Merge pull request #5219 from niveau0/allow-recursive-dry-run

fix: allow recursive dry-run over local sources
284 changed files with 8458 additions and 7761 deletions
--- a/.github/kind/config.yaml
+++ b/.github/kind/config.yaml
@ -1,5 +1,9 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
  - role: control-plane
  - role: worker
  - role: worker
 networking:
  disableDefaultCNI: true   # disable kindnet
  podSubnet: 192.168.0.0/16 # set to Calico's default subnet
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@ -44,9 +44,12 @@
  description: Feature request proposals in the RFC format
  color: '#D621C3'
  aliases: ['area/RFC']
- name: backport:release/v2.0.x
+- name: backport:release/v2.3.x
-  description: To be backported to release/v2.0.x
+  description: To be backported to release/v2.3.x
  color: '#ffd700'
- name: backport:release/v2.1.x
+- name: backport:release/v2.4.x
-  description: To be backported to release/v2.1.x
+  description: To be backported to release/v2.4.x
  color: '#ffd700'
 - name: backport:release/v2.5.x
  description: To be backported to release/v2.5.x
  color: '#ffd700'
--- a/.github/runners/README.md
+++ b/.github/runners/README.md
@ -4,16 +4,18 @@ The Flux ARM64 end-to-end tests run on Equinix Metal instances provisioned with
 ## Current instances
-| Repository                  | Runner           | Instance               | Location      |
+| Repository                  | Runner           | Instance       | Location      |
-|-----------------------------|------------------|------------------------|---------------|
+|-----------------------------|------------------|----------------|---------------|
-| flux2                       | equinix-arm-dc-1 | flux-equinix-arm-dc-01 | Washington DC |
+| flux2                       | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
-| flux2                       | equinix-arm-dc-2 | flux-equinix-arm-dc-01 | Washington DC |
+| flux2                       | equinix-arm-dc-2 | flux-arm-dc-01 | Washington DC |
-| flux2                       | equinix-arm-da-1 | flux-equinix-arm-da-01 | Dallas        |
+| flux2                       | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
-| flux2                       | equinix-arm-da-2 | flux-equinix-arm-da-01 | Dallas        |
+| flux2                       | equinix-arm-da-2 | flux-arm-da-01 | Dallas        |
-| source-controller           | equinix-arm-dc-1 | flux-equinix-arm-dc-01 | Washington DC |
+| flux-benchmark              | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
-| source-controller           | equinix-arm-da-1 | flux-equinix-arm-da-01 | Dallas        |
+| flux-benchmark              | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
-| image-automation-controller | equinix-arm-dc-1 | flux-equinix-arm-dc-01 | Washington DC |
+| source-controller           | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
-| image-automation-controller | equinix-arm-da-1 | flux-equinix-arm-da-01 | Dallas        |
+| source-controller           | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
 | image-automation-controller | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
 | image-automation-controller | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
 Instance spec:
 - Ampere Altra Q80-30 80-core processor @ 2.8GHz
--- a/.github/runners/prereq.sh
+++ b/.github/runners/prereq.sh
@ -18,11 +18,11 @@
 set -eu
-KIND_VERSION=0.17.0
+KIND_VERSION=0.22.0
-KUBECTL_VERSION=1.24.0
+KUBECTL_VERSION=1.29.0
-KUSTOMIZE_VERSION=4.5.7
+KUSTOMIZE_VERSION=5.3.0
-HELM_VERSION=3.10.1
+HELM_VERSION=3.14.1
-GITHUB_RUNNER_VERSION=2.298.2
+GITHUB_RUNNER_VERSION=2.313.0
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq pkg-config"
 # install prerequisites
--- a/.github/runners/runner-setup.sh
+++ b/.github/runners/runner-setup.sh
@ -22,7 +22,7 @@ RUNNER_NAME=$1
 REPOSITORY_TOKEN=$2
 REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}
-GITHUB_RUNNER_VERSION=2.298.2
+GITHUB_RUNNER_VERSION=2.313.0
 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
--- a/.github/workflows/action.yaml
+++ b/.github/workflows/action.yaml
@ -24,6 +24,6 @@ jobs:
    name: action on ${{ matrix.version }}
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup flux
        uses: ./action
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@ -4,6 +4,9 @@ on:
  pull_request_target:
    types: [closed, labeled]
 permissions: 
  contents: read
 jobs:
  pull-request:
    runs-on: ubuntu-latest
@ -13,11 +16,11 @@ jobs:
    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Create backport PRs
-        uses: korthout/backport-action@b982d297e31f500652b2246cf26714796312bd23 # v2.2.0
+        uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
        # xref: https://github.com/korthout/backport-action#inputs
        with:
          # Use token to allow workflows to be triggered for the created PR
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@ -0,0 +1,256 @@
 name: conformance
 on:
  workflow_dispatch:
  push:
    branches: [ 'main', 'update-components', 'release/**', 'conform*' ]
 permissions:
  contents: read
 env:
  GO_VERSION: 1.23.x
 jobs:
  conform-kubernetes:
    runs-on:
      group: "ARM64"
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
        KUBERNETES_VERSION: [1.30.9, 1.31.5, 1.32.1 ]
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Prepare
        id: prep
        run: |
          ID=${GITHUB_SHA:0:7}-${{ matrix.KUBERNETES_VERSION }}-$(date +%s)
          echo "CLUSTER=arm64-${ID}" >> $GITHUB_OUTPUT
      - name: Build
        run: |
          make build
      - name: Setup Kubernetes
        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
          version: v0.22.0
          cluster_name: ${{ steps.prep.outputs.CLUSTER }}
          node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
      - name: Run e2e tests
        run: TEST_KUBECONFIG=$HOME/.kube/config make e2e
      - name: Run multi-tenancy tests
        run: |
          ./bin/flux install
          ./bin/flux create source git flux-system \
          --interval=15m \
          --url=https://github.com/fluxcd/flux2-multi-tenancy \
          --branch=main \
          --ignore-paths="./clusters/**/flux-system/"
          ./bin/flux create kustomization flux-system \
          --interval=15m \
          --source=flux-system \
          --path=./clusters/staging
          kubectl -n flux-system wait kustomization/tenants --for=condition=ready --timeout=5m
          kubectl -n apps wait kustomization/dev-team --for=condition=ready --timeout=1m
          kubectl -n apps wait helmrelease/podinfo --for=condition=ready --timeout=1m
      - name: Debug failure
        if: failure()
        run: |
          kubectl -n flux-system get all
          kubectl -n flux-system describe po 
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
  conform-k3s:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Available versions can be found with "replicated cluster versions"
        K3S_VERSION: [ 1.30.9, 1.31.5, 1.32.1 ]
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Prepare
        id: prep
        run: |
          ID=${GITHUB_SHA:0:7}-${{ matrix.K3S_VERSION }}-$(date +%s)
          PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
          echo "cluster=flux2-k3s-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Build
        run: make build-dev
      - name: Create repository
        run: |
          gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Create cluster
        id: create-cluster
        uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          kubernetes-distribution: "k3s"
          kubernetes-version: ${{ matrix.K3S_VERSION }}
          ttl: 20m
          cluster-name: "${{ steps.prep.outputs.cluster }}"
          kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
          export-kubeconfig: true
      - name: Run e2e tests
        run: TEST_KUBECONFIG=${{ steps.prep.outputs.kubeconfig-path }} make e2e
      - name: Run flux bootstrap
        run: |
          ./bin/flux bootstrap git --manifests ./manifests/install/ \
          --components-extra=image-reflector-controller,image-automation-controller \
          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
          --branch=main \
          --path=clusters/k3s \
          --token-auth
        env:
          GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Run flux check
        run: |
          ./bin/flux check
      - name: Run flux reconcile
        run: |
          ./bin/flux reconcile ks flux-system --with-source
          ./bin/flux get all
          ./bin/flux events
      - name: Collect reconcile logs
        if: ${{ always() }}
        continue-on-error: true
        run: |
          kubectl -n flux-system get all
          kubectl -n flux-system describe pods
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
          kubectl -n flux-system logs deploy/notification-controller
      - name: Delete flux
        run: |
          ./bin/flux uninstall -s --keep-namespace
          kubectl delete ns flux-system --wait
      - name: Delete cluster
        if: ${{ always() }}
        uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        continue-on-error: true
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
      - name: Delete repository
        if: ${{ always() }}
        continue-on-error: true
        run: |
          gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
  conform-openshift:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/red-hat-openshift
        OPENSHIFT_VERSION: [ 4.17.0-okd ]
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Prepare
        id: prep
        run: |
          ID=${GITHUB_SHA:0:7}-${{ matrix.OPENSHIFT_VERSION }}-$(date +%s)
          PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
          echo "cluster=flux2-openshift-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Build
        run: make build-dev
      - name: Create repository
        run: |
          gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Create cluster
        id: create-cluster
        uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          kubernetes-distribution: "openshift"
          kubernetes-version: ${{ matrix.OPENSHIFT_VERSION }}
          ttl: 20m
          cluster-name: "${{ steps.prep.outputs.cluster }}"
          kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
          export-kubeconfig: true
      - name: Run flux bootstrap
        run: |
          ./bin/flux bootstrap git --manifests ./manifests/openshift/ \
          --components-extra=image-reflector-controller,image-automation-controller \
          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
          --branch=main \
          --path=clusters/openshift \
          --token-auth
        env:
          GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Run flux check
        run: |
          ./bin/flux check
      - name: Run flux reconcile
        run: |
          ./bin/flux reconcile ks flux-system --with-source
          ./bin/flux get all
          ./bin/flux events
      - name: Collect reconcile logs
        if: ${{ always() }}
        continue-on-error: true
        run: |
          kubectl -n flux-system get all
          kubectl -n flux-system describe pods
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
          kubectl -n flux-system logs deploy/notification-controller
      - name: Delete flux
        run: |
          ./bin/flux uninstall -s --keep-namespace
          kubectl delete ns flux-system --wait
      - name: Delete cluster
        if: ${{ always() }}
        uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        continue-on-error: true
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
      - name: Delete repository
        if: ${{ always() }}
        continue-on-error: true
        run: |
          gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@ -1,106 +0,0 @@
 name: e2e-arm64
 on:
  workflow_dispatch:
  push:
    branches: [ 'main', 'update-components', 'e2e-*', 'release/**' ]
 permissions:
  contents: read
 jobs:
  e2e-arm64-kubernetes:
    # Hosted on Equinix
    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
    runs-on: [self-hosted, Linux, ARM64, equinix]
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Check which versions are available on DockerHub with 'crane ls kindest/node'
        KUBERNETES_VERSION: [ 1.26.6, 1.27.3, 1.28.0 ]
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: 1.20.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Prepare
        id: prep
        run: |
          ID=${GITHUB_SHA:0:7}-${{ matrix.KUBERNETES_VERSION }}-$(date +%s)
          echo "CLUSTER=arm64-${ID}" >> $GITHUB_OUTPUT
      - name: Build
        run: |
          make build
      - name: Setup Kubernetes Kind
        run: |
          kind create cluster \
          --wait 5m \
          --name ${{ steps.prep.outputs.CLUSTER }} \
          --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }} \
          --image=kindest/node:v${{ matrix.KUBERNETES_VERSION }}
      - name: Run e2e tests
        run: TEST_KUBECONFIG=/tmp/${{ steps.prep.outputs.CLUSTER }} make e2e
      - name: Run multi-tenancy tests
        env:
          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
        run: |
          ./bin/flux install
          ./bin/flux create source git flux-system \
          --interval=15m \
          --url=https://github.com/fluxcd/flux2-multi-tenancy \
          --branch=main \
          --ignore-paths="./clusters/**/flux-system/"
          ./bin/flux create kustomization flux-system \
          --interval=15m \
          --source=flux-system \
          --path=./clusters/staging
          kubectl -n flux-system wait kustomization/tenants --for=condition=ready --timeout=5m
          kubectl -n apps wait kustomization/dev-team --for=condition=ready --timeout=1m
          kubectl -n apps wait helmrelease/podinfo --for=condition=ready --timeout=1m
      - name: Run monitoring tests
        # Keep this test in sync with https://fluxcd.io/flux/guides/monitoring/
        env:
          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
        run: |
          ./bin/flux create source git flux-monitoring \
          --interval=30m \
          --url=https://github.com/fluxcd/flux2 \
          --branch=${GITHUB_REF#refs/heads/}
          ./bin/flux create kustomization kube-prometheus-stack \
          --interval=1h \
          --prune \
          --source=flux-monitoring \
          --path="./manifests/monitoring/kube-prometheus-stack" \
          --health-check-timeout=5m \
          --wait
          ./bin/flux create kustomization monitoring-config \
          --depends-on=kube-prometheus-stack \
          --interval=1h \
          --prune=true \
          --source=flux-monitoring \
          --path="./manifests/monitoring/monitoring-config" \
          --health-check-timeout=1m \
          --wait
          kubectl -n flux-system wait kustomization/kube-prometheus-stack --for=condition=ready --timeout=5m
          kubectl -n flux-system wait kustomization/monitoring-config --for=condition=ready --timeout=5m
          kubectl -n monitoring wait helmrelease/kube-prometheus-stack --for=condition=ready --timeout=1m
      - name: Debug failure
        if: failure()
        env:
          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
        run: |
          kubectl -n flux-system get all
          kubectl -n flux-system describe po 
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
      - name: Cleanup
        if: always()
        run: |
          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
          rm /tmp/${{ steps.prep.outputs.CLUSTER }}
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@ -21,52 +21,7 @@ permissions:
  contents: read
 jobs:
-  e2e-amd64-aks:
+  e2e-aks:
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: ./tests/azure
    # This job is currently disabled. Remove the false check when Azure subscription is enabled.
    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: 1.20.x
          cache-dependency-path: tests/azure/go.sum
      - name: Setup Flux CLI
        run: |
          make build
          mkdir -p $HOME/.local/bin
          mv ./bin/flux $HOME/.local/bin
        working-directory: ./
      - name: Setup SOPS
        run: |
          mkdir -p $HOME/.local/bin
          wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux -O $HOME/.local/bin/sops
          chmod +x $HOME/.local/bin/sops
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v2
        with:
          terraform_version: 1.2.8
          terraform_wrapper: false
      - name: Setup Azure CLI
        run: |
          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
      - name: Run Azure e2e tests
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
        run: |
          ls $HOME/.local/bin
          az login --service-principal -u ${ARM_CLIENT_ID} -p ${ARM_CLIENT_SECRET} -t ${ARM_TENANT_ID}
          go test -v -coverprofile cover.out -timeout 60m .
