Correct "sync" to "component" in log lines

Signed-off-by: Joel Bennett <Jaykul@HuddledMasses.org>

.github/aur/flux-bin/.SRCINFO.template

@@ -4,19 +4,16 @@ pkgbase = flux-bin
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
-	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
 	optdepends = bash-completion: auto-completion for flux in Bash
 	optdepends = zsh-completions: auto-completion for flux in ZSH
-	source_x86_64 = flux-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz
+	source_x86_64 = flux-bin-${PKGVER}_linux_amd64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz
 	sha256sums_x86_64 = ${SHA256SUM_AMD64}
-	source_armv6h = flux-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm.tar.gz
-	sha256sums_armv6h = ${SHA256SUM_ARM}
-	source_armv7h = flux-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm.tar.gz
+	source_armv7h = flux-bin-${PKGVER}_linux_arm.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm.tar.gz
 	sha256sums_armv7h = ${SHA256SUM_ARM}
-	source_aarch64 = flux-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm64.tar.gz
+	source_aarch64 = flux-bin-${PKGVER}_linux_arm64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm64.tar.gz
 	sha256sums_aarch64 = ${SHA256SUM_ARM64}
 
 pkgname = flux-bin

.github/aur/flux-bin/PKGBUILD.template

@@ -8,28 +8,22 @@ _srcname=flux
 _srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv6h" "armv7h" "aarch64")
+arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 optdepends=('bash-completion: auto-completion for flux in Bash'
             'zsh-completions: auto-completion for flux in ZSH')
 source_x86_64=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_amd64.tar.gz"
-)
-source_armv6h=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}_linux_amd64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_amd64.tar.gz"
 )
 source_armv7h=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}_linux_arm.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm.tar.gz"
 )
 source_aarch64=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm64.tar.gz"
+  "${pkgname}-${pkgver}_linux_arm64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm64.tar.gz"
 )
 sha256sums_x86_64=(
   ${SHA256SUM_AMD64}
 )
-sha256sums_armv6h=(
-  ${SHA256SUM_ARM}
-)
 sha256sums_armv7h=(
   ${SHA256SUM_ARM}
 )

.github/aur/flux-go/.SRCINFO.template

@@ -4,7 +4,6 @@ pkgbase = flux-go
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
-	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE

.github/aur/flux-go/PKGBUILD.template

@@ -8,13 +8,13 @@ _srcname=flux
 _srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv6h" "armv7h" "aarch64")
+arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 replaces=("flux-cli")
 depends=("glibc")
-makedepends=('go>=1.17', 'kustomize>=3.0')
+makedepends=('go>=1.20', 'kustomize>=5.0')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
@@ -41,7 +41,7 @@ check() {
     aarch64)
       export ENVTEST_ARCH=arm64
       ;;
-    armv6h|armv7h)
+    armv7h)
       export ENVTEST_ARCH=arm
       ;;
   esac

.github/aur/flux-scm/.SRCINFO.template

@@ -4,7 +4,6 @@ pkgbase = flux-scm
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
-	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE

.github/aur/flux-scm/PKGBUILD.template

@@ -7,12 +7,12 @@ pkgrel=${PKGREL}
 _srcname=flux
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv6h" "armv7h" "aarch64")
+arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 depends=("glibc")
-makedepends=('go>=1.17', 'kustomize>=3.0', 'git')
+makedepends=('go>=1.20', 'kustomize>=5.0', 'git')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
@@ -42,7 +42,7 @@ check() {
     aarch64)
       export ENVTEST_ARCH=arm64
       ;;
-    armv6h|armv7h)
+    armv7h)
       export ENVTEST_ARCH=arm
       ;;
   esac

.github/dependabot.yml

@@ -3,7 +3,14 @@ version: 2
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
-    labels: ["area/build"]
+    labels: ["area/ci", "dependencies"]
+    groups:
+      # Group all updates together, so that they are all applied in a single PR.
+      # Grouped updates are currently in beta and is subject to change.
+      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
+      ci:
+        patterns:
+          - "*"
     schedule:
-      # by default this will be on a monday.
+      # By default, this will be on a monday.
       interval: "weekly"

.github/labels.yaml

@@ -0,0 +1,52 @@
+# Configuration file to declaratively configure labels
+# Ref: https://github.com/EndBug/label-sync#Config-files
+
+- name: area/bootstrap
+  description: Bootstrap related issues and pull requests
+  color: '#86efc9'
+- name: area/install
+  description: Install and uninstall related issues and pull requests
+  color: '#86efc9'
+- name: area/diff
+  description: Diff related issues and pull requests
+  color: '#BA4192'
+- name: area/bucket
+  description: Bucket related issues and pull requests
+  color: '#00b140'
+- name: area/git
+  description: Git related issues and pull requests
+  color: '#863faf'
+- name: area/oci
+  description: OCI related issues and pull requests
+  color: '#c739ff'
+- name: area/kustomization
+  description: Kustomization related issues and pull requests
+  color: '#00e54d'
+- name: area/helm
+  description: Helm related issues and pull requests
+  color: '#1673b6'
+- name: area/image-automation
+  description: Automated image updates related issues and pull requests
+  color: '#c5def5'
+- name: area/monitoring
+  description: Monitoring related issues and pull requests
+  color: '#dd75ae'
+- name: area/multi-tenancy
+  description: Multi-tenancy related issues and pull requests
+  color: '#72CDBD'
+- name: area/notification
+  description: Notification API related issues and pull requests
+  color: '#434ec1'
+- name: area/source
+  description: Source API related issues and pull requests
+  color: '#863faf'
+- name: area/rfc
+  description: Feature request proposals in the RFC format
+  color: '#D621C3'
+  aliases: ['area/RFC']
+- name: backport:release/v2.0.x
+  description: To be backported to release/v2.0.x
+  color: '#ffd700'
+- name: backport:release/v2.1.x
+  description: To be backported to release/v2.1.x
+  color: '#ffd700'

.github/workflows/action.yaml

@@ -0,0 +1,29 @@
+name: test-gh-action
+
+on:
+  pull_request:
+    paths:
+      - 'action/**'
+  push:
+    paths:
+      - 'action/**'
+    branches:
+      - 'main'
+      - 'release/**'
+
+permissions: read-all
+
+jobs:
+  actions:
+    strategy:
+      fail-fast: false
+      matrix:
+        version: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.version }}
+    name: action on ${{ matrix.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup flux
+        uses: ./action

.github/workflows/backport.yaml

@@ -0,0 +1,31 @@
+name: backport
+
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
+jobs:
+  pull-request:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Create backport PRs
+        uses: korthout/backport-action@b982d297e31f500652b2246cf26714796312bd23 # v2.2.0
+        # xref: https://github.com/korthout/backport-action#inputs
+        with:
+          # Use token to allow workflows to be triggered for the created PR
+          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          # Match labels with a pattern `backport:<target-branch>`
+          label_pattern: '^backport:([^ ]+)$'
+          # A bit shorter pull-request title than the default
+          pull_title: '[${target_branch}] ${pull_title}'
+          # Simpler PR description than default
+          pull_description: |-
+            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.

.github/workflows/e2e-arm64.yaml

@@ -3,7 +3,7 @@ name: e2e-arm64
 on:
   workflow_dispatch:
   push:
-    branches: [ main, update-components, e2e-*, release-* ]
+    branches: [ 'main', 'update-components', 'e2e-*', 'release/**' ]
 
 permissions:
   contents: read
@@ -17,12 +17,13 @@ jobs:
       matrix:
         # Keep this list up-to-date with https://endoflife.date/kubernetes
         # Check which versions are available on DockerHub with 'crane ls kindest/node'
-        KUBERNETES_VERSION: [ 1.25.8, 1.26.3, 1.27.1 ]
+        KUBERNETES_VERSION: [ 1.25.11, 1.26.6, 1.27.3, 1.28.0 ]
+      fail-fast: false
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: 1.20.x
           cache-dependency-path: |

.github/workflows/e2e-azure.yaml

@@ -3,9 +3,19 @@ name: e2e-azure
 on:
   workflow_dispatch:
   schedule:
-    - cron:  '0 6 * * *'
+    - cron: '0 6 * * *'
   push:
-    branches: [ azure* ]
+    branches:
+      - main
+    paths:
+      - 'tests/**'
+      - '.github/workflows/e2e-azure.yaml'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'tests/**'
+      - '.github/workflows/e2e-azure.yaml'
 
 permissions:
   contents: read
@@ -13,29 +23,32 @@ permissions:
 jobs:
   e2e-amd64-aks:
     runs-on: ubuntu-22.04
+    defaults:
+      run:
+        working-directory: ./tests/azure
+    # This job is currently disabled. Remove the false check when Azure subscription is enabled.
+    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: 1.20.x
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
+          cache-dependency-path: tests/azure/go.sum
       - name: Setup Flux CLI
         run: |
           make build
           mkdir -p $HOME/.local/bin
           mv ./bin/flux $HOME/.local/bin
+        working-directory: ./
       - name: Setup SOPS
         run: |
-          wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux
-          chmod +x sops-v3.7.1.linux
           mkdir -p $HOME/.local/bin
-          mv sops-v3.7.1.linux $HOME/.local/bin/sops
+          wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux -O $HOME/.local/bin/sops
+          chmod +x $HOME/.local/bin/sops
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1  # v2
+        uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v2
         with:
           terraform_version: 1.2.8
           terraform_wrapper: false
@@ -49,9 +62,64 @@ jobs:
           ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
           ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
         run: |
-          echo $HOME
-          echo $PATH
           ls $HOME/.local/bin
           az login --service-principal -u ${ARM_CLIENT_ID} -p ${ARM_CLIENT_SECRET} -t ${ARM_TENANT_ID}
-          cd ./tests/azure
           go test -v -coverprofile cover.out -timeout 60m .
+
+  refactored-e2e-amd64-aks:
+    runs-on: ubuntu-22.04
+    defaults:
+      run:
+        working-directory: ./tests/integration
+    # This job is currently disabled. Remove the false check when Azure subscription is enabled.
+    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
+    steps:
+      - name: CheckoutD
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup Go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: 1.20.x
+          cache-dependency-path: tests/integration/go.sum
+      - name: Setup Flux CLI
+        run: make build
+        working-directory: ./
+      - name: Setup SOPS
+        run: |
+          mkdir -p $HOME/.local/bin
+          wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
+          chmod +x $HOME/.local/bin/sops
+        env:
+          SOPS_VER: 3.7.1
+      - name: Authenticate to Azure
+        uses: Azure/login@de95379fe4dadc2defb305917eaa7e5dde727294 # v1.4.6
+        with:
+          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
+      - name: Set dynamic variables in .env
+        run: |
+          cat > .env <<EOF
+          export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
+          EOF
+      - name: Print .env for dynamic tag value reference
+        run: cat .env
+      - name: Run Azure e2e tests
+        env:
+          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
+          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
+          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
+          GITREPO_SSH_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_CONTENTS }}
+          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_PUB_CONTENTS }}
+        run: |
+          source .env
+          mkdir -p ./build/ssh
+          touch ./build/ssh/key
+          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
+          export GITREPO_SSH_PATH=build/ssh/key
+          touch ./build/ssh/key.pub
+          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
+          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
+          make test-azure

.github/workflows/e2e-bootstrap.yaml

@@ -3,9 +3,10 @@ name: e2e-bootstrap
 on:
   workflow_dispatch:
   push:
-    branches: [ main, release-* ]
+    branches: [ 'main', 'release/**' ]
   pull_request:
-    branches: [ main, release-* ]
+    branches: [ 'main', 'release/**' ]
+    paths-ignore: [ 'docs/**', 'rfcs/**' ]
 
 permissions:
   contents: read
@@ -16,23 +17,23 @@ jobs:
     if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: 1.20.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod
       - name: Setup Kubernetes
-        uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
         with:
-          version: v0.17.0
+          version: v0.20.0
           cluster_name: kind
           # The versions below should target the newest Kubernetes version
           # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: kindest/node:v1.26.0
-          kubectl_version: v1.26.2
+          node_image: kindest/node:v1.28.0@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+          kubectl_version: v1.28.0
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
       - name: Build
@@ -98,7 +99,6 @@ jobs:
           --path=test-cluster \
           --read-write-key
           /tmp/flux reconcile image repository podinfo
-          /tmp/flux reconcile image update flux-system
           /tmp/flux get images all
           
           retries=10

.github/workflows/e2e-gcp.yaml

@@ -0,0 +1,92 @@
+name: e2e-gcp
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 6 * * *'
+  push:
+    branches:
+      - main
+    paths:
+      - 'tests/**'
+      - '.github/workflows/e2e-gcp.yaml'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'tests/**'
+      - '.github/workflows/e2e-gcp.yaml'
+
+permissions:
+  contents: read
+
+jobs:
+  e2e-gcp:
+    runs-on: ubuntu-22.04
+    defaults:
+      run:
+        working-directory: ./tests/integration
+    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup Go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: 1.20.x
+          cache-dependency-path: tests/integration/go.sum
+      - name: Setup Flux CLI
+        run: make build
+        working-directory: ./
+      - name: Setup SOPS
+        run: |
+          mkdir -p $HOME/.local/bin
+          wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
+          chmod +x $HOME/.local/bin/sops
+        env:
+          SOPS_VER: 3.7.1
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@67e9c72af6e0492df856527b474995862b7b6591 # v2.0.0
+        id: 'auth'
+        with:
+          credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
+          token_format: 'access_token'
+      - name: Setup gcloud
+        uses: google-github-actions/setup-gcloud@825196879a077b7efa50db2e88409f44de4635c2 # v2.0.0
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      - name: Log into us-central1-docker.pkg.dev
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: us-central1-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+      - name: Set dynamic variables in .env
+        run: |
+          cat > .env <<EOF
+          export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
+          EOF
+      - name: Print .env for dynamic tag value reference
+        run: cat .env
+      - name: Run GCP e2e tests
+        env:
+          TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
+          TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
+          TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
+          TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
+          TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
+          TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
+          GITREPO_SSH_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_CONTENTS }}
+          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_PUB_CONTENTS }}
+        run: |
+          source .env
+          mkdir -p ./build/ssh
+          touch ./build/ssh/key
+          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
+          export GITREPO_SSH_PATH=build/ssh/key
+          touch ./build/ssh/key.pub
+          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
+          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
+          make test-gcp

.github/workflows/e2e.yaml

@@ -3,9 +3,10 @@ name: e2e
 on:
   workflow_dispatch:
   push:
-    branches: [ main, release-* ]
+    branches: [ 'main', 'release/**' ]
   pull_request:
-    branches: [ main, release-* ]
+    branches: [ 'main', 'release/**' ]
+    paths-ignore: [ 'docs/**', 'rfcs/**' ]
 
 permissions:
   contents: read
@@ -20,24 +21,24 @@ jobs:
           - 5000:5000
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: 1.20.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod
       - name: Setup Kubernetes
-        uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
         with:
-          version: v0.17.0
+          version: v0.20.0
           cluster_name: kind
           config: .github/kind/config.yaml # disable KIND-net
           # The versions below should target the newest Kubernetes version
           # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: kindest/node:v1.26.0
-          kubectl_version: v1.26.2
+          node_image: kindest/node:v1.28.0@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+          kubectl_version: v1.28.0
       - name: Setup Calico for network policy
         run: |
           kubectl apply -f https://docs.projectcalico.org/v3.25/manifests/calico.yaml

.github/workflows/ossf.yaml

@@ -19,21 +19,21 @@ jobs:
       actions: read
       contents: read
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Run analysis
-        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           publish_results: true
       - name: Upload artifact
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
       - name: Upload SARIF results
-        uses: github/codeql-action/upload-sarif@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
         with:
           sarif_file: results.sarif

.github/workflows/release.yaml

@@ -9,6 +9,10 @@ permissions:
 
 jobs:
   release-flux-cli:
+    outputs:
+      hashes: ${{ steps.slsa.outputs.hashes }}
+      image_url: ${{ steps.slsa.outputs.image_url }}
+      image_digest: ${{ steps.slsa.outputs.image_digest }}
     runs-on: ubuntu-latest
     permissions:
       contents: write # needed to write releases
@@ -16,33 +20,33 @@ jobs:
       packages: write # needed for ghcr access
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Unshallow
         run: git fetch --prune --unshallow
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: 1.20.x
           cache: false
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c  # v2.5.0
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226  # v3.0.0
       - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@4d571ad1038a9cc29d676154ef265ab8f9027042 # v0.14.2
+        uses: anchore/sbom-action/download-syft@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0.15.1
       - name: Setup Cosign
-        uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5
+        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ghcr.io
           username: fluxcdbot
           password: ${{ secrets.GHCR_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a  # v2.1.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d  # v3.0.0
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -74,7 +78,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
         with:
           version: latest
           args: release --release-notes=output/notes.md --skip-validate
@@ -82,6 +87,22 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
           AUR_BOT_SSH_PRIVATE_KEY: ${{ secrets.AUR_BOT_SSH_PRIVATE_KEY }}
+      - name: Generate SLSA metadata
+        id: slsa
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          
+          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+          
+          image_url=fluxcd/flux-cli:$GITHUB_REF_NAME
+          echo "image_url=$image_url" >> $GITHUB_OUTPUT
+          
+          image_digest=$(docker buildx imagetools inspect ${image_url}  --format '{{json .}}' | jq -r .manifest.digest)
+          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
+
   release-flux-manifests:
     runs-on: ubuntu-latest
     needs: release-flux-cli
@@ -89,7 +110,7 @@ jobs:
       id-token: write
       packages: write
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
       - name: Setup Flux CLI
@@ -100,13 +121,13 @@ jobs:
           VERSION=$(flux version --client | awk '{ print $NF }')
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
       - name: Login to GHCR
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ghcr.io
           username: fluxcdbot
           password: ${{ secrets.GHCR_TOKEN }}
       - name: Login to DockerHub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -134,7 +155,7 @@ jobs:
           --path="./flux-system" \
           --source=${{ github.repositoryUrl }} \
           --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5
+      - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
       - name: Sign manifests
         env:
           COSIGN_EXPERIMENTAL: 1
@@ -148,3 +169,43 @@ jobs:
 
           flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
           --tag latest
+
+  release-provenance:
+    needs: [release-flux-cli]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      contents: write # for uploading attestations to GitHub releases.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    with:
+      provenance-name: "provenance.intoto.jsonl"
+      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
+      upload-assets: true
+
+  dockerhub-provenance:
+    needs: [release-flux-cli]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    with:
+      image: ${{ needs.release-flux-cli.outputs.image_url }}
+      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+
+  ghcr-provenance:
+    needs: [release-flux-cli]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    with:
+      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
+      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.GHCR_TOKEN }}

.github/workflows/scan.yaml

@@ -3,9 +3,9 @@ name: scan
 on:
   workflow_dispatch:
   push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
   pull_request:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
   schedule:
     - cron: '18 10 * * 3'
 
@@ -17,9 +17,9 @@ jobs:
     runs-on: ubuntu-latest
     if: github.actor != 'dependabot[bot]'
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v2.0.0
+        uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0
         with:
           # FOSSA Push-Only API Token
           fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
@@ -31,11 +31,11 @@ jobs:
       security-events: write
     if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: 1.20.x
           cache-dependency-path: |
@@ -53,7 +53,7 @@ jobs:
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
         with:
           sarif_file: snyk.sarif
 
