Merge pull request #5462 from cappyzawa/feat/runtime-secrets-migration

Migrate sourcesecret package to runtime/secrets APIs
2025-07-29 14:59:44 +01:00 · 2025-07-29 22:50:56 +09:00 · 2025-07-28 11:37:24 +03:00 · 2025-07-28 10:09:12 +02:00 · 2025-07-18 14:16:08 +03:00 · 2025-07-18 13:33:10 +03:00
625 changed files with 22199 additions and 13480 deletions
--- a/.github/aur/flux-bin/.SRCINFO.template
+++ b/.github/aur/flux-bin/.SRCINFO.template
@ -4,19 +4,16 @@ pkgbase = flux-bin
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
-	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
 	optdepends = bash-completion: auto-completion for flux in Bash
 	optdepends = zsh-completions: auto-completion for flux in ZSH
-	source_x86_64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_amd64.tar.gz
+	source_x86_64 = flux-bin-${PKGVER}_linux_amd64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz
 	sha256sums_x86_64 = ${SHA256SUM_AMD64}
-	source_armv6h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
-	sha256sums_armv6h = ${SHA256SUM_ARM}
-	source_armv7h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
+	source_armv7h = flux-bin-${PKGVER}_linux_arm.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm.tar.gz
 	sha256sums_armv7h = ${SHA256SUM_ARM}
-	source_aarch64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm64.tar.gz
+	source_aarch64 = flux-bin-${PKGVER}_linux_arm64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm64.tar.gz
 	sha256sums_aarch64 = ${SHA256SUM_ARM64}

 pkgname = flux-bin
--- a/.github/aur/flux-bin/PKGBUILD.template
+++ b/.github/aur/flux-bin/PKGBUILD.template
@ -4,37 +4,32 @@
 pkgname=flux-bin
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
+_srcname=flux
+_srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv6h" "armv7h" "aarch64")
+arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 optdepends=('bash-completion: auto-completion for flux in Bash'
            'zsh-completions: auto-completion for flux in ZSH')
 source_x86_64=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
-)
-source_armv6h=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}_linux_amd64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_amd64.tar.gz"
 )
 source_armv7h=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}_linux_arm.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm.tar.gz"
 )
 source_aarch64=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
+  "${pkgname}-${pkgver}_linux_arm64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm64.tar.gz"
 )
 sha256sums_x86_64=(
  ${SHA256SUM_AMD64}
 )
-sha256sums_armv6h=(
-  ${SHA256SUM_ARM}
-)
 sha256sums_armv7h=(
  ${SHA256SUM_ARM}
 )
 sha256sums_aarch64=(
  ${SHA256SUM_ARM64}
 )
-_srcname=flux

 package() {
 	install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
--- a/.github/aur/flux-bin/publish.sh
+++ b/.github/aur/flux-bin/publish.sh
@ -28,6 +28,7 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')

+# Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}

 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
@ -36,12 +37,12 @@ else
    export PKGREL=1
 fi

-export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm.tar.gz | awk '{ print $1 }')
-export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm64.tar.gz | awk '{ print $1 }')
-export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_amd64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_arm.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_arm64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_amd64.tar.gz | awk '{ print $1 }')

-envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
-envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD

 cd $GITDIR
 git config user.name "fluxcdbot"
--- a/.github/aur/flux-go/.SRCINFO.template
+++ b/.github/aur/flux-go/.SRCINFO.template
@ -4,7 +4,6 @@ pkgbase = flux-go
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
-	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
@ -13,6 +12,6 @@ pkgbase = flux-go
 	provides = flux-bin
 	conflicts = flux-bin
  replaces = flux-cli
-	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${PKGVER}.tar.gz
+	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${VERSION}.tar.gz

 pkgname = flux-go
--- a/.github/aur/flux-go/PKGBUILD.template
+++ b/.github/aur/flux-go/PKGBUILD.template
@ -4,43 +4,44 @@
 pkgname=flux-go
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
+_srcname=flux
+_srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv6h" "armv7h" "aarch64")
+arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 replaces=("flux-cli")
 depends=("glibc")
-makedepends=('go>=1.17', 'kustomize>=3.0')
+makedepends=('go>=1.20', 'kustomize>=5.0')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${pkgver}.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${_srcver}.tar.gz"
 )
 sha256sums=(
  ${SHA256SUM}
 )
-_srcname=flux

 build() {
-  cd "flux2-${pkgver}"
+  cd "flux2-${_srcver}"
  export CGO_LDFLAGS="$LDFLAGS"
  export CGO_CFLAGS="$CFLAGS"
  export CGO_CXXFLAGS="$CXXFLAGS"
  export CGO_CPPFLAGS="$CPPFLAGS"
  export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
  make cmd/flux/.manifests.done
-  go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
+  go build -ldflags "-linkmode=external -X main.VERSION=${_srcver}" -o ${_srcname} ./cmd/flux
 }

 check() {
-  cd "flux2-${pkgver}"
+  cd "flux2-${_srcver}"
  case $CARCH in
    aarch64)
      export ENVTEST_ARCH=arm64
      ;;
-    armv6h|armv7h)
+    armv7h)
      export ENVTEST_ARCH=arm
      ;;
  esac
@ -48,7 +49,7 @@ check() {
 }

 package() {
-  cd "flux2-${pkgver}"
+  cd "flux2-${_srcver}"
  install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"

--- a/.github/aur/flux-go/publish.sh
+++ b/.github/aur/flux-go/publish.sh
@ -28,6 +28,7 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')

+# Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}

 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
@ -36,10 +37,10 @@ else
    export PKGREL=1
 fi

-export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v$PKGVER.tar.gz | sha256sum | awk '{ print $1 }')
+export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v${VERSION}.tar.gz | sha256sum | awk '{ print $1 }')

-envsubst '$PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
-envsubst '$PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD

 cd $GITDIR
 git config user.name "fluxcdbot"
--- a/.github/aur/flux-scm/.SRCINFO.template
+++ b/.github/aur/flux-scm/.SRCINFO.template
@ -4,7 +4,6 @@ pkgbase = flux-scm
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
-	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
--- a/.github/aur/flux-scm/PKGBUILD.template
+++ b/.github/aur/flux-scm/PKGBUILD.template
@ -4,21 +4,21 @@
 pkgname=flux-scm
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
+_srcname=flux
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv6h" "armv7h" "aarch64")
+arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 depends=("glibc")
-makedepends=('go>=1.17', 'kustomize>=3.0', 'git')
+makedepends=('go>=1.20', 'kustomize>=5.0', 'git')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
  "git+https://github.com/fluxcd/flux2.git"
 )
 md5sums=('SKIP')
-_srcname=flux

 pkgver() {
  cd "flux2"
@ -42,7 +42,7 @@ check() {
    aarch64)
      export ENVTEST_ARCH=arm64
      ;;
-    armv6h|armv7h)
+    armv7h)
      export ENVTEST_ARCH=arm
      ;;
  esac
--- a/.github/aur/flux-scm/publish.sh
+++ b/.github/aur/flux-scm/publish.sh
@ -28,6 +28,7 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')

+# Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}

 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,14 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    labels: ["area/ci", "dependencies"]
+    groups:
+      # Group all updates together, so that they are all applied in a single PR.
+      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
+      ci:
+        patterns:
+          - "*"
+    schedule:
+      interval: "monthly"
--- a/.github/kind/config.yaml
+++ b/.github/kind/config.yaml
@ -1,5 +1,9 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+  - role: worker
+  - role: worker
 networking:
  disableDefaultCNI: true   # disable kindnet
  podSubnet: 192.168.0.0/16 # set to Calico's default subnet
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@ -0,0 +1,55 @@
+# Configuration file to declaratively configure labels
+# Ref: https://github.com/EndBug/label-sync#Config-files
+
+- name: area/bootstrap
+  description: Bootstrap related issues and pull requests
+  color: '#86efc9'
+- name: area/install
+  description: Install and uninstall related issues and pull requests
+  color: '#86efc9'
+- name: area/diff
+  description: Diff related issues and pull requests
+  color: '#BA4192'
+- name: area/bucket
+  description: Bucket related issues and pull requests
+  color: '#00b140'
+- name: area/git
+  description: Git related issues and pull requests
+  color: '#863faf'
+- name: area/oci
+  description: OCI related issues and pull requests
+  color: '#c739ff'
+- name: area/kustomization
+  description: Kustomization related issues and pull requests
+  color: '#00e54d'
+- name: area/helm
+  description: Helm related issues and pull requests
+  color: '#1673b6'
+- name: area/image-automation
+  description: Automated image updates related issues and pull requests
+  color: '#c5def5'
+- name: area/monitoring
+  description: Monitoring related issues and pull requests
+  color: '#dd75ae'
+- name: area/multi-tenancy
+  description: Multi-tenancy related issues and pull requests
+  color: '#72CDBD'
+- name: area/notification
+  description: Notification API related issues and pull requests
+  color: '#434ec1'
+- name: area/source
+  description: Source API related issues and pull requests
+  color: '#863faf'
+- name: area/rfc
+  description: Feature request proposals in the RFC format
+  color: '#D621C3'
+  aliases: ['area/RFC']
+- name: backport:release/v2.4.x
+  description: To be backported to release/v2.4.x
+  color: '#ffd700'
+- name: backport:release/v2.5.x
+  description: To be backported to release/v2.5.x
+  color: '#ffd700'
+- name: backport:release/v2.6.x
+  description: To be backported to release/v2.6.x
+  color: '#ffd700'
--- a/.github/runners/README.md
+++ b/.github/runners/README.md
@ -1,24 +1,34 @@
 # Flux ARM64 GitHub runners

-The Flux ARM64 end-to-end tests run on Equinix instances provisioned with Docker and GitHub self-hosted runners.
+The Flux ARM64 end-to-end tests run on Equinix Metal instances provisioned with Docker and GitHub self-hosted runners.

 ## Current instances

-| Runner        | Instance            | Region |
-|---------------|---------------------|--------|
-| equinix-arm-1 | flux-equinix-arm-01 | AMS1   |
-| equinix-arm-2 | flux-equinix-arm-01 | AMS1   |
-| equinix-arm-3 | flux-equinix-arm-01 | AMS1   |
-| equinix-arm-4 | flux-equinix-arm-02 | DFW2   |
-| equinix-arm-5 | flux-equinix-arm-02 | DFW2   |
-| equinix-arm-6 | flux-equinix-arm-02 | DFW2   |
+| Repository                  | Runner           | Instance       | Location      |
+|-----------------------------|------------------|----------------|---------------|
+| flux2                       | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
+| flux2                       | equinix-arm-dc-2 | flux-arm-dc-01 | Washington DC |
+| flux2                       | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
+| flux2                       | equinix-arm-da-2 | flux-arm-da-01 | Dallas        |
+| flux-benchmark              | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
+| flux-benchmark              | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
+| source-controller           | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
+| source-controller           | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
+| image-automation-controller | equinix-arm-dc-1 | flux-arm-dc-01 | Washington DC |
+| image-automation-controller | equinix-arm-da-1 | flux-arm-da-01 | Dallas        |
+
+Instance spec:
+- Ampere Altra Q80-30 80-core processor @ 2.8GHz
+- 2 x 960GB NVME
+- 256GB RAM
+- 2 x 25Gbps

 ## Instance setup

 In order to add a new runner to the GitHub Actions pool,
 first create a server on Equinix with the following configuration:
- Type: c2.large.arm
- OS: Ubuntu 20.04
+- Type: `c3.large.arm64`
+- OS: `Ubuntu 22.04 LTS`

 ### Install prerequisites

@ -54,14 +64,14 @@ sudo ./prereq.sh

 - Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)

- Create 3 directories `runner1`, `runner2`, `runner3`
+- Create two directories `flux2-01`, `flux2-02`

 - In each dir run:
 ```shell
 curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/runner-setup.sh > runner-setup.sh \
  && chmod +x ./runner-setup.sh

-./runner-setup.sh equinix-arm-<NUMBER> <TOKEN>
+./runner-setup.sh equinix-arm-<NUMBER> <TOKEN> <REPO>
 ```

 - Reboot the instance
--- a/.github/runners/prereq.sh
+++ b/.github/runners/prereq.sh
@ -18,11 +18,11 @@

 set -eu

-KIND_VERSION=0.14.0
-KUBECTL_VERSION=1.24.0
-KUSTOMIZE_VERSION=4.5.4
-HELM_VERSION=3.8.2
-GITHUB_RUNNER_VERSION=2.291.1
+KIND_VERSION=0.22.0
+KUBECTL_VERSION=1.29.0
+KUSTOMIZE_VERSION=5.3.0
+HELM_VERSION=3.14.1
+GITHUB_RUNNER_VERSION=2.313.0
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq pkg-config"

 # install prerequisites
@ -31,6 +31,10 @@ apt-get update \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*

+# fix Kubernetes DNS resolution
+rm /etc/resolv.conf
+cat "/run/systemd/resolve/stub-resolv.conf" | sed '/search/d' > /etc/resolv.conf
+
 # install docker
 curl -fsSL https://get.docker.com -o get-docker.sh \
  && chmod +x get-docker.sh
--- a/.github/runners/runner-setup.sh
+++ b/.github/runners/runner-setup.sh
@ -22,7 +22,7 @@ RUNNER_NAME=$1
 REPOSITORY_TOKEN=$2
 REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}

-GITHUB_RUNNER_VERSION=2.285.1
+GITHUB_RUNNER_VERSION=2.313.0

 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@ -0,0 +1,50 @@
+# Flux GitHub Workflows
+
+## End-to-end Testing
+
+The e2e workflows run a series of tests to ensure that the Flux CLI and
+the GitOps Toolkit controllers work well all together.
+The tests are written in Go, Bash, Make and Terraform.
+
+| Workflow           | Jobs                 | Runner         | Role                                          |
+|--------------------|----------------------|----------------|-----------------------------------------------|
+| e2e.yaml           | e2e-amd64-kubernetes | GitHub Ubuntu  | integration testing with Kubernetes Kind<br/> |
+| e2e-arm64.yaml     | e2e-arm64-kubernetes | Equinix Ubuntu | integration testing with Kubernetes Kind<br/> |
+| e2e-bootstrap.yaml | e2e-boostrap-github  | GitHub Ubuntu  | integration testing with GitHub API<br/>      |
+| e2e-azure.yaml     | e2e-amd64-aks        | GitHub Ubuntu  | integration testing with Azure API<br/>       |
+| scan.yaml          | scan-fossa           | GitHub Ubuntu  | license scanning<br/>                         |
+| scan.yaml          | scan-snyk            | GitHub Ubuntu  | vulnerability scanning<br/>                   |
+| scan.yaml          | scan-codeql          | GitHub Ubuntu  | vulnerability scanning<br/>                   |
+
+## Components Update
+
+The components update workflow scans the GitOps Toolkit controller repositories for new releases,
+amd when it finds a new controller version, the workflow performs the following steps:
+- Updates the controller API package version in `go.mod`.
+- Patches the controller CRDs version in the `manifests/crds` overlay.
+- Patches the controller Deployment version in `manifests/bases` overlay.
+- Opens a Pull Request against the `main` branch.
+- Triggers the e2e test suite to run for the opened PR.
+
+
+| Workflow    | Jobs              | Runner        | Role                                                |
+|-------------|-------------------|---------------|-----------------------------------------------------|
+| update.yaml | update-components | GitHub Ubuntu | update the GitOps Toolkit APIs and controllers<br/> |
+
+## Release
+
+The release workflow is triggered by a semver Git tag and performs the following steps:
+- Generates the Flux install manifests (YAML).
+- Generates the OpenAPI validation schemas for the GitOps Toolkit CRDs (JSON).
+- Generates a Software Bill of Materials (SPDX JSON).
+- Builds the Flux CLI binaries and the multi-arch container images.
+- Pushes the container images to GitHub Container Registry and DockerHub.
+- Signs the sbom, the binaries checksum and the container images with Cosign and GitHub OIDC.
+- Uploads the sbom, binaries, checksums and install manifests to GitHub Releases.
+- Pushes the install manifests as OCI artifacts to GitHub Container Registry and DockerHub.
+- Signs the OCI artifacts with Cosign and GitHub OIDC.
+
+| Workflow     | Jobs                   | Runner        | Role                                                 |
+|--------------|------------------------|---------------|------------------------------------------------------|
+| release.yaml | release-flux-cli       | GitHub Ubuntu | build, push and sign the CLI release artifacts<br/>  |
+| release.yaml | release-flux-manifests | GitHub Ubuntu | build, push and sign the Flux install manifests<br/> |
--- a/.github/workflows/action.yaml
+++ b/.github/workflows/action.yaml
@ -0,0 +1,29 @@
+name: test-gh-action
+
+on:
+  pull_request:
+    paths:
+      - 'action/**'
+  push:
+    paths:
+      - 'action/**'
+    branches:
+      - 'main'
+      - 'release/**'
+
+permissions: read-all
+
+jobs:
+  actions:
+    strategy:
+      fail-fast: false
+      matrix:
+        version: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.version }}
+    name: action on ${{ matrix.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup flux
+        uses: ./action
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@ -0,0 +1,34 @@
+name: backport
+
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
+permissions: 
+  contents: read
+
+jobs:
+  pull-request:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Create backport PRs
+        uses: korthout/backport-action@0193454f0c5947491d348f33a275c119f30eb736 # v3.2.1
+        # xref: https://github.com/korthout/backport-action#inputs
+        with:
+          # Use token to allow workflows to be triggered for the created PR
+          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          # Match labels with a pattern `backport:<target-branch>`
+          label_pattern: '^backport:([^ ]+)$'
+          # A bit shorter pull-request title than the default
+          pull_title: '[${target_branch}] ${pull_title}'
+          # Simpler PR description than default
+          pull_description: |-
+            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@ -0,0 +1,256 @@
+name: conformance
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ 'main', 'update-components', 'release/**', 'conform*' ]
+
+permissions:
+  contents: read
+
+env:
+  GO_VERSION: 1.24.x
+
+jobs:
+  conform-kubernetes:
+    runs-on:
+      group: "ARM64"
+    strategy:
+      matrix:
+        # Keep this list up-to-date with https://endoflife.date/kubernetes
+        # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
+        KUBERNETES_VERSION: [1.31.5, 1.32.1, 1.33.0]
+      fail-fast: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Prepare
+        id: prep
+        run: |
+          ID=${GITHUB_SHA:0:7}-${{ matrix.KUBERNETES_VERSION }}-$(date +%s)
+          echo "CLUSTER=arm64-${ID}" >> $GITHUB_OUTPUT
+      - name: Build
+        run: |
+          make build
+      - name: Setup Kubernetes
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        with:
+          version: v0.27.0
+          cluster_name: ${{ steps.prep.outputs.CLUSTER }}
+          node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
+      - name: Run e2e tests
+        run: TEST_KUBECONFIG=$HOME/.kube/config make e2e
+      - name: Run multi-tenancy tests
+        run: |
+          ./bin/flux install
+          ./bin/flux create source git flux-system \
+          --interval=15m \
+          --url=https://github.com/fluxcd/flux2-multi-tenancy \
+          --branch=main \
+          --ignore-paths="./clusters/**/flux-system/"
+          ./bin/flux create kustomization flux-system \
+          --interval=15m \
+          --source=flux-system \
+          --path=./clusters/staging
+          kubectl -n flux-system wait kustomization/tenants --for=condition=ready --timeout=5m
+          kubectl -n apps wait kustomization/dev-team --for=condition=ready --timeout=1m
+          kubectl -n apps wait helmrelease/podinfo --for=condition=ready --timeout=1m
+      - name: Debug failure
+        if: failure()
+        run: |
+          kubectl -n flux-system get all
+          kubectl -n flux-system describe po 
+          kubectl -n flux-system logs deploy/source-controller
+          kubectl -n flux-system logs deploy/kustomize-controller
+
+  conform-k3s:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # Keep this list up-to-date with https://endoflife.date/kubernetes
+        # Available versions can be found with "replicated cluster versions"
+        K3S_VERSION: [ 1.31.8, 1.32.4, 1.33.0 ]
+      fail-fast: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Prepare
+        id: prep
+        run: |
+          ID=${GITHUB_SHA:0:7}-${{ matrix.K3S_VERSION }}-$(date +%s)
+          PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
+          echo "cluster=flux2-k3s-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
+          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
+          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
+      - name: Setup Kustomize
+        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+      - name: Build
+        run: make build-dev
+      - name: Create repository
+        run: |
+          gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: Create cluster
+        id: create-cluster
+        uses: replicatedhq/replicated-actions/create-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
+        with:
+          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
+          kubernetes-distribution: "k3s"
+          kubernetes-version: ${{ matrix.K3S_VERSION }}
+          ttl: 20m
+          cluster-name: "${{ steps.prep.outputs.cluster }}"
+          kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
+          export-kubeconfig: true
+      - name: Run e2e tests
+        run: TEST_KUBECONFIG=${{ steps.prep.outputs.kubeconfig-path }} make e2e
+      - name: Run flux bootstrap
+        run: |
+          ./bin/flux bootstrap git --manifests ./manifests/install/ \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
+          --branch=main \
+          --path=clusters/k3s \
+          --token-auth
+        env:
+          GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: Run flux check
+        run: |
+          ./bin/flux check
+      - name: Run flux reconcile
+        run: |
+          ./bin/flux reconcile ks flux-system --with-source
+          ./bin/flux get all
+          ./bin/flux events
+      - name: Collect reconcile logs
+        if: ${{ always() }}
+        continue-on-error: true
+        run: |
+          kubectl -n flux-system get all
+          kubectl -n flux-system describe pods
+          kubectl -n flux-system logs deploy/source-controller
+          kubectl -n flux-system logs deploy/kustomize-controller
+          kubectl -n flux-system logs deploy/notification-controller
+      - name: Delete flux
+        run: |
+          ./bin/flux uninstall -s --keep-namespace
+          kubectl delete ns flux-system --wait
+      - name: Delete cluster
+        if: ${{ always() }}
+        uses: replicatedhq/replicated-actions/remove-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
+        continue-on-error: true
+        with:
+          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
+          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
+      - name: Delete repository
+        if: ${{ always() }}
+        continue-on-error: true
+        run: |
+          gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+
+  conform-openshift:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # Keep this list up-to-date with https://endoflife.date/red-hat-openshift
+        OPENSHIFT_VERSION: [ 4.18.0-okd ]
+      fail-fast: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Prepare
+        id: prep
+        run: |
+          ID=${GITHUB_SHA:0:7}-${{ matrix.OPENSHIFT_VERSION }}-$(date +%s)
+          PSEUDO_RAND_SUFFIX=$(echo "${ID}" | shasum | awk '{print $1}')
+          echo "cluster=flux2-openshift-${PSEUDO_RAND_SUFFIX}" >> $GITHUB_OUTPUT
+          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
+          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
+      - name: Setup Kustomize
+        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+      - name: Build
+        run: make build-dev
+      - name: Create repository
+        run: |
+          gh repo create --private --add-readme fluxcd-testing/${{ steps.prep.outputs.cluster }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: Create cluster
+        id: create-cluster
+        uses: replicatedhq/replicated-actions/create-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
+        with:
+          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
+          kubernetes-distribution: "openshift"
+          kubernetes-version: ${{ matrix.OPENSHIFT_VERSION }}
+          ttl: 20m
+          cluster-name: "${{ steps.prep.outputs.cluster }}"
+          kubeconfig-path: ${{ steps.prep.outputs.kubeconfig-path }}
+          export-kubeconfig: true
+      - name: Run flux bootstrap
+        run: |
+          ./bin/flux bootstrap git --manifests ./manifests/openshift/ \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
+          --branch=main \
+          --path=clusters/openshift \
+          --token-auth
+        env:
+          GIT_PASSWORD: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: Run flux check
+        run: |
+          ./bin/flux check
+      - name: Run flux reconcile
+        run: |
+          ./bin/flux reconcile ks flux-system --with-source
+          ./bin/flux get all
+          ./bin/flux events
+      - name: Collect reconcile logs
+        if: ${{ always() }}
+        continue-on-error: true
+        run: |
+          kubectl -n flux-system get all
+          kubectl -n flux-system describe pods
+          kubectl -n flux-system logs deploy/source-controller
+          kubectl -n flux-system logs deploy/kustomize-controller
+          kubectl -n flux-system logs deploy/notification-controller
+      - name: Delete flux
+        run: |
+          ./bin/flux uninstall -s --keep-namespace
+          kubectl delete ns flux-system --wait
+      - name: Delete cluster
+        if: ${{ always() }}
+        uses: replicatedhq/replicated-actions/remove-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
+        continue-on-error: true
+        with:
+          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
+          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
+      - name: Delete repository
+        if: ${{ always() }}
+        continue-on-error: true
+        run: |
+          gh repo delete fluxcd-testing/${{ steps.prep.outputs.cluster }} --yes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@ -1,37 +0,0 @@
-name: e2e-arm64
-
-on:
-  workflow_dispatch:
-  push:
-    branches: [ main, update-components ]
-
-jobs:
-  test:
-    # Hosted on Equinix
-    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
-    runs-on: [self-hosted, Linux, ARM64, equinix]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.18.x
-      - name: Prepare
-        id: prep
-        run: |
-          echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
-          echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
-      - name: Build
-        run: |
-          make build
-      - name: Setup Kubernetes Kind
-        run: |
-          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
-      - name: Run e2e tests
-        run: TEST_KUBECONFIG=/tmp/${{ steps.prep.outputs.CLUSTER }} make e2e
-      - name: Cleanup
-        if: always()
-        run: |
-          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
-          rm /tmp/${{ steps.prep.outputs.CLUSTER }}
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@ -3,64 +3,91 @@ name: e2e-azure
 on:
  workflow_dispatch:
  schedule:
-    - cron:  '0 6 * * *'
+    - cron: '0 6 * * *'
  push:
-    branches: [ azure* ]
+    branches:
+      - main
+    paths:
+      - 'tests/**'
+      - '.github/workflows/e2e-azure.yaml'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'tests/**'
+      - '.github/workflows/e2e-azure.yaml'
+
+permissions:
+  contents: read

 jobs:
-  e2e:
-    runs-on: ubuntu-latest
+  e2e-aks:
+    runs-on: ubuntu-22.04
+    defaults:
+      run:
+        working-directory: ./tests/integration
+    # This job is currently disabled. Remove the false check when Azure subscription is enabled.
+    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Restore Go cache
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go1.18-
+      - name: CheckoutD
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: 1.18.x
-      - name: Install libgit2
-        run: |
-          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
-          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9
-          echo "deb http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
-          echo "deb-src http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
-          sudo apt-get update
-          sudo apt-get install -y --allow-downgrades libgit2-dev/unstable zlib1g-dev/unstable libssh2-1-dev/unstable libpcre3-dev/unstable
+          go-version: 1.24.x
+          cache-dependency-path: tests/integration/go.sum
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      - name: Setup Flux CLI
-        run: |
-          make build
-          mkdir -p $HOME/.local/bin
-          mv ./bin/flux $HOME/.local/bin
+        run: make build
+        working-directory: ./
      - name: Setup SOPS
        run: |
-          wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux
-          chmod +x sops-v3.7.1.linux
          mkdir -p $HOME/.local/bin
-          mv sops-v3.7.1.linux $HOME/.local/bin/sops
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v1
+          wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
+          chmod +x $HOME/.local/bin/sops
+        env:
+          SOPS_VER: 3.7.1
+      - name: Authenticate to Azure
+        uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v1.4.6
        with:
-          terraform_version: 1.2.8
-          terraform_wrapper: false
-      - name: Setup Azure CLI
+          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
+      - name: Set dynamic variables in .env
        run: |
-          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+          cat > .env <<EOF
+          export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
+          EOF
+      - name: Print .env for dynamic tag value reference
+        run: cat .env
      - name: Run Azure e2e tests
        env:
-          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
+          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
+          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
+          GITREPO_SSH_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_CONTENTS }}
+          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_PUB_CONTENTS }}
        run: |
-          echo $HOME
-          echo $PATH
-          ls $HOME/.local/bin
-          az login --service-principal -u ${ARM_CLIENT_ID} -p ${ARM_CLIENT_SECRET} -t ${ARM_TENANT_ID}
-          cd ./tests/azure
-          go test -v -coverprofile cover.out -timeout 60m .
+          source .env
+          mkdir -p ./build/ssh
+          touch ./build/ssh/key
+          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
+          export GITREPO_SSH_PATH=build/ssh/key
+          touch ./build/ssh/key.pub
+          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
+          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
+          make test-azure
+      - name: Ensure resource cleanup
+        if: ${{ always() }}
+        env:
+          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
+          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
+          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
+        run: source .env && make destroy-azure
--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@ -1,40 +1,45 @@
-name: bootstrap
+name: e2e-bootstrap

 on:
+  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  pull_request:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
+    paths-ignore: [ 'docs/**', 'rfcs/**' ]
+
+permissions:
+  contents: read