  refactored-e2e-amd64-aks:
    runs-on: ubuntu-22.04
    defaults:
      run:
@ -75,12 +30,14 @@ jobs:
    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: CheckoutD
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.20.x
+          go-version: 1.23.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      - name: Setup Flux CLI
        run: make build
        working-directory: ./
@ -92,7 +49,7 @@ jobs:
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Azure
-        uses: Azure/login@de95379fe4dadc2defb305917eaa7e5dde727294 # v1.4.6
+        uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v1.4.6
        with:
          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
      - name: Set dynamic variables in .env
@ -123,3 +80,14 @@ jobs:
          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-azure
      - name: Ensure resource cleanup
        if: ${{ always() }}
        env:
          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
        run: source .env && make destroy-azure
--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@ -17,29 +17,29 @@ jobs:
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.20.x
+          go-version: 1.23.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
-          version: v0.20.0
+          version: v0.24.0
          cluster_name: kind
          # The versions below should target the newest Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: kindest/node:v1.28.0@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+          node_image: ghcr.io/fluxcd/kindest/node:v1.31.0-amd64
-          kubectl_version: v1.28.0
+          kubectl_version: v1.31.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Setup yq
        uses: fluxcd/pkg/actions/yq@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Build
-        run: |
+        run: make build-dev
          make cmd/flux/.manifests.done
          go build -o /tmp/flux ./cmd/flux
      - name: Set outputs
        id: vars
        run: |
@ -51,18 +51,24 @@ jobs:
          echo "test_repo_name=$TEST_REPO_NAME" >> $GITHUB_OUTPUT
      - name: bootstrap init
        run: |
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --image-pull-secret=ghcr-auth \
          --registry-creds=fluxcd:$GITHUB_TOKEN \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: verify image pull secret
        run: |
          kubectl -n flux-system get secret ghcr-auth | grep dockerconfigjson
      - name: bootstrap no-op
        run: |
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --image-pull-secret=ghcr-auth \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
@ -72,7 +78,7 @@ jobs:
      - name: bootstrap customize
        run: |
          make setup-bootstrap-patch
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
@ -87,46 +93,31 @@ jobs:
          GITHUB_ORG_NAME: fluxcd-testing
      - name: uninstall
        run: |
-          /tmp/flux uninstall -s --keep-namespace
+          ./bin/flux uninstall -s --keep-namespace
          kubectl delete ns flux-system --timeout=10m --wait=true
      - name: test image automation
        run: |
          make setup-image-automation
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --read-write-key
-          /tmp/flux reconcile image repository podinfo
+          ./bin/flux reconcile image repository podinfo
-          /tmp/flux get images all
+          ./bin/flux reconcile image update flux-system
-          
+          ./bin/flux get images all
-          retries=10
+          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system | \
-          count=0
+           yq '.status.lastPushCommit | length > 1' | grep 'true'
          ok=false
          until ${ok}; do
              /tmp/flux get image update flux-system | grep 'commit' && ok=true || ok=false
              count=$(($count + 1))
              if [[ ${count} -eq ${retries} ]]; then
                  echo "No more retries left"
                  exit 1
              fi
              sleep 6
              /tmp/flux reconcile image update flux-system
          done
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
          GITHUB_ORG_NAME: fluxcd-testing
      - name: delete repository
        if: ${{ always() }}
        continue-on-error: true
        run: |
-          curl \
+          gh repo delete fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} --yes
            -X DELETE \
            -H "Accept: application/vnd.github.v3+json" \
            -H "Authorization: token ${GITHUB_TOKEN}" \
            --fail --silent \
            https://api.github.com/repos/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Debug failure
--- a/.github/workflows/e2e-gcp.yaml
+++ b/.github/workflows/e2e-gcp.yaml
@ -29,12 +29,14 @@ jobs:
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.20.x
+          go-version: 1.23.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      - name: Setup Flux CLI
        run: make build
        working-directory: ./
@ -46,19 +48,19 @@ jobs:
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@67e9c72af6e0492df856527b474995862b7b6591 # v2.0.0
+        uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
        id: 'auth'
        with:
          credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
          token_format: 'access_token'
      - name: Setup gcloud
-        uses: google-github-actions/setup-gcloud@825196879a077b7efa50db2e88409f44de4635c2 # v2.0.0
+        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
      - name: Log into us-central1-docker.pkg.dev
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: us-central1-docker.pkg.dev
          username: oauth2accesstoken
@ -90,3 +92,13 @@ jobs:
          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-gcp
      - name: Ensure resource cleanup
        if: ${{ always() }}
        env:
          TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
          TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
          TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
          TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
          TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
          TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
        run: source .env && make destroy-gcp
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@ -13,7 +13,9 @@ permissions:
 jobs:
  e2e-amd64-kubernetes:
-    runs-on: ubuntu-latest
+    runs-on:
      group: "Default Larger Runners"
      labels: ubuntu-latest-16-cores
    services:
      registry:
        image: registry:2
@ -21,30 +23,30 @@ jobs:
          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.20.x
+          go-version: 1.23.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
-          version: v0.20.0
+          version: v0.24.0
          cluster_name: kind
          wait: 5s
          config: .github/kind/config.yaml # disable KIND-net
-          # The versions below should target the newest Kubernetes version
+          # The versions below should target the oldest supported Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: kindest/node:v1.28.0@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+          node_image: ghcr.io/fluxcd/kindest/node:v1.30.9-amd64
-          kubectl_version: v1.28.0
+          kubectl_version: v1.30.9
      - name: Setup Calico for network policy
        run: |
-          kubectl apply -f https://docs.projectcalico.org/v3.25/manifests/calico.yaml
+          kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.3/manifests/calico.yaml
          kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Run tests
        run: make test
      - name: Run e2e tests
@ -57,44 +59,43 @@ jobs:
            exit 1
          fi
      - name: Build
-        run: |
+        run: make build-dev
          go build -o /tmp/flux ./cmd/flux
      - name: flux check --pre
        run: |
-          /tmp/flux check --pre
+          ./bin/flux check --pre
      - name: flux install --manifests
        run: |
-          /tmp/flux install --manifests ./manifests/install/
+          ./bin/flux install --manifests ./manifests/install/
      - name: flux create secret
        run: |
-          /tmp/flux create secret git git-ssh-test \
+          ./bin/flux create secret git git-ssh-test \
            --url ssh://git@github.com/stefanprodan/podinfo
-          /tmp/flux create secret git git-https-test \
+          ./bin/flux create secret git git-https-test \
            --url https://github.com/stefanprodan/podinfo \
            --username=test --password=test
-          /tmp/flux create secret helm helm-test \
+          ./bin/flux create secret helm helm-test \
            --username=test --password=test
      - name: flux create source git
        run: |
-          /tmp/flux create source git podinfo \
+          ./bin/flux create source git podinfo \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=6.3.5"
      - name: flux create source git export apply
        run: |
-          /tmp/flux create source git podinfo-export \
+          ./bin/flux create source git podinfo-export \
            --url https://github.com/stefanprodan/podinfo  \
            --tag-semver=">=6.3.5" \
            --export | kubectl apply -f -
-          /tmp/flux delete source git podinfo-export --silent
+          ./bin/flux delete source git podinfo-export --silent
      - name: flux get sources git
        run: |
-          /tmp/flux get sources git
+          ./bin/flux get sources git
      - name: flux get sources git --all-namespaces
        run: |
-          /tmp/flux get sources git --all-namespaces
+          ./bin/flux get sources git --all-namespaces
      - name: flux create kustomization
        run: |
-          /tmp/flux create kustomization podinfo \
+          ./bin/flux create kustomization podinfo \
            --source=podinfo \
            --path="./deploy/overlays/dev" \
            --prune=true \
@ -104,89 +105,89 @@ jobs:
            --health-check-timeout=3m
      - name: flux trace
        run: |
-          /tmp/flux trace frontend \
+          ./bin/flux trace frontend \
            --kind=deployment \
            --api-version=apps/v1 \
            --namespace=dev
      - name: flux reconcile kustomization --with-source
        run: |
-          /tmp/flux reconcile kustomization podinfo --with-source
+          ./bin/flux reconcile kustomization podinfo --with-source
      - name: flux get kustomizations
        run: |
-          /tmp/flux get kustomizations
+          ./bin/flux get kustomizations
      - name: flux get kustomizations --all-namespaces
        run: |
-          /tmp/flux get kustomizations --all-namespaces
+          ./bin/flux get kustomizations --all-namespaces
      - name: flux suspend kustomization
        run: |
-          /tmp/flux suspend kustomization podinfo
+          ./bin/flux suspend kustomization podinfo
      - name: flux resume kustomization
        run: |
-          /tmp/flux resume kustomization podinfo
+          ./bin/flux resume kustomization podinfo
      - name: flux export
        run: |
-          /tmp/flux export source git --all
+          ./bin/flux export source git --all
-          /tmp/flux export kustomization --all
+          ./bin/flux export kustomization --all
      - name: flux delete kustomization
        run: |
-          /tmp/flux delete kustomization podinfo --silent
+          ./bin/flux delete kustomization podinfo --silent
      - name: flux create source helm
        run: |
-          /tmp/flux create source helm podinfo \
+          ./bin/flux create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
      - name: flux create helmrelease --source=HelmRepository/podinfo
        run: |
-          /tmp/flux create hr podinfo-helm \
+          ./bin/flux create hr podinfo-helm \
            --target-namespace=default \
            --source=HelmRepository/podinfo.flux-system \
            --chart=podinfo \
            --chart-version=">6.0.0 <7.0.0"
      - name: flux create helmrelease --source=GitRepository/podinfo
        run: |
-          /tmp/flux create hr podinfo-git \
+          ./bin/flux create hr podinfo-git \
            --target-namespace=default \
            --source=GitRepository/podinfo \
            --chart=./charts/podinfo
      - name: flux reconcile helmrelease --with-source
        run: |
-          /tmp/flux reconcile helmrelease podinfo-git --with-source
+          ./bin/flux reconcile helmrelease podinfo-git --with-source
      - name: flux get helmreleases
        run: |
-          /tmp/flux get helmreleases
+          ./bin/flux get helmreleases
      - name: flux get helmreleases --all-namespaces
        run: |
-          /tmp/flux get helmreleases --all-namespaces
+          ./bin/flux get helmreleases --all-namespaces
      - name: flux export helmrelease
        run: |
-          /tmp/flux export hr --all
+          ./bin/flux export hr --all
      - name: flux delete helmrelease podinfo-helm
        run: |
-          /tmp/flux delete hr podinfo-helm --silent
+          ./bin/flux delete hr podinfo-helm --silent
      - name: flux delete helmrelease podinfo-git
        run: |
-          /tmp/flux delete hr podinfo-git --silent
+          ./bin/flux delete hr podinfo-git --silent
      - name: flux delete source helm
        run: |
-          /tmp/flux delete source helm podinfo --silent
+          ./bin/flux delete source helm podinfo --silent
      - name: flux delete source git
        run: |
-          /tmp/flux delete source git podinfo --silent
+          ./bin/flux delete source git podinfo --silent
      - name: flux oci artifacts
        run: |
-          /tmp/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+          ./bin/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
            --path="./manifests" \
            --source="${{ github.repositoryUrl }}" \
            --revision="${{ github.ref }}@sha1:${{ github.sha }}"
-          /tmp/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+          ./bin/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
            --tag latest
-          /tmp/flux list artifacts oci://localhost:5000/fluxcd/flux
+          ./bin/flux list artifacts oci://localhost:5000/fluxcd/flux
      - name: flux oci repositories
        run: |
-          /tmp/flux create source oci podinfo-oci \
+          ./bin/flux create source oci podinfo-oci \
            --url oci://ghcr.io/stefanprodan/manifests/podinfo \
            --tag-semver 6.3.x \
            --interval 10m
-          /tmp/flux create kustomization podinfo-oci \
+          ./bin/flux create kustomization podinfo-oci \
            --source=OCIRepository/podinfo-oci \
            --path="./" \
            --prune=true \
@ -194,31 +195,31 @@ jobs:
            --target-namespace=default \
            --wait=true \
            --health-check-timeout=3m
-          /tmp/flux reconcile source oci podinfo-oci
+          ./bin/flux reconcile source oci podinfo-oci
-          /tmp/flux suspend source oci podinfo-oci
+          ./bin/flux suspend source oci podinfo-oci
-          /tmp/flux get sources oci
+          ./bin/flux get sources oci
-          /tmp/flux resume source oci podinfo-oci
+          ./bin/flux resume source oci podinfo-oci
-          /tmp/flux export source oci podinfo-oci
+          ./bin/flux export source oci podinfo-oci
-          /tmp/flux delete ks podinfo-oci --silent
+          ./bin/flux delete ks podinfo-oci --silent
-          /tmp/flux delete source oci podinfo-oci --silent
+          ./bin/flux delete source oci podinfo-oci --silent
      - name: flux create tenant
        run: |
-          /tmp/flux create tenant dev-team --with-namespace=apps
+          ./bin/flux create tenant dev-team --with-namespace=apps
-          /tmp/flux -n apps create source helm podinfo \
+          ./bin/flux -n apps create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
-          /tmp/flux -n apps create hr podinfo-helm \
+          ./bin/flux -n apps create hr podinfo-helm \
            --source=HelmRepository/podinfo \
            --chart=podinfo \
            --chart-version="6.3.x" \
            --service-account=dev-team
      - name: flux2-kustomize-helm-example
        run: |
-          /tmp/flux create source git flux-system \
+          ./bin/flux create source git flux-system \
          --url=https://github.com/fluxcd/flux2-kustomize-helm-example \
          --branch=main \
          --ignore-paths="./clusters/**/flux-system/" \
          --recurse-submodules
-          /tmp/flux create kustomization flux-system \
+          ./bin/flux create kustomization flux-system \
          --source=flux-system \
          --path=./clusters/staging
          kubectl -n flux-system wait kustomization/infra-controllers --for=condition=ready --timeout=5m
@ -226,13 +227,23 @@ jobs:
          kubectl -n podinfo wait helmrelease/podinfo --for=condition=ready --timeout=5m
      - name: flux tree
        run: |
-          /tmp/flux tree kustomization flux-system | grep Service/podinfo
+          ./bin/flux tree kustomization flux-system | grep Service/podinfo
      - name: flux events
        run: |
          ./bin/flux -n flux-system events --for Kustomization/apps | grep 'HelmRelease/podinfo'
          ./bin/flux -n podinfo events --for HelmRelease/podinfo | grep 'podinfo.v1'
      - name: flux stats
        run: |
          ./bin/flux stats -A
      - name: flux check
        run: |
-          /tmp/flux check
+          ./bin/flux check
      - name: flux version
        run: |
          ./bin/flux version
      - name: flux uninstall
        run: |
-          /tmp/flux uninstall --silent
+          ./bin/flux uninstall --silent
      - name: Debug failure
        if: failure()
        run: |
--- a/.github/workflows/ossf.yaml
+++ b/.github/workflows/ossf.yaml
@ -19,21 +19,21 @@ jobs:
      actions: read
      contents: read
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run analysis
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          publish_results: true
      - name: Upload artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: Upload SARIF results
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          sarif_file: results.sarif
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -2,7 +2,7 @@ name: release
 on:
  push:
-    tags: [ 'v*' ]
+    tags: ["v*"]
 permissions:
  contents: read
@ -20,33 +20,33 @@ jobs:
      packages: write # needed for ghcr access
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.20.x
+          go-version: 1.23.x
          cache: false
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226  # v3.0.0
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0.15.1
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
      - name: Setup Cosign
-        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d  # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@ -59,30 +59,19 @@ jobs:
        run: |
          kustomize build manifests/crds > all-crds.yaml
      - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg/actions/crdjsonschema@main
+        uses: fluxcd/pkg/actions/crdjsonschema@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
        with:
          crd: all-crds.yaml
          output: schemas
      - name: Archive the OpenAPI JSON schemas
        run: |
          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
      - name: Download release notes utility
        env:
          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
      - name: Generate release notes
        run: |
          NOTES="./output/notes.md"
          echo '## CLI Changelog' > ${NOTES}
          github-release-notes -org fluxcd -repo flux2 -since-latest-release -include-author >> ${NOTES}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
        with:
          version: latest
-          args: release --release-notes=output/notes.md --skip-validate
+          args: release --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
@ -93,13 +82,13 @@ jobs:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
-          
+
          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
          echo "hashes=$hashes" >> $GITHUB_OUTPUT
-          
+
          image_url=fluxcd/flux-cli:$GITHUB_REF_NAME
          echo "image_url=$image_url" >> $GITHUB_OUTPUT
-          
+
          image_digest=$(docker buildx imagetools inspect ${image_url}  --format '{{json .}}' | jq -r .manifest.digest)
          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
@ -110,9 +99,9 @@ jobs:
      id-token: write
      packages: write
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Setup Flux CLI
        uses: ./action/
      - name: Prepare
@ -121,13 +110,13 @@ jobs:
          VERSION=$(flux version --client | awk '{ print $NF }')
          echo "version=${VERSION}" >> $GITHUB_OUTPUT
      - name: Login to GHCR
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to DockerHub
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@ -137,7 +126,7 @@ jobs:
          flux install --registry=ghcr.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./ghcr.io/flux-system/gotk-components.yaml
-          
+
          cd ./ghcr.io && flux push artifact \
          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --path="./flux-system" \
@ -149,13 +138,13 @@ jobs:
          flux install --registry=docker.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./docker.io/flux-system/gotk-components.yaml
-          
+
          cd ./docker.io && flux push artifact \
          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+      - uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
@ -176,7 +165,7 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      contents: write # for uploading attestations to GitHub releases.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      provenance-name: "provenance.intoto.jsonl"
      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
@ -188,7 +177,7 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
@ -202,10 +191,10 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
      registry-username: fluxcdbot
    secrets:
-      registry-password: ${{ secrets.GHCR_TOKEN }}
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run FOSSA scan and upload build data
        uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0
        with:
@ -31,13 +31,13 @@ jobs:
      security-events: write
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.20.x
+          go-version-file: 'go.mod'
          cache-dependency-path: |
            **/go.sum
            **/go.mod
@ -49,11 +49,12 @@ jobs:
      - name:  Run Snyk to check for vulnerabilities
        continue-on-error: true
        run: |
-          snyk test --sarif-file-output=snyk.sarif
+          snyk test --all-projects --sarif-file-output=snyk.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        continue-on-error: true
        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          sarif_file: snyk.sarif
@ -64,22 +65,22 @@ jobs:
    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.20.x
+          go-version-file: 'go.mod'
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          languages: go
          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # xref: https://codeql.github.com/codeql-query-help/go/
          queries: security-and-quality
      - name: Autobuild
-        uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@ -17,8 +17,8 @@ jobs:
    permissions:
      issues: write
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: EndBug/label-sync@da00f2c11fdb78e4fae44adac2fdd713778ea3e8 # v2.3.2
+      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
        with:
          # Configuration file
          config-file: |
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@ -18,11 +18,11 @@ jobs:
      pull-requests: write
    steps:
      - name: Check out code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.20.x
+          go-version: 1.23.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
@ -84,7 +84,7 @@ jobs:
      - name: Create Pull Request
        id: cpr
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -1,4 +1,6 @@
 project_name: flux
 changelog:
  use: github-native
 builds:
  - <<: &build_defaults
      binary: flux
@ -15,7 +17,7 @@ builds:
      - arm64
      - arm
    goarm:
-      - 7
+      - "7"
  - <<: *build_defaults
    id: darwin
    goos:
@ -73,11 +75,11 @@ signs:
    output: true
 brews:
  - name: flux
-    tap:
+    repository:
      owner: fluxcd
      name: homebrew-tap
      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
-    folder: Formula
+    directory: Formula
    homepage: "https://fluxcd.io/"
    description: "Flux CLI"
    install: |
--- a/.scorecard.yml
+++ b/.scorecard.yml
@ -0,0 +1,5 @@
 annotations:
  - checks:
      - dangerous-workflow
    reasons:
      - reason: not-applicable # This workflow does not run untrusted code, the bot will only backport a code if the a PR was approved and merged into main.
--- a/13
+++ b/13
@ -1,15 +1,16 @@
-FROM alpine:3.19 as builder
+FROM alpine:3.21 AS builder
 RUN apk add --no-cache ca-certificates curl
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.28.4
+ARG KUBECTL_VER=1.32.2
-RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
+RUN curl -sL https://dl.k8s.io/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
-    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
+    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
    kubectl version --client=true
-FROM alpine:3.19 as flux-cli
+RUN kubectl version --client=true
 FROM alpine:3.21 AS flux-cli
 RUN apk add --no-cache ca-certificates
--- a/5
+++ b/5
@ -17,9 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build
 tidy:
-	go mod tidy -compat=1.20
+	go mod tidy -compat=1.23
-	cd tests/azure && go mod tidy -compat=1.20
+	cd tests/integration && go mod tidy -compat=1.23
 	cd tests/integration && go mod tidy -compat=1.20
 fmt:
 	go fmt ./...
--- a/README.md
+++ b/README.md
@ -2,7 +2,7 @@
 [![release](https://img.shields.io/github/release/fluxcd/flux2/all.svg)](https://github.com/fluxcd/flux2/releases)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2/badge)](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2/badge)](https://scorecard.dev/viewer/?uri=github.com/fluxcd/flux2)
 [![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2?ref=badge_shield)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/flux2)](https://artifacthub.io/packages/helm/fluxcd-community/flux2)
 [![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://fluxcd.io/flux/security/slsa-assessment)
@ -21,7 +21,7 @@ Flux v2 is constructed with the [GitOps Toolkit](#gitops-toolkit), a
 set of composable APIs and specialized tools for building Continuous
 Delivery on top of Kubernetes.
-Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) project, used in
+Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) graduated project, used in
 production by various [organisations](https://fluxcd.io/adopters) and [cloud providers](https://fluxcd.io/ecosystem).