@@ -64,19 +64,22 @@ jobs:
     if: github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: 1.20.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
+        uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
         with:
           languages: go
+          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # xref: https://codeql.github.com/codeql-query-help/go/
+          queries: security-and-quality
       - name: Autobuild
-        uses: github/codeql-action/autobuild@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
+        uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
+        uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4

.github/workflows/sync-labels.yaml

@@ -0,0 +1,28 @@
+name: sync-labels
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/labels.yaml
+
+permissions:
+  contents: read
+
+jobs:
+  labels:
+    name: Run sync
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: EndBug/label-sync@da00f2c11fdb78e4fae44adac2fdd713778ea3e8 # v2.3.2
+        with:
+          # Configuration file
+          config-file: |
+            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
+            .github/labels.yaml
+          # Strictly declarative
+          delete-other-labels: true

.github/workflows/update.yaml

@@ -18,9 +18,9 @@ jobs:
       pull-requests: write
     steps:
       - name: Check out code
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: 1.20.x
           cache-dependency-path: |
@@ -84,7 +84,7 @@ jobs:
 
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 # v5.0.1
+        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
         with:
           token: ${{ secrets.BOT_GITHUB_TOKEN }}
           commit-message: |
@@ -99,7 +99,7 @@ jobs:
           body: |
             ${{ steps.update.outputs.pr_body }}
           labels: |
-            area/build
+            dependencies
           reviewers: ${{ secrets.ASSIGNEES }}
 
       - name: Check output

.goreleaser.yml

@@ -83,14 +83,7 @@ brews:
     install: |
       bin.install "flux"
 
-      bash_output = Utils.safe_popen_read(bin/"flux", "completion", "bash")
-      (bash_completion/"flux").write bash_output
-
-      zsh_output = Utils.safe_popen_read(bin/"flux", "completion", "zsh")
-      (zsh_completion/"_flux").write zsh_output
-
-      fish_output = Utils.safe_popen_read(bin/"flux", "completion", "fish")
-      (fish_completion/"flux.fish").write fish_output
+      generate_completions_from_executable(bin/"flux", "completion")
     test: |
       system "#{bin}/flux --version"
 publishers:

CONTRIBUTING.md

@@ -68,8 +68,8 @@ for source changes.
 Prerequisites:
 
 * go >= 1.20
-* kubectl >= 1.20
-* kustomize >= 4.4
+* kubectl >= 1.24
+* kustomize >= 5.0
 * coreutils (on Mac OS)
 
 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:

Dockerfile

@@ -3,7 +3,7 @@ FROM alpine:3.18 as builder
 RUN apk add --no-cache ca-certificates curl
 
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.27.2
+ARG KUBECTL_VER=1.27.3
 
 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
     -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \

Makefile

@@ -19,6 +19,7 @@ all: test build
 tidy:
 	go mod tidy -compat=1.20
 	cd tests/azure && go mod tidy -compat=1.20
+	cd tests/integration && go mod tidy -compat=1.20
 
 fmt:
 	go fmt ./...

README.md

@@ -5,6 +5,7 @@
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2/badge)](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2)
 [![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2?ref=badge_shield)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/flux2)](https://artifacthub.io/packages/helm/fluxcd-community/flux2)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://fluxcd.io/flux/security/slsa-assessment)
 
 Flux is a tool for keeping Kubernetes clusters in sync with sources of
 configuration (like Git repositories and OCI artifacts),
@@ -32,7 +33,7 @@ For more comprehensive documentation, see the following guides:
 - [Ways of structuring your repositories](https://fluxcd.io/flux/guides/repository-structure/)
 - [Manage Helm Releases](https://fluxcd.io/flux/guides/helmreleases/)
 - [Automate image updates to Git](https://fluxcd.io/flux/guides/image-update/)  
-- [Manage Kubernetes secrets with Mozilla SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)  
+- [Manage Kubernetes secrets with Flux and SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)  
 
 If you need help, please refer to our **[Support page](https://fluxcd.io/support/)**.
 
@@ -43,7 +44,7 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.
 
-![overview](docs/_files/gitops-toolkit.png)
+![overview](https://fluxcd.io/img/diagrams/gitops-toolkit.png)
 
 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
@@ -58,18 +59,18 @@ guides](https://fluxcd.io/flux/gitops-toolkit/source-watcher/).
     - [HelmChart CRD](https://fluxcd.io/flux/components/source/helmcharts/)
     - [Bucket CRD](https://fluxcd.io/flux/components/source/buckets/)
 - [Kustomize Controller](https://fluxcd.io/flux/components/kustomize/)
-    - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomization/)
+    - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomizations/)
 - [Helm Controller](https://fluxcd.io/flux/components/helm/)
     - [HelmRelease CRD](https://fluxcd.io/flux/components/helm/helmreleases/)
 - [Notification Controller](https://fluxcd.io/flux/components/notification/)
-    - [Provider CRD](https://fluxcd.io/flux/components/notification/provider/)
-    - [Alert CRD](https://fluxcd.io/flux/components/notification/alert/)
-    - [Receiver CRD](https://fluxcd.io/flux/components/notification/receiver/)
+    - [Provider CRD](https://fluxcd.io/flux/components/notification/providers/)
+    - [Alert CRD](https://fluxcd.io/flux/components/notification/alerts/)
+    - [Receiver CRD](https://fluxcd.io/flux/components/notification/receivers/)
 - [Image Automation Controllers](https://fluxcd.io/flux/components/image/)
   - [ImageRepository CRD](https://fluxcd.io/flux/components/image/imagerepositories/)
   - [ImagePolicy CRD](https://fluxcd.io/flux/components/image/imagepolicies/)
   - [ImageUpdateAutomation CRD](https://fluxcd.io/flux/components/image/imageupdateautomations/)
-  
+
 ## Community
 
 Need help or want to contribute? Please see the links below. The Flux project is always looking for

action/README.md

@@ -1,216 +1,22 @@
 # Flux GitHub Action
 
-Usage:
+To install the latest Flux CLI on Linux, macOS or Windows GitHub runners:
 
 ```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Run Flux commands
-        run: flux -v
+steps:
+  - name: Setup Flux CLI
+    uses: fluxcd/flux2/action@main
+    with:
+      version: 'latest'
+  - name: Run Flux CLI
+    run: flux version --client
 ```
 
-The latest stable version of the `flux` binary is downloaded from
-GitHub [releases](https://github.com/fluxcd/flux2/releases)
-and placed at `/usr/local/bin/flux`.
+The Flux GitHub Action can be used to automate various tasks in CI, such as:
 
-Note that this action can only be used on GitHub **Linux** runners.
-You can change the arch (defaults to `amd64`) with:
+- [Automate Flux upgrades on clusters via Pull Requests](https://fluxcd.io/flux/flux-gh-action/#automate-flux-updates)
+- [Push Kubernetes manifests to container registries](https://fluxcd.io/flux/flux-gh-action/#push-kubernetes-manifests-to-container-registries)
+- [Run end-to-end testing with Flux and Kubernetes Kind](https://fluxcd.io/flux/flux-gh-action/#end-to-end-testing)
 
-```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-        with:
-          arch: arm64 # can be amd64, arm64 or arm
-```
+For more information, please see the [Flux GitHub Action documentation](https://fluxcd.io/flux/flux-gh-action/).
 
-You can download a specific version with:
-
-```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-        with:
-          version: 0.32.0
-```
-
-You can also authenticate against the GitHub API using GitHub Actions' `GITHUB_TOKEN` secret.
-
-For more information, please [read about the GitHub token secret](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret).
-
-```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-```
-
-This is useful if you are seeing failures on shared runners, those failures are usually API limits being hit.
-
-### Automate Flux updates
-
-Example workflow for updating Flux's components generated with `flux bootstrap --path=clusters/production`:
-
-```yaml
-name: update-flux
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 * * * *"
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  components:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Check for updates
-        id: update
-        run: |
-          flux install \
-            --export > ./clusters/production/flux-system/gotk-components.yaml
-
-          VERSION="$(flux -v)"
-          echo "flux_version=$VERSION" >> $GITHUB_OUTPUT
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
-        with:
-            token: ${{ secrets.GITHUB_TOKEN }}
-            branch: update-flux
-            commit-message: Update to ${{ steps.update.outputs.flux_version }}
-            title: Update to ${{ steps.update.outputs.flux_version }}
-            body: |
-              ${{ steps.update.outputs.flux_version }}
-```
-
-### Push Kubernetes manifests to container registries
-
-Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to GitHub Container Registry:
-
-```yaml
-name: push-artifact-staging
-
-on:
-  push:
-    branches:
-      - 'main'
-
-permissions:
-  packages: write # needed for ghcr.io access
-
-env:
-  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Login to GHCR
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate manifests
-        run: |
-          kustomize build ./manifests/staging > ./deploy/app.yaml
-      - name: Push manifests
-        run: |
-          flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
-            --path="./deploy" \
-            --source="$(git config --get remote.origin.url)" \
-            --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
-      - name: Deploy manifests to staging
-        run: |
-          flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
-```
-
-### Push and sign Kubernetes manifests to container registries
-
-Example workflow for publishing Kubernetes manifests bundled as OCI artifacts
-which are signed with Cosign and GitHub OIDC:
-
-```yaml
-name: push-sign-artifact
-
-on:
-  push:
-    branches:
-      - 'main'
-
-permissions:
-  packages: write # needed for ghcr.io access
-  id-token: write # needed for keyless signing
-
-env:
-  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Setup Cosign
-        uses: sigstore/cosign-installer@main
-      - name: Login to GHCR
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Push and sign manifests
-        run: |
-          digest_url=$(flux push artifact \
-          $OCI_REPO:$(git rev-parse --short HEAD) \
-          --path="./manifests" \
-          --source="$(git config --get remote.origin.url)" \
-          --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" |\
-          jq -r '. | .repository + "@" + .digest')
-
-          cosign sign $digest_url
-```
-
-### End-to-end testing
-
-Example workflow for running Flux in Kubernetes Kind:
-
-```yaml
-name: e2e
-
-on:
-  push:
-    branches:
-      - '*'
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Setup Kubernetes Kind
-        uses: engineerd/setup-kind@v0.5.0
-      - name: Install Flux in Kubernetes Kind
-        run: flux install
-```
-
-A complete e2e testing workflow is available here
-[flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)

action/action.yml

@@ -1,64 +1,120 @@
 name: Setup Flux CLI
-description: A GitHub Action for running Flux commands
-author: Stefan Prodan
+description: A GitHub Action for installing the Flux CLI
+author: Flux project
 branding:
   color: blue
   icon: command
 inputs:
   version:
-    description: "Flux version e.g. 0.8.0 (defaults to latest stable release)"
+    description: "Flux version e.g. 2.0.0 (defaults to latest stable release)"
     required: false
   arch:
     description: "arch can be amd64, arm64 or arm"
-    required: true
-    default: "amd64"
+    required: false
+    deprecationMessage: "No longer required, action will now detect runner arch."
   bindir:
-    description: "Optional location of the Flux binary. Will not use sudo if set. Updates System Path."
+    description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
     required: false
   token:
-    description: "GitHub Token used to authentication against the API (generally only needed to prevent quota limit errors)"
+    description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
     required: false
 runs:
   using: composite
   steps:
-    - name: "Download flux binary to tmp"
+    - name: "Download the binary to the runner's cache dir"
       shell: bash
       run: |
-        ARCH=${{ inputs.arch }}
         VERSION=${{ inputs.version }}
-        TOKEN=${{ inputs.token }}
 
-        if [ -z "${VERSION}" ]; then
-          if [ -n "${TOKEN}" ]; then
-            VERSION_SLUG=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest --silent --location --header "Authorization: token ${TOKEN}" | grep tag_name)
-          else
-            # With no GITHUB_TOKEN you will experience occasional failures due to rate limiting
-            # Ref: https://github.com/fluxcd/flux2/issues/3509#issuecomment-1400820992
-            VERSION_SLUG=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest --silent --location | grep tag_name)
+        TOKEN=${{ inputs.token }}
+        if [[ -z "$TOKEN" ]]; then
+          TOKEN=${{ github.token }}
+        fi
+
+        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
+          VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
+        fi
+        if [[ -z "$VERSION" ]]; then
+          echo "Unable to determine Flux CLI version"
+          exit 1
+        fi
+        if [[ $VERSION = v* ]]; then
+          VERSION="${VERSION:1}"
+        fi
+
+        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$OS" == "macos" ]]; then
+          OS="darwin"
+        fi
+
+        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ARCH" == "x64" ]]; then
+          ARCH="amd64"
+        elif [[ "$ARCH" == "x86" ]]; then
+          ARCH="386"
+        fi
+
+        FLUX_EXEC_FILE="flux"
+        if [[ "$OS" == "windows" ]]; then
+            FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
+        fi
+
+        FLUX_TOOL_DIR=${{ inputs.bindir }}
+        if [[ -z "$FLUX_TOOL_DIR" ]]; then
+          FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
+        fi
+        if [[ ! -x "$FLUX_TOOL_DIR/FLUX_EXEC_FILE" ]]; then
+          DL_DIR="$(mktemp -dt flux2-XXXXXX)"
+          trap 'rm -rf $DL_DIR' EXIT
+
+          echo "Downloading flux ${VERSION} for ${OS}/${ARCH}"
+          FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.tar.gz"
+          if [[ "$OS" == "windows" ]]; then
+            FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.zip"
           fi
 
-          VERSION=$(echo "${VERSION_SLUG}" | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+          FLUX_CHECKSUMS_FILE="flux_${VERSION}_checksums.txt"
+
+          FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"
+
+          curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
+          curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
+
+          echo "Verifying checksum"
+          sum=""
+          if command -v openssl > /dev/null; then
+            sum=$(openssl sha256 "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $2}')
+          elif command -v sha256sum > /dev/null; then
+            sum=$(sha256sum "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $1}')
+          fi
+
+          if [[ -z "$sum" ]]; then
+            echo "Neither openssl nor sha256sum found. Cannot calculate checksum."
+            exit 1
+          fi
+
+          expected_sum=$(grep " $FLUX_TARGET_FILE\$" "$DL_DIR/$FLUX_CHECKSUMS_FILE" | awk '{print $1}')
+          if [ "$sum" != "$expected_sum" ]; then
+            echo "SHA sum of ${FLUX_TARGET_FILE} does not match. Aborting."
+            exit 1
+          fi
+
+          echo "Installing flux to ${FLUX_TOOL_DIR}"
+          mkdir -p "$FLUX_TOOL_DIR"
+        
+          if [[ "$OS" == "windows" ]]; then
+            unzip "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_EXEC_FILE" -d "$FLUX_TOOL_DIR"
+          else
+            tar xzf "$DL_DIR/$FLUX_TARGET_FILE" -C "$FLUX_TOOL_DIR" $FLUX_EXEC_FILE
+          fi
+
+          chmod +x "$FLUX_TOOL_DIR/$FLUX_EXEC_FILE"
         fi
 
-        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
-        curl --silent --fail --location "${BIN_URL}" --output /tmp/flux.tar.gz
-        mkdir -p /tmp/flux
-        tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
-    - name: "Copy Flux binary to execute location"
-      shell: bash
-      run: |
-        BINDIR=${{ inputs.bindir }}
-        if [ -z "${BINDIR}" ]; then
-          sudo cp /tmp/flux/flux /usr/local/bin
-        else
-          cp /tmp/flux/flux "${BINDIR}"
-          echo "${BINDIR}" >> $GITHUB_PATH
-        fi
-    - name: "Cleanup tmp"
-      shell: bash
-      run: |
-        rm -rf /tmp/flux/ /tmp/flux.tar.gz
-    - name: "Verify correct installation of binary"
+        echo "Adding flux to path"
+        echo "$FLUX_TOOL_DIR" >> "$GITHUB_PATH"
+
+    - name: "Print installed flux version"
       shell: bash
       run: |
         flux -v

cmd/flux/alert.go

@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )
 
 // notificationv1.Alert

cmd/flux/alert_provider.go

@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )
 
 // notificationv1.Provider

cmd/flux/bootstrap.go

@@ -17,11 +17,15 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"crypto/elliptic"
 	"fmt"
 	"strings"
 
+	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -72,6 +76,8 @@ type bootstrapFlags struct {
 	gpgPassphrase  string
 	gpgKeyID       string
 
+	force bool
+
 	commitMessageAppendix string
 }
 
@@ -129,6 +135,7 @@ func init() {
 
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.commitMessageAppendix, "commit-message-appendix", "", "string to add to the commit messages, e.g. '[ci skip]'")
 
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.force, "force", false, "override existing Flux installation if it's managed by a diffrent tool such as Helm")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")
 
 	rootCmd.AddCommand(bootstrapCmd)
@@ -188,3 +195,27 @@ func mapTeamSlice(s []string, defaultPermission string) map[string]string {
 
 	return m
 }
+
+// confirmBootstrap gets a confirmation for running bootstrap over an existing Flux installation.
+// It returns a nil error if Flux is not installed or the user confirms overriding an existing installation
+func confirmBootstrap(ctx context.Context, kubeClient client.Client) error {
+	installed := true
+	info, err := getFluxClusterInfo(ctx, kubeClient)
+	if err != nil {
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("cluster info unavailable: %w", err)
+		}
+		installed = false
+	}
+
+	if installed {
+		err = confirmFluxInstallOverride(info)
+		if err != nil {
+			if err == promptui.ErrAbort {
+				return fmt.Errorf("bootstrap cancelled")
+			}
+			return err
+		}
+	}
+	return nil
+}

cmd/flux/bootstrap_bitbucket_server.go

@@ -56,7 +56,7 @@ the bootstrap command will perform an upgrade if needed.`,
   # Run bootstrap for a public repository on a personal account
   flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth --path=clusters/my-cluster
 
