
 		TypeMeta: metav1.TypeMeta{
@@ -109,12 +59,13 @@ func exportAlert(alert notificationv1.Alert) error {
 		Spec: alert.Spec,
 	}
-	data, err := yaml.Marshal(export)
+	return export
-	if err != nil {
+}
-		return err
+
-	}
+func (ex alertAdapter) export() interface{} {
-
+	return exportAlert(ex.Alert)
-	fmt.Println("---")
+}
-	fmt.Println(resourceToString(data))
+
-	return nil
+func (ex alertListAdapter) exportItem(i int) interface{} {
 	return exportAlert(&ex.AlertList.Items[i])
 }
--- a/cmd/flux/export_alertprovider.go
+++ b/cmd/flux/export_alertprovider.go
@@ -17,16 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -38,62 +31,19 @@ var exportAlertProviderCmd = &cobra.Command{
  flux export alert-provider --all > alert-providers.yaml
  # Export a Provider
-  flux export alert-provider slack > slack.yaml
+  flux export alert-provider slack > slack.yaml`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ProviderKind)),
-	RunE: exportAlertProviderCmdRun,
+	RunE: exportCommand{
 		object: alertProviderAdapter{&notificationv1.Provider{}},
 		list:   alertProviderListAdapter{&notificationv1.ProviderList{}},
 	}.run,
 }
 func init() {
 	exportCmd.AddCommand(exportAlertProviderCmd)
 }
-func exportAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
+func exportAlertProvider(alertProvider *notificationv1.Provider) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list notificationv1.ProviderList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no alertproviders found in %s namespace", namespace)
 			return nil
 		}
 		for _, alertProvider := range list.Items {
 			if err := exportAlertProvider(alertProvider); err != nil {
 				return err
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var alertProvider notificationv1.Provider
 		err = kubeClient.Get(ctx, namespacedName, &alertProvider)
 		if err != nil {
 			return err
 		}
 		return exportAlertProvider(alertProvider)
 	}
 	return nil
 }
 func exportAlertProvider(alertProvider notificationv1.Provider) error {
 	gvk := notificationv1.GroupVersion.WithKind("Provider")
 	export := notificationv1.Provider{
 		TypeMeta: metav1.TypeMeta{
@@ -108,13 +58,13 @@ func exportAlertProvider(alertProvider notificationv1.Provider) error {
 		},
 		Spec: alertProvider.Spec,
 	}
-
+	return export
-	data, err := yaml.Marshal(export)
+}
-	if err != nil {
+
-		return err
+func (ex alertProviderAdapter) export() interface{} {
-	}
+	return exportAlertProvider(ex.Provider)
-
+}
-	fmt.Println("---")
+
-	fmt.Println(resourceToString(data))
+func (ex alertProviderListAdapter) exportItem(i int) interface{} {
-	return nil
+	return exportAlertProvider(&ex.ProviderList.Items[i])
 }
--- a/cmd/flux/export_helmrelease.go
+++ b/cmd/flux/export_helmrelease.go
@@ -17,16 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 )
@@ -39,62 +32,19 @@ var exportHelmReleaseCmd = &cobra.Command{
  flux export helmrelease --all > kustomizations.yaml
  # Export a HelmRelease
-  flux export hr my-app > app-release.yaml
+  flux export hr my-app > app-release.yaml`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
-	RunE: exportHelmReleaseCmdRun,
+	RunE: exportCommand{
 		object: helmReleaseAdapter{&helmv2.HelmRelease{}},
 		list:   helmReleaseListAdapter{&helmv2.HelmReleaseList{}},
 	}.run,
 }
 func init() {
 	exportCmd.AddCommand(exportHelmReleaseCmd)
 }
-func exportHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
+func exportHelmRelease(helmRelease *helmv2.HelmRelease) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list helmv2.HelmReleaseList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no helmrelease found in %s namespace", namespace)
 			return nil
 		}
 		for _, helmRelease := range list.Items {
 			if err := exportHelmRelease(helmRelease); err != nil {
 				return err
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var helmRelease helmv2.HelmRelease