 jobs:
-  github:
+  e2e-boostrap-github:
    runs-on: ubuntu-latest
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Restore Go cache
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go1.18-
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: 1.18.x
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.5.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
-          version: v0.11.1
-          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
+          version: v0.24.0
+          cluster_name: kind
+          # The versions below should target the newest Kubernetes version
+          # Keep this up-to-date with https://endoflife.date/kubernetes
+          node_image: ghcr.io/fluxcd/kindest/node:v1.33.0-amd64
+          kubectl_version: v1.32.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+      - name: Setup yq
+        uses: fluxcd/pkg/actions/yq@9e79277372c4746ff091eba1f10aee82974ecdaa # main
      - name: Build
-        run: |
-          make cmd/flux/.manifests.done
-          go build -o /tmp/flux ./cmd/flux
+        run: make build-dev
      - name: Set outputs
        id: vars
        run: |
@ -43,21 +48,27 @@ jobs:
          COMMIT_SHA=$(git rev-parse HEAD)
          PSEUDO_RAND_SUFFIX=$(echo "${BRANCH_NAME}-${COMMIT_SHA}" | shasum | awk '{print $1}')
          TEST_REPO_NAME="${REPOSITORY_NAME}-${PSEUDO_RAND_SUFFIX}"
-          echo "::set-output name=test_repo_name::$TEST_REPO_NAME"
+          echo "test_repo_name=$TEST_REPO_NAME" >> $GITHUB_OUTPUT
      - name: bootstrap init
        run: |
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
+          --image-pull-secret=ghcr-auth \
+          --registry-creds=fluxcd:$GITHUB_TOKEN \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --team=team-z
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
+      - name: verify image pull secret
+        run: |
+          kubectl -n flux-system get secret ghcr-auth | grep dockerconfigjson
      - name: bootstrap no-op
        run: |
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
+          --image-pull-secret=ghcr-auth \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
@ -67,7 +78,7 @@ jobs:
      - name: bootstrap customize
        run: |
          make setup-bootstrap-patch
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
@ -80,56 +91,35 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
          GITHUB_ORG_NAME: fluxcd-testing
-      - name: libgit2
-        run: |
-          /tmp/flux create source git test-libgit2 \
-          --url=ssh://git@github.com/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} \
-          --git-implementation=libgit2 \
-          --secret-ref=flux-system \
-          --branch=main
      - name: uninstall
        run: |
-          /tmp/flux uninstall -s --keep-namespace
+          ./bin/flux uninstall -s --keep-namespace
          kubectl delete ns flux-system --timeout=10m --wait=true
      - name: test image automation
        run: |
          make setup-image-automation
-          /tmp/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/install/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --read-write-key
-          /tmp/flux reconcile image repository podinfo
-          /tmp/flux reconcile image update flux-system
-          /tmp/flux get images all
-          
-          retries=10
-          count=0
-          ok=false
-          until ${ok}; do
-              /tmp/flux get image update flux-system | grep 'commit' && ok=true || ok=false
-              count=$(($count + 1))
-              if [[ ${count} -eq ${retries} ]]; then
-                  echo "No more retries left"
-                  exit 1
-              fi
-              sleep 6
-              /tmp/flux reconcile image update flux-system
-          done
+          ./bin/flux reconcile image repository podinfo
+          ./bin/flux reconcile image update flux-system
+          ./bin/flux get images all
+          ./bin/flux -n flux-system events --for ImageUpdateAutomation/flux-system
+          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system
+          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system | \
+           yq '.status.lastPushCommit | length > 1' | grep 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
          GITHUB_REPO_NAME: ${{ steps.vars.outputs.test_repo_name }}
          GITHUB_ORG_NAME: fluxcd-testing
      - name: delete repository
        if: ${{ always() }}
+        continue-on-error: true
        run: |
-          curl \
-            -X DELETE \
-            -H "Accept: application/vnd.github.v3+json" \
-            -H "Authorization: token ${GITHUB_TOKEN}" \
-            --fail --silent \
-            https://api.github.com/repos/fluxcd-testing/${{ steps.vars.outputs.test_repo_name }}
+          gh repo delete fluxcd-testing/${{ steps.vars.outputs.test_repo_name }} --yes
        env:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Debug failure
--- a/.github/workflows/e2e-gcp.yaml
+++ b/.github/workflows/e2e-gcp.yaml
@ -0,0 +1,104 @@
+name: e2e-gcp
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 6 * * *'
+  push:
+    branches:
+      - main
+    paths:
+      - 'tests/**'
+      - '.github/workflows/e2e-gcp.yaml'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'tests/**'
+      - '.github/workflows/e2e-gcp.yaml'
+
+permissions:
+  contents: read
+
+jobs:
+  e2e-gcp:
+    runs-on: ubuntu-22.04
+    defaults:
+      run:
+        working-directory: ./tests/integration
+    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.24.x
+          cache-dependency-path: tests/integration/go.sum
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      - name: Setup Flux CLI
+        run: make build
+        working-directory: ./
+      - name: Setup SOPS
+        run: |
+          mkdir -p $HOME/.local/bin
+          wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
+          chmod +x $HOME/.local/bin/sops
+        env:
+          SOPS_VER: 3.7.1
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
+        id: 'auth'
+        with:
+          credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
+          token_format: 'access_token'
+      - name: Setup gcloud
+        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: Log into us-central1-docker.pkg.dev
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: us-central1-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+      - name: Set dynamic variables in .env
+        run: |
+          cat > .env <<EOF
+          export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
+          EOF
+      - name: Print .env for dynamic tag value reference
+        run: cat .env
+      - name: Run GCP e2e tests
+        env:
+          TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
+          TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
+          TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
+          TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
+          TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
+          TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
+          GITREPO_SSH_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_CONTENTS }}
+          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GCP_GITREPO_SSH_PUB_CONTENTS }}
+        run: |
+          source .env
+          mkdir -p ./build/ssh
+          touch ./build/ssh/key
+          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
+          export GITREPO_SSH_PATH=build/ssh/key
+          touch ./build/ssh/key.pub
+          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
+          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
+          make test-gcp
+      - name: Ensure resource cleanup
+        if: ${{ always() }}
+        env:
+          TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
+          TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
+          TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
+          TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }}
+          TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }}
+          TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }}
+        run: source .env && make destroy-gcp
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@ -1,14 +1,21 @@
 name: e2e

 on:
+  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  pull_request:
-    branches: [ main, oci ]
+    branches: [ 'main', 'release/**' ]
+    paths-ignore: [ 'docs/**', 'rfcs/**' ]
+
+permissions:
+  contents: read

 jobs:
-  kind:
-    runs-on: ubuntu-latest
+  e2e-amd64-kubernetes:
+    runs-on:
+      group: "Default Larger Runners"
+      labels: ubuntu-latest-16-cores
    services:
      registry:
        image: registry:2
@ -16,30 +23,30 @@ jobs:
          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Restore Go cache
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go1.18-
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: 1.18.x
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.5.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
-          version: v0.11.1
-          image: kindest/node:v1.20.7
+          version: v0.24.0
+          cluster_name: kind
+          wait: 5s
          config: .github/kind/config.yaml # disable KIND-net
+          # The versions below should target the oldest supported Kubernetes version
+          # Keep this up-to-date with https://endoflife.date/kubernetes
+          node_image: ghcr.io/fluxcd/kindest/node:v1.31.5-amd64
+          kubectl_version: v1.32.0
      - name: Setup Calico for network policy
        run: |
-          kubectl apply -f https://docs.projectcalico.org/v3.20/manifests/calico.yaml
-          kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
+          kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.3/manifests/calico.yaml
      - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
      - name: Run tests
        run: make test
      - name: Run e2e tests
@ -52,51 +59,43 @@ jobs:
            exit 1
          fi
      - name: Build
-        run: |
-          go build -o /tmp/flux ./cmd/flux
+        run: make build-dev
      - name: flux check --pre
        run: |
-          /tmp/flux check --pre
+          ./bin/flux check --pre
      - name: flux install --manifests
        run: |
-          /tmp/flux install --manifests ./manifests/install/
+          ./bin/flux install --manifests ./manifests/install/
      - name: flux create secret
        run: |
-          /tmp/flux create secret git git-ssh-test \
+          ./bin/flux create secret git git-ssh-test \
            --url ssh://git@github.com/stefanprodan/podinfo
-          /tmp/flux create secret git git-https-test \
+          ./bin/flux create secret git git-https-test \
            --url https://github.com/stefanprodan/podinfo \
            --username=test --password=test
-          /tmp/flux create secret helm helm-test \
+          ./bin/flux create secret helm helm-test \
            --username=test --password=test
      - name: flux create source git
        run: |
-          /tmp/flux create source git podinfo \
+          ./bin/flux create source git podinfo \
            --url https://github.com/stefanprodan/podinfo  \
-            --tag-semver=">=3.2.3"
+            --tag-semver=">=6.3.5"
      - name: flux create source git export apply
        run: |
-          /tmp/flux create source git podinfo-export \
+          ./bin/flux create source git podinfo-export \
            --url https://github.com/stefanprodan/podinfo  \
-            --tag-semver=">=3.2.3" \
+            --tag-semver=">=6.3.5" \
            --export | kubectl apply -f -
-          /tmp/flux delete source git podinfo-export --silent
-      - name: flux create source git libgit2 semver
-        run: |
-          /tmp/flux create source git podinfo-libgit2 \
-            --url https://github.com/stefanprodan/podinfo  \
-            --tag-semver=">=3.2.3" \
-            --git-implementation=libgit2
-          /tmp/flux delete source git podinfo-libgit2 --silent
+          ./bin/flux delete source git podinfo-export --silent
      - name: flux get sources git
        run: |
-          /tmp/flux get sources git
+          ./bin/flux get sources git
      - name: flux get sources git --all-namespaces
        run: |
-          /tmp/flux get sources git --all-namespaces
+          ./bin/flux get sources git --all-namespaces
      - name: flux create kustomization
        run: |
-          /tmp/flux create kustomization podinfo \
+          ./bin/flux create kustomization podinfo \
            --source=podinfo \
            --path="./deploy/overlays/dev" \
            --prune=true \
@ -106,140 +105,149 @@ jobs:
            --health-check-timeout=3m
      - name: flux trace
        run: |
-          /tmp/flux trace frontend \
+          ./bin/flux trace frontend \
            --kind=deployment \
            --api-version=apps/v1 \
            --namespace=dev
      - name: flux reconcile kustomization --with-source
        run: |
-          /tmp/flux reconcile kustomization podinfo --with-source
+          ./bin/flux reconcile kustomization podinfo --with-source
      - name: flux get kustomizations
        run: |
-          /tmp/flux get kustomizations
+          ./bin/flux get kustomizations
      - name: flux get kustomizations --all-namespaces
        run: |
-          /tmp/flux get kustomizations --all-namespaces
+          ./bin/flux get kustomizations --all-namespaces
      - name: flux suspend kustomization
        run: |
-          /tmp/flux suspend kustomization podinfo
+          ./bin/flux suspend kustomization podinfo
      - name: flux resume kustomization
        run: |
-          /tmp/flux resume kustomization podinfo
+          ./bin/flux resume kustomization podinfo
      - name: flux export
        run: |
-          /tmp/flux export source git --all
-          /tmp/flux export kustomization --all
+          ./bin/flux export source git --all
+          ./bin/flux export kustomization --all
      - name: flux delete kustomization
        run: |
-          /tmp/flux delete kustomization podinfo --silent
+          ./bin/flux delete kustomization podinfo --silent
      - name: flux create source helm
        run: |
-          /tmp/flux create source helm podinfo \
+          ./bin/flux create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
      - name: flux create helmrelease --source=HelmRepository/podinfo
        run: |
-          /tmp/flux create hr podinfo-helm \
+          ./bin/flux create hr podinfo-helm \
            --target-namespace=default \
            --source=HelmRepository/podinfo.flux-system \
            --chart=podinfo \
-            --chart-version=">4.0.0 <5.0.0"
+            --chart-version=">6.0.0 <7.0.0"
      - name: flux create helmrelease --source=GitRepository/podinfo
        run: |
-          /tmp/flux create hr podinfo-git \
+          ./bin/flux create hr podinfo-git \
            --target-namespace=default \
            --source=GitRepository/podinfo \
            --chart=./charts/podinfo
      - name: flux reconcile helmrelease --with-source
        run: |
-          /tmp/flux reconcile helmrelease podinfo-git --with-source
+          ./bin/flux reconcile helmrelease podinfo-git --with-source
      - name: flux get helmreleases
        run: |
-          /tmp/flux get helmreleases
+          ./bin/flux get helmreleases
      - name: flux get helmreleases --all-namespaces
        run: |
-          /tmp/flux get helmreleases --all-namespaces
+          ./bin/flux get helmreleases --all-namespaces
      - name: flux export helmrelease
        run: |
-          /tmp/flux export hr --all
+          ./bin/flux export hr --all
      - name: flux delete helmrelease podinfo-helm
        run: |
-          /tmp/flux delete hr podinfo-helm --silent
+          ./bin/flux delete hr podinfo-helm --silent
      - name: flux delete helmrelease podinfo-git
        run: |
-          /tmp/flux delete hr podinfo-git --silent
+          ./bin/flux delete hr podinfo-git --silent
      - name: flux delete source helm
        run: |
-          /tmp/flux delete source helm podinfo --silent
+          ./bin/flux delete source helm podinfo --silent
      - name: flux delete source git
        run: |
-          /tmp/flux delete source git podinfo --silent
+          ./bin/flux delete source git podinfo --silent
      - name: flux oci artifacts
        run: |
-          /tmp/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+          ./bin/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
            --path="./manifests" \
            --source="${{ github.repositoryUrl }}" \
-            --revision="${{ github.ref }}/${{ github.sha }}"
-          /tmp/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
+            --revision="${{ github.ref }}@sha1:${{ github.sha }}"
+          ./bin/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
            --tag latest
-          /tmp/flux list artifacts oci://localhost:5000/fluxcd/flux
+          ./bin/flux list artifacts oci://localhost:5000/fluxcd/flux
      - name: flux oci repositories
        run: |
-          /tmp/flux create source oci podinfo-oci \
+          ./bin/flux create source oci podinfo-oci \
            --url oci://ghcr.io/stefanprodan/manifests/podinfo \
-            --tag-semver 6.1.x \
+            --tag-semver 6.3.x \
            --interval 10m
-          /tmp/flux create kustomization podinfo-oci \
+          ./bin/flux create kustomization podinfo-oci \
            --source=OCIRepository/podinfo-oci \
-            --path="./kustomize" \
+            --path="./" \
            --prune=true \
            --interval=5m \
            --target-namespace=default \
            --wait=true \
            --health-check-timeout=3m
-          /tmp/flux reconcile source oci podinfo-oci
-          /tmp/flux suspend source oci podinfo-oci
-          /tmp/flux get sources oci
-          /tmp/flux resume source oci podinfo-oci
-          /tmp/flux export source oci podinfo-oci
-          /tmp/flux delete ks podinfo-oci --silent
-          /tmp/flux delete source oci podinfo-oci --silent
+          ./bin/flux reconcile source oci podinfo-oci
+          ./bin/flux suspend source oci podinfo-oci
+          ./bin/flux get sources oci
+          ./bin/flux resume source oci podinfo-oci
+          ./bin/flux export source oci podinfo-oci
+          ./bin/flux delete ks podinfo-oci --silent
+          ./bin/flux delete source oci podinfo-oci --silent
      - name: flux create tenant
        run: |
-          /tmp/flux create tenant dev-team --with-namespace=apps
-          /tmp/flux -n apps create source helm podinfo \
+          ./bin/flux create tenant dev-team --with-namespace=apps
+          ./bin/flux -n apps create source helm podinfo \
            --url https://stefanprodan.github.io/podinfo
-          /tmp/flux -n apps create hr podinfo-helm \
+          ./bin/flux -n apps create hr podinfo-helm \
            --source=HelmRepository/podinfo \
            --chart=podinfo \
-            --chart-version="5.0.x" \
+            --chart-version="6.3.x" \
            --service-account=dev-team
      - name: flux2-kustomize-helm-example
        run: |
-          /tmp/flux create source git flux-system \
+          ./bin/flux create source git flux-system \
          --url=https://github.com/fluxcd/flux2-kustomize-helm-example \
          --branch=main \
+          --ignore-paths="./clusters/**/flux-system/" \
          --recurse-submodules
-          /tmp/flux create kustomization flux-system \
+          ./bin/flux create kustomization flux-system \
          --source=flux-system \
          --path=./clusters/staging
-          kubectl -n flux-system wait kustomization/infrastructure --for=condition=ready --timeout=5m
+          kubectl -n flux-system wait kustomization/infra-controllers --for=condition=ready --timeout=5m
          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=5m
-          kubectl -n nginx wait helmrelease/nginx --for=condition=ready --timeout=5m
-          kubectl -n redis wait helmrelease/redis --for=condition=ready --timeout=5m
          kubectl -n podinfo wait helmrelease/podinfo --for=condition=ready --timeout=5m
      - name: flux tree
        run: |
-          /tmp/flux tree kustomization flux-system | grep Service/podinfo
+          ./bin/flux tree kustomization flux-system | grep Service/podinfo
+      - name: flux events
+        run: |
+          ./bin/flux -n flux-system events --for Kustomization/apps | grep 'HelmRelease/podinfo'
+          ./bin/flux -n podinfo events --for HelmRelease/podinfo | grep 'podinfo.v1'
+      - name: flux stats
+        run: |
+          ./bin/flux stats -A
      - name: flux check
        run: |
-          /tmp/flux check
+          ./bin/flux check
+      - name: flux version
+        run: |
+          ./bin/flux version
      - name: flux uninstall
        run: |
-          /tmp/flux uninstall --silent
+          ./bin/flux uninstall --silent
      - name: Debug failure
        if: failure()
        run: |
-          kubectl version --client --short
+          kubectl version --client
          kubectl -n flux-system get all
          kubectl -n flux-system describe pods
          kubectl -n flux-system get kustomizations -oyaml
--- a/.github/workflows/ossf.yaml
+++ b/.github/workflows/ossf.yaml
@ -0,0 +1,39 @@
+name: ossf
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  schedule:
+    # Weekly on Saturdays.
+    - cron:  '30 1 * * 6'
+
+permissions: read-all
+
+jobs:
+  scorecard:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      actions: read
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Run analysis
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_results: true
+      - name: Upload artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      - name: Upload SARIF results
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        with:
+          sarif_file: results.sarif
--- a/.github/workflows/release-manifests.yml
+++ b/.github/workflows/release-manifests.yml
@ -1,73 +0,0 @@
-name: release-manifests
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-
-permissions:
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
-
-jobs:
-  build-push:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@main
-      - name: Setup Flux CLI
-        uses: ./action/
-      - name: Prepare
-        id: prep
-        run: |
-          VERSION=$(flux version --client | awk '{ print $NF }')
-          echo ::set-output name=VERSION::${VERSION}
-      - name: Login to GHCR
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
-      - name: Login to DockerHub
-        uses: docker/login-action@v2
-        with:
-          username: fluxcdbot
-          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-      - name: Push manifests to GHCR
-        run: |
-          mkdir -p ./ghcr.io/flux-system
-          flux install --registry=ghcr.io/fluxcd \
-          --components-extra=image-reflector-controller,image-automation-controller \
-          --export > ./ghcr.io/flux-system/gotk-components.yaml
-          
-          cd ./ghcr.io && flux push artifact \
-          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
-          --path="./flux-system" \
-          --source=${{ github.repositoryUrl }} \
-          --revision="${{ github.ref_name }}/${{ github.sha }}"
-      - name: Push manifests to DockerHub
-        run: |
-          mkdir -p ./docker.io/flux-system
-          flux install --registry=docker.io/fluxcd \
-          --components-extra=image-reflector-controller,image-automation-controller \
-          --export > ./docker.io/flux-system/gotk-components.yaml
-          
-          cd ./docker.io && flux push artifact \
-          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
-          --path="./flux-system" \
-          --source=${{ github.repositoryUrl }} \
-          --revision="${{ github.ref_name }}/${{ github.sha }}"
-      - uses: sigstore/cosign-installer@main
-      - name: Sign manifests
-        env:
-          COSIGN_EXPERIMENTAL: 1
-        run: |
-          cosign sign ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
-          cosign sign docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
-      - name: Tag manifests
-        run: |
-          flux tag artifact oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
-          --tag latest
-
-          flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
-          --tag latest
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -2,44 +2,51 @@ name: release

 on:
  push:
-    tags: [ 'v*' ]
+    tags: ["v*"]

 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read

 jobs:
-  goreleaser:
+  release-flux-cli:
+    outputs:
+      hashes: ${{ steps.slsa.outputs.hashes }}
+      image_url: ${{ steps.slsa.outputs.image_url }}
+      image_digest: ${{ steps.slsa.outputs.image_digest }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: 1.18.x
+          go-version: 1.24.x
+          cache: false
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@v0
+        uses: anchore/sbom-action/download-syft@cee1b8e05ae5b2593a75e197229729eabaa9f8ec # v0.20.2
      - name: Setup Cosign
-        uses: sigstore/cosign-installer@main
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
      - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
+        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@ -51,33 +58,143 @@ jobs:
      - name: Build CRDs
        run: |
          kustomize build manifests/crds > all-crds.yaml
-      # Pinned to commit before https://github.com/fluxcd/pkg/pull/189 due to
-      # introduction faulty behavior.
      - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg//actions/crdjsonschema@49e26aa2ee9e734c3233c560253fd9542afe18ae
+        uses: fluxcd/pkg/actions/crdjsonschema@9e79277372c4746ff091eba1f10aee82974ecdaa # main
        with:
          crd: all-crds.yaml
          output: schemas
      - name: Archive the OpenAPI JSON schemas
        run: |
          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
-      - name: Download release notes utility
-        env:
-          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
-        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
-      - name: Generate release notes
-        run: |
-          NOTES="./output/notes.md"
-          echo '## CLI Changelog' > ${NOTES}
-          github-release-notes -org fluxcd -repo flux2 -since-latest-release -include-author >> ${NOTES}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          version: latest
-          args: release --release-notes=output/notes.md --skip-validate
+          args: release --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
          AUR_BOT_SSH_PRIVATE_KEY: ${{ secrets.AUR_BOT_SSH_PRIVATE_KEY }}
+      - name: Generate SLSA metadata
+        id: slsa
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+
+          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+
+          image_url=fluxcd/flux-cli:$GITHUB_REF_NAME
+          echo "image_url=$image_url" >> $GITHUB_OUTPUT
+
+          image_digest=$(docker buildx imagetools inspect ${image_url}  --format '{{json .}}' | jq -r .manifest.digest)
+          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
+
+  release-flux-manifests:
+    runs-on: ubuntu-latest
+    needs: release-flux-cli
+    permissions:
+      id-token: write
+      packages: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Kustomize
+        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+      - name: Setup Flux CLI
+        uses: ./action/
+      - name: Prepare
+        id: prep
+        run: |
+          VERSION=$(flux version --client | awk '{ print $NF }')
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+      - name: Login to GHCR
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: fluxcdbot
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to DockerHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          username: fluxcdbot
+          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+      - name: Push manifests to GHCR
+        run: |
+          mkdir -p ./ghcr.io/flux-system
+          flux install --registry=ghcr.io/fluxcd \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --export > ./ghcr.io/flux-system/gotk-components.yaml
+
+          cd ./ghcr.io && flux push artifact \
+          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
+          --path="./flux-system" \
+          --source=${{ github.repositoryUrl }} \
+          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
+      - name: Push manifests to DockerHub
+        run: |
+          mkdir -p ./docker.io/flux-system
+          flux install --registry=docker.io/fluxcd \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --export > ./docker.io/flux-system/gotk-components.yaml
+
+          cd ./docker.io && flux push artifact \
+          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
+          --path="./flux-system" \
+          --source=${{ github.repositoryUrl }} \
+          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
+      - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+      - name: Sign manifests
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign --yes ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }}
+          cosign sign --yes docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }}
+      - name: Tag manifests
+        run: |
+          flux tag artifact oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
+          --tag latest
+
+          flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
+          --tag latest
+
+  release-provenance:
+    needs: [release-flux-cli]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      contents: write # for uploading attestations to GitHub releases.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      provenance-name: "provenance.intoto.jsonl"
+      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
+      upload-assets: true
+
+  dockerhub-provenance:
+    needs: [release-flux-cli]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ needs.release-flux-cli.outputs.image_url }}
+      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+
+  ghcr-provenance:
+    needs: [release-flux-cli]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
+      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@ -1,68 +1,53 @@
 name: scan

 on:
+  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  pull_request:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  schedule:
    - cron: '18 10 * * 3'

 permissions:
-  contents: read # for actions/checkout to fetch code
-  security-events: write # for codeQL to write security events
+  contents: read

 jobs:
-  fossa:
-    name: FOSSA
+  scan-fossa:
    runs-on: ubuntu-latest
+    if: github.actor != 'dependabot[bot]'
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@v1
+        uses: fossa-contrib/fossa-action@3d2ef181b1820d6dcd1972f86a767d18167fa19b # v3.0.1
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
          github-token: ${{ github.token }}

-  snyk:
-    name: Snyk
-    runs-on: ubuntu-latest
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-    steps:
-      - uses: actions/checkout@v3
-      - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
-      - name: Build manifests
-        run: |
-          make cmd/flux/.manifests.done
-      - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/golang@master
-        continue-on-error: true
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          args: --sarif-file-output=snyk.sarif
-      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v1
-        with:
-          sarif_file: snyk.sarif
-
-  codeql:
-    name: CodeQL
+  scan-codeql:
    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: 1.18
+          go-version-file: 'go.mod'
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
        with:
          languages: go
+          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # xref: https://codeql.github.com/codeql-query-help/go/
+          queries: security-and-quality
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@ -0,0 +1,28 @@
+name: sync-labels
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/labels.yaml
+
+permissions:
+  contents: read
+
+jobs:
+  labels:
+    name: Run sync
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
+        with:
+          # Configuration file
+          config-file: |
+            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
+            .github/labels.yaml
+          # Strictly declarative
+          delete-other-labels: true
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@ -1,4 +1,4 @@
-name: Update Components
+name: update

 on:
  workflow_dispatch:
@ -7,23 +7,34 @@ on:
  push:
    branches: [main]

+permissions:
+  contents: read
+
 jobs:
  update-components:
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: 1.18.x
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Update component versions
        id: update
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          PR_BODY=""
+          PR_BODY=$(mktemp)

          bump_version() {
-            local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
+            local LATEST_VERSION=$(curl -s -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
            local CTRL_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
            local CRD_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p" manifests/crds/kustomization.yaml)
            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "github.com/fluxcd/$1/api")
@ -47,7 +58,8 @@ jobs:
            fi

            if [[ "$changed" == true ]]; then
-              PR_BODY="$PR_BODY- $1 to ${LATEST_VERSION}%0A  https://github.com/fluxcd/$1/blob/${LATEST_VERSION}/CHANGELOG.md%0A"
+              echo "- $1 to ${LATEST_VERSION}" >> $PR_BODY
+              echo "  https://github.com/fluxcd/$1/blob/${LATEST_VERSION}/CHANGELOG.md" >> $PR_BODY
            fi
          }

@ -64,12 +76,17 @@ jobs:
            git diff

            # export PR_BODY for PR and commit
-            echo "::set-output name=pr_body::$PR_BODY"
+            # NB: this may look strange but it is the way it should be done to
+            # maintain our precious newlines
+            # Ref: https://github.com/github/docs/issues/21529
+            echo 'pr_body<<EOF' >> $GITHUB_OUTPUT
+            cat $PR_BODY >> $GITHUB_OUTPUT
+            echo 'EOF' >> $GITHUB_OUTPUT
          }

      - name: Create Pull Request
        id: cpr
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
@ -84,7 +101,7 @@ jobs:
          body: |
            ${{ steps.update.outputs.pr_body }}
          labels: |
-            area/build
+            dependencies
          reviewers: ${{ secrets.ASSIGNEES }}

      - name: Check output
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -1,4 +1,6 @@
 project_name: flux
+changelog:
+  use: github-native
 builds:
  - <<: &build_defaults
      binary: flux
@ -15,7 +17,7 @@ builds:
      - arm64
      - arm
    goarm:
-      - 7
+      - "7"
  - <<: *build_defaults
    id: darwin
    goos:
@ -65,6 +67,7 @@ signs:
    certificate: '${artifact}.pem'
    args:
      - sign-blob
+      - "--yes"
      - '--output-certificate=${certificate}'
      - '--output-signature=${signature}'
      - '${artifact}'
@ -72,24 +75,17 @@ signs:
    output: true
 brews:
  - name: flux
-    tap:
+    repository:
      owner: fluxcd
      name: homebrew-tap
      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
-    folder: Formula
+    directory: Formula
    homepage: "https://fluxcd.io/"
    description: "Flux CLI"
    install: |
      bin.install "flux"

-      bash_output = Utils.safe_popen_read(bin/"flux", "completion", "bash")
-      (bash_completion/"flux").write bash_output
-
-      zsh_output = Utils.safe_popen_read(bin/"flux", "completion", "zsh")
-      (zsh_completion/"_flux").write zsh_output
-
-      fish_output = Utils.safe_popen_read(bin/"flux", "completion", "fish")
-      (fish_completion/"flux.fish").write fish_output
+      generate_completions_from_executable(bin/"flux", "completion")
    test: |
      system "#{bin}/flux --version"
 publishers:
@ -175,6 +171,7 @@ docker_signs:
      - COSIGN_EXPERIMENTAL=1
    args:
      - sign
+      - "--yes"
      - '${artifact}'
    artifacts: all
    output: true
--- a/.scorecard.yml
+++ b/.scorecard.yml
@ -0,0 +1,5 @@
+annotations:
+  - checks:
+      - dangerous-workflow
+    reasons:
+      - reason: not-applicable # This workflow does not run untrusted code, the bot will only backport a code if the a PR was approved and merged into main.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -67,9 +67,9 @@ for source changes.