 ## Quickstart and documentation
@ -44,7 +44,7 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.
-![overview](https://fluxcd.io/img/diagrams/gitops-toolkit.png)
+![overview](https://raw.githubusercontent.com/fluxcd/flux2/main/docs/diagrams/fluxcd-controllers.png)
 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@ -22,6 +22,7 @@ import (
 	"fmt"
 	"strings"
 	"github.com/fluxcd/pkg/git"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
@ -52,17 +53,19 @@ type bootstrapFlags struct {
 	extraComponents    []string
 	requiredComponents []string
-	registry        string
+	registry           string
-	imagePullSecret string
+	registryCredential string
 	imagePullSecret    string
-	secretName     string
+	secretName           string
-	tokenAuth      bool
+	tokenAuth            bool
-	keyAlgorithm   flags.PublicKeyAlgorithm
+	keyAlgorithm         flags.PublicKeyAlgorithm
-	keyRSABits     flags.RSAKeyBits
+	keyRSABits           flags.RSAKeyBits
-	keyECDSACurve  flags.ECDSACurve
+	keyECDSACurve        flags.ECDSACurve
-	sshHostname    string
+	sshHostname          string
-	caFile         string
+	caFile               string
-	privateKeyFile string
+	privateKeyFile       string
 	sshHostKeyAlgorithms []string
 	watchAllNamespaces bool
 	networkPolicy      bool
@ -98,6 +101,8 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
 		"container registry where the Flux controller images are published")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registryCredential, "registry-creds", "",
 		"container registry credentials in the format 'user:password', requires --image-pull-secret to be set")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.imagePullSecret, "image-pull-secret", "",
 		"Kubernetes secret name used for pulling the controller images from a private registry")
@ -121,6 +126,7 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.secretName, "secret-name", rootArgs.defaults.Namespace, "name of the secret the sync credentials can be found in or stored to")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyAlgorithm, "ssh-key-algorithm", bootstrapArgs.keyAlgorithm.Description())
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyRSABits, "ssh-rsa-bits", bootstrapArgs.keyRSABits.Description())
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.sshHostKeyAlgorithms, "ssh-hostkey-algos", nil, "list of host key algorithms to be used by the CLI for SSH connections")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyECDSACurve, "ssh-ecdsa-curve", bootstrapArgs.keyECDSACurve.Description())
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.sshHostname, "ssh-hostname", "", "SSH hostname, to be used when the SSH host differs from the HTTPS one")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
@ -135,7 +141,7 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.commitMessageAppendix, "commit-message-appendix", "", "string to add to the commit messages, e.g. '[ci skip]'")
-	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.force, "force", false, "override existing Flux installation if it's managed by a diffrent tool such as Helm")
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.force, "force", false, "override existing Flux installation if it's managed by a different tool such as Helm")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")
 	rootCmd.AddCommand(bootstrapCmd)
@ -181,6 +187,18 @@ func bootstrapValidate() error {
 		return err
 	}
 	if bootstrapArgs.registryCredential != "" && bootstrapArgs.imagePullSecret == "" {
 		return fmt.Errorf("--registry-creds requires --image-pull-secret to be set")
 	}
 	if bootstrapArgs.registryCredential != "" && len(strings.Split(bootstrapArgs.registryCredential, ":")) != 2 {
 		return fmt.Errorf("invalid --registry-creds format, expected 'user:password'")
 	}
 	if len(bootstrapArgs.sshHostKeyAlgorithms) > 0 {
 		git.HostKeyAlgos = bootstrapArgs.sshHostKeyAlgorithms
 	}
 	return nil
 }
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@ -196,6 +196,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@ -225,7 +226,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = bServerArgs.username
 		}
 		secretOpts.Password = bitbucketToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@ -28,6 +28,9 @@ import (
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
@ -35,8 +38,6 @@ import (
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 )
 var bootstrapGitCmd = &cobra.Command{
@ -65,7 +66,10 @@ command will perform an upgrade if needed.`,
  flux bootstrap git --url=ssh://<SSH-Key-ID>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> --private-key-file=<path/to/private.key> --password=<SSH-passphrase> --path=clusters/my-cluster
  # Run bootstrap for a Git repository on Azure Devops
-  flux bootstrap git --url=ssh://git@ssh.dev.azure.com/v3/<org>/<project>/<repository> --ssh-key-algorithm=rsa --ssh-rsa-bits=4096 --path=clusters/my-cluster
+  flux bootstrap git --url=ssh://git@ssh.dev.azure.com/v3/<org>/<project>/<repository> --private-key-file=<path/to/rsa-sha2-private.key> --ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256 --path=clusters/my-cluster
  # Run bootstrap for a Git repository on Oracle VBS
  flux bootstrap git --url=https://repository_url.git --with-bearer-token=true --password=<PAT> --path=clusters/my-cluster
 `,
 	RunE: bootstrapGitCmdRun,
 }
@ -78,6 +82,7 @@ type gitFlags struct {
 	password            string
 	silent              bool
 	insecureHttpAllowed bool
 	withBearerToken     bool
 }
 const (
@ -94,11 +99,16 @@ func init() {
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
 	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	bootstrapGitCmd.Flags().BoolVar(&gitArgs.insecureHttpAllowed, "allow-insecure-http", false, "allows insecure HTTP connections")
 	bootstrapGitCmd.Flags().BoolVar(&gitArgs.withBearerToken, "with-bearer-token", false, "use password as bearer token for Authorization header")
 	bootstrapCmd.AddCommand(bootstrapGitCmd)
 }
 func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	if gitArgs.withBearerToken {
 		bootstrapArgs.tokenAuth = true
 	}
 	gitPassword := os.Getenv(gitPasswordEnvVar)
 	if gitPassword != "" && gitArgs.password == "" {
 		gitArgs.password = gitPassword
@ -201,6 +211,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@ -223,10 +234,16 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		TargetPath:   gitArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
 	if bootstrapArgs.tokenAuth {
-		secretOpts.Username = gitArgs.username
+		if gitArgs.withBearerToken {
-		secretOpts.Password = gitArgs.password
+			secretOpts.BearerToken = gitArgs.password
-		secretOpts.CAFile = caBundle
+		} else {
 			secretOpts.Username = gitArgs.username
 			secretOpts.Password = gitArgs.password
 		}
 		secretOpts.CACrt = caBundle
 		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
 		// This _might_ be overwritten later on by e.g. --ssh-hostname
@ -318,18 +335,28 @@ func getAuthOpts(u *url.URL, caBundle []byte) (*git.AuthOptions, error) {
 		if !gitArgs.insecureHttpAllowed {
 			return nil, fmt.Errorf("scheme http is insecure, pass --allow-insecure-http=true to allow it")
 		}
-		return &git.AuthOptions{
+		httpAuth := git.AuthOptions{
 			Transport: git.HTTP,
-			Username:  gitArgs.username,
+		}
-			Password:  gitArgs.password,
+		if gitArgs.withBearerToken {
-		}, nil
+			httpAuth.BearerToken = gitArgs.password
 		} else {
 			httpAuth.Username = gitArgs.username
 			httpAuth.Password = gitArgs.password
 		}
 		return &httpAuth, nil
 	case "https":
-		return &git.AuthOptions{
+		httpsAuth := git.AuthOptions{
 			Transport: git.HTTPS,
 			Username:  gitArgs.username,
 			Password:  gitArgs.password,
 			CAFile:    caBundle,
-		}, nil
+		}
 		if gitArgs.withBearerToken {
 			httpsAuth.BearerToken = gitArgs.password
 		} else {
 			httpsAuth.Username = gitArgs.username
 			httpsAuth.Password = gitArgs.password
 		}
 		return &httpsAuth, nil
 	case "ssh":
 		authOpts := &git.AuthOptions{
 			Transport: git.SSH,
--- a/cmd/flux/bootstrap_gitea.go
+++ b/cmd/flux/bootstrap_gitea.go
@ -184,6 +184,7 @@ func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@ -209,7 +210,7 @@ func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = gtToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@ -191,6 +191,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@ -216,7 +217,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = ghToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@ -24,6 +24,7 @@ import (
 	"strings"
 	"time"
 	"github.com/fluxcd/go-git-providers/gitprovider"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
@ -58,14 +59,14 @@ the bootstrap command will perform an upgrade if needed.`,
  # Run bootstrap for a repository path
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --path=dev-cluster
-  # Run bootstrap for a public repository on a personal account
+  # Run bootstrap for a public repository
-  flux bootstrap gitlab --owner=<user> --repository=<repository name> --private=false --personal --token-auth
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --visibility=public  --token-auth
  # Run bootstrap for a private repository hosted on a GitLab server
-  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<domain> --token-auth
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<gitlab_url> --token-auth
  # Run bootstrap for an existing repository with a branch named main
-  flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --branch=main --token-auth
  # Run bootstrap for a private repository using Deploy Token authentication
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --deploy-token-auth
@ -85,6 +86,7 @@ type gitlabFlags struct {
 	repository      string
 	interval        time.Duration
 	personal        bool
 	visibility      flags.GitLabVisibility
 	private         bool
 	hostname        string
 	path            flags.SafeRelativePath
@ -94,7 +96,13 @@ type gitlabFlags struct {
 	deployTokenAuth bool
 }
-var gitlabArgs gitlabFlags
+func NewGitlabFlags() gitlabFlags {
 	return gitlabFlags{
 		visibility: flags.GitLabVisibility(gitprovider.RepositoryVisibilityPrivate),
 	}
 }
 var gitlabArgs = NewGitlabFlags()
 func init() {
 	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.owner, "owner", "", "GitLab user or group name")
@ -102,6 +110,8 @@ func init() {
 	bootstrapGitLabCmd.Flags().StringSliceVar(&gitlabArgs.teams, "team", []string{}, "GitLab teams to be given maintainer access (also accepts comma-separated values)")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.personal, "personal", false, "if true, the owner is assumed to be a GitLab user; otherwise a group")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.private, "private", true, "if true, the repository is setup or configured as private")
 	bootstrapGitLabCmd.Flags().MarkDeprecated("private", "use --visibility instead")
 	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.visibility, "visibility", gitlabArgs.visibility.Description())
 	bootstrapGitLabCmd.Flags().DurationVar(&gitlabArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.hostname, "hostname", glDefaultDomain, "GitLab hostname")
 	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
@ -133,6 +143,11 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("--token-auth and --deploy-token-auth cannot be set both.")
 	}
 	if !gitlabArgs.private {
 		gitlabArgs.visibility.Set(string(gitprovider.RepositoryVisibilityPublic))
 		cmd.Println("Using visibility public as --private=false")
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
@ -216,6 +231,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
 		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@ -241,10 +257,10 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = glToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else if gitlabArgs.deployTokenAuth {
 		// the actual deploy token will be reconciled later
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
@ -281,6 +297,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(gitlabArgs.owner, gitlabArgs.repository, gitlabArgs.personal),
 		bootstrap.WithProviderVisibility(gitlabArgs.visibility.String()),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
 		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
@ -300,9 +317,6 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	if gitlabArgs.deployTokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithDeployTokenAuth())
 	}
 	if !gitlabArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
 	if gitlabArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
 	}
--- a/cmd/flux/build_kustomization.go
+++ b/cmd/flux/build_kustomization.go
@ -21,10 +21,10 @@ import (
 	"os"
 	"os/signal"
 	"github.com/fluxcd/pkg/ssa"
 	"github.com/spf13/cobra"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	ssautil "github.com/fluxcd/pkg/ssa/utils"
 	"github.com/fluxcd/flux2/v2/internal/build"
 )
@ -53,7 +53,12 @@ flux build kustomization my-app --path ./path/to/local/manifests \
 # Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
 flux build kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml \
-	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"`,
+	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"
 # Run recursively on all encountered Kustomizations
 flux build kustomization my-app --path ./path/to/local/manifests \
 	--recursive \
 	--local-sources GitRepository/flux-system/my-repo=./path/to/local/git`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              buildKsCmdRun,
 }
@ -63,6 +68,9 @@ type buildKsFlags struct {
 	path              string
 	ignorePaths       []string
 	dryRun            bool
 	strictSubst       bool
 	recursive         bool
 	localSources      map[string]string
 }
 var buildKsArgs buildKsFlags
@ -72,6 +80,10 @@ func init() {
 	buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	buildKsCmd.Flags().StringSliceVar(&buildKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
 	buildKsCmd.Flags().BoolVar(&buildKsArgs.dryRun, "dry-run", false, "Dry run mode.")
 	buildKsCmd.Flags().BoolVar(&buildKsArgs.strictSubst, "strict-substitute", false,
 		"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
 	buildKsCmd.Flags().BoolVarP(&buildKsArgs.recursive, "recursive", "r", false, "Recursively build Kustomizations")
 	buildKsCmd.Flags().StringToStringVar(&buildKsArgs.localSources, "local-sources", nil, "Comma-separated list of repositories in format: Kind/namespace/name=path")
 	buildCmd.AddCommand(buildKsCmd)
 }
@ -107,6 +119,9 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			build.WithDryRun(buildKsArgs.dryRun),
 			build.WithNamespace(*kubeconfigArgs.Namespace),
 			build.WithIgnore(buildKsArgs.ignorePaths),
 			build.WithStrictSubstitute(buildKsArgs.strictSubst),
 			build.WithRecursive(buildKsArgs.recursive),
 			build.WithLocalSources(buildKsArgs.localSources),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, buildKsArgs.path,
@ -114,6 +129,9 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
 			build.WithIgnore(buildKsArgs.ignorePaths),
 			build.WithStrictSubstitute(buildKsArgs.strictSubst),
 			build.WithRecursive(buildKsArgs.recursive),
 			build.WithLocalSources(buildKsArgs.localSources),
 		)
 	}
@ -132,7 +150,7 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			errChan <- err
 		}
-		manifests, err := ssa.ObjectsToYAML(objects)
+		manifests, err := ssautil.ObjectsToYAML(objects)
 		if err != nil {
 			errChan <- err
 		}
--- a/cmd/flux/build_kustomization_test.go
+++ b/cmd/flux/build_kustomization_test.go
@ -22,6 +22,7 @@ package main
 import (
 	"bytes"
 	"os"
 	"path/filepath"
 	"testing"
 	"text/template"
 )
@ -69,6 +70,12 @@ func TestBuildKustomization(t *testing.T) {
 			resultFile: "./testdata/build-kustomization/podinfo-with-ignore-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build with recursive",
 			args:       "build kustomization podinfo --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 	}
 	tmpl := map[string]string{
@ -118,6 +125,8 @@ spec:
      cluster_region: "eu-central-1"
 `
 	tmpFile := filepath.Join(t.TempDir(), "podinfo.yaml")
 	tests := []struct {
 		name       string
 		args       string
@ -132,28 +141,40 @@ spec:
 		},
 		{
 			name:       "build podinfo",
-			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/podinfo",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo",
 			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build podinfo without service",
-			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/delete-service",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/delete-service",
 			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build deployment and configmap with var substitution",
-			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/var-substitution",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution",
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build deployment and configmap with var substitution in dry-run mode",
-			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/var-substitution --dry-run",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution --dry-run",
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build with recursive",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build with recursive in dry-run mode",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --dry-run",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 	}
 	tmpl := map[string]string{
@ -161,8 +182,6 @@ spec:
 	}
 	setup(t, tmpl)
 	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
 	temp, err := template.New("podinfo").Parse(podinfo)
 	if err != nil {
 		t.Fatal(err)
@ -174,11 +193,10 @@ spec:
 		t.Fatal(err)
 	}
-	err = os.WriteFile("./testdata/build-kustomization/podinfo.yaml", b.Bytes(), 0666)
+	err = os.WriteFile(tmpFile, b.Bytes(), 0666)
 	if err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(func() { _ = os.Remove("./testdata/build-kustomization/podinfo.yaml") })
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@ -40,6 +40,7 @@ import (
 var checkCmd = &cobra.Command{
 	Use:   "check",
 	Args:  cobra.NoArgs,
 	Short: "Check requirements and installation",
 	Long: withPreviewNote(`The check command will perform a series of checks to validate that
 the local environment is configured correctly and if the installed components are healthy.`),
@ -59,7 +60,7 @@ type checkFlags struct {
 }
 var kubernetesConstraints = []string{
-	">=1.26.0-0",
+	">=1.30.0-0",
 }
 var checkArgs checkFlags
--- a/cmd/flux/cluster_info_test.go
+++ b/cmd/flux/cluster_info_test.go
@ -29,7 +29,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
-	"github.com/fluxcd/pkg/ssa"
+	ssautil "github.com/fluxcd/pkg/ssa/utils"
 )
 func Test_getFluxClusterInfo(t *testing.T) {
@ -37,7 +37,7 @@ func Test_getFluxClusterInfo(t *testing.T) {
 	f, err := os.Open("./testdata/cluster_info/gitrepositories.yaml")
 	g.Expect(err).To(BeNil())
-	objs, err := ssa.ReadObjects(f)
+	objs, err := ssautil.ReadObjects(f)
 	g.Expect(err).To(Not(HaveOccurred()))
 	gitrepo := objs[0]
--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@ -125,7 +125,7 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 	logger.Generatef("generating %s", names.kind)
 	logger.Actionf("applying %s", names.kind)
-	namespacedName, err := imageRepositoryType.upsert(ctx, kubeClient, object, mutate)
+	namespacedName, err := names.upsert(ctx, kubeClient, object, mutate)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -24,12 +24,6 @@ import (
 	"strings"
 	"time"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/transform"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@ -39,14 +33,21 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/transform"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Create or update a HelmRelease resource",
-	Long:    withPreviewNote(`The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.`),
+	Long:    `The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.`,
 	Example: `  # Create a HelmRelease with a chart from a HelmRepository source
  flux create hr podinfo \
    --interval=10m \
@ -105,7 +106,17 @@ var createHelmReleaseCmd = &cobra.Command{
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --values=./values.yaml \
-    --export > podinfo-release.yaml`,
+    --export > podinfo-release.yaml
  # Create a HelmRelease using a chart from a HelmChart resource
  flux create hr podinfo \
    --namespace=default \
    --chart-ref=HelmChart/podinfo.flux-system \
  # Create a HelmRelease using a chart from an OCIRepository resource
  flux create hr podinfo \
    --namespace=default \
    --chart-ref=OCIRepository/podinfo.flux-system`,
 	RunE: createHelmReleaseCmdRun,
 }
@ -115,6 +126,7 @@ type helmReleaseFlags struct {
 	dependsOn           []string
 	chart               string
 	chartVersion        string
 	chartRef            string
 	targetNamespace     string
 	createNamespace     bool
 	valuesFiles         []string
@ -130,6 +142,8 @@ var helmReleaseArgs helmReleaseFlags
 var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}
 var supportedHelmReleaseReferenceKinds = []string{sourcev1b2.OCIRepositoryKind, sourcev1.HelmChartKind}
 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.source, "source", helmReleaseArgs.source.Description())
@ -145,14 +159,15 @@ func init() {
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFrom, "values-from", nil, "a Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>', where kind must be one of: (Secret,ConfigMap)")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.crds, "crds", helmReleaseArgs.crds.Description())
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartRef, "chart-ref", "", "the name of the HelmChart resource to use as source for the HelmRelease, in the format '<kind>/<name>.<namespace>', where kind must be one of: (OCIRepository,HelmChart)")
 	createCmd.AddCommand(createHelmReleaseCmd)
 }
 func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
-	if helmReleaseArgs.chart == "" {