 		err = kubeClient.Get(ctx, namespacedName, &helmRelease)
 		if err != nil {
 			return err
 		}
 		return exportHelmRelease(helmRelease)
 	}
 	return nil
 }
 func exportHelmRelease(helmRelease helmv2.HelmRelease) error {
 	gvk := helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)
 	export := helmv2.HelmRelease{
 		TypeMeta: metav1.TypeMeta{
@@ -109,13 +59,13 @@ func exportHelmRelease(helmRelease helmv2.HelmRelease) error {
 		},
 		Spec: helmRelease.Spec,
 	}
-
+	return export
-	data, err := yaml.Marshal(export)
+}
-	if err != nil {
+
-		return err
+func (ex helmReleaseAdapter) export() interface{} {
-	}
+	return exportHelmRelease(ex.HelmRelease)
-
+}
-	fmt.Println("---")
+
-	fmt.Println(resourceToString(data))
+func (ex helmReleaseListAdapter) exportItem(i int) interface{} {
-	return nil
+	return exportHelmRelease(&ex.HelmReleaseList.Items[i])
 }
--- a/cmd/flux/export_image_policy.go
+++ b/cmd/flux/export_image_policy.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var exportImagePolicyCmd = &cobra.Command{
@@ -31,8 +31,8 @@ var exportImagePolicyCmd = &cobra.Command{
  flux export image policy --all > image-policies.yaml
  # Export a specific policy
-  flux export image policy alpine1x > alpine1x.yaml
+  flux export image policy alpine1x > alpine1x.yaml`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
 	RunE: exportCommand{
 		object: imagePolicyAdapter{&imagev1.ImagePolicy{}},
 		list:   imagePolicyListAdapter{&imagev1.ImagePolicyList{}},
--- a/cmd/flux/export_image_repository.go
+++ b/cmd/flux/export_image_repository.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 )
 var exportImageRepositoryCmd = &cobra.Command{
@@ -31,8 +31,8 @@ var exportImageRepositoryCmd = &cobra.Command{
  flux export image repository --all > image-repositories.yaml
  # Export a specific ImageRepository resource
-  flux export image repository alpine > alpine.yaml
+  flux export image repository alpine > alpine.yaml`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
 	RunE: exportCommand{
 		object: imageRepositoryAdapter{&imagev1.ImageRepository{}},
 		list:   imageRepositoryListAdapter{&imagev1.ImageRepositoryList{}},
--- a/cmd/flux/export_image_updateauto.go
+++ b/cmd/flux/export_image_updateauto.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 )
 var exportImageUpdateCmd = &cobra.Command{
@@ -31,8 +31,8 @@ var exportImageUpdateCmd = &cobra.Command{
  flux export image update --all > updates.yaml
  # Export a specific automation
-  flux export image update latest-images > latest.yaml
+  flux export image update latest-images > latest.yaml`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
 	RunE: exportCommand{
 		object: imageUpdateAutomationAdapter{&autov1.ImageUpdateAutomation{}},
 		list:   imageUpdateAutomationListAdapter{&autov1.ImageUpdateAutomationList{}},
--- a/cmd/flux/export_kustomization.go
+++ b/cmd/flux/export_kustomization.go
@@ -17,17 +17,10 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
-	"github.com/fluxcd/flux2/internal/utils"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 )
 var exportKsCmd = &cobra.Command{
@@ -39,62 +32,19 @@ var exportKsCmd = &cobra.Command{
  flux export kustomization --all > kustomizations.yaml
  # Export a Kustomization
-  flux export kustomization my-app > kustomization.yaml
+  flux export kustomization my-app > kustomization.yaml`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
-	RunE: exportKsCmdRun,
+	RunE: exportCommand{
 		object: kustomizationAdapter{&kustomizev1.Kustomization{}},
 		list:   kustomizationListAdapter{&kustomizev1.KustomizationList{}},
 	}.run,
 }
 func init() {
 	exportCmd.AddCommand(exportKsCmd)
 }
-func exportKsCmdRun(cmd *cobra.Command, args []string) error {