 Prerequisites:

-* go >= 1.17
-* kubectl >= 1.20
-* kustomize >= 4.4
+* go >= 1.24
+* kubectl >= 1.30
+* kustomize >= 5.0
 * coreutils (on Mac OS)

 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
--- a/15
+++ b/15
@ -1,19 +1,16 @@
-FROM alpine:3.16 as builder
+FROM alpine:3.21 AS builder

 RUN apk add --no-cache ca-certificates curl

 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.25.0
+ARG KUBECTL_VER=1.33.0

-RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
-    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
-    kubectl version --client=true
+RUN curl -sL https://dl.k8s.io/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
+    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl

-FROM alpine:3.16 as flux-cli
+RUN kubectl version --client=true

-# Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
-# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
-RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
+FROM alpine:3.21 AS flux-cli

 RUN apk add --no-cache ca-certificates

--- a/4
+++ b/4
@ -17,8 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build

 tidy:
-	go mod tidy -compat=1.18
-	cd tests/azure && go mod tidy -compat=1.18
+	go mod tidy -compat=1.24
+	cd tests/integration && go mod tidy -compat=1.24

 fmt:
 	go fmt ./...
--- a/README.md
+++ b/README.md
@ -1,14 +1,15 @@
 # Flux version 2

-[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
-[![e2e](https://github.com/fluxcd/flux2/workflows/e2e/badge.svg)](https://github.com/fluxcd/flux2/actions)
-[![report](https://goreportcard.com/badge/github.com/fluxcd/flux2)](https://goreportcard.com/report/github.com/fluxcd/flux2)
-[![license](https://img.shields.io/github/license/fluxcd/flux2.svg)](https://github.com/fluxcd/flux2/blob/main/LICENSE)
 [![release](https://img.shields.io/github/release/fluxcd/flux2/all.svg)](https://github.com/fluxcd/flux2/releases)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2/badge)](https://scorecard.dev/viewer/?uri=github.com/fluxcd/flux2)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2?ref=badge_shield)
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/flux2)](https://artifacthub.io/packages/helm/fluxcd-community/flux2)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://fluxcd.io/flux/security/slsa-assessment)

 Flux is a tool for keeping Kubernetes clusters in sync with sources of
-configuration (like Git repositories), and automating updates to
-configuration when there is new code to deploy.
+configuration (like Git repositories and OCI artifacts),
+and automating updates to configuration when there is new code to deploy.

 Flux version 2 ("v2") is built from the ground up to use Kubernetes'
 API extension system, and to integrate with Prometheus and other core
@ -20,7 +21,8 @@ Flux v2 is constructed with the [GitOps Toolkit](#gitops-toolkit), a
 set of composable APIs and specialized tools for building Continuous
 Delivery on top of Kubernetes.

-Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) project.
+Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) graduated project, used in
+production by various [organisations](https://fluxcd.io/adopters) and [cloud providers](https://fluxcd.io/ecosystem).

 ## Quickstart and documentation

@ -31,7 +33,7 @@ For more comprehensive documentation, see the following guides:
 - [Ways of structuring your repositories](https://fluxcd.io/flux/guides/repository-structure/)
 - [Manage Helm Releases](https://fluxcd.io/flux/guides/helmreleases/)
 - [Automate image updates to Git](https://fluxcd.io/flux/guides/image-update/)  
- [Manage Kubernetes secrets with Mozilla SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)  
+- [Manage Kubernetes secrets with Flux and SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)  

 If you need help, please refer to our **[Support page](https://fluxcd.io/support/)**.

@ -42,7 +44,7 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.

-![overview](docs/_files/gitops-toolkit.png)
+![overview](https://raw.githubusercontent.com/fluxcd/flux2/main/docs/diagrams/fluxcd-controllers.png)

 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
@ -57,18 +59,18 @@ guides](https://fluxcd.io/flux/gitops-toolkit/source-watcher/).
    - [HelmChart CRD](https://fluxcd.io/flux/components/source/helmcharts/)
    - [Bucket CRD](https://fluxcd.io/flux/components/source/buckets/)
 - [Kustomize Controller](https://fluxcd.io/flux/components/kustomize/)
-    - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomization/)
+    - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomizations/)
 - [Helm Controller](https://fluxcd.io/flux/components/helm/)
    - [HelmRelease CRD](https://fluxcd.io/flux/components/helm/helmreleases/)
 - [Notification Controller](https://fluxcd.io/flux/components/notification/)
-    - [Provider CRD](https://fluxcd.io/flux/components/notification/provider/)
-    - [Alert CRD](https://fluxcd.io/flux/components/notification/alert/)
-    - [Receiver CRD](https://fluxcd.io/flux/components/notification/receiver/)
+    - [Provider CRD](https://fluxcd.io/flux/components/notification/providers/)
+    - [Alert CRD](https://fluxcd.io/flux/components/notification/alerts/)
+    - [Receiver CRD](https://fluxcd.io/flux/components/notification/receivers/)
 - [Image Automation Controllers](https://fluxcd.io/flux/components/image/)
  - [ImageRepository CRD](https://fluxcd.io/flux/components/image/imagerepositories/)
  - [ImagePolicy CRD](https://fluxcd.io/flux/components/image/imagepolicies/)
  - [ImageUpdateAutomation CRD](https://fluxcd.io/flux/components/image/imageupdateautomations/)
-  
+
 ## Community

 Need help or want to contribute? Please see the links below. The Flux project is always looking for
@ -77,16 +79,17 @@ new contributors and there are a multitude of ways to get involved.
 - Getting Started?
    - Look at our [Get Started guide](https://fluxcd.io/flux/get-started/) and give us feedback
 - Need help?
-    - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
-    - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/)
+    - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions).
+    - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/).
    - Please follow our [Support Guidelines](https://fluxcd.io/support/)
      (in short: be nice, be respectful of volunteers' time, understand that maintainers and
      contributors cannot respond to all DMs, and keep discussions in the public #flux channel as much as possible).
 - Have feature proposals or want to contribute?
-    - Propose features on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
-    - Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view))
+    - Propose features on our [GitHub Discussions page](https://github.com/fluxcd/flux2/discussions).
+    - Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view)).
    - [Join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
-    - Check out [how to contribute](CONTRIBUTING.md) to the project
+    - Check out [how to contribute](CONTRIBUTING.md) to the project.
+    - Check out the [project roadmap](https://fluxcd.io/roadmap/).

 ### Events

--- a/action/README.md
+++ b/action/README.md
@ -1,190 +1,22 @@
 # Flux GitHub Action

-Usage:
+To install the latest Flux CLI on Linux, macOS or Windows GitHub runners:

 ```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Run Flux commands
-        run: flux -v
+steps:
+  - name: Setup Flux CLI
+    uses: fluxcd/flux2/action@main
+    with:
+      version: 'latest'
+  - name: Run Flux CLI
+    run: flux version --client
 ```

-The latest stable version of the `flux` binary is downloaded from
-GitHub [releases](https://github.com/fluxcd/flux2/releases)
-and placed at `/usr/local/bin/flux`.
+The Flux GitHub Action can be used to automate various tasks in CI, such as:

-Note that this action can only be used on GitHub **Linux** runners.
-You can change the arch (defaults to `amd64`) with:
+- [Automate Flux upgrades on clusters via Pull Requests](https://fluxcd.io/flux/flux-gh-action/#automate-flux-updates)
+- [Push Kubernetes manifests to container registries](https://fluxcd.io/flux/flux-gh-action/#push-kubernetes-manifests-to-container-registries)
+- [Run end-to-end testing with Flux and Kubernetes Kind](https://fluxcd.io/flux/flux-gh-action/#end-to-end-testing)

-```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-        with:
-          arch: arm64 # can be amd64, arm64 or arm
-```
+For more information, please see the [Flux GitHub Action documentation](https://fluxcd.io/flux/flux-gh-action/).

-You can download a specific version with:
-
-```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-        with:
-          version: 0.32.0
-```
-
-### Automate Flux updates
-
-Example workflow for updating Flux's components generated with `flux bootstrap --path=clusters/production`:
-
-```yaml
-name: update-flux
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 * * * *"
-
-jobs:
-  components:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Check for updates
-        id: update
-        run: |
-          flux install \
-            --export > ./clusters/production/flux-system/gotk-components.yaml
-
-          VERSION="$(flux -v)"
-          echo "::set-output name=flux_version::$VERSION"
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
-        with:
-            token: ${{ secrets.GITHUB_TOKEN }}
-            branch: update-flux
-            commit-message: Update to ${{ steps.update.outputs.flux_version }}
-            title: Update to ${{ steps.update.outputs.flux_version }}
-            body: |
-              ${{ steps.update.outputs.flux_version }}
-```
-
-### Push Kubernetes manifests to container registries
-
-Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to GitHub Container Registry:
-
-```yaml
-name: push-artifact-staging
-
-on:
-  push:
-    branches:
-      - 'main'
-
-permissions:
-  packages: write # needed for ghcr.io access
-
-env:
-  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Login to GHCR
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate manifests
-        run: |
-          kustomize build ./manifests/staging > ./deploy/app.yaml
-      - name: Push manifests
-        run: |
-          flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
-            --path="./deploy" \
-            --source="$(git config --get remote.origin.url)" \
-            --revision="$(git branch --show-current)/$(git rev-parse HEAD)"
-      - name: Deploy manifests to staging
-        run: |
-          flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
-```
-
-Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to Docker Hub:
-
-```yaml
-name: push-artifact-production
-
-on:
-  push:
-    tags:
-      - '*'
-
-env:
-  OCI_REPO: "oci://docker.io/my-org/app-config"
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Generate manifests
-        run: |
-          kustomize build ./manifests/production > ./deploy/app.yaml
-      - name: Push manifests
-        run: |
-          flux push artifact $OCI_REPO:$(git tag --points-at HEAD) \
-            --path="./deploy" \
-            --source="$(git config --get remote.origin.url)" \
-            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
-      - name: Deploy manifests to production
-        run: |
-          flux tag artifact $OCI_REPO:$(git tag --points-at HEAD) --tag production
-```
-
-### End-to-end testing
-
-Example workflow for running Flux in Kubernetes Kind:
-
-```yaml
-name: e2e
-
-on:
-  push:
-    branches:
-      - '*'
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Setup Kubernetes Kind
-        uses: engineerd/setup-kind@v0.5.0
-      - name: Install Flux in Kubernetes Kind
-        run: flux install
-```
-
-A complete e2e testing workflow is available here
-[flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)
--- a/action/action.yml
+++ b/action/action.yml
@ -1,52 +1,120 @@
 name: Setup Flux CLI
-description: A GitHub Action for running Flux commands
-author: Stefan Prodan
+description: A GitHub Action for installing the Flux CLI
+author: Flux project
 branding:
  color: blue
  icon: command
 inputs:
  version:
-    description: "Flux version e.g. 0.8.0 (defaults to latest stable release)"
+    description: "Flux version e.g. 2.0.0 (defaults to latest stable release)"
    required: false
  arch:
    description: "arch can be amd64, arm64 or arm"
-    required: true
-    default: "amd64"
+    required: false
+    deprecationMessage: "No longer required, action will now detect runner arch."
  bindir:
-    description: "Optional location of the Flux binary. Will not use sudo if set. Updates System Path."
+    description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
+    required: false
+  token:
+    description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
    required: false
 runs:
  using: composite
  steps:
-    - name: "Download flux binary to tmp"
+    - name: "Download the binary to the runner's cache dir"
      shell: bash
      run: |
-        ARCH=${{ inputs.arch }}
        VERSION=${{ inputs.version }}

-        if [ -z $VERSION ]; then
-          VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+        TOKEN=${{ inputs.token }}
+        if [[ -z "$TOKEN" ]]; then
+          TOKEN=${{ github.token }}
        fi

-        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
-        curl -sL ${BIN_URL} -o /tmp/flux.tar.gz
-        mkdir -p /tmp/flux
-        tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
-    - name: "Copy Flux binary to execute location"
-      shell: bash
-      run: |
-        BINDIR=${{ inputs.bindir }}
-        if [ -z $BINDIR ]; then
-          sudo cp /tmp/flux/flux /usr/local/bin
-        else
-          cp /tmp/flux/flux "${BINDIR}"
-          echo "${BINDIR}" >> $GITHUB_PATH
+        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
+          VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
        fi
-    - name: "Cleanup tmp"
-      shell: bash
-      run: |
-        rm -rf /tmp/flux/ /tmp/flux.tar.gz
-    - name: "Verify correct installation of binary"
+        if [[ -z "$VERSION" ]]; then
+          echo "Unable to determine Flux CLI version"
+          exit 1
+        fi
+        if [[ $VERSION = v* ]]; then
+          VERSION="${VERSION:1}"
+        fi
+
+        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$OS" == "macos" ]]; then
+          OS="darwin"
+        fi
+
+        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ARCH" == "x64" ]]; then
+          ARCH="amd64"
+        elif [[ "$ARCH" == "x86" ]]; then
+          ARCH="386"
+        fi
+
+        FLUX_EXEC_FILE="flux"
+        if [[ "$OS" == "windows" ]]; then
+            FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
+        fi
+
+        FLUX_TOOL_DIR=${{ inputs.bindir }}
+        if [[ -z "$FLUX_TOOL_DIR" ]]; then
+          FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
+        fi
+        if [[ ! -x "$FLUX_TOOL_DIR/FLUX_EXEC_FILE" ]]; then
+          DL_DIR="$(mktemp -dt flux2-XXXXXX)"
+          trap 'rm -rf $DL_DIR' EXIT
+
+          echo "Downloading flux ${VERSION} for ${OS}/${ARCH}"
+          FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.tar.gz"
+          if [[ "$OS" == "windows" ]]; then
+            FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.zip"
+          fi
+
+          FLUX_CHECKSUMS_FILE="flux_${VERSION}_checksums.txt"
+
+          FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"
+
+          curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
+          curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
+
+          echo "Verifying checksum"
+          sum=""
+          if command -v openssl > /dev/null; then
+            sum=$(openssl sha256 "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $2}')
+          elif command -v sha256sum > /dev/null; then
+            sum=$(sha256sum "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $1}')
+          fi
+
+          if [[ -z "$sum" ]]; then
+            echo "Neither openssl nor sha256sum found. Cannot calculate checksum."
+            exit 1
+          fi
+
+          expected_sum=$(grep " $FLUX_TARGET_FILE\$" "$DL_DIR/$FLUX_CHECKSUMS_FILE" | awk '{print $1}')
+          if [ "$sum" != "$expected_sum" ]; then
+            echo "SHA sum of ${FLUX_TARGET_FILE} does not match. Aborting."
+            exit 1
+          fi
+
+          echo "Installing flux to ${FLUX_TOOL_DIR}"
+          mkdir -p "$FLUX_TOOL_DIR"
+        
+          if [[ "$OS" == "windows" ]]; then
+            unzip "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_EXEC_FILE" -d "$FLUX_TOOL_DIR"
+          else
+            tar xzf "$DL_DIR/$FLUX_TARGET_FILE" -C "$FLUX_TOOL_DIR" $FLUX_EXEC_FILE
+          fi
+
+          chmod +x "$FLUX_TOOL_DIR/$FLUX_EXEC_FILE"
+        fi
+
+        echo "Adding flux to path"
+        echo "$FLUX_TOOL_DIR" >> "$GITHUB_PATH"
+
+    - name: "Print installed flux version"
      shell: bash
      run: |
        flux -v
--- a/cmd/flux/alert.go
+++ b/cmd/flux/alert.go
@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )

 // notificationv1.Alert
--- a/cmd/flux/alert_provider.go
+++ b/cmd/flux/alert_provider.go
@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 )

 // notificationv1.Provider
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@ -17,27 +17,32 @@ limitations under the License.
 package main

 import (
+	"context"
 	"crypto/elliptic"
 	"fmt"
 	"strings"

+	"github.com/fluxcd/pkg/git"
+	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"sigs.k8s.io/controller-runtime/pkg/client"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 var bootstrapCmd = &cobra.Command{
 	Use:   "bootstrap",
-	Short: "Bootstrap toolkit components",
-	Long:  "The bootstrap sub-commands bootstrap the toolkit components on the targeted Git provider.",
+	Short: "Deploy Flux on a cluster the GitOps way.",
+	Long: `The bootstrap sub-commands push the Flux manifests to a Git repository
+and deploy Flux on the cluster.`,
 }

 type bootstrapFlags struct {
 	version  string
-	arch     flags.Arch
 	logLevel flags.LogLevel

 	branch            string
@ -48,17 +53,19 @@ type bootstrapFlags struct {
 	extraComponents    []string
 	requiredComponents []string

-	registry        string
-	imagePullSecret string
+	registry           string
+	registryCredential string
+	imagePullSecret    string

-	secretName     string
-	tokenAuth      bool
-	keyAlgorithm   flags.PublicKeyAlgorithm
-	keyRSABits     flags.RSAKeyBits
-	keyECDSACurve  flags.ECDSACurve
-	sshHostname    string
-	caFile         string
-	privateKeyFile string
+	secretName           string
+	tokenAuth            bool
+	keyAlgorithm         flags.PublicKeyAlgorithm
+	keyRSABits           flags.RSAKeyBits
+	keyECDSACurve        flags.ECDSACurve
+	sshHostname          string
+	caFile               string
+	privateKeyFile       string
+	sshHostKeyAlgorithms []string

 	watchAllNamespaces bool
 	networkPolicy      bool
@ -72,6 +79,8 @@ type bootstrapFlags struct {
 	gpgPassphrase  string
 	gpgKeyID       string

+	force bool
+
 	commitMessageAppendix string
 }

@ -91,9 +100,11 @@ func init() {
 		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")

 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
-		"container registry where the toolkit images are published")
+		"container registry where the Flux controller images are published")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registryCredential, "registry-creds", "",
+		"container registry credentials in the format 'user:password', requires --image-pull-secret to be set")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.imagePullSecret, "image-pull-secret", "",
-		"Kubernetes secret name used for pulling the toolkit images from a private registry")
+		"Kubernetes secret name used for pulling the controller images from a private registry")

 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.branch, "branch", bootstrapDefaultBranch, "Git branch")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.recurseSubmodules, "recurse-submodules", false,
@ -102,19 +113,20 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.manifestsPath, "manifests", "", "path to the manifest directory")

 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.watchAllNamespaces, "watch-all-namespaces", true,
-		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed")
+		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the Flux controllers are installed")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.networkPolicy, "network-policy", true,
-		"deny ingress access to the toolkit controllers from other namespaces using network policies")
+		"setup Kubernetes network policies to deny ingress access to the Flux controllers from other namespaces")
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.tokenAuth, "token-auth", false,
-		"when enabled, the personal access token will be used instead of SSH deploy key")
+		"when enabled, the personal access token will be used instead of the SSH deploy key")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.logLevel, "log-level", bootstrapArgs.logLevel.Description())
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.clusterDomain, "cluster-domain", rootArgs.defaults.ClusterDomain, "internal cluster domain")
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.tolerationKeys, "toleration-keys", nil,
-		"list of toleration keys used to schedule the components pods onto nodes with matching taints")
+		"list of toleration keys used to schedule the controller pods onto nodes with matching taints")

 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.secretName, "secret-name", rootArgs.defaults.Namespace, "name of the secret the sync credentials can be found in or stored to")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyAlgorithm, "ssh-key-algorithm", bootstrapArgs.keyAlgorithm.Description())
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyRSABits, "ssh-rsa-bits", bootstrapArgs.keyRSABits.Description())
+	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.sshHostKeyAlgorithms, "ssh-hostkey-algos", nil, "list of host key algorithms to be used by the CLI for SSH connections")
 	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.keyECDSACurve, "ssh-ecdsa-curve", bootstrapArgs.keyECDSACurve.Description())
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.sshHostname, "ssh-hostname", "", "SSH hostname, to be used when the SSH host differs from the HTTPS one")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
@ -129,8 +141,7 @@ func init() {

 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.commitMessageAppendix, "commit-message-appendix", "", "string to add to the commit messages, e.g. '[ci skip]'")

-	bootstrapCmd.PersistentFlags().Var(&bootstrapArgs.arch, "arch", bootstrapArgs.arch.Description())
-	bootstrapCmd.PersistentFlags().MarkDeprecated("arch", "multi-arch container image is now available for AMD64, ARMv7 and ARM64")
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapArgs.force, "force", false, "override existing Flux installation if it's managed by a different tool such as Helm")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")

 	rootCmd.AddCommand(bootstrapCmd)
@ -176,6 +187,18 @@ func bootstrapValidate() error {
 		return err
 	}

+	if bootstrapArgs.registryCredential != "" && bootstrapArgs.imagePullSecret == "" {
+		return fmt.Errorf("--registry-creds requires --image-pull-secret to be set")
+	}
+
+	if bootstrapArgs.registryCredential != "" && len(strings.Split(bootstrapArgs.registryCredential, ":")) != 2 {
+		return fmt.Errorf("invalid --registry-creds format, expected 'user:password'")
+	}
+
+	if len(bootstrapArgs.sshHostKeyAlgorithms) > 0 {
+		git.HostKeyAlgos = bootstrapArgs.sshHostKeyAlgorithms
+	}
+
 	return nil
 }

@ -190,3 +213,27 @@ func mapTeamSlice(s []string, defaultPermission string) map[string]string {

 	return m
 }
+
+// confirmBootstrap gets a confirmation for running bootstrap over an existing Flux installation.
+// It returns a nil error if Flux is not installed or the user confirms overriding an existing installation
+func confirmBootstrap(ctx context.Context, kubeClient client.Client) error {
+	installed := true
+	info, err := getFluxClusterInfo(ctx, kubeClient)
+	if err != nil {
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("cluster info unavailable: %w", err)
+		}
+		installed = false
+	}
+
+	if installed {
+		err = confirmFluxInstallOverride(info)
+		if err != nil {
+			if err == promptui.ErrAbort {
+				return fmt.Errorf("bootstrap cancelled")
+			}
+			return err
+		}
+	}
+	return nil
+}
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@ -22,45 +22,42 @@ import (
 	"os"
 	"time"

-	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/fluxcd/pkg/git"
+	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"

-	"github.com/fluxcd/flux2/internal/bootstrap"
-	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
-	"github.com/fluxcd/flux2/internal/bootstrap/provider"
-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )

 var bootstrapBServerCmd = &cobra.Command{
 	Use:   "bitbucket-server",
-	Short: "Bootstrap toolkit components in a Bitbucket Server repository",
+	Short: "Deploy Flux on a cluster connected to a Bitbucket Server repository",
 	Long: `The bootstrap bitbucket-server command creates the Bitbucket Server repository if it doesn't exists and
-commits the toolkit components manifests to the master branch.
+commits the Flux manifests to the master branch.
 Then it configures the target cluster to synchronize with the repository.
-If the toolkit components are present on the cluster,
+If the Flux components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a Bitbucket Server API token and export it as an env var
  export BITBUCKET_TOKEN=<my-token>

  # Run bootstrap for a private repository using HTTPS token authentication
-  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster

  # Run bootstrap for a private repository using SSH authentication
-  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain>
-
-  # Run bootstrap for a repository path
-  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --path=dev-cluster --hostname=<domain>
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --path=clusters/my-cluster

  # Run bootstrap for a public repository on a personal account
-  flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth
+  flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth --path=clusters/my-cluster

-  # Run bootstrap for a an existing repository with a branch named main
-  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth`,
+  # Run bootstrap for an existing repository with a branch named main
+  flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth --path=clusters/my-cluster`,
 	RunE: bootstrapBServerCmdRun,
 }

@ -127,8 +124,17 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if !bootstrapArgs.force {
+		err = confirmBootstrap(ctx, kubeClient)
+		if err != nil {
+			return err
+		}
+	}
+
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+	if ver, err := getVersion(bootstrapArgs.version); err != nil {
+		return err
+	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@ -171,10 +177,17 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-	gitClient := gogit.New(tmpDir, &http.BasicAuth{
-		Username: user,
-		Password: bitbucketToken,
-	})
+
+	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
+	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
+		Transport: git.HTTPS,
+		Username:  user,
+		Password:  bitbucketToken,
+		CAFile:    caBundle,
+	}, clientOpts...)
+	if err != nil {
+		return fmt.Errorf("failed to create a Git client: %w", err)
+	}

 	// Install manifest config
 	installOptions := install.Options{
@ -183,6 +196,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
+		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@ -212,19 +226,18 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = bServerArgs.username
 		}
 		secretOpts.Password = bitbucketToken
-
-		if bootstrapArgs.caFile != "" {
-			secretOpts.CAFilePath = bootstrapArgs.caFile
-		}
+		secretOpts.CACrt = caBundle
 	} else {
+		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
+		if err != nil {
+			return err
+		}
+		secretOpts.Keypair = keypair
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-		secretOpts.SSHHostname = bServerArgs.hostname

-		if bootstrapArgs.privateKeyFile != "" {
-			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
-		}
+		secretOpts.SSHHostname = bServerArgs.hostname
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
@ -239,23 +252,27 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        bServerArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
-		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}

+	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
+	if err != nil {
+		return err
+	}
+
 	// Bootstrap config
+
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(bServerArgs.owner, bServerArgs.repository, bServerArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
-		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithCABundle(caBundle),
-		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@ -24,44 +24,52 @@ import (
 	"strings"
 	"time"

-	"github.com/go-git/go-git/v5/plumbing/transport"
-	"github.com/go-git/go-git/v5/plumbing/transport/http"
-	"github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"

-	"github.com/fluxcd/flux2/internal/bootstrap"
-	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/pkg/git"
+	"github.com/fluxcd/pkg/git/gogit"
+
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )

 var bootstrapGitCmd = &cobra.Command{
 	Use:   "git",
-	Short: "Bootstrap toolkit components in a Git repository",
-	Long: `The bootstrap git command commits the toolkit components manifests to the
-branch of a Git repository. It then configures the target cluster to synchronize with
-the repository. If the toolkit components are present on the cluster, the bootstrap
+	Short: "Deploy Flux on a cluster connected to a Git repository",
+	Long: `The bootstrap git command commits the Flux manifests to the
+branch of a Git repository. And then it configures the target cluster to synchronize with
+that repository. If the Flux components are present on the cluster, the bootstrap
 command will perform an upgrade if needed.`,
 	Example: `  # Run bootstrap for a Git repository and authenticate with your SSH agent
-  flux bootstrap git --url=ssh://git@example.com/repository.git
+  flux bootstrap git --url=ssh://git@example.com/repository.git --path=clusters/my-cluster

  # Run bootstrap for a Git repository and authenticate using a password
-  flux bootstrap git --url=https://example.com/repository.git --password=<password>
+  flux bootstrap git --url=https://example.com/repository.git --password=<password> --path=clusters/my-cluster

  # Run bootstrap for a Git repository and authenticate using a password from environment variable
-  GIT_PASSWORD=<password> && flux bootstrap git --url=https://example.com/repository.git
+  GIT_PASSWORD=<password> && flux bootstrap git --url=https://example.com/repository.git --path=clusters/my-cluster

  # Run bootstrap for a Git repository with a passwordless private key
-  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key>
+  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --path=clusters/my-cluster