+	if helmReleaseArgs.chart == "" && helmReleaseArgs.chartRef == "" {
-		return fmt.Errorf("chart name or path is required")
+		return fmt.Errorf("chart or chart-ref is required")
 	}
 	sourceLabels, err := parseLabels()
@ -182,21 +197,40 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 				Duration: createArgs.interval,
 			},
 			TargetNamespace: helmReleaseArgs.targetNamespace,
 			Suspend:         false,
 		},
 	}
-			Chart: helmv2.HelmChartTemplate{
+	switch {
-				Spec: helmv2.HelmChartTemplateSpec{
+	case helmReleaseArgs.chart != "":
-					Chart:   helmReleaseArgs.chart,
+		helmRelease.Spec.Chart = &helmv2.HelmChartTemplate{
-					Version: helmReleaseArgs.chartVersion,
+			Spec: helmv2.HelmChartTemplateSpec{
-					SourceRef: helmv2.CrossNamespaceObjectReference{
+				Chart:   helmReleaseArgs.chart,
-						Kind:      helmReleaseArgs.source.Kind,
+				Version: helmReleaseArgs.chartVersion,
-						Name:      helmReleaseArgs.source.Name,
+				SourceRef: helmv2.CrossNamespaceObjectReference{
-						Namespace: helmReleaseArgs.source.Namespace,
+					Kind:      helmReleaseArgs.source.Kind,
-					},
+					Name:      helmReleaseArgs.source.Name,
-					ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
+					Namespace: helmReleaseArgs.source.Namespace,
 				},
 				ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
 			},
-			Suspend: false,
+		}
-		},
+		if helmReleaseArgs.chartInterval != 0 {
 			helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
 				Duration: helmReleaseArgs.chartInterval,
 			}
 		}
 	case helmReleaseArgs.chartRef != "":
 		kind, name, ns := utils.ParseObjectKindNameNamespace(helmReleaseArgs.chartRef)
 		if kind != sourcev1.HelmChartKind && kind != sourcev1b2.OCIRepositoryKind {
 			return fmt.Errorf("chart reference kind '%s' is not supported, must be one of: %s",
 				kind, strings.Join(supportedHelmReleaseReferenceKinds, ", "))
 		}
 		helmRelease.Spec.ChartRef = &helmv2.CrossNamespaceSourceReference{
 			Kind:      kind,
 			Name:      name,
 			Namespace: ns,
 		}
 	}
 	if helmReleaseArgs.kubeConfigSecretRef != "" {
@ -207,12 +241,6 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 	if helmReleaseArgs.chartInterval != 0 {
 		helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
 			Duration: helmReleaseArgs.chartInterval,
 		}
 	}
 	if helmReleaseArgs.createNamespace {
 		if helmRelease.Spec.Install == nil {
 			helmRelease.Spec.Install = &helmv2.Install{}
@ -309,7 +337,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Successf("HelmRelease %s is ready", name)
-	logger.Successf("applied revision %s", helmRelease.Status.LastAppliedRevision)
+	logger.Successf("applied revision %s", getHelmReleaseRevision(helmRelease))
 	return nil
 }
--- a/cmd/flux/create_helmrelease_test.go
+++ b/cmd/flux/create_helmrelease_test.go
@ -0,0 +1,86 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import "testing"
 func TestCreateHelmRelease(t *testing.T) {
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	setupHRSource(t, tmpl)
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "missing name",
 			args:   "create helmrelease --export",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "missing chart template and chartRef",
 			args:   "create helmrelease podinfo --export",
 			assert: assertError("chart or chart-ref is required"),
 		},
 		{
 			name:   "unknown source kind",
 			args:   "create helmrelease podinfo --source foobar/podinfo --chart podinfo --export",
 			assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
 		},
 		{
 			name:   "unknown chart reference kind",
 			args:   "create helmrelease podinfo --chart-ref foobar/podinfo --export",
 			assert: assertError(`chart reference kind 'foobar' is not supported, must be one of: OCIRepository, HelmChart`),
 		},
 		{
 			name:   "basic helmrelease",
 			args:   "create helmrelease podinfo --source Helmrepository/podinfo --chart podinfo --interval=1m0s --export",
 			assert: assertGoldenTemplateFile("testdata/create_hr/basic.yaml", tmpl),
 		},
 		{
 			name:   "chart with OCIRepository source",
 			args:   "create helmrelease podinfo --chart-ref OCIRepository/podinfo --interval=1m0s --export",
 			assert: assertGoldenTemplateFile("testdata/create_hr/or_basic.yaml", tmpl),
 		},
 		{
 			name:   "chart with HelmChart source",
 			args:   "create helmrelease podinfo --chart-ref HelmChart/podinfo --interval=1m0s --export",
 			assert: assertGoldenTemplateFile("testdata/create_hr/hc_basic.yaml", tmpl),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args + " -n " + tmpl["fluxns"],
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
 func setupHRSource(t *testing.T, tmpl map[string]string) {
 	t.Helper()
 	testEnv.CreateObjectFile("./testdata/create_hr/setup-source.yaml", tmpl, t)
 }
--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@ -22,7 +22,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@ -29,7 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@ -87,7 +87,6 @@ type secretGitFlags struct {
 	keyAlgorithm   flags.PublicKeyAlgorithm
 	rsaBits        flags.RSAKeyBits
 	ecdsaCurve     flags.ECDSACurve
 	caFile         string
 	caCrtFile      string
 	privateKeyFile string
 	bearerToken    string
@ -102,8 +101,7 @@ func init() {
 	createSecretGitCmd.Flags().Var(&secretGitArgs.keyAlgorithm, "ssh-key-algorithm", secretGitArgs.keyAlgorithm.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
-	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates; takes precedence over --ca-file")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")
@ -169,11 +167,6 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 			if err != nil {
 				return fmt.Errorf("unable to read TLS CA file: %w", err)
 			}
 		} else if secretGitArgs.caFile != "" {
 			opts.CAFile, err = os.ReadFile(secretGitArgs.caFile)
 			if err != nil {
 				return fmt.Errorf("unable to read TLS CA file: %w", err)
 			}
 		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
--- a/cmd/flux/create_secret_github_app.go
+++ b/cmd/flux/create_secret_github_app.go
@ -0,0 +1,128 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 )
 var createSecretGitHubAppCmd = &cobra.Command{
 	Use:   "githubapp [name]",
 	Short: "Create or update a github app secret",
 	Long:  withPreviewNote(`The create secret githubapp command generates a Kubernetes secret that can be used for GitRepository authentication with github app`),
 	Example: `  # Create a githubapp authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret githubapp podinfo-auth \
    --app-id="1" \
    --app-installation-id="2" \
    --app-private-key=./private-key-file.pem \
    --export > githubapp-auth.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place githubapp-auth.yaml
 	`,
 	RunE: createSecretGitHubAppCmdRun,
 }
 type secretGitHubAppFlags struct {
 	appID             string
 	appInstallationID string
 	privateKeyFile    string
 	baseURL           string
 }
 var secretGitHubAppArgs = secretGitHubAppFlags{}
 func init() {
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appID, "app-id", "", "github app ID")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appInstallationID, "app-installation-id", "", "github app installation ID")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.privateKeyFile, "app-private-key", "", "github app private key file path")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.baseURL, "app-base-url", "", "github app base URL")
 	createSecretCmd.AddCommand(createSecretGitHubAppCmd)
 }
 func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	secretName := args[0]
 	if secretGitHubAppArgs.appID == "" {
 		return fmt.Errorf("--app-id is required")
 	}
 	if secretGitHubAppArgs.appInstallationID == "" {
 		return fmt.Errorf("--app-installation-id is required")
 	}
 	if secretGitHubAppArgs.privateKeyFile == "" {
 		return fmt.Errorf("--app-private-key is required")
 	}
 	privateKey, err := os.ReadFile(secretGitHubAppArgs.privateKeyFile)
 	if err != nil {
 		return fmt.Errorf("unable to read private key file: %w", err)
 	}
 	opts := sourcesecret.Options{
 		Name:                    secretName,
 		Namespace:               *kubeconfigArgs.Namespace,
 		GitHubAppID:             secretGitHubAppArgs.appID,
 		GitHubAppInstallationID: secretGitHubAppArgs.appInstallationID,
 		GitHubAppPrivateKey:     string(privateKey),
 	}
 	if secretGitHubAppArgs.baseURL != "" {
 		opts.GitHubAppBaseURL = secretGitHubAppArgs.baseURL
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("githubapp secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_githubapp_test.go
+++ b/cmd/flux/create_secret_githubapp_test.go
@ -0,0 +1,74 @@
 /*
 Copyright 2022 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestCreateSecretGitHubApp(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "create githubapp secret with missing name",
 			args:   "create secret githubapp",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "create githubapp secret with missing app-id",
 			args:   "create secret githubapp appinfo",
 			assert: assertError("--app-id is required"),
 		},
 		{
 			name:   "create githubapp secret with missing appInstallationID",
 			args:   "create secret githubapp appinfo --app-id 1",
 			assert: assertError("--app-installation-id is required"),
 		},
 		{
 			name:   "create githubapp secret with missing private key file",
 			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2",
 			assert: assertError("--app-private-key is required"),
 		},
 		{
 			name:   "create githubapp secret with private key file that does not exist",
 			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2 --app-private-key pk.pem",
 			assert: assertError("unable to read private key file: open pk.pem: no such file or directory"),
 		},
 		{
 			name:   "create githubapp secret with app info",
 			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/githubapp/secret.yaml"),
 		},
 		{
 			name:   "create githubapp secret with appinfo and base url",
 			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --app-base-url www.example.com/api/v3 --export",
 			assert: assertGoldenFile("testdata/create_secret/githubapp/secret-with-baseurl.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@ -32,7 +32,7 @@ import (
 var createSecretHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a Kubernetes secret for Helm repository authentication",
-	Long:  withPreviewNote(`The create secret helm command generates a Kubernetes secret with basic authentication credentials.`),
+	Long:  `The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
 	Example: ` # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret helm repo-auth \
    --namespace=my-namespace \
@ -58,12 +58,9 @@ func init() {
 	flags := createSecretHelmCmd.Flags()
 	flags.StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
 	flags.StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
-
+	flags.StringVar(&secretHelmArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
-	initSecretDeprecatedTLSFlags(flags, &secretHelmArgs.secretTLSFlags)
+	flags.StringVar(&secretHelmArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
-	deprecationMsg := "please use the command `flux create secret tls` to generate TLS secrets"
+	flags.StringVar(&secretHelmArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
 	flags.MarkDeprecated("cert-file", deprecationMsg)
 	flags.MarkDeprecated("key-file", deprecationMsg)
 	flags.MarkDeprecated("ca-file", deprecationMsg)
 	createSecretCmd.AddCommand(createSecretHelmCmd)
 }
@ -77,20 +74,20 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	caBundle := []byte{}
-	if secretHelmArgs.caFile != "" {
+	if secretHelmArgs.caCrtFile != "" {
 		var err error
-		caBundle, err = os.ReadFile(secretHelmArgs.caFile)
+		caBundle, err = os.ReadFile(secretHelmArgs.caCrtFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	var certFile, keyFile []byte
-	if secretHelmArgs.certFile != "" && secretHelmArgs.keyFile != "" {
+	if secretHelmArgs.tlsCrtFile != "" && secretHelmArgs.tlsKeyFile != "" {
-		if certFile, err = os.ReadFile(secretHelmArgs.certFile); err != nil {
+		if certFile, err = os.ReadFile(secretHelmArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
-		if keyFile, err = os.ReadFile(secretHelmArgs.keyFile); err != nil {
+		if keyFile, err = os.ReadFile(secretHelmArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
@ -101,9 +98,9 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		Labels:    labels,
 		Username:  secretHelmArgs.username,
 		Password:  secretHelmArgs.password,
-		CAFile:    caBundle,
+		CACrt:     caBundle,
-		CertFile:  certFile,
+		TLSCrt:    certFile,
-		KeyFile:   keyFile,
+		TLSKey:    keyFile,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
--- a/cmd/flux/create_secret_notation.go
+++ b/cmd/flux/create_secret_notation.go
@ -0,0 +1,161 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/notaryproject/notation-go/verifier/trustpolicy"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 )
 var createSecretNotationCmd = &cobra.Command{
 	Use:   "notation [name]",
 	Short: "Create or update a Kubernetes secret for verifications of artifacts signed by Notation",
 	Long:  withPreviewNote(`The create secret notation command generates a Kubernetes secret with root ca certificates and trust policy.`),
 	Example: ` # Create a Notation configuration secret on disk and encrypt it with Mozilla SOPS
  flux create secret notation my-notation-cert \
    --namespace=my-namespace \
    --trust-policy-file=./my-trust-policy.json \
    --ca-cert-file=./my-cert.crt \
    --export > my-notation-cert.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place my-notation-cert.yaml`,
 	RunE: createSecretNotationCmdRun,
 }
 type secretNotationFlags struct {
 	trustPolicyFile string
 	caCrtFile       []string
 }
 var secretNotationArgs secretNotationFlags
 func init() {
 	createSecretNotationCmd.Flags().StringVar(&secretNotationArgs.trustPolicyFile, "trust-policy-file", "", "notation trust policy file path")
 	createSecretNotationCmd.Flags().StringSliceVar(&secretNotationArgs.caCrtFile, "ca-cert-file", []string{}, "root ca cert file path")
 	createSecretCmd.AddCommand(createSecretNotationCmd)
 }
 func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	if secretNotationArgs.caCrtFile == nil || len(secretNotationArgs.caCrtFile) == 0 {
 		return fmt.Errorf("--ca-cert-file is required")
 	}
 	if secretNotationArgs.trustPolicyFile == "" {
 		return fmt.Errorf("--trust-policy-file is required")
 	}
 	name := args[0]
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	policy, err := os.ReadFile(secretNotationArgs.trustPolicyFile)
 	if err != nil {
 		return fmt.Errorf("unable to read trust policy file: %w", err)
 	}
 	var doc trustpolicy.Document
 	if err := json.Unmarshal(policy, &doc); err != nil {
 		return fmt.Errorf("failed to unmarshal trust policy %s: %w", secretNotationArgs.trustPolicyFile, err)
 	}
 	if err := doc.Validate(); err != nil {
 		return fmt.Errorf("invalid trust policy: %w", err)
 	}
 	var (
 		caCerts []sourcesecret.VerificationCrt
 		fileErr error
 	)
 	for _, caCrtFile := range secretNotationArgs.caCrtFile {
 		fileName := filepath.Base(caCrtFile)
 		if !strings.HasSuffix(fileName, ".crt") && !strings.HasSuffix(fileName, ".pem") {
 			fileErr = errors.Join(fileErr, fmt.Errorf("%s must end with either .crt or .pem", fileName))
 			continue
 		}
 		caBundle, err := os.ReadFile(caCrtFile)
 		if err != nil {
 			fileErr = errors.Join(fileErr, fmt.Errorf("unable to read TLS CA file: %w", err))
 			continue
 		}
 		caCerts = append(caCerts, sourcesecret.VerificationCrt{Name: fileName, CACrt: caBundle})
 	}
 	if fileErr != nil {
 		return fileErr
 	}
 	if len(caCerts) == 0 {
 		return fmt.Errorf("no CA certs found")
 	}
 	opts := sourcesecret.Options{
 		Name:             name,
 		Namespace:        *kubeconfigArgs.Namespace,
 		Labels:           labels,
 		VerificationCrts: caCerts,
 		TrustPolicy:      policy,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("notation configuration secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_notation_test.go
+++ b/cmd/flux/create_secret_notation_test.go
@ -0,0 +1,124 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
 )
 const (
 	trustPolicy        = "./testdata/create_secret/notation/test-trust-policy.json"
 	invalidTrustPolicy = "./testdata/create_secret/notation/invalid-trust-policy.json"
 	invalidJson        = "./testdata/create_secret/notation/invalid.json"
 	testCertFolder     = "./testdata/create_secret/notation"
 )
 func TestCreateNotationSecret(t *testing.T) {
 	crt, err := os.Create(filepath.Join(t.TempDir(), "ca.crt"))
 	if err != nil {
 		t.Fatal("could not create ca.crt file")
 	}
 	pem, err := os.Create(filepath.Join(t.TempDir(), "ca.pem"))
 	if err != nil {
 		t.Fatal("could not create ca.pem file")
 	}
 	invalidCert, err := os.Create(filepath.Join(t.TempDir(), "ca.p12"))
 	if err != nil {
 		t.Fatal("could not create ca.p12 file")
 	}
 	_, err = crt.Write([]byte("ca-data-crt"))
 	if err != nil {
 		t.Fatal("could not write to crt certificate file")
 	}
 	_, err = pem.Write([]byte("ca-data-pem"))
 	if err != nil {
 		t.Fatal("could not write to pem certificate file")
 	}
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "no args",
 			args:   "create secret notation",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "no trust policy",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s", testCertFolder),
 			assert: assertError("--trust-policy-file is required"),
 		},
 		{
 			name:   "no cert",
 			args:   fmt.Sprintf("create secret notation notation-config --trust-policy-file=%s", trustPolicy),
 			assert: assertError("--ca-cert-file is required"),
 		},
 		{
 			name:   "non pem and crt cert",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", invalidCert.Name(), trustPolicy),
 			assert: assertError("ca.p12 must end with either .crt or .pem"),
 		},
 		{
 			name:   "invalid trust policy",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidTrustPolicy),
 			assert: assertError("invalid trust policy: trust policy: a trust policy statement is missing a name, every statement requires a name"),
 		},
 		{
 			name:   "invalid trust policy json",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidJson),
 			assert: assertError(fmt.Sprintf("failed to unmarshal trust policy %s: json: cannot unmarshal string into Go value of type trustpolicy.Document", invalidJson)),
 		},
 		{
 			name:   "crt secret",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), trustPolicy),
 			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-crt.yaml"),
 		},
 		{
 			name:   "pem secret",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", pem.Name(), trustPolicy),
 			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-pem.yaml"),
 		},
 		{
 			name:   "multi secret",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), pem.Name(), trustPolicy),
 			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-multi.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			defer func() {
 				secretNotationArgs = secretNotationFlags{}
 			}()
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_proxy.go
+++ b/cmd/flux/create_secret_proxy.go
@ -0,0 +1,112 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"errors"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var createSecretProxyCmd = &cobra.Command{
 	Use:   "proxy [name]",
 	Short: "Create or update a Kubernetes secret for proxy authentication",
 	Long: `The create secret proxy command generates a Kubernetes secret with the
 proxy address and the basic authentication credentials.`,
 	Example: ` # Create a proxy secret on disk and encrypt it with SOPS
  flux create secret proxy my-proxy \
    --namespace=my-namespace \
    --address=https://my-proxy.com \
    --username=my-username \
    --password=my-password \
    --export > proxy.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place proxy.yaml`,
 	RunE: createSecretProxyCmdRun,
 }
 type secretProxyFlags struct {
 	address  string
 	username string
 	password string
 }
 var secretProxyArgs secretProxyFlags
 func init() {
 	createSecretProxyCmd.Flags().StringVar(&secretProxyArgs.address, "address", "", "proxy address")
 	createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.username, "username", "u", "", "basic authentication username")
 	createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.password, "password", "p", "", "basic authentication password")
 	createSecretCmd.AddCommand(createSecretProxyCmd)
 }
 func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	if secretProxyArgs.address == "" {
 		return errors.New("address is required")
 	}
 	opts := sourcesecret.Options{
 		Name:      name,
 		Namespace: *kubeconfigArgs.Namespace,
 		Labels:    labels,
 		Address:   secretProxyArgs.address,
 		Username:  secretProxyArgs.username,
 		Password:  secretProxyArgs.password,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("proxy secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_proxy_test.go
+++ b/cmd/flux/create_secret_proxy_test.go
@ -0,0 +1,47 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestCreateProxySecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			args:   "create secret proxy proxy-secret",
 			assert: assertError("address is required"),
 		},
 		{
 			args:   "create secret proxy proxy-secret --address=https://my-proxy.com --username=my-username --password=my-password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/proxy/secret-proxy.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@ -22,7 +22,6 @@ import (
 	"os"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
@ -33,8 +32,8 @@ import (
 var createSecretTLSCmd = &cobra.Command{
 	Use:   "tls [name]",
 	Short: "Create or update a Kubernetes secret with TLS certificates",
-	Long:  withPreviewNote(`The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`),
+	Long:  `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
-	Example: ` # Create a TLS secret on disk and encrypt it with Mozilla SOPS.