+func exportKs(kustomization *kustomizev1.Kustomization) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("kustomization name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list kustomizev1.KustomizationList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no kustomizations found in %s namespace", namespace)
 			return nil
 		}
 		for _, kustomization := range list.Items {
 			if err := exportKs(kustomization); err != nil {
 				return err
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var kustomization kustomizev1.Kustomization
 		err = kubeClient.Get(ctx, namespacedName, &kustomization)
 		if err != nil {
 			return err
 		}
 		return exportKs(kustomization)
 	}
 	return nil
 }
 func exportKs(kustomization kustomizev1.Kustomization) error {
 	gvk := kustomizev1.GroupVersion.WithKind("Kustomization")
 	export := kustomizev1.Kustomization{
 		TypeMeta: metav1.TypeMeta{
@@ -110,12 +60,13 @@ func exportKs(kustomization kustomizev1.Kustomization) error {
 		Spec: kustomization.Spec,
 	}
-	data, err := yaml.Marshal(export)
+	return export
-	if err != nil {
+}
-		return err
+
-	}
+func (ex kustomizationAdapter) export() interface{} {
-
+	return exportKs(ex.Kustomization)
-	fmt.Println("---")
+}
-	fmt.Println(resourceToString(data))
+
-	return nil
+func (ex kustomizationListAdapter) exportItem(i int) interface{} {
 	return exportKs(&ex.KustomizationList.Items[i])
 }
--- a/cmd/flux/export_receiver.go
+++ b/cmd/flux/export_receiver.go
@@ -17,16 +17,9 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 )
@@ -38,62 +31,19 @@ var exportReceiverCmd = &cobra.Command{
  flux export receiver --all > receivers.yaml
  # Export a Receiver
-  flux export receiver main > main.yaml
+  flux export receiver main > main.yaml`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)),
-	RunE: exportReceiverCmdRun,
+	RunE: exportCommand{
 		list:   receiverListAdapter{&notificationv1.ReceiverList{}},
 		object: receiverAdapter{&notificationv1.Receiver{}},
 	}.run,
 }
 func init() {
 	exportCmd.AddCommand(exportReceiverCmd)
 }
-func exportReceiverCmdRun(cmd *cobra.Command, args []string) error {
+func exportReceiver(receiver *notificationv1.Receiver) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list notificationv1.ReceiverList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no receivers found in %s namespace", namespace)
 			return nil
 		}
 		for _, receiver := range list.Items {
 			if err := exportReceiver(receiver); err != nil {
 				return err
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var receiver notificationv1.Receiver
 		err = kubeClient.Get(ctx, namespacedName, &receiver)
 		if err != nil {
 			return err
 		}
 		return exportReceiver(receiver)
 	}
 	return nil
 }
 func exportReceiver(receiver notificationv1.Receiver) error {
 	gvk := notificationv1.GroupVersion.WithKind("Receiver")
 	export := notificationv1.Receiver{
 		TypeMeta: metav1.TypeMeta{
@@ -109,12 +59,13 @@ func exportReceiver(receiver notificationv1.Receiver) error {
 		Spec: receiver.Spec,
 	}
-	data, err := yaml.Marshal(export)
+	return export
-	if err != nil {
+}
-		return err
+
-	}
+func (ex receiverAdapter) export() interface{} {
-
+	return exportReceiver(ex.Receiver)
-	fmt.Println("---")
+}
-	fmt.Println(resourceToString(data))
+
-	return nil
+func (ex receiverListAdapter) exportItem(i int) interface{} {
 	return exportReceiver(&ex.ReceiverList.Items[i])
 }
--- a/cmd/flux/export_secret.go
+++ b/cmd/flux/export_secret.go
@@ -0,0 +1,135 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/internal/utils"
 )
 // exportableWithSecret represents a type that you can fetch from the Kubernetes
 // API, get a secretRef from the spec, then tidy up for serialising.
 type exportableWithSecret interface {
 	adapter
 	exportable
 	secret() *types.NamespacedName
 }
 // exportableWithSecretList represents a type that has a list of values, each of
 // which is exportableWithSecret.