-  # Run bootstrap for a an existing repository with a branch named main
+  # Run bootstrap for an existing repository with a branch named main
   flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth --path=clusters/my-cluster`,
 	RunE: bootstrapBServerCmdRun,
 }
@@ -124,6 +124,13 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if !bootstrapArgs.force {
+		err = confirmBootstrap(ctx, kubeClient)
+		if err != nil {
+			return err
+		}
+	}
+
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err

cmd/flux/bootstrap_git.go

@@ -146,6 +146,13 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if !bootstrapArgs.force {
+		err = confirmBootstrap(ctx, kubeClient)
+		if err != nil {
+			return err
+		}
+	}
+
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err

cmd/flux/bootstrap_gitea.go

@@ -0,0 +1,275 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/fluxcd/pkg/git"
+	"github.com/fluxcd/pkg/git/gogit"
+	"github.com/spf13/cobra"
+
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
+)
+
+var bootstrapGiteaCmd = &cobra.Command{
+	Use:   "gitea",
+	Short: "Deploy Flux on a cluster connected to a Gitea repository",
+	Long: `The bootstrap gitea command creates the Gitea repository if it doesn't exists and
+commits the Flux manifests to the specified branch.
+Then it configures the target cluster to synchronize with that repository.
+If the Flux components are present on the cluster,
+the bootstrap command will perform an upgrade if needed.`,
+	Example: `  # Create a Gitea personal access token and export it as an env var
+  export GITEA_TOKEN=<my-token>
+
+  # Run bootstrap for a private repository owned by a Gitea organization
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --path=clusters/my-cluster
+
+  # Run bootstrap for a private repository and assign organization teams to it
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug> --path=clusters/my-cluster
+
+  # Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level> --path=clusters/my-cluster
+
+  # Run bootstrap for a public repository on a personal account
+  flux bootstrap gitea --owner=<user> --repository=<repository name> --private=false --personal=true --path=clusters/my-cluster
+
+  # Run bootstrap for a private repository hosted on Gitea Enterprise using SSH auth
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain> --path=clusters/my-cluster
+
+  # Run bootstrap for a private repository hosted on Gitea Enterprise using HTTPS auth
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
+
+  # Run bootstrap for an existing repository with a branch named main
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --branch=main --path=clusters/my-cluster`,
+	RunE: bootstrapGiteaCmdRun,
+}
+
+type giteaFlags struct {
+	owner        string
+	repository   string
+	interval     time.Duration
+	personal     bool
+	private      bool
+	hostname     string
+	path         flags.SafeRelativePath
+	teams        []string
+	readWriteKey bool
+	reconcile    bool
+}
+
+const (
+	gtDefaultPermission = "maintain"
+	gtDefaultDomain     = "gitea.com"
+	gtTokenEnvVar       = "GITEA_TOKEN"
+)
+
+var giteaArgs giteaFlags
+
+func init() {
+	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.owner, "owner", "", "Gitea user or organization name")
+	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.repository, "repository", "", "Gitea repository name")
+	bootstrapGiteaCmd.Flags().StringSliceVar(&giteaArgs.teams, "team", []string{}, "Gitea team and the access to be given to it(team:maintain). Defaults to maintainer access if no access level is specified (also accepts comma-separated values)")
+	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.personal, "personal", false, "if true, the owner is assumed to be a Gitea user; otherwise an org")
+	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.private, "private", true, "if true, the repository is setup or configured as private")
+	bootstrapGiteaCmd.Flags().DurationVar(&giteaArgs.interval, "interval", time.Minute, "sync interval")
+	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.hostname, "hostname", gtDefaultDomain, "Gitea hostname")
+	bootstrapGiteaCmd.Flags().Var(&giteaArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
+	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
+	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
+
+	bootstrapCmd.AddCommand(bootstrapGiteaCmd)
+}
+
+func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error {
+	gtToken := os.Getenv(gtTokenEnvVar)
+	if gtToken == "" {
+		var err error
+		gtToken, err = readPasswordFromStdin("Please enter your Gitea personal access token (PAT): ")
+		if err != nil {
+			return fmt.Errorf("could not read token: %w", err)
+		}
+	}
+
+	if err := bootstrapValidate(); err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	// Manifest base
+	if ver, err := getVersion(bootstrapArgs.version); err != nil {
+		return err
+	} else {
+		bootstrapArgs.version = ver
+	}
+	manifestsBase, err := buildEmbeddedManifestBase()
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(manifestsBase)
+
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+	// Build Gitea provider
+	providerCfg := provider.Config{
+		Provider: provider.GitProviderGitea,
+		Hostname: giteaArgs.hostname,
+		Token:    gtToken,
+		CaBundle: caBundle,
+	}
+	providerClient, err := provider.BuildGitProvider(providerCfg)
+	if err != nil {
+		return err
+	}
+
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
+	if err != nil {
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
+	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
+		Transport: git.HTTPS,
+		Username:  giteaArgs.owner,
+		Password:  gtToken,
+		CAFile:    caBundle,
+	}, clientOpts...)
+	if err != nil {
+		return fmt.Errorf("failed to create a Git client: %w", err)
+	}
+
+	// Install manifest config
+	installOptions := install.Options{
+		BaseURL:                rootArgs.defaults.BaseURL,
+		Version:                bootstrapArgs.version,
+		Namespace:              *kubeconfigArgs.Namespace,
+		Components:             bootstrapComponents(),
+		Registry:               bootstrapArgs.registry,
+		ImagePullSecret:        bootstrapArgs.imagePullSecret,
+		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
+		NetworkPolicy:          bootstrapArgs.networkPolicy,
+		LogLevel:               bootstrapArgs.logLevel.String(),
+		NotificationController: rootArgs.defaults.NotificationController,
+		ManifestFile:           rootArgs.defaults.ManifestFile,
+		Timeout:                rootArgs.timeout,
+		TargetPath:             giteaArgs.path.ToSlash(),
+		ClusterDomain:          bootstrapArgs.clusterDomain,
+		TolerationKeys:         bootstrapArgs.tolerationKeys,
+	}
+	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
+		installOptions.BaseURL = customBaseURL
+	}
+
+	// Source generation and secret config
+	secretOpts := sourcesecret.Options{
+		Name:         bootstrapArgs.secretName,
+		Namespace:    *kubeconfigArgs.Namespace,
+		TargetPath:   giteaArgs.path.ToSlash(),
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
+	}
+	if bootstrapArgs.tokenAuth {
+		secretOpts.Username = "git"
+		secretOpts.Password = gtToken
+		secretOpts.CAFile = caBundle
+	} else {
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
+
+		secretOpts.SSHHostname = giteaArgs.hostname
+		if bootstrapArgs.sshHostname != "" {
+			secretOpts.SSHHostname = bootstrapArgs.sshHostname
+		}
+	}
+
+	// Sync manifest config
+	syncOpts := sync.Options{
+		Interval:          giteaArgs.interval,
+		Name:              *kubeconfigArgs.Namespace,
+		Namespace:         *kubeconfigArgs.Namespace,
+		Branch:            bootstrapArgs.branch,
+		Secret:            bootstrapArgs.secretName,
+		TargetPath:        giteaArgs.path.ToSlash(),
+		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
+	}
+
+	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
+	if err != nil {
+		return err
+	}
+
+	// Bootstrap config
+	bootstrapOpts := []bootstrap.GitProviderOption{
+		bootstrap.WithProviderRepository(giteaArgs.owner, giteaArgs.repository, giteaArgs.personal),
+		bootstrap.WithBranch(bootstrapArgs.branch),
+		bootstrap.WithBootstrapTransportType("https"),
+		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
+		bootstrap.WithProviderTeamPermissions(mapTeamSlice(giteaArgs.teams, gtDefaultPermission)),
+		bootstrap.WithReadWriteKeyPermissions(giteaArgs.readWriteKey),
+		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
+		bootstrap.WithLogger(logger),
+		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+	}
+	if bootstrapArgs.sshHostname != "" {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
+	}
+	if bootstrapArgs.tokenAuth {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
+	}
+	if !giteaArgs.private {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
+	}
+	if giteaArgs.reconcile {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
+	}
+
+	// Setup bootstrapper with constructed configs
+	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
+	if err != nil {
+		return err
+	}
+
+	// Run
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
+}

cmd/flux/bootstrap_github.go

@@ -128,6 +128,13 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if !bootstrapArgs.force {
+		err = confirmBootstrap(ctx, kubeClient)
+		if err != nil {
+			return err
+		}
+	}
+
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err

cmd/flux/bootstrap_gitlab.go

@@ -64,7 +64,7 @@ the bootstrap command will perform an upgrade if needed.`,
   # Run bootstrap for a private repository hosted on a GitLab server
   flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<domain> --token-auth
 
-  # Run bootstrap for a an existing repository with a branch named main
+  # Run bootstrap for an existing repository with a branch named main
   flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth
 
   # Run bootstrap for a private repository using Deploy Token authentication
@@ -145,6 +145,13 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if !bootstrapArgs.force {
+		err = confirmBootstrap(ctx, kubeClient)
+		if err != nil {
+			return err
+		}
+	}
+
 	// Manifest base
 	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err

cmd/flux/build_artifact.go

@@ -89,7 +89,7 @@ func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
 
 	ociClient := oci.NewClient(oci.DefaultOptions())
 	if err := ociClient.Build(buildArtifactArgs.output, path, buildArtifactArgs.ignorePaths); err != nil {
-		return fmt.Errorf("bulding artifact failed, error: %w", err)
+		return fmt.Errorf("building artifact failed, error: %w", err)
 	}
 
 	logger.Successf("artifact created at %s", buildArtifactArgs.output)

cmd/flux/build_kustomization_test.go

@@ -159,6 +159,7 @@ spec:
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
+	setup(t, tmpl)
 
 	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
 

cmd/flux/check.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	"context"
+	"fmt"
 	"os"
 	"time"
 
@@ -26,6 +27,7 @@ import (
 	v1 "k8s.io/api/apps/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/pkg/version"
@@ -57,7 +59,7 @@ type checkFlags struct {
 }
 
 var kubernetesConstraints = []string{
-	">=1.20.6-0",
+	">=1.25.0-0",
 }
 
 var checkArgs checkFlags
@@ -80,7 +82,20 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 
 	fluxCheck()
 
-	if !kubernetesCheck(kubernetesConstraints) {
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return fmt.Errorf("Kubernetes client initialization failed: %s", err.Error())
+	}
+
+	kubeClient, err := client.New(cfg, client.Options{Scheme: utils.NewScheme()})
+	if err != nil {
+		return err
+	}
+
+	if !kubernetesCheck(cfg, kubernetesConstraints) {
 		checkFailed = true
 	}
 
@@ -92,13 +107,18 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
+	logger.Actionf("checking version in cluster")
+	if !fluxClusterVersionCheck(ctx, kubeClient) {
+		checkFailed = true
+	}
+
 	logger.Actionf("checking controllers")
-	if !componentsCheck() {
+	if !componentsCheck(ctx, kubeClient) {
 		checkFailed = true
 	}
 
 	logger.Actionf("checking crds")
-	if !crdsCheck() {
+	if !crdsCheck(ctx, kubeClient) {
 		checkFailed = true
 	}
 
@@ -129,17 +149,11 @@ func fluxCheck() {
 		return
 	}
 	if latestSv.GreaterThan(curSv) {
-		logger.Failuref("flux %s <%s (new version is available, please upgrade)", curSv, latestSv)
+		logger.Failuref("flux %s <%s (new CLI version is available, please upgrade)", curSv, latestSv)
 	}
 }
 
-func kubernetesCheck(constraints []string) bool {
-	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
-		return false
-	}
-
+func kubernetesCheck(cfg *rest.Config, constraints []string) bool {
 	clientSet, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
@@ -178,21 +192,8 @@ func kubernetesCheck(constraints []string) bool {
 	return true
 }
 
-func componentsCheck() bool {
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeConfig, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return false
-	}
-
-	statusChecker, err := status.NewStatusChecker(kubeConfig, checkArgs.pollInterval, rootArgs.timeout, logger)
-	if err != nil {
-		return false
-	}
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+func componentsCheck(ctx context.Context, kubeClient client.Client) bool {
+	statusChecker, err := status.NewStatusCheckerWithClient(kubeClient, checkArgs.pollInterval, rootArgs.timeout, logger)
 	if err != nil {
 		return false
 	}
@@ -222,15 +223,7 @@ func componentsCheck() bool {
 	return ok
 }
 
-func crdsCheck() bool {
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return false
-	}
-
+func crdsCheck(ctx context.Context, kubeClient client.Client) bool {
 	ok := true
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list apiextensionsv1.CustomResourceDefinitionList
@@ -253,3 +246,17 @@ func crdsCheck() bool {
 	}
 	return ok
 }
+
+func fluxClusterVersionCheck(ctx context.Context, kubeClient client.Client) bool {
+	clusterInfo, err := getFluxClusterInfo(ctx, kubeClient)
+	if err != nil {
+		logger.Failuref("checking failed: %s", err.Error())
+		return false
+	}
+
+	if clusterInfo.distribution() != "" {
+		logger.Successf("distribution: %s", clusterInfo.distribution())
+	}
+	logger.Successf("bootstrapped: %t", clusterInfo.bootstrapped)
+	return true
+}

cmd/flux/cluster_info.go

@@ -0,0 +1,126 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/manifoldco/promptui"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+)
+
+// bootstrapLabels are labels put on a resource by kustomize-controller. These labels on the CRD indicates
+// that flux has been bootstrapped.
+var bootstrapLabels = []string{
+	fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group),
+	fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group),
+}
+
+// fluxClusterInfo contains information about an existing flux installation on a cluster.
+type fluxClusterInfo struct {
+	// bootstrapped indicates that Flux was installed using the `flux bootstrap` command.
+	bootstrapped bool
+	// managedBy is the name of the tool being used to manage the installation of Flux.
+	managedBy string
+	// partOf indicates which distribution the instance is a part of.
+	partOf string
+	// version is the Flux version number in semver format.
+	version string
+}
+
+// getFluxClusterInfo returns information on the Flux installation running on the cluster.
+// If an error occurred, the returned error will be non-nil.
+//
+// This function retrieves the GitRepository CRD from the cluster and checks it
+// for a set of labels used to determine the Flux version and how Flux was installed.
+// It returns the NotFound error from the underlying library if it was unable to find
+// the GitRepository CRD and this can be used to check if Flux is installed.
+func getFluxClusterInfo(ctx context.Context, c client.Client) (fluxClusterInfo, error) {
+	var info fluxClusterInfo
+	crdMetadata := &metav1.PartialObjectMetadata{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: apiextensionsv1.SchemeGroupVersion.String(),
+			Kind:       "CustomResourceDefinition",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: fmt.Sprintf("gitrepositories.%s", sourcev1.GroupVersion.Group),
+		},
+	}
+	if err := c.Get(ctx, client.ObjectKeyFromObject(crdMetadata), crdMetadata); err != nil {
+		return info, err
+	}
+
+	info.version = crdMetadata.Labels[manifestgen.VersionLabelKey]
+
+	var present bool
+	for _, l := range bootstrapLabels {
+		_, present = crdMetadata.Labels[l]
+	}
+	if present {
+		info.bootstrapped = true
+	}
+
+	// the `app.kubernetes.io/managed-by` label is not set by flux but might be set by other
+	// tools used to install Flux e.g Helm.
+	if manager, ok := crdMetadata.Labels["app.kubernetes.io/managed-by"]; ok {
+		info.managedBy = manager
+	}
+
+	if partOf, ok := crdMetadata.Labels[manifestgen.PartOfLabelKey]; ok {
+		info.partOf = partOf
+	}
+	return info, nil
+}
+
+// confirmFluxInstallOverride displays a prompt to the user so that they can confirm before overriding
+// a Flux installation. It returns nil if the installation should continue,
+// promptui.ErrAbort if the user doesn't confirm, or an error encountered.
+func confirmFluxInstallOverride(info fluxClusterInfo) error {
+	// no need to display prompt if installation is managed by Flux
+	if installManagedByFlux(info.managedBy) {
+		return nil
+	}
+
+	display := fmt.Sprintf("Flux %s has been installed on this cluster with %s!", info.version, info.managedBy)
+	fmt.Fprintln(rootCmd.ErrOrStderr(), display)
+	prompt := promptui.Prompt{
+		Label:     fmt.Sprintf("Are you sure you want to override the %s installation? Y/N", info.managedBy),
+		IsConfirm: true,
+	}
+	_, err := prompt.Run()
+	return err
+}
+
+func (info fluxClusterInfo) distribution() string {
+	distribution := info.version
+	if info.partOf != "" {
+		distribution = fmt.Sprintf("%s-%s", info.partOf, info.version)
+	}
+	return distribution
+}
+
+func installManagedByFlux(manager string) bool {
+	return manager == "" || manager == "flux"
+}

cmd/flux/cluster_info_test.go

@@ -0,0 +1,141 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"testing"
+
+	. "github.com/onsi/gomega"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	"github.com/fluxcd/pkg/ssa"
+)
+
+func Test_getFluxClusterInfo(t *testing.T) {
+	g := NewWithT(t)
+	f, err := os.Open("./testdata/cluster_info/gitrepositories.yaml")
+	g.Expect(err).To(BeNil())
+
+	objs, err := ssa.ReadObjects(f)
+	g.Expect(err).To(Not(HaveOccurred()))
+	gitrepo := objs[0]
+
+	tests := []struct {
+		name     string
+		labels   map[string]string
+		wantErr  bool
+		wantInfo fluxClusterInfo
+	}{
+		{
+			name:    "no git repository CRD present",
+			wantErr: true,
+		},
+		{
+			name: "CRD with kustomize-controller labels",
+			labels: map[string]string{
+				fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group):      "flux-system",
+				fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
+				"app.kubernetes.io/version":                                 "v2.1.0",
+			},
+			wantInfo: fluxClusterInfo{
+				version:      "v2.1.0",
+				bootstrapped: true,
+			},
+		},
+		{
+			name: "CRD with kustomize-controller labels and managed-by label",
+			labels: map[string]string{
+				fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group):      "flux-system",
+				fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
+				"app.kubernetes.io/version":                                 "v2.1.0",
+				"app.kubernetes.io/managed-by":                              "flux",
+			},
+			wantInfo: fluxClusterInfo{
+				version:      "v2.1.0",
+				bootstrapped: true,
+				managedBy:    "flux",
+			},
+		},
+		{
+			name: "CRD with only managed-by label",
+			labels: map[string]string{
+				"app.kubernetes.io/version":    "v2.1.0",
+				"app.kubernetes.io/managed-by": "helm",
+			},
+			wantInfo: fluxClusterInfo{
+				version:   "v2.1.0",
+				managedBy: "helm",
+			},
+		},
+		{
+			name:     "CRD with no labels",
+			labels:   map[string]string{},
+			wantInfo: fluxClusterInfo{},
+		},
+		{
+			name: "CRD with only version label",
+			labels: map[string]string{
+				"app.kubernetes.io/version": "v2.1.0",
+			},
+			wantInfo: fluxClusterInfo{
+				version: "v2.1.0",
+			},
+		},
+		{
+			name: "CRD with version and part-of labels",
+			labels: map[string]string{
+				"app.kubernetes.io/version": "v2.1.0",
+				"app.kubernetes.io/part-of": "flux",
+			},
+			wantInfo: fluxClusterInfo{
+				version: "v2.1.0",
+				partOf:  "flux",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			newscheme := runtime.NewScheme()
+			apiextensionsv1.AddToScheme(newscheme)
+			builder := fake.NewClientBuilder().WithScheme(newscheme)
+			if tt.labels != nil {
+				gitrepo.SetLabels(tt.labels)
+				builder = builder.WithRuntimeObjects(gitrepo)
+			}
+
+			client := builder.Build()
+			info, err := getFluxClusterInfo(context.Background(), client)
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(errors.IsNotFound(err)).To(BeTrue())
+			} else {
+				g.Expect(err).To(Not(HaveOccurred()))
+			}
+
+			g.Expect(info).To(BeEquivalentTo(tt.wantInfo))
+		})
+	}
+}

cmd/flux/create.go

@@ -131,8 +131,8 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 	}
 
 	logger.Waitingf("waiting for %s reconciliation", names.kind)
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isReady(ctx, kubeClient, namespacedName, object)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, object.asClientObject())); err != nil {
 		return err
 	}
 	logger.Successf("%s reconciliation completed", names.kind)
@@ -165,6 +165,6 @@ func parseLabels() (map[string]string, error) {
 }
 
 func validateObjectName(name string) bool {
-	r := regexp.MustCompile("^[a-z0-9]([a-z0-9\\-]){0,61}[a-z0-9]$")
+	r := regexp.MustCompile(`^[a-z0-9]([a-z0-9\-]){0,61}[a-z0-9]$`)
 	return r.MatchString(name)
 }

cmd/flux/create_alert.go

@@ -22,14 +22,13 @@ import (
 
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	"github.com/fluxcd/pkg/apis/meta"
 