+	Example: ` # Create a TLS secret on disk and encrypt it with SOPS.
  # Files are expected to be PEM-encoded.
  flux create secret tls certs \
    --namespace=my-namespace \
@ -49,9 +48,6 @@ var createSecretTLSCmd = &cobra.Command{
 }
 type secretTLSFlags struct {
 	certFile   string
 	keyFile    string
 	caFile     string
 	caCrtFile  string
 	tlsKeyFile string
 	tlsCrtFile string
@ -59,26 +55,10 @@ type secretTLSFlags struct {
 var secretTLSArgs secretTLSFlags
 func initSecretDeprecatedTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
 	flags.StringVar(&args.certFile, "cert-file", "", "TLS authentication cert file path")
 	flags.StringVar(&args.keyFile, "key-file", "", "TLS authentication key file path")
 	flags.StringVar(&args.caFile, "ca-file", "", "TLS authentication CA file path")
 }
 func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
 	flags.StringVar(&args.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
 	flags.StringVar(&args.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
 	flags.StringVar(&args.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
 }
 func init() {
-	flags := createSecretTLSCmd.Flags()
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
-	initSecretDeprecatedTLSFlags(flags, &secretTLSArgs)
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
-	initSecretTLSFlags(flags, &secretTLSArgs)
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
 	flags.MarkDeprecated("cert-file", "please use --tls-crt-file instead")
 	flags.MarkDeprecated("key-file", "please use --tls-key-file instead")
 	flags.MarkDeprecated("ca-file", "please use --ca-crt-file instead")
 	createSecretCmd.AddCommand(createSecretTLSCmd)
 }
@ -102,11 +82,6 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	} else if secretTLSArgs.caFile != "" {
 		opts.CAFile, err = os.ReadFile(secretTLSArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
@ -116,13 +91,6 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	} else if secretTLSArgs.certFile != "" && secretTLSArgs.keyFile != "" {
 		if opts.CertFile, err = os.ReadFile(secretTLSArgs.certFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
 		if opts.KeyFile, err = os.ReadFile(secretTLSArgs.keyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
 	secret, err := sourcesecret.Generate(opts)
--- a/cmd/flux/create_secret_tls_test.go
+++ b/cmd/flux/create_secret_tls_test.go
@ -18,10 +18,6 @@ func TestCreateTlsSecret(t *testing.T) {
 			args:   "create secret tls certs --namespace=my-namespace --tls-crt-file=./testdata/create_secret/tls/test-cert.pem --tls-key-file=./testdata/create_secret/tls/test-key.pem --ca-crt-file=./testdata/create_secret/tls/test-ca.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
 		},
 		{
 			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --ca-file=./testdata/create_secret/tls/test-ca.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/deprecated-secret-tls.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@ -32,7 +32,7 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@ -41,8 +41,8 @@ import (
 var createSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Create or update a Bucket source",
-	Long: withPreviewNote(`The create source bucket command generates a Bucket resource and waits for it to be downloaded.
+	Long: `The create source bucket command generates a Bucket resource and waits for it to be downloaded.
-For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`),
+For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`,
 	Example: `  # Create a source for a Bucket using static authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
@ -63,15 +63,16 @@ For Buckets with static authentication, the credentials are stored in a Kubernet
 }
 type sourceBucketFlags struct {
-	name        string
+	name           string
-	provider    flags.SourceBucketProvider
+	provider       flags.SourceBucketProvider
-	endpoint    string
+	endpoint       string
-	accessKey   string
+	accessKey      string
-	secretKey   string
+	secretKey      string
-	region      string
+	region         string
-	insecure    bool
+	insecure       bool
-	secretRef   string
+	secretRef      string
-	ignorePaths []string
+	proxySecretRef string
 	ignorePaths    []string
 }
 var sourceBucketArgs = newSourceBucketFlags()
@ -85,6 +86,7 @@ func init() {
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.region, "region", "", "the bucket region")
 	createSourceBucketCmd.Flags().BoolVar(&sourceBucketArgs.insecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretRef, "secret-ref", "", "the name of an existing secret containing credentials")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceBucketCmd.Flags().StringSliceVar(&sourceBucketArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in bucket resource (can specify multiple paths with commas: path1,path2)")
 	createSourceCmd.AddCommand(createSourceBucketCmd)
@ -92,7 +94,7 @@ func init() {
 func newSourceBucketFlags() sourceBucketFlags {
 	return sourceBucketFlags{
-		provider: flags.SourceBucketProvider(sourcev1.GenericBucketProvider),
+		provider: flags.SourceBucketProvider(sourcev1.BucketProviderGeneric),
 	}
 }
@ -153,6 +155,12 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 	if sourceBucketArgs.proxySecretRef != "" {
 		bucket.Spec.ProxySecretRef = &meta.LocalObjectReference{
 			Name: sourceBucketArgs.proxySecretRef,
 		}
 	}
 	if createArgs.export {
 		return printExport(exportBucket(bucket))
 	}
--- a/cmd/flux/create_source_chart.go
+++ b/cmd/flux/create_source_chart.go
@ -0,0 +1,217 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createSourceChartCmd = &cobra.Command{
 	Use:   "chart [name]",
 	Short: "Create or update a HelmChart source",
 	Long:  `The create source chart command generates a HelmChart resource and waits for the chart to be available.`,
 	Example: `  # Create a source for a chart residing in a HelmRepository
  flux create source chart podinfo \
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --chart-version=6.x
  # Create a source for a chart residing in a Git repository
  flux create source chart podinfo \
    --source=GitRepository/podinfo \
    --chart=./charts/podinfo
  # Create a source for a chart residing in a S3 Bucket
  flux create source chart podinfo \
    --source=Bucket/podinfo \
    --chart=./charts/podinfo
  # Create a source for a chart from OCI and verify its signature
  flux create source chart podinfo \
    --source HelmRepository/podinfo \
    --chart podinfo \
    --chart-version=6.6.2 \
    --verify-provider=cosign \
    --verify-issuer=https://token.actions.githubusercontent.com \
    --verify-subject=https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2`,
 	RunE: createSourceChartCmdRun,
 }
 type sourceChartFlags struct {
 	chart             string
 	chartVersion      string
 	source            flags.LocalHelmChartSource
 	reconcileStrategy string
 	verifyProvider    flags.SourceOCIVerifyProvider
 	verifySecretRef   string
 	verifyOIDCIssuer  string
 	verifySubject     string
 }
 var sourceChartArgs sourceChartFlags
 func init() {
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chart, "chart", "", "Helm chart name or path")
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createSourceChartCmd.Flags().Var(&sourceChartArgs.source, "source", sourceChartArgs.source.Description())
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart (accepted values: Revision and ChartRevision)")
 	createSourceChartCmd.Flags().Var(&sourceChartArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
 	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
 	createSourceCmd.AddCommand(createSourceChartCmd)
 }
 func createSourceChartCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if sourceChartArgs.source.Kind == "" || sourceChartArgs.source.Name == "" {
 		return fmt.Errorf("chart source is required")
 	}
 	if sourceChartArgs.chart == "" {
 		return fmt.Errorf("chart name or path is required")
 	}
 	logger.Generatef("generating HelmChart source")
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	helmChart := &sourcev1.HelmChart{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
 		Spec: sourcev1.HelmChartSpec{
 			Chart:   sourceChartArgs.chart,
 			Version: sourceChartArgs.chartVersion,
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
 			ReconcileStrategy: sourceChartArgs.reconcileStrategy,
 			SourceRef: sourcev1.LocalHelmChartSourceReference{
 				Kind: sourceChartArgs.source.Kind,
 				Name: sourceChartArgs.source.Name,
 			},
 		},
 	}
 	if provider := sourceChartArgs.verifyProvider.String(); provider != "" {
 		helmChart.Spec.Verify = &sourcev1.OCIRepositoryVerification{
 			Provider: provider,
 		}
 		if secretName := sourceChartArgs.verifySecretRef; secretName != "" {
 			helmChart.Spec.Verify.SecretRef = &meta.LocalObjectReference{
 				Name: secretName,
 			}
 		}
 		verifyIssuer := sourceChartArgs.verifyOIDCIssuer
 		verifySubject := sourceChartArgs.verifySubject
 		if verifyIssuer != "" || verifySubject != "" {
 			helmChart.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
 				Issuer:  verifyIssuer,
 				Subject: verifySubject,
 			}}
 		}
 	} else if sourceChartArgs.verifySecretRef != "" {
 		return fmt.Errorf("a verification provider must be specified when a secret is specified")
 	} else if sourceChartArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
 		return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
 	}
 	if createArgs.export {
 		return printExport(exportHelmChart(helmChart))
 	}
 	logger.Actionf("applying HelmChart source")
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	namespacedName, err := upsertHelmChart(ctx, kubeClient, helmChart)
 	if err != nil {
 		return err
 	}
 	logger.Waitingf("waiting for HelmChart source reconciliation")
 	readyConditionFunc := isObjectReadyConditionFunc(kubeClient, namespacedName, helmChart)
 	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true, readyConditionFunc); err != nil {
 		return err
 	}
 	logger.Successf("HelmChart source reconciliation completed")
 	if helmChart.Status.Artifact == nil {
 		return fmt.Errorf("HelmChart source reconciliation completed but no artifact was found")
 	}
 	logger.Successf("fetched revision: %s", helmChart.Status.Artifact.Revision)
 	return nil
 }
 func upsertHelmChart(ctx context.Context, kubeClient client.Client,
 	helmChart *sourcev1.HelmChart) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: helmChart.GetNamespace(),
 		Name:      helmChart.GetName(),
 	}
 	var existing sourcev1.HelmChart
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			if err := kubeClient.Create(ctx, helmChart); err != nil {
 				return namespacedName, err
 			} else {
 				logger.Successf("source created")
 				return namespacedName, nil
 			}
 		}
 		return namespacedName, err
 	}
 	existing.Labels = helmChart.Labels
 	existing.Spec = helmChart.Spec
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return namespacedName, err
 	}
 	helmChart = &existing
 	logger.Successf("source updated")
 	return namespacedName, nil
 }
--- a/cmd/flux/create_source_chart_test.go
+++ b/cmd/flux/create_source_chart_test.go
@ -0,0 +1,91 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import "testing"
 func TestCreateSourceChart(t *testing.T) {
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	setupSourceChart(t, tmpl)
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "missing name",
 			args:   "create source chart --export",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "missing source reference",
 			args:   "create source chart podinfo --export ",
 			assert: assertError("chart source is required"),
 		},
 		{
 			name:   "missing chart name",
 			args:   "create source chart podinfo --source helmrepository/podinfo --export",
 			assert: assertError("chart name or path is required"),
 		},
 		{
 			name:   "unknown source kind",
 			args:   "create source chart podinfo --source foobar/podinfo --export",
 			assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
 		},
 		{
 			name:   "basic chart",
 			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --export",
 			assert: assertGoldenTemplateFile("testdata/create_source_chart/basic.yaml", tmpl),
 		},
 		{
 			name:   "chart with basic signature verification",
 			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --export",
 			assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_basic.yaml", tmpl),
 		},
 		{
 			name:   "unknown signature verification provider",
 			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider foobar --export",
 			assert: assertError(`invalid argument "foobar" for "--verify-provider" flag: source OCI verify provider 'foobar' is not supported, must be one of: cosign`),
 		},
 		{
 			name:   "chart with complete signature verification",
 			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --verify-issuer foo --verify-subject bar --export",
 			assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_complete.yaml", tmpl),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args + " -n " + tmpl["fluxns"],
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
 func setupSourceChart(t *testing.T, tmpl map[string]string) {
 	t.Helper()
 	testEnv.CreateObjectFile("./testdata/create_source_chart/setup-source.yaml", tmpl, t)
 }
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@ -56,6 +56,8 @@ type sourceGitFlags struct {
 	keyRSABits        flags.RSAKeyBits
 	keyECDSACurve     flags.ECDSACurve
 	secretRef         string
 	proxySecretRef    string
 	provider          flags.SourceGitProvider
 	caFile            string
 	privateKeyFile    string
 	recurseSubmodules bool
@ -119,7 +121,13 @@ For private Git repositories, the basic authentication credentials are stored in
    --url=https://github.com/stefanprodan/podinfo \
    --branch=master \
    --username=username \
-    --password=password`,
+    --password=password
  # Create a source for a Git repository using azure provider
  flux create source git podinfo \
    --url=https://dev.azure.com/foo/bar/_git/podinfo \
    --branch=master \
    --provider=azure`,
 	RunE: createSourceGitCmdRun,
 }
@ -130,14 +138,16 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", " git reference name")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", "git reference name")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.commit, "commit", "", "git commit")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyRSABits, "ssh-rsa-bits", sourceGitArgs.keyRSABits.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyECDSACurve, "ssh-ecdsa-curve", sourceGitArgs.keyECDSACurve.Description())
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials or github app authentication")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.provider, "provider", sourceGitArgs.provider.Description())
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSourceGitCmd.Flags().BoolVar(&sourceGitArgs.recurseSubmodules, "recurse-submodules", false,
@ -236,6 +246,16 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 	if sourceGitArgs.proxySecretRef != "" {
 		gitRepository.Spec.ProxySecretRef = &meta.LocalObjectReference{
 			Name: sourceGitArgs.proxySecretRef,
 		}
 	}
 	if provider := sourceGitArgs.provider.String(); provider != "" {
 		gitRepository.Spec.Provider = provider
 	}
 	if createArgs.export {
 		return printExport(exportGit(&gitRepository))
 	}
@ -273,7 +293,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 				if err != nil {
 					return fmt.Errorf("unable to read TLS CA file: %w", err)
 				}
-				secretOpts.CAFile = caBundle
+				secretOpts.CACrt = caBundle
 			}
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@ -134,6 +134,36 @@ func TestCreateSourceGitExport(t *testing.T) {
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-branch.yaml"),
 		},
 		{
 			name:   "source with generic provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --provider generic --branch=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-generic.yaml"),
 		},
 		{
 			name:   "source with azure provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider azure --branch=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-azure.yaml"),
 		},
 		{
 			name:   "source with github provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --provider github --branch=test --interval=1m0s --secret-ref appinfo --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-github.yaml"),
 		},
 		{
 			name:   "source with invalid provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider dummy --branch=test --interval=1m0s --export",
 			assert: assertError("invalid argument \"dummy\" for \"--provider\" flag: source Git provider 'dummy' is not supported, must be one of: generic|azure|github"),
 		},
 		{
 			name:   "source with empty provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider \"\" --branch=test --interval=1m0s --export",
 			assert: assertError("invalid argument \"\" for \"--provider\" flag: no source Git provider given, please specify the Git provider name"),
 		},
 		{
 			name:   "source with no provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --branch=test --interval=1m0s --export --provider",
 			assert: assertError("flag needs an argument: --provider"),
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@ -22,7 +22,6 @@ import (
 	"net/url"
 	"os"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@ -32,7 +31,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
@ -41,8 +41,8 @@ import (
 var createSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a HelmRepository source",
-	Long: withPreviewNote(`The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
+	Long: `The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
-For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`),
+For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
 	Example: `  # Create a source for an HTTPS public Helm repository
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
@ -197,9 +197,9 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			Namespace:    *kubeconfigArgs.Namespace,
 			Username:     sourceHelmArgs.username,
 			Password:     sourceHelmArgs.password,
-			CAFile:       caBundle,
+			CACrt:        caBundle,
-			CertFile:     certFile,
+			TLSCrt:       certFile,
-			KeyFile:      keyFile,
+			TLSKey:       keyFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
 		secret, err := sourcesecret.Generate(secretOpts)
--- a/cmd/flux/create_source_oci.go
+++ b/cmd/flux/create_source_oci.go
@ -30,7 +30,8 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@ -43,32 +44,44 @@ var createSourceOCIRepositoryCmd = &cobra.Command{
 	Example: `  # Create an OCIRepository for a public container image
  flux create source oci podinfo \
    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
-    --tag=6.1.6 \
+    --tag=6.6.2 \
    --interval=10m
  # Create an OCIRepository with OIDC signature verification
  flux create source oci podinfo \
    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
    --tag=6.6.2 \
    --interval=10m \
    --verify-provider=cosign \
    --verify-subject="^https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2$" \
    --verify-issuer="^https://token.actions.githubusercontent.com$"
 `,
 	RunE: createSourceOCIRepositoryCmdRun,
 }
 type sourceOCIRepositoryFlags struct {
-	url             string
+	url              string
-	tag             string
+	tag              string
-	semver          string
+	semver           string
-	digest          string
+	digest           string