 type exportableWithSecretList interface {
 	listAdapter
 	exportableList
 	secretItem(i int) *types.NamespacedName
 }
 type exportWithSecretCommand struct {
 	apiType
 	object exportableWithSecret
 	list   exportableWithSecretList
 }
 func (export exportWithSecretCommand) run(cmd *cobra.Command, args []string) error {
 	if !exportArgs.all && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs)
 	if err != nil {
 		return err
 	}
 	if exportArgs.all {
 		err = kubeClient.List(ctx, export.list.asClientList(), client.InNamespace(*kubeconfigArgs.Namespace))
 		if err != nil {
 			return err
 		}
 		if export.list.len() == 0 {
 			return fmt.Errorf("no objects found in %s namespace", *kubeconfigArgs.Namespace)
 		}
 		for i := 0; i < export.list.len(); i++ {
 			if err = printExport(export.list.exportItem(i)); err != nil {
 				return err
 			}
 			if exportSourceWithCred {
 				if export.list.secretItem(i) != nil {
 					namespacedName := *export.list.secretItem(i)
 					return printSecretCredentials(ctx, kubeClient, namespacedName)
 				}
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: *kubeconfigArgs.Namespace,
 			Name:      name,
 		}
 		err = kubeClient.Get(ctx, namespacedName, export.object.asClientObject())
 		if err != nil {
 			return err
 		}
 		if err := printExport(export.object.export()); err != nil {
 			return err
 		}
 		if exportSourceWithCred {
 			if export.object.secret() != nil {
 				namespacedName := *export.object.secret()
 				return printSecretCredentials(ctx, kubeClient, namespacedName)
 			}
 		}
 	}
 	return nil
 }
 func printSecretCredentials(ctx context.Context, kubeClient client.Client, nsName types.NamespacedName) error {
 	var cred corev1.Secret
 	err := kubeClient.Get(ctx, nsName, &cred)
 	if err != nil {
 		return fmt.Errorf("failed to retrieve secret %s, error: %w", nsName.Name, err)
 	}
 	exported := corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "v1",
 			Kind:       "Secret",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      nsName.Name,
 			Namespace: nsName.Namespace,
 		},
 		Data: cred.Data,
 		Type: cred.Type,
 	}
 	return printExport(exported)
 }
--- a/cmd/flux/export_source_bucket.go
+++ b/cmd/flux/export_source_bucket.go
@@ -17,94 +17,34 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var exportSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Export Bucket sources in YAML format",
-	Long:  "The export source git command exports on or all Bucket sources in YAML format.",
+	Long:  "The export source git command exports one or all Bucket sources in YAML format.",
 	Example: `  # Export all Bucket sources
  flux export source bucket --all > sources.yaml
  # Export a Bucket source including the static credentials
-  flux export source bucket my-bucket --with-credentials > source.yaml
+  flux export source bucket my-bucket --with-credentials > source.yaml`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)),
-	RunE: exportSourceBucketCmdRun,
+	RunE: exportWithSecretCommand{
 		list:   bucketListAdapter{&sourcev1.BucketList{}},
 		object: bucketAdapter{&sourcev1.Bucket{}},
 	}.run,
 }
 func init() {
 	exportSourceCmd.AddCommand(exportSourceBucketCmd)
 }
-func exportSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
+func exportBucket(source *sourcev1.Bucket) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list sourcev1.BucketList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no source found in %s namespace", namespace)
 			return nil
 		}
 		for _, bucket := range list.Items {
 			if err := exportBucket(bucket); err != nil {
 				return err
 			}
 			if exportSourceWithCred {
 				if err := exportBucketCredentials(ctx, kubeClient, bucket); err != nil {
 					return err
 				}
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var bucket sourcev1.Bucket
 		err = kubeClient.Get(ctx, namespacedName, &bucket)
 		if err != nil {
 			return err
 		}
 		if err := exportBucket(bucket); err != nil {
 			return err
 		}
 		if exportSourceWithCred {
 			return exportBucketCredentials(ctx, kubeClient, bucket)