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -97,13 +96,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating Alert")
 	}
 
-	alert := notificationv1b2.Alert{
+	alert := notificationv1b3.Alert{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: notificationv1b2.AlertSpec{
+		Spec: notificationv1b3.AlertSpec{
 			ProviderRef: meta.LocalObjectReference{
 				Name: alertArgs.providerRef,
 			},
@@ -132,8 +131,8 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for Alert reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isAlertReady(ctx, kubeClient, namespacedName, &alert)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isStaticObjectReadyConditionFunc(kubeClient, namespacedName, &alert)); err != nil {
 		return err
 	}
 	logger.Successf("Alert %s is ready", name)
@@ -141,13 +140,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 }
 
 func upsertAlert(ctx context.Context, kubeClient client.Client,
-	alert *notificationv1b2.Alert) (types.NamespacedName, error) {
+	alert *notificationv1b3.Alert) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: alert.GetNamespace(),
 		Name:      alert.GetName(),
 	}
 
-	var existing notificationv1b2.Alert
+	var existing notificationv1b3.Alert
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -170,23 +169,3 @@ func upsertAlert(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Alert updated")
 	return namespacedName, nil
 }
-
-func isAlertReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, alert *notificationv1b2.Alert) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, alert)
-		if err != nil {
-			return false, err
-		}
-
-		if c := apimeta.FindStatusCondition(alert.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}

cmd/flux/create_alertprovider.go

@@ -22,13 +22,12 @@ import (
 
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 	"github.com/fluxcd/pkg/apis/meta"
 
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -127,8 +126,8 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for Provider reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isAlertProviderReady(ctx, kubeClient, namespacedName, &provider)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isStaticObjectReadyConditionFunc(kubeClient, namespacedName, &provider)); err != nil {
 		return err
 	}
 
@@ -167,23 +166,3 @@ func upsertAlertProvider(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Provider updated")
 	return namespacedName, nil
 }
-
-func isAlertProviderReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, provider *notificationv1.Provider) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, provider)
-		if err != nil {
-			return false, err
-		}
-
-		if c := apimeta.FindStatusCondition(provider.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}

cmd/flux/create_helmrelease.go

@@ -32,7 +32,6 @@ import (
 	"github.com/spf13/cobra"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -303,8 +302,8 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for HelmRelease reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isHelmReleaseReady(ctx, kubeClient, namespacedName, &helmRelease)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &helmRelease)); err != nil {
 		return err
 	}
 	logger.Successf("HelmRelease %s is ready", name)
@@ -344,23 +343,6 @@ func upsertHelmRelease(ctx context.Context, kubeClient client.Client,
 	return namespacedName, nil
 }
 
-func isHelmReleaseReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, helmRelease *helmv2.HelmRelease) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, helmRelease)
-		if err != nil {
-			return false, err
-		}
-
-		// Confirm the state we are observing is for the current generation
-		if helmRelease.Generation != helmRelease.Status.ObservedGeneration {
-			return false, nil
-		}
-
-		return apimeta.IsStatusConditionTrue(helmRelease.Status.Conditions, meta.ReadyCondition), nil
-	}
-}
-
 func validateStrategy(input string) bool {
 	allowedStrategy := []string{"Revision", "ChartVersion"}
 

cmd/flux/create_image_policy.go

@@ -54,13 +54,12 @@ the status of the object.`),
 	RunE: createImagePolicyRun}
 
 type imagePolicyFlags struct {
-	imageRef        string
-	semver          string
-	alpha           string
-	numeric         string
-	filterRegex     string
-	filterExtract   string
-	filterNumerical string
+	imageRef      string
+	semver        string
+	alpha         string
+	numeric       string
+	filterRegex   string
+	filterExtract string
 }
 
 var imagePolicyArgs = imagePolicyFlags{}
@@ -183,7 +182,6 @@ func validateExtractStr(template string, capNames []string) error {
 		name, num, rest, ok := extract(template)
 		if !ok {
 			// Malformed extract string, assume user didn't want this
-			template = template[1:]
 			return fmt.Errorf("--filter-extract is malformed")
 		}
 		template = rest

cmd/flux/create_kustomization.go

@@ -24,7 +24,6 @@ import (
 
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -263,8 +262,8 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for Kustomization reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isKustomizationReady(ctx, kubeClient, namespacedName, &kustomization)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &kustomization)); err != nil {
 		return err
 	}
 	logger.Successf("Kustomization %s is ready", name)
@@ -303,28 +302,3 @@ func upsertKustomization(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Kustomization updated")
 	return namespacedName, nil
 }
-
-func isKustomizationReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, kustomization *kustomizev1.Kustomization) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, kustomization)
-		if err != nil {
-			return false, err
-		}
-
-		// Confirm the state we are observing is for the current generation
-		if kustomization.Generation != kustomization.Status.ObservedGeneration {
-			return false, nil
-		}
-
-		if c := apimeta.FindStatusCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}

cmd/flux/create_receiver.go

@@ -22,7 +22,6 @@ import (
 
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -139,8 +138,8 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for Receiver reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isReceiverReady(ctx, kubeClient, namespacedName, &receiver)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &receiver)); err != nil {
 		return err
 	}
 	logger.Successf("Receiver %s is ready", name)
@@ -179,23 +178,3 @@ func upsertReceiver(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Receiver updated")
 	return namespacedName, nil
 }
-
-func isReceiverReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, receiver *notificationv1.Receiver) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, receiver)
-		if err != nil {
-			return false, err
-		}
-
-		if c := apimeta.FindStatusCondition(receiver.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}

cmd/flux/create_secret_git.go

@@ -88,6 +88,7 @@ type secretGitFlags struct {
 	rsaBits        flags.RSAKeyBits
 	ecdsaCurve     flags.ECDSACurve
 	caFile         string
+	caCrtFile      string
 	privateKeyFile string
 	bearerToken    string
 }
@@ -102,6 +103,7 @@ func init() {
 	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates; takes precedence over --ca-file")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")
 
@@ -160,12 +162,18 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		if secretGitArgs.username != "" && secretGitArgs.password != "" && secretGitArgs.bearerToken != "" {
 			return fmt.Errorf("user credentials and bearer token cannot be used together")
 		}
-		if secretGitArgs.caFile != "" {
-			caBundle, err := os.ReadFile(secretGitArgs.caFile)
+
+		// --ca-crt-file takes precedence over --ca-file.
+		if secretGitArgs.caCrtFile != "" {
+			opts.CACrt, err = os.ReadFile(secretGitArgs.caCrtFile)
+			if err != nil {
+				return fmt.Errorf("unable to read TLS CA file: %w", err)
+			}
+		} else if secretGitArgs.caFile != "" {
+			opts.CAFile, err = os.ReadFile(secretGitArgs.caFile)
 			if err != nil {
 				return fmt.Errorf("unable to read TLS CA file: %w", err)
 			}
-			opts.CAFile = caBundle
 		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)

cmd/flux/create_secret_git_test.go

@@ -1,10 +1,21 @@
 package main
 
 import (
+	"fmt"
+	"os"
 	"testing"
 )
 
 func TestCreateGitSecret(t *testing.T) {
+	file, err := os.CreateTemp(t.TempDir(), "ca-crt")
+	if err != nil {
+		t.Fatal("could not create CA certificate file")
+	}
+	_, err = file.Write([]byte("ca-data"))
+	if err != nil {
+		t.Fatal("could not write to CA certificate file")
+	}
+
 	tests := []struct {
 		name   string
 		args   string
@@ -35,6 +46,11 @@ func TestCreateGitSecret(t *testing.T) {
 			args:   "create secret git bearer-token-auth --url=https://github.com/stefanprodan/podinfo --bearer-token=ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-bearer-token.yaml"),
 		},
+		{
+			name:   "git authentication with CA certificate",
+			args:   fmt.Sprintf("create secret git ca-crt --url=https://github.com/stefanprodan/podinfo --password=my-password --username=my-username --ca-crt-file=%s --namespace=my-namespace --export", file.Name()),
+			assert: assertGoldenFile("testdata/create_secret/git/secret-ca-crt.yaml"),
+		},
 		{
 			name:   "git authentication with basic auth and bearer token",
 			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",

cmd/flux/create_secret_helm.go

@@ -41,15 +41,8 @@ var createSecretHelmCmd = &cobra.Command{
     --export > repo-auth.yaml
 
   sops --encrypt --encrypted-regex '^(data|stringData)$' \
-    --in-place repo-auth.yaml
+    --in-place repo-auth.yaml`,
 
-  # Create a Helm authentication secret using a custom TLS cert
-  flux create secret helm repo-auth \
-    --username=username \
-    --password=password \
-    --cert-file=./cert.crt \
-    --key-file=./key.crt \
-    --ca-file=./ca.crt`,
 	RunE: createSecretHelmCmdRun,
 }
 
@@ -62,9 +55,16 @@ type secretHelmFlags struct {
 var secretHelmArgs secretHelmFlags
 
 func init() {
-	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
-	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
-	initSecretTLSFlags(createSecretHelmCmd.Flags(), &secretHelmArgs.secretTLSFlags)
+	flags := createSecretHelmCmd.Flags()
+	flags.StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
+	flags.StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
+
+	initSecretDeprecatedTLSFlags(flags, &secretHelmArgs.secretTLSFlags)
+	deprecationMsg := "please use the command `flux create secret tls` to generate TLS secrets"
+	flags.MarkDeprecated("cert-file", deprecationMsg)
+	flags.MarkDeprecated("key-file", deprecationMsg)
+	flags.MarkDeprecated("ca-file", deprecationMsg)
+
 	createSecretCmd.AddCommand(createSecretHelmCmd)
 }
 

cmd/flux/create_secret_tls.go

@@ -38,8 +38,9 @@ var createSecretTLSCmd = &cobra.Command{
   # Files are expected to be PEM-encoded.
   flux create secret tls certs \
     --namespace=my-namespace \
-    --cert-file=./client.crt \
-    --key-file=./client.key \
+    --tls-crt-file=./client.crt \
+    --tls-key-file=./client.key \
+    --ca-crt-file=./ca.crt \
     --export > certs.yaml
 
   sops --encrypt --encrypted-regex '^(data|stringData)$' \
@@ -48,22 +49,37 @@ var createSecretTLSCmd = &cobra.Command{
 }
 
 type secretTLSFlags struct {
-	certFile string
-	keyFile  string
-	caFile   string
+	certFile   string
+	keyFile    string
+	caFile     string
+	caCrtFile  string
+	tlsKeyFile string
+	tlsCrtFile string
 }
 
 var secretTLSArgs secretTLSFlags
 
-func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
+func initSecretDeprecatedTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
 	flags.StringVar(&args.certFile, "cert-file", "", "TLS authentication cert file path")
 	flags.StringVar(&args.keyFile, "key-file", "", "TLS authentication key file path")
 	flags.StringVar(&args.caFile, "ca-file", "", "TLS authentication CA file path")
 }
 
+func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
+	flags.StringVar(&args.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
+	flags.StringVar(&args.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
+	flags.StringVar(&args.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
+}
+
 func init() {
 	flags := createSecretTLSCmd.Flags()
+	initSecretDeprecatedTLSFlags(flags, &secretTLSArgs)
 	initSecretTLSFlags(flags, &secretTLSArgs)
+
+	flags.MarkDeprecated("cert-file", "please use --tls-crt-file instead")
+	flags.MarkDeprecated("key-file", "please use --tls-key-file instead")
+	flags.MarkDeprecated("ca-file", "please use --ca-crt-file instead")
+
 	createSecretCmd.AddCommand(createSecretTLSCmd)
 }
 
@@ -75,33 +91,40 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	caBundle := []byte{}
-	if secretTLSArgs.caFile != "" {
-		var err error
-		caBundle, err = os.ReadFile(secretTLSArgs.caFile)
+	opts := sourcesecret.Options{
+		Name:      name,
+		Namespace: *kubeconfigArgs.Namespace,
+		Labels:    labels,
+	}
+
+	if secretTLSArgs.caCrtFile != "" {
+		opts.CACrt, err = os.ReadFile(secretTLSArgs.caCrtFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	} else if secretTLSArgs.caFile != "" {
+		opts.CAFile, err = os.ReadFile(secretTLSArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 
-	var certFile, keyFile []byte
-	if secretTLSArgs.certFile != "" && secretTLSArgs.keyFile != "" {
-		if certFile, err = os.ReadFile(secretTLSArgs.certFile); err != nil {
+	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
+		if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
-		if keyFile, err = os.ReadFile(secretTLSArgs.keyFile); err != nil {
+		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
+			return fmt.Errorf("failed to read key file: %w", err)
+		}
+	} else if secretTLSArgs.certFile != "" && secretTLSArgs.keyFile != "" {
+		if opts.CertFile, err = os.ReadFile(secretTLSArgs.certFile); err != nil {
+			return fmt.Errorf("failed to read cert file: %w", err)
+		}
+		if opts.KeyFile, err = os.ReadFile(secretTLSArgs.keyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
 
-	opts := sourcesecret.Options{
-		Name:      name,
-		Namespace: *kubeconfigArgs.Namespace,
-		Labels:    labels,
-		CAFile:    caBundle,
-		CertFile:  certFile,
-		KeyFile:   keyFile,
-	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err

cmd/flux/create_secret_tls_test.go

@@ -4,7 +4,7 @@ import (
 	"testing"
 )
 
-func TestCreateTlsSecretNoArgs(t *testing.T) {
+func TestCreateTlsSecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
@@ -15,9 +15,13 @@ func TestCreateTlsSecretNoArgs(t *testing.T) {
 			assert: assertError("name is required"),
 		},
 		{
-			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --export",
+			args:   "create secret tls certs --namespace=my-namespace --tls-crt-file=./testdata/create_secret/tls/test-cert.pem --tls-key-file=./testdata/create_secret/tls/test-key.pem --ca-crt-file=./testdata/create_secret/tls/test-ca.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
 		},
+		{
+			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --ca-file=./testdata/create_secret/tls/test-ca.pem --export",
+			assert: assertGoldenFile("testdata/create_secret/tls/deprecated-secret-tls.yaml"),
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

cmd/flux/create_source_bucket.go

@@ -31,7 +31,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 
@@ -204,8 +203,8 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for Bucket source reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isBucketReady(ctx, kubeClient, namespacedName, bucket)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, bucket)); err != nil {
 		return err
 	}
 	logger.Successf("Bucket source reconciliation completed")
@@ -247,30 +246,3 @@ func upsertBucket(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Bucket source updated")
 	return namespacedName, nil
 }
-
-func isBucketReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, bucket *sourcev1.Bucket) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, bucket)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(bucket, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != bucket.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}

cmd/flux/create_source_git.go

@@ -35,7 +35,6 @@ import (
 	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 
@@ -325,8 +324,8 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for GitRepository source reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isGitRepositoryReady(ctx, kubeClient, namespacedName, &gitRepository)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &gitRepository)); err != nil {
 		return err
 	}
 	logger.Successf("GitRepository source reconciliation completed")
@@ -368,30 +367,3 @@ func upsertGitRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("GitRepository source updated")
 	return namespacedName, nil
 }
-
-func isGitRepositoryReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, gitRepository *sourcev1.GitRepository) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, gitRepository)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(gitRepository, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != gitRepository.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}

cmd/flux/create_source_git_test.go

@@ -181,12 +181,21 @@ func TestCreateSourceGit(t *testing.T) {
 						Time: time.Now(),
 					},
 				}
+				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		}, {
 			"Failed",
 			command,
 			assertError("failed message"),
 			func(repo *sourcev1.GitRepository) {
+				stalledCondition := metav1.Condition{
+					Type:               meta.StalledCondition,
+					Status:             metav1.ConditionTrue,
+					Reason:             sourcev1.URLInvalidReason,
+					Message:            "failed message",
+					ObservedGeneration: repo.GetGeneration(),
+				}
+				apimeta.SetStatusCondition(&repo.Status.Conditions, stalledCondition)
 				newCondition := metav1.Condition{
 					Type:               meta.ReadyCondition,
 					Status:             metav1.ConditionFalse,
@@ -195,6 +204,7 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
+				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		}, {
 			"NoArtifact",
@@ -210,6 +220,7 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
+				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		},
 	}

cmd/flux/create_source_helm.go

@@ -23,7 +23,6 @@ import (
 	"os"
 
 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -231,8 +230,12 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for HelmRepository source reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isHelmRepositoryReady(ctx, kubeClient, namespacedName, helmRepository)); err != nil {
+	readyConditionFunc := isObjectReadyConditionFunc(kubeClient, namespacedName, helmRepository)
+	if helmRepository.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		// HelmRepository type OCI is a static object.
+		readyConditionFunc = isStaticObjectReadyConditionFunc(kubeClient, namespacedName, helmRepository)
+	}
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true, readyConditionFunc); err != nil {
 		return err
 	}
 	logger.Successf("HelmRepository source reconciliation completed")
@@ -279,30 +282,3 @@ func upsertHelmRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("source updated")
 	return namespacedName, nil
 }
-
-func isHelmRepositoryReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, helmRepository *sourcev1.HelmRepository) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, helmRepository)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(helmRepository, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != helmRepository.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}

cmd/flux/create_source_oci.go

@@ -29,7 +29,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 
@@ -51,16 +50,18 @@ var createSourceOCIRepositoryCmd = &cobra.Command{
 }
 
 type sourceOCIRepositoryFlags struct {
-	url            string
-	tag            string
-	semver         string
-	digest         string
-	secretRef      string
-	serviceAccount string
-	certSecretRef  string
-	ignorePaths    []string
-	provider       flags.SourceOCIProvider
-	insecure       bool
+	url             string
+	tag             string
+	semver          string
+	digest          string
+	secretRef       string
+	serviceAccount  string
+	certSecretRef   string
+	verifyProvider  flags.SourceOCIVerifyProvider
+	verifySecretRef string
+	ignorePaths     []string
+	provider        flags.SourceOCIProvider
+	insecure        bool
 }
 
 var sourceOCIRepositoryArgs = newSourceOCIFlags()
@@ -80,6 +81,8 @@ func init() {
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
+	createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
 	createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
 	createSourceOCIRepositoryCmd.Flags().BoolVar(&sourceOCIRepositoryArgs.insecure, "insecure", false, "for when connecting to a non-TLS registries over plain HTTP")
 