-	secretRef       string
+	secretRef        string
-	serviceAccount  string
+	proxySecretRef   string
-	certSecretRef   string
+	serviceAccount   string
-	verifyProvider  flags.SourceOCIVerifyProvider
+	certSecretRef    string
-	verifySecretRef string
+	verifyProvider   flags.SourceOCIVerifyProvider
-	ignorePaths     []string
+	verifySecretRef  string
-	provider        flags.SourceOCIProvider
+	verifyOIDCIssuer string
-	insecure        bool
+	verifySubject    string
 	ignorePaths      []string
 	provider         flags.SourceOCIProvider
 	insecure         bool
 }
 var sourceOCIRepositoryArgs = newSourceOCIFlags()
 func newSourceOCIFlags() sourceOCIRepositoryFlags {
 	return sourceOCIRepositoryFlags{
-		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+		provider: flags.SourceOCIProvider(sourcev1b2.GenericOCIProvider),
 	}
 }
@ -79,10 +92,13 @@ func init() {
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.semver, "tag-semver", "", "the OCI artifact tag semver range")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.digest, "digest", "", "the OCI artifact digest")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
 	createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
 	createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
 	createSourceOCIRepositoryCmd.Flags().BoolVar(&sourceOCIRepositoryArgs.insecure, "insecure", false, "for when connecting to a non-TLS registries over plain HTTP")
@ -111,20 +127,20 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		ignorePaths = &ignorePathsStr
 	}
-	repository := &sourcev1.OCIRepository{
+	repository := &sourcev1b2.OCIRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: sourcev1.OCIRepositorySpec{
+		Spec: sourcev1b2.OCIRepositorySpec{
 			Provider: sourceOCIRepositoryArgs.provider.String(),
 			URL:      sourceOCIRepositoryArgs.url,
 			Insecure: sourceOCIRepositoryArgs.insecure,
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
-			Reference: &sourcev1.OCIRepositoryRef{},
+			Reference: &sourcev1b2.OCIRepositoryRef{},
 			Ignore:    ignorePaths,
 		},
 	}
@ -153,6 +169,12 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 	if secretName := sourceOCIRepositoryArgs.proxySecretRef; secretName != "" {
 		repository.Spec.ProxySecretRef = &meta.LocalObjectReference{
 			Name: secretName,
 		}
 	}
 	if secretName := sourceOCIRepositoryArgs.certSecretRef; secretName != "" {
 		repository.Spec.CertSecretRef = &meta.LocalObjectReference{
 			Name: secretName,
@ -168,8 +190,18 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 				Name: secretName,
 			}
 		}
 		verifyIssuer := sourceOCIRepositoryArgs.verifyOIDCIssuer
 		verifySubject := sourceOCIRepositoryArgs.verifySubject
 		if verifyIssuer != "" || verifySubject != "" {
 			repository.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
 				Issuer:  verifyIssuer,
 				Subject: verifySubject,
 			}}
 		}
 	} else if sourceOCIRepositoryArgs.verifySecretRef != "" {
 		return fmt.Errorf("a verification provider must be specified when a secret is specified")
 	} else if sourceOCIRepositoryArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
 		return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
 	}
 	if createArgs.export {
@ -205,13 +237,13 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 }
 func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
-	ociRepository *sourcev1.OCIRepository) (types.NamespacedName, error) {
+	ociRepository *sourcev1b2.OCIRepository) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: ociRepository.GetNamespace(),
 		Name:      ociRepository.GetName(),
 	}
-	var existing sourcev1.OCIRepository
+	var existing sourcev1b2.OCIRepository
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
--- a/cmd/flux/create_source_oci_test.go
+++ b/cmd/flux/create_source_oci_test.go
@ -37,10 +37,35 @@ func TestCreateSourceOCI(t *testing.T) {
 			assertFunc: assertError("url is required"),
 		},
 		{
-			name:       "verify provider not specified",
+			name:       "verify secret specified but provider missing",
 			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-secret-ref=cosign-pub",
 			assertFunc: assertError("a verification provider must be specified when a secret is specified"),
 		},
 		{
 			name:       "verify issuer specified but provider missing",
 			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github.com",
 			assertFunc: assertError("a verification provider must be specified when OIDC issuer/subject is specified"),
 		},
 		{
 			name:       "verify identity specified but provider missing",
 			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-subject=developer",
 			assertFunc: assertError("a verification provider must be specified when OIDC issuer/subject is specified"),
 		},
 		{
 			name:       "verify issuer specified but subject missing",
 			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github --verify-provider=cosign --export",
 			assertFunc: assertGoldenFile("./testdata/oci/export_with_issuer.golden"),
 		},
 		{
 			name:       "all verify fields set",
 			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github verify-subject=stefanprodan --verify-provider=cosign --export",
 			assertFunc: assertGoldenFile("./testdata/oci/export_with_issuer.golden"),
 		},
 		{
 			name:       "verify subject specified but issuer missing",
 			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-subject=stefanprodan --verify-provider=cosign --export",
 			assertFunc: assertGoldenFile("./testdata/oci/export_with_subject.golden"),
 		},
 		{
 			name:       "export manifest",
 			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --export",
--- a/cmd/flux/debug.go
+++ b/cmd/flux/debug.go
@ -0,0 +1,31 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"github.com/spf13/cobra"
 )
 var debugCmd = &cobra.Command{
 	Use:   "debug",
 	Short: "Debug a flux resource",
 	Long:  `The debug command can be used to troubleshoot failing resource reconciliations.`,
 }
 func init() {
 	rootCmd.AddCommand(debugCmd)
 }
--- a/cmd/flux/debug_helmrelease.go
+++ b/cmd/flux/debug_helmrelease.go
@ -0,0 +1,113 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	"github.com/fluxcd/pkg/chartutil"
 	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var debugHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Debug a HelmRelease resource",
 	Long: withPreviewNote(`The debug helmrelease command can be used to troubleshoot failing Helm release reconciliations.
 WARNING: This command will print sensitive information if Kubernetes Secrets are referenced in the HelmRelease .spec.valuesFrom field.`),
 	Example: `  # Print the status of a Helm release
  flux debug hr podinfo --show-status
  # Export the final values of a Helm release composed from referred ConfigMaps and Secrets
  flux debug hr podinfo --show-values > values.yaml`,
 	RunE:              debugHelmReleaseCmdRun,
 	Args:              cobra.ExactArgs(1),
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
 }
 type debugHelmReleaseFlags struct {
 	showStatus bool
 	showValues bool
 }
 var debugHelmReleaseArgs debugHelmReleaseFlags
 func init() {
 	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showStatus, "show-status", false, "print the status of the Helm release")
 	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showValues, "show-values", false, "print the final values of the Helm release")
 	debugCmd.AddCommand(debugHelmReleaseCmd)
 }
 func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if (!debugHelmReleaseArgs.showStatus && !debugHelmReleaseArgs.showValues) ||
 		(debugHelmReleaseArgs.showStatus && debugHelmReleaseArgs.showValues) {
 		return fmt.Errorf("either --show-status or --show-values must be set")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	hr := &helmv2.HelmRelease{}
 	hrName := types.NamespacedName{Namespace: *kubeconfigArgs.Namespace, Name: name}
 	if err := kubeClient.Get(ctx, hrName, hr); err != nil {
 		return err
 	}
 	if debugHelmReleaseArgs.showStatus {
 		status, err := yaml.Marshal(hr.Status)
 		if err != nil {
 			return err
 		}
 		rootCmd.Println("# Status documentation: https://fluxcd.io/flux/components/helm/helmreleases/#helmrelease-status")
 		rootCmd.Print(string(status))
 		return nil
 	}
 	if debugHelmReleaseArgs.showValues {
 		finalValues, err := chartutil.ChartValuesFromReferences(ctx,
 			logr.Discard(),
 			kubeClient,
 			hr.GetNamespace(),
 			hr.GetValues(),
 			hr.Spec.ValuesFrom...)
 		if err != nil {
 			return err
 		}
 		values, err := yaml.Marshal(finalValues)
 		if err != nil {
 			return err
 		}
 		rootCmd.Print(string(values))
 	}
 	return nil
 }
--- a/cmd/flux/debug_helmrelease_test.go
+++ b/cmd/flux/debug_helmrelease_test.go
@ -0,0 +1,71 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestDebugHelmRelease(t *testing.T) {
 	namespace := allocateNamespace("debug")
 	objectFile := "testdata/debug_helmrelease/objects.yaml"
 	tmpl := map[string]string{
 		"fluxns": namespace,
 	}
 	testEnv.CreateObjectFile(objectFile, tmpl, t)
 	cases := []struct {
 		name       string
 		arg        string
 		goldenFile string
 		tmpl       map[string]string
 	}{
 		{
 			"debug status",
 			"debug helmrelease test-values-inline --show-status --show-values=false",
 			"testdata/debug_helmrelease/status.golden.yaml",
 			tmpl,
 		},
 		{
 			"debug values",
 			"debug helmrelease test-values-inline --show-values --show-status=false",
 			"testdata/debug_helmrelease/values-inline.golden.yaml",
 			tmpl,
 		},
 		{
 			"debug values from",
 			"debug helmrelease test-values-from --show-values --show-status=false",
 			"testdata/debug_helmrelease/values-from.golden.yaml",
 			tmpl,
 		},
 	}
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.arg + " -n=" + namespace,
 				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/debug_kustomization.go
+++ b/cmd/flux/debug_kustomization.go
@ -0,0 +1,134 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"errors"
 	"fmt"
 	"sort"
 	"strings"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	"github.com/fluxcd/pkg/kustomize"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var debugKustomizationCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Debug a Flux Kustomization resource",
 	Long: withPreviewNote(`The debug kustomization command can be used to troubleshoot failing Flux Kustomization reconciliations.
 WARNING: This command will print sensitive information if Kubernetes Secrets are referenced in the Kustomization .spec.postBuild.substituteFrom field.`),
 	Example: `  # Print the status of a Flux Kustomization
  flux debug ks podinfo --show-status
  # Export the final variables used for post-build substitutions composed from referred ConfigMaps and Secrets
  flux debug ks podinfo --show-vars > vars.env`,
 	RunE:              debugKustomizationCmdRun,
 	Args:              cobra.ExactArgs(1),
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 }
 type debugKustomizationFlags struct {
 	showStatus bool
 	showVars   bool
 }
 var debugKustomizationArgs debugKustomizationFlags
 func init() {
 	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showStatus, "show-status", false, "print the status of the Flux Kustomization")
 	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showVars, "show-vars", false, "print the final vars of the Flux Kustomization in dot env format")
 	debugCmd.AddCommand(debugKustomizationCmd)
 }
 func debugKustomizationCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if (!debugKustomizationArgs.showStatus && !debugKustomizationArgs.showVars) ||
 		(debugKustomizationArgs.showStatus && debugKustomizationArgs.showVars) {
 		return fmt.Errorf("either --show-status or --show-vars must be set")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	ks := &kustomizev1.Kustomization{}
 	ksName := types.NamespacedName{Namespace: *kubeconfigArgs.Namespace, Name: name}
 	if err := kubeClient.Get(ctx, ksName, ks); err != nil {
 		return err
 	}
 	if debugKustomizationArgs.showStatus {
 		status, err := yaml.Marshal(ks.Status)
 		if err != nil {
 			return err
 		}
 		rootCmd.Println("# Status documentation: https://fluxcd.io/flux/components/kustomize/kustomizations/#kustomization-status")
 		rootCmd.Print(string(status))
 		return nil
 	}
 	if debugKustomizationArgs.showVars {
 		if ks.Spec.PostBuild == nil {
 			return errors.New("no post build substitutions found")
 		}
 		ksObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(ks)
 		if err != nil {
 			return err
 		}
 		finalVars, err := kustomize.LoadVariables(ctx, kubeClient, unstructured.Unstructured{Object: ksObj})
 		if err != nil {
 			return err
 		}
 		if len(ks.Spec.PostBuild.Substitute) > 0 {
 			for k, v := range ks.Spec.PostBuild.Substitute {
 				// Remove new lines from the values as they are not supported.
 				// Replicates the controller behavior from
 				// https://github.com/fluxcd/pkg/blob/main/kustomize/kustomize_varsub.go
 				finalVars[k] = strings.ReplaceAll(v, "\n", "")
 			}
 		}
 		keys := make([]string, 0, len(finalVars))
 		for k := range finalVars {
 			keys = append(keys, k)
 		}
 		sort.Strings(keys)
 		for _, k := range keys {
 			rootCmd.Println(k + "=" + finalVars[k])
 		}
 	}
 	return nil
 }
--- a/cmd/flux/debug_kustomization_test.go
+++ b/cmd/flux/debug_kustomization_test.go
@ -0,0 +1,71 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestDebugKustomization(t *testing.T) {
 	namespace := allocateNamespace("debug")
 	objectFile := "testdata/debug_kustomization/objects.yaml"
 	tmpl := map[string]string{
 		"fluxns": namespace,
 	}
 	testEnv.CreateObjectFile(objectFile, tmpl, t)
 	cases := []struct {
 		name       string
 		arg        string
 		goldenFile string
 		tmpl       map[string]string
 	}{
 		{
 			"debug status",
 			"debug ks test --show-status --show-vars=false",
 			"testdata/debug_kustomization/status.golden.yaml",
 			tmpl,
 		},
 		{
 			"debug vars",
 			"debug ks test --show-vars --show-status=false",
 			"testdata/debug_kustomization/vars.golden.env",
 			tmpl,
 		},
 		{
 			"debug vars from",
 			"debug ks test-from --show-vars --show-status=false",
 			"testdata/debug_kustomization/vars-from.golden.env",
 			tmpl,
 		},
 	}
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.arg + " -n=" + namespace,
 				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/delete_helmrelease.go
+++ b/cmd/flux/delete_helmrelease.go
@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -19,14 +19,14 @@ package main
 import (
 	"github.com/spf13/cobra"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 )
 var deleteHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Delete a HelmRelease resource",
-	Long:    withPreviewNote("The delete helmrelease command removes the given HelmRelease from the cluster."),
+	Long:    "The delete helmrelease command removes the given HelmRelease from the cluster.",
 	Example: `  # Delete a Helm release and the Kubernetes resources created by it
  flux delete hr podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
--- a/cmd/flux/delete_image_update.go
+++ b/cmd/flux/delete_image_update.go
@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 )
 var deleteImageUpdateCmd = &cobra.Command{
--- a/cmd/flux/delete_source_bucket.go
+++ b/cmd/flux/delete_source_bucket.go
@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var deleteSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Delete a Bucket source",
-	Long:  withPreviewNote("The delete source bucket command deletes the given Bucket from the cluster."),
+	Long:  "The delete source bucket command deletes the given Bucket from the cluster.",
 	Example: `  # Delete a Bucket source
  flux delete source bucket podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)),
--- a/cmd/flux/delete_source_chart.go
+++ b/cmd/flux/delete_source_chart.go
@ -0,0 +1,40 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"github.com/spf13/cobra"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var deleteSourceChartCmd = &cobra.Command{
 	Use:   "chart [name]",
 	Short: "Delete a HelmChart source",
 	Long:  "The delete source chart command deletes the given HelmChart from the cluster.",
 	Example: `  # Delete a HelmChart
  flux delete source chart podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmChartKind)),
 	RunE: deleteCommand{
 		apiType: helmChartType,
 		object:  universalAdapter{&sourcev1.HelmChart{}},
 	}.run,
 }
 func init() {
 	deleteSourceCmd.AddCommand(deleteSourceChartCmd)
 }
--- a/cmd/flux/delete_source_helm.go
+++ b/cmd/flux/delete_source_helm.go
@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var deleteSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Delete a HelmRepository source",
-	Long:  withPreviewNote("The delete source helm command deletes the given HelmRepository from the cluster."),
+	Long:  "The delete source helm command deletes the given HelmRepository from the cluster.",
 	Example: `  # Delete a Helm repository
  flux delete source helm podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)),
--- a/cmd/flux/diff_artifact.go
+++ b/cmd/flux/diff_artifact.go
@ -23,6 +23,7 @@ import (
 	oci "github.com/fluxcd/pkg/oci/client"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/flags"
@ -42,6 +43,7 @@ type diffArtifactFlags struct {
 	creds       string
 	provider    flags.SourceOCIProvider
 	ignorePaths []string
 	insecure    bool
 }
 var diffArtifactArgs = newDiffArtifactArgs()
@ -57,6 +59,7 @@ func init() {
 	diffArtifactCmd.Flags().StringVar(&diffArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	diffArtifactCmd.Flags().Var(&diffArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
 	diffArtifactCmd.Flags().StringSliceVar(&diffArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
 	diffArtifactCmd.Flags().BoolVar(&diffArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifact to be pulled without TLS")
 	diffCmd.AddCommand(diffArtifactCmd)
 }
@ -82,7 +85,13 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	ociClient := oci.NewClient(oci.DefaultOptions())
+	opts := oci.DefaultOptions()
 	if diffArtifactArgs.insecure {
 		opts = append(opts, crane.Insecure)
 	}
 	ociClient := oci.NewClient(opts)
 	if diffArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && diffArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
--- a/cmd/flux/diff_kustomization.go
+++ b/cmd/flux/diff_kustomization.go
@ -23,8 +23,9 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/build"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/build"
 )
 var diffKsCmd = &cobra.Command{
@ -43,7 +44,12 @@ flux diff kustomization my-app --path ./path/to/local/manifests \
 # Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
 flux diff kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml \
-	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"`,
+	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"
 # Run recursively on all encountered Kustomizations
 flux diff kustomization my-app --path ./path/to/local/manifests \
    --recursive \
    --local-sources GitRepository/flux-system/my-repo=./path/to/local/git`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              diffKsCmdRun,
 }
@ -53,6 +59,9 @@ type diffKsFlags struct {
 	path              string
 	ignorePaths       []string
 	progressBar       bool
 	strictSubst       bool
 	recursive         bool
 	localSources      map[string]string
 }
 var diffKsArgs diffKsFlags
@ -62,6 +71,10 @@ func init() {
 	diffKsCmd.Flags().BoolVar(&diffKsArgs.progressBar, "progress-bar", true, "Boolean to set the progress bar. The default value is true.")
