build(deps): bump golang.org/x/crypto in /tests/integration

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.44.0 to 0.45.0.
- [Commits](https://github.com/golang/crypto/compare/v0.44.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/labels.yaml

@@ -44,12 +44,12 @@
   description: Feature request proposals in the RFC format
   color: '#D621C3'
   aliases: ['area/RFC']
-- name: backport:release/v2.4.x
-  description: To be backported to release/v2.4.x
-  color: '#ffd700'
 - name: backport:release/v2.5.x
   description: To be backported to release/v2.5.x
   color: '#ffd700'
 - name: backport:release/v2.6.x
   description: To be backported to release/v2.6.x
   color: '#ffd700'
+- name: backport:release/v2.7.x
+  description: To be backported to release/v2.7.x
+  color: '#ffd700'

.github/workflows/backport.yaml

@@ -10,4 +10,4 @@ jobs:
       pull-requests: write # for creating pull requests against release branches.
     uses: fluxcd/gha-workflows/.github/workflows/backport.yaml@v0.4.0
     secrets:
-      github-token: ${{ secrets.GITHUB_TOKEN }}
+      github-token: ${{ secrets.BOT_GITHUB_TOKEN }}

CONTRIBUTING.md

@@ -49,7 +49,8 @@ you might want to take a look at the [introductory talk and demo](https://www.yo
 This project is composed of:
 
 - [flux2](https://github.com/fluxcd/flux2): The Flux CLI
-- [source-manager](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git and Helm repositories, S3-compatible Buckets)
+- [source-controller](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git, OCI and Helm repositories, S3-compatible Buckets)
+- [source-watcher](https://github.com/fluxcd/source-watcher): Kubernetes operator for advanced source composition and decomposition patterns
 - [kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
 - [helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for building GitOps pipelines with Helm
 - [notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events
@@ -67,10 +68,9 @@ for source changes.
 
 Prerequisites:
 
-* go >= 1.24
+* go >= 1.25
 * kubectl >= 1.30
 * kustomize >= 5.0
-* coreutils (on Mac OS)
 
 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
 

README.md

@@ -52,12 +52,14 @@ guides](https://fluxcd.io/flux/gitops-toolkit/source-watcher/).
 
 ### Components
 
-- [Source Controller](https://fluxcd.io/flux/components/source/)
+- [Source Controllers](https://fluxcd.io/flux/components/source/)
     - [GitRepository CRD](https://fluxcd.io/flux/components/source/gitrepositories/)
     - [OCIRepository CRD](https://fluxcd.io/flux/components/source/ocirepositories/)
     - [HelmRepository CRD](https://fluxcd.io/flux/components/source/helmrepositories/)
     - [HelmChart CRD](https://fluxcd.io/flux/components/source/helmcharts/)
     - [Bucket CRD](https://fluxcd.io/flux/components/source/buckets/)
+    - [ExternalArtifact CRD](https://fluxcd.io/flux/components/source/externalartifacts/)
+    - [ArtifactGenerator CRD](https://fluxcd.io/flux/components/source/artifactgenerators/)
 - [Kustomize Controller](https://fluxcd.io/flux/components/kustomize/)
     - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomizations/)
 - [Helm Controller](https://fluxcd.io/flux/components/helm/)

cmd/flux/create_tenant.go

@@ -58,10 +58,9 @@ const (
 )
 
 type tenantFlags struct {
-	namespaces    []string
-	clusterRole   string
-	account       string
-	skipNamespace bool
+	namespaces  []string
+	clusterRole string
+	account     string
 }
 
 var tenantArgs tenantFlags
@@ -70,7 +69,6 @@ func init() {
 	createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
 	createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
 	createTenantCmd.Flags().StringVar(&tenantArgs.account, "with-service-account", "", "service account belonging to this tenant")
-	createTenantCmd.Flags().BoolVar(&tenantArgs.skipNamespace, "skip-namespace", false, "skip namespace creation (namespace must exist already)")
 	createCmd.AddCommand(createTenantCmd)
 }
 