  # Run bootstrap for a Git repository with a private key and password
-  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --password=<password>
+  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --password=<password> --path=clusters/my-cluster
+
+  # Run bootstrap for a Git repository on AWS CodeCommit
+  flux bootstrap git --url=ssh://<SSH-Key-ID>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> --private-key-file=<path/to/private.key> --password=<SSH-passphrase> --path=clusters/my-cluster
+
+  # Run bootstrap for a Git repository on Azure Devops
+  flux bootstrap git --url=ssh://git@ssh.dev.azure.com/v3/<org>/<project>/<repository> --private-key-file=<path/to/rsa-sha2-private.key> --ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256 --path=clusters/my-cluster
+
+  # Run bootstrap for a Git repository on Oracle VBS
+  flux bootstrap git --url=https://repository_url.git --with-bearer-token=true --password=<PAT> --path=clusters/my-cluster
 `,
 	RunE: bootstrapGitCmdRun,
 }
@ -74,6 +82,7 @@ type gitFlags struct {
 	password            string
 	silent              bool
 	insecureHttpAllowed bool
+	withBearerToken     bool
 }

 const (
@ -89,12 +98,17 @@ func init() {
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.username, "username", "u", "git", "basic authentication username")
 	bootstrapGitCmd.Flags().StringVarP(&gitArgs.password, "password", "p", "", "basic authentication password")
 	bootstrapGitCmd.Flags().BoolVarP(&gitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
-	bootstrapGitCmd.Flags().BoolVar(&gitArgs.insecureHttpAllowed, "allow-insecure-http", false, "allows http git url connections")
+	bootstrapGitCmd.Flags().BoolVar(&gitArgs.insecureHttpAllowed, "allow-insecure-http", false, "allows insecure HTTP connections")
+	bootstrapGitCmd.Flags().BoolVar(&gitArgs.withBearerToken, "with-bearer-token", false, "use password as bearer token for Authorization header")

 	bootstrapCmd.AddCommand(bootstrapGitCmd)
 }

 func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
+	if gitArgs.withBearerToken {
+		bootstrapArgs.tokenAuth = true
+	}
+
 	gitPassword := os.Getenv(gitPasswordEnvVar)
 	if gitPassword != "" && gitArgs.password == "" {
 		gitArgs.password = gitPassword
@ -116,9 +130,22 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-	gitAuth, err := transportForURL(repositoryURL)
-	if err != nil {
-		return err
+
+	if strings.Contains(repositoryURL.Hostname(), "git-codecommit") && strings.Contains(repositoryURL.Hostname(), "amazonaws.com") {
+		if repositoryURL.Scheme == string(git.SSH) {
+			if repositoryURL.User == nil {
+				return fmt.Errorf("invalid AWS CodeCommit url: ssh username should be specified in the url")
+			}
+			if repositoryURL.User.Username() == git.DefaultPublicKeyAuthUser {
+				return fmt.Errorf("invalid AWS CodeCommit url: ssh username should be the SSH key ID for the provided private key")
+			}
+			if bootstrapArgs.privateKeyFile == "" {
+				return fmt.Errorf("private key file is required for bootstrapping against AWS CodeCommit using ssh")
+			}
+		}
+		if repositoryURL.Scheme == string(git.HTTPS) && !bootstrapArgs.tokenAuth {
+			return fmt.Errorf("--token-auth=true must be specified for using an HTTPS AWS CodeCommit url")
+		}
 	}

 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
@ -129,8 +156,17 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if !bootstrapArgs.force {
+		err = confirmBootstrap(ctx, kubeClient)
+		if err != nil {
+			return err
+		}
+	}
+
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+	if ver, err := getVersion(bootstrapArgs.version); err != nil {
+		return err
+	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@ -145,7 +181,28 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-	gitClient := gogit.New(tmpDir, gitAuth)
+
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+	authOpts, err := getAuthOpts(repositoryURL, caBundle)
+	if err != nil {
+		return fmt.Errorf("failed to create authentication options for %s: %w", repositoryURL.String(), err)
+	}
+
+	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
+	if gitArgs.insecureHttpAllowed {
+		clientOpts = append(clientOpts, gogit.WithInsecureCredentialsOverHTTP())
+	}
+	gitClient, err := gogit.NewClient(tmpDir, authOpts, clientOpts...)
+	if err != nil {
+		return fmt.Errorf("failed to create a Git client: %w", err)
+	}

 	// Install manifest config
 	installOptions := install.Options{
@ -154,6 +211,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
+		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@ -176,14 +234,17 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		TargetPath:   gitArgs.path.String(),
 		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 	}
-	if bootstrapArgs.tokenAuth {
-		secretOpts.Username = gitArgs.username
-		secretOpts.Password = gitArgs.password

-		if bootstrapArgs.caFile != "" {
-			secretOpts.CAFilePath = bootstrapArgs.caFile
+	if bootstrapArgs.tokenAuth {
+		if gitArgs.withBearerToken {
+			secretOpts.BearerToken = gitArgs.password
+		} else {
+			secretOpts.Username = gitArgs.username
+			secretOpts.Password = gitArgs.password
 		}

+		secretOpts.CACrt = caBundle
+
 		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
 		// This _might_ be overwritten later on by e.g. --ssh-hostname
 		if repositoryURL.Scheme != "https" && repositoryURL.Scheme != "http" {
@ -192,7 +253,9 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {

 		// Configure repository URL to match auth config for sync.
 		repositoryURL.User = nil
-		repositoryURL.Scheme = "https"
+		if !gitArgs.insecureHttpAllowed {
+			repositoryURL.Scheme = "https"
+		}
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.Password = gitArgs.password
@ -211,9 +274,12 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		if bootstrapArgs.sshHostname != "" {
 			repositoryURL.Host = bootstrapArgs.sshHostname
 		}
-		if bootstrapArgs.privateKeyFile != "" {
-			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
+
+		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
+		if err != nil {
+			return err
 		}
+		secretOpts.Keypair = keypair

 		// Configure last as it depends on the config above.
 		secretOpts.SSHHostname = repositoryURL.Host
@ -229,30 +295,24 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        gitArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
-		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}

-	var caBundle []byte
-	if bootstrapArgs.caFile != "" {
-		var err error
-		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
-		if err != nil {
-			return fmt.Errorf("unable to read TLS CA file: %w", err)
-		}
+	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
+	if err != nil {
+		return err
 	}

 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitOption{
 		bootstrap.WithRepositoryURL(gitArgs.url),
 		bootstrap.WithBranch(bootstrapArgs.branch),
-		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithPostGenerateSecretFunc(promptPublicKey),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithCABundle(caBundle),
-		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}

 	// Setup bootstrapper with constructed configs
@ -265,30 +325,57 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }

-// transportForURL constructs a transport.AuthMethod based on the scheme
+// getAuthOpts retruns a AuthOptions based on the scheme
 // of the given URL and the configured flags. If the protocol equals
 // "ssh" but no private key is configured, authentication using the local
 // SSH-agent is attempted.
-func transportForURL(u *url.URL) (transport.AuthMethod, error) {
+func getAuthOpts(u *url.URL, caBundle []byte) (*git.AuthOptions, error) {
 	switch u.Scheme {
 	case "http":
 		if !gitArgs.insecureHttpAllowed {
 			return nil, fmt.Errorf("scheme http is insecure, pass --allow-insecure-http=true to allow it")
 		}
-		return &http.BasicAuth{
-			Username: gitArgs.username,
-			Password: gitArgs.password,
-		}, nil
-	case "https":
-		return &http.BasicAuth{
-			Username: gitArgs.username,
-			Password: gitArgs.password,
-		}, nil
-	case "ssh":
-		if bootstrapArgs.privateKeyFile != "" {
-			return ssh.NewPublicKeysFromFile(u.User.Username(), bootstrapArgs.privateKeyFile, gitArgs.password)
+		httpAuth := git.AuthOptions{
+			Transport: git.HTTP,
 		}
-		return nil, nil
+		if gitArgs.withBearerToken {
+			httpAuth.BearerToken = gitArgs.password
+		} else {
+			httpAuth.Username = gitArgs.username
+			httpAuth.Password = gitArgs.password
+		}
+		return &httpAuth, nil
+	case "https":
+		httpsAuth := git.AuthOptions{
+			Transport: git.HTTPS,
+			CAFile:    caBundle,
+		}
+		if gitArgs.withBearerToken {
+			httpsAuth.BearerToken = gitArgs.password
+		} else {
+			httpsAuth.Username = gitArgs.username
+			httpsAuth.Password = gitArgs.password
+		}
+		return &httpsAuth, nil
+	case "ssh":
+		authOpts := &git.AuthOptions{
+			Transport: git.SSH,
+			Username:  u.User.Username(),
+			Password:  gitArgs.password,
+		}
+		if bootstrapArgs.privateKeyFile != "" {
+			pk, err := os.ReadFile(bootstrapArgs.privateKeyFile)
+			if err != nil {
+				return nil, err
+			}
+			kh, err := sourcesecret.ScanHostKey(u.Host)
+			if err != nil {
+				return nil, err
+			}
+			authOpts.Identity = pk
+			authOpts.KnownHosts = kh
+		}
+		return authOpts, nil
 	default:
 		return nil, fmt.Errorf("scheme %q is not supported", u.Scheme)
 	}
--- a/cmd/flux/bootstrap_gitea.go
+++ b/cmd/flux/bootstrap_gitea.go
@ -0,0 +1,276 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/fluxcd/pkg/git"
+	"github.com/fluxcd/pkg/git/gogit"
+	"github.com/spf13/cobra"
+
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
+)
+
+var bootstrapGiteaCmd = &cobra.Command{
+	Use:   "gitea",
+	Short: "Deploy Flux on a cluster connected to a Gitea repository",
+	Long: `The bootstrap gitea command creates the Gitea repository if it doesn't exists and
+commits the Flux manifests to the specified branch.
+Then it configures the target cluster to synchronize with that repository.
+If the Flux components are present on the cluster,
+the bootstrap command will perform an upgrade if needed.`,
+	Example: `  # Create a Gitea personal access token and export it as an env var
+  export GITEA_TOKEN=<my-token>
+
+  # Run bootstrap for a private repository owned by a Gitea organization
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --path=clusters/my-cluster
+
+  # Run bootstrap for a private repository and assign organization teams to it
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug> --path=clusters/my-cluster
+
+  # Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level> --path=clusters/my-cluster
+
+  # Run bootstrap for a public repository on a personal account
+  flux bootstrap gitea --owner=<user> --repository=<repository name> --private=false --personal=true --path=clusters/my-cluster
+
+  # Run bootstrap for a private repository hosted on Gitea Enterprise using SSH auth
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain> --path=clusters/my-cluster
+
+  # Run bootstrap for a private repository hosted on Gitea Enterprise using HTTPS auth
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
+
+  # Run bootstrap for an existing repository with a branch named main
+  flux bootstrap gitea --owner=<organization> --repository=<repository name> --branch=main --path=clusters/my-cluster`,
+	RunE: bootstrapGiteaCmdRun,
+}
+
+type giteaFlags struct {
+	owner        string
+	repository   string
+	interval     time.Duration
+	personal     bool
+	private      bool
+	hostname     string
+	path         flags.SafeRelativePath
+	teams        []string
+	readWriteKey bool
+	reconcile    bool
+}
+
+const (
+	gtDefaultPermission = "maintain"
+	gtDefaultDomain     = "gitea.com"
+	gtTokenEnvVar       = "GITEA_TOKEN"
+)
+
+var giteaArgs giteaFlags
+
+func init() {
+	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.owner, "owner", "", "Gitea user or organization name")
+	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.repository, "repository", "", "Gitea repository name")
+	bootstrapGiteaCmd.Flags().StringSliceVar(&giteaArgs.teams, "team", []string{}, "Gitea team and the access to be given to it(team:maintain). Defaults to maintainer access if no access level is specified (also accepts comma-separated values)")
+	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.personal, "personal", false, "if true, the owner is assumed to be a Gitea user; otherwise an org")
+	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.private, "private", true, "if true, the repository is setup or configured as private")
+	bootstrapGiteaCmd.Flags().DurationVar(&giteaArgs.interval, "interval", time.Minute, "sync interval")
+	bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.hostname, "hostname", gtDefaultDomain, "Gitea hostname")
+	bootstrapGiteaCmd.Flags().Var(&giteaArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
+	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
+	bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
+
+	bootstrapCmd.AddCommand(bootstrapGiteaCmd)
+}
+
+func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error {
+	gtToken := os.Getenv(gtTokenEnvVar)
+	if gtToken == "" {
+		var err error
+		gtToken, err = readPasswordFromStdin("Please enter your Gitea personal access token (PAT): ")
+		if err != nil {
+			return fmt.Errorf("could not read token: %w", err)
+		}
+	}
+
+	if err := bootstrapValidate(); err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	// Manifest base
+	if ver, err := getVersion(bootstrapArgs.version); err != nil {
+		return err
+	} else {
+		bootstrapArgs.version = ver
+	}
+	manifestsBase, err := buildEmbeddedManifestBase()
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(manifestsBase)
+
+	var caBundle []byte
+	if bootstrapArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+	// Build Gitea provider
+	providerCfg := provider.Config{
+		Provider: provider.GitProviderGitea,
+		Hostname: giteaArgs.hostname,
+		Token:    gtToken,
+		CaBundle: caBundle,
+	}
+	providerClient, err := provider.BuildGitProvider(providerCfg)
+	if err != nil {
+		return err
+	}
+
+	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
+	if err != nil {
+		return fmt.Errorf("failed to create temporary working dir: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
+	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
+		Transport: git.HTTPS,
+		Username:  giteaArgs.owner,
+		Password:  gtToken,
+		CAFile:    caBundle,
+	}, clientOpts...)
+	if err != nil {
+		return fmt.Errorf("failed to create a Git client: %w", err)
+	}
+
+	// Install manifest config
+	installOptions := install.Options{
+		BaseURL:                rootArgs.defaults.BaseURL,
+		Version:                bootstrapArgs.version,
+		Namespace:              *kubeconfigArgs.Namespace,
+		Components:             bootstrapComponents(),
+		Registry:               bootstrapArgs.registry,
+		RegistryCredential:     bootstrapArgs.registryCredential,
+		ImagePullSecret:        bootstrapArgs.imagePullSecret,
+		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
+		NetworkPolicy:          bootstrapArgs.networkPolicy,
+		LogLevel:               bootstrapArgs.logLevel.String(),
+		NotificationController: rootArgs.defaults.NotificationController,
+		ManifestFile:           rootArgs.defaults.ManifestFile,
+		Timeout:                rootArgs.timeout,
+		TargetPath:             giteaArgs.path.ToSlash(),
+		ClusterDomain:          bootstrapArgs.clusterDomain,
+		TolerationKeys:         bootstrapArgs.tolerationKeys,
+	}
+	if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
+		installOptions.BaseURL = customBaseURL
+	}
+
+	// Source generation and secret config
+	secretOpts := sourcesecret.Options{
+		Name:         bootstrapArgs.secretName,
+		Namespace:    *kubeconfigArgs.Namespace,
+		TargetPath:   giteaArgs.path.ToSlash(),
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
+	}
+	if bootstrapArgs.tokenAuth {
+		secretOpts.Username = "git"
+		secretOpts.Password = gtToken
+		secretOpts.CACrt = caBundle
+	} else {
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
+		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
+		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
+
+		secretOpts.SSHHostname = giteaArgs.hostname
+		if bootstrapArgs.sshHostname != "" {
+			secretOpts.SSHHostname = bootstrapArgs.sshHostname
+		}
+	}
+
+	// Sync manifest config
+	syncOpts := sync.Options{
+		Interval:          giteaArgs.interval,
+		Name:              *kubeconfigArgs.Namespace,
+		Namespace:         *kubeconfigArgs.Namespace,
+		Branch:            bootstrapArgs.branch,
+		Secret:            bootstrapArgs.secretName,
+		TargetPath:        giteaArgs.path.ToSlash(),
+		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
+		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
+	}
+
+	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
+	if err != nil {
+		return err
+	}
+
+	// Bootstrap config
+	bootstrapOpts := []bootstrap.GitProviderOption{
+		bootstrap.WithProviderRepository(giteaArgs.owner, giteaArgs.repository, giteaArgs.personal),
+		bootstrap.WithBranch(bootstrapArgs.branch),
+		bootstrap.WithBootstrapTransportType("https"),
+		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
+		bootstrap.WithProviderTeamPermissions(mapTeamSlice(giteaArgs.teams, gtDefaultPermission)),
+		bootstrap.WithReadWriteKeyPermissions(giteaArgs.readWriteKey),
+		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
+		bootstrap.WithLogger(logger),
+		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+	}
+	if bootstrapArgs.sshHostname != "" {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
+	}
+	if bootstrapArgs.tokenAuth {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
+	}
+	if !giteaArgs.private {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
+	}
+	if giteaArgs.reconcile {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
+	}
+
+	// Setup bootstrapper with constructed configs
+	b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
+	if err != nil {
+		return err
+	}
+
+	// Run
+	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
+}
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@ -22,54 +22,51 @@ import (
 	"os"
 	"time"

-	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/fluxcd/pkg/git"
+	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"

-	"github.com/fluxcd/flux2/internal/bootstrap"
-	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
-	"github.com/fluxcd/flux2/internal/bootstrap/provider"
-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )

 var bootstrapGitHubCmd = &cobra.Command{
 	Use:   "github",
-	Short: "Bootstrap toolkit components in a GitHub repository",
+	Short: "Deploy Flux on a cluster connected to a GitHub repository",
 	Long: `The bootstrap github command creates the GitHub repository if it doesn't exists and
-commits the toolkit components manifests to the main branch.
-Then it configures the target cluster to synchronize with the repository.
-If the toolkit components are present on the cluster,
+commits the Flux manifests to the specified branch.
+Then it configures the target cluster to synchronize with that repository.
+If the Flux components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitHub personal access token and export it as an env var
  export GITHUB_TOKEN=<my-token>

  # Run bootstrap for a private repository owned by a GitHub organization
-  flux bootstrap github --owner=<organization> --repository=<repository name>
+  flux bootstrap github --owner=<organization> --repository=<repository name> --path=clusters/my-cluster

  # Run bootstrap for a private repository and assign organization teams to it
-  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug>
+  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug> --team=<team2 slug> --path=clusters/my-cluster

  # Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it
-  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level>
-
-  # Run bootstrap for a repository path
-  flux bootstrap github --owner=<organization> --repository=<repository name> --path=dev-cluster
+  flux bootstrap github --owner=<organization> --repository=<repository name> --team=<team1 slug>:<access-level> --path=clusters/my-cluster

  # Run bootstrap for a public repository on a personal account
-  flux bootstrap github --owner=<user> --repository=<repository name> --private=false --personal=true
+  flux bootstrap github --owner=<user> --repository=<repository name> --private=false --personal=true --path=clusters/my-cluster

  # Run bootstrap for a private repository hosted on GitHub Enterprise using SSH auth
-  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain>
+  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --ssh-hostname=<domain> --path=clusters/my-cluster

  # Run bootstrap for a private repository hosted on GitHub Enterprise using HTTPS auth
-  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth
+  flux bootstrap github --owner=<organization> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster

  # Run bootstrap for an existing repository with a branch named main
-  flux bootstrap github --owner=<organization> --repository=<repository name> --branch=main`,
+  flux bootstrap github --owner=<organization> --repository=<repository name> --branch=main --path=clusters/my-cluster`,
 	RunE: bootstrapGitHubCmdRun,
 }

@ -131,8 +128,17 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if !bootstrapArgs.force {
+		err = confirmBootstrap(ctx, kubeClient)
+		if err != nil {
+			return err
+		}
+	}
+
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+	if ver, err := getVersion(bootstrapArgs.version); err != nil {
+		return err
+	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@ -161,16 +167,22 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	// Lazy go-git repository
 	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-	gitClient := gogit.New(tmpDir, &http.BasicAuth{
-		Username: githubArgs.owner,
-		Password: ghToken,
-	})
+
+	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
+	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
+		Transport: git.HTTPS,
+		Username:  githubArgs.owner,
+		Password:  ghToken,
+		CAFile:    caBundle,
+	}, clientOpts...)
+	if err != nil {
+		return fmt.Errorf("failed to create a Git client: %w", err)
+	}

 	// Install manifest config
 	installOptions := install.Options{
@ -179,6 +191,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
+		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@ -204,16 +217,13 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = ghToken
-
-		if bootstrapArgs.caFile != "" {
-			secretOpts.CAFilePath = bootstrapArgs.caFile
-		}
+		secretOpts.CACrt = caBundle
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-		secretOpts.SSHHostname = githubArgs.hostname

+		secretOpts.SSHHostname = githubArgs.hostname
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
@ -228,23 +238,26 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        githubArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
-		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}

+	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
+	if err != nil {
+		return err
+	}
+
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(githubArgs.owner, githubArgs.repository, githubArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
-		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(githubArgs.teams, ghDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(githubArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithCABundle(caBundle),
-		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@ -24,27 +24,28 @@ import (
 	"strings"
 	"time"

-	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/fluxcd/go-git-providers/gitprovider"
+	"github.com/fluxcd/pkg/git"
+	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"

-	"github.com/fluxcd/flux2/internal/bootstrap"
-	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
-	"github.com/fluxcd/flux2/internal/bootstrap/provider"
-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )

 var bootstrapGitLabCmd = &cobra.Command{
 	Use:   "gitlab",
-	Short: "Bootstrap toolkit components in a GitLab repository",
-	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exists and
-commits the toolkit components manifests to the master branch.
-Then it configures the target cluster to synchronize with the repository.
-If the toolkit components are present on the cluster,
+	Short: "Deploy Flux on a cluster connected to a GitLab repository",
+	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exist and
+commits the Flux manifests to the specified branch.
+Then it configures the target cluster to synchronize with that repository.
+If the Flux components are present on the cluster,
 the bootstrap command will perform an upgrade if needed.`,
 	Example: `  # Create a GitLab API token and export it as an env var
  export GITLAB_TOKEN=<my-token>
@ -58,14 +59,18 @@ the bootstrap command will perform an upgrade if needed.`,
  # Run bootstrap for a repository path
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --path=dev-cluster

-  # Run bootstrap for a public repository on a personal account
-  flux bootstrap gitlab --owner=<user> --repository=<repository name> --private=false --personal --token-auth
+  # Run bootstrap for a public repository
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --visibility=public  --token-auth

  # Run bootstrap for a private repository hosted on a GitLab server
-  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<domain> --token-auth
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<gitlab_url> --token-auth

-  # Run bootstrap for a an existing repository with a branch named main
-  flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth`,
+  # Run bootstrap for an existing repository with a branch named main
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --branch=main --token-auth
+
+  # Run bootstrap for a private repository using Deploy Token authentication
+  flux bootstrap gitlab --owner=<group> --repository=<repository name> --deploy-token-auth
+  `,
 	RunE: bootstrapGitLabCmdRun,
 }

@ -77,19 +82,27 @@ const (
 )

 type gitlabFlags struct {
-	owner        string
-	repository   string
-	interval     time.Duration
-	personal     bool
-	private      bool
-	hostname     string
-	path         flags.SafeRelativePath
-	teams        []string
-	readWriteKey bool
-	reconcile    bool
+	owner           string
+	repository      string
+	interval        time.Duration
+	personal        bool
+	visibility      flags.GitLabVisibility
+	private         bool
+	hostname        string
+	path            flags.SafeRelativePath
+	teams           []string
+	readWriteKey    bool
+	reconcile       bool
+	deployTokenAuth bool
 }

-var gitlabArgs gitlabFlags
+func NewGitlabFlags() gitlabFlags {
+	return gitlabFlags{
+		visibility: flags.GitLabVisibility(gitprovider.RepositoryVisibilityPrivate),
+	}
+}
+
+var gitlabArgs = NewGitlabFlags()

 func init() {
 	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.owner, "owner", "", "GitLab user or group name")
@ -97,11 +110,14 @@ func init() {
 	bootstrapGitLabCmd.Flags().StringSliceVar(&gitlabArgs.teams, "team", []string{}, "GitLab teams to be given maintainer access (also accepts comma-separated values)")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.personal, "personal", false, "if true, the owner is assumed to be a GitLab user; otherwise a group")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.private, "private", true, "if true, the repository is setup or configured as private")
+	bootstrapGitLabCmd.Flags().MarkDeprecated("private", "use --visibility instead")
+	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.visibility, "visibility", gitlabArgs.visibility.Description())
 	bootstrapGitLabCmd.Flags().DurationVar(&gitlabArgs.interval, "interval", time.Minute, "sync interval")
 	bootstrapGitLabCmd.Flags().StringVar(&gitlabArgs.hostname, "hostname", glDefaultDomain, "GitLab hostname")
 	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
+	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.deployTokenAuth, "deploy-token-auth", false, "when enabled, a Project Deploy Token is generated and will be used instead of the SSH deploy token")

 	bootstrapCmd.AddCommand(bootstrapGitLabCmd)
 }
@ -123,6 +139,15 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if bootstrapArgs.tokenAuth && gitlabArgs.deployTokenAuth {
+		return fmt.Errorf("--token-auth and --deploy-token-auth cannot be set both.")
+	}
+
+	if !gitlabArgs.private {
+		gitlabArgs.visibility.Set(string(gitprovider.RepositoryVisibilityPublic))
+		cmd.Println("Using visibility public as --private=false")
+	}
+
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
@ -135,8 +160,17 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	if !bootstrapArgs.force {
+		err = confirmBootstrap(ctx, kubeClient)
+		if err != nil {
+			return err
+		}
+	}
+
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+	if ver, err := getVersion(bootstrapArgs.version); err != nil {
+		return err
+	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@ -178,10 +212,17 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-	gitClient := gogit.New(tmpDir, &http.BasicAuth{
-		Username: gitlabArgs.owner,
-		Password: glToken,
-	})
+
+	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
+	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
+		Transport: git.HTTPS,
+		Username:  gitlabArgs.owner,
+		Password:  glToken,
+		CAFile:    caBundle,
+	}, clientOpts...)
+	if err != nil {
+		return fmt.Errorf("failed to create a Git client: %w", err)
+	}

 	// Install manifest config
 	installOptions := install.Options{
@ -190,6 +231,7 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		Namespace:              *kubeconfigArgs.Namespace,
 		Components:             bootstrapComponents(),
 		Registry:               bootstrapArgs.registry,
+		RegistryCredential:     bootstrapArgs.registryCredential,
 		ImagePullSecret:        bootstrapArgs.imagePullSecret,
 		WatchAllNamespaces:     bootstrapArgs.watchAllNamespaces,
 		NetworkPolicy:          bootstrapArgs.networkPolicy,
@ -215,19 +257,21 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = glToken
-
-		if bootstrapArgs.caFile != "" {
-			secretOpts.CAFilePath = bootstrapArgs.caFile
-		}
+		secretOpts.CACrt = caBundle
+	} else if gitlabArgs.deployTokenAuth {
+		// the actual deploy token will be reconciled later
+		secretOpts.CACrt = caBundle
 	} else {
+		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
+		if err != nil {
+			return err
+		}
+		secretOpts.Keypair = keypair
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
-		secretOpts.SSHHostname = gitlabArgs.hostname

-		if bootstrapArgs.privateKeyFile != "" {
-			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
-		}
+		secretOpts.SSHHostname = gitlabArgs.hostname
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
@ -242,32 +286,36 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		Secret:            bootstrapArgs.secretName,
 		TargetPath:        gitlabArgs.path.ToSlash(),
 		ManifestFile:      sync.MakeDefaultOptions().ManifestFile,
-		GitImplementation: sourceGitArgs.gitImplementation.String(),
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}

+	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
+	if err != nil {
+		return err
+	}
+
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(gitlabArgs.owner, gitlabArgs.repository, gitlabArgs.personal),
+		bootstrap.WithProviderVisibility(gitlabArgs.visibility.String()),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
-		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(gitlabArgs.teams, glDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(gitlabArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithCABundle(caBundle),
-		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
+		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
-	if bootstrapArgs.tokenAuth {
+	if bootstrapArgs.tokenAuth || gitlabArgs.deployTokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
-	if !gitlabArgs.private {
-		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
+	if gitlabArgs.deployTokenAuth {
+		bootstrapOpts = append(bootstrapOpts, bootstrap.WithDeployTokenAuth())
 	}
 	if gitlabArgs.reconcile {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
--- a/cmd/flux/build.go
+++ b/cmd/flux/build.go
@ -23,7 +23,7 @@ import (
 var buildCmd = &cobra.Command{
 	Use:   "build",
 	Short: "Build a flux resource",
-	Long:  "The build command is used to build flux resources.",
+	Long:  `The build command is used to build flux resources.`,
 }

 func init() {
--- a/cmd/flux/build_artifact.go
+++ b/cmd/flux/build_artifact.go
@ -17,23 +17,30 @@ limitations under the License.
 package main

 import (
+	"bufio"
+	"bytes"
 	"fmt"
+	"io"
 	"os"
 	"strings"

 	"github.com/spf13/cobra"

-	oci "github.com/fluxcd/pkg/oci/client"
+	"github.com/fluxcd/pkg/oci"
 	"github.com/fluxcd/pkg/sourceignore"
 )

 var buildArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Build artifact",
-	Long:  `The build artifact command creates a tgz file with the manifests from the given directory.`,
+	Long: `The build artifact command creates a tgz file with the manifests
+from the given directory or a single manifest file.`,
 	Example: `  # Build the given manifests directory into an artifact
  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz

+  # Build the given single manifest file into an artifact
+  flux build artifact --path ./path/to/local/manifest.yaml --output ./path/to/artifact.tgz
+
  # List the files bundled in the artifact
  tar -ztvf ./path/to/artifact.tgz
 `,
@ -51,7 +58,7 @@ var excludeOCI = append(strings.Split(sourceignore.ExcludeVCS, ","), strings.Spl
 var buildArtifactArgs buildArtifactFlags

 func init() {
-	buildArtifactCmd.Flags().StringVar(&buildArtifactArgs.path, "path", "", "Path to the directory where the Kubernetes manifests are located.")
+	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.path, "path", "p", "", "Path to the directory where the Kubernetes manifests are located.")
 	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
 	buildArtifactCmd.Flags().StringSliceVar(&buildArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")

@ -63,18 +70,48 @@ func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid path %q", buildArtifactArgs.path)
 	}

-	if fs, err := os.Stat(buildArtifactArgs.path); err != nil || !fs.IsDir() {
-		return fmt.Errorf("invalid path '%s', must point to an existing directory", buildArtifactArgs.path)
+	path := buildArtifactArgs.path
+	var err error
+	if buildArtifactArgs.path == "-" {
+		path, err = saveReaderToFile(os.Stdin)
+		if err != nil {
+			return err
+		}
+
+		defer os.Remove(path)
 	}

-	logger.Actionf("building artifact from %s", buildArtifactArgs.path)
+	if _, err := os.Stat(path); err != nil {
+		return fmt.Errorf("invalid path '%s', must point to an existing directory or file", path)
+	}

-	ociClient := oci.NewLocalClient()
-	if err := ociClient.Build(buildArtifactArgs.output, buildArtifactArgs.path, buildArtifactArgs.ignorePaths); err != nil {
-		return fmt.Errorf("bulding artifact failed, error: %w", err)
+	logger.Actionf("building artifact from %s", path)
+
+	ociClient := oci.NewClient(oci.DefaultOptions())
+	if err := ociClient.Build(buildArtifactArgs.output, path, buildArtifactArgs.ignorePaths); err != nil {
+		return fmt.Errorf("building artifact failed, error: %w", err)
 	}

 	logger.Successf("artifact created at %s", buildArtifactArgs.output)
-
 	return nil
 }
+
+func saveReaderToFile(reader io.Reader) (string, error) {
+	b, err := io.ReadAll(bufio.NewReader(reader))
+	if err != nil {
+		return "", err
+	}
+	b = bytes.TrimRight(b, "\r\n")
+	f, err := os.CreateTemp("", "*.yaml")
+	if err != nil {
+		return "", fmt.Errorf("unable to create temp dir for stdin")
+	}
+
+	defer f.Close()
+
+	if _, err := f.Write(b); err != nil {
+		return "", fmt.Errorf("error writing stdin to file: %w", err)
+	}
+
+	return f.Name(), nil
+}
--- a/cmd/flux/build_artifact_test.go
+++ b/cmd/flux/build_artifact_test.go
@ -0,0 +1,70 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"os"
+	"strings"
+	"testing"
+
+	. "github.com/onsi/gomega"
+)
+
+func Test_saveReaderToFile(t *testing.T) {
+	g := NewWithT(t)
+
+	testString := `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: myapp
+data:
+  foo: bar`
+
+	tests := []struct {
+		name      string
+		string    string
+		expectErr bool
+	}{
+		{
+			name:   "yaml",
+			string: testString,
+		},
+		{
+			name:   "yaml with carriage return",
+			string: testString + "\r\n",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tmpFile, err := saveReaderToFile(strings.NewReader(tt.string))
+			g.Expect(err).To(BeNil())
+
+			t.Cleanup(func() { _ = os.Remove(tmpFile) })
+
+			b, err := os.ReadFile(tmpFile)
+			if tt.expectErr {
+				g.Expect(err).To(Not(BeNil()))
+				return
+			}
+
+			g.Expect(err).To(BeNil())
+			g.Expect(string(b)).To(BeEquivalentTo(testString))
+		})
+
+	}
+}
--- a/cmd/flux/build_kustomization.go
+++ b/cmd/flux/build_kustomization.go
@ -23,8 +23,10 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fluxcd/flux2/internal/build"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	ssautil "github.com/fluxcd/pkg/ssa/utils"
+
+	"github.com/fluxcd/flux2/v2/internal/build"
 )

 var buildKsCmd = &cobra.Command{
@ -40,7 +42,23 @@ It is possible to specify a Flux kustomization file using --kustomization-file.`
 flux build kustomization my-app --path ./path/to/local/manifests

 # Build using a local flux kustomization file
-flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml`,
+flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml
+
+# Build in dry-run mode without connecting to the cluster.
+# Note that variable substitutions from Secrets and ConfigMaps are skipped in dry-run mode.
+flux build kustomization my-app --path ./path/to/local/manifests \
+	--kustomization-file ./path/to/local/my-app.yaml \
+	--dry-run
+
+# Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
+flux build kustomization my-app --path ./path/to/local/manifests \
+	--kustomization-file ./path/to/local/my-app.yaml \
+	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"
+
+# Run recursively on all encountered Kustomizations
+flux build kustomization my-app --path ./path/to/local/manifests \
+	--recursive \
+	--local-sources GitRepository/flux-system/my-repo=./path/to/local/git`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              buildKsCmdRun,
 }
@ -48,6 +66,11 @@ flux build kustomization my-app --path ./path/to/local/manifests --kustomization
 type buildKsFlags struct {
 	kustomizationFile string
 	path              string
+	ignorePaths       []string
+	dryRun            bool
+	strictSubst       bool
+	recursive         bool
+	localSources      map[string]string
 }

 var buildKsArgs buildKsFlags
@ -55,10 +78,16 @@ var buildKsArgs buildKsFlags
 func init() {
 	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.")
 	buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
+	buildKsCmd.Flags().StringSliceVar(&buildKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
+	buildKsCmd.Flags().BoolVar(&buildKsArgs.dryRun, "dry-run", false, "Dry run mode.")
+	buildKsCmd.Flags().BoolVar(&buildKsArgs.strictSubst, "strict-substitute", false,
+		"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
+	buildKsCmd.Flags().BoolVarP(&buildKsArgs.recursive, "recursive", "r", false, "Recursively build Kustomizations")
+	buildKsCmd.Flags().StringToStringVar(&buildKsArgs.localSources, "local-sources", nil, "Comma-separated list of repositories in format: Kind/namespace/name=path")
 	buildCmd.AddCommand(buildKsCmd)
 }

-func buildKsCmdRun(cmd *cobra.Command, args []string) error {
+func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 	if len(args) < 1 {
 		return fmt.Errorf("%s name is required", kustomizationType.humanKind)
 	}
@ -72,13 +101,40 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
 	}

+	if buildKsArgs.dryRun && buildKsArgs.kustomizationFile == "" {
+		return fmt.Errorf("dry-run mode requires a kustomization file")
+	}
+
 	if buildKsArgs.kustomizationFile != "" {
 		if fs, err := os.Stat(buildKsArgs.kustomizationFile); os.IsNotExist(err) || fs.IsDir() {
 			return fmt.Errorf("invalid kustomization file %q", buildKsArgs.kustomizationFile)
 		}
 	}

-	builder, err := build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, buildKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(buildKsArgs.kustomizationFile))
+	var builder *build.Builder
+	if buildKsArgs.dryRun {
+		builder, err = build.NewBuilder(name, buildKsArgs.path,
+			build.WithTimeout(rootArgs.timeout),
+			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
+			build.WithDryRun(buildKsArgs.dryRun),
+			build.WithNamespace(*kubeconfigArgs.Namespace),
+			build.WithIgnore(buildKsArgs.ignorePaths),
+			build.WithStrictSubstitute(buildKsArgs.strictSubst),
+			build.WithRecursive(buildKsArgs.recursive),
+			build.WithLocalSources(buildKsArgs.localSources),
+		)
+	} else {
+		builder, err = build.NewBuilder(name, buildKsArgs.path,
+			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
+			build.WithTimeout(rootArgs.timeout),
+			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
+			build.WithIgnore(buildKsArgs.ignorePaths),
+			build.WithStrictSubstitute(buildKsArgs.strictSubst),
+			build.WithRecursive(buildKsArgs.recursive),
+			build.WithLocalSources(buildKsArgs.localSources),
+		)
+	}
+
 	if err != nil {
 		return err
 	}
@ -89,12 +145,17 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) error {

 	errChan := make(chan error)
 	go func() {
-		manifests, err := builder.Build()
+		objects, err := builder.Build()
 		if err != nil {
 			errChan <- err
 		}

-		cmd.Print(string(manifests))
+		manifests, err := ssautil.ObjectsToYAML(objects)
+		if err != nil {
+			errChan <- err
+		}
+
+		cmd.Print(manifests)
 		errChan <- nil
 	}()

--- a/cmd/flux/build_kustomization_test.go
+++ b/cmd/flux/build_kustomization_test.go
@ -22,6 +22,7 @@ package main
 import (
 	"bytes"
 	"os"
+	"path/filepath"
 	"testing"
 	"text/template"
 )
@ -63,6 +64,18 @@ func TestBuildKustomization(t *testing.T) {
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
+		{
+			name:       "build ignore",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/ignore --ignore-paths \"!configmap.yaml,!secret.yaml\"",
+			resultFile: "./testdata/build-kustomization/podinfo-with-ignore-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build with recursive",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
+			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
 	}

 	tmpl := map[string]string{
@ -92,7 +105,7 @@ func TestBuildKustomization(t *testing.T) {
 }

 func TestBuildLocalKustomization(t *testing.T) {
-	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: podinfo
@ -112,6 +125,8 @@ spec:
      cluster_region: "eu-central-1"
 `

+	tmpFile := filepath.Join(t.TempDir(), "podinfo.yaml")
+
 	tests := []struct {
 		name       string
 		args       string
@ -126,29 +141,46 @@ spec:
 		},
 		{
 			name:       "build podinfo",
-			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/podinfo",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo",
 			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build podinfo without service",
-			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/delete-service",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/delete-service",
 			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build deployment and configmap with var substitution",
-			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/var-substitution",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution",
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
+		{
+			name:       "build deployment and configmap with var substitution in dry-run mode",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution --dry-run",
+			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build with recursive",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
+			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build with recursive in dry-run mode",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --dry-run",
+			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
 	}

 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
-
-	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
+	setup(t, tmpl)

 	temp, err := template.New("podinfo").Parse(podinfo)
 	if err != nil {
@ -161,13 +193,11 @@ spec:
 		t.Fatal(err)
 	}

-	err = os.WriteFile("./testdata/build-kustomization/podinfo.yaml", b.Bytes(), 0666)
+	err = os.WriteFile(tmpFile, b.Bytes(), 0666)
 	if err != nil {
 		t.Fatal(err)
 	}

-	defer os.Remove("./testdata/build-kustomization/podinfo.yaml")
-
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var assert assertFunc
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@ -18,6 +18,7 @@ package main

 import (
 	"context"
+	"fmt"
 	"os"
 	"time"

@ -26,21 +27,23 @@ import (
 	v1 "k8s.io/api/apps/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/fluxcd/pkg/version"

-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/status"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/status"
 )

 var checkCmd = &cobra.Command{
 	Use:   "check",
+	Args:  cobra.NoArgs,
 	Short: "Check requirements and installation",
-	Long: `The check command will perform a series of checks to validate that
-the local environment is configured correctly and if the installed components are healthy.`,
+	Long: withPreviewNote(`The check command will perform a series of checks to validate that
+the local environment is configured correctly and if the installed components are healthy.`),
 	Example: `  # Run pre-installation checks
  flux check --pre

@ -57,7 +60,7 @@ type checkFlags struct {
 }

 var kubernetesConstraints = []string{
-	">=1.20.6-0",
+	">=1.31.0-0",
 }

 var checkArgs checkFlags
@ -80,7 +83,20 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {

 	fluxCheck()

-	if !kubernetesCheck(kubernetesConstraints) {
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return fmt.Errorf("Kubernetes client initialization failed: %s", err.Error())
+	}
+
+	kubeClient, err := client.New(cfg, client.Options{Scheme: utils.NewScheme()})
+	if err != nil {
+		return err
+	}
+
+	if !kubernetesCheck(cfg, kubernetesConstraints) {
 		checkFailed = true
 	}

@ -92,13 +108,18 @@ func runCheckCmd(cmd *cobra.Command, args []string) error {
 		return nil
 	}

+	logger.Actionf("checking version in cluster")
+	if !fluxClusterVersionCheck(ctx, kubeClient) {
+		checkFailed = true
+	}
+
 	logger.Actionf("checking controllers")
-	if !componentsCheck() {
+	if !componentsCheck(ctx, kubeClient) {
 		checkFailed = true
 	}

 	logger.Actionf("checking crds")
-	if !crdsCheck() {
+	if !crdsCheck(ctx, kubeClient) {
 		checkFailed = true
 	}

@ -129,17 +150,11 @@ func fluxCheck() {
 		return
 	}
 	if latestSv.GreaterThan(curSv) {
-		logger.Failuref("flux %s <%s (new version is available, please upgrade)", curSv, latestSv)
+		logger.Failuref("flux %s <%s (new CLI version is available, please upgrade)", curSv, latestSv)
 	}
 }

-func kubernetesCheck(constraints []string) bool {
-	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
-		return false
-	}
-
+func kubernetesCheck(cfg *rest.Config, constraints []string) bool {
 	clientSet, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
 		logger.Failuref("Kubernetes client initialization failed: %s", err.Error())
@ -178,21 +193,8 @@ func kubernetesCheck(constraints []string) bool {
 	return true
 }

-func componentsCheck() bool {
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeConfig, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return false
-	}
-
-	statusChecker, err := status.NewStatusChecker(kubeConfig, checkArgs.pollInterval, rootArgs.timeout, logger)
-	if err != nil {
-		return false
-	}
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+func componentsCheck(ctx context.Context, kubeClient client.Client) bool {
+	statusChecker, err := status.NewStatusCheckerWithClient(kubeClient, checkArgs.pollInterval, rootArgs.timeout, logger)
 	if err != nil {
 		return false
 	}
@ -215,22 +217,14 @@ func componentsCheck() bool {
 				}
 			}
 			for _, c := range d.Spec.Template.Spec.Containers {
-				logger.Actionf(c.Image)
+				logger.Actionf("%s", c.Image)
 			}
 		}
 	}
 	return ok
 }

-func crdsCheck() bool {
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
-	if err != nil {
-		return false
-	}
-
+func crdsCheck(ctx context.Context, kubeClient client.Client) bool {
 	ok := true
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	var list apiextensionsv1.CustomResourceDefinitionList
@ -242,8 +236,9 @@ func crdsCheck() bool {
 		}

 		for _, crd := range list.Items {
-			if len(crd.Status.StoredVersions) > 0 {
-				logger.Successf(crd.Name + "/" + crd.Status.StoredVersions[0])
+			versions := crd.Status.StoredVersions
+			if len(versions) > 0 {
+				logger.Successf("%s", crd.Name+"/"+versions[len(versions)-1])
 			} else {
 				ok = false
 				logger.Failuref("no stored versions for %s", crd.Name)
@ -252,3 +247,17 @@ func crdsCheck() bool {
 	}
 	return ok
 }
+
+func fluxClusterVersionCheck(ctx context.Context, kubeClient client.Client) bool {
+	clusterInfo, err := getFluxClusterInfo(ctx, kubeClient)
+	if err != nil {
+		logger.Failuref("checking failed: %s", err.Error())
+		return false
+	}
+
+	if clusterInfo.distribution() != "" {
+		logger.Successf("distribution: %s", clusterInfo.distribution())
+	}
+	logger.Successf("bootstrapped: %t", clusterInfo.bootstrapped)
+	return true
+}
--- a/cmd/flux/check_test.go
+++ b/cmd/flux/check_test.go
@ -25,7 +25,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 func TestCheckPre(t *testing.T) {
--- a/cmd/flux/cluster_info.go
+++ b/cmd/flux/cluster_info.go
@ -0,0 +1,126 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/manifoldco/promptui"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
+)
+
+// bootstrapLabels are labels put on a resource by kustomize-controller. These labels on the CRD indicates
+// that flux has been bootstrapped.
+var bootstrapLabels = []string{
+	fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group),
+	fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group),
+}
+
+// fluxClusterInfo contains information about an existing flux installation on a cluster.
+type fluxClusterInfo struct {
+	// bootstrapped indicates that Flux was installed using the `flux bootstrap` command.
+	bootstrapped bool
+	// managedBy is the name of the tool being used to manage the installation of Flux.
+	managedBy string
+	// partOf indicates which distribution the instance is a part of.
+	partOf string
+	// version is the Flux version number in semver format.
+	version string
+}
+
+// getFluxClusterInfo returns information on the Flux installation running on the cluster.
+// If an error occurred, the returned error will be non-nil.
+//
+// This function retrieves the GitRepository CRD from the cluster and checks it
+// for a set of labels used to determine the Flux version and how Flux was installed.
+// It returns the NotFound error from the underlying library if it was unable to find
+// the GitRepository CRD and this can be used to check if Flux is installed.
+func getFluxClusterInfo(ctx context.Context, c client.Client) (fluxClusterInfo, error) {
+	var info fluxClusterInfo
+	crdMetadata := &metav1.PartialObjectMetadata{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: apiextensionsv1.SchemeGroupVersion.String(),
+			Kind:       "CustomResourceDefinition",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: fmt.Sprintf("gitrepositories.%s", sourcev1.GroupVersion.Group),
+		},
+	}
+	if err := c.Get(ctx, client.ObjectKeyFromObject(crdMetadata), crdMetadata); err != nil {
+		return info, err
+	}
+
+	info.version = crdMetadata.Labels[manifestgen.VersionLabelKey]
+
+	var present bool
+	for _, l := range bootstrapLabels {
+		_, present = crdMetadata.Labels[l]
+	}
+	if present {
+		info.bootstrapped = true
+	}
+
+	// the `app.kubernetes.io/managed-by` label is not set by flux but might be set by other
+	// tools used to install Flux e.g Helm.
+	if manager, ok := crdMetadata.Labels["app.kubernetes.io/managed-by"]; ok {
+		info.managedBy = manager
+	}
+
+	if partOf, ok := crdMetadata.Labels[manifestgen.PartOfLabelKey]; ok {
+		info.partOf = partOf
+	}
+	return info, nil
+}
+
+// confirmFluxInstallOverride displays a prompt to the user so that they can confirm before overriding
+// a Flux installation. It returns nil if the installation should continue,
+// promptui.ErrAbort if the user doesn't confirm, or an error encountered.
+func confirmFluxInstallOverride(info fluxClusterInfo) error {
+	// no need to display prompt if installation is managed by Flux
+	if installManagedByFlux(info.managedBy) {
+		return nil
+	}
+
+	display := fmt.Sprintf("Flux %s has been installed on this cluster with %s!", info.version, info.managedBy)
+	fmt.Fprintln(rootCmd.ErrOrStderr(), display)
+	prompt := promptui.Prompt{
+		Label:     fmt.Sprintf("Are you sure you want to override the %s installation? Y/N", info.managedBy),
+		IsConfirm: true,
+	}
+	_, err := prompt.Run()
+	return err
+}
+
+func (info fluxClusterInfo) distribution() string {
+	distribution := info.version
+	if info.partOf != "" {
+		distribution = fmt.Sprintf("%s-%s", info.partOf, info.version)
+	}
+	return distribution
+}
+
+func installManagedByFlux(manager string) bool {
+	return manager == "" || manager == "flux"
+}
--- a/cmd/flux/cluster_info_test.go
+++ b/cmd/flux/cluster_info_test.go
@ -0,0 +1,141 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"testing"
+
+	. "github.com/onsi/gomega"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	ssautil "github.com/fluxcd/pkg/ssa/utils"
+)
+
+func Test_getFluxClusterInfo(t *testing.T) {
+	g := NewWithT(t)
+	f, err := os.Open("./testdata/cluster_info/gitrepositories.yaml")
+	g.Expect(err).To(BeNil())
+
+	objs, err := ssautil.ReadObjects(f)
+	g.Expect(err).To(Not(HaveOccurred()))
+	gitrepo := objs[0]
+
+	tests := []struct {
+		name     string
+		labels   map[string]string
+		wantErr  bool
+		wantInfo fluxClusterInfo
+	}{
+		{
+			name:    "no git repository CRD present",
+			wantErr: true,
+		},
+		{
+			name: "CRD with kustomize-controller labels",
+			labels: map[string]string{
+				fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group):      "flux-system",
+				fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
+				"app.kubernetes.io/version":                                 "v2.1.0",
+			},
+			wantInfo: fluxClusterInfo{
+				version:      "v2.1.0",
+				bootstrapped: true,
+			},
+		},
+		{
+			name: "CRD with kustomize-controller labels and managed-by label",
+			labels: map[string]string{
+				fmt.Sprintf("%s/name", kustomizev1.GroupVersion.Group):      "flux-system",
+				fmt.Sprintf("%s/namespace", kustomizev1.GroupVersion.Group): "flux-system",
+				"app.kubernetes.io/version":                                 "v2.1.0",
+				"app.kubernetes.io/managed-by":                              "flux",
+			},
+			wantInfo: fluxClusterInfo{
+				version:      "v2.1.0",
+				bootstrapped: true,
+				managedBy:    "flux",
+			},
+		},
+		{
+			name: "CRD with only managed-by label",
+			labels: map[string]string{
+				"app.kubernetes.io/version":    "v2.1.0",
+				"app.kubernetes.io/managed-by": "helm",
+			},
+			wantInfo: fluxClusterInfo{
+				version:   "v2.1.0",
+				managedBy: "helm",
+			},
+		},
+		{
+			name:     "CRD with no labels",
+			labels:   map[string]string{},
+			wantInfo: fluxClusterInfo{},
+		},
+		{
+			name: "CRD with only version label",
+			labels: map[string]string{
+				"app.kubernetes.io/version": "v2.1.0",
+			},
+			wantInfo: fluxClusterInfo{
+				version: "v2.1.0",
+			},
+		},
+		{
+			name: "CRD with version and part-of labels",
+			labels: map[string]string{
+				"app.kubernetes.io/version": "v2.1.0",
+				"app.kubernetes.io/part-of": "flux",
+			},
+			wantInfo: fluxClusterInfo{
+				version: "v2.1.0",
+				partOf:  "flux",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			newscheme := runtime.NewScheme()
+			apiextensionsv1.AddToScheme(newscheme)
+			builder := fake.NewClientBuilder().WithScheme(newscheme)
+			if tt.labels != nil {
+				gitrepo.SetLabels(tt.labels)
+				builder = builder.WithRuntimeObjects(gitrepo)
+			}
+
+			client := builder.Build()
+			info, err := getFluxClusterInfo(context.Background(), client)
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(errors.IsNotFound(err)).To(BeTrue())
+			} else {
+				g.Expect(err).To(Not(HaveOccurred()))
+			}
+
+			g.Expect(info).To(BeEquivalentTo(tt.wantInfo))
+		})
+	}
+}
--- a/cmd/flux/completion.go
+++ b/cmd/flux/completion.go
@ -20,7 +20,7 @@ import (
 	"context"
 	"strings"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -31,7 +31,7 @@ import (
 var completionCmd = &cobra.Command{
 	Use:   "completion",
 	Short: "Generates completion scripts for various shells",
-	Long:  "The completion sub-command generates completion scripts for various shells",
+	Long:  `The completion sub-command generates completion scripts for various shells.`,
 }

 func init() {
--- a/cmd/flux/completion_bash.go
+++ b/cmd/flux/completion_bash.go
@ -25,6 +25,7 @@ import (
 var completionBashCmd = &cobra.Command{
 	Use:   "bash",
 	Short: "Generates bash completion scripts",
+	Long:  `The completion sub-command generates completion scripts for bash.`,
 	Example: `To load completion run

 . <(flux completion bash)
--- a/cmd/flux/completion_fish.go
+++ b/cmd/flux/completion_fish.go
@ -25,6 +25,7 @@ import (
 var completionFishCmd = &cobra.Command{
 	Use:   "fish",
 	Short: "Generates fish completion scripts",
+	Long:  `The completion sub-command generates completion scripts for fish.`,
 	Example: `To configure your fish shell to load completions for each session write this script to your completions dir:

 flux completion fish > ~/.config/fish/completions/flux.fish
--- a/cmd/flux/completion_powershell.go
+++ b/cmd/flux/completion_powershell.go
@ -25,6 +25,7 @@ import (
 var completionPowerShellCmd = &cobra.Command{
 	Use:   "powershell",
 	Short: "Generates powershell completion scripts",
+	Long:  `The completion sub-command generates completion scripts for powershell.`,
 	Example: `To load completion run

 . <(flux completion powershell)
@ -34,12 +35,12 @@ To configure your powershell shell to load completions for each session add to y
 Windows:

 cd "$env:USERPROFILE\Documents\WindowsPowerShell\Modules"
-flux completion >> flux-completion.ps1
+flux completion powershell >> flux-completion.ps1

 Linux:

 cd "${XDG_CONFIG_HOME:-"$HOME/.config/"}/powershell/modules"
-flux completion >> flux-completions.ps1`,
+flux completion powershell >> flux-completions.ps1`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenPowerShellCompletion(os.Stdout)
 	},
--- a/cmd/flux/completion_zsh.go
+++ b/cmd/flux/completion_zsh.go
@ -26,6 +26,7 @@ import (
 var completionZshCmd = &cobra.Command{
 	Use:   "zsh",
 	Short: "Generates zsh completion scripts",
+	Long:  `The completion sub-command generates completion scripts for zsh.`,
 	Example: `To load completion run

 . <(flux completion zsh)
--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@ -30,13 +30,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createCmd = &cobra.Command{
 	Use:   "create",
 	Short: "Create or update sources and resources",
-	Long:  "The create sub-commands generate sources and resources.",
+	Long:  `The create sub-commands generate sources and resources.`,
 }

 type createFlags struct {
@ -79,12 +79,12 @@ type upsertable interface {
 // want to update. The mutate function is nullary -- you mutate a
 // value in the closure, e.g., by doing this:
 //
-//     var existing Value
-//     existing.Name = name
-//     existing.Namespace = ns
-//     upsert(ctx, client, valueAdapter{&value}, func() error {
-//       value.Spec = onePreparedEarlier
-//     })
+//	var existing Value
+//	existing.Name = name
+//	existing.Namespace = ns
+//	upsert(ctx, client, valueAdapter{&value}, func() error {
+//	  value.Spec = onePreparedEarlier
+//	})
 func (names apiType) upsert(ctx context.Context, kubeClient client.Client, object upsertable, mutate func() error) (types.NamespacedName, error) {
 	nsname := types.NamespacedName{
 		Namespace: object.GetNamespace(),
@ -125,14 +125,14 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 	logger.Generatef("generating %s", names.kind)
 	logger.Actionf("applying %s", names.kind)

-	namespacedName, err := imageRepositoryType.upsert(ctx, kubeClient, object, mutate)
+	namespacedName, err := names.upsert(ctx, kubeClient, object, mutate)
 	if err != nil {
 		return err
 	}

 	logger.Waitingf("waiting for %s reconciliation", names.kind)
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isReady(ctx, kubeClient, namespacedName, object)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, object.asClientObject())); err != nil {
 		return err
 	}
 	logger.Successf("%s reconciliation completed", names.kind)
@ -165,6 +165,6 @@ func parseLabels() (map[string]string, error) {
 }

 func validateObjectName(name string) bool {
-	r := regexp.MustCompile("^[a-z0-9]([a-z0-9\\-]){0,61}[a-z0-9]$")
+	r := regexp.MustCompile(`^[a-z0-9]([a-z0-9\-]){0,61}[a-z0-9]$`)
 	return r.MatchString(name)
 }
--- a/cmd/flux/create_alert.go
+++ b/cmd/flux/create_alert.go
@ -22,22 +22,22 @@ import (

 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
+	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	"github.com/fluxcd/pkg/apis/meta"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createAlertCmd = &cobra.Command{
 	Use:   "alert [name]",
 	Short: "Create or update a Alert resource",
-	Long:  "The create alert command generates a Alert resource.",
+	Long:  withPreviewNote(`The create alert command generates a Alert resource.`),
 	Example: `  # Create an Alert for kustomization events
  flux create alert \
  --event-severity info \
@ -96,13 +96,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating Alert")
 	}

-	alert := notificationv1.Alert{
+	alert := notificationv1b3.Alert{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: notificationv1.AlertSpec{
+		Spec: notificationv1b3.AlertSpec{
 			ProviderRef: meta.LocalObjectReference{
 				Name: alertArgs.providerRef,
 			},
@ -131,8 +131,8 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for Alert reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isAlertReady(ctx, kubeClient, namespacedName, &alert)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isStaticObjectReadyConditionFunc(kubeClient, namespacedName, &alert)); err != nil {
 		return err
 	}
 	logger.Successf("Alert %s is ready", name)
@ -140,13 +140,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 }

 func upsertAlert(ctx context.Context, kubeClient client.Client,
-	alert *notificationv1.Alert) (types.NamespacedName, error) {
+	alert *notificationv1b3.Alert) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: alert.GetNamespace(),
 		Name:      alert.GetName(),
 	}