 		}
 	}
 	return nil
 }
 func exportBucket(source sourcev1.Bucket) error {
 	gvk := sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)
 	export := sourcev1.Bucket{
 		TypeMeta: metav1.TypeMeta{
@@ -119,49 +59,34 @@ func exportBucket(source sourcev1.Bucket) error {
 		},
 		Spec: source.Spec,
 	}
-
+	return export
 	data, err := yaml.Marshal(export)
 	if err != nil {
 		return err
 	}
 	fmt.Println("---")
 	fmt.Println(resourceToString(data))
 	return nil
 }
-func exportBucketCredentials(ctx context.Context, kubeClient client.Client, source sourcev1.Bucket) error {
+func getBucketSecret(source *sourcev1.Bucket) *types.NamespacedName {
 	if source.Spec.SecretRef != nil {
 		namespacedName := types.NamespacedName{
 			Namespace: source.Namespace,
 			Name:      source.Spec.SecretRef.Name,
 		}
 		var cred corev1.Secret
 		err := kubeClient.Get(ctx, namespacedName, &cred)
 		if err != nil {
 			return fmt.Errorf("failed to retrieve secret %s, error: %w", namespacedName.Name, err)
 		}
-		exported := corev1.Secret{
+		return &namespacedName
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: "v1",
 				Kind:       "Secret",
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      namespacedName.Name,
 				Namespace: namespacedName.Namespace,
 			},
 			Data: cred.Data,
 			Type: cred.Type,
 		}
 		data, err := yaml.Marshal(exported)
 		if err != nil {
 			return err
 		}
 		fmt.Println("---")
 		fmt.Println(resourceToString(data))
 	}
 	return nil
 }
 func (ex bucketAdapter) secret() *types.NamespacedName {
 	return getBucketSecret(ex.Bucket)
 }
 func (ex bucketListAdapter) secretItem(i int) *types.NamespacedName {
 	return getBucketSecret(&ex.BucketList.Items[i])
 }
 func (ex bucketAdapter) export() interface{} {
 	return exportBucket(ex.Bucket)
 }
 func (ex bucketListAdapter) exportItem(i int) interface{} {
 	return exportBucket(&ex.BucketList.Items[i])
 }
--- a/cmd/flux/export_source_git.go
+++ b/cmd/flux/export_source_git.go
@@ -17,94 +17,34 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var exportSourceGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Export GitRepository sources in YAML format",
-	Long:  "The export source git command exports on or all GitRepository sources in YAML format.",
+	Long:  "The export source git command exports one or all GitRepository sources in YAML format.",
 	Example: `  # Export all GitRepository sources
  flux export source git --all > sources.yaml
  # Export a GitRepository source including the SSH key pair or basic auth credentials
-  flux export source git my-private-repo --with-credentials > source.yaml
+  flux export source git my-private-repo --with-credentials > source.yaml`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)),
-	RunE: exportSourceGitCmdRun,
+	RunE: exportWithSecretCommand{
 		object: gitRepositoryAdapter{&sourcev1.GitRepository{}},
 		list:   gitRepositoryListAdapter{&sourcev1.GitRepositoryList{}},
 	}.run,
 }
 func init() {
 	exportSourceCmd.AddCommand(exportSourceGitCmd)
 }
-func exportSourceGitCmdRun(cmd *cobra.Command, args []string) error {
+func exportGit(source *sourcev1.GitRepository) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list sourcev1.GitRepositoryList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no source found in %s namespace", namespace)
 			return nil
 		}
 		for _, repository := range list.Items {
 			if err := exportGit(repository); err != nil {
 				return err
 			}
 			if exportSourceWithCred {
 				if err := exportGitCredentials(ctx, kubeClient, repository); err != nil {
 					return err
 				}
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var repository sourcev1.GitRepository
 		err = kubeClient.Get(ctx, namespacedName, &repository)
 		if err != nil {
 			return err
 		}
 		if err := exportGit(repository); err != nil {
 			return err
 		}
 		if exportSourceWithCred {
 			return exportGitCredentials(ctx, kubeClient, repository)
 		}
 	}
 	return nil
 }
 func exportGit(source sourcev1.GitRepository) error {