@@ -159,7 +157,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 
 	if createArgs.export {
 		for i := range tenantArgs.namespaces {
-			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i], tenantArgs.skipNamespace); err != nil {
+			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i]); err != nil {
 				return err
 			}
 		}
@@ -175,11 +173,9 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	for i := range tenantArgs.namespaces {
-		if !tenantArgs.skipNamespace {
-			logger.Actionf("applying namespace %s", namespaces[i].Name)
-			if err := upsertNamespace(ctx, kubeClient, namespaces[i]); err != nil {
-				return err
-			}
+		logger.Actionf("applying namespace %s", namespaces[i].Name)
+		if err := upsertNamespace(ctx, kubeClient, namespaces[i]); err != nil {
+			return err
 		}
 
 		logger.Actionf("applying service account %s", accounts[i].Name)
@@ -288,24 +284,19 @@ func upsertRoleBinding(ctx context.Context, kubeClient client.Client, roleBindin
 	return nil
 }
 
-func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, roleBinding rbacv1.RoleBinding, skipNamespace bool) error {
-	var data []byte
-	var err error
-
-	if !skipNamespace {
-		namespace.TypeMeta = metav1.TypeMeta{
-			APIVersion: "v1",
-			Kind:       "Namespace",
-		}
-		data, err = yaml.Marshal(namespace)
-		if err != nil {
-			return err
-		}
-		data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-
-		printlnStdout("---")
-		printlnStdout(resourceToString(data))
+func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, roleBinding rbacv1.RoleBinding) error {
+	namespace.TypeMeta = metav1.TypeMeta{
+		APIVersion: "v1",
+		Kind:       "Namespace",
 	}
+	data, err := yaml.Marshal(namespace)
+	if err != nil {
+		return err
+	}
+	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
+
+	printlnStdout("---")
+	printlnStdout(resourceToString(data))
 
 	account.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",

cmd/flux/create_tenant_test.go

@@ -54,11 +54,6 @@ func TestCreateTenant(t *testing.T) {
 			args:   "create tenant dev-team --with-namespace=apps --cluster-role=custom-role --export",
 			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-cluster-role.yaml"),
 		},
-		{
-			name:   "tenant with skip namespace",
-			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --skip-namespace --export",
-			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-skip-namespace.yaml"),
-		},
 	}
 
 	for _, tt := range tests {

cmd/flux/export_source_external.go

@@ -0,0 +1,84 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+)
+
+var exportSourceExternalCmd = &cobra.Command{
+	Use:   "external [name]",
+	Short: "Export ExternalArtifact sources in YAML format",
+	Long:  "The export source external command exports one or all ExternalArtifact sources in YAML format.",
+	Example: `  # Export all ExternalArtifact sources
+  flux export source external --all > sources.yaml
+
+  # Export a specific ExternalArtifact
+  flux export source external my-artifact > source.yaml`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)),
+	RunE: exportWithSecretCommand{
+		list:   externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+		object: externalArtifactAdapter{&sourcev1.ExternalArtifact{}},
+	}.run,
+}
+
+func init() {
+	exportSourceCmd.AddCommand(exportSourceExternalCmd)
+}
+
+func exportExternalArtifact(source *sourcev1.ExternalArtifact) any {
+	gvk := sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)
+	export := sourcev1.ExternalArtifact{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        source.Name,
+			Namespace:   source.Namespace,
+			Labels:      source.Labels,
+			Annotations: source.Annotations,
+		},
+		Spec: source.Spec,
+	}
+	return export
+}
+
+func getExternalArtifactSecret(source *sourcev1.ExternalArtifact) *types.NamespacedName {
+	// ExternalArtifact does not have a secretRef in its spec, this satisfies the interface
+	return nil
+}
+
+func (ex externalArtifactAdapter) secret() *types.NamespacedName {
+	return getExternalArtifactSecret(ex.ExternalArtifact)
+}
+
+func (ex externalArtifactListAdapter) secretItem(i int) *types.NamespacedName {
+	return getExternalArtifactSecret(&ex.ExternalArtifactList.Items[i])
+}
+
+func (ex externalArtifactAdapter) export() any {
+	return exportExternalArtifact(ex.ExternalArtifact)
+}
+
+func (ex externalArtifactListAdapter) exportItem(i int) any {
+	return exportExternalArtifact(&ex.ExternalArtifactList.Items[i])
+}