@@ -156,6 +159,19 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if provider := sourceOCIRepositoryArgs.verifyProvider.String(); provider != "" {
+		repository.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+			Provider: provider,
+		}
+		if secretName := sourceOCIRepositoryArgs.verifySecretRef; secretName != "" {
+			repository.Spec.Verify.SecretRef = &meta.LocalObjectReference{
+				Name: secretName,
+			}
+		}
+	} else if sourceOCIRepositoryArgs.verifySecretRef != "" {
+		return fmt.Errorf("a verification provider must be specified when a secret is specified")
+	}
+
 	if createArgs.export {
 		return printExport(exportOCIRepository(repository))
 	}
@@ -175,8 +191,8 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Waitingf("waiting for OCIRepository reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isOCIRepositoryReady(ctx, kubeClient, namespacedName, repository)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, repository)); err != nil {
 		return err
 	}
 	logger.Successf("OCIRepository reconciliation completed")
@@ -218,30 +234,3 @@ func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("OCIRepository updated")
 	return namespacedName, nil
 }
-
-func isOCIRepositoryReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, ociRepository *sourcev1.OCIRepository) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, ociRepository)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(ociRepository, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != ociRepository.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}

cmd/flux/create_source_oci_test.go

@@ -36,6 +36,11 @@ func TestCreateSourceOCI(t *testing.T) {
 			args:       "create source oci podinfo",
 			assertFunc: assertError("url is required"),
 		},
+		{
+			name:       "verify provider not specified",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-secret-ref=cosign-pub",
+			assertFunc: assertError("a verification provider must be specified when a secret is specified"),
+		},
 		{
 			name:       "export manifest",
 			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --export",
@@ -46,6 +51,11 @@ func TestCreateSourceOCI(t *testing.T) {
 			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --secret-ref=creds --export",
 			assertFunc: assertGoldenFile("./testdata/oci/export_with_secret.golden"),
 		},
+		{
+			name:       "export manifest with verify secret",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --verify-provider=cosign --verify-secret-ref=cosign-pub --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export_with_verify_secret.golden"),
+		},
 	}
 
 	for _, tt := range tests {

cmd/flux/delete_alert.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )
 
 var deleteAlertCmd = &cobra.Command{

cmd/flux/delete_alertprovider.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )
 
 var deleteAlertProviderCmd = &cobra.Command{

cmd/flux/diff_kustomization_test.go

@@ -91,6 +91,12 @@ func TestDiffKustomization(t *testing.T) {
 			objectFile: "./testdata/diff-kustomization/stringdata-sops-secret.yaml",
 			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-drifted-stringdata-sops-secret.golden"),
 		},
+		{
+			name:       "diff where kustomization file has multiple objects with the same name",
+			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false --kustomization-file ./testdata/diff-kustomization/flux-kustomization-multiobj.yaml",
+			objectFile: "",
+			assert:     assertGoldenFile("./testdata/diff-kustomization/nothing-is-deployed.golden"),
+		},
 	}
 
 	tmpl := map[string]string{

cmd/flux/events.go

@@ -44,7 +44,7 @@ import (
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 
@@ -62,8 +62,14 @@ var eventsCmd = &cobra.Command{
 	# Display events for flux resources in all namespaces
 	flux events -A
 
-	# Display events for flux resources
+	# Display events for a Kustomization named podinfo
 	flux events --for Kustomization/podinfo
+
+	# Display events for all Kustomizations in default namespace
+	flux events --for Kustomization -n default
+
+	# Display warning events for alert resources
+	flux events --for Alert/podinfo --types warning
 `,
 	RunE: eventsCmdRun,
 }
@@ -84,7 +90,7 @@ func init() {
 		"indicate if the events should be streamed")
 	eventsCmd.Flags().StringVar(&eventArgs.forSelector, "for", "",
 		"get events for a particular object")
-	eventsCmd.Flags().StringSliceVar(&eventArgs.filterTypes, "types", []string{}, "filter events for certain types")
+	eventsCmd.Flags().StringSliceVar(&eventArgs.filterTypes, "types", []string{}, "filter events for certain types (valid types are: Normal, Warning)")
 	rootCmd.AddCommand(eventsCmd)
 }
 
@@ -92,6 +98,10 @@ func eventsCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
+	if err := validateEventTypes(eventArgs.filterTypes); err != nil {
+		return err
+	}
+
 	kubeclient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
@@ -103,21 +113,33 @@ func eventsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	var diffRefNs bool
-	clientListOpts := getListOpt(namespace, eventArgs.forSelector)
+	clientListOpts := []client.ListOption{client.InNamespace(*kubeconfigArgs.Namespace)}
 	var refListOpts [][]client.ListOption
 	if eventArgs.forSelector != "" {
-		refs, err := getObjectRef(ctx, kubeclient, eventArgs.forSelector, *kubeconfigArgs.Namespace)
+		kind, name := getKindNameFromSelector(eventArgs.forSelector)
+		if kind == "" {
+			return fmt.Errorf("--for selector must be of format <kind>[/<name>]")
+		}
+
+		refInfoKind, err := fluxKindMap.getRefInfo(kind)
 		if err != nil {
 			return err
 		}
-
-		for _, ref := range refs {
-			kind, name, refNs := utils.ParseObjectKindNameNamespace(ref)
-			if refNs != namespace {
-				diffRefNs = true
+		clientListOpts = append(clientListOpts, getListOpt(refInfoKind.gvk.Kind, name))
+		if name != "" {
+			refs, err := getObjectRef(ctx, kubeclient, refInfoKind, name, *kubeconfigArgs.Namespace)
+			if err != nil {
+				return err
+			}
+
+			for _, ref := range refs {
+				refKind, refName, refNs := utils.ParseObjectKindNameNamespace(ref)
+				if refNs != namespace {
+					diffRefNs = true
+				}
+				refOpt := []client.ListOption{getListOpt(refKind, refName), client.InNamespace(refNs)}
+				refListOpts = append(refListOpts, refOpt)
 			}
-			refSelector := fmt.Sprintf("%s/%s", kind, name)
-			refListOpts = append(refListOpts, getListOpt(refNs, refSelector))
 		}
 	}
 
@@ -127,6 +149,9 @@ func eventsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	rows, err := getRows(ctx, kubeclient, clientListOpts, refListOpts, showNamespace)
+	if err != nil {
+		return err
+	}
 	if len(rows) == 0 {
 		if eventArgs.allNamespaces {
 			logger.Failuref("No events found.")
@@ -137,8 +162,7 @@ func eventsCmdRun(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 	headers := getHeaders(showNamespace)
-	err = printers.TablePrinter(headers).Print(cmd.OutOrStdout(), rows)
-	return err
+	return printers.TablePrinter(headers).Print(cmd.OutOrStdout(), rows)
 }
 
 func getRows(ctx context.Context, kubeclient client.Client, clientListOpts []client.ListOption, refListOpts [][]client.ListOption, showNs bool) ([][]string, error) {
@@ -168,11 +192,11 @@ func getRows(ctx context.Context, kubeclient client.Client, clientListOpts []cli
 
 func addEventsToList(ctx context.Context, kubeclient client.Client, el *corev1.EventList, clientListOpts []client.ListOption) error {
 	listOpts := &metav1.ListOptions{}
+	clientListOpts = append(clientListOpts, client.Limit(cmdutil.DefaultChunkSize))
 	err := runtimeresource.FollowContinue(listOpts,
 		func(options metav1.ListOptions) (runtime.Object, error) {
 			newEvents := &corev1.EventList{}
-			err := kubeclient.List(ctx, newEvents, clientListOpts...)
-			if err != nil {
+			if err := kubeclient.List(ctx, newEvents, clientListOpts...); err != nil {
 				return nil, fmt.Errorf("error getting events: %w", err)
 			}
 			el.Items = append(el.Items, newEvents.Items...)
@@ -182,21 +206,22 @@ func addEventsToList(ctx context.Context, kubeclient client.Client, el *corev1.E
 	return err
 }
 
-func getListOpt(namespace, selector string) []client.ListOption {
-	clientListOpts := []client.ListOption{client.Limit(cmdutil.DefaultChunkSize), client.InNamespace(namespace)}
-	if selector != "" {
-		kind, name := utils.ParseObjectKindName(selector)
-		sel := fields.AndSelectors(
+func getListOpt(kind, name string) client.ListOption {
+	var sel fields.Selector
+	if name == "" {
+		sel = fields.OneTermEqualSelector("involvedObject.kind", kind)
+	} else {
+		sel = fields.AndSelectors(
 			fields.OneTermEqualSelector("involvedObject.kind", kind),
 			fields.OneTermEqualSelector("involvedObject.name", name))
-		clientListOpts = append(clientListOpts, client.MatchingFieldsSelector{Selector: sel})
 	}
 
-	return clientListOpts
+	return client.MatchingFieldsSelector{Selector: sel}
 }
 
 func eventsCmdWatchRun(ctx context.Context, kubeclient client.WithWatch, listOpts []client.ListOption, refListOpts [][]client.ListOption, showNs bool) error {
 	event := &corev1.EventList{}
+	listOpts = append(listOpts, client.Limit(cmdutil.DefaultChunkSize))
 	eventWatch, err := kubeclient.Watch(ctx, event, listOpts...)
 	if err != nil {
 		return err
@@ -222,12 +247,7 @@ func eventsCmdWatchRun(ctx context.Context, kubeclient client.WithWatch, listOpt
 			hdr = getHeaders(showNs)
 			firstIteration = false
 		}
-		err = printers.TablePrinter(hdr).Print(os.Stdout, [][]string{rows})
-		if err != nil {
-			return err
-		}
-
-		return nil
+		return printers.TablePrinter(hdr).Print(os.Stdout, [][]string{rows})
 	}
 
 	for _, refOpts := range refListOpts {
@@ -236,8 +256,7 @@ func eventsCmdWatchRun(ctx context.Context, kubeclient client.WithWatch, listOpt
 			return err
 		}
 		go func() {
-			err := receiveEventChan(ctx, refEventWatch, handleEvent)
-			if err != nil {
+			if err := receiveEventChan(ctx, refEventWatch, handleEvent); err != nil {
 				logger.Failuref("error watching events: %s", err.Error())
 			}
 		}()
@@ -286,13 +305,7 @@ func getEventRow(e corev1.Event, showNs bool) []string {
 // getObjectRef is used to get the metadata of a resource that the selector(in the format <kind/name>) references.
 // It returns an empty string if the resource doesn't reference any resource
 // and a string with the format `<kind>/<name>.<namespace>` if it does.
-func getObjectRef(ctx context.Context, kubeclient client.Client, selector string, ns string) ([]string, error) {
-	kind, name := utils.ParseObjectKindName(selector)
-	ref, err := fluxKindMap.getRefInfo(kind)
-	if err != nil {
-		return nil, fmt.Errorf("error getting groupversion: %w", err)
-	}
-
+func getObjectRef(ctx context.Context, kubeclient client.Client, ref refInfo, name, ns string) ([]string, error) {
 	// the resource has no source ref
 	if len(ref.field) == 0 {
 		return nil, nil
@@ -300,31 +313,30 @@ func getObjectRef(ctx context.Context, kubeclient client.Client, selector string
 
 	obj := &unstructured.Unstructured{}
 	obj.SetGroupVersionKind(schema.GroupVersionKind{
-		Kind:    kind,
-		Version: ref.gv.Version,
-		Group:   ref.gv.Group,
+		Kind:    ref.gvk.Kind,
+		Version: ref.gvk.Version,
+		Group:   ref.gvk.Group,
 	})
 	objName := types.NamespacedName{
 		Namespace: ns,
 		Name:      name,
 	}
 
-	err = kubeclient.Get(ctx, objName, obj)
-	if err != nil {
+	if err := kubeclient.Get(ctx, objName, obj); err != nil {
 		return nil, err
 	}
 
-	var ok bool
 	refKind := ref.kind
 	if refKind == "" {
 		kindField := append(ref.field, "kind")
-		refKind, ok, err = unstructured.NestedString(obj.Object, kindField...)
+		specKind, ok, err := unstructured.NestedString(obj.Object, kindField...)
 		if err != nil {
 			return nil, err
 		}
 		if !ok {
 			return nil, fmt.Errorf("field '%s' for '%s' not found", strings.Join(kindField, "."), objName)
 		}
+		refKind = specKind
 	}
 
 	nameField := append(ref.field, "name")
@@ -374,49 +386,71 @@ func (r refMap) hasKind(kind string) bool {
 	return err == nil
 }
 
+// validateEventTypes checks that the event types passed into the function
+// is either equal to `Normal` or `Warning` which are currently the two supported types.
+// https://github.com/kubernetes/kubernetes/blob/a8a1abc25cad87333840cd7d54be2efaf31a3177/staging/src/k8s.io/api/core/v1/types.go#L6212
+func validateEventTypes(eventTypes []string) error {
+	for _, t := range eventTypes {
+		if !strings.EqualFold(corev1.EventTypeWarning, t) && !strings.EqualFold(corev1.EventTypeNormal, t) {
+			return fmt.Errorf("type '%s' not supported. Supported types are Normal, Warning", t)
+		}
+	}
+
+	return nil
+}
+
 type refInfo struct {
-	gv              schema.GroupVersion
-	kind            string
+	// gvk is the group version kind of the resource
+	gvk schema.GroupVersionKind
+	// kind is the kind that the resource references if it's not static
+	kind string
+	// crossNamespaced indicates if this resource uses cross namespaced references
 	crossNamespaced bool
-	otherRefs       func(namespace, name string) []string
-	field           []string
+	// otherRefs returns other reference that might not be directly accessible
+	// from the spec of the object
+	otherRefs func(namespace, name string) []string
+	field     []string
 }
 
 var fluxKindMap = refMap{
 	kustomizev1.KustomizationKind: {
-		gv:              kustomizev1.GroupVersion,
+		gvk:             kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind),
 		crossNamespaced: true,
 		field:           []string{"spec", "sourceRef"},
 	},
 	helmv2.HelmReleaseKind: {
-		gv:              helmv2.GroupVersion,
+		gvk:             helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind),
 		crossNamespaced: true,
 		otherRefs: func(namespace, name string) []string {
 			return []string{fmt.Sprintf("%s/%s-%s", sourcev1b2.HelmChartKind, namespace, name)}
 		},
 		field: []string{"spec", "chart", "spec", "sourceRef"},
 	},
-	notificationv1b2.AlertKind: {
-		gv:              notificationv1b2.GroupVersion,
-		kind:            notificationv1b2.ProviderKind,
+	notificationv1b3.AlertKind: {
+		gvk:             notificationv1b3.GroupVersion.WithKind(notificationv1b3.AlertKind),
+		kind:            notificationv1b3.ProviderKind,
 		crossNamespaced: false,
 		field:           []string{"spec", "providerRef"},
 	},
-	notificationv1.ReceiverKind:   {gv: notificationv1.GroupVersion},
-	notificationv1b2.ProviderKind: {gv: notificationv1b2.GroupVersion},
+	notificationv1.ReceiverKind:   {gvk: notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)},
+	notificationv1b3.ProviderKind: {gvk: notificationv1b3.GroupVersion.WithKind(notificationv1b3.ProviderKind)},
 	imagev1.ImagePolicyKind: {
-		gv:              imagev1.GroupVersion,
+		gvk:             imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind),
 		kind:            imagev1.ImageRepositoryKind,
 		crossNamespaced: true,
 		field:           []string{"spec", "imageRepositoryRef"},
 	},
-	sourcev1.GitRepositoryKind:       {gv: sourcev1.GroupVersion},
-	sourcev1b2.OCIRepositoryKind:     {gv: sourcev1b2.GroupVersion},
-	sourcev1b2.BucketKind:            {gv: sourcev1b2.GroupVersion},
-	sourcev1b2.HelmRepositoryKind:    {gv: sourcev1b2.GroupVersion},
-	sourcev1b2.HelmChartKind:         {gv: sourcev1b2.GroupVersion},
-	autov1.ImageUpdateAutomationKind: {gv: autov1.GroupVersion},
-	imagev1.ImageRepositoryKind:      {gv: imagev1.GroupVersion},
+	sourcev1b2.HelmChartKind: {
+		gvk:             sourcev1b2.GroupVersion.WithKind(sourcev1b2.HelmChartKind),
+		crossNamespaced: true,
+		field:           []string{"spec", "sourceRef"},
+	},
+	sourcev1.GitRepositoryKind:       {gvk: sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)},
+	sourcev1b2.OCIRepositoryKind:     {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.OCIRepositoryKind)},
+	sourcev1b2.BucketKind:            {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.BucketKind)},
+	sourcev1b2.HelmRepositoryKind:    {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.HelmRepositoryKind)},
+	autov1.ImageUpdateAutomationKind: {gvk: autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)},
+	imagev1.ImageRepositoryKind:      {gvk: imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)},
 }
 
 func ignoreEvent(e corev1.Event) bool {
@@ -434,7 +468,19 @@ func ignoreEvent(e corev1.Event) bool {
 	return false
 }
 
-// The functions below are copied from: https://github.com/kubernetes/kubectl/blob/master/pkg/cmd/events/events.go#L347
+func getKindNameFromSelector(selector string) (string, string) {
+	kind, name := utils.ParseObjectKindName(selector)
+	// if there's no slash in the selector utils.ParseObjectKindName returns the
+	// input string as the name but here we want it as the kind instead
+	if kind == "" && name != "" {
+		kind = name
+		name = ""
+	}
+
+	return kind, name
+}
+
+// The functions below are copied from: https://github.com/kubernetes/kubectl/blob/4ecd7bd0f0799f191335a331ca3c6a397a888233/pkg/cmd/events/events.go#L294
 
 // SortableEvents implements sort.Interface for []api.Event by time
 type SortableEvents []corev1.Event

cmd/flux/events_test.go

@@ -27,21 +27,11 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
-	"k8s.io/apimachinery/pkg/runtime"
-	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	helmv2beta1 "github.com/fluxcd/helm-controller/api/v2beta1"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
 	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
 	"github.com/fluxcd/pkg/ssa"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
@@ -128,7 +118,7 @@ spec:
     name: podinfo-chart
   version: '*'
 ---
-apiVersion: notification.toolkit.fluxcd.io/v1beta2
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Alert
 metadata:
   name: webapp
@@ -141,7 +131,7 @@ spec:
   providerRef:
     name: slack
 ---
-apiVersion: notification.toolkit.fluxcd.io/v1beta2
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Provider
 metadata:
   name: slack
@@ -173,7 +163,7 @@ func Test_getObjectRef(t *testing.T) {
 	objs, err := ssa.ReadObjects(strings.NewReader(objects))
 	g.Expect(err).To(Not(HaveOccurred()))
 
-	builder := fake.NewClientBuilder().WithScheme(getScheme())
+	builder := fake.NewClientBuilder().WithScheme(utils.NewScheme())
 	for _, obj := range objs {
 		builder = builder.WithObjects(obj)
 	}
@@ -216,6 +206,12 @@ func Test_getObjectRef(t *testing.T) {
 			namespace: "default",
 			want:      []string{"ImageRepository/acr-podinfo.flux-system"},
 		},
+		{
+			name:      "Source Ref for ImagePolicy (lowercased)",
+			selector:  "imagepolicy/podinfo",
+			namespace: "default",
+			want:      []string{"ImageRepository/acr-podinfo.flux-system"},
+		},
 		{
 			name:      "Empty Ref for Provider",
 			selector:  "Provider/slack",
@@ -232,11 +228,13 @@ func Test_getObjectRef(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			g := NewWithT(t)
-			got, err := getObjectRef(context.Background(), c, tt.selector, tt.namespace)
+			kind, name := getKindNameFromSelector(tt.selector)
+			infoRef, err := fluxKindMap.getRefInfo(kind)
 			if tt.wantErr {
 				g.Expect(err).To(HaveOccurred())
 				return
 			}
+			got, err := getObjectRef(context.Background(), c, infoRef, name, tt.namespace)
 
 			g.Expect(err).To(Not(HaveOccurred()))
 			g.Expect(got).To(Equal(tt.want))
@@ -249,7 +247,7 @@ func Test_getRows(t *testing.T) {
 	objs, err := ssa.ReadObjects(strings.NewReader(objects))
 	g.Expect(err).To(Not(HaveOccurred()))
 