 	diffKsCmd.Flags().StringSliceVar(&diffKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
 	diffKsCmd.Flags().StringVar(&diffKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	diffKsCmd.Flags().BoolVar(&diffKsArgs.strictSubst, "strict-substitute", false,
 		"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
 	diffKsCmd.Flags().BoolVarP(&diffKsArgs.recursive, "recursive", "r", false, "Recursively diff Kustomizations")
 	diffKsCmd.Flags().StringToStringVar(&diffKsArgs.localSources, "local-sources", nil, "Comma-separated list of repositories in format: Kind/namespace/name=path")
 	diffCmd.AddCommand(diffKsCmd)
 }
@ -96,6 +109,10 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 			build.WithKustomizationFile(diffKsArgs.kustomizationFile),
 			build.WithProgressBar(),
 			build.WithIgnore(diffKsArgs.ignorePaths),
 			build.WithStrictSubstitute(diffKsArgs.strictSubst),
 			build.WithRecursive(diffKsArgs.recursive),
 			build.WithLocalSources(diffKsArgs.localSources),
 			build.WithSingleKustomization(),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, diffKsArgs.path,
@ -103,6 +120,10 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(diffKsArgs.kustomizationFile),
 			build.WithIgnore(diffKsArgs.ignorePaths),
 			build.WithStrictSubstitute(diffKsArgs.strictSubst),
 			build.WithRecursive(diffKsArgs.recursive),
 			build.WithLocalSources(diffKsArgs.localSources),
 			build.WithSingleKustomization(),
 		)
 	}
@ -132,6 +153,12 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 	select {
 	case <-sigc:
 		if diffKsArgs.progressBar {
 			err := builder.StopSpinner()
 			if err != nil {
 				return err
 			}
 		}
 		fmt.Println("Build cancelled... exiting.")
 		return builder.Cancel()
 	case err := <-errChan:
--- a/cmd/flux/diff_kustomization_test.go
+++ b/cmd/flux/diff_kustomization_test.go
@ -97,6 +97,12 @@ func TestDiffKustomization(t *testing.T) {
 			objectFile: "",
 			assert:     assertGoldenFile("./testdata/diff-kustomization/nothing-is-deployed.golden"),
 		},
 		{
 			name:       "diff with recursive",
 			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo-with-my-app --progress-bar=false --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
 			objectFile: "./testdata/diff-kustomization/my-app.yaml",
 			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-recursive.golden"),
 		},
 	}
 	tmpl := map[string]string{
--- a/cmd/flux/envsubst.go
+++ b/cmd/flux/envsubst.go
@ -0,0 +1,74 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"bufio"
 	"fmt"
 	"github.com/fluxcd/pkg/envsubst"
 	"github.com/spf13/cobra"
 )
 var envsubstCmd = &cobra.Command{
 	Use:   "envsubst",
 	Args:  cobra.NoArgs,
 	Short: "envsubst substitutes the values of environment variables",
 	Long: withPreviewNote(`The envsubst command substitutes the values of environment variables
 in the string piped as standard input and writes the result to the standard output. This command can be used
 to replicate the behavior of the Flux Kustomization post-build substitutions.`),
 	Example: `  # Run env var substitutions on the kustomization build output
  export cluster_region=eu-central-1
  kustomize build . | flux envsubst
  # Run env var substitutions and error out if a variable is not set
  kustomize build . | flux envsubst --strict
 `,
 	RunE: runEnvsubstCmd,
 }
 type envsubstFlags struct {
 	strict bool
 }
 var envsubstArgs envsubstFlags
 func init() {
 	envsubstCmd.Flags().BoolVar(&envsubstArgs.strict, "strict", false,
 		"fail if a variable without a default value is declared in the input but is missing from the environment")
 	rootCmd.AddCommand(envsubstCmd)
 }
 func runEnvsubstCmd(cmd *cobra.Command, args []string) error {
 	stdin := bufio.NewScanner(rootCmd.InOrStdin())
 	stdout := bufio.NewWriter(rootCmd.OutOrStdout())
 	for stdin.Scan() {
 		line, err := envsubst.EvalEnv(stdin.Text(), envsubstArgs.strict)
 		if err != nil {
 			return err
 		}
 		_, err = fmt.Fprintln(stdout, line)
 		if err != nil {
 			return err
 		}
 		err = stdout.Flush()
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/cmd/flux/envsubst_test.go
+++ b/cmd/flux/envsubst_test.go
@ -0,0 +1,50 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"bytes"
 	"os"
 	"testing"
 	. "github.com/onsi/gomega"
 )
 func TestEnvsubst(t *testing.T) {
 	g := NewWithT(t)
 	input, err := os.ReadFile("testdata/envsubst/file.yaml")
 	g.Expect(err).NotTo(HaveOccurred())
 	t.Setenv("REPO_NAME", "test")
 	output, err := executeCommandWithIn("envsubst", bytes.NewReader(input))
 	g.Expect(err).NotTo(HaveOccurred())
 	expected, err := os.ReadFile("testdata/envsubst/file.gold")
 	g.Expect(err).NotTo(HaveOccurred())
 	g.Expect(output).To(Equal(string(expected)))
 }
 func TestEnvsubst_Strinct(t *testing.T) {
 	g := NewWithT(t)
 	input, err := os.ReadFile("testdata/envsubst/file.yaml")
 	g.Expect(err).NotTo(HaveOccurred())
 	_, err = executeCommandWithIn("envsubst --strict", bytes.NewReader(input))
 	g.Expect(err).To(HaveOccurred())
 	g.Expect(err.Error()).To(ContainSubstring("variable not set (strict mode)"))
 }
--- a/cmd/flux/events.go
+++ b/cmd/flux/events.go
@ -39,8 +39,8 @@ import (
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
@ -422,7 +422,7 @@ var fluxKindMap = refMap{
 		gvk:             helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind),
 		crossNamespaced: true,
 		otherRefs: func(namespace, name string) []string {
-			return []string{fmt.Sprintf("%s/%s-%s", sourcev1b2.HelmChartKind, namespace, name)}
+			return []string{fmt.Sprintf("%s/%s-%s", sourcev1.HelmChartKind, namespace, name)}
 		},
 		field: []string{"spec", "chart", "spec", "sourceRef"},
 	},
@ -440,15 +440,15 @@ var fluxKindMap = refMap{
 		crossNamespaced: true,
 		field:           []string{"spec", "imageRepositoryRef"},
 	},
-	sourcev1b2.HelmChartKind: {
+	sourcev1.HelmChartKind: {
-		gvk:             sourcev1b2.GroupVersion.WithKind(sourcev1b2.HelmChartKind),
+		gvk:             sourcev1.GroupVersion.WithKind(sourcev1.HelmChartKind),
 		crossNamespaced: true,
 		field:           []string{"spec", "sourceRef"},
 	},
 	sourcev1.GitRepositoryKind:       {gvk: sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)},
 	sourcev1b2.OCIRepositoryKind:     {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.OCIRepositoryKind)},
-	sourcev1b2.BucketKind:            {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.BucketKind)},
+	sourcev1.BucketKind:              {gvk: sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)},
-	sourcev1b2.HelmRepositoryKind:    {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.HelmRepositoryKind)},
+	sourcev1.HelmRepositoryKind:      {gvk: sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)},
 	autov1.ImageUpdateAutomationKind: {gvk: autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)},
 	imagev1.ImageRepositoryKind:      {gvk: imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)},
 }
--- a/cmd/flux/events_test.go
+++ b/cmd/flux/events_test.go
@ -31,7 +31,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
-	"github.com/fluxcd/pkg/ssa"
+	ssautil "github.com/fluxcd/pkg/ssa/utils"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
@ -78,7 +78,7 @@ spec:
  timeout: 1m0s
  url: ssh://git@github.com/example/repo
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: podinfo
@ -95,7 +95,7 @@ spec:
      version: '*'
  interval: 5m0s
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: podinfo
@ -104,7 +104,7 @@ spec:
  interval: 1m0s
  url: https://stefanprodan.github.io/podinfo
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
  name: default-podinfo
@ -160,7 +160,7 @@ metadata:
 func Test_getObjectRef(t *testing.T) {
 	g := NewWithT(t)
-	objs, err := ssa.ReadObjects(strings.NewReader(objects))
+	objs, err := ssautil.ReadObjects(strings.NewReader(objects))
 	g.Expect(err).To(Not(HaveOccurred()))
 	builder := fake.NewClientBuilder().WithScheme(utils.NewScheme())
@ -244,7 +244,7 @@ func Test_getObjectRef(t *testing.T) {
 func Test_getRows(t *testing.T) {
 	g := NewWithT(t)
-	objs, err := ssa.ReadObjects(strings.NewReader(objects))
+	objs, err := ssautil.ReadObjects(strings.NewReader(objects))
 	g.Expect(err).To(Not(HaveOccurred()))
 	builder := fake.NewClientBuilder().WithScheme(utils.NewScheme())
--- a/cmd/flux/export_helmrelease.go
+++ b/cmd/flux/export_helmrelease.go
@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -20,14 +20,14 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 )
 var exportHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Export HelmRelease resources in YAML format",
-	Long:    withPreviewNote("The export helmrelease command exports one or all HelmRelease resources in YAML format."),
+	Long:    "The export helmrelease command exports one or all HelmRelease resources in YAML format.",
 	Example: `  # Export all HelmRelease resources
  flux export helmrelease --all > kustomizations.yaml
--- a/cmd/flux/export_image_update.go
+++ b/cmd/flux/export_image_update.go
@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 )
 var exportImageUpdateCmd = &cobra.Command{
--- a/cmd/flux/export_source_bucket.go
+++ b/cmd/flux/export_source_bucket.go
@ -21,13 +21,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var exportSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Export Bucket sources in YAML format",
-	Long:  withPreviewNote("The export source git command exports one or all Bucket sources in YAML format."),
+	Long:  "The export source git command exports one or all Bucket sources in YAML format.",
 	Example: `  # Export all Bucket sources
  flux export source bucket --all > sources.yaml
--- a/cmd/flux/export_source_chart.go
+++ b/cmd/flux/export_source_chart.go
@ -0,0 +1,67 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var exportSourceChartCmd = &cobra.Command{
 	Use:   "chart [name]",
 	Short: "Export HelmChart sources in YAML format",
 	Long:  withPreviewNote("The export source chart command exports one or all HelmChart sources in YAML format."),
 	Example: `  # Export all chart sources
  flux export source chart --all > sources.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmChartKind)),
 	RunE: exportCommand{
 		list:   helmChartListAdapter{&sourcev1.HelmChartList{}},
 		object: helmChartAdapter{&sourcev1.HelmChart{}},
 	}.run,
 }
 func init() {
 	exportSourceCmd.AddCommand(exportSourceChartCmd)
 }
 func exportHelmChart(source *sourcev1.HelmChart) interface{} {
 	gvk := sourcev1.GroupVersion.WithKind(sourcev1.HelmChartKind)
 	export := sourcev1.HelmChart{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       gvk.Kind,
 			APIVersion: gvk.GroupVersion().String(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        source.Name,
 			Namespace:   source.Namespace,
 			Labels:      source.Labels,
 			Annotations: source.Annotations,
 		},
 		Spec: source.Spec,
 	}
 	return export
 }
 func (ex helmChartAdapter) export() interface{} {
 	return exportHelmChart(ex.HelmChart)
 }
 func (ex helmChartListAdapter) exportItem(i int) interface{} {
 	return exportHelmChart(&ex.HelmChartList.Items[i])
 }
--- a/cmd/flux/export_source_helm.go
+++ b/cmd/flux/export_source_helm.go
@ -21,13 +21,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var exportSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Export HelmRepository sources in YAML format",
-	Long:  withPreviewNote("The export source git command exports one or all HelmRepository sources in YAML format."),
+	Long:  "The export source git command exports one or all HelmRepository sources in YAML format.",
 	Example: `  # Export all HelmRepository sources
  flux export source helm --all > sources.yaml
--- a/cmd/flux/export_test.go
+++ b/cmd/flux/export_test.go
@ -1,6 +1,22 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
@ -58,6 +74,12 @@ func TestExport(t *testing.T) {
 			"testdata/export/git-repo.yaml",
 			tmpl,
 		},
 		{
 			"source chart",
 			"export source chart flux-system",
 			"testdata/export/helm-chart.yaml",
 			tmpl,
 		},
 		{
 			"source helm",
 			"export source helm flux-system",
--- a/cmd/flux/get.go
+++ b/cmd/flux/get.go
@ -18,7 +18,6 @@ package main
 import (
 	"context"
 	"errors"
 	"fmt"
 	"os"
 	"strings"
@ -28,7 +27,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/discovery"
 	watchtools "k8s.io/client-go/tools/watch"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@ -178,8 +176,7 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 	err = kubeClient.List(ctx, get.list.asClientList(), listOpts...)
 	if err != nil {
-		var discErr *discovery.ErrGroupDiscoveryFailed
+		if getAll && apimeta.IsNoMatchError(err) {
 		if getAll && (strings.Contains(err.Error(), "no matches for kind") || errors.As(err, &discErr)) {
 			return nil
 		}
 		return err
--- a/cmd/flux/get_all.go
+++ b/cmd/flux/get_all.go
@ -17,11 +17,10 @@ limitations under the License.
 package main
 import (
 	"strings"
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
@ -87,7 +86,7 @@ var getAllCmd = &cobra.Command{
 }
 func logError(err error) {
-	if !strings.Contains(err.Error(), "no matches for kind") {
+	if !apimeta.IsNoMatchError(err) {
 		logger.Failuref(err.Error())
 	}
 }
--- a/cmd/flux/get_helmrelease.go
+++ b/cmd/flux/get_helmrelease.go
@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -25,14 +25,14 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 )
 var getHelmReleaseCmd = &cobra.Command{
 	Use:     "helmreleases",
 	Aliases: []string{"hr", "helmrelease"},
 	Short:   "Get HelmRelease statuses",
-	Long:    withPreviewNote("The get helmreleases command prints the statuses of the resources."),
+	Long:    "The get helmreleases command prints the statuses of the resources.",
 	Example: `  # List all Helm releases and their status
  flux get helmreleases`,
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
@ -72,9 +72,16 @@ func init() {
 	getCmd.AddCommand(getHelmReleaseCmd)
 }
 func getHelmReleaseRevision(helmRelease helmv2.HelmRelease) string {
 	if helmRelease.Status.History != nil && len(helmRelease.Status.History) > 0 {
 		return helmRelease.Status.History[0].ChartVersion
 	}
 	return helmRelease.Status.LastAttemptedRevision
 }
 func (a helmReleaseListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := a.Items[i]
-	revision := item.Status.LastAppliedRevision
+	revision := getHelmReleaseRevision(item)
 	status, msg := statusAndMessage(item.Status.Conditions)
 	return append(nameColumns(&item, includeNamespace, includeKind),
 		revision, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
--- a/cmd/flux/get_image_all.go
+++ b/cmd/flux/get_image_all.go
@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 )
--- a/cmd/flux/get_image_update.go
+++ b/cmd/flux/get_image_update.go
@ -26,7 +26,7 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 )
 var getImageUpdateCmd = &cobra.Command{
--- a/cmd/flux/get_source_all.go
+++ b/cmd/flux/get_source_all.go
@ -17,9 +17,8 @@ limitations under the License.