cmd/flux/export_test.go

@@ -110,6 +110,12 @@ func TestExport(t *testing.T) {
 			"testdata/export/bucket.yaml",
 			tmpl,
 		},
+		{
+			"source external",
+			"export source external flux-system",
+			"testdata/export/external-artifact.yaml",
+			tmpl,
+		},
 	}
 
 	for _, tt := range cases {

cmd/flux/get_source_all.go

@@ -59,6 +59,10 @@ var getSourceAllCmd = &cobra.Command{
 				apiType: helmChartType,
 				list:    &helmChartListAdapter{&sourcev1.HelmChartList{}},
 			},
+			{
+				apiType: externalArtifactType,
+				list:    &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+			},
 		}
 
 		for _, c := range allSourceCmd {

cmd/flux/get_source_external.go

@@ -0,0 +1,108 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var getSourceExternalCmd = &cobra.Command{
+	Use:   "external",
+	Short: "Get ExternalArtifact source statuses",
+	Long:  `The get sources external command prints the status of the ExternalArtifact sources.`,
+	Example: `  # List all ExternalArtifacts and their status
+  flux get sources external
+
+  # List ExternalArtifacts from all namespaces
+  flux get sources external --all-namespaces`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		get := getCommand{
+			apiType: externalArtifactType,
+			list:    &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+			funcMap: make(typeMap),
+		}
+
+		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
+			o, ok := obj.(*sourcev1.ExternalArtifact)
+			if !ok {
+				return nil, fmt.Errorf("impossible to cast type %#v to ExternalArtifact", obj)
+			}
+
+			sink := &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{
+				Items: []sourcev1.ExternalArtifact{
+					*o,
+				}}}
+			return sink, nil
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if err := get.run(cmd, args); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	getSourceCmd.AddCommand(getSourceExternalCmd)
+}
+
+func (a *externalArtifactListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
+	item := a.Items[i]
+	var revision string
+	if item.Status.Artifact != nil {
+		revision = item.Status.Artifact.Revision
+	}
+	status, msg := statusAndMessage(item.Status.Conditions)
+	revision = utils.TruncateHex(revision)
+	msg = utils.TruncateHex(msg)
+
+	var source string
+	if item.Spec.SourceRef != nil {
+		source = fmt.Sprintf("%s/%s/%s",
+			item.Spec.SourceRef.Kind,
+			item.Spec.SourceRef.Namespace,
+			item.Spec.SourceRef.Name)
+	}
+	return append(nameColumns(&item, includeNamespace, includeKind),
+		revision, source, status, msg)
+}
+
+func (a externalArtifactListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Revision", "Source", "Ready", "Message"}
+	if includeNamespace {
+		headers = append([]string{"Namespace"}, headers...)
+	}
+	return headers
+}
+
+func (a externalArtifactListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/main.go

@@ -180,7 +180,7 @@ func main() {
 
 	// This is required because controller-runtime expects its consumers to
 	// set a logger through log.SetLogger within 30 seconds of the program's
-	// initalization. If not set, the entire debug stack is printed as an
+	// initialization. If not set, the entire debug stack is printed as an
 	// error, see: https://github.com/kubernetes-sigs/controller-runtime/blob/ed8be90/pkg/log/log.go#L59
 	// Since we have our own logging and don't care about controller-runtime's
 	// logger, we configure it's logger to do nothing.
@@ -225,7 +225,9 @@ func configureDefaultNamespace() {
 func readPasswordFromStdin(prompt string) (string, error) {
 	var out string
 	var err error
-	fmt.Fprint(os.Stdout, prompt)
+	if _, err := fmt.Fprint(os.Stdout, prompt); err != nil {
+		return "", fmt.Errorf("failed to write prompt: %w", err)
+	}
 	stdinFD := int(os.Stdin.Fd())
 	if term.IsTerminal(stdinFD) {
 		var inBytes []byte