-	builder := fake.NewClientBuilder().WithScheme(getScheme())
+	builder := fake.NewClientBuilder().WithScheme(utils.NewScheme())
 	for _, obj := range objs {
 		builder = builder.WithObjects(obj)
 	}
@@ -261,6 +259,7 @@ func Test_getRows(t *testing.T) {
 	}
 	builder = builder.WithLists(eventList)
 	builder.WithIndex(&corev1.Event{}, "involvedObject.kind/name", kindNameIndexer)
+	builder.WithIndex(&corev1.Event{}, "involvedObject.kind", kindIndexer)
 	c := builder.Build()
 
 	tests := []struct {
@@ -320,6 +319,16 @@ func Test_getRows(t *testing.T) {
 				{"flux-system", "<unknown>", "info", "Info Reason", "GitRepository/flux-system", "Info Message"},
 			},
 		},
+		{
+			name:     "All Kustomization (lowercased selector)",
+			selector: "kustomization",
+			expected: [][]string{
+				{"default", "<unknown>", "error", "Error Reason", "Kustomization/podinfo", "Error Message"},
+				{"default", "<unknown>", "info", "Info Reason", "Kustomization/podinfo", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "Kustomization/flux-system", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "Kustomization/flux-system", "Info Message"},
+			},
+		},
 		{
 			name:      "HelmRelease with crossnamespaced HelmRepository",
 			selector:  "HelmRelease/podinfo",
@@ -333,6 +342,19 @@ func Test_getRows(t *testing.T) {
 				{"flux-system", "<unknown>", "info", "Info Reason", "HelmChart/default-podinfo", "Info Message"},
 			},
 		},
+		{
+			name:      "HelmRelease with crossnamespaced HelmRepository (lowercased)",
+			selector:  "helmrelease/podinfo",
+			namespace: "default",
+			expected: [][]string{
+				{"default", "<unknown>", "error", "Error Reason", "HelmRelease/podinfo", "Error Message"},
+				{"default", "<unknown>", "info", "Info Reason", "HelmRelease/podinfo", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "HelmRepository/podinfo", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "HelmRepository/podinfo", "Info Message"},
+				{"flux-system", "<unknown>", "error", "Error Reason", "HelmChart/default-podinfo", "Error Message"},
+				{"flux-system", "<unknown>", "info", "Info Reason", "HelmChart/default-podinfo", "Info Message"},
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -341,59 +363,49 @@ func Test_getRows(t *testing.T) {
 
 			var refs []string
 			var refNs, refKind, refName string
+			var clientOpts = []client.ListOption{client.InNamespace(tt.namespace)}
 			if tt.selector != "" {
-				refs, err = getObjectRef(context.Background(), c, tt.selector, tt.namespace)
-				g.Expect(err).To(Not(HaveOccurred()))
+				kind, name := getKindNameFromSelector(tt.selector)
+				infoRef, err := fluxKindMap.getRefInfo(kind)
+				clientOpts = append(clientOpts, getTestListOpt(infoRef.gvk.Kind, name))
+				if name != "" {
+					g.Expect(err).To(Not(HaveOccurred()))
+					refs, err = getObjectRef(context.Background(), c, infoRef, name, tt.namespace)
+					g.Expect(err).To(Not(HaveOccurred()))
+				}
 			}
 
 			g.Expect(err).To(Not(HaveOccurred()))
 
-			clientOpts := getTestListOpt(tt.namespace, tt.selector)
 			var refOpts [][]client.ListOption
 			for _, ref := range refs {
 				refKind, refName, refNs = utils.ParseObjectKindNameNamespace(ref)
-				refSelector := fmt.Sprintf("%s/%s", refKind, refName)
-				refOpts = append(refOpts, getTestListOpt(refNs, refSelector))
+				refOpts = append(refOpts, []client.ListOption{client.InNamespace(refNs), getTestListOpt(refKind, refName)})
 			}
 
 			showNs := tt.namespace == "" || (refNs != "" && refNs != tt.namespace)
 			rows, err := getRows(context.Background(), c, clientOpts, refOpts, showNs)
 			g.Expect(err).To(Not(HaveOccurred()))
-			g.Expect(rows).To(Equal(tt.expected))
+			g.Expect(rows).To(ConsistOf(tt.expected))
 		})
 	}
 }
 
-func getTestListOpt(namespace, selector string) []client.ListOption {
-	clientListOpts := []client.ListOption{client.Limit(cmdutil.DefaultChunkSize), client.InNamespace(namespace)}
-	if selector != "" {
-		sel := fields.OneTermEqualSelector("involvedObject.kind/name", selector)
-		clientListOpts = append(clientListOpts, client.MatchingFieldsSelector{Selector: sel})
+func getTestListOpt(kind, name string) client.ListOption {
+	var sel fields.Selector
+	if name == "" {
+		sel = fields.OneTermEqualSelector("involvedObject.kind", kind)
+	} else {
+		sel = fields.OneTermEqualSelector("involvedObject.kind/name", fmt.Sprintf("%s/%s", kind, name))
 	}
-
-	return clientListOpts
-}
-
-func getScheme() *runtime.Scheme {
-	newscheme := runtime.NewScheme()
-	corev1.AddToScheme(newscheme)
-	kustomizev1.AddToScheme(newscheme)
-	helmv2beta1.AddToScheme(newscheme)
-	notificationv1.AddToScheme(newscheme)
-	notificationv1b2.AddToScheme(newscheme)
-	imagev1.AddToScheme(newscheme)
-	autov1.AddToScheme(newscheme)
-	sourcev1.AddToScheme(newscheme)
-	sourcev1b2.AddToScheme(newscheme)
-
-	return newscheme
+	return client.MatchingFieldsSelector{Selector: sel}
 }
 
 func createEvent(obj client.Object, eventType, msg, reason string) corev1.Event {
 	return corev1.Event{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: obj.GetNamespace(),
-			// name of event needs to be unique so fak
+			// name of event needs to be unique
 			Name: obj.GetNamespace() + obj.GetNamespace() + obj.GetObjectKind().GroupVersionKind().Kind + eventType,
 		},
 		Reason:  reason,
@@ -415,3 +427,12 @@ func kindNameIndexer(obj client.Object) []string {
 
 	return []string{fmt.Sprintf("%s/%s", e.InvolvedObject.Kind, e.InvolvedObject.Name)}
 }
+
+func kindIndexer(obj client.Object) []string {
+	e, ok := obj.(*corev1.Event)
+	if !ok {
+		panic(fmt.Sprintf("Expected a Event, got %T", e))
+	}
+
+	return []string{e.InvolvedObject.Kind}
+}

cmd/flux/export_alert.go

@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )
 
 var exportAlertCmd = &cobra.Command{

cmd/flux/export_alertprovider.go

@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )
 
 var exportAlertProviderCmd = &cobra.Command{

cmd/flux/export_secret.go

@@ -46,7 +46,6 @@ type exportableWithSecretList interface {
 }
 
 type exportWithSecretCommand struct {
-	apiType
 	object exportableWithSecret
 	list   exportableWithSecretList
 }

cmd/flux/get.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"strings"
@@ -27,6 +28,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/discovery"
 	watchtools "k8s.io/client-go/tools/watch"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -176,6 +178,10 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 
 	err = kubeClient.List(ctx, get.list.asClientList(), listOpts...)
 	if err != nil {
+		var discErr *discovery.ErrGroupDiscoveryFailed
+		if getAll && (strings.Contains(err.Error(), "no matches for kind") || errors.As(err, &discErr)) {
+			return nil
+		}
 		return err
 	}
 

cmd/flux/get_alert.go

@@ -19,12 +19,14 @@ package main
 import (
 	"fmt"
 	"strconv"
-	"strings"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )
 
 var getAlertCmd = &cobra.Command{
@@ -76,8 +78,9 @@ func init() {
 
 func (s alertListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
-	status, msg := statusAndMessage(item.Status.Conditions)
-	return append(nameColumns(&item, includeNamespace, includeKind), strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+	status, msg := string(metav1.ConditionTrue), "Alert is Ready"
+	return append(nameColumns(&item, includeNamespace, includeKind),
+		cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (s alertListAdapter) headers(includeNamespace bool) []string {
@@ -89,6 +92,5 @@ func (s alertListAdapter) headers(includeNamespace bool) []string {
 }
 
 func (s alertListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
-	item := s.Items[i]
-	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+	return false
 }

cmd/flux/get_alertprovider.go

@@ -20,9 +20,10 @@ import (
 	"fmt"
 
 	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )
 
 var getAlertProviderCmd = &cobra.Command{
@@ -74,7 +75,7 @@ func init() {
 
 func (s alertProviderListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
-	status, msg := statusAndMessage(item.Status.Conditions)
+	status, msg := string(metav1.ConditionTrue), "Provider is Ready"
 	return append(nameColumns(&item, includeNamespace, includeKind), status, msg)
 }
 
@@ -87,6 +88,5 @@ func (s alertProviderListAdapter) headers(includeNamespace bool) []string {
 }
 
 func (s alertProviderListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
-	item := s.Items[i]
-	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+	return false
 }

cmd/flux/get_all.go

@@ -24,7 +24,7 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 )
 
 var getAllCmd = &cobra.Command{
@@ -63,11 +63,11 @@ var getAllCmd = &cobra.Command{
 			},
 			{
 				apiType: alertProviderType,
-				list:    alertProviderListAdapter{&notificationv1b2.ProviderList{}},
+				list:    alertProviderListAdapter{&notificationv1b3.ProviderList{}},
 			},
 			{
 				apiType: alertType,
-				list:    &alertListAdapter{&notificationv1b2.AlertList{}},
+				list:    &alertListAdapter{&notificationv1b3.AlertList{}},
 			},
 		}
 

cmd/flux/get_helmrelease.go

@@ -19,11 +19,13 @@ package main
 import (
 	"fmt"
 	"strconv"
-	"strings"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+	"k8s.io/apimachinery/pkg/runtime"
 
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/runtime"
 )
 
 var getHelmReleaseCmd = &cobra.Command{
@@ -75,7 +77,7 @@ func (a helmReleaseListAdapter) summariseItem(i int, includeNamespace bool, incl
 	revision := item.Status.LastAppliedRevision
 	status, msg := statusAndMessage(item.Status.Conditions)
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+		revision, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a helmReleaseListAdapter) headers(includeNamespace bool) []string {

cmd/flux/get_image_all.go

@@ -17,8 +17,6 @@ limitations under the License.
 package main
 
 import (
-	"strings"
-
 	"github.com/spf13/cobra"
 
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
@@ -57,9 +55,7 @@ var getImageAllCmd = &cobra.Command{
 
 		for _, c := range allImageCmd {
 			if err := c.run(cmd, args); err != nil {
-				if !strings.Contains(err.Error(), "no matches for kind") {
-					logger.Failuref(err.Error())
-				}
+				logger.Failuref(err.Error())
 			}
 		}
 

cmd/flux/get_image_repository.go

@@ -19,10 +19,11 @@ package main
 import (
 	"fmt"
 	"strconv"
-	"strings"
 	"time"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
@@ -82,7 +83,7 @@ func (s imageRepositoryListAdapter) summariseItem(i int, includeNamespace bool,
 		lastScan = item.Status.LastScanResult.ScanTime.Time.Format(time.RFC3339)
 	}
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		lastScan, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+		lastScan, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (s imageRepositoryListAdapter) headers(includeNamespace bool) []string {

cmd/flux/get_image_update.go

@@ -19,10 +19,11 @@ package main
 import (
 	"fmt"
 	"strconv"
-	"strings"
 	"time"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
@@ -81,7 +82,8 @@ func (s imageUpdateAutomationListAdapter) summariseItem(i int, includeNamespace
 	if item.Status.LastAutomationRunTime != nil {
 		lastRun = item.Status.LastAutomationRunTime.Time.Format(time.RFC3339)
 	}
-	return append(nameColumns(&item, includeNamespace, includeKind), lastRun, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+	return append(nameColumns(&item, includeNamespace, includeKind), lastRun,
+		cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (s imageUpdateAutomationListAdapter) headers(includeNamespace bool) []string {

cmd/flux/get_kustomization.go

@@ -19,9 +19,10 @@ package main
 import (
 	"fmt"
 	"strconv"
-	"strings"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
@@ -83,7 +84,7 @@ func (a kustomizationListAdapter) summariseItem(i int, includeNamespace bool, in
 	revision = utils.TruncateHex(revision)
 	msg = utils.TruncateHex(msg)
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+		revision, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a kustomizationListAdapter) headers(includeNamespace bool) []string {

cmd/flux/get_receiver.go

@@ -19,9 +19,10 @@ package main
 import (
 	"fmt"
 	"strconv"
-	"strings"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
@@ -74,7 +75,8 @@ func init() {
 func (s receiverListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
-	return append(nameColumns(&item, includeNamespace, includeKind), strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+	return append(nameColumns(&item, includeNamespace, includeKind),
+		cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (s receiverListAdapter) headers(includeNamespace bool) []string {

cmd/flux/get_source_bucket.go

@@ -19,9 +19,10 @@ package main
 import (
 	"fmt"
 	"strconv"
-	"strings"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
@@ -85,7 +86,7 @@ func (a *bucketListAdapter) summariseItem(i int, includeNamespace bool, includeK
 	revision = utils.TruncateHex(revision)
 	msg = utils.TruncateHex(msg)
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+		revision, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a bucketListAdapter) headers(includeNamespace bool) []string {

cmd/flux/get_source_chart.go

@@ -19,9 +19,10 @@ package main
 import (
 	"fmt"
 	"strconv"
-	"strings"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
@@ -86,7 +87,7 @@ func (a *helmChartListAdapter) summariseItem(i int, includeNamespace bool, inclu
 	// Message may still contain reference of e.g. commit chart was build from
 	msg = utils.TruncateHex(msg)
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+		revision, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a helmChartListAdapter) headers(includeNamespace bool) []string {

cmd/flux/get_source_git.go

@@ -19,9 +19,10 @@ package main
 import (
 	"fmt"
 	"strconv"
-	"strings"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
@@ -85,7 +86,7 @@ func (a *gitRepositoryListAdapter) summariseItem(i int, includeNamespace bool, i
 	revision = utils.TruncateHex(revision)
 	msg = utils.TruncateHex(msg)
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+		revision, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a gitRepositoryListAdapter) headers(includeNamespace bool) []string {

cmd/flux/get_source_helm.go

@@ -19,9 +19,11 @@ package main
 import (
 	"fmt"
 	"strconv"
-	"strings"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
@@ -81,11 +83,16 @@ func (a *helmRepositoryListAdapter) summariseItem(i int, includeNamespace bool,
 	if item.GetArtifact() != nil {
 		revision = item.GetArtifact().Revision
 	}
-	status, msg := statusAndMessage(item.Status.Conditions)
+	var status, msg string
+	if item.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		status, msg = string(metav1.ConditionTrue), "Helm repository is Ready"
+	} else {
+		status, msg = statusAndMessage(item.Status.Conditions)
+	}
 	revision = utils.TruncateHex(revision)
 	msg = utils.TruncateHex(msg)
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+		revision, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a helmRepositoryListAdapter) headers(includeNamespace bool) []string {

cmd/flux/get_source_oci.go

@@ -19,9 +19,10 @@ package main
 import (
 	"fmt"
 	"strconv"
-	"strings"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
@@ -85,7 +86,7 @@ func (a *ociRepositoryListAdapter) summariseItem(i int, includeNamespace bool, i
 	revision = utils.TruncateHex(revision)
 	msg = utils.TruncateHex(msg)
 	return append(nameColumns(&item, includeNamespace, includeKind),
-		revision, strings.Title(strconv.FormatBool(item.Spec.Suspend)), status, msg)
+		revision, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }
 
 func (a ociRepositoryListAdapter) headers(includeNamespace bool) []string {

cmd/flux/install.go

@@ -23,7 +23,9 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/api/errors"
 
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -34,6 +36,7 @@ import (
 
 var installCmd = &cobra.Command{
 	Use:   "install",
+	Args:  cobra.NoArgs,
 	Short: "Install or upgrade Flux",
 	Long: `The install command deploys Flux in the specified namespace.
 If a previous version is installed, then an in-place upgrade will be performed.`,
@@ -72,6 +75,7 @@ type installFlags struct {
 	tokenAuth          bool
 	clusterDomain      string
 	tolerationKeys     []string
+	force              bool
 }
 
 var installArgs = NewInstallFlags()
@@ -98,6 +102,7 @@ func init() {
 	installCmd.Flags().StringVar(&installArgs.clusterDomain, "cluster-domain", rootArgs.defaults.ClusterDomain, "internal cluster domain")
 	installCmd.Flags().StringSliceVar(&installArgs.tolerationKeys, "toleration-keys", nil,
 		"list of toleration keys used to schedule the components pods onto nodes with matching taints")
+	installCmd.Flags().BoolVar(&installArgs.force, "force", false, "override existing Flux installation if it's managed by a diffrent tool such as Helm")
 	installCmd.Flags().MarkHidden("manifests")
 
 	rootCmd.AddCommand(installCmd)
@@ -183,6 +188,35 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	logger.Successf("manifests build completed")
 	logger.Actionf("installing components in %s namespace", *kubeconfigArgs.Namespace)
 
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	installed := true
+	info, err := getFluxClusterInfo(ctx, kubeClient)
+	if err != nil {
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("cluster info unavailable: %w", err)
+		}
+		installed = false
+	}
+
+	if info.bootstrapped {
+		return fmt.Errorf("this cluster has already been bootstrapped with Flux %s! Please use 'flux bootstrap' to upgrade",
+			info.version)
+	}
+
+	if installed && !installArgs.force {
+		err := confirmFluxInstallOverride(info)
+		if err != nil {
+			if err == promptui.ErrAbort {
+				return fmt.Errorf("installation cancelled")
+			}
+			return err
+		}
+	}
+
 	applyOutput, err := utils.Apply(ctx, kubeconfigArgs, kubeclientOptions, tmpDir, filepath.Join(tmpDir, manifest.Path))
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)

cmd/flux/install_test.go

@@ -37,6 +37,11 @@ func TestInstall(t *testing.T) {
 			args:   "install --namespace='@#[]'",
 			assert: assertError("namespace must be a valid DNS label: \"@#[]\""),
 		},
+		{
+			name:   "invalid sub-command",
+			args:   "install unexpectedPosArg --namespace=example",
+			assert: assertError(`unknown command "unexpectedPosArg" for "flux install"`),
+		},
 	}
 
 	for _, tt := range tests {

cmd/flux/kustomization_test.go

@@ -61,11 +61,26 @@ func TestKustomizationFromGit(t *testing.T) {
 			"testdata/kustomization/suspend_kustomization_from_git.golden",
 			tmpl,
 		},
+		{
+			"suspend kustomization tkfg foo tkfg bar",
+			"testdata/kustomization/suspend_kustomization_from_git_multiple_args.golden",
+			tmpl,
+		},
+		{
+			"resume kustomization tkfg foo --wait",
+			"testdata/kustomization/resume_kustomization_from_git_multiple_args_wait.golden",
+			tmpl,
+		},
 		{
 			"resume kustomization tkfg",
 			"testdata/kustomization/resume_kustomization_from_git.golden",
 			tmpl,
 		},
+		{
+			"resume kustomization tkfg tkfg",
+			"testdata/kustomization/resume_kustomization_from_git_multiple_args.golden",
+			tmpl,
+		},
 		{
 			"delete kustomization tkfg --silent",
 			"testdata/kustomization/delete_kustomization_from_git.golden",

cmd/flux/logs.go

@@ -20,6 +20,7 @@ import (
 	"bufio"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -73,10 +74,10 @@ type logsFlags struct {
 	fluxNamespace string
 	allNamespaces bool
 	sinceTime     string
-	sinceSeconds  time.Duration
+	sinceDuration time.Duration
 }
 