-	var existing notificationv1.Alert
+	var existing notificationv1b3.Alert
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
@ -169,23 +169,3 @@ func upsertAlert(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Alert updated")
 	return namespacedName, nil
 }
-
-func isAlertReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, alert *notificationv1.Alert) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, alert)
-		if err != nil {
-			return false, err
-		}
-
-		if c := apimeta.FindStatusCondition(alert.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_alertprovider.go
+++ b/cmd/flux/create_alertprovider.go
@ -22,22 +22,21 @@ import (

 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta3"
 	"github.com/fluxcd/pkg/apis/meta"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createAlertProviderCmd = &cobra.Command{
 	Use:   "alert-provider [name]",
 	Short: "Create or update a Provider resource",
-	Long:  "The create alert-provider command generates a Provider resource.",
+	Long:  withPreviewNote(`The create alert-provider command generates a Provider resource.`),
 	Example: `  # Create a Provider for a Slack channel
  flux create alert-provider slack \
  --type slack \
@ -127,8 +126,8 @@ func createAlertProviderCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for Provider reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isAlertProviderReady(ctx, kubeClient, namespacedName, &provider)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isStaticObjectReadyConditionFunc(kubeClient, namespacedName, &provider)); err != nil {
 		return err
 	}

@ -167,23 +166,3 @@ func upsertAlertProvider(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Provider updated")
 	return namespacedName, nil
 }
-
-func isAlertProviderReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, provider *notificationv1.Provider) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, provider)
-		if err != nil {
-			return false, err
-		}
-
-		if c := apimeta.FindStatusCondition(provider.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2024 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -24,29 +24,29 @@ import (
 	"strings"
 	"time"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/transform"
-
 	"github.com/spf13/cobra"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"

-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/transform"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Create or update a HelmRelease resource",
-	Long:    "The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.",
+	Long:    `The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.`,
 	Example: `  # Create a HelmRelease with a chart from a HelmRepository source
  flux create hr podinfo \
    --interval=10m \
@ -83,9 +83,9 @@ var createHelmReleaseCmd = &cobra.Command{

  # Create a HelmRelease with a custom release name
  flux create hr podinfo \
-    --release-name=podinfo-dev
+    --release-name=podinfo-dev \
    --source=HelmRepository/podinfo \
-    --chart=podinfo \
+    --chart=podinfo

  # Create a HelmRelease targeting another namespace than the resource
  flux create hr podinfo \
@ -105,7 +105,17 @@ var createHelmReleaseCmd = &cobra.Command{
    --source=HelmRepository/podinfo \
    --chart=podinfo \
    --values=./values.yaml \
-    --export > podinfo-release.yaml`,
+    --export > podinfo-release.yaml
+		
+  # Create a HelmRelease using a chart from a HelmChart resource
+  flux create hr podinfo \
+    --namespace=default \
+    --chart-ref=HelmChart/podinfo.flux-system \
+
+  # Create a HelmRelease using a chart from an OCIRepository resource
+  flux create hr podinfo \
+    --namespace=default \
+    --chart-ref=OCIRepository/podinfo.flux-system`,
 	RunE: createHelmReleaseCmdRun,
 }

@ -115,6 +125,7 @@ type helmReleaseFlags struct {
 	dependsOn           []string
 	chart               string
 	chartVersion        string
+	chartRef            string
 	targetNamespace     string
 	createNamespace     bool
 	valuesFiles         []string
@ -130,6 +141,8 @@ var helmReleaseArgs helmReleaseFlags

 var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}

+var supportedHelmReleaseReferenceKinds = []string{sourcev1.OCIRepositoryKind, sourcev1.HelmChartKind}
+
 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.source, "source", helmReleaseArgs.source.Description())
@ -145,14 +158,15 @@ func init() {
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.valuesFrom, "values-from", nil, "a Kubernetes object reference that contains the values.yaml data key in the format '<kind>/<name>', where kind must be one of: (Secret,ConfigMap)")
 	createHelmReleaseCmd.Flags().Var(&helmReleaseArgs.crds, "crds", helmReleaseArgs.crds.Description())
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartRef, "chart-ref", "", "the name of the HelmChart resource to use as source for the HelmRelease, in the format '<kind>/<name>.<namespace>', where kind must be one of: (OCIRepository,HelmChart)")
 	createCmd.AddCommand(createHelmReleaseCmd)
 }

 func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]

-	if helmReleaseArgs.chart == "" {
-		return fmt.Errorf("chart name or path is required")
+	if helmReleaseArgs.chart == "" && helmReleaseArgs.chartRef == "" {
+		return fmt.Errorf("chart or chart-ref is required")
 	}

 	sourceLabels, err := parseLabels()
@ -182,34 +196,47 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 				Duration: createArgs.interval,
 			},
 			TargetNamespace: helmReleaseArgs.targetNamespace,
-
-			Chart: helmv2.HelmChartTemplate{
-				Spec: helmv2.HelmChartTemplateSpec{
-					Chart:   helmReleaseArgs.chart,
-					Version: helmReleaseArgs.chartVersion,
-					SourceRef: helmv2.CrossNamespaceObjectReference{
-						Kind:      helmReleaseArgs.source.Kind,
-						Name:      helmReleaseArgs.source.Name,
-						Namespace: helmReleaseArgs.source.Namespace,
-					},
-					ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
-				},
-			},
-			Suspend: false,
+			Suspend:         false,
 		},
 	}

-	if helmReleaseArgs.kubeConfigSecretRef != "" {
-		helmRelease.Spec.KubeConfig = &helmv2.KubeConfig{
-			SecretRef: meta.SecretKeyReference{
-				Name: helmReleaseArgs.kubeConfigSecretRef,
+	switch {
+	case helmReleaseArgs.chart != "":
+		helmRelease.Spec.Chart = &helmv2.HelmChartTemplate{
+			Spec: helmv2.HelmChartTemplateSpec{
+				Chart:   helmReleaseArgs.chart,
+				Version: helmReleaseArgs.chartVersion,
+				SourceRef: helmv2.CrossNamespaceObjectReference{
+					Kind:      helmReleaseArgs.source.Kind,
+					Name:      helmReleaseArgs.source.Name,
+					Namespace: helmReleaseArgs.source.Namespace,
+				},
+				ReconcileStrategy: helmReleaseArgs.reconcileStrategy,
 			},
 		}
+		if helmReleaseArgs.chartInterval != 0 {
+			helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
+				Duration: helmReleaseArgs.chartInterval,
+			}
+		}
+	case helmReleaseArgs.chartRef != "":
+		kind, name, ns := utils.ParseObjectKindNameNamespace(helmReleaseArgs.chartRef)
+		if kind != sourcev1.HelmChartKind && kind != sourcev1.OCIRepositoryKind {
+			return fmt.Errorf("chart reference kind '%s' is not supported, must be one of: %s",
+				kind, strings.Join(supportedHelmReleaseReferenceKinds, ", "))
+		}
+		helmRelease.Spec.ChartRef = &helmv2.CrossNamespaceSourceReference{
+			Kind:      kind,
+			Name:      name,
+			Namespace: ns,
+		}
 	}

-	if helmReleaseArgs.chartInterval != 0 {
-		helmRelease.Spec.Chart.Spec.Interval = &metav1.Duration{
-			Duration: helmReleaseArgs.chartInterval,
+	if helmReleaseArgs.kubeConfigSecretRef != "" {
+		helmRelease.Spec.KubeConfig = &meta.KubeConfigReference{
+			SecretRef: &meta.SecretKeyReference{
+				Name: helmReleaseArgs.kubeConfigSecretRef,
+			},
 		}
 	}

@ -303,13 +330,13 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for HelmRelease reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isHelmReleaseReady(ctx, kubeClient, namespacedName, &helmRelease)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &helmRelease)); err != nil {
 		return err
 	}
 	logger.Successf("HelmRelease %s is ready", name)

-	logger.Successf("applied revision %s", helmRelease.Status.LastAppliedRevision)
+	logger.Successf("applied revision %s", getHelmReleaseRevision(helmRelease))
 	return nil
 }

@ -344,23 +371,6 @@ func upsertHelmRelease(ctx context.Context, kubeClient client.Client,
 	return namespacedName, nil
 }

-func isHelmReleaseReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, helmRelease *helmv2.HelmRelease) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, helmRelease)
-		if err != nil {
-			return false, err
-		}
-
-		// Confirm the state we are observing is for the current generation
-		if helmRelease.Generation != helmRelease.Status.ObservedGeneration {
-			return false, nil
-		}
-
-		return apimeta.IsStatusConditionTrue(helmRelease.Status.Conditions, meta.ReadyCondition), nil
-	}
-}
-
 func validateStrategy(input string) bool {
 	allowedStrategy := []string{"Revision", "ChartVersion"}

--- a/cmd/flux/create_helmrelease_test.go
+++ b/cmd/flux/create_helmrelease_test.go
@ -0,0 +1,86 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import "testing"
+
+func TestCreateHelmRelease(t *testing.T) {
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setupHRSource(t, tmpl)
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "missing name",
+			args:   "create helmrelease --export",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "missing chart template and chartRef",
+			args:   "create helmrelease podinfo --export",
+			assert: assertError("chart or chart-ref is required"),
+		},
+		{
+			name:   "unknown source kind",
+			args:   "create helmrelease podinfo --source foobar/podinfo --chart podinfo --export",
+			assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
+		},
+		{
+			name:   "unknown chart reference kind",
+			args:   "create helmrelease podinfo --chart-ref foobar/podinfo --export",
+			assert: assertError(`chart reference kind 'foobar' is not supported, must be one of: OCIRepository, HelmChart`),
+		},
+		{
+			name:   "basic helmrelease",
+			args:   "create helmrelease podinfo --source Helmrepository/podinfo --chart podinfo --interval=1m0s --export",
+			assert: assertGoldenTemplateFile("testdata/create_hr/basic.yaml", tmpl),
+		},
+		{
+			name:   "chart with OCIRepository source",
+			args:   "create helmrelease podinfo --chart-ref OCIRepository/podinfo --interval=1m0s --export",
+			assert: assertGoldenTemplateFile("testdata/create_hr/or_basic.yaml", tmpl),
+		},
+		{
+			name:   "chart with HelmChart source",
+			args:   "create helmrelease podinfo --chart-ref HelmChart/podinfo --interval=1m0s --export",
+			assert: assertGoldenTemplateFile("testdata/create_hr/hc_basic.yaml", tmpl),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
+
+func setupHRSource(t *testing.T, tmpl map[string]string) {
+	t.Helper()
+	testEnv.CreateObjectFile("./testdata/create_hr/setup-source.yaml", tmpl, t)
+}
--- a/cmd/flux/create_image.go
+++ b/cmd/flux/create_image.go
@ -20,14 +20,12 @@ import (
 	"github.com/spf13/cobra"
 )

-const createImageLong = `The create image sub-commands work with image automation objects; that is,
-object controlling updates to git based on e.g., new container images
-being available.`
-
 var createImageCmd = &cobra.Command{
 	Use:   "image",
 	Short: "Create or update resources dealing with image automation",
-	Long:  createImageLong,
+	Long: `The create image sub-commands work with image automation objects;
+that is, object controlling updates to git based on e.g., new container images
+being available.`,
 }

 func init() {
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@ -20,6 +20,7 @@ import (
 	"fmt"
 	"regexp/syntax"
 	"strings"
+	"time"
 	"unicode"
 	"unicode/utf8"

@ -28,7 +29,7 @@ import (

 	"github.com/fluxcd/pkg/apis/meta"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 )

 var createImagePolicyCmd = &cobra.Command{
@ -54,13 +55,14 @@ the status of the object.`,
 	RunE: createImagePolicyRun}

 type imagePolicyFlags struct {
-	imageRef        string
-	semver          string
-	alpha           string
-	numeric         string
-	filterRegex     string
-	filterExtract   string
-	filterNumerical string
+	imageRef      string
+	semver        string
+	alpha         string
+	numeric       string
+	filterRegex   string
+	filterExtract string
+	reflectDigest string
+	interval      time.Duration
 }

 var imagePolicyArgs = imagePolicyFlags{}
@ -73,6 +75,8 @@ func init() {
 	flags.StringVar(&imagePolicyArgs.numeric, "select-numeric", "", "use numeric sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
 	flags.StringVar(&imagePolicyArgs.filterRegex, "filter-regex", "", "regular expression pattern used to filter the image tags")
 	flags.StringVar(&imagePolicyArgs.filterExtract, "filter-extract", "", "replacement pattern (using capture groups from --filter-regex) to use for sorting")
+	flags.StringVar(&imagePolicyArgs.reflectDigest, "reflect-digest", "", "the digest reflection policy to use when observing latest image tags (one of 'Never', 'IfNotPresent', 'Never')")
+	flags.DurationVar(&imagePolicyArgs.interval, "interval", 0, "the interval at which to check for new image digests when the policy is set to 'Always'")

 	createImageCmd.AddCommand(createImagePolicyCmd)
 }
@ -154,6 +158,20 @@ func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("cannot specify --filter-extract without specifying --filter-regex")
 	}

+	if p := imagev1.ReflectionPolicy(imagePolicyArgs.reflectDigest); p != "" {
+		if p != imagev1.ReflectNever && p != imagev1.ReflectIfNotPresent && p != imagev1.ReflectAlways {
+			return fmt.Errorf("invalid value for --reflect-digest, must be one of 'Never', 'IfNotPresent', 'Always'")
+		}
+		policy.Spec.DigestReflectionPolicy = p
+	}
+
+	if imagePolicyArgs.interval != 0 {
+		if imagePolicyArgs.reflectDigest != string(imagev1.ReflectAlways) {
+			return fmt.Errorf("the --interval flag can only be used with the 'Always' digest reflection policy, use --reflect-digest=Always")
+		}
+		policy.Spec.Interval = &metav1.Duration{Duration: imagePolicyArgs.interval}
+	}
+
 	if createArgs.export {
 		return printExport(exportImagePolicy(&policy))
 	}
@ -183,7 +201,6 @@ func validateExtractStr(template string, capNames []string) error {
 		name, num, rest, ok := extract(template)
 		if !ok {
 			// Malformed extract string, assume user didn't want this
-			template = template[1:]
 			return fmt.Errorf("--filter-extract is malformed")
 		}
 		template = rest
--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@ -26,7 +26,7 @@ import (

 	"github.com/fluxcd/pkg/apis/meta"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 )

 var createImageRepositoryCmd = &cobra.Command{
--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@ -22,8 +22,8 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var createImageUpdateCmd = &cobra.Command{
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@ -24,25 +24,24 @@ import (

 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Create or update a Kustomization resource",
-	Long:    "The create command generates a Kustomization resource for a given source.",
+	Long:    `The create command generates a Kustomization resource for a given source.`,
 	Example: `  # Create a Kustomization resource from a source at a given path
  flux create kustomization kyverno \
    --source=GitRepository/kyverno \
@ -97,6 +96,7 @@ type kustomizationFlags struct {
 	targetNamespace     string
 	wait                bool
 	kubeConfigSecretRef string
+	retryInterval       time.Duration
 }

 var kustomizationArgs = NewKustomizationFlags()
@ -116,6 +116,7 @@ func init() {
 	createKsCmd.Flags().StringVar(&kustomizationArgs.targetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createKsCmd.Flags().MarkDeprecated("validation", "this arg is no longer used, all resources are validated using server-side apply dry-run")
+	createKsCmd.Flags().DurationVar(&kustomizationArgs.retryInterval, "retry-interval", 0, "the interval at which to retry a previously failed reconciliation")

 	createCmd.AddCommand(createKsCmd)
 }
@ -169,8 +170,8 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	if kustomizationArgs.kubeConfigSecretRef != "" {
-		kustomization.Spec.KubeConfig = &kustomizev1.KubeConfig{
-			SecretRef: meta.SecretKeyReference{
+		kustomization.Spec.KubeConfig = &meta.KubeConfigReference{
+			SecretRef: &meta.SecretKeyReference{
 				Name: kustomizationArgs.kubeConfigSecretRef,
 			},
 		}
@ -238,6 +239,10 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}

+	if kustomizationArgs.retryInterval > 0 {
+		kustomization.Spec.RetryInterval = &metav1.Duration{Duration: kustomizationArgs.retryInterval}
+	}
+
 	if createArgs.export {
 		return printExport(exportKs(&kustomization))
 	}
@ -257,8 +262,8 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for Kustomization reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isKustomizationReady(ctx, kubeClient, namespacedName, &kustomization)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &kustomization)); err != nil {
 		return err
 	}
 	logger.Successf("Kustomization %s is ready", name)
@ -297,28 +302,3 @@ func upsertKustomization(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Kustomization updated")
 	return namespacedName, nil
 }
-
-func isKustomizationReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, kustomization *kustomizev1.Kustomization) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, kustomization)
-		if err != nil {
-			return false, err
-		}
-
-		// Confirm the state we are observing is for the current generation
-		if kustomization.Generation != kustomization.Status.ObservedGeneration {
-			return false, nil
-		}
-
-		if c := apimeta.FindStatusCondition(kustomization.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_receiver.go
+++ b/cmd/flux/create_receiver.go
@ -22,22 +22,21 @@ import (

 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/errors"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createReceiverCmd = &cobra.Command{
 	Use:   "receiver [name]",
 	Short: "Create or update a Receiver resource",
-	Long:  "The create receiver command generates a Receiver resource.",
+	Long:  `The create receiver command generates a Receiver resource.`,
 	Example: `  # Create a Receiver
  flux create receiver github-receiver \
 	--type github \
@ -139,13 +138,13 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for Receiver reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isReceiverReady(ctx, kubeClient, namespacedName, &receiver)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &receiver)); err != nil {
 		return err
 	}
 	logger.Successf("Receiver %s is ready", name)

-	logger.Successf("generated webhook URL %s", receiver.Status.URL)
+	logger.Successf("generated webhook URL %s", receiver.Status.WebhookPath)
 	return nil
 }

@ -179,23 +178,3 @@ func upsertReceiver(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Receiver updated")
 	return namespacedName, nil
 }
-
-func isReceiverReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, receiver *notificationv1.Receiver) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, receiver)
-		if err != nil {
-			return false, err
-		}
-
-		if c := apimeta.FindStatusCondition(receiver.Status.Conditions, meta.ReadyCondition); c != nil {
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_secret.go
+++ b/cmd/flux/create_secret.go
@ -29,7 +29,7 @@ import (
 var createSecretCmd = &cobra.Command{
 	Use:   "secret",
 	Short: "Create or update Kubernetes secrets",
-	Long:  "The create source sub-commands generate Kubernetes secrets specific to Flux.",
+	Long:  `The create source sub-commands generate Kubernetes secrets specific to Flux.`,
 }

 func init() {
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@ -21,22 +21,25 @@ import (
 	"crypto/elliptic"
 	"fmt"
 	"net/url"
+	"os"

 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 var createSecretGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Create or update a Kubernetes secret for Git authentication",
 	Long: `The create secret git command generates a Kubernetes secret with Git credentials.
-For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
-For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
+For Git over SSH, the host and SSH keys are automatically generated and stored
+in the secret.
+For Git over HTTP/S, the provided basic authentication credentials or bearer
+authentication token are stored in the secret.`,
 	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key

  flux create secret git podinfo-auth \
@ -84,8 +87,9 @@ type secretGitFlags struct {
 	keyAlgorithm   flags.PublicKeyAlgorithm
 	rsaBits        flags.RSAKeyBits
 	ecdsaCurve     flags.ECDSACurve
-	caFile         string
+	caCrtFile      string
 	privateKeyFile string
+	bearerToken    string
 }

 var secretGitArgs = NewSecretGitFlags()
@ -97,8 +101,9 @@ func init() {
 	createSecretGitCmd.Flags().Var(&secretGitArgs.keyAlgorithm, "ssh-key-algorithm", secretGitArgs.keyAlgorithm.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
-	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")

 	createSecretCmd.AddCommand(createSecretGitCmd)
 }
@ -135,24 +140,39 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	switch u.Scheme {
 	case "ssh":
+		keypair, err := sourcesecret.LoadKeyPairFromPath(secretGitArgs.privateKeyFile, secretGitArgs.password)
+		if err != nil {
+			return err
+		}
+		opts.Keypair = keypair
 		opts.SSHHostname = u.Host
-		opts.PrivateKeyPath = secretGitArgs.privateKeyFile
 		opts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(secretGitArgs.keyAlgorithm)
 		opts.RSAKeyBits = int(secretGitArgs.rsaBits)
 		opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
 		opts.Password = secretGitArgs.password
 	case "http", "https":
-		if secretGitArgs.username == "" || secretGitArgs.password == "" {
-			return fmt.Errorf("for Git over HTTP/S the username and password are required")
+		if (secretGitArgs.username == "" || secretGitArgs.password == "") && secretGitArgs.bearerToken == "" {
+			return fmt.Errorf("for Git over HTTP/S the username and password, or a bearer token is required")
 		}
 		opts.Username = secretGitArgs.username
 		opts.Password = secretGitArgs.password
-		opts.CAFilePath = secretGitArgs.caFile
+		opts.BearerToken = secretGitArgs.bearerToken
+		if secretGitArgs.username != "" && secretGitArgs.password != "" && secretGitArgs.bearerToken != "" {
+			return fmt.Errorf("user credentials and bearer token cannot be used together")
+		}
+
+		// --ca-crt-file takes precedence over --ca-file.
+		if secretGitArgs.caCrtFile != "" {
+			opts.CACrt, err = os.ReadFile(secretGitArgs.caCrtFile)
+			if err != nil {
+				return fmt.Errorf("unable to read TLS CA file: %w", err)
+			}
+		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}

-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateGit(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_git_test.go
+++ b/cmd/flux/create_secret_git_test.go
@ -1,10 +1,21 @@
 package main

 import (
+	"fmt"
+	"os"
 	"testing"
 )

 func TestCreateGitSecret(t *testing.T) {
+	file, err := os.CreateTemp(t.TempDir(), "ca-crt")
+	if err != nil {
+		t.Fatal("could not create CA certificate file")
+	}
+	_, err = file.Write([]byte("ca-data"))
+	if err != nil {
+		t.Fatal("could not write to CA certificate file")
+	}
+
 	tests := []struct {
 		name   string
 		args   string
@ -30,6 +41,21 @@ func TestCreateGitSecret(t *testing.T) {
 			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
 		},
+		{
+			name:   "git authentication with bearer token",
+			args:   "create secret git bearer-token-auth --url=https://github.com/stefanprodan/podinfo --bearer-token=ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/git/git-bearer-token.yaml"),
+		},
+		{
+			name:   "git authentication with CA certificate",
+			args:   fmt.Sprintf("create secret git ca-crt --url=https://github.com/stefanprodan/podinfo --password=my-password --username=my-username --ca-crt-file=%s --namespace=my-namespace --export", file.Name()),
+			assert: assertGoldenFile("testdata/create_secret/git/secret-ca-crt.yaml"),
+		},
+		{
+			name:   "git authentication with basic auth and bearer token",
+			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",
+			assert: assertError("user credentials and bearer token cannot be used together"),
+		},
 	}

 	for _, tt := range tests {
--- a/cmd/flux/create_secret_github_app.go
+++ b/cmd/flux/create_secret_github_app.go
@ -0,0 +1,128 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var createSecretGitHubAppCmd = &cobra.Command{
+	Use:   "githubapp [name]",
+	Short: "Create or update a github app secret",
+	Long:  withPreviewNote(`The create secret githubapp command generates a Kubernetes secret that can be used for GitRepository authentication with github app`),
+	Example: `  # Create a githubapp authentication secret on disk and encrypt it with Mozilla SOPS
+  flux create secret githubapp podinfo-auth \
+    --app-id="1" \
+    --app-installation-id="2" \
+    --app-private-key=./private-key-file.pem \
+    --export > githubapp-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place githubapp-auth.yaml
+	`,
+	RunE: createSecretGitHubAppCmdRun,
+}
+
+type secretGitHubAppFlags struct {
+	appID             string
+	appInstallationID string
+	privateKeyFile    string
+	baseURL           string
+}
+
+var secretGitHubAppArgs = secretGitHubAppFlags{}
+
+func init() {
+	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appID, "app-id", "", "github app ID")
+	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appInstallationID, "app-installation-id", "", "github app installation ID")
+	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.privateKeyFile, "app-private-key", "", "github app private key file path")
+	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.baseURL, "app-base-url", "", "github app base URL")
+
+	createSecretCmd.AddCommand(createSecretGitHubAppCmd)
+}
+
+func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("name is required")
+	}
+
+	secretName := args[0]
+
+	if secretGitHubAppArgs.appID == "" {
+		return fmt.Errorf("--app-id is required")
+	}
+
+	if secretGitHubAppArgs.appInstallationID == "" {
+		return fmt.Errorf("--app-installation-id is required")
+	}
+
+	if secretGitHubAppArgs.privateKeyFile == "" {
+		return fmt.Errorf("--app-private-key is required")
+	}
+
+	privateKey, err := os.ReadFile(secretGitHubAppArgs.privateKeyFile)
+	if err != nil {
+		return fmt.Errorf("unable to read private key file: %w", err)
+	}
+
+	opts := sourcesecret.Options{
+		Name:                    secretName,
+		Namespace:               *kubeconfigArgs.Namespace,
+		GitHubAppID:             secretGitHubAppArgs.appID,
+		GitHubAppInstallationID: secretGitHubAppArgs.appInstallationID,
+		GitHubAppPrivateKey:     string(privateKey),
+	}
+
+	if secretGitHubAppArgs.baseURL != "" {
+		opts.GitHubAppBaseURL = secretGitHubAppArgs.baseURL
+	}
+
+	secret, err := sourcesecret.GenerateGitHubApp(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("githubapp secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
+	return nil
+}
--- a/cmd/flux/create_secret_githubapp_test.go
+++ b/cmd/flux/create_secret_githubapp_test.go
@ -0,0 +1,74 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateSecretGitHubApp(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "create githubapp secret with missing name",
+			args:   "create secret githubapp",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "create githubapp secret with missing app-id",
+			args:   "create secret githubapp appinfo",
+			assert: assertError("--app-id is required"),
+		},
+		{
+			name:   "create githubapp secret with missing appInstallationID",
+			args:   "create secret githubapp appinfo --app-id 1",
+			assert: assertError("--app-installation-id is required"),
+		},
+		{
+			name:   "create githubapp secret with missing private key file",
+			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2",
+			assert: assertError("--app-private-key is required"),
+		},
+		{
+			name:   "create githubapp secret with private key file that does not exist",
+			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2 --app-private-key pk.pem",
+			assert: assertError("unable to read private key file: open pk.pem: no such file or directory"),
+		},
+		{
+			name:   "create githubapp secret with app info",
+			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --export",
+			assert: assertGoldenFile("testdata/create_secret/githubapp/secret.yaml"),
+		},
+		{
+			name:   "create githubapp secret with appinfo and base url",
+			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --app-base-url www.example.com/api/v3 --export",
+			assert: assertGoldenFile("testdata/create_secret/githubapp/secret-with-baseurl.yaml"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@ -18,13 +18,15 @@ package main

 import (
 	"context"
+	"fmt"
+	"os"

 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"

-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 var createSecretHelmCmd = &cobra.Command{
@ -39,15 +41,8 @@ var createSecretHelmCmd = &cobra.Command{
    --export > repo-auth.yaml

  sops --encrypt --encrypted-regex '^(data|stringData)$' \
-    --in-place repo-auth.yaml
+    --in-place repo-auth.yaml`,

-  # Create a Helm authentication secret using a custom TLS cert
-  flux create secret helm repo-auth \
-    --username=username \
-    --password=password \
-    --cert-file=./cert.crt \
-    --key-file=./key.crt \
-    --ca-file=./ca.crt`,
 	RunE: createSecretHelmCmdRun,
 }

@ -60,9 +55,13 @@ type secretHelmFlags struct {
 var secretHelmArgs secretHelmFlags

 func init() {
-	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
-	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
-	initSecretTLSFlags(createSecretHelmCmd.Flags(), &secretHelmArgs.secretTLSFlags)
+	flags := createSecretHelmCmd.Flags()
+	flags.StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
+	flags.StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
+	flags.StringVar(&secretHelmArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
+	flags.StringVar(&secretHelmArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
+	flags.StringVar(&secretHelmArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
+
 	createSecretCmd.AddCommand(createSecretHelmCmd)
 }