cmd/flux/source.go

@@ -195,3 +195,37 @@ func (a helmRepositoryListAdapter) asClientList() client.ObjectList {
 func (a helmRepositoryListAdapter) len() int {
 	return len(a.HelmRepositoryList.Items)
 }
+
+// sourcev1.ExternalArtifact
+
+var externalArtifactType = apiType{
+	kind:         sourcev1.ExternalArtifactKind,
+	humanKind:    "source external-artifact",
+	groupVersion: sourcev1.GroupVersion,
+}
+
+type externalArtifactAdapter struct {
+	*sourcev1.ExternalArtifact
+}
+
+func (a externalArtifactAdapter) asClientObject() client.Object {
+	return a.ExternalArtifact
+}
+
+func (a externalArtifactAdapter) deepCopyClientObject() client.Object {
+	return a.ExternalArtifact.DeepCopy()
+}
+
+// sourcev1.ExternalArtifactList
+
+type externalArtifactListAdapter struct {
+	*sourcev1.ExternalArtifactList
+}
+
+func (a externalArtifactListAdapter) asClientList() client.ObjectList {
+	return a.ExternalArtifactList
+}
+
+func (a externalArtifactListAdapter) len() int {
+	return len(a.ExternalArtifactList.Items)
+}

cmd/flux/testdata/create_tenant/tenant-with-skip-namespace.yaml

@@ -1,27 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    toolkit.fluxcd.io/tenant: dev-team
-  name: dev-team
-  namespace: apps
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    toolkit.fluxcd.io/tenant: dev-team
-  name: dev-team-reconciler
-  namespace: apps
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: User
-  name: gotk:apps:reconciler
-- kind: ServiceAccount
-  name: dev-team
-  namespace: apps

cmd/flux/testdata/export/external-artifact.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: ExternalArtifact
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  sourceRef:
+    apiVersion: source.example.com/v1alpha1
+    kind: GitHubRelease
+    name: flux-system
+    namespace: {{ .fluxns }}

cmd/flux/testdata/export/objects.yaml

@@ -165,3 +165,15 @@ spec:
   endpoint: s3.amazonaws.com
   region: us-east-1
   timeout: 30s
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: ExternalArtifact
+metadata:
+  name: flux-system
+  namespace: {{ .fluxns }}
+spec:
+  sourceRef:
+    apiVersion: source.example.com/v1alpha1
+    kind: GitHubRelease
+    name: flux-system
+    namespace: {{ .fluxns }}

go.mod

@@ -12,11 +12,11 @@ require (
 	github.com/distribution/distribution/v3 v3.0.0
 	github.com/fluxcd/cli-utils v0.36.0-flux.15
 	github.com/fluxcd/go-git-providers v0.25.0
-	github.com/fluxcd/helm-controller/api v1.4.5
-	github.com/fluxcd/image-automation-controller/api v1.0.4
-	github.com/fluxcd/image-reflector-controller/api v1.0.4
-	github.com/fluxcd/kustomize-controller/api v1.7.3
-	github.com/fluxcd/notification-controller/api v1.7.5
+	github.com/fluxcd/helm-controller/api v1.4.3
+	github.com/fluxcd/image-automation-controller/api v1.0.3
+	github.com/fluxcd/image-reflector-controller/api v1.0.3
+	github.com/fluxcd/kustomize-controller/api v1.7.2
+	github.com/fluxcd/notification-controller/api v1.7.4
 	github.com/fluxcd/pkg/apis/event v0.21.0
 	github.com/fluxcd/pkg/apis/meta v1.23.0
 	github.com/fluxcd/pkg/auth v0.33.0
@@ -32,8 +32,8 @@ require (
 	github.com/fluxcd/pkg/ssh v0.23.0
 	github.com/fluxcd/pkg/tar v0.16.0
 	github.com/fluxcd/pkg/version v0.11.0
-	github.com/fluxcd/source-controller/api v1.7.4
-	github.com/fluxcd/source-watcher/api/v2 v2.0.3
+	github.com/fluxcd/source-controller/api v1.7.3
+	github.com/fluxcd/source-watcher/api/v2 v2.0.2
 	github.com/go-git/go-git/v5 v5.16.3
 	github.com/go-logr/logr v1.4.3
 	github.com/gonvenience/bunt v1.4.2