 	gvk := sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)
 	export := sourcev1.GitRepository{
 		TypeMeta: metav1.TypeMeta{
@@ -120,48 +60,33 @@ func exportGit(source sourcev1.GitRepository) error {
 		Spec: source.Spec,
 	}
-	data, err := yaml.Marshal(export)
+	return export
 	if err != nil {
 		return err
 	}
 	fmt.Println("---")
 	fmt.Println(resourceToString(data))
 	return nil
 }
-func exportGitCredentials(ctx context.Context, kubeClient client.Client, source sourcev1.GitRepository) error {
+func getGitSecret(source *sourcev1.GitRepository) *types.NamespacedName {
 	if source.Spec.SecretRef != nil {
 		namespacedName := types.NamespacedName{
 			Namespace: source.Namespace,
 			Name:      source.Spec.SecretRef.Name,
 		}
-		var cred corev1.Secret
+		return &namespacedName
 		err := kubeClient.Get(ctx, namespacedName, &cred)
 		if err != nil {
 			return fmt.Errorf("failed to retrieve secret %s, error: %w", namespacedName.Name, err)
 		}
 		exported := corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: "v1",
 				Kind:       "Secret",
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      namespacedName.Name,
 				Namespace: namespacedName.Namespace,
 			},
 			Data: cred.Data,
 			Type: cred.Type,
 		}
 		data, err := yaml.Marshal(exported)
 		if err != nil {
 			return err
 		}
 		fmt.Println("---")
 		fmt.Println(resourceToString(data))
 	}
 	return nil
 }
 func (ex gitRepositoryAdapter) secret() *types.NamespacedName {
 	return getGitSecret(ex.GitRepository)
 }
 func (ex gitRepositoryListAdapter) secretItem(i int) *types.NamespacedName {
 	return getGitSecret(&ex.GitRepositoryList.Items[i])
 }
 func (ex gitRepositoryAdapter) export() interface{} {
 	return exportGit(ex.GitRepository)
 }
 func (ex gitRepositoryListAdapter) exportItem(i int) interface{} {
 	return exportGit(&ex.GitRepositoryList.Items[i])
 }
--- a/cmd/flux/export_source_helm.go
+++ b/cmd/flux/export_source_helm.go
@@ -17,94 +17,34 @@ limitations under the License.
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/internal/utils"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 )
 var exportSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Export HelmRepository sources in YAML format",
-	Long:  "The export source git command exports on or all HelmRepository sources in YAML format.",
+	Long:  "The export source git command exports one or all HelmRepository sources in YAML format.",
 	Example: `  # Export all HelmRepository sources
  flux export source helm --all > sources.yaml
  # Export a HelmRepository source including the basic auth credentials
-  flux export source helm my-private-repo --with-credentials > source.yaml
+  flux export source helm my-private-repo --with-credentials > source.yaml`,
-`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)),
-	RunE: exportSourceHelmCmdRun,
+	RunE: exportWithSecretCommand{
 		list:   helmRepositoryListAdapter{&sourcev1.HelmRepositoryList{}},
 		object: helmRepositoryAdapter{&sourcev1.HelmRepository{}},
 	}.run,
 }
 func init() {
 	exportSourceCmd.AddCommand(exportSourceHelmCmd)
 }
-func exportSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
+func exportHelmRepository(source *sourcev1.HelmRepository) interface{} {
 	if !exportAll && len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfig, kubecontext)
 	if err != nil {
 		return err
 	}
 	if exportAll {
 		var list sourcev1.HelmRepositoryList
 		err = kubeClient.List(ctx, &list, client.InNamespace(namespace))
 		if err != nil {
 			return err
 		}
 		if len(list.Items) == 0 {
 			logger.Failuref("no source found in %s namespace", namespace)
 			return nil
 		}
 		for _, repository := range list.Items {
 			if err := exportHelmRepository(repository); err != nil {
 				return err
 			}
 			if exportSourceWithCred {
 				if err := exportHelmCredentials(ctx, kubeClient, repository); err != nil {
 					return err
 				}
 			}
 		}
 	} else {
 		name := args[0]
 		namespacedName := types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}
 		var repository sourcev1.HelmRepository