@ -74,17 +73,38 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	opts := sourcesecret.Options{
-		Name:         name,
-		Namespace:    *kubeconfigArgs.Namespace,
-		Labels:       labels,
-		Username:     secretHelmArgs.username,
-		Password:     secretHelmArgs.password,
-		CAFilePath:   secretHelmArgs.caFile,
-		CertFilePath: secretHelmArgs.certFile,
-		KeyFilePath:  secretHelmArgs.keyFile,
+	caBundle := []byte{}
+	if secretHelmArgs.caCrtFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(secretHelmArgs.caCrtFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
 	}
-	secret, err := sourcesecret.Generate(opts)
+
+	var certFile, keyFile []byte
+	if secretHelmArgs.tlsCrtFile != "" {
+		if certFile, err = os.ReadFile(secretHelmArgs.tlsCrtFile); err != nil {
+			return fmt.Errorf("failed to read cert file: %w", err)
+		}
+	}
+	if secretHelmArgs.tlsKeyFile != "" {
+		if keyFile, err = os.ReadFile(secretHelmArgs.tlsKeyFile); err != nil {
+			return fmt.Errorf("failed to read key file: %w", err)
+		}
+	}
+
+	opts := sourcesecret.Options{
+		Name:      name,
+		Namespace: *kubeconfigArgs.Namespace,
+		Labels:    labels,
+		Username:  secretHelmArgs.username,
+		Password:  secretHelmArgs.password,
+		CACrt:     caBundle,
+		TLSCrt:    certFile,
+		TLSKey:    keyFile,
+	}
+	secret, err := sourcesecret.GenerateHelm(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_notation.go
+++ b/cmd/flux/create_secret_notation.go
@ -0,0 +1,161 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/notaryproject/notation-go/verifier/trustpolicy"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var createSecretNotationCmd = &cobra.Command{
+	Use:   "notation [name]",
+	Short: "Create or update a Kubernetes secret for verifications of artifacts signed by Notation",
+	Long:  withPreviewNote(`The create secret notation command generates a Kubernetes secret with root ca certificates and trust policy.`),
+	Example: ` # Create a Notation configuration secret on disk and encrypt it with Mozilla SOPS
+  flux create secret notation my-notation-cert \
+    --namespace=my-namespace \
+    --trust-policy-file=./my-trust-policy.json \
+    --ca-cert-file=./my-cert.crt \
+    --export > my-notation-cert.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place my-notation-cert.yaml`,
+
+	RunE: createSecretNotationCmdRun,
+}
+
+type secretNotationFlags struct {
+	trustPolicyFile string
+	caCrtFile       []string
+}
+
+var secretNotationArgs secretNotationFlags
+
+func init() {
+	createSecretNotationCmd.Flags().StringVar(&secretNotationArgs.trustPolicyFile, "trust-policy-file", "", "notation trust policy file path")
+	createSecretNotationCmd.Flags().StringSliceVar(&secretNotationArgs.caCrtFile, "ca-cert-file", []string{}, "root ca cert file path")
+
+	createSecretCmd.AddCommand(createSecretNotationCmd)
+}
+
+func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("name is required")
+	}
+
+	if secretNotationArgs.caCrtFile == nil || len(secretNotationArgs.caCrtFile) == 0 {
+		return fmt.Errorf("--ca-cert-file is required")
+	}
+
+	if secretNotationArgs.trustPolicyFile == "" {
+		return fmt.Errorf("--trust-policy-file is required")
+	}
+
+	name := args[0]
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	policy, err := os.ReadFile(secretNotationArgs.trustPolicyFile)
+	if err != nil {
+		return fmt.Errorf("unable to read trust policy file: %w", err)
+	}
+
+	var doc trustpolicy.Document
+
+	if err := json.Unmarshal(policy, &doc); err != nil {
+		return fmt.Errorf("failed to unmarshal trust policy %s: %w", secretNotationArgs.trustPolicyFile, err)
+	}
+
+	if err := doc.Validate(); err != nil {
+		return fmt.Errorf("invalid trust policy: %w", err)
+	}
+
+	var (
+		caCerts []sourcesecret.VerificationCrt
+		fileErr error
+	)
+	for _, caCrtFile := range secretNotationArgs.caCrtFile {
+		fileName := filepath.Base(caCrtFile)
+		if !strings.HasSuffix(fileName, ".crt") && !strings.HasSuffix(fileName, ".pem") {
+			fileErr = errors.Join(fileErr, fmt.Errorf("%s must end with either .crt or .pem", fileName))
+			continue
+		}
+		caBundle, err := os.ReadFile(caCrtFile)
+		if err != nil {
+			fileErr = errors.Join(fileErr, fmt.Errorf("unable to read TLS CA file: %w", err))
+			continue
+		}
+		caCerts = append(caCerts, sourcesecret.VerificationCrt{Name: fileName, CACrt: caBundle})
+	}
+
+	if fileErr != nil {
+		return fileErr
+	}
+
+	if len(caCerts) == 0 {
+		return fmt.Errorf("no CA certs found")
+	}
+
+	opts := sourcesecret.Options{
+		Name:             name,
+		Namespace:        *kubeconfigArgs.Namespace,
+		Labels:           labels,
+		VerificationCrts: caCerts,
+		TrustPolicy:      policy,
+	}
+	secret, err := sourcesecret.GenerateNotation(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("notation configuration secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
+	return nil
+}
--- a/cmd/flux/create_secret_notation_test.go
+++ b/cmd/flux/create_secret_notation_test.go
@ -0,0 +1,124 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+const (
+	trustPolicy        = "./testdata/create_secret/notation/test-trust-policy.json"
+	invalidTrustPolicy = "./testdata/create_secret/notation/invalid-trust-policy.json"
+	invalidJson        = "./testdata/create_secret/notation/invalid.json"
+	testCertFolder     = "./testdata/create_secret/notation"
+)
+
+func TestCreateNotationSecret(t *testing.T) {
+	crt, err := os.Create(filepath.Join(t.TempDir(), "ca.crt"))
+	if err != nil {
+		t.Fatal("could not create ca.crt file")
+	}
+
+	pem, err := os.Create(filepath.Join(t.TempDir(), "ca.pem"))
+	if err != nil {
+		t.Fatal("could not create ca.pem file")
+	}
+
+	invalidCert, err := os.Create(filepath.Join(t.TempDir(), "ca.p12"))
+	if err != nil {
+		t.Fatal("could not create ca.p12 file")
+	}
+
+	_, err = crt.Write([]byte("ca-data-crt"))
+	if err != nil {
+		t.Fatal("could not write to crt certificate file")
+	}
+
+	_, err = pem.Write([]byte("ca-data-pem"))
+	if err != nil {
+		t.Fatal("could not write to pem certificate file")
+	}
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "no args",
+			args:   "create secret notation",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "no trust policy",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s", testCertFolder),
+			assert: assertError("--trust-policy-file is required"),
+		},
+		{
+			name:   "no cert",
+			args:   fmt.Sprintf("create secret notation notation-config --trust-policy-file=%s", trustPolicy),
+			assert: assertError("--ca-cert-file is required"),
+		},
+		{
+			name:   "non pem and crt cert",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", invalidCert.Name(), trustPolicy),
+			assert: assertError("ca.p12 must end with either .crt or .pem"),
+		},
+		{
+			name:   "invalid trust policy",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidTrustPolicy),
+			assert: assertError("invalid trust policy: trust policy: a trust policy statement is missing a name, every statement requires a name"),
+		},
+		{
+			name:   "invalid trust policy json",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidJson),
+			assert: assertError(fmt.Sprintf("failed to unmarshal trust policy %s: json: cannot unmarshal string into Go value of type trustpolicy.Document", invalidJson)),
+		},
+		{
+			name:   "crt secret",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), trustPolicy),
+			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-crt.yaml"),
+		},
+		{
+			name:   "pem secret",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", pem.Name(), trustPolicy),
+			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-pem.yaml"),
+		},
+		{
+			name:   "multi secret",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), pem.Name(), trustPolicy),
+			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-multi.yaml"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			defer func() {
+				secretNotationArgs = secretNotationFlags{}
+			}()
+
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/create_secret_oci.go
+++ b/cmd/flux/create_secret_oci.go
@ -20,8 +20,8 @@ import (
 	"context"
 	"fmt"

-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@ -31,7 +31,7 @@ import (
 var createSecretOCICmd = &cobra.Command{
 	Use:   "oci [name]",
 	Short: "Create or update a Kubernetes image pull secret",
-	Long:  `The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`,
+	Long:  withPreviewNote(`The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`),
 	Example: `  # Create an OCI authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret oci podinfo-auth \
    --url=ghcr.io \
@ -92,7 +92,7 @@ func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretOCIArgs.username,
 	}

-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateOCI(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_proxy.go
+++ b/cmd/flux/create_secret_proxy.go
@ -0,0 +1,112 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"errors"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+)
+
+var createSecretProxyCmd = &cobra.Command{
+	Use:   "proxy [name]",
+	Short: "Create or update a Kubernetes secret for proxy authentication",
+	Long: `The create secret proxy command generates a Kubernetes secret with the
+proxy address and the basic authentication credentials.`,
+	Example: ` # Create a proxy secret on disk and encrypt it with SOPS
+  flux create secret proxy my-proxy \
+    --namespace=my-namespace \
+    --address=https://my-proxy.com \
+    --username=my-username \
+    --password=my-password \
+    --export > proxy.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place proxy.yaml`,
+
+	RunE: createSecretProxyCmdRun,
+}
+
+type secretProxyFlags struct {
+	address  string
+	username string
+	password string
+}
+
+var secretProxyArgs secretProxyFlags
+
+func init() {
+	createSecretProxyCmd.Flags().StringVar(&secretProxyArgs.address, "address", "", "proxy address")
+	createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.username, "username", "u", "", "basic authentication username")
+	createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.password, "password", "p", "", "basic authentication password")
+
+	createSecretCmd.AddCommand(createSecretProxyCmd)
+}
+
+func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	if secretProxyArgs.address == "" {
+		return errors.New("address is required")
+	}
+
+	opts := sourcesecret.Options{
+		Name:      name,
+		Namespace: *kubeconfigArgs.Namespace,
+		Labels:    labels,
+		Address:   secretProxyArgs.address,
+		Username:  secretProxyArgs.username,
+		Password:  secretProxyArgs.password,
+	}
+	secret, err := sourcesecret.GenerateProxy(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("proxy secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
+	return nil
+}
--- a/cmd/flux/create_secret_proxy_test.go
+++ b/cmd/flux/create_secret_proxy_test.go
@ -0,0 +1,47 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateProxySecret(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			args:   "create secret proxy proxy-secret",
+			assert: assertError("address is required"),
+		},
+		{
+			args:   "create secret proxy proxy-secret --address=https://my-proxy.com --username=my-username --password=my-password --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/proxy/secret-proxy.yaml"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@ -18,26 +18,28 @@ package main

 import (
 	"context"
+	"fmt"
+	"os"

 	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"

-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 var createSecretTLSCmd = &cobra.Command{
 	Use:   "tls [name]",
 	Short: "Create or update a Kubernetes secret with TLS certificates",
 	Long:  `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
-	Example: ` # Create a TLS secret on disk and encrypt it with Mozilla SOPS.
+	Example: ` # Create a TLS secret on disk and encrypt it with SOPS.
  # Files are expected to be PEM-encoded.
  flux create secret tls certs \
    --namespace=my-namespace \
-    --cert-file=./client.crt \
-    --key-file=./client.key \
+    --tls-crt-file=./client.crt \
+    --tls-key-file=./client.key \
+    --ca-crt-file=./ca.crt \
    --export > certs.yaml

  sops --encrypt --encrypted-regex '^(data|stringData)$' \
@ -46,22 +48,18 @@ var createSecretTLSCmd = &cobra.Command{
 }

 type secretTLSFlags struct {
-	certFile string
-	keyFile  string
-	caFile   string
+	caCrtFile  string
+	tlsKeyFile string
+	tlsCrtFile string
 }

 var secretTLSArgs secretTLSFlags

-func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
-	flags.StringVar(&args.certFile, "cert-file", "", "TLS authentication cert file path")
-	flags.StringVar(&args.keyFile, "key-file", "", "TLS authentication key file path")
-	flags.StringVar(&args.caFile, "ca-file", "", "TLS authentication CA file path")
-}
-
 func init() {
-	flags := createSecretTLSCmd.Flags()
-	initSecretTLSFlags(flags, &secretTLSArgs)
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
+
 	createSecretCmd.AddCommand(createSecretTLSCmd)
 }

@ -74,14 +72,30 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	opts := sourcesecret.Options{
-		Name:         name,
-		Namespace:    *kubeconfigArgs.Namespace,
-		Labels:       labels,
-		CAFilePath:   secretTLSArgs.caFile,
-		CertFilePath: secretTLSArgs.certFile,
-		KeyFilePath:  secretTLSArgs.keyFile,
+		Name:      name,
+		Namespace: *kubeconfigArgs.Namespace,
+		Labels:    labels,
 	}
-	secret, err := sourcesecret.Generate(opts)
+
+	if secretTLSArgs.caCrtFile != "" {
+		opts.CACrt, err = os.ReadFile(secretTLSArgs.caCrtFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+
+	if secretTLSArgs.tlsCrtFile != "" {
+		if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
+			return fmt.Errorf("failed to read cert file: %w", err)
+		}
+	}
+	if secretTLSArgs.tlsKeyFile != "" {
+		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
+			return fmt.Errorf("failed to read key file: %w", err)
+		}
+	}
+
+	secret, err := sourcesecret.GenerateTLS(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_tls_test.go
+++ b/cmd/flux/create_secret_tls_test.go
@ -4,7 +4,7 @@ import (
 	"testing"
 )

-func TestCreateTlsSecretNoArgs(t *testing.T) {
+func TestCreateTlsSecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
@ -15,7 +15,7 @@ func TestCreateTlsSecretNoArgs(t *testing.T) {
 			assert: assertError("name is required"),
 		},
 		{
-			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --export",
+			args:   "create secret tls certs --namespace=my-namespace --tls-crt-file=./testdata/create_secret/tls/test-cert.pem --tls-key-file=./testdata/create_secret/tls/test-key.pem --ca-crt-file=./testdata/create_secret/tls/test-ca.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
 		},
 	}
--- a/cmd/flux/create_source.go
+++ b/cmd/flux/create_source.go
@ -25,7 +25,7 @@ import (
 var createSourceCmd = &cobra.Command{
 	Use:   "source",
 	Short: "Create or update sources",
-	Long:  "The create source sub-commands generate sources.",
+	Long:  `The create source sub-commands generate sources.`,
 }

 type createSourceFlags struct {
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@ -31,12 +31,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createSourceBucketCmd = &cobra.Command{
@ -64,15 +63,16 @@ For Buckets with static authentication, the credentials are stored in a Kubernet
 }

 type sourceBucketFlags struct {
-	name        string
-	provider    flags.SourceBucketProvider
-	endpoint    string
-	accessKey   string
-	secretKey   string
-	region      string
-	insecure    bool
-	secretRef   string
-	ignorePaths []string
+	name           string
+	provider       flags.SourceBucketProvider
+	endpoint       string
+	accessKey      string
+	secretKey      string
+	region         string
+	insecure       bool
+	secretRef      string
+	proxySecretRef string
+	ignorePaths    []string
 }

 var sourceBucketArgs = newSourceBucketFlags()
@ -86,6 +86,7 @@ func init() {
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.region, "region", "", "the bucket region")
 	createSourceBucketCmd.Flags().BoolVar(&sourceBucketArgs.insecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretRef, "secret-ref", "", "the name of an existing secret containing credentials")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceBucketCmd.Flags().StringSliceVar(&sourceBucketArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in bucket resource (can specify multiple paths with commas: path1,path2)")

 	createSourceCmd.AddCommand(createSourceBucketCmd)
@ -93,7 +94,7 @@ func init() {

 func newSourceBucketFlags() sourceBucketFlags {
 	return sourceBucketFlags{
-		provider: flags.SourceBucketProvider(sourcev1.GenericBucketProvider),
+		provider: flags.SourceBucketProvider(sourcev1.BucketProviderGeneric),
 	}
 }

@ -154,6 +155,12 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}

+	if sourceBucketArgs.proxySecretRef != "" {
+		bucket.Spec.ProxySecretRef = &meta.LocalObjectReference{
+			Name: sourceBucketArgs.proxySecretRef,
+		}
+	}
+
 	if createArgs.export {
 		return printExport(exportBucket(bucket))
 	}
@ -204,8 +211,8 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for Bucket source reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isBucketReady(ctx, kubeClient, namespacedName, bucket)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, bucket)); err != nil {
 		return err
 	}
 	logger.Successf("Bucket source reconciliation completed")
@ -247,30 +254,3 @@ func upsertBucket(ctx context.Context, kubeClient client.Client,
 	logger.Successf("Bucket source updated")
 	return namespacedName, nil
 }
-
-func isBucketReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, bucket *sourcev1.Bucket) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, bucket)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(bucket, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != bucket.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_source_chart.go
+++ b/cmd/flux/create_source_chart.go
@ -0,0 +1,217 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var createSourceChartCmd = &cobra.Command{
+	Use:   "chart [name]",
+	Short: "Create or update a HelmChart source",
+	Long:  `The create source chart command generates a HelmChart resource and waits for the chart to be available.`,
+	Example: `  # Create a source for a chart residing in a HelmRepository
+  flux create source chart podinfo \
+    --source=HelmRepository/podinfo \
+    --chart=podinfo \
+    --chart-version=6.x
+
+  # Create a source for a chart residing in a Git repository
+  flux create source chart podinfo \
+    --source=GitRepository/podinfo \
+    --chart=./charts/podinfo
+
+  # Create a source for a chart residing in a S3 Bucket
+  flux create source chart podinfo \
+    --source=Bucket/podinfo \
+    --chart=./charts/podinfo
+
+  # Create a source for a chart from OCI and verify its signature
+  flux create source chart podinfo \
+    --source HelmRepository/podinfo \
+    --chart podinfo \
+    --chart-version=6.6.2 \
+    --verify-provider=cosign \
+    --verify-issuer=https://token.actions.githubusercontent.com \
+    --verify-subject=https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2`,
+	RunE: createSourceChartCmdRun,
+}
+
+type sourceChartFlags struct {
+	chart             string
+	chartVersion      string
+	source            flags.LocalHelmChartSource
+	reconcileStrategy string
+	verifyProvider    flags.SourceOCIVerifyProvider
+	verifySecretRef   string
+	verifyOIDCIssuer  string
+	verifySubject     string
+}
+
+var sourceChartArgs sourceChartFlags
+
+func init() {
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chart, "chart", "", "Helm chart name or path")
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
+	createSourceChartCmd.Flags().Var(&sourceChartArgs.source, "source", sourceChartArgs.source.Description())
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart (accepted values: Revision and ChartRevision)")
+	createSourceChartCmd.Flags().Var(&sourceChartArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
+	createSourceChartCmd.Flags().StringVar(&sourceChartArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
+
+	createSourceCmd.AddCommand(createSourceChartCmd)
+}
+
+func createSourceChartCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	if sourceChartArgs.source.Kind == "" || sourceChartArgs.source.Name == "" {
+		return fmt.Errorf("chart source is required")
+	}
+
+	if sourceChartArgs.chart == "" {
+		return fmt.Errorf("chart name or path is required")
+	}
+
+	logger.Generatef("generating HelmChart source")
+
+	sourceLabels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	helmChart := &sourcev1.HelmChart{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: *kubeconfigArgs.Namespace,
+			Labels:    sourceLabels,
+		},
+		Spec: sourcev1.HelmChartSpec{
+			Chart:   sourceChartArgs.chart,
+			Version: sourceChartArgs.chartVersion,
+			Interval: metav1.Duration{
+				Duration: createArgs.interval,
+			},
+			ReconcileStrategy: sourceChartArgs.reconcileStrategy,
+			SourceRef: sourcev1.LocalHelmChartSourceReference{
+				Kind: sourceChartArgs.source.Kind,
+				Name: sourceChartArgs.source.Name,
+			},
+		},
+	}
+
+	if provider := sourceChartArgs.verifyProvider.String(); provider != "" {
+		helmChart.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+			Provider: provider,
+		}
+		if secretName := sourceChartArgs.verifySecretRef; secretName != "" {
+			helmChart.Spec.Verify.SecretRef = &meta.LocalObjectReference{
+				Name: secretName,
+			}
+		}
+		verifyIssuer := sourceChartArgs.verifyOIDCIssuer
+		verifySubject := sourceChartArgs.verifySubject
+		if verifyIssuer != "" || verifySubject != "" {
+			helmChart.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
+				Issuer:  verifyIssuer,
+				Subject: verifySubject,
+			}}
+		}
+	} else if sourceChartArgs.verifySecretRef != "" {
+		return fmt.Errorf("a verification provider must be specified when a secret is specified")
+	} else if sourceChartArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
+		return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
+	}
+
+	if createArgs.export {
+		return printExport(exportHelmChart(helmChart))
+	}
+
+	logger.Actionf("applying HelmChart source")
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	namespacedName, err := upsertHelmChart(ctx, kubeClient, helmChart)
+	if err != nil {
+		return err
+	}
+
+	logger.Waitingf("waiting for HelmChart source reconciliation")
+	readyConditionFunc := isObjectReadyConditionFunc(kubeClient, namespacedName, helmChart)
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true, readyConditionFunc); err != nil {
+		return err
+	}
+	logger.Successf("HelmChart source reconciliation completed")
+
+	if helmChart.Status.Artifact == nil {
+		return fmt.Errorf("HelmChart source reconciliation completed but no artifact was found")
+	}
+	logger.Successf("fetched revision: %s", helmChart.Status.Artifact.Revision)
+	return nil
+}
+
+func upsertHelmChart(ctx context.Context, kubeClient client.Client,
+	helmChart *sourcev1.HelmChart) (types.NamespacedName, error) {
+	namespacedName := types.NamespacedName{
+		Namespace: helmChart.GetNamespace(),
+		Name:      helmChart.GetName(),
+	}
+
+	var existing sourcev1.HelmChart
+	err := kubeClient.Get(ctx, namespacedName, &existing)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if err := kubeClient.Create(ctx, helmChart); err != nil {
+				return namespacedName, err
+			} else {
+				logger.Successf("source created")
+				return namespacedName, nil
+			}
+		}
+		return namespacedName, err
+	}
+
+	existing.Labels = helmChart.Labels
+	existing.Spec = helmChart.Spec
+	if err := kubeClient.Update(ctx, &existing); err != nil {
+		return namespacedName, err
+	}
+	helmChart = &existing
+	logger.Successf("source updated")
+	return namespacedName, nil
+}
--- a/cmd/flux/create_source_chart_test.go
+++ b/cmd/flux/create_source_chart_test.go
@ -0,0 +1,91 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import "testing"
+
+func TestCreateSourceChart(t *testing.T) {
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setupSourceChart(t, tmpl)
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "missing name",
+			args:   "create source chart --export",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "missing source reference",
+			args:   "create source chart podinfo --export ",
+			assert: assertError("chart source is required"),
+		},
+		{
+			name:   "missing chart name",
+			args:   "create source chart podinfo --source helmrepository/podinfo --export",
+			assert: assertError("chart name or path is required"),
+		},
+		{
+			name:   "unknown source kind",
+			args:   "create source chart podinfo --source foobar/podinfo --export",
+			assert: assertError(`invalid argument "foobar/podinfo" for "--source" flag: source kind 'foobar' is not supported, must be one of: HelmRepository, GitRepository, Bucket`),
+		},
+		{
+			name:   "basic chart",
+			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --export",
+			assert: assertGoldenTemplateFile("testdata/create_source_chart/basic.yaml", tmpl),
+		},
+		{
+			name:   "chart with basic signature verification",
+			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --export",
+			assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_basic.yaml", tmpl),
+		},
+		{
+			name:   "unknown signature verification provider",
+			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider foobar --export",
+			assert: assertError(`invalid argument "foobar" for "--verify-provider" flag: source OCI verify provider 'foobar' is not supported, must be one of: cosign`),
+		},
+		{
+			name:   "chart with complete signature verification",
+			args:   "create source chart podinfo --source helmrepository/podinfo --chart podinfo --verify-provider cosign --verify-issuer foo --verify-subject bar --export",
+			assert: assertGoldenTemplateFile("testdata/create_source_chart/verify_complete.yaml", tmpl),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
+
+func setupSourceChart(t *testing.T, tmpl map[string]string) {
+	t.Helper()
+	testEnv.CreateObjectFile("./testdata/create_source_chart/setup-source.yaml", tmpl, t)
+}
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@ -35,32 +35,35 @@ import (
 	"sigs.k8s.io/yaml"

 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"

-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 type sourceGitFlags struct {
-	url               string
-	branch            string
-	tag               string
-	semver            string
-	username          string
-	password          string
-	keyAlgorithm      flags.PublicKeyAlgorithm
-	keyRSABits        flags.RSAKeyBits
-	keyECDSACurve     flags.ECDSACurve
-	secretRef         string
-	gitImplementation flags.GitImplementation
-	caFile            string
-	privateKeyFile    string
-	recurseSubmodules bool
-	silent            bool
-	ignorePaths       []string
+	url                 string
+	branch              string
+	tag                 string
+	semver              string
+	refName             string
+	commit              string
+	username            string
+	password            string
+	keyAlgorithm        flags.PublicKeyAlgorithm
+	keyRSABits          flags.RSAKeyBits
+	keyECDSACurve       flags.ECDSACurve
+	secretRef           string
+	proxySecretRef      string
+	provider            flags.SourceGitProvider
+	caFile              string
+	privateKeyFile      string
+	recurseSubmodules   bool
+	silent              bool
+	ignorePaths         []string
+	sparseCheckoutPaths []string
 }

 var createSourceGitCmd = &cobra.Command{
@ -119,7 +122,13 @@ For private Git repositories, the basic authentication credentials are stored in
    --url=https://github.com/stefanprodan/podinfo \
    --branch=master \
    --username=username \
-    --password=password`,
+    --password=password
+
+  # Create a source for a Git repository using azure provider
+  flux create source git podinfo \
+    --url=https://dev.azure.com/foo/bar/_git/podinfo \
+    --branch=master \
+    --provider=azure`,
 	RunE: createSourceGitCmdRun,
 }

@ -130,19 +139,23 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", "git reference name")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.commit, "commit", "", "git commit")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyRSABits, "ssh-rsa-bits", sourceGitArgs.keyRSABits.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyECDSACurve, "ssh-ecdsa-curve", sourceGitArgs.keyECDSACurve.Description())
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")
-	createSourceGitCmd.Flags().Var(&sourceGitArgs.gitImplementation, "git-implementation", sourceGitArgs.gitImplementation.Description())
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials or github app authentication")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
+	createSourceGitCmd.Flags().Var(&sourceGitArgs.provider, "provider", sourceGitArgs.provider.Description())
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSourceGitCmd.Flags().BoolVar(&sourceGitArgs.recurseSubmodules, "recurse-submodules", false,
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in git resource (can specify multiple paths with commas: path1,path2)")
+	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.sparseCheckoutPaths, "sparse-checkout-paths", nil, "set paths to sparse checkout in git resource (can specify multiple paths with commas: path1,path2)")

 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@ -170,18 +183,14 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}

-	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" {
-		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag or --tag-semver")
+	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" && sourceGitArgs.commit == "" && sourceGitArgs.refName == "" {
+		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag, --commit, --ref-name or --tag-semver")
 	}

 	if sourceGitArgs.caFile != "" && u.Scheme == "ssh" {
 		return fmt.Errorf("specifying a CA file is not supported for Git over SSH")
 	}

-	if sourceGitArgs.recurseSubmodules && sourceGitArgs.gitImplementation == sourcev1.LibGit2Implementation {
-		return fmt.Errorf("recurse submodules requires --git-implementation=%s", sourcev1.GoGitImplementation)
-	}
-
 	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
@ -213,6 +222,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
 			Reference:         &sourcev1.GitRepositoryRef{},
 			Ignore:            ignorePaths,
+			SparseCheckout:    sourceGitArgs.sparseCheckoutPaths,
 		},
 	}

@ -220,11 +230,12 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		gitRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}

-	if sourceGitArgs.gitImplementation != "" {
-		gitRepository.Spec.GitImplementation = sourceGitArgs.gitImplementation.String()
-	}
-
-	if sourceGitArgs.semver != "" {
+	if sourceGitArgs.commit != "" {
+		gitRepository.Spec.Reference.Commit = sourceGitArgs.commit
+		gitRepository.Spec.Reference.Branch = sourceGitArgs.branch
+	} else if sourceGitArgs.refName != "" {
+		gitRepository.Spec.Reference.Name = sourceGitArgs.refName
+	} else if sourceGitArgs.semver != "" {
 		gitRepository.Spec.Reference.SemVer = sourceGitArgs.semver
 	} else if sourceGitArgs.tag != "" {
 		gitRepository.Spec.Reference.Tag = sourceGitArgs.tag
@ -238,6 +249,16 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}