go.sum

@@ -174,16 +174,16 @@ github.com/fluxcd/gitkit v0.6.0 h1:iNg5LTx6ePo+Pl0ZwqHTAkhbUHxGVSY3YCxCdw7VIFg=
 github.com/fluxcd/gitkit v0.6.0/go.mod h1:svOHuKi0fO9HoawdK4HfHAJJseZDHHjk7I3ihnCIqNo=
 github.com/fluxcd/go-git-providers v0.25.0 h1:zkVgujjo2VjKXbucrlTyNhHd9x+27oqyghJX9uLwQv4=
 github.com/fluxcd/go-git-providers v0.25.0/go.mod h1:8Mx5WRYb61FIjOA26DAi4Ls2rZUHSxP8Nl9qkQHDch8=
-github.com/fluxcd/helm-controller/api v1.4.5 h1:hMEBtgXUbJjp+ah0jPI3OOQNVngoToOQvTgFgVpAjNg=
-github.com/fluxcd/helm-controller/api v1.4.5/go.mod h1:rCgx3qhjjtoIH+1EbzFC2vN71/pp0PgMDrZnGCZX5XY=
-github.com/fluxcd/image-automation-controller/api v1.0.4 h1:Fgdy97hXkyh/JFjxLIyq4ZDHsKsa49aumtrvIyjVd08=
-github.com/fluxcd/image-automation-controller/api v1.0.4/go.mod h1:LLBf4XQJAgnpIMlZUwfpVIkCdUtBOi31B6fDbPwBCq4=
-github.com/fluxcd/image-reflector-controller/api v1.0.4 h1:/JGpTZf4eMcKG2FpWfP5H7SneSrD5P8EvwGnHiH/WLY=
-github.com/fluxcd/image-reflector-controller/api v1.0.4/go.mod h1:5GS4ojHaz+W6hK80WakGIOYk8sn93AyV5X+YOne1XMw=
-github.com/fluxcd/kustomize-controller/api v1.7.3 h1:g+C9Il+H33DQi/ZiQ8KpTvL9KXebXnS4oM/0uJ/C8Gw=
-github.com/fluxcd/kustomize-controller/api v1.7.3/go.mod h1:Yj80JyfQpBUgLhsUZ/c86qcvPGO2+P1VCKsb8fL+L/k=
-github.com/fluxcd/notification-controller/api v1.7.5 h1:6CO5bKyjodiK9exQFOdBcz0XLeo17rrrWQBTJL9NNa8=
-github.com/fluxcd/notification-controller/api v1.7.5/go.mod h1:IciwSg8Q0pVtdbsyDyEXx/MxBKWeagxAazpm64C8oCE=
+github.com/fluxcd/helm-controller/api v1.4.3 h1:CdZwjL1liXmYCWyk2jscmFEB59tICIlnWB9PfDDW5q4=
+github.com/fluxcd/helm-controller/api v1.4.3/go.mod h1:0XrBhKEaqvxyDj/FziG1Q8Fmx2UATdaqLgYqmZh6wW4=
+github.com/fluxcd/image-automation-controller/api v1.0.3 h1:YfdkrRTIjLmmP58Xow/9bbs1tPU7WBo6Xon1PHbDCgM=
+github.com/fluxcd/image-automation-controller/api v1.0.3/go.mod h1:dY6YiBQFU00SE7erlk5ckHxjzfIbsvgTD50k409QgDo=
+github.com/fluxcd/image-reflector-controller/api v1.0.3 h1:OFI+kJ0fZKAT0MmkGA3c2N7bnU98De3d/T1F1XKCY+k=
+github.com/fluxcd/image-reflector-controller/api v1.0.3/go.mod h1:PkzL5wY8s5UZxfr5kpnWf/nI/QZKpSAxr1ewFHNEfgA=