 package main
 import (
 	"strings"
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
@ -47,7 +46,7 @@ var getSourceAllCmd = &cobra.Command{
 			},
 			{
 				apiType: bucketType,
-				list:    &bucketListAdapter{&sourcev1b2.BucketList{}},
+				list:    &bucketListAdapter{&sourcev1.BucketList{}},
 			},
 			{
 				apiType: gitRepositoryType,
@ -55,17 +54,17 @@ var getSourceAllCmd = &cobra.Command{
 			},
 			{
 				apiType: helmRepositoryType,
-				list:    &helmRepositoryListAdapter{&sourcev1b2.HelmRepositoryList{}},
+				list:    &helmRepositoryListAdapter{&sourcev1.HelmRepositoryList{}},
 			},
 			{
 				apiType: helmChartType,
-				list:    &helmChartListAdapter{&sourcev1b2.HelmChartList{}},
+				list:    &helmChartListAdapter{&sourcev1.HelmChartList{}},
 			},
 		}
 		for _, c := range allSourceCmd {
 			if err := c.run(cmd, args); err != nil {
-				if !strings.Contains(err.Error(), "no matches for kind") {
+				if !apimeta.IsNoMatchError(err) {
 					logger.Failuref(err.Error())
 				}
 			}
--- a/cmd/flux/get_source_bucket.go
+++ b/cmd/flux/get_source_bucket.go
@ -25,7 +25,7 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
@ -33,7 +33,7 @@ import (
 var getSourceBucketCmd = &cobra.Command{
 	Use:   "bucket",
 	Short: "Get Bucket source statuses",
-	Long:  withPreviewNote("The get sources bucket command prints the status of the Bucket sources."),
+	Long:  "The get sources bucket command prints the status of the Bucket sources.",
 	Example: `  # List all Buckets and their status
  flux get sources bucket
--- a/cmd/flux/get_source_chart.go
+++ b/cmd/flux/get_source_chart.go
@ -25,7 +25,7 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
@ -33,7 +33,7 @@ import (
 var getSourceHelmChartCmd = &cobra.Command{
 	Use:   "chart",
 	Short: "Get HelmChart statuses",
-	Long:  withPreviewNote("The get sources chart command prints the status of the HelmCharts."),
+	Long:  "The get sources chart command prints the status of the HelmCharts.",
 	Example: `  # List all Helm charts and their status
  flux get sources chart
--- a/cmd/flux/get_source_helm.go
+++ b/cmd/flux/get_source_helm.go
@ -26,7 +26,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
@ -34,7 +34,7 @@ import (
 var getSourceHelmCmd = &cobra.Command{
 	Use:   "helm",
 	Short: "Get HelmRepository source statuses",
-	Long:  withPreviewNote("The get sources helm command prints the status of the HelmRepository sources."),
+	Long:  "The get sources helm command prints the status of the HelmRepository sources.",
 	Example: `  # List all Helm repositories and their status
  flux get sources helm
--- a/cmd/flux/helmrelease.go
+++ b/cmd/flux/helmrelease.go
@ -1,5 +1,5 @@
 /*
-Copyright 2021 The Flux authors
+Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 )
 // helmv2.HelmRelease
--- a/cmd/flux/image.go
+++ b/cmd/flux/image.go
@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 )
--- a/cmd/flux/install.go
+++ b/cmd/flux/install.go
@ -21,16 +21,20 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/v2/pkg/status"
 )
@ -66,6 +70,7 @@ type installFlags struct {
 	defaultComponents  []string
 	extraComponents    []string
 	registry           string
 	registryCredential string
 	imagePullSecret    string
 	branch             string
 	watchAllNamespaces bool
@ -92,6 +97,8 @@ func init() {
 	installCmd.Flags().StringVar(&installArgs.manifestsPath, "manifests", "", "path to the manifest directory")
 	installCmd.Flags().StringVar(&installArgs.registry, "registry", rootArgs.defaults.Registry,
 		"container registry where the toolkit images are published")
 	installCmd.Flags().StringVar(&installArgs.registryCredential, "registry-creds", "",
 		"container registry credentials in the format 'user:password', requires --image-pull-secret to be set")
 	installCmd.Flags().StringVar(&installArgs.imagePullSecret, "image-pull-secret", "",
 		"Kubernetes secret name used for pulling the toolkit images from a private registry")
 	installCmd.Flags().BoolVar(&installArgs.watchAllNamespaces, "watch-all-namespaces", rootArgs.defaults.WatchAllNamespaces,
@ -102,7 +109,7 @@ func init() {
 	installCmd.Flags().StringVar(&installArgs.clusterDomain, "cluster-domain", rootArgs.defaults.ClusterDomain, "internal cluster domain")
 	installCmd.Flags().StringSliceVar(&installArgs.tolerationKeys, "toleration-keys", nil,
 		"list of toleration keys used to schedule the components pods onto nodes with matching taints")
-	installCmd.Flags().BoolVar(&installArgs.force, "force", false, "override existing Flux installation if it's managed by a diffrent tool such as Helm")
+	installCmd.Flags().BoolVar(&installArgs.force, "force", false, "override existing Flux installation if it's managed by a different tool such as Helm")
 	installCmd.Flags().MarkHidden("manifests")
 	rootCmd.AddCommand(installCmd)
@ -124,6 +131,14 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	if installArgs.registryCredential != "" && installArgs.imagePullSecret == "" {
 		return fmt.Errorf("--registry-creds requires --image-pull-secret to be set")
 	}
 	if installArgs.registryCredential != "" && len(strings.Split(installArgs.registryCredential, ":")) != 2 {
 		return fmt.Errorf("invalid --registry-creds format, expected 'user:password'")
 	}
 	if ver, err := getVersion(installArgs.version); err != nil {
 		return err
 	} else {
@ -154,6 +169,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             components,
 		Registry:               installArgs.registry,
 		RegistryCredential:     installArgs.registryCredential,
 		ImagePullSecret:        installArgs.imagePullSecret,
 		WatchAllNamespaces:     installArgs.watchAllNamespaces,
 		NetworkPolicy:          installArgs.networkPolicy,
@ -224,6 +240,29 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	fmt.Fprintln(os.Stderr, applyOutput)
 	if opts.ImagePullSecret != "" && opts.RegistryCredential != "" {
 		logger.Actionf("generating image pull secret %s", opts.ImagePullSecret)
 		credentials := strings.SplitN(opts.RegistryCredential, ":", 2)
 		secretOpts := sourcesecret.Options{
 			Name:      opts.ImagePullSecret,
 			Namespace: opts.Namespace,
 			Registry:  opts.Registry,
 			Username:  credentials[0],
 			Password:  credentials[1],
 		}
 		imagePullSecret, err := sourcesecret.Generate(secretOpts)
 		if err != nil {
 			return fmt.Errorf("install failed: %w", err)
 		}
 		var s corev1.Secret
 		if err := yaml.Unmarshal([]byte(imagePullSecret.Content), &s); err != nil {
 			return fmt.Errorf("install failed: %w", err)
 		}
 		if err := upsertSecret(ctx, kubeClient, s); err != nil {
 			return fmt.Errorf("install failed: %w", err)
 		}
 	}
 	kubeConfig, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return fmt.Errorf("install failed: %w", err)
--- a/cmd/flux/install_test.go
+++ b/cmd/flux/install_test.go
@ -42,6 +42,11 @@ func TestInstall(t *testing.T) {
 			args:   "install unexpectedPosArg --namespace=example",
 			assert: assertError(`unknown command "unexpectedPosArg" for "flux install"`),
 		},
 		{
 			name:   "missing image pull secret",
 			args:   "install --registry-creds=fluxcd:test",
 			assert: assertError(`--registry-creds requires --image-pull-secret to be set`),
 		},
 	}
 	for _, tt := range tests {
--- a/cmd/flux/list_artifact.go
+++ b/cmd/flux/list_artifact.go
@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
 	oci "github.com/fluxcd/pkg/oci/client"
@ -34,6 +35,7 @@ type listArtifactFlags struct {
 	regexFilter  string
 	creds        string
 	provider     flags.SourceOCIProvider
 	insecure     bool
 }
 var listArtifactArgs = newListArtifactFlags()
@ -60,6 +62,7 @@ func init() {
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.regexFilter, "filter-regex", "", "filter tags returned from the oci repository using regex")
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	listArtifactsCmd.Flags().Var(&listArtifactArgs.provider, "provider", listArtifactArgs.provider.Description())
 	listArtifactsCmd.Flags().BoolVar(&listArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifacts list to be fetched without TLS")
 	listCmd.AddCommand(listArtifactsCmd)
 }
@ -78,7 +81,13 @@ func listArtifactsCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	ociClient := oci.NewClient(oci.DefaultOptions())
+	ociOpts := oci.DefaultOptions()
 	if listArtifactArgs.insecure {
 		ociOpts = append(ociOpts, crane.Insecure)
 	}
 	ociClient := oci.NewClient(ociOpts)
 	if listArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && listArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
--- a/cmd/flux/logs.go
+++ b/cmd/flux/logs.go
@ -235,7 +235,7 @@ func parallelPodLogs(ctx context.Context, requests []rest.ResponseWrapper) error
 	return errors.Join(<-stdoutErrCh, <-stderrErrCh)
 }
-// asyncCopy copies all data from from dst to src asynchronously and returns a channel for reading an error value.
+// asyncCopy copies all data from dst to src asynchronously and returns a channel for reading an error value.
 // This is basically an asynchronous wrapper around `io.Copy`. The returned channel is unbuffered and always is sent
 // a value (either nil or the error from `io.Copy`) as soon as `io.Copy` returns.
 // This function lets you copy from multiple sources into multiple destinations in parallel.
--- a/cmd/flux/main_test.go
+++ b/cmd/flux/main_test.go
@ -31,7 +31,6 @@ import (
 	"text/template"
 	"time"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/google/go-cmp/cmp"
 	"github.com/mattn/go-shellwords"
 	"k8s.io/apimachinery/pkg/api/errors"
@ -40,6 +39,8 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var nextNamespaceId int64
@ -393,6 +394,29 @@ func executeCommand(cmd string) (string, error) {
 	return result, err
 }
 // Run the command while passing the string as input and return the captured output.
 func executeCommandWithIn(cmd string, in io.Reader) (string, error) {
 	defer resetCmdArgs()
 	args, err := shellwords.Parse(cmd)
 	if err != nil {
 		return "", err
 	}
 	buf := new(bytes.Buffer)
 	rootCmd.SetOut(buf)
 	rootCmd.SetErr(buf)
 	rootCmd.SetArgs(args)
 	if in != nil {
 		rootCmd.SetIn(in)
 	}
 	_, err = rootCmd.ExecuteC()
 	result := buf.String()
 	return result, err
 }
 // resetCmdArgs resets the flags for various cmd
 // Note: this will also clear default value of the flags set in init()
 func resetCmdArgs() {
@ -405,7 +429,9 @@ func resetCmdArgs() {
 		tail:          -1,
 		fluxNamespace: rootArgs.defaults.Namespace,
 	}
-	buildKsArgs = buildKsFlags{}
+	buildKsArgs = buildKsFlags{
 		localSources: map[string]string{},
 	}
 	checkArgs = checkFlags{}
 	createArgs = createFlags{}
 	deleteArgs = deleteFlags{}
@ -427,6 +453,7 @@ func resetCmdArgs() {
 	rhrArgs = reconcileHelmReleaseFlags{}
 	rksArgs = reconcileKsFlags{}
 	secretGitArgs = NewSecretGitFlags()
 	secretProxyArgs = secretProxyFlags{}
 	secretHelmArgs = secretHelmFlags{}
 	secretTLSArgs = secretTLSFlags{}
 	sourceBucketArgs = sourceBucketFlags{}
@ -441,7 +468,9 @@ func resetCmdArgs() {
 	versionArgs = versionFlags{
 		output: "yaml",
 	}
-
+	envsubstArgs = envsubstFlags{}
 	debugHelmReleaseArgs = debugHelmReleaseFlags{}
 	debugKustomizationArgs = debugKustomizationFlags{}
 }
 func isChangeError(err error) bool {
--- a/cmd/flux/pull_artifact.go
+++ b/cmd/flux/pull_artifact.go
@ -22,6 +22,7 @@ import (
 	"os"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/flags"
@ -43,6 +44,7 @@ The command can read the credentials from '~/.docker/config.json' but they can a
 type pullArtifactFlags struct {
 	output   string
 	creds    string
 	insecure bool
 	provider flags.SourceOCIProvider
 }
@ -58,6 +60,7 @@ func init() {
 	pullArtifactCmd.Flags().StringVarP(&pullArtifactArgs.output, "output", "o", "", "path where the artifact content should be extracted.")
 	pullArtifactCmd.Flags().StringVar(&pullArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	pullArtifactCmd.Flags().Var(&pullArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
 	pullArtifactCmd.Flags().BoolVar(&pullArtifactArgs.insecure, "insecure-registry", false, "allows artifacts to be pulled without TLS")
 	pullCmd.AddCommand(pullArtifactCmd)
 }
@ -83,7 +86,13 @@ func pullArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	ociClient := oci.NewClient(oci.DefaultOptions())
+	opts := oci.DefaultOptions()
 	if pullArtifactArgs.insecure {
 		opts = append(opts, crane.Insecure)
 	}
 	ociClient := oci.NewClient(opts)
 	if pullArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pullArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
--- a/cmd/flux/push_artifact.go
+++ b/cmd/flux/push_artifact.go
@ -105,15 +105,17 @@ The command can read the credentials from '~/.docker/config.json' but they can a
 }
 type pushArtifactFlags struct {
-	path        string
+	path         string
-	source      string
+	source       string
-	revision    string
+	revision     string
-	creds       string
+	creds        string
-	provider    flags.SourceOCIProvider
+	provider     flags.SourceOCIProvider
-	ignorePaths []string
+	ignorePaths  []string
-	annotations []string
+	annotations  []string
-	output      string
+	output       string
-	debug       bool
+	debug        bool
 	reproducible bool
 	insecure     bool
 }
 var pushArtifactArgs = newPushArtifactFlags()
@ -135,6 +137,8 @@ func init() {
 	pushArtifactCmd.Flags().StringVarP(&pushArtifactArgs.output, "output", "o", "",
 		"the format in which the artifact digest should be printed, can be 'json' or 'yaml'")
 	pushArtifactCmd.Flags().BoolVarP(&pushArtifactArgs.debug, "debug", "", false, "display logs from underlying library")
 	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.reproducible, "reproducible", false, "ensure reproducible image digests by setting the created timestamp to '1970-01-01T00:00:00Z'")
 	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.insecure, "insecure-registry", false, "allows artifacts to be pushed without TLS")
 	pushCmd.AddCommand(pushArtifactCmd)
 }
@ -202,6 +206,11 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		Annotations: annotations,
 	}
 	if pushArtifactArgs.reproducible {
 		zeroTime := time.Unix(0, 0)
 		meta.Created = zeroTime.Format(time.RFC3339)
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
@ -259,6 +268,10 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Actionf("pushing artifact to %s", url)
 	}
 	if pushArtifactArgs.insecure {
 		opts = append(opts, crane.Insecure)
 	}
 	ociClient := client.NewClient(opts)
 	digestURL, err := ociClient.Push(ctx, url, path,
 		client.WithPushMetadata(meta),
--- a/cmd/flux/reconcile.go
+++ b/cmd/flux/reconcile.go
@ -31,7 +31,7 @@ import (
 	"k8s.io/client-go/util/retry"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/v2/internal/utils"
--- a/cmd/flux/reconcile_helmrelease.go
+++ b/cmd/flux/reconcile_helmrelease.go
@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -22,7 +22,8 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 )
@ -31,7 +32,7 @@ var reconcileHrCmd = &cobra.Command{
 	Aliases: []string{"hr"},
 	Short:   "Reconcile a HelmRelease resource",
 	Long: `
-The reconcile kustomization command triggers a reconciliation of a HelmRelease resource and waits for it to finish.`,
+The reconcile helmrelease command triggers a reconciliation of a HelmRelease resource and waits for it to finish.`,
 	Example: `  # Trigger a HelmRelease apply outside of the reconciliation interval
  flux reconcile hr podinfo
@ -55,7 +56,7 @@ var rhrArgs reconcileHelmReleaseFlags
 func init() {
 	reconcileHrCmd.Flags().BoolVar(&rhrArgs.syncHrWithSource, "with-source", false, "reconcile HelmRelease source")
 	reconcileHrCmd.Flags().BoolVar(&rhrArgs.syncForce, "force", false, "force a one-off install or upgrade of the HelmRelease resource")
-	reconcileHrCmd.Flags().BoolVar(&rhrArgs.syncReset, "reset", false, "reset the reset the failure count for this HelmRelease resource")
+	reconcileHrCmd.Flags().BoolVar(&rhrArgs.syncReset, "reset", false, "reset the failure count for this HelmRelease resource")
 	reconcileCmd.AddCommand(reconcileHrCmd)
 }
@ -68,20 +69,46 @@ func (obj helmReleaseAdapter) reconcileSource() bool {
 }
 func (obj helmReleaseAdapter) getSource() (reconcileSource, types.NamespacedName) {
-	cmd := reconcileWithSourceCommand{
+	var (
-		apiType: helmChartType,
+		name string
-		object:  helmChartAdapter{&sourcev1b2.HelmChart{}},
+		ns   string
-		force:   true,
+	)
-	}
+	switch {
-
+	case obj.Spec.ChartRef != nil:
-	ns := obj.Spec.Chart.Spec.SourceRef.Namespace
+		name, ns = obj.Spec.ChartRef.Name, obj.Spec.ChartRef.Namespace
-	if ns == "" {
+		if ns == "" {
-		ns = obj.Namespace
+			ns = obj.Namespace
-	}
+		}
-
+		namespacedName := types.NamespacedName{
-	return cmd, types.NamespacedName{
+			Name:      name,
-		Name:      fmt.Sprintf("%s-%s", obj.Namespace, obj.Name),
+			Namespace: ns,
-		Namespace: ns,
+		}
 		if obj.Spec.ChartRef.Kind == sourcev1.HelmChartKind {
 			return reconcileWithSourceCommand{
 				apiType: helmChartType,
 				object:  helmChartAdapter{&sourcev1.HelmChart{}},
 				force:   true,
 			}, namespacedName
 		}
 		return reconcileCommand{
 			apiType: ociRepositoryType,
 			object:  ociRepositoryAdapter{&sourcev1b2.OCIRepository{}},
 		}, namespacedName
 	default:
 		// default case assumes the HelmRelease is using a HelmChartTemplate
 		ns = obj.Spec.Chart.Spec.SourceRef.Namespace
 		if ns == "" {
 			ns = obj.Namespace
 		}
 		name = fmt.Sprintf("%s-%s", obj.Namespace, obj.Name)
 		return reconcileWithSourceCommand{
 				apiType: helmChartType,
 				object:  helmChartAdapter{&sourcev1.HelmChart{}},
 				force:   true,
 			}, types.NamespacedName{
 				Name:      name,
 				Namespace: ns,
 			}
 	}
 }
--- a/cmd/flux/reconcile_image_updateauto.go
+++ b/cmd/flux/reconcile_image_updateauto.go
@ -22,7 +22,7 @@ import (
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
 	meta "github.com/fluxcd/pkg/apis/meta"
 )
--- a/Show More
+++ b/Show More