-var logsArgs = &logsFlags{
+var logsArgs = logsFlags{
 	tail: -1,
 }
 
@@ -90,7 +91,7 @@ func init() {
 	logsCmd.Flags().Int64VarP(&logsArgs.tail, "tail", "", logsArgs.tail, "lines of recent log file to display")
 	logsCmd.Flags().StringVarP(&logsArgs.fluxNamespace, "flux-namespace", "", rootArgs.defaults.Namespace, "the namespace where the Flux components are running")
 	logsCmd.Flags().BoolVarP(&logsArgs.allNamespaces, "all-namespaces", "A", false, "displays logs for objects across all namespaces")
-	logsCmd.Flags().DurationVar(&logsArgs.sinceSeconds, "since", logsArgs.sinceSeconds, "Only return logs newer than a relative duration like 5s, 2m, or 3h. Defaults to all logs. Only one of since-time / since may be used.")
+	logsCmd.Flags().DurationVar(&logsArgs.sinceDuration, "since", logsArgs.sinceDuration, "Only return logs newer than a relative duration like 5s, 2m, or 3h. Defaults to all logs. Only one of since-time / since may be used.")
 	logsCmd.Flags().StringVar(&logsArgs.sinceTime, "since-time", logsArgs.sinceTime, "Only return logs after a specific date (RFC3339). Defaults to all logs. Only one of since-time / since may be used.")
 	rootCmd.AddCommand(logsCmd)
 }
@@ -115,7 +116,7 @@ func logsCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("no argument required")
 	}
 
-	pods, err := getPods(ctx, clientset, fluxSelector)
+	pods, err := getPods(ctx, clientset, logsArgs.fluxNamespace, fluxSelector)
 	if err != nil {
 		return err
 	}
@@ -128,8 +129,8 @@ func logsCmdRun(cmd *cobra.Command, args []string) error {
 		logOpts.TailLines = &logsArgs.tail
 	}
 
-	if len(logsArgs.sinceTime) > 0 && logsArgs.sinceSeconds != 0 {
-		return fmt.Errorf("at most one of `sinceTime` or `sinceSeconds` may be specified")
+	if len(logsArgs.sinceTime) > 0 && logsArgs.sinceDuration != 0 {
+		return fmt.Errorf("at most one of `sinceTime` or `sinceDuration` may be specified")
 	}
 
 	if len(logsArgs.sinceTime) > 0 {
@@ -140,9 +141,9 @@ func logsCmdRun(cmd *cobra.Command, args []string) error {
 		logOpts.SinceTime = &t
 	}
 
-	if logsArgs.sinceSeconds != 0 {
+	if logsArgs.sinceDuration != 0 {
 		// round up to the nearest second
-		sec := int64(logsArgs.sinceSeconds.Round(time.Second).Seconds())
+		sec := int64(logsArgs.sinceDuration.Round(time.Second).Seconds())
 		logOpts.SinceSeconds = &sec
 	}
 
@@ -163,13 +164,16 @@ func logsCmdRun(cmd *cobra.Command, args []string) error {
 	return podLogs(ctx, requests)
 }
 
-func getPods(ctx context.Context, c *kubernetes.Clientset, label string) ([]corev1.Pod, error) {
+// getPods searches for all Deployments in the given namespace that match the given label and returns a list of Pods
+// from these Deployments. For each Deployment a single Pod is chosen (based on various factors such as the running
+// state). If no Pod is found, an error is returned.
+func getPods(ctx context.Context, c *kubernetes.Clientset, ns string, label string) ([]corev1.Pod, error) {
 	var ret []corev1.Pod
 
 	opts := metav1.ListOptions{
 		LabelSelector: label,
 	}
-	deployList, err := c.AppsV1().Deployments(logsArgs.fluxNamespace).List(ctx, opts)
+	deployList, err := c.AppsV1().Deployments(ns).List(ctx, opts)
 	if err != nil {
 		return ret, err
 	}
@@ -179,7 +183,7 @@ func getPods(ctx context.Context, c *kubernetes.Clientset, label string) ([]core
 		opts := metav1.ListOptions{
 			LabelSelector: createLabelStringFromMap(label),
 		}
-		podList, err := c.CoreV1().Pods(logsArgs.fluxNamespace).List(ctx, opts)
+		podList, err := c.CoreV1().Pods(ns).List(ctx, opts)
 		if err != nil {
 			return ret, err
 		}
@@ -196,11 +200,16 @@ func getPods(ctx context.Context, c *kubernetes.Clientset, label string) ([]core
 		}
 	}
 
+	if len(ret) == 0 {
+		return nil, fmt.Errorf("no Flux pods found in namespace %q", ns)
+	}
+
 	return ret, nil
 }
 
 func parallelPodLogs(ctx context.Context, requests []rest.ResponseWrapper) error {
 	reader, writer := io.Pipe()
+	errReader, errWriter := io.Pipe()
 	wg := &sync.WaitGroup{}
 	wg.Add(len(requests))
 
@@ -208,7 +217,7 @@ func parallelPodLogs(ctx context.Context, requests []rest.ResponseWrapper) error
 		go func(req rest.ResponseWrapper) {
 			defer wg.Done()
 			if err := logRequest(ctx, req, writer); err != nil {
-				writer.CloseWithError(err)
+				fmt.Fprintf(errWriter, "failed getting logs: %s\n", err)
 				return
 			}
 		}(request)
@@ -217,20 +226,40 @@ func parallelPodLogs(ctx context.Context, requests []rest.ResponseWrapper) error
 	go func() {
 		wg.Wait()
 		writer.Close()
+		errWriter.Close()
 	}()
 
-	_, err := io.Copy(os.Stdout, reader)
-	return err
+	stdoutErrCh := asyncCopy(os.Stdout, reader)
+	stderrErrCh := asyncCopy(os.Stderr, errReader)
+
+	return errors.Join(<-stdoutErrCh, <-stderrErrCh)
+}
+
+// asyncCopy copies all data from from dst to src asynchronously and returns a channel for reading an error value.
+// This is basically an asynchronous wrapper around `io.Copy`. The returned channel is unbuffered and always is sent
+// a value (either nil or the error from `io.Copy`) as soon as `io.Copy` returns.
+// This function lets you copy from multiple sources into multiple destinations in parallel.
+func asyncCopy(dst io.Writer, src io.Reader) <-chan error {
+	errCh := make(chan error)
+	go func(errCh chan error) {
+		_, err := io.Copy(dst, src)
+		errCh <- err
+	}(errCh)
+
+	return errCh
 }
 
 func podLogs(ctx context.Context, requests []rest.ResponseWrapper) error {
+	var retErr error
 	for _, req := range requests {
 		if err := logRequest(ctx, req, os.Stdout); err != nil {
-			return err
+			fmt.Fprintf(os.Stderr, "failed getting logs: %s\n", err)
+			retErr = fmt.Errorf("failed to collect logs from all Flux pods")
+			continue
 		}
 	}
 
-	return nil
+	return retErr
 }
 
 func createLabelStringFromMap(m map[string]string) string {

cmd/flux/logs_e2e_test.go

@@ -0,0 +1,88 @@
+//go:build e2e
+// +build e2e
+
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestLogsNoArgs(t *testing.T) {
+	cmd := cmdTestCase{
+		args:   "logs",
+		assert: assertSuccess(),
+	}
+	cmd.runTestCmd(t)
+}
+
+func TestLogsWrongNamespace(t *testing.T) {
+	cmd := cmdTestCase{
+		args:   "logs --flux-namespace=default",
+		assert: assertError(`no Flux pods found in namespace "default"`),
+	}
+	cmd.runTestCmd(t)
+}
+
+func TestLogsAllNamespaces(t *testing.T) {
+	cmd := cmdTestCase{
+		args:   "logs --all-namespaces",
+		assert: assertSuccess(),
+	}
+	cmd.runTestCmd(t)
+}
+
+func TestLogsSince(t *testing.T) {
+	cmd := cmdTestCase{
+		args:   "logs --since=2m",
+		assert: assertSuccess(),
+	}
+	cmd.runTestCmd(t)
+}
+
+func TestLogsSinceInvalid(t *testing.T) {
+	cmd := cmdTestCase{
+		args:   "logs --since=XXX",
+		assert: assertError(`invalid argument "XXX" for "--since" flag: time: invalid duration "XXX"`),
+	}
+	cmd.runTestCmd(t)
+}
+
+func TestLogsSinceTime(t *testing.T) {
+	cmd := cmdTestCase{
+		args:   "logs --since-time=2021-08-06T14:26:25.546Z",
+		assert: assertSuccess(),
+	}
+	cmd.runTestCmd(t)
+}
+
+func TestLogsSinceTimeInvalid(t *testing.T) {
+	cmd := cmdTestCase{
+		args:   "logs --since-time=XXX",
+		assert: assertError("XXX is not a valid (RFC3339) time"),
+	}
+	cmd.runTestCmd(t)
+}
+
+func TestLogsSinceOnlyOneAllowed(t *testing.T) {
+	cmd := cmdTestCase{
+		args:   "logs --since=2m --since-time=2021-08-06T14:26:25.546Z",
+		assert: assertError("at most one of `sinceTime` or `sinceDuration` may be specified"),
+	}
+	cmd.runTestCmd(t)
+}

cmd/flux/logs_unit_test.go

@@ -30,73 +30,17 @@ import (
 	. "github.com/onsi/gomega"
 )
 
-func TestLogsNoArgs(t *testing.T) {
-	cmd := cmdTestCase{
-		args:   "logs",
-		assert: assertSuccess(),
-	}
-	cmd.runTestCmd(t)
-}
-
-func TestLogsAllNamespaces(t *testing.T) {
-	cmd := cmdTestCase{
-		args:   "logs --all-namespaces",
-		assert: assertSuccess(),
-	}
-	cmd.runTestCmd(t)
-}
-
-func TestLogsSince(t *testing.T) {
-	cmd := cmdTestCase{
-		args:   "logs --since=2m",
-		assert: assertSuccess(),
-	}
-	cmd.runTestCmd(t)
-}
-
-func TestLogsSinceInvalid(t *testing.T) {
-	cmd := cmdTestCase{
-		args:   "logs --since=XXX",
-		assert: assertError(`invalid argument "XXX" for "--since" flag: time: invalid duration "XXX"`),
-	}
-	cmd.runTestCmd(t)
-}
-
-func TestLogsSinceTime(t *testing.T) {
-	cmd := cmdTestCase{
-		args:   "logs --since-time=2021-08-06T14:26:25.546Z",
-		assert: assertSuccess(),
-	}
-	cmd.runTestCmd(t)
-}
-
-func TestLogsSinceTimeInvalid(t *testing.T) {
-	cmd := cmdTestCase{
-		args:   "logs --since-time=XXX",
-		assert: assertError("XXX is not a valid (RFC3339) time"),
-	}
-	cmd.runTestCmd(t)
-}
-
-func TestLogsSinceOnlyOneAllowed(t *testing.T) {
-	cmd := cmdTestCase{
-		args:   "logs --since=2m --since-time=2021-08-06T14:26:25.546Z",
-		assert: assertError("at most one of `sinceTime` or `sinceSeconds` may be specified"),
-	}
-	cmd.runTestCmd(t)
-}
-
 func TestLogRequest(t *testing.T) {
 	mapper := &testResponseMapper{}
 	tests := []struct {
 		name       string
 		namespace  string
-		flags      *logsFlags
+		flags      logsFlags
 		assertFile string
 	}{
 		{
 			name: "all logs",
-			flags: &logsFlags{
+			flags: logsFlags{
 				tail:          -1,
 				allNamespaces: true,
 			},
@@ -105,14 +49,14 @@ func TestLogRequest(t *testing.T) {
 		{
 			name:      "filter by namespace",
 			namespace: "default",
-			flags: &logsFlags{
+			flags: logsFlags{
 				tail: -1,
 			},
 			assertFile: "testdata/logs/namespace.txt",
 		},
 		{
 			name: "filter by kind and namespace",
-			flags: &logsFlags{
+			flags: logsFlags{
 				tail: -1,
 				kind: "Kustomization",
 			},
@@ -120,7 +64,7 @@ func TestLogRequest(t *testing.T) {
 		},
 		{
 			name: "filter by loglevel",
-			flags: &logsFlags{
+			flags: logsFlags{
 				tail:          -1,
 				logLevel:      "error",
 				allNamespaces: true,
@@ -130,7 +74,7 @@ func TestLogRequest(t *testing.T) {
 		{
 			name:      "filter by namespace, name, loglevel and kind",
 			namespace: "flux-system",
-			flags: &logsFlags{
+			flags: logsFlags{
 				tail:     -1,
 				logLevel: "error",
 				kind:     "Kustomization",
@@ -163,7 +107,7 @@ func TestLogRequest(t *testing.T) {
 
 			// reset flags to default
 			*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
-			logsArgs = &logsFlags{
+			logsArgs = logsFlags{
 				tail: -1,
 			}
 		})

cmd/flux/main.go

@@ -24,12 +24,14 @@ import (
 	"strings"
 	"time"
 
+	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 
 	runclient "github.com/fluxcd/pkg/runtime/client"
 
@@ -149,6 +151,11 @@ func init() {
 	apiServer := ""
 	kubeconfigArgs.APIServer = &apiServer
 	rootCmd.PersistentFlags().StringVar(kubeconfigArgs.APIServer, "server", *kubeconfigArgs.APIServer, "The address and port of the Kubernetes API server")
+	// Update the description for kubeconfig TLS flags so that user's don't mistake it for a Flux specific flag
+	rootCmd.Flag("insecure-skip-tls-verify").Usage = "If true, the Kubernetes API server's certificate will not be checked for validity. This will make your HTTPS connections insecure"
+	rootCmd.Flag("client-certificate").Usage = "Path to a client certificate file for TLS authentication to the Kubernetes API server"
+	rootCmd.Flag("certificate-authority").Usage = "Path to a cert file for the certificate authority to authenticate the Kubernetes API server"
+	rootCmd.Flag("client-key").Usage = "Path to a client key file for TLS authentication to the Kubernetes API server"
 
 	kubeclientOptions.BindFlags(rootCmd.PersistentFlags())
 
@@ -170,6 +177,15 @@ func NewRootFlags() rootFlags {
 
 func main() {
 	log.SetFlags(0)
+
+	// This is required because controller-runtime expects its consumers to
+	// set a logger through log.SetLogger within 30 seconds of the program's
+	// initalization. If not set, the entire debug stack is printed as an
+	// error, see: https://github.com/kubernetes-sigs/controller-runtime/blob/ed8be90/pkg/log/log.go#L59
+	// Since we have our own logging and don't care about controller-runtime's
+	// logger, we configure it's logger to do nothing.
+	ctrllog.SetLogger(logr.New(ctrllog.NullLogSink{}))
+
 	if err := rootCmd.Execute(); err != nil {
 
 		if err, ok := err.(*RequestError); ok {

cmd/flux/main_e2e_test.go

@@ -25,10 +25,15 @@ import (
 	"os"
 	"testing"
 
+	"github.com/go-logr/logr"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 
 func TestMain(m *testing.M) {
+	log.SetLogger(logr.New(log.NullLogSink{}))
+
 	// Ensure tests print consistent timestamps regardless of timezone
 	os.Setenv("TZ", "UTC")
 
@@ -41,7 +46,7 @@ func TestMain(m *testing.M) {
 	// Install Flux.
 	output, err := executeCommand("install --components-extra=image-reflector-controller,image-automation-controller")
 	if err != nil {
-		panic(fmt.Errorf("install falied: %s error:'%w'", output, err))
+		panic(fmt.Errorf("install failed: %s error:'%w'", output, err))
 	}
 
 	// Run tests
@@ -50,7 +55,7 @@ func TestMain(m *testing.M) {
 	// Uninstall Flux
 	output, err = executeCommand("uninstall -s --keep-namespace")
 	if err != nil {
-		panic(fmt.Errorf("uninstall falied: %s error:'%w'", output, err))
+		panic(fmt.Errorf("uninstall failed: %s error:'%w'", output, err))
 	}
 
 	// Delete namespace and wait for finalisation

cmd/flux/main_test.go

@@ -34,6 +34,7 @@ import (
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/google/go-cmp/cmp"
 	"github.com/mattn/go-shellwords"
+	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	k8syaml "k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/client-go/tools/clientcmd"
@@ -112,7 +113,8 @@ func (m *testEnvKubeManager) CreateObjects(clientObjects []*unstructured.Unstruc
 		}
 		obj.SetResourceVersion(createObj.GetResourceVersion())
 		err = m.client.Status().Update(context.Background(), obj)
-		if err != nil {
+		// Updating status of static objects results in not found error.
+		if err != nil && !errors.IsNotFound(err) {
 			return err
 		}
 	}
@@ -182,7 +184,7 @@ func NewTestEnvKubeManager(testClusterMode TestClusterMode) (*testEnvKubeManager
 		}
 
 		tmpFilename := filepath.Join("/tmp", "kubeconfig-"+time.Nanosecond.String())
-		os.WriteFile(tmpFilename, kubeConfig, 0644)
+		os.WriteFile(tmpFilename, kubeConfig, 0o600)
 		k8sClient, err := client.NewWithWatch(cfg, client.Options{
 			Scheme: utils.NewScheme(),
 		})
@@ -203,6 +205,9 @@ func NewTestEnvKubeManager(testClusterMode TestClusterMode) (*testEnvKubeManager
 
 		useExistingCluster := true
 		config, err := clientcmd.BuildConfigFromFlags("", testKubeConfig)
+		if err != nil {
+			return nil, err
+		}
 		testEnv := &envtest.Environment{
 			UseExistingCluster: &useExistingCluster,
 			Config:             config,
@@ -310,7 +315,7 @@ func assertGoldenTemplateFile(goldenFile string, templateValues map[string]strin
 					if len(templateValues) > 0 {
 						fmt.Println("NOTE: -update flag passed but golden template files can't be updated, please update it manually")
 					} else {
-						if err := os.WriteFile(goldenFile, []byte(output), 0644); err != nil {
+						if err := os.WriteFile(goldenFile, []byte(output), 0o600); err != nil {
 							return fmt.Errorf("failed to update golden file '%s': %v", goldenFile, err)
 						}
 						return nil
@@ -337,8 +342,6 @@ type cmdTestCase struct {
 	// Tests use assertFunc to assert on an output, success or failure. This
 	// can be a function defined by the test or existing function above.
 	assert assertFunc
-	// Filename that contains yaml objects to load into Kubernetes
-	objectFile string
 }
 
 func (cmd *cmdTestCase) runTestCmd(t *testing.T) {
@@ -365,6 +368,12 @@ func executeTemplate(content string, templateValues map[string]string) (string,
 // Run the command and return the captured output.
 func executeCommand(cmd string) (string, error) {
 	defer resetCmdArgs()
+	defer func() {
+		// need to set this explicitly because apparently its value isn't changed
+		// in subsequent executions which causes tests to fail that rely on the value
+		// of "Changed".
+		resumeCmd.PersistentFlags().Lookup("wait").Changed = false
+	}()
 	args, err := shellwords.Parse(cmd)
 	if err != nil {
 		return "", err
@@ -392,6 +401,10 @@ func resetCmdArgs() {
 	alertProviderArgs = alertProviderFlags{}
 	bootstrapArgs = NewBootstrapFlags()
 	bServerArgs = bServerFlags{}
+	logsArgs = logsFlags{
+		tail:          -1,
+		fluxNamespace: rootArgs.defaults.Namespace,
+	}
 	buildKsArgs = buildKsFlags{}
 	checkArgs = checkFlags{}
 	createArgs = createFlags{}

cmd/flux/main_unit_test.go

@@ -22,10 +22,13 @@ package main
 import (
 	"context"
 	"fmt"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"os"
 	"testing"
+
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // The test environment is long running process shared between tests, initialized
@@ -34,6 +37,8 @@ import (
 var testEnv *testEnvKubeManager
 
 func TestMain(m *testing.M) {
+	log.SetLogger(logr.New(log.NullLogSink{}))
+
 	// Ensure tests print consistent timestamps regardless of timezone
 	os.Setenv("TZ", "UTC")
 

cmd/flux/object.go

@@ -47,7 +47,7 @@ type copyable interface {
 	deepCopyClientObject() client.Object
 }
 