+	if sourceGitArgs.proxySecretRef != "" {
+		gitRepository.Spec.ProxySecretRef = &meta.LocalObjectReference{
+			Name: sourceGitArgs.proxySecretRef,
+		}
+	}
+
+	if provider := sourceGitArgs.provider.String(); provider != "" {
+		gitRepository.Spec.Provider = provider
+	}
+
 	if createArgs.export {
 		return printExport(exportGit(&gitRepository))
 	}
@ -259,22 +280,32 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		switch u.Scheme {
 		case "ssh":
+			keypair, err := sourcesecret.LoadKeyPairFromPath(sourceGitArgs.privateKeyFile, sourceGitArgs.password)
+			if err != nil {
+				return err
+			}
+			secretOpts.Keypair = keypair
 			secretOpts.SSHHostname = u.Host
-			secretOpts.PrivateKeyPath = sourceGitArgs.privateKeyFile
 			secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(sourceGitArgs.keyAlgorithm)
 			secretOpts.RSAKeyBits = int(sourceGitArgs.keyRSABits)
 			secretOpts.ECDSACurve = sourceGitArgs.keyECDSACurve.Curve
 			secretOpts.Password = sourceGitArgs.password
 		case "https":
+			if sourceGitArgs.caFile != "" {
+				caBundle, err := os.ReadFile(sourceGitArgs.caFile)
+				if err != nil {
+					return fmt.Errorf("unable to read TLS CA file: %w", err)
+				}
+				secretOpts.CACrt = caBundle
+			}
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
-			secretOpts.CAFilePath = sourceGitArgs.caFile
 		case "http":
 			logger.Warningf("insecure configuration: credentials configured for an HTTP URL")
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateGit(secretOpts)
 		if err != nil {
 			return err
 		}
@ -316,8 +347,8 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for GitRepository source reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isGitRepositoryReady(ctx, kubeClient, namespacedName, &gitRepository)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, &gitRepository)); err != nil {
 		return err
 	}
 	logger.Successf("GitRepository source reconciliation completed")
@ -359,30 +390,3 @@ func upsertGitRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("GitRepository source updated")
 	return namespacedName, nil
 }
-
-func isGitRepositoryReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, gitRepository *sourcev1.GitRepository) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, gitRepository)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(gitRepository, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != gitRepository.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@ -24,14 +24,15 @@ import (
 	"testing"
 	"time"

-	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var pollInterval = 50 * time.Millisecond
@ -86,7 +87,7 @@ func (r *reconciler) conditionFunc() (bool, error) {
 }

 func TestCreateSourceGitExport(t *testing.T) {
-	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
+	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --sparse-checkout-paths .cosign,non-existent-dir/ --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()

 	cases := []struct {
 		name   string
@ -98,6 +99,71 @@ func TestCreateSourceGitExport(t *testing.T) {
 			command,
 			assertGoldenFile("testdata/create_source_git/export.golden"),
 		},
+		{
+			name:   "no args",
+			args:   "create secret git",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "source with commit",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --commit=c88a2f41 --interval=1m0s --export",
+			assert: assertGoldenFile("./testdata/create_source_git/source-git-commit.yaml"),
+		},
+		{
+			name:   "source with ref name",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --ref-name=refs/heads/main --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-refname.yaml"),
+		},
+		{
+			name:   "source with branch name and commit",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=main --commit=c88a2f41 --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-branch-commit.yaml"),
+		},
+		{
+			name:   "source with semver",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --tag-semver=v1.01 --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-semver.yaml"),
+		},
+		{
+			name:   "source with git tag",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --tag=test --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-tag.yaml"),
+		},
+		{
+			name:   "source with git branch",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=test --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-branch.yaml"),
+		},
+		{
+			name:   "source with generic provider",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --provider generic --branch=test --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-generic.yaml"),
+		},
+		{
+			name:   "source with azure provider",
+			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider azure --branch=test --interval=1m0s --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-azure.yaml"),
+		},
+		{
+			name:   "source with github provider",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --provider github --branch=test --interval=1m0s --secret-ref appinfo --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-github.yaml"),
+		},
+		{
+			name:   "source with invalid provider",
+			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider dummy --branch=test --interval=1m0s --export",
+			assert: assertError("invalid argument \"dummy\" for \"--provider\" flag: source Git provider 'dummy' is not supported, must be one of: generic|azure|github"),
+		},
+		{
+			name:   "source with empty provider",
+			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider \"\" --branch=test --interval=1m0s --export",
+			assert: assertError("invalid argument \"\" for \"--provider\" flag: no source Git provider given, please specify the Git provider name"),
+		},
+		{
+			name:   "source with no provider",
+			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --branch=test --interval=1m0s --export --provider",
+			assert: assertError("flag needs an argument: --provider"),
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
@ -141,13 +207,25 @@ func TestCreateSourceGit(t *testing.T) {
 				repo.Status.Artifact = &sourcev1.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
+					LastUpdateTime: metav1.Time{
+						Time: time.Now(),
+					},
 				}
+				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		}, {
 			"Failed",
 			command,
 			assertError("failed message"),
 			func(repo *sourcev1.GitRepository) {
+				stalledCondition := metav1.Condition{
+					Type:               meta.StalledCondition,
+					Status:             metav1.ConditionTrue,
+					Reason:             sourcev1.URLInvalidReason,
+					Message:            "failed message",
+					ObservedGeneration: repo.GetGeneration(),
+				}
+				apimeta.SetStatusCondition(&repo.Status.Conditions, stalledCondition)
 				newCondition := metav1.Condition{
 					Type:               meta.ReadyCondition,
 					Status:             metav1.ConditionFalse,
@ -156,6 +234,7 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
+				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		}, {
 			"NoArtifact",
@ -171,6 +250,7 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
+				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
 		},
 	}
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@ -22,8 +22,6 @@ import (
 	"net/url"
 	"os"

-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@ -33,10 +31,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"

-	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )

 var createSourceHelmCmd = &cobra.Command{
@ -64,13 +63,13 @@ For private Helm repositories, the basic authentication credentials are stored i

  # Create a source for an OCI Helm repository
  flux create source helm podinfo \
-    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo \
    --username=username \
    --password=password

  # Create a source for an OCI Helm repository using an existing secret with basic auth or dockerconfig credentials
  flux create source helm podinfo \
-    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo \
    --secret-ref=docker-config`,
 	RunE: createSourceHelmCmdRun,
 }
@ -83,6 +82,7 @@ type sourceHelmFlags struct {
 	keyFile         string
 	caFile          string
 	secretRef       string
+	ociProvider     string
 	passCredentials bool
 }

@ -96,6 +96,7 @@ func init() {
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
 	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS, basic auth or docker-config credentials")
+	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.ociProvider, "oci-provider", "", "OCI provider for authentication")
 	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")

 	createSourceCmd.AddCommand(createSourceHelmCmd)
@ -143,6 +144,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if url.Scheme == sourcev1.HelmRepositoryTypeOCI {
 		helmRepository.Spec.Type = sourcev1.HelmRepositoryTypeOCI
+		helmRepository.Spec.Provider = sourceHelmArgs.ociProvider
 	}

 	if createSourceArgs.fetchTimeout > 0 {
@ -168,6 +170,25 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	caBundle := []byte{}
+	if sourceHelmArgs.caFile != "" {
+		var err error
+		caBundle, err = os.ReadFile(sourceHelmArgs.caFile)
+		if err != nil {
+			return fmt.Errorf("unable to read TLS CA file: %w", err)
+		}
+	}
+
+	var certFile, keyFile []byte
+	if sourceHelmArgs.certFile != "" && sourceHelmArgs.keyFile != "" {
+		if certFile, err = os.ReadFile(sourceHelmArgs.certFile); err != nil {
+			return fmt.Errorf("failed to read cert file: %w", err)
+		}
+		if keyFile, err = os.ReadFile(sourceHelmArgs.keyFile); err != nil {
+			return fmt.Errorf("failed to read key file: %w", err)
+		}
+	}
+
 	logger.Generatef("generating HelmRepository source")
 	if sourceHelmArgs.secretRef == "" {
 		secretName := fmt.Sprintf("helm-%s", name)
@ -176,12 +197,12 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			Namespace:    *kubeconfigArgs.Namespace,
 			Username:     sourceHelmArgs.username,
 			Password:     sourceHelmArgs.password,
-			CertFilePath: sourceHelmArgs.certFile,
-			KeyFilePath:  sourceHelmArgs.keyFile,
-			CAFilePath:   sourceHelmArgs.caFile,
+			CACrt:        caBundle,
+			TLSCrt:       certFile,
+			TLSKey:       keyFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateHelm(secretOpts)
 		if err != nil {
 			return err
 		}
@ -209,8 +230,12 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for HelmRepository source reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isHelmRepositoryReady(ctx, kubeClient, namespacedName, helmRepository)); err != nil {
+	readyConditionFunc := isObjectReadyConditionFunc(kubeClient, namespacedName, helmRepository)
+	if helmRepository.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		// HelmRepository type OCI is a static object.
+		readyConditionFunc = isStaticObjectReadyConditionFunc(kubeClient, namespacedName, helmRepository)
+	}
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true, readyConditionFunc); err != nil {
 		return err
 	}
 	logger.Successf("HelmRepository source reconciliation completed")
@ -257,30 +282,3 @@ func upsertHelmRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("source updated")
 	return namespacedName, nil
 }
-
-func isHelmRepositoryReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, helmRepository *sourcev1.HelmRepository) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, helmRepository)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(helmRepository, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != helmRepository.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_source_oci.go
+++ b/cmd/flux/create_source_oci.go
@ -29,38 +29,50 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
-
-	"github.com/fluxcd/flux2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createSourceOCIRepositoryCmd = &cobra.Command{
 	Use:   "oci [name]",
 	Short: "Create or update an OCIRepository",
-	Long:  `The create source oci command generates an OCIRepository resource and waits for it to be ready.`,
+	Long:  withPreviewNote(`The create source oci command generates an OCIRepository resource and waits for it to be ready.`),
 	Example: `  # Create an OCIRepository for a public container image
  flux create source oci podinfo \
    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
-    --tag=6.1.6 \
+    --tag=6.6.2 \
    --interval=10m
+
+  # Create an OCIRepository with OIDC signature verification
+  flux create source oci podinfo \
+    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
+    --tag=6.6.2 \
+    --interval=10m \
+    --verify-provider=cosign \
+    --verify-subject="^https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.6.2$" \
+    --verify-issuer="^https://token.actions.githubusercontent.com$"
 `,
 	RunE: createSourceOCIRepositoryCmdRun,
 }

 type sourceOCIRepositoryFlags struct {
-	url            string
-	tag            string
-	semver         string
-	digest         string
-	secretRef      string
-	serviceAccount string
-	certSecretRef  string
-	ignorePaths    []string
-	provider       flags.SourceOCIProvider
-	insecure       bool
+	url              string
+	tag              string
+	semver           string
+	digest           string
+	secretRef        string
+	proxySecretRef   string
+	serviceAccount   string
+	certSecretRef    string
+	verifyProvider   flags.SourceOCIVerifyProvider
+	verifySecretRef  string
+	verifyOIDCIssuer string
+	verifySubject    string
+	ignorePaths      []string
+	provider         flags.SourceOCIProvider
+	insecure         bool
 }

 var sourceOCIRepositoryArgs = newSourceOCIFlags()
@ -78,8 +90,13 @@ func init() {
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.semver, "tag-semver", "", "the OCI artifact tag semver range")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.digest, "digest", "", "the OCI artifact digest")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
+	createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySubject, "verify-subject", "", "regular expression to use for the OIDC subject during signature verification")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifyOIDCIssuer, "verify-issuer", "", "regular expression to use for the OIDC issuer during signature verification")
 	createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
 	createSourceOCIRepositoryCmd.Flags().BoolVar(&sourceOCIRepositoryArgs.insecure, "insecure", false, "for when connecting to a non-TLS registries over plain HTTP")

@ -150,12 +167,41 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}

+	if secretName := sourceOCIRepositoryArgs.proxySecretRef; secretName != "" {
+		repository.Spec.ProxySecretRef = &meta.LocalObjectReference{
+			Name: secretName,
+		}
+	}
+
 	if secretName := sourceOCIRepositoryArgs.certSecretRef; secretName != "" {
 		repository.Spec.CertSecretRef = &meta.LocalObjectReference{
 			Name: secretName,
 		}
 	}

+	if provider := sourceOCIRepositoryArgs.verifyProvider.String(); provider != "" {
+		repository.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+			Provider: provider,
+		}
+		if secretName := sourceOCIRepositoryArgs.verifySecretRef; secretName != "" {
+			repository.Spec.Verify.SecretRef = &meta.LocalObjectReference{
+				Name: secretName,
+			}
+		}
+		verifyIssuer := sourceOCIRepositoryArgs.verifyOIDCIssuer
+		verifySubject := sourceOCIRepositoryArgs.verifySubject
+		if verifyIssuer != "" || verifySubject != "" {
+			repository.Spec.Verify.MatchOIDCIdentity = []sourcev1.OIDCIdentityMatch{{
+				Issuer:  verifyIssuer,
+				Subject: verifySubject,
+			}}
+		}
+	} else if sourceOCIRepositoryArgs.verifySecretRef != "" {
+		return fmt.Errorf("a verification provider must be specified when a secret is specified")
+	} else if sourceOCIRepositoryArgs.verifyOIDCIssuer != "" || sourceOCIRepositoryArgs.verifySubject != "" {
+		return fmt.Errorf("a verification provider must be specified when OIDC issuer/subject is specified")
+	}
+
 	if createArgs.export {
 		return printExport(exportOCIRepository(repository))
 	}
@ -175,8 +221,8 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Waitingf("waiting for OCIRepository reconciliation")
-	if err := wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
-		isOCIRepositoryReady(ctx, kubeClient, namespacedName, repository)); err != nil {
+	if err := wait.PollUntilContextTimeout(ctx, rootArgs.pollInterval, rootArgs.timeout, true,
+		isObjectReadyConditionFunc(kubeClient, namespacedName, repository)); err != nil {
 		return err
 	}
 	logger.Successf("OCIRepository reconciliation completed")
@ -218,30 +264,3 @@ func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
 	logger.Successf("OCIRepository updated")
 	return namespacedName, nil
 }
-
-func isOCIRepositoryReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, ociRepository *sourcev1.OCIRepository) wait.ConditionFunc {
-	return func() (bool, error) {
-		err := kubeClient.Get(ctx, namespacedName, ociRepository)
-		if err != nil {
-			return false, err
-		}
-
-		if c := conditions.Get(ociRepository, meta.ReadyCondition); c != nil {
-			// Confirm the Ready condition we are observing is for the
-			// current generation
-			if c.ObservedGeneration != ociRepository.GetGeneration() {
-				return false, nil
-			}
-
-			// Further check the Status
-			switch c.Status {
-			case metav1.ConditionTrue:
-				return true, nil
-			case metav1.ConditionFalse:
-				return false, fmt.Errorf(c.Message)
-			}
-		}
-		return false, nil
-	}
-}
--- a/cmd/flux/create_source_oci_test.go
+++ b/cmd/flux/create_source_oci_test.go
@ -36,16 +36,51 @@ func TestCreateSourceOCI(t *testing.T) {
 			args:       "create source oci podinfo",
 			assertFunc: assertError("url is required"),
 		},
+		{
+			name:       "verify secret specified but provider missing",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-secret-ref=cosign-pub",
+			assertFunc: assertError("a verification provider must be specified when a secret is specified"),
+		},
+		{
+			name:       "verify issuer specified but provider missing",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github.com",
+			assertFunc: assertError("a verification provider must be specified when OIDC issuer/subject is specified"),
+		},
+		{
+			name:       "verify identity specified but provider missing",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-subject=developer",
+			assertFunc: assertError("a verification provider must be specified when OIDC issuer/subject is specified"),
+		},
+		{
+			name:       "verify issuer specified but subject missing",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github --verify-provider=cosign --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export_with_issuer.golden"),
+		},
+		{
+			name:       "all verify fields set",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-issuer=github verify-subject=stefanprodan --verify-provider=cosign --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export_with_issuer.golden"),
+		},
+		{
+			name:       "verify subject specified but issuer missing",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --verify-subject=stefanprodan --verify-provider=cosign --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export_with_subject.golden"),
+		},
 		{
 			name:       "export manifest",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --export",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --export",
 			assertFunc: assertGoldenFile("./testdata/oci/export.golden"),
 		},
 		{
 			name:       "export manifest with secret",
-			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.1.6 --interval 10m --secret-ref=creds --export",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --secret-ref=creds --export",
 			assertFunc: assertGoldenFile("./testdata/oci/export_with_secret.golden"),
 		},
+		{
+			name:       "export manifest with verify secret",
+			args:       "create source oci podinfo --url=oci://ghcr.io/stefanprodan/manifests/podinfo --tag=6.3.5 --interval 10m --verify-provider=cosign --verify-secret-ref=cosign-pub --export",
+			assertFunc: assertGoldenFile("./testdata/oci/export_with_verify_secret.golden"),
+		},
 	}

 	for _, tt := range tests {
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@ -21,7 +21,7 @@ import (
 	"context"
 	"fmt"

-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@ -37,8 +37,8 @@ import (
 var createTenantCmd = &cobra.Command{
 	Use:   "tenant",
 	Short: "Create or update a tenant",
-	Long: `The create tenant command generates namespaces, service accounts and role bindings to limit the
-reconcilers scope to the tenant namespaces.`,
+	Long: withPreviewNote(`The create tenant command generates namespaces, service accounts and role bindings to limit the
+reconcilers scope to the tenant namespaces.`),
 	Example: `  # Create a tenant with access to a namespace 
  flux create tenant dev-team \
    --with-namespace=frontend \
@ -59,6 +59,7 @@ const (
 type tenantFlags struct {
 	namespaces  []string
 	clusterRole string
+	account     string
 }

 var tenantArgs tenantFlags
@ -66,6 +67,7 @@ var tenantArgs tenantFlags
 func init() {
 	createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
 	createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
+	createTenantCmd.Flags().StringVar(&tenantArgs.account, "with-service-account", "", "service account belonging to this tenant")
 	createCmd.AddCommand(createTenantCmd)
 }

@ -107,9 +109,17 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		namespaces = append(namespaces, namespace)

+		accountName := tenant
+		if tenantArgs.account != "" {
+			accountName = tenantArgs.account
+		}
+		if err := validation.IsQualifiedName(accountName); len(err) > 0 {
+			return fmt.Errorf("invalid service-account name '%s': %v", accountName, err)
+		}
+
 		account := corev1.ServiceAccount{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      tenant,
+				Name:      accountName,
 				Namespace: ns,
 				Labels:    objLabels,
 			},
@ -131,7 +141,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 				},
 				{
 					Kind:      "ServiceAccount",
-					Name:      tenant,
+					Name:      accountName,
 					Namespace: ns,
 				},
 			},
@ -283,9 +293,9 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 		return err
 	}

-	fmt.Println("---")
+	rootCmd.Println("---")
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	fmt.Println(resourceToString(data))
+	rootCmd.Println(resourceToString(data))

 	account.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",
@ -296,9 +306,9 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 		return err
 	}

-	fmt.Println("---")
+	rootCmd.Println("---")
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	fmt.Println(resourceToString(data))
+	rootCmd.Println(resourceToString(data))

 	roleBinding.TypeMeta = metav1.TypeMeta{
 		APIVersion: "rbac.authorization.k8s.io/v1",
@ -309,8 +319,8 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 		return err
 	}

-	fmt.Println("---")
-	fmt.Println(resourceToString(data))
+	rootCmd.Println("---")
+	rootCmd.Println(resourceToString(data))

 	return nil
 }
--- a/cmd/flux/create_tenant_test.go
+++ b/cmd/flux/create_tenant_test.go
@ -0,0 +1,68 @@
+//go:build e2e
+// +build e2e
+
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateTenant(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "no args",
+			args:   "create tenant",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "no namespace",
+			args:   "create tenant dev-team --cluster-role=cluster-admin",
+			assert: assertError("with-namespace is required"),
+		},
+		{
+			name:   "basic tenant",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-basic.yaml"),
+		},
+		{
+			name:   "tenant with custom serviceaccount",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --with-service-account=flux-tenant --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-service-account.yaml"),
+		},
+		{
+			name:   "tenant with custom cluster role",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=custom-role --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-cluster-role.yaml"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/debug.go
+++ b/cmd/flux/debug.go
@ -0,0 +1,31 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var debugCmd = &cobra.Command{
+	Use:   "debug",
+	Short: "Debug a flux resource",
+	Long:  `The debug command can be used to troubleshoot failing resource reconciliations.`,
+}
+
+func init() {
+	rootCmd.AddCommand(debugCmd)
+}
--- a/cmd/flux/debug_helmrelease.go
+++ b/cmd/flux/debug_helmrelease.go
@ -0,0 +1,113 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	"github.com/fluxcd/pkg/chartutil"
+	"github.com/go-logr/logr"
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var debugHelmReleaseCmd = &cobra.Command{
+	Use:     "helmrelease [name]",
+	Aliases: []string{"hr"},
+	Short:   "Debug a HelmRelease resource",
+	Long: withPreviewNote(`The debug helmrelease command can be used to troubleshoot failing Helm release reconciliations.
+WARNING: This command will print sensitive information if Kubernetes Secrets are referenced in the HelmRelease .spec.valuesFrom field.`),
+	Example: `  # Print the status of a Helm release
+  flux debug hr podinfo --show-status
+
+  # Export the final values of a Helm release composed from referred ConfigMaps and Secrets
+  flux debug hr podinfo --show-values > values.yaml`,
+	RunE:              debugHelmReleaseCmdRun,
+	Args:              cobra.ExactArgs(1),
+	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
+}
+
+type debugHelmReleaseFlags struct {
+	showStatus bool
+	showValues bool
+}
+
+var debugHelmReleaseArgs debugHelmReleaseFlags
+
+func init() {
+	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showStatus, "show-status", false, "print the status of the Helm release")
+	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showValues, "show-values", false, "print the final values of the Helm release")
+	debugCmd.AddCommand(debugHelmReleaseCmd)
+}
+
+func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	if (!debugHelmReleaseArgs.showStatus && !debugHelmReleaseArgs.showValues) ||
+		(debugHelmReleaseArgs.showStatus && debugHelmReleaseArgs.showValues) {
+		return fmt.Errorf("either --show-status or --show-values must be set")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	hr := &helmv2.HelmRelease{}
+	hrName := types.NamespacedName{Namespace: *kubeconfigArgs.Namespace, Name: name}
+	if err := kubeClient.Get(ctx, hrName, hr); err != nil {
+		return err
+	}
+
+	if debugHelmReleaseArgs.showStatus {
+		status, err := yaml.Marshal(hr.Status)
+		if err != nil {
+			return err
+		}
+		rootCmd.Println("# Status documentation: https://fluxcd.io/flux/components/helm/helmreleases/#helmrelease-status")
+		rootCmd.Print(string(status))
+		return nil
+	}
+
+	if debugHelmReleaseArgs.showValues {
+		finalValues, err := chartutil.ChartValuesFromReferences(ctx,
+			logr.Discard(),
+			kubeClient,
+			hr.GetNamespace(),
+			hr.GetValues(),
+			hr.Spec.ValuesFrom...)
+		if err != nil {
+			return err
+		}
+
+		values, err := yaml.Marshal(finalValues)
+		if err != nil {
+			return err
+		}
+		rootCmd.Print(string(values))
+	}
+
+	return nil
+}
--- a/cmd/flux/debug_helmrelease_test.go
+++ b/cmd/flux/debug_helmrelease_test.go
@ -0,0 +1,71 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestDebugHelmRelease(t *testing.T) {
+	namespace := allocateNamespace("debug")
+
+	objectFile := "testdata/debug_helmrelease/objects.yaml"
+	tmpl := map[string]string{
+		"fluxns": namespace,
+	}
+	testEnv.CreateObjectFile(objectFile, tmpl, t)
+
+	cases := []struct {
+		name       string
+		arg        string
+		goldenFile string
+		tmpl       map[string]string
+	}{
+		{
+			"debug status",
+			"debug helmrelease test-values-inline --show-status --show-values=false",
+			"testdata/debug_helmrelease/status.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug values",
+			"debug helmrelease test-values-inline --show-values --show-status=false",
+			"testdata/debug_helmrelease/values-inline.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug values from",
+			"debug helmrelease test-values-from --show-values --show-status=false",
+			"testdata/debug_helmrelease/values-from.golden.yaml",
+			tmpl,
+		},
+	}
+
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.arg + " -n=" + namespace,
+				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/debug_kustomization.go
+++ b/cmd/flux/debug_kustomization.go
@ -0,0 +1,134 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sort"
+	"strings"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	"github.com/fluxcd/pkg/kustomize"
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var debugKustomizationCmd = &cobra.Command{
+	Use:     "kustomization [name]",
+	Aliases: []string{"ks"},
+	Short:   "Debug a Flux Kustomization resource",
+	Long: withPreviewNote(`The debug kustomization command can be used to troubleshoot failing Flux Kustomization reconciliations.
+WARNING: This command will print sensitive information if Kubernetes Secrets are referenced in the Kustomization .spec.postBuild.substituteFrom field.`),
+	Example: `  # Print the status of a Flux Kustomization
+  flux debug ks podinfo --show-status
+
+  # Export the final variables used for post-build substitutions composed from referred ConfigMaps and Secrets
+  flux debug ks podinfo --show-vars > vars.env`,
+	RunE:              debugKustomizationCmdRun,
+	Args:              cobra.ExactArgs(1),
+	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
+}
+
+type debugKustomizationFlags struct {
+	showStatus bool
+	showVars   bool
+}
+
+var debugKustomizationArgs debugKustomizationFlags
+
+func init() {
+	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showStatus, "show-status", false, "print the status of the Flux Kustomization")
+	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showVars, "show-vars", false, "print the final vars of the Flux Kustomization in dot env format")
+	debugCmd.AddCommand(debugKustomizationCmd)
+}
+
+func debugKustomizationCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	if (!debugKustomizationArgs.showStatus && !debugKustomizationArgs.showVars) ||
+		(debugKustomizationArgs.showStatus && debugKustomizationArgs.showVars) {
+		return fmt.Errorf("either --show-status or --show-vars must be set")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	ks := &kustomizev1.Kustomization{}
+	ksName := types.NamespacedName{Namespace: *kubeconfigArgs.Namespace, Name: name}
+	if err := kubeClient.Get(ctx, ksName, ks); err != nil {
+		return err
+	}
+
+	if debugKustomizationArgs.showStatus {
+		status, err := yaml.Marshal(ks.Status)
+		if err != nil {
+			return err
+		}
+		rootCmd.Println("# Status documentation: https://fluxcd.io/flux/components/kustomize/kustomizations/#kustomization-status")
+		rootCmd.Print(string(status))
+		return nil
+	}
+
+	if debugKustomizationArgs.showVars {
+		if ks.Spec.PostBuild == nil {
+			return errors.New("no post build substitutions found")
+		}
+
+		ksObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(ks)
+		if err != nil {
+			return err
+		}
+
+		finalVars, err := kustomize.LoadVariables(ctx, kubeClient, unstructured.Unstructured{Object: ksObj})
+		if err != nil {
+			return err
+		}
+
+		if len(ks.Spec.PostBuild.Substitute) > 0 {
+			for k, v := range ks.Spec.PostBuild.Substitute {
+				// Remove new lines from the values as they are not supported.
+				// Replicates the controller behavior from
+				// https://github.com/fluxcd/pkg/blob/main/kustomize/kustomize_varsub.go
+				finalVars[k] = strings.ReplaceAll(v, "\n", "")
+			}
+		}
+
+		keys := make([]string, 0, len(finalVars))
+		for k := range finalVars {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+
+		for _, k := range keys {
+			rootCmd.Println(k + "=" + finalVars[k])
+		}
+	}
+
+	return nil
+}
--- a/cmd/flux/debug_kustomization_test.go
+++ b/cmd/flux/debug_kustomization_test.go
@ -0,0 +1,71 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestDebugKustomization(t *testing.T) {
+	namespace := allocateNamespace("debug")
+
+	objectFile := "testdata/debug_kustomization/objects.yaml"
+	tmpl := map[string]string{
+		"fluxns": namespace,
+	}
+	testEnv.CreateObjectFile(objectFile, tmpl, t)
+
+	cases := []struct {
+		name       string
+		arg        string
+		goldenFile string
+		tmpl       map[string]string
+	}{
+		{
+			"debug status",
+			"debug ks test --show-status --show-vars=false",
+			"testdata/debug_kustomization/status.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug vars",
+			"debug ks test --show-vars --show-status=false",
+			"testdata/debug_kustomization/vars.golden.env",
+			tmpl,
+		},
+		{
+			"debug vars from",
+			"debug ks test-from --show-vars --show-status=false",
+			"testdata/debug_kustomization/vars-from.golden.env",
+			tmpl,
+		},
+	}
+
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.arg + " -n=" + namespace,
+				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/Show More
+++ b/Show More