+github.com/fluxcd/kustomize-controller/api v1.7.2 h1:E+UwgztwYCwgOgpMuIZZfntCEYIer+hl2NH5O+tL8hs=
+github.com/fluxcd/kustomize-controller/api v1.7.2/go.mod h1:77OSly9kxQli7Nmcln0OqZDjVpRMc6eLKED0CiJHYz8=
+github.com/fluxcd/notification-controller/api v1.7.4 h1:nYcr/6n6TCB6Ga3q7u5U+Y5SWgVv+UHYRXXz27ne1fQ=
+github.com/fluxcd/notification-controller/api v1.7.4/go.mod h1:Q1TwKHYFaAsYAcnmkzJ4ocZ6QS3CXcPOx9/aVXNUpNw=
 github.com/fluxcd/pkg/apis/acl v0.9.0 h1:wBpgsKT+jcyZEcM//OmZr9RiF8klL3ebrDp2u2ThsnA=
 github.com/fluxcd/pkg/apis/acl v0.9.0/go.mod h1:TttNS+gocsGLwnvmgVi3/Yscwqrjc17+vhgYfqkfrV4=
 github.com/fluxcd/pkg/apis/event v0.21.0 h1:VVl0WmgDXJwDS3Pivkk+31h3fWHbq+BpbNLUF5d61ec=
@@ -222,10 +222,10 @@ github.com/fluxcd/pkg/tar v0.16.0 h1:P7hR2FjLBuI9AIndRqrZaO7VYFbbBzbYMBsLe2hh7fI
 github.com/fluxcd/pkg/tar v0.16.0/go.mod h1:Bz1DmQ5vTY3/HLWw9LM0kHRL1vtgF4eVs5QmeRAD8UM=
 github.com/fluxcd/pkg/version v0.11.0 h1:gcAXw/HZ4XX9v+2xhO+NWf/hAArYKgSmzqT9Yrx4VjY=
 github.com/fluxcd/pkg/version v0.11.0/go.mod h1:XsgsKJVmVFWnG3DE19YBM0EeWVuG4BPAHpAmOe6GFmo=
-github.com/fluxcd/source-controller/api v1.7.4 h1:+EOVnRA9LmLxOx7J273l7IOEU39m+Slt/nQGBy69ygs=
-github.com/fluxcd/source-controller/api v1.7.4/go.mod h1:ruf49LEgZRBfcP+eshl2n9SX1MfHayCcViAIGnZcaDY=
-github.com/fluxcd/source-watcher/api/v2 v2.0.3 h1:SsVGAaMBxzvcgrOz/Kl6c2ybMHVqoiEFwtI+bDuSeSs=
-github.com/fluxcd/source-watcher/api/v2 v2.0.3/go.mod h1:Nx3QZweVyuhaOtSNrw+oxifG+qrakPvjgNAN9qlUTb0=
+github.com/fluxcd/source-controller/api v1.7.3 h1:JCDbaJqAbQtjCt3Ijsm/6nZf+SZiby3/R6lVZ1gDllE=
+github.com/fluxcd/source-controller/api v1.7.3/go.mod h1:2JtCeUVpl0aqKImS19jUz9EEnMdzgqNWHkllrIhV004=
+github.com/fluxcd/source-watcher/api/v2 v2.0.2 h1:fWSxsDqYN7My2AEpQwbP7O6Qjix8nGBX+UE/qWHtZfM=
+github.com/fluxcd/source-watcher/api/v2 v2.0.2/go.mod h1:Hs6ueayPt23jlkIr/d1pGPZ+OHiibQwWjxvU6xqljzg=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=

internal/build/build.go

@@ -520,30 +520,32 @@ func (b *Builder) do(ctx context.Context, kustomization kustomizev1.Kustomizatio
 		return nil, fmt.Errorf("kustomize build failed: %w", err)
 	}
 