-// listAdapater is the analogue to adapter, but for lists; the
+// listAdapter is the analogue to adapter, but for lists; the
 // controller runtime distinguishes between methods dealing with
 // objects and lists.
 type listAdapter interface {

cmd/flux/pull_artifact.go

@@ -111,8 +111,12 @@ func pullArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	logger.Successf("source %s", meta.Source)
-	logger.Successf("revision %s", meta.Revision)
+	if meta.Source != "" {
+		logger.Successf("source %s", meta.Source)
+	}
+	if meta.Revision != "" {
+		logger.Successf("revision %s", meta.Revision)
+	}
 	logger.Successf("digest %s", meta.Digest)
 	logger.Successf("artifact content extracted to %s", pullArtifactArgs.output)
 

cmd/flux/push_artifact.go

@@ -28,7 +28,6 @@ import (
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/google/go-containerregistry/pkg/logs"
 	"github.com/google/go-containerregistry/pkg/name"
-	reg "github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/google/go-containerregistry/pkg/v1/remote/transport"
 	"github.com/spf13/cobra"
@@ -36,7 +35,7 @@ import (
 
 	"github.com/fluxcd/pkg/oci"
 	"github.com/fluxcd/pkg/oci/auth/login"
-	client "github.com/fluxcd/pkg/oci/client"
+	"github.com/fluxcd/pkg/oci/client"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 
 	"github.com/fluxcd/flux2/v2/internal/flags"
@@ -89,7 +88,7 @@ The command can read the credentials from '~/.docker/config.json' but they can a
   # Login directly to the registry provider
   # You might need to export the following variable if you use local config files for AWS:
   # export AWS_SDK_LOAD_CONFIG=1
-  flux push artifact oci://<account>.dkr.ecr.<region>.amazonaws.com/foo:v1:$(git tag --points-at HEAD) \
+  flux push artifact oci://<account>.dkr.ecr.<region>.amazonaws.com/app-config:$(git tag --points-at HEAD) \
 	--path="./path/to/local/manifests" \
 	--source="$(git config --get remote.origin.url)" \
 	--revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \
@@ -261,17 +260,20 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	ociClient := client.NewClient(opts)
-	digestURL, err := ociClient.Push(ctx, url, path, meta, pushArtifactArgs.ignorePaths)
+	digestURL, err := ociClient.Push(ctx, url, path,
+		client.WithPushMetadata(meta),
+		client.WithPushIgnorePaths(pushArtifactArgs.ignorePaths...),
+	)
 	if err != nil {
 		return fmt.Errorf("pushing artifact failed: %w", err)
 	}
 
-	digest, err := reg.NewDigest(digestURL)
+	digest, err := name.NewDigest(digestURL)
 	if err != nil {
 		return fmt.Errorf("artifact digest parsing failed: %w", err)
 	}
 
-	tag, err := reg.NewTag(url)
+	tag, err := name.NewTag(url)
 	if err != nil {
 		return fmt.Errorf("artifact tag parsing failed: %w", err)
 	}

cmd/flux/readiness.go

@@ -0,0 +1,149 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	kstatus "github.com/fluxcd/cli-utils/pkg/kstatus/status"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/object"
+	"github.com/fluxcd/pkg/runtime/patch"
+)
+
+// objectStatusType is the type of object in terms of status when computing the
+// readiness of an object. Readiness check method depends on the type of object.
+// For a dynamic object, Ready status condition is considered only for the
+// latest generation of the object. For a static object that don't have any
+// condition, the object generation is not considered.
+type objectStatusType int
+
+const (
+	objectStatusDynamic objectStatusType = iota
+	objectStatusStatic
+)
+
+// isObjectReady determines if an object is ready using the kstatus.Compute()
+// result. statusType helps differenciate between static and dynamic objects to
+// accurately check the object's readiness. A dynamic object may have some extra
+// considerations depending on the object.
+func isObjectReady(obj client.Object, statusType objectStatusType) (bool, error) {
+	observedGen, err := object.GetStatusObservedGeneration(obj)
+	if err != nil && err != object.ErrObservedGenerationNotFound {
+		return false, err
+	}
+
+	if statusType == objectStatusDynamic {
+		// Object not reconciled yet.
+		if observedGen < 1 {
+			return false, nil
+		}
+
+		cobj, ok := obj.(meta.ObjectWithConditions)
+		if !ok {
+			return false, fmt.Errorf("unable to get conditions from object")
+		}
+
+		if c := apimeta.FindStatusCondition(cobj.GetConditions(), meta.ReadyCondition); c != nil {
+			// Ensure that the ready condition is for the latest generation of
+			// the object.
+			// NOTE: Some APIs like ImageUpdateAutomation and HelmRelease don't
+			// support per condition observed generation yet. Per condition
+			// observed generation for them are always zero.
+			// There are two strategies used across different object kinds to
+			// check the latest ready condition:
+			//   - check that the ready condition's generation matches the
+			//     object's generation.
+			//   - check that the observed generation of the object in the
+			//     status matches the object's generation.
+			//
+			// TODO: Once ImageUpdateAutomation and HelmRelease APIs have per
+			// condition observed generation, remove the object's observed
+			// generation and object's generation check (the second condition
+			// below). Also, try replacing this readiness check function with
+			// fluxcd/pkg/ssa's ResourceManager.Wait(), which uses kstatus
+			// internally to check readiness of the objects.
+			if c.ObservedGeneration != 0 && c.ObservedGeneration != obj.GetGeneration() {
+				return false, nil
+			}
+			if c.ObservedGeneration == 0 && observedGen != obj.GetGeneration() {
+				return false, nil
+			}
+		} else {
+			return false, nil
+		}
+	}
+
+	u, err := patch.ToUnstructured(obj)
+	if err != nil {
+		return false, err
+	}
+	result, err := kstatus.Compute(u)
+	if err != nil {
+		return false, err
+	}
+	switch result.Status {
+	case kstatus.CurrentStatus:
+		return true, nil
+	case kstatus.InProgressStatus:
+		return false, nil
+	default:
+		return false, fmt.Errorf(result.Message)
+	}
+}
+
+// isObjectReadyConditionFunc returns a wait.ConditionFunc to be used with
+// wait.Poll* while polling for an object with dynamic status to be ready.
+func isObjectReadyConditionFunc(kubeClient client.Client, namespaceName types.NamespacedName, obj client.Object) wait.ConditionWithContextFunc {
+	return func(ctx context.Context) (bool, error) {
+		err := kubeClient.Get(ctx, namespaceName, obj)
+		if err != nil {
+			return false, err
+		}
+
+		return isObjectReady(obj, objectStatusDynamic)
+	}
+}
+
+// isStaticObjectReadyConditionFunc returns a wait.ConditionFunc to be used with
+// wait.Poll* while polling for an object with static or no status to be
+// ready.
+func isStaticObjectReadyConditionFunc(kubeClient client.Client, namespaceName types.NamespacedName, obj client.Object) wait.ConditionWithContextFunc {
+	return func(ctx context.Context) (bool, error) {
+		err := kubeClient.Get(ctx, namespaceName, obj)
+		if err != nil {
+			return false, err
+		}
+
+		return isObjectReady(obj, objectStatusStatic)
+	}
+}
+
+// kstatusCompute returns the kstatus computed result of a given object.
+func kstatusCompute(obj client.Object) (result *kstatus.Result, err error) {
+	u, err := patch.ToUnstructured(obj)
+	if err != nil {
+		return result, err
+	}
+	return kstatus.Compute(u)
+}

cmd/flux/readiness_test.go

@@ -0,0 +1,139 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+)
+
+func Test_isObjectReady(t *testing.T) {
+	// Ready object.
+	readyObj := &sourcev1.GitRepository{}
+	readyObj.Generation = 1
+	readyObj.Status.ObservedGeneration = 1
+	conditions.MarkTrue(readyObj, meta.ReadyCondition, "foo1", "bar1")
+
+	// Not ready object.
+	notReadyObj := readyObj.DeepCopy()
+	conditions.MarkFalse(notReadyObj, meta.ReadyCondition, "foo2", "bar2")
+
+	// Not reconciled object.
+	notReconciledObj := readyObj.DeepCopy()
+	notReconciledObj.Status = sourcev1.GitRepositoryStatus{ObservedGeneration: -1}
+
+	// No condition.
+	noConditionObj := readyObj.DeepCopy()
+	noConditionObj.Status = sourcev1.GitRepositoryStatus{ObservedGeneration: 1}
+
+	// Outdated condition.
+	readyObjOutdated := readyObj.DeepCopy()
+	readyObjOutdated.Generation = 2
+
+	// Object without per condition observed generation.
+	oldObj := readyObj.DeepCopy()
+	readyTrueCondn := conditions.TrueCondition(meta.ReadyCondition, "foo3", "bar3")
+	oldObj.Status.Conditions = []metav1.Condition{*readyTrueCondn}
+
+	// Outdated object without per condition observed generation.
+	oldObjOutdated := oldObj.DeepCopy()
+	oldObjOutdated.Generation = 2
+
+	// Empty status object.
+	staticObj := readyObj.DeepCopy()
+	staticObj.Status = sourcev1.GitRepositoryStatus{}
+
+	// No status object.
+	noStatusObj := &notificationv1.Provider{}
+	noStatusObj.Generation = 1
+
+	type args struct {
+		obj        client.Object
+		statusType objectStatusType
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    bool
+		wantErr bool
+	}{
+		{
+			name: "dynamic ready",
+			args: args{obj: readyObj, statusType: objectStatusDynamic},
+			want: true,
+		},
+		{
+			name: "dynamic not ready",
+			args: args{obj: notReadyObj, statusType: objectStatusDynamic},
+			want: false,
+		},
+		{
+			name: "dynamic not reconciled",
+			args: args{obj: notReconciledObj, statusType: objectStatusDynamic},
+			want: false,
+		},
+		{
+			name: "dynamic not condition",
+			args: args{obj: noConditionObj, statusType: objectStatusDynamic},
+			want: false,
+		},
+		{
+			name: "dynamic ready outdated",
+			args: args{obj: readyObjOutdated, statusType: objectStatusDynamic},
+			want: false,
+		},
+		{
+			name: "dynamic ready without per condition gen",
+			args: args{obj: oldObj, statusType: objectStatusDynamic},
+			want: true,
+		},
+		{
+			name: "dynamic outdated ready status without per condition gen",
+			args: args{obj: oldObjOutdated, statusType: objectStatusDynamic},
+			want: false,
+		},
+		{
+			name: "static empty status",
+			args: args{obj: staticObj, statusType: objectStatusStatic},
+			want: true,
+		},
+		{
+			name: "static no status",
+			args: args{obj: noStatusObj, statusType: objectStatusStatic},
+			want: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := isObjectReady(tt.args.obj, tt.args.statusType)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("isObjectReady() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("isObjectReady() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

cmd/flux/reconcile.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"time"
 
+	kstatus "github.com/fluxcd/cli-utils/pkg/kstatus/status"
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -30,8 +31,6 @@ import (
 	"k8s.io/client-go/util/retry"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -61,6 +60,7 @@ type reconcilable interface {
 	GetAnnotations() map[string]string
 	SetAnnotations(map[string]string)
 
+	isStatic() bool                      // is it a static object that does not have a reconciler?
 	lastHandledReconcileRequest() string // what was the last handled reconcile request?
 	successMessage() string              // what do you want to tell people when successfully reconciled?
 }
@@ -101,6 +101,11 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if reconcile.object.isStatic() {
+		logger.Successf("reconciliation not supported by the object")
+		return nil
+	}
+
 	if reconcile.object.isSuspended() {
 		return fmt.Errorf("resource is suspended")
 	}
@@ -112,20 +117,10 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 	}
 	logger.Successf("%s annotated", reconcile.kind)
 
-	if reconcile.kind == notificationv1b2.AlertKind || reconcile.kind == notificationv1.ReceiverKind {
-		if err = wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-			isReconcileReady(ctx, kubeClient, namespacedName, reconcile.object)); err != nil {
-			return err
-		}
-
-		logger.Successf(reconcile.object.successMessage())
-		return nil
-	}
-
 	lastHandledReconcileAt := reconcile.object.lastHandledReconcileRequest()
 	logger.Waitingf("waiting for %s reconciliation", reconcile.kind)
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		reconciliationHandled(ctx, kubeClient, namespacedName, reconcile.object, lastHandledReconcileAt)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		reconciliationHandled(kubeClient, namespacedName, reconcile.object, lastHandledReconcileAt)); err != nil {
 		return err
 	}
 	readyCond := apimeta.FindStatusCondition(reconcilableConditions(reconcile.object), meta.ReadyCondition)
@@ -140,16 +135,23 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func reconciliationHandled(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, obj reconcilable, lastHandledReconcileAt string) wait.ConditionFunc {
-	return func() (bool, error) {
+func reconciliationHandled(kubeClient client.Client, namespacedName types.NamespacedName, obj reconcilable, lastHandledReconcileAt string) wait.ConditionWithContextFunc {
+	return func(ctx context.Context) (bool, error) {
 		err := kubeClient.Get(ctx, namespacedName, obj.asClientObject())
 		if err != nil {
 			return false, err
 		}
-		isProgressing := apimeta.IsStatusConditionPresentAndEqual(reconcilableConditions(obj),
-			meta.ReadyCondition, metav1.ConditionUnknown)
-		return obj.lastHandledReconcileRequest() != lastHandledReconcileAt && !isProgressing, nil
+
+		if obj.lastHandledReconcileRequest() == lastHandledReconcileAt {
+			return false, nil
+		}
+
+		result, err := kstatusCompute(obj.asClientObject())
+		if err != nil {
+			return false, err
+		}
+
+		return result.Status == kstatus.CurrentStatus, nil
 	}
 }
 
@@ -175,23 +177,3 @@ func requestReconciliation(ctx context.Context, kubeClient client.Client,
 		return kubeClient.Patch(ctx, object, patch)
 	})
 }
-
-func isReconcileReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, obj reconcilable) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, obj.asClientObject())
-		if err != nil {
-			return false, err
-		}
-
-		if c := apimeta.FindStatusCondition(reconcilableConditions(obj), meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}

cmd/flux/reconcile_alert.go

@@ -1,44 +0,0 @@
-/*
-Copyright 2020 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"github.com/spf13/cobra"
-
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
-)
-
-var reconcileAlertCmd = &cobra.Command{
-	Use:   "alert [name]",
-	Short: "Reconcile an Alert",
-	Long:  `The reconcile alert command triggers a reconciliation of an Alert resource and waits for it to finish.`,
-	Example: `  # Trigger a reconciliation for an existing alert
-  flux reconcile alert main`,
-	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.AlertKind)),
-	RunE: reconcileCommand{
-		apiType: alertType,
-		object:  alertAdapter{&notificationv1.Alert{}},
-	}.run,
-}
-
-func init() {
-	reconcileCmd.AddCommand(reconcileAlertCmd)
-}
-
-func (obj alertAdapter) lastHandledReconcileRequest() string {
-	return ""
-}

cmd/flux/reconcile_alertprovider.go

@@ -1,93 +0,0 @@
-/*
-Copyright 2020 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
-
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
-	"github.com/fluxcd/pkg/apis/meta"
-
-	"github.com/fluxcd/flux2/v2/internal/utils"
-)
-
-var reconcileAlertProviderCmd = &cobra.Command{
-	Use:   "alert-provider [name]",
-	Short: "Reconcile a Provider",
-	Long:  `The reconcile alert-provider command triggers a reconciliation of a Provider resource and waits for it to finish.`,
-	Example: `  # Trigger a reconciliation for an existing provider
-  flux reconcile alert-provider slack`,
-	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ProviderKind)),
-	RunE:              reconcileAlertProviderCmdRun,
-}
-
-func init() {
-	reconcileCmd.AddCommand(reconcileAlertProviderCmd)
-}
-
-func reconcileAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return fmt.Errorf("Provider name is required")
-	}
-	name := args[0]
-
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return err
-	}
-
-	namespacedName := types.NamespacedName{
-		Namespace: *kubeconfigArgs.Namespace,
-		Name:      name,
-	}
-
-	logger.Actionf("annotating Provider %s in %s namespace", name, *kubeconfigArgs.Namespace)
-	var alertProvider notificationv1.Provider
-	err = kubeClient.Get(ctx, namespacedName, &alertProvider)
-	if err != nil {
-		return err
-	}
-
-	if alertProvider.Annotations == nil {
-		alertProvider.Annotations = map[string]string{
-			meta.ReconcileRequestAnnotation: time.Now().Format(time.RFC3339Nano),
-		}
-	} else {
-		alertProvider.Annotations[meta.ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
-	}
-	if err := kubeClient.Update(ctx, &alertProvider); err != nil {
-		return err
-	}
-	logger.Successf("Provider annotated")
-
-	logger.Waitingf("waiting for reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isAlertProviderReady(ctx, kubeClient, namespacedName, &alertProvider)); err != nil {
-		return err
-	}
-	logger.Successf("Provider reconciliation completed")
-	return nil
-}

cmd/flux/reconcile_helmrelease.go

@@ -81,3 +81,7 @@ func (obj helmReleaseAdapter) getSource() (reconcileSource, types.NamespacedName
 		Namespace: ns,
 	}
 }
+
+func (obj helmReleaseAdapter) isStatic() bool {
+	return false
+}