 		err = kubeClient.Get(ctx, namespacedName, &repository)
 		if err != nil {
 			return err
 		}
 		if err := exportHelmRepository(repository); err != nil {
 			return err
 		}
 		if exportSourceWithCred {
 			return exportHelmCredentials(ctx, kubeClient, repository)
 		}
 	}
 	return nil
 }
 func exportHelmRepository(source sourcev1.HelmRepository) error {
 	gvk := sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)
 	export := sourcev1.HelmRepository{
 		TypeMeta: metav1.TypeMeta{
@@ -119,49 +59,32 @@ func exportHelmRepository(source sourcev1.HelmRepository) error {
 		},
 		Spec: source.Spec,
 	}
-
+	return export
 	data, err := yaml.Marshal(export)
 	if err != nil {
 		return err
 	}
 	fmt.Println("---")
 	fmt.Println(resourceToString(data))
 	return nil
 }
-func exportHelmCredentials(ctx context.Context, kubeClient client.Client, source sourcev1.HelmRepository) error {
+func getHelmSecret(source *sourcev1.HelmRepository) *types.NamespacedName {
 	if source.Spec.SecretRef != nil {
 		namespacedName := types.NamespacedName{
 			Namespace: source.Namespace,
 			Name:      source.Spec.SecretRef.Name,
 		}
-		var cred corev1.Secret
+		return &namespacedName
 		err := kubeClient.Get(ctx, namespacedName, &cred)
 		if err != nil {
 			return fmt.Errorf("failed to retrieve secret %s, error: %w", namespacedName.Name, err)
 		}
 		exported := corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: "v1",
 				Kind:       "Secret",
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      namespacedName.Name,
 				Namespace: namespacedName.Namespace,
 			},
 			Data: cred.Data,
 			Type: cred.Type,
 		}
 		data, err := yaml.Marshal(exported)
 		if err != nil {
 			return err
 		}
 		fmt.Println("---")
 		fmt.Println(resourceToString(data))
 	}
 	return nil
 }
 func (ex helmRepositoryAdapter) secret() *types.NamespacedName {
 	return getHelmSecret(ex.HelmRepository)
 }
 func (ex helmRepositoryListAdapter) secretItem(i int) *types.NamespacedName {
 	return getHelmSecret(&ex.HelmRepositoryList.Items[i])
 }
 func (ex helmRepositoryAdapter) export() interface{} {
 	return exportHelmRepository(ex.HelmRepository)
 }
 func (ex helmRepositoryListAdapter) exportItem(i int) interface{} {
 	return exportHelmRepository(&ex.HelmRepositoryList.Items[i])
 }
--- a/cmd/flux/export_test.go
+++ b/cmd/flux/export_test.go
@@ -0,0 +1,89 @@
 //go:build unit
 // +build unit
 package main
 import (
 	"testing"
 )
 func TestExport(t *testing.T) {
 	cases := []struct {
 		name       string
 		arg        string
 		goldenFile string
 	}{
 		{
 			"alert-provider",
 			"export alert-provider slack",
 			"testdata/export/provider.yaml",
 		},
 		{
 			"alert",
 			"export alert flux-system",
 			"testdata/export/alert.yaml",
 		},
 		{
 			"image policy",
 			"export image policy flux-system",
 			"testdata/export/image-policy.yaml",
 		},
 		{
 			"image repository",
 			"export image repository flux-system",
 			"testdata/export/image-repo.yaml",
 		},
 		{
 			"image update",
 			"export image update flux-system",
 			"testdata/export/image-update.yaml",
 		},
 		{
 			"source git",
 			"export source git flux-system",
 			"testdata/export/git-repo.yaml",
 		},
 		{
 			"source helm",
 			"export source helm flux-system",
 			"testdata/export/helm-repo.yaml",
 		},
 		{
 			"receiver",
 			"export receiver flux-system",
 			"testdata/export/receiver.yaml",
 		},
 		{
 			"kustomization",
 			"export kustomization flux-system",
 			"testdata/export/ks.yaml",
 		},
 		{
 			"helmrelease",
 			"export helmrelease flux-system",
 			"testdata/export/helm-release.yaml",
 		},
 		{
 			"bucket",
 			"export source bucket flux-system",
 			"testdata/export/bucket.yaml",
 		},
 	}
 	objectFile := "testdata/export/objects.yaml"
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	testEnv.CreateObjectFile(objectFile, tmpl, t)
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.arg + " -n=" + tmpl["fluxns"],
 				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/Show More
+++ b/Show More