+	if kustomization.Spec.PostBuild == nil {
+		return m, nil
+	}
+
+	data, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&kustomization)
+	if err != nil {
+		return nil, err
+	}
 	for _, res := range m.Resources() {
 		// run variable substitutions
-		if kustomization.Spec.PostBuild != nil {
-			data, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&kustomization)
+		outRes, err := kustomize.SubstituteVariables(ctx,
+			b.client,
+			unstructured.Unstructured{Object: data},
+			res,
+			kustomize.SubstituteWithDryRun(b.dryRun),
+			kustomize.SubstituteWithStrict(b.strictSubst),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("var substitution failed for '%s': %w", res.GetName(), err)
+		}
+
+		if outRes != nil {
+			_, err = m.Replace(res)
 			if err != nil {
 				return nil, err
 			}
-			outRes, err := kustomize.SubstituteVariables(ctx,
-				b.client,
-				unstructured.Unstructured{Object: data},
-				res,
-				kustomize.SubstituteWithDryRun(b.dryRun),
-				kustomize.SubstituteWithStrict(b.strictSubst),
-			)
-			if err != nil {
-				return nil, fmt.Errorf("var substitution failed for '%s': %w", res.GetName(), err)
-			}
-
-			if outRes != nil {
-				_, err = m.Replace(res)
-				if err != nil {
-					return nil, err
-				}
-			}
 		}
 	}
 

manifests/bases/helm-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/helm-controller/releases/download/v1.4.5/helm-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v1.4.5/helm-controller.deployment.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v1.4.3/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v1.4.3/helm-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

manifests/bases/image-automation-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-automation-controller/releases/download/v1.0.4/image-automation-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v1.0.4/image-automation-controller.deployment.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v1.0.3/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v1.0.3/image-automation-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

manifests/bases/image-reflector-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v1.0.4/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v1.0.4/image-reflector-controller.deployment.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v1.0.3/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v1.0.3/image-reflector-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

manifests/bases/kustomize-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/kustomize-controller/releases/download/v1.7.3/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v1.7.3/kustomize-controller.deployment.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v1.7.2/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v1.7.2/kustomize-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

manifests/bases/notification-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/notification-controller/releases/download/v1.7.5/notification-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v1.7.5/notification-controller.deployment.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v1.7.4/notification-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v1.7.4/notification-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

manifests/bases/source-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v1.7.4/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v1.7.4/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.7.3/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.7.3/source-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

manifests/bases/source-watcher/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-watcher/releases/download/v2.0.3/source-watcher.crds.yaml
-- https://github.com/fluxcd/source-watcher/releases/download/v2.0.3/source-watcher.deployment.yaml
+- https://github.com/fluxcd/source-watcher/releases/download/v2.0.2/source-watcher.crds.yaml
+- https://github.com/fluxcd/source-watcher/releases/download/v2.0.2/source-watcher.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

manifests/crds/kustomization.yaml

@@ -1,10 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v1.7.4/source-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v1.7.3/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v1.4.5/helm-controller.crds.yaml
-- https://github.com/fluxcd/notification-controller/releases/download/v1.7.5/notification-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v1.0.4/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-automation-controller/releases/download/v1.0.4/image-automation-controller.crds.yaml
-- https://github.com/fluxcd/source-watcher/releases/download/v2.0.3/source-watcher.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.7.3/source-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v1.7.2/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v1.4.3/helm-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v1.7.4/notification-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v1.0.3/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v1.0.3/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/source-watcher/releases/download/v2.0.2/source-watcher.crds.yaml

tests/integration/go.mod

@@ -127,7 +127,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.44.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/mod v0.29.0 // indirect
 	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/oauth2 v0.32.0 // indirect

tests/integration/go.sum

@@ -398,8 +